Enterprise Security API (ESAPI) Java
Java User Group – San Antonio
Jarret Raim
June 3rd, 2010
What is it?
ESAPI (The OWASP Enterprise Security API) is a free, open source, web
application security control library that makes it easier for
programmers to write lower-risk applications. The ESAPI libraries are
designed to make it easier for programmers to retrofit security into
existing applications. The ESAPI libraries also serve as a solid
foundation for new development.
Who cares?
How Does it Work?
• There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control.
• There is a reference implementation for each security control. The logic is not organization-specific and not application-specific. An example: string-based input validation.
• There are optionally your own implementations for each security control. These classes may contain application logic developed by or for your organization. An example: enterprise authentication.
Allowing for language-specific differences, all OWASP
ESAPI versions have the same basic design:
There are several supported languages
• Java EE
• PHP
• Classic ASP
• .NET
• Coldfusion
• Python
• JavaScript
• Haskell
• Force.com
And they have a plan. Maybe.
Tyranny of Choice
[Diagram: the many competing Java security libraries and options a developer has to choose between: Logging, BouncyCastle, Spring, Log4j, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, ACEGI, Commons Validator, Struts, Reform Anti-XSS, Stinger, Standard Control, Java Pattern, Java URL Encoder, Write Custom Code, and many more.]
Vulnerability Theory
[Diagram: a Threat Agent uses attack Vectors against Vulnerabilities; where a Control is present it blocks the vector, where a Control is missing the vector reaches the Asset and its Function, causing a Technical Impact and then a Business Impact.]
Where do Vulnerabilities Come From?
• Missing Controls
– Lack of encryption
– Failure to perform access control
• Broken Controls
– Weak hash algorithm
– Fail open
• Ignored Controls
– Failure to use encryption
– Forgot to use output encoding
• ESAPI Solves
– Missing
– Broken
• Process Solves
– Ignored
[Diagram: the Custom Enterprise Web Application sits on top of the Enterprise Security API, whose components are Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector and SecurityConfiguration; ESAPI in turn sits on top of Existing Enterprise Security Services/Libraries.]
Encoder
<p>Hello, <%=name%></p>
<p>Hello, <%=ESAPI.encoder().encodeForHTML(name)%></p>
• Typical output in most web frameworks leads to XSS and CSRF vulnerabilities.
• The ESAPI encoder allows direct encoding depending on context.
– Web (HTML, JavaScript, CSS)
– Databases (MySQL, Oracle)
– URL
– Shells (Unix, Windows)
– XML
– LDAP
• Also provides a canonicalize method to remove any encodings.
[Diagram: Controller, Business Functions, Backend and User Data Layer, with the Validator and Encoder placed in front of them. Encoder methods: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath. Validator methods: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine. Cross-cutting: Canonicalization, Double Encoding Protection, Normalization, Sanitization.]
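The context-dependent encoding the Encoder slide describes, carried through for one untrusted value that lands in four different interpreters. This is an added example, not code from the slides or from the ESAPI project; it assumes the ESAPI 2.x Java library and an ESAPI.properties on the classpath, and the GreetingRenderer class and its sample input are constructed for illustration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

/** Renders one untrusted value into four output contexts (constructed example class). */
public final class GreetingRenderer {

    /**
     * Builds a page fragment that echoes the untrusted display name in an HTML text node,
     * an HTML attribute, a JavaScript string literal and a URL query parameter. Each
     * context gets the encoder for that interpreter; HTML entity encoding alone would
     * leave the script and URL contexts exploitable.
     */
    public static String render(String name) throws EncodingException {
        Encoder enc = ESAPI.encoder();
        StringBuilder html = new StringBuilder();

        // HTML text node: '<', '>' and '&' become entities
        html.append("<p>Hello, ").append(enc.encodeForHTML(name)).append("</p>\n");

        // HTML attribute value: quotes are the characters that break out here
        html.append("<input type=\"text\" name=\"displayName\" value=\"")
            .append(enc.encodeForHTMLAttribute(name)).append("\">\n");

        // JavaScript string literal: the encoded value must still sit inside quotes
        html.append("<script>var user = '").append(enc.encodeForJavaScript(name))
            .append("';</script>\n");

        // URL query parameter: percent-encoding, not entities. The result contains only
        // URL-safe characters, so it is also safe inside the href attribute quotes.
        html.append("<a href=\"/profile?name=").append(enc.encodeForURL(name))
            .append("\">Your profile</a>\n");
        return html.toString();
    }

    public static void main(String[] args) throws EncodingException {
        // Constructed sample input: the slide's own XSS probe, which breaks out of every
        // one of these contexts when written unencoded.
        System.out.println(render("<script>alert(document.cookie)</script>"));
    }
}
```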
Validator
• The Validator interface defines a set of methods for canonicalizing and validating untrusted input.
– Returns booleans, as not all validation problems are security issues.
• Invalid input will generate a descriptive ValidationException, which will be stored in the ValidationErrorList.
• Input that is clearly an attack will generate a descriptive IntrusionException.
EXAMPLE: <script>alert(document.cookie)</script>
ESAPI.validator().getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList)
assertIsValidHttpRequest()
assertIsValidHttpRequestParameterSet()
assertIsValidFileUpload()
getValidCreditCard()
getValidDate()
getValidDirectoryPath()
getValidDouble()
getValidFileContent()
getValidFileName()
…
Validator Example
• ESAPI provides the ValidationRule and Validator interfaces.
• Implement your own validators for your data.
• Reference Regex codes in the ESAPI properties from generic to specific.
[Diagram: request flow from the User Interface through the Controller and Business Functions to the Web Service, Database, Mainframe, File System, User Data Layer, Etc. Steps along the way: Set Character Set; Canonicalize; Global Validate; Specific Validate; Sanitize; Validate; Encode For HTML, or Any Encoding for Any Interpreter.]
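The "generic to specific" validation the two Validator slides describe, as an added example that is not from the slides or the ESAPI project: generic types are resolved from the Validator.* regex keys in ESAPI.properties, a specific rule is built in code, and both report into one ValidationErrorList. It assumes ESAPI 2.x with the default ESAPI.properties on the classpath (which defines Validator.Email and Validator.SafeString); the RegistrationValidator class, the Username rule and the sample values are constructed for illustration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.ValidationRule;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.StringValidationRule;

/** Validates a registration form: two generic property-based types plus one custom rule. */
public final class RegistrationValidator {

    /** Hypothetical app-specific rule: 3 to 20 letters, digits, dots or underscores. */
    private static final ValidationRule USERNAME_RULE = buildUsernameRule();

    private static ValidationRule buildUsernameRule() {
        StringValidationRule rule = new StringValidationRule("Username", ESAPI.encoder());
        rule.addWhitelistPattern("^[A-Za-z0-9._]{3,20}$");
        rule.setMaximumLength(20);
        rule.setAllowNull(false);
        return rule;
    }

    /**
     * Collects one ValidationException per bad field instead of failing on the first,
     * so the caller decides how to present user errors. An IntrusionException is not
     * collected: it is thrown because the input is plainly an attack, not a typo.
     * ESAPI's string rules canonicalize the value before matching, so an encoded
     * payload is checked in its decoded form.
     */
    public static ValidationErrorList validate(String username, String email, String displayName)
            throws IntrusionException {
        ValidationErrorList errors = new ValidationErrorList();
        // Generic: "Email" and "SafeString" name Validator.Email / Validator.SafeString in ESAPI.properties
        ESAPI.validator().getValidInput("Registration email", email, "Email", 254, false, errors);
        ESAPI.validator().getValidInput("Registration display name", displayName, "SafeString", 64, true, errors);
        // Specific: the rule defined above, reporting into the same list
        USERNAME_RULE.getValid("Registration username", username, errors);
        return errors;
    }

    public static void main(String[] args) {
        try {
            // Constructed sample: valid username and display name, malformed e-mail address
            ValidationErrorList errors = validate("alice.01", "not-an-email", "Alice");
            for (ValidationException e : errors.errors()) {
                // getUserMessage() is safe to show the user; getLogMessage() carries the detail
                System.out.println(e.getContext() + ": " + e.getUserMessage());
            }
        } catch (IntrusionException e) {
            System.out.println("Attack detected: " + e.getLogMessage());
        }
    }
}
```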
Authenticator
• Interface with a simple, file-based example implementation
• Log In / Log Out
• Password Verification
• Create User
• Password Generation
• Change Password
• Expirations
• Logging
• Per User Session
• Anonymous User
• Locale
• Roles
• Disable / Enable
• Locked / Unlocked
• CSRF Tokens
• Last Login
• Last Invalid Login
• Password Age
• Screen Name
• Failed Log In Count
• Last Logged in Host
[Diagram: ESAPI Access Control, Logging, Intrusion Detection and Authentication placed between the Users and the Controller, Business Functions, Backend and User Data Layer (Web Service, Database, Mainframe, File System, Etc.). AccessController methods: isAuthorizedForURL, isAuthorizedForFunction, isAuthorizedForService, isAuthorizedForData, isAuthorizedForFile.]
Note that the ESAPI project does not have out of the box support for projects like Spring, but can be made to work.
Encryption
• Encryption failures can lead to violations of the “Big Three”
– Confidentiality
– Integrity
– Availability (maybe)
• Encryption is surprisingly difficult to get right.
– You are probably doing it wrong right now.
• The Encryptor interface provides a set of methods for performing common encryption, random number, and hashing operations.
encrypted = ESAPI.encryptor().encrypt( decrypted );
decrypted = ESAPI.encryptor().decrypt( encrypted );
[Diagram: Encryptor and Encrypted Properties placed in front of the Controller, Business Functions, Backend and User Data Layer. Encryptor features: Encryption, Digital Signatures, Integrity Seals, Strong GUID, Random Tokens, Timestamp, Salted Hash, Safe Config Details.]
Direct Object Reference
• Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
• The fix is to generate suitably random garbage, then internally map that to the appropriate IDs.
• Doing this is surprisingly annoying, especially if there are no sessions.
– Not really scalability-friendly.
• ESAPI provides a random access map which also helps protect against CSRF.
String directReference = "This is a direct reference.";
RandomAccessReferenceMap instance = new RandomAccessReferenceMap();
String ind = instance.addDirectReference((Object)directReference);
[Diagram: the Access Reference Map placed between the application and its Web Service, Database, Mainframe, File System, User, Etc. Direct references such as Report123.xls or Acct:9182374 are exposed to the browser only as indirect references such as ref=jfo8we4oji.]
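The indirection the slide illustrates with Report123.xls and ref=jfo8we4oji, carried through both directions: emitting the indirect reference into a link and resolving the ref parameter back, with a guessed value refused. This is an added example, not code from the slides or the ESAPI project; it assumes ESAPI 2.x with ESAPI.properties on the classpath (RandomAccessReferenceMap draws on ESAPI.randomizer()), and the ReportLinks class and report names are constructed for illustration.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

/** Indirect references for the reports one user is allowed to see (constructed example). */
public final class ReportLinks {

    // Constructed sample: the internal file names this user owns
    private static final Set<Object> OWNED_REPORTS = new LinkedHashSet<Object>();
    static {
        OWNED_REPORTS.add("Report123.xls");
        OWNED_REPORTS.add("Report124.xls");
    }

    /**
     * One map per user session, seeded only with that user's references. A token that was
     * never handed out for this session cannot resolve, so tampering with ref= yields an
     * AccessControlException rather than another user's file. Because the token is random
     * and per session, a forged cross-site request cannot know it either, which is the
     * CSRF benefit the slide mentions.
     */
    private final AccessReferenceMap<String> map = new RandomAccessReferenceMap(OWNED_REPORTS);

    /** Builds the link the page should emit instead of the real file name, or null if not owned. */
    public String linkFor(String reportName) {
        String indirect = map.getIndirectReference(reportName);
        return indirect == null ? null : "/download?ref=" + indirect;
    }

    /** Maps the ref= parameter from the request back to the real file name, or refuses. */
    public String resolve(String refParam) throws AccessControlException {
        return map.getDirectReference(refParam);
    }

    public static void main(String[] args) {
        ReportLinks links = new ReportLinks();
        String link = links.linkFor("Report123.xls");
        System.out.println(link); // /download?ref=<random token for this session>
        try {
            String ref = link.substring(link.indexOf('=') + 1);
            System.out.println(links.resolve(ref)); // Report123.xls
            links.resolve("Report999.xls");         // direct name supplied as ref: refused
        } catch (AccessControlException e) {
            System.out.println("Refused: " + e.getUserMessage());
        }
    }
}
```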
Logging & Exceptions
• For many applications, logging is only used to detect application errors.
• Is usually geared to solving problems in development
– Hopefully with an eye to production.
• ESAPI provides a logging implementation that integrates with the security substructure.
– Logs ESAPI-generated security exceptions with identity information
– Can be used by normal business code to log security exceptions, or just to log information with identity
• Integrates an intrusion detection system that can respond to different types of intrusions by disabling accounts or other actions.
[Diagram: Logger, IntrusionDetector and the Enterprise Security Exceptions: AccessControlException, AuthenticationException, AvailabilityException, EncodingException, EncryptionException, ExecutorException, IntegrityException, IntrusionException, ValidationException. Each exception carries a User Message (no detail) and a Log Message (with identity). IntrusionDetector responses, with configurable thresholds: Log Intrusion, Logout User, Disable Account. Placed in front of the Controller, Business Functions, Backend and User Data Layer.]
Handling HTTP
• Many applications make heavy use of HTTP for functionality
– Classic ASP uses redirects for flow control, error handling, etc.
• The use of data from the request accounts for most web security defects
• ESAPI provides methods to interact with the request
– Helper methods for encryption
– CSRF tokens
– Etc.
• Deals with Character Sets and Encodings
[Diagram: HTTP Utilities placed in front of the Controller, Business Functions, Backend and User Data Layer: Add Safe Cookie, No Cache Headers, CSRF Tokens, Safe Request Logging, Encrypt State in Cookie, Add Safe Header, Querystring Encryption, Change SessionID, isSecureChannel, sendSafeRedirect, sendSafeForward, Safe File Uploads, Set Content Type, Kill Cookie, Hidden Field Encryption.]
OWASP Top Ten 2007 and the OWASP ESAPI component that addresses each item
A1. Cross Site Scripting (XSS): Validator, Encoder
A2. Injection Flaws: Encoder
A3. Malicious File Execution: HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference: AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF): User (CSRF Token)
A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage: Encryptor
A9. Insecure Communications: HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access: AccessController
Special Thanks
• Supports OWASP and ESAPI
• Many of the diagrams in the slides are from a similar presentation by Aspect.