Circumventing OWASP ESAPI for PHP


28-03-2012 00:00 - Zdroj: php.vrana.cz
Enterprise Security API – what a name! You should expect writing “enterprise level” applications with it. Let's start with the code: <?php require_once dirname(__FILE__) . "/ESAPI/src/ESAPI.php"; require_once dirname(__FILE__) . "/ESAPI/src/codecs/HTMLEntityCodec.php"; new ESAPI("ESAPI.xml"); $html = new HTMLEntityCodec; echo $html->encode(array(), "Test."); // prints: Test&#x2e; ?> Maybe you wonder what the line new ESAPI("ESAPI.xml") is good for when the created object is not used anywhere? Well, it specifies a configuration which is used as a global variable in the rest of the library. The application just fatals without it. The method encode has an unusual API: The string to be escaped is passed as the second argument while the first argument is an array of “safe characters”. So the library allows you to shoot you in the foot very easily: <?php echo $html->encode(range('!', '?'), ""); // prints: ?> What's the default behavior? Basically encoding all non-alphanumeric characters, even those with absolutely no special meaning in HTML. So you can tell the HTMLEntityCodec: Don't touch characters with a special meaning in HTML but encode everything else: <?php echo $html->encode(array('<', '&', '"', '>'), "<b>Bold."); // prints: <b>Bold&#x2e; ?> Very useful! Circumventing the library Create a file named Codec.php anywhere in your include_path or in the working directory: <?php class Codec { function __construct() { } function encode($foo, $s) { return $s; } } ?> Now run the code from the beginning of this article. What happens? The library works as expected, no warning is issued. The only difference is that no characters are suddenly encoded: <?php echo $html->encode(array(), ""); // ... - Pokračovat...
addthis





Poslední příspěvky z blogu:
php.vrana.cz



Zašlete svůj blog
Požadavky na Blog
Ochrana osobních údajů
Kontakty

This site uses Thumbshots previews