esapi / owasp-esapi-js Goto Github PK

Please review your coding style:
destructivity, security, performance and JavaScript language quality
of your own code.

Please see this for short teaser;-)
http://ainthek.blogspot.com/2010/08/interesting-project-owasp-esapi-js.html

Sorry to post directly here, but none of you have public mail here....

What steps will reproduce the problem?
1. Reference esapi related libraries in the existing html.
   <script type="text/javascript" language="JavaScript" src="../esapi4js/lib/log4js.js"></script>
<script type="text/javascript" language="JavaScript" 
src="../esapi4js/esapi.js"></script>
<script type="text/javascript" language="JavaScript" 
src="../esapi4js/resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
<script type="text/javascript" language="JavaScript" 
src="../esapi4js/resources/Base.esapi.properties.js">

2. Open the html file using firefox browser.
3. The browser hangs for sometime and displays the following message: 
"Unresponsive script: A script on this page might be busy, or may have stopped 
responding"
4. If the esapi references are removed, the browser launches fine.

What is the expected output? What do you see instead?
The expected output is that the browser should launch fine after integration 
with esapi. Instead the script becomes unresponsive.

What version of the product are you using? On what operating system?
Browser: Mozilla Firefox 22.0
OS: Windows 7


Please provide any additional information below.

What is the expected output? What do you see instead?
The canonicalize method is spelled wrong. It appears as 
"cananicalize: function(sInput, bStrict)"

What version of the product are you using? On what operating system?
This appears in trunk and in version 0.1.3
Link to file:
http://code.google.com/p/owasp-esapi-js/source/browse/trunk/src/main/javascript/
org/owasp/esapi/reference/encoding/DefaultEncoder.js

This needs to be corrected as usage of this library increases. Worst case, 
leave it spelled incorrectly and have it call the one that is spelled correctly.

I am using the below code to check the passing URL is valid or not.
Its giving true irrespective of the input I pass.Please let me know ,I am doing 
anything wrong.Attached in the jsp file contains the code.
What steps will reproduce the problem?
1. Please use the JSP file attached herewith to reproduce the issue.
2.
3.

What is the expected output? What do you see instead?
true or false depends on the input gets passed.

What version of the product are you using? On what operating system?
esapi4j-0.1.3 ,Windows 7 64 bit


Please provide any additional information below.
For Ex : I am passing input as <script>alert(1);</script>. The isValidInput fn 
returning true 

The XHR API is capable of making Cross domain calls now thanks to HTML5. There 
are applications that include user controlled data as the request URL in 
XHR.open().

This was assumed to be safe because this value could only be set to file hosted 
on the same domain. But with HTML5 this value can be set to file on an attacker 
controlled domain.
Real life example on touch.facebook.com: http://m-austin.com/blog/?p=19

Server-side ESAPI provides secure equivalent of the request and response 
object. Similarly ESAPI4JS can provide a secure equivalent of XMLHttpRequest 
object by turning off support of COR by default(a little similar to this - 
http://myappsecurity.blogspot.com/2007/01/ajax-sniffer-prrof-of-concept.html).

A new property can be added to the extended XHR API called 'cor'. Only if this 
flag is set would Cross Domain Requests be allowed. As explained towards the 
end of this post - 
http://blog.andlabs.org/2010/08/xssing-client-side-dynamic-html.html

Ideally this change must be made to the underlying API itself but until then 
ESAPI4JS can fill the gap I guess.

What steps will reproduce the problem?
1. decodeForHTML returns same character for Ù and ù  This is true 
for all named entities with upper/lower case versions. 

What is the expected output? What do you see instead?

Ù should return upper case U with accent, and ù should return 
lower case u with accent.

What version of the product are you using? On what operating system?

Latest version on Linux.

Please provide any additional information below.

In HTMLEntityCodec.js, you should probably not do a case insensitive look-up at 
the end of the getNamedEntity function.

Thanks!

 esapi.validator().isValidInteger("Integer", 500, false, 1, 99);

Implement a security control for ensuring that only intended documents have
access to the DataTransferObject during a drag operation by providing a
wrapped implementation. For information see the following link.

http://www.w3.org/TR/html5/editing.html#security-risks-in-the-drag-and-drop-mode
l

In comments, discuss possible mitigation of MiTM and XSS risks associated
with the new HTML Drag and Drop functionality.

