[Esapi-user] Interface Validator getValidInput

Jeff Williams jeff.williams at aspectsecurity.com
Fri Oct 24 12:28:45 UTC 2014


Ah... \a is actually an escaped a in the CSS codec (I think). Try constructing your own Encoder with a list of Codecs.

--Jeff


> On Oct 24, 2014, at 6:57 AM, Ricardo Iramar dos Santos <riramar at gmail.com> wrote:
> 
> Hi Jeff,
> 
> Thanks for your reply.
> I don't think that ESAPI is canonicalizing \a to LF because actually
> it's only removing the \ from the string. Take a look:
> 
> First time (that's OK!):
> "123\u005casd" -> "123\asd"
> 
> Second time (no idea why the backslash was removed):
> "123\asd" -> "123asd"
> 
> It seems a bug.
> I also tried to leave only two codecs, HTML and Percent, in
> ESAPI.properties (Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec),
> but it wasn't reflected in the encoder. The encoder is always
> using 3 codecs: HTML, Percent and JavaScript.
> In order to check if the whole configuration is working I tried to
> change from "Encoder.AllowMultipleEncoding=false" to
> "Encoder.AllowMultipleEncoding=true" and it took effect.
> Am I doing something wrong? Could it be a second bug?
> 
> Thanks
> Ricardo
> 
> On Fri, Oct 24, 2014 at 12:33 AM, Jeff Williams
> <jeff.williams at aspectsecurity.com> wrote:
>> I believe ESAPI is canonicalizing the \u005c to \ and then the resulting \a
>> is being canonicalized to a LF.  ESAPI detects this as double encoded data
>> and flags the attack. In fact this could be an attack depending on the
>> downstream decoders and interpreters...like a log injection or response
>> splitting.
>> 
>> This can happen if you don't choose the right codecs for your Encoder before
>> you use it to canonicalize.
>> 
>> If this is really a password, then you probably shouldn't canonicalize at
>> all anyway.  Just be sure you don't feed it to any interpreters downstream.
>> 
>> --Jeff
>> 
>> Jeff Williams, CTO
>> Aspect Security
>> work: 410-707-1487
>> 
>> 
>> 
>> 
>> On Oct 23, 2014, at 2:12 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
>> 
>> It looks like the data you are actually validating is subject to multiple
>> encodings - is it possible that whatever is sending the data is encoding it
>> twice?
>> 
>> You can still canonicalize without detecting the multiple-encoding by
>> updating ESAPI.properties with the value
>> 
>> Encoder.AllowMultipleEncoding=true
>> 
>> 
>> On Thu, Oct 23, 2014 at 12:48 PM, Ricardo Iramar dos Santos
>> <riramar at gmail.com> wrote:
>>> 
>>> Hi All,
>>> 
>>> This is my first post so take it easy with me.
>>> My system receives a JSON from another system in an HTTP request in
>>> order to create a user. This JSON has this format:
>>> 
>>> {
>>>    "id": "12345",
>>>    "name": "username",
>>>    "pasword": "123\u005casd"
>>> }
>>> 
>>> I'm using this Java code in order to validate this JSON content
>>> against a pattern:
>>> 
>>> Validator xpto = ESAPI.validator();
>>> // context, input, Validator.JSON-Pattern type, maxLength, allowNull
>>> String validInput = xpto.getValidInput("JSON Validation",
>>>     requestBody, "JSON-Pattern", 100, true);
>>> 
>>> But I get an exception in this part:
>>> 
>>> 2014-10-23 15:37:37,637 ERROR -
>>> org.owasp.esapi.reference.Log4JLogger.log(Log4JLogger.java:449)
>>> [SECURITY FAILURE Anonymous:null at unknown ->
>>> /ExampleApplication/IntrusionException] INTRUSION - Multiple (2x)
>>> encoding detected
>>> 
>>> I'm using the default ESAPI.properties
>>> 
>>> (https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties).
>>> It seems that the error occurs because I'm trying to canonicalize the
>>> input. If I disable it with this code it works:
>>> 
>>> // same call, with the sixth argument canonicalize=false
>>> String validInput = xpto.getValidInput("JSON Validation",
>>>     requestBody, "JSON-Pattern", 100, true, false);
>>> 
>>> I'm afraid that I've solved this problem but created a new security issue.
>>> I'm not sure about that.
>>> As it is an input, is it correct? All my outputs are canonicalized
>>> (encoded).
>>> 
>>> Thanks
>>> Ricardo Iramar
>>> _______________________________________________
>>> Esapi-user mailing list
>>> Esapi-user at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-user
>> 
>> 
>> 
>> 
>> --
>> Chris Schmidt
>> 
>> OWASP ESAPI Developer
>> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>> 
>> Check out OWASP ESAPI for Java
>> http://code.google.com/p/owasp-esapi-java/
>> 
>> OWASP ESAPI for JavaScript
>> http://code.google.com/p/owasp-esapi-js/
>> 
>> Yet Another Developers Blog
>> http://yet-another-dev.blogspot.com
>> 
>> Bio and Resume
>> http://www.digital-ritual.net/resume.html
>> 
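The behaviour discussed in this thread, as an added example (not code from the thread or from the ESAPI project): it canonicalizes the raw password value "123\u005casd" with the default codec list, strict and lenient, and then with an Encoder built in code from only the HTML entity and percent codecs, which is what Jeff suggests above. It assumes ESAPI 2.1.x with a default ESAPI.properties and the public DefaultEncoder(List<String>) constructor; the class name, the helper methods and the sample inputs are mine.

```java
import java.util.Arrays;
import java.util.List;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.reference.DefaultEncoder;

/*
 * Added example, not code from the thread or from the ESAPI project.
 * Assumes ESAPI 2.1.x on the classpath with a default ESAPI.properties
 * (Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec)
 * and the public DefaultEncoder(List<String> codecNames) constructor.
 */
public class CodecListDemo {

    /*
     * Constructed sample: the password value exactly as it sits in the raw
     * request body. The Java literal doubles the backslash, so the String
     * holds the six characters \ u 0 0 5 c followed by "asd".
     */
    static final String RAW_PASSWORD = "123\\u005casd";

    /* Canonicalize and report an intrusion as text instead of throwing. */
    static String canonicalizeOrReport(Encoder encoder, String input,
                                       boolean restrictMultiple) {
        try {
            // restrictMultiple=true is what Encoder.AllowMultipleEncoding=false
            // gives you through ESAPI.validator(); mixed encoding stays strict.
            return encoder.canonicalize(input, restrictMultiple, true);
        } catch (IntrusionException e) {
            return "INTRUSION: " + e.getLogMessage();
        }
    }

    /* Encoder built in code from an explicit codec list (short-hand names). */
    static Encoder encoderWithCodecs(String... codecNames) {
        List<String> names = Arrays.asList(codecNames);
        return new DefaultEncoder(names);
    }

    public static void main(String[] args) {
        Encoder defaults = ESAPI.encoder();

        // 1. Default codec list, strict. JavaScriptCodec turns \u005c into a
        //    backslash on the first pass; on the second pass the resulting \a
        //    is an escape it does not recognise, so it drops the backslash
        //    and keeps the 'a'. Two passes changed the string, which is the
        //    "Multiple (2x) encoding detected" intrusion from the log.
        System.out.println("defaults, strict : "
                + canonicalizeOrReport(defaults, RAW_PASSWORD, true));

        // 2. Same codecs with multiple encoding allowed: no exception, but
        //    the value handed to the pattern check is "123asd", which is not
        //    the password the caller sent.
        System.out.println("defaults, lenient: "
                + canonicalizeOrReport(defaults, RAW_PASSWORD, false));

        // 3. Encoder limited to HTML entity and percent decoding. Neither
        //    codec handles backslash escapes, so the value passes through
        //    unchanged and no intrusion is raised.
        Encoder htmlAndPercent = encoderWithCodecs("HTMLEntityCodec", "PercentCodec");
        System.out.println("HTML+Percent     : "
                + canonicalizeOrReport(htmlAndPercent, RAW_PASSWORD, true));

        // 4. A genuinely percent-encoded value (constructed) is still
        //    normalised by the restricted encoder, so the decoding you do
        //    want is kept while JavaScript-style escapes are left alone.
        System.out.println("HTML+Percent, %2F: "
                + canonicalizeOrReport(htmlAndPercent, "a%2Fb", true));
    }
}
```

Two things worth keeping in mind when applying this to the JSON body in the original question. First, \u005c is a JSON string escape for a single backslash, so running canonicalization with the JavaScript codec over the raw body is effectively decoding JSON escapes by hand; parsing the body with a JSON parser first and validating the individual fields avoids that overlap entirely. Second, as Jeff notes, a password should not be canonicalized at all: validate its length and character class if you must, then hash it and make sure it never reaches an interpreter downstream.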