This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Projects Dashboard 2.0/By Alphabetical Order"

From OWASP
Jump to: navigation, search
(Created page with "{{:Template:OWASP_Project_About/Columns}} {{:Projects/OWASP Academy Portal Project | OWASP Project About/Rows}} {{:Projects/OWASP Alchemist Project | OWASP Project About/Rows}}...")
(No difference)

Revision as of 16:35, 19 April 2011

Project Leader(s) Contributor(s)
PROJECT INFO
What does this OWASP project offer you? 		RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Academy Portal Project (home page)
Purpose: Creation of a Portal to offer academic material in usable blocks, lab's, video's and forum.
License: Choose wisely
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases
OWASP Alchemist Project Naveen Rudrappa @ Chandrakanth Reddy Narreddy @ Bishan Singh @ N/A
OWASP Application Security Assessment Standards Project Matteo Michelini @ N/A
OWASP Application Security Program for Manager Matteo Meucci @ Marco Morana @ Giorgio Fedon @ Stefano di Paola @
OWASP Application Security Skills Assessment Neil Smithline @ N/A
OWASP Application Security Verification Standard Project Sahba Kazerooni @ Daniel Cuthbert @ Dave Wichers @ Jeff Williams @ Mike Boberski
OWASP AppSensor Project Michael Coates @ John Melton @ Colin Watson @ Dennis Groves @ Ryan Barnett @ Simon Bennetts August Detlefsen Randy Janida Jim Manico @ Giri Nambari Eric Sheridan Kevin Wall Dennis Groves
OWASP Project Header.jpg

OWASP ASIDE/ESIDE

OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [here].

OWASP ASIDE is led by [Mahmoud Mohammadi] and Bill Chu. Other major contributors include Jun Zhu ,Jing Xie, Heather Richter Lipford, Tyler Thomas, John Melton & Will Stranathan.

We have presented our talk Using Interactive Static Analysis for Early Detection of Software Vulnerabilities at AppSec USA 2012. You can view and download our presentation here.
We have presented our talk Secure Programming Support in IDE at AppSec USA 2011 in Minneapolis. You can view and download our presentation here.

Introduction

ASIDE is an abbreviation for Application Security plugin for Integrated Development Environment. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.

Description

ASIDE currently has three prototype implementations: ASIDE CodeRefactoring for Education, ASIDE CodeAnnotate which consists of two implementations, ASIDE JavaCodeAnnotate and ASIDE PHPCodeAnnotate.

ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code.

ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code.

An older version of ASIDE DEMO shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.

Research Activities

1. Mahmoud Mohammadi, Bill Chu and Heather Richter Lipford, “POSTER : Using Unit Testing to Detect Sanitization Flaws,” in CCS’15: The 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015, Denver, USA

2. Jun Zhu, Bill Chu, Heather Richter Lipford, Tyler Thomas, Mitigating Access Control Vulnerabilities through Interactive Static Analysis , In Proceedings of the 20th ACM Symposium on Access Control Models and Technologies, June 2015, Vienna, Austria

3. Jun Zhu, Jing Xie, and Bill Chu, Supporting Secure Programming in Web Applications through Interactive Static Analysis, In Journal of Advanced Research, Elsevier, December, 2013.

4. Jing Xie, Heather Richter Lipford, and Bill Chu, Evaluating Interactive Support for Secure Programming, In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA

5. Jing Xie, Bill Chu, Heather Richter Lipford, and John T. Melton, ASIDE:IDE Support for Web Application Security, In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA

6. Jing Xie, Heather Richter Lipford, and Bill Chu, Why do programmers make security errors?, In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA

7. Jing Xie, Bill Chu, and Heather Richter Lipford Interactive Support for Secure Software Development, In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain

Relevant Research

8. Heather Richter Lipford, Jing Xie, Bill Chu, etc The Impact of A Structured Application Development Framework on Web Application Security

Licensing

OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


What is ASIDE/ESIDE?

