Solving Real-World Problems With An Enterprise Security API (ESAPI)
Chris Schmidt
ESAPI Project Manager
ESAPI4JS Project Owner
Application Security Engineer
Aspect Security
[email protected]
AppSec DC 2010
Who the heck am I?
[Rumour has it I should be presenting my credentials]
OWASP
Solving Real World Problems with An Enterprise
Security API (ESAPI)
• What is an ESAPI?
• Using OWASP ESAPI
• Case Study: Cross Site Scripting
• Case Study: Direct Object Reference
• Case Study: Yours!
• Additional Resources
• Questions?
What is an Enterprise Security API?
The ESAPI Family Community Breakdown
What is an Enterprise Security API?
• High-level API that provides access to common security functions as services to the calling code.
• Centrally configured, keeping configuration separate from implementation.
• Developers don't have to focus on writing custom security controls for each component.
• Complements a secure software development environment and secure coding conventions.
• Enforces a common API (interfaces) but also allows customization or extension to adapt to specific environments.
Addressing The OWASP Top Ten
OWASP ESAPI Project Scorecard
Using OWASP ESAPI
Getting OWASP’s ESAPI (Java)
Download from Google Code:
http://owasp-esapi-java.googlecode.com
Use Maven:
<dependencies>
    <dependency>
        <groupId>org.owasp.esapi</groupId>
        <artifactId>esapi</artifactId>
        <!-- add a <version> element for the release in use; Maven requires it unless a parent POM manages it -->
    </dependency>
</dependencies>
Basics
OWASP ESAPI uses a Service Locator class to access implementations of its core interfaces. The locator is currently configured via the ESAPI.properties file: calling code asks for a service by name and the properties file decides which implementation backs it.
ESAPI.encoder()
ESAPI.encryptor()
ESAPI.validator()
ESAPI.accessController()
ESAPI.logger()
ESAPI.authenticator()
ESAPI.randomizer()
ESAPI.httpUtilities()
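The locator in use, as an added example (not the slide's or the ESAPI project's own code): three of the services above, validator, logger and randomizer, reached through ESAPI.<service>() with no reference to a concrete implementation. It assumes the default ESAPI.properties is on the classpath, which is where the "SafeString" and "Email" validation patterns and the logger implementation come from; the inputs in main are constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class LocatorBasics {

    // Logger implementation is chosen by ESAPI.properties, not by this class
    private static final Logger LOG = ESAPI.getLogger(LocatorBasics.class);

    // Returns the validated value, or null when the input is rejected, so the
    // caller never sees the raw string on the failure path.
    // "pattern" names a Validator.<pattern> regex from ESAPI.properties.
    static String validate(String context, String raw, String pattern, int maxLen) {
        try {
            // getValidInput canonicalizes the input before the pattern is applied
            String clean = ESAPI.validator().getValidInput(context, raw, pattern, maxLen, false);
            LOG.info(Logger.EVENT_SUCCESS, context + " accepted");
            return clean;
        } catch (ValidationException e) {
            // getLogMessage() carries the detail; getUserMessage() is the one safe to display
            LOG.warning(Logger.SECURITY_FAILURE, e.getLogMessage());
            return null;
        } catch (IntrusionException e) {
            // raised when the intrusion detector's threshold for this event is exceeded
            LOG.error(Logger.SECURITY_FAILURE, e.getLogMessage());
            return null;
        }
    }

    // A per-form nonce from the configured randomizer: 16 alphanumeric characters
    static String newToken() {
        return ESAPI.randomizer().getRandomString(16, EncoderConstants.CHAR_ALPHANUMERICS);
    }

    public static void main(String[] args) {
        // constructed inputs: one accepted by SafeString, one rejected, one e-mail
        System.out.println(validate("fullname", "Chris Schmidt", "SafeString", 200));
        System.out.println(validate("fullname", "<script>alert(1)</script>", "SafeString", 200));
        System.out.println(validate("email", "someone@example.org", "Email", 254));
        System.out.println(newToken());
    }
}
```

Swapping the logger, randomizer or validator for a site-specific one is a change to ESAPI.properties, not to this class; that is the separation of configuration from implementation the previous slide describes.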
Case Study: Cross Site Scripting
The Problem
Contact Form is vulnerable to XSS
The Solution
<%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.StringUtilities" %>
<% // Read the submitted name; replaceNull keeps the form usable when no parameter was sent
   String fullname = StringUtilities.replaceNull( request.getParameter( "fullname" ), "" ); %>
<form action="/SubmitContactInformation" method="POST">
    <%-- The value lands inside a quoted attribute, so it is encoded for that context --%>
    <input type="text" name="fullname" id="full-name" value="<%=ESAPI.encoder().encodeForHTMLAttribute(fullname)%>">
    <label for="full-name">Full Name</label>
</form>
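The same form as a servlet, as an added example (not the slide's or the ESAPI project's own code), to show why the fix picks encodeForHTMLAttribute rather than any encoder: the name is rendered into three different output contexts, and each gets the encoder for that context. The servlet class name, the extra paragraph and the inline script are assumptions made for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.StringUtilities;

public class ContactFormServlet extends HttpServlet {

    // Builds the markup; kept separate from doGet so it can be exercised
    // directly with a constructed input such as "\"><script>alert(1)</script>"
    static String render(String fullname) {
        Encoder enc = ESAPI.encoder();
        StringBuilder html = new StringBuilder();
        html.append("<form action=\"/SubmitContactInformation\" method=\"POST\">\n");
        // Inside a quoted attribute: encodeForHTMLAttribute escapes the quote
        // that would otherwise close the value and let new attributes in
        html.append("  <input type=\"text\" name=\"fullname\" id=\"full-name\" value=\"")
            .append(enc.encodeForHTMLAttribute(fullname)).append("\">\n");
        html.append("  <label for=\"full-name\">Full Name</label>\n");
        // In element content: encodeForHTML is the matching encoder
        html.append("  <p>Editing contact for ").append(enc.encodeForHTML(fullname)).append("</p>\n");
        // Inside a JavaScript string literal: neither HTML encoder closes the
        // quote correctly here; the value must be JavaScript-escaped
        html.append("  <script>var who = '").append(enc.encodeForJavaScript(fullname)).append("';</script>\n");
        html.append("</form>\n");
        return html.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // replaceNull keeps the form usable on first visit, when no parameter was sent
        String fullname = StringUtilities.replaceNull(req.getParameter("fullname"), "");
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.print(render(fullname));
        out.flush();
    }
}
```

The encoding step is the last thing that happens before the value reaches the page, which is what makes it reliable: validation at the input side (the validator on the Basics slide) reduces what gets stored, output encoding decides what the browser can interpret.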
Case Study: Direct Object Reference
The Problem
Direct Reference to File allows writing to Filesystem
Behavior:
1. Servlet POSTs to /save.action
2. Filename is stored in a hidden form field
3. Content is entered through a textfield on the page
filename=user-info.txt&content=test
The Solution
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServlet;
class SaveFileServlet extends HttpServlet {
    // Whitelist of accessible files: the only direct references a token may resolve to
    static Set<String> VALID_FILES = new HashSet<String>();
    static { VALID_FILES.add("user-info.txt"); } // add file paths to set
}
The Solution - Continued
<%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.AccessReferenceMap, org.owasp.esapi.errors.AccessControlException" %>
<%
    // Map of indirect tokens to real file names, placed on the request by the servlet
    AccessReferenceMap<String> validFiles = ESAPI.httpUtilities().getRequestAttribute("valid-files");
    // The browser only ever sees the token, never the file name
    String fileToken = validFiles.getIndirectReference("user-info.txt");
    String existingContent;
    try {
        // Resolving a token back to the real name fails for anything not in the map
        String realName = validFiles.getDirectReference(fileToken);
        existingContent = FileHelper.readFile(realName); // FileHelper is the slide's own helper, not an ESAPI class
    } catch (AccessControlException e) {
        response.sendError(403);
        return;
    }
%>
<form action="/save.action" method="POST">
    <input type="hidden" name="fileToken" value="<%=ESAPI.encoder().encodeForHTMLAttribute(fileToken)%>"/>
    <textarea cols="50" rows="4" name="content">
<%=ESAPI.encoder().encodeForHTML(existingContent)%>
    </textarea>
    <input type="submit"/>
</form>
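The servlet side of this case study, as an added example (not the slide's or the ESAPI project's own code): where the "valid-files" map the JSP reads comes from, and how the POSTed fileToken is turned back into a file name. One caveat the slide leaves implicit: a request attribute does not survive from the GET that rendered the form to the POST that submits it, so the map is kept in the session and copied onto the request attribute before forwarding. BASE_DIR, the JSP path, the second file name and the route are assumptions made for the example.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

public class SaveFileServlet extends HttpServlet {

    // Whitelist of direct references: the only files the form may ever touch (constructed values)
    private static final Set<String> VALID_FILES =
        new HashSet<String>(Arrays.asList("user-info.txt", "notes.txt"));

    // All writes are confined to this directory (assumed path)
    private static final File BASE_DIR = new File("/var/app/userdata");

    private static final String MAP_KEY = "valid-files";

    // One random-token map per session: tokens are unguessable and bound to the
    // user that received them, and only names in VALID_FILES ever get a token
    private AccessReferenceMap<String> mapFor(HttpSession session) {
        @SuppressWarnings("unchecked")
        AccessReferenceMap<String> map = (AccessReferenceMap<String>) session.getAttribute(MAP_KEY);
        if (map == null) {
            map = new RandomAccessReferenceMap();
            for (String name : VALID_FILES) {
                map.addDirectReference(name);
            }
            session.setAttribute(MAP_KEY, map);
        }
        return map;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Expose the session's map under the request attribute the JSP reads, then render the form
        req.setAttribute(MAP_KEY, mapFor(req.getSession()));
        req.getRequestDispatcher("/WEB-INF/save.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String fileToken = req.getParameter("fileToken");
        String content = req.getParameter("content");
        Logger log = ESAPI.getLogger(SaveFileServlet.class);

        String fileName;
        try {
            // Only the map can turn a token back into a real name; a token that
            // was never issued to this session is rejected here
            fileName = mapFor(req.getSession()).getDirectReference(fileToken);
        } catch (AccessControlException e) {
            log.warning(Logger.SECURITY_FAILURE, "Rejected unknown fileToken from " + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Defence in depth: even a whitelisted name is written relative to BASE_DIR and must stay inside it
        File target = new File(BASE_DIR, fileName);
        if (!target.getCanonicalPath().startsWith(BASE_DIR.getCanonicalPath() + File.separator)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Writer out = new FileWriter(target);
        try {
            out.write(content == null ? "" : content);
        } finally {
            out.close();
        }
        log.info(Logger.SECURITY_SUCCESS, "Saved " + fileName);
        resp.sendRedirect(req.getContextPath() + "/save.action");
    }
}
```

Compared with the original behaviour (filename=user-info.txt in a hidden field), the browser now only ever holds a random token, the server decides which files exist for that session, and a rejected token is logged as a security failure rather than silently ignored.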
Case Study: Yours!
The Problem
YOU TELL ME!
Describe a problem or requirement that you have encountered and let's discuss how, using an ESAPI, you could resolve the issue or meet the requirement.
Additional Resources
• E-Mail Me
o [email protected]
• Follow me on Twitter
o http://twitter.com/carne
Questions? Comments?
Cycles to Spare?
We are looking for people to contribute cycles to ESAPI on
documentation and helping to bring non-java languages up
to date with the 2.0 API.
GET IN TOUCH WITH ME
Twitter twitter.com/carne
Email [email protected]