[Esapi-user] Issue in HtmlEntityCodec while implementing ESAPI security filter.

Bhuvanesh Waran bhuvanesht177 at gmail.com
Fri Jul 25 04:41:12 UTC 2014


Thanks for the response, Kevin.

Let me explain the scenario which is causing trouble while implementing the
ESAPI filter in our web-based application.

Please find the attached document for the steps which we are following for
implementing ESAPI in the business app.

The getQueryString() method of SecurityWrapperRequest.java is invoked 3
times for each request. Also, the queryString is emptied when it
finds an invalid character inside the queryString.

For example:
When the URL is
http://localhost:9081/w0094553/execute.do?nextPageId=testSearch, the new
page is loaded successfully. But when the URL is
http://localhost:9089/w0094553/execute.do?nextPageId=testSearch&next=abc,
the same page is loaded again instead of navigating to the new page. This is
happening because the queryString is removed by the canonicalization of “ne”.

Also tried with the URL
http://localhost:9081/w0094553/launchTest.redirect?nextPageId=testSearch≠xt=abc
and found a blank page with a NoSuchElementException in the console.

Root cause for the issue: in HtmlEntityCodec.class, line 278, for the method
mkCharacterToEntityMap():

Line 510: map.put((char)8800, "ne"); /* not equal to */ which is
responsible for adding ≠ while canonicalizing the querystring.
So the validation fails and we are unable to redirect to any of the pages.
Since we are implementing ESAPI as a filter, we can't set canonicalize to
false. By default canonicalize is true and we cannot invoke any of the other
methods.
Please provide your inputs to get rid of the issue.

The reason we are implementing ESAPI is to avoid cross-site scripting
issues for any of the requests.

Bhuvaneshwaran T | NTT DATA Global delivery services | state farm |
v.8814-3907 | ph: 8197158977 | bhuvaneshwaran.thangaraj at nttdata.com
>
> ________________________________
> From: Bhuvanesh Waran [bhuvanesht177 at gmail.com]
> Sent: Friday, July 25, 2014 9:40 AM
> To: Thangaraj, Bhuvaneshwaran
> Subject: Fwd: Re: Regex Validator.HTTPParameterValue which would allow Xml
>
> ---------- Forwarded message ----------
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Date: 25 Jul 2014 09:25
> Subject: Re: Regex Validator.HTTPParameterValue which would allow Xml
> To: "Bhuvanesh Waran" <bhuvanesht177 at gmail.com>
> Cc:
>
> If you are just trying to get rid of the canonicalization, call one of the other
> getValidInput() methods that allows you to disable canonicalization; e.g., this
> <http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Validator.html#getValidInput%28java.lang.String,%20java.lang.String,%20java.lang.String,%20int,%20boolean,%20boolean%29>
> or this:
> <http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Validator.html#getValidInput%28java.lang.String,%20java.lang.String,%20java.lang.String,%20int,%20boolean,%20boolean,%20org.owasp.esapi.ValidationErrorList%29>
>
> and set the boolean canonicalization flag to false.
>
> -kevin
>
> On Thu, Jul 24, 2014 at 10:49 AM, Bhuvanesh Waran
> <bhuvanesht177 at gmail.com> wrote:
> > Thanks for the immediate response, Kevin.
> >
> >
> > My querystring value is
> > =currentPage=clientSearch&nextPage=clientSideRedirect
> >
> > String testValue1 = "currentPage=clientSearch&next";
> > String result = null;
> > try {
> >     // 5-argument form: the last boolean is allowNull; canonicalization is always on here
> >     result = ESAPI.validator().getValidInput("HTTPQueryString " + testValue1,
> >                                               testValue1, "HTTPQueryString", 4000, true);
> >     System.out.println(result);
> > } catch (ValidationException e) {
> >     System.out.println("Validation failed: " + e.getMessage());
> > }
> >
> >
> >
> >
> > Value before canonicalizing: currentPage=clientSearch&nextPage=clientSideRedirect
> > Value after canonicalizing: currentPage=clientSearch≠xtPage=clientSideRedirect
> >
> > So my validation fails in ESAPI for querystring.
> >
> > My regex for querystring:
> > Validator.HTTPQueryString=^[a-zA-Z0-9\\-=\\*\\.\\?;,+\\/:&_ %]*$.
> >
> > How do I get rid of this canonicalizing? Thanks in advance.
> >
> >
> >
> > On Thu, Jul 17, 2014 at 11:08 AM, Kevin W. Wall <kevin.w.wall at gmail.com>
> > wrote:
> >>
> >> Well, I'm pretty sure that
> >>
> >>     .*
> >>
> >> would parse it! :)  Seriously, if you are looking for something to only parse
> >> this particular XML string, just use a string match. You don't tell us which
> >> part of this XML will remain constant (e.g., are all the tags required).
> >>
> >> Furthermore, this is something more suitable for using with XML schema
> >> validation rather than a simple regex. Chances are that regex would
> >> be brittle, probably subject to XDOS attacks, and would be so complex
> >> that the chances of getting it right are between slim and none. So write
> >> yourself an XSD and do schema validation. That's what it's meant for.
> >>
> >> -kevin
> >>
> >> On Tue, Jul 15, 2014 at 4:04 AM, Bhuvanesh Waran
> >> <bhuvanesht177 at gmail.com> wrote:
> >> > Hi All,
> >> >
> >> > I'm trying to modify the <b>validator.httpParameterValue</b> which is
> >> > having the value as
> >> > Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+=_ !$*[email protected]:%]{0,1000}$.
> >> >
> >> > I'm unable to parse the xml input:
> >> > <dataXML><CreateUpdateClient version='1.0'><commonInput></commonInput><client><clientId>JLTF53SR00C</clientId><roleType>Individual</roleType><names><name prodAssoc=''><nameType>Individual</nameType><prefixes>ADM</prefixes><firstName><![CDATA[dasd]]></firstName><middleName><![CDATA[asda]]></middleName><lastName><![CDATA[sdad]]></lastName><suffixes>SR</suffixes><unstructuredName><![CDATA[DDS]]></unstructuredName><action>add</action></name></names></client></CreateUpdateClient><CCreateUpdateClntandRelations1Rsp><messages rc='0'/><clients><client><clientId>JLTF53SR00C</clientId><nameID>00010</nameID></client></clients></CCreateUpdateClntandRelations1Rsp></dataXML>.
> >> >
> >> > Please provide me a regex which would pass the entire input xml for
> >> > HttpParameter value.
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Blog: http://off-the-wall-security.blogspot.com/
> >> NSA: All your crypto bit are belong to us.
> >
> >
>
>
>
> --
> Blog: http://off-the-wall-security.blogspot.com/
> NSA: All your cry
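As an added example (not ESAPI's code and not from anyone in this thread), the following models the failure Bhuvanesh reports and a validation strategy that avoids it: a simplified longest-prefix entity decoder built from the map entry quoted above (map.put((char)8800, "ne")), the thread's Validator.HTTPQueryString regex, and a contrasting check that splits the query string on '&' before canonicalizing each parameter. The ENTITIES subset and the PARAM_RE pattern are assumptions; only the HTML-entity codec is modelled, and percent decoding in the per-parameter path is done by parse_qsl.

```python
import re
from urllib.parse import parse_qsl

# Constructed subset of HtmlEntityCodec's entity map; the thread quotes the
# entry map.put((char)8800, "ne") that turns "&ne" into U+2260.
ENTITIES = {"ne": "\u2260", "amp": "&", "lt": "<", "gt": ">"}
# The thread's Validator.HTTPQueryString pattern (backslashes un-doubled).
QUERY_RE = re.compile(r"^[a-zA-Z0-9\-=\*\.\?;,+/:&_ %]*$")
# Assumed per-parameter pattern: same set minus '&' (a delimiter, not data).
PARAM_RE = re.compile(r"^[a-zA-Z0-9\-=\*\.\?;,+/:_ %]*$")

def lenient_entity_decode(s: str) -> str:
    """Decode named entities by longest prefix match, with or without the
    trailing ';' (simplified model of the behaviour the thread describes)."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "&":
            out.append(s[i])
            i += 1
            continue
        j = i + 1
        while j < len(s) and s[j].isalpha():
            j += 1
        name = s[i + 1:j]
        for k in range(len(name), 0, -1):  # longest known entity name wins
            if name[:k] in ENTITIES:
                i = i + 1 + k
                if i < len(s) and s[i] == ";":
                    i += 1
                out.append(ENTITIES[name[:k]])
                break
        else:  # no known entity: keep the bare '&'
            out.append("&")
            i += 1
    return "".join(out)

def validate_whole_query_string(qs: str) -> tuple:
    """What the filter does today: canonicalize the raw query string, then
    match the regex. Returns (is_valid, canonical_form)."""
    canon = lenient_entity_decode(qs)
    return QUERY_RE.fullmatch(canon) is not None, canon

def validate_per_parameter(qs: str) -> bool:
    """Split on '&' first, then canonicalize and validate each name and value."""
    for name, value in parse_qsl(qs, keep_blank_values=True):
        for part in (name, value):
            if PARAM_RE.fullmatch(lenient_entity_decode(part)) is None:
                return False
    return True
```

With the thread's own query string, the whole-string check yields the mangled "currentPage=clientSearch≠xtPage=clientSideRedirect" and fails, while the per-parameter check passes it and still rejects a value such as x=%26lt%3Bb%26gt%3B, which decodes to "<b>".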
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Integrating ESAPI with Business App.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 38604 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20140725/fbfda470/attachment.docx>

