Your SlideShare is downloading. ×
0
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
OWASP ESAPI WAF AppSec DC 2009
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

OWASP ESAPI WAF AppSec DC 2009

4,315

Published on

A presentation and demo of the ESAPI web application firewall component released at OWASP AppSec DC 2009.

A presentation and demo of the ESAPI web application firewall component released at OWASP AppSec DC 2009.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,315
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
71
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Title of Presentation<br />Name<br />Title<br />Company Name<br />
  • 2. OWASP ESAPI WAF<br />Developed by Arshan Dabirsiaghi (w/ Jeff Williams)<br />A sub-project under the ESAPI umbrella<br />The Star Trek: TNG of WAFs<br />Robust<br />Usable<br />Free<br />Open Source<br />Performant<br />Pragmatic<br />
  • 3. “Yeah, well I hate WAFs”<br />Perfect! Me too.<br />
  • 4. WAFs were for Federalists (part 1)<br />Development Team A<br />Development Team B<br />Security Team<br />Development Team C<br />
  • 5. WAFs were for Federalists (part 2)<br />Development Team A<br />Development Team B<br />Development Team C<br />
  • 6. Why fix in ESAPI WAF vs. fix in code?<br />
  • 7. Why fix in ESAPI WAF vs. fix in code?<br />
  • 8. Advantages of Application-Layer WAFs<br />Performance – only your rules are checked, plus state is already managed by the app server<br />Capability – being closer to the app lets us do more and I can’t wait to tell you about it<br />Process – rules are closer to application owner, shortening discovery-to-patch time, also fix-to-patch-removal time<br />
  • 9. Principle: Make common tasks easy, uncommon tasks possible<br />Easy!<br />&lt;virtual-patches&gt;<br /> &lt;virtual-patch <br /> id=“bugtracker-id-1234&quot; <br /> path=&quot;/vulnerable.do&quot; <br /> variable=&quot;request.parameters.bar&quot;<br />pattern=&quot;[0-9a-zA-Z]*&quot; <br />message=&quot;zmg attax&quot; /&gt;<br />&lt;/virtual-patches&gt;<br />Possible… still easy!<br />&lt;bean-shell-rules&gt;<br /> &lt;bean-shell-script <br /> id=“user-lockout-rule&quot; <br /> file=“/enforce_user_lockout.bsh&quot; <br /> stage=&quot;before-request-body&quot;/&gt;<br />&lt;/bean-shell-rules&gt;<br />import org.acme.user.*;<br />User user = session.getAttribute(“u”);<br />If ( user.isLocked() )<br /> action = new RedirectAction();<br />
  • 10. Fixing Injection Flaws<br />
  • 11. Business Logic Flaws<br />/viewAccount?id=1826<br />/admin/shutdown<br />/ws/ImptWebService.rest<br />
  • 12. Adding “Outbound” Security<br /><ul><li> Add anti-clickjacking header
  • 13. Set uniform content-type</li></li></ul><li>Yes, we know all about early failing<br />
  • 14. Meet JForum 2.1.8<br />Awesome, free, fully featured<br />forum software.<br />4 hours of code review/pen testing:<br />10 findings<br />
  • 15.
  • 16.
  • 17.
  • 18. &lt;virtual-patch/&gt;<br />
  • 19. &lt;virtual-patch/&gt;<br />&lt;virtual-patch/&gt;<br />&lt;add-http-only-flag&gt;<br />
  • 20. &lt;virtual-patch/&gt;<br />&lt;add-http-only-flag&gt;<br />&lt;add-header/&gt;<br />
  • 21. &lt;virtual-patch/&gt;<br />&lt;add-http-only-flag&gt;<br />&lt;add-header/&gt;<br />&lt;bean-shell-rule/&gt;<br />
  • 22. http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc3/index.html<br />JavaDocs<br />
  • 23. http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20WAF%20Configuration%20Guide.pdf<br />Policy file specification<br />
  • 24. OWASP ESAPI WAF<br />AVAILABLE NOW!<br />$0<br />Arshan Dabirsiaghi<br />Director of Research, Aspect Security<br />@nahsra, i8&lt;messiah&gt;.com<br />http://www.aspectsecurity.com/<br />

×