OWASP Enterprise Security API

Transcript of "OWASP Enterprise Security API"

  1. Enterprise Security API (ESAPI). Thursday, 2011-03-10
  2. (image slide, no text)
  3. OWASP, The Open Web Application Project
  4. (image slide, no text)
  5. I answer questions
  6. The problems
  7. The problems
     • Input Validation and Output Encoding
     • Authentication and Identity
     • URL Access Control
     • Business Function Access Control
     • Data Layer Access Control
  8. The problems
     • Presentation Layer Access Control
     • Errors, Logging, and Intrusion Detection
     • Encryption, Hashing, and Randomness
  9. OWASP Top 10
     • A1 Injection
     • A2 Cross-Site Scripting (XSS)
     • A3 Broken Authentication and Session Management
     • A4 Insecure Direct Object References
     • A5 Cross-Site Request Forgery (CSRF)
     • A6 Security Misconfiguration
     • A7 Insecure Cryptographic Storage
     • A8 Failure to Restrict URL Access
     • A9 Insufficient Transport Layer Protection
     • A10 Unvalidated Redirects and Forwards
  10. And over 300 other security problem types
  11. Vulnerabilities and Security Controls: Ignored, Misused, Broken, Missing
  12. Why is input validation hard?
  13. <
  14. Percent (URL) Encoding
     • %3c
     • %3C
  15. HTML Entity Encoding (decimal, with and without the semicolon)
     • &#60 / &#60;
     • &#060 / &#060;
     • &#0060 / &#0060;
     • &#00060 / &#00060;
     • &#000060 / &#000060;
     • &#0000060 / &#0000060;
  16. HTML Entity Encoding (lower-case x, lower-case hex)
     • &#x3c / &#x3c;
     • &#x03c / &#x03c;
     • &#x003c / &#x003c;
     • &#x0003c / &#x0003c;
     • &#x00003c / &#x00003c;
     • &#x000003c / &#x000003c;
  17. HTML Entity Encoding (upper-case X, lower-case hex)
     • &#X3c / &#X3c;
     • &#X03c / &#X03c;
     • &#X003c / &#X003c;
     • &#X0003c / &#X0003c;
     • &#X00003c / &#X00003c;
     • &#X000003c / &#X000003c;
  18. HTML Entity Encoding (lower-case x, upper-case hex)
     • &#x3C / &#x3C;
     • &#x03C / &#x03C;
     • &#x003C / &#x003C;
     • &#x0003C / &#x0003C;
     • &#x00003C / &#x00003C;
     • &#x000003C / &#x000003C;
  19. HTML Entity Encoding (upper-case X, upper-case hex)
     • &#X3C / &#X3C;
     • &#X03C / &#X03C;
     • &#X003C / &#X003C;
     • &#X0003C / &#X0003C;
     • &#X00003C / &#X00003C;
     • &#X000003C / &#X000003C;
  20. HTML Entity Encoding (named entity, case variants)
     • &lt / &lt;
     • &lT / &lT;
     • &Lt / &Lt;
     • &LT / &LT;
  21. JavaScript Escape (of the character <)
     • \x3C
     • \x3c
     • \X3C
     • \X3c
     • \u003C
     • \u003c
     • \U003C
     • \U003c
  22. CSS Escape
     • \3c
     • \3C
     • \03c
     • \03C
     • \003c
     • \003C
     • \0003c
     • \0003C
     • \00003c
     • \00003C
  23. UTF-7 vs UTF-8 (UTF-7 form, then overlong UTF-8 sequences)
     • +ADw-
     • %c0%bc
     • %e0%80%bc
     • %f0%80%80%bc
     • %f8%80%80%80%bc
     • %fc%80%80%80%80%bc
  24. 1,677,721,600,000,000 ways to encode <script>
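Slides 13 to 24 make the case that a validator cannot match on raw input, because the same character has thousands of spellings. As an added example (Python, not ESAPI's own PHP code), the block below canonicalizes the percent, HTML-entity, JavaScript and CSS spellings from those slides to a fixed point, counts how often each codec fired so that double and mixed encoding can be refused, and then applies a getValidInput()-style length and whitelist check in the shape of slide 34; the function names, the codec list and the rejection policy are assumptions modelled on ESAPI's approach, and UTF-7 and overlong UTF-8 (slide 23) are not handled here.

```python
import html
import re
import urllib.parse

_BACKSLASH = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})"
                        r"|([0-9a-fA-F]{1,6}) ?)")

def _decode_backslash(s):  # JavaScript \x3C / \u003C and CSS \3c escapes
    return _BACKSLASH.sub(
        lambda m: chr(int(m.group(1) or m.group(2) or m.group(3), 16)), s)

CODECS = [("percent", urllib.parse.unquote), ("html_entity", html.unescape),
          ("backslash", _decode_backslash)]  # re-applied until a fixed point

def canonicalize(value, max_passes=10):
    """Decode to a fixed point; hits[codec] > 1 = double encoding, 2+ codecs = mixed."""
    hits = {}
    for _ in range(max_passes):
        changed = False
        for name, decode in CODECS:
            decoded = decode(value)
            if decoded != value:
                hits[name] = hits.get(name, 0) + 1
                value, changed = decoded, True
        if not changed:
            break
    return value, hits

def get_valid_input(value, pattern, max_length, allow_null=False):
    """ESAPI-style getValidInput(): canonicalize, check encoding, length, whitelist."""
    if value is None or value == "":
        if allow_null:
            return None
        raise ValueError("input required")
    canonical, hits = canonicalize(value)
    if len(hits) > 1 or max(hits.values(), default=0) > 1:
        raise ValueError("multiple or mixed encoding detected")
    if len(canonical) > max_length:
        raise ValueError("input too long")
    if not re.fullmatch(pattern, canonical):
        raise ValueError("input does not match whitelist")
    return canonical

def is_valid_input(value, pattern, max_length, allow_null=False):
    try:  # isValidInput() counterpart: a boolean instead of an exception
        get_valid_input(value, pattern, max_length, allow_null)
        return True
    except ValueError:
        return False
```

The whitelist is checked against the canonical form only, so a regex that rejects `<` rejects every spelling of it, and a value that needed two decoding rounds is refused before the regex is even consulted.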
  25. The solutions?
  26. What is Enterprise Security API?
  27. ESAPI Community (Communauté ESAPI): Library, Wiki, Mailing List, Users, Developers, Objective-C
  28. (same community diagram as slide 27)
  29. (same community diagram as slide 27)
  30. Overview of the Architectural Impact
  31. Enterprise Security API, architecture diagram of the components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
  32. Same diagram, AccessController highlighted
     • isAuthorizedForURL()
     • isAuthorizedForFile()
     • isAuthorizedForData()
     • isAuthorizedForService()
     • isAuthorizedForFunction()
  33. (same architecture diagram as slide 31)
  34. Enterprise Security API, Validator: getValidInput() as called from PHP
         <?php echo $ESAPI->validator()->getValidInput(
             String $context, String $input, String type, int $maxLength,
             boolean allowNull, ValidationErrorList $errorList); ?>
  35. Enterprise Security API, Validator: interface ValidationRule, abstract BaseValidationRule, CreditCard ValidationRule
     • assertIsValidHttpRequest()
     • assertIsValidHttpRequestParameterSet()
     • assertIsValidFileUpload()
     • getValidDate()
     • getValidDouble()
     • getValidDirectoryPath()
     • getValidFileContent()
     • getValidFileName()
  36. Enterprise Security API, Validator (continued)
     • isValidCreditCard()
     • isValidDataFromBrowse()
     • isValidDirectoryPath()
     • isValidFileContent()
     • isValidFileName()
     • isValidHTTPRequest()
     • isValidListItem()
     • isValidRedirectLocation()
     • isValidSafeHTML()
     • isValidPrintable()
     • safeReadLine()
  37. Enterprise Security API, Encoder
     • encodeForCSS
     • encodeForDN
     • encodeForHTML
     • encodeForLDAP
     • encodeForSQL
     • encodeForURL
     • encodeForJavaScript
     • encodeForXML
     • encodeForHTMLAttribute
     • encodeForXPath
     • encodeForVBScript
     • encodeForXMLAttribute
         <?php echo $ESAPI->encoder()->encodeForHTML($name) ?>
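The Encoder on slide 37 has one method per output context because the escaping syntax differs between HTML, attributes, JavaScript, CSS and URLs. The following added Python sketch (not ESAPI's PHP code) shows the principle behind those methods, letting only ASCII alphanumerics and a small per-context immune set through and hex-escaping everything else in the target context's own syntax; the immune sets and the render_greeting template are assumptions modelled on ESAPI's approach.

```python
import urllib.parse

# Per-context immune sets (assumption modelled on ESAPI's approach): only
# ASCII alphanumerics and these few characters pass through unencoded.
_IMMUNE = {"html": ",.-_ ", "html_attribute": ",.-_", "javascript": ",._",
           "css": ""}

def _escape(ch, context):
    """Hex-escape one character in the syntax of the target context."""
    cp = ord(ch)
    if context in ("html", "html_attribute"):
        return "&#x%x;" % cp                      # numeric entity, e.g. &#x3c;
    if context == "javascript":
        return "\\x%02X" % cp if cp < 256 else "\\u%04X" % cp
    if context == "css":
        return "\\%x " % cp                       # CSS escape; the space ends it
    raise ValueError("unknown context: " + context)

def encode(text, context):
    """Whitelist approach: pass alphanumerics and the immune set, escape the rest."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) or ch in _IMMUNE[context]
                   else _escape(ch, context) for ch in text)

def encode_for_html(text):
    return encode(text, "html")

def encode_for_html_attribute(text):
    return encode(text, "html_attribute")

def encode_for_javascript(text):
    return encode(text, "javascript")

def encode_for_css(text):
    return encode(text, "css")

def encode_for_url(text):
    """Percent-encode everything except the URL-unreserved characters."""
    return urllib.parse.quote(text, safe="")

def render_greeting(name):
    """Constructed template: the same untrusted name is placed in an HTML
    attribute, in HTML body text and inside a JavaScript string literal,
    each with the encoder for that context."""
    return ('<p title="%s">Hello %s</p><script>var n = "%s";</script>'
            % (encode_for_html_attribute(name), encode_for_html(name),
               encode_for_javascript(name)))
```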
  38. Enterprise Security API, HTTPUtilities
     • Add Safe Header
     • isSecureChannel
     • Safe Request Logging
     • No Cache Headers
     • Set Content Type
     • Safe File Uploads
     • Add Safe Cookie
     • Kill Cookie
     • sendSafeForward
     • Change SessionID
     • sendSafeRedirect
     • CSRF Tokens
     • Encrypt State in Cookie
     • Hidden Field Encryption
     • Querystring Encryption
  39. Enterprise Security API, Encryptor
     • Integrity Seals
     • Strong GUID
     • Random Tokens
     • Encryption
     • Digital Signatures
     • Salted Hash
     • Safe Config Details
     • Timestamp
         <?php $encrypted = $ESAPI->encryptor()->encrypt($text) ?>
  40. (same architecture diagram as slide 31)
  41. (same architecture diagram as slide 31)
  42. Enterprise Security API, Exception Handling
     • AccessControlException
     • AuthenticationException
     • AvailabilityException
     • EncodingException
     • EncryptionException
     • ExecutorException
     • IntegrityException
     • IntrusionException
     • ValidationException
  43. (same architecture diagram as slide 31)
  44. Same diagram, IntrusionDetector highlighted
     • Responses: Logout User, Log Intrusion, Disable Account
     • Configurable Thresholds
  45. (same architecture diagram as slide 31)
  46. OWASP Top 10 mapped to ESAPI components
     • A1 Injection: Encoder
     • A2 Cross Site Scripting (XSS): Encoder, Validator
     • A3 Broken Authentication and Session Management: Authenticator, User, HTTPUtilities
     • A4 Insecure Direct Object Reference: AccessReferenceMap, AccessController
     • A5 Cross Site Request Forgery (CSRF): User (CSRF Token)
     • A6 Security Misconfiguration: SecurityConfiguration
     • A7 Insecure Cryptographic Storage: Encryptor
     • A8 Failure to Restrict URL Access: AccessController
     • A9 Insufficient Transport Layer Protection: HTTPUtilities (Secure Cookie, Channel)
     • A10 Unvalidated Redirects and Forwards: AccessController
  47. ESAPI feature coverage matrix by language (only the row labels, the cell values and the Objective-C column header survived extraction; the other column headers did not)
     • Authentication: 2.0 1.4 1.4 1.4
     • Identity: 2.0 1.4 1.4 1.4
     • Access Control: 2.0 1.4 1.4 1.4 1.4
     • Input Validation: 2.0 1.4 1.4 1.4 1.4 1.4 2.0
     • Output Escaping: 2.0 1.4 1.4 1.4 1.4 2.0
     • Canonicalization: 2.0 1.4 1.4 1.4 1.4 2.0
     • Encryption: 2.0 1.4 1.4 1.4 1.4
     • Random Numbers: 2.0 1.4 1.4 1.4 1.4
     • Exception Handling: 2.0 1.4 1.4 1.4 1.4 1.4 2.0
     • Logging: 2.0 1.4 1.4 1.4 1.4 1.4 2.0
     • Intrusion Detection: 2.0 1.4 1.4 1.4
     • Security Configuration: 2.0 1.4 1.4 1.4 1.4 1.4 2.0
     • WAF: 2.0
  48. Adopters
  49. Additional Resources
     • OWASP Home Page: http://www.owasp.org
     • ESAPI Project Page: http://www.esapi.org
     • ESAPI-Users Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-users
     • ESAPI-Dev Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-dev
  50. Questions?
     • philippe@ph-il.ca
     • http://www.ph-il.ca
     • @SecureSymfony
     • http://www.ph-il.ca/en/conferences
     • http://www.ph-il.ca/fr/conferences
  51. (image slide, no text)