[Esapi-user] Do we need to enable canonicalization in Java?

Jeff Williams jeff.williams at aspectsecurity.com
Mon Nov 3 20:04:33 UTC 2014


Hi Eduardo,

I’m not sure if anyone answered your question.  For some background, read this article, “The Only Two Things Every Developer Needs to Know About Injection<http://www.darkreading.com/application-security/the-only-2-things-every-developer-needs-to-know-about-injection/a/d-id/1269091>.”

I didn’t get into canonicalization in the article, but it’s critically important.  The reason is that attacks can be encoded into many forms.  To prove the point, I once encoded an attack in Morse Code<http://www.zdnet.com/blog/security/morse-code-rickroll-0-day-no-seriously-i-mean-it/1071>.

The point is that encoded data might easily pass your validation mechanism, only to be transformed later by a decoder into an attack.  The solution is to canonicalize first, then validate, and use the canonical form everywhere downstream.

If you’re using ESAPI.isValid* methods, it does canonicalization under the hood.  I recommend using getValid* so that you can use the canonical form downstream.

--Jeff
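To make the failure mode concrete, here is an added example (not ESAPI code, and not from the original thread) in plain Python. It mirrors the pattern Jeff describes: a validator that only inspects the raw bytes lets HTML-entity or percent-encoded markup through, a later layer decodes it, and the check is defeated. Canonicalizing to a fixed point before validating, and passing the canonical value downstream (the equivalent of ESAPI's getValid*), closes the gap. The forbidden-token list, the decoders chosen, and all sample inputs are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed example policy: markup delimiters are never allowed in a name field.
FORBIDDEN_TOKENS = ("<", ">")


def naive_is_valid(value: str) -> bool:
    """Validate the raw input only (the pattern the thread warns against)."""
    return not any(token in value for token in FORBIDDEN_TOKENS)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Apply the decoders a downstream layer might apply (percent-decoding, then
    HTML entity decoding) repeatedly until the value stops changing.

    Inputs that are still changing after max_rounds are rejected outright:
    a legitimate value never needs that many encoding layers, so refusing
    them is safer than guessing how far a downstream decoder will go.
    """
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            return current  # reached a fixed point: nothing left to decode
        current = decoded
    raise ValueError("input did not reach a canonical form: too many encoding layers")


def is_valid_canonical(value: str) -> bool:
    """Canonicalize first, then validate (what ESAPI's isValid* does internally)."""
    return naive_is_valid(canonicalize(value))


def get_valid(value: str) -> str:
    """Canonicalize, validate, and return the canonical form for downstream use
    (the getValid* shape Jeff recommends). Raises ValueError on rejection."""
    canonical = canonicalize(value)
    if not naive_is_valid(canonical):
        raise ValueError("input contains forbidden characters after canonicalization")
    return canonical


def downstream_render(value: str) -> str:
    """Simulate a later layer (template engine, URL handler) that decodes
    whatever it is handed. This is where encoded data turns back into markup."""
    return html.unescape(unquote(value))


if __name__ == "__main__":
    # Constructed inputs: the same markup in three encodings.
    samples = ["Eduardo", "&lt;b&gt;", "%26lt%3Bb%26gt%3B"]
    for raw in samples:
        naive = naive_is_valid(raw)
        rendered = downstream_render(raw) if naive else "(rejected)"
        print(f"{raw!r:24} naive={naive!s:5} downstream sees {rendered!r:8} "
              f"canonical-first={is_valid_canonical(raw)}")
```

Run as a script it prints one line per sample: the entity-encoded and double-encoded forms pass the naive check and still reach the downstream layer as `<b>`, while the canonicalize-first check rejects both and accepts only the plain name.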


From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Eduardo Macarron
Sent: Monday, October 27, 2014 2:17 AM
To: esapi-user at lists.owasp.org
Subject: [Esapi-user] Do we need to enable canonicalization in Java?

Hello everybody in the list.

We are adding ESAPI 2.x to a Spring MVC+Spring Security+MyBatis application.

We only want ESAPI for XSS protection (Canonicalize, Validate, Encode). Not for SQL injection, authentication or authorization.

To implement the XSS protection we are validating inputs with calls to Validator.isValid* methods.

We are not encoding output with ESAPI because input data is supposed to be trusted after validation and also because Spring does some encoding by default.

My question is about canonicalization. Sorry if this same question has been made millions of times. I have not been able to find a good reply to it yet.

Do we need canonicalization?

I cannot understand how an encoded input can be a threat. Can anybody point to a sample of an attack using encoded data in Java?

thank you!!!