<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=WordSection1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>So this is good, right?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> augustd
[mailto:augustd@codemagi.com] <br>
<b>Sent:</b> Monday, September 27, 2010 5:28 PM<br>
<b>To:</b> Esapi-user@lists.owasp.org<br>
<b>Cc:</b> Jim Manico<br>
<b>Subject:</b> Re: [Esapi-user] disabling logging<o:p></o:p></span></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'>I have a report from one of my
users of IntrusionDetector.Disable not working also: <br>
<br>
<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I
have an exception coming from the Intrusion Detection in ESAPI; I tried
disabling it with: <o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;
IntrusionDetector.Disable=true<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>But
that doesn&#8217;t seem to be working.&nbsp; The problem is with a cookie value that
we have.&nbsp; It seems to be double encoded and the Intrusion Detection throws
an exception so the loading of the page fails.<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Here&#8217;s
the exception<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>

<pre style='font-size:10.0pt;font-family:"Courier New"'>2010-09-27 18:00:50,811 INFO  [STDOUT] 2010-09-27 18:00:50,810 ERROR [some.server.com%2F12.34.56.78-8009-1] Log4JLogFactory$Log4JLogger - [SECURITY FAILURE Anonymous:null@unknown -&gt; some.server.com:443/ExampleApplication/IntrusionException] INTRUSION - Multiple (2x) encoding detected in XXXXXXXXXXXXXXXXXXXXX
2010-09-27 18:00:50,812 INFO  [STDOUT] 2010-09-27 18:00:50,811 ERROR [some.server.com.com%2F12.34.56.78-8009-1] Log4JLogFactory$Log4JLogger - [SECURITY FAILURE Anonymous:null@unknown -&gt; some.server.com:443/ExampleApplication/com.server.some.SecurityWrapper] Error in SecurityWrapper: Input validation failure
org.owasp.esapi.errors.IntrusionException: Input validation failure
        at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:169)
        at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
        at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:290)
        at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:173)
</pre>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I
dug into the code and it looks like StringValidationRule.getValid( String
context, String input ) calls the one-argument
DefaultEncoder.canonicalize(String input) which automatically enforces strict
intrusion detection regardless of the value in ESAPI.properties. <o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-August
<o:p></o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><o:p>&nbsp;</o:p></p>
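<p class=MsoNormal>August&#8217;s diagnosis above, modelled in Python as an added example (not ESAPI code and not from any poster in this thread): a canonicalizer whose strictness defaults to on, a one-argument call path that ignores the configured IntrusionDetector.Disable, and a corrected call path that derives strictness from the property. ESAPI_PROPERTIES, the function names and the cookie value are constructed stand-ins.</p>

```python
# Added example (not ESAPI code): a model of why IntrusionDetector.Disable is
# ignored when the one-argument canonicalize overload makes the strictness choice.
import re

class IntrusionException(Exception):
    """Stand-in for org.owasp.esapi.errors.IntrusionException."""

# Constructed stand-in for ESAPI.properties, with the setting the thread uses.
ESAPI_PROPERTIES = {"IntrusionDetector.Disable": "true"}

def _percent_decode_once(value):
    """Decode one layer of %XX escapes; anything else is left untouched."""
    return re.sub(r"%[0-9A-Fa-f]{2}", lambda m: chr(int(m.group(0)[1:], 16)), value)

def canonicalize(value, strict=True):
    """Decode until the value stops changing. In strict mode, needing more than
    one pass is the 'Multiple (2x) encoding detected' intrusion from the log."""
    passes, current = 0, value
    while True:
        decoded = _percent_decode_once(current)
        if decoded == current:
            break
        passes, current = passes + 1, decoded
    if strict and passes > 1:
        raise IntrusionException("Multiple (%dx) encoding detected" % passes)
    return current

def intrusion_detection_disabled():
    return ESAPI_PROPERTIES.get("IntrusionDetector.Disable", "false").lower() == "true"

def get_valid_buggy(context, value):
    # August's diagnosis: the one-argument overload is used, so the strict default wins.
    return canonicalize(value)

def get_valid_fixed(context, value):
    # Same rule, but strictness comes from configuration instead of the overload default.
    return canonicalize(value, strict=not intrusion_detection_disabled())

def raises_intrusion(fn, *args):
    """True when fn(*args) raises IntrusionException."""
    try:
        fn(*args)
    except IntrusionException:
        return True
    return False

if __name__ == "__main__":
    cookie = "session%253Dabc%2541"  # constructed double-encoded value, decodes to session=abcA
    print("buggy raises:", raises_intrusion(get_valid_buggy, "cookie", cookie))
    print("fixed result:", get_valid_fixed("cookie", cookie))
```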

<div>

<p class=MsoNormal>On Fri, Sep 24, 2010 at 6:59 AM, Saad Shakil &lt;<a
href="mailto:sshakil@rim.com">sshakil@rim.com</a>&gt; wrote:<o:p></o:p></p>

<div>

<div>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>But intrusion detection sounds like something I should be
keeping :)</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>Other than validation against the regex, what else does
IntrusionDetector do?</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>&nbsp;</span><o:p></o:p></p>

<div>

<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'> Jim
Manico [mailto:<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>]
<br>
<b>Sent:</b> Thursday, September 23, 2010 8:36 PM<br>
<b>To:</b> Saad Shakil; <a href="mailto:Esapi-user@lists.owasp.org"
target="_blank">Esapi-user@lists.owasp.org</a><br>
<b>Subject:</b> RE: [Esapi-user] disabling logging</span><o:p></o:p></p>

</div>

</div>

<div>

<div>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>Yes, just disable Intrusion Detection and this problem
should go away. To do that, please just add the following to your copy of
ESAPI.properties</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-size:10.0pt;font-family:"Courier New";color:black'>IntrusionDetector.Disable=</span><span
style='font-size:10.0pt;font-family:"Courier New";color:#2A00FF'>true</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='color:#1F497D'>&nbsp;</span><o:p></o:p></p>

<div>

<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span
style='font-size:10.0pt'>From:</span></b><span style='font-size:10.0pt'> <a
href="mailto:esapi-user-bounces@lists.owasp.org" target="_blank">esapi-user-bounces@lists.owasp.org</a>
[mailto:<a href="mailto:esapi-user-bounces@lists.owasp.org" target="_blank">esapi-user-bounces@lists.owasp.org</a>]
<b>On Behalf Of </b>Saad Shakil<br>
<b>Sent:</b> Thursday, September 23, 2010 10:38 AM<br>
<b>To:</b> <a href="mailto:Esapi-user@lists.owasp.org" target="_blank">Esapi-user@lists.owasp.org</a><br>
<b>Subject:</b> [Esapi-user] disabling logging</span><o:p></o:p></p>

</div>

</div>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I
tried setting &lt;priority value =&quot;off&quot; /&gt; in log4j.xml, but still
noticed an IntrusionDetector SECURITY FAILURE on a validation exception that I
catch in my code.<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Secondly,
separate validation and intrusion exceptions become redundant if a third
IntrusionDetector exception is already thrown.&nbsp; IntrusionDetector.class reads: <o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&#8220;<span
style='font-size:10.0pt;font-family:"Courier New";color:#3F5FBF'>This method
should immediately log the exception so that developers throwing an
IntrusionException do not have to remember to log every error.&#8221;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;I
understand that the way we can catch an attack is through validation failure,
but what distinguishes a harmless error from an actual attack? &nbsp;Right
now, I have it so that I violate the default &#8216;AccountName&#8217; rule by trying to
update the value to one that is of length 2 characters, when the min is three
&#8230;{3,100}$.&nbsp; I haven&#8217;t dug deep inside ESAPI code, but this shouldn&#8217;t be
treated as an exception in my case, rather just an invalid input.&nbsp; And I&#8217;d
like to change the logging to reflect that, and the event&#8217;s handling too if
possible.&nbsp; Any idea on how I can go about doing this?<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks.<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-S<o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>---------------------------------------------------------------------
<br>
This transmission (including any attachments) may contain confidential
information, privileged material (including material protected by the
solicitor-client or other applicable privileges), or constitute non-public
information. Any use of this information by anyone other than the intended
recipient is prohibited. If you have received this transmission in error,
please immediately reply to the sender and delete this information from your
system. Use, dissemination, distribution, or reproduction of this transmission
by unintended recipients is not authorized and may be unlawful. <o:p></o:p></p>

</div>

</div>

</div>

<div>

<div>


</div>

</div>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
Esapi-user mailing list<br>
<a href="mailto:Esapi-user@lists.owasp.org">Esapi-user@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/esapi-user" target="_blank">https://lists.owasp.org/mailman/listinfo/esapi-user</a><o:p></o:p></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

</body>

</html>