OWASP ASIDE provides:

  • Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code
  • Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices

ESIDE provides:

  • Identification of targeted Java code patterns.
  • Interactive instructional opportunities for students in the IDE.
  • Real-time IDE support for secure code education (Java).

p.s. (Details about ESIDE are described [here].)

Presentation

1. Our talk Using Interactive Static Analysis for Early Detection of Software Vulnerabilities at AppSec USA 2012. You can view and download our presentation.

2. Our talk Secure Programming Support in IDE at AppSec USA 2011 in Minneapolis. You can view and download our presentation.

Project Leaders

[Mahmoud Mohammadi], Bill Chu, Jun Zhu

Related Projects

Openhub

Quick Download

Runnable plugins and installation guidelines

The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from here. You also need to download the complementary logging facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.

The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from here. ASIDE CodeAnnotate is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from here.

New! We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon Eclipse PDT framework, you can download the plugin here. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded here, and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from here. A good PHP open source project you can try the plugin against is Moodle;

Source Code

ASIDE Education with CodeRefactoring: https://github.com/JunZhuSecurity/ASIDE-Education ASIDE PHPCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-PHPCodeAnnotate ASIDE JavaCodeAnnotate: https://github.com/JunZhuSecurity/ASIDE-JavaCodeAnnotate

Email List

Project Email List: https://lists.owasp.org/mailman/listinfo/owasp-aside-project

News and Events

  • [18-19 September 2014] Bill will be hosting a session about ASIDE project at AppSec USA 2014 in Denver!
  • [30 April 2014] ASIDE PHPCodeAnnotate plugin for Eclipse PHP IDE released!
  • [07 December 2013] ASIDE paper titled "Supporting Secure Programming in Web Applications through Interactive Static Analysis" accepted!
  • [10 May 2013] ASIDE Education with CodeRefactoring plugin for Eclipse Java IDE released!
  • [22 October 2012] ASIDE paper titled "Interactive Support for Secure Programming Education" accepted!
  • [September 2012] Bill and Jun delivered ASIDE talk titled "Using Interactive Static Analysis for Early Detection of Software Vulnerabilities" at OWASP AppSec USA in Austin!
  • [8-10 August 2012] Jun gave a poster about ASIDE at USENIX Security 12!
  • [10 May 2012] ASIDE JavaCodeAnnotate plugin for Eclipse Java IDE released!

In Print

N/A

Classifications

New projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

ASIDE project has been continuously under active research, development, and evaluation. Involvement in the development and promotion of ASIDE is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Try ASIDE and email your feedback, comments to the project leaders.
  • Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!

ESIDE

The education branch of ASIDE, named ESIDE (Educational Security in the IDE), is led by Michael Whitney and Heather Richter Lipford. Other major contributors include Bill Chu and [Jun Zhu].

Introduction

ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning the student's IDE into a real-time secure programming instructional resource. This approach capitalizes on the out of class, in the IDE time by providing layered educational opportunities whenever the student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding principles and practices concurrently with the lessons they are learning in their respective courses.

Description

Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns (e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an interactive system that provides a layered educational opportunity. Because students are contextually “in the moment” when the support becomes available, they are more receptive to making the connection between classroom principles and coding practices. A secondary effect is the exponential increase in instructional exposure which has been proven to be successful in other instructional areas. The overall goal of ESIDE is to serve as an effective means to educate students at every level on the principles and practices of secure coding throughout their educational experience. To this end, we have developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates a layered educational intervention based on the targeted code. The first layer is a warning icon that is placed in the left margin of the code editor. Hovering the icon reveals a short message that encourages further interaction. When the student clicks the icon, ESIDE generates a content specific list of educational options. Each of these options are accompanied with a short explanation of the issue at hand. For each generated list, there also exists the option to access an explanation page that provides a more comprehensive explanation of what was discovered, why it is important, and how to integrate the provided principles into coding practices.

