XSS – Java Secure Coding
Using Security Encoding Library
- Download ESAPI.jar from the ESAPI Project page, and add it to library of the project.
- Import the package in jsp page: <%@ page language=”java” import=”org.owasp.esapi.*” %>
- Add code according to the different cases:
Case #1
HTML escape before inserting untrusted data into HTML element content.
<% String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) ); %> <div><%= safe %></div>
Case #2
Attribute escape before inserting untrusted data into HTML common attributes.
<% String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) ); %> <div attr='<%= safe %>'></div>
Case #3
JavaScript escape before inserting untrusted data into JavaScript data values.
<% String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) ); %> <script>alert('<%= safe %>')</script> <input type=’button’ onclick=”alert('<%= safe %>')”>
Case #4
URL escape before inserting untrusted data into HTML URL parameter values.
<% String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) ); %> <a href='http://www.victim-site.com?test=<%= safe %>'>link</a >
References
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/es…
http://code.google.com/p/owasp-esapi-java/downloads/list
Hi,
I tried using ESAPI for Case#1.
Am trying to use OWASP ESAPI library in my web app to escape request parameters in JSPs as below ESAPI.encoder().encodeForHTML(request.getParameter()).
I have added esapi-2.1.0.jar under WEB-INF/lib but I get the below exception
org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail. org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)
But I couldnt find ESAPI.properties in the JAR file. Any idea where I can get this? Also where should I place this properties file? Please help.