OWASP Enterprise Security API and available methods to help lock down a ColdFusion application

Matt Gifford (@coldfumonkeh)www.mattgifford.co.ukColdFusion Unconference, Adobe MAX 2011

MAKE STUFFSECURE!Matt Gifford (@coldfumonkeh)www.mattgifford.co.ukColdFusion Unconference, Adobe MAX 2011

KEEP IT TIGHT ANDOUT OF SIGHTMatt Gifford (@coldfumonkeh)www.mattgifford.co.ukColdFusion Unconference, Adobe MAX 2011

HOW TO SLAYDRAGONS USING AJET PACK & ATOOTHBRUSHMatt Gifford (@coldfumonkeh)www.mattgifford.co.ukColdFusion Unconference, Adobe MAX 2011

THE OWASP ENTERPRISESECURITY API &AVAILABLE METHODS TOHELP LOCK DOWN ACOLDFUSION APPLICATIONMatt Gifford (@coldfumonkeh)www.mattgifford.co.ukColdFusion Unconference, Adobe MAX 2011

WHO I AM NOT... • Security expert of the highest order • Sales man trying to pitch an idea for your $$6

WHO I AM... • Lead RIA Developer • Author • Inquisitive • Open to new ideas and methods7

INITIAL REACTIONS

DEVELOPERS - A BROAD GENERALISATION 1239

SECURING YOUR APPLICATIONS

WHO IS OWASP?

WHAT IS ESAPI? Enterprise Security API Open-source project that aims to fill gaps in specs and server technology implementations Uses current best practices to mitigate the vulnerabilities mentioned in the OWASP Top 1012

WHAT IS ESAPI? Enterprise Security API A set of interfaces that provide functions for most of the common security needs of enterprise developers13

WHAT IS ESAPI? Enterprise Security API “ ESAPI is designed to make it easy to retrofit security into existing applications as well as providing a solid foundation for new ” development14

WHAT IS ESAPI? Enterprise Security API Supported in multiple languages: Java Python .NET JavaScript Classic ASP & ColdFusion PHP15

WHY USE ESAPI? It’s aim is to make secure application development easier17

OWASP TOP 10 A1 Injection A6 Security Misconfiguration A2 Cross-Site Scripting A7 Insecure Storage (crypto) A3 Authentication & Sessions A8 URL Access Restrictions A4 Insecure Direct Object References A9 Poor Transport Layer Protection A5 Cross-Site Request Forgery A10 Unvalidated Redirects And this is just the top 10...18

YOU MAY ALREADY HAVE IT • ColdFusion 8 hotfix shipped with the ESAPI library under the hood • ColdFusion 9 included an updated version20

COMING IN ZEUS! • ESAPI integration will be included at a greater level in ColdFusion X (Zeus) • encodeForXXX functions to help you protect your applications against XSS attacks • You can use those now!21

ENCODER<cfoutput> Hey, #URL.name#! Hey, #encodeForHTML(URL.name)#!</cfoutput>

SECURITY CONFIGURATION

SECURITY CONFIGURATIONIncludes (but not restricted to)the following:• Master encryption passwords (for salt and hashing)• Validation whitelists• Logging levels and details• Intrusion detection• and more...

SECURITY CONFIGURATION• You can select the path for a specific resource directory• Ideal for handling multiple security levels / validations for subsystems and micro-applications ESAPI().securityConfiguration().setResourceDirectory("/path/to/.esapi/");

SECURITY CONFIGURATION#===========================================# ESAPI Authenticator#Authenticator.AllowedLoginAttempts=3Authenticator.MaxOldPasswordHashes=13Authenticator.UsernameParameterName=usernameAuthenticator.PasswordParameterName=password# RememberTokenDuration (in days)Authenticator.RememberTokenDuration=14# Session Timeouts (in minutes)Authenticator.IdleTimeoutDuration=20Authenticator.AbsoluteTimeoutDuration=120

AUTHENTICATION

AUTHENTICATION<cfquery name="qLogin" datasource="blah"> SELECT * FROM tbl_Users WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#" /> AND password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.password#" /></cfquery><cfif qLogin.recordcount>  <cfset session.userID = qLogin.userID /> <cfset session.isLoggedIn = true />  <cfelse>  Sorry, we could not find a match. </cfif>

AUTHENTICATION

AUTHENTICATION ESAPI().authenticator().login();• Username & password combination (invisibly)• Reading a “Remember me” cookie• Currently logged in user based upon the session-id value 32