A video of an interaction designed for early students can be found at http://www.youtube.com/watch?v=k-FIcrr1ff8

What ESIDE provides?

• Real-time IDE support for secure code education (Java).

• Identification of targeted Java code patterns.

• Interactive instructional opportunities for students in the IDE.

Publications

1. Michael Whitney, Heather Richter Lipford, Bill Chu, and Jun Zhu. Embedding Secure Coding Instruction into the IDE: A Field Study in an Advanced CS Course. In Proceedings of the 46th ACM Technical Symposium on Computer Science Education (SIGCSE '15). ACM, New York, NY, USA, 60-65. DOI=10.1145/2676723.2677280 http://doi.acm.org/10.1145/2676723.2677280

2. Jun Zhu, Heather Richter Lipford, and Bill Chu, Interactive Support for Secure Programming Education, In Proceedings of ACM Technical Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA

Runnable ESIDE Prototype and Installation Guidelines

The recent publicly available ESIDE plugin can be downloaded from here. You also need to download the complementary logging facility to make ESIDE work properly. ESIDE is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.

Open Source Code

The most recent source code of ESIDE can be accessed via https://github.com/witny23/ESIDE.

Priorities and get involved

As of March 17, 2015 the priorities are:

1. Move xml into a database.

2. Create a public repository of customized ESIDE support for specific courses.

Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!

OWASP Browser Security ACID Tests Project Dave Wichers (as coproject manager) @ John Wilander (as coproject manager) @ David Lindsay (as technical lead) @ Isaac Dawson @
OWASP Cloud ‐ 10 Project Vinay Bansal @ Shankar Babu Chebrolu @ Pankaj Telang Ken Huang Ove Hansen Ludovic Petit @
OWASP Code Review Project Larry Conklin @ N/A
OWASP Common Numbering Project Dave Wichers (ASVS) @ Jeff Williams (ASVS) @ Vishal Garg (Development Guide) @ Eoin Keary (Code Review Guide) @ Matteo Meucci (Testing Guide) @ Keith Turpin (Secure Coding Quick Reference) @ Brad Causey (Global Projects Commitee) @ Rick Mitchell
OWASP CTF Project Steven van der Baan @ Martin Knobloch @ Brad Causey @ Ralf Allar @ Andres Riancho @ Danny Chrastil
OWASP Enterprise Application Security Project Alexander Polyakov @ N/A Dmitriy Chastuhin @
OWASP ESAPI Objective - C Project Deepak Subramanian @ N/A
Owasp Esapi Ruby Paolo Perego @ Kuai Hinojosa @ Sal Scotto @ Paco Schiaffella @
OWASP ESAPI Swingset Demo Project Craig Younkins @ N/A
OWASP ESAPI Swingset Interactive Project Fabio Cerullo @ Cathal Courtney @ N/A
OWASP Enhancing Security Options Framework (ESOP Framework) Amber Marfatia @ N/A
OWASP Exams Project Jason Taylor @ N/A
OWASP Forward Exploit Tool Project Marcos Mateos Garcia @ N/A
OWASP German Language Project Matthias Rohr @ N/A
OWASP Hackademic Challenges Project Konstantinos Papapanagiotou @ Spyros Gasteratos @ Andreas Venieris (Core Developer) (Founder) @ Alex Papanikolaou @ Vasileios Vlachos @ Anastasios Stasinopoulos (Founder) @
OWASP Hatkit Datafiddler Project Martin Holst Swende @ N/A
OWASP Hatkit Proxy Project Martin Holst Swende @ N/A
HTMLReg Gareth Heyes @ N/A
OWASP HTTP Post Tool Tom Brenann @ N/A
OWASP JavaScript Sandboxes Gareth Heyes @ Eduardo Vela Mario Heiderich
Incubator big.jpg

OWASP Java Encoder Project

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts (primarily JavaScript) are injected into otherwise trusted web sites. You can read more about Cross Site Scripting here: Cross-site_Scripting_(XSS). One of the primary defenses to stop Cross Site Scripting is a technique called Contextual Output Encoding. WARNING: Please note that XSS prevention requires other defensive strategies besides encoding! For more information, please read about Cross Site Scripting prevention here: XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.

