Comments (6)
kwwall
commented on May 31, 2024
2
@jmanico - What @forgedhallpass hall pass is saying is remove that blatant lie in the comment from your Java Encoder source code. ;-)
@forgedhallpass - Seriously, the beauty of FOSS is that you can take its source code and change it to whatever you want. The ESAPI license is one of the most liberal FOSS licenses out there (BSD 3), so the better approach (instead of building a WAF) is to just use the ESAPI WAF and canonicalization and rip out all the parts that you don't need. (Or maybe consider OWASP AppSensor, which is WAF-like). Or use a real WAF; if you want a free one, mod_security and the OWASP Core Rules Set works for a lot of people.
from owasp-java-encoder.
jmanico
commented on May 31, 2024
There is no plans to add validation or canonicalization to the OWASP Java Encoder library. It’s not likely ever to appear in the Java Encoder Library even if donated. Our library is a single-purpose library for contextual output encoding. Validation strategies like you describe are doomed to fail in out opinion. If you can’t get your developers to focus on proper encoding and HTML sanitization and other necessary user interface security techniques then I recommend you look into CSP.
You can also move your developers to react and angular were much of the encoding is done automatically.
If you still want canonicalization and validation routines I recommend you build a separate library for those needs.
Respectfully,
--
Jim Manico
@manicode
… On Dec 9, 2020, at 3:52 AM, forgedhallpass ***@***.***> wrote:
"Please note that with sufficient feedback from the user base, the above
mentioned methods may be implemented in future releases of the OWASP
Java Encoders, if/when that happens, this shim class will be updated to
call out to the new methods.)"
With regards to the quote copied from the org.owasp.encoder.esapi.Encoder class:
It would be nice if this project would support such functionality, independently from the EASPI project.
Use-case:
Contextual encoding is not always possible, especially in case of big legacy projects that use the same database to serve both browser and non-browser clients. To (somewhat) minimize the risk, I have created some pluggable filters that among other things, verify every request (headers, body, cookies) against common XSS payloads (tested against the OWASP XSS cheatsheet). In order for such validations to be successful, the canonicalization of the input is necessary.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
from owasp-java-encoder.
forgedhallpass
commented on May 31, 2024
Hello Jim,
Thank you for your answer. I agree with your points about contextual encoding, but as I said it is not always that trivial (e.g. large legacy code base). I've created my own small pluggable WAF library as an additional layer of security and I want to get rid of ESAPI because I am only using its canonicalization feature. Since I've seen the above quoted comment in the code I thought it was worth asking.
p.s. I also know that creating your own WAF is not ideal, but it's a "better than nothing option" for clients who can't set up or do not want to invest into dedicated WAF solutions.
All the best.
from owasp-java-encoder.
forgedhallpass
commented on May 31, 2024
I've tried to be subtle, but indeed that comment from the code could be removed :-)
@kwwall as I wrote in the other ESAPI issue, I have already extracted the logic I need, but wanted to have a short discussion to see what other (maybe better) options are out there and to know whether I could make my changes in a way that would potentially benefit the OSS community as well.
Currently for SaaS we have commercial WAF from CloudFlare and reverse proxies with custom rules, but I also wanted to provide at least some basic, embedded, "self-defense" measures for the other deployment strategies.
I haven't heard of the OWASP AppSensor, but I will look into it, thanks for the tip.
from owasp-java-encoder.
jmanico
commented on May 31, 2024
We do not wish to add validation or canonizalization to our Encoding
library. But if you want to fork our code and use it to build your own
canonizalization lib, I totally support that!
Aloha, Jim
On 12/9/20 5:18 PM, Kevin W. Wall wrote:
@jmanico <https://github.com/jmanico> - What @forgedhallpass
<https://github.com/forgedhallpass> hall pass is saying is remove that
blatant lie in the comment from your Java Encoder source code. ;-)
@forgedhallpass <https://github.com/forgedhallpass> - Seriously, the
beauty of FOSS is that you can take its source code and change it to
whatever you want. The ESAPI license is one of the most liberal FOSS
licenses out there (BSD 3), so the better approach (instead of
building a WAF) is to just use the ESAPI WAF and canonicalization and
rip out all the parts that you don't need. (Or maybe consider OWASP
AppSensor, which is WAF-like). Or use a real WAF; if you want a free
one, mod_security and the OWASP Core Rules Set works for a lot of people.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#43 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEBYCJZ355T5UUFSU54GDDSUA4Z7ANCNFSM4UTQSF5Q>.
--
Jim Manico
Manicode Security
https://www.manicode.com
from owasp-java-encoder.
jmanico
commented on May 31, 2024
The main tech I suggest you consider is a strict-dynamic CSP policy!
- Jim
On 12/9/20 6:04 AM, forgedhallpass wrote:
Hello Jim,
Thank you for your answer. I agree with your points about contextual
encoding, but as I said it is not always that trivial (e.g. large
legacy code base). I've created my own small pluggable WAF library as
an additional layer of security and I want to get rid of ESAPI because
I am only using its canonicalization feature. Since I've seen the
above quoted comment in the code I thought it was worth asking.
p.s. I also know that creating your own WAF is not ideal, but it's a
"better than nothing option" for clients who can't set up or do not
want to invest into dedicated WAF solutions.
All the best.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#43 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEBYCIEPQBV7GX352EM72TST6N2TANCNFSM4UTQSF5Q>.
--
Jim Manico
Manicode Security
https://www.manicode.com
from owasp-java-encoder.
Related Issues (20)
- Rename main branch HOT 1
- Create encode for URL function HOT 9
- JavaScriptEncoder escapes "-" what makes dates escaped HOT 6
- Create an encodeForEmail() function HOT 4
- Possible to inject expression property resulting XSS attack in IE browser by using certain document modes HOT 2
- Please sign the jar HOT 12
- Documentation Frames Broken by Content-Security-Policy HOT 1
- Process for reporting possible security vulnerabilties
- Correct javadoc for Encode class HOT 1
- Javadoc link is broken HOT 4
- Alternative method for deprecated forUri() method HOT 1
- Jsp tags not working together with EL expressions HOT 3
- log4j 1.2.17 dependency HOT 6
- Compile error HOT 6
- Any plans for a version using Jakarta Servlet 5.0? HOT 4
- Automatic module name not included in manifest
- I couldn't sanitize the vector "<%<!--'%><script>alert(1);</script -->", using the methods available in "encoder-1.2.3.jar". HOT 3
- Combining OWASP Sanitizer and Encoder HOT 4
- Confusing example in Encode.forHtmlAttribute docs HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from owasp-java-encoder.