Enterprise Security API - OWASP Montreal

OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Because it is an API, it can easily be added to applications and services so they can protect themselves from attackers. In this talk, I'll present the project, its PHP implementation and how to add it to your projects.



  1. Enterprise Security API (ESAPI). Saturday, 2011-02-26
  2. (no text)
  3. (no text)
  4. I answer questions
  5. The problems
  6. The problems
     • Input Validation and Output Encoding
     • Authentication and Identity
     • URL Access Control
     • Business Function Access Control
     • Data Layer Access Control
  7. The problems
     • Presentation Layer Access Control
     • Errors, Logging, and Intrusion Detection
     • Encryption, Hashing, and Randomness
  8. OWASP TOP 10
     • A1 – Injection
     • A2 – Cross-Site Scripting (XSS)
     • A3 – Broken Authentication and Session Management
     • A4 – Insecure Direct Object References
     • A5 – Cross-Site Request Forgery (CSRF)
     • A6 – Security Misconfiguration
     • A7 – Insecure Cryptographic Storage
     • A8 – Failure to Restrict URL Access
     • A9 – Insufficient Transport Layer Protection
     • A10 – Unvalidated Redirects and Forwards
  9. And over 300 other types of security problems
  10. Vulnerabilities and Security Controls: Ignored, Misused, Broken, Missing
  11. Why Is Input Validation Hard?
  12. The character to encode: <
  13. Percent (URL) Encoding
     • %3c
     • %3C
  14. HTML Entity Encoding (decimal, with leading zeros)
     • &#60 → <
     • &#060 → <
     • &#0060 → <
     • &#00060 → <
     • &#000060 → <
     • &#0000060 → <
  15. HTML Entity Encoding (hexadecimal, lowercase x and lowercase hex digits)
     • &#x3c → <
     • &#x03c → <
     • &#x003c → <
     • &#x0003c → <
     • &#x00003c → <
     • &#x000003c → &#x000003c; (not decoded)
  16. HTML Entity Encoding (uppercase X, lowercase hex digits)
     • &#X3c → <
     • &#X03c → <
     • &#X003c → <
     • &#X0003c → <
     • &#X00003c → <
     • &#X000003c → &#X000003c; (not decoded)
  17. HTML Entity Encoding (lowercase x, uppercase hex digits)
     • &#x3C → <
     • &#x03C → <
     • &#x003C → <
     • &#x0003C → <
     • &#x00003C → <
     • &#x000003C → &#x000003C; (not decoded)
  18. HTML Entity Encoding (uppercase X, uppercase hex digits)
     • &#X3C → <
     • &#X03C → <
     • &#X003C → <
     • &#X0003C → <
     • &#X00003C → <
     • &#X000003C → &#X000003C; (not decoded)
  19. HTML Entity Encoding (named entity, any letter case, with and without the semicolon)
     • &lt and &lt;
     • &lT and &lT;
     • &Lt and &Lt;
     • &LT and &LT;
  20. JavaScript Escape (all of these give <)
     • \x3C
     • \x3c
     • \X3C
     • \X3c
     • \u003C
     • \u003c
     • \U003C
     • \U003c
  21. CSS Escape
     • \3c
     • \3C
     • \03c
     • \03C
     • \003c
     • \003C
     • \0003c
     • \0003C
     • \00003c
     • \00003C
  22. UTF-7 vs UTF-8
     • +ADw- (UTF-7)
     • %c0%bc (overlong UTF-8, 2 bytes)
     • %e0%80%bc (3 bytes)
     • %f0%80%80%bc (4 bytes)
     • %f8%80%80%80%bc (5 bytes)
     • %fc%80%80%80%80%bc (6 bytes)
  23. 1,677,721,600,000,000 ways to encode <script>
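Slides 11 to 23 show why validating the raw request parameter fails: the same character can arrive in any of the encodings listed. The following is an added Python example, not code from the talk or from ESAPI, of the canonicalize-then-validate approach ESAPI takes: it undoes every encoding family on the slides until the text stops changing and, in strict mode, rejects input that used two schemes at once or needed more than one decoding pass (the mixed and double encoding ESAPI treats as an intrusion). The regexes, the named-entity table (an assumed subset) and the decoding order are this example's own, not ESAPI's codecs.

```python
import re
from urllib.parse import unquote_to_bytes
# One regex per encoding family from the slides; the named-entity table is an assumed subset.
HTML = re.compile(r"&(?:#(?:x([0-9a-f]+)|([0-9]+))|(lt|gt|amp|quot));?", re.I)  # &#60 &#x003c &LT
JS = re.compile(r"\\(?:x([0-9a-f]{2})|u([0-9a-f]{4}))", re.I)   # \x3c \X3C \u003c \U003C
CSS = re.compile(r"\\([0-9a-f]{1,6}) ?", re.I)                  # \3c \03c ... \00003C
UTF7 = re.compile(r"\+([A-Za-z0-9+/]{3,})-?")                   # +ADw-
SEQ = re.compile(rb"[\xc0-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}|[\xf0-\xf7][\x80-\xbf]{3}|"
                 rb"[\xf8-\xfb][\x80-\xbf]{4}|[\xfc-\xfd][\x80-\xbf]{5}")  # UTF-8 shapes, overlong too
ENTITY = {"lt": "<", "gt": ">", "amp": "&", "quot": '"'}

def _chr(cp, original):
    return chr(cp) if cp <= 0x10FFFF else original  # leave text alone when it is not a code point

def _entity(m):
    if m.group(3):                                   # named entity, any letter case, ; optional
        return ENTITY[m.group(3).lower()]
    return _chr(int(m.group(1) or m.group(2), 16 if m.group(1) else 10), m.group(0))

def _lenient_utf8(b):
    """Decode UTF-8 while also accepting the overlong forms (%c0%bc ... %fc%80%80%80%80%bc)."""
    def fold(m):             # payload bits of the lead byte, then 6 bits per continuation byte
        seq = m.group(0)
        v = seq[0] & (0xFF >> len(seq))
        for t in seq[1:]:
            v = (v << 6) | (t & 0x3F)
        return _chr(v, "\ufffd").encode("utf-8", "replace")
    return SEQ.sub(fold, b).decode("utf-8", "replace")

DECODERS = [
    ("percent", lambda s: _lenient_utf8(unquote_to_bytes(s))),
    ("html", lambda s: HTML.sub(_entity, s)),
    ("javascript", lambda s: JS.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)),
    ("css", lambda s: CSS.sub(lambda m: _chr(int(m.group(1), 16), m.group(0)), s)),
    ("utf7", lambda s: UTF7.sub(lambda m: ("+" + m.group(1) + "-").encode().decode("utf-7", "replace"), s)),
]

def canonicalize(s, strict=True, max_passes=10):
    """Decode until stable; returns (text, schemes, passes). Strict mode rejects mixed or multiple encoding."""
    schemes, passes, before = set(), 0, None
    while s != before and passes < max_passes:
        before = s
        for name, fn in DECODERS:
            s, prev = fn(s), s
            if s != prev:
                schemes.add(name)
        passes += int(s != before)   # count only the passes that actually decoded something
    if strict and (len(schemes) > 1 or passes > 1):
        raise ValueError("mixed or multiple encoding: %s in %d passes" % (sorted(schemes), passes))
    return s, sorted(schemes), passes
```

Validation then runs the whitelist pattern against the returned text rather than against the raw parameter, which is what ESAPI's getValidInput() does for you.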
  24. The Solutions?
  25. What is Enterprise Security API?
  26. ESAPI Community (diagram): ESAPI Library, Wiki, Mailing List, Users, Developers, Objective-C
  27. ESAPI Community (same diagram as slide 26)
  28. ESAPI Community (same diagram as slide 26)
  29. Overview of the Architectural Impact
  30. Enterprise Security API architecture (diagram): Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
  31. AccessController (architecture diagram as slide 30): isAuthorizedForURL(), isAuthorizedForFile(), isAuthorizedForData(), isAuthorizedForService(), isAuthorizedForFunction()
  32. Architecture diagram (as slide 30)
  33. Validator (architecture diagram as slide 30), with the call and its parameter types:
     <?php echo $ESAPI->validator()->getValidInput(String $context, String $input, String type, int $maxLength, boolean allowNull, ValidationErrorList $errorList); ?>
  34. Validator, continued: interface ValidationRule, abstract BaseValidationRule, CreditCard ValidationRule; assertIsValidHttpRequest(), assertIsValidHttpRequestParameterSet(), assertIsValidFileUpload(), getValidDate(), getValidDouble(), getValidDirectoryPath(), getValidFileContent(), getValidFileName()
  35. Validator, continued: isValidCreditCard(), isValidDataFromBrowse(), isValidDirectoryPath(), isValidFileContent(), isValidFileName(), isValidHTTPRequest(), isValidListItem(), isValidRedirectLocation(), isValidSafeHTML(), isValidPrintable(), safeReadLine()
  36. Encoder (architecture diagram as slide 30):
     <?php echo $ESAPI->encoder()->encodeForHTML($name) ?>
     encodeForCSS, encodeForDN, encodeForHTML, encodeForLDAP, encodeForSQL, encodeForURL, encodeForJavaScript, encodeForXML, encodeForHTMLAttribute, encodeForXPath, encodeForVBScript, encodeForXMLAttribute
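Slide 36 lists one encoder per output context. The following is an added Python example, not ESAPI's code, of the policy behind those encoders: every character that is not alphanumeric (or in a small per-context immune set) is escaped with that context's own syntax, and a nested context such as a JavaScript string inside an HTML event-handler attribute is encoded inner context first. The immune sets and the exact escape forms are this example's assumptions modelled on ESAPI, not ESAPI's verbatim output.

```python
import string
from urllib.parse import quote

ALNUM = set(string.ascii_letters + string.digits)

def _encode(text, escape, immune=""):
    """Leave alphanumerics and the context's immune set alone; escape every other character."""
    return "".join(c if c in ALNUM or c in immune else escape(c) for c in text)

def _hex_entity(c):                   # &#x3c; style numeric entity
    return "&#x%x;" % ord(c)

def _js_escape(c):                    # \xNN below 256, \uNNNN otherwise, surrogate pair above the BMP
    o = ord(c)
    if o < 0x100:
        return "\\x%02x" % o
    if o < 0x10000:
        return "\\u%04x" % o
    o -= 0x10000
    return "\\u%04x\\u%04x" % (0xD800 + (o >> 10), 0xDC00 + (o & 0x3FF))

def encode_for_html(text):            # element content: <p>...</p>
    return _encode(text, _hex_entity, immune=" ,.-_")

def encode_for_html_attribute(text):  # quoted attribute value: title="..." (space is not immune here)
    return _encode(text, _hex_entity, immune=",.-_")

def encode_for_javascript(text):      # inside a JS string literal: var n = '...';
    return _encode(text, _js_escape, immune=",._")

def encode_for_css(text):             # inside a CSS value; the trailing space terminates the escape
    return _encode(text, lambda c: "\\%x " % ord(c))

def encode_for_url(text):             # a query-string parameter value
    return quote(text, safe="")

def encode_for_event_handler(text):
    """onclick="f('...')": the browser HTML-decodes the attribute, then runs the JavaScript, so
    encode for the inner context (JS string) first and wrap the result for the outer (attribute)."""
    return encode_for_html_attribute(encode_for_javascript(text))
```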
  37. HTTPUtilities (architecture diagram as slide 30): Add Safe Header, isSecureChannel, Safe Request Logging, No Cache Headers, Set Content Type, Safe File Uploads, Add Safe Cookie, Kill Cookie, sendSafeForward, Change SessionID, sendSafeRedirect, CSRF Tokens, Encrypt State in Cookie, Hidden Field Encryption, Querystring Encryption
  38. Encryptor and Randomizer (architecture diagram as slide 30): Integrity Seals, Strong GUID, Random Tokens, Encryption, Digital Signatures, Salted Hash, Safe Config Details, Timestamp
     <?php $encrypted = $ESAPI->encryptor()->encrypt($text) ?>
  39. Architecture diagram (as slide 30)
  40. Architecture diagram (as slide 30)
  41. Exception Handling (architecture diagram as slide 30): AccessControlException, AuthenticationException, AvailabilityException, EncodingException, EncryptionException, ExecutorException, IntegrityException, IntrusionException, ValidationException
  42. Architecture diagram (as slide 30)
  43. IntrusionDetector (architecture diagram as slide 30): Responses (Logout User, Log Intrusion, Disable Account), Configurable Thresholds
  44. Architecture diagram (as slide 30)
  45. OWASP TOP 10 mapped to ESAPI
     • A1: Injection → Encoder
     • A2: Cross Site Scripting (XSS) → Encoder, Validator
     • A3: Broken Authentication and Session Management → Authenticator, User, HTTPUtilities
     • A4: Insecure Direct Object Reference → AccessReferenceMap, AccessController
     • A5: Cross Site Request Forgery (CSRF) → User (CSRF Token)
     • A6: Security Misconfiguration → SecurityConfiguration
     • A7: Insecure Cryptographic Storage → Encryptor
     • A8: Failure to Restrict URL Access → AccessController
     • A9: Insufficient Transport Layer Protection → HTTPUtilities (Secure Cookie, Channel)
     • A10: Unvalidated Redirects and Forwards → AccessController
  46. ESAPI feature matrix by language (table; the column headers were lost in extraction and only "Objective-C" survives). Rows: Authentication, Identity, Access Control, Input Validation, Output Escaping, Canonicalization, Encryption, Random Numbers, Exception Handling, Logging, Intrusion Detection, Security Configuration, WAF; the cells hold version numbers (2.0 or 1.4).
  47. Adopters
  48. Additional Resources
     • OWASP Home Page http://www.owasp.org
     • ESAPI Project Page http://www.esapi.org
     • ESAPI-Users Mailing List https://lists.owasp.org/mailman/listinfo/esapi-users
     • ESAPI-Dev Mailing List https://lists.owasp.org/mailman/listinfo/esapi-dev
  49. Questions?
     • philippe@ph-il.ca
     • http://www.ph-il.ca
     • @SecureSymfony
     • http://www.ph-il.ca/en/conferences
     • http://www.ph-il.ca/fr/conferences
  50. (no text)