As of September 16, 2018 there are no security issues submitted against this project! https://github.com/OWASP/owasp-java-encoder/issues. We actively track project issues and seek to remediate any issues that arise. The project owners feel this project is stable and ready for production use and are seeking project status promotion.

Introduction

Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. It provides numerous encoding functions to help defend against XSS in a variety of different HTML, JavaScript, XML and CSS contexts.

Quick Overview

The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.2.2.jar, import org.owasp.encoder.Encode and start encoding.

Please look at the javadoc for Encode to see the variety of contexts for which you can encode. Tag libraries and JSP EL functions can be found in the encoder-jsp-1.2.2.jar.

Happy Encoding!

Licensing

The OWASP Java Encoder is free to use under the New BSD License.


What is this?

The OWASP Java Encoder provides:

  • Output Encoding functions to help stop XSS
  • Java 1.5+ standalone library

Important Links

Java Encoder at GitHub
Issue Tracker

Mailing List

Java Encoder Mailing List

Project Leaders

Author: Jeff Ichnowski @
Jim Manico @
Jeremy Long @

Related Projects

Quick Download

News and Events

  • [14 September 2018] 1.2.2 Released!
  • [19 February 2017] 1.2.1 Released!
  • [11 June 2016] No reported issues and library use is strong!
  • [1 May 2015] Moved to GitHub
  • [12 Apr 2015] 1.2 Released!
  • [10 Apr 2015] GitHub move
  • [1 Feb 2015] Removed ThreadLocal
  • [20 Mar 2014] Doc additions
  • [5 Feb 2014] New Wiki
  • [4 Feb 2014] 1.1.1 Released

In Print

We will be releasing a user guide soon!

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
New BSD License
Project Type Files CODE.jpg

The general API pattern is to utilize the Java Encoder Project in your user interface code and wrap all variables added dynamically to HTML with a proper encoding function. The encoding pattern is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" is untrusted output.

Basic HTML Context

<body><%= Encode.forHtml(UNTRUSTED) %></body>

HTML Content Context

<textarea name="text"><%= Encode.forHtmlContent(UNTRUSTED) %></textarea>

HTML Attribute context

<input type="text" name="address" value="<%= Encode.forHtmlAttribute(UNTRUSTED) %>" />

Generally Encode.forHtml(UNTRUSTED) is also safe but slightly less efficient for the above two contexts (for textarea content and input value text) since it encodes more characters than necessary but might be easier for developers to use.

CSS contexts

<div style="width:<= Encode.forCssString(UNTRUSTED) %>">
<div style="background:<= Encode.forCssUrl(UNTRUSTED) %>">

Javascript Block context

 <script type="text/javascript">
 var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED) %>";
 alert(msg);
 </script>

Javascript Variable context

 <button 
 onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED) %>');">
 click me</button>

JavaScript Content Notes: Encode.forJavaScript(UNTRUSTED) is safe for the above two contexts, but encodes more characters and is less efficient.

Encode URL parameter values

<a href="/search?value=<%= Encode.forUriComponent(UNTRUSTED) %>&order=1#top">

Encode REST URL parameters

<a href="/page/<%= Encode.forUriComponent(UNTRUSTED) %>">

Handling a Full Untrusted URL

When handling a full URL with the OWASP Java encoder, first verify the URL is a legal URL. 

String url = validateURL(untrustedInput);

Then encode the URL as an HTML attribute when outputting to the page. Note the linkable text needs to be encoded in a different context. 

 <a href="<%= Encode.forHtmlAttribute(untrustedUrl) %>">
 <%= Encode.forHtmlContent(untrustedLinkName) %>
 </a>

To use in a JSP with EL

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<html>
   <head>
       <title><e:forHtml value="${param.title}" /></title>
   </head>
   <body>
       <h1>${e:forHtml(param.data)}</h1>
   </body>
</html>

Other contexts can be found in the org.owasp.Encode class methods, including XML contexts and more.

