OWASP Enterprise Security API

Enteprise Security
API
ESAPI

Thursday, 2011-03-10

OWASP
The Open Web Application Project


I answer question


The problems


The problems

• Input Validation and Output Encoding
• Authentication and Identity
• URL Access Control
• Business Function Access Control
• Data Layer Access Control


The problems

• Presentation Layer Access Control
• Errors, Logging, and Intrusion
Detection

• Encryption, Hashing, and
Randomness


OWASP TOP 10
A2 – Cross-Site Scripting
A1 – Injection
(XSS)

A3 – Broken Authentication A4 – Insecure Direct
and Session Management Object References

A5 – Cross-Site Request A6 – Security
Forgery (CSRF) Misconﬁguration

A7 – Insecure A8 - Failure to Restrict
Cryptographic Storage URL Access

A9 - Insufﬁcient Transport A10 – Unvalidated
Layer Protection Redirects and Forwards


And over 300
others security
problems types


Vulnerabilities and
Security Controls
Ignored Misused

Broken Missing


Why Input Validation
Is Hard?


Percent (url) Encoding

• %3c
• %3C


HTML Entity Encoding

• &#60 • <
• &#060 • <
• &#0060 • <
• &#00060 • <
• &#000060 • <
• &#0000060 • <


• &#x3c • <
• &#x03c • <
• &#x003c • <
• &#x0003c • <
• &#x00003c • <
• &#x000003c • &#x000003c;


• &#X3c • &#X3c;
• &#X03c • &#X03c;
• &#X003c • &#X003c;
• &#X0003c • &#X0003c;
• &#X00003c • &#X00003c;
• &#X000003c • &#X000003c;


• &#x3C • <
• &#x03C • <
• &#x003C • <
• &#x0003C • <
• &#x00003C • <
• &#x000003C • &#x000003C;


• &#X3C • &#X3C;
• &#X03C • &#X03C;
• &#X003C • &#X003C;
• &#X0003C • &#X0003C;
• &#X00003C • &#X00003C;
• &#X000003C • &#X000003C;



• &lt • <
• &lT • &lT;
• &Lt • &Lt;
• &LT • &LT;


JavaScript Escape
• < • x3C
• x3c • X3C
• X3c • u003C
• u003c • U003C
• U003c


CSS Escape
• 3c • 3C
• 03c • 03C
• 003c • 003C
• 0003c • 0003C
• 00003c • 00003C


UTF-7 vs UTF-8

• +ADw-
• %c0%bc
• %e0%80%bc
• %f0%80%80%bc
• %f8%80%80%80%bc
• %fc%80%80%80%80%bc


1,677,721,600,000,000
ways to encode <script>


The Solutions?


What is Enterprise
Security API?


ESAPI Community
Communauté ESAPI

Library Wiki Mailing List

Users

Developers

Objective-C


Overview of the
Architectural Impact


Authenticator

User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API

Exception Handling
Logger
IntrusionDetector
SecurityConﬁguration

Authenticator

User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer

Exception Handling
isAuthorizedForURL()
isAuthorizedForFile()
isAuthorizedForData()

Logger
isAuthorizedForService()
isAuthorizedForFunction()

IntrusionDetector


<?php echo $ESAPI

AccessReferenceMap

EncryptedProperties
->validator()

Exception Handling

IntrusionDetector
AccessController

->getValidInput(

Randomizer
Authenticator

HTTPUtilities
String $context,

Encryptor
Validator
Encoder

Logger
String $input,
User

String type,
int $maxLength,
boolean allowNull,
ValidationErrorList
$errorList);
?>



assertIsValidHttpRequest()
interface

AccessReferenceMap

EncryptedProperties
assertIsValidHttpRequest

Exception Handling
ValidationRule

IntrusionDetector
AccessController

ParameterSet()

Randomizer
Authenticator

HTTPUtilities
assertIsValidFileUpload()

Encryptor
Validator
Encoder

Logger
User

abstract
BaseValidationRule
getValidDate()
getValidDouble()
getValidDirectoryPath()
getValidDouble()
CreditCard getValidFileContent()
ValidationRule
getValidFileName()



isValidCreditCard()
interface

isValidDataFromBrowse()
AccessReferenceMap

EncryptedProperties

Exception Handling
ValidationRule

IntrusionDetector
AccessController

isValidDirectoryPath()
Authenticator

HTTPUtilities

Randomizer
isValidFileContent()

Encryptor
Validator
Encoder
isValidFileName()