What steps will reproduce the problem?
1.  encodeForURL doesn't URL encode certain special characters such as * @ - _ 
+ . /

What is the expected output? What do you see instead?
The above characters should be URL encoded.


What version of the product are you using? On what operating system?
Latest version on Linux.

Please provide any additional information below.

Looks like in DefaultEncoder.js, the encodeForURL/decodeForURL it is calling 
escape()/unescape().  It should probably call 
encodeURIComponent()/decodeURIComponent() instead.

Input: Message <script>alert("JS XSS ARRRHHH")</script> 1
Encoded: Message &lt;script&gt;alert("JS XSS ARRRHHH")&lt;/script&gt; 1
Decoded: Message <script>alert40"JS XSS ARRRHHH"41<47script> 1

in esapi.js, line 1113
entityToCharacterMap["&image"]           = "8365";  /* 8465 : black-letter 
capital i */

should be changed to 

entityToCharacterMap["&image"]           = "8465";  /* 8465 : black-letter 
capital i */

8365->8465

Create an AjaxLoader mechanism with security controls for securely loading
and executing scripts dynamically.

Drew this is a placeholder for the ESAPI4JS JQuery Plugin.

What steps will reproduce the problem?
1. Initialize org.owasp.esapi.ESAPI.initialize();
2. see the out put of 
$ESAPI.encoder().encodeForHTML("<script>alert('123');</script>");
output:- 
"&lt;script&gt;alert&#x28;&#x27;123&#x27;&#x29;&#x3b;&lt;&#x2f;script&gt;"
3. See the out of decodeForHTML 
$ESAPI.encoder().decodeForHTML("&lt;script&gt;alert&#x28;&#x27;123&#x27;&#x29;&#
x3b;&lt;&#x2f;script&gt;");
output:- "<script>alert4039123394159<47script>"

What is the expected output? What do you see instead?
Actual output:- "<script>alert4039123394159<47script>"
Expected :- "<script>alert('123');</script>"

What version of the product are you using? On what operating system?
Version:- esapi4js-0.1.3
OS:- Mac

Please provide any additional information below.
I have fix this issue, 
Solution:- In org.owasp.esapi.codecs.HTMLEntityCodec, the function parseNumber 
and parseHex returning number directly(return parseInt(out);). it should return 
char code(return String.fromCharCode(parseInt(out));).
Below are the function i have modified (see //Commented to fix esapi bug)

var parseNumber = function(input) {
        var out = '';
        while (input.hasNext()) {
            var c = input.peek();
            if (c.match(/[0-9]/)) {
                out += c;
                input.next();
            } else if (c == ';') {
                input.next();
                break;
            } else {
                break;
            }
        }

        try {
            return String.fromCharCode(parseInt(out));
            //Commented to fix esapi bug
            //return parseInt(out);
        } catch (e) {
            return null;
        }
    };

    var parseHex = function(input) {
        var out = '';
        while (input.hasNext()) {
            var c = input.peek();
            if (c.match(/[0-9A-Fa-f]/)) {
                out += c;
                input.next();
            } else if (c == ';') {
                input.next();
                break;
            } else {
                break;
            }
        }
        try {
            return String.fromCharCode(parseInt(out, 16));
            //Commented to fix esapi bug
            //return parseInt(out, 16);
        } catch (e) {
            return null;
        }
    };

I have fixed this issue in esapi.js and using it for my project.

Thanks
Bikesh Kumar

What steps will reproduce the problem?
1. $ESAPI.validator().getValidInput("test", "[email protected]", "Email", 50, 
true);
2.
3.

What is the expected output? What do you see instead?
Expected : "[email protected]"
seen : null

What version of the product are you using? On what operating system?
esapi4js-0.1.3

Please provide any additional information below.
a couple of issues I encountered while trying to debug:
checkEmpty function returns null or nothing. as a result the following line in 
getValidInput always returns null.


            if ( checkEmpty( sContext, sInput ) == null ) {
                return null;
            }

if I fix this, I still run into an exception in checkWhitelist. Seems like it 
is throwing an error IF the input matches the expression. 

if(sInput.match(p)) {
...
}

should it be if(!sInput.match(p)){}

?

if the Object.lock and/or Object.seal methods are implemented, use them to
lock down the current ESAPI implementation.

http://www.w3.org/TR/html5/editing.html#editing-apis

Discuss in comments. Create additional issues for discovered risks

What steps will reproduce the problem?
Follow the steps in the getting started guide and copy the JS code sample as is

What is the expected output? 
ESAPI methods work.