AUTHENTICATIONKey methods:• createUser()• generateStrongPassword()• getcurrentUser()• logout()• verifyAccountnameStrength()• verifyPasswordStrength 33

THE USER

THE USERESAPI().authenticator().createUser(”random01”,”657fhg",” 657fhg");objUser = ESAPI ().authenticator().login(request, response);objUser = ESAPI ().authenticator().getCurrentUser();objUser = ESAPI ().authenticator().getUser(” random01”);Token creation: objUser.resetCSRFToken();Accessing the token: objUser.getCSRFToken(); 35

THE USERKey methods:• changePassword() • isInRole()• disable() • isEnabled()• enable() • isExpired()• getAccountName() • isLocked()• getCSRFToken() • resetCSRFToken()• getLastFailedLoginTime() • resetPassword()• getLastLoginTime() • isSessionTimeout()• getRoles() • isSessionAbsoluteTimeout()

HTTP UTILITIESProvides a safe version of therequest and response object

HTTP UTILITIESKey methods:• addCSRFToken() • encryptStateInCookie()• verifyCSRFToken() • decryptStateFromCookie()• assertSecureRequest() • getSafeFileUploads()• changeSessionIdentifier() • safeSendForward()• encryptHiddenField() • safeSetContentType()• decryptHiddenField() • setNoCacheHeaders()• encryptQueryString() • setRememberToken()• decryptQueryString()

ACCESS CONTROLLERThe gatekeeper for your ESAPIapplication implementation<cfscript> if ((role == admin) && (coffeeIntake != small)) { // Take them to the Admin Console location(/admin/hiddenPages.cfm); } else { // Direct user elsewhere location(/standardPage.cfm); }</cfscript>

ACCESS CONTROLLER• isAuthorizedForData()• isAuthorizedForFile()• isAuthorizedForURL()• assertAuthorizedForData()• assertAuthorizedForFile()• assertAuthorizedForURL()

ENCRYPTOR• decrypt()• encrypt()• hash()• seal()• sign(String data)• unseal()• verifySeal()• verifySignature()

VALIDATOR• White-list based ﬁlters• Data canonicalization prior to being passed to ﬁlters• Detects double-encoding and throws an exception

VALIDATOR CONFIGURATION#================================================# ESAPI ValidationValidator.ConfigurationFile=validation.properties# Validators used by ESAPIValidator.RoleName=^[a-z]{1,20}$# Global HTTP Validation RulesValidator.HTTPScheme=^(http|https)$Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$Validator.HTTPParameterValue=^[a-zA-Z0-9.-/

VALIDATOR CONFIGURATIONValidator.SafeString=^[.p{Alnum}p{Space}]{0,1024}$Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+.[a-zA-Z]{2,4}$Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$Validator.URL=^(ht|f)tp(s?)://[0-9a-zA-Z]([-.w]*[0-9a-zA-Z])*(:(0-9)*)*(/?)([a-zA-Z0-9-.?,:/+=&%$#_]*)?$Validator.CreditCard=^(d{4}[- ]?){3}d{4}$Validator.SSN=^(?!000)([0-6]d{2}|7([0-6]d|7[012]))([ -]?)(?!00)dd3(?!0000)d{4}$

VALIDATOR CONFIGURATIONCustom white-list values can be added into the ESAPI.properties file:Declaring: Example User ID - MatGif0075 White-list entry: Validator.UserId= ^[A-Z]{6}[0-9]{4}$Validating: isValidInput(“User ID”, “MatGif0075”, “UserId", 10, false);

THE PROS • Designed by security experts • Multiple language support • Highly extensible • Works invisibly in many ways (voodoo magic) • It’s open-source!!47

THE CONS • Paradigm shift (a new way of thinking) • Worth the time retrofitting? • Documentation levels (with clear working examples) • It’s only an API - it’s not the miracle cure48

MORE INFO • OWASP ESAPI Official Page http://bit.ly/owasp_esapi • ESAPI Javadocs http://bit.ly/esapi-javadocs • CFESAPI on github http://bit.ly/cfesapi50

NOW GRAB YOURTOOTHBRUSH ANDGO SLAY SOMEDRAGONSMatt Gifford (@coldfumonkeh)www.mattgifford.co.ukColdFusion Unconference, Adobe MAX 2011

OWASP Enterprise Security API and available methods to help lock down a ColdFusion application

by Matt Gifford

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 12

Statistics

OWASP Enterprise Security API and available methods to help lock down a ColdFusion application Presentation Transcript