[Esapi-user] Interface Validator getValidInput

Jeff Williams jeff.williams at aspectsecurity.com
Fri Oct 24 02:33:15 UTC 2014


I believe ESAPI is canonicalizing the \u005c to \ and then the resulting \a is being canonicalized to a LF.  ESAPI detects this as double encoded data and flags the attack. In fact this could be an attack depending on the downstream decoders and interpreters...like a log injection or response splitting.

This can happen if you don't choose the right codecs for your Encoder before you use it to canonicalize.

If this is really a password, then you probably shouldn't canonicalize at all anyway.  Just be sure you don't feed it to any interpreters downstream.

--Jeff

Jeff Williams, CTO
Aspect Security
work: 410-707-1487




On Oct 23, 2014, at 2:12 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:

It looks like the data you are actually validating is subject to multiple encodings - is it possible that whatever is sending the data is encoding it twice?

You can still canonicalize without detecting the multiple-encoding by updating ESAPI.properties with the value

Encoder.AllowMultipleEncoding=true

On Thu, Oct 23, 2014 at 12:48 PM, Ricardo Iramar dos Santos <riramar at gmail.com> wrote:
Hi All,

This is my first post so take it easy with me.
My system receives a JSON from another system in an HTTP request in
order to create a user. This JSON has this format:

{
    "id": "12345",
    "name": "username",
    "pasword": "123\u005casd"
}

I'm using this java code in order to validate this JSON content
against a pattern:

Validator xpto = ESAPI.validator();
String validInput = xpto.getValidInput("JSON Validation",
Resquet_Body, "JSON-Pattern", 100, true);

But I'm getting an exception in this part:

2014-10-23 15:37:37,637 ERROR -
org.owasp.esapi.reference.Log4JLogger.log(Log4JLogger.java:449)
[SECURITY FAILURE Anonymous:null at unknown ->
/ExampleApplication/IntrusionException] INTRUSION - Multiple (2x)
encoding detected

I'm using the default ESAPI.properties
(https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties).
It seems that the error occurs because I'm trying to canonicalize the
input. If I disable it with this code, it works:

String validInput = xpto.getValidInput("JSON Validation",
Resquet_Body, "JSON-Pattern", 100, true, false);

I'm afraid that I've solved this problem but created a new security issue.
I'm not sure about that.
As it is an input, is it correct? All my outputs are canonicalized (encoded).

Thanks
Ricardo Iramar
_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user



--
Chris Schmidt

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/

Yet Another Developers Blog
http://yet-another-dev.blogspot.com

Bio and Resume
http://www.digital-ritual.net/resume.html
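As an added example (not code from the thread or from the ESAPI project), the Python below models the canonicalize-then-validate step the thread is arguing about: decode the input with each configured codec until nothing changes, count the passes in which something decoded, and flag the input when that count reaches two. Run on a request body shaped like Ricardo's (a constructed JSON string containing the literal `\u005c`), it reproduces the "Multiple (2x) encoding detected" outcome: pass one turns `\u005c` into `\`, pass two consumes the resulting `\a`. The codec stand-ins (html.unescape, urllib's unquote, a small JavaScript-escape decoder), the rule that an unknown escape such as `\a` decodes by dropping the backslash, the counting rules, the `JSON_PATTERN` regex and the `get_valid_input` stand-in are all simplifications and assumptions of this example, not ESAPI's exact behaviour or API.

```python
"""Model of canonicalize-then-validate with multiple/mixed-encoding detection.

Added example, not ESAPI code. It follows the shape of a fixed-point decode
loop (each codec in turn, repeat until nothing changes) using stand-ins for
the default codec list order: HTML entities, percent, JavaScript escapes.
"""
import html
import re
from urllib.parse import unquote

_JS_ESCAPE = re.compile(r"\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|[0-7]{1,3}|.)", re.DOTALL)
_JS_SIMPLE = {"b": "\b", "t": "\t", "n": "\n", "v": "\v", "f": "\f", "r": "\r"}


def js_decode(text: str) -> str:
    """Decode one layer of JavaScript string escapes (\\uXXXX, \\xXX, octal, \\n...).

    Assumption: an escape not in the table, such as \\a, decodes to the bare
    character (backslash dropped). Real decoders differ in what \\a becomes;
    for detection all that matters is that the second pass changes the text.
    """
    def repl(m):
        esc = m.group(1)
        if esc[0] == "u" and len(esc) == 5:
            return chr(int(esc[1:], 16))
        if esc[0] == "x" and len(esc) == 3:
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8))
        return _JS_SIMPLE.get(esc, esc)
    return _JS_ESCAPE.sub(repl, text)


# Stand-ins, in the order of ESAPI's default codec list (assumed for this example).
CODECS = [("HTMLEntityCodec", html.unescape),
          ("PercentCodec", unquote),
          ("JavaScriptCodec", js_decode)]


class IntrusionDetected(ValueError):
    """Raised in strict mode when more than one layer of encoding is found."""


def canonicalize(value: str, codecs=CODECS, strict: bool = True, max_passes: int = 10):
    """Decode to a fixed point; return (decoded, findings).

    A pass counts if any codec changed the text during it. Two or more passes
    means layered encoding; two or more distinct codecs means mixed encoding.
    Strict mode (the thread's default setting) raises instead of returning.
    """
    working = value
    decoding_passes = 0
    codecs_hit = []
    for _ in range(max_passes):  # guard against a pathological decoder that never settles
        changed = False
        for name, decode in codecs:
            before = working
            working = decode(before)
            if working != before:
                changed = True
                if name not in codecs_hit:
                    codecs_hit.append(name)
        if not changed:
            break
        decoding_passes += 1
    findings = []
    if decoding_passes >= 2:
        findings.append(f"Multiple ({decoding_passes}x) encoding detected")
    if len(codecs_hit) >= 2:
        findings.append(f"Mixed encoding ({len(codecs_hit)}x) detected")
    if findings and strict:
        raise IntrusionDetected("; ".join(findings) + " in " + repr(value))
    return working, findings


def get_valid_input(value: str, pattern: str, max_length: int, canonicalize_first: bool = True) -> str:
    """Stand-in for getValidInput(context, input, type, maxLength, allowNull, canonicalize)."""
    if canonicalize_first:
        value, _ = canonicalize(value, strict=True)
    if len(value) > max_length or not re.fullmatch(pattern, value):
        raise ValueError("input does not match " + pattern)
    return value


# Constructed request body in the shape of the thread's example: the raw JSON
# text as received, so the escape \u005c is still six literal characters.
REQUEST_BODY = '{"id": "12345", "name": "username", "pasword": "123\\u005casd"}'
JSON_PATTERN = r'[\w\s{}:",\\]+'  # constructed, permissive stand-in for "JSON-Pattern"


def check_body(body: str, canonicalize_first: bool):
    """Run the validator both ways and report ('ok', value) or ('rejected', why)."""
    try:
        return "ok", get_valid_input(body, JSON_PATTERN, 100, canonicalize_first)
    except ValueError as exc:  # IntrusionDetected is a ValueError too
        return "rejected", str(exc)


if __name__ == "__main__":
    print("canonicalize=true :", check_body(REQUEST_BODY, True))
    print("canonicalize=false:", check_body(REQUEST_BODY, False))
    for sample in ("%3C", "%253C", "%26lt%3B", "123\\u005casd"):
        print(repr(sample), "->", canonicalize(sample, strict=False))
```

The two `check_body` calls correspond to the two `getValidInput` calls in the original post: with canonicalization on, the body is rejected before the regex ever runs; with it off, the raw text is matched as-is. The extra samples show the three outcomes the loop distinguishes: a single percent layer passes clean, `%253C` is two layers of the same codec, and `%26lt%3B` is percent over HTML entities, i.e. both layered and mixed.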