OWASP Enterprise Security API

Enterprise Security API (ESAPI), Thursday, 2011-03-10

Upload: confoo

Posted on 22-Nov-2014

TRANSCRIPT

Page 1: OWASP Enterprise Security API

Enterprise Security API (ESAPI)

Page 2: OWASP Enterprise Security API


Page 3: OWASP Enterprise Security API

OWASP: The Open Web Application Security Project

Page 4: OWASP Enterprise Security API


Page 5: OWASP Enterprise Security API

I answer questions

Page 6: OWASP Enterprise Security API

The problems


Page 7: OWASP Enterprise Security API

The problems

• Input Validation and Output Encoding

• Authentication and Identity

• URL Access Control

• Business Function Access Control

• Data Layer Access Control


Page 8: OWASP Enterprise Security API

The problems

• Presentation Layer Access Control

• Errors, Logging, and Intrusion Detection

• Encryption, Hashing, and Randomness


Page 9: OWASP Enterprise Security API

OWASP TOP 10

A1 – Injection

A2 – Cross-Site Scripting (XSS)

A3 – Broken Authentication and Session Management

A4 – Insecure Direct Object References

A5 – Cross-Site Request Forgery (CSRF)

A6 – Security Misconfiguration

A7 – Insecure Cryptographic Storage

A8 – Failure to Restrict URL Access

A9 – Insufficient Transport Layer Protection

A10 – Unvalidated Redirects and Forwards

Page 10: OWASP Enterprise Security API

And over 300 other types of security problems

Page 11: OWASP Enterprise Security API

Vulnerabilities and Security Controls

Vulnerabilities arise when security controls are:

• Missing

• Broken

• Ignored

• Misused

Page 12: OWASP Enterprise Security API

Why Is Input Validation Hard?

Page 13: OWASP Enterprise Security API

<

Page 14: OWASP Enterprise Security API

Percent (URL) Encoding

• %3c

• %3C


Page 15: OWASP Enterprise Security API

HTML Entity Encoding

• &#60

• &#060

• &#0060

• &#00060

• &#000060

• &#0000060

• &#60;

• &#060;

• &#0060;

• &#00060;

• &#000060;

• &#0000060;


Page 16: OWASP Enterprise Security API

HTML Entity Encoding

• &#x3c

• &#x03c

• &#x003c

• &#x0003c

• &#x00003c

• &#x000003c

• &#x3c;

• &#x03c;

• &#x003c;

• &#x0003c;

• &#x00003c;

• &#x000003c;


Page 17: OWASP Enterprise Security API

HTML Entity Encoding

• &#X3c

• &#X03c

• &#X003c

• &#X0003c

• &#X00003c

• &#X000003c

• &#X3c;

• &#X03c;

• &#X003c;

• &#X0003c;

• &#X00003c;

• &#X000003c;


Page 18: OWASP Enterprise Security API

HTML Entity Encoding

• &#x3C

• &#x03C

• &#x003C

• &#x0003C

• &#x00003C

• &#x000003C

• &#x3C;

• &#x03C;

• &#x003C;

• &#x0003C;

• &#x00003C;

• &#x000003C;


Page 19: OWASP Enterprise Security API

HTML Entity Encoding

• &#X3C

• &#X03C

• &#X003C

• &#X0003C

• &#X00003C

• &#X000003C

• &#X3C;

• &#X03C;

• &#X003C;

• &#X0003C;

• &#X00003C;

• &#X000003C;


Page 20: OWASP Enterprise Security API

HTML Entity Encoding

• &lt

• &lT

• &Lt

• &LT

• &lt;

• &lT;

• &Lt;

• &LT;


Page 21: OWASP Enterprise Security API

JavaScript Escape

• \<

• \x3c

• \X3c

• \u003c

• \U003c

• \x3C

• \X3C

• \u003C

• \U003C


Page 22: OWASP Enterprise Security API

CSS Escape

• \3c

• \03c

• \003c

• \0003c

• \00003c

• \3C

• \03C

• \003C

• \0003C

• \00003C


Page 23: OWASP Enterprise Security API

UTF-7 vs UTF-8

• +ADw-

• %c0%bc

• %e0%80%bc

• %f0%80%80%bc

• %f8%80%80%80%bc

• %fc%80%80%80%80%bc


Page 24: OWASP Enterprise Security API

1,677,721,600,000,000 ways to encode <script>
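The slides above list dozens of ways to write a single `<`, which is why validating raw input is hopeless: the defence is to canonicalize first, decoding repeatedly until the string stops changing, and to treat input that was encoded several times or with several schemes as suspicious (ESAPI does this in its Encoder before validation). The following Python is an added example, not ESAPI code; the decoders, the `CODECS` table and the returned flags are this example's own.

```python
import html.entities
import re
from urllib.parse import unquote

# Added example (not ESAPI code). Decoders cover the variants on the slides:
# %3c/%3C, &#60 .. &#0000060 with or without ';', &#x3c/&#X3C, &lt/&LT,
# JavaScript \x3c/\u003C and CSS \3c .. \00003c (UTF-7 is not handled).
_HTML_ENT = re.compile(r"&(#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);?")
_JS_ESC = re.compile(r"\\(?:[xX]([0-9a-fA-F]{2})|[uU]([0-9a-fA-F]{4})|([^0-9a-zA-Z]))")
_CSS_ESC = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")

def _cp(n):  # code point to character; out-of-range values decode to nothing
    return chr(n) if n <= 0x10FFFF else ""

def _decode_html(s):
    def repl(m):
        ent = m.group(1)
        if ent.startswith("#"):
            return _cp(int(ent[2:], 16) if ent[1] in "xX" else int(ent[1:]))
        cp = html.entities.name2codepoint.get(ent.lower())  # accepts &LT, &Lt, ...
        return chr(cp) if cp is not None else m.group(0)
    return _HTML_ENT.sub(repl, s)

def _decode_js(s):
    def repl(m):
        hexdigits = m.group(1) or m.group(2)
        return _cp(int(hexdigits, 16)) if hexdigits else m.group(3)
    return _JS_ESC.sub(repl, s)

def _decode_css(s):
    return _CSS_ESC.sub(lambda m: _cp(int(m.group(1), 16)), s)

CODECS = {"percent": unquote, "html": _decode_html, "javascript": _decode_js, "css": _decode_css}

def canonicalize(s, max_passes=10):
    """Decode repeatedly until the string is stable, as ESAPI's canonicalize() does.
    Returns (canonical, multiple_encoding, mixed_encoding): the flags mark input
    that was encoded more than once with one codec, or with several codecs."""
    fired = {}
    for _ in range(max_passes):
        before = s
        for name, decode in CODECS.items():
            out = decode(s)
            if out != s:
                fired[name] = fired.get(name, 0) + 1
                s = out
        if s == before:
            break
    return s, any(n > 1 for n in fired.values()), len(fired) > 1
```

Validate (or reject) the canonical form, never the raw input; a `True` in either flag is the kind of event an intrusion detector should count.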

Page 25: OWASP Enterprise Security API

The Solutions?


Page 26: OWASP Enterprise Security API

What is Enterprise Security API?


Page 27: OWASP Enterprise Security API

ESAPI Community

• Mailing List

• Library

• Wiki

• Users

• Developers

• Objective-C

Page 30: OWASP Enterprise Security API

Overview of the Architectural Impact


Page 31: OWASP Enterprise Security API

Enterprise Security API

Components in the architecture diagram:

• Authenticator

• User

• AccessController

• AccessReferenceMap

• Validator

• Encoder

• HTTPUtilities

• Encryptor

• EncryptedProperties

• Randomizer

• Exception Handling

• Logger

• IntrusionDetector

• SecurityConfiguration

Page 32: OWASP Enterprise Security API

Enterprise Security API

AccessController:

isAuthorizedForData()

isAuthorizedForFile()

isAuthorizedForFunction()

isAuthorizedForService()

isAuthorizedForURL()

Page 33: OWASP Enterprise Security API

Enterprise Security API

Page 34: OWASP Enterprise Security API

Enterprise Security API

Validator:

<?php echo $ESAPI->validator()->getValidInput($context, $input, $type, $maxLength, $allowNull, $errorList); ?>

getValidInput(String $context, String $input, String $type, int $maxLength, boolean $allowNull, ValidationErrorList $errorList)

Page 35: OWASP Enterprise Security API

Enterprise Security API

Validator:

assertIsValidHttpRequest()

assertIsValidHttpRequestParameterSet()

assertIsValidFileUpload()

getValidDate()

getValidDouble()

getValidDirectoryPath()

getValidFileContent()

getValidFileName()

interface ValidationRule

abstract BaseValidationRule

CreditCardValidationRule

Page 36: OWASP Enterprise Security API

Enterprise Security API

Validator:

isValidCreditCard()

isValidDataFromBrowse()

isValidDirectoryPath()

isValidFileContent()

isValidFileName()

isValidHTTPRequest()

isValidListItem()

isValidRedirectLocation()

isValidSafeHTML()

isValidPrintable()

safeReadLine()

interface ValidationRule

abstract BaseValidationRule

CreditCardValidationRule

Page 37: OWASP Enterprise Security API

Enterprise Security API

Encoder:

encodeForCSS

encodeForDN

encodeForHTML

encodeForHTMLAttribute

encodeForJavaScript

encodeForLDAP

encodeForSQL

encodeForURL

encodeForVBScript

encodeForXML

encodeForXMLAttribute

encodeForXPath

<?php echo $ESAPI->encoder()->encodeForHTML($name); ?>

Page 38: OWASP Enterprise Security API

Enterprise Security API

HTTPUtilities:

• Add Safe Header

• No Cache Headers

• Set Content Type

• Add Safe Cookie

• Kill Cookie

• Change SessionID

• CSRF Tokens

• isSecureChannel

• Safe Request Logging

• Safe File Uploads

• sendSafeForward

• sendSafeRedirect

• Encrypt State in Cookie

• Hidden Field Encryption

• Querystring Encryption

Page 39: OWASP Enterprise Security API

Enterprise Security API

Encryptor, EncryptedProperties, Randomizer:

<?php $encrypted = $ESAPI->encryptor()->encrypt($text); ?>

• Integrity Seals

• Strong GUID

• Random Tokens

• Encryption

• Digital Signatures

• Salted Hash

• Safe Config Details

• Timestamp

Page 40: OWASP Enterprise Security API

Enterprise Security API

Page 41: OWASP Enterprise Security API

Enterprise Security API

Page 42: OWASP Enterprise Security API

Enterprise Security API

Exception Handling:

• AccessControlException

• AuthenticationException

• AvailabilityException

• EncodingException

• EncryptionException

• ExecutorException

• IntegrityException

• IntrusionException

• ValidationException

Page 43: OWASP Enterprise Security API

Enterprise Security API

Page 44: OWASP Enterprise Security API

Enterprise Security API

IntrusionDetector:

• Configurable Thresholds

• Responses

• Log Intrusion

• Logout User

• Disable Account
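The IntrusionDetector slide names the mechanism (configurable thresholds) and the three responses (log, log the user out, disable the account). The Python below is an added example, not ESAPI's implementation or its properties format; the `POLICY` structure, class and method names are this example's own, and the event names are the ESAPI exception types listed on the Exception Handling slide.

```python
from collections import defaultdict, deque

# Added example, not ESAPI's own code or configuration format. Each rule says how
# many events of one type within `interval` seconds trigger which responses.
POLICY = {
    "ValidationException": {"count": 3, "interval": 60, "actions": ["log", "logout"]},
    "AuthenticationException": {"count": 5, "interval": 300, "actions": ["log", "disable"]},
}


class IntrusionDetector:
    """Counts security events per user in a sliding time window and, once a
    configured threshold is crossed, applies the configured responses."""

    def __init__(self, policy):
        self.policy = policy
        self.windows = defaultdict(deque)  # (user, event) -> recent timestamps
        self.active_sessions = set()
        self.disabled = set()
        self.log = []

    def login(self, user):
        self.active_sessions.add(user)

    def add_event(self, user, event, now):
        """Record one event at time `now` (seconds). Returns the actions taken."""
        rule = self.policy.get(event)
        if rule is None:
            return []  # no threshold configured for this event type
        window = self.windows[(user, event)]
        window.append(now)
        while window and now - window[0] > rule["interval"]:
            window.popleft()  # forget events older than the interval
        if len(window) < rule["count"]:
            return []
        window.clear()  # threshold reached: respond and start counting afresh
        return self._respond(user, event, rule["actions"], now)

    def _respond(self, user, event, actions, now):
        for action in actions:
            if action == "log":
                self.log.append(f"t={now} intrusion: {event} threshold exceeded by {user}")
            elif action == "logout":
                self.active_sessions.discard(user)
            elif action == "disable":
                self.active_sessions.discard(user)
                self.disabled.add(user)
        return list(actions)
```

The interval matters as much as the count: the same three events spread over several minutes stay below the threshold, so tune both per event type rather than reacting to any single failure.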

Page 45: OWASP Enterprise Security API

Enterprise Security API

Page 46: OWASP Enterprise Security API

OWASP TOP 10 – ESAPI

A1: Injection – Encoder

A2: Cross Site Scripting (XSS) – Encoder, Validator

A3: Broken Authentication and Session Management – Authenticator, User, HTTPUtilities

A4: Insecure Direct Object Reference – AccessReferenceMap, AccessController

A5: Cross Site Request Forgery (CSRF) – User (CSRF Token)

A6: Security Misconfiguration – SecurityConfiguration

A7: Insecure Cryptographic Storage – Encryptor

A8: Failure to Restrict URL Access – AccessController

A9: Insufficient Transport Layer Protection – HTTPUtilities (Secure Cookie, Channel)

A10: Unvalidated Redirects and Forwards – AccessController

Page 47: OWASP Enterprise Security API

Feature matrix of ESAPI implementations (Objective-C is one of the columns; cell values are the versions 1.4 and 2.0; the column layout did not survive extraction). Rows:

• Authentication

• Identity

• Access Control

• Input Validation

• Output Escaping

• Canonicalization

• Encryption

• Random Numbers

• Exception Handling

• Logging

• Intrusion Detection

• Security Configuration

• WAF

Page 48: OWASP Enterprise Security API

Adopters


Page 51: OWASP Enterprise Security API
