enterprise security api doc

Upload: ashish-agarwal

Post on 10-Apr-2018


  • 8/8/2019 Enterprise Security API DOC

    1/28

    Enterprise Security API (ESAPI) Java
    Java User Group San Antonio

    Jarret Raim
    June 3rd, 2010

    2/28

    What is it?

    ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

    3/28

    Who cares?

    4/28

    How Does it Work?

    Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

    There is a set of security control interfaces. They define, for example, the types of parameters that are passed to the types of security controls.

    There is a reference implementation for each security control. The logic is not organization-specific and the logic is not application-specific. An example: string-based input validation.

    There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.

    5/28

    There are several supported languages

    Java EE
    PHP
    Classic ASP
    .NET
    Coldfusion
    Python
    JavaScript
    Haskell
    Force.com

    And they have a plan. Maybe.

    6/28

    Tyranny of Choice

    Java Logging, Log4j, BouncyCastle, Spring, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, ACEGI, Commons Validator, Struts, Reform, Anti-XSS, Stinger, Standard Control, Java Pattern, Java URL Encoder, Write Custom Code, Many More

    7/28

    Vulnerability Theory

    [Diagram: Threat Agent -> Vector -> Vulnerability -> Asset / Function -> Technical Impact -> Business Impact. Controls sit between the vectors and the vulnerabilities; a Missing Control leaves a vector open.]

    8/28

    Where do Vulnerabilities Come From?

    Missing Controls: lack of encryption; failure to perform access control
    Broken Controls: weak hash algorithm; fail open
    Ignored Controls: failure to use encryption; forgot to use output encoding

    ESAPI solves Missing and Broken. Process solves Ignored.

    9/28

    Custom Enterprise Web Application

    Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, ExceptionHandling, Logger, IntrusionDetector, SecurityConfiguration

    Existing Enterprise Security Services/Libraries

    10/28

    Encoder

    Typical output in most web frameworks leads to XSS and CSRF vulnerabilities.

    The ESAPI encoder allows direct encoding depending on context:

    Web (HTML, JavaScript, CSS)
    Databases (MySQL, Oracle)
    URL
    Shells (Unix, Windows)
    XML
    LDAP

    Also provides a canonicalize method to remove any encodings.

    11/28

    [Diagram: Backend, Controller, Business Functions, User and Data Layer, with the Validator and Encoder between them.]

    Encoder: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath

    Validator: isValidDirectoryPath, isValidCreditCard, isValidDataFromBrowser, isValidListItem, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine

    Canonicalization, Double Encoding Protection, Normalization, Sanitization

    12/28

    Validator

    The Validator interface defines a set of methods for canonicalizing and validating untrusted input. Returns booleans as not all validation problems are security issues.

    Invalid input will generate a descriptive ValidationException which will be stored in the ValidationErrorList.

    Input that is clearly an attack will generate a descriptive IntrusionException.

    EXAMPLE: alert(document.cookie)

    ESAPI.validator().getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList)

    assertIsValidHttpRequest()
    assertIsValidHttpRequestParameterSet()
    assertIsValidFileUpload()
    getValidCreditCard()
    getValidDate()
    getValidDirectoryPath()
    getValidDouble()
    getValidFileContent()
    getValidFileName()

    13/28

    Validator Example

    ESAPI provides the ValidationRule and Validator interfaces.
    Implement your own validators for your data.
    Reference Regex codes in the ESAPI properties from generic to specific.
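The canonicalize, validate, then encode flow from the Encoder and Validator slides, written out as an added example (not code from the slides or from the ESAPI project). It assumes ESAPI 2.x on the classpath with its default ESAPI.properties, where "SafeString" names the Validator.SafeString regex; the class name, log name and sample inputs are constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Canonicalize -> validate -> encode, the flow the Encoder and Validator slides describe.
// Added example; assumes ESAPI 2.x with its default ESAPI.properties.
public class SafeCommentFlow {

    private static final Logger LOG = ESAPI.getLogger("SafeCommentFlow");

    // Returns an HTML-safe display string, or null when the input is rejected.
    // "SafeString" is the Validator.SafeString regex type from ESAPI.properties.
    public static String validateForHtml(String untrusted) {
        ValidationErrorList errors = new ValidationErrorList();
        try {
            // getValidInput canonicalizes first (so %253C is seen as <), then checks the regex.
            // A regex miss is recorded in errors; clearly attack-shaped input (double or
            // mixed encoding) throws IntrusionException instead.
            String clean = ESAPI.validator().getValidInput(
                    "comment", untrusted, "SafeString", 200, false, errors);
            if (!errors.isEmpty()) {
                for (ValidationException ve : errors.errors()) {
                    // The log message carries context and identity; the user message has no detail.
                    LOG.warning(Logger.EVENT_FAILURE, ve.getLogMessage());
                }
                return null;
            }
            // Encode for the interpreter that will consume the value: the HTML body here.
            return ESAPI.encoder().encodeForHTML(clean);
        } catch (IntrusionException ie) {
            // The IntrusionDetector has already counted this event; depending on the
            // configured thresholds it may log out or disable the current user.
            LOG.error(Logger.SECURITY_FAILURE, "Rejected attack-shaped input: " + ie.getLogMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        System.out.println(validateForHtml("Nice write up thanks 42"));               // passes
        System.out.println(validateForHtml("<script>alert(document.cookie)</script>")); // null
        System.out.println(validateForHtml("%253Cscript%253E"));                      // null
    }
}
```

The second input fails the SafeString regex and lands in the ValidationErrorList; the third is double-encoded, which the canonicalizer treats as an attack and reports as an IntrusionException.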

    14/28

    [Diagram: request flow from the Controller and User Interface through Business Functions to the Web Service, Database, Mainframe, File System, User Data Layer, etc. Input side: Set Character Set, Canonicalize, Global Validate, Specific Validate, Sanitize. Output side: Encode For HTML, Any Encoding, Any Interpreter, then Canonicalize and Validate again on the way back in.]

    15/28

    Authenticator

    Interface with a simple, file based example implementation

    Log In / Log Out
    Password Verification
    Create User
    Password Generation
    Change Password
    Expirations
    Logging Per User Session
    Anonymous User
    Locale
    Roles
    Disable / Enable
    Locked / Unlocked
    CSRF Tokens
    Last Login
    Last Invalid Login
    Password Age
    Screen Name
    Failed Log In Count
    Last Logged in Host

    16/28

    [Diagram: Backend, Controller, Business Functions, User and Data Layer, with ESAPI Access Control, Logging, Intrusion Detection, Authentication and Users between them.]

    Note that the ESAPI project does not have out of the box support for projects like Spring, but can be made to work.

    17/28

    [Diagram: request flow from the Controller and User Interface through Business Functions to the Web Service, Database, Mainframe, File System, User Data Layer, etc., with an access control check at each boundary.]

    isAuthorizedForURL
    isAuthorizedForFunction
    isAuthorizedForService
    isAuthorizedForData
    isAuthorizedForFile

    18/28

    Encryption

    Encryption failures can lead to violations of the Big Three:
    Confidentiality
    Integrity
    Availability (maybe)

    Encryption is surprisingly difficult to get right. You are probably doing it wrong right now.

    The Encryptor interface provides a set of methods for performing common encryption, random number, and hashing operations.

    encrypted = ESAPI.encryptor().encrypt( decrypted );
    decrypted = ESAPI.encryptor().decrypt( encrypted );

    19/28

    [Diagram: Backend, Controller, Business Functions, User and Data Layer, with EncryptedProperties and the Encryptor between them.]

    Encryption, Digital Signatures, Integrity Seals, Strong GUID, Random Tokens, Timestamp, Salted Hash, Safe Config Details
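The encrypt/decrypt pair on the Encryption slide and the integrity seals listed above, as an added example (not from the slides or the ESAPI project). It assumes ESAPI 2.x, whose Encryptor works on PlainText/CipherText objects rather than the bare strings shown on the slide, and a configured master key in ESAPI.properties; the class name, method names and sample values are constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encryptor;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntegrityException;

// Added example; assumes ESAPI 2.x with Encryptor.MasterKey/MasterSalt set in ESAPI.properties.
public class EncryptorDemo {

    // Round-trips a secret through the configured cipher, including the serialized
    // form you would actually store (IV, ciphertext and MAC travel together).
    public static String roundTrip(String secret) throws EncryptionException {
        Encryptor enc = ESAPI.encryptor();
        CipherText ct = enc.encrypt(new PlainText(secret));
        byte[] stored = ct.asPortableSerializedByteArray();          // what goes in the DB column
        CipherText restored = CipherText.fromPortableSerializedBytes(stored);
        PlainText pt = enc.decrypt(restored);
        return pt.toString();
    }

    // A seal binds data to an expiry timestamp and a MAC; verifySeal() returns false
    // when the seal has been altered or has expired, so the caller fails closed.
    public static boolean sealIsValid(String data, long ttlMillis) throws IntegrityException {
        Encryptor enc = ESAPI.encryptor();
        String seal = enc.seal(data, enc.getRelativeTimeStamp(ttlMillis));
        return enc.verifySeal(seal);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        System.out.println(roundTrip("account 9182374 balance 100.00"));   // prints the input back
        System.out.println(sealIsValid("ref=jfo8we4oji", 5 * 60 * 1000L));  // true within 5 minutes
    }
}
```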

    20/28

    Direct Object Reference

    Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.

    Fix is to generate suitably random garbage, then internally map that to the appropriate IDs.

    Doing this is surprisingly annoying, especially if there are no sessions. Not really scalability friendly.

    ESAPI provides a random access map which also helps protect against CSRF.

    String directReference = "This is a direct reference.";
    RandomAccessReferenceMap instance = new RandomAccessReferenceMap();
    String ind = instance.addDirectReference((Object)directReference);

    21/28

    AccessReferenceMap

    [Diagram: the web application sits between the User and the Web Service, Database, Mainframe, File System, etc., translating references at the boundary.]

    Direct References: Report123.xls, Acct:9182374
    Indirect References: ref=jfo8we4oji
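The indirect reference scheme from the two slides above, as an added example (not from the slides or the ESAPI project). It assumes ESAPI 2.x and that one ReportLinks instance is kept per user session, so tokens from one user mean nothing to another; the class, the report file names and the token handling around it are constructed.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

// Added example; assumes ESAPI 2.x and one instance stored in the user's session.
public class ReportLinks {

    // Constructed sample: the files this user may see. The names never reach the browser.
    private final Set<Object> allowedFiles = new LinkedHashSet<Object>();
    private final RandomAccessReferenceMap refs;

    public ReportLinks(String... files) {
        for (String f : files) {
            allowedFiles.add(f);
        }
        // Each direct reference gets a random indirect token from ESAPI's Randomizer.
        refs = new RandomAccessReferenceMap(allowedFiles);
    }

    // Value to put in ?ref=... instead of the file name.
    public String linkFor(String file) {
        return refs.getIndirectReference(file);
    }

    // Resolve a token from the request. A token that was not issued to this session
    // (guessed, or copied from another user) throws, so unknown input fails closed.
    public String resolve(String indirect) throws AccessControlException {
        return refs.getDirectReference(indirect);
    }

    public static void main(String[] args) throws AccessControlException {
        ReportLinks links = new ReportLinks("Report123.xls", "Report124.xls");
        String token = links.linkFor("Report123.xls");
        System.out.println("ref=" + token);           // random token, different on every run
        System.out.println(links.resolve(token));     // Report123.xls
        try {
            links.resolve("Report125.xls");           // a direct name is not a valid token
        } catch (AccessControlException e) {
            System.out.println("rejected: " + e.getUserMessage());
        }
    }
}
```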

    22/28

    Logging & Exceptions

    For many applications, logging is only used to detect application errors. It is usually geared to solving problems in development, hopefully with an eye to production.

    ESAPI provides a logging implementation that integrates with the security substructure. It logs security exceptions that are ESAPI generated with identity information, and can be used by normal business code to log security exceptions or just log information with identity.

    Integrates an intrusion detection system that can respond to different types of intrusions by disabling accounts or other actions.

    23/28

    [Diagram: Enterprise Security Exceptions raised between the Backend, Controller, Business Functions, User and Data Layer feed the IntrusionDetector and the Logger. The IntrusionDetector can Log Intrusion, Logout User or Disable Account, with configurable thresholds and responses. Each exception carries a User Message (no detail) and a Log Message (with identity).]

    Exception types: AccessControlException, AuthenticationException, AvailabilityException, EncodingException, EncryptionException, ExecutorException, IntegrityException, IntrusionException, ValidationException

    24/28

    Handling HTTP

    Many applications make heavy use of HTTP for functionality. Classic ASP uses redirects for flow control, error handling, etc.

    The use of data from the request accounts for most web security defects.

    ESAPI provides methods to interact with the request: helper methods for encryption, CSRF tokens, etc.

    Deals with character sets and encodings.

    25/28

    HTTP Utilities

    [Diagram: Backend, Controller, Business Functions, User and Data Layer, with HTTP Utilities between them.]

    Add Safe Cookie
    No Cache Headers
    CSRF Tokens
    Safe Request Logging
    Encrypt State in Cookie
    Add Safe Header
    Querystring Encryption
    Change SessionID
    isSecureChannel
    sendSafeRedirect
    sendSafeForward
    Safe File Uploads
    Set Content Type
    Kill Cookie
    Hidden Field Encryption

    26/28

    OWASP Top Ten 2007 and the OWASP ESAPI control for each item

    A1. Cross Site Scripting (XSS): Validator, Encoder
    A2. Injection Flaws: Encoder
    A3. Malicious File Execution: HTTPUtilities (Safe Upload)
    A4. Insecure Direct Object Reference: AccessReferenceMap, AccessController
    A5. Cross Site Request Forgery (CSRF): User (CSRF Token)
    A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
    A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
    A8. Insecure Cryptographic Storage: Encryptor
    A9. Insecure Communications: HTTPUtilities (Secure Cookie, Channel)
    A10. Failure to Restrict URL Access: AccessController

    27/28

    Special Thanks

    Supports OWASP and ESAPI

    Many of the diagrams in the slides are from a similar presentation by Aspect.

    28/28

    Conclusion

    Denim Group, Ltd.

    (210) 572-4400

    Web: www.denimgroup.com

    Blog: blog.denimgroup.com
