Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 1.3.0
    • Component/s: Web
    • Labels: None

      Description

      To customize how URL encoding in a web app occurs, we should have a UrlEncoder component. More specifically, this can be used to customize how JSESSIONID is appended to a URL (if at all, depending on security preferences).

      The solution could be resolved as follows:

      Create a new UrlEncoder interface:

      public interface UrlEncoder {
          String encodeUrl(EncodeUrlRequest request);
      }

      The EncodeUrlRequest:

      public interface EncodeUrlRequest {
          String getUrl();
          HttpServletRequest getHttpServletRequest();
          HttpServletResponse getHttpServletResponse();
          ServletContext getServletContext();
      }

      Update WebEnvironment to have a new property:

      UrlEncoder getUrlEncoder();
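      The following is an added example, not code from the issue or from Shiro, of what the proposed component could look like once implemented. The three interfaces are the ones sketched in the description; the two implementations, their class names, and the logging behaviour are hypothetical. It assumes the javax.servlet API (as used by Shiro 1.x) is on the classpath. The first implementation never appends a session id and is the one a deployment would pick when URL rewriting is turned off; the second delegates to the container's HttpServletResponse#encodeURL, which is where the ;jsessionid=... suffix comes from, and records a log event whenever that happens so the exposure is visible to operators.

```java
import java.util.logging.Logger;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example; not part of Shiro. Holds the proposed interfaces plus two sample encoders. */
public final class UrlEncoderExample {

    /** Interface as proposed in the issue description. */
    public interface UrlEncoder {
        String encodeUrl(EncodeUrlRequest request);
    }

    /** Request object as proposed in the issue description. */
    public interface EncodeUrlRequest {
        String getUrl();
        HttpServletRequest getHttpServletRequest();
        HttpServletResponse getHttpServletResponse();
        ServletContext getServletContext();
    }

    /**
     * Hypothetical "rewriting off" encoder: the URL is returned untouched, so a
     * session id can never end up in a link, the browser history, a Referer header
     * or a proxy log. This is the behaviour the discussion recommends as the default.
     */
    public static final class NoSessionIdUrlEncoder implements UrlEncoder {
        @Override
        public String encodeUrl(EncodeUrlRequest request) {
            return request.getUrl();
        }
    }

    /**
     * Hypothetical opt-in encoder for deployments that must keep Servlet-spec URL
     * rewriting. It delegates to the container, which appends ;jsessionid=... only
     * when the client did not present a session cookie, and emits a warning each
     * time that happens. The log line carries the original URL (without the session
     * id) so the log itself does not become another place the id leaks to.
     */
    public static final class ContainerSessionRewritingUrlEncoder implements UrlEncoder {
        private static final Logger LOG =
                Logger.getLogger(ContainerSessionRewritingUrlEncoder.class.getName());

        @Override
        public String encodeUrl(EncodeUrlRequest request) {
            String url = request.getUrl();
            String encoded = request.getHttpServletResponse().encodeURL(url);
            if (!encoded.equals(url)) {
                // Security-relevant event: a session id was written into a URL.
                LOG.warning("Session id appended to URL (session rewriting) for "
                        + request.getHttpServletRequest().getRemoteAddr()
                        + " url=" + url);
            }
            return encoded;
        }
    }

    private UrlEncoderExample() {
    }
}
```

      In this sketch the choice of encoder is a deployment decision made once, through the proposed WebEnvironment.getUrlEncoder() property, rather than something hard-wired into the response wrapper; the ShiroHttpServletResponse would simply build an EncodeUrlRequest and hand it to whichever UrlEncoder is configured.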


          Activity

          Jim Manico added a comment -

          Agreed on needing to support session re-writing. Would love to see a
          security log event, JavaDoc or both warning against this practice.

          Aloha folks,
          Jim


          Jim Manico

          Connections Committee Chair
          Cheatsheet Series Product Manager
          OWASP Podcast Producer/Host

          jim@owasp.org
          www.owasp.org

          Les Hazlewood added a comment -

          Hi Jim,

          I totally agree - this is why I'd like it to be a customizable component where these things can be easily turned on/off instead of embedded in the ShiroHttpServletResponse implementation like it is today.

          However, because Shiro must adhere to the Servlet Specification, we have to support JSESSIONID appending - but we can still strongly recommend to people that they turn it off (or even likely turn it off by default). XSS defense was also on my mind when I thought about this too - hopefully we can kill a few birds with one stone here.

          Thanks for the feedback!!!

          Les

          Jim Manico added a comment -

          This same encoding function is necessary when trying to stop some
          classes of XSS defense.

          <a href="http://www.somesite.com/data?test=<%= URL ENCODE UNTRUSTED DATA %>">Link</a>

          And of course, adding a session ID to a URL is a security vulnerability
          known as session rewriting and is not recommended.

          Aloha,
          Jim


          Jim Manico

          Connections Committee Chair
          Cheatsheet Series Product Manager
          OWASP Podcast Producer/Host

          jim@owasp.org
          www.owasp.org
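          As an added example that is not part of the comment above or of Shiro, here is the encoding step the JSP placeholder "URL ENCODE UNTRUSTED DATA" stands for, written in plain Java. It assumes Java 10 or newer (for the Charset overload of URLEncoder.encode); the class and method names are hypothetical. Two encodings are applied in sequence because the value passes through two contexts: it is first percent-encoded as a query-string value, then the whole URL is attribute-encoded so it can sit inside href="...". The sample input is constructed to contain the characters that would otherwise close the attribute or start a tag.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Added example; not part of Shiro. Builds a link whose query value comes from untrusted input. */
public final class SafeLinkExample {

    /** Percent-encodes an untrusted value for the query-string context (space becomes '+'). */
    static String encodeQueryValue(String untrusted) {
        return URLEncoder.encode(untrusted, StandardCharsets.UTF_8);
    }

    /** Encodes the five HTML-significant characters so a string is safe inside a quoted attribute. */
    static String encodeHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Assembles the anchor tag: query encoding first, then attribute encoding of the full URL. */
    static String buildLink(String baseUrl, String paramName, String untrustedValue) {
        String url = baseUrl + "?" + paramName + "=" + encodeQueryValue(untrustedValue);
        return "<a href=\"" + encodeHtmlAttribute(url) + "\">Link</a>";
    }

    public static void main(String[] args) {
        // Constructed input containing attribute- and tag-breaking characters.
        String untrusted = "a\"><b>x & y";
        System.out.println(buildLink("http://www.somesite.com/data", "test", untrusted));
    }

    private SafeLinkExample() {
    }
}
```

          The order matters: percent-encoding leaves only alphanumerics and ".-*_" untouched, so every quote, angle bracket and ampersand in the untrusted value has already become %XX before the attribute encoder sees the URL, and the attribute encoder then only has to protect the literal "&" separators that a multi-parameter query string would contain.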


            People

            • Assignee: Unassigned
            • Reporter: Les Hazlewood
            • Votes: 1
            • Watchers: 2
