[Esapi-user] canonicalizing troubles

Greene, Geoffrey N geoffrey.n.greene at boeing.com
Fri Jan 15 14:23:25 UTC 2016


That’s an idea I guess. The real problem was that I wasn’t the one canonicalizing… it was deep inside of SecureResponseWrapper.getQueryString(), and I believe it was throwing a “multiple encoding error”, because I had &NEW=%3F or something like that.
I worked around it for my puposes by writing a getRawQueryString for this one case…but I still think it is incorrect, as there really isn’t a problem with that particular query string.

From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
Sent: Thursday, January 14, 2016 6:59 PM
To: Greene, Geoffrey N; esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] canonicalizing troubles

The problem is that some browsers (and I haven't tested in years) allow HTML entities without the semi-colon. What if an attack sneaks through using non-terminated entities?  Do you to canonicalize the whole querystring?  Maybe you could getParameter and canonicalize individually.
--Jeff
_____________________________
From: Greene, Geoffrey N <geoffrey.n.greene at boeing.com<mailto:geoffrey.n.greene at boeing.com>>
Sent: Thursday, January 14, 2016 5:27 PM
Subject: [Esapi-user] canonicalizing troubles
To: <esapi-user at lists.owasp.org<mailto:esapi-user at lists.owasp.org>>



I have been having some difficulty canonicalizing:

Consider this string:
"a.go?OLD=b&NEW=c"

When ESAPI canonicalizes this string, it incorrectly sees &NE and thinks this is encoded, so it translates this as
a.go?OLD=b≠W=c - that’s the not equals symbol - it doesn’t seem to realize that it should be looking for the additional semicolon, and so it treats &NEW as <not-equals>W


There are be other examples of this, but &NEW seems like a common parameter name to have

Here’s an example of a test:

    @Test
    public void esapiTest()
    {
         String input2 = "a.go?OLD=b&NEW=c";

        String canon =  ESAPI.encoder().canonicalize(input2);
        assertEquals(input2, canon);
    }

As a result, all my calls to request.getQueryString() fail when my parameter names start with certain characters because it doesn’t canonicalize properly.

Any thoughts?

Thanks
-geoff

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20160115/d4775ab8/attachment.html>


More information about the Esapi-user mailing list