the owasp enterprise security api

The OWASP Foundation

OWASP & WASC AppSec

2007 Conference

San Jose – Nov 2007

http://www.owasp.org/http://www.webappsec.org/

Copyright © 2007 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASPEnterprise Security API

Jeff WilliamsOWASP Foundation [email protected]

Aspect Security [email protected]

OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007

The Challenge…

Your enterprise has hundreds of applications

Every one of them needs:Authentication, access control, input validation,

encoding, encryption, logging, error handling, etc…

You can use these building blocks:Log4j, Reform, ACEGI, Struts, Stinger, Spring,

Validator, Jasypt, JCE, JAAS, Cryptix, BouncyCastle, Anti-XSS, HDIV, xml-dsig, xml-enc, lots lots more….

2


Java LoggingJava Logging

The Challenge…

3

ReformReform

ACEGIACEGIStrutsStruts

StingerStinger

Anti-XSSAnti-XSS

BouncyCastleBouncyCastle

SpringSpring

Log4jLog4j

CommonsValidatorCommonsValidator

JasyptJasypt

JCEJCE

JAASJAASCryptixCryptix

HDIVHDIVxml-dsigxml-dsig

xml-encxml-enc


Philosophy

Using security controls is different from buildingAll the security guidelines, courses, tutorials,

websites, books, etc… are all mixed up because everyone builds their own controls

Most developers shouldn’t build security controlsWhen to use a controlHow to use a controlWhy to use a control (maybe)

Most enterprises need the same set of calls4


Design

Only include methods that…Are widely useful and focus on the most risky areas

Designed to be simple to understand and use Interfaces with concrete reference implementation Full documentation and usage examples

Same basic API across common platforms Java EE, .NET, PHP, others?Useful to Rich Internet Applications?

5


Architecture Overview

6


Create Your ESAPI Implementation

Your Security ServicesWrap your existing libraries and servicesExtend and customize your ESAPI

implementationFill in gaps with the reference implementation

Your Coding GuidelineTailor the ESAPI coding guidelinesRetrofit ESAPI patterns to existing code

7


Frameworks and ESAPI

ESAPI is NOT a framework Just a collection of security functions, not “lock in”

Frameworks already have some securityControls are frequently missing, incomplete, or

wrong

ESAPI Framework Integration ProjectWe’ll share best practices for integratingHopefully, framework teams like Struts adopt

ESAPI

8


Project Plan and Status

9

2002 – Start Collecting

9/07 – Sneak Peek


Quality

10


Handling Authentication and Identity

Users

11


Authenticator

Key MethodscreateUser(accountName, pass1, pass2)generateStrongPassword()getCurrentUser() login(request, response) logout()verifyAccountNameStrength(acctName)verifyPasswordStrength(newPass, oldPass)

Use threadlocal variable to store current User Automatically change session on login and logout

12


User

Key MethodschangePassword(old, new1, new2) disable() enable() getAccountName() getScreenName() getCSRFToken()getLastFailedLoginTime() getLastLoginTime()getRoles() isInRole(role) isEnabled() isExpired() isLocked() loginWithPassword(password, request, response) resetCSRFToken() resetPassword()verifyCSRFToken(token)

13


Enforcing Access Control

FunctionChec

k

14


AccessController

Key Methods isAuthorizedForData(key) isAuthorizedForFile(filepath) isAuthorizedForFunction(functionName) isAuthorizedForService(serviceName) isAuthorizedForURL(url)

Reference Implementation (not required) /admin/* | admin | allow | admin access to

/admin /* | any | deny | default deny rule

15


Handling Direct Object References

Indirect

Reference

Direct Refere

nce

http://app?file=7d3J93

Report123.xls

16


AccessReferenceMap

Key MethodsgetDirectReference(indirectReference)getIndirectReference(directReference) iterator()update(directReferences)