Logger
User

abstract isValidHTTPRequest()
BaseValidationRule
isValidListItem()
isValidRedirectLocation()
isValidSafeHTML()
CreditCard isValidPrintable()
ValidationRule
safeReadLine()



encodeForCSS <?php echo $ESAPI

AccessReferenceMap

EncryptedProperties
encodeForDN ->encoder()

Exception Handling

IntrusionDetector
AccessController

encodeForHTML ->encodeForHTML($name)
Authenticator

HTTPUtilities

Randomizer
encodeForLDAP ?>

Encryptor
Validator
Encoder

Logger
encodeForSQL
User

encodeForURL encodeForJavaScript
encodeForXML encodeForHTMLAttribute
encodeForXPath encodeForVBScript
encodeForXMLAttribute
encodeForXPath



•Add Safe Header •isSecureChannel

AccessReferenceMap

EncryptedProperties
•Safe Request Logging

Exception Handling
•No Cache Headers

IntrusionDetector
AccessController

•Set Content Type •Safe File Uploads
Authenticator

HTTPUtilities

Randomizer
Encryptor
Validator
•Add Safe Cookie
Encoder

Logger
User

•Kill Cookie •sendSafeForward
•Change SessionID •sendSafeRedirect
•CSRF Tokens
•Encrypt State in Cookie
•Hidden Field Encryption
•Querystring Encryption



•Integrity Seals

AccessReferenceMap

EncryptedProperties

Exception Handling
•Strong GUID

IntrusionDetector
AccessController
Authenticator

•Random Tokens

HTTPUtilities

Randomizer
Encryptor
Validator
<?php $encrypted = •Encryption
Encoder

Logger
User

$ESAPI->encryptor()
->encrypt($text)
•Digital Signatures
?> •Salted Hash
•Safe Conﬁg Details
•Timestamp



•AccessControlException

AccessReferenceMap

EncryptedProperties

Exception Handling

IntrusionDetector
•AuthenticationException
AccessController
Authenticator

HTTPUtilities
•AvailabilityException

Randomizer
Encryptor
Validator
Encoder
•EncodingException

Logger
User

•EncryptionException
•ExecutorException
•IntegrityException
•IntrusionException
•ValidationException


Authenticator

User
AccessController
AccessReferenceMap

•Responses
•Logout User
Validator
•Log Intrusion
•Disable Account
Encoder
HTTPUtilities
•Conﬁgurable Thresholds

Encryptor
EncryptedProperties
Randomizer

Exception Handling
Logger
IntrusionDetector

OWASP TOP 10 ESAPI
A1: Injection Encoder

A2: Cross Site Scripting (XSS) Encoder, Validator
A3: Broken Authentication and
Authenticator, User, HTTPUtilities
Session Management
A4: Insecure Direct Object AccessReferenceMap,
Reference AccessController
A5: Cross Site Request Forgery
User (CSRF Token)
(CSRF)
A6: Security Misconfiguration SecurityConfiguration
A7: Insecure Cryptographic
Encryptor
Storage
A8: Failure to Restrict URL Access AccessController
A9: Insufficient Transport Layer HTTPUtilities
Protection (Secure Cookie, Channel)
A10: Unvalidated Redirects and
AccessController
Forwards


Objective -C

Authentication 2.0 1.4 1.4 1.4
Identity 2.0 1.4 1.4 1.4
Access Control 2.0 1.4 1.4 1.4 1.4
Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0
Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0
Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0
Encryption 2.0 1.4 1.4 1.4 1.4
Random Numbers 2.0 1.4 1.4 1.4 1.4
Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0
Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0
Intrusion Detection 2.0 1.4 1.4 1.4
Security Conﬁguration 2.0 1.4 1.4 1.4 1.4 1.4 2.0
WAF 2.0


Adopters


Additional Resources
• OWASP Home Page
http://www.owasp.org
• ESAPI Project Page
http://www.esapi.org
• ESAPI-Users Mailing List
https://lists.owasp.org/mailman/
listinfo/esapi-users
• ESAPI-Dev Mailing List
https://lists.owasp.org/mailman/
listinfo/esapi-dev


Questions ?
• philippe@ph-il.ca
• http://www.ph-il.ca
• @SecureSymfony
• http://www.ph-il.ca/en/
conferences

• http://www.ph-il.ca/fr/
conferences


OWASP Enterprise Security API

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a OWASP Enterprise Security API

Semelhante a OWASP Enterprise Security API (20)

Mais de ConFoo

Mais de ConFoo (20)

OWASP Enterprise Security API