Web protection with ESAPI and AppSensor [GuadalajaraCON 2013]

Presentation Transcript

  • Protecting Web Applications with ESAPI and AppSensor
    Manuel Lopez Arredondo, manuel.lopez@owasp.org
  • “The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
    http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
    http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
  • Why is security important? Ponemon Institute. (2012). 2012 Cost of Cyber Crime Study. Ponemon Institute LLC.
  • Why is security important? Verizon. (2012). 2012 Data Breach Investigations Report. Verizon LLC.
  • Why is security important?
  • What is OWASP? Mission driven: nonprofit, worldwide, unbiased. OWASP does not endorse or recommend commercial products or services.
  • What is OWASP? Community driven: 30,000 mailing list participants, 200 active chapters in 70 countries, 1600+ members, 56 corporate supporters, 69 academic supporters.
  • OWASP Guadalajara Chapter. What do we have to offer?
    • Community of security professionals
    • Monthly meetings
    • Mailing list
    • Presentations
    • Workshops
    • Open forums for discussion
    • Vendor-neutral environments
    March 2012 to date: 3 meetings, 1 workshop, 1 conference, 3 newsletters, 2,528+ page visits
    https://www.owasp.org/index.php/Guadalajara
  • What is OWASP? Quality resources: 200+ projects, 15,000+ downloads of tools and documentation, 250,000+ unique visitors, 800,000+ page views (monthly).
  • Quality resources (pie chart: 50%, 40%, 10%; the category labels are not recoverable from the slide)
  • OWASP Top Ten (2010 Edition)
  • A1 – Injection
    • Injection means… tricking an application into including unintended commands in the data sent to an interpreter
    • Interpreters… take strings and interpret them as commands: SQL, OS shell, LDAP, XPath, Hibernate, etc.
    • SQL injection is still quite common: many applications are still susceptible (really don’t know why), even though it’s usually very simple to avoid
    • Typical impact: usually severe. The entire database can usually be read or modified; may also allow full database schema access, account access, or even OS-level access
  • SQL Injection – Illustrated (diagram: the attack travels from the attacker through the firewall, hardened OS, web server, app server and custom code down to the databases, legacy systems, web services and directories, then back up as the HTTP response)
    1. Application presents a form to the attacker
    2. Attacker sends an attack in the form data
    3. Application forwards the attack to the database in a SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
    4. Database runs the query containing the attack and sends encrypted results back to the application
    5. Application decrypts the data as normal and sends the results (the account summary) to the user
  • A2 – Cross-Site Scripting (XSS)
    • Occurs any time… raw data from an attacker is sent to an innocent user’s browser
    • Raw data… stored in a database, reflected from web input (form field, hidden field, URL, etc.), or sent directly into a rich JavaScript client
    • Virtually every web application has this problem. Try this in your browser – javascript:alert(document.cookie)
    • Typical impact: steal the user’s session, steal sensitive data, rewrite the web page, redirect the user to a phishing or malware site. Most severe: install an XSS proxy, which allows the attacker to observe and direct all of the user’s behavior on the vulnerable site and force the user to other sites
  • Cross-Site Scripting – Illustrated (application with a stored XSS vulnerability)
    1. Attacker sets the trap – update my profile: the attacker enters a malicious script into a web page that stores the data on the server
    2. Victim views the page – sees the attacker’s profile: the script runs inside the victim’s browser with full access to the DOM and cookies
    3. The script silently sends the attacker the victim’s session cookie
  • Enterprise Security API. Project Leader: Chris Schmidt, Chris.Schmidt@owasp.org. Purpose: a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  • ESAPI – Vision
    • Build a common set of security controls for today’s most popular programming languages
    • Have interfaces in common across programming languages as much as is possible and natural
    • Provide at least a simple reference implementation for each security control, to serve as an example if not useful in itself
    • Easily extensible
    • Provide functionality that is most often needed but lacking (or inconsistent) in various frameworks/languages
  • Using ESAPI (1 of 3) – Getting started
    • https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
    • Download: http://code.google.com/p/owasp-esapi-java/
    • ESAPI Cheat Sheet: https://www.owasp.org/index.php/ESAPI_Cheat_Sheet
    • ESAPI Swingset: http://code.google.com/p/owasp-esapi-java-swingset/
  • Using ESAPI (2 of 3) – Getting help
    • ESAPI User mailing list (focuses on the Java version): https://lists.owasp.org/mailman/listinfo/esapi-user
    • ESAPI Developer mailing list: https://lists.owasp.org/mailman/listinfo/esapi-dev
    • ESAPI Project page: http://www.esapi.org/ (coming soon)
  • Using ESAPI (3 of 3) – Getting involved
    • Many other language implementations, all playing catch-up
    • ESAPI for Java needs help with user documentation
    • ESAPI 2.1 (Java) starting soon
    • ESAPI Swingset and Swingset Interactive → port to use ESAPI 2.0
  • Enterprise Security API (architecture diagram): a custom enterprise web application calls the ESAPI components, which sit on top of existing enterprise security services/libraries. Components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
  • Potential Enterprise ESAPI Cost Savings
  • Basic ESAPI Approach – Examples. In Java:
    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.errors.IntrusionException;
    import org.owasp.esapi.errors.ValidationException;

    String input = request.getParameter("input");
    // Throws ValidationException or IntrusionException if there is a problem with the input
    String cleaned = ESAPI.validator().getValidInput(
        "Secure input example", // context string used in log messages
        input,
        "SafeString",           // regex spec named in ESAPI.properties (Validator.SafeString)
        200,                    // max length
        false,                  // no nulls allowed
        true);                  // canonicalize before validating
    // Output encoding for an HTML context
    String safeHTML = ESAPI.encoder().encodeForHTML(cleaned);
  • Basic ESAPI Approach – Examples. In PHP:
    $input = isset($_POST['username']) ? $_POST['username'] : ''; // raw request value
    $cleanTmp = array();    // local in scope
    $cleanParams = array(); // local in scope
    // Validation: throws on failure, like the Java version
    $cleanTmp['username'] = ESAPI::getValidator()->getValidInput(
        "Secure input example", $input, "SafeString", 200, false, true);
    // Output encoding for an HTML context
    $cleanParams['username'] = ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);
  • OWASP ESAPI Project Scorecard – feature set vs. programming language (the language column headers are not recoverable from the slide; each row lists the versions per language as shown)
    • Authentication: 2.0, 1.4, 1.4, 1.4, 2.0 planned
    • Identity: 2.0, 1.4, 1.4, 1.4, 2.0 planned
    • Access Control: 2.0, 1.4, 1.4, 1.4, 1.4, 2.0 planned
    • Input Validation: 2.0, 1.4, 1.4, 1.4, 1.4, 1.4, 2.0, 2.0
    • Output Escaping: 2.0, 1.4, 1.4, 1.4, 1.4, 2.0, 2.0
    • Canonicalization: 2.0, 1.4, 1.4, 1.4, 1.4, 2.0, ???
    • Encryption: 2.0, 1.4, 1.4, 1.4, 1.4, 2.0
    • Random Numbers: 2.0, 1.4, 1.4, 1.4, 1.4, 2.0
    • Exception Handling: 2.0, 1.4, 1.4, 1.4, 1.4, 1.4, 2.0, 2.0
    • Logging: 2.0, 1.4, 1.4, 1.4, 1.4, 1.4, 2.0, 2.0
    • Intrusion Detection: 2.0, 1.4, 1.4, 1.4
    • Security Configuration: 2.0, 1.4, 1.4, 1.4, 1.4, 1.4, 2.0, TBD
    • WAF: 2.0
  • Source Code and Javadoc online now! http://code.google.com/p/owasp-esapi-java
  • AppSensor – Create attack-aware applications. Project Leader(s): Michael Coates, John Melton, Colin Watson. Purpose: defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Release: AppSensor 0.1.3 – Nov 2010 (tool) & September 2008 (doc). https://www.owasp.org/index.php/AppSensor
  • Detecting attacks the right way
    • Detect INSIDE the application
    • Automatic detection
    • Comprehensive
    • Minimize false positives
    • Understand business logic
    • Immediate response
    • No manual effort required
  • Implementing AppSensor (diagram labels): Detection Points, Application, Log Server, AppSensor Brain, Response Listener
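The loop the two slides above describe, an in-application detection point (here modelled on the ESAPI validator call shown earlier) feeding an AppSensor-style "brain" that counts events per user and issues a response once a threshold is crossed, as an added example that is not code from the talk, from ESAPI or from the AppSensor project. The whitelist regex, policy table, event id, threshold and user names are constructed for this illustration.

```python
import re
import time
from collections import defaultdict, deque

# Whitelist in the spirit of ESAPI's "SafeString" rule (constructed pattern, not ESAPI's own)
SAFE_STRING = re.compile(r"^[A-Za-z0-9 .\-_@]*$")

# Hypothetical policy: events per user inside a time window, and the response the
# "brain" issues once the threshold is reached (ids and numbers are constructed)
POLICY = {"input_validation_failed": {"threshold": 3, "window_s": 60, "response": "lock_account"}}


class AppSensorBrain:
    """Aggregates detection-point events per user and decides when to respond."""

    def __init__(self, policy, clock=time.time):
        self.policy, self.clock = policy, clock
        self.events = defaultdict(deque)   # (user, point) -> event timestamps
        self.responses = []                # what a response listener would act on

    def add_event(self, user, point):
        rule = self.policy[point]
        now = self.clock()
        q = self.events[(user, point)]
        q.append(now)
        while q and now - q[0] > rule["window_s"]:   # forget events outside the window
            q.popleft()
        if len(q) >= rule["threshold"]:
            self.responses.append((user, rule["response"]))
            q.clear()                                 # start a fresh window after responding
            return rule["response"]
        return None


def get_valid_input(brain, user, value, max_len=200):
    """Detection point in the style of ESAPI's validator: whitelist check, report failures."""
    if len(value) <= max_len and SAFE_STRING.match(value):
        return value
    response = brain.add_event(user, "input_validation_failed")
    raise ValueError("invalid input for %s; response=%s" % (user, response))


def simulate(inputs, user="alice"):
    """Run constructed inputs for one user through the detection point; return responses."""
    brain = AppSensorBrain(POLICY)
    for value in inputs:
        try:
            get_valid_input(brain, user, value)
        except ValueError:
            pass                                      # the app would return an error page
    return brain.responses
```

A real deployment would keep the event store outside the request process and have the response listener act on the session or account; the window-and-threshold logic is what keeps a single typo from triggering a response.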
  • Takeaways
    • Open source solutions
    • Low cost and low effort
    • Think outside the box for development teams
    • Techniques used in the industry
    • OWASP Google Summer of Code 2013: https://www.owasp.org/index.php/GSoC
  • Q & A
  • Backup
  • About OWASP
    • Online since December 1st, 2001
    • Not-for-profit charitable organization
    • OPEN: everything at OWASP is radically transparent, from our finances to our code
    • INNOVATION: OWASP encourages and supports innovation/experiments for solutions to software security challenges
    • GLOBAL: anyone around the world is encouraged to participate in the OWASP community
    • INTEGRITY: OWASP is an honest and truthful, vendor-agnostic, global community
    • https://www.owasp.org/index.php
  • OWASP Success Story
  • Application developers: new attack/defense guidelines, cheat sheets, WebGoat (an emulator designed to teach web application security lessons)
  • Application testers and quality assurance: Testing Guide, penetration testing tools, Application Security Verification Standard project
  • OWASP ZAP Proxy/ WebScarab / CSRF Tester
  • OWASP Testing Framework – 4. Web Application Penetration Testing
    • 4.2 Information Gathering
    • 4.3 Configuration Management Testing
    • 4.4 Business Logic Testing
    • 4.5 Authentication Testing
    • 4.6 Authorization Testing
    • 4.7 Session Management Testing
    • 4.8 Data Validation Testing
    • 4.9 Testing for Denial of Service
    • 4.10 Web Services Testing
    • 4.11 Ajax Testing
    http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
  • Application project management and staff: define the process (SDLC), code review, code review tools
    http://codecrawler.codeplex.com/Release/ProjectReleases.aspx
    http://orizon.sourceforge.net
  • Download / Get OWASP Books
  • Business advantages of being associated with OWASP
    • The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization’s belief that application security is important and that the organization is taking the necessary steps to properly address application security risk in its business
    • The organization itself gets security benefits at reduced cost
      – Security code review tools are free
      – Lots of open and free security testing tools
      – Security guidelines and best practices
    • Opportunity to display the organization’s logo at OWASP events and conferences and on the website
    • The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on OWASP mailing lists and the LinkedIn group
      – If you are looking to expand your business in an emerging market, here is an opportunity to reach out
    • When an organization becomes a supporter of a security community it helps employees, partners, suppliers and customers understand the value and importance of security, and improves application security throughout the whole supply chain
    • Membership options: https://www.owasp.org/index.php/Membership
  • Subscribe to the mailing list: https://www.owasp.org/index.php/Guadalajara
    Chapter Leaders: Eduardo Cerna, Manuel Lopez
    Join us!
  • AppSensor Design (diagram labels): Demo App, Embedded AppSensor, Response, AppSensor “Brain”, App Logs