3. May 2013

  • First execution of ESAPI.jar Encoder methods from O2’s C# REPL

First execution of ESAPI.jar Encoder methods from O2’s C# REPL

In April 2013 (when preparing to do the OWASP AppSensor and O2 Platform at Security B-Sides London workshop with colin), I achieved something that I have been trying to do for a while:

  • Use the O2 Platform’s C# REPL environment to programatically access (in real time) the ESAPI jar apis and methods.
  • Consume AppSensor’s jar directly from a .NET app (in that case TeamMentor)

When I was integrating AppSensor (java) with TeamMentor (.NET) I needed to solve the the problem described in Loading OWASP ESAPI jar and its dependencies from C# since AppSensor has an hard dependency on ESAPI (i.e. without ESAPI, AppSensor doesn’t work)

After a bit of research and coding, here is the first code sample that shows ESAPI being consumed from O2 (via Jni4Net)

image
image

Note how the ESAPI Encoder’s encodeForHTML method is being executed:

image
image

And displayed in the Output window:

image
image

To to clarify, although this code is being triggered and executed from a .Net GUI and CLR, the actual code that is doing the encoding is the one from http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html which is running running on a JVM inside the same process as the CLR (the magic sauce is provided by the amazing Jni4Net)

For example here is the execution result of the ESAPI Encoder’s encodeForJavascript:

image
image

Which is exactly what I wanted :)

I wonder if we can also execute the current ESAPI unit test the same way? For example, now that we have the capability to see what the encodings output of the Java version of ESAPI looks like, we can try to compare it with the ESAPI .NET methods (since they should match right?)

Here is code sample shown in above:

 1 var jni4Net = new API_Jni4Net();
 2 jni4Net.setUpBride();
 3 var jarPath = @"E:\_Code_Tests\OWASP_AppSensor\_O2_Test";
 4 var jars = jarPath.files("*.jar");
 5 
 6 
 7 var classLoader = jni4Net.systemClassLoader().loadJars(jars);
 8 var esapi = classLoader.loadClass("org.owasp.esapi.ESAPI");
 9 var encoder =  esapi.getMethod("encoder",null).invoke(null,null);
10 
11 
12 return encoder.getClass().getMethod("encodeForJavaScript",new Class[] {java.lang.String._clas\
13 s} )
14     	  .invoke(encoder, new java.lang.Object[] { "aaa<h1>bbb<h1>".java_String()});
15 
16 //using net.sf.jni4net.jni;
17 //using java.lang;
18 //using java.net;
19 //O2File:API_Jni4Net.cs
20 //O2Ref:jni4net.n-0.8.6.0.dll

Here is the current folder set-up and jars loaded:

image
image

A key to make it work is the fact that the ESAPI.properties file is in the same path as the ESAPI.jar

Up next

4. June 2013