esapi

问题 After performing Vera code scan on my code, a flaw was reported saying " Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting - CWE ID 113') on the below code. public void writeCookies() { for (final Cookie cookie : cookies) { super.addCookie(cookie); } The flaw code reported is super.addCookie(cookie). To fix this I added below code public void writeCookies() { for (final Cookie cookie : cookies) { cookie.setSecure(true); ESAPI.httpUtilities().addCookie((

问题 I am have some old ColdFusion code. It was originally written for CF9, but is now running on CF 2016. application.cfc local.esapi = createObject("java", "org.owasp.esapi.ESAPI"); application.esapiEncoder = local.esapi.encoder() Much later Regular page form.Reason = application.esapiEncoder.encodeForHtml(form.Reason); I am thinking of replacing this with form.Reason = encodeForHTML(form.Reason); Do these function the same? 回答1: Yes, the encodeForX() functions use OWASP's ESAPI behind the

问题 I am have some old ColdFusion code. It was originally written for CF9, but is now running on CF 2016. application.cfc local.esapi = createObject("java", "org.owasp.esapi.ESAPI"); application.esapiEncoder = local.esapi.encoder() Much later Regular page form.Reason = application.esapiEncoder.encodeForHtml(form.Reason); I am thinking of replacing this with form.Reason = encodeForHTML(form.Reason); Do these function the same? 回答1: Yes, the encodeForX() functions use OWASP's ESAPI behind the

来源： https://stackoverflow.com/questions/36202459/esapi-with-spring-mvc

问题 Hi can anyone help me as I am new to this concept as ESAPI has given 6 log events SECURITY_SUCCESS, SECURITY_FAILURE, SECURITY_AUDIT, EVENT_SUCCESS, EVENT_FAILURE, EVENT_UNSPECIFIED what these events do as I googled but I dint get anywhere please help me to understand this concept or suggest me some websites 回答1: Hmm... I didn't have the same problems finding the answer with google. Did you read the JavaDoc? 来源： https://stackoverflow.com/questions/46604009/on-esapi-log-events

问题 Hi can anyone help me as I am new to this concept as ESAPI has given 6 log events SECURITY_SUCCESS, SECURITY_FAILURE, SECURITY_AUDIT, EVENT_SUCCESS, EVENT_FAILURE, EVENT_UNSPECIFIED what these events do as I googled but I dint get anywhere please help me to understand this concept or suggest me some websites 回答1: Hmm... I didn't have the same problems finding the answer with google. Did you read the JavaDoc? 来源： https://stackoverflow.com/questions/46604009/on-esapi-log-events

问题 Am trying to use ESAPI for security encoding in a webapp (Jsps) to prevent XSS. I added esapi-2.1.0.jar under WEB-INF/lib and added below lines in JSP for encoding ESAPI.encoder().encodeForHTML(request.getParameter("")) But I get an exception as below org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail. org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439) I understand the problem is

问题 Am trying to use ESAPI for security encoding in a webapp (Jsps) to prevent XSS. I added esapi-2.1.0.jar under WEB-INF/lib and added below lines in JSP for encoding ESAPI.encoder().encodeForHTML(request.getParameter("")) But I get an exception as below org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail. org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439) I understand the problem is

问题 In my current project I am using Maven and Spring. I am currently using SLF4J logger for logging services. In place of that I want to use OWASP-ESAPI logger. I don't want to use OWASP-ESAPI security, just the log services. Can anybody please guide me how to use OWASP-ESAPI logger by replacing slf4j logger with minimum efforts ? I tried a lot of google search but nothing helps. I will really appreciate some links to gain knowledge about OWASP-ESAPI logger as well. 回答1: Refactoring your code to

问题 I scanned my application in HP Fortify and getting an issue Cross-Site Scripting: Poor Validation. I am using ESAPI library. I am getting this finding on a Struts application. <%@ taglib prefix="s" uri="/struts-tags" %> <form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'> public String printApplications() throws IOException, ServletException { request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean); } What would be the proper syntax to use