[Esapi-user] Interface Validator getValidInput

Ricardo Iramar dos Santos riramar at gmail.com
Fri Oct 24 11:58:19 UTC 2014


Hi Jeff,

Thanks for your reply.
I don't think that ESAPI is canonicalizing \a to LF, because actually
it's only removing the \ from the string. Take a look:

First time (that's OK!):
"123\u005casd" -> "123\asd"

Second time (no idea why removed backslash):
"123\asd" -> "123asd"

It seems like a bug.
I also tried to leave only two codecs, HTML and Percent, in
ESAPI.properties (Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec),
but it wasn't reflected in the encoder. The encoder is always using 3
codecs: HTML, Percent and JavaScript.
In order to check whether the whole configuration is working, I tried to
change "Encoder.AllowMultipleEncoding=false" to
"Encoder.AllowMultipleEncoding=true" and it took effect.
Am I doing something wrong? Could it be a second bug?

Thanks
Ricardo

On Fri, Oct 24, 2014 at 12:33 AM, Jeff Williams
<jeff.williams at aspectsecurity.com> wrote:
> I believe ESAPI is canonicalizing the \u005c to \ and then the resulting \a
> is being canonicalized to a LF.  ESAPI detects this as double encoded data
> and flags the attack. In fact this could be an attack depending on the
> downstream decoders and interpreters...like a log injection or response
> splitting.
>
> This can happen if you don't choose the right codecs for your Encoder before
> you use it to canonicalize.
>
> If this is really a password, then you probably shouldn't canonicalize at
> all anyway.  Just be sure you don't feed it to any interpreters downstream.
>
> --Jeff
>
> Jeff Williams, CTO
> Aspect Security
> work: 410-707-1487
>
>
>
>
> On Oct 23, 2014, at 2:12 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
>
> It looks like the data you are actually validating is subject to multiple
> encodings - is it possible that whatever is sending the data is encoding it
> twice?
>
> You can still canonicalize without detecting the multiple-encoding by
> updating ESAPI.properties with the value
>
> Encoder.AllowMultipleEncoding=true
>
>
> On Thu, Oct 23, 2014 at 12:48 PM, Ricardo Iramar dos Santos
> <riramar at gmail.com> wrote:
>>
>> Hi All,
>>
>> This is my first post, so go easy on me.
>> My system receives a JSON from another system in an HTTP request in
>> order to create a user. This JSON has this format:
>>
>> {
>>     "id": "12345",
>>     "name": "username",
>>     "pasword": "123\u005casd"
>> }
>>
>> I'm using this Java code in order to validate this JSON content
>> against a pattern:
>>
>> Validator xpto = ESAPI.validator();
>> String validInput = xpto.getValidInput("JSON Validation",
>> Resquet_Body, "JSON-Pattern", 100, true);
>>
>> But I'm getting an exception in this part:
>>
>> 2014-10-23 15:37:37,637 ERROR -
>> org.owasp.esapi.reference.Log4JLogger.log(Log4JLogger.java:449)
>> [SECURITY FAILURE Anonymous:null at unknown ->
>> /ExampleApplication/IntrusionException] INTRUSION - Multiple (2x)
>> encoding detected
>>
>> I'm using the default ESAPI.properties
>> (https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties).
>> It seems that the error occurs because I'm trying to canonicalize the
>> input. If I disable it with this code, it works:
>>
>> String validInput = xpto.getValidInput("JSON Validation",
>> Resquet_Body, "JSON-Pattern", 100, true, false);
>>
>> I'm afraid that I solved this problem but created a new security issue.
>> I'm not sure about that.
>> As it is an input, is it correct? All my outputs are canonicalized
>> (encoded).
>>
>> Thanks
>> Ricardo Iramar
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
>
>
> --
> Chris Schmidt
>
> OWASP ESAPI Developer
> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>
> Check out OWASP ESAPI for Java
> http://code.google.com/p/owasp-esapi-java/
>
> OWASP ESAPI for JavaScript
> http://code.google.com/p/owasp-esapi-js/
>
> Yet Another Developers Blog
> http://yet-another-dev.blogspot.com
>
> Bio and Resume
> http://www.digital-ritual.net/resume.html
>
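A constructed Python model of the canonicalization loop this thread is about, added here as an illustration; it is not ESAPI's code and not from any of the posters. It shows why "123\u005casd" is reported as multiple (2x) encoding, why the second pass turns "\a" into "a", and what changes when the JSON is parsed before the field is canonicalized. The codec functions, `canonicalize`, `js_decode`, `RAW_BODY` and `canonicalize_parsed_field` are simplified stand-ins chosen for this example, not ESAPI's API.

```python
import html
import json
import re
from urllib.parse import unquote

# Constructed model of the ESAPI reference canonicalize() loop (not ESAPI's own
# code): every codec runs in turn, pass after pass, until none changes the input.
_JS_ESCAPE = re.compile(r'\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|.)', re.DOTALL)
_JS_SIMPLE = {'b': '\b', 't': '\t', 'n': '\n', 'v': '\v', 'f': '\f', 'r': '\r'}

def js_decode(s):
    """JavaScript backslash codec: \\uXXXX, \\xXX and the usual letters decode;
    an unknown escape such as \\a yields just the character after the slash."""
    def sub(m):
        e = m.group(1)
        if len(e) > 1:                      # \uXXXX or \xXX
            return chr(int(e[1:], 16))
        return _JS_SIMPLE.get(e, e)         # \a -> a (this is the "removed backslash")
    return _JS_ESCAPE.sub(sub, s)

CODECS = {'HTMLEntityCodec': html.unescape, 'PercentCodec': unquote,
          'JavaScriptCodec': js_decode}

def canonicalize(inp, codec_names=tuple(CODECS)):
    """Return (decoded, found_count, mixed). found_count counts passes in which a
    codec changed the input; with restrictMultiple, ESAPI raises at >= 2."""
    working, found, last_codec, mixed, clean = inp, 0, None, False, False
    while not clean:
        clean = True
        for name in codec_names:
            old, working = working, CODECS[name](working)
            if old != working:
                if last_codec is not None and last_codec != name:
                    mixed = True            # two different codecs applied
                last_codec = name
                if clean:
                    found += 1              # first change in this pass
                clean = False
    return working, found, mixed

# Constructed request body mirroring the JSON from the thread (key as spelled there).
RAW_BODY = '{"id": "12345", "name": "username", "pasword": "123\\u005casd"}'

def canonicalize_parsed_field(codec_names=tuple(CODECS)):
    """Let the JSON parser resolve \\u005c first, then canonicalize only the
    field value: one decoding layer is left, so no multiple-encoding alarm."""
    return canonicalize(json.loads(RAW_BODY)["pasword"], codec_names)
```

Canonicalizing the raw body, as the original post does, needs two passes (\u005c then \a), which is exactly the 2x report; parsing first leaves one pass, and restricting the codec list to HTML and Percent leaves the value untouched, which is the behaviour to expect when Encoder.DefaultCodecList is actually applied.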