[Java-project] Exception in SecurityWrapperRequest

Romi Awasthy romiawasthy at gmail.com
Tue Oct 30 15:40:22 UTC 2012


I am working on remediation of “HTTP response splitting flaw”

httpResponse.sendRedirect(redirect);



I am planning to use SecurityWrapperRequest to resolve it.

When I run my code, I get this exception:

org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 LogFactory class (org.owasp.esapi.reference.Log4JLogFactory2) must be in class path.


on this line of code:

HttpServletRequest httpRequest = new SecurityWrapperRequest((HttpServletRequest) request);



I am using the 2.0GA release, which does not have the org.owasp.esapi.reference.Log4JLogFactory2 class.



<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.0GA</version>
</dependency>



Do you know why SecurityWrapperRequest is looking for Log4JLogFactory2 and
how do I get that class? Do I need some other dependency?





Exception:

org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2 LogFactory class (org.owasp.esapi.reference.Log4JLogFactory2) must be in class path.
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108)
    at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137)
    at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:146)
    at com.ironmountain.imconnect.filter.LaunchFilter.<init>(LaunchFilter.java:37)
    at com.ironmountain.imconnect.filter.LaunchFilterTest.<init>(LaunchFilterTest.java:38)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at org.junit.runners.BlockJUnit4ClassRunner.createTest(BlockJUnit4ClassRunner.java:202)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.createTest(SpringJUnit4ClassRunner.java:210)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner$1.runReflectiveCall(SpringJUnit4ClassRunner.java:288)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:15)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.methodBlock(SpringJUnit4ClassRunner.java:290)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:231)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
    at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
    at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:71)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
    at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:174)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: java.lang.ClassNotFoundException: org.owasp.esapi.reference.Log4JLogFactory2
    at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:169)
    at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74)
    ... 30 more



Security flaw that I am trying to resolve:

This call to javax.servlet.http.HttpServletResponse.sendRedirect() contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, to inject additional headers or an entire response body into the response stream. Injecting headers can be used to trick various security mechanisms in browsers into allowing XSS style attacks. Injecting entire response bodies can not only cause XSS attacks to succeed but may even poison the cache of any intermediary proxies between the clients and the application server.

The first argument to sendRedirect() contains tainted data from the variable redirect. The tainted data originated from earlier calls to javax.servlet.http.HttpServletRequest.getCookies, javax.servlet.http.HttpServletRequestWrapper.getCookies, and org.apache.cxf.jaxrs.impl.tl.ThreadLocalHttpServletRequest.getCookies.

Escape, encode, or remove carriage return and line feed characters from user-supplied data before inclusion in HTTP response headers. Whenever possible, use a security library such as ESAPI that provides safe versions of addHeader(), etc. that will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Only write custom blacklisting code when absolutely necessary. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

References: CWE (http://cwe.mitre.org/data/definitions/113.html), OWASP (http://www.owasp.org/index.php/HTTP_Response_Splitting), WASC (http://webappsec.pbworks.com/HTTP-Response-Splitting)



Please advise.



Thanks

Romi Awasthy

Architect, Iron Mountain

gtalk: romiawasthy at gmail.com
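The remediation the scanner text above asks for (reject carriage return and line feed characters, and validate the redirect target against the expected format before it reaches sendRedirect()) as an added Java example. This is not the poster's code and not ESAPI's SecurityWrapperRequest; it uses only the JDK, and the class name SafeRedirect, the allow-list pattern and the sample cookie values are assumptions. It goes slightly beyond the scanner's finding by also refusing absolute and protocol-relative URLs, which closes the related open-redirect case.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;
import java.util.regex.Pattern;

/**
 * Hypothetical helper: validates an untrusted redirect target before it is
 * handed to HttpServletResponse.sendRedirect(), so that no attacker-controlled
 * CR/LF (or any other control character) can land in the Location header.
 */
public final class SafeRedirect {

    // Allow-list: a same-site absolute path (one leading slash, so "//host/..."
    // protocol-relative URLs are excluded), no ".." segments, a conservative
    // path character set and an optional query string.
    private static final Pattern SAFE_PATH = Pattern.compile(
        "^/(?!/)(?!.*\\.\\.)[A-Za-z0-9._~\\-/]*(?:\\?[A-Za-z0-9._~\\-=&%]*)?$");

    private static final String DEFAULT_TARGET = "/";

    private SafeRedirect() {}

    /** True if the value contains CR, LF or any other control character. */
    public static boolean containsControlChars(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the value unchanged if it is a safe same-site path, otherwise empty.
     * Rejecting instead of stripping means a tampered cookie cannot be "repaired"
     * by the filter into some other target the attacker chose.
     */
    public static Optional<String> validate(String untrusted) {
        if (untrusted == null || untrusted.isEmpty()) {
            return Optional.empty();
        }
        if (containsControlChars(untrusted)) {
            return Optional.empty();            // header-injection attempt
        }
        if (!SAFE_PATH.matcher(untrusted).matches()) {
            return Optional.empty();            // absolute URL, //host, ".." or odd chars
        }
        try {
            // Second opinion from the JDK parser: no scheme or authority, and every
            // '%' escape must be well-formed (a bad one throws).
            URI uri = new URI(untrusted);
            if (uri.getScheme() != null || uri.getAuthority() != null) {
                return Optional.empty();
            }
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        return Optional.of(untrusted);
    }

    /** What the servlet passes to sendRedirect(): the validated target or a safe default. */
    public static String targetOrDefault(String untrusted) {
        return validate(untrusted).orElse(DEFAULT_TARGET);
    }

    public static void main(String[] args) {
        // Constructed sample values, as they would arrive from a cookie after the
        // container has already URL-decoded them.
        String[] samples = {
            "/account/home?tab=docs",
            "/files/report.pdf",
            "/home\r\nSet-Cookie: session=attacker",   // CRLF header injection
            "//evil.example/phish",                    // protocol-relative open redirect
            "http://evil.example/phish",               // absolute open redirect
            "/../../etc/passwd",                       // ".." segment
            "/ok?q=%zz",                               // malformed percent escape
            "",
            null
        };
        for (String s : samples) {
            String shown = s == null ? "null" : s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-45s -> %s%n", shown, targetOrDefault(s));
        }
        // In the servlet: httpResponse.sendRedirect(SafeRedirect.targetOrDefault(redirect));
    }
}
```

The point of validating rather than merely deleting CR and LF is that the cookie value is only ever allowed to be something the application expects (a relative path on the same site), which satisfies the scanner's "conforms to the expected format" recommendation and keeps the header safe regardless of how any downstream wrapper encodes it. The two loose values in the sample list (the empty string and null) fall back to the default target, so the redirect still succeeds when the cookie is simply absent.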