Questions tagged [esapi]

The Enterprise Security API (ESAPI) is a library developed by the Open Web Application Security Project (OWASP). It is available for numerous languages with the aim of providing web-security features (input validation, output encoding, encryption, access control and similar) that those languages and their standard APIs lack.

Part of the Open Web Application Security Project. Details are available on the ESAPI homepage. Currently the API is available for:

  • Java
  • .Net
  • Classic ASP
  • PHP
  • ColdFusion and CFML
  • Python
  • JavaScript
307 questions
3 votes, 2 answers

Setting resource directory for ESAPI

Working with OWASP's ESAPI, I found myself stuck at this particular line of code. private static String customDirectory = System.getProperty("org.owasp.esapi.resources"); The code returns null as there is no such system property…
Nelo Angelo
3 votes, 2 answers

OWASP ESAPI - JavaEncryptor can't be found / not in classpath - but ESAPI is working in other functions

I already had problems with the esapi, but at the end it worked... I included the OWASP ESAPI in my pom.xml like this org.owasp.esapi esapi
Joergi
3 votes, 0 answers

Enterprise Security API for C++

We are currently working on an open source project for OWASP, creating a C++ API of enterprise security controls. The Enterprise Security API (ESAPI) has already been defined for Java EE. We are well aware that requirements of security controls for…
Dan
3 votes, 2 answers

ESAPI - Getting ClassNotFoundException with ESAPI 2.2.3.1

My code was working with org.owasp.esapi 2.2.0.0, but after upgrading to 2.2.3.1 I am getting ClassNotFoundException. My code is something like: Properties esapiProps = new Properties(); try { esapiProps.load(…
B. A.
3 votes, 1 answer

Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception

I am trying to run a sample program which encodes using ESAPI. Here is the sample program package hello; import java.io.UnsupportedEncodingException; import org.owasp.esapi.ESAPI; import org.owasp.esapi.Encoder; import…
Adharsh
3 votes, 1 answer

How to write a slf4j logger that adds an esapi filter for all parameters

We use the SLF4J interface, with our logger configuration in the logback.xml file. We have a need to filter all parameters sent to the logger through the esapi html encoding filter. The ugly solution is simply to wrap each parameter with…
David M. Karr
3 votes, 3 answers

How to resolve External Control of File Name or Path (CWE ID 73)

I am working on fixing Veracode issues in my application. Veracode has highlighted the flaw "External Control of File Name or Path (CWE ID 73)" in the code below. Thread.currentThread().getContextClassLoader().getResourceAsStream(lookupName) How do I…
Nicolas
3 votes, 3 answers

Minimum required properties in ESAPI.properties

My web application uses only the following ESAPI encode methods: ESAPI.encoder().encodeForLDAP() ESAPI.encoder().encodeForHTML() In this case, what are the minimum required properties in ESAPI.properties? Now I'm using ESAPI 2.1.0.1 and this…
Kohei TAMURA
3 votes, 3 answers

Where should I locate a common ESAPI.properties file used by multiple wars inside an ear?

I have two modules that will use ESAPI with the same properties files (ESAPI and validation.properties). These modules output to wars that are contained in an ear. I have the properties files inside one of the war files, where they are found at…
davidjmcclelland
3 votes, 3 answers

Migrating log4j from 1 to 2 causing ESAPI errors

I've upgraded my log4j from 1.X to 2.3. The logging works fine. However, I'm using ESAPI and it is giving me errors now. This is my ESAPI import statement: import org.owasp.esapi.ESAPI; This is how I'm using…
AspUser7724
3 votes, 1 answer

Filter out encoded JavaScript content from request

I have a problem where I am trying to cleanse the request content to strip out HTML and javascript if included in the input parameters. This is basically to protect against XSS attacks and the ideal mechanism would be to validate input and encode…
Ash
3 votes, 2 answers

ESAPI for XSS prevention not working

I am working on fixing cross-site scripting issues in our code, mainly in JSPs. Below is the original code //scriptlet code <% String userId = request.getParameter("sid"); ...%> and in the same JSP they have
Pro
3 votes, 1 answer

Java Jersey REST Request Parameter Sanitation

I'm trying to make sure my Jersey request parameters are sanitized. When processing a Jersey GET request, do I need to filter non String types? For example, if the parameter submitted is an integer are both option 1 (getIntData) and option 2…
Voltron
3 votes, 0 answers

ESAPI + Spring MVC

I want to implement the ESAPI in spring-mvc for XSS. We have to use the ESAPI validator API to implement it. The ESAPI property holds the acceptable value for each form field. What should the configuration look like to use the ESAPI within Spring…
3 votes, 1 answer

How to implement the OWASP ESAPI validator with groups of validation attempts in ColdFusion?

I have been playing around with the OWASP ESAPI utilities that are included with ColdFusion 9. ColdFusion's Builtin Enterprise Security API. The encoder utilities are pretty straight forward and I believe I have them working fine. My problem is with…
Miguel-F