Small Java project with a single class to showcase how OWASP ESAPI can be used for input validation.
Here the input is read from a JSON file, which stands in for the JSON request a web application would receive at runtime.
1. The project is Maven-based, so the pom.xml is as shown below.
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>InputValidation</groupId>
  <artifactId>InputValidation</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <build>
    <sourceDirectory>src</sourceDirectory>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.1</version>
        <configuration>
          <source>1.7</source>
          <target>1.7</target>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>1.9</version>
    </dependency>
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.0_rc9</version>
    </dependency>
    <dependency>
      <groupId>com.googlecode.json-simple</groupId>
      <artifactId>json-simple</artifactId>
      <version>1.1</version>
    </dependency>
  </dependencies>
</project>
2. In order to set the regex patterns ESAPI validates against, it is required to supply ESAPI.properties and Validation.properties, which can be found at the locations below:
https://svn.apache.org/repos/asf/ofbiz/tags/REL-12.04.02/framework/base/config/ESAPI.properties
https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.6/src/main/resources/validation.properties
Note that we need to place these in the project's resource folder, with the same names.
We can change these files as per our need.
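For reference, this is the shape of the entries the Validator reads from validation.properties (an added illustration, not a copy of the linked file). The name after the Validator. prefix is what is passed as the type argument of isValidInput; SafeString is the rule the program below uses, with the regex exactly as it is printed in the output further down, while UserId is an assumed, tighter rule added here only to show how a custom one would be declared.

```properties
# Added example (not the post's own file): whitelist rules that ESAPI's Validator
# looks up by name in validation.properties.
# "SafeString" is the rule used by the program in this post (regex as printed in
# its output); "UserId" is an assumed, tighter rule for a user-id field.
# Backslashes are doubled because this is a Java properties file.
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
Validator.UserId=^[a-zA-Z0-9_]{3,20}$
```

With the UserId rule in place, a call such as isValidInput("userInput", value, "UserId", 20, false) would reject anything that is not 3 to 20 word characters, which is a much narrower whitelist than SafeString for a field that is only ever an identifier.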
3. The simple JSON input fed to the program has the content below.
{
  "userId": "select * from dual"
}
4. The Java program that validates this JSON input through the OWASP ESAPI API is below.
package com.valid;

import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;

import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;

public class StringValidation {

    // Location of the JSON file that stands in for the incoming request
    private static final String filePath = "E:\\Abhishek\\Imp\\testjson.json";

    public StringValidation() {
    }

    public static void main(String[] args) throws IOException {
        String luserId = null;
        try {
            // Parse the JSON file and pull out the "userId" field
            FileReader reader = new FileReader(filePath);
            JSONParser jsonParser = new JSONParser();
            JSONObject jsonObject = (JSONObject) jsonParser.parse(reader);
            luserId = (String) jsonObject.get("userId");
        } catch (FileNotFoundException ex) {
            ex.printStackTrace();
        } catch (IOException ex) {
            ex.printStackTrace();
        } catch (ParseException ex) {
            ex.printStackTrace();
        } catch (NullPointerException ex) {
            ex.printStackTrace();
        }

        // Check the value against the "SafeString" whitelist rule from
        // validation.properties, with a maximum length of 100 and null not allowed
        Validator lvalidator = ESAPI.validator();
        boolean lstatus = lvalidator.isValidInput("userInput", luserId, "SafeString", 100, false);
        if (lstatus) {
            System.out.println("Proceed");
        } else {
            System.out.println("Something Fishy");
        }
    }
}
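The program above checks one field and gets back only a boolean. A real request usually carries several fields, and for diagnosing a rejected request it helps to know which field failed and why. The following is an added example (not the post's own code and not part of the ESAPI project) that validates every expected field of a constructed JSON request against the same SafeString rule and collects all failures in an ESAPI ValidationErrorList; it assumes the same ESAPI.properties and validation.properties setup as the post, and the class name RequestValidation, the sample request and the field list are all constructed here.

```java
package com.valid;

import java.util.Arrays;
import java.util.List;

import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example (not the original post's code): validates every expected field of
 * a JSON request against the ESAPI "SafeString" whitelist rule and collects all
 * failures in a ValidationErrorList instead of stopping at the first one.
 * Assumes the same ESAPI.properties / validation.properties setup as the post.
 */
public class RequestValidation {

    // Constructed sample request: one clean field, one carrying SQL text.
    private static final String SAMPLE_REQUEST =
        "{\"userId\":\"select * from dual\",\"displayName\":\"Abhishek K\"}";

    // Fields this endpoint accepts; anything else in the request is ignored.
    private static final List<String> EXPECTED_FIELDS =
        Arrays.asList("userId", "displayName");

    /**
     * Returns the validation errors for the request; an empty list means every
     * expected field passed the SafeString rule.
     */
    public static ValidationErrorList validateRequest(String json) throws ParseException {
        JSONObject request = (JSONObject) new JSONParser().parse(json);
        Validator validator = ESAPI.validator();
        ValidationErrorList errors = new ValidationErrorList();

        for (String field : EXPECTED_FIELDS) {
            Object raw = request.get(field);
            String value = (raw == null) ? null : raw.toString();
            // getValidInput canonicalizes the value, checks the maximum length and the
            // whitelist regex, and records a ValidationException in 'errors' (keyed by
            // the context, here the field name) on failure; allowNull=false makes a
            // missing field an error as well.
            validator.getValidInput(field, value, "SafeString", 100, false, errors);
        }
        return errors;
    }

    public static void main(String[] args) throws ParseException {
        ValidationErrorList errors = validateRequest(SAMPLE_REQUEST);
        if (errors.isEmpty()) {
            System.out.println("Proceed");
            return;
        }
        // Report each failing field; the user message names the context and the
        // expected regex, so the caller can see which field was rejected.
        for (ValidationException e : errors.errors()) {
            System.out.println("Rejected " + e.getContext() + ": " + e.getUserMessage());
        }
    }
}
```

With the sample request, displayName passes and userId is rejected because the asterisk is outside the SafeString character class, so the program prints one "Rejected userId: ..." line and ESAPI logs the same security-failure warning seen in the output below. Using getValidInput with a ValidationErrorList rather than isValidInput keeps the whole request's result in one place, which is what a web handler needs in order to return a single error response.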
5. The output for the above code is as below.
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Found in 'user.home' directory: C:\Users\..\esapi\ESAPI.properties
Loaded 'ESAPI.properties' properties file
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Found in 'user.home' directory: C:\Users\..\esapi\validation.properties
Loaded 'validation.properties' properties file
Dec 02, 2014 2:09:49 PM org.owasp.esapi.reference.JavaLogFactory$JavaLogger log
WARNING: [SECURITY FAILURE Anonymous:null@unknown -> /DefaultName/IntrusionDetector] Invalid input: context=userInput, type(SafeString)=^[.\p{Alnum}\p{Space}]{0,1024}$, input=select * from dual
org.owasp.esapi.errors.ValidationException: userInput: Invalid input. Please conform to regex ^[.\p{Alnum}\p{Space}]{0,1024}$ with a maximum length of 100
    at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:144)
    at org.owasp.esapi.reference.validation.StringValidationRule.checkWhitelist(StringValidationRule.java:160)
    at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:284)
    at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:214)
    at org.owasp.esapi.reference.DefaultValidator.isValidInput(DefaultValidator.java:152)
    at org.owasp.esapi.reference.DefaultValidator.isValidInput(DefaultValidator.java:143)
    at com.valid.StringValidation.main(StringValidation.java:53)
SecurityConfiguration for ESAPI.Authenticator not found in ESAPI.properties. Using default: org.owasp.esapi.reference.FileBasedAuthenticator
Something Fishy
So in this way we validated a malformed user input: the SafeString rule is a whitelist that permits only alphanumerics, whitespace and dots, so the asterisk in "select * from dual" fails the regex, ESAPI logs a security failure through its intrusion detector, and the program refuses to proceed.
Nice Article. Sweet and Short.
If possible, please update the links for the Validation.properties and ESAPI.properties files.
(Could not find the properties files in the Google Code repo, so it's best if an example can be put up with all the available options.)
Thanks Sagar.
Please find the properties files at the locations below:
https://svn.apache.org/repos/asf/ofbiz/tags/REL-12.04.02/framework/base/config/ESAPI.properties
https://svn.apache.org/repos/asf/sling/tags/org.apache.sling.xss-1.0.6/src/main/resources/validation.properties