Where can I find ESAPI.properties?
I am trying to use the OWASP ESAPI library in my web app to escape request parameters in JSPs, as below: ESAPI.encoder().encodeForHTML(request.getParameter()).

I have added esapi-2.1.0.jar under WEB-INF/lib, but I get the below exception:

org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail. org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)

But I couldn't find ESAPI.properties in the JAR file. Any idea where I can get this? Also, where should I place this properties file? Please help.

Baa answered 26/3, 2015 at 3:25 Comment(1)
Thanks. But it still doesn't answer my question. Do I need to create ESAPI.properties myself? I thought the API provides it, but I can't find where I can download the file. - Baa
Here is the reference: ESAPI installation guide.

You can download ESAPI.properties from here.

You can create ESAPI.properties file yourself and place the same content there. It should be placed in your 'src/main/resources' folder.

Also, you will need a validation.properties file to handle XSS, which should be placed in the 'src/test/resources' folder.

Please make sure to change the application name in these properties files to your application, as in

Validator.Redirect=^\\/test.*$

test should be replaced with your application name.

Homesick answered 8/4, 2015 at 15:34 Comment(7)
Installation guide for Java: owasp.org/images/4/4c/JavaEE-ESAPI_2.0a_install.doc - Riggle
Can we get an updated link for the ESAPI.properties file, as the current one is dead? - Trumpeter
I think the new link for ESAPI.properties is: code.google.com/p/owasp-esapi-java/source/browse/trunk/… - Trumpeter
Both links to ESAPI.properties in the answer and the comment above are broken. - Halloran
I found it inside the distribution file: repo1.maven.org/maven2/org/owasp/esapi/esapi/2.1.0.1/… - Rigamarole
Since all links to ESAPI.properties are broken, can someone add its content to the answer? It should be helpful. - Holinshed
Updated details and my findings in the answer below. - Holinshed
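The answer above says to put ESAPI.properties and validation.properties on the classpath and to adjust Validator.Redirect to your own application name. The following is an added example (not code from the question, the answers, or the ESAPI project) of how those two files are actually exercised from a JSP or servlet: the encoder is chosen per output context, and the redirect target is validated against the Validator.Redirect pattern rather than trusted. It assumes both properties files are on the classpath (for example under src/main/resources, packaged into WEB-INF/classes), that validation.properties contains an entry like `Validator.Redirect=^\\/myapp.*$` where `myapp` is this application's context path, and the javax.servlet API of the 2015-era container in the question. The class name SafeParams and the parameter names are illustrative.

```java
import javax.servlet.http.HttpServletRequest;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example helper (not from the original post): encodes request
 * parameters for the HTML context they are written into and validates a
 * redirect target against the Validator.Redirect pattern from
 * validation.properties.
 *
 * Assumptions (not stated on the page):
 *   - ESAPI.properties and validation.properties are loadable from the classpath
 *   - validation.properties contains: Validator.Redirect=^\\/myapp.*$
 *   - "myapp" is this application's context path
 */
public final class SafeParams {

    private SafeParams() {
    }

    /** For text placed between HTML tags, e.g. <p>Hello, ...</p>. */
    public static String forHtml(HttpServletRequest request, String name) {
        String raw = request.getParameter(name);
        return raw == null ? "" : ESAPI.encoder().encodeForHTML(raw);
    }

    /** For text placed inside a quoted attribute value, e.g. value="...". */
    public static String forAttribute(HttpServletRequest request, String name) {
        String raw = request.getParameter(name);
        return raw == null ? "" : ESAPI.encoder().encodeForHTMLAttribute(raw);
    }

    /** For text embedded in a quoted JavaScript string literal, e.g. var q = '...'; */
    public static String forJavaScript(HttpServletRequest request, String name) {
        String raw = request.getParameter(name);
        return raw == null ? "" : ESAPI.encoder().encodeForJavaScript(raw);
    }

    /**
     * Returns the requested redirect target only if it matches the
     * Validator.Redirect pattern (the "Redirect" type looked up in
     * validation.properties); otherwise returns a fixed in-application
     * fallback instead of sending the user to an attacker-chosen URL.
     */
    public static String safeRedirect(HttpServletRequest request, String name, String fallback) {
        String raw = request.getParameter(name);
        try {
            // context label, input, type name, max length, allowNull
            return ESAPI.validator().getValidInput("redirect target", raw, "Redirect", 512, false);
        } catch (ValidationException | IntrusionException e) {
            // Invalid or missing target: log via the ESAPI logger and fall back.
            ESAPI.log().warning(org.owasp.esapi.Logger.SECURITY_FAILURE,
                    "Rejected redirect target parameter '" + name + "'", e);
            return fallback;
        }
    }
}
```

In a JSP this replaces the raw `request.getParameter()` from the question with `<%= SafeParams.forHtml(request, "name") %>` in element content and `<%= SafeParams.forAttribute(request, "name") %>` inside attribute values; picking the encoder by output context is the point, since HTML-encoding a value that lands inside a script block does not stop script injection. If ESAPI.properties is still not on the classpath, the first call into `ESAPI.encoder()` throws the ConfigurationException shown in the question.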
OK, since the above links are all broken or will be outdated in a while (e.g. a link to a specific version), here is the GitHub link:

https://github.com/ESAPI/esapi-java-legacy/tree/develop/configuration/esapi

Rese answered 18/10, 2017 at 8:9 Comment(1)
Thanks, I found the required files. - Photoelasticity
I was looking for the same file, as while deploying my webapp I was getting:

Mar 08, 2017 1:23:12 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [mvc-dispatcher] in context with path [/WebDynamo] threw exception [org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception.] with root cause
java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
    at org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfigurationFromClasspath(DefaultSecurityConfiguration.java:667)

Anyway, for my webapp I just added ESAPI.properties in the source root folder (the src folder; don't add it in any package). And the file is just empty. And the web app works just fine. I see the following logs in the webapp, so if you are ever wondering where this file is being searched for, refer to this:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /Applications/Eclipse.app/Contents/MacOS/ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/ESAPI.properties
Not found in 'user.home' (/Users/athakur) directory: /Users/athakur/esapi/ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Validator.ConfigurationFile not found in ESAPI.properties. Using default: validation.properties
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /Applications/Eclipse.app/Contents/MacOS/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in 'user.home' (/Users/athakur) directory: /Users/athakur/esapi/validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
validation.properties could not be loaded by any means. fail. Exception was: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource.
SecurityConfiguration for ESAPI.printProperties not found in ESAPI.properties. Using default: false
SecurityConfiguration for Encryptor.CipherTransformation not found in ESAPI.properties. Using default: AES/CBC/PKCS5Padding
SecurityConfiguration for ESAPI.Encoder not found in ESAPI.properties. Using default: org.owasp.esapi.reference.DefaultEncoder
SecurityConfiguration for ESAPI.Logger not found in ESAPI.properties. Using default: org.owasp.esapi.reference.JavaLogFactory
SecurityConfiguration for Logger.LogApplicationName not found in ESAPI.properties. Using default: true
SecurityConfiguration for Logger.LogServerIP not found in ESAPI.properties. Using default: true
SecurityConfiguration for Logger.ApplicationName not found in ESAPI.properties. Using default: DefaultName

I am sure these are configurable, and you can add the other files to the src folder too. Also, I found this file in:

https://github.com/OWASP/EJSF/blob/master/esapi_master_FULL/WebContent/ESAPI.properties

The file is too big to paste its contents here, but based on the default values it is setting, as per the logs above, the following things are required:

ESAPI.printProperties=true
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
Logger.LogApplicationName=true
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
Logger.LogServerIP=true
# Set the application name if these logs are combined with other applications
Logger.ApplicationName=ExampleApplication
Holinshed answered 8/3, 2017 at 8:0 Comment(0)
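The log excerpt in the answer above shows the order in which ESAPI looks for its files: the directory named by the system property `org.owasp.esapi.resources`, then `.esapi/` under the working directory, then `esapi/` under `user.home`, and finally the classpath. Relying on the working directory or home directory of whoever started the container is fragile, so the following added example (not code from the answer or from the ESAPI project) is a ServletContextListener that points `org.owasp.esapi.resources` at a directory packaged inside the WAR and forces ESAPI to load its configuration at deployment time, so a missing ESAPI.properties fails the deployment instead of the first request. It assumes the files are placed under WEB-INF/esapi (a location chosen for this example), that the app runs from an exploded WAR so `getRealPath` returns a filesystem path, and the javax.servlet API; the class name EsapiConfigListener is illustrative.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ConfigurationException;

/**
 * Added example (not from the original post): pins the ESAPI configuration
 * directory and fails deployment early if it cannot be loaded.
 *
 * Lookup order seen in the logs above:
 *   1. directory named by the system property org.owasp.esapi.resources
 *   2. .esapi/ relative to the JVM working directory
 *   3. <user.home>/esapi/
 *   4. the classpath (e.g. src/main/resources -> WEB-INF/classes)
 *
 * Assumption: ESAPI.properties and validation.properties live in
 * WEB-INF/esapi inside the WAR. Files under WEB-INF are not served over HTTP,
 * and step 1 makes the location independent of the container's working
 * directory or the home directory of the account that started it.
 *
 * Register in web.xml:
 *   <listener><listener-class>EsapiConfigListener</listener-class></listener>
 */
public class EsapiConfigListener implements ServletContextListener {

    private static final String RESOURCE_DIR_PROPERTY = "org.owasp.esapi.resources";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Only override the search path if the operator has not set it on the
        // JVM command line (-Dorg.owasp.esapi.resources=...) already.
        if (System.getProperty(RESOURCE_DIR_PROPERTY) == null) {
            String dir = ctx.getRealPath("/WEB-INF/esapi");
            if (dir != null) {
                System.setProperty(RESOURCE_DIR_PROPERTY, dir);
                ctx.log("ESAPI resources directory set to " + dir);
            } else {
                // Unexploded WAR: no filesystem path; ESAPI falls through to the classpath.
                ctx.log("WEB-INF/esapi not available on disk; ESAPI will use the classpath");
            }
        }

        try {
            // The first call into ESAPI constructs DefaultSecurityConfiguration,
            // which is where ESAPI.properties is loaded (or not).
            String app = ESAPI.securityConfiguration().getApplicationName();
            ctx.log("ESAPI configuration loaded; Logger.ApplicationName=" + app);
        } catch (ConfigurationException e) {
            // Abort deployment rather than serving pages whose encoders will throw.
            throw new IllegalStateException(
                    "ESAPI configuration could not be loaded; check WEB-INF/esapi", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release; the system property is left in place for the JVM.
    }
}
```

With an empty ESAPI.properties, as in the answer above, every setting falls back to the built-in default printed in the log lines, including the encoder, the AES/CBC cipher transformation, and the application name `DefaultName`; copying the full file from the repository link and setting `Logger.ApplicationName` makes the log entries attributable to this application when several apps share a log.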
