esapi

NoClassDefFoundError encountered while fixing CRLF sequence in HttpHeader

半腔热情 submitted on 2021-02-11 12:19:02
Question: After performing a Veracode scan on my code, a flaw was reported saying "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting' - CWE ID 113)" on the below code. public void writeCookies() { for (final Cookie cookie : cookies) { super.addCookie(cookie); } } The flaw code reported is super.addCookie(cookie). To fix this I added the below code: public void writeCookies() { for (final Cookie cookie : cookies) { cookie.setSecure(true); ESAPI.httpUtilities().addCookie((

ColdFusion doing OWASP esapi via Java

假装没事ソ submitted on 2021-01-28 02:26:57
Question: I have some old ColdFusion code. It was originally written for CF9, but is now running on CF 2016. application.cfc: local.esapi = createObject("java", "org.owasp.esapi.ESAPI"); application.esapiEncoder = local.esapi.encoder() Much later, on a regular page: form.Reason = application.esapiEncoder.encodeForHtml(form.Reason); I am thinking of replacing this with form.Reason = encodeForHTML(form.Reason); Do these function the same? Answer 1: Yes, the encodeForX() functions use OWASP's ESAPI behind the

On ESAPI Log Events

青春壹個敷衍的年華 submitted on 2020-02-25 07:21:08
Question: Hi, can anyone help me, as I am new to this concept? ESAPI has given 6 log events: SECURITY_SUCCESS, SECURITY_FAILURE, SECURITY_AUDIT, EVENT_SUCCESS, EVENT_FAILURE, EVENT_UNSPECIFIED. What do these events do? I googled but I didn't get anywhere. Please help me to understand this concept or suggest me some websites. Answer 1: Hmm... I didn't have the same problems finding the answer with Google. Did you read the JavaDoc? Source: https://stackoverflow.com/questions/46604009/on-esapi-log-events

Configure ESAPI Security Encoding Library to prevent XSS Cross-site scripting issue

♀尐吖头ヾ submitted on 2020-01-15 17:54:40
Question: I am trying to use ESAPI for security encoding in a webapp (JSPs) to prevent XSS. I added esapi-2.1.0.jar under WEB-INF/lib and added the below line in the JSP for encoding: ESAPI.encoder().encodeForHTML(request.getParameter("")) But I get an exception as below: org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail. org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439) I understand the problem is

OWASP-ESAPI logger help needed

自作多情 submitted on 2020-01-13 03:57:47
Question: In my current project I am using Maven and Spring. I am currently using the SLF4J logger for logging services. In place of that I want to use the OWASP-ESAPI logger. I don't want to use OWASP-ESAPI security, just the log services. Can anybody please guide me on how to use the OWASP-ESAPI logger by replacing the slf4j logger with minimum effort? I tried a lot of Google searches but nothing helps. I would really appreciate some links to gain knowledge about the OWASP-ESAPI logger as well. Answer 1: Refactoring your code to

I am getting Cross-Site Scripting: Poor Validation on a struts call to a bean class

放肆的年华 submitted on 2020-01-07 03:19:07
Question: I scanned my application in HP Fortify and am getting an issue: Cross-Site Scripting: Poor Validation. I am using the ESAPI library. I am getting this finding on a Struts application. <%@ taglib prefix="s" uri="/struts-tags" %> <form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'> public String printApplications() throws IOException, ServletException { request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean); } What would be the proper syntax to use