Protecting Web Applications with ESAPI and AppSensor
Manuel Lopez Arredondo, manuel.lopez@owasp.org
“The cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
http://www.theregister.co.uk/2011/09/07/cost_is_more_than_some_drug_trafficking
http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
Why is security important?
Ponemon Institute. (2012). 2012 Cost of Cyber Crime Study. Ponemon Institute LLC.
Why is security important?
Verizon. (2012). 2012 Data Breach Investigations Report. Verizon LLC.
Why is security important?
What is OWASP
Mission Driven
Nonprofit | World Wide | Unbiased
OWASP does not endorse or recommend commercial products or services
What is OWASP
Community Driven
30,000 Mail List Participants
200 Active Chapters in 70 countries
1600+ Members, 56 Corporate Supporters, 69 Academic Supporters
OWASP Guadalajara Chapter
What do we have to offer?
• Community of security professionals
• Monthly meetings
• Mailing List
• Presentations
• Workshops
• Open forums for discussion
• Vendor neutral environments
March 2012 – Till Date: Meetings: 3 | Workshops: 1 | Conference: 1 | News Letter: 3 | Page Visits: 2,528+
https://www.owasp.org/index.php/Guadalajara
What is OWASP
Quality Resources
200+ Projects
15,000+ downloads of tools, documentation
250,000+ unique visitors, 800,000+ page views (monthly)
Quality Resources
[Pie chart: share of OWASP projects by type (Documentation, Tools, Code), with slices of 50%, 40% and 10%]
OWASP Top Ten (2010 Edition)
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Insecure Cryptographic Storage
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
A1 – Injection
Injection means…
• Tricking an application into including unintended commands in the data sent to an interpreter
Interpreters…
• Take strings and interpret them as commands
• SQL, OS Shell, LDAP, XPath, Hibernate, etc…
SQL injection is still quite common
• Many applications are still susceptible (really don’t know why)
• Even though it’s usually very simple to avoid
Typical Impact
• Usually severe. The entire database can usually be read or modified
• May also allow full database schema, or account access, or even OS level access
SQL Injection – Illustrated
[Diagram: an HTTP request crosses the network layer (firewall, hardened OS, web server, app server, firewall) into the application layer, where custom code behind the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce) builds a SQL query against the DB table; the HTTP response flows back the same way. Back-end systems shown: Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing.]
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary (what the attacker receives in the illustration):
Acct: 5424-6066-2134-4334
Acct: 4128-7574-3921-0192
Acct: 5424-9383-2039-4029
Acct: 4128-0004-1234-0293
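The five-step flow above, as an added example that is not part of the original slides: a constructed SQLite `accounts` table stands in for the DB table, `lookup_vulnerable()` pastes the form value into the query text exactly as step 3 describes, and `lookup_parameterized()` is the fix (bound parameters), with an ESAPI-style whitelist check placed in front of it in `lookup_validated()`. The table contents, function names and the account-number regex are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the slide's DB table (the values are the ones shown
# in the illustration's "Account Summary", not real accounts).
ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]

# The form data from step 2 of the slide.
ATTACK = "' OR 1=1--"

# Hypothetical whitelist, in the spirit of an ESAPI validator pattern.
ACCT_PATTERN = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> list:
    # Step 3 as the slide shows it: the form value becomes part of the SQL
    # text, so the interpreter cannot tell the data from the command.
    sql = f"SELECT acct FROM accounts WHERE acct='{acct}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, acct: str) -> list:
    # The fix: the value travels as a bound parameter and is only ever
    # compared as a string; it can no longer change the statement.
    sql = "SELECT acct FROM accounts WHERE acct=?"
    return [row[0] for row in conn.execute(sql, (acct,))]


def lookup_validated(conn: sqlite3.Connection, acct: str) -> list:
    # Defence in depth, the ESAPI way: whitelist-validate first, then run the
    # parameterized query. Rejecting bad input early also gives an in-app
    # intrusion detector a clean event to count.
    if not ACCT_PATTERN.fullmatch(acct):
        raise ValueError("acct failed whitelist validation")
    return lookup_parameterized(conn, acct)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable    :", lookup_vulnerable(db, ATTACK))     # every row leaks
    print("parameterized :", lookup_parameterized(db, ATTACK))  # nothing matches
```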
A2 – Cross-Site Scripting (XSS)
Occurs any time…
• Raw data from attacker is sent to an innocent user’s browser
Raw data…
• Stored in database
• Reflected from web input (form field, hidden field, URL, etc…)
• Sent directly into rich JavaScript client
Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)
Typical Impact
• Steal user’s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site
• Most Severe: Install XSS proxy which allows attacker to observe and direct all user’s behavior on vulnerable site and force user to other sites
Cross-Site Scripting Illustrated
Application with stored XSS vulnerability (custom code behind the business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce)
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker victim’s session cookie
Enterprise Security API
Project Leader: Chris Schmidt, [email protected]
Purpose: A free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
for Reboot
ESAPI - Vision
• Build a common set of security controls for today's most popular programming languages.
• Have interfaces in common across programming languages as much as possible and natural.
• Provide at least a simple reference implementation for each security control to serve as example if not useful in itself.
• Easily extensible
• Provide functionality that is most often needed, but lacking (or inconsistent) in various frameworks / languages.
Using ESAPI (1 of 3)
Getting started
• https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
• Download: http://code.google.com/p/owasp-esapi-java/
• ESAPI Cheat Sheet: https://www.owasp.org/index.php/ESAPI_Cheat_Sheet
• ESAPI Swingset: http://code.google.com/p/owasp-esapi-java-swingset/
Using ESAPI (2 of 3)
Getting help
• ESAPI User mailing list (focuses on Java version): https://lists.owasp.org/mailman/listinfo/esapi-user
• ESAPI Developer mailing list: https://lists.owasp.org/mailman/listinfo/esapi-dev
• ESAPI Project page: http://www.esapi.org/ (coming soon)
Using ESAPI (3 of 3)
Getting involved
• Many other language implementations, all playing catch up
• ESAPI for Java version needs help with user documentation
• ESAPI 2.1 (Java) starting soon
• ESAPI Swingset and Swingset Interactive → Port to use ESAPI 2.0
Enterprise Security API
[Architecture diagram: the Custom Enterprise Web Application calls the Enterprise Security API, which in turn wraps the Existing Enterprise Security Services/Libraries. ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration]
Potential Enterprise ESAPI Cost Savings
Basic ESAPI Approach – Examples
In Java:
```java
String input = request.getParameter("input");
// Throws ValidationException or IntrusionException if there is a problem
String cleaned = ESAPI.validator().getValidInput(
        "Secure input example",  // context, used in error messages and logs
        input,
        "SafeString",            // regex spec
        200,                     // max length
        false,                   // no nulls
        true);                   // canonicalize
String safeHTML = ESAPI.encoder().encodeForHTML(cleaned);
```
Basic ESAPI Approach – Examples
In PHP:
```php
$cleanTmp = array();    // local in scope
$cleanParams = array(); // local in scope
// $input holds the raw request value; validate it first ...
$cleanTmp['username'] =
    ESAPI::getValidator()->getValidInput(
        "Secure input example",
        $input,
        "SafeString",
        200, false, true);
// ... then encode it for the HTML output context
$cleanParams['username'] =
    ESAPI::getEncoder()->encodeForHTML($cleanTmp['username']);
```
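What the validate-then-encode pipeline on the Java and PHP slides does for the stored-XSS flow shown under A2, as an added Python example rather than ESAPI's own code: the whitelist patterns, exception names and the double-encoding rule are assumptions modelled on the `getValidInput()` / `encodeForHTML()` calls above.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical whitelist rules keyed by the name the slide passes as the
# "regex spec" argument; real ESAPI loads these from ESAPI.properties.
VALIDATION_PATTERNS = {
    "SafeString": re.compile(r"^[\w .,'\-]{0,1024}$"),
    "AccountNumber": re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$"),
}


class ValidationException(ValueError):
    """Input failed the whitelist: an ordinary user error."""


class IntrusionException(ValueError):
    """Input looks like deliberate evasion, e.g. double encoding."""


def canonicalize(value: str) -> str:
    # Reduce URL-encoding and HTML entities to the plainest form so a check
    # cannot be bypassed with %3C or &lt; spellings of "<". If a second
    # decoding pass still changes the string, treat it as multiple encoding.
    decoded = html.unescape(unquote(value))
    if decoded == value:
        return value
    if html.unescape(unquote(decoded)) != decoded:
        raise IntrusionException("multiple encoding detected")
    return decoded


def get_valid_input(context: str, value: Optional[str], pattern: str,
                    max_length: int, allow_null: bool,
                    canonicalize_input: bool) -> str:
    # Same argument order as ESAPI.validator().getValidInput() on the slide.
    if value is None or value == "":
        if allow_null:
            return ""
        raise ValidationException(f"{context}: input is required")
    if canonicalize_input:
        value = canonicalize(value)
    if len(value) > max_length:
        raise ValidationException(f"{context}: longer than {max_length}")
    if not VALIDATION_PATTERNS[pattern].fullmatch(value):
        raise ValidationException(f"{context}: does not match {pattern}")
    return value


def encode_for_html(value: str) -> str:
    # Output encoding for an HTML text context: the browser now sees data,
    # never markup, which is what breaks the stored-XSS flow on the A2 slide.
    return html.escape(value, quote=True)


def clean_parameter(raw: Optional[str]) -> str:
    # The two-step pipeline from the slide: validate, then encode for the sink.
    cleaned = get_valid_input("Secure input example", raw, "SafeString",
                              200, False, True)
    return encode_for_html(cleaned)
```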
OWASP ESAPI Project Scorecard: Feature Set vs. Programming Language
Authentication 2.0 1.4 1.4 1.4 2.0 planned
Identity 2.0 1.4 1.4 1.4 2.0 planned
Access Control 2.0 1.4 1.4 1.4 1.4 2.0 planned
Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 2.0
Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 ???
Encryption 2.0 1.4 1.4 1.4 1.4 2.0
Random Numbers 2.0 1.4 1.4 1.4 1.4 2.0
Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 2.0
Intrusion Detection 2.0 1.4 1.4 1.4
Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 TBD
WAF 2.0
Source Code and Javadoc Online Now!
http://code.google.com/p/owasp-esapi-java
AppSensor
Project Leaders: Michael Coates, John Melton, Colin Watson
Purpose: Defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application.
Release: AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc)
https://www.owasp.org/index.php/AppSensor
Create attack aware applications
Detecting Attacks the Right Way
• Detect INSIDE the Application
• Automatic Detection
• Comprehensive
• Minimize False Positives
• Understand Business Logic
• Immediate Response
• No Manual Efforts Required
Detection Points
Implementing AppSensor
[Diagram: Application → Log Server → AppSensor Brain → Response Listener]
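The detection point → brain → response listener loop above, as an added Python sketch that is not the AppSensor project's own code: `AppSensorBrain` keeps a sliding window of events per user and detection point and fires a response only once a threshold is reached (the "minimize false positives" and "immediate response" points from the previous slide), while `DemoApp` embeds one detection point (failed logins) and the listener that enforces the response inside the application. Detection point ids, thresholds, responses and the sample credential are assumptions.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Optional

# Detection points constructed for this example, in the style of AppSensor's
# catalogue; the ids, thresholds and responses below are assumptions:
#   id: (description, events needed, window in seconds, response)
DETECTION_POINTS = {
    "AE2":  ("multiple failed passwords for one user", 3, 60, "lock_account"),
    "IE1":  ("request parameter failed whitelist validation", 5, 120, "logout"),
    "ACE1": ("modified direct object reference", 1, 0, "disable_user"),
}


class AppSensorBrain:
    """Receives events from detection points inside the app and decides, per
    user and detection point, when a threshold has been crossed."""

    def __init__(self, response_listener: Callable[[str, str], None]):
        self._history = defaultdict(deque)   # (user, point) -> timestamps
        self._listener = response_listener
        self.responses = []                  # audit trail: (user, point, response)

    def add_event(self, user: str, point: str,
                  ts: Optional[float] = None) -> Optional[str]:
        ts = time.time() if ts is None else ts
        _desc, needed, window, response = DETECTION_POINTS[point]
        q = self._history[(user, point)]
        q.append(ts)
        while ts - q[0] > window:        # sliding window: old events expire
            q.popleft()
        if len(q) < needed:
            return None                  # suspicious, but not yet an attack
        q.clear()                        # threshold met: respond immediately
        self.responses.append((user, point, response))
        self._listener(user, response)
        return response


class DemoApp:
    """Minimal application with an AppSensor detection point embedded."""

    def __init__(self):
        self.brain = AppSensorBrain(self._respond)    # response listener
        self.locked = set()
        self._passwords = {"alice": "correct horse"}  # constructed credential

    def _respond(self, user: str, response: str) -> None:
        # Response listener: the brain's decision is applied inside the app,
        # with no manual effort required.
        if response in ("lock_account", "disable_user"):
            self.locked.add(user)

    def login(self, user: str, password: str, ts: float) -> bool:
        if user in self.locked:
            return False
        if self._passwords.get(user) == password:
            return True
        self.brain.add_event(user, "AE2", ts)   # detection point fires here
        return False
```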
Take aways
• Open Source solutions
• Low cost and low effort
• Think out of the box for development teams
• Techniques used in the industry
• OWASP Google Summer of Code 2013: https://www.owasp.org/index.php/GSoC
Q & A
Backup
About OWASP
• Online since December 1st 2001
• Not-for-profit charitable organization
• OPEN: Everything at OWASP is radically transparent, from our finances to our code.
• INNOVATION: OWASP encourages and supports innovation/experiments for solutions to software security challenges.
• GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
• INTEGRITY: OWASP is an honest and truthful, vendor agnostic, global community.
• https://www.owasp.org/index.php
OWASP Success Story
Application Developers
• New attacks / defense guidelines
• Cheat Sheets
• WebGoat – an emulator designed to teach web application security lessons
Application Testers and Quality Assurance
• Testing guide
• Penetration testing tools
• Application Security Verification Standard Project
OWASP ZAP Proxy/ WebScarab / CSRF Tester
OWASP Testing Framework
4. Web Application Penetration Testing
• 4.2 Information Gathering
• 4.3 Configuration Management Testing
• 4.4 Business Logic Testing
• 4.5 Authentication Testing
• 4.6 Authorization Testing
• 4.7 Session Management Testing
• 4.8 Data Validation Testing
• 4.9 Testing for Denial of Service
• 4.10 Web Services Testing
• 4.11 Ajax Testing
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
Application Project Management and Staff
• Define the process
• SDLC
• Code Review
• Code review tools: http://codecrawler.codeplex.com/Release/ProjectReleases.aspx, http://orizon.sourceforge.net
Business advantages of being associated with OWASP
• The main benefit of becoming an OWASP corporate supporter is to demonstrate the organization's belief that application security is important and that the organization is taking the necessary steps to properly address application security risk in its business
• The organization itself gets security benefits at reduced cost
– Security code review tools are free
– Lots of open & free security testing tools
– Security guidelines & best practices
• Opportunity to display the organization's logo at OWASP events, conferences, & website
• The organization gets listed as a sponsor in the newsletter that goes to over 20,000 individuals around the world on OWASP mailing lists and the LinkedIn group
– If you are looking to expand your business in emerging markets, here is an opportunity to reach out
• When an organization becomes a supporter of a security community, it helps employees, partners, suppliers and customers understand the value & importance of security, and improves application security throughout the whole supply chain
• Membership options: https://www.owasp.org/index.php/Membership
Join Us!
Subscribe to the mailing list: https://www.owasp.org/index.php/Guadalajara
Chapter Leaders: Eduardo Cerna, Manuel Lopez
AppSensor Design
[Diagram components: Demo App, Embedded AppSensor Response, AppSensor “Brain”, App Logs]