OWASP Enterprise Security API
![Page 1: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/1.jpg)
Enterprise Security API (ESAPI)
Thursday, 2011-03-10
![Page 2: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/2.jpg)
![Page 3: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/3.jpg)
OWASP: The Open Web Application Security Project
![Page 4: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/4.jpg)
![Page 5: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/5.jpg)
I answer questions
![Page 6: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/6.jpg)
The problems
![Page 7: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/7.jpg)
The problems
• Input Validation and Output Encoding
• Authentication and Identity
• URL Access Control
• Business Function Access Control
• Data Layer Access Control
![Page 8: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/8.jpg)
The problems
• Presentation Layer Access Control
• Errors, Logging, and Intrusion Detection
• Encryption, Hashing, and Randomness
![Page 9: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/9.jpg)
OWASP Top 10
A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross-Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards
![Page 10: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/10.jpg)
And over 300 other types of security problems
![Page 11: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/11.jpg)
Vulnerabilities and Security Controls
A vulnerability is a security control that is missing, broken, ignored or misused.
![Page 12: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/12.jpg)
Why Is Input Validation Hard?
![Page 13: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/13.jpg)
<
![Page 14: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/14.jpg)
Percent (URL) Encoding
• %3c
• %3C
![Page 15: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/15.jpg)
HTML Entity Encoding
[Slides 15 to 20 list dozens of HTML entity spellings of the single character <. The extraction decoded almost all of them to a bare <; the entries that survived on slide 20 (&lT, &Lt, &lT; and ≪, which is what &Lt; actually decodes to) show the pattern being illustrated: the named entity &lt; and the numeric forms &#60; and &#x3c;, each with upper/lower-case variants, an optional trailing semicolon, and leading zeros.]
![Page 21: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/21.jpg)
JavaScript Escape
• \<
• \x3c
• \X3c
• \u003c
• \U003c
• \x3C
• \X3C
• \u003C
• \U003C
![Page 22: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/22.jpg)
CSS Escape
• \3c
• \03c
• \003c
• \0003c
• \00003c
• \3C
• \03C
• \003C
• \0003C
• \00003C
![Page 23: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/23.jpg)
UTF-7 vs UTF-8
• +ADw-
• %c0%bc
• %e0%80%bc
• %f0%80%80%bc
• %f8%80%80%80%bc
• %fc%80%80%80%80%bc
![Page 24: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/24.jpg)
1,677,721,600,000,000 ways to encode <script>
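The following is an added example, written for this page in Python; it is not code from the talk or from ESAPI. It shows the approach behind ESAPI's Encoder.canonicalize(): every spelling of < from slides 14 to 24 (percent, HTML entity, JavaScript, CSS, UTF-7, overlong UTF-8) is reduced to the bare character before any validation happens, and input that was encoded twice or in two schemes at once is rejected rather than repaired. All class and function names are the example's own; the overlong 5- and 6-byte UTF-8 forms from slide 23 are accepted by the decoder purely so that they can be detected.

```python
import html
import re
import urllib.parse


class IntrusionError(Exception):
    """Input was encoded more than once or in several schemes at once.
    No legitimate client does that, so it is reported, not repaired
    (ESAPI's canonicalize() throws IntrusionException in the same case)."""


# Smallest code point each UTF-8 sequence length may legitimately carry.
_UTF8_MIN = {2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}


def _lenient_utf8(data):
    """Decode UTF-8 while also accepting overlong (non-shortest-form) sequences
    such as %c0%bc for '<'.  A strict decoder rejects them, so a filter that
    looks for '<' before decoding never sees one.  Returns (text, overlong_seen)."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if b & 0xE0 == 0xC0:
            n, cp = 2, b & 0x1F
        elif b & 0xF0 == 0xE0:
            n, cp = 3, b & 0x0F
        elif b & 0xF8 == 0xF0:
            n, cp = 4, b & 0x07
        elif b & 0xFC == 0xF8:
            n, cp = 5, b & 0x03
        elif b & 0xFE == 0xFC:
            n, cp = 6, b & 0x01
        else:                                  # stray continuation byte, 0xFE or 0xFF
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + n]
        if len(tail) != n - 1 or any(c & 0xC0 != 0x80 for c in tail):
            out.append("\ufffd")
            i += 1
            continue
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        if cp < _UTF8_MIN[n]:
            overlong = True
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out), overlong


# Each codec returns (decoded_text, changed, note).
def _percent(s):
    if "%" not in s:
        return s, False, None
    text, overlong = _lenient_utf8(urllib.parse.unquote_to_bytes(s))
    return text, text != s, "overlong" if overlong else None


def _html_entity(s):
    text = html.unescape(s)          # &lt; &LT; &#60; &#0000060; &#x3c; &#X3C; ...
    return text, text != s, None


# \xHH, \uHHHH and \<punctuation>; the slide's upper-case \X and \U spellings are accepted too.
_JS = re.compile(r"\\(?:[xX]([0-9a-fA-F]{2})|[uU]([0-9a-fA-F]{4})|([^0-9a-zA-Z]))")


def _javascript(s):
    def repl(m):
        digits = m.group(1) or m.group(2)
        return chr(int(digits, 16)) if digits else m.group(3)
    text = _JS.sub(repl, s)
    return text, text != s, None


# CSS: backslash, 1 to 6 hex digits, optional terminating whitespace
# (which is why \3c, \03c, ... \00003c all mean the same thing).
_CSS = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?")


def _css(s):
    def repl(m):
        cp = int(m.group(1), 16)
        return chr(cp) if cp <= 0x10FFFF else "\ufffd"
    text = _CSS.sub(repl, s)
    return text, text != s, None


_UTF7 = re.compile(r"\+([A-Za-z0-9+/]*)-")     # +ADw- is '<' in UTF-7


def _utf7(s):
    def repl(m):
        try:
            return m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return m.group(0)
    text = _UTF7.sub(repl, s)
    return text, text != s, None


CODECS = (("percent", _percent), ("html", _html_entity), ("javascript", _javascript),
          ("css", _css), ("utf7", _utf7))


def canonicalize(value, strict=True, max_passes=8):
    """Decode with every codec, repeatedly, until nothing changes.  In strict
    mode refuse input that needed more than one decoding step (double
    encoding, e.g. %253c), more than one codec (mixed encoding, e.g. %26lt%3b),
    or an overlong UTF-8 sequence: those appear only in attacks."""
    current, used, overlong = value, [], False
    for _ in range(max_passes):
        progressed = False
        for name, decode in CODECS:
            decoded, changed, note = decode(current)
            if changed:
                current, progressed = decoded, True
                used.append(name)
                overlong = overlong or note == "overlong"
        if not progressed:
            break
    else:
        raise IntrusionError("input did not converge after %d passes" % max_passes)
    if strict and (len(used) > 1 or overlong):
        raise IntrusionError("multiple or mixed encoding: %s" % ", ".join(used))
    return current
```

Run the validator on the return value of canonicalize(), never on the raw request parameter; the strict mode is the right default for web input, and non-strict decoding is useful only for logging what an attacker sent.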
![Page 25: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/25.jpg)
The Solutions?
![Page 26: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/26.jpg)
What is Enterprise Security API?
![Page 27: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/27.jpg)
ESAPI Community
• Mailing List
• Library
• Wiki
• Users
• Developers
• Objective-C
![Page 28: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/28.jpg)
![Page 29: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/29.jpg)
![Page 30: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/30.jpg)
Overview of the Architectural Impact
![Page 31: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/31.jpg)
Enterprise Security API
[Architecture diagram: the ESAPI component interfaces, which the following slides walk through one by one: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration]
![Page 32: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/32.jpg)
Enterprise Security API
[Architecture diagram repeated]
AccessController methods: isAuthorizedForData(), isAuthorizedForFile(), isAuthorizedForFunction(), isAuthorizedForService(), isAuthorizedForURL()
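Added example in Python, not the presentation's or ESAPI's own code, of two of the AccessController questions on this slide, isAuthorizedForFunction() and isAuthorizedForData(), combined with the AccessReferenceMap that the Top 10 mapping later pairs with them against A4. The sample documents, the role policy, the user names and the handler names are constructed for the example; the point demonstrated is that the browser only ever sees random per-session indirect references, and that a data-layer ownership check still runs even when the reference resolves.

```python
import secrets


class AccessControlException(Exception):
    """The caller is not allowed to do this.  The handler should log it and
    return a generic error, not a hint about what exists."""


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)


class AccessReferenceMap:
    """Per-session map between direct references (database ids, file names)
    and random indirect references handed to the browser.  A request can only
    name objects that were put into the requester's own map; direct
    references never appear in HTML or URLs."""

    def __init__(self):
        self._to_indirect = {}
        self._to_direct = {}

    def add_direct_reference(self, direct):
        if direct not in self._to_indirect:
            indirect = secrets.token_urlsafe(9)        # unguessable, unique per map
            while indirect in self._to_direct:
                indirect = secrets.token_urlsafe(9)
            self._to_indirect[direct] = indirect
            self._to_direct[indirect] = direct
        return self._to_indirect[direct]

    def get_indirect_reference(self, direct):
        return self._to_indirect.get(direct)

    def get_direct_reference(self, indirect):
        if indirect not in self._to_direct:
            raise AccessControlException("unknown reference")
        return self._to_direct[indirect]


class AccessController:
    """Business-function and data-layer checks, with the policy in one place."""

    def __init__(self, function_roles):
        self._function_roles = function_roles       # function name -> roles allowed

    def is_authorized_for_function(self, user, function):
        return bool(user.roles & self._function_roles.get(function, set()))

    def assert_authorized_for_function(self, user, function):
        if not self.is_authorized_for_function(user, function):
            raise AccessControlException(f"{user.name} may not call {function}")

    def assert_authorized_for_data(self, user, record):
        # Ownership is checked on the record itself, independent of how it was named.
        if record["owner"] != user.name and "admin" not in user.roles:
            raise AccessControlException(f"{user.name} may not read {record['id']}")


# Constructed sample data and policy for this example.
DOCUMENTS = {
    "doc-101": {"id": "doc-101", "owner": "alice", "title": "Notes", "body": "alice's notes"},
    "doc-102": {"id": "doc-102", "owner": "bob", "title": "Payroll", "body": "bob's payroll"},
}
POLICY = {"viewDocument": {"user", "admin"}, "deleteDocument": {"admin"}}


def list_documents(user, refmap):
    """Build the user's document list: indirect reference -> title, nothing else."""
    return {refmap.add_direct_reference(d["id"]): d["title"]
            for d in DOCUMENTS.values() if d["owner"] == user.name}


def view_document(ac, user, refmap, indirect):
    """Handler for a request naming a document by indirect reference:
    function check, reference lookup, then the data check, so a leaked or
    guessed identifier still fails."""
    ac.assert_authorized_for_function(user, "viewDocument")
    direct = refmap.get_direct_reference(indirect)
    record = DOCUMENTS[direct]
    ac.assert_authorized_for_data(user, record)
    return record["body"]
```

The map lives in the session; a reference copied from another user's page is meaningless in this one, and a direct id such as doc-102 sent straight in the request never reaches the data layer.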
![Page 33: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/33.jpg)
Enterprise Security API
[Architecture diagram repeated]
![Page 34: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/34.jpg)
Enterprise Security API
[Architecture diagram repeated]
Validator: the getValidInput() signature as shown on the slide (PHP ESAPI)

```php
<?php
echo $ESAPI->validator()->getValidInput(
    String $context,                // where the input is used; reported in errors and logs
    String $input,                  // the untrusted value
    String $type,                   // name of the whitelist rule to apply
    int $maxLength,
    boolean $allowNull,
    ValidationErrorList $errorList  // collects errors instead of throwing
);
?>
```
![Page 35: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/35.jpg)
Enterprise Security API
[Architecture diagram repeated]
Validator methods: assertIsValidHttpRequest(), assertIsValidHttpRequestParameterSet(), assertIsValidFileUpload(), getValidDate(), getValidDouble(), getValidDirectoryPath(), getValidFileContent(), getValidFileName()
Rule hierarchy: interface ValidationRule, abstract BaseValidationRule, CreditCardValidationRule
![Page 36: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/36.jpg)
Enterprise Security API
[Architecture diagram repeated]
Validator methods: isValidCreditCard(), isValidDataFromBrowser(), isValidDirectoryPath(), isValidFileContent(), isValidFileName(), isValidHTTPRequest(), isValidListItem(), isValidRedirectLocation(), isValidSafeHTML(), isValidPrintable(), safeReadLine()
Rule hierarchy: interface ValidationRule, abstract BaseValidationRule, CreditCardValidationRule
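An added example in Python, not code from the talk or from ESAPI, of the validator structure the last three slides outline: a ValidationRule interface, a BaseValidationRule that handles allowNull, a whitelist string rule behind getValidInput(context, input, type, maxLength, allowNull, errorList), and a CreditCardValidationRule with a Luhn check. The named type patterns, messages and all identifiers are the example's own, and the input is assumed to have been canonicalized already.

```python
import re
from abc import ABC, abstractmethod


class ValidationError(Exception):
    """A field failed validation.  user_message is safe to show; log_message
    may carry the rejected value and goes to the log only."""

    def __init__(self, context, user_message, log_message):
        super().__init__(user_message)
        self.context, self.user_message, self.log_message = context, user_message, log_message


class ValidationErrorList:
    """One error per field, so a form can report them all at once."""

    def __init__(self):
        self._errors = {}

    def add(self, error):
        self._errors[error.context] = error

    def errors(self):
        return list(self._errors.values())

    def is_empty(self):
        return not self._errors


class ValidationRule(ABC):
    """The interface: get_valid() returns the accepted value or raises."""

    @abstractmethod
    def get_valid(self, context, value):
        ...

    def is_valid(self, context, value):
        try:
            self.get_valid(context, value)
            return True
        except ValidationError:
            return False


class BaseValidationRule(ValidationRule):
    """Shared null handling: empty input is accepted only when allow_null is set."""

    def __init__(self, type_name, allow_null=False):
        self.type_name, self.allow_null = type_name, allow_null

    def is_empty(self, context, value):
        if value is None or value == "":
            if self.allow_null:
                return True
            raise ValidationError(context, f"{context}: a value is required",
                                  f"{context}: empty input where {self.type_name} required")
        return False


class StringValidationRule(BaseValidationRule):
    """Whitelist: a maximum length and a regex the whole value must match."""

    def __init__(self, type_name, pattern, max_length, allow_null=False):
        super().__init__(type_name, allow_null)
        self.pattern, self.max_length = re.compile(pattern), max_length

    def get_valid(self, context, value):
        if self.is_empty(context, value):
            return None
        if len(value) > self.max_length:
            raise ValidationError(context, f"{context}: too long (max {self.max_length})",
                                  f"{context}: {len(value)} chars exceeds {self.max_length}")
        if not self.pattern.fullmatch(value):
            raise ValidationError(context, f"{context}: invalid {self.type_name}",
                                  f"{context}: {value!r} does not match {self.type_name}")
        return value


class CreditCardValidationRule(BaseValidationRule):
    """13 to 19 digits (spaces and dashes tolerated) that pass the Luhn check."""

    def __init__(self, allow_null=False):
        super().__init__("CreditCard", allow_null)

    def get_valid(self, context, value):
        if self.is_empty(context, value):
            return None
        digits = re.sub(r"[ -]", "", value)
        if not re.fullmatch(r"[0-9]{13,19}", digits) or not self.luhn(digits):
            raise ValidationError(context, f"{context}: invalid card number",
                                  f"{context}: failed format or Luhn check")
        return digits

    @staticmethod
    def luhn(digits):
        total = 0
        for i, ch in enumerate(reversed(digits)):
            d = int(ch)
            total += d * 2 - 9 if i % 2 == 1 and d > 4 else d * 2 if i % 2 == 1 else d
        return total % 10 == 0


# Named types; these patterns are this example's own, not ESAPI's.
VALIDATION_PATTERNS = {
    "SafeString": r"[A-Za-z0-9 .,_-]*",
    "Email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "AccountNumber": r"[0-9]{8}",
}


class Validator:
    def get_valid_input(self, context, value, type_name, max_length, allow_null, error_list=None):
        """Return the validated value or raise; with an error_list, record the
        error there and return None instead, as getValidInput(..., errorList) does."""
        rule = StringValidationRule(type_name, VALIDATION_PATTERNS[type_name], max_length, allow_null)
        try:
            return rule.get_valid(context, value)
        except ValidationError as err:
            if error_list is None:
                raise
            error_list.add(err)
            return None

    def is_valid_input(self, context, value, type_name, max_length, allow_null):
        return StringValidationRule(type_name, VALIDATION_PATTERNS[type_name],
                                    max_length, allow_null).is_valid(context, value)

    def get_valid_credit_card(self, context, value, allow_null=False):
        return CreditCardValidationRule(allow_null).get_valid(context, value)

    def is_valid_credit_card(self, context, value, allow_null=False):
        return CreditCardValidationRule(allow_null).is_valid(context, value)
```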
![Page 37: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/37.jpg)
Enterprise Security API
[Architecture diagram repeated]
Encoder methods: encodeForCSS, encodeForDN, encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, encodeForLDAP, encodeForSQL, encodeForURL, encodeForVBScript, encodeForXML, encodeForXMLAttribute, encodeForXPath

```php
<?php echo $ESAPI->encoder()->encodeForHTML($name); ?>
```
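Added example in Python, not ESAPI's code, of what the list of encodeFor* methods above is for: the same untrusted string has to be encoded differently for an HTML body, an HTML attribute, a JavaScript string, a CSS value and a URL parameter, and nested contexts need nested encoding. The immune character sets follow the ones ESAPI's codecs use; the function names, safe_link() and its inverse decode_link_query() are this example's own.

```python
import html
import re
import urllib.parse

# Besides ASCII letters and digits, each context leaves these characters alone.
_IMMUNE = {"html": set(",.-_ "), "attr": set(",.-_"), "js": set(",._")}
_HTML_NAMED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}


def _safe(ch, context):
    return (ch.isascii() and ch.isalnum()) or ch in _IMMUNE[context]


def encode_for_html(s):
    """Text between tags."""
    return "".join(ch if _safe(ch, "html") else _HTML_NAMED.get(ch, f"&#x{ord(ch):x};")
                   for ch in s)


def encode_for_html_attribute(s):
    """Inside a quoted attribute value.  Space is not immune here because an
    unquoted attribute ends at the first space."""
    return "".join(ch if _safe(ch, "attr") else _HTML_NAMED.get(ch, f"&#x{ord(ch):x};")
                   for ch in s)


def encode_for_javascript(s):
    """Inside a JavaScript string literal: \\xHH, or \\uHHHH above 0xFF."""
    return "".join(ch if _safe(ch, "js")
                   else f"\\x{ord(ch):02X}" if ord(ch) < 0x100 else f"\\u{ord(ch):04X}"
                   for ch in s)


def encode_for_css(s):
    """Inside a CSS string or property value: \\HH plus a space, the terminator
    that keeps the escape unambiguous whatever hex digit follows it."""
    return "".join(ch if ch.isascii() and ch.isalnum() else f"\\{ord(ch):x} " for ch in s)


def encode_for_url(s):
    """One query-string name or value (form encoding: space becomes '+')."""
    return urllib.parse.quote_plus(s, safe="")


def safe_link(path, params, label):
    """Nested contexts, encoded inside out: each parameter is URL-encoded into
    the href, the whole href is attribute-encoded, the label is HTML-encoded."""
    query = "&".join(f"{encode_for_url(k)}={encode_for_url(v)}" for k, v in params.items())
    return (f'<a href="{encode_for_html_attribute(path + "?" + query)}">'
            f"{encode_for_html(label)}</a>")


def decode_link_query(link):
    """What a browser does with safe_link()'s output, one layer at a time:
    HTML-decode the attribute once, then URL-decode the query once."""
    href = html.unescape(re.search(r'href="([^"]*)"', link).group(1))
    query = urllib.parse.urlsplit(href).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}
```

Encoding is not a substitute for validation of the value's meaning: a URL placed in an href must additionally have its scheme checked, since encoding javascript: for an attribute context does not stop it from being a javascript: URL.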
![Page 38: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/38.jpg)
Enterprise Security API
[Architecture diagram repeated]
HTTPUtilities:
• Add Safe Header
• No Cache Headers
• Set Content Type
• Add Safe Cookie
• Kill Cookie
• Change Session ID
• CSRF Tokens
• isSecureChannel
• Safe Request Logging
• Safe File Uploads
• sendSafeForward
• sendSafeRedirect
• Encrypt State in Cookie
• Hidden Field Encryption
• Querystring Encryption
![Page 39: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/39.jpg)
Enterprise Security API
[Architecture diagram repeated]
Encryptor:
• Integrity Seals
• Strong GUID
• Random Tokens
• Encryption
• Digital Signatures
• Salted Hash
• Safe Config Details
• Timestamp

```php
<?php $encrypted = $ESAPI->encryptor()->encrypt($text); ?>
```
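Added example in Python, not ESAPI's Encryptor, of two items on the slide: an integrity seal (data plus an expiry timestamp bound to an HMAC under a server key, which is how state can be carried in a cookie, hidden field or query string without the client being able to alter it) and a salted, iterated password hash. PBKDF2-HMAC-SHA256 is used for the hash; nothing is assumed about ESAPI's own hash() parameters. The key, the sealed data and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time


class IntegrityError(Exception):
    """Seal is malformed, forged, or expired."""


def seal(data, expire_in_seconds, key, now=None):
    """Bind data and an expiry to an HMAC-SHA256 tag under key.  Anyone can
    read the contents (this is integrity, not confidentiality); nobody without
    the key can alter them or extend the lifetime."""
    expires_at = int(now if now is not None else time.time()) + expire_in_seconds
    body = base64.urlsafe_b64encode(f"{expires_at}:{data}".encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_seal(sealed, key, now=None):
    """Return the original data or raise IntegrityError.  The tag is checked
    with a constant-time compare before anything in the body is trusted."""
    try:
        body, tag = sealed.rsplit(".", 1)
    except ValueError:
        raise IntegrityError("malformed seal") from None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("seal does not match")
    expires_at, data = base64.urlsafe_b64decode(body).decode().split(":", 1)
    if int(now if now is not None else time.time()) > int(expires_at):
        raise IntegrityError("seal expired")
    return data


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash for stored credentials, stored together with its
    parameters as iterations$salt$digest so they can be raised later."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

A seal is the right tool for a CSRF token or a "remember which record this form edits" field; it is not encryption, so anything secret still has to be encrypted as well as sealed.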
![Page 40: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/40.jpg)
Enterprise Security API
[Architecture diagram repeated]
![Page 41: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/41.jpg)
Enterprise Security API
[Architecture diagram repeated]
![Page 42: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/42.jpg)
Enterprise Security API
[Architecture diagram repeated]
Exception handling:
• AccessControlException
• AuthenticationException
• AvailabilityException
• EncodingException
• EncryptionException
• ExecutorException
• IntegrityException
• IntrusionException
• ValidationException
![Page 43: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/43.jpg)
Enterprise Security API
[Architecture diagram repeated]
![Page 44: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/44.jpg)
Enterprise Security API
[Architecture diagram repeated]
IntrusionDetector:
• Configurable Thresholds
• Responses: Log Intrusion, Logout User, Disable Account
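Added example in Python, not ESAPI's IntrusionDetector, of the bullets above: a threshold of count events within interval seconds per event type and user, and the three responses log, logout and disable. thresholds_from_properties() reads keys in the shape ESAPI.properties uses for this (IntrusionDetector.event.<name>.count, .interval and .actions); the configuration text, the user names and the method names are constructed for the example, and the clock is injectable so the window logic can be exercised without waiting.

```python
import time
from collections import defaultdict, deque


class IntrusionDetector:
    """Counts security events per user; when `count` events of one type arrive
    within `interval` seconds, runs that event's actions."""

    def __init__(self, thresholds, clock=time.time):
        self.thresholds = thresholds        # event -> (count, interval_seconds, [actions])
        self._clock = clock
        self._events = defaultdict(deque)   # (user, event) -> timestamps inside the window
        self.log = []                       # stand-in for the Logger
        self.logged_out = set()
        self.disabled = set()

    def add_event(self, user, event):
        """Record one event; return the actions taken (empty while under threshold)."""
        if event not in self.thresholds:
            return []
        count, interval, actions = self.thresholds[event]
        window = self._events[(user, event)]
        now = self._clock()
        window.append(now)
        while window and window[0] <= now - interval:   # forget events outside the window
            window.popleft()
        if len(window) < count:
            return []
        window.clear()                                   # start over after responding
        for action in actions:
            self._respond(action, user, event)
        return list(actions)

    def add_exception(self, user, exc):
        """ESAPI treats its own exception classes as events keyed by class name."""
        return self.add_event(user, type(exc).__name__)

    def is_disabled(self, user):
        return user in self.disabled

    def _respond(self, action, user, event):
        if action == "log":
            self.log.append(f"INTRUSION user={user} event={event} threshold exceeded")
        elif action == "logout":
            self.logged_out.add(user)
        elif action == "disable":
            self.disabled.add(user)
        else:
            raise ValueError(f"unknown action {action}")


def thresholds_from_properties(text):
    """Parse IntrusionDetector.event.<name>.count / .interval / .actions lines."""
    prefix = "IntrusionDetector.event."
    raw = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(prefix):
            continue
        name, field = key[len(prefix):].rsplit(".", 1)
        raw[name][field] = value
    return {name: (int(f["count"]), int(f["interval"]), f["actions"].split(","))
            for name, f in raw.items()}


# Constructed configuration for this example.
SAMPLE_CONFIG = """
# three validation failures within a minute: log it and end the session
IntrusionDetector.event.ValidationException.count=3
IntrusionDetector.event.ValidationException.interval=60
IntrusionDetector.event.ValidationException.actions=log,logout
# five failed logins within five minutes: log it and lock the account
IntrusionDetector.event.AuthenticationException.count=5
IntrusionDetector.event.AuthenticationException.interval=300
IntrusionDetector.event.AuthenticationException.actions=log,disable
"""
```

Thresholds belong in configuration rather than code so that an operator can tighten them during an incident; the window is per user and per event type, so a slow trickle of single failures from many accounts never trips it, which is why the log action matters as much as the others.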
![Page 45: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/45.jpg)
Enterprise Security API
[Architecture diagram repeated]
![Page 46: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/46.jpg)
OWASP Top 10 and ESAPI

| OWASP Top 10 (2010) | ESAPI component |
| --- | --- |
| A1: Injection | Encoder |
| A2: Cross Site Scripting (XSS) | Encoder, Validator |
| A3: Broken Authentication and Session Management | Authenticator, User, HTTPUtilities |
| A4: Insecure Direct Object Reference | AccessReferenceMap, AccessController |
| A5: Cross Site Request Forgery (CSRF) | User (CSRF Token) |
| A6: Security Misconfiguration | SecurityConfiguration |
| A7: Insecure Cryptographic Storage | Encryptor |
| A8: Failure to Restrict URL Access | AccessController |
| A9: Insufficient Transport Layer Protection | HTTPUtilities (Secure Cookie, Channel) |
| A10: Unvalidated Redirects and Forwards | AccessController |
![Page 47: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/47.jpg)
[Table: ESAPI feature matrix by language implementation. Rows: Authentication, Identity, Access Control, Input Validation, Output Escaping, Canonicalization, Encryption, Random Numbers, Exception Handling, Logging, Intrusion Detection, Security Configuration, WAF. Each cell gives the version of that implementation providing the feature (2.0 or 1.4). Of the column headers, only Objective-C survived extraction.]
![Page 48: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/48.jpg)
Adopters
![Page 49: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/49.jpg)
Additional Resources
• OWASP Home Page: http://www.owasp.org
• ESAPI Project Page: http://www.esapi.org
• ESAPI-Users Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-users
• ESAPI-Dev Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-dev
![Page 50: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/50.jpg)
Questions ?
• http://www.ph-il.ca
• @SecureSymfony
• http://www.ph-il.ca/en/conferences
• http://www.ph-il.ca/fr/conferences
![Page 51: OWASP Enterprise Security API](https://reader035.vdocuments.mx/reader035/viewer/2022081716/54708d50b4af9f980a8b4791/html5/thumbnails/51.jpg)