[WEB SECURITY] Implementation of Global Output Encoder with ESAPI

Liu Yu yu.liu at nosec.org
Wed May 12 11:34:09 EDT 2010


After you have implemented your web application, you need a tool to verify
that it does its job well. Maybe you should take a look at iiScan (iiscan.com),
a free online web application security scanner. Try it.

BEST REGARDS TO YOU AND YOUR FAMILY

Liu Yu
MSN: zwell at yeah.net
Tel: +86 755 8251 9327
NOSEC Technologies Co., Ltd

NOTICE: This communication is intended ONLY for the use of the person or
entity named above and may contain information that is confidential or
legally privileged. If you are not the intended recipient named above or a
person responsible for delivering messages or communications to the intended
recipient, YOU ARE HEREBY NOTIFIED that any use, distribution, or copying of
this communication or any of the information contained in it is strictly
prohibited. If you have received this communication in error, please notify
us immediately by telephone and then destroy or delete this communication,
or return it to us by mail if requested by us.




On 11 May 2010 13:25, Erlend Oftedal <erlend at oftedal.no> wrote:

>
> I agree with Juan. I think you need to look a bit more at what exactly
> ESAPI is meant to do. It's not a purifier, but an encoder. And the different
> methods should be called depending on context, so it means you
> will have to change your JSPs everywhere when you are printing user
> provided content.
>
> Check the OWASP prevention cheat sheet.
>
> http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
>
> You use encodeForHTML when you are printing input between tags (#1 in the
> cheat sheet)
> You use encodeForHTMLAttribute when you are printing input within the
> attribute of a tag (#2 in the cheat sheet).
> etc. etc.
>
> And you have to be careful to avoid DOM-based XSS.
>
> Trying to do all of this as an output filter is difficult (and probably
> impossible), because you no longer know in which context you are printing
> the input.
>
> Best regards
> Erlend Oftedal
>
>
>
> On Mon, 10 May 2010, Calderon, Juan Carlos (GE, Corporate, consultant)
> wrote:
>
>> I might be missing something, but from my point of view it is not
>> possible to do what you intend with a filter, this is because by the
>> time you hit the filter all the response HTML is already created, so
>> there is no way to isolate specific variables or pieces of content
>> (except by parsing the HTML that will be even more work). Also if you
>> encode all the HTML then you will see the response HTML displayed in the
>> browser as text but not interpreted as usual. So the only centralization
>> I can see you can do is to have a global function or a JSP tag to use
>> everywhere in your JSPs.
>>
>> Maybe a massive replace of out.print and <%= can do the job, yet you
>> will have to validate you don't break the application.
>>
>> Regards,
>> Juan Carlos
>>
>> ________________________________
>>
>> From: Kesavanarayanan, Ramesh
>> [mailto:Ramesh.Kesavanarayanan at Pearson.com]
>> Sent: Viernes, 07 de Mayo de 2010 03:23 p.m.
>> To: websecurity at webappsec.org
>> Subject: [WEB SECURITY] Implementation of Global Output Encoder with
>> ESAPI
>> Importance: High
>>
>>
>>
>> I have a question on the output encoding using the ESAPI.
>>
>> In my application I tried to implement the ESAPI for the response output
>> encoding in a centralized manner so that I do not need to change every
>> JSP page in my application.
>>
>> The following is the piece of code I have written using my
>> sessionFilter.
>>
>> import java.io.CharArrayWriter;
>> import java.io.IOException;
>> import javax.servlet.FilterChain;
>> import javax.servlet.ServletException;
>> import javax.servlet.ServletRequest;
>> import javax.servlet.ServletResponse;
>> import javax.servlet.http.HttpServletRequest;
>> import javax.servlet.http.HttpServletResponse;
>> import javax.servlet.http.HttpSession;
>> import org.owasp.esapi.ESAPI;
>>
>> public void doFilter(ServletRequest request, ServletResponse response,
>>         FilterChain chain) throws ServletException, IOException {
>>
>>     HttpServletRequest httpRequest = (HttpServletRequest) request;
>>     HttpServletResponse httpResponse = (HttpServletResponse) response;
>>     HttpSession session = httpRequest.getSession();
>>
>>     // CharResponseWrapper (not shown here) is assumed to buffer everything
>>     // the chain writes so that toString() returns the rendered page.
>>     ServletResponse newResponse = null;
>>     if (request instanceof HttpServletRequest) {
>>         newResponse = new CharResponseWrapper((HttpServletResponse) response);
>>     }
>>     if (newResponse == null) {
>>         chain.doFilter(request, response);
>>         return;
>>     }
>>
>>     // The wrapper has to be handed down the chain; passing the original
>>     // response here (as first written) meant nothing was ever captured and
>>     // the real response was already committed before the encoding ran.
>>     chain.doFilter(request, newResponse);
>>
>>     String text = newResponse.toString();
>>     text = text.toUpperCase();
>>     text = ESAPI.encoder().encodeForHTML(text);
>>     text = ESAPI.encoder().encodeForHTMLAttribute(text);
>>     text = ESAPI.encoder().encodeForJavaScript(text);
>>     text = ESAPI.encoder().encodeForCSS(text);
>>
>>     CharArrayWriter caw = new CharArrayWriter();
>>     if (text != null) {
>>         try {
>>             caw.write(text);
>>             response.getWriter().write(caw.toString());
>>         } catch (java.lang.IllegalStateException ille) {
>>             // getWriter() throws this if getOutputStream() was already used
>>             // on the response; the original code swallowed it silently
>>         }
>>     }
>> }
>>
>> In my JSP I have the code as follows
>>
>> Not working
>>
>> <script>
>> function setUserName(){
>>     document.getElementById("login").value = '<%= (String) request.getAttribute("username") %>';
>> }
>> </script>
>>
>> Working
>>
>> <%@ page import="org.owasp.esapi.ESAPI" %>
>> <%!
>>     String cleanXSS(String value) {
>>         value = ESAPI.encoder().encodeForHTML(value);
>>         value = ESAPI.encoder().encodeForHTMLAttribute(value);
>>         value = ESAPI.encoder().encodeForJavaScript(value);
>>         value = ESAPI.encoder().encodeForCSS(value);
>>         return value;
>>     }
>> %>
>>
>> <script>
>> function setUserName(){
>>     document.getElementById("login").value = '<%= cleanXSS((String) request.getAttribute("username")) %>';
>> }
>> </script>
>>
>> As you can see I expect the response to be updated with the ESAPI
>> functions, but somewhere I lose the ESAPI. The idea for me is to
>> centralize the output encoding so that it saves me time and effort.
>>
>> Appreciate if you have any pointers on the same.
>>
>> Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) |
>> 319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com
>>
>>
>>
>
>
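Worked example, added to this archive page and not code from any poster in the thread: a plain-Java stand-in for the per-context encoding that Erlend and Juan describe. The `ContextEncoder` class and its three methods are hand-written implementations of the cheat sheet's rules written for this illustration, not ESAPI's API; in a real JSP you would call `ESAPI.encoder().encodeForJavaScript(...)` (or the HTML/attribute variant) at the exact point where the value is emitted, which is the centralized helper or JSP tag Juan suggests. The `main` method takes a constructed username of the kind the thread's JSP reads from a request attribute and shows it encoded once for the JavaScript-string context of that JSP, then for the HTML-body and attribute contexts, then what happens when encoders are stacked as in `cleanXSS` (double encoding, so the browser shows entity text) and when an already-rendered page is encoded as the filter does (markup turned into text).

```java
// Added illustration (not from the thread): encode once, in the context where the
// value is emitted. These encoders are hand-written stand-ins following the OWASP
// XSS prevention cheat sheet rules #1-#3; use ESAPI's real Encoder in production.
public final class ContextEncoder {

    // Rule #1: text between tags. Escape the characters an HTML parser acts on.
    public static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Rule #2: inside an attribute value. Everything but alphanumerics becomes
    // &#xHH; so the value cannot break out even of a poorly quoted attribute.
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (isAlphaNum(c)) sb.append(c);
            else sb.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return sb.toString();
    }

    // Rule #3: inside a quoted JavaScript string literal. \xHH / \uHHHH escapes
    // keep quotes, backslashes and "</script>" from terminating the string.
    public static String encodeForJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (isAlphaNum(c)) sb.append(c);
            else if (c < 256) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    private static boolean isAlphaNum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for request.getAttribute("username").
        String username = "O'Neil</script><script>alert(1)</script>";

        // The JSP in the thread writes the value into a single-quoted JS string,
        // so it needs exactly one pass of the JavaScript-string encoder.
        String jsLine = "document.getElementById(\"login\").value = '"
                + encodeForJavaScript(username) + "';";
        System.out.println("JS string context : " + jsLine);

        // The same value emitted between tags or inside an attribute needs a
        // different encoder; the context decides, not the data.
        System.out.println("HTML body context : <span>" + encodeForHtml(username) + "</span>");
        System.out.println("Attribute context : <input value=\""
                + encodeForHtmlAttribute(username) + "\">");

        // Stacking encoders, as cleanXSS in the thread does, double-encodes: the
        // '&' produced by encodeForHtml is re-escaped, so the login field ends up
        // showing the literal text "&lt;" instead of the intended character.
        String stacked = encodeForJavaScript(encodeForHtml(username));
        System.out.println("Stacked encoders  : " + stacked);

        // Encoding a finished response, as the filter approach does, turns the
        // page's own markup into text, which is the breakage Juan describes.
        String page = "<html><body><b>Hi</b></body></html>";
        System.out.println("Whole-response    : " + encodeForHtml(page));
    }
}
```

Compile and run with `javac ContextEncoder.java && java ContextEncoder`. The first three lines of output are the safe forms for each context; the last two show why neither stacking encoders nor encoding the whole rendered response gives a usable page.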