[Esapi-user] Canonicalization and ESAPI's Input Validation Layer

Jim Manico jim.manico at owasp.org
Wed Sep 3 22:10:44 UTC 2014


Well we have the JSON Sanitizer which could be integrated:

https://www.owasp.org/index.php/OWASP_JSON_Sanitizer

Aloha,
Jim



On 8/31/14, 9:05 PM, Fabio Cerullo wrote:
> Jeff
>
> How difficult would it be to implement a JSON validator in ESAPI? 
> Would that address the concerns raised by Jim?
>
> Thanks
> Fabio
>
> On Saturday, August 30, 2014, Jeff Williams 
> <jeff.williams at aspectsecurity.com 
> <mailto:jeff.williams at aspectsecurity.com>> wrote:
>
>     Hi Jerry,
>
>     Imagine a JSON value containing an escaped quote.  Canonicalizing
>     would unescape it and break the syntax. We don't have a json
>     codec, so this is only a problem because it is very similar to CSS
>     escaping syntax.
>
>     That's why you shouldn't attempt to canonicalize or validate
>     complex data without a specialized library like AntiSamy.  Which
>     is wrapped in the getValidSafeHTML() method in ESAPI.  We don't
>     yet have a method to get valid safe JSON.
>
>     --Jeff
>
>
>     On Aug 30, 2014, at 12:57 PM, "Jerry Hoff" <jerryhoff at gmail.com
>     <javascript:_e(%7B%7D,'cvml','jerryhoff at gmail.com');>> wrote:
>
>>     Interesting discussion gentlemen!
>>
>>     Jim - could you provide an example where canonicalization breaks
>>     html and json input?  I want to make sure I am following correctly.
>>
>>     Thank you,
>>     Jerry
>>
>>     On Aug 30, 2014, at 19:39, Jim Manico <jim.manico at owasp.org
>>     <javascript:_e(%7B%7D,'cvml','jim.manico at owasp.org');>> wrote:
>>
>>>     So what is the line drawn between an attack and acceptably
>>>     encoded data in ESAPI?
>>>
>>>     Canonicalization also "breaks" some input types (html, json,
>>>     etc) so canonicalization of .all. input is equally idiotic.
>>>     (which is why all of ESAPI's IV functions can disable
>>>     canonicalization)
>>>
>>>     --
>>>     Jim Manico
>>>     @Manicode
>>>     (808) 652-3805
>>>
>>>     On Aug 30, 2014, at 5:07 AM, Jeff Williams
>>>     <jeff.williams at aspectsecurity.com
>>>     <javascript:_e(%7B%7D,'cvml','jeff.williams at aspectsecurity.com');>>
>>>     wrote:
>>>
>>>>     There are many situations in which apps get encoded data that
>>>>     does not represent an attack. However, any kind of multiply
>>>>     encoded data is clearly an attack.  So the line we drew in
>>>>     ESAPI is, I think, the right one. We only throw an intrusion
>>>>     detection whenever there is absolutely a clear attack.
>>>>      Otherwise we clean up and try to make the data work.
>>>>
>>>>     Turning off canonicalization, for the vast majority of inputs
>>>>     would be idiotic.  You simply can't reliably validate encoded
>>>>     data. If you follow this plan, the only CVE you will need to
>>>>     worry about is "Canonicalize, Validate, Escape"
>>>>
>>>>     --Jeff
>>>>
>>>>
>>>>     On Aug 30, 2014, at 3:22 AM, "Fabio Cerullo"
>>>>     <fcerullo at gmail.com
>>>>     <javascript:_e(%7B%7D,'cvml','fcerullo at gmail.com');>> wrote:
>>>>
>>>>>     Hi
>>>>>
>>>>>     What about someone who "needs" encoded data to be accepted by
>>>>>     the webapp?
>>>>>
>>>>>     For example, a web form with a field that is used for
>>>>>     completion percentage of something. So in that field you could
>>>>>     input "80% complete".
>>>>>
>>>>>     That would be a legit case of canonicalise first, and then
>>>>>     validate because that value needs to be stored as it is.
>>>>>
>>>>>     I believe the approach taken by ESAPI is: treat everything as
>>>>>     potentially malicious, canonicalise just in case, and then
>>>>>     validate  all entries.
>>>>>
>>>>>     Otherwise, how would you differentiate between an attack and a
>>>>>     valid entry in example above?
>>>>>
>>>>>     Fabio
>>>>>
>>>>>     On Friday, August 29, 2014, Jim Manico <jim.manico at owasp.org
>>>>>     <javascript:_e(%7B%7D,'cvml','jim.manico at owasp.org');>> wrote:
>>>>>
