[OWASP-ESAPI] SafeRequest and SafeResponse

Jeff Williams jeff.williams at owasp.org
Wed Sep 3 00:08:06 EDT 2008


Hi everyone,

In order to encourage the use of some of the HTTPUtilities methods, we've
refactored them into two new classes: SafeRequest and SafeResponse.  These
classes implement the HttpServletRequest and HttpServletResponse interfaces
and wrap the original request and response with validation and other checks.
There is also a SafeHTTPFilter that you can put in front of any Java EE
application to automatically use the SafeRequest and SafeResponse wrappers.

Deployment is as simple as adding the following to web.xml and dropping the
ESAPI jar into lib:

    <filter>
        <filter-name>SafeHTTP</filter-name>
        <filter-class>org.owasp.esapi.filters.SafeHTTPFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>SafeHTTP</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

SafeRequest
<http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/org/owasp/esapi/filters/SafeRequest.java>

This wrapper guarantees that all data from the request is canonicalized and
then validated before being returned. This should defeat most encoded
attacks.  All illegal characters, such as null bytes and other unprintables,
are not allowed.  Even header, parameter, and cookie *names* are carefully
checked before being returned.  The getSession() method is extended to set
the HttpOnly and Secure flags on the JSESSIONID cookie.

SafeResponse
<http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/org/owasp/esapi/filters/SafeResponse.java>

This wrapper ensures that no illegal characters, such as carriage returns
and line feeds, are used in the construction of header names and values in
the response.  This should eliminate header injection attacks of all kinds.
Cookies are automatically updated with HttpOnly and Secure flags when they
are set.  The encodeURL and related methods are all stubbed out so that they
cannot cause dangerous sessionid URL rewriting.  Response codes are all set
to 200 to confound attackers with scanners.
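As an added illustration (my own code, not ESAPI's SafeResponse or SafeHTTPFilter), here is a minimal response wrapper plus filter that applies the checks described above: header names and values are rejected if they contain CR, LF or a null byte, cookies are re-emitted with Secure and HttpOnly, and the encodeURL family is stubbed out. It assumes the Servlet 2.5 API, whose Cookie class has no HttpOnly setter, so the Set-Cookie header is written by hand; the class names HeaderSafeResponse and HeaderSafeFilter are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical wrapper showing SafeResponse-style header and cookie checks. */
public class HeaderSafeResponse extends HttpServletResponseWrapper {

    public HeaderSafeResponse(HttpServletResponse response) {
        super(response);
    }

    /** Refuse CR, LF and NUL anywhere in a header name or value (response splitting). */
    static String requireNoCrlf(String s, String what) {
        if (s == null) return null;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                throw new IllegalArgumentException("Illegal character in " + what);
            }
        }
        return s;
    }

    @Override public void setHeader(String name, String value) {
        super.setHeader(requireNoCrlf(name, "header name"), requireNoCrlf(value, "header value"));
    }
    @Override public void addHeader(String name, String value) {
        super.addHeader(requireNoCrlf(name, "header name"), requireNoCrlf(value, "header value"));
    }
    @Override public void addCookie(Cookie cookie) {
        String name = requireNoCrlf(cookie.getName(), "cookie name");
        String value = requireNoCrlf(cookie.getValue(), "cookie value");
        // Servlet 2.5 Cookie has no setHttpOnly(), so emit the Set-Cookie header directly
        super.addHeader("Set-Cookie", name + "=" + value + "; Path=/; Secure; HttpOnly");
    }
    // Never rewrite session ids into URLs
    @Override public String encodeURL(String url) { return url; }
    @Override public String encodeRedirectURL(String url) { return url; }
}

/** Hypothetical filter that wraps every response, mirroring the web.xml mapping above. */
class HeaderSafeFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, new HeaderSafeResponse((HttpServletResponse) res));
    }
}
```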

The current implementations try to always return a safe value and continue.
There's some discussion of enabling a "detect-only" mode where issues are
only logged, and of another mode where IntrusionExceptions are thrown if the
SafeRequest or SafeResponse policy is violated.  This would be configurable
in ESAPI.properties as SafeHTTPMode: (DETECT|CLEAN|THROW) or something like
that.

The code is in SVN and browsable on the web at GoogleCode.  Please let me
know your thoughts.

--Jeff