Numbers don’t need encoding since they cannot cause XSS. There are no numbers that will break out of a javascript context. If (and only if) ‘javaNumber’ is a numeric type (primitive or box wrapper), just use: 

var javaScriptNumber = <%= javaNumber %>;

This is true even for the special cases of java.lang.Double.POSITIVE_INFINITY, NEGATIVE_INFINITY, NaN, and java.lang.Float equivalents.

On the other hand, if ‘javaNumber’ is some user provided data that is NOT a numeric type, then you should either (1) convert it to a number on the java side, or (2) encode it to a string and handle it on the javascript side. E.g. 

<% // option (1)
String javaNumber = (untrusted data);
Double actualNumber = Double.parseDouble(javaNumber); // don’t forget to catch NumberFormatException
%>
<script>
var jsNumber = <%= actualNumber %>;
</script>

-- OR -- 

<% // option (2)
String javaNumber = (untrusted data);
%>
<script>
var jsNumber = parseInt("<%=Encode.forJavaScript(javaNumber)%>");
</script>

The OWASP Java Encoder version 1.2.2 is now available in central!

OWASP Encoder at Maven Central.

Core

Direct Download: encoder-1.2.2.jar

Maven

<dependency>
   <groupId>org.owasp.encoder</groupId>
   <artifactId>encoder</artifactId>
   <version>1.2.2</version>
</dependency>

JSP Tag Library

Direct Download: encoder-jsp-1.2.2.jar

Maven

<dependency>
   <groupId>org.owasp.encoder</groupId>
   <artifactId>encoder-jsp</artifactId>
   <version>1.2.2</version>
</dependency>

The following describes the Grave Accent XSS issue with unpatched versions of Internet Explorer. Thank you to Rafay Baloch for bringing this to our attention and to Jeff Ichnowski for the workaround.

Introduction

The grave accent (`), ASCII 96, hex 60 (wikipedia) is subject to a critical flaw in unpatched Internet Explorer. There is no possible encoding of the character that can avoid the issue. For a more in depth presentation on the issue discussed herein, please see Mario Heidrech's presentation.

Background

In Internet Explorer, the grave accent is usable as an HTML attribute quotation character, equivalent to single and double quotes. Specifically, IE treats the following as equivalent: 

<input value="this is the value">
<input value=`this is the value`>

It is an IE extension, is not in HTML specifications (HTML4, HTML5), and is probably not well supported in other browsers.

The Issue

The following HTML snippet, demonstrates the cross-site scripting vulnerability related to grave accents on unpatched Internet Explorer: 

<div id=a><input value="``onmouseover=alert(1)"></div> 
<div id=b></div>
<script>b.innerHTML=a.innerHTML</script>

When this snippet is run in Internet Explorer the following steps happen:

  1. Two div elements are created with id's "a" and "b"
  2. The script executes "a.innerHTML" which returns:
<input value=``onmouseover=alert(1)>
  1. The script sets "b.innerHTML" to the value from (2) and is converted to the DOM equivalent of
<input value="" onmouseover="alert(1)">

The XSS issue arises from IE returning a value from innerHTML that it does not parse back into the original DOM. Patched version of IE fix this issue by returning the XSS value as a double-quoted attribute. The issue is complicated by the fact that no possible encoding of the grave accent can avoid this issue.

When... 

<input value="``onmouseover=alert(1)">

...is the input, "a.innerHTML" returns the same XSS vector as it does without the encoding.

Recommend Solution

Our recommended workaround is to update any JavaScript based innerHTML read to replace the accent grave with a numeric entity encoded form: "`". As an example, the following change to the XSS vulnerable code above fixes the issue: 

<script>a.innerHTML=b.innerHTML.replace(/`/g, "`");</script>

This can be done in any library code that reads the innerHTML. To follow how this addresses the issue, the innerHTML from step 2 of the issue is converted to: 

<input value=&#96;&#96;onmouseover=alert(1)>

Since the browser will no longer see the grave accents as an empty attribute, it will convert the input back to a copy of its original DOM.

