One of my REST APIs has a query parameter named "partners", a list of integers, so multiple values can be specified in the URL. To prevent XSS attacks, I strip out malicious content in the input using ESAPI. Here is the problem:
I noticed that the ESAPI encoder's canonicalize method (which uses the default codecs: HTMLEntityCodec, PercentCodec, JavaScriptCodec) changes the query parameter values, because it thinks `&p` or `&pa` is some kind of encoding. See the examples below.
Something like
http://localhost:8080/product?partner=1
works as expected.
On the other hand, something like
http://localhost:8080/product/?pidentity=1&pidentity=2
after canonicalizing becomes
`pidentity=1πdentity=2`
which the framework has trouble parsing, since it now sees 1 query parameter instead of 2.
If the request URL is
http://localhost:8080/product?partner=1&partner=2
the input after canonicalizing becomes
`partner=1∂rtner=2`
so `&pa` is changed to '∂'.
As you can guess, I tried changing the name of the query param, and it worked fine (probably because there is no corresponding encoding). Has anyone seen this before, or can you guide me on what must be causing such behavior? This may sound inexperienced, but in order to ensure prevention of XSS attacks, I am not sure whether I should try removing codecs from the default encoder.
The approach you are using is what I refer to as the "big hammer" approach: attempting to encode the entire URL, as opposed to encoding only the untrusted or tainted data being supplied by the untrusted source (i.e., the user).
The best approach is to encode the values of each parameter individually rather than attempting to encode the entire parameter string as a single piece of data. The primary purpose of output encoding is to eliminate the possibility of the user breaking out of the "data" context and into the "control" context of the data they are providing.
In your example, the string `partner=1&partner=2` looks to the parser like
**partner=**_1_**&partner=**_2_
(where bold is control and italic is data). You want to encode only the data context of the string, since the control context is not provided by the untrusted source.
If the user provides the data `1&partner=2`, the encoded string should look like
`partner=1%26partner=2&partner=2`
Another important note here: canonicalization is used to simplify a given string to its base format, so that the encoding in the provided string is decoded and double and mixed encoding attacks cannot be performed.
The short answer to your question is to encode the values of the parameters individually, as opposed to encoding the entire URL parameter string.
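An added example, not part of the answer above and not using ESAPI itself, that makes the per-value approach concrete in Python. Percent-encoding and percent-decoding from `urllib.parse` stand in for the ESAPI encoder and canonicalizer, the `partner` values are constructed sample input, and `=` inside a value is encoded along with `&` (the encoded string shown above only encodes `&`). `parse_query_big_hammer` reproduces the mistake described in the answer: decoding the whole query string before splitting it, so an encoded `&` in user data becomes a real separator.

```python
from urllib.parse import quote, unquote

# Constructed sample input: two values for "partner"; the first is what a
# user could type to try to smuggle an extra parameter into the control context.
UNTRUSTED_VALUES = ["1&partner=2", "2"]


def build_query(pairs):
    """Percent-encode each name and value separately, then join them.

    '&' and '=' inside a *value* are encoded, so they stay data; the '&' and '='
    that join the pairs are written by us and remain control characters.
    """
    return "&".join(f"{quote(n, safe='')}={quote(v, safe='')}" for n, v in pairs)


def parse_query(query):
    """Split on the control characters first, then decode each piece on its own.

    Per-value decoding stands in for per-value canonicalization: the separators
    are consumed before any decoding happens, so decoded text can never create
    or destroy a separator.
    """
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        params.setdefault(unquote(name), []).append(unquote(value))
    return params


def parse_query_big_hammer(query):
    """The anti-pattern from the question: decode the whole query string first.

    Any encoded '&' or '=' in a value becomes a real separator before the
    split, so user data ends up in the control context.
    """
    params = {}
    for part in unquote(query).split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        params.setdefault(name, []).append(value)
    return params


def partner_ids(params):
    """Validate the 'partner' values after per-value decoding: digits only."""
    ids = []
    for value in params.get("partner", []):
        if not value.isdigit():
            raise ValueError(f"partner id is not an integer: {value!r}")
        ids.append(int(value))
    return ids


if __name__ == "__main__":
    query = build_query([("partner", v) for v in UNTRUSTED_VALUES])
    print(query)                          # partner=1%26partner%3D2&partner=2
    print(parse_query(query))             # {'partner': ['1&partner=2', '2']}
    print(parse_query_big_hammer(query))  # {'partner': ['1', '2', '2']}
    try:
        partner_ids(parse_query(query))
    except ValueError as exc:
        print("rejected:", exc)
    print(partner_ids(parse_query("partner=1&partner=2")))  # [1, 2]
```

The two parsers are fed the same string. Splitting first keeps the smuggled `&partner=2` inside the first value, where the integer check rejects it; decoding first turns it into a third parameter that passes validation as `2`. The same ordering rule applies when the decoder is ESAPI's canonicalizer: canonicalize and validate each value after the framework has split the query string, never the raw query string as a whole.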