
I've a question regarding the OWASP ESAPI interface for XSS protection. To keep it simple, short and straight: I'm doing a source code review using Fortify. The application implements ESAPI and makes a call to ESAPI.encoder().canonicalize(user input), does not do any further validation, and prints the output. Is this still vulnerable to XSS? PS: The reflection point is inside an HTML element. I've gone through all the posts regarding the ESAPI interface on Stack Overflow, but couldn't quite get it. Any help would be appreciated.

  • Let me know if any further information is required on this. Sorry if my way of presenting the question is odd. Thanks in advance Commented Dec 21, 2017 at 17:48

1 Answer


canonicalize alone doesn't prevent XSS at all. It decodes data, but you want the opposite: to encode the data.

Not only does it allow content like <script>alert(1)</script> straight through, but it also decodes &lt;script&gt;alert(1)&lt;/script&gt; from a non-executable script to an executable one.

The method you want instead is encodeForHTML. This will encode the data so it can be inserted safely into an HTML context, so < will become &lt; and so on.

Also, check whether you're already doing HTML encoding somewhere else by checking whether these characters are accepted. Some templating languages and tags do encoding automatically.

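The two patterns from the answer side by side, as an added example that is not part of the original post. It assumes ESAPI 2.x on the classpath together with a valid ESAPI.properties, which the static ESAPI.encoder() accessor needs at start-up; the class and method names vulnerableRender, safeRender and arrivedEncoded are this example's own, not ESAPI's.

```java
// Added example, not code from the original question or from ESAPI itself.
// Assumes ESAPI 2.x and an ESAPI.properties file on the classpath.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.IntrusionException;

public class CanonicalizeVsEncode {

    // The pattern found in the review: canonicalize the input and reflect it into
    // an HTML element. canonicalize() only DECODES (entities, percent-encoding, ...),
    // so any markup in the input, encoded or not, reaches the page as live markup.
    static String vulnerableRender(String userInput) {
        Encoder enc = ESAPI.encoder();               // returns the Encoder object; encodes nothing by itself
        String canonical = enc.canonicalize(userInput);
        return "<div>" + canonical + "</div>";       // reflected unencoded: XSS
    }

    // The fix: canonicalize first so validation sees one unambiguous form, then
    // encode for the HTML element context at the point of output.
    static String safeRender(String userInput) {
        Encoder enc = ESAPI.encoder();
        String canonical;
        try {
            // restrictMultiple / restrictMixed = true: double- or mixed-encoded input
            // (e.g. %253C, or entity plus percent encoding) is rejected by ESAPI
            // with an IntrusionException instead of being silently unwrapped.
            canonical = enc.canonicalize(userInput, true, true);
        } catch (IntrusionException e) {
            return "<div></div>";                    // or log and reject the request
        }
        // Any allow-list validation of the canonical value belongs here.
        return "<div>" + enc.encodeForHTML(canonical) + "</div>";
    }

    // Helper for the "am I already encoding somewhere?" check from the answer:
    // if canonicalization changes the value, the input arrived with some encoding
    // applied (by a browser, a previous layer, or an attacker).
    static boolean arrivedEncoded(String userInput) {
        return !ESAPI.encoder().canonicalize(userInput).equals(userInput);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, the two payloads from the answer above.
        String plain  = "<script>alert(1)</script>";
        String entity = "&lt;script&gt;alert(1)&lt;/script&gt;";

        // Both reach the page as a live <script> element: the second one because
        // canonicalize() turned the entities back into angle brackets.
        System.out.println("vulnerable, plain : " + vulnerableRender(plain));
        System.out.println("vulnerable, entity: " + vulnerableRender(entity));

        // Both come out with '<', '>' and the other HTML-significant characters
        // entity-encoded, so the browser renders them as text.
        System.out.println("safe, plain       : " + safeRender(plain));
        System.out.println("safe, entity      : " + safeRender(entity));

        System.out.println("entity input arrived encoded: " + arrivedEncoded(entity));
    }
}
```

Run the main method once and compare the four lines: the vulnerableRender outputs contain a raw <script> tag in both cases, which is what Fortify is flagging, while the safeRender outputs contain only entity-encoded text. Note that canonicalize and encodeForHTML are not inverses you can chain casually: canonicalize belongs before validation, encodeForHTML belongs at the output sink, and the output context (HTML element here; an attribute, JavaScript string or URL would each need a different encodeFor* method) decides which encoder is correct.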

8 Comments

Have a small doubt here. Here we are also calling the encoder as well, by using ESAPI.encoder().canonicalize(). So doesn't the encoder encode the decoded output from the canonicalize method?
@itzkmv The encoder will only do encoding if you call one of the encoding methods on it. A few of the methods do decoding instead.
Have a doubt: doesn't the encode method in ESAPI.encoder().canonicalize() encode the decoded output of the canonicalize method?
Thanks for the concise yet precise answer.
No, the ESAPI.encoder method retrieves the encoder object. It doesn't do anything with the strings until you call the specific methods on it.
