Tags: java, security, xss, owasp, esapi

Configure ESAPI Security Encoding Library to prevent XSS Cross-site scripting issue


I am trying to use ESAPI for security encoding in a webapp (JSPs) to prevent XSS. I added esapi-2.1.0.jar under WEB-INF/lib and added the line below in the JSP for encoding:

ESAPI.encoder().encodeForHTML(request.getParameter(""))

But I get the exception below:

org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)

I understand the problem is the missing ESAPI.properties file. Should I download this file as well, along with esapi-2.1.0.jar? I can see that ESAPI.properties is not in esapi-2.1.0.jar. Should I create my own, or can I get a default file, as I am unsure what should be in it? I appreciate any help.


Solution

  • The most recent public configuration files are located here:

    If you read the comments/code in this file, you'll see how to handle file location.

    You will need BOTH esapi.properties and validation.properties in order to properly use the library.

    Here's an excerpt from the documentation.

    /**
     * The reference {@code SecurityConfiguration} manages all the settings used by the ESAPI in a single place. In this reference
     * implementation, resources can be put in several locations, which are searched in the following order:
     * <p>
     * 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
     * <p>
     * 2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
     * You can set this on the java command line as follows (for example):
     * <pre>
     *              java -Dorg.owasp.esapi.resources="C:\temp\resources"
     * </pre>
     * You may have to add this to the start-up script that starts your web server. For example, for Tomcat,
     * in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the {@code -D} string above.
     * <p>
     * 3) Inside the {@code System.getProperty( "user.home" ) + "/.esapi"} directory (supported for backward compatibility) or
     * inside the {@code System.getProperty( "user.home" ) + "/esapi"} directory.
     * <p>
     * 4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
     * <p>
     * Once the Configuration is initialized with a resource directory, you can edit it to set things like master
     * keys and passwords, logging locations, error thresholds, and allowed file extensions.
     * <p>
     * WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
     *
     * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
     * @author Jim Manico (jim .at. manico.net) <a href="http://www.manico.net">Manico.net</a>
     * @author Kevin Wall (kevin.w.wall .at. gmail.com)
     */
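The following is an added example and is not code from the question, the answer, or the ESAPI project. It shows one way to apply the lookup order quoted above in a webapp: a ServletContextListener sets the org.owasp.esapi.resources system property (option 2) before any JSP touches ESAPI.encoder(), forces the configuration to load at deployment time so a missing file fails early, and a small helper then applies the context-specific encoders, since encodeForHTML() alone is not correct for attribute, JavaScript or URL contexts. Assumed for illustration only: a Servlet 3.0+ container, and a directory WEB-INF/esapi/ inside the WAR that holds both ESAPI.properties and validation.properties.

```java
// Added example (not from the original question or answer): bootstrap ESAPI's
// configuration location at webapp startup, then encode per output context.
// Assumptions: Servlet 3.0+ container; WEB-INF/esapi/ contains ESAPI.properties
// and validation.properties.
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

@WebListener
public class EsapiBootstrap implements ServletContextListener {

    private static final String RESOURCES_PROP = "org.owasp.esapi.resources";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Honour an explicit -Dorg.owasp.esapi.resources=... given on the JVM command line.
        if (System.getProperty(RESOURCES_PROP) == null) {
            // getRealPath() returns null when the WAR is not exploded on disk; in that case
            // leave the property unset so ESAPI falls back to the classpath lookup (option 4)
            // instead of being pointed at the literal string "null".
            String dir = sce.getServletContext().getRealPath("/WEB-INF/esapi");
            if (dir != null) {
                System.setProperty(RESOURCES_PROP, dir);
            }
        }
        // Load the configuration now: a missing or broken ESAPI.properties then fails the
        // deployment with a ConfigurationException rather than the first request to a JSP.
        ESAPI.encoder();
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to do here.
    }
}

// Context-specific output encoding. encodeForHTML() is only right for text between tags;
// an attribute value, a JavaScript string literal and a URL parameter each need their own
// encoder, otherwise the encoding can be bypassed in that context.
final class SafeOutput {
    private static final Encoder ENC = ESAPI.encoder();

    private SafeOutput() { }

    // Element text content: <p>...</p>
    static String html(String s) {
        return s == null ? "" : ENC.encodeForHTML(s);
    }

    // Quoted attribute value: <input value="..."> (always quote the attribute in the JSP)
    static String attr(String s) {
        return s == null ? "" : ENC.encodeForHTMLAttribute(s);
    }

    // Inside a JavaScript string literal: var name = '...';
    static String js(String s) {
        return s == null ? "" : ENC.encodeForJavaScript(s);
    }

    // A single query-string value: ?q=...
    static String url(String s) throws EncodingException {
        return s == null ? "" : ENC.encodeForURL(s);
    }
}
```

In a JSP the helper is used as `<%= SafeOutput.html(request.getParameter("name")) %>` for body text and `value="<%= SafeOutput.attr(request.getParameter("name")) %>"` for an attribute. Two caveats: a system property is JVM-wide, so two webapps in the same container would compete for it, and a per-application `esapi/` directory under WEB-INF/classes (option 4, the classpath lookup) avoids that; and whichever location you choose, the WARNING in the excerpt above still applies: the copied ESAPI.properties must have its master key and other security-critical settings changed before deployment.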