[Esapi-user] Need an Urgent Help: How to prevent bad URL from redirecting

Suman Deb Roy suman.debroy at gmail.com
Sat Mar 30 11:52:03 UTC 2013


The Ethical Hack team has failed one test case, in which they inject
bad characters into an unprotected URL in my application.

URL - http://localhost:8080/Ehsample/test.jsp?target=dd369

I am using ESAPI JS to resolve this, as I can't use the Java version of
ESAPI in my HTML page.

1. I check for any bad chars in the URL
2. If bad chars are present in the URL, redirect to 404
3. If bad chars are not present, redirect to the requested URL


function encodeBadChars() {
    // get the URL of the current page
    var url = document.URL;
    // check the whole URL against the 'URL' whitelist rule;
    // max length is the URL's own length, null input not allowed
    if ($ESAPI.validator().isValidInput('encodeBadChars', url, 'URL', url.length, false)) {
        // GOOD URL - passed the whitelist (step 3: redirect to the requested URL)
    } else {
        // BAD URL - contains script or other disallowed characters (step 2: redirect to 404)
    }
}

// Calling code - <body onload="encodeBadChars();">

PROBLEM: $ESAPI.validator().isValidInput is always returning true.

Please let me know if anything is missing in my code, or if there is a better
approach I should be trying.

Thanks in advance
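An added example, not code from the post above and not part of ESAPI: instead of running the whole `document.URL` through a generic 'URL' rule, validate the one parameter that is actually used for the redirect (`target`) against an allowlist of what it is supposed to look like, and build the redirect location from the validated value only. Two caveats a practitioner would want here: an `onload` check runs in the browser only after the server has already rendered test.jsp with the raw parameter, so the same check belongs in test.jsp before the value is echoed or used in a redirect; and the value must be checked after percent-decoding, which `URLSearchParams` does for you. The paths `/Ehsample/404.jsp` and `/Ehsample/view.jsp`, the pattern `TARGET_PATTERN` and the sample URLs are this example's own assumptions, modelled on the single URL in the post. It uses only the standard `URL`/`URLSearchParams` API, which exists in browsers and in Node.

```javascript
// Added example (not from the original post, not ESAPI code): allowlist
// validation of the ?target= parameter before using it for a redirect.
// '/Ehsample/404.jsp' and '/Ehsample/view.jsp' are hypothetical paths.

// The post's sample value is "dd369", so the allowlist is a short alphanumeric
// identifier. Tags, quotes, schemes, slashes and '%' all fail this pattern.
const TARGET_PATTERN = /^[A-Za-z0-9]{1,32}$/;

const NOT_FOUND_PATH = '/Ehsample/404.jsp'; // hypothetical 404 page

// Decide where to send the browser for one page URL, and why.
// URLSearchParams percent-decodes the value, so '%3Cscript%3E' is tested as
// '<script>' and fails; a double-encoded '%253C' decodes once to '%3C', which
// also fails because '%' is not in the allowlist.
function decideRedirect(pageUrl) {
  const target = new URL(pageUrl).searchParams.get('target');
  if (target === null) {
    return { ok: false, reason: 'missing target', location: NOT_FOUND_PATH };
  }
  if (!TARGET_PATTERN.test(target)) {
    return { ok: false, reason: 'target failed allowlist', location: NOT_FOUND_PATH };
  }
  // The redirect is always a same-origin relative path built from the validated
  // identifier, so '//evil.example' or 'javascript:' can never become the location.
  return {
    ok: true,
    reason: 'ok',
    location: '/Ehsample/view.jsp?id=' + encodeURIComponent(target),
  };
}

// Constructed sample URLs (not from a real scan), modelled on the one in the post.
const SAMPLES = [
  'http://localhost:8080/Ehsample/test.jsp?target=dd369',
  'http://localhost:8080/Ehsample/test.jsp?target=%3Cscript%3Ealert(1)%3C/script%3E',
  'http://localhost:8080/Ehsample/test.jsp?target=//evil.example/',
  'http://localhost:8080/Ehsample/test.jsp?target=javascript:alert(1)',
  'http://localhost:8080/Ehsample/test.jsp?target=dd369%27%20onload%3Dalert(1)',
  'http://localhost:8080/Ehsample/test.jsp?target=%253Cscript%253E',
  'http://localhost:8080/Ehsample/test.jsp',
];

// Run every sample through the decision and return the results for inspection.
function runSamples(urls) {
  return urls.map((u) => ({ url: u, ...decideRedirect(u) }));
}

for (const r of runSamples(SAMPLES)) {
  console.log(r.ok ? 'ALLOW ' : 'REJECT', r.reason.padEnd(24), '->', r.location, '|', r.url);
}
```

In the page itself the call would be `window.location.replace(decideRedirect(document.URL).location)`; the identical allowlist, applied server-side in test.jsp before the parameter is written into the response, is what actually closes the finding, because the client-side check cannot undo what the server has already sent.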
