Esapi4php Paper Monthofphp2010 Newtool

MONTH OF PHP SECURITY 2010 – A NEW OPEN SOURCE PHP SECURITY TOOL – OWASP ESAPI FOR PHP

[Fig. 2. Built-In Singleton Pattern Example. UML class diagram: «interface» Authenticator (ESAPI interface) with +login() and +...(); DefaultAuthenticator (ESAPI reference implementation) with +login() and +...().]

Pros of taking this approach include loose coupling between ESAPI and your own implementations.

Cons include the need for developers to understand how to call ESAPI functions with the parameters required by your organization and/or application.

III. THE EXTENDED SINGLETON PATTERN

While ESAPI security control reference implementations may perform the security checks and produce the security effects required by your organization and/or application, there may be a need to reduce how much developers must understand about calling ESAPI functions with the parameters required by your organization and/or application. Availability of training may be an issue, for example. Another example would be to facilitate enforcing a coding standard.

The “extended” singleton pattern refers to the replacement of security control reference implementations with your own implementations and the addition/modification/subtraction of the corresponding security control interfaces.

A. For example:

...
require_once dirname(__FILE__) . '/../Validator.php';
...
//reference implementation
class DefaultValidator implements Validator {
    ...
    //not defined in Validator interface
    function isValidEmployeeID($eid) {
        ...

B. Developers would call ESAPI in this example as follows:

...
$ESAPI = new ESAPI();
$validator = ESAPI::getValidator();
$validator->isValidEmployeeID(1234);
...

The UML for the above example is in the figure below.

[Fig. 3. Extended Singleton Pattern Example. UML class diagram: DefaultValidator (ESAPI reference implementation; does not include an “isValidEmployeeID” function) with +isValidInput() and +...().]

Pros of taking this approach are the lessening of the need for developers to understand how to call ESAPI functions with the specific parameters required by your organization and/or application. Pros also include minimizing or eliminating the ability of developers to call ESAPI functions in ways that deviate from your organization’s and/or application’s policies.

Cons result from the tight coupling between ESAPI and your own implementations: you will need to maintain both the modified security control reference implementations and the modified security control interfaces (as new versions of ESAPI are released over time).

IV. THE EXTENDED FACTORY PATTERN

While ESAPI security control reference implementations may perform the security checks and produce the security effects required by your organization and/or application, there may be a need to eliminate the ability of developers to deviate from your organization’s and/or application’s policies. High developer turnover may be an issue, for example. Another example would be to strongly enforce a coding standard.

The “extended” factory pattern refers to the addition of a new security control interface and a corresponding implementation, which in turn calls ESAPI security control reference implementations and/or security control reference implementations that were replaced with your own implementations. The ESAPI locator class would be called in order to retrieve a singleton instance of your new security control, and that control would in turn call the ESAPI reference implementations and/or the reference implementations you replaced with your own.

A. For example:

In the ESAPI locator class:

...
class ESAPI {
    ...
    //not defined in the stock ESAPI locator class
    private static $adapter = null;
    ...
    //new function
    public static function getAdapter() {
        if ( is_null(self::$adapter) ) {
            require_once dirname(__FILE__).'/adapters/MyAdapter.php';
            self::$adapter = new MyAdapter();
        }
        return self::$adapter;
    }

    //new function
    public static function setAdapter($adapter) {
        self::$adapter = $adapter;
    }

In the new security control class’ interface:

...
//new interface
interface Adapter {
    function getValidEmployeeID($eid);
    function isValidEmployeeID($eid);
}

In the new security control class:

...
require_once dirname(__FILE__) . '/../Adapter.php';
//new class with your implementation
class MyAdapter implements Adapter {
    //for your new interface
    function getValidEmployeeID($eid) {
        //calls reference implementation
        $val = ESAPI::getValidator();
        //calls using hardcoded parameters; the validated value is returned
        //to the caller, and invalid input raises an exception
        return $val->getValidInput(
            "My Organization's Employee ID",
            $eid,
            "EmployeeID", //regex defined in ESAPI config
            4,
            false
        );
    }

    //for your new interface
    function isValidEmployeeID($eid) {
        try {
            $this->getValidEmployeeID($eid);
            return true;
        } catch ( Exception $e ) {
            return false;
        }
    }
}

B. Developers would call ESAPI in this example as follows:

...
$ESAPI = new ESAPI();
$adapter = ESAPI::getAdapter();
$adapter->isValidEmployeeID(1234);
... //no other ESAPI controls called directly

The UML for the above example is in the figure below.

[Figure (caption not present in the extracted text). UML class diagram: ESAPI locator class with -adapter, +getAdapter() and +...(); «interface» Adapter with +isValidEmployeeID() and +...(); MyAdapter, your implementation (calls ESAPI interfaces), with +isValidEmployeeID() and +...().]

Pros of taking this approach are the same as for the extended singleton pattern, and additionally include looser coupling between ESAPI and your own implementations than the extended singleton pattern provides.

Cons include the need to maintain the modified ESAPI locator class (as new versions of ESAPI are released over time).

V. CONCLUSION

OWASP is the premier site for Web application security. The OWASP site hosts many projects, forums, blogs, presentations, tools, and papers. Additionally, OWASP hosts two major Web application security conferences per year, and has over 80 local chapters. The OWASP ESAPI project page can be found here: http://www.owasp.org/index.php/ESAPI

The following OWASP projects are most likely to be useful to users/adopters of ESAPI:

• OWASP Application Security Verification Standard (ASVS) Project - http://www.owasp.org/index.php/ASVS
• OWASP Top Ten Project - http://www.owasp.org/index.php/Top_10
• OWASP Code Review Guide - http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
• OWASP Testing Guide - http://www.owasp.org/index.php/Testing_Guide
• OWASP Legal Project - http://www.owasp.org/index.php/Category:OWASP_Legal_Project

Similarly, the following Web sites are most likely to be useful to users/adopters of ESAPI:

• OWASP - http://www.owasp.org
• MITRE - Common Weakness Enumeration – Vulnerability Trends, http://cwe.mitre.org/documents/vuln-trends.html
• PCI Security Standards Council - publishers of the PCI standards, relevant to all organizations processing or holding credit card data, https://www.pcisecuritystandards.org
• PCI Data Security Standard (DSS) v1.1 - https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
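The following PHP file is an added example, not the paper's own code and not part of the ESAPI for PHP project: it assembles the extended factory pattern of Section IV into a single runnable script so the behaviour can be observed without the library installed. Because ESAPI itself is not included, the ESAPI locator, DefaultValidator and ValidationException classes here are constructed stand-ins that implement only the calls the paper's example makes, and the pattern table stands in for the regex that ESAPI would read from its configuration (these are assumptions, not the real library's API). The Adapter interface and MyAdapter follow the paper; a second Adapter implementation, swapped in through setAdapter(), is added to show the loose coupling the section lists among the pattern's pros.

```php
<?php
// Added example: extended factory pattern from Section IV, runnable offline.
// ESAPI, DefaultValidator and ValidationException are constructed stand-ins
// for the ESAPI for PHP library, covering only the calls used by the paper.

class ValidationException extends Exception {}

// Stand-in for the ESAPI reference Validator: checks $input against a named
// pattern, as the real getValidInput() does using its configuration file.
class DefaultValidator {
    // Constructed stand-in for the regex definitions ESAPI keeps in its config.
    private static $patterns = array('EmployeeID' => '/^[0-9]{4}$/');

    // Parameters follow the call in the paper: context, input, type,
    // maxLength, allowNull. Returns the validated value or throws.
    public function getValidInput($context, $input, $type, $maxLength, $allowNull) {
        if ($input === null || $input === '') {
            if ($allowNull) { return null; }
            throw new ValidationException("$context: input required");
        }
        $input = (string) $input;
        if (strlen($input) > $maxLength) {
            throw new ValidationException("$context: longer than $maxLength characters");
        }
        if (!isset(self::$patterns[$type])) {
            throw new ValidationException("$context: unknown validation type '$type'");
        }
        if (!preg_match(self::$patterns[$type], $input)) {
            throw new ValidationException("$context: does not match '$type' pattern");
        }
        return $input;
    }
}

// Stand-in for the ESAPI locator class, with the two functions the paper adds.
class ESAPI {
    private static $validator = null;
    private static $adapter = null;

    public static function getValidator() {
        if (is_null(self::$validator)) { self::$validator = new DefaultValidator(); }
        return self::$validator;
    }
    public static function getAdapter() {
        if (is_null(self::$adapter)) { self::$adapter = new MyAdapter(); }
        return self::$adapter;
    }
    public static function setAdapter($adapter) {
        self::$adapter = $adapter;
    }
}

// The new security control interface, as in the paper.
interface Adapter {
    function getValidEmployeeID($eid);
    function isValidEmployeeID($eid);
}

// Your implementation: the only place the organization's parameters live.
class MyAdapter implements Adapter {
    function getValidEmployeeID($eid) {
        $val = ESAPI::getValidator();
        return $val->getValidInput(
            "My Organization's Employee ID",
            $eid,
            "EmployeeID",   // pattern name looked up in the validator config
            4,
            false
        );
    }
    function isValidEmployeeID($eid) {
        try {
            $this->getValidEmployeeID($eid);
            return true;
        } catch (Exception $e) {
            return false;
        }
    }
}

// A second Adapter (hypothetical, e.g. for a test run) that the locator can
// hand out instead of MyAdapter; application code is unchanged.
class RejectAllAdapter implements Adapter {
    function getValidEmployeeID($eid) { throw new ValidationException('rejected'); }
    function isValidEmployeeID($eid) { return false; }
}

// Application code: no validator parameters, no direct ESAPI control calls.
$adapter = ESAPI::getAdapter();
foreach (array(1234, '0042', '12345', '12a4', '') as $candidate) {   // constructed inputs
    printf("%-8s %s\n", var_export($candidate, true),
        $adapter->isValidEmployeeID($candidate) ? 'valid' : 'invalid');
}
// Swap the control without touching the application code above.
ESAPI::setAdapter(new RejectAllAdapter());
printf("%-8s %s (after setAdapter)\n", "1234",
    ESAPI::getAdapter()->isValidEmployeeID(1234) ? 'valid' : 'invalid');
```

Run it with `php` from the command line: the first two candidates are accepted, the over-long, non-numeric and empty ones are rejected by the stand-in validator, and the final line shows the same call returning `invalid` once the locator hands out a different Adapter. The application code never names a regex, a length limit or an ESAPI control, which is the policy-enforcement benefit the section describes; the price is that the locator stub (and, in a real deployment, the modified ESAPI locator class) must be maintained alongside ESAPI upgrades.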