OWASP ESAPI WAF AppSec DC 2009

5,119 views
4,841 views

Published on

A presentation and demo of the ESAPI web application firewall component released at OWASP AppSec DC 2009.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,119
On SlideShare
0
From Embeds
0
Number of Embeds
24
Actions
Shares
0
Downloads
73
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

OWASP ESAPI WAF AppSec DC 2009

  1. 1. Title of Presentation<br />Name<br />Title<br />Company Name<br />
  2. 2. OWASP ESAPI WAF<br />Developed by Arshan Dabirsiaghi (w/ Jeff Williams)<br />A sub-project under the ESAPI umbrella<br />The Star Trek: TNG of WAFs<br />Robust<br />Usable<br />Free<br />Open Source<br />Performant<br />Pragmatic<br />
  3. 3. “Yeah, well I hate WAFs”<br />Perfect! Me too.<br />
  4. 4. WAFs were for Federalists (part 1)<br />Development Team A<br />Development Team B<br />Security Team<br />Development Team C<br />
  5. 5. WAFs were for Federalists (part 2)<br />Development Team A<br />Development Team B<br />Development Team C<br />
  6. 6. Why fix in ESAPI WAF vs. fix in code?<br />
  7. 7. Why fix in ESAPI WAF vs. fix in code?<br />
  8. 8. Advantages of Application-Layer WAFs<br />Performance – only your rules are checked, plus state is already managed by the app server<br />Capability – being closer to the app lets us do more and I can’t wait to tell you about it<br />Process – rules are closer to application owner, shortening discovery-to-patch time, also fix-to-patch-removal time<br />
  9. 9. Principle: Make common tasks easy, uncommon tasks possible<br />Easy!<br />&lt;virtual-patches&gt;<br /> &lt;virtual-patch <br /> id=“bugtracker-id-1234&quot; <br /> path=&quot;/vulnerable.do&quot; <br /> variable=&quot;request.parameters.bar&quot;<br />pattern=&quot;[0-9a-zA-Z]*&quot; <br />message=&quot;zmg attax&quot; /&gt;<br />&lt;/virtual-patches&gt;<br />Possible… still easy!<br />&lt;bean-shell-rules&gt;<br /> &lt;bean-shell-script <br /> id=“user-lockout-rule&quot; <br /> file=“/enforce_user_lockout.bsh&quot; <br /> stage=&quot;before-request-body&quot;/&gt;<br />&lt;/bean-shell-rules&gt;<br />import org.acme.user.*;<br />User user = session.getAttribute(“u”);<br />If ( user.isLocked() )<br /> action = new RedirectAction();<br />
  10. 10. Fixing Injection Flaws<br />
  11. 11. Business Logic Flaws<br />/viewAccount?id=1826<br />/admin/shutdown<br />/ws/ImptWebService.rest<br />
  12. 12. Adding “Outbound” Security<br /><ul><li> Add anti-clickjacking header
  13. 13. Set uniform content-type</li></li></ul><li>Yes, we know all about early failing<br />
  14. 14. Meet JForum 2.1.8<br />Awesome, free, fully featured<br />forum software.<br />4 hours of code review/pen testing:<br />10 findings<br />
  15. 15.
  16. 16.
  17. 17.
  18. 18. &lt;virtual-patch/&gt;<br />
  19. 19. &lt;virtual-patch/&gt;<br />&lt;virtual-patch/&gt;<br />&lt;add-http-only-flag&gt;<br />
  20. 20. &lt;virtual-patch/&gt;<br />&lt;add-http-only-flag&gt;<br />&lt;add-header/&gt;<br />
  21. 21. &lt;virtual-patch/&gt;<br />&lt;add-http-only-flag&gt;<br />&lt;add-header/&gt;<br />&lt;bean-shell-rule/&gt;<br />
  22. 22. http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc3/index.html<br />JavaDocs<br />
  23. 23. http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20WAF%20Configuration%20Guide.pdf<br />Policy file specification<br />
  24. 24. OWASP ESAPI WAF<br />AVAILABLE NOW!<br />$0<br />Arshan Dabirsiaghi<br />Director of Research, Aspect Security<br />@nahsra, i8&lt;messiah&gt;.com<br />http://www.aspectsecurity.com/<br />

×