this post was submitted on 18 Nov 2023
555 points (95.7% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54476 readers
585 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 32 points 11 months ago (1 children)

That's... Surprising. If you're doing things right, double quotes should be no trouble at all:

  • HTTP requests have simple, automatic encoding
  • SQL queries with prepared statements don't need any special handling for double quotes
  • Rendering the data should happen with proper escaping etc.

They are usually only trouble if you're doing SQL queries wrong (concatenation etc.) or if you're not escaping your output.

[–] [email protected] 28 points 11 months ago* (last edited 11 months ago) (2 children)

The issue is the filter that we're using to avoid multiple encoding attacks de-escapes everything via multiple rounds, then tries to pass it to the next layer of filtering with the de-escaped request body as a json string. Your absolutely right that this is a silly way of doing it, but sometimes we have to live with decisions that were made before we were onboarded to a project. In this particular case, I pushed to improve the filters but all our PO heard was "spend development time weakening security" and at the end of the day they decide what to do and we do it.

[–] [email protected] 11 points 11 months ago

Ah, that's understandable. Sorry you have to go through that!

[–] [email protected] 1 points 11 months ago (1 children)

The filter you're using to avoid multiple encoding attacks creates multiple encoding attacks.

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (1 children)

You should tell that to OWASP then, they wrote it. org.owasp.esapi 2.5.2.0, class is Encoder, method is canonicalize(String, bool, bool)

[–] [email protected] 2 points 11 months ago

This method is a band-aid patch when your downstream code is all messed up and you can't fix it. Instead of treating the input string correctly, it just removes anything that might possibly trigger some vulnerability in wrong code.