[Esapi-user] canonicalizing troubles

Jeff Williams jeff.williams at aspectsecurity.com
Thu Jan 14 23:59:12 UTC 2016


The problem is that some browsers (and I haven't tested in years) allow HTML entities without the semi-colon. What if an attack sneaks through using non-terminated entities? Do you have to canonicalize the whole querystring? Maybe you could getParameter and canonicalize individually.

--Jeff
_____________________________
From: Greene, Geoffrey N <geoffrey.n.greene at boeing.com>
Sent: Thursday, January 14, 2016 5:27 PM
Subject: [Esapi-user] canonicalizing troubles
To: <esapi-user at lists.owasp.org>


I have been having some difficulty canonicalizing:

Consider this string:
"a.go?OLD=b&NEW=c"

When ESAPI canonicalizes this string, it incorrectly sees &NE and thinks this is encoded, so it translates this as
a.go?OLD=b≠W=c – that’s the not equals symbol – it doesn’t seem to realize that it should be looking for the additional semicolon, and so it treats &NEW as <not-equals>W


There may be other examples of this, but &NEW seems like a common parameter name to have.

Here’s an example of a test:

    import static org.junit.Assert.assertEquals;
    import org.junit.Test;
    import org.owasp.esapi.ESAPI;

    public class EsapiCanonicalizeTest
    {
        @Test
        public void esapiTest()
        {
            // "&NE" in "&NEW" is decoded as the entity &ne; even with no semicolon, so this fails
            String input2 = "a.go?OLD=b&NEW=c";

            String canon = ESAPI.encoder().canonicalize(input2);
            assertEquals(input2, canon);
        }
    }

As a result, all my calls to request.getQueryString() fail when my parameter names start with certain characters because it doesn’t canonicalize properly.

Any thoughts?

Thanks
-geoff
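The two approaches Jeff contrasts, canonicalizing the whole query string versus splitting it first and canonicalizing each parameter on its own, as an added example that is not part of either message and not ESAPI's code. Python's html.unescape is used in place of ESAPI's decoder because it applies the same rule browsers do: the legacy entity names (amp, lt, gt, copy, not, reg, ...) are decoded even without a trailing semicolon. It does not reproduce the exact &NEW case from the post (it only matches the legacy names, case-sensitively), so the constructed query strings below use parameter names such as notify and copy, which are on that list; the inputs are the part after '?', as getQueryString() returns it. The function names are mine.

```python
"""Added example (not ESAPI's code): canonicalizing a whole query string
versus canonicalizing each parameter separately.

Python's html.unescape applies the same rule browsers do for the legacy
HTML entity names (amp, lt, gt, copy, not, reg, ...): they are decoded even
when the trailing ';' is missing.  Any decoder with that rule will corrupt
a parameter name that starts with one of those names when it is run over
the raw query string.  The query strings below are constructed for
illustration; they are the part after '?', as getQueryString() returns it.
"""
import html
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote


def canonicalize_whole(query: str) -> str:
    """Decode the raw query string in one pass (percent-decoding, then
    entity decoding).  This is the anti-pattern from the thread: '&notify'
    is read as the legacy entity '&not' followed by 'ify'."""
    return html.unescape(unquote(query))


def split_after_whole_decode(query: str) -> List[Tuple[str, str]]:
    """Worse still, decoding before splitting lets a value smuggle in extra
    parameters: a percent-encoded '&' or '=' inside a value becomes a real
    separator once it has been decoded."""
    pairs = []
    for part in canonicalize_whole(query).split("&"):
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def canonicalize_per_parameter(query: str) -> List[Tuple[str, str]]:
    """Split on '&' and '=' *before* any decoding, then canonicalize each
    name and value on its own.  A parameter name is never preceded by '&'
    when it is decoded, so it cannot be misread as an entity, while an
    entity smuggled inside a value (terminated or not) is still decoded
    and can be validated in its canonical form."""
    pairs = parse_qsl(query, keep_blank_values=True)  # percent-decodes once
    return [(html.unescape(name), html.unescape(value)) for name, value in pairs]


def altered_parameter_names(query: str) -> List[str]:
    """Parameter names that entity decoding changed.  Legitimate names are
    plain identifiers, so any change means the request carried encoded
    bytes where none belong; reject or log such requests rather than guess."""
    raw_names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [name for name in raw_names if html.unescape(name) != name]


if __name__ == "__main__":
    q = "OLD=b&notify=1&copy=2"
    print(canonicalize_whole(q))                                     # OLD=b¬ify=1©=2
    print(canonicalize_per_parameter(q))                             # names survive intact
    print(split_after_whole_decode("next=%2Fhome%26role%3Dadmin"))   # extra role=admin appears
    print(canonicalize_per_parameter("next=%2Fhome%26role%3Dadmin")) # stays one parameter
    print(canonicalize_per_parameter("q=%26ltscript"))               # [('q', '<script')]
    print(altered_parameter_names("OLD=b&%26notify=1"))              # ['&notify']
```

Note that canonicalize_per_parameter still decodes the non-terminated "&ltscript" inside a value, so the attack Jeff worries about is not missed; it is only the parameter names that are protected from being misread, because they are never adjacent to an '&' by the time they are decoded.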

