[Esapi-user] Interface Validator getValidInput

Chris Schmidt chrisisbeef at gmail.com
Thu Oct 23 19:11:09 UTC 2014


It looks like the data you are actually validating is subject to multiple
encodings - is it possible that whatever is sending the data is encoding it
twice?

You can still canonicalize without detecting the multiple-encoding by
updating ESAPI.properties with the value

Encoder.AllowMultipleEncoding=true


On Thu, Oct 23, 2014 at 12:48 PM, Ricardo Iramar dos Santos <
riramar at gmail.com> wrote:

> Hi All,
>
> This is my first post so take it easy with me.
> My system receives JSON from another system in an HTTP request in
> order to create a user. This JSON has this format:
>
> {
>     "id": "12345",
>     "name": "username",
>     "pasword": "123\u005casd"
> }
>
> I'm using this Java code in order to validate this JSON content
> against a pattern:
>
> Validator xpto = ESAPI.validator();
> String validInput = xpto.getValidInput("JSON Validation",
> Resquet_Body, "JSON-Pattern", 100, true);
>
> But I'm getting an exception in this part:
>
> 2014-10-23 15:37:37,637 ERROR -
> org.owasp.esapi.reference.Log4JLogger.log(Log4JLogger.java:449)
> [SECURITY FAILURE Anonymous:null at unknown ->
> /ExampleApplication/IntrusionException] INTRUSION - Multiple (2x)
> encoding detected
>
> I'm using the default ESAPI.properties
> (
> https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties
> ).
> It seems that the error occurs because I'm trying to canonicalize the
> input. If I disable it with this code it works:
>
> String validInput = xpto.getValidInput("JSON Validation",
> Resquet_Body, "JSON-Pattern", 100, true, false);
>
> I'm afraid that I've solved this problem but created a new security issue.
> I'm not sure about that.
> As it is an input, is it correct? All my outputs are canonicalized
> (encoded).
>
> Thanks
> Ricardo Iramar
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>



-- 
Chris Schmidt

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/

Yet Another Developers Blog
http://yet-another-dev.blogspot.com

Bio and Resume
http://www.digital-ritual.net/resume.html
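The three behaviours discussed in this thread side by side, as an added example that is not code from the thread or from the ESAPI project. It assumes ESAPI 2.1 or later (for the three-argument canonicalize), a Validator.JSON-Pattern entry in ESAPI.properties, and the request body from the original question, reconstructed here as a constant.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class JsonBodyValidation {

    // Constructed from the thread: "\u005c" is the JSON escape for a backslash,
    // so after one decoding pass the value still contains a decodable "\a..." sequence.
    static final String REQUEST_BODY =
        "{\"id\": \"12345\", \"name\": \"username\", \"pasword\": \"123\\u005casd\"}";

    public static void main(String[] args) throws ValidationException {
        Validator validator = ESAPI.validator();
        Encoder encoder = ESAPI.encoder();

        // 1. Default five-argument call: canonicalizes first, and with the default
        //    Encoder.AllowMultipleEncoding=false the nested decoding is reported as an
        //    intrusion (the "Multiple (2x) encoding detected" entry in the question's log).
        try {
            validator.getValidInput("JSON Validation", REQUEST_BODY, "JSON-Pattern", 100, true);
            System.out.println("strict canonicalization accepted the body");
        } catch (IntrusionException e) {
            System.out.println("strict canonicalization rejected the body: " + e.getMessage());
        }

        // 2. Equivalent of setting Encoder.AllowMultipleEncoding=true in ESAPI.properties:
        //    still canonicalize all the way down, but do not treat nested encoding as an
        //    intrusion. Mixed-encoding detection (second flag) is left switched on.
        String canonical = encoder.canonicalize(REQUEST_BODY, false, true);
        System.out.println("canonical form: " + canonical);

        // 3. The six-argument form from the question with canonicalize=false: the pattern is
        //    matched against the raw, still-encoded body. Any field taken out of this body
        //    and used later must therefore be canonicalized and validated on its own.
        String raw = validator.getValidInput(
            "JSON Validation", REQUEST_BODY, "JSON-Pattern", 100, true, false);
        System.out.println("raw body matched the pattern (" + raw.length() + " chars)");
    }
}
```

Option 3 only checks the shape of the body; it does not replace per-field validation of the decoded values.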