[Owasp-java-encoder-project] Decode

Jim Manico jim.manico at owasp.org
Wed Apr 22 19:41:55 UTC 2015


 > What canonicalization functions are you thinking of?

Detection of encoded input.

Like if a user took an attack and then URL encoded it and then HTML 
Entity encoded it in an attempt to circumvent filters.

By noticing that input is already decoded - you might want to reject it 
as a form of intrusion detection for certain fields.

So like...

if (!rawContent.equals(
        htmlDecode(urlDecode(javascriptDecode(cssDecode(rawContent)))))) {
    // input changed under decoding, so it arrived encoded;
    // we might want to reject this
}

// kinda like this
canonicalize(rawInput) {
    return htmlDecode(urlDecode(javascriptDecode(cssDecode(rawInput))));
}

Aloha,
Jim


On 3/30/15 7:04 AM, Jeff Ichnowski wrote:
> I think it should be a separate equally small and efficient project.  
> owasp-java-decoder. :)
>
> The use case for decoders is typically not coupled encoders.  Like who 
> is going to do <%= Decode.fromHTML(...) %> in their JSP?  Maybe they're 
> intentionally trying to introduce XSS? :)
>
> What canonicalization functions are you thinking of?
>
> Also, when I think of decoders, I always wonder what the proper thing 
> to do with HTML named entities (e.g.,   © etc...).
>
> -Jeff
>
>
> On Sun, Mar 29, 2015 at 8:22 PM, Jeremy Long <jeremy.long at gmail.com 
> <mailto:jeremy.long at gmail.com>> wrote:
>
>     I think the decoders would be a good add. Then if there is enough
>     interest in the canonicalization functions add those in a separate
>     jar.
>
>     --jeremy
>
>     On Mar 29, 2015 8:11 PM, "Jim Manico" <jim.manico at owasp.org
>     <mailto:jim.manico at owasp.org>> wrote:
>
>         What do you think of adding decode and canonicalization
>         functions to the Java encoder library?
>
>         Aloha,
>         Jim
>         _______________________________________________
>         Owasp-java-encoder-project mailing list
>         Owasp-java-encoder-project at lists.owasp.org
>         <mailto:Owasp-java-encoder-project at lists.owasp.org>
>         https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project
>
>
>
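As an added example (not code from the thread or from the OWASP Java Encoder project), the fixed-point canonicalization check Jim sketches, written in Python so it runs stand-alone on the standard library's HTML-entity and URL decoders. It goes beyond the sketch by counting decoding layers, so a field where one layer of encoding is legitimate is not flagged until a second, stacked layer appears.

```python
import html
from urllib.parse import unquote

# Decoders applied in order inside one pass. Entities are undone first so
# that a payload which was URL-encoded and then entity-encoded (the case
# Jim describes) is peeled from the outside in.
DECODERS = (html.unescape, unquote)
MAX_PASSES = 4  # bound the loop so adversarial input cannot spin it


def canonicalize(raw, max_passes=MAX_PASSES):
    """Decode until nothing changes; return (canonical_text, layers).

    layers counts every decoder application that altered the text: 0 for
    plain input, 1 for single-encoded input, 2 or more when encodings were
    stacked (entity over URL) or repeated (%25 3C).
    """
    text, layers = raw, 0
    for _ in range(max_passes):
        before = text
        for decode in DECODERS:
            decoded = decode(text)
            if decoded != text:
                layers += 1
                text = decoded
        if text == before:
            break
    return text, layers


def is_encoded(raw):
    """Jim's sketch: the input differs from its canonical form."""
    return canonicalize(raw)[0] != raw


def looks_multiply_encoded(raw):
    """Tighter rule for fields where one layer is legitimate (a pasted URL
    with %20, a comment with &amp;): flag only stacked or repeated encoding."""
    return canonicalize(raw)[1] > 1


# Constructed samples: plain text, a legitimately single-encoded value, and
# the stacked encodings a filter-evasion attempt would produce.
SAMPLES = {
    "Tom & Jerry": (False, False),
    "a%20b": (True, False),
    "&#x25;3Cscript&#x25;3E": (True, True),   # URL-encoded, then entity-encoded
    "%253Cscript%253E": (True, True),         # URL-encoded twice
    "&amp;lt;img&amp;gt;": (True, True),      # entity-encoded twice
}

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        result = (is_encoded(sample), looks_multiply_encoded(sample))
        print(f"{sample!r:28} encoded={result[0]!s:5} stacked={result[1]!s:5}")
        assert result == expected
```

Pick the decoder set per field: html.unescape follows HTML5's legacy no-semicolon entities, so a raw query string such as `?a=1&param=2` decodes `&para` to `¶` and would count as a layer even though nothing was encoded.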