Other Possible Solutions

As there is no encoding option available, the following options are available to web application authors:

  1. Do not use innerHTML copies
  2. Filter out the accent grave from any user input
  3. Clean up grave accents when using an innerHTML copy

OWASP Java Encoder Library Related Changes

The OWASP Java Encoder Library at its core is intended to be a XSS safe _encoding_ library. The grave accent is a legitimate and frequently used character, that cannot be encoded to avoid this bug in unpatched versions of IE. With enough user feedback, we may update the library to include one of the following options: (1) alternate, drop-in build that filters grave accents, with unchanged API, (2) new filtering methods.

Several users of the Java Encoder have asked how to properly use the OWASP Java Encoder in combination with template literals.

The best way to encode template literal variables is to first escape the untrusted data in a JavaScript variable and then place that variable in the template literal. 

var user = "<%= Encode.forJavaScript(user) %>";
`Hello ${user}, here is your total: ${total}`

Another method is to properly escape the variable in-line. 

`Hello ${"<%= Encode.forJavaScript(user) $>"}, here is your total ${total}`

2017-2018 Roadmap

  • Add decoders and canonicalization
  • Write a users guide including more complex examples
  • Build a mature test site
  • Optimize encoding to use new Java 8+ performance String utilities


Main

OWASP Project Header.jpg

OWASP HTML Sanitizer Project

The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations. This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review. A great place to get started using the OWASP Java HTML Sanitizer is here: https://github.com/OWASP/java-html-sanitizer/blob/master/docs/getting_started.md.

Benefits

  • Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
  • Actively maintained by Mike Samuel from Google's AppSec team!
  • Passing 95+% of AntiSamy's unit tests plus many more.
  • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
  • Java 1.5+
  • Provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode.

Licensing

The OWASP HTML Sanitizer is free to use and is dual licensed under the Apache 2 License and the New BSD License.

What is this?

The OWASP HTML Sanitizer Projects provides Java based HTML sanitization of untrusted HTML!

Code Repo

OWASP HTML Sanitizer at GitHub

Email List

Questions? Please sign up for our Project Support List

Project Leaders

Author/Project Leader
Mike Samuel @

Project Manager
Jim Manico @

Related Projects

Ohloh

Quick Download

OWASP HTML Sanitizer at Maven Central

News and Events

  • [20 Feb 2018] Update 20180219.1 addresses iOS/MacOS "text bomb"
  • [3 April 2017] HTML5 Support Update
  • [28 June 2016] v20160628.1 Released
  • [14 Apr 2016] v20160413.1 Released
  • [1 May 2015] Move to GitHub
  • [2 July 2014] v239 Released
  • [3 Mar 2014] v226 Released
  • [5 Feb 2014] New Wiki
  • [4 Sept 2013] v209 Released

Change Log

For recent release notes, please visit the changelog on GitHub.

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Apache 2 License
Project Type Files CODE.jpg

Creating a HTML Policy

You can view a few basic prepackaged policies for links, tables, integers, images and more here: https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/Sanitizers.java. 

PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML);

There tests illustrate how to configure your own policy here: https://github.com/OWASP/java-html-sanitizer/blob/master/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java 

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("a")
   .allowUrlProtocols("https")
   .allowAttributes("href").onElements("a")
   .requireRelNofollowOnLinks()
   .build();
String safeHTML = policy.sanitize(untrustedHTML);

... or you can write custom policies ... 

