Enterprise Security API - OWASP Montreal
DESCRIPTION
OWASP Enterprise Security API (ESAPI) Toolkits help software developers guard against security-related design and implementation flaws. Because it is an API, it can easily be added to applications and services so that they protect themselves from attackers. In this talk, I present the project, its PHP implementation and how to add it to your projects.
TRANSCRIPT
Enterprise Security API (ESAPI)
Saturday, 2011-02-26
I answer questions
The problems
• Input Validation and Output Encoding
• Authentication and Identity
• URL Access Control
• Business Function Access Control
• Data Layer Access Control
• Presentation Layer Access Control
• Errors, Logging, and Intrusion Detection
• Encryption, Hashing, and Randomness
OWASP TOP 10
A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross-Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards
And over 300 other security problem types
Vulnerabilities and Security Controls
• Missing
• Broken
• Ignored
• Misused
Why Is Input Validation Hard?
Take one character: <
Percent (url) Encoding
• %3c
• %3C
HTML Entity Encoding
• (the slides listed several dozen entity spellings of <; the extraction decoded most of them back to the bare character, so only the variants below survive)
• &lT
• &Lt
• &lT;
• ≪
JavaScript Escape
• \<
• \x3c
• \X3c
• \u003c
• \U003c
• \x3C
• \X3C
• \u003C
• \U003C
CSS Escape
• \3c
• \03c
• \003c
• \0003c
• \00003c
• \3C
• \03C
• \003C
• \0003C
• \00003C
UTF-7 vs UTF-8
• +ADw-
• %c0%bc
• %e0%80%bc
• %f0%80%80%bc
• %f8%80%80%80%bc
• %fc%80%80%80%80%bc
1,677,721,600,000,000 ways to encode <script>
The Solutions?
What is Enterprise Security API?
ESAPI Community / Communauté ESAPI
• Mailing List
• Library
• Wiki
• Users
• Developers
• Objective-C
Overview of the Architectural Impact
Enterprise Security API (components)
• Authenticator
• User
• AccessController
• AccessReferenceMap
• Validator
• Encoder
• HTTPUtilities
• Encryptor
• EncryptedProperties
• Randomizer
• Exception Handling
• Logger
• IntrusionDetector
• SecurityConfiguration
Enterprise Security API: AccessController
• isAuthorizedForData()
• isAuthorizedForFile()
• isAuthorizedForFunction()
• isAuthorizedForService()
• isAuthorizedForURL()
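Added example (Python, written for this page; it is not ESAPI's code and not from the slides): the AccessReferenceMap component that the deck pairs with A4 Insecure Direct Object References, sitting next to the AccessController checks above. Each user session keeps a map from direct references (database ids, file names) to random indirect references, and only the indirect value ever reaches the browser. The account ids, the token length and the view/controller helpers are this example's own assumptions.

```python
import secrets


class AccessControlException(Exception):
    """Raised when an indirect reference is unknown to the current user's map."""


class RandomAccessReferenceMap:
    """Per-session map between direct and random indirect references.
    Same idea as ESAPI's AccessReferenceMap; written for this example."""

    def __init__(self, direct_references=()):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}
        for direct in direct_references:
            self.add_direct_reference(direct)

    def add_direct_reference(self, direct):
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        while True:
            indirect = secrets.token_urlsafe(12)   # 96 random bits: not guessable
            if indirect not in self._indirect_to_direct:
                break
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        return self._direct_to_indirect.get(direct)

    def get_direct_reference(self, indirect):
        # Anything not in this user's own map is an unauthorized object,
        # however the client edited the URL.
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise AccessControlException("access to unauthorized object") from None

    def remove_direct_reference(self, direct):
        indirect = self._direct_to_indirect.pop(direct)
        del self._indirect_to_direct[indirect]


def build_account_links(account_map, account_ids):
    """Constructed view code: links carry indirect references, never raw ids."""
    return [f"/account?ref={account_map.get_indirect_reference(i)}" for i in account_ids]


def load_account(account_map, ref, accounts):
    """Constructed controller code: resolve the reference through the user's map."""
    return accounts[account_map.get_direct_reference(ref)]
```

The map is built from the objects the user is allowed to see when the page is rendered, so the authorization decision is taken once, server side, and the controller never compares user-supplied ids against anything.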
Enterprise Security API: Validator
Signature of Validator::getValidInput() as shown on the slide, each argument listed with its type:
<?php echo $ESAPI->validator()->getValidInput(string $context, string $input, string $type, int $maxLength, bool $allowNull, ValidationErrorList $errorList); ?>
Enterprise Security API: Validator
• assertIsValidHttpRequest()
• assertIsValidHttpRequestParameterSet()
• assertIsValidFileUpload()
• getValidDate()
• getValidDouble()
• getValidDirectoryPath()
• getValidFileContent()
• getValidFileName()
interface ValidationRule
abstract BaseValidationRule
CreditCardValidationRule
Enterprise Security API: Validator
• isValidCreditCard()
• isValidDataFromBrowse()
• isValidDirectoryPath()
• isValidFileContent()
• isValidFileName()
• isValidHTTPRequest()
• isValidListItem()
• isValidRedirectLocation()
• isValidSafeHTML()
• isValidPrintable()
• safeReadLine()
interface ValidationRule
abstract BaseValidationRule
CreditCardValidationRule
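Added example (Python, written for this page; not ESAPI's code): it ties the "why input validation is hard" slides to the Validator. canonicalize() undoes every encoding family the deck lists for < (percent, HTML entity, JavaScript, CSS, UTF-7, overlong UTF-8) until the input stops changing, and rejects input that needed two decoders (mixed encoding) or the same decoder twice (double encoding), because genuine data never arrives that way. get_valid_input() is a counterpart of the getValidInput() call on the slide: canonicalize, then enforce a length limit and an allowlist pattern. The validation type names and patterns are this example's own, not ESAPI's configuration entries; the sample inputs are constructed.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# One decoder per encoding family on the slides; a decoder "fires" when its
# output differs from its input.
_JS_ESCAPE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))")
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})\s?")
_UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-")


def _decode_percent(s):
    # Strict UTF-8 rejects the overlong forms (%c0%bc, %e0%80%bc ...) from the slides.
    try:
        return unquote_to_bytes(s).decode("utf-8")
    except UnicodeDecodeError as err:
        raise ValueError("invalid UTF-8 after percent-decoding (overlong?)") from err


def _codepoint(hex_digits):
    value = int(hex_digits, 16)
    return chr(value) if value <= 0x10FFFF else "\ufffd"


def _decode_js(s):
    return _JS_ESCAPE.sub(lambda m: _codepoint(m.group(1) or m.group(2)), s)


def _decode_css(s):
    return _CSS_ESCAPE.sub(lambda m: _codepoint(m.group(1)), s)


def _decode_utf7(s):
    def run(m):
        try:
            return m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return m.group(0)
    return _UTF7_RUN.sub(run, s)


DECODERS = {
    "percent": _decode_percent,
    "html-entity": html.unescape,
    "javascript": _decode_js,
    "css": _decode_css,
    "utf-7": _decode_utf7,
}


def canonicalize(value, strict=True, max_rounds=6):
    """Reduce value to its simplest form; same idea as ESAPI's canonicalize()."""
    fired = {name: 0 for name in DECODERS}
    current = value
    for _ in range(max_rounds):
        changed = False
        for name, decode in DECODERS.items():
            decoded = decode(current)
            if decoded != current:
                fired[name] += 1
                current, changed = decoded, True
        if not changed:
            break
    if strict:
        if any(n > 1 for n in fired.values()):
            raise ValueError("double encoding detected")
        if sum(1 for n in fired.values() if n) > 1:
            raise ValueError("mixed encoding detected")
    return current


# Constructed allowlist patterns (this example's names, not ESAPI's config keys).
VALIDATION_PATTERNS = {
    "SafeString": r"[A-Za-z0-9 .\-_]*",
    "Email": r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}",
    "Digits": r"[0-9]+",
}


def get_valid_input(context, value, type_name, max_length, allow_null, error_list=None):
    """Return the canonical value (None for a permitted empty value). On failure,
    append (context, message) to error_list when given, otherwise raise."""
    try:
        if value is None or value == "":
            if allow_null:
                return None
            raise ValueError("input is required")
        if type_name not in VALIDATION_PATTERNS:
            raise ValueError(f"unknown validation type {type_name!r}")
        canonical = canonicalize(value)
        if len(canonical) > max_length:
            raise ValueError(f"longer than {max_length} characters")
        if not re.fullmatch(VALIDATION_PATTERNS[type_name], canonical):
            raise ValueError(f"does not match the {type_name} pattern")
        return canonical
    except ValueError as err:
        if error_list is None:
            raise ValueError(f"{context}: {err}") from err
        error_list.append((context, str(err)))
        return None
```

The point of validating the canonical form rather than the raw bytes is that an allowlist of "letters, digits, space and a few punctuation marks" is then enough: every one of the deck's spellings of < collapses to the same rejected character, and the huge count of alternative encodings stops mattering.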
Enterprise Security API: Encoder
• encodeForCSS
• encodeForDN
• encodeForHTML
• encodeForHTMLAttribute
• encodeForJavaScript
• encodeForLDAP
• encodeForSQL
• encodeForURL
• encodeForVBScript
• encodeForXML
• encodeForXMLAttribute
• encodeForXPath
<?php echo $ESAPI->encoder()->encodeForHTML($name); ?>
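Added example (Python, written for this page; not ESAPI's encoder): the allowlist approach behind the encodeFor* methods listed above. Alphanumerics plus a short per-context "immune" set pass through; every other character is replaced by the escape that the target context parses as data. The immune sets and the HTML fragment in render_profile() are this example's choices.

```python
import string

_ALNUM = frozenset(string.ascii_letters + string.digits)


def _encode(value, immune, escape):
    """Allowlist encoding: keep alphanumerics and immune characters, escape the rest."""
    return "".join(c if c in _ALNUM or c in immune else escape(c) for c in value)


def encode_for_html(value):
    # Numeric character references are inert in element content.
    return _encode(value, ",.-_ ", lambda c: f"&#x{ord(c):x};")


def encode_for_html_attribute(value):
    # Space is not immune: an unquoted attribute value would end at it.
    return _encode(value, ",.-_", lambda c: f"&#x{ord(c):x};")


def encode_for_javascript(value):
    # \uXXXX escapes over UTF-16 code units: the value can never close the
    # quote or the <script> element, whatever it contains.
    def escape(c):
        units = c.encode("utf-16-be")
        return "".join(f"\\u{int.from_bytes(units[i:i + 2], 'big'):04x}"
                       for i in range(0, len(units), 2))
    return _encode(value, ",._", escape)


def encode_for_css(value):
    # CSS hex escape; the trailing space terminates the escape.
    return _encode(value, "", lambda c: f"\\{ord(c):x} ")


def encode_for_url(value):
    # Percent-encode every UTF-8 byte that is not alphanumeric or unreserved.
    return "".join(
        chr(b) if chr(b) in _ALNUM or chr(b) in "-_.~" else f"%{b:02X}"
        for b in value.encode("utf-8")
    )


def render_profile(name):
    """The same untrusted value in three output contexts (constructed fragment)."""
    return (
        f"<p>Hello {encode_for_html(name)}</p>\n"
        f'<input name="n" value="{encode_for_html_attribute(name)}">\n'
        f"<script>var n = '{encode_for_javascript(name)}';</script>"
    )
```

Denylisting the handful of characters an attacker is known to use is what the 1.6 quadrillion encodings slide argues against; encoding everything outside a small allowlist needs no knowledge of the attack at all, only of the output context.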
Enterprise Security API: HTTPUtilities
• Add Safe Header
• No Cache Headers
• Set Content Type
• Add Safe Cookie
• Kill Cookie
• Change SessionID
• CSRF Tokens
• isSecureChannel
• Safe Request Logging
• Safe File Uploads
• sendSafeForward
• sendSafeRedirect
• Encrypt State in Cookie
• Hidden Field Encryption
• Querystring Encryption
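Added example (Python, written for this page; not ESAPI's HTTPUtilities): four of the items above in working form: a per-session CSRF token added to links and checked in constant time, a redirect allowlist behind sendSafeRedirect, no-cache headers, and a safe cookie that refuses header-injection characters. The Session class, the trusted host list and the ctoken parameter name are this example's assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application may redirect to.
TRUSTED_REDIRECT_HOSTS = frozenset({"www.example.com"})


class Session:
    """Constructed stand-in for the server-side session store."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def add_csrf_token(session, href):
    """Append the session's token to an application URL."""
    separator = "&" if "?" in href else "?"
    return f"{href}{separator}ctoken={session.csrf_token}"


def verify_csrf_token(session, submitted):
    """Constant-time comparison; a missing token is a failure, not an exception."""
    return submitted is not None and hmac.compare_digest(session.csrf_token, submitted)


def is_valid_redirect_location(location):
    """Accept only site-relative paths or https URLs on trusted hosts. Scheme-relative
    (//host), backslash tricks, userinfo tricks and javascript: targets all fail."""
    if "\\" in location:
        return False
    parts = urlsplit(location)
    if parts.scheme == "" and parts.netloc == "":
        return location.startswith("/") and not location.startswith("//")
    return parts.scheme == "https" and parts.netloc in TRUSTED_REDIRECT_HOSTS


def send_safe_redirect(location):
    if not is_valid_redirect_location(location):
        raise ValueError("redirect target not on the allowlist")
    return {"status": 302, "headers": {"Location": location}}


def no_cache_headers():
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def safe_cookie(name, value, max_age=None):
    """Set-Cookie value with Secure, HttpOnly and SameSite; CR, LF and ';' are
    rejected so a value cannot smuggle extra headers or attributes."""
    for field in (name, value):
        if any(ch in field for ch in "\r\n;"):
            raise ValueError("illegal character in cookie")
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Strict"]
    if max_age is not None:
        attrs.append(f"Max-Age={int(max_age)}")
    return "; ".join(attrs)


def kill_cookie(name):
    """Expire a cookie immediately, e.g. on logout."""
    return f"{name}=deleted; Path=/; Max-Age=0; Secure; HttpOnly"
```

The redirect check compares the full netloc (userinfo and port included) against an exact allowlist rather than using "starts with" or "contains" on the string, which is where most open-redirect bypasses come from.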
Enterprise Security API: Encryptor
<?php $encrypted = $ESAPI->encryptor()->encrypt($text); ?>
• Integrity Seals
• Strong GUID
• Random Tokens
• Encryption
• Digital Signatures
• Salted Hash
• Safe Config Details
• Timestamp
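Added example (Python, written for this page; not ESAPI's Encryptor): the "Integrity Seals" and "Timestamp" items above, which are what the HTTPUtilities slide's "Encrypt State in Cookie" and "Hidden Field Encryption" rely on when the data does not need to be secret, only unmodified and fresh. The key is a constructed constant for the example; a deployment would load it from protected configuration.

```python
import base64
import hashlib
import hmac
import time

# Constructed key for the example only.
SEAL_KEY = b"example-only-seal-key-0123456789abcdef"
_MAC_LEN = hashlib.sha256().digest_size


class IntegrityException(Exception):
    """Seal was forged, modified, malformed or has expired."""


def seal(data, ttl_seconds, now=None):
    """Attach an expiry timestamp and an HMAC-SHA256 over timestamp + data, then
    base64 the result for use in a cookie, hidden field or query string."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{expires}:{data}".encode("utf-8")
    mac = hmac.new(SEAL_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii")


def verify_seal(sealed, now=None):
    """Return the sealed data or raise IntegrityException. The MAC is checked
    before the timestamp is parsed: nothing is trusted until it is authentic."""
    try:
        raw = base64.urlsafe_b64decode(sealed.encode("ascii"))
    except (ValueError, UnicodeEncodeError) as err:
        raise IntegrityException("malformed seal") from err
    if len(raw) <= _MAC_LEN:
        raise IntegrityException("malformed seal")
    payload, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
    expected = hmac.new(SEAL_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise IntegrityException("seal does not verify")
    expires_text, _, data = payload.decode("utf-8").partition(":")
    if int(expires_text) <= (time.time() if now is None else now):
        raise IntegrityException("seal has expired")
    return data


def tampered_copy(sealed):
    """Flip one bit in the data part of a seal (demonstration helper only)."""
    raw = bytearray(base64.urlsafe_b64decode(sealed.encode("ascii")))
    raw[-_MAC_LEN - 1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")
```

A seal makes state round-tripped through the client tamper-evident; it does not hide it. When the state must also be confidential, the Encryptor's encrypt() from the slide is the right call, and the same timestamp-plus-MAC discipline still applies to what it produces.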
Enterprise Security API: Exception Handling
• AccessControlException
• AuthenticationException
• AvailabilityException
• EncodingException
• EncryptionException
• ExecutorException
• IntegrityException
• IntrusionException
• ValidationException
Enterprise Security API: IntrusionDetector
• Configurable Thresholds
• Responses
• Log Intrusion
• Logout User
• Disable Account
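Added example (Python, written for this page; not ESAPI's IntrusionDetector): configurable thresholds and the three responses listed above, fed by the exception classes from the preceding slide. A threshold is "count" events of one kind from one user inside "interval" seconds; the threshold values, the sliding-window reset and the event-name-equals-exception-class convention are this example's assumptions.

```python
import time
from collections import defaultdict, deque


class ValidationException(Exception):
    pass


class AuthenticationException(Exception):
    pass


# Constructed thresholds: count / interval (seconds) / responses per event kind.
THRESHOLDS = {
    "ValidationException": {"count": 3, "interval": 60, "actions": ["log"]},
    "AuthenticationException": {"count": 5, "interval": 300,
                                "actions": ["log", "logout", "disable"]},
}


class IntrusionDetector:
    def __init__(self, thresholds=None):
        self.thresholds = THRESHOLDS if thresholds is None else thresholds
        self._events = defaultdict(deque)   # (user, event name) -> timestamps
        self.security_log = []              # what "log" writes
        self.logged_out = set()             # what "logout" does
        self.disabled = set()               # what "disable" does

    def add_event(self, user, event_name, now=None):
        """Record one security event for user; return the responses taken."""
        now = time.time() if now is None else now
        rule = self.thresholds.get(event_name)
        if rule is None:
            return []
        window = self._events[(user, event_name)]
        window.append(now)
        while window and now - window[0] > rule["interval"]:
            window.popleft()                # forget events older than the interval
        if len(window) < rule["count"]:
            return []
        window.clear()                      # count afresh after responding
        for action in rule["actions"]:
            self._respond(action, user, event_name)
        return list(rule["actions"])

    def _respond(self, action, user, event_name):
        if action == "log":
            self.security_log.append(f"INTRUSION user={user} event={event_name}")
        elif action == "logout":
            self.logged_out.add(user)
        elif action == "disable":
            self.disabled.add(user)

    def is_disabled(self, user):
        return user in self.disabled


def report_exception(detector, user, exc, now=None):
    """Hook for the catch blocks: the exception class name is the event name."""
    return detector.add_event(user, type(exc).__name__, now)
```

Thresholds are tuned per event: a few validation failures are noise worth logging, while repeated authentication failures justify ending the session and disabling the account so that guessing stops at the application layer.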
OWASP TOP 10 and the ESAPI component that addresses each item
A1: Injection - Encoder
A2: Cross Site Scripting (XSS) - Encoder, Validator
A3: Broken Authentication and Session Management - Authenticator, User, HTTPUtilities
A4: Insecure Direct Object Reference - AccessReferenceMap, AccessController
A5: Cross Site Request Forgery (CSRF) - User (CSRF Token)
A6: Security Misconfiguration - SecurityConfiguration
A7: Insecure Cryptographic Storage - Encryptor
A8: Failure to Restrict URL Access - AccessController
A9: Insufficient Transport Layer Protection - HTTPUtilities (Secure Cookie, Channel)
A10: Unvalidated Redirects and Forwards - AccessController
ESAPI implementations matrix (table layout lost in extraction). Rows: Authentication, Identity, Access Control, Input Validation, Output Escaping, Canonicalization, Encryption, Random Numbers, Exception Handling, Logging, Intrusion Detection, Security Configuration. Columns: one per ESAPI implementation (Objective-C and WAF among them), each cell giving the version, 1.4 or 2.0, in which that control is available.
Adopters
Additional Resources
• OWASP Home Page: http://www.owasp.org
• ESAPI Project Page: http://www.esapi.org
• ESAPI-Users Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-users
• ESAPI-Dev Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-dev
Questions?
• http://www.ph-il.ca
• @SecureSymfony
• http://www.ph-il.ca/en/conferences
• http://www.ph-il.ca/fr/conferences