[Esapi-user] canonicalizing troubles

Jeff Williams jeff.williams at aspectsecurity.com
Thu Jan 14 23:59:12 UTC 2016

The problem is that some browsers (and I haven't tested in years) allow HTML entities without the semi-colon. What if an attack sneaks through using non-terminated entities?  Do you need to canonicalize the whole querystring?  Maybe you could getParameter and canonicalize individually.

From: Greene, Geoffrey N <geoffrey.n.greene at boeing.com>
Sent: Thursday, January 14, 2016 5:27 PM
Subject: [Esapi-user] canonicalizing troubles
To: <esapi-user at lists.owasp.org>

I have been having some difficulty canonicalizing:

Consider this string:

When ESAPI canonicalizes this string, it incorrectly sees &NE and thinks this is encoded, so it translates this as a.go?OLD=b≠W=c – that’s the not equals symbol – it doesn’t seem to realize that it should be looking for the additional semicolon, and so it treats &NEW as <not-equals>W

There are other examples of this, but &NEW seems like a common parameter name to have

Here’s an example of a test:

    import static org.junit.Assert.assertEquals;
    import org.junit.Test;
    import org.owasp.esapi.ESAPI;

    @Test
    public void esapiTest() {
        String input2 = "a.go?OLD=b&NEW=c"; // "&NE" gets read as an entity even without the semicolon
        String canon = ESAPI.encoder().canonicalize(input2);
        assertEquals(input2, canon); // fails: canon comes back as "a.go?OLD=b≠W=c"
    }

As a result, all my calls to request.getQueryString() fail when my parameter names start with certain characters because it doesn’t canonicalize properly.

Any thoughts?
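One way to apply the per-parameter approach suggested in the reply above, as an added example (not code from the thread or from ESAPI itself): split the raw query string on its delimiters first, then canonicalize each name and value separately so the '&' never sits in front of a parameter name when the entity codec sees it. It assumes ESAPI 2.x and its ESAPI.properties are on the classpath; QueryCanonicalizer and canonicalizeParams are hypothetical names.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.owasp.esapi.ESAPI;

public class QueryCanonicalizer {

    /**
     * Split the raw query string on '&' and '=' before canonicalizing, then
     * canonicalize each token on its own. Because the '&' delimiter is consumed
     * by the split, a name such as NEW can no longer be misread as "&NE" + "W".
     * Strict mode makes ESAPI throw IntrusionException on multiple or mixed
     * encodings instead of silently decoding them.
     */
    public static Map<String, String> canonicalizeParams(String queryString) {
        Map<String, String> params = new LinkedHashMap<>();
        if (queryString == null || queryString.isEmpty()) {
            return params;
        }
        for (String pair : queryString.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            String rawValue = eq < 0 ? "" : pair.substring(eq + 1);
            // canonicalize() already runs the percent codec, so no separate
            // URL decoding here; that would decode each token twice.
            String name = ESAPI.encoder().canonicalize(rawName, true);
            String value = ESAPI.encoder().canonicalize(rawValue, true);
            params.put(name, value);
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample: the query string from the thread, without the path.
        Map<String, String> params = canonicalizeParams("OLD=b&NEW=c");
        for (Map.Entry<String, String> e : params.entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
    }
}
```

Behind a servlet container the same idea applies to request.getParameterMap(): canonicalize each key and value rather than the output of request.getQueryString().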

