1 12 June 2012
OWASP Enterprise Security API (ESAPI)
Zehra Saadet Öztürk Oksijen ARGE
9 June 2012
What is ESAPI?
> A security control library for web applications
> Provides interfaces for addressing security problems
> Versions exist for Java, .NET, ASP, PHP, Python, JavaScript, C and C++
> Free, open source
> BSD licensed
ESAPI
[Architecture diagram]
Custom Enterprise Web Application
Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
Existing Enterprise Security Services/Libraries
ESAPI Input Validation
>White List Validation
>Canonicalize
> Intrusion Detection
> Example methods
> getValidSafeHTML
> getValidDate
> getValidNumber
> getValidFileContent
> getValidFileName
> getValidCreditCard
> isValidFileUpload
> isValidHTTPRequestParameterSet
ESAPI Input Validation
Representations of the single character "<" under different encodings (the slide's canonicalization example):
Percent Encoding: %3c, %3C
HTML Entity Encoding: &lT, &Lt, &lT;, ≪ (the other named and numeric entity forms listed in this row were decoded to a literal "<" in the transcript)
JavaScript Escape: \<, \x3c, \X3c, \u003c, \U003c, \x3C, \X3C, \u003C, \U003C
CSS Escape: \3c, \03c, \003c, \0003c, \00003c, \3C, \03C, \003C, \0003C, \00003C
Overlong UTF-8: %c0%bc, %e0%80%bc, %f0%80%80%bc, %f8%80%80%80%bc, %fc%80%80%80%80%bc
US-ASCII: ¼
UTF-7: +ADw-
Punycode: <-
ESAPI Input Validation
> getValidInput
> validation.properties
> Validator.MSISDN=^(9054[0-9]{8}|9050[0-9]{8}|9053[0-9]{8}|9055[0-9]{8})$
> Validator.employeeID=^([A-Za-z0-9]{20,50})$
[Class diagram]
«interface» Validator (ESAPI interface): +isValidInput(), +...()
DefaultValidator (ESAPI reference implementation; does not include an "isValidEmployeeID" function): +isValidInput(), +...()
MyValidator (your implementation; has additional and/or perhaps changed functions compared to the reference implementation; may also be modified): +isValidInput(), +...(), +isValidEmployeeID()
ESAPI Input Validation - Example
try {
    // Sanitizes the markup against the configured AntiSamy policy, max 1000 chars, null allowed
    String cleanMarkup = ESAPI.validator().getValidSafeHTML(
        "htmlInput", htmlInput, 1000, true);
    // White-list check against the Validator.MSISDN regex in validation.properties
    String cleanMsisdn = ESAPI.validator().getValidInput(
        "msisdn:" + msisdnInput, msisdnInput, "MSISDN", 12, false);
    // White-list check against Validator.pwdWhiteList; note that the context string
    // ends up in the log message on failure, so putting the raw password in it is unwise
    String cleanPassword = ESAPI.validator().getValidInput(
        "pwd:" + pwdInput, pwdInput, "pwdWhiteList", 15, true);
} catch (ValidationException e) {
    logger.error("[Validation Failed] " + e.getMessage());
} catch (IntrusionException e) {
    logger.error("[Intrusion] " + e.getMessage());
}
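The class diagram above shows a MyValidator that adds isValidEmployeeID to the reference implementation, and validation.properties supplies the Validator.employeeID regex it checks against. The following is an added example of what that class can look like; it is not code from the slides or from the ESAPI project. It assumes the ESAPI 2.x Java API, the package name com.example, and that ESAPI.properties contains ESAPI.Validator=com.example.MyValidator so that ESAPI.validator() returns this class.

```java
// Added example (not from the slides): a custom Validator that extends the ESAPI
// reference implementation with the isValidEmployeeID/getValidEmployeeID pair
// from the class diagram. The package name is an assumption; the regex it uses
// is the Validator.employeeID entry from validation.properties on the slide.
package com.example;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.DefaultValidator;

public class MyValidator extends DefaultValidator {

    // Looked up as "Validator.employeeID" in validation.properties
    private static final String EMPLOYEE_ID_TYPE = "employeeID";
    private static final int EMPLOYEE_ID_MAX_LEN = 50;

    public MyValidator() {
        super();
    }

    /** Returns the canonicalized, white-listed employee ID or throws. */
    public String getValidEmployeeID(String context, String input, boolean allowNull)
            throws ValidationException, IntrusionException {
        // getValidInput canonicalizes first, so percent- or entity-encoded
        // variants are reduced before the ^([A-Za-z0-9]{20,50})$ regex runs.
        return getValidInput(context, input, EMPLOYEE_ID_TYPE, EMPLOYEE_ID_MAX_LEN, allowNull);
    }

    /** Boolean form for callers that only need a yes/no answer. */
    public boolean isValidEmployeeID(String context, String input) {
        try {
            getValidEmployeeID(context, input, false);
            return true;
        } catch (ValidationException e) {
            return false;
        }
    }

    /** Caller side, once ESAPI.Validator in ESAPI.properties names this class. */
    public static String lookupEmployee(String rawId) {
        MyValidator v = (MyValidator) ESAPI.validator();
        try {
            // The context names the field for the log; the raw input stays out of it.
            String id = v.getValidEmployeeID("employeeId", rawId, false);
            return "employee " + id;   // validated value, safe to use downstream
        } catch (ValidationException e) {
            ESAPI.getLogger(MyValidator.class).warning(Logger.SECURITY_FAILURE,
                    "Rejected employee ID: " + e.getLogMessage());
            return null;
        }
    }
}
```

IntrusionException is a RuntimeException in ESAPI, so it propagates out of isValidEmployeeID on purpose: an input that trips the intrusion detector (for example mixed or double encoding) is not merely "invalid" and should be handled by the caller's intrusion path rather than treated as a false return value.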
ESAPI Output Encoding
> When doing output encoding...
> Target interpreter & the correct encoding method
> Which characters?
> Double encoding!
> encodeForJavaScript(String input)
> encodeForHTML(String input)
> encodeForCSS(String input)
> encodeForLDAP(String input)
> encodeForXPath(String input)
> encodeForXML(String input)
> String canonicalize(String input)
Rule #0: Never Insert Untrusted Data Except in Allowed Locations
Rule #1: HTML Escape in HTML Element Content
ESAPI.encoder().encodeForHTML(input)
Rule #2: Attribute Escape in HTML Common Attributes
ESAPI.encoder().encodeForHTMLAttribute(input)
Rule #3: JavaScript Escape in HTML JavaScript Data Values
ESAPI.encoder().encodeForJavaScript(input)
Rule #4: CSS Escape in HTML Style Property Values
ESAPI.encoder().encodeForCSS(input)
Rule #5: URL Escape in HTML URL Attributes
ESAPI.encoder().encodeForURL(input)
ESAPI Output Encoding – Example: XSS
<script>
x=<%=request.getParameter("input")%>
</script>
<Table>
<TR>
<TD>Full Name:</TD>
<TD><%=user.getFirstName()%> <%=user.getLastName()%></TD>
<TD><a href='sendMessage?userId=<%=user.getId()%>'>Send Message</a></TD>
ESAPI Output Encoding – XSS
<script>
x='<%=ESAPI.encoder().encodeForJavaScript(request.getParameter("input"))%>'
</script>
<Table><TR>
<TD>Full Name:</TD>
<TD><%=ESAPI.encoder().encodeForHTML(user.getFirstName())%> <%=ESAPI.encoder().encodeForHTML(user.getLastName())%></TD>
<TD><a href='sendMessage?userId=<%=ESAPI.encoder().encodeForURL(String.valueOf(user.getId()))%>'>Send Message</a></TD>
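The corrected JSP above applies one encoder per output context. The following is an added example, not from the slides or the ESAPI project, that renders the same user row from plain Java so each of Rules #1 to #5 is visible on its own line, and adds the "Double encoding!" check from the previous slide. It assumes the ESAPI 2.x Java API; the User class is a constructed stand-in with the three getters the JSP uses, and the cssColor parameter is a hypothetical extra value added only to show Rule #4.

```java
// Added example (not from the slides): the "user row" from the JSP fragments,
// rendered from Java with one encoder per output context, following Rules #1-#5.
// User is a constructed stand-in; cssColor is a hypothetical value for Rule #4.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.IntrusionException;

public class UserRowRenderer {

    /** Constructed stand-in for the slide's user object. */
    public static class User {
        private final String firstName, lastName, id;
        public User(String firstName, String lastName, String id) {
            this.firstName = firstName; this.lastName = lastName; this.id = id;
        }
        public String getFirstName() { return firstName; }
        public String getLastName()  { return lastName; }
        public String getId()        { return id; }
    }

    private final Encoder enc = ESAPI.encoder();

    public String render(User user, String jsInput, String cssColor) throws EncodingException {
        StringBuilder html = new StringBuilder();

        // Rule #3: the value sits inside a quoted JS string literal and is
        // JavaScript-escaped; without the quotes the escaping does not help.
        html.append("<script>var x='")
            .append(enc.encodeForJavaScript(jsInput))
            .append("';</script>\n");

        // Rule #4 (hypothetical style value): CSS-escape for the inner CSS
        // context first, then attribute-escape for the outer HTML attribute,
        // because the browser decodes the attribute before the CSS parser runs.
        html.append("<table><tr style=\"color: ")
            .append(enc.encodeForHTMLAttribute(enc.encodeForCSS(cssColor)))
            .append("\">");

        // Rule #1: element content is HTML-escaped.
        html.append("<td>Full Name:</td><td>")
            .append(enc.encodeForHTML(user.getFirstName())).append(' ')
            .append(enc.encodeForHTML(user.getLastName())).append("</td>");

        // Rule #5: a query-string value is URL-escaped; the enclosing href is a
        // quoted attribute, so the value cannot end the attribute early (Rule #2).
        html.append("<td><a href='sendMessage?userId=")
            .append(enc.encodeForURL(user.getId()))
            .append("'>Send Message</a></td></tr></table>");

        return html.toString();
    }

    /** "Double encoding!" check: ESAPI's strict canonicalize() raises
     *  IntrusionException for input encoded more than once (e.g. %253C) or
     *  with mixed encodings, which a well-formed request never needs. */
    public static boolean isMultiplyEncoded(String input) {
        try {
            ESAPI.encoder().canonicalize(input);
            return false;
        } catch (IntrusionException e) {
            return true;
        }
    }
}
```

The order of nested encoders in the Rule #4 line is the general pattern for any value that passes through two interpreters: encode for the interpreter that runs last first, then for the one that runs first.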
ESAPI Encoding – Example: SQL Injection
> encodeForSQL is not a recommended method
> What should really be done is to use PreparedStatement
String query = "SELECT account_balance FROM user_data WHERE user_name = "
    + request.getParameter("customerName");
// encodeForSQL only escapes characters inside a quoted literal, so the value
// must be surrounded by quotes for the encoding to mean anything
String query = "SELECT account_balance FROM user_data WHERE user_name = '"
    + ESAPI.encoder().encodeForSQL(new OracleCodec(), request.getParameter("customerName")) + "'";
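The slide recommends PreparedStatement over encodeForSQL. The following is an added example, not from the slides or the ESAPI project, of the same query written that way, with an optional ESAPI white-list check in front of it. It assumes a container-provided javax.sql.DataSource and, for the optional check, a Validator.customerName regex in validation.properties; the table and column names are the slide's own.

```java
// Added example (not from the slides): the slide's query with a bound parameter
// instead of string concatenation. DataSource wiring and the optional
// Validator.customerName regex are assumptions of this example.
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

public class AccountBalanceDao {

    private final DataSource ds;

    public AccountBalanceDao(DataSource ds) {
        this.ds = ds;
    }

    /** The customer name is bound as a parameter, never spliced into the SQL
     *  text, so quotes, comments or UNION keywords in it have no syntactic
     *  effect regardless of database vendor or codec. */
    public BigDecimal balanceFor(String customerName) throws SQLException {
        String sql = "SELECT account_balance FROM user_data WHERE user_name = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, customerName);   // bound value, not SQL text
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getBigDecimal("account_balance") : null;
            }
        }
    }

    /** Defence in depth: white-list the name before it reaches the database.
     *  Assumes a Validator.customerName entry in validation.properties. */
    public static String validatedName(String raw) throws ValidationException {
        return ESAPI.validator().getValidInput("customerName", raw, "customerName", 64, false);
    }
}
```

The validation step is not what prevents injection here; the bound parameter does. The white-list only narrows what the application accepts at all, which is useful when the same value later reaches other interpreters (logs, HTML, LDAP) where a bound parameter is not available.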
User Authentication
>ESAPI.properties
– ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
– ESAPI.Authenticator=com.vodafone.myapp.auth.MyAuthenticator
[Class diagram]
«interface» Authenticator (ESAPI interface): +login(), +...()
DefaultAuthenticator (ESAPI reference implementation): +login(), +...()
MyAuthenticator (your implementation; has the same functions as the reference implementation): +login(), +...()
User Authentication
> Creating a user
– Checking username and password strength
– Password hash (SHA-2 hash & username salt)
User user = ESAPI.authenticator().createUser("saadet", "Password1?", "Password1?");
User Authentication
> Login
– Detecting IP address changes
– Changing the session ID
– Locking the account after too many attempts
– Remember me
– not POST, non-SSL
User user = ESAPI.authenticator().login(httpServletRequest, httpServletResponse);
User Authentication
ESAPI.authenticator().getUser("saadet").lock();
ESAPI.authenticator().getUser("saadet").disable();
ESAPI.authenticator().verifyPasswordStrength("oldPassword", "newPassword",
    ESAPI.authenticator().getUser("saadet"));
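The three Authentication slides show the individual calls; the following added example, not from the slides or the ESAPI project, composes them into a login handler, a password change and an administrative lock, each with the ESAPI logger tags from the Logging slide. It assumes the ESAPI 2.x Java API and an Authenticator configured in ESAPI.properties; the class and method names are this example's own.

```java
// Added example (not from the slides): login, password change and lock/disable
// built from the Authenticator calls on the slides, with SECURITY_SUCCESS /
// SECURITY_FAILURE log records. Assumes the ESAPI 2.x Java API.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.EnterpriseSecurityException;

public class LoginHandler {

    private static final Logger logger = ESAPI.getLogger(LoginHandler.class);

    /** Returns the authenticated user, or null after logging the failure. */
    public User login(HttpServletRequest req, HttpServletResponse resp) {
        try {
            // login() reads the credentials from the request and applies the
            // checks listed on the Login slide (POST and secure channel, session
            // ID rotation, failed-attempt lockout, remember-me handling).
            User user = ESAPI.authenticator().login(req, resp);
            logger.info(Logger.SECURITY_SUCCESS, "Login OK: " + user.getAccountName());
            return user;
        } catch (AuthenticationException e) {
            // getLogMessage() is the detailed text for the log; getUserMessage()
            // is the generic text that may be shown to the client. The ESAPI
            // logger encodes CR/LF, so request-derived text in the message
            // cannot forge a second log record.
            logger.warning(Logger.SECURITY_FAILURE, "Login failed: " + e.getLogMessage());
            return null;
        }
    }

    /** Password change: strength is verified against the configured policy and
     *  the user's history before the change is applied. */
    public boolean changePassword(User user, String oldPassword, String newPassword) {
        try {
            ESAPI.authenticator().verifyPasswordStrength(oldPassword, newPassword, user);
            user.changePassword(oldPassword, newPassword, newPassword);
            logger.info(Logger.SECURITY_SUCCESS, "Password changed: " + user.getAccountName());
            return true;
        } catch (EnterpriseSecurityException e) {
            logger.warning(Logger.SECURITY_FAILURE, "Password change refused: " + e.getLogMessage());
            return false;
        }
    }

    /** Administrative lock and disable, as on the slide, with an audit record. */
    public void lockAndDisable(String accountName) throws AuthenticationException {
        User user = ESAPI.authenticator().getUser(accountName);
        if (user == null) {
            throw new AuthenticationException("Account not found",
                    "lock requested for unknown account " + accountName);
        }
        user.lock();     // login refused until unlock()
        user.disable();  // account switched off entirely
        logger.info(Logger.SECURITY_SUCCESS, "Locked and disabled: " + accountName);
    }
}
```

The split between getUserMessage() and getLogMessage() is the point worth keeping: the client sees only the generic sentence, while the reason (bad password, locked account, wrong method) lands in the security log where the intrusion detector and an analyst can see it.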
Access Control
> assertAuthorizedForURL(java.lang.String url)
> assertAuthorizedForFunction(java.lang.String functionName)
> assertAuthorizedForService(java.lang.String serviceName)
> Indirect Object reference
– RandomAccessReferenceMap
Access Control
URLAccessRules.txt
/MyApp/userList.action | any | allow |
/MyApp/userEdit.action | admin | allow |
/MyApp/userDelete.action | standart | deny |
try {
    // Checks the requested URI against URLAccessRules.txt for the current user's roles
    ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI());
    return actionInvocation.invoke();
} catch (AccessControlException e) {
    logger.info(Logger.SECURITY_FAILURE, "[AuthorizationInterceptor] User is not authorized for url: "
        + request.getRequestURI());
    return AUTH_FAILURE;
}
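The previous slide lists "Indirect Object reference" with RandomAccessReferenceMap as the mechanism. The following added example, not from the slides or the ESAPI project, shows that class protecting account numbers in URLs: the client only ever sees a random, per-session token, and resolving it back is itself the authorization check. It assumes the ESAPI 2.x Java API (generic AccessReferenceMap); the account numbers are constructed sample data and the class and method names are this example's own.

```java
// Added example (not from the slides): indirect object references with
// RandomAccessReferenceMap. Assumes the ESAPI 2.x Java API; account numbers
// below are constructed sample data.
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

public class AccountLinks {

    private static final String MAP_ATTR = "accountRefMap";

    /** One map per session, built only from the accounts this user owns, so a
     *  foreign account number never has an indirect reference at all. */
    @SuppressWarnings("unchecked")
    static AccessReferenceMap<String> mapFor(HttpSession session, Set<Object> ownAccounts) {
        AccessReferenceMap<String> map =
                (AccessReferenceMap<String>) session.getAttribute(MAP_ATTR);
        if (map == null) {
            map = new RandomAccessReferenceMap(ownAccounts);
            session.setAttribute(MAP_ATTR, map);
        }
        return map;
    }

    /** Builds the link shown to the user: the query string carries a random
     *  per-session token, not the real account number. */
    static String linkFor(HttpSession session, Set<Object> ownAccounts, String accountNo)
            throws EncodingException {
        String indirect = mapFor(session, ownAccounts).getIndirectReference(accountNo);
        return "account.action?acct=" + ESAPI.encoder().encodeForURL(indirect);
    }

    /** Resolves the incoming parameter back to the real account number. A
     *  guessed, stale or foreign token is absent from the map and fails with
     *  AccessControlException; no separate ownership query is needed. */
    static String resolve(HttpSession session, Set<Object> ownAccounts, String param)
            throws AccessControlException {
        return mapFor(session, ownAccounts).getDirectReference(param);
    }

    /** Constructed sample ownership data in place of a real lookup. */
    static Set<Object> accountsOf(String accountName) {
        Set<Object> own = new HashSet<Object>();
        if ("saadet".equals(accountName)) {
            own.add("TR-0001-4471");   // constructed sample account numbers
            own.add("TR-0001-9920");
        }
        return own;
    }
}
```

Because the map is rebuilt per session from the user's own objects, a token copied from one user's page is meaningless in another user's session, which is what makes this a complete access control rather than merely obfuscation.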
ESAPI and CSRF (Cross Site Request Forgery)
> Adding a CSRF token to a link
<a href='<%=ESAPI.httpUtilities().addCSRFToken("/myapp")%>' target="_blank">Transfer Funds</a>
> Validating the CSRF token when the link is clicked
try {
    // Compares the token in the request with the one stored in the user's session
    ESAPI.httpUtilities().verifyCSRFToken();
    logger.debug(Logger.EVENT_SUCCESS, "CSRF Token Validated");
} catch (IntrusionException e) {
    logger.fatal(Logger.SECURITY_FAILURE, "[Intrusion] CSRF Token Not Validated " + e.getLogMessage());
    return e.getUserMessage();
}
Session Management
> Session Fixation vulnerability
> The attacker gets the user to accept a session key chosen by the attacker
> ESAPI.httpUtilities().changeSessionIdentifier()
ESAPI Cryptography
Encryptor Interface
> String hash(String plainText, String salt) (sha-2)
> CipherText encrypt(SecretKey key, PlainText plain)
> CipherText encrypt(PlainText plain) ( Masterkey in ESAPI.prop)
> PlainText decrypt(CipherText ciphertext)
> PlainText decrypt(SecretKey key, CipherText ciphertext)
> String seal(java.lang.String data, long timestamp)
> String unseal(java.lang.String seal)
> boolean verifySeal(java.lang.String seal)
ESAPI Cryptography
Randomizer Interface
> boolean getRandomBoolean()
> String getRandomFilename(String extension)
> String getRandomGUID()
> int getRandomInteger(int min, int max)
> long getRandomLong()
> float getRandomReal(float min, float max)
> String getRandomString(int length, char[] characterSet)
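The two Cryptography slides list the Encryptor and Randomizer interfaces. The following added example, not from the slides or the ESAPI project, uses them together: encryption under the master key from ESAPI.properties, and a sealed, time-limited token built from a Randomizer string. It assumes the ESAPI 2.x Java API (CipherText/PlainText classes, Encryptor.MasterKey configured); the class and method names are this example's own.

```java
// Added example (not from the slides): master-key encryption and a sealed,
// expiring token from the Encryptor and Randomizer interfaces. Assumes the
// ESAPI 2.x Java API with Encryptor.MasterKey set in ESAPI.properties.
import java.io.IOException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;

public class TokenService {

    /** Encrypts with the master key; the portable form carries IV, cipher
     *  spec, ciphertext and MAC, so the store holds one opaque base64 string. */
    public static String protect(String secret) throws EncryptionException {
        CipherText ct = ESAPI.encryptor().encrypt(new PlainText(secret));
        byte[] portable = ct.asPortableSerializedByteArray();
        return ESAPI.encoder().encodeForBase64(portable, false);
    }

    /** Reverses protect(); a tampered ciphertext fails the MAC check inside
     *  decrypt() and surfaces as EncryptionException. */
    public static String unprotect(String stored) throws EncryptionException, IOException {
        byte[] portable = ESAPI.encoder().decodeFromBase64(stored);
        CipherText ct = CipherText.fromPortableSerializedBytes(portable);
        return ESAPI.encryptor().decrypt(ct).toString();
    }

    /** A password-reset style token: a random nonce sealed with a 15-minute
     *  expiry. The seal is integrity-protected, so neither the account name
     *  nor the timestamp can be altered by the holder. */
    public static String resetToken(String accountName) throws EncryptionException {
        String nonce = ESAPI.randomizer().getRandomString(32, EncoderConstants.CHAR_ALPHANUMERICS);
        long expires = ESAPI.encryptor().getRelativeTimeStamp(15 * 60 * 1000L);
        return ESAPI.encryptor().seal(accountName + ":" + nonce, expires);
    }

    /** unseal() throws once the timestamp has passed or the seal was modified;
     *  only then is the account name trusted. */
    public static String accountFromToken(String token) throws EncryptionException {
        String data = ESAPI.encryptor().unseal(token);
        return data.substring(0, data.indexOf(':'));
    }

    /** Non-throwing variant of the check, matching verifySeal() on the slide. */
    public static boolean tokenStillValid(String token) {
        return ESAPI.encryptor().verifySeal(token);
    }
}
```

The nonce comes from the Randomizer rather than java.util.Random, which is the substitution the HTTP Utilities slide later lists (Math.Random.* -> Randomizer.*): reset tokens must be unpredictable, not merely unique.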
ESAPI Logging
private static final Logger logger = ESAPI.getLogger(TransferFunds.class);
logger.fatal(Logger.SECURITY_FAILURE, "[Intrusion] CSRF Token Not Validated " + e.getLogMessage());
> Tagging mechanism: SECURITY_SUCCESS, SECURITY_FAILURE, EVENT_SUCCESS, EVENT_FAILURE
> Encode CRLF
> Encode HTML characters
> Log4JLogFactory, JavaLogFactory
ESAPI HTTP Utilities
> ESAPI.httpUtilities().setNoCacheHeaders()
> Reader.readLine() -> Validator.safeReadLine()
> Math.Random.* -> Randomizer.*
> ServletResponse.setContentType() -> HTTPUtilities.setContentType()
> ServletResponse.sendRedirect() -> HTTPUtilities.sendSafeRedirect()
> RequestDispatcher.forward() -> HTTPUtilities.sendSafeForward()
> ServletResponse.addHeader() -> HTTPUtilities.addSafeHeader()
> ServletResponse.addCookie() -> HTTPUtilities.addSafeCookie()
> ServletRequest.isSecure() -> HTTPUtilities.isSecureChannel()
> ServletResponse.encodeURL -> HTTPUtilities.safeEncodeURL (better not to use at all)
> ServletResponse.encodeRedirectURL -> HTTPUtilities.safeEncodeRedirectURL (better not to use at all)
> java.security and javax.crypto -> Encryptor.*
> java.net.URLEncoder/Decoder -> Encoder.encodeForURL/decodeForURL
ESAPI Swingset
Thank you...
ESAPI Input Validation
> getValidSafeHTML(String context, String input, int maxLength, boolean allowNull)
> getValidDate(String context, String input, java.text.DateFormat format, boolean allowNull)
> getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull)
> getValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull)
> getValidFileName(String context, String input, boolean allowNull)
> boolean getValidCreditCard(String context, String input, boolean allowNull)
> isValidFileUpload(String context, String filepath, String filename, byte[] content, int maxBytes, boolean allowNull)
> isValidHTTPRequestParameterSet(String context, Set required, Set optional)
ESAPI Input & Output Control
[Diagram: User, Backend Controller, Business Functions and Data Layer, with the Validator and Encoder between the user and the application]
Validator: getValidCreditCard, getValidDirectoryPath, getValidFileContent, getValidFileName, getValidInput, getValidRedirectLocation, getValidDate, getValidPrintable, safeReadLine
Encoder: encodeForURL, encodeForJavaScript, encodeForVBScript, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
Canonicalization, Double Encoding Protection, Normalization, Sanitization