>>>>>         Or even better, if encoded data is detected, even if
>>>>>         things like %80 get rejected, I prefer to reject right
>>>>>         then and there. Pretty sure we Cannonicalize before we
>>>>>         validate though, what code are you looking at?
>>>>>
>>>>>         Aloha,
>>>>>         --
>>>>>         Jim Manico
>>>>>         @Manicode
>>>>>         (808) 652-3805
>>>>>
>>>>>         On Aug 29, 2014, at 6:26 AM, Matt Seil <mseil at acm.org> wrote:
>>>>>
>>>>>>         In the context of your question Jim, I think it makes
>>>>>>         more sense to canonicalize BEFORE you validate--not the
>>>>>>         other way around.  I noticed too, that all the
>>>>>>         "getValidInput" methods call Encoder.canonicalize()
>>>>>>         /after/ validation and meant to ask why we would want
>>>>>>         that approach.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>         On Wed, Aug 27, 2014 at 6:51 PM, Jim Manico
>>>>>>         <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>             ESAPI community,
>>>>>>
>>>>>>             I am very concerned about the design of the ESAPI
>>>>>>             validation layer and how it handles canonicalization
>>>>>>             for API's like:
>>>>>>
>>>>>>             |*isValidInput
>>>>>>             <https://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/reference/DefaultValidator.html#isValidInput%28java.lang.String,%20java.lang.String,%20java.lang.String,%20int,%20boolean%29>*(java.lang.String context,
>>>>>>             java.lang.String input, java.lang.String type,
>>>>>>             int maxLength, boolean allowNull)|
>>>>>>
>>>>>>             Right now, before validation, ESAPI will try to
>>>>>>             decode user input to it's normalized form and THEN it
>>>>>>             will try to validate the input.
>>>>>>             http://owasp-esapi-java.googlecode.com/svn/trunk/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java
>>>>>>
>>>>>>             This seems rather dangerous in that encoded attacks
>>>>>>             will be "fixed" and will not alert of potential
>>>>>>             malicious input. If input is detected to be encoded,
>>>>>>             then I would suggest that we throw an
>>>>>>             IntrusionDetectionException and stop processing. Why
>>>>>>             do we "clean up" encoded data and then validate in
>>>>>>             these API's?
>>>>>>
>>>>>>             Aloha,
>>>>>>             Jim
>>>>>>
>>>>>>             PS: You certainly can disable canonicalization as it
>>>>>>             stands today via:
>>>>>>
>>>>>>             |*isValidInput
>>>>>>             <https://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/reference/DefaultValidator.html#isValidInput%28java.lang.String,%20java.lang.String,%20java.lang.String,%20int,%20boolean,%20boolean%29>*(java.lang.String context,
>>>>>>             java.lang.String input, java.lang.String type,
>>>>>>             int maxLength, boolean allowNull,
>>>>>>             _*boolean canonicalize*_)|
>>>>>>
>>>>>>
>>>>>>             _______________________________________________
>>>>>>             Esapi-dev mailing list
>>>>>>             Esapi-dev at lists.owasp.org
>>>>>>             https://lists.owasp.org/mailman/listinfo/esapi-dev
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>         -- 
>>>>>>         Matt Seil
>>>>>>         Software Engineer
>>>>>>         ACM/IEEE
>>>>>
>>>>>     _______________________________________________
>>>>>     Esapi-user mailing list
>>>>>     Esapi-user at lists.owasp.org
>>>>>     <javascript:_e(%7B%7D,'cvml','Esapi-user at lists.owasp.org');>
>>>>>     https://lists.owasp.org/mailman/listinfo/esapi-user
>>>     _______________________________________________
>>>     Esapi-dev mailing list
>>>     Esapi-dev at lists.owasp.org
>>>     <javascript:_e(%7B%7D,'cvml','Esapi-dev at lists.owasp.org');>
>>>     https://lists.owasp.org/mailman/listinfo/esapi-dev
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20140903/21c50251/attachment.html>


More information about the Esapi-user mailing list