ESAPI Swingset Interactive - XSS
Background
Validation is the cornerstone of a secure application.
The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted, because the client has every opportunity to tamper with it.
In many cases, encoding has the potential to defuse attacks that rely on a lack of input validation. For example, applying HTML entity encoding to user input before it is sent to a browser will prevent most XSS attacks. However, simply preventing attacks is not enough - you must also perform intrusion detection in your applications. Otherwise, you are allowing attackers to attack your application repeatedly until they find a vulnerability that you haven't protected against. Detecting attempts to find these weaknesses is a critical protection mechanism.
Input validation using ESAPI's Validator interface:
The Validator interface defines a set of methods for canonicalizing and validating untrusted input. Implementors should feel free to extend this interface to accommodate their own data formats. Rather than throw exceptions, this interface returns boolean results because not all validation problems are security issues. Boolean returns allow developers to handle both valid and invalid results more cleanly than exceptions.
This lesson demonstrates the use of ESAPI's Validator interface to validate user input. In the insecure demonstration the user input is not validated, so any input in the box becomes part of the webpage. If you enter a script in the field, it will become part of the page and will run.
EXAMPLE: <script>alert(document.cookie)</script>
To fix this problem, we can use the following method of ESAPI's Validator interface:
ESAPI.validator().getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList)
It returns canonicalized and validated input as a String. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException. Instead of throwing a ValidationException on error, this variant stores the exception in the ValidationErrorList.
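The fix described above, written out as a servlet. This is an added example, not Swingset or ESAPI code: the servlet class, the "name" form field and the 50-character limit are assumptions made for the illustration. The insecure method concatenates the raw parameter into the page exactly as the lesson's vulnerable form does; the fixed method passes it through getValidInput with a ValidationErrorList, and only a value that survived the whitelist is written out, HTML-encoded. "SafeString" refers to the Validator.SafeString pattern shipped in the default ESAPI.properties.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationErrorList;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example (not Swingset code): the "name" field echoed back to the page,
 * first the way the insecure lesson does it, then validated with getValidInput.
 * The servlet, the "name" parameter and MAX_LENGTH are assumptions for this example.
 */
public class EchoNameServlet extends HttpServlet {

    // "SafeString" selects the Validator.SafeString pattern from ESAPI.properties
    // (alphanumerics, '.' and whitespace in the default configuration).
    private static final String TYPE = "SafeString";
    private static final int MAX_LENGTH = 50;

    /** Insecure: whatever was typed, script tags included, becomes part of the page. */
    static String insecureEcho(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    /**
     * Fixed: canonicalize and validate against the whitelist. Rejected input never
     * reaches the page. With the errorList variant no ValidationException is thrown;
     * the caller inspects the list. Input that is clearly an attack still raises
     * IntrusionException (unchecked), which ESAPI's intrusion detector records.
     */
    static String validatedEcho(String name, ValidationErrorList errors) {
        String valid = ESAPI.validator().getValidInput(
                "name", name, TYPE, MAX_LENGTH, /* allowNull */ false, errors);
        if (!errors.isEmpty()) {
            return null; // nothing derived from the rejected input is echoed
        }
        // Validation narrows what can reach the page; output encoding is still applied
        // to every value written into HTML.
        return "<p>Hello, " + ESAPI.encoder().encodeForHTML(valid) + "</p>";
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();

        ValidationErrorList errors = new ValidationErrorList();
        String html = validatedEcho(req.getParameter("name"), errors);
        if (html != null) {
            out.println(html);
            return;
        }
        // Show the user-facing message only; the log message, which carries the
        // offending input, belongs in the server log, not in the response.
        resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        for (ValidationException e : errors.errors()) {
            out.println("<p>" + ESAPI.encoder().encodeForHTML(e.getUserMessage()) + "</p>");
        }
    }
}
```

With this in place the lesson's EXAMPLE string fails the SafeString pattern (angle brackets and parentheses are outside the whitelist), so the response is a 400 with the validation message rather than a page containing the script. The encodeForHTML call is kept even though the input was validated, because the whitelist is a property of ESAPI.properties and may be relaxed later without anyone revisiting this servlet.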
ESAPI's Validator interface includes the following methods:
- void assertIsValidHTTPRequest()
Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed characters.
- void assertIsValidHTTPRequestParameterSet(String context, Set required, Set optional)
Validates that the parameters in the current request contain all required parameters and only optional ones in addition.
- void assertIsValidHTTPRequestParameterSet(String context, Set required, Set optional, ValidationErrorList errorList)
Validates that the parameters in the current request contain all required parameters and only optional ones in addition.
- void assertValidFileUpload(String context, String filepath, String filename, byte[] content, int maxBytes, boolean allowNull)
Validates the filepath, filename, and content of a file.
- void assertValidFileUpload(String context, String filepath, String filename, byte[] content, int maxBytes, boolean allowNull, ValidationErrorList errorList)
Validates the filepath, filename, and content of a file.
- String getValidCreditCard(String context, String input, boolean allowNull)
Returns a canonicalized and validated credit card number as a String.
- String getValidCreditCard(String context, String input, boolean allowNull, ValidationErrorList errorList)
Returns a canonicalized and validated credit card number as a String.
- Date getValidDate(String context, String input, java.text.DateFormat format, boolean allowNull)
Returns a valid date as a Date.
- Date getValidDate(String context, String input, java.text.DateFormat format, boolean allowNull, ValidationErrorList errorList)
Returns a valid date as a Date.
- String getValidDirectoryPath(String context, String input, boolean allowNull)
Returns a canonicalized and validated directory path as a String.
- String getValidDirectoryPath(String context, String input, boolean allowNull, ValidationErrorList errorList)
Returns a canonicalized and validated directory path as a String.
- Double getValidDouble(String context, String input, double minValue, double maxValue, boolean allowNull)
Returns a validated real number as a double.
- Double getValidDouble(String context, String input, double minValue, double maxValue, boolean allowNull, ValidationErrorList errorList)
Returns a validated real number as a double.
- byte[] getValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull)
Returns validated file content as a byte array.
- byte[] getValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull, ValidationErrorList errorList)
Returns validated file content as a byte array.
- String getValidFileName(String context, String input, boolean allowNull)
Returns a canonicalized and validated file name as a String.
- String getValidFileName(String context, String input, boolean allowNull, ValidationErrorList errorList)
Returns a canonicalized and validated file name as a String.
- String getValidInput(String context, String input, String type, int maxLength, boolean allowNull)
Returns canonicalized and validated input as a String.
- String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList)
Returns canonicalized and validated input as a String.
- Integer getValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull)
Returns a validated integer.
- Integer getValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull, ValidationErrorList errorList)
Returns a validated integer.
- String getValidListItem(String context, String input, List list)
Returns the list item that exactly matches the canonicalized input.
- String getValidListItem(String context, String input, List list, ValidationErrorList errorList)
Returns the list item that exactly matches the canonicalized input.
- Double getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull)
Returns a validated number as a double within the range of minValue to maxValue.
- Double getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull, ValidationErrorList errorList)
Returns a validated number as a double within the range of minValue to maxValue.
- byte[] getValidPrintable(String context, byte[] input, int maxLength, boolean allowNull)
Returns canonicalized and validated printable characters as a byte array.
- byte[] getValidPrintable(String context, byte[] input, int maxLength, boolean allowNull, ValidationErrorList errorList)
Returns canonicalized and validated printable characters as a byte array.
- String getValidPrintable(String context, String input, int maxLength, boolean allowNull)
Returns canonicalized and validated printable characters as a String.
- String getValidPrintable(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList)
Returns canonicalized and validated printable characters as a String.
- String getValidRedirectLocation(String context, String input, boolean allowNull)
Returns a canonicalized and validated redirect location as a String.
- String getValidRedirectLocation(String context, String input, boolean allowNull, ValidationErrorList errorList)
Returns a canonicalized and validated redirect location as a String.
- String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull)
Returns canonicalized and validated "safe" HTML.
- String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList)
Returns canonicalized and validated "safe" HTML.
- boolean isValidCreditCard(String context, String input, boolean allowNull)
Returns true if input is a valid credit card.
- boolean isValidDate(String context, String input, java.text.DateFormat format, boolean allowNull)
Returns true if input is a valid date according to the specified date format.
- boolean isValidDirectoryPath(String context, String input, boolean allowNull)
Returns true if input is a valid directory path.
- boolean isValidDouble(String context, String input, double minValue, double maxValue, boolean allowNull)
Returns true if input is a valid double within the range of minValue to maxValue.
- boolean isValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull)
Returns true if input is valid file content.
- boolean isValidFileName(String context, String input, boolean allowNull)
Returns true if input is a valid file name.
- boolean isValidFileUpload(String context, String filepath, String filename, byte[] content, int maxBytes, boolean allowNull)
Returns true if a file upload has a valid name, path, and content.
- boolean isValidHTTPRequest()
Returns true if the current HTTP request is valid, comparing its parameters, headers, and cookies to a predefined whitelist of allowed characters.
- boolean isValidHTTPRequestParameterSet(String context, Set required, Set optional)
Returns true if the parameters in the current request contain all required parameters and only optional ones in addition.
- boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull)
Returns true if input is valid according to the specified type.
- boolean isValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull)
Returns true if input is a valid integer within the range of minValue to maxValue.
- boolean isValidListItem(String context, String input, List list)
Returns true if input is a valid list item.
- boolean isValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull)
Returns true if input is a valid number within the range of minValue to maxValue.
- boolean isValidPrintable(String context, byte[] input, int maxLength, boolean allowNull)
Returns true if input contains only valid printable ASCII characters (32-126).
- boolean isValidPrintable(String context, String input, int maxLength, boolean allowNull)
Returns true if input contains only valid printable ASCII characters (32-126).
- boolean isValidRedirectLocation(String context, String input, boolean allowNull)
Returns true if input is a valid redirect location, as defined by "ESAPI.properties".
- boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull)
Returns true if input is "safe" HTML.
- boolean safeReadLine(InputStream inputStream, int maxLength)
Reads from an input stream until end-of-line or a maximum number of characters.
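The methods listed above fall into two styles: the isValid* methods answer yes or no, while the getValid* methods return a typed, canonicalized value and either throw or record their ValidationException in a shared ValidationErrorList. The following added example (not ESAPI or Swingset code) uses that second style to validate one order form end to end: the parameter set is checked with assertIsValidHTTPRequestParameterSet, then each field is validated with getValidInteger, getValidListItem and getValidDate into a single list so the user gets every problem back at once. The field names, the 1..100 quantity range, the shipping options and the date format are assumptions for this example.

```java
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationErrorList;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example, not ESAPI or Swingset code: one request's fields validated with the
 * typed getValid* methods into a single ValidationErrorList, after the parameter set
 * itself has been checked. Field names, ranges and options are assumptions.
 */
public class OrderFormValidation {

    private static final Set<String> REQUIRED = new HashSet<>(Arrays.asList("quantity", "shipping"));
    private static final Set<String> OPTIONAL = new HashSet<>(Arrays.asList("deliveryDate"));
    private static final List<String> SHIPPING_OPTIONS = Arrays.asList("standard", "express");

    /** Plain holder for the validated, typed values. */
    static final class Order {
        int quantity;
        String shipping;
        Date deliveryDate; // null when the optional field was omitted
    }

    /**
     * Returns the typed order, or null with the reasons in errors. An IntrusionException
     * (unchecked) is thrown when input is clearly an attack; let it propagate so that
     * ESAPI's intrusion detector records the event.
     */
    static Order validate(HttpServletRequest req, HttpServletResponse resp, ValidationErrorList errors) {
        // The assertIsValidHTTPRequest* methods read the "current" request, which the
        // application must register with ESAPI first (normally done once in a filter).
        ESAPI.httpUtilities().setCurrentHTTP(req, resp);
        try {
            ESAPI.validator().assertIsValidHTTPRequestParameterSet("order", REQUIRED, OPTIONAL);
        } catch (ValidationException e) {
            errors.addError("order", e);
            return null; // unexpected parameter names: stop before looking at any value
        }

        // Each errorList variant adds its failure to the same list and returns instead of
        // throwing, so all three checks run and every problem is reported together.
        Integer qty = ESAPI.validator().getValidInteger(
                "quantity", req.getParameter("quantity"), 1, 100, false, errors);
        String shipping = ESAPI.validator().getValidListItem(
                "shipping", req.getParameter("shipping"), SHIPPING_OPTIONS, errors);
        DateFormat iso = new SimpleDateFormat("yyyy-MM-dd");
        iso.setLenient(false); // "2024-02-31" must fail rather than roll over into March
        Date when = ESAPI.validator().getValidDate(
                "deliveryDate", req.getParameter("deliveryDate"), iso, true, errors);

        if (!errors.isEmpty()) {
            return null;
        }
        Order order = new Order();
        order.quantity = qty;        // non-null here: allowNull was false and no error was recorded
        order.shipping = shipping;
        order.deliveryDate = when;   // may be null: the field is optional
        return order;
    }

    /** Formats the error list for a response body: user messages only, never the raw input. */
    static String describe(ValidationErrorList errors) {
        StringBuilder sb = new StringBuilder();
        for (ValidationException e : errors.errors()) {
            sb.append(e.getContext()).append(": ")
              .append(ESAPI.encoder().encodeForHTML(e.getUserMessage())).append('\n');
        }
        return sb.toString();
    }
}
```

The parameter-set check runs first because it answers a different question from the field checks: a request carrying a parameter name the form never defined is a sign of tampering with the form itself, and there is no point validating values until that has been ruled out. getValidListItem is the right tool for the shipping field since the accepted values are a fixed set; matching against the list after canonicalization is stricter than any character whitelist.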
OWASP Enterprise Security API Project