PolicyFactory policy = new HtmlPolicyBuilder()
   .allowElements("p")
   .allowElements(
       new ElementPolicy() {
         public String apply(String elementName, List<String> attrs) {
           attrs.add("class");
           attrs.add("header-" + elementName);
           return "div";
         }
       }, "h1", "h2", "h3", "h4", "h5", "h6"))
   .build();
String safeHTML = policy.sanitize(untrustedHTML);

Please note that the elements "a", "font", "img", "input" and "span" need to be explicitly whitelisted using the `allowWithoutAttributes()` method if you want them to be allowed through the filter when these elements do not include any attributes.

You can also use the default "ebay" and "slashdot" policies. The Slashdot policy (defined here https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/examples/SlashdotPolicyExample.java) allows the following tags ("a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong"n "br", "ul", "ol", "li") and only certain attributes. This policy also allows for the custom slashdot tags, "quote" and "ecode".

CSS Sanitization

CSS sanitization is challenging.

We disallow position:sticky and position:fixed so that client code can use a position:relative;overflow:hidden to contain self-styling sanitized snippets. Embedders of sanitized content do have to consistently do that and make sure that contributed content is clearly demarcated.

Most CSS attacks require a payload to specify selectors which the sanitizer should not allow. Unproxied images do allow tracking and, by positioning below the fold, can track whether a user scrolls down. Embedders do need to use URL rewriting if they allow background styling and use sensible Referrer-Policy and related headers.

That said, even if care is taken, CSS has a large attack surface, so not using it puts you in a safer place.

Inline/Embedded Images

Inline images use the data URI scheme to embed images directly within web pages. The following describes how to allow inline images in an HTML Sanitizer policy.

1) Add the "data" protocol do your whitelist. See: https://static.javadoc.io/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer/20160628.1/org/owasp/html/HtmlPolicyBuilder.html#allowUrlProtocols 

.allowUrlProtocols("data")

2) You can then allow an attribute with an extra check thus 

.allowAttributes("src")
.matching(...)
.onElements("img")

3) There are a number of things you can do in the matching part such as allow the following instead of just allowing data. 

data:image/...

4) Since allowUrlProtocols("data") allows data URLs anywhere data URLs are allowed, you might want to also add a matcher to any other URL attributes that reject anything with a colon that does not start with http: or https: or mailto: 

.allowAttributes("href")
.matching(...)
.onElements("a")

Questions

How was this project tested?
This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.

How is this project deployed?
This project is best deployed through Maven https://github.com/OWASP/java-html-sanitizer/blob/master/docs/getting_started.md

Roadmap

  • Maintaining a fully featured HTML sanitizer is a lot of work. We intend to continue to handle community questions and bug reports in a very timely manner.
  • There are no plans for major new features other than supporting incoming requests for advanced sanitization such as additional HTML5 support.
OWASP Java Project Mirko Richter @ N/A
OWASP Java XML Templates Project Jeff Ichnowski @ N/A
OWASP JBroFuzz Project Ranulf Green @ Yiannis Pavlosoglou @ Markus Miedaner @
JSReg Gareth Heyes @ N/A
PROJECT INFO
What does this OWASP project offer you? 		RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP LAPSE Project (home page)
Purpose: LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java EE Applications for common types of security vulnerabilities found in Web Applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project. The project's second push is being led by Pablo Martín Pérez, Evalues Lab ICT Security Researcher, developing LAPSE+, an enhanced version of LAPSE.
License: GNU General Public License v3
who is working on this project?
Project Leader(s):
  • Gregory Disney-Leugers @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact Gregory Disney-Leugers @ to contribute to this project
  • Contact Gregory Disney-Leugers @ to review or sponsor this project
current release
LapsePlus 2.8.1 - March 2011 - (download)
Release description: LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on the GPL software LAPSE, developed by the SUIF Compiler Group of Stanford University. This new release of the plugin developed by Evalues Lab of Universidad Carlos III de Madrid provides more features to analyze the propagation of the malicious data through the application and includes the identification of new vulnerabilities.
Rating: Yellow button.JPG Not Reviewed - Assessment Details
last reviewed release
Not Yet Reviewed


