OWASP Enterprise Security API and available methods to help lock down a ColdFusion application

This is the presentation from the ColdFusion Unconference session at Adobe MAX 2011 in Los Angeles. This covers a brief look at implementing the ESAPI project into your ColdFusion applications and what methods it has available to help secure your sites.


  1. Matt Gifford (@coldfumonkeh) - www.mattgifford.co.uk - ColdFusion Unconference, Adobe MAX 2011
  2. MAKE STUFF SECURE!
  3. KEEP IT TIGHT AND OUT OF SIGHT
  4. HOW TO SLAY DRAGONS USING A JET PACK & A TOOTHBRUSH
  5. THE OWASP ENTERPRISE SECURITY API & AVAILABLE METHODS TO HELP LOCK DOWN A COLDFUSION APPLICATION
  6. WHO I AM NOT...
     • Security expert of the highest order
     • Salesman trying to pitch an idea for your $$
  7. WHO I AM...
     • Lead RIA Developer
     • Author
     • Inquisitive
     • Open to new ideas and methods
  8. INITIAL REACTIONS
  9. DEVELOPERS - A BROAD GENERALISATION
  10. SECURING YOUR APPLICATIONS
  11. WHO IS OWASP?
  12. WHAT IS ESAPI? Enterprise Security API
     • Open-source project that aims to fill gaps in specs and server technology implementations
     • Uses current best practices to mitigate the vulnerabilities mentioned in the OWASP Top 10
  13. WHAT IS ESAPI? Enterprise Security API
     • A set of interfaces that provide functions for most of the common security needs of enterprise developers
  14. WHAT IS ESAPI? Enterprise Security API
     "ESAPI is designed to make it easy to retrofit security into existing applications as well as providing a solid foundation for new development"
  15. WHAT IS ESAPI? Enterprise Security API
     Supported in multiple languages: Java, Python, .NET, JavaScript, Classic ASP & ColdFusion, PHP
  16. WHY USE ESAPI? Its aim is to make secure application development easier
  17. OWASP TOP 10
     • A1 Injection
     • A2 Cross-Site Scripting
     • A3 Authentication & Sessions
     • A4 Insecure Direct Object References
     • A5 Cross-Site Request Forgery
     • A6 Security Misconfiguration
     • A7 Insecure Storage (crypto)
     • A8 URL Access Restrictions
     • A9 Poor Transport Layer Protection
     • A10 Unvalidated Redirects
     And this is just the top 10...
  18. YOU MAY ALREADY HAVE IT
     • ColdFusion 8 hotfix shipped with the ESAPI library under the hood
     • ColdFusion 9 included an updated version
  19. COMING IN ZEUS!
     • ESAPI integration will be included at a greater level in ColdFusion X (Zeus)
     • encodeForXXX functions to help you protect your applications against XSS attacks
     • You can use those now!
  20. ENCODER
     <cfoutput>
         <p>Hey, #URL.name#!</p>
         <p>Hey, #encodeForHTML(URL.name)#!</p>
     </cfoutput>
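The slide encodes for one context only. As an added example (not from the slides), the same untrusted value placed in four different output contexts, each with the matching encodeForXXX built-in; it assumes ColdFusion 10 or later, and the URL.name / URL.next parameters and the page paths are made up:

```cfml
<cfscript>
// Added example, not code from the presentation. Assumes ColdFusion 10+ for the
// encodeForXXX built-ins; URL.name and URL.next stand in for attacker-controlled
// request parameters.
function renderGreeting(required string name, required string next) {
    var out = [];
    // 1. HTML body: encodeForHTML() turns < > & " ' into entities
    arrayAppend(out, "<p>Hey, #encodeForHTML(arguments.name)#!</p>");
    // 2. HTML attribute: a bare quote would end the attribute, so
    //    encodeForHTMLAttribute() escapes every non-alphanumeric character
    arrayAppend(out, '<input type="text" name="name" value="#encodeForHTMLAttribute(arguments.name)#">');
    // 3. JavaScript string literal: encodeForJavaScript() uses \xHH escapes,
    //    so a value containing </script> cannot close the script block
    arrayAppend(out, "<script>var who = '#encodeForJavaScript(arguments.name)#';</script>");
    // 4. URL query parameter: encodeForURL() percent-encodes each value, and the
    //    finished href is attribute-encoded for the context it is written into
    var href = "/welcome.cfm?name=" & encodeForURL(arguments.name)
             & "&next=" & encodeForURL(arguments.next);
    arrayAppend(out, '<a href="#encodeForHTMLAttribute(href)#">Continue</a>');
    return arrayToList(out, chr(10));
}

// Constructed hostile input: one string, four contexts, four different encodings
param name="URL.name" default="<script>alert(1)</script>";
param name="URL.next" default="/";
writeOutput(renderGreeting(URL.name, URL.next));
</cfscript>
```

The point the slide makes with encodeForHTML() holds for every context: pick the encoder for the place the data lands, not for the place it came from.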
  21. SECURITY CONFIGURATION
  22. SECURITY CONFIGURATION
     Includes (but not restricted to) the following:
     • Master encryption passwords (for salt and hashing)
     • Validation whitelists
     • Logging levels and details
     • Intrusion detection
     • and more...
  23. SECURITY CONFIGURATION
     • You can select the path for a specific resource directory
     • Ideal for handling multiple security levels / validations for subsystems and micro-applications
     ESAPI().securityConfiguration().setResourceDirectory("/path/to/.esapi/");
  24. SECURITY CONFIGURATION
     #===========================================
     # ESAPI Authenticator
     #
     Authenticator.AllowedLoginAttempts=3
     Authenticator.MaxOldPasswordHashes=13
     Authenticator.UsernameParameterName=username
     Authenticator.PasswordParameterName=password
     # RememberTokenDuration (in days)
     Authenticator.RememberTokenDuration=14
     # Session Timeouts (in minutes)
     Authenticator.IdleTimeoutDuration=20
     Authenticator.AbsoluteTimeoutDuration=120
  25. AUTHENTICATION
  26. AUTHENTICATION
     <cfquery name="qLogin" datasource="blah">
         SELECT * FROM tbl_Users
         WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#" />
         AND password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.password#" />
     </cfquery>
     <!--- Check to see we have a user returned --->
     <cfif qLogin.recordcount>
         <!--- Set user into SESSION --->
         <cfset session.userID = qLogin.userID />
         <cfset session.isLoggedIn = true />
         <!--- DO LOGGED-IN STUFF --->
     <cfelse>
         <!--- Invalid credentials or no match found --->
         <p>Sorry, we could not find a match.</p>
     </cfif>
  27. AUTHENTICATION
  28. AUTHENTICATION
     ESAPI().authenticator().login();
     • Username & password combination (invisibly)
     • Reading a "Remember me" cookie
     • Currently logged in user based upon the session-id value
  29. AUTHENTICATION
     Key methods:
     • createUser()
     • generateStrongPassword()
     • getCurrentUser()
     • logout()
     • verifyAccountNameStrength()
     • verifyPasswordStrength()
  30. THE USER
  31. THE USER
     ESAPI().authenticator().createUser("random01", "657fhg", "657fhg");
     objUser = ESAPI().authenticator().login(request, response);
     objUser = ESAPI().authenticator().getCurrentUser();
     objUser = ESAPI().authenticator().getUser("random01");
     Token creation: objUser.resetCSRFToken();
     Accessing the token: objUser.getCSRFToken();
  32. THE USER
     Key methods:
     • changePassword()
     • disable()
     • enable()
     • getAccountName()
     • getCSRFToken()
     • getLastFailedLoginTime()
     • getLastLoginTime()
     • getRoles()
     • isInRole()
     • isEnabled()
     • isExpired()
     • isLocked()
     • resetCSRFToken()
     • resetPassword()
     • isSessionTimeout()
     • isSessionAbsoluteTimeout()
  33. HTTP UTILITIES
     Provides a safe version of the request and response object
  34. HTTP UTILITIES
     Key methods:
     • addCSRFToken()
     • verifyCSRFToken()
     • assertSecureRequest()
     • changeSessionIdentifier()
     • encryptHiddenField()
     • decryptHiddenField()
     • encryptQueryString()
     • decryptQueryString()
     • encryptStateInCookie()
     • decryptStateFromCookie()
     • getSafeFileUploads()
     • safeSendForward()
     • safeSetContentType()
     • setNoCacheHeaders()
     • setRememberToken()
  35. ACCESS CONTROLLER
     The gatekeeper for your ESAPI application implementation
     <cfscript>
         if ((role == "admin") && (coffeeIntake != "small")) {
             // Take them to the Admin Console
             location("/admin/hiddenPages.cfm");
         } else {
             // Direct user elsewhere
             location("/standardPage.cfm");
         }
     </cfscript>
  36. ACCESS CONTROLLER
     • isAuthorizedForData()
     • isAuthorizedForFile()
     • isAuthorizedForURL()
     • assertAuthorizedForData()
     • assertAuthorizedForFile()
     • assertAuthorizedForURL()
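Slides 28 to 36 list the authenticator, user, HTTP utilities and access controller methods separately. The following added example (not code from the presentation or from CFESAPI) wires them into one login handler, one CSRF-protected form field and one guarded POST handler; it assumes CFESAPI's ESAPI() factory, form fields matching Authenticator.UsernameParameterName / PasswordParameterName, the token posted in a field named "ctoken" (ESAPI's default CSRF parameter name), and a made-up /admin/hiddenPages.cfm path:

```cfml
<cfscript>
// Added example, not code from the slides or from CFESAPI. Assumes the ESAPI()
// factory, form.username / form.password as configured in ESAPI.properties and
// "ctoken" as the CSRF parameter name; the admin path is made up.
httpRequest  = getPageContext().getRequest();
httpResponse = getPageContext().getResponse();

// 1. Login: ESAPI reads the credentials (or the remember-me cookie) itself and
//    throws on failure, so the application never runs its own
//    "WHERE password = ..." query as in the cfquery example on slide 26.
function loginUser() {
    try {
        var user = ESAPI().authenticator().login(httpRequest, httpResponse);
        // issue a fresh token per login so an earlier leaked token is useless
        user.resetCSRFToken();
        return {ok = true, user = user};
    } catch (any e) {
        // each failure counts against Authenticator.AllowedLoginAttempts;
        // the account locks once that limit is reached
        return {ok = false, reason = "Invalid credentials"};
    }
}

// 2. Every state-changing form carries the current user's CSRF token
function csrfField() {
    var token = ESAPI().authenticator().getCurrentUser().getCSRFToken();
    return '<input type="hidden" name="ctoken" value="#ESAPI().encoder().encodeForHTMLAttribute(token)#">';
}

// 3. A POST handler that fails closed: both assert-style calls throw, so a
//    request with a bad token or an unauthorized URL never reaches the work.
function processAdminAction() {
    ESAPI().httpUtilities().verifyCSRFToken(httpRequest);
    ESAPI().accessController().assertAuthorizedForURL(cgi.script_name);
    // ... privileged work goes here ...
    return true;
}

// 4. Non-throwing variant for navigation: render the link only when the
//    current user is allowed to follow it, instead of the role/coffee check.
function adminLink() {
    if (ESAPI().accessController().isAuthorizedForURL("/admin/hiddenPages.cfm")) {
        return '<a href="/admin/hiddenPages.cfm">Admin Console</a>';
    }
    return "";
}
</cfscript>
```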
  37. ENCRYPTOR
     • decrypt()
     • encrypt()
     • hash()
     • seal()
     • sign(String data)
     • unseal()
     • verifySeal()
     • verifySignature()
  38. VALIDATOR
     • White-list based filters
     • Data canonicalization prior to being passed to filters
     • Detects double-encoding and throws an exception
  39. VALIDATOR CONFIGURATION
     #================================================
     # ESAPI Validation
     Validator.ConfigurationFile=validation.properties
     # Validators used by ESAPI
     Validator.RoleName=^[a-z]{1,20}$
     # Global HTTP Validation Rules
     Validator.HTTPScheme=^(http|https)$
     Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
     Validator.HTTPParameterValue=^[a-zA-Z0-9.-/
  40. VALIDATOR CONFIGURATION
     Validator.SafeString=^[.\p{Alnum}\p{Space}]{0,1024}$
     Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$
     Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
     Validator.URL=^(ht|f)tp(s?)://[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(/?)([a-zA-Z0-9\-\.\?\,\:\/\+=&amp;%\$#_]*)?$
     Validator.CreditCard=^(\d{4}[- ]?){3}\d{4}$
     Validator.SSN=^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$
  41. VALIDATOR CONFIGURATION
     Custom white-list values can be added into the ESAPI.properties file:
     Declaring: Example User ID - MatGif0075
     White-list entry: Validator.UserId=^[A-Za-z]{6}[0-9]{4}$
     Validating: isValidInput("User ID", "MatGif0075", "UserId", 10, false);
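Slide 41 shows a single isValidInput() call. As an added example (not code from the presentation or from CFESAPI), a signup check that uses both the boolean and the throwing validator calls against ESAPI.properties entries; it assumes the ESAPI() factory, a Validator.UserId entry that accepts six letters of either case followed by four digits, the stock Validator.Email entry, and made-up form fields and sample values:

```cfml
<cfscript>
// Added example, not code from the slides or from CFESAPI. Assumes the ESAPI()
// factory, a Validator.UserId entry matching six letters (any case) plus four
// digits, and the default Validator.Email entry; field names and values are made up.
function validateSignup(required string userId, required string email) {
    var result = {valid = true, errors = []};
    var validator = ESAPI().validator();
    // isValidInput(context, input, type, maxLength, allowNull): "type" is the
    // key suffix after "Validator." in ESAPI.properties, and the input is
    // canonicalized before the regex runs, so an encoded "<" does not slip past.
    if (!validator.isValidInput("User ID", arguments.userId, "UserId", 10, false)) {
        result.valid = false;
        arrayAppend(result.errors, "User ID must be six letters followed by four digits");
    }
    if (!validator.isValidInput("Email", arguments.email, "Email", 254, false)) {
        result.valid = false;
        arrayAppend(result.errors, "Email address is not in a valid format");
    }
    return result;
}

// getValidInput() is the throwing form: the caller fails closed instead of
// branching on a boolean, and double-encoded input (e.g. %253C for "<") lands
// in the same catch block as a plain format mismatch.
function safeUserId(required string userId) {
    try {
        return ESAPI().validator().getValidInput("User ID", arguments.userId, "UserId", 10, false);
    } catch (any e) {
        // ValidationException or IntrusionException: ESAPI has already logged it
        return "";
    }
}

// Constructed inputs
writeDump(validateSignup("MatGif0075", "matt@example.com"));   // valid = true
writeDump(validateSignup("Mat<Gif>75", "not-an-email"));       // two errors
writeDump(safeUserId("MatGif%250075"));                         // "" (rejected)
</cfscript>
```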
  42. THE PROS
     • Designed by security experts
     • Multiple language support
     • Highly extensible
     • Works invisibly in many ways (voodoo magic)
     • It's open-source!!
  43. THE CONS
     • Paradigm shift (a new way of thinking)
     • Worth the time retrofitting?
     • Documentation levels (with clear working examples)
     • It's only an API - it's not the miracle cure
  44. MORE INFO
     • OWASP ESAPI Official Page: http://bit.ly/owasp_esapi
     • ESAPI Javadocs: http://bit.ly/esapi-javadocs
     • CFESAPI on github: http://bit.ly/cfesapi
  45. NOW GRAB YOUR TOOTHBRUSH AND GO SLAY SOME DRAGONS
