
List:       websecurity
Subject:    Re: [WEB SECURITY] Implementation of Global Output Encoder with ESAPI
From:       Liu Yu <yu.liu () nosec ! org>
Date:       2010-05-12 15:34:09
Message-ID: AANLkTikMNbMyIgrHsOR0gbdGl70thvmvVFCfk2pjcaBn () mail ! gmail ! com

After you have implemented your web application, you need a tool to verify
whether your work was done well. Maybe you should take a look at iiScan (iiscan.com),
a free online web application security scanner. Try it.

BEST REGARDS TO YOU AND YOUR FAMILY

Liu Yu
MSN: zwell@yeah.net
Tel: +86 755 8251 9327
NOSEC Technologies Co., Ltd

NOTICE: This communication is intended ONLY for the use of the person or
entity named above and may contain information that is confidential or
legally privileged. If you are not the intended recipient named above or a
person responsible for delivering messages or communications to the intended
recipient, YOU ARE HEREBY NOTIFIED that any use, distribution, or copying of
this communication or any of the information contained in it is strictly
prohibited. If you have received this communication in error, please notify
us immediately by telephone and then destroy or delete this communication,
or return it to us by mail if requested by us.




On 11 May 2010 13:25, Erlend Oftedal <erlend@oftedal.no> wrote:

>
> I agree with Juan. I think you need to look a bit more at what exactly
> ESAPI is meant to do. It's not a purifier, but an encoder. And the different
> methods should be called depending on context, so it means you
> will have to change your JSPs everywhere when you are printing user
> provided content.
>
> Check the OWASP prevention cheat sheet.
>
> http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
>
> You use encodeForHTML when you are printing input between tags (#1 in the
> cheat sheet)
> You use encodeForHTMLAttribute when you are printing input within the
> attribute of a tag (#2 in the cheat sheet).
> etc. etc.
>
> And you have to be careful to avoid DOM-based XSS.
>
> Trying to do all of this as an output filter is difficult (and probably
> impossible), because you no longer know in which context you are printing
> the input.
>
> Best regards
> Erlend Oftedal
>
>
>
> On Mon, 10 May 2010, Calderon, Juan Carlos (GE, Corporate, consultant)
> wrote:
>
>> I might be missing something, but from my point of view it is not
>> possible to do what you intend with a filter, this is because by the
>> time you hit the filter all the response HTML is already created, so
>> there is no way to isolate specific variables or pieces of content
>> (except by parsing the HTML that will be even more work). Also if you
>> encode all the HTML then you will see the response HTML displayed in the
>> browser as text but not interpreted as usual. So the only centralization
>> I can see you can do is to have a global function or a JSP tag to use
>> everywhere in your JSPs.
>>
>> Maybe a massive replace of out.print and <%= can do the job, yet you
>> will have to validate you don't break the application.
>>
>> Regards,
>> Juan Carlos
>>
>> ________________________________
>>
>> From: Kesavanarayanan, Ramesh
>> [mailto:Ramesh.Kesavanarayanan@Pearson.com]
>> Sent: Friday, 07 May 2010 03:23 p.m.
>> To: websecurity@webappsec.org
>> Subject: [WEB SECURITY] Implementation of Global Output Encoder with
>> ESAPI
>> Importance: High
>>
>>
>>
>> I have a question on the output encoding using the ESAPI.
>>
>> In my application I tried to implement the ESAPI for the response output
>> encoding in a centralized manner so that I do not need to change every
>> JSP page in my application.
>>
>> The following is the piece of code I have written using my
>> sessionFilter.
>>
>> import java.io.CharArrayWriter;
>> import java.io.IOException;
>> import javax.servlet.*;
>> import javax.servlet.http.*;
>> import org.owasp.esapi.ESAPI;
>>
>>     public void doFilter(ServletRequest request, ServletResponse response,
>>                          FilterChain chain) throws ServletException, IOException {
>>         HttpServletRequest httpRequest = (HttpServletRequest) request;
>>         HttpServletResponse httpResponse = (HttpServletResponse) response;
>>         HttpSession session = httpRequest.getSession();
>>         ServletResponse newResponse = null;
>>         if (request instanceof HttpServletRequest) {
>>             newResponse = new CharResponseWrapper((HttpServletResponse) response);
>>         }
>>         // The original response, not the wrapper, is handed down the chain,
>>         // so the JSP writes straight to the client and the wrapper captures nothing.
>>         chain.doFilter(request, response);
>>         String text = newResponse.toString();
>>         text = text.toUpperCase();
>>         // Every encoder applied in sequence to the whole response body.
>>         text = ESAPI.encoder().encodeForHTML(text);
>>         text = ESAPI.encoder().encodeForHTMLAttribute(text);
>>         text = ESAPI.encoder().encodeForJavaScript(text);
>>         text = ESAPI.encoder().encodeForCSS(text);
>>         CharArrayWriter caw = new CharArrayWriter();
>>         if (text != null) {
>>             try {
>>                 caw.write(text);
>>                 response.getWriter().write(caw.toString());
>>             } catch (java.lang.IllegalStateException ille) {
>>                 // Thrown when the response is already committed or getOutputStream() was used.
>>             }
>>         }
>>     }
>>
>> In my JSP I have the code as follows
>>
>> Not working
>>
>> <script>
>> function setUserName(){
>>     document.getElementById("login").value = '<%= (String)request.getAttribute("username") %>';
>> }
>> </script>
>>
>> Working
>>
>> <%!
>>     String cleanXSS(String value) {
>>         value = ESAPI.encoder().encodeForHTML(value);
>>         value = ESAPI.encoder().encodeForHTMLAttribute(value);
>>         value = ESAPI.encoder().encodeForJavaScript(value);
>>         value = ESAPI.encoder().encodeForCSS(value);
>>         return value;
>>     }
>> %>
>>
>> <script>
>> function setUserName(){
>>     document.getElementById("login").value = '<%= cleanXSS((String)request.getAttribute("username")) %>';
>> }
>> </script>
>>
>> As you can see I expect the response to be updated with the ESAPI
>> functions, but somewhere I lose the ESAPI. The idea for me is to
>> centralize the output encoding so that it saves me time and effort.
>>
>> Appreciate if you have any pointers on the same.
>>
>> Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972
>> (O) |  /  319-621-7641 (M)   | ramesh.kesavanarayanan@pearson.com
>>
>>
>>
>
>
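An added example, not code from the thread or from ESAPI, that plays out Erlend's and Juan's points with small stand-in encoders: the post's cleanXSS() chain turns the name O'Brien into garbage in the login field, a single context-appropriate encodeForJavaScript keeps the value intact inside the JS string literal while still neutralising quotes and tags, and HTML-encoding the finished response, as the filter tries to, turns the page's own markup into visible text. The encoder bodies, cleanXSS, renderLoginScript, jsStringValue and globalOutputFilter are constructed for this example and are only loosely modelled on ESAPI's behaviour.

```javascript
// Added example (not from the thread or ESAPI): tiny stand-ins for the encoders
// the post chains. Real ESAPI encoders cover far more characters and contexts.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function hex2(code) {
  return code.toString(16).toUpperCase().padStart(2, '0');
}

// Cheat sheet rule #1: value placed as text between tags.
function encodeForHTML(s) {
  return s.replace(/[&<>"']/g, c => HTML_MAP[c]);
}

// Cheat sheet rule #2: value placed inside an attribute value (&#xHH; form).
function encodeForHTMLAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => '&#x' + hex2(c.charCodeAt(0)) + ';');
}

// Cheat sheet rule #3: value placed inside a JavaScript string literal (\xHH / \uHHHH).
function encodeForJavaScript(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + hex2(code) : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// The post's cleanXSS(): every encoder in sequence, whatever the context
// (the CSS stage is left out here; it only makes the result longer).
function cleanXSS(value) {
  return encodeForJavaScript(encodeForHTMLAttribute(encodeForHTML(value)));
}

// The JSP from the post: the value lands inside a single-quoted JS string literal.
function renderLoginScript(encodedUsername) {
  return '<script>function setUserName(){document.getElementById("login").value=\''
    + encodedUsername + '\';}</script>';
}

// What the browser's JS engine yields for the literal body once it parses the
// \xHH and \uHHHH escapes, i.e. the string that actually ends up in the login field.
function jsStringValue(literalBody) {
  return literalBody.replace(/\\(?:x([0-9A-F]{2})|u([0-9A-F]{4}))/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Juan's objection to a whole-response filter: by the time the filter runs the
// page is finished markup, and HTML-encoding all of it turns that markup into text.
function globalOutputFilter(responseBody) {
  return encodeForHTML(responseBody);
}
```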
