ESAPI: A Guided Tour - OWASP (slide transcript)
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org
ESAPI: A GUIDED TOUR
Joe Combs
OWASP Cincinnati
SEI - Cincinnati, LLC
26 August 2008
AGENDA
• What Problem Are We Trying To Solve?
• What Is ESAPI?
• Architecture
• Example Usage
• Future Direction
The Problem Defined
(Slide shows a cloud of overlapping security libraries and frameworks: Java Logging, Reform, ACEGI, Struts, Stinger, Anti-XSS, BouncyCastle, Spring, Log4j, Commons Validator, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, and many more.)
The Problem Defined
• Getting security controls right is hard stuff
  - texts, articles and tutorials are overflowing with examples of bad security
  - developers copy from other existing code
• Nearly 1/3 of all security code reviewed contains security flaws
• Most developers shouldn’t build security controls
The Problem Defined
• In many enterprise environments, security controls evolve over time in a reactive fashion.
• Most enterprises need the same set of calls in most (or all!) of their applications
• A common approach to security controls can aid static analysis
What is ESAPI?
• Enterprise Security API
• Open Source - BSD license
• Create a standardized mechanism for Java EE applications to address security concerns
• ESAPI is NOT a framework. It’s a set of well defined interfaces and a reference implementation of the “right” way to do security controls
• Not a silver bullet
Getting Started
• Pull the latest code from SVN – http://code.google.com/p/owasp-esapi-java/
  - the jar offered as a courtesy download is HORRIBLY out of date
• Set up a resources directory and put a copy of ESAPI.properties inside it
  - Change the master password
• Make this location “safe”
• Set up user accounts
  - java -Dorg.owasp.esapi.resources="c:\resources" -classpath owasp-esapi-java-1.1.1.jar org.owasp.esapi.Authenticator yourname yourpass admin
• Build, deploy and run the test app, also found in SVN
Architecture
Input Validation & Encoding
• Canonicalizing - reducing a possibly encoded string down to its simplest form.
• Double encoding is not something a user does, so it is generally regarded as an attack
• Encoding - various methods for different destinations. Whitelist acceptable characters and encode those that don’t pass muster
• Validating - after canonicalizing, ensures data is of the correct type, in acceptable ranges, etc.
• Supports either boolean returns or throwing exceptions “to allow maximum flexibility because not all validation errors are security problems”
• safeReadLine() to prevent DoS attack
• File name and directory path validation
• Basic credit card validation
• AntiSamy protection
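The canonicalize-then-validate rule and the boolean-or-exception choice from the two validation slides above, as an added illustration in Python; this is not ESAPI's Java code, and the decoder set (percent and HTML-entity decoding), the pass limit, the regex whitelist and the exception names are assumptions of the example.

```python
import html
import re
from urllib.parse import unquote

class IntrusionException(Exception):
    """Input that looks like an attack, not a mere format error."""

class ValidationException(Exception):
    """Well-formed input that fails the caller's rules."""

DECODERS = (unquote, html.unescape)  # assumed set; ESAPI handles more schemes

def canonicalize(value, max_passes=10):
    """Reduce a possibly encoded string to its simplest form.

    More than one decoding step (repeated or mixed encodings) means the data
    was encoded more than once, which users do not do by hand, so it is
    reported as an attack rather than silently decoded.
    """
    current, steps = value, 0
    for _ in range(max_passes):
        before = current
        for decode in DECODERS:
            decoded = decode(current)
            if decoded != current:
                steps += 1
                current = decoded
        if current == before:
            break
    else:
        raise IntrusionException("no stable form after %d passes" % max_passes)
    if steps > 1:
        raise IntrusionException("double encoding detected in %r" % value)
    return current

def get_valid_input(context, value, allowed, max_length):
    """Canonicalize first, then whitelist-check pattern and length."""
    canon = canonicalize(value)
    if len(canon) > max_length:
        raise ValidationException("%s: longer than %d" % (context, max_length))
    if not re.fullmatch(allowed, canon):
        raise ValidationException("%s: not in whitelist %s" % (context, allowed))
    return canon

def is_valid_input(context, value, allowed, max_length):
    """Boolean variant: a format problem is False; attack evidence still raises."""
    try:
        get_valid_input(context, value, allowed, max_length)
        return True
    except ValidationException:
        return False
```

Note that the boolean form deliberately lets IntrusionException through: a bad username is a validation failure, but a double-encoded one is evidence of an attack and should reach the intrusion detector.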
Encryption
• Reference implementation utilizes Java Cryptography Extension (JCE)
• Ensure strong salt and password values are used - takes away the chance for developers to make poor choices for these crucial values
• Algorithms configurable via properties
• Seal - encrypts data and includes an expiration timestamp
Indirect Object References
• Reference implementation includes 2 concrete classes: integer based and random strings
• Defeats parameter tampering attacks
• Can help combat CSRF if per-user access reference maps are used
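The access reference map idea on this slide, as an added illustration in Python rather than ESAPI's Java classes; the class and method names and the `new_key` generator parameter are assumptions of the example. Building one map per user session gives the per-user behaviour the last bullet mentions: a handle issued to one user resolves to nothing in another user's map.

```python
import itertools
import secrets

class AccessControlException(Exception):
    """Reference not issued by this map: tampered, guessed or stale."""

class AccessReferenceMap:
    """Two-way map between direct references (database keys, file names)
    and opaque indirect ones that are safe to expose to the client. Only
    values this map issued resolve, so an edited parameter goes nowhere.
    `new_key` generates indirect values (assumed constructor parameter).
    """

    def __init__(self, direct_refs, new_key):
        self._new_key = new_key
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}
        for direct in direct_refs:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct):
        """Register an object and return its indirect handle (idempotent)."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        indirect = self._new_key()
        while indirect in self._indirect_to_direct:  # collision guard
            indirect = self._new_key()
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        """Value to emit in a link or hidden field for this object."""
        if direct not in self._direct_to_indirect:
            raise AccessControlException("object not in map: %r" % direct)
        return self._direct_to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Resolve a client-supplied value; anything unknown is rejected."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise AccessControlException("unknown reference %r" % indirect) from None

def integer_map(direct_refs):
    counter = itertools.count(1)  # the slide's integer-based variant
    return AccessReferenceMap(direct_refs, lambda: str(next(counter)))

def random_map(direct_refs):  # the slide's random-string variant
    return AccessReferenceMap(direct_refs, lambda: secrets.token_urlsafe(9))
```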
HTTP Utilities
• Provides useful methods relating to request, response, cookies, sessions, etc.
• addCSRFToken()
• changeSessionIdentifier()
• encrypt/decrypt fields
• safeXXX() methods for adding headers, sending forwards & redirects to ensure character encoding
• Reference implementation utilizes Apache Commons FileUpload
• Reference implementation relies on current request & response being stored in ThreadLocal variables - means you have to utilize the ESAPI authenticator or explicitly call ESAPI.authenticator().setCurrentHTTP()
Authentication & Access Control
• Reference implementation includes a file based authenticator.
• Provides login/logout capabilities, user authentication using hashed passwords
• Utility methods for password generation and to ensure account name and password strength
• Carries out some of the required setup for other components such as HTTPUtilities
Intrusion Detection
• Reference implementation has a default detector that does rudimentary calculations of number of errors per time period
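The errors-per-time-period rule in the bullet above, as an added sketch in Python of how such a detector is typically built; this is not ESAPI's IntrusionDetector code, and the Threshold shape, the event names, the sample configuration and the `clock` parameter are assumptions of the example.

```python
import time
from collections import defaultdict, deque

class Threshold:
    """Fire when `count` events of one kind occur within `interval` seconds."""

    def __init__(self, count, interval, actions):
        self.count, self.interval, self.actions = count, interval, actions

class IntrusionDetector:
    """Counts security events per user and per event type in a sliding
    window and returns the configured actions once a threshold is crossed.
    `clock` is injectable so the window logic can be tested without
    sleeping (assumed parameter, as is the whole configuration shape).
    """

    def __init__(self, thresholds, clock=time.monotonic):
        self._thresholds = thresholds        # event name -> Threshold
        self._clock = clock
        self._events = defaultdict(deque)    # (user, event) -> timestamps
        self.disabled_users = set()

    def add_event(self, user, event):
        """Record one event; return the actions it triggered, or ()."""
        threshold = self._thresholds.get(event)
        if threshold is None:
            return ()
        now = self._clock()
        window = self._events[(user, event)]
        window.append(now)
        while now - window[0] > threshold.interval:  # drop stale entries
            window.popleft()
        if len(window) < threshold.count:
            return ()
        window.clear()                       # start a fresh count
        if "disable" in threshold.actions:
            self.disabled_users.add(user)
        return threshold.actions

# Constructed sample configuration: three failed logins inside a minute.
SAMPLE_THRESHOLDS = {
    "AuthenticationFailed": Threshold(3, 60, ("log", "disable")),
}
```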
ESAPI Versus OWASP Top 10
What’s Next?
• Java reference implementation still under active development (refactoring, adding a taglib, etc.)
• Porting to PHP and .NET has begun
• Is there need for a client-side security API?
Discussion