enterprise security api doc
TRANSCRIPT
-
8/8/2019 Enterprise Security API DOC
1/28
Enterprise Security API (ESAPI) Java
Java User Group San Antonio
Jarret Raim, June 3rd, 2010
-
What is it?
ESAPI (the OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. They also serve as a solid foundation for new development.
-
Who cares?
-
How Does it Work?
Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:
There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control.
There is a reference implementation for each security control. The logic is not organization-specific and not application-specific. An example: string-based input validation.
There are, optionally, your own implementations for each security control. These classes may contain application logic developed by or for your organization. An example: enterprise authentication.
-
There are several supported languages
Java EE
PHP
Classic ASP
.NET
ColdFusion
Python
JavaScript
Haskell
Force.com
And they have a plan. Maybe.
-
Tyranny of Choice
Java Logging
BouncyCastle
Spring
Log4j
Jasypt
JCE
JAAS
Cryptix
HDIV
xml-dsig
xml-enc
Many More
ACEGI
Commons Validator
Struts
Reform
Anti-XSS
Stinger
Standard Control
Java Pattern
Java URL Encoder
Write Custom Code
-
Vulnerability Theory
(Diagram, the OWASP risk model: a Threat Agent uses an attack Vector to reach a Vulnerability in a Function or Asset; each Vulnerability is either stopped by a Control or exists because of a Missing Control; exploitation produces a Technical Impact and then a Business Impact.)
-
Where do Vulnerabilities Come From?
Missing Controls
Lack of encryption
Failure to perform access control
Broken Controls
Weak hash algorithm
Fail open
Ignored Controls
Failure to use encryption
Forgot to use output encoding
ESAPI solves Missing and Broken controls. Process solves Ignored controls.
-
Custom Enterprise Web Application
(Diagram: the application calls the Enterprise Security API controls below, which in turn sit on top of existing enterprise security services and libraries.)
Enterprise Security API
Authenticator
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
ExceptionHandling
Logger
IntrusionDetector
SecurityConfiguration
Existing Enterprise Security Services/Libraries
-
Encoder
Typical output in most web frameworks is written unencoded, which leads to XSS (and, through XSS, CSRF) vulnerabilities.
The ESAPI encoder allows direct encoding depending on context:
Web (HTML, JavaScript, CSS)
Databases (MySQL, Oracle)
URL
Shells (Unix, Windows)
XML
LDAP
Also provides a canonicalize method to remove any encodings.
-
(Diagram: Controller, Business Functions, Backend, User and Data Layer, with the Validator and Encoder placed between them.)
Encoder
encodeForURL
encodeForJavaScript
encodeForVBScript
encodeForDN
encodeForHTML
encodeForHTMLAttribute
encodeForLDAP
encodeForSQL
encodeForXML
encodeForXMLAttribute
encodeForXPath
Validator
isValidDirectoryPath
isValidCreditCard
isValidDataFromBrowser
isValidListItem
isValidFileContent
isValidFileName
isValidHTTPRequest
isValidRedirectLocation
isValidSafeHTML
isValidPrintable
safeReadLine
Canonicalization
Double Encoding Protection
Normalization
Sanitization
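As an added example (not code from the slides or from the ESAPI project itself), the following shows one untrusted value being canonicalized once and then encoded separately for each interpreter it might reach. It assumes ESAPI 2.x with the stock ESAPI.properties on the classpath; the input string is constructed for the demo.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.codecs.MySQLCodec;
import org.owasp.esapi.codecs.UnixCodec;
import org.owasp.esapi.errors.EncodingException;

public class EncoderDemo {

    // Constructed sample input: an XSS probe plus characters that matter for SQL, JS and shells.
    static final String UNTRUSTED = "<script>alert(document.cookie)</script>' OR 1=1 -- ; rm -rf /";

    public static void main(String[] args) throws EncodingException {
        Encoder enc = ESAPI.encoder();

        // Step 1: canonicalize. Collapses URL, HTML-entity and JavaScript encodings so a
        // double-encoded payload (%253C -> %3C -> <) cannot slip past validation. With the
        // default ESAPI.properties, mixed or double encoding raises an IntrusionException.
        String canonical = enc.canonicalize(UNTRUSTED);

        // Step 2: encode for the exact output context. Each interpreter has its own
        // escaping rules: HTML entity encoding inside a <script> block, or JavaScript
        // escaping inside an attribute, is not safe.
        System.out.println("HTML body      : " + enc.encodeForHTML(canonical));
        System.out.println("HTML attribute : " + enc.encodeForHTMLAttribute(canonical));
        System.out.println("JavaScript     : " + enc.encodeForJavaScript(canonical));
        System.out.println("CSS            : " + enc.encodeForCSS(canonical));
        System.out.println("URL parameter  : " + enc.encodeForURL(canonical));
        System.out.println("XML            : " + enc.encodeForXML(canonical));
        System.out.println("LDAP filter    : " + enc.encodeForLDAP(canonical));

        // Interpreters with dialects take a codec. SQL encoding is a stop-gap for legacy
        // string-built queries; parameterized queries remain the real fix.
        System.out.println("MySQL literal  : "
                + enc.encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD), canonical));
        System.out.println("Unix shell arg : " + enc.encodeForOS(new UnixCodec(), canonical));
    }
}
```

Canonicalize exactly once, at the trust boundary, and encode exactly once, at the output: canonicalizing a value that has already been encoded for output will undo the protection.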
-
Validator
The Validator interface defines a set of methods for canonicalizing and validating untrusted input.
The isValid* methods return booleans, as not all validation problems are security issues.
Invalid input will generate a descriptive ValidationException, which can be stored in a ValidationErrorList.
Input that is clearly an attack will generate a descriptive IntrusionException.
EXAMPLE: alert(document.cookie)
ESAPI.validator().getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList)
assertIsValidHttpRequest()
assertIsValidHttpRequestParameterSet()
assertIsValidFileUpload()
getValidCreditCard()
getValidDate()
getValidDirectoryPath()
getValidDouble()
getValidFileContent()
getValidFileName()
-
Validator Example
ESAPI provides the ValidationRule and Validator interfaces.
Implement your own validators for your data.
Reference regex patterns by name in ESAPI.properties, ordered from generic to specific.
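Added example (not from the slides or the ESAPI project): validating a form with the property-driven getValidInput overload that collects errors into a ValidationErrorList, plus one application-specific rule built on ESAPI's StringValidationRule. It assumes ESAPI 2.x with the stock ESAPI.properties, whose Validator.Email and Validator.SafeString patterns are referenced by name; the "AccountId" rule, the context names and the sample inputs are constructed for the demo.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.ValidationRule;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.StringValidationRule;

public class SignupValidation {

    /** Hypothetical application rule: account IDs look like ACC-123456, nothing else. */
    static ValidationRule accountIdRule() {
        StringValidationRule rule = new StringValidationRule("AccountId", ESAPI.encoder());
        rule.addWhitelistPattern("^ACC-[0-9]{6}$");
        rule.setMinimumLength(10);
        rule.setMaximumLength(10);
        rule.setAllowNull(false);
        return rule;
    }

    /** Validate every field and collect every problem instead of stopping at the first one. */
    static ValidationErrorList validate(String email, String accountId, String comment) {
        ValidationErrorList errors = new ValidationErrorList();

        // "Email" and "SafeString" name regexes in ESAPI.properties (Validator.Email, Validator.SafeString).
        // Input is canonicalized first; double or mixed encoding raises IntrusionException here.
        ESAPI.validator().getValidInput("signup.email", email, "Email", 254, false, errors);
        ESAPI.validator().getValidInput("signup.comment", comment, "SafeString", 1024, true, errors);

        // The custom rule throws on a miss; record it under its own context.
        try {
            accountIdRule().getValid("signup.accountId", accountId);
        } catch (ValidationException e) {
            errors.addError("signup.accountId", e);
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed inputs: one clean form, one hostile one.
        ValidationErrorList clean = validate("alice@example.com", "ACC-123456", "Hello there");
        System.out.println("clean form, errors: " + clean.size());

        try {
            ValidationErrorList bad = validate("alice@example", "ACC-1",
                    "<script>alert(document.cookie)</script>");
            for (ValidationException e : bad.errors()) {
                // getUserMessage() is safe to show to the user; getLogMessage() carries the detail.
                System.out.println(e.getContext() + ": " + e.getUserMessage());
            }
        } catch (IntrusionException e) {
            // Clearly an attack (e.g. double encoding): the detector has already been notified.
            System.out.println("intrusion: " + e.getLogMessage());
        }
    }
}
```

The separation matters operationally: ValidationException feeds a user-visible error list, while IntrusionException is thrown past the form handler and counted by the intrusion detector.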
-
(Diagram: data flows from the User Interface through the Controller and Business Functions to the Data Layer and its backends: Web Service, Database, Mainframe, File System, Etc. On input: Set Character Set, Canonicalize, Global Validate, Specific Validate, Sanitize. On output to the browser: Encode For HTML. Before any other interpreter: Any Encoding for Any Interpreter. Before each backend: Canonicalize, Validate.)
-
Authenticator
Interface with a simple, file-based example implementation
Log In / Log Out
Password Verification
Create User
Password Generation
Change Password
Expirations
Logging Per User Session
Anonymous User
Locale
Roles
Disable / Enable
Locked / Unlocked
CSRF Tokens
Last Login
Last Invalid Login
Password Age
Screen Name
Failed Log In Count
Last Logged in Host
-
(Diagram: ESAPI Access Control, Logging, Intrusion Detection and Authentication sit between the Controller, Business Functions and Backend on one side and the Users and Data Layer on the other.)
Note that the ESAPI project does not have out-of-the-box support for projects like Spring, but it can be made to work.
-
(Diagram: the same application layers as before, each with the matching authorization check.)
isAuthorizedForURL
isAuthorizedForFunction
isAuthorizedForService
isAuthorizedForData
isAuthorizedForFile
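Added example (not from the slides or the ESAPI project): the enforcement points a controller would place in front of a business function, checked at each layer the diagram names. It assumes ESAPI 2.x, a user already logged in through the ESAPI Authenticator, and an AccessController implementation configured in ESAPI.properties with rules for the URL, function, data and file checks; the Report class, the "report.*" function names and the "read" action are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import org.owasp.esapi.AccessController;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;

public class ReportAccess {

    /** Hypothetical business object; the data-layer rule is evaluated against it. */
    public static final class Report {
        public final String owner;
        public final String path;
        public Report(String owner, String path) { this.owner = owner; this.path = path; }
    }

    /**
     * Enforcement on the hot path. Each assert* call throws AccessControlException
     * (which is logged and counted by the intrusion detector) instead of returning
     * false, so a forgotten 'if' cannot fail open.
     */
    public static Report openForDownload(String requestUri, Report report) throws AccessControlException {
        AccessController ac = ESAPI.accessController();
        ac.assertAuthorizedForURL(requestUri);             // controller layer: URL rules
        ac.assertAuthorizedForFunction("report.download"); // business layer: function rules
        ac.assertAuthorizedForData("read", report);        // data layer: rule for this object
        ac.assertAuthorizedForFile(report.path);           // file layer: path against allowed roots
        return report;
    }

    /** UI decisions use the boolean form: hide what the user cannot do, but never rely on hiding alone. */
    public static List<String> visibleActions() {
        AccessController ac = ESAPI.accessController();
        List<String> actions = new ArrayList<String>();
        for (String fn : new String[] {"report.download", "report.share", "report.delete"}) {
            if (ac.isAuthorizedForFunction(fn)) {
                actions.add(fn);
            }
        }
        return actions;
    }
}
```

Checking at every layer is deliberate: a URL rule alone is bypassed by any second route to the same function, and a function rule alone says nothing about which record or file the caller may touch.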
-
Encryption
Encryption failures can lead to violations of the Big Three:
Confidentiality
Integrity
Availability (maybe)
Encryption is surprisingly difficult to get right. You are probably doing it wrong right now.
The Encryptor interface provides a set of methods for performing common encryption, random number, and hashing operations.
// ESAPI 1.4-era String API; in ESAPI 2.x, encrypt() takes a PlainText and returns a CipherText
encrypted = ESAPI.encryptor().encrypt( decrypted );
decrypted = ESAPI.encryptor().decrypt( encrypted );
-
(Diagram: EncryptedProperties and the Encryptor serve the Controller, Business Functions, Backend, User and Data Layer.)
Encryption
Digital Signatures
Integrity Seals
Strong GUID
Random Tokens
Timestamp
Salted Hash
Safe Config Details
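Added example (not from the slides or the ESAPI project): the Encryptor and Randomizer operations listed above, written against the ESAPI 2.x API, where encrypt() returns a CipherText object that carries the IV, cipher spec and MAC rather than a bare string. It assumes ESAPI 2.x with Encryptor.MasterKey and Encryptor.MasterSalt set in ESAPI.properties; the data strings are constructed for the demo.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.Encryptor;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;

public class EncryptorDemo {

    /** Encrypt, persist the portable form, reload and decrypt. The MAC is checked before decryption. */
    static String roundTrip(String secret) throws EncryptionException {
        Encryptor crypto = ESAPI.encryptor();
        CipherText ct = crypto.encrypt(new PlainText(secret));
        byte[] stored = ct.asPortableSerializedByteArray();      // what you would write to the database
        CipherText loaded = CipherText.fromPortableSerializedBytes(stored);
        return crypto.decrypt(loaded).toString();
    }

    /** Integrity seal: data plus expiry that a client may hold but cannot alter or extend. */
    static String sealForOneMinute(String data) throws EncryptionException {
        Encryptor crypto = ESAPI.encryptor();
        long expires = crypto.getRelativeTimeStamp(60 * 1000L);  // now + 60 s, in ms
        return crypto.seal(data, expires);
    }

    public static void main(String[] args) throws EncryptionException {
        Encryptor crypto = ESAPI.encryptor();

        String secret = "account=9182374;limit=5000";             // constructed sample
        System.out.println("round trip ok: " + secret.equals(roundTrip(secret)));

        String seal = sealForOneMinute("user=alice;role=reader");
        System.out.println("seal valid: " + crypto.verifySeal(seal));
        String unsealed = crypto.unseal(seal);                     // throws if expired or tampered

        // Digital signature over data handed to another party.
        String signature = crypto.sign(unsealed);
        System.out.println("signature ok: " + crypto.verifySignature(signature, unsealed));

        // Salted hash with the configured digest and iteration count. For passwords a
        // dedicated password hash (bcrypt, scrypt, Argon2) is the better choice.
        String salt = ESAPI.randomizer().getRandomString(16, EncoderConstants.CHAR_ALPHANUMERICS);
        String hash = crypto.hash("correct horse battery staple", salt);
        System.out.println("hash: " + hash);

        // Strong random tokens and GUIDs: session ids, CSRF tokens, indirect references.
        String token = ESAPI.randomizer().getRandomString(32, EncoderConstants.CHAR_ALPHANUMERICS);
        String guid = ESAPI.randomizer().getRandomGUID();
        System.out.println("token: " + token + "  guid: " + guid);
    }
}
```

The portable serialized form is the one to store: it keeps the IV and MAC with the ciphertext, so decryption with a different key or of a modified record fails rather than returning garbage.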
-
Direct Object Reference
Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
The fix is to generate a suitably random, unguessable token for each object and map it internally to the real ID.
Doing this is surprisingly annoying, especially if there are no sessions, and it is not particularly scalable.
ESAPI provides a random access reference map, which also helps protect against CSRF, since the per-session tokens cannot be guessed by a forged cross-site request.
import org.owasp.esapi.reference.RandomAccessReferenceMap;

String directReference = "This is a direct reference.";
RandomAccessReferenceMap instance = new RandomAccessReferenceMap();
String ind = instance.addDirectReference(directReference);   // random indirect token, e.g. "jfo8we4oji"
String back = instance.getDirectReference(ind);              // resolves; an unknown token throws AccessControlException
-
AccessReferenceMap
(Diagram: the map sits between the application and its backends: Web Service, Database, Mainframe, File System, User, Etc.)
Direct References: Report123.xls, Acct:9182374
Indirect References: ref=jfo8we4oji
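Added example (not from the slides or the ESAPI project): a per-session RandomAccessReferenceMap that hands the browser only random tokens for the direct references shown in the diagram, and fails closed when a token is replayed in another session. It assumes ESAPI 2.x with the stock ESAPI.properties; the Session stand-in, the link format and the two users are constructed for the demo (in a real application the map would live in the HttpSession).

```java
import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

public class ReportLinks {

    /** Stand-in for a user session; in a web app this map is stored as an HttpSession attribute. */
    static final class Session {
        final AccessReferenceMap<String> refs = new RandomAccessReferenceMap();
    }

    /** Outbound: the page shows ref=<random token>, never the file name or account number. */
    static String linkTo(Session session, String directReference) {
        // Adding the same direct reference twice returns the token already issued.
        return "/download?ref=" + session.refs.addDirectReference(directReference);
    }

    /** Inbound: resolve the token, or fail closed. Unknown tokens raise AccessControlException. */
    static String resolve(Session session, String ref) throws AccessControlException {
        return session.refs.getDirectReference(ref);
    }

    public static void main(String[] args) {
        // Constructed data: two users, each shown a different object.
        Session alice = new Session();
        Session bob = new Session();
        String aliceLink = linkTo(alice, "Report123.xls");
        String bobLink = linkTo(bob, "Acct:9182374");
        System.out.println("alice sees " + aliceLink);
        System.out.println("bob sees   " + bobLink);

        String aliceRef = aliceLink.substring(aliceLink.indexOf('=') + 1);
        try {
            System.out.println("alice resolves to " + resolve(alice, aliceRef));
            // Bob replaying Alice's token (or guessing one) does not resolve in his session.
            resolve(bob, aliceRef);
            System.out.println("unexpected: token resolved across sessions");
        } catch (AccessControlException e) {
            System.out.println("denied: " + e.getUserMessage());
        }
    }
}
```

Because each session mints its own tokens, a link copied from one user's page is meaningless in another user's session, which is what gives the map its CSRF resistance as well as its protection against enumeration of direct references.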
-
Logging & Exceptions
For many applications, logging is only used to detect application errors.
It is usually geared to solving problems in development, hopefully with an eye to production.
ESAPI provides a logging implementation that integrates with the security substructure. It logs ESAPI-generated security exceptions with identity information.
It can be used by normal business code to log security exceptions, or just to log information with identity.
It integrates an intrusion detection system that can respond to different types of intrusions by disabling accounts or taking other actions.
-
IntrusionDetector
(Diagram: Enterprise Security Exceptions raised anywhere in the Controller, Business Functions, Backend, User or Data Layer flow to the Logger and the IntrusionDetector.)
Enterprise Security Exceptions:
AccessControlException
AuthenticationException
AvailabilityException
EncodingException
EncryptionException
ExecutorException
IntegrityException
IntrusionException
ValidationException
Each carries a User Message (no detail) and a Log Message (with identity).
IntrusionDetector: configurable thresholds and responses: Log Intrusion, Logout User, Disable Account.
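Added example (not from the slides or the ESAPI project): business code that logs with explicit security event types, raises an ESAPI exception with separate user and log messages, and reports a custom event to the intrusion detector so the configured thresholds apply. It assumes ESAPI 2.x; the transfer and lookup methods, the "account.enumeration" event name and the property values in the comment are hypothetical.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.ValidationException;

public class SecurityLogging {

    // The ESAPI logger tags each entry with the event type and the current user and host.
    static final Logger log = ESAPI.getLogger(SecurityLogging.class);

    /** Business code: explicit event types let SIEM rules key on success/failure. */
    static void transfer(String from, String to, long cents) throws ValidationException {
        if (cents <= 0) {
            // User message stays generic; the log message carries the detail and identity.
            // Constructing any EnterpriseSecurityException logs it and reports it to the
            // intrusion detector (unless detection is disabled in ESAPI.properties), so
            // throwing it is all the caller needs to do.
            throw new ValidationException("Invalid transfer amount",
                    "Rejected transfer of " + cents + " cents from " + from + " to " + to);
        }
        log.info(Logger.SECURITY_SUCCESS, "transfer " + cents + " cents " + from + " -> " + to);
    }

    /**
     * Custom event. Thresholds and responses come from ESAPI.properties, for example
     * (assumed configuration, not part of the stock file):
     *   IntrusionDetector.event.account.enumeration.count=5
     *   IntrusionDetector.event.account.enumeration.interval=60
     *   IntrusionDetector.event.account.enumeration.actions=log,logout
     * Once the count is exceeded inside the interval, the detector itself applies the
     * actions (log, logout, disable) to the current user; this method does not need to.
     */
    static void lookupFailed(String probedAccount) {
        ESAPI.intrusionDetector().addEvent("account.enumeration",
                "lookup of non-existent account " + probedAccount);
    }

    public static void main(String[] args) {
        try {
            transfer("ACC-000001", "ACC-000002", -500);   // constructed bad input
        } catch (ValidationException e) {
            System.out.println("shown to user: " + e.getUserMessage());
            System.out.println("written to log: " + e.getLogMessage());
        }
        for (int i = 0; i < 6; i++) {                     // sixth call crosses the assumed threshold
            lookupFailed("ACC-99999" + i);
        }
        log.warning(Logger.SECURITY_FAILURE, "demo complete");
    }
}
```

The thresholds keyed on exception class names (IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count and friends in the stock ESAPI.properties) work the same way for the built-in exceptions, so a burst of ValidationExceptions from one user can lock that user out without any code in the application.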
-
Handling HTTP
Many applications make heavy use of HTTP for functionality. Classic ASP uses redirects for flow control, error handling, etc.
The use of data from the request accounts for most web security defects.
ESAPI provides methods to interact with the request:
Helper methods for encryption
CSRF tokens
Etc.
Deals with character sets and encodings
-
(Diagram: HTTP Utilities serve the Controller, Business Functions, Backend, User and Data Layer.)
HTTP Utilities
Add Safe Cookie
No Cache Headers
CSRF Tokens
Safe Request Logging
Encrypt State in Cookie
Add Safe Header
Querystring Encryption
Change SessionID
isSecureChannel
sendSafeRedirect
sendSafeForward
Safe File Uploads
Set Content Type
Kill Cookie
Hidden Field Encryption
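Added example (not from the slides or the ESAPI project): a servlet that uses HTTPUtilities for the CSRF token round trip, the no-cache headers, the TLS-and-POST check and the validated redirect. It assumes ESAPI 2.x, the Servlet API, and a user already logged in through the ESAPI Authenticator (the CSRF token lives on the ESAPI User object, as the Top Ten mapping later in the deck notes); the TransferServlet, its URLs and the form body are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.HTTPUtilities;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.IntrusionException;

/** Hypothetical money-transfer endpoint. */
public class TransferServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HTTPUtilities http = ESAPI.httpUtilities();
        http.setCurrentHTTP(req, resp);   // lets ESAPI components find the request/response
        http.setNoCacheHeaders(resp);     // the form shows account data; keep it out of caches

        // Append the current user's CSRF token to the form action (parameter "ctoken").
        String action = http.addCSRFToken("/transfer");
        resp.setContentType("text/html; charset=UTF-8");
        resp.getWriter().println("<form method=\"post\" action=\""
                + ESAPI.encoder().encodeForHTMLAttribute(action) + "\">"
                + "<input name=\"to\"><input name=\"amount\"><button>Send</button></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HTTPUtilities http = ESAPI.httpUtilities();
        http.setCurrentHTTP(req, resp);
        try {
            http.assertSecureRequest(req);   // rejects anything not over TLS and not a POST
            http.verifyCSRFToken(req);       // IntrusionException if the token is absent or wrong
        } catch (AccessControlException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        } catch (IntrusionException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // ... validate "to" and "amount" with ESAPI.validator() and call the business function ...

        try {
            // sendRedirect refuses locations that fail the Validator's redirect-location
            // check, which closes the open-redirect hole that hand-rolled redirects leave.
            http.sendRedirect(resp, "/transfer/done");
        } catch (AccessControlException e) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

After a successful login the same utilities provide changeSessionIdentifier(request) to defeat session fixation and killCookie(request, response, name) to retire a cookie on logout; both belong in the Authenticator flow rather than in this handler.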
-
OWASP Top Ten 2007, with the OWASP ESAPI control that addresses each item
A1. Cross Site Scripting (XSS): Validator, Encoder
A2. Injection Flaws: Encoder
A3. Malicious File Execution: HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference: AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF): User (CSRF Token)
A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage: Encryptor
A9. Insecure Communications: HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access: AccessController
-
Special Thanks
Supports OWASP and ESAPI
Many of the diagrams in these slides are from a similar presentation by Aspect.
-
Conclusion
Denim Group, Ltd.
(210) 572-4400
Web: www.denimgroup.com
Blog: blog.denimgroup.com