
I'm trying to use ESAPI (https://owasp.org/www-project-enterprise-security-api/).

But when I try the test code below:

    import org.owasp.esapi.ESAPI;

    // Smoke test: encode an untrusted string for an HTML body context
    try {
        System.out.println("ESAPI TEST:" + ESAPI.encoder().encodeForHTML("<a href='sdfs'></a> < script > alert(); </ script >"));
    } catch (Exception e) {
        // Prints only e.toString(); the wrapped cause and stack trace are not shown
        System.out.println("ESAPI TEST exp:" + e);
    }

the code always shows the error below:

System property [org.owasp.esapi.opsteam] is not set
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Found in 'org.owasp.esapi.resources' directory: /Users/myname/Documents/james/project/WebWorkspace/WebProject/src/main/resources/ESAPI.properties
System property [org.owasp.esapi.devteam] is not set
Loaded 'ESAPI.properties' properties file
SecurityConfiguration for Validator.ConfigurationFile.MultiValued not found in ESAPI.properties. Using default: false
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Found in 'org.owasp.esapi.resources' directory: /Users/myname/Documents/james/project/WebWorkspace/WebProject/src/main/resources/validation.properties
Loaded 'validation.properties' properties file
ESAPI TEST exp:org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.

I have put ESAPI.properties and validation.properties in the resources folder.

And I set this in the Run configuration's VM arguments panel:

Dorg.owasp.esapi.resources="/Users/myname/Documents/james/project/WebWorkspace/WebProject/src/main/resources"

Can anyone give me a hand and tell me how to set up ESAPI? What is wrong in my setting?

Thank you very much.

dickfala
  • The only obvious thing is that 'Dorg.owasp.esapi.resources=' should be '-Dorg.owasp.esapi.resources=' – avgvstvs Sep 08 '21 at 05:36
  • If that's what's actually happening, what do you mean by "VM arguments panel?" – avgvstvs Sep 08 '21 at 05:37
  • Thank you. I have updated to the latest ESAPI version, and it can work now. – dickfala Sep 08 '21 at 07:22
  • It *is* finding the ESAPI.properties file and the validation.properties file in /Users/myname/Documents/james/project/WebWorkspace/WebProject/src/main/resources/, which I think is what you expected. Looks like you already found the problems (probably the ESAPI.Logger property if you had been using an older ESAPI), but next time please show us the full exception stack trace. – Kevin W. Wall Sep 08 '21 at 13:38
  • What I wrote is the full exception message, thank you @KevinW.Wall – dickfala Sep 08 '21 at 13:41
  • So I think this is a duplicate and this is related to ESAPI logging: https://stackoverflow.com/q/68305702/557153 <-- That question/Answer should get you in the right ballpark. – avgvstvs Sep 10 '21 at 04:32
  • @dickfala - I think you misunderstand what I was asking for. Your catch block only does ```System.out.println("ESAPI TEST exp:"+e);```. I want to see ```e.printStackTrace(System.out)```. – Kevin W. Wall Sep 11 '21 at 03:21
  • @KevinW.Wall OK, thanks! – dickfala Sep 11 '21 at 08:38
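The two points raised in the comments, the missing `-D` on the VM argument and the need to print the full exception chain rather than `e.toString()`, come together in the following added example. It is not the asker's code or part of ESAPI; the class name `EsapiSmokeTest` is an assumption, the resources path is the one from the question, and it assumes the ESAPI jar and its dependencies are on the classpath. Since `ConfigurationException` wraps an `InvocationTargetException` whose `getCause()` is the exception thrown inside the `DefaultEncoder` constructor, walking the cause chain shows the real reason the encoder failed to initialize.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ConfigurationException;

// Added example, not the asker's code. Shows the VM argument spelled with its
// leading "-D", a fallback that sets the property before ESAPI is first used,
// and a catch block that prints the whole cause chain plus the stack trace.
//
// Run (the path is the one from the question; replace it with your own):
//   java -Dorg.owasp.esapi.resources="/Users/myname/Documents/james/project/WebWorkspace/WebProject/src/main/resources" \
//        -cp esapi.jar:. EsapiSmokeTest
// "Dorg.owasp.esapi.resources=..." without the dash is not a system-property
// definition, so ESAPI never sees it.
public class EsapiSmokeTest {

    private static final String RESOURCES_PROPERTY = "org.owasp.esapi.resources";

    public static void main(String[] args) {
        // Fallback: if the -D flag is absent, take the directory from the first
        // program argument. ESAPI reads the property when it first initializes
        // its configuration, so it must be set before the first ESAPI.* call.
        if (System.getProperty(RESOURCES_PROPERTY) == null && args.length > 0) {
            System.setProperty(RESOURCES_PROPERTY, args[0]);
        }
        System.out.println("Using " + RESOURCES_PROPERTY + "="
                + System.getProperty(RESOURCES_PROPERTY));

        // Same untrusted input as in the question; every markup-significant
        // character is entity-encoded for an HTML body context.
        String untrusted = "<a href='sdfs'></a> < script > alert(); </ script >";
        try {
            String encoded = ESAPI.encoder().encodeForHTML(untrusted);
            System.out.println("ESAPI TEST:" + encoded);
        } catch (ConfigurationException e) {
            // e.toString() only shows the outer wrapper. The root cause (for
            // example a logger or codec class that could not be constructed)
            // sits at the end of the getCause() chain.
            System.out.println("ESAPI configuration failed; cause chain:");
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  " + t.getClass().getName() + ": " + t.getMessage());
            }
            e.printStackTrace(System.out);
        }
    }
}
```

When the properties directory is found but the encoder constructor still fails, the last line of the printed cause chain is the one worth reading; the surrounding `ConfigurationException` and `InvocationTargetException` lines are only wrappers.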

0 Answers