What do you see instead?
JS Errors

What version of the product are you using? On what operating system?
ESAPI4JS 1.3  on Firefox 23 linux 32 bit.

Please provide any additional information below.
The order that the JS libraries load is significant.  The sample code in the 
getting started guide should be:

<!-- esapi4js dependencies -->
    <script type="text/javascript" language="JavaScript" src="scripts/esapi4js/lib/log4js.js"></script>
    <!-- esapi4js core -->
    <script type="text/javascript" language="JavaScript" src="scripts/esapi4js/esapi.js"></script>
    <!-- esapi4js i18n resources -->
    <script type="text/javascript" language="JavaScript" src="scripts/esapi4js/resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
    <!-- esapi4js configuration -->
    <script type="text/javascript" language="JavaScript" src="scripts/esapi4js/resources/Base.esapi.properties.js"></script>

Investigate a way to implement a factory mechanism to create sandboxed
iframes to simplify the problem of loading potentially untrusted content
into a page (read widgets, microapps, etc.)

Ideally this would be accessed via the Locator like
<script type="text/javascript">
var untrustedWidget = false;
with( $ESAPI.domUtilities() ) {
   untrustedWidget = this.contentFactory.createIFrame({
      id: 'untrusted-widget',
      src: 'http://www.untrusted.com/widget',
      sandboxAttributes: [ 
         this.Sandbox.ALLOW_SAME_ORIGIN 
      ]
   });
};
$ESAPI.select( 'untrusted-widget-container' ).appendChild( untrustedWidget );
</script>

The implementation of the createIFrame method would use the sandbox
attribute of IFrame if supported by the user-agent, and if not create a
IFrame Javascript sandbox using a third party library or by preloading the
content of the page, and wrapping any javascript executed in the frame in
the context of a with() block that provides a limited subset of the
javascript API (whitelist and blacklist) 

There is a great deal of documentation around IFrame Sandboxing in the
HTML5 Specification 

http://dev.w3.org/html5/spec/Overview.html#attr-iframe-sandbox

esapi4js-0.1.3\src\test\javascript\testCore.html

references dist directory which is not part of downloaded package ! 

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>

<!-- esapi4js dependencies -->
 <script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/lib/log4js.js"></script>
 <!-- esapi4js core -->
 <script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/esapi.js"></script>
 <!-- esapi4js i18n resources -->
 <script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
 <!-- esapi4js configuration -->
 <script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/Base.esapi.properties.js"></script>

 <script type="text/javascript" language="JavaScript">
 Base.esapi.properties.logging['ApplicationLogger'] = {
 Level: org.owasp.esapi.Logger.ALL,
 Appenders: [ new Log4js.ConsoleAppender() ],
 LogUrl: true,
 LogApplicationName: true,
 EncodingRequired: true
 };

 Base.esapi.properties.application.Name = "My Application v1.0";
 org.owasp.esapi.ESAPI.initialize();
 $ESAPI.logger('ApplicationLogger').info(org.owasp.esapi.Logger.EventType.
 EVENT_SUCCESS, 'This is a test message');
 document.writeln( $ESAPI.encoder().encodeForHTML("<a href=\"http://owaspesapi-js.googlecode.com\">Check out esapi4js</a>"));


 var validateCreditCard = function() {
 alert($ESAPI.validator().isValidCreditCard($('CreditCard').value));
  //allow.html5.validation: true;
 //return $ESAPI.validator().isValidCreditCard( $('CreditCard').value);
 }
  </script>

</head>
<body>
<form name="user-profile-form" method="post" id="user-profile-form" action="" 
onsubmit="return validateCreditCard();" >
<span>credit Card: </span><input name="CreditCard" type="text" 
class="inputarea" id="CreditCard" maxlength="100"/>
<input  type="submit" name="submit" id="submit"  value="submit"/>
</form>
</body>
</html>



This code not working. Pls post your how to change the working code.