[owasp-antisamy] Using Antisamy in URL validation

Jason Li jason.li at owasp.org
Wed May 11 10:20:31 EDT 2011


Mogare,

You may find the OWASP XSS Prevention Cheatsheet (
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
helpful. There are also the XSS sections of the OWASP Development Guide and
OWASP Top Ten documents.

AntiSamy does not appear to be the proper tool for your use case but the
references above should provide enough background information to help you
identify an appropriate strategy for your requirements.

-Jason

On Wed, May 11, 2011 at 9:57 AM, Mogare Amey <Amey.Mogare at atosorigin.com>wrote:

>  Hi Arshan,
>
>
>
> Thank you for the valuable explanation. I understood your point.
>
>
>
> Can you please help me in preventing the type of XSS attack that I am
> referring to? (XSS on URL parameter)
>
> In the following URL, the user has inserted an alert box in one of the URL
> parameters.
>
>
>
>
> https://<host:port>/mypage?url=/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8%26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1%27%3balert%281%29//&system=SINEQUA_Search_System
>
>
>
> How do I prevent this alert from running and load the normal page?
>
>
>
> Thank you.
>
>
>
> With warm regards,
>
> *Amey Mogare*
>
>
>
> *From:* owasp-antisamy-bounces at lists.owasp.org [mailto:
> owasp-antisamy-bounces at lists.owasp.org] *On Behalf Of *Arshan Dabirsiaghi
> *Sent:* Wednesday, May 11, 2011 7:05 PM
> *To:* Mogare Amey; Jason Li
>
> *Cc:* owasp-antisamy at lists.owasp.org
> *Subject:* Re: [owasp-antisamy] Using Antisamy in URL validation
>
>
>
> This is absolutely expected behavior, and I’ll tell you why. It’s not
> changing your input because AntiSamy output is meant to be placed in what we
> call an “HTML context”. The threat AntiSamy addresses is cross-site
> scripting, and understanding how untrusted user data is reflected back on a
> page is critical in figuring out how to prevent it. The “dirtyInput” you
> have is a valid XSS proof of concept when data is placed into a JavaScript
> “context” like this:
>
>
>
> <script> var a = '<%=user input%>';</script>
>
>
>
> However, that context (inside JavaScript) is not where AntiSamy output is
> safe to put. AntiSamy output should only be between two standard markup
> tags, like this:
>
>
>
> <div><%=antisamy output%></div>
>
>
>
> In general, the rules that you have to apply to make sure user input
> doesn’t cause XSS rely 100% on what “context” the data ends up in in the HTML
> response. This, and a lot more detail, is available in [1]. But, bottom
> line is, if you really need AntiSamy output to be inside JavaScript, you
> should take the AntiSamy output and run it through a JavaScript
> encoding/escaping function before putting it in your view.
>
>
>
> Thanks,
>
> Arshan
>
>
>
> [1]
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>
>
>
> *From:* owasp-antisamy-bounces at lists.owasp.org [mailto:
> owasp-antisamy-bounces at lists.owasp.org] *On Behalf Of *Mogare Amey
> *Sent:* Wednesday, May 11, 2011 5:49 AM
> *To:* Jason Li
> *Cc:* owasp-antisamy at lists.owasp.org
> *Subject:* Re: [owasp-antisamy] Using Antisamy in URL validation
>
>
>
> Hi Jason,
>
>
>
> I could run my code with the following JARs:
>
> batik-css.jar
> nekohtml.jar
> xerces-2.0.2.jar
> xml-apis.jar
>
>
>
> However, it is not able to remove the code for the alert box from dirtyInput
> (have a look at the URL in my previous mail below).
>
> I tried all Policy files but none of them gave any success.
>
>
>
> Here is what I tried:
>
>
>
> 1. Fails
>
> String dirtyInput = "1';alert(1)//";
> Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
> AntiSamy as = new AntiSamy();
> CleanResults cr = as.scan(dirtyInput, policy);
> String cleanInput = cr.getCleanHTML();
>
> This prints dirtyInput as it is. :(
>
>
>
> 2. Works fine
>
> String dirtyInput = "123<script>alert(1)</script>";
> Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
> AntiSamy as = new AntiSamy();
> CleanResults cr = as.scan(dirtyInput, policy);
> String cleanInput = cr.getCleanHTML();
>
> This prints 123
>
>
>
> Any idea what is going wrong in case-1?
>
>
>
> Also, is there any document on how to prepare policy files? I am not able
> to understand how to add a new condition in the policy files.
>
>
>
> Please help.
>
>
>
> Thank you.
>
>
>
> With warm regards,
>
> *Amey Mogare*
>
>
>
> *From:* Mogare Amey
> *Sent:* Wednesday, May 11, 2011 11:58 AM
> *To:* 'Jason Li'
> *Cc:* owasp-antisamy at lists.owasp.org
> *Subject:* RE: [owasp-antisamy] Using Antisamy in URL validation
>
>
>
> Hi Jason,
>
>
>
> Thank you for reply. It was very helpful.
>
>
>
> I have the following queries:
>
>
>
> 1. I want to use Antisamy for avoiding XSS attacks by cleaning the
> input data coming to the server.
>
> The following is a URL with an XSS attack on my application which I want to clean:
>
> https://<host:port>/mypage?url=/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8%26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1%27%3balert%281%29//&system=SINEQUA_Search_System
>
>
>
> Here you can see that the ‘fuzzysearch’ parameter contains an alert box.
>
>
>
> Can Antisamy be used to avoid such attacks? If yes, how?
>
>
>
> 2. My applications are using Java 1.4 (j2sdk1.4.2_16).
>
> Can the Antisamy JAR (antisamy-1.4.4.jar) be used with it?
>
>
>
> If no, where can I download suitable JAR?
>
>
>
> 3. What are the dependent JARs that ‘antisamy-1.4.4.jar’ needs?
>
> I saw from your reply
> (https://lists.owasp.org/pipermail/owasp-antisamy/2010-October/000353.html) that it needs the following JARs:
>
>
>
> * Apache Xerces 2.8.1
>
> * Apache Batik-CSS 1.7
>
> * NekoHTML 1.9.12
>
> * Apache Commons HTTP-Client 3.1
>
>
>
> From where do I download these JARs?
>
>
>
> Are these versions compatible with Java 1.4? If not, please let me know the
> correct versions.
>
>
>
> 4. I tried it in my Java class for testing purposes, but it gives the
> following exception:
>
>
>
> java.lang.NoClassDefFoundError: org/apache/batik/css/parser/ParseException
>       at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:107)
>       at XssTestMain.main(XssTestMain.java:37)
> Exception in thread "main"
>
>
>
> This is my XssTestMain.java:
>
> import org.owasp.validator.html.AntiSamy;
> import org.owasp.validator.html.CleanResults;
> import org.owasp.validator.html.Policy;
> import org.owasp.validator.html.PolicyException;
> import org.owasp.validator.html.ScanException;
>
> public class XssTestMain {
>     public static void main(String[] args) {
>         try {
>             String POLICY_FILE_LOCATION = "C:/AMEY/SAP NWDS_7.01.3/WorkspaceAmey/XssTest/antisamy-esapi.xml";
>             String dirtyInput = "1%27%3balert%281%29";
>             System.out.println("dirtyInput : \n" + dirtyInput);
>             Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
>             AntiSamy as = new AntiSamy();
>             CleanResults cr = as.scan(dirtyInput, policy);
>             String cleanInput = cr.getCleanHTML();
>             System.out.println("\ncleanInput : \n" + cleanInput);
>         } catch (PolicyException e) {
>             // TODO Auto-generated catch block
>             e.printStackTrace();
>         } catch (ScanException e) {
>             // TODO Auto-generated catch block
>             e.printStackTrace();
>         }
>     }
> }
>
>
>
>
>
> Thank you.
>
>
>
> With warm regards,
>
> *Amey Mogare*
>
>
>
> *From:* Jason Li [mailto:jason.li at owasp.org]
> *Sent:* Tuesday, May 10, 2011 11:57 PM
> *To:* Mogare Amey
> *Cc:* owasp-antisamy at lists.owasp.org
> *Subject:* Re: [owasp-antisamy] Using Antisamy in URL validation
>
>
>
> Mogare,
>
>
>
> AntiSamy policy files are available here:
>
> http://code.google.com/p/owaspantisamy/downloads/list
>
>
>
> The AntiSamy Project is meant to validate user generated rich text (HTML)
> input against a whitelist specification of safe HTML elements in order to
> prevent cross-site scripting. It does not provide any other type of
> validation. Depending on your use case, AntiSamy may or may not be
> appropriate for your requirements.
>
>
>
> You will need to identify the parameter you wish to validate and pass that
> parameter value into the AntiSamy scanner. For example, assuming the
> parameter containing user generated rich text input was named "inputHtml",
> AntiSamy can be invoked as follows:
>
> String dirtyInput = request.getParameter("inputHtml");
> Policy policy = Policy.getInstance(INSERT_YOUR_POLICY_FILE_LOCATION);
> AntiSamy as = new AntiSamy(policy);
> CleanResults cr = as.scan(dirtyInput);
> String cleanInput = cr.getCleanHTML();
>
> Again, note that AntiSamy is not a universal validator - its specific
> use case is to validate user generated rich text input.
>
>
>
> -Jason
>
>
>
> On Tue, May 10, 2011 at 9:13 AM, Mogare Amey <Amey.Mogare at atosorigin.com>
> wrote:
>
> Hi,
>
>
>
> I want to use Antisamy API to clean URL parameters.
>
>
>
> I read the details on
> https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
>
> And downloaded “antisamy-1.4.4.jar” and imported it into my Java class.
>
>
>
> I don’t know how to download the base policy file mentioned in the above URL. Where
> do I get it?
>
>
>
> Can you please help me in achieving my requirement?
>
>
>
> Which method should I use to clean URL parameters?
>
>
>
> Thank you.
>
>
>
> With warm regards,
>
> *Amey Mogare*
>
> *Atos Origin India | SAP NetWeaver/ EP/ Web Dynpro | Nessie NDC :
> Production Line - SAP | Email : Amey.mogare at atosorigin.com | Office :
> +91-22-6733-3732 | Mobile : +91-9820-303-464*
>
>
>
>
> _______________________________________________
> Owasp-antisamy mailing list
> Owasp-antisamy at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>
>
>
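The context-dependent encoding Arshan describes in the thread above, as an added example that is not code from the thread or from AntiSamy: the decoded value of the reflected parameter is escaped once for a JavaScript string literal and once for plain HTML text, so the same input is inert in both places. The class name and the two encoder methods are assumptions for this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

// Added example (not AntiSamy or list code): context-aware output encoding for the reflected
// parameter in the thread, written against the Java 1.4 API the poster uses (no StringBuilder).
public class ContextEncodingDemo {
    // For a single- or double-quoted JavaScript string literal: everything but letters, digits
    // and space becomes \xHH or \uHHHH, so ' ; ( ) / < > can never close the literal or <script>.
    public static String encodeForJavaScriptString(String s) {
        StringBuffer sb = new StringBuffer(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean safe = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z')
                        || (c >= 'A' && c <= 'Z') || c == ' ';
            if (safe) {
                sb.append(c);
            } else {
                String hex = Integer.toHexString(c).toUpperCase();
                int width = c < 0x100 ? 2 : 4;
                sb.append(c < 0x100 ? "\\x" : "\\u");
                for (int pad = hex.length(); pad < width; pad++) sb.append('0');
                sb.append(hex);
            }
        }
        return sb.toString();
    }
    // For plain text between HTML tags. When no rich text is wanted this is all the HTML
    // context needs; AntiSamy exists to let some markup through, not to replace this.
    public static String encodeForHtmlText(String s) {
        StringBuffer sb = new StringBuffer(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) throws UnsupportedEncodingException {
        // Tail of the query string quoted in the thread. request.getParameter() returns it already
        // decoded, which is why scanning the %27%3b... form in XssTestMain shows nothing.
        String value = URLDecoder.decode("1%27%3balert%281%29//", "UTF-8"); // 1';alert(1)//
        System.out.println("<script> var a = '" + encodeForJavaScriptString(value) + "';</script>");
        System.out.println("<div>" + encodeForHtmlText(value) + "</div>");
    }
}
```

The first line printed keeps the whole value inside the string literal (`'1\x27\x3Balert\x281\x29\x2F\x2F'`), and the second renders the quote as `&#39;` so the browser displays it rather than interpreting it.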