[Esapi-user] canonicalizing troubles
jeff.williams at aspectsecurity.com
Thu Jan 14 23:59:12 UTC 2016
The problem is that some browsers (and I haven't tested in years) allow HTML entities without the semi-colon. What if an attack sneaks through using non-terminated entities? Do you have to canonicalize the whole querystring? Maybe you could getParameter and canonicalize individually.
From: Greene, Geoffrey N <geoffrey.n.greene at boeing.com>
Sent: Thursday, January 14, 2016 5:27 PM
Subject: [Esapi-user] canonicalizing troubles
To: <esapi-user at lists.owasp.org>
I have been having some difficulty canonicalizing:
Consider this string:
When ESAPI canonicalizes this string, it incorrectly sees &NE and thinks this is encoded, so it translates this as
a.go?OLD=b≠W=c – that’s the not equals symbol – it doesn’t seem to realize that it should be looking for the additional semicolon, and so it treats &NEW as <not-equals>W
There may be other examples of this, but &NEW seems like a common parameter name to have.
Here’s an example of a test:
import org.owasp.esapi.ESAPI;

public void esapiTest() {
    String input2 = "a.go?OLD=b&NEW=c";
    String canon = ESAPI.encoder().canonicalize(input2); // "&NE" is decoded as the not-equals entity, so canon != input2
}
As a result, all my calls to request.getQueryString() fail when my parameter names start with certain characters because it doesn’t canonicalize properly.
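As an added illustration of the two options Jeff raises (this is neither poster's code and not ESAPI's own HTMLEntityCodec), a toy Python decoder that accepts entity names without a terminating semicolon reproduces the mis-reading of &NEW from Geoffrey's test, and a per-parameter variant that splits on the raw delimiters before decoding, the way getParameter would, avoids it. The entity table and the query strings are constructed for the example.

```python
from urllib.parse import parse_qsl

# Constructed, deliberately small entity table for a toy decoder that mimics the
# behaviour described in the thread (entity names accepted without a terminating
# semicolon).  Illustrative code only, not ESAPI's HTMLEntityCodec.
LENIENT_ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "ne": "\u2260"}


def lenient_unescape(text):
    """Decode '&name;' and bare '&name', case-insensitively, longest name first,
    so '&NEW' is read as '&NE' + 'W': the not-equals sign followed by 'W'."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "&":
            out.append(text[i])
            i += 1
            continue
        j = i + 1
        while j < len(text) and text[j].isalpha():
            j += 1
        name = text[i + 1:j]
        match = None
        for k in range(len(name), 0, -1):          # longest prefix first
            if name[:k].lower() in LENIENT_ENTITIES:
                match = (k, LENIENT_ENTITIES[name[:k].lower()])
                break
        if match is None:                          # plain ampersand, keep it
            out.append("&")
            i += 1
            continue
        k, replacement = match
        end = i + 1 + k
        if end < len(text) and text[end] == ";":   # the semicolon is optional
            end += 1
        out.append(replacement)
        i = end
    return "".join(out)


def canonicalize_whole_query(url):
    """Decode the raw query string in one go: the failure mode from the thread,
    where the parameter name NEW is corrupted."""
    return lenient_unescape(url)


def canonicalize_per_parameter(url):
    """Jeff's alternative: split on the raw '&' and '=' first (parse_qsl also
    URL-decodes, as getParameter would), then canonicalize each name and value."""
    query = url.partition("?")[2]
    return [(lenient_unescape(k), lenient_unescape(v))
            for k, v in parse_qsl(query, keep_blank_values=True)]
```

Splitting first means a raw `&` can only ever be a parameter delimiter, while a non-terminated entity hidden inside a value (for instance via a percent-encoded ampersand) is still decoded once the value is looked at on its own.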