Download as PDF, PPTX
Uploaded byConFoo
OWASP Enterprise Security API
The document discusses input validation and common web application security vulnerabilities. It introduces the OWASP Top 10 security risks and describes Enterprise Security API (ESAPI) as a solution to many of these problems. ESAPI is an open source web application security control library that standardizes how common vulnerabilities should be addressed.
OWASP Enterprise Security API
- 1. Enteprise Security API ESAPI Thursday, 2011-03-10
- 2.
- 3. OWASP The Open Web Application Project Thursday, 2011-03-10
- 4.
- 5. I answer question Thursday,2011-03-10
- 6.
- 7. The problems • Input Validation and Output Encoding • Authentication and Identity • URL Access Control • Business Function Access Control • Data Layer Access Control Thursday, 2011-03-10
- 8. The problems • Presentation Layer Access Control • Errors, Logging, and Intrusion Detection • Encryption, Hashing, and Randomness Thursday, 2011-03-10
- 9. OWASP TOP 10 A2 – Cross-Site Scripting A1 – Injection (XSS) A3 – Broken Authentication A4 – Insecure Direct and Session Management Object References A5 – Cross-Site Request A6 – Security Forgery (CSRF) Misconfiguration A7 – Insecure A8 - Failure to Restrict Cryptographic Storage URL Access A9 - Insufficient Transport A10 – Unvalidated Layer Protection Redirects and Forwards Thursday, 2011-03-10
- 10. And over 300 others security problems types Thursday, 2011-03-10
- 11. Vulnerabilities and Security Controls Ignored Misused Broken Missing Thursday, 2011-03-10
- 12. Why Input Validation Is Hard? Thursday, 2011-03-10
- 13.
- 14. Percent (url) Encoding • %3c • %3C Thursday, 2011-03-10
- 15. HTML Entity Encoding • < • < • < • < • < • < • < • < • < • < • < • < Thursday, 2011-03-10
- 16. HTML Entity Encoding • < • < • < • < • < • < • < • < • < • < • < • < Thursday, 2011-03-10
- 17. HTML Entity Encoding • < • < • < • < • < • < • < • < • < • < • < • < Thursday, 2011-03-10
- 18. HTML Entity Encoding • < • < • < • < • < • < • < • < • < • < • < • < Thursday, 2011-03-10
- 19. HTML Entity Encoding • < • < • < • < • < • < • < • < • < • < • < • < Thursday, 2011-03-10
- 20. HTML Entity Encoding • < • < • &lT • &lT; • &Lt • ≪ • < • < Thursday, 2011-03-10
- 21. JavaScript Escape • < • x3C • x3c • X3C • X3c • u003C • u003c • U003C • U003c Thursday, 2011-03-10
- 22. CSS Escape • 3c • 3C • 03c • 03C • 003c • 003C • 0003c • 0003C • 00003c • 00003C Thursday, 2011-03-10
- 23. UTF-7 vs UTF-8 • +ADw- • %c0%bc • %e0%80%bc • %f0%80%80%bc • %f8%80%80%80%bc • %fc%80%80%80%80%bc Thursday, 2011-03-10
- 24. 1,677,721,600,000,000 ways to encode <script> Thursday, 2011-03-10
- 25.
