[WEB SECURITY] Implementation of Global Output Encoder with ESAPI

Erlend Oftedal erlend at oftedal.no
Tue May 11 01:25:34 EDT 2010


I agree with Juan. I think you need to look a bit more at what exactly 
ESAPI is meant to do. It's not a purifier, but an encoder. And the 
different methods should be called depending on context, so it means you
will have to change your JSPs everywhere when you are printing user 
provided content.

Check the OWASP prevention cheat sheet.
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

You use encodeForHTML when you are printing input between tags (#1 in the 
cheat sheet)
You use encodeForHTMLAttribute when you are printing input within the 
attribute of a tag (#2 in the cheat sheet).
etc. etc.

And you have to be careful to avoid DOM-based XSS.

Trying to do all of this as an output filter is difficult (and probably 
impossible), because you no longer know in which context you are printing 
the input.

Best regards
Erlend Oftedal


On Mon, 10 May 2010, Calderon, Juan Carlos (GE, Corporate, consultant) wrote:

> I might be missing something, but from my point of view it is not
> possible to do what you intend with a filter, this is because by the
> time you hit the filter all the response HTML is already created, so
> there is no way to isolate specific variables or pieces of content
> (except by parsing the HTML that will be even more work). Also if you
> encode all the HTML then you will see the response HTML displayed in the
> browser as text but not interpreted as usual. So the only centralization
> I can see you can do is to have a global function or a JSP tag to use
> everywhere in your JSPs.
>
> Maybe a massive replace of out.print and <%= can do the job, yet you
> will have to validate you don't break the application.
>
> Regards,
> Juan Carlos
>
> ________________________________
>
> From: Kesavanarayanan, Ramesh
> [mailto:Ramesh.Kesavanarayanan at Pearson.com]
> Sent: Viernes, 07 de Mayo de 2010 03:23 p.m.
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Implementation of Global Output Encoder with
> ESAPI
> Importance: High
>
>
>
> I have a question on the output encoding using the ESAPI.
>
> In my application I tried to implement the ESAPI for the response output
> encoding in a centralized manner so that I do not need to change every
> JSP page in my application.
>
> The following is the piece of code I have written using my
> sessionFilter.
>
> import java.io.CharArrayWriter;
> import java.io.IOException;
> import javax.servlet.FilterChain;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.http.HttpSession;
> import org.owasp.esapi.ESAPI;
>
> public void doFilter(ServletRequest request, ServletResponse response,
>         FilterChain chain) throws ServletException, IOException {
>
>     HttpServletRequest httpRequest = (HttpServletRequest) request;
>     HttpServletResponse httpResponse = (HttpServletResponse) response;
>     HttpSession session = httpRequest.getSession();
>
>     // CharResponseWrapper (not shown here) buffers everything the JSP
>     // writes so that the filter can read it back with toString().
>     ServletResponse newResponse = null;
>     if (request instanceof HttpServletRequest) {
>         newResponse = new CharResponseWrapper((HttpServletResponse) response);
>     }
>
>     // The rest of the chain has to write into the wrapper, not into the
>     // original response; otherwise nothing is captured and the page has
>     // already gone to the client by the time the encoders run.
>     chain.doFilter(request, newResponse);
>
>     String text = newResponse.toString();
>     text = text.toUpperCase();
>
>     // The whole rendered page is pushed through all four encoders in turn.
>     text = ESAPI.encoder().encodeForHTML(text);
>     text = ESAPI.encoder().encodeForHTMLAttribute(text);
>     text = ESAPI.encoder().encodeForJavaScript(text);
>     text = ESAPI.encoder().encodeForCSS(text);
>
>     CharArrayWriter caw = new CharArrayWriter();
>     if (text != null) {
>         try {
>             caw.write(text);
>             response.getWriter().write(caw.toString());
>         } catch (java.lang.IllegalStateException ille) {
>             // getWriter() throws if getOutputStream() was already used
>         }
>     }
> }
>
> In my JSP I have the code as follows
>
> Not working
>
> <script>
> function setUserName(){
>     document.getElementById("login").value ='<%= (String)request.getAttribute("username") %>';
> }
> </script>
>
> Working
>
> <%!
>     String cleanXSS(String value) {
>         value = ESAPI.encoder().encodeForHTML(value);
>         value = ESAPI.encoder().encodeForHTMLAttribute(value);
>         value = ESAPI.encoder().encodeForJavaScript(value);
>         value = ESAPI.encoder().encodeForCSS(value);
>         return value;
>     }
> %>
>
> <script>
> function setUserName(){
>     document.getElementById("login").value ='<%= cleanXSS( (String)request.getAttribute("username") ) %>';
> }
> </script>
>
> As you can see I expect the response to be updated with the ESAPI
> functions, but somewhere I lose the ESAPI. The idea for me is to
> centralize the output encoding so that it saves me time and effort.
>
> Appreciate if you have any pointers on the same.
>
> Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972
> (O) |  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com
>
>
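As an added illustration of the two points made in this thread (Erlend's: the encoder has to match the context the value is printed in, so the change belongs at each output point in the JSPs; Juan's: a filter only ever sees the finished page), here is a small Python script. It is not from the thread and does not use ESAPI: the four encoders follow the rules on the OWASP cheat sheet by hand (the names encode_for_html, encode_for_html_attribute, encode_for_javascript and encode_for_css are mine), render_page puts one value into three contexts with the matching encoder for each, clean_xss_chained mirrors the cleanXSS() chain from Ramesh's JSP, and filter_whole_response does to a finished page what the sessionFilter does. The username is a constructed sample value.

```python
import re
import string

# Hand-rolled encoders following the OWASP XSS Prevention Cheat Sheet rules.
# Added example, not ESAPI: in real code use ESAPI.encoder() or an equivalent.
_ALNUM = set(string.ascii_letters + string.digits)

_HTML_BODY = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
              '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}


def encode_for_html(s: str) -> str:
    """Rule #1: text between tags. The HTML-significant characters become entities."""
    return "".join(_HTML_BODY.get(ch, ch) for ch in s)


def encode_for_html_attribute(s: str) -> str:
    """Rule #2: inside a quoted attribute. Every non-alphanumeric becomes &#xHH;."""
    return "".join(ch if ch in _ALNUM else f"&#x{ord(ch):x};" for ch in s)


def encode_for_javascript(s: str) -> str:
    """Rule #3: inside a quoted JS string literal. Non-alphanumerics become \\xHH / \\uHHHH."""
    out = []
    for ch in s:
        if ch in _ALNUM:
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def encode_for_css(s: str) -> str:
    """Rule #4: inside a CSS value. Non-alphanumerics become \\HH, a space ends the escape."""
    return "".join(ch if ch in _ALNUM else f"\\{ord(ch):x} " for ch in s)


def clean_xss_chained(s: str) -> str:
    """Mirror of the thread's cleanXSS(): all four encoders applied one after the other.
    Each step re-encodes the previous step's output, so the value never decodes back."""
    for enc in (encode_for_html, encode_for_html_attribute,
                encode_for_javascript, encode_for_css):
        s = enc(s)
    return s


def decode_js_string(s: str) -> str:
    """What a JS engine makes of the \\xHH / \\uHHHH escapes a rule #3 encoder emits.
    Only those two forms are handled; enough to show which encoding round-trips."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def render_page(username: str) -> str:
    """Constructed JSP-like page: the same value lands in three contexts and each
    context gets the one encoder that matches it. Only the page knows the context,
    which is why this cannot be moved into a response filter."""
    return (
        f"<p>Welcome, {encode_for_html(username)}</p>\n"
        f'<input id="login" value="{encode_for_html_attribute(username)}">\n'
        "<script>\n"
        f"  document.getElementById('login').value = '{encode_for_javascript(username)}';\n"
        "</script>"
    )


def unencoded_js_line(username: str) -> str:
    """The thread's 'Not working' JSP line: the raw value is spliced into a JS string,
    so any apostrophe in it ends the literal early."""
    return f"document.getElementById('login').value = '{username}';"


def filter_whole_response(page: str) -> str:
    """What a servlet filter like the sessionFilter sees: the finished page. Encoding
    'everything' encodes the markup as well, and the browser shows it as text."""
    return encode_for_html(page)


if __name__ == "__main__":
    user = "O'Brien <admin>"            # constructed sample input
    print(render_page(user))
    print(unencoded_js_line(user))      # apostrophe breaks the string literal
    print(clean_xss_chained(user))      # unreadable after four rounds of encoding
    print(filter_whole_response(render_page("bob")))
```

Running it shows the three correctly encoded forms of the same value, the broken JS line from the unencoded JSP, the unreadable output of the chained cleanXSS() approach, and a whole page turned into entity-encoded text by the filter approach.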

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


