ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
Discovered a bug where `%2C&html=&&` should throw a `MixedEncodingException` but instead constructs the URL sequence `,&html=null&=null&`.
Note that this does not result in an exploitable URL string: the `&` is never decoded. It's also debatable whether this is a false negative.
It's possible that this bug is acceptable; it isn't clear per the RFC what the correct behavior should be in this circumstance (double ampersand). However, there is some possible nuance and a possible false negative implied here, and it's unclear what the correct path should be.
Per Issue #824
@kwwall @jeremiahjstacey
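As an added illustration (not ESAPI's code), the following Python parser keeps the empty segments produced by `&&` visible instead of rendering them as `null`, and flags a segment only when a single percent-decoding would yield a delimiter, which is the situation in which a stray `&` actually would be decoded. The `DELIMITERS` set and the sample inputs are my assumptions, not taken from ESAPI.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote

# Characters that delimit query components; if they appear only after
# percent-decoding, the input mixes encoded and literal delimiters.
DELIMITERS = {"&", "=", "?", "#"}


@dataclass
class ParsedQuery:
    # (key, value) tuples; value is None when the segment has no '='
    pairs: list = field(default_factory=list)
    # raw segments whose single decoding produced a delimiter character
    suspicious: list = field(default_factory=list)


def parse_query(query: str) -> ParsedQuery:
    """Split a raw query string on '&' and percent-decode each part once.

    Empty segments (from '&&' or a trailing '&') are preserved as ("", None)
    rather than as the string "null", so the caller sees exactly what was sent.
    A segment is reported as suspicious when decoding changes it and the
    decoded form contains a delimiter, e.g. "a%26b" -> "a&b".
    """
    result = ParsedQuery()
    for segment in query.split("&"):
        if segment == "":
            result.pairs.append(("", None))
            continue
        raw_key, sep, raw_value = segment.partition("=")
        key = unquote(raw_key)
        value = unquote(raw_value) if sep else None
        result.pairs.append((key, value))
        for decoded, raw in ((key, raw_key), (value, raw_value)):
            if decoded is not None and decoded != raw and DELIMITERS & set(decoded):
                result.suspicious.append(segment)
                break
    return result


if __name__ == "__main__":
    # Constructed inputs: the string from this issue, and one that does
    # smuggle delimiters through percent-encoding.
    for sample in ("%2C&html=&&", "q=a%26b%3Dc&x=1"):
        parsed = parse_query(sample)
        print(sample, "->", parsed.pairs, "suspicious:", parsed.suspicious)
```

For the issue's input the only decoded character is `,`, and every `&` stays a literal separator, which matches the observation above that nothing exploitable is produced.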