Enterprise Security API (ESAPI)
OWASP Montreal




Saturday, 2011-02-26
I answer questions.

The problems

    • Input Validation and Output Encoding
    • Authentication and Identity
    • URL Access Control
    • Business Function Access Control
    • Data Layer Access Control
    • Presentation Layer Access Control
    • Errors, Logging, and Intrusion Detection
    • Encryption, Hashing, and Randomness

OWASP TOP 10 (2010 edition)

    • A1 – Injection
    • A2 – Cross-Site Scripting (XSS)
    • A3 – Broken Authentication and Session Management
    • A4 – Insecure Direct Object References
    • A5 – Cross-Site Request Forgery (CSRF)
    • A6 – Security Misconfiguration
    • A7 – Insecure Cryptographic Storage
    • A8 – Failure to Restrict URL Access
    • A9 – Insufficient Transport Layer Protection
    • A10 – Unvalidated Redirects and Forwards

And over 300 other types of security problem


Vulnerabilities and Security Controls

    A vulnerability is a security control that is ignored, misused, broken, or missing.

Why Is Input Validation Hard?

    Take a single character, <, and count the ways it can be encoded:

Percent (URL) Encoding



                  • %3c
                  • %3C




HTML Entity Encoding

    Decimal, with and without the trailing semicolon, any number of leading zeros:
    • &#60          • &#60;
    • &#060         • &#060;
    • &#0060        • &#0060;
    • &#00060       • &#00060;
    • &#000060      • &#000060;
    • &#0000060     • &#0000060;

    Hexadecimal, x or X, hex digits in either case:
    • &#x3c         • &#x3c;
    • &#x03c        • &#x03c;
    • &#x003c       • &#x003c;
    • &#x0003c      • &#x0003c;
    • &#x00003c     • &#x00003c;
    • &#x000003c    • &#x000003c;

    • &#X3c         • &#X3c;
    • &#X03c        • &#X03c;
    • &#X003c       • &#X003c;
    • &#X0003c      • &#X0003c;
    • &#X00003c     • &#X00003c;
    • &#X000003c    • &#X000003c;

    • &#x3C         • &#x3C;
    • &#x03C        • &#x03C;
    • &#x003C       • &#x003C;
    • &#x0003C      • &#x0003C;
    • &#x00003C     • &#x00003C;
    • &#x000003C    • &#x000003C;

    • &#X3C         • &#X3C;
    • &#X03C        • &#X03C;
    • &#X003C       • &#X003C;
    • &#X0003C      • &#X0003C;
    • &#X00003C     • &#X00003C;
    • &#X000003C    • &#X000003C;

    Named, with and without the semicolon, case variants:
    • &lt           • &lt;
    • &lT           • &lT;
    • &Lt           • &Lt;
    • &LT           • &LT;

JavaScript Escape

    • \<
    • \x3c          • \x3C
    • \X3c          • \X3C
    • \u003c        • \u003C
    • \U003c        • \U003C

    A JavaScript engine only decodes \<, \xHH and \uHHHH (hex digits in either case); \X and \U are not JavaScript escape sequences, so those rows only matter to a lenient server-side decoder.

CSS Escape

    • \3c           • \3C
    • \03c          • \03C
    • \003c         • \003C
    • \0003c        • \0003C
    • \00003c       • \00003C

    CSS accepts one to six hex digits after the backslash, so \000003c is a sixth form; the escape ends at the first non-hex character or at one optional whitespace character, which is why an encoder emits \3c followed by a space.

UTF-7 vs UTF-8

    • +ADw-                     UTF-7 shift sequence for <
    • %c0%bc                    two-byte overlong UTF-8 form of <
    • %e0%80%bc                 three-byte overlong form
    • %f0%80%80%bc              four-byte overlong form
    • %f8%80%80%80%bc           five-byte form (not valid under RFC 3629)
    • %fc%80%80%80%80%bc        six-byte form (not valid under RFC 3629)

    Every overlong form is forbidden by RFC 3629 and a strict decoder rejects it, but a lenient decoder turns each of them into <. The UTF-7 form only matters if the consumer can be made to parse the document as UTF-7, for instance through a missing charset declaration.

1,677,721,600,000,000 ways to encode <script>


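With that many spellings of one tag, no validation rule can be run on raw input: a canonicalizer has to decode every representation first and, because attackers also double-encode or mix encodings, it has to report that as well (ESAPI's Encoder.canonicalize() treats multiple or mixed encoding as an intrusion in strict mode). The following is an added example written for this page, not ESAPI's code: a small Python canonicalizer covering the encodings listed on the previous slides (percent, HTML decimal/hex/named entities, JavaScript, CSS, UTF-7), with overlong UTF-8 rejected instead of decoded. The decoder set, the names in the report and the analyse() function are this example's own choices.

```python
"""Canonicalize attacker-controlled input across several encodings before any
validation rule runs. Added example in the spirit of ESAPI's
Encoder.canonicalize(); it is not ESAPI's code and its decoder set is a small
hypothetical subset (percent, HTML entities, JavaScript, CSS, UTF-7)."""
import re
import urllib.parse

_NAMED = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}


def _cp(n):
    """Code point to text; anything outside Unicode becomes U+FFFD."""
    return chr(n) if 0 < n <= 0x10FFFF else "\ufffd"


def _html_numeric(m):                      # &#60  &#x3C;  &#X0003c ... ';' optional
    return _cp(int(m.group(1), 16) if m.group(1) else int(m.group(2)))


def _html_named(m):                        # &lt  &LT;  &lT ... lenient on purpose
    return _NAMED[m.group(1).lower()]


def _js(m):                                # \x3c  \u003c  \<
    if m.group(1):
        return _cp(int(m.group(1), 16))
    if m.group(2):
        return _cp(int(m.group(2), 16))
    return m.group(3)                      # identity escape


def _css(m):                               # \3c  \00003c  (one optional trailing space)
    return _cp(int(m.group(1), 16))


def _percent(s):
    # Strict UTF-8: an overlong form such as %c0%bc raises UnicodeDecodeError
    # (a ValueError) instead of silently becoming '<'.
    return urllib.parse.unquote(s, encoding="utf-8", errors="strict")


def _utf7(s):
    try:
        return s.encode("ascii").decode("utf-7")   # +ADw- is '<'
    except (UnicodeEncodeError, UnicodeDecodeError):
        return s                                   # no complete UTF-7 shift sequence


def _sub(rx, fn):
    return lambda s: rx.sub(fn, s)


DECODERS = [
    ("percent", _percent),
    ("html-numeric", _sub(re.compile(r"&#(?:[xX]([0-9a-fA-F]{1,8})|([0-9]{1,10}));?"), _html_numeric)),
    ("html-named", _sub(re.compile(r"&(lt|gt|amp|quot|apos);?", re.IGNORECASE), _html_named)),
    ("javascript", _sub(re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([^0-9A-Za-z]))"), _js)),
    ("css", _sub(re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?"), _css)),
    ("utf-7", _utf7),
]


def canonicalize(value, max_passes=10):
    """Decode until nothing changes. Returns (canonical, fired) where fired
    lists every decoder that changed the string, in the order it fired."""
    fired = []
    for _ in range(max_passes):
        changed = False
        for name, decode in DECODERS:
            out = decode(value)
            if out != value:
                fired.append(name)
                value, changed = out, True
        if not changed:
            return value, fired
    raise ValueError("canonicalization did not converge")


def analyse(value):
    """Canonicalize and classify before validating: 'multiple' means the value
    was decoded more than once, 'mixed' that more than one encoding was used."""
    try:
        canonical, fired = canonicalize(value)
    except ValueError as exc:
        return {"canonical": None, "codecs": [], "multiple": False,
                "mixed": False, "error": str(exc)}
    return {"canonical": canonical, "codecs": fired,
            "multiple": len(fired) >= 2, "mixed": len(set(fired)) >= 2, "error": None}


if __name__ == "__main__":
    for sample in ["%3c", "&#x0003C;", "&lT", "\\u003C", "\\00003c", "+ADw-script+AD4-",
                   "%253c", "%26lt%3B", "%c0%bc"]:                 # constructed inputs
        print(f"{sample!r:22} -> {analyse(sample)}")
```

Run stand-alone it prints one line per sample: `%3c` decodes once (normal for a URL parameter), `%253c` is reported as multiple encoding, `%26lt%3B` as mixed, and `%c0%bc` is rejected outright. The lenient CSS decoder would also rewrite a legitimate `C:\def` path, which is why canonicalization is followed by an allow-list rule and never used as the sanitizer itself.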


The Solutions?



What is the Enterprise Security API?



ESAPI Community

    [Diagram: the ESAPI library at the centre of its community: wiki, mailing list, users, developers, and the language ports, Objective-C among them]

Overview of the Architectural Impact




Enterprise Security API: components

    • Authenticator
    • User
    • AccessController
    • AccessReferenceMap
    • Validator
    • Encoder
    • HTTPUtilities
    • Encryptor
    • EncryptedProperties
    • Randomizer
    • Exception Handling
    • Logger
    • IntrusionDetector
    • SecurityConfiguration

AccessController

    • isAuthorizedForURL()
    • isAuthorizedForFile()
    • isAuthorizedForData()
    • isAuthorizedForService()
    • isAuthorizedForFunction()


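isAuthorizedForData() is the check behind the data-layer access control item, and AccessReferenceMap is its companion against insecure direct object references (Top 10 A4): the client only ever sees random per-session tokens, so an id in a URL cannot be incremented. Below is an added example, not ESAPI's code, with constructed users and invoices; the class and method names mirror ESAPI's but the implementation is this page's own.

```python
"""Indirect object references plus a data-layer authorization check, the two
things ESAPI's AccessReferenceMap and AccessController.isAuthorizedForData()
give you against A4. Added example: not ESAPI's code, and the users and
invoices below are constructed sample data."""
import secrets


class AccessControlException(Exception):
    pass


class RandomAccessReferenceMap:
    """Per-session map between direct references (database keys, file paths)
    and unguessable indirect references; only the indirect ones reach the client."""

    def __init__(self, direct_refs=()):
        self._to_indirect = {}
        self._to_direct = {}
        for ref in direct_refs:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct):
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        indirect = secrets.token_urlsafe(9)           # 72 random bits, URL-safe
        while indirect in self._to_direct:            # collision guard
            indirect = secrets.token_urlsafe(9)
        self._to_indirect[direct] = indirect
        self._to_direct[indirect] = direct
        return indirect

    def direct_references(self):
        return list(self._to_indirect)

    def get_indirect_reference(self, direct):
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Anything not issued to this session (a raw id, another user's token) is rejected."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise AccessControlException(f"unknown reference {indirect!r}") from None


# Constructed sample data: user -> roles, invoice id -> record
USERS = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"auditor"}}
INVOICES = {1001: {"owner": "alice", "total": 40},
            1002: {"owner": "alice", "total": 12},
            2001: {"owner": "bob", "total": 99}}


class AccessController:
    """Data-layer rule: owners read their own invoices, auditors read all."""

    def is_authorized_for_data(self, username, action, invoice_id):
        invoice = INVOICES.get(invoice_id)
        if invoice is None or action != "read" or username not in USERS:
            return False
        return invoice["owner"] == username or "auditor" in USERS[username]

    def assert_authorized_for_data(self, username, action, invoice_id):
        if not self.is_authorized_for_data(username, action, invoice_id):
            raise AccessControlException(f"{username} may not {action} invoice {invoice_id}")


def new_session(username):
    """At login, build the map from the records this user may see."""
    ac = AccessController()
    visible = [i for i in INVOICES if ac.is_authorized_for_data(username, "read", i)]
    return {"user": username, "refs": RandomAccessReferenceMap(visible)}


def invoice_links(session):
    """What the page shows: indirect token -> total. No database id is exposed."""
    refs = session["refs"]
    return {refs.get_indirect_reference(i): INVOICES[i]["total"] for i in refs.direct_references()}


def view_invoice(session, indirect_ref):
    """Request handler. Translating the token already blocks guessing; the
    explicit check is defence in depth for the day a map is shared by mistake."""
    invoice_id = session["refs"].get_direct_reference(indirect_ref)
    AccessController().assert_authorized_for_data(session["user"], "read", invoice_id)
    return INVOICES[invoice_id]


def can_view(session, indirect_ref):
    try:
        view_invoice(session, indirect_ref)
        return True
    except AccessControlException:
        return False


if __name__ == "__main__":
    alice = new_session("alice")
    links = invoice_links(alice)
    print("alice's page:", links)
    print("own invoice:", view_invoice(alice, next(iter(links))))
    print("raw id 2001 in the URL:", can_view(alice, "2001"))
    print("bob's token replayed by alice:", can_view(alice, next(iter(invoice_links(new_session("bob"))))))
```

The two layers fail independently: a raw database id or another session's token is rejected by the map before any lookup happens, and a shared or mis-built map is still caught by assert_authorized_for_data(). ESAPI also ships an IntegerAccessReferenceMap that hands out small sequential numbers instead; the random form is shown here because the indirect reference then carries no information at all.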
Validator

    <?php
    echo $ESAPI->validator()->getValidInput(
        $context,     // string: where the value is used, for error messages and logs
        $input,       // string: the raw, still encoded, value
        $type,        // string: name of the validation rule to apply
        $maxLength,   // int
        $allowNull,   // bool
        $errorList    // ValidationErrorList: captures validation errors instead of throwing
    );
    ?>

Validator: rules and methods

    Rule hierarchy: interface ValidationRule, abstract BaseValidationRule, CreditCardValidationRule

    • assertIsValidHttpRequest()
    • assertIsValidHttpRequestParameterSet()
    • assertIsValidFileUpload()
    • getValidDate()
    • getValidDouble()
    • getValidDirectoryPath()
    • getValidFileContent()
    • getValidFileName()
    • isValidCreditCard()
    • isValidDataFromBrowser()
    • isValidDirectoryPath()
    • isValidFileContent()
    • isValidFileName()
    • isValidHTTPRequest()
    • isValidListItem()
    • isValidRedirectLocation()
    • isValidSafeHTML()
    • isValidPrintable()
    • safeReadLine()

Encoder

    <?php echo $ESAPI->encoder()->encodeForHTML($name) ?>

    • encodeForCSS
    • encodeForDN
    • encodeForHTML
    • encodeForHTMLAttribute
    • encodeForJavaScript
    • encodeForLDAP
    • encodeForSQL
    • encodeForURL
    • encodeForVBScript
    • encodeForXML
    • encodeForXMLAttribute
    • encodeForXPath


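There is one encodeFor* method per output context because the same characters are dangerous differently in each one, and contexts nest: a value inside an onclick attribute is parsed as HTML first (entities decoded) and then as JavaScript. The example below is added for this page and is not ESAPI's Encoder; it follows ESAPI's approach (alphanumeric allow-list, hex escapes per context) with simplified encoders, and js_engine_sees() is a constructed stand-in for the browser's attribute decoding.

```python
"""Context-specific output encoding, the job of ESAPI's Encoder. Added example,
not ESAPI's implementation: one alphanumeric allow-list, one encoder per output
context, and a demonstration of why an HTML-encoded value is still unsafe inside
an event-handler attribute unless it is JavaScript-encoded first."""
import html

_SAFE = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def _encode(value, fmt, immune=""):
    """Alphanumerics (and `immune` characters) pass; everything else goes through fmt(code point)."""
    return "".join(c if c in _SAFE or c in immune else fmt(ord(c)) for c in value)


def encode_for_html(value):
    """HTML text content: numeric hex entities; ' ,.-_' are left alone for readability."""
    return _encode(value, lambda cp: f"&#x{cp:x};", immune=" ,.-_")


def encode_for_html_attribute(value):
    """Quoted attribute value: stricter, spaces included, so the value cannot end the attribute."""
    return _encode(value, lambda cp: f"&#x{cp:x};")


def _js_escape(cp):
    if cp < 0x100:
        return f"\\x{cp:02x}"
    if cp > 0xFFFF:                                   # astral plane: UTF-16 surrogate pair
        cp -= 0x10000
        return f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}"
    return f"\\u{cp:04x}"


def encode_for_javascript(value):
    """Inside a JS string literal: quote, backslash, '<' and newline never appear unescaped."""
    return _encode(value, _js_escape)


def encode_for_css(value):
    """CSS string or identifier: hex escape plus a terminating space so following hex digits are not swallowed."""
    return _encode(value, lambda cp: f"\\{cp:x} ")


def encode_for_url(value):
    """URL query component: percent-encode the UTF-8 bytes of every non-alphanumeric."""
    return "".join(c if c in _SAFE else "".join(f"%{b:02X}" for b in c.encode("utf-8"))
                   for c in value)


def onclick_attribute_naive(value):
    """Wrong: attribute-encoding alone. The browser decodes the entities before the JS parser runs."""
    return '<a onclick="show(\'' + encode_for_html_attribute(value) + '\')">x</a>'


def onclick_attribute(value):
    """Right: encode for the innermost context (JS string) first, then for the outer one (HTML attribute)."""
    return '<a onclick="show(\'' + encode_for_html_attribute(encode_for_javascript(value)) + '\')">x</a>'


def js_engine_sees(markup):
    """Simulates the browser: the attribute value is HTML-decoded, then handed to the JS parser."""
    start = markup.index('onclick="') + len('onclick="')
    return html.unescape(markup[start:markup.index('"', start)])


if __name__ == "__main__":
    payload = "'); alert(1); //"                     # constructed sample input
    print(js_engine_sees(onclick_attribute_naive(payload)))   # string literal broken out of
    print(js_engine_sees(onclick_attribute(payload)))         # still one string literal
```

The naive variant attribute-encodes only; once the browser has decoded the entities the JS parser sees show(''); alert(1); //') and the injected statement runs. Encoding for the JavaScript string first and the attribute second leaves the engine a single string literal. The same layering applies to a URL placed in an attribute: encodeForURL for the parameter, then encodeForHTMLAttribute for the markup.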
HTTPUtilities

    • Add Safe Header
    • No Cache Headers
    • Set Content Type
    • Add Safe Cookie
    • Kill Cookie
    • Change SessionID
    • CSRF Tokens
    • isSecureChannel
    • Safe Request Logging
    • Safe File Uploads
    • sendSafeForward
    • sendSafeRedirect
    • Encrypt State in Cookie
    • Hidden Field Encryption
    • Querystring Encryption


Encryptor and Randomizer

    <?php $encrypted = $ESAPI->encryptor()->encrypt($text) ?>

    • Integrity Seals
    • Strong GUID
    • Random Tokens
    • Encryption
    • Digital Signatures
    • Salted Hash
    • Safe Config Details
    • Timestamp

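Integrity seal, timestamp and salted hash cover the two jobs this slide shares with the state-encryption items of HTTPUtilities: state handed to the client (hidden field, cookie, querystring) must come back unmodified and unexpired, and stored passwords must not be reversible. The block below is an added example, not ESAPI's implementation: ESAPI's seal() also encrypts the sealed data, while this one only authenticates it with HMAC-SHA-256, so a seal is tamper-evident but readable; the password hash is PBKDF2-HMAC-SHA-256. Key, clock and data are constructed.

```python
"""Integrity seal with expiry for state that must round-trip through the client,
in the spirit of ESAPI's Encryptor.seal()/verifySeal(), plus a salted password
hash of the kind an Authenticator stores. Added example, not ESAPI's code:
HMAC-SHA-256 for the seal, PBKDF2 for the hash; the demo key is constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class IntegrityException(Exception):
    pass


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Sealer:
    """seal(data, ttl) -> 'body.tag'; verify_seal(token) -> data or IntegrityException."""

    def __init__(self, key, clock=time.time):
        self.key = key
        self.clock = clock                              # injectable for tests

    def seal(self, data, ttl_s):
        payload = {"exp": int(self.clock()) + ttl_s, "data": data}
        body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def verify_seal(self, token):
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not body or not hmac.compare_digest(tag, expected):   # constant-time compare first
            raise IntegrityException("seal tampered with or malformed")
        payload = json.loads(_b64d(body))                # only decoded after the tag checks out
        if self.clock() > payload["exp"]:
            raise IntegrityException("seal expired")
        return payload["data"]

    def is_valid_seal(self, token):
        try:
            self.verify_seal(token)
            return True
        except (IntegrityException, ValueError):
            return False


def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA-256, stored as a self-describing string."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${_b64e(salt)}${_b64e(digest)}"


def verify_password(password, stored):
    algo, iterations, salt, digest = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _b64d(salt), int(iterations))
    return hmac.compare_digest(candidate, _b64d(digest))


if __name__ == "__main__":
    sealer = Sealer(b"demo-key-not-for-production")       # constructed key
    token = sealer.seal({"cart": [1, 2]}, ttl_s=300)
    print(token)
    print(sealer.verify_seal(token))
    print(sealer.is_valid_seal(token[:-1] + ("0" if token[-1] != "0" else "1")))   # tag altered
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))
```

The tag is checked before the body is parsed, so a forged body never reaches json.loads, and the expiry lives inside the signed body, so it cannot be extended by the client. For a querystring or hidden field the token is placed as-is; for a cookie it is additionally sent with the Secure and HttpOnly flags the HTTPUtilities slide lists under Add Safe Cookie.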

Exception Handling

    • AccessControlException
    • AuthenticationException
    • AvailabilityException
    • EncodingException
    • EncryptionException
    • ExecutorException
    • IntegrityException
    • IntrusionException
    • ValidationException


IntrusionDetector

    • Responses: Logout User, Log Intrusion, Disable Account
    • Configurable Thresholds

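The detector's contract is small: every security exception is also an event; when events of one kind for the same user cross a threshold (a count within an interval, both configurable) the configured responses run. Below is an added example, not ESAPI's code; the three responses are the ones on the slide, but the threshold numbers are constructed and are not ESAPI's shipped defaults.

```python
"""Threshold-based intrusion detection of the kind ESAPI's IntrusionDetector
performs: security events are counted per user, a threshold means "N events
within an interval", and crossing it runs the configured responses. Added
example, not ESAPI's code; the threshold values below are constructed."""
import time
from collections import defaultdict, deque


class Threshold:
    def __init__(self, count, interval_s, actions):
        self.count, self.interval_s, self.actions = count, interval_s, tuple(actions)


# Event name -> threshold (hypothetical numbers, not ESAPI's shipped defaults)
THRESHOLDS = {
    "IntrusionException":      Threshold(1, 1, ["log", "logout"]),              # one is enough
    "AuthenticationException": Threshold(3, 60, ["log", "logout"]),             # 3 bad logins a minute
    "ValidationException":     Threshold(10, 60, ["log", "logout", "disable"]),
    "AccessControlException":  Threshold(2, 60, ["log", "logout", "disable"]),
}


class IntrusionDetector:
    def __init__(self, thresholds=THRESHOLDS, clock=time.monotonic):
        self.thresholds = thresholds
        self.clock = clock                          # injectable so tests need not sleep
        self._windows = defaultdict(deque)          # (user, event) -> timestamps in window
        self.log = []
        self.logged_out = set()
        self.disabled = set()

    def add_event(self, user, event_name):
        """Record one event; return the responses taken ([] while under threshold)."""
        threshold = self.thresholds.get(event_name)
        if threshold is None:
            return []
        now = self.clock()
        window = self._windows[(user, event_name)]
        window.append(now)
        while window and now - window[0] > threshold.interval_s:   # sliding window
            window.popleft()
        if len(window) < threshold.count:
            return []
        taken = []
        for action in threshold.actions:
            self._respond(action, user, event_name)
            taken.append(action)
        return taken

    def _respond(self, action, user, event_name):
        if action == "log":
            self.log.append(f"INTRUSION {event_name} by {user}")
        elif action == "logout":
            self.logged_out.add(user)               # what Authenticator.logout() would do
        elif action == "disable":
            self.disabled.add(user)                 # what User.disable() would do

    def is_disabled(self, user):
        return user in self.disabled


if __name__ == "__main__":
    det = IntrusionDetector()
    for attempt in range(3):                        # constructed: three bad logins in a row
        print("mallory login failure", attempt + 1, "->",
              det.add_event("mallory", "AuthenticationException"))
    print("log:", det.log, "logged out:", det.logged_out)
```

The sliding window means three failures spread over more than a minute never trip the login threshold, while an IntrusionException (for example raised by a canonicalizer that found mixed encoding) fires on its first occurrence. Responses are idempotent, so a user who keeps going after being logged out simply stays logged out; the injected clock exists so the thresholds can be tested without sleeping.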
OWASP TOP 10 → ESAPI

    A1: Injection                                     Encoder
    A2: Cross Site Scripting (XSS)                    Encoder, Validator
    A3: Broken Authentication and Session Management  Authenticator, User, HTTPUtilities
    A4: Insecure Direct Object Reference              AccessReferenceMap, AccessController
    A5: Cross Site Request Forgery (CSRF)             User (CSRF Token)
    A6: Security Misconfiguration                     SecurityConfiguration
    A7: Insecure Cryptographic Storage                Encryptor
    A8: Failure to Restrict URL Access                AccessController
    A9: Insufficient Transport Layer Protection       HTTPUtilities (Secure Cookie, Channel)
    A10: Unvalidated Redirects and Forwards           AccessController


Objective -C



               Authentication     2.0   1.4   1.4   1.4
                       Identity   2.0   1.4   1.4   1.4
               Access Control     2.0   1.4   1.4   1.4   1.4
              Input Validation    2.0   1.4   1.4   1.4   1.4   1.4   2.0
              Output Escaping     2.0   1.4   1.4   1.4         1.4   2.0
              Canonicalization    2.0   1.4   1.4   1.4         1.4   2.0
                   Encryption     2.0   1.4   1.4   1.4   1.4
            Random Numbers        2.0   1.4   1.4   1.4   1.4
           Exception Handling     2.0   1.4   1.4   1.4   1.4   1.4   2.0
                       Logging    2.0   1.4   1.4   1.4   1.4   1.4   2.0
           Intrusion Detection    2.0   1.4   1.4   1.4
        Security Configuration 2.0       1.4   1.4   1.4   1.4   1.4   2.0
                        WAF       2.0



Adopters

Additional Resources
  • OWASP Home Page
    http://www.owasp.org
  • ESAPI Project Page
    http://www.esapi.org
  • ESAPI-Users Mailing List
    https://lists.owasp.org/mailman/listinfo/esapi-users
  • ESAPI-Dev Mailing List
    https://lists.owasp.org/mailman/listinfo/esapi-dev

Questions?
  • philippe@ph-il.ca
  • http://www.ph-il.ca
  • @SecureSymfony
  • http://www.ph-il.ca/en/conferences
  • http://www.ph-il.ca/fr/conferences
Saturday, 2011-02-26

More Related Content

Similar to Entreprise Security API - OWASP Montreal

OWASP Enterprise Security API
OWASP Enterprise Security APIOWASP Enterprise Security API
OWASP Enterprise Security APIConFoo
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The Philosophy
Nelson Brito
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
High-Tech Bridge SA (HTBridge)
 
Affrontare in modo efficace la sfida dei microservizi
Affrontare in modo efficace la sfida dei microserviziAffrontare in modo efficace la sfida dei microservizi
Affrontare in modo efficace la sfida dei microservizi
wellD
 
Unethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionUnethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injection
Satyajit Mukherjee
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Treeshashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
tmd800
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a
 
Von Bayern in die Cloud
Von Bayern in die CloudVon Bayern in die Cloud
Von Bayern in die Cloud
Alexey Gravanov
 
DWX2015 - Von Bayern in die Cloud
DWX2015 - Von Bayern in die CloudDWX2015 - Von Bayern in die Cloud
DWX2015 - Von Bayern in die Cloud
philippgarbe
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
Robert MacLean
 
SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2
SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2
SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2
Mark Tabladillo
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
An overview of Microsoft data mining technology
An overview of Microsoft data mining technologyAn overview of Microsoft data mining technology
An overview of Microsoft data mining technology
Mark Tabladillo
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely Insecure
Achievers Tech
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation   Hardening Sql ServerAdmin Tech Ed Presentation   Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Serverrsnarayanan
 
An overview of microsoft data mining technology
An overview of microsoft data mining technologyAn overview of microsoft data mining technology
An overview of microsoft data mining technology
Mark Tabladillo
 
MySQL Ecosystem in 2020
MySQL Ecosystem in 2020MySQL Ecosystem in 2020
MySQL Ecosystem in 2020
Alkin Tezuysal
 
MySQL Cluster
MySQL ClusterMySQL Cluster
MySQL Cluster
Mario Beck
 

Similar to Entreprise Security API - OWASP Montreal (20)

OWASP Enterprise Security API
OWASP Enterprise Security APIOWASP Enterprise Security API
OWASP Enterprise Security API
 
The Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The PhilosophyThe Departed: Exploit Next Generation® – The Philosophy
The Departed: Exploit Next Generation® – The Philosophy
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
 
Affrontare in modo efficace la sfida dei microservizi
Affrontare in modo efficace la sfida dei microserviziAffrontare in modo efficace la sfida dei microservizi
Affrontare in modo efficace la sfida dei microservizi
 
Unethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injectionUnethical access to website’s databases hacking using sql injection
Unethical access to website’s databases hacking using sql injection
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Treeshashdays 2011: Christian Bockermann - Protecting Databases with Trees
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
 
Full MSSQL Injection PWNage
Full MSSQL Injection PWNageFull MSSQL Injection PWNage
Full MSSQL Injection PWNage
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
Von Bayern in die Cloud
Von Bayern in die CloudVon Bayern in die Cloud
Von Bayern in die Cloud
 
DWX2015 - Von Bayern in die Cloud
DWX2015 - Von Bayern in die CloudDWX2015 - Von Bayern in die Cloud
DWX2015 - Von Bayern in die Cloud
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
 
SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2
SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2
SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
An overview of Microsoft data mining technology
An overview of Microsoft data mining technologyAn overview of Microsoft data mining technology
An overview of Microsoft data mining technology
 
Your Web Application Is Most Likely Insecure
Your Web Application Is Most Likely InsecureYour Web Application Is Most Likely Insecure
Your Web Application Is Most Likely Insecure
 
Admin Tech Ed Presentation Hardening Sql Server
Admin Tech Ed Presentation   Hardening Sql ServerAdmin Tech Ed Presentation   Hardening Sql Server
Admin Tech Ed Presentation Hardening Sql Server
 
An overview of microsoft data mining technology
An overview of microsoft data mining technologyAn overview of microsoft data mining technology
An overview of microsoft data mining technology
 
MySQL Ecosystem in 2020
MySQL Ecosystem in 2020MySQL Ecosystem in 2020
MySQL Ecosystem in 2020
 
MySQL Cluster
MySQL ClusterMySQL Cluster
MySQL Cluster
 

More from Philippe Gamache

Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)
Philippe Gamache
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
Philippe Gamache
 
Mentor et votre équipe
Mentor et votre équipeMentor et votre équipe
Mentor et votre équipe
Philippe Gamache
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017
Philippe Gamache
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017
Philippe Gamache
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Philippe Gamache
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009
Philippe Gamache
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009
Philippe Gamache
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Philippe Gamache
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009
Philippe Gamache
 

More from Philippe Gamache (14)

Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)Cryptographie 101 Pour les programmeurs (PHP)
Cryptographie 101 Pour les programmeurs (PHP)
 
Content-Security-Policy 2018.0
Content-Security-Policy 2018.0Content-Security-Policy 2018.0
Content-Security-Policy 2018.0
 
Mentor et votre équipe
Mentor et votre équipeMentor et votre équipe
Mentor et votre équipe
 
Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017
 
Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017Browser Serving Your We Application Security - ZendCon 2017
Browser Serving Your We Application Security - ZendCon 2017
 
Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017Browser Serving Your Web Application Security - Madison PHP 2017
Browser Serving Your Web Application Security - Madison PHP 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
 
One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009One hour application - PHP Quebec Conference 2009
One hour application - PHP Quebec Conference 2009
 
Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009Une application en deux heure - PHP Québec Janvier 2009
Une application en deux heure - PHP Québec Janvier 2009
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
 
Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009Auditing and securing PHP applications - FRHACK 2009
Auditing and securing PHP applications - FRHACK 2009
 

Recently uploaded

By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

Entreprise Security API - OWASP Montreal

  • 1. Enteprise Security API ESAPI Saturday, 2011-02-26
  • 6. The problems • Input Validation and Output Encoding • Authentication and Identity • URL Access Control • Business Function Access Control • Data Layer Access Control Saturday, 2011-02-26
  • 7. The problems • Presentation Layer Access Control • Errors, Logging, and Intrusion Detection • Encryption, Hashing, and Randomness Saturday, 2011-02-26
  • 8. OWASP TOP 10 A2 – Cross-Site Scripting A1 – Injection (XSS) A3 – Broken Authentication A4 – Insecure Direct and Session Management Object References A5 – Cross-Site Request A6 – Security Forgery (CSRF) Misconfiguration A7 – Insecure A8 - Failure to Restrict Cryptographic Storage URL Access A9 - Insufficient Transport A10 – Unvalidated Layer Protection Redirects and Forwards Saturday, 2011-02-26
  • 9. And over 300 others security problems types Saturday, 2011-02-26
  • 10. Vulnerabilities and Security Controls Ignored Misused Broken Missing Saturday, 2011-02-26
  • 11. Why Input Validation Is Hard? Saturday, 2011-02-26
  • 13. Percent (url) Encoding • %3c • %3C Saturday, 2011-02-26
  • 14. HTML Entity Encoding • &#60 • &#60; • &#060 • &#060; • &#0060 • &#0060; • &#00060 • &#00060; • &#000060 • &#000060; • &#0000060 • &#0000060; Saturday, 2011-02-26
  • 15. HTML Entity Encoding • &#x3c • &#x3c; • &#x03c • &#x03c; • &#x003c • &#x003c; • &#x0003c • &#x0003c; • &#x00003c • &#x00003c; • &#x000003c • &#x000003c; Saturday, 2011-02-26
  • 16. HTML Entity Encoding • &#X3c • &#X3c; • &#X03c • &#X03c; • &#X003c • &#X003c; • &#X0003c • &#X0003c; • &#X00003c • &#X00003c; • &#X000003c • &#X000003c; Saturday, 2011-02-26
  • 17. HTML Entity Encoding • &#x3C • &#x3C; • &#x03C • &#x03C; • &#x003C • &#x003C; • &#x0003C • &#x0003C; • &#x00003C • &#x00003C; • &#x000003C • &#x000003C; Saturday, 2011-02-26
  • 18. HTML Entity Encoding • &#X3C • &#X3C; • &#X03C • &#X03C; • &#X003C • &#X003C; • &#X0003C • &#X0003C; • &#X00003C • &#X00003C; • &#X000003C • &#X000003C; Saturday, 2011-02-26
  • 19. HTML Entity Encoding • &lt • &lt; • &lT • &lT; • &Lt • &Lt; • &LT • &LT; Saturday, 2011-02-26
  • 20. JavaScript Escape • < • x3C • x3c • X3C • X3c • u003C • u003c • U003C • U003c Saturday, 2011-02-26
  • 21. CSS Escape • 3c • 3C • 03c • 03C • 003c • 003C • 0003c • 0003C • 00003c • 00003C Saturday, 2011-02-26
  • 22. UTF-7 vs UTF-8 • +ADw- • %c0%bc • %e0%80%bc • %f0%80%80%bc • %f8%80%80%80%bc • %fc%80%80%80%80%bc Saturday, 2011-02-26
  • 23. 1,677,721,600,000,000 ways to encode <script> Saturday, 2011-02-26
  • 25. What is Enterprise Security API? Saturday, 2011-02-26
  • 26. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
  • 27. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
  • 28. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
  • 29. Overview of the Architectural Impact Saturday, 2011-02-26
  • 30. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 31. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling isAuthorizedForURL() isAuthorizedForFile() isAuthorizedForData() Logger isAuthorizedForService() isAuthorizedForFunction() IntrusionDetector SecurityConfiguration
  • 32. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 33. Entreprise Security API <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties ->validator() Exception Handling IntrusionDetector AccessController ->getValidInput( Randomizer Authenticator HTTPUtilities String $context, Encryptor Validator Encoder Logger String $input, User String type, int $maxLength, boolean allowNull, ValidationErrorList $errorList); ?> Saturday, 2011-02-26
  • 34. Entreprise Security API assertIsValidHttpRequest() interface SecurityConfiguration AccessReferenceMap EncryptedProperties assertIsValidHttpRequest Exception Handling ValidationRule IntrusionDetector AccessController ParameterSet() Randomizer Authenticator HTTPUtilities assertIsValidFileUpload() Encryptor Validator Encoder Logger User abstract BaseValidationRule getValidDate() getValidDouble() getValidDirectoryPath() getValidDouble() CreditCard getValidFileContent() ValidationRule getValidFileName() Saturday, 2011-02-26
  • 35. Entreprise Security API isValidCreditCard() interface SecurityConfiguration isValidDataFromBrowse() AccessReferenceMap EncryptedProperties Exception Handling ValidationRule IntrusionDetector AccessController isValidDirectoryPath() Authenticator HTTPUtilities Randomizer isValidFileContent() Encryptor Validator Encoder isValidFileName() Logger User abstract isValidHTTPRequest() BaseValidationRule isValidListItem() isValidRedirectLocation() isValidSafeHTML() CreditCard isValidPrintable() ValidationRule safeReadLine() Saturday, 2011-02-26
  • 36. Entreprise Security API encodeForCSS <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties encodeForDN ->encoder() Exception Handling IntrusionDetector AccessController encodeForHTML ->encodeForHTML($name) Authenticator HTTPUtilities Randomizer encodeForLDAP ?> Encryptor Validator Encoder Logger encodeForSQL User encodeForURL encodeForJavaScript encodeForXML encodeForHTMLAttribute encodeForXPath encodeForVBScript encodeForXMLAttribute encodeForXPath Saturday, 2011-02-26
  • 37. Entreprise Security API •Add Safe Header •isSecureChannel SecurityConfiguration AccessReferenceMap EncryptedProperties •Safe Request Logging Exception Handling •No Cache Headers IntrusionDetector AccessController •Set Content Type •Safe File Uploads Authenticator HTTPUtilities Randomizer Encryptor Validator •Add Safe Cookie Encoder Logger User •Kill Cookie •sendSafeForward •Change SessionID •sendSafeRedirect •CSRF Tokens •Encrypt State in Cookie •Hidden Field Encryption •Querystring Encryption Saturday, 2011-02-26
  • 38. Entreprise Security API •Integrity Seals SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling •Strong GUID IntrusionDetector AccessController Authenticator •Random Tokens HTTPUtilities Randomizer Encryptor Validator <?php $encrypted = •Encryption Encoder Logger User $ESAPI->encryptor() ->encrypt($text) •Digital Signatures ?> •Salted Hash •Safe Config Details •Timestamp Saturday, 2011-02-26
  • 39. Enterprise Security API (component diagram slide: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration; no further text).
  • 40. Enterprise Security API (component diagram slide, same components as slide 39; no further text).
  • 41. Enterprise Security API: Exception Handling (highlighted in the ESAPI component diagram). AccessControlException, AuthenticationException, AvailabilityException, EncodingException, EncryptionException, ExecutorException, IntegrityException, IntrusionException, ValidationException.
  • 42. Enterprise Security API (component diagram slide, same components as slide 39; no further text).
  • 43. Enterprise Security API: IntrusionDetector (highlighted in the ESAPI component diagram). Responses: Logout User, Log Intrusion, Disable Account. Configurable Thresholds.
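The configurable thresholds and responses named on this slide, as an added example that is not ESAPI's own IntrusionDetector: a sliding-window counter per user and event type that returns the configured responses once a threshold is crossed. The class name, the configuration shape and the in-memory store are assumptions; the event names reuse the exception names from slide 41.

```php
<?php
// Added example, not ESAPI's own IntrusionDetector: each event type has a
// configurable threshold (count within an interval) and a list of responses.
// Thresholds and store are in memory for the demo; a real deployment would
// read them from configuration and share the store across requests.
final class IntrusionDetector
{
    /** @var array<string, array{count:int, interval:int, actions:string[]}> */
    private array $thresholds;
    /** @var array<string, int[]> event timestamps keyed by "user|event" */
    private array $events = [];

    public function __construct(array $thresholds) { $this->thresholds = $thresholds; }

    /** Records one event; returns the responses to apply, or [] if under threshold. */
    public function addEvent(string $user, string $event, ?int $now = null): array
    {
        $now = $now ?? time();
        if (!isset($this->thresholds[$event])) {
            return []; // unconfigured event types are not tracked
        }
        $t   = $this->thresholds[$event];
        $key = $user . '|' . $event;
        // Keep only the events that fall inside the sliding window.
        $this->events[$key] = array_values(array_filter(
            $this->events[$key] ?? [],
            fn(int $ts): bool => $ts > $now - $t['interval']
        ));
        $this->events[$key][] = $now;
        if (count($this->events[$key]) < $t['count']) {
            return [];
        }
        $this->events[$key] = []; // reset so the response fires once per burst
        return $t['actions'];
    }
}

// Constructed configuration: 3 validation failures in 60 s -> log only;
// 5 authentication failures in 5 min -> log, logout and disable the account.
$detector = new IntrusionDetector([
    'ValidationException'     => ['count' => 3, 'interval' => 60,  'actions' => ['log']],
    'AuthenticationException' => ['count' => 5, 'interval' => 300, 'actions' => ['log', 'logout', 'disable']],
]);

// Five failed logins for one user, one second apart.
$t0 = 1000000;
foreach (range(0, 4) as $i) {
    $responses = $detector->addEvent('alice', 'AuthenticationException', $t0 + $i);
    echo 'attempt ' . ($i + 1) . ': ' . (empty($responses) ? 'no action' : implode(', ', $responses)) . "\n";
}
```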
  • 44. Enterprise Security API (component diagram slide, same components as slide 39; no further text).
  • 45. OWASP TOP 10 mapped to ESAPI components:
      A1: Injection -> Encoder
      A2: Cross Site Scripting (XSS) -> Encoder, Validator
      A3: Broken Authentication and Session Management -> Authenticator, User, HTTPUtilities
      A4: Insecure Direct Object Reference -> AccessReferenceMap, AccessController
      A5: Cross Site Request Forgery (CSRF) -> User (CSRF Token)
      A6: Security Misconfiguration -> SecurityConfiguration
      A7: Insecure Cryptographic Storage -> Encryptor
      A8: Failure to Restrict URL Access -> AccessController
      A9: Insufficient Transport Layer Protection -> HTTPUtilities (Secure Cookie, Channel)
      A10: Unvalidated Redirects and Forwards -> AccessController
  • 46. ESAPI implementation matrix (table; the language column headers are not recoverable here apart from Objective-C). Rows, each marked with the version numbers 2.0 / 1.4 per implementation: Authentication, Identity, Access Control, Input Validation, Output Escaping, Canonicalization, Encryption, Random Numbers, Exception Handling, Logging, Intrusion Detection, Security Configuration, WAF.
  • 48. Additional Resources • OWASP Home Page http://www.owasp.org • ESAPI Project Page http://www.esapi.org • ESAPI-Users Mailing List https://lists.owasp.org/mailman/listinfo/esapi-users • ESAPI-Dev Mailing List https://lists.owasp.org/mailman/listinfo/esapi-dev
  • 49. Questions? • philippe@ph-il.ca • http://www.ph-il.ca • @SecureSymfony • http://www.ph-il.ca/en/conferences • http://www.ph-il.ca/fr/conferences