- 26. What is Enterprise Security API? Thursday, 2011-03-10
- 27. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Thursday, 2011-03-10
- 28. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Thursday, 2011-03-10
- 29. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Thursday, 2011-03-10
- 30. Overview of the Architectural Impact Thursday, 2011-03-10
- 31. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
- 32. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling isAuthorizedForURL() isAuthorizedForFile() isAuthorizedForData() Logger isAuthorizedForService() isAuthorizedForFunction() IntrusionDetector SecurityConfiguration
- 33. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
- 34. Entreprise Security API <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties ->validator() Exception Handling IntrusionDetector AccessController ->getValidInput( Randomizer Authenticator HTTPUtilities String $context, Encryptor Validator Encoder Logger String $input, User String type, int $maxLength, boolean allowNull, ValidationErrorList $errorList); ?> Thursday, 2011-03-10
- 35. Entreprise Security API assertIsValidHttpRequest() interface SecurityConfiguration AccessReferenceMap EncryptedProperties assertIsValidHttpRequest Exception Handling ValidationRule IntrusionDetector AccessController ParameterSet() Randomizer Authenticator HTTPUtilities assertIsValidFileUpload() Encryptor Validator Encoder Logger User abstract BaseValidationRule getValidDate() getValidDouble() getValidDirectoryPath() getValidDouble() CreditCard getValidFileContent() ValidationRule getValidFileName() Thursday, 2011-03-10
- 36. Entreprise Security API isValidCreditCard() interface SecurityConfiguration isValidDataFromBrowse() AccessReferenceMap EncryptedProperties Exception Handling ValidationRule IntrusionDetector AccessController isValidDirectoryPath() Authenticator HTTPUtilities Randomizer isValidFileContent() Encryptor Validator Encoder isValidFileName() Logger User abstract isValidHTTPRequest() BaseValidationRule isValidListItem() isValidRedirectLocation() isValidSafeHTML() CreditCard isValidPrintable() ValidationRule safeReadLine() Thursday, 2011-03-10
- 37. Entreprise Security API encodeForCSS <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties encodeForDN ->encoder() Exception Handling IntrusionDetector AccessController encodeForHTML ->encodeForHTML($name) Authenticator HTTPUtilities Randomizer encodeForLDAP ?> Encryptor Validator Encoder Logger encodeForSQL User encodeForURL encodeForJavaScript encodeForXML encodeForHTMLAttribute encodeForXPath encodeForVBScript encodeForXMLAttribute encodeForXPath Thursday, 2011-03-10
- 38. Entreprise Security API •Add Safe Header •isSecureChannel SecurityConfiguration AccessReferenceMap EncryptedProperties •Safe Request Logging Exception Handling •No Cache Headers IntrusionDetector AccessController •Set Content Type •Safe File Uploads Authenticator HTTPUtilities Randomizer Encryptor Validator •Add Safe Cookie Encoder Logger User •Kill Cookie •sendSafeForward •Change SessionID •sendSafeRedirect •CSRF Tokens •Encrypt State in Cookie •Hidden Field Encryption •Querystring Encryption Thursday, 2011-03-10
- 39. Entreprise Security API •Integrity Seals SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling •Strong GUID IntrusionDetector AccessController Authenticator •Random Tokens HTTPUtilities Randomizer Encryptor Validator <?php $encrypted = •Encryption Encoder Logger User $ESAPI->encryptor() ->encrypt($text) •Digital Signatures ?> •Salted Hash •Safe Config Details •Timestamp Thursday, 2011-03-10
- 40. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
- 41. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
- 42. Entreprise Security API •AccessControlException SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling IntrusionDetector •AuthenticationException AccessController Authenticator HTTPUtilities •AvailabilityException Randomizer Encryptor Validator Encoder •EncodingException Logger User •EncryptionException •ExecutorException •IntegrityException •IntrusionException •ValidationException Thursday, 2011-03-10
- 43. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
- 44. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap •Responses •Logout User Validator •Log Intrusion •Disable Account Encoder HTTPUtilities •Configurable Thresholds Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
- 45. Authenticator Thursday, 2011-03-10 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
- 46. OWASP TOP 10 ESAPI A1: Injection Encoder A2: Cross Site Scripting (XSS) Encoder, Validator A3: Broken Authentication and Authenticator, User, HTTPUtilities Session Management A4: Insecure Direct Object AccessReferenceMap, Reference AccessController A5: Cross Site Request Forgery User (CSRF Token) (CSRF) A6: Security Misconfiguration SecurityConfiguration A7: Insecure Cryptographic Encryptor Storage A8: Failure to Restrict URL Access AccessController A9: Insufficient Transport Layer HTTPUtilities Protection (Secure Cookie, Channel) A10: Unvalidated Redirects and AccessController Forwards Thursday, 2011-03-10
- 47. Objective -C Authentication 2.0 1.4 1.4 1.4 Identity 2.0 1.4 1.4 1.4 Access Control 2.0 1.4 1.4 1.4 1.4 Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 Encryption 2.0 1.4 1.4 1.4 1.4 Random Numbers 2.0 1.4 1.4 1.4 1.4 Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Intrusion Detection 2.0 1.4 1.4 1.4 Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 WAF 2.0 Thursday, 2011-03-10
- 48.
- 49. Additional Resources • OWASP Home Page http://www.owasp.org • ESAPI Project Page http://www.esapi.org • ESAPI-Users Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-users • ESAPI-Dev Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-dev Thursday, 2011-03-10
- 50. Questions ? • philippe@ph-il.ca • http://www.ph-il.ca • @SecureSymfony • http://www.ph-il.ca/en/ conferences • http://www.ph-il.ca/fr/ conferences Thursday, 2011-03-10
- 51.