[Esapi-user] FW: Some Help On Esapi

Olivier Jaquemet olivier.jaquemet at jalios.com
Tue Feb 4 10:54:03 UTC 2014


You did not provide the console output, and you are using a lot of methods 
whose behaviour we cannot know (getSessionExpireString, 
decodeAndDecrypt).

Anyway :

1. First of all, make sure you do not use any invalid characters.
The default cookie version with JavaEE is 1.0, and when this version is 
used you cannot use any character you want:
"With Version 0 cookies, values should not contain white space, 
brackets, parentheses, equals signs, commas, double quotes, slashes, 
question marks, at signs, colons, and semicolons."
http://docs.oracle.com/javaee/5/api/javax/servlet/http/Cookie.html#setValue(java.lang.String)

2. You are performing too much unneeded encoding; why invoke encodeForHTML??

3. KISS! If you need to track a date value inside a cookie, why bother 
encoding a formatted value?
Parse the date, and only if it is valid then use the timestamp (in millis) 
inside the cookie; it will contain only numbers and therefore does not 
need any encoding of any sort and is sure to be validated.
String.valueOf(expireAsJavaDate.getTime())

Remember: the best way to prevent attacks is not to encode or decode 
values, it is to validate them against predictable values.
Therefore if you PARSE a value into a valid java Date you will ensure its 
content and you can then send it back the way you want.

On 04/02/2014 10:59, Dibyadarshan Sahu wrote:
>
> Dear Oliver
>
> The requested information is below
>
> ESAPI version is *2.1.0*
>
> Value Input is : *2014-01-31 02:15:21.012*
>
> *CODE :*
>
> String sessionExpireString = null;
> Cookie expireCookie = getCookieFromRequest(request, "EXPIRE");
> sessionExpireString = expireCookie.getValue();
> sessionExpireString = decodeAndDecrypt(sessionExpireString);
> sessionExpireString = getSessionExpireString(request);
> System.out.println("sessionExpireString: " + sessionExpireString);
> sessionExpireString = ESAPI.encoder().canonicalize(sessionExpireString).trim();
> System.out.println("SESSEXPRESTRING:Canonical: " + sessionExpireString);
> sessionExpireString = ESAPI.encoder().encodeForHTML(sessionExpireString);
> System.out.println("SESSEXPRESTRING:EncodeHTML: " + sessionExpireString);
> try {
>     if (isUseEncryption()) {
>         sessionExpireString = encryptAndEncode(sessionExpireString);
>     }
>     expireCookie.setValue(sessionExpireString);
>     expireCookie.setDomain("DOMAIN");
>     expireCookie.setPath("PATH");
>     expireCookie.setSecure(true);
>     *response.addCookie(expireCookie); // This line is creating the problem*
> } catch (RuntimeException ex) {
>     result = false;
> }
>
> Error From Esapi is : *CWE-113: Improper Neutralization of CRLF 
> Sequences in HTTP Headers ('HTTP Response Splitting')*
>
> Thanks and Regards
>
> Dibyadarshan Sahu
>
> *From:*Olivier Jaquemet [mailto:olivier.jaquemet at jalios.com]
> *Sent:* 04 February 2014 15:06
> *To:* Dibyadarshan Sahu; esapi-user at lists.owasp.org
> *Subject:* Re: [Esapi-user] FW: Some Help On Esapi
>
> Hello Dibyadarshan,
>
> Please provide the following information so we can help you:
> 1. your code
> 2. the exact value of the cookie you are trying to add to the response 
> object
> 3. your version of ESAPI
>
> Olivier
>
> On 04/02/2014 09:58, Dibyadarshan Sahu wrote:
>
>     Dear Team
>
>     I need some help on HTTP Response Splitting; can you tell me.
>
>     There is an HTTP Response Splitting error raised by ESAPI
>     while adding a cookie to the Response object.
>
>     I have tried all the solutions but it is not working.
>
>     Can you please give some reference on this?
>
>     Thanks and Regards
>
>     Dibyadarshan Sahu
>
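As an added illustration of the advice in Olivier's reply (validate the date, store only the millisecond timestamp, skip the encoding layers), here is a small servlet-side helper. It is example code written for this thread, not ESAPI code and not the poster's application: the class and method names are hypothetical, the cookie path is a placeholder, the input is assumed to be UTC, and the servlet API (javax.servlet) is assumed to be on the classpath; the main method exercises only the JDK parts.

```java
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Added example (not ESAPI code, not the poster's application): the
// "validate, then store only a timestamp" approach from the reply above.
public final class ExpireCookieHelper {
    private static final String COOKIE_NAME = "EXPIRE";                    // name used in the thread
    private static final String INPUT_FORMAT = "yyyy-MM-dd HH:mm:ss.SSS";  // the poster's input shape
    private static final Pattern MILLIS = Pattern.compile("[0-9]{1,19}");
    // Characters the Servlet javadoc says Version 0 cookie values should not contain.
    private static final Pattern VERSION0_UNSAFE = Pattern.compile("[\\s\\[\\]()=,\"/?@:;]");

    private ExpireCookieHelper() {}

    /** Strict parse of the expected format; null for anything else (including trailing data). */
    static Date parseExpire(String input) {
        if (input == null) return null;
        String s = input.trim();
        SimpleDateFormat fmt = new SimpleDateFormat(INPUT_FORMAT);
        fmt.setLenient(false);                          // reject month 13, day 32, etc.
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));   // assumption: inputs are UTC
        ParsePosition pos = new ParsePosition(0);
        Date d = fmt.parse(s, pos);
        // parse() stops at the first unparseable character; require the whole string consumed
        if (d == null || pos.getIndex() != s.length()) return null;
        return d;
    }

    /** Cookie value to emit: digits only, so no encoding layer is needed. */
    static String toCookieValue(Date expire) {
        return String.valueOf(expire.getTime());
    }

    /** True if the value is acceptable under the Version 0 cookie rules quoted in the reply. */
    static boolean isVersion0Safe(String value) {
        return value != null && !VERSION0_UNSAFE.matcher(value).find();
    }

    /** Reading the cookie back: allow-list the shape before trusting it. */
    static Date fromCookieValue(String value) {
        if (value == null || !MILLIS.matcher(value).matches()) return null;
        try {
            return new Date(Long.parseLong(value));
        } catch (NumberFormatException e) {
            return null;                                // 19 digits can still exceed Long.MAX_VALUE
        }
    }

    /** Validate first; emit a cookie only for a valid date. Returns false when the input is rejected. */
    static boolean setExpireCookie(HttpServletResponse response, String expireInput) {
        Date expire = parseExpire(expireInput);
        if (expire == null) return false;
        Cookie c = new Cookie(COOKIE_NAME, toCookieValue(expire));
        c.setPath("/");                                 // placeholder; the poster's real path is elided
        c.setSecure(true);
        c.setHttpOnly(true);                            // Servlet 3.0+; drop on older containers
        response.addCookie(c);
        return true;
    }

    // Stand-alone check of the validation logic; only the JDK is needed for this part.
    public static void main(String[] args) {
        String good = "2014-01-31 02:15:21.012";          // the poster's value
        String withCrlf = good + "\r\nX-Injected: 1";     // constructed: the CRLF shape CWE-113 is about
        String notADate = "2014-13-31 02:15:21.012";      // constructed: month 13

        Date d = parseExpire(good);
        String cookieValue = toCookieValue(d);
        System.out.println("cookie value: " + cookieValue + " version0Safe=" + isVersion0Safe(cookieValue));
        System.out.println("round trip ok: " + d.equals(fromCookieValue(cookieValue)));
        System.out.println("CRLF input rejected: " + (parseExpire(withCrlf) == null));
        System.out.println("month 13 rejected: " + (parseExpire(notADate) == null));
        System.out.println("raw input Version 0 safe: " + isVersion0Safe(good)); // false: space and colons
    }
}
```

The point of the split into parseExpire / toCookieValue / fromCookieValue is that the cookie only ever carries a string matching `[0-9]{1,19}`: the formatted date with its spaces and colons (which already violates the Version 0 rules) never reaches the Set-Cookie header, and neither can a CRLF sequence, so there is nothing left for canonicalize or encodeForHTML to do.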
