[WEB SECURITY] Sanitising AMF ActionScript

Yiannis Pavlosoglou yiannis at owasp.org
Mon May 3 06:33:44 EDT 2010

Hi all,

I was working on a cocktail called grounds for sanitisation in this lonely
bar that Eclipse Flex Builder provides for AMF ActionScript. Encountered in
the past a similar lonely place in the Visual Studio worlds.

There, belling up friends such as ESAPI can end up being a long chore as you
have a binary format, landing in your Filter (e.g. the ExceptionFilter, etc.)
or the extension of the HttpServlet present.

Ergo, I put together 10 lines of code that we consider calling on the
factory methods. Here they are in Java & .NET:

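private static String sanitise(String arg) {

        // Truncate to at most 20 characters before filtering
        if(arg.length() > 20) {
            arg = arg.substring(0, 20);
        }

        // Keep only characters Java classifies as a letter or digit
        StringBuilder sb = new StringBuilder();
        for(int i = 0; i < arg.length(); i++) {
            if(Character.isLetterOrDigit(arg.charAt(i))) {
                sb.append(arg.charAt(i));
            }
        }
        return sb.toString();
}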

static string sanitise(string inputString)
{
           // Chop, chop, chop...
           if (inputString.Length > 20)
               inputString = inputString.Substring(0, 20);
           // typically I add all, but [A-Z][a-z][0-9]
           // including white-spaces
           StringBuilder sb = new StringBuilder ();
           for (int i=0; i< inputString.Length; i++)
               if (char.IsLetterOrDigit(inputString[i]))
                   sb.Append(inputString[i]);

           // This can lead to problems when all characters
           // are non digit/char like, e.g. for passwords
           return sb.ToString();
}


Attached is a jar poc type, sanitises arguments provided.

Optimisations and architecture aside, do you guys foresee any issues with the
calls of isLetter or anything of the above?

On the architecture, if the methods above are considered worthy of
existence, where would you guys write the Facade to handle this, so that the
architect stops pulling his hair out, having to call a static method

Thank you,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: validator.jar
Type: application/java-archive
Size: 1544 bytes
Desc: not available
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100503/c1444e64/attachment.jar>
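One way to probe the isLetter question raised above, as an added example that is not part of the original post or the attached jar: it runs the post's sanitise logic next to a stricter ASCII allow-list over constructed inputs, showing that Character.isLetterOrDigit accepts non-ASCII letters and digits, drops surrogate halves, and that truncating before filtering can empty the result. The class name SanitiseCheck, the method sanitiseAscii and all sample strings are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class SanitiseCheck {

    // The post's approach: truncate to 20 chars, then keep Character.isLetterOrDigit.
    static String sanitise(String arg) {
        if (arg.length() > 20) {
            arg = arg.substring(0, 20);
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < arg.length(); i++) {
            if (Character.isLetterOrDigit(arg.charAt(i))) {
                sb.append(arg.charAt(i));
            }
        }
        return sb.toString();
    }

    // Hypothetical stricter variant: explicit ASCII allow-list, filter first, then cap length.
    static String sanitiseAscii(String arg, int max) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < arg.length() && sb.length() < max; i++) {
            char c = arg.charAt(i);
            if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the post.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("plain ASCII", "user42");
        samples.put("fullwidth letters", "\uFF41\uFF42\uFF43");      // isLetterOrDigit is Unicode-aware
        samples.put("Arabic-Indic digits", "\u0661\u0662\u0663");    // category Nd counts as a digit
        samples.put("supplementary letter", "\uD835\uDC00bc");       // surrogate halves are not letters
        samples.put("symbols only", "!$%&/()=?");                    // nothing survives the filter
        samples.put("symbols before letters", "--------------------alice"); // cut happens before filter

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String in = e.getValue();
            System.out.printf("%-24s post=[%s] ascii=[%s]%n",
                    e.getKey(), sanitise(in), sanitiseAscii(in, 20));
        }
    }
}
```

Callers of either variant still need to decide what an empty return value means, since an all-symbol input such as a password is reduced to nothing.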