Examplehttp://www.ibank.com?file=report123.xlshttp://www.ibank.com?file=a3nr38

17


Validating and Encoding Untrusted Input

EncodeForHTML

Validate

18


Validator

Key Methodscanonicalize(input), normalize(input) isValidFileUpload(filepath, filename, content)getValidDataFromBrowser(type, input) isValidDataFromBrowser(type, input) isValidHTTPRequest (request) isValidRedirectLocation(location) isValidSafeHTML(input), getValidSafeHTML(input)safeReadLine(inputStream, maxchars)

Canonicalization is really important always ignored

Global validation of HTTP requests19


<input name=“test” value=“test” onblur=“&#x61ler&#116(‘xss’)”>

%26lt;

20

Decode This


Encoder

21


Enhancing HTTP

Add CSRF Token

Secure Cookies

Secure Redirect

No Cache Headers

Verify CSRF Token

Safe Request Logging

Safe File Upload

Add Safe Header

22


HTTPUtilities Key Methods

addCSRFToken(href), checkCSRFToken(href)addSafeCookie(name, value, age, domain, path) addSafeHeader(header, value)changeSessionIdentifier()getFileUploads(tempDir, finalDir) isSecureChannel()killCookie(name)sendSafeRedirect(href)setContentType()setNoCacheHeaders()

Safer ways of dealing with HTTP, secure cookies 23


Encryptor

Key Methodsdecrypt(ciphertext) encrypt(plaintext)hash(plaintext, salt) loadCertificateFromFile(file)getTimeStamp()seal(data, expiration) verifySeal(seal, data) sign(data) verifySignature(signature, data)

Simple master key in configuration Minimal certificate support

24


EncryptedProperties

Key MethodsgetProperty(key)setProperty(key, value) keySet() load(inputStream) store(outputStream, comments)

Simple protected storage for configuration data

Main program to preload encrypted data!

25


Randomizer

Key MethodsgetRandomGUID() getRandomInteger(min, max) getRandomReal(min, max) getRandomString(length, characterSet)

Several pre-defined character setsLowers, uppers, digits, specials, letters,

alphanumerics, password, etc…

26


Exception Handling

EnterpriseSecurityExceptionAccessControlException(userMsg, logMsg)AuthenticationException(userMsg, logMsg)AvailabilityException(userMsg, logMsg)CertificateException(userMsg, logMsg)EncodingException(userMsg, logMsg)EncryptionException(userMsg, logMsg)ExecutorException(userMsg, logMsg) IntrusionException(userMsg, logMsg)ValidationException(userMsg, logMsg)

Sensible security exception framework27


Logger

Key MethodsgetLogger(applicationName,moduleName) formatHttpRequestForLog(request, sensitiveList) logCritical(type, message, throwable) logDebug(type, message, throwable) logError(type, message, throwable) logSuccess(type, message, throwable) logTrace(type, message, throwable) logWarning(type, message, throwable)

All EASPI exceptions are automatically logged

28


Detecting Intrusions

Log, Logout, and Disable

29


IntrusionDetector

Key MethodsaddException(exception) addEvent(event)

ModelEnterpriseSecurityExceptions automatically addedSpecify a threshold for each event type

org.owasp.esapi.ValidationException.count=3 org.owasp.esapi.ValidationException.interval=3

(seconds) org.owasp.esapi.ValidationException.action=logout

Actions are log message, disable account

30


SecurityConfiguration

Customizable…Crypto algorithmsEncoding algorithmsCharacter setsGlobal validation rulesLogging preferences Intrusion detection thresholds and actionsEtc…

All security-relevant configuration in one place

31


Coverage

32


Closing Thoughts

I have learned an amazing amount (I thought I knew)

An ESAPI is a key part of a balanced breakfastBuild rqmts, guidelines, training, tools around your

ESAPI

Secondary benefitsMay help static analysis do betterEnables security upgrades across applicationsSimplifies developer training

Next year – experiences moving to ESAPI33

the owasp enterprise security api

Documents