Enterprise Security API (ESAPI) Java, Java User Group San Antonio. Jarret Raim, June 3rd, 2010.

DESCRIPTION

Discussion of the OWASP Enterprise Security API (ESAPI) for the Java User Group of San Antonio

TRANSCRIPT

Page 1: Enterprise Security API (ESAPI) Java - Java User Group San Antonio

Enterprise Security API (ESAPI) Java

Java User Group – San Antonio

Jarret Raim

June 3rd, 2010

Page 2

What is it?

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Page 3

Who cares?

Page 4

How Does it Work?

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

• There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control.

• There is a reference implementation for each security control. The logic is not organization-specific and not application-specific. An example: string-based input validation.

• Optionally, there are your own implementations for each security control. These classes may contain application logic and may be developed by or for your organization. An example: enterprise authentication. In the Java version the implementation class for each control is named in ESAPI.properties (the ESAPI.Authenticator, ESAPI.AccessController, ESAPI.Encoder, ... keys), so swapping in your own class does not change the calling code.

Page 5

There are several supported languages:

• Java EE
• PHP
• Classic ASP
• .NET
• ColdFusion
• Python
• JavaScript
• Haskell
• Force.com

And they have a plan. Maybe.

Page 6

Tyranny of Choice

Diagram: the security libraries and options a Java developer must choose between today (Java Logging, Log4j, BouncyCastle, JCE, JAAS, Cryptix, Jasypt, xml-dsig, xml-enc, Spring, ACEGI, Struts, Commons Validator, HDIV, Stinger, Reform, Anti-XSS, Java Pattern, Java URL Encoder, writing custom code, and many more), contrasted with a single Standard Control.

Page 7

Vulnerability Theory

Diagram: a Threat Agent uses attack Vectors against Vulnerabilities in the application; each vulnerability is either covered by a Control or represents a Missing Control. A successful attack reaches an Asset or Function and causes a Technical Impact, which in turn causes a Business Impact.

Page 8

Where do Vulnerabilities Come From?

• Missing Controls
– Lack of encryption
– Failure to perform access control

• Broken Controls
– Weak hash algorithm
– Fail open

• Ignored Controls
– Failure to use encryption
– Forgot to use output encoding

• ESAPI solves: missing and broken controls.

• Process solves: ignored controls.

Page 9

Diagram: the Custom Enterprise Web Application calls the Enterprise Security API (Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration), which in turn is layered over the Existing Enterprise Security Services/Libraries.

Page 10

Encoder

<%@ page import="org.owasp.esapi.ESAPI" %>

Before: <p>Hello, <%=name%></p>

After:  <p>Hello, <%=ESAPI.encoder().encodeForHTML(name)%></p>

• Typical raw output in most web frameworks leads to XSS (and, through XSS, CSRF) vulnerabilities.

• The ESAPI encoder allows direct encoding depending on the output context:

• Web (HTML, JavaScript, CSS)

• Databases (MySQL, Oracle)

• URL

• Shells (Unix, Windows)

• XML

• LDAP

• Also provides a canonicalize method to remove any encodings before the input is validated.
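The following is an added example, not code from the talk or from the ESAPI project itself: the same untrusted value encoded for each output context it might land in, followed by canonicalization of encoded input. It assumes the ESAPI 2.x jar and an ESAPI.properties file on the classpath; the hostile input string is constructed for the demonstration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.codecs.MySQLCodec;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Added example (not from the talk): one untrusted value encoded for each
 * output context, plus canonicalization of encoded input.
 * Needs the ESAPI 2.x jar and an ESAPI.properties on the classpath.
 */
public class EncoderContexts {

    // Constructed hostile input: an HTML/JS payload plus a SQL string-breaker.
    static final String UNTRUSTED = "<script>alert(document.cookie)</script>' OR '1'='1";

    public static void main(String[] args) throws EncodingException {
        Encoder enc = ESAPI.encoder();

        // 1. HTML element content: < > & " ' become entity references.
        System.out.println("html:  " + enc.encodeForHTML(UNTRUSTED));

        // 2. HTML attribute value; the template must still quote the attribute.
        System.out.println("attr:  " + enc.encodeForHTMLAttribute(UNTRUSTED));

        // 3. Inside a JavaScript string literal: \xHH escapes, so the value can neither
        //    end the string nor close the surrounding <script> element.
        System.out.println("js:    " + enc.encodeForJavaScript(UNTRUSTED));

        // 4. URL query parameter value: percent-encoding (UTF-8).
        System.out.println("url:   " + enc.encodeForURL(UNTRUSTED));

        // 5. SQL string literal for one specific dialect. Only for the rare case where a
        //    PreparedStatement placeholder is impossible; parameters remain the primary defence.
        System.out.println("mysql: " + enc.encodeForSQL(new MySQLCodec(MySQLCodec.MYSQL_MODE), UNTRUSTED));

        // 6. LDAP search filter value: ( ) * \ and NUL are escaped.
        System.out.println("ldap:  " + enc.encodeForLDAP("*)(uid=*))(|(uid=*"));

        // Canonicalization reduces input to its simplest form before validation.
        System.out.println(canonicalizeOrReject("%3Cscript%3E"));     // <script>
        System.out.println(canonicalizeOrReject("&lt;script&gt;"));   // <script>
        System.out.println(canonicalizeOrReject("%253Cscript%253E")); // REJECTED: double encoding
    }

    /**
     * Returns the canonical form of input, or a marker when ESAPI classes it as an attack.
     * With the defaults Encoder.AllowMultipleEncoding=false and Encoder.AllowMixedEncoding=false,
     * data that decodes more than once (%253C -> %3C -> <) or mixes schemes throws IntrusionException.
     */
    static String canonicalizeOrReject(String input) {
        try {
            return ESAPI.encoder().canonicalize(input);
        } catch (IntrusionException e) {
            return "REJECTED: " + e.getLogMessage();
        }
    }
}
```

The point of the six calls is that there is no single "escape" function: the same value needs a different transformation for each interpreter that will read it, and the encoder only helps if the call matches the context where the value is actually emitted.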

Page 11

Diagram: the Validator and Encoder sit between the controller / business functions and the backend, user and data layers.

Encoder methods: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath

Validator methods: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine

Also: canonicalization, double encoding protection, normalization, sanitization.

Page 12

Validator

• The Validator interface defines a set of methods for canonicalizing and validating untrusted input.

– The isValid* methods return booleans, because not all validation problems are security issues; the getValid* methods return the canonical value or throw.

• Invalid input will generate a descriptive ValidationException, which can be collected in a ValidationErrorList.

• Input that is clearly an attack (for example double- or mixed-encoded data) will generate a descriptive IntrusionException.

EXAMPLE: <script>alert(document.cookie)</script>

ESAPI.validator().getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList)

assertIsValidHttpRequest()

assertIsValidHttpRequestParameterSet()

assertIsValidFileUpload()

getValidCreditCard()

getValidDate()

getValidDirectoryPath()

getValidDouble()

getValidFileContent()

getValidFileName()

Page 13

Validator Example

• ESAPI provides the ValidationRule and Validator interfaces.

• Implement your own validators for your data.

• Reference the regex patterns defined in ESAPI.properties (the Validator.* keys) by type name, from generic to specific.
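The following is an added example covering the two Validator slides above; it is not code from the talk or the ESAPI project. It assumes ESAPI 2.x with the default ESAPI.properties, which defines the AccountName and Email types used here; the TicketId format and all input values are constructed for the demonstration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.StringValidationRule;

/**
 * Added example (not from the talk): whitelist validation through the Validator
 * interface, using types defined in ESAPI.properties and one rule of our own.
 * Assumes the default ESAPI.properties, which defines (among others):
 *   Validator.AccountName=^[a-zA-Z0-9]{3,20}$
 *   Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$
 */
public class InputValidation {

    /** Form validation with the error-list overload: every field is checked, nothing throws. */
    static ValidationErrorList validateForm(String account, String email) {
        ValidationErrorList errors = new ValidationErrorList();
        // "type" names the Validator.<type> regex; the input is canonicalized first,
        // then length-checked, then matched. Failures are recorded under the context name.
        ESAPI.validator().getValidInput("account", account, "AccountName", 20, false, errors);
        ESAPI.validator().getValidInput("email", email, "Email", 100, false, errors);
        return errors;
    }

    /** Single-field validation with the throwing overload; returns the canonical value. */
    static String validAccount(String account) throws ValidationException {
        return ESAPI.validator().getValidInput("account", account, "AccountName", 20, false);
    }

    /** A rule of our own, without touching ESAPI.properties. Hypothetical format: TKT- plus six digits. */
    static StringValidationRule ticketIdRule() {
        StringValidationRule rule = new StringValidationRule("TicketId", ESAPI.encoder(), "^TKT-[0-9]{6}$");
        rule.setMaximumLength(10);
        rule.setAllowNull(false);
        // ESAPI.validator().addRule(rule) would make it retrievable by name application-wide.
        return rule;
    }

    public static void main(String[] args) {
        // Constructed inputs: a valid account name, an invalid email address.
        ValidationErrorList errors = validateForm("jraim2010", "not-an-email");
        for (ValidationException ve : errors.errors()) {
            // getUserMessage() is safe to display; getLogMessage() (already logged) names the offending value.
            System.out.println(ve.getContext() + ": " + ve.getUserMessage());
        }

        try {
            validAccount("<script>alert(document.cookie)</script>");
        } catch (ValidationException ve) {
            // Fails the AccountName whitelist: an exception rather than a boolean, and the
            // intrusion detector has already counted it against the current user's thresholds.
            System.out.println("rejected: " + ve.getUserMessage());
        }

        StringValidationRule rule = ticketIdRule();
        System.out.println(rule.isValid("ticket", "TKT-004217"));    // true
        System.out.println(rule.isValid("ticket", "TKT-004217'--")); // false
    }
}
```

The error-list overload is the one to use on a form with several fields, so the user sees every problem at once; the throwing overload is what business code calls when a single bad value should stop processing.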

Page 14

Diagram: request flow from the Controller and User Interface through the Business Functions to the Data Layer (Web Service, Database, Mainframe, File System, User, Etc.), with the control points marked: set the character set and encode for HTML (or any other output encoding) on the way out; global validate, canonicalize, specific validate and sanitize on the way in; and canonicalize, validate and encode for any interpreter at the data layer.

Page 15

Authenticator

• Interface with a simple, file-based example implementation

• Log In / Log Out

• Password Verification

• Create User

• Password Generation

• Change Password

• Expirations

• Logging

• Per User Session

• Anonymous User

• Locale

• Roles

• Disable / Enable

• Locked / Unlocked

• CSRF Tokens

• Last Login

• Last Invalid Login

• Password Age

• Screen Name

• Failed Log In Count

• Last Logged in Host

Page 16

Diagram: ESAPI Access Control, Logging, Intrusion Detection and Authentication sit between the controller / business functions and the backend, users and data layer.

Note that the ESAPI project does not have out-of-the-box support for projects like Spring, but can be made to work.

Page 17

Diagram: access control checks at each layer, from the Controller and User Interface through the Business Functions to the Data Layer (Web Service, Database, Mainframe, File System, User, Etc.): isAuthorizedForURL, isAuthorizedForFunction, isAuthorizedForService, isAuthorizedForData, isAuthorizedForFile.
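The following is an added example tying together the Authenticator and AccessController slides; it is not code from the talk or the ESAPI project. It assumes ESAPI 2.x on the javax.servlet API, with the reference FileBasedAuthenticator (users.txt) and FileBasedAccessController (URL and function policy files) configured, so the data about who may do what lives in those files rather than in this class.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;

/**
 * Added example (not from the talk): a servlet filter that wires the ESAPI
 * Authenticator and AccessController into every request. Assumes ESAPI 2.x with
 * the reference FileBasedAuthenticator and FileBasedAccessController.
 * Map the filter to every URL that requires a logged-in user.
 */
public class EsapiSecurityFilter implements Filter {

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // ESAPI keeps the current request/response in thread-local storage; login(),
        // CSRF tokens and identity-tagged logging all read it from there.
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            // 1. Authenticate: restores the User from the session, or, on a login
            //    request, verifies the username/password parameters. The reference
            //    implementation also insists the login is a POST over TLS. Locked,
            //    disabled, expired or unknown accounts all end here with an exception.
            ESAPI.authenticator().login(request, response);

            // 2. Authorize the URL against the policy file. Fail closed: no entry, no access.
            ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI());

            chain.doFilter(request, response);
        } catch (AuthenticationException e) {
            // getUserMessage() is generic; the detailed reason was already logged with identity.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getUserMessage());
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, e.getUserMessage());
        } finally {
            // Clear the thread-locals so the identity cannot leak into the next request
            // served by this pooled thread.
            ESAPI.authenticator().clearCurrent();
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    /** Business-layer check against the function policy; unknown functions are denied. */
    static boolean mayRun(String functionName) {
        return ESAPI.accessController().isAuthorizedForFunction(functionName);
    }
}
```

The filter does the URL-level check; finer checks (isAuthorizedForFunction, isAuthorizedForData, isAuthorizedForFile) belong in the business functions and data layer, next to the operation they protect, which is what the diagram above is showing.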

Page 18

Encryption

• Encryption failures can lead to violations of the "Big Three":

– Confidentiality

– Integrity

– Availability (maybe)

• Encryption is surprisingly difficult to get right.

– You are probably doing it wrong right now.

• The Encryptor interface provides a set of methods for performing common encryption, random number, and hashing operations.

// String overloads as shown in the talk; ESAPI 2.x deprecates these in favour of encrypt(PlainText) / decrypt(CipherText).
encrypted = ESAPI.encryptor().encrypt( decrypted );
decrypted = ESAPI.encryptor().decrypt( encrypted );

Page 19

Diagram: the Encryptor and EncryptedProperties sit between the controller / business functions and the backend, user and data layer, providing: Encryption, Digital Signatures, Integrity Seals, Strong GUID, Random Tokens, Timestamp, Salted Hash, Safe Config Details.
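The following is an added example covering the two encryption slides above; it is not code from the talk or the ESAPI project. It assumes ESAPI 2.x with Encryptor.MasterKey and Encryptor.MasterSalt set in ESAPI.properties (the values are generated by running the JavaEncryptor class's main method); the account names, secrets and the 15-minute expiry are constructed for the demonstration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.Encryptor;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntegrityException;

/**
 * Added example (not from the talk): the Encryptor and Randomizer operations the
 * slides list. Assumes ESAPI 2.x and a master key/salt in ESAPI.properties.
 */
public class CryptoOps {

    /** Symmetric encryption under the master key, using the typed 2.x API. */
    static String roundTrip(String secret) throws EncryptionException {
        Encryptor enc = ESAPI.encryptor();
        // CipherText carries the IV and, with the default Encryptor.CipherText.useMAC=true,
        // an HMAC over the ciphertext, so tampering fails at decrypt time instead of
        // producing silent garbage. ct.getBase64EncodedRawCipherText() is what you would store.
        CipherText ct = enc.encrypt(new PlainText(secret));
        return enc.decrypt(ct).toString();
    }

    /** Integrity seal: a signed, expiring token whose payload stays readable (e.g. a password-reset link). */
    static String resetTokenFor(String accountName) throws IntegrityException {
        long expires = ESAPI.encryptor().getRelativeTimeStamp(15 * 60 * 1000L); // 15 minutes from now
        return ESAPI.encryptor().seal(accountName, expires);
    }

    /** Returns the sealed account name, or null if the seal is expired, truncated or altered. */
    static String accountFromResetToken(String token) {
        try {
            return ESAPI.encryptor().unseal(token);
        } catch (EncryptionException e) {
            return null;
        }
    }

    /** Salted, iterated hash for stored credentials. Use a per-record salt, never a constant. */
    static String hashWithSalt(String value, String perRecordSalt) throws EncryptionException {
        return ESAPI.encryptor().hash(value, perRecordSalt);
    }

    /** Unpredictable token from the SecureRandom-backed Randomizer. */
    static String newToken(int length) {
        return ESAPI.randomizer().getRandomString(length, EncoderConstants.CHAR_ALPHANUMERICS);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(roundTrip("Acct:9182374"));            // Acct:9182374

        String token = resetTokenFor("jraim");
        System.out.println(accountFromResetToken(token));         // jraim
        System.out.println(accountFromResetToken(token + "x"));   // null: seal no longer verifies

        String salt = newToken(16);
        System.out.println(hashWithSalt("hunter2", salt));        // base64 digest, different per salt
        System.out.println(ESAPI.randomizer().getRandomGUID());   // strong GUID
    }
}
```

The seal is the piece most often hand-rolled badly: it bundles a timestamp, the data and a signature, and unseal refuses anything that is past its timestamp or fails the signature, which is exactly the check a reset link or a signed hidden field needs.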

Page 20

Direct Object Reference

• Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.

• The fix is to generate suitably random values and map them internally to the real IDs.

• Doing this is surprisingly annoying, especially if there are no sessions.

– Not very scalability-friendly.

• ESAPI provides RandomAccessReferenceMap, which also helps protect against CSRF because the references are unguessable.

import org.owasp.esapi.reference.RandomAccessReferenceMap;

String directReference = "This is a direct reference.";
RandomAccessReferenceMap instance = new RandomAccessReferenceMap();
// Returns a random indirect reference; the (Object) cast in the original is unnecessary.
String ind = instance.addDirectReference(directReference);

Page 21

Access Reference Map

Diagram: the map sits between the application and its resources (Web Service, Database, Mainframe, File System, User, Etc.) and translates direct references such as Report123.xls or Acct:9182374 into indirect references such as ref=jfo8we4oji.
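The following is an added example for the two Access Reference Map slides above; it is not code from the talk or the ESAPI project. It assumes ESAPI 2.x; the report file names are constructed, and in a real application the map object would be stored in the HttpSession so that indirect references are meaningless in any other user's session.

```java
import java.util.Arrays;
import java.util.HashSet;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

/**
 * Added example (not from the talk): indirect references for a user's report files.
 * One map per session: store it as an HttpSession attribute in a web application.
 */
public class ReportReferences {

    /** Rebuilds the map from what this user may currently see and returns one link per report. */
    static String[] linksFor(RandomAccessReferenceMap map, String... userReports) {
        // update() keeps the indirect reference of entries that remain, adds new ones and
        // drops entries no longer in the set, so links to revoked reports stop resolving.
        map.update(new HashSet<Object>(Arrays.asList(userReports)));
        String[] links = new String[userReports.length];
        for (int i = 0; i < userReports.length; i++) {
            // The browser sees a random string, never "Report123.xls".
            links[i] = "/report?ref=" + map.getIndirectReference(userReports[i]);
        }
        return links;
    }

    /** Resolves ref=... back to the real file name, or null when it is unknown, forged or stale. */
    static String resolve(RandomAccessReferenceMap map, String ref) {
        try {
            return (String) map.getDirectReference(ref);
        } catch (AccessControlException e) {
            // ESAPI has logged the failed lookup with identity; deny, and never echo ref back.
            return null;
        }
    }

    static String refFrom(String link) {
        return link.substring(link.indexOf("ref=") + 4);
    }

    public static void main(String[] args) {
        RandomAccessReferenceMap map = new RandomAccessReferenceMap(); // one per session

        // Constructed data: the two reports this user owns.
        String[] links = linksFor(map, "Report123.xls", "Report124.xls");
        for (String l : links) System.out.println(l);

        System.out.println(resolve(map, refFrom(links[0])));   // Report123.xls
        System.out.println(resolve(map, "Report999.xls"));     // null: direct references are not accepted
        System.out.println(resolve(map, "jfo8we4oji"));        // null: a guessed indirect reference

        // The user loses Report124: its old link stops working even if it was bookmarked.
        linksFor(map, "Report123.xls");
        System.out.println(resolve(map, refFrom(links[1])));   // null
    }
}
```

Because the indirect references are issued per session and regenerated from the user's own allowed set, a forged or replayed ref parameter cannot reach another user's record, which is what makes the map useful against CSRF-style forged requests as well as against direct object reference attacks.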

Page 22

Logging & Exceptions

• For many applications, logging is only used to detect application errors.

• It is usually geared to solving problems in development, hopefully with an eye to production.

• ESAPI provides a logging implementation that integrates with the security infrastructure.

– Logs ESAPI-generated security exceptions with identity information.

– Can be used by normal business code to log security exceptions, or just to log information, with identity.

• Integrates an intrusion detection system that can respond to different types of intrusions by disabling accounts or other actions.

Page 23

IntrusionDetector

Diagram: the Enterprise Security Exceptions (AccessControlException, AuthenticationException, AvailabilityException, EncodingException, EncryptionException, ExecutorException, IntegrityException, IntrusionException, ValidationException) each carry a User Message (no detail) and a Log Message (with identity). They are reported to the Logger and to the IntrusionDetector, which has configurable thresholds and responses: log intrusion, log out user, disable account. All of this sits between the controller / business functions and the backend, user and data layer.
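The following is an added example for the logging and intrusion detection slides above; it is not code from the talk or the ESAPI project. It assumes ESAPI 2.x; the event name transfer_failed, the account id and the hostile input are constructed for the demonstration, and the property lines quoted in the comments are the ones the default ESAPI.properties ships under the example event name "test".

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.EnterpriseSecurityException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example (not from the talk): security exceptions with separate user/log
 * messages, the ESAPI Logger, and application events fed to the IntrusionDetector.
 */
public class SecurityEvents {

    // The ESAPI Logger prefixes each line with the current user, session and client
    // address taken from the thread-local request, and strips CR/LF from messages so
    // that untrusted input cannot forge extra log lines.
    private static final Logger log = ESAPI.getLogger(SecurityEvents.class);

    /** Two messages, two audiences. */
    static void rejectAmount(String rawAmount) throws ValidationException {
        // Constructing any EnterpriseSecurityException also passes it to
        // ESAPI.intrusionDetector().addException(), which logs it and counts it
        // against the threshold configured for that exception class.
        throw new ValidationException(
                "Invalid amount.",                                 // user message: no detail
                "Amount failed validation: '" + rawAmount + "'");  // log message: full detail, with identity
    }

    /**
     * Application-defined event (assumed name: transfer_failed). Thresholds and
     * responses come from ESAPI.properties; the default file ships an example named "test":
     *   IntrusionDetector.event.test.count=2
     *   IntrusionDetector.event.test.interval=10
     *   IntrusionDetector.event.test.actions=disable,log
     * Exceeding count events within interval seconds runs the actions (log, logout,
     * disable) on the current user inside the detector. Events for the anonymous
     * user are logged but not counted, so this only bites once someone is logged in.
     */
    static void recordFailedTransfer(String accountId) {
        ESAPI.intrusionDetector().addEvent("transfer_failed", "Transfer from " + accountId + " rejected");
    }

    /** Ordinary business logging through the same logger, tagged with the event type. */
    static void recordApprovedTransfer(String accountId) {
        log.info(Logger.SECURITY_SUCCESS, "Transfer approved for " + accountId);
    }

    /** What a controller does with an ESAPI exception: show one message, rely on the other being logged. */
    static String messageForClient(EnterpriseSecurityException e) {
        // e.getLogMessage() was already written by the intrusion detector when the
        // exception was constructed; only the generic text goes back to the browser.
        return e.getUserMessage();
    }

    public static void main(String[] args) {
        try {
            rejectAmount("1e9; DROP TABLE accounts");   // constructed hostile input
        } catch (ValidationException e) {
            System.out.println("to browser: " + messageForClient(e));   // Invalid amount.
        }
        for (int i = 0; i < 3; i++) recordFailedTransfer("9182374");
        recordApprovedTransfer("9182374");
        log.warning(Logger.SECURITY_FAILURE, "demo complete\r\nforged line");   // CR/LF stripped on output
    }
}
```

The split between getUserMessage() and getLogMessage() is the whole of the "leakage and improper error handling" defence: the browser never sees the offending value or a stack trace, while the log line has both the value and the identity needed to investigate.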

Page 24

Handling HTTP

• Many applications make heavy use of HTTP for functionality.

– Classic ASP uses redirects for flow control, error handling, etc.

• The use of data from the request accounts for most web security defects.

• ESAPI provides methods to interact with the request:

– Helper methods for encryption

– CSRF tokens

– Etc.

• Deals with character sets and encodings.

Page 25

HTTP Utilities

Diagram: HTTPUtilities sits between the controller / business functions and the backend, user and data layer, providing: Add Safe Cookie, No Cache Headers, CSRF Tokens, Safe Request Logging, Encrypt State in Cookie, Add Safe Header, Querystring Encryption, Change SessionID, isSecureChannel, sendSafeRedirect, sendSafeForward, Safe File Uploads, Set Content Type, Kill Cookie, Hidden Field Encryption.
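The following is an added example for the two HTTP slides above; it is not code from the talk or the ESAPI project. It assumes ESAPI 2.x on the javax.servlet API, a hypothetical state-changing "transfer" endpoint, and a Validator.Redirect pattern in ESAPI.properties that matches the application's own paths.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.HTTPUtilities;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example (not from the talk): HTTPUtilities on a hypothetical
 * state-changing "transfer" endpoint. Assumes ESAPI 2.x and javax.servlet.
 */
public class TransferEndpoint {

    /** When rendering the form or link: append the per-user CSRF token. */
    static String transferLink(String href) {
        // Appends ctoken=<random> (the token stored on the current User) as a query
        // parameter; for the anonymous user the href is returned unchanged.
        return ESAPI.httpUtilities().addCSRFToken(href);
    }

    /** When handling the POST: every check fails closed by throwing. */
    static void handle(HttpServletRequest request, HttpServletResponse response)
            throws IOException, AccessControlException, AuthenticationException, ValidationException {
        HTTPUtilities http = ESAPI.httpUtilities();
        http.setCurrentHTTP(request, response);

        // 1. Credentials and session ids must not travel in the clear:
        //    TLS and POST required, else AccessControlException.
        http.assertSecureRequest(request);

        // 2. Reject cross-site forged requests: IntrusionException when ctoken is missing or wrong.
        http.verifyCSRFToken(request);

        // 3. Re-key the session at this privilege change to defeat session fixation.
        http.changeSessionIdentifier(request);

        // 4. The response carries account data: keep it out of browser and proxy caches.
        http.setNoCacheHeaders(response);

        // 5. Redirect only to a location matching the Validator.Redirect whitelist in
        //    ESAPI.properties; sendRedirect re-checks it and throws AccessControlException otherwise.
        String next = ESAPI.validator().getValidRedirectLocation("next", request.getParameter("next"), false);
        http.sendRedirect(response, next);
    }

    /** On logout: end the ESAPI session and expire the session cookie at the browser. */
    static void logout(HttpServletRequest request, HttpServletResponse response) {
        ESAPI.authenticator().logout();
        ESAPI.httpUtilities().killCookie(request, response, HTTPUtilities.SESSION_TOKEN_NAME);
    }
}
```

Steps 1 to 5 are the request-side controls the slide lists for a single endpoint; the order matters, since the session must be re-keyed only after the request has been authenticated and its CSRF token verified, and the redirect target must be validated before anything is sent.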

Page 26

OWASP Top Ten 2007, with the ESAPI control that addresses each item:

A1. Cross Site Scripting (XSS): Validator, Encoder

A2. Injection Flaws: Encoder

A3. Malicious File Execution: HTTPUtilities (Safe Upload)

A4. Insecure Direct Object Reference: AccessReferenceMap, AccessController

A5. Cross Site Request Forgery (CSRF): User (CSRF Token)

A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils

A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils

A8. Insecure Cryptographic Storage: Encryptor

A9. Insecure Communications: HTTPUtilities (Secure Cookie, Channel)

A10. Failure to Restrict URL Access: AccessController

Page 27

Special Thanks

• Supports OWASP and ESAPI

• Many of the diagrams in these slides are from a similar presentation by Aspect.

Page 28

Conclusion

Denim Group, Ltd.

(210) 572-4400

Web: www.denimgroup.com

Blog: blog.denimgroup.com
