OWASP ESAPI Encoding

Posted on November 3, 2012. Filed under: java/j2EE |


The following example servlet is vulnerable to reflected cross-site scripting (XSS): both query parameters are written into the response with no output encoding, and they land in three different contexts (HTML body text, a single-quoted HTML attribute value, and a single-quoted JavaScript string inside a `<script>` block), each of which needs its own encoding.

ATTACK

http://localhost:8080/test-app/ESAPIEncoderTest?par1=<script>alert('hackpar1')</script>&par2=hehe');>alert('hackpar2')</script>

(The payload text has been altered by the blog's formatting — curly quotes and a dropped `<` are restored above, but the par2 payload as shown may not be exactly what was sent; its intent is to close the `document.write('…')` string literal and inject script. URL-encode the payload when you actually send it.)

–ESAPITestServlet.java–

package testPackage;

import java.io.IOException;

import java.io.PrintWriter;

import javax.servlet.ServletException;

import javax.servlet.annotation.WebServlet;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

@WebServlet("/ESAPIEncoderTest")
public class ESAPITestServlet extends HttpServlet {

    /**
     * Intentionally vulnerable demo: both query parameters are written into
     * the response without any output encoding. Each concatenation below is a
     * reflected-XSS sink in a different context (HTML body, single-quoted HTML
     * attribute, single-quoted JavaScript string literal).
     *
     * @param request  the incoming GET request; par1 and par2 are attacker-controlled
     * @param response the response that receives the unencoded parameters
     * @throws ServletException propagated from the servlet container
     * @throws IOException if the response writer cannot be obtained or written
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter writer = response.getWriter();

        // getParameter() returns null when the parameter is absent; the
        // concatenation then prints the literal text "null".
        String par1 = request.getParameter("par1");
        String par2 = request.getParameter("par2");

        StringBuilder page = new StringBuilder();
        page.append("<html>\n");
        page.append("<head>Test ESAPIEncoder xxs demo</head>\n");
        page.append("<body>\n");
        // SINK 1: raw HTML body context -- a "<script>" tag in par1 is rendered as markup.
        page.append("<br><br>par1=").append(par1);
        // SINK 2: raw HTML body context -- same problem for par2.
        page.append("<br><br>par2=").append(par2);
        // SINK 3: single-quoted attribute value -- a "'" in par1 closes the
        // attribute and lets the attacker add attributes / event handlers.
        page.append("<br><br><input type='text' value='par1=").append(par1).append("'>");
        // SINK 4: single-quoted JavaScript string -- a "'" or "</script>" in
        // par2 breaks out of the literal or out of the script block.
        page.append("<br>par2 length=<script>document.write('").append(par2).append("')</script>");
        page.append("</body></html>");

        writer.println(page.toString());
    }

}

DEFENSE

With ESAPI output encoding applied, each reflected value is encoded for the context it is written into (HTML body, HTML attribute value, JavaScript string), which neutralises the attack above. Every reflection point must be covered: a single forgotten sink — for example a parameter echoed straight into the HTML body — leaves the page exploitable, and using the wrong encoder for a context (HTML encoding inside a `<script>` string, say) is not sufficient either.

(To use ESAPI with Tomcat 7, obtain ESAPI-1.4.4.jar from the official OWASP ESAPI release and put it under WEB-INF/lib. ESAPI also expects its ESAPI.properties configuration on the classpath — confirm the requirement for the version you deploy.)

— ESAPITestServlet —

package testPackage;

import java.io.IOException;

import java.io.PrintWriter;

import javax.servlet.ServletException;

import javax.servlet.annotation.WebServlet;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.*;

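@WebServlet("/ESAPIEncoderTest")
public class ESAPITestServlet extends HttpServlet {

    /**
     * Reflects par1 and par2 into the response, encoding each value for the
     * exact context it lands in: HTML body text, single-quoted HTML attribute
     * value, and single-quoted JavaScript string literal.
     *
     * Fix relative to the earlier version of this listing: par2 was still
     * concatenated unencoded into the HTML body, which left one working
     * reflected-XSS sink even though the other three were encoded.
     *
     * @param request  the incoming GET request; par1 and par2 are attacker-controlled
     * @param response the response that receives the encoded parameters
     * @throws ServletException propagated from the servlet container
     * @throws IOException if the response writer cannot be obtained or written
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Declare the charset explicitly so the browser cannot be induced to
        // sniff a different encoding for the (encoded) output.
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();

        // May be null when a parameter is absent; the ESAPI encoders are
        // expected to pass null through (page then shows "null") -- confirm for
        // the ESAPI version in use.
        String par1 = request.getParameter("par1");
        String par2 = request.getParameter("par2");

        // One encoder instance for all four sinks.
        Encoder encoder = ESAPI.encoder();

        out.println(
            "<html>\n"
            + "<head>Test ESAPIEncoder xxs demo</head>\n"
            + "<body>\n"
            // HTML body context
            + "<br><br>par1=" + encoder.encodeForHTML(par1)
            // HTML body context -- this sink was previously left unencoded
            + "<br><br>par2=" + encoder.encodeForHTML(par2)
            // single-quoted attribute value: attribute encoding also escapes ' and "
            + "<br><br><input type='text' value='par1=" + encoder.encodeForHTMLAttribute(par1) + "'>"
            // JavaScript string literal inside <script>: JS encoding escapes
            // quotes, backslashes and '<', so "</script>" cannot close the block
            + "<br>par2 length=<script>document.write('" + encoder.encodeForJavaScript(par2) + "')</script>"
            + "</body></html>");
    }

}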
