[Esapi-user] ESAPI Validation Problem

Chris Schmidt chris.schmidt at owasp.org
Fri Mar 22 18:21:40 UTC 2013

I don't immediately see a problem with white-listing ':' for parameters - it
is a little non-standard and I don't believe the character is covered in the
specification, however I can't think of a way that data-context could be
broken as long as proper output encoding is used wherever the parameter is

From:  Chris Barlock <barlock at us.ibm.com>
Date:  Friday, March 22, 2013 12:18 PM
To:  Chris Schmidt <chrisisbeef at gmail.com>
Cc:  ESAPI Users <esapi-user at lists.owasp.org>
Subject:  Re: [Esapi-user] ESAPI Validation Problem

Thanks, Chris.  Modifying the regex is exactly what I did as a work-around
but I wanted to run this by the ESAPI community.  I don't want to do this if
it is, in fact, dumb from a security standpoint.


IBM Tivoli Systems
Research Triangle Park, NC
(919) 224-2240
Internet:  barlock at us.ibm.com

From:       Chris Schmidt <chrisisbeef at gmail.com>
To:       Chris Barlock/Raleigh/IBM at IBMUS, <esapi-user at lists.owasp.org>,
Date:       03/22/2013 02:15 PM
Subject:       Re: [Esapi-user] ESAPI Validation Problem

It would probably be easier just to modify the regex being used for HTTP
Parameter validation to allow the ':' character. Beyond that, byte-stuffing
is perfectly ok as long as you white-list the bytes that are allowed - in
other words, don't blindly unpack anything that looks like


From: Chris Barlock <barlock at us.ibm.com>
Date: Friday, March 22, 2013 12:08 PM
To: ESAPI Users <esapi-user at lists.owasp.org>
Subject: [Esapi-user] ESAPI Validation Problem

I recently added the ESAPI code for HTTP parameter validation in our JSPs.
Our vulnerability scans now report zero cross-site scripting
vulnerabilities, which is very good.  Unfortunately, it causes a couple of
other problems for us because sometimes we pass parameters that contain a
colon on an HTTP GET request.  A colon is, apparently, not a valid character
in an HTTP parameter, so the validator throws an exception on such strings.
One person on our team suggested URL encoding the parameters and then using
a form of byte-stuffing in the JavaScript to change the %3A (colon) to
something that would pass through the validator, say __3A.  The string could
be unstuffed, I think, either in the JSP processing or back in the

Thoughts on this from a secure computing perspective?  Other suggestions?


Chris

_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
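
The allow-listed unstuffing discussed in this thread, as an added example that is not part of the original messages and is not ESAPI code. The helper names `stuff`, `unstuff` and `receive` are hypothetical, the `__XX` escape follows the `__3A` form proposed in the question, and `PARAM_PATTERN` is a constructed stand-in for a parameter rule that rejects ':'.

```javascript
// Added example; helper names and PARAM_PATTERN are assumptions, not ESAPI code.
// Constructed stand-in for a parameter rule that rejects ':' and '%'.
const PARAM_PATTERN = /^[a-zA-Z0-9.\-\/+=@_ ]*$/;

// The only byte values unstuff() will ever restore: ':' and the escape char '_'.
const UNSTUFF_ALLOWED = new Set(["3A", "5F"]);

// Client side: escape literal '_' first so "__3A" typed by a user stays literal,
// then URL-encode and rewrite %3A as __3A.
function stuff(value) {
  const escaped = value.replace(/_/g, "__5F");
  return encodeURIComponent(escaped).replace(/%3A/g, "__3A");
}

// Server side, after validation: restore allow-listed escapes, reject the rest.
function unstuff(value) {
  return value.replace(/_(?:_([0-9A-Fa-f]{2}))?/g, (match, hex) => {
    if (hex === undefined) throw new Error("stray '_' outside an escape");
    const code = hex.toUpperCase();
    if (!UNSTUFF_ALLOWED.has(code)) throw new Error("escape __" + code + " not allowed");
    return String.fromCharCode(parseInt(code, 16));
  });
}

// Simulates the receiving page: container URL-decoding, validation, then unstuffing.
function receive(rawQueryValue) {
  const decoded = decodeURIComponent(rawQueryValue);
  if (!PARAM_PATTERN.test(decoded)) throw new Error("parameter failed validation");
  return unstuff(decoded);
}
```

A request value such as `__3Cscript__3E` passes the character pattern but is rejected by `unstuff`, which is the point of allow-listing the bytes; the restored value still needs output encoding wherever it is written.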