other releases
OWASP Mantra - Security Framework Abhi M BalaKrishnan @ N/A
OWASP Mobile Security Project Jonathan Carter (Overall Project and iGoat Leader) @ Mike Zusman (Mobile Cheat Sheet Leader) @ Tony DeLaGrange (MobiSec Leader) @ Sarath Geethakumar (Mobile Device Management Leader) @ Tom Eston (Mobile Threat Model Leader) @ Don Williams (Mobile Testing Leader) Jonathan Carter (Mobile Top Ten) @ Zach Lanier @ Jim Manico @ Ludovic Petit @ Swapnil Deshmukh @ Beau Woods @
OWASP ModSecurity Core Rule Set Project Chaim Sanders @ N/A
OWASP Myth Breakers Project Stefano Di Paola @ Dinis Cruz @ N/A
OWASP O2 Platform Project Dinis Cruz @ N/A
OWASP Portuguese Language Project Carlos Serrão @ Marcio Machry @ Lucas Ferreira @
OWASP Secure Coding Practices - Quick Reference Guide Keith Turpin @ Dan Kranz Walt Pietrowski Catherine Spencer Caleb McGary @ Jim Manico @ Brad Causey @ Ludovic Petit @ Michael V. Scovetta @ Jason Coleman Tarcizio Vieira Neto
OWASP Secure Password Project Josh Sokol @ James Wickett @ Matt Tesauro @ Ben Broussard @ Genung Gregory @
OWASP Secure the Flag Competition Project Mark Bristow @ N/A
OWASP Secure Web Application Framework Manifesto Rohit Sethi @ Yuk Fai Chan @ Tom Aratyn @ Sahba Kazerooni @ Patrick Szeto @
OWASP Security Baseline Project Marian Ventuneac @ N/A
OWASP Software Security Assurance Process Mateo Martínez @ Martin Pellegrino
OWASP Threat Modelling Project Anurag Agarwal @ N/A


OWASP Inactive Banner.jpg
OWASP Uniform Reporting Guidelines Vlad Gostomelsky @ N/A
OWASP Watcher Project Chris Weber @ N/A
OWASP Web Application Security Accessibility Project Petr Závodský @ Jan Meszáros Tomáš Bakos Jakub Tomšej TEREZA
OWASP Web Browser Testing System Project Isaac Dawson @ N/A
OWASP WebScarab NG Project Daniel Brzozowski @ Rogan Dawes (Past Contributor) @
OWASP X5s Project Chris Weber @ N/A
Flagship big.jpg

Review this project.

For more details about ZAP see the new ZAP website at zaproxy.orgZap-website.png


Share this:  E-mail this story Bookmark with Facebook Share on Digg.com Share on delicious Share on reddit.com Share on stumbleupon.com Share on LinkedIn.com Share on twitter.com Seed on Newsvine

Quick Download

Download OWASP ZAP!

News and Events

Please see the News and Talks tabs

Change Log

Code Repo

Email List

Questions? Please ask on the ZAP User Group

Project Leader

Project Leader
Simon Bennetts @

Co-Project Leaders
Ricardo Pereira @

Rick Mitchell @

Related Projects

Open Hub Stats

Classifications

Mature projects.png Owasp-builders-small.png
Owasp-breakers-small.png
Apache 2 License
Project Type Files TOOL.jpg
OWASP Browser Security Project N/A N/A
OWASP Development Guide N/A Andrew van der Stock @ Ken Owen @
OWASP Related Commercial Services Eoin Keary @ N/A
OWASP RFP-Criteria Tom Brennan @ N/A
Security Ecosystem Project Jeff Williams @ This project is currently seeking volunteers. If you are interested please contact us through the mailing list.
OWASP Student Chapters Program Mateo Martinez @ Antonios Manaras @ N/A
OWASP Testing Project Andrew Muller @ Matteo Meucci @ N/A

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Projects_Dashboard_2.0/By_Alphabetical_Order&oldid=109202"