[Esapi-user] ESAPI Validation Problem

Chris Barlock barlock at us.ibm.com
Fri Mar 22 18:18:08 UTC 2013


Thanks, Chris.  Modifying the regex is exactly what I did as a work-around 
but I wanted to run this by the ESAPI community.  I don't want to do this 
if it is, in fact, dumb from a security standpoint.

Chris

IBM Tivoli Systems
Research Triangle Park, NC
(919) 224-2240
Internet:  barlock at us.ibm.com



From:   Chris Schmidt <chrisisbeef at gmail.com>
To:     Chris Barlock/Raleigh/IBM at IBMUS, <esapi-user at lists.owasp.org>, 
Date:   03/22/2013 02:15 PM
Subject:        Re: [Esapi-user] ESAPI Validation Problem



It would probably be easier just to modify the regex being used for HTTP 
Parameter validation to allow the ':' character. Beyond that, 
byte-stuffing is perfectly ok as long as you white-list the bytes that 
are allowed – in other words, don't blindly unpack anything that looks 
like __[0-9a-f][0-9a-f] 

~C

From: Chris Barlock <barlock at us.ibm.com>
Date: Friday, March 22, 2013 12:08 PM
To: ESAPI Users <esapi-user at lists.owasp.org>
Subject: [Esapi-user] ESAPI Validation Problem

I recently added the ESAPI code for HTTP parameter validation in our 
JSPs.  Our vulnerability scans now report zero cross-site scripting 
vulnerabilities, which is very good.  Unfortunately, it causes a couple of 
other problems for us because sometimes we pass parameters that contain a 
colon on an HTTP GET request.  A colon is, apparently, not a valid 
character in an HTTP parameter, so the validator throws an exception on 
such strings.  One person on our team suggested URL encoding the 
parameters and then using a form of byte-stuffing in the JavaScript to 
change the %3A (colon) to something that would pass through the validator, 
say __3A.  The string could be unstuffed, I think, either in the JSP 
processing or back in the JavaScript. 
Thoughts on this from a secure computing perspective?  Other suggestions? 

Thanks,

Chris

_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user
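The two routes discussed in this thread, as an added example that is not part of the original messages and is not ESAPI or IBM code. Route 1 is the regex change Chris Schmidt suggests: the same parameter whitelist with ':' admitted. Route 2 is the byte-stuffing scheme (%3A carried as __3A), written so that the unstuffing side decodes only a whitelist of bytes rather than anything shaped like __[0-9a-f][0-9a-f], which is the point of his caveat. Assumptions: the strict pattern is modelled on ESAPI's default Validator.HTTPParameterValue regex and must be checked against the ESAPI.properties actually deployed; all function and constant names are hypothetical; and, going one step beyond the thread, the underscore itself is stuffed (as __5F) so a literal "__3A" in user data cannot be confused with an encoded colon.

```javascript
// Added example for this thread; not code from ESAPI, IBM, or either poster.
// Route 1: widen the HTTP parameter whitelist so ':' passes.
// Route 2: byte-stuff %3A as __3A, and on the receiving side decode only a
// whitelist of bytes, so "__3C" is refused instead of quietly becoming '<'
// and undoing the XSS validation the scanner was happy with.

// Assumption: modelled on ESAPI's default Validator.HTTPParameterValue
// pattern; confirm against the ESAPI.properties actually deployed.
const HTTP_PARAM_STRICT = /^[a-zA-Z0-9.\-\/+=@_ ]*$/;
// Route 1: the same whitelist with ':' added.
const HTTP_PARAM_WITH_COLON = /^[a-zA-Z0-9.\-\/+=@_: ]*$/;

function isValidHttpParam(value, pattern = HTTP_PARAM_STRICT) {
  return pattern.test(value);
}

// Route 2: byte-stuffing.
// The only bytes a sender may encode as __XX. 0x3A is the colon from the
// thread; 0x5F ('_') is included (an addition beyond the thread) so that a
// literal "__3A" in user data is itself stuffed and never looks like an
// encoded colon.
const STUFFABLE_BYTES = new Set([0x3a, 0x5f]);

// Shape of a well-formed stuffed value: every '_' belongs to a __XX marker.
const STUFFED_SHAPE = /^(?:[^_]|__[0-9A-Fa-f]{2})*$/;

// Client side: encode the stuffable bytes, then insist the result satisfies
// the strict validator. Anything else is refused before it is sent; the
// client check is a convenience, the server-side whitelist is the control.
function stuffParam(value) {
  let out = '';
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (STUFFABLE_BYTES.has(code)) {
      out += '__' + code.toString(16).toUpperCase().padStart(2, '0');
    } else {
      out += ch;
    }
  }
  if (!isValidHttpParam(out)) {
    throw new Error('parameter contains characters the validator does not allow');
  }
  return out;
}

// Receiving side (JSP or JavaScript): decode only whitelisted bytes.
// A __XX marker whose byte is outside the whitelist is an error, not data.
function unstuffParam(stuffed) {
  if (!isValidHttpParam(stuffed) || !STUFFED_SHAPE.test(stuffed)) {
    throw new Error('stuffed parameter failed validation');
  }
  return stuffed.replace(/__([0-9A-Fa-f]{2})/g, (_match, hex) => {
    const byte = parseInt(hex, 16);
    if (!STUFFABLE_BYTES.has(byte)) {
      throw new Error('refusing to unstuff byte 0x' + hex.toUpperCase());
    }
    return String.fromCharCode(byte);
  });
}

// Constructed sample values (not taken from the thread).
function demo() {
  const results = {
    strictRejectsColon: isValidHttpParam('host:8080'),
    widenedAcceptsColon: isValidHttpParam('host:8080', HTTP_PARAM_WITH_COLON),
    stuffed: stuffParam('host:8080'),
    roundTrip: unstuffParam(stuffParam('host:8080')),
    literalUnderscoresSurvive: unstuffParam(stuffParam('__3A')),
  };
  try {
    unstuffParam('__3Cscript__3E'); // what a blind decoder would turn into <script>
    results.smuggledTag = 'decoded (bad)';
  } catch (e) {
    results.smuggledTag = 'rejected';
  }
  return results;
}
```

Two things to keep in mind when using either route. The whitelist in unstuffParam is the only thing keeping bytes like 0x3C out, so it must run on the server regardless of what the JavaScript does; a client-side check can be bypassed by sending the raw parameter. And whichever route is taken, the decoded value now contains a colon the validator never saw, so it still needs proper output encoding for the context it is rendered into.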


