[Esapi-user] Need an Urgent Help: How to prevent bad URL from redirecting

Suman Deb Roy suman.debroy at gmail.com
Sat Mar 30 11:52:03 UTC 2013


Hello,

The ethical hacking team has failed one test case in which they inject
bad characters into an unprotected URL in my application.

URL - http://localhost:8080/Ehsample/test.jsp?target=dd369><script>alert(1)</script>

I am using ESAPI JS to resolve this, as I can't use the Java version of
ESAPI in my HTML page.

Approach:
1. I check for any bad chars in the URL
2. If bad chars are present in the URL, redirect to 404
3. If bad chars are not present, redirect to the requested URL

JS CODE:

function encodeBadChars() {
    // get the URL of the current page
    var url = document.URL;
    // check the whole URL against the 'URL' validation rule
    if ($ESAPI.validator().isValidInput('encodeBadChars', url, 'URL', url.length, false)) {
        alert(true);
    } else {
        // BAD URL - contains script
        // (the encoded result is not used and no redirect happens here)
        $ESAPI.encoder().encodeForURL(url);
    }
}


// Calling code - <body onload="encodeBadChars();">


PROBLEM: ESAPI.validator().isValidInput is always returning true.

Please let me know if anything is missing in my code or if there is a better approach I
should be trying.

Thanks in advance
Suman
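
Added example (not from the post and not ESAPI's own code): instead of pattern-matching the whole document.URL, parse the query with the WHATWG URL API, allow-list the single "target" parameter and only ever redirect to a fixed same-origin path. Two caveats a reviewer would raise on the approach above: an onload check runs only after the browser has already parsed the server's response, so it cannot stop a <script> that test.jsp reflected unencoded (the reflected value has to be HTML-encoded on the server when it is written into the page); and matching on a raw URL string can miss a payload that arrives percent-encoded, which URLSearchParams decodes before the check. The parameter name "target", the value "dd369" and the two sample URLs come from the post; TARGET_PATTERN, the /Ehsample/404.jsp and /Ehsample/landing.jsp paths and the minimal encodeForHTML() stand-in for ESAPI's encoder are assumptions made so the block runs offline in Node or a browser.

```javascript
// Added example: allow-list the "target" parameter and build a fixed same-origin
// redirect. Not from the post or from ESAPI. Assumed names: TARGET_PATTERN,
// /Ehsample/404.jsp, /Ehsample/landing.jsp; encodeForHTML() is a stand-in for
// ESAPI's encoder so the file runs without the library.

// Values like "dd369" in the post are short alphanumeric tokens. Anything else,
// including "<", ">", "/" or "%", is rejected. Adjust to the real identifier format.
const TARGET_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// Parse the query with the URL API so the check sees the percent-decoded value:
// "%3Cscript%3E" and a literal "<script>" both come back as "<script>".
function checkTarget(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  const value = url.searchParams.get('target');
  if (value === null) {
    return { ok: false, reason: 'missing target' };
  }
  if (!TARGET_PATTERN.test(value)) {
    return { ok: false, reason: 'target contains disallowed characters', value: value };
  }
  return { ok: true, value: value };
}

// Decide where to send the browser. The destination is always a fixed
// same-origin path, so a hostile "target" can neither inject markup nor turn
// the page into an open redirect.
function redirectLocation(urlString) {
  const result = checkTarget(urlString);
  if (!result.ok) {
    return '/Ehsample/404.jsp';
  }
  return '/Ehsample/landing.jsp?target=' + encodeURIComponent(result.value);
}

// What test.jsp has to do on the server when it reflects the value into HTML.
// A client-side onload check runs after the response is parsed, so it cannot
// undo an already-reflected <script>. Minimal stand-in for ESAPI encodeForHTML().
function encodeForHTML(s) {
  return String(s).replace(/[&<>"']/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[ch];
  });
}

// Constructed inputs: the clean URL and the tester's payload from the post,
// plus the same payload percent-encoded as a browser may present it.
const CLEAN = 'http://localhost:8080/Ehsample/test.jsp?target=dd369';
const PAYLOAD = 'http://localhost:8080/Ehsample/test.jsp?target=dd369><script>alert(1)</script>';
const ENCODED_PAYLOAD = 'http://localhost:8080/Ehsample/test.jsp?target=dd369%3E%3Cscript%3Ealert(1)%3C/script%3E';

// Run all three through the check and the redirect decision.
function demo() {
  return [CLEAN, PAYLOAD, ENCODED_PAYLOAD].map(function (u) {
    return { url: u, check: checkTarget(u), redirect: redirectLocation(u) };
  });
}

// In the page itself the call would be:
//   window.location.replace(redirectLocation(document.URL));
if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The allow-list is deliberately about the one parameter the page uses rather than about "bad characters" in the whole URL: a deny-list of characters is what the tester's payload variants are built to slip past, while a tight pattern on the expected value rejects everything that is not an identifier, encoded or not.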