Enterprise Security API (ESAPI) Java
Java User Group – San Antonio



Jarret Raim
June 3rd, 2010
Discussion of the OWASP Enterprise Security API (ESAPI) for the Java User Group of San Antonio

Published in: Technology, Education
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,065
On SlideShare
0
From Embeds
0
Number of Embeds
55
Actions
Shares
0
Downloads
97
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Enterprise Security API (ESAPI) Java - Java User Group San Antonio

  1. 1. Enterprise Security API (ESAPI) Java Java User Group – San Antonio Jarret Raim June 3rd, 2010
What is it?

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.
Who cares?
How Does it Work?

Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

• There is a set of security control interfaces. They define, for example, the types of parameters that are passed to each type of security control.
• There is a reference implementation for each security control. The logic is not organization-specific and not application-specific. An example: string-based input validation.
• There are optionally your own implementations for each security control. These classes may contain application logic and may be developed by or for your organization. An example: enterprise authentication.
There are several supported languages

• Java EE
• PHP
• Classic ASP
• .NET
• Coldfusion
• Python
• JavaScript
• Haskell
• Force.com

And they have a plan. Maybe.
Tyranny of Choice

[Slide: a word cloud of the alternatives a Java developer has to choose between: Spring, ACEGI, JAAS, JCE, Jasypt, Cryptix, BouncyCastle, xml-enc, xml-dsig, Commons Validator, Stinger, Struts, HDIV, Reform, Anti-XSS, URL Encoder, Log4j, standard Java logging, writing custom Java code, and many more.]
Vulnerability Theory

[Diagram: Threat Agent → Vector → Vulnerability → Control → Technical Impact → Business Impact. Where the control is missing, the vector reaches the vulnerable asset or function directly and produces the business impact.]
Where do Vulnerabilities Come From?

• Missing Controls
  – Lack of encryption
  – Failure to perform access control
• Broken Controls
  – Weak hash algorithm
  – Fail open
• Ignored Controls
  – Failure to use encryption
  – Forgot to use output encoding
• ESAPI Solves
  – Missing
  – Broken
• Process Solves
  – Ignored
[Diagram: ESAPI architecture. A custom enterprise web application calls the Enterprise Security API (Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration), which in turn sits on top of existing enterprise security services and libraries.]
Encoder

• Typical output in most web frameworks leads to XSS vulnerabilities (and an XSS hole in turn defeats CSRF protections):

    <p>Hello, <%=name%></p>

• The ESAPI encoder allows direct encoding depending on the context the data is written into:

    <p>Hello, <%=ESAPI.encoder().encodeForHTML(name)%></p>

  – Web (HTML, JavaScript, CSS)
  – Databases (MySQL, Oracle)
  – URL
  – Shells (Unix, Windows)
  – XML
  – LDAP
• Also provides a canonicalize method to remove any encodings.
[Diagram: where the Validator and Encoder sit in the request path (User → Controller → Business Functions → Data Layer → Backend). Validator: isValidCreditCard, isValidDataFromBrowser, isValidDirectoryPath, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidListItem, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine, plus canonicalization, double-encoding protection, sanitization and normalization. Encoder: encodeForJavaScript, encodeForVBScript, encodeForURL, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForDN, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath.]
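The Encoder methods listed above, exercised in working Java. This is an added example rather than code from the slides or the ESAPI project; it assumes ESAPI 2.x on the classpath with a reference ESAPI.properties (in particular the default Encoder.AllowMultipleEncoding=false), and the NAME value is a constructed attacker input.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.MySQLCodec;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.IntrusionException;

// Contextual output encoding with the ESAPI Encoder (added example, ESAPI 2.x assumed).
public class EncoderDemo {

    // Constructed attacker-style input, as if typed into a "name" form field.
    static final String NAME = "<script>alert(document.cookie)</script>";

    // Vulnerable: the slide's <%=name%> pattern; the value lands in the page unchanged.
    static String greetUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Fixed: encode for the context the value ends up in (HTML text).
    static String greetHtml(String name) {
        return "<p>Hello, " + ESAPI.encoder().encodeForHTML(name) + "</p>";
    }

    // Every interpreter needs its own encoder. HTML encoding inside an attribute or a
    // <script> block is the wrong tool and still leaves an injection.
    static String greetAttribute(String name) {
        return "<input name=\"who\" value=\"" + ESAPI.encoder().encodeForHTMLAttribute(name) + "\">";
    }

    static String greetJavaScript(String name) {
        return "<script>var who = '" + ESAPI.encoder().encodeForJavaScript(name) + "';</script>";
    }

    static String searchLink(String term) throws EncodingException {
        return "/search?q=" + ESAPI.encoder().encodeForURL(term);
    }

    // Escaping for a MySQL interpreter, for the rare query that cannot be parameterized.
    static String sqlLiteral(String value) {
        MySQLCodec codec = new MySQLCodec(MySQLCodec.Mode.STANDARD);
        return "'" + ESAPI.encoder().encodeForSQL(codec, value) + "'";
    }

    // canonicalize() undoes URL/HTML/JavaScript encodings before validation. With the
    // default Encoder.AllowMultipleEncoding=false, double-encoded input such as "%253C"
    // raises IntrusionException, so the caller can treat it as an attack, not as data.
    static String canonical(String input) {
        try {
            return ESAPI.encoder().canonicalize(input);
        } catch (IntrusionException e) {
            return null;
        }
    }

    public static void main(String[] args) throws EncodingException {
        System.out.println(greetUnsafe(NAME));
        System.out.println(greetHtml(NAME));
        System.out.println(greetAttribute(NAME));
        System.out.println(greetJavaScript(NAME));
        System.out.println(searchLink("a b&c=d"));
        System.out.println(sqlLiteral("O'Brien"));
        System.out.println(canonical("%3Cscript%3E"));       // single encoding
        System.out.println(canonical("%253Cscript%253E"));   // double encoding, refused by default
    }
}
```

The point to take from the pairs above is that there is no single "escape" call: the encoder is chosen by the interpreter that will read the output, and canonicalization happens on the way in, before validation, not on the way out.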
Validator

EXAMPLE: <script>alert(document.cookie)</script>

• The Validator interface defines a set of methods for canonicalizing and validating untrusted input.
  – The isValid… methods return booleans, as not all validation problems are security issues.
• Invalid input will generate a descriptive ValidationException, which will be stored in the ValidationErrorList.
• Input that is clearly an attack will generate a descriptive IntrusionException.

    ESAPI.validator().getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList)

    assertIsValidHttpRequest()
    assertIsValidHttpRequestParameterSet()
    assertIsValidFileUpload()
    getValidCreditCard()
    getValidDate()
    getValidDirectoryPath()
    getValidDouble()
    getValidFileContent()
    getValidFileName()
    …
Validator Example

• ESAPI provides the ValidationRule and Validator interfaces.
• Implement your own validators for your data.
• Reference regex patterns defined in ESAPI.properties, from generic to specific.
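The two Validator slides above in working Java: the ValidationErrorList overload that collects problems for a form, the throwing overload that distinguishes a ValidationException from an IntrusionException, and a custom ValidationRule. This is an added example, not code from the slides or the ESAPI project. It assumes ESAPI 2.x with the reference ESAPI.properties, which defines the Validator.SafeString, Validator.Email and Validator.AccountName patterns; the "TicketId" rule and all inputs are constructed for the example.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.ValidationRule;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.StringValidationRule;

// Input validation with the ESAPI Validator (added example, ESAPI 2.x assumed).
// "SafeString", "Email" and "AccountName" are Validator.* regex keys in the reference
// ESAPI.properties; "TicketId" is a hypothetical application-specific rule.
public class ValidatorDemo {

    // A custom ValidationRule built in code. The same pattern could instead live in
    // ESAPI.properties as Validator.TicketId and be referenced by its type name.
    static void registerTicketRule() {
        StringValidationRule rule = new StringValidationRule("TicketId", ESAPI.encoder());
        rule.addWhitelistPattern("^TKT-[0-9]{6}$");   // hypothetical ticket format
        rule.setMaximumLength(10);
        ESAPI.validator().addRule(rule);
    }

    // Form handling: collect every problem so the user can fix them all at once.
    // The errorList overload stores each ValidationException instead of throwing it.
    static ValidationErrorList checkForm(String comment, String email, String ticket) {
        ValidationErrorList errors = new ValidationErrorList();
        ESAPI.validator().getValidInput("comment", comment, "SafeString", 1024, false, errors);
        ESAPI.validator().getValidInput("email", email, "Email", 254, false, errors);
        ValidationRule ticketRule = ESAPI.validator().getRule("TicketId");
        try {
            ticketRule.getValid("ticket", ticket);
        } catch (ValidationException e) {
            errors.addError("ticket", e);
        }
        return errors;
    }

    // Single field: a ValidationException is ordinary bad input and carries a message that
    // is safe to show; an IntrusionException means the input is clearly an attack (for
    // example the double-encoded input that canonicalize() refuses) and the request
    // should be refused outright.
    static String checkAccountName(String input) {
        try {
            return ESAPI.validator().getValidInput("account", input, "AccountName", 20, false);
        } catch (ValidationException e) {
            System.out.println("rejected: " + e.getUserMessage());
            return null;
        } catch (IntrusionException e) {
            System.out.println("attack: " + e.getUserMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        registerTicketRule();
        // Constructed inputs: one clean form, one carrying the slide's XSS payload.
        ValidationErrorList ok = checkForm("Thanks for the help", "bob@example.com", "TKT-004211");
        System.out.println("clean form errors: " + ok.size());
        ValidationErrorList bad = checkForm("<script>alert(document.cookie)</script>",
                                            "not-an-email", "TKT-1");
        for (ValidationException e : bad.errors()) {
            System.out.println(e.getContext() + ": " + e.getUserMessage());
        }
        checkAccountName("alice01");
        checkAccountName("%253Cscript%253E");
    }
}
```

Whitelisting by type name keeps the regexes in one place (ESAPI.properties or a registered rule) so that a field is validated the same way on every form that carries it.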
[Diagram: validate and encode at every boundary. On the way in from the user: set character set, canonicalize, global validate; then a specific validate, sanitize and encoding for each interpreter behind the business functions and data layer (web service, database, mainframe, file system, etc.). On the way out to the user interface: canonicalize, encode for HTML, validate.]
Authenticator

• Interface with a simple, file based example implementation
• Log In / Log Out
• Password Verification
• Create User
• Password Generation
• Change Password
• Expirations
• Logging
• Per User Session
• Anonymous User

Per-user state:
• Locale
• Roles
• Disable / Enable
• Locked / Unlocked
• CSRF Tokens
• Last Login
• Last Invalid Login
• Password Age
• Screen Name
• Failed Log In Count
• Last Logged in Host
[Diagram: Authentication, Intrusion Detection, Logging, Access Control and Users across the request path (User → Controller → Business Functions → Data Layer → Backend).]

Note that the ESAPI project does not have out of the box support for projects like Spring, but can be made to work.
[Diagram: AccessController checks placed along the request path (User → Controller → Business Functions → Data Layer → backends such as web service, database, mainframe, file system): isAuthorizedForURL, isAuthorizedForFunction, isAuthorizedForData, isAuthorizedForService, isAuthorizedForFile.]
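The Authenticator and AccessController together in a servlet, as an added example (not code from the slides or the ESAPI project). It assumes ESAPI 2.x with the reference file-based Authenticator (users.txt) and the reference AccessController (fbac-policies) configured; the "transfer" function name and the URL are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;

// Login plus URL/function authorization through ESAPI (added example, ESAPI 2.x assumed).
public class TransferServlet extends HttpServlet {
    private static final Logger log = ESAPI.getLogger(TransferServlet.class);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        User user;
        try {
            // Takes the credentials from the request (or the already authenticated
            // session), verifies the password against the user store, enforces the
            // enabled/locked/expired state and session timeouts, and makes the user
            // "current" for this thread so logging and intrusion detection carry identity.
            user = ESAPI.authenticator().login(request, response);
        } catch (AuthenticationException e) {
            // getUserMessage() is safe to show; the detailed log message has already
            // been written to the security log by ESAPI when the exception was built.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getUserMessage());
            return;
        }
        try {
            // Decisions come from the policy files, not from role strings scattered
            // through the code. The URL check is what A10 (URL access) needs; the
            // function check protects the operation even if it is reached another way.
            ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI());
            ESAPI.accessController().assertAuthorizedForFunction("transfer");
        } catch (AccessControlException e) {
            log.warning(Logger.SECURITY_FAILURE,
                    "Denied transfer for " + user.getAccountName());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... perform the transfer for the authenticated, authorized user ...
        response.setStatus(HttpServletResponse.SC_OK);
    }
}
```

The assert… variants throw, so a forgotten check cannot silently fail open; the isAuthorized… variants return booleans for the cases (menus, links) where denial is not an error.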
Encryption

• Encryption failures can lead to violations of the “Big Three”
  – Confidentiality
  – Integrity
  – Availability (maybe)
• Encryption is surprisingly difficult to get right.
  – You are probably doing it wrong right now.
• The Encryptor interface provides a set of methods for performing common encryption, random number, and hashing operations.

    encrypted = ESAPI.encryptor().encrypt( decrypted );
    decrypted = ESAPI.encryptor().decrypt( encrypted );
[Diagram: Encryptor and Encrypted Properties across the request path (User → Controller → Business Functions → Data Layer → Backend). Capabilities: integrity seals, encrypted properties, strong GUIDs, digital signatures, safe config details, random tokens, timestamps, salted hashes.]
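The Encryptor calls from the slide plus the salted hash and integrity seal capabilities from the diagram, as an added example (not code from the slides or the ESAPI project). It assumes ESAPI 2.x, whose API works on PlainText/CipherText objects rather than the bare Strings shown on the slide, and an ESAPI.properties in which Encryptor.MasterKey and Encryptor.MasterSalt have already been generated; the sample data is constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntegrityException;

// Encryption, salted hashing and integrity seals through the ESAPI Encryptor
// (added example, ESAPI 2.x assumed).
public class EncryptorDemo {

    // The CipherText carries the IV and cipher spec, and with the reference configuration
    // (CBC plus Encryptor.CipherText.useMAC=true) a MAC, so a modified ciphertext fails on
    // decrypt instead of yielding garbage that the application might act on.
    static byte[] protect(String secret) throws EncryptionException {
        CipherText ct = ESAPI.encryptor().encrypt(new PlainText(secret));
        return ct.asPortableSerializedByteArray();   // storable in a column or a cookie
    }

    static String reveal(byte[] stored) throws EncryptionException {
        CipherText ct = CipherText.fromPortableSerializedBytes(stored);
        return ESAPI.encryptor().decrypt(ct).toString();
    }

    // Salted hash for stored credentials: the configured digest and iteration count are
    // applied; the per-record salt must be stored alongside the hash.
    static String hashPassword(String password, String salt) throws EncryptionException {
        return ESAPI.encryptor().hash(password, salt);
    }

    static String newSalt() {
        return ESAPI.randomizer().getRandomString(16, EncoderConstants.CHAR_ALPHANUMERICS);
    }

    // Integrity seal: an encrypted, expiring token for data that round-trips through the
    // client (hidden field, query string) and must come back unaltered.
    static String sealForTenMinutes(String data) throws IntegrityException {
        long expires = ESAPI.encryptor().getRelativeTimeStamp(10 * 60 * 1000L);
        return ESAPI.encryptor().seal(data, expires);
    }

    static String openSeal(String seal) throws EncryptionException {
        return ESAPI.encryptor().unseal(seal);   // throws if expired or tampered with
    }

    public static void main(String[] args) throws Exception {
        byte[] stored = protect("acct=9182374");          // constructed sample data
        System.out.println(reveal(stored));

        String salt = newSalt();
        String hash = hashPassword("correct horse battery staple", salt);
        System.out.println(hash.equals(hashPassword("correct horse battery staple", salt)));

        String seal = sealForTenMinutes("ref=report123");
        System.out.println(openSeal(seal));
        System.out.println(ESAPI.encryptor().verifySeal("not-a-seal"));
    }
}
```

The key, mode and MAC are all chosen in ESAPI.properties, which is the point of the slide's warning: the application code never picks an algorithm, an IV or a padding, which is where "doing it wrong" usually happens.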
Direct Object Reference

• Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
• Fix is to generate suitably random garbage, then internally map that to the appropriate IDs.
• Doing this is surprisingly annoying, especially if there are no sessions.
  – Not really scaling-friendly.
• ESAPI provides a random access reference map, which also helps protect against CSRF.

    String directReference = "This is a direct reference.";
    RandomAccessReferenceMap instance = new RandomAccessReferenceMap();
    String ind = instance.addDirectReference((Object)directReference);
[Diagram: the Access Reference Map translates the indirect references shown to the user (ref=jfo8we4oji) into the direct references used by the backends (Acct:9182374 in the database, Report123.xls on the file system, web service, mainframe, etc.).]
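The slide's RandomAccessReferenceMap used the way the diagram describes, as an added example (not code from the slides or the ESAPI project). It assumes ESAPI 2.x; the account number, report name and forged token are constructed, and in a real application the map would be built at login and kept in the user's HttpSession.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

// Indirect object references with ESAPI's RandomAccessReferenceMap
// (added example, ESAPI 2.x assumed).
public class AccountRefs {
    private final RandomAccessReferenceMap map;

    // Seed the map with exactly the objects this user may reach. Because the map can only
    // resolve back to those, it is an authorization boundary, not just obfuscation.
    AccountRefs(Set<Object> ownedObjects) {
        this.map = new RandomAccessReferenceMap(ownedObjects);
    }

    // Outbound: what goes into links and forms, e.g. ?ref=jfo8we4oji instead of ?acct=9182374.
    String indirectFor(String direct) {
        return map.getIndirectReference(direct);
    }

    // Inbound: resolve the client-supplied token. A token that was never issued to this
    // user (forged, guessed, or copied from another session) raises AccessControlException,
    // which ESAPI also reports to the intrusion detector.
    String resolve(String ref) {
        try {
            return map.getDirectReference(ref);
        } catch (AccessControlException e) {
            return null;
        }
    }

    // Objects granted later (a new account) are added the same way; the returned token is
    // the only handle the client ever sees.
    String grant(String direct) {
        return map.addDirectReference(direct);
    }

    public static void main(String[] args) {
        // Constructed: the objects one user owns.
        Set<Object> mine = new HashSet<Object>(Arrays.asList("9182374", "Report123.xls"));
        AccountRefs refs = new AccountRefs(mine);

        String ref = refs.indirectFor("9182374");
        System.out.println("link: /account?ref=" + ref);
        System.out.println(refs.resolve(ref));             // the real account number
        System.out.println(refs.resolve("jfo8we4oji"));    // not issued to this session: null

        String reportRef = refs.grant("Report456.xls");
        System.out.println(refs.resolve(reportRef));
    }
}
```

Since the tokens are random and per session, a cross-site page cannot construct a valid ref for a victim's account, which is the CSRF benefit the slide mentions; the cost is the per-session state the slide also warns about, which is why the map is rebuilt at login rather than kept globally.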
Logging & Exceptions

• For many applications, logging is only used to detect application errors.
• It is usually geared to solving problems in development
  – Hopefully with an eye to production.
• ESAPI provides a logging implementation that integrates with the security substructure.
  – Logs ESAPI-generated security exceptions with identity information
  – Can be used by normal business code to log security exceptions, or just to log information, with identity
• Integrates an intrusion detection system that can respond to different types of intrusions by disabling accounts or other actions.
[Diagram: exception handling across the request path. An Enterprise Security Exception carries a user message (no detail) and a log message (with identity). Subtypes: AccessControlException, AuthenticationException, AvailabilityException, EncodingException, EncryptionException, ExecutorException, IntegrityException, IntrusionException, ValidationException. Exceptions feed the Intrusion Detector, which has configurable thresholds and responses: log intrusion, logout user, disable account.]
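Identity-carrying logging and the intrusion detector thresholds from the diagram, as an added example (not code from the slides or the ESAPI project). It assumes ESAPI 2.x with a logged-in current user, as inside a request; the "LoginFailure" event name and its thresholds are hypothetical and would be declared in ESAPI.properties as shown in the comments.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Security logging with identity, and intrusion-detector thresholds
// (added example, ESAPI 2.x assumed). Hypothetical ESAPI.properties entries:
//   IntrusionDetector.event.LoginFailure.count=5
//   IntrusionDetector.event.LoginFailure.interval=60
//   IntrusionDetector.event.LoginFailure.actions=log,logout,disable
// ESAPI-generated exceptions are counted the same way under their class name, e.g.
//   IntrusionDetector.org.owasp.esapi.errors.ValidationException.count=10
public class SecurityEvents {
    private static final Logger log = ESAPI.getLogger(SecurityEvents.class);

    // Business-code logging: the ESAPI Logger prefixes each entry with the event type and
    // the current user's account name and host, so identity never has to be threaded
    // through by hand and cannot be forgotten.
    static void noteSensitiveAction(String what) {
        log.info(Logger.SECURITY_SUCCESS, "Performed " + what);
    }

    // Custom event: logged and counted against the current user. Reaching `count`
    // occurrences within `interval` seconds triggers the configured actions.
    static void recordLoginFailure(String attemptedAccount) {
        ESAPI.intrusionDetector().addEvent("LoginFailure",
                "Bad password for " + attemptedAccount);
    }

    // ESAPI exceptions carry two messages: a user message with no detail, and a log
    // message that ESAPI has already written with the requester's identity and reported
    // to the intrusion detector when the exception was constructed.
    static String handleField(String input) {
        try {
            return ESAPI.validator().getValidInput("field", input, "SafeString", 200, false);
        } catch (ValidationException e) {
            return "Error: " + e.getUserMessage();       // safe to render to the browser
        } catch (IntrusionException e) {
            // By now the detector may already have logged the user out or disabled
            // the account, depending on the configured actions.
            return "Request rejected";
        }
    }

    public static void main(String[] args) {
        noteSensitiveAction("password change");
        recordLoginFailure("alice");                      // constructed sample event
        System.out.println(handleField("hello"));
        System.out.println(handleField("<script>alert(document.cookie)</script>"));
    }
}
```

The split between user message and log message is what keeps A6 (information leakage through error handling) out of the response while still giving operations a log line that names the account and host.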
Handling HTTP

• Many applications make heavy use of HTTP for functionality
  – Classic ASP uses redirects for flow control, error handling, etc.
• The use of data from the request accounts for most web security defects
• ESAPI provides methods to interact with the request
  – Helper methods for encryption
  – CSRF tokens
  – Etc.
• Deals with character sets and encodings
[Diagram: HTTP Utilities across the request path (User → Controller → Business Functions → Data Layer → Backend). Capabilities: add safe header, sendSafeForward, no-cache headers, sendSafeRedirect, set content type, add safe cookie, kill cookie, encrypt state in cookie, isSecureChannel, change session ID, hidden field encryption, safe request logging, querystring encryption, CSRF tokens, safe file uploads.]
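Several of the HTTPUtilities capabilities from the diagram in one request/response cycle, as an added example (not code from the slides or the ESAPI project). It assumes ESAPI 2.x in a servlet container with a logged-in current user; the /app/transfer and /app/done URLs and the "pref" cookie are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.IntrusionException;

// Request and response handling through ESAPI HTTPUtilities (added example, ESAPI 2.x assumed).
public class TransferFormServlet extends HttpServlet {

    // Rendering the form: embed the current user's CSRF token and forbid caching, so the
    // token (and the form state) never ends up in a shared or proxy cache.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        ESAPI.httpUtilities().setNoCacheHeaders(response);
        ESAPI.httpUtilities().setContentType(response);   // configured content type and charset
        // addCSRFToken appends the current user's token to the href as a parameter.
        String action = ESAPI.httpUtilities().addCSRFToken("/app/transfer");
        response.getWriter().println("<form method=\"post\" action=\""
                + ESAPI.encoder().encodeForHTMLAttribute(action) + "\">...</form>");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Refuse to handle sensitive state over plaintext HTTP (A9).
        if (!ESAPI.httpUtilities().isSecureChannel(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            // Compares the token in the request with the one held on the current User.
            ESAPI.httpUtilities().verifyCSRFToken(request);
        } catch (IntrusionException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            // Rotate the session id after a privilege change to defeat session fixation.
            ESAPI.httpUtilities().changeSessionIdentifier(request);
        } catch (AuthenticationException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Cookies go through ESAPI so the value is validated and the Secure/HttpOnly
        // flags are applied according to configuration.
        ESAPI.httpUtilities().addCookie(response, new Cookie("pref", "compact"));
        try {
            // Only locations matching the Validator.Redirect whitelist are allowed,
            // which closes the open-redirect hole that free-form redirects leave.
            ESAPI.httpUtilities().sendRedirect(response, "/app/done");
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
```

Each call here replaces a raw servlet call (response.addCookie, response.sendRedirect, setting cache headers by hand) with one that has the safe defaults and the whitelist check built in, which is the practical meaning of "ESAPI provides methods to interact with the request".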
OWASP Top Ten 2007 → OWASP ESAPI

A1. Cross Site Scripting (XSS)              Validator, Encoder
A2. Injection Flaws                         Encoder
A3. Malicious File Execution                HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference        AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF)       User (CSRF Token)
A6. Leakage and Improper Error Handling     EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions      Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage          Encryptor
A9. Insecure Communications                 HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access         AccessController
Special Thanks

• Supports OWASP and ESAPI
• Many of the diagrams in the slides are from a similar presentation by Aspect.
Conclusion

Denim Group, Ltd.
(210) 572-4400
Web: www.denimgroup.com
Blog: blog.denimgroup.com