XAP ESAPI Prevention for url custom property

One of my REST APIs expects a "url" property, which expects URLs as input from a user. I use ESAPI to prevent XSS attacks. The problem is that the custom url is similar to

http://example.com/alpha?abc=def&phil=key%3dbdj

The canonicalize method from the ESAPI encoder throws an intrusion exception stating that the input has mixed encoding, because it is URL encoded and the "&phi" snippet is treated as HTML encoded, and thus an exception.

I had a similar problem with sanitizing one of my application URLs, where the second request parameter started with "pa" or "pi" and was converted to delta or pi characters by HTML decoding. Please refer to my stack overflow.site/questions/1539050 / ...

Now, the problem is that, since the entire URL comes as input from the user, I cannot just parse the request parameters and sanitize them separately, as malicious input can be created by combining two request parameters, so sanitizing them myself would not work in this case.

Example: "&ltscr" as the last part of the first request parameter value, and "ipt&gtalert(0);" or something similar in the first part of the next one, in the context of handling query parameters.

Has anyone encountered a similar problem? I would really like to know what solutions you have implemented. Thanks for any pointers.

EDIT: the answer below from 'avgvstvs' does not throw an intrusion exception (thanks!!). However, the canonicalize method now changes the original input string. ESAPI treats the "&phi" in the request parameter as an HTML-encoded character and replaces it with a '?' character. Similar to my previous question linked here. The difference is that there it was the URL of my application, while here it is user input. Is whitelisting my only option here?

1 answer

, , , URL- - 4 URL-, . -, , Java URL-, UriBuilder. URL .

, , URL- , , .

java.net.URI.

:

URI dirtyURI = new URI("http://example.com/alpha?abc=def&phil=key%3dbdj");

String cleanURIStr = enc.canonicalize( dirtyURI.getPath() );

URI.getPath() URL-, , enc.canonicalize() , , URL. URI.getPath() , URL.

, API , URL-, , URL. - GET, , - .

============= JUNIT ============

package org.owasp.esapi;

import java.net.URI;
import java.net.URISyntaxException;

import org.junit.Test;

public class TestURLValidation {

    @Test
    public void test() throws URISyntaxException {
        Encoder enc = ESAPI.encoder();
        String input = "http://example.com/alpha?abc=def&phil=key%3dbdj";
        URI dirtyURI = new URI(input);
        enc.canonicalize(dirtyURI.getQuery());

    }

}

================= =====================

: Encoder.canonicalize() Java. URL-, , , , , . - , , Encoder.canonicalize().

, URI .

1: URI, URI.getQuery() 2. . httpclient-4.3.3.jar httpcore-4.3.3.jar . - :

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Iterator;
import java.util.List;

import javax.ws.rs.core.UriBuilder;

import org.apache.http.client.utils.URLEncodedUtils;
import org.junit.Test;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

public class TestURLValidation
{

  @Test
  public void test() throws URISyntaxException {
    Encoder enc = ESAPI.encoder();
    String input = "http://example.com/alpha?abc=def&phil=key%3dbdj";
    URI dirtyURI = new URI(input);
    UriBuilder uriData = UriBuilder.fromUri(enc.canonicalize(dirtyURI.getScheme()));
    uriData.path(enc.canonicalize(enc.canonicalize(dirtyURI.getAuthority() + dirtyURI.getPath())));
    println(uriData.build().toString());
    List<org.apache.http.NameValuePair> params = URLEncodedUtils.parse(dirtyURI, "UTF-8");
    Iterator<org.apache.http.NameValuePair> it = params.iterator();
    while(it.hasNext()) {
      org.apache.http.NameValuePair nValuePair = it.next();
      uriData.queryParam(enc.canonicalize(nValuePair.getName()), enc.canonicalize(nValuePair.getValue()));
    }
    String canonicalizedUrl = uriData.build().toString();
    println(canonicalizedUrl);
  }

  public static void println(String s) {
    System.out.println(s);
  }

}

, , inputURL ( ), , .

, , , URL-... URL-, ///. ( , , .)

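The asker's edit notes that "&phil=" loses its "&phi" to ESAPI's HTML entity decoding, and the answer's second test splits the query before canonicalizing. The following is an added example (not code from the question, the answer, or the ESAPI project) that makes that ordering explicit: split the raw query on "&" and "=", percent-decode each name and value exactly once with java.net.URLDecoder, and only then call ESAPI's strict canonicalize so it never sees mixed encoding but still rejects double encoding. The class name QueryParamCanonicalizer and the helper are hypothetical; it assumes ESAPI 2.x and Java 10+ (for URLDecoder.decode(String, Charset)).

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.IntrusionException;

public class QueryParamCanonicalizer {

    // Splits the RAW (still percent-encoded) query on '&' and '=' before any
    // decoding, so the "&phi" inside "...&phil=..." never reaches ESAPI's HTML
    // entity decoder. Each name and value is percent-decoded once, then handed
    // to canonicalize(input, strict=true): with no URL encoding left, there is
    // no "mixed encoding", but double encoding or entity smuggling still throws
    // IntrusionException, which a sanitizer should reject rather than repair.
    public static Map<String, String> canonicalizeQuery(URI uri) {
        Encoder enc = ESAPI.encoder();
        Map<String, String> clean = new LinkedHashMap<>();
        String rawQuery = uri.getRawQuery();   // getQuery() would decode too early
        if (rawQuery == null || rawQuery.isEmpty()) {
            return clean;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            String rawValue = eq < 0 ? "" : pair.substring(eq + 1);
            // URLDecoder follows form encoding: '+' becomes a space, %3d becomes '='
            String name = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
            String value = URLDecoder.decode(rawValue, StandardCharsets.UTF_8);
            clean.put(enc.canonicalize(name, true), enc.canonicalize(value, true));
        }
        return clean;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the URL from the question
        URI input = new URI("http://example.com/alpha?abc=def&phil=key%3dbdj");
        try {
            // Expected result: {abc=def, phil=key=bdj}; "phil" survives intact
            System.out.println(canonicalizeQuery(input));
        } catch (IntrusionException e) {
            // Reached for double-encoded input such as "%253cscript%253e"
            System.out.println("rejected: " + e.getLogMessage());
        }
    }
}
```

The returned map holds decoded, canonical values that still must be validated against the application's allow-list before use; canonicalization only makes that validation see the same bytes the downstream consumer will.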

Source: https://habr.com/ru/post/1539037/
