OWASP ESAPI WAF AppSec DC 2009
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

OWASP ESAPI WAF AppSec DC 2009

on

  • 5,645 views

A presentation and demo of the ESAPI web application firewall component released at OWASP AppSec DC 2009.

A presentation and demo of the ESAPI web application firewall component released at OWASP AppSec DC 2009.

Statistics

Views

Total Views
5,645
Views on SlideShare
5,624
Embed Views
21

Actions

Likes
1
Downloads
63
Comments
0

2 Embeds 21

http://www.slideshare.net 15
http://www.slashdocs.com 6

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

OWASP ESAPI WAF AppSec DC 2009 Presentation Transcript

  • 1. Title of Presentation
    Name
    Title
    Company Name
  • 2. OWASP ESAPI WAF
    Developed by Arshan Dabirsiaghi (w/ Jeff Williams)
    A sub-project under the ESAPI umbrella
    The Star Trek: TNG of WAFs
    Robust
    Usable
    Free
    Open Source
    Performant
    Pragmatic
  • 3. “Yeah, well I hate WAFs”
    Perfect! Me too.
  • 4. WAFs were for Federalists (part 1)
    Development Team A
    Development Team B
    Security Team
    Development Team C
  • 5. WAFs were for Federalists (part 2)
    Development Team A
    Development Team B
    Development Team C
  • 6. Why fix in ESAPI WAF vs. fix in code?
  • 7. Why fix in ESAPI WAF vs. fix in code?
  • 8. Advantages of Application-Layer WAFs
    Performance – only your rules are checked, plus state is already managed by the app server
    Capability – being closer to the app lets us do more and I can’t wait to tell you about it
    Process – rules are closer to application owner, shortening discovery-to-patch time, also fix-to-patch-removal time
  • 9. Principle: Make common tasks easy, uncommon tasks possible
    Easy!
    <virtual-patches>
    <virtual-patch
    id=“bugtracker-id-1234"
    path="/vulnerable.do"
    variable="request.parameters.bar"
    pattern="[0-9a-zA-Z]*"
    message="zmg attax" />
    </virtual-patches>
    Possible… still easy!
    <bean-shell-rules>
    <bean-shell-script
    id=“user-lockout-rule"
    file=“/enforce_user_lockout.bsh"
    stage="before-request-body"/>
    </bean-shell-rules>
    import org.acme.user.*;
    User user = session.getAttribute(“u”);
    If ( user.isLocked() )
    action = new RedirectAction();
  • 10. Fixing Injection Flaws
  • 11. Business Logic Flaws
    /viewAccount?id=1826
    /admin/shutdown
    /ws/ImptWebService.rest
  • 12. Adding “Outbound” Security
    • Add anti-clickjacking header
    • 13. Set uniform content-type
  • Yes, we know all about early failing
  • 14. Meet JForum 2.1.8
    Awesome, free, fully featured
    forum software.
    4 hours of code review/pen testing:
    10 findings
  • 15.
  • 16.
  • 17.
  • 18. <virtual-patch/>
  • 19. <virtual-patch/>
    <virtual-patch/>
    <add-http-only-flag>
  • 20. <virtual-patch/>
    <add-http-only-flag>
    <add-header/>
  • 21. <virtual-patch/>
    <add-http-only-flag>
    <add-header/>
    <bean-shell-rule/>
  • 22. http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc3/index.html
    JavaDocs
  • 23. http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/OWASP%20ESAPI%20WAF%20Configuration%20Guide.pdf
    Policy file specification
  • 24. OWASP ESAPI WAF
    AVAILABLE NOW!
    $0
    Arshan Dabirsiaghi
    Director of Research, Aspect Security
    @nahsra, i8<messiah>.com
    http://www.aspectsecurity.com/