OWASP Enterprise Security API (ESAPI)




Zehra Saadet Öztürk, Oksijen ARGE, 9 June 2012 (deck footer dated 12 June 2012)

What is ESAPI?
> A library of security controls for web applications
> Provides interfaces for solving the common security problems
> Versions exist for Java, .NET, ASP, PHP, Python, JavaScript, C and C++
> Free, open source
> BSD licensed

ESAPI architecture (diagram): the enterprise web application calls the ESAPI interfaces (Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration), and each interface is backed either by the ESAPI reference implementation, by a custom implementation, or by existing enterprise security services/libraries.

ESAPI Input Validation
> White-list validation
> Canonicalization
> Intrusion detection
> Example methods:
> getValidSafeHTML
> getValidDate
> getValidNumber
> getValidFileContent
> getValidFileName
> getValidCreditCard
> isValidFileUpload
> isValidHTTPRequestParameterSet

ESAPI Input Validation: the many encodings of "<" that canonicalization must undo before the white list is applied

Encoding               Forms that decode to "<"
Percent encoding       %3c  %3C
HTML decimal entity    &#60  &#060  &#0060  &#00060  &#000060  &#0000060  (with or without a trailing ";")
HTML hex entity        &#x3c  &#x03c  &#x003c  &#x0003c  &#x00003c  &#x000003c
                       &#X3c  &#X03c  &#X003c  &#X0003c  &#X00003c  &#X000003c
                       &#x3C  &#x03C  &#x003C  &#x0003C  &#x00003C  &#x000003C
                       &#X3C  &#X03C  &#X003C  &#X0003C  &#X00003C  &#X000003C
HTML named entity      &lt  &Lt  &LT  &lt;  &Lt;  &LT;
JavaScript escape      \<  \x3c  \X3c  \u003c  \U003c  \x3C  \X3C  \u003C  \U003C
CSS escape             \3c  \03c  \003c  \0003c  \00003c  \3C  \03C  \003C  \0003C  \00003C
Overlong UTF-8         %c0%bc  %e0%80%bc  %f0%80%80%bc  %f8%80%80%80%bc  %fc%80%80%80%80%bc
US-ASCII               ¼  (byte 0xBC; with the high bit stripped it becomes 0x3C)
UTF-7                  +ADw-
Punycode               <-

ESAPI Input Validation
> getValidInput
> validation.properties
> Validator.MSISDN=^(9054[0-9]{8}|9050[0-9]{8}|9053[0-9]{8}|9055[0-9]{8})$
> Validator.employeeID=^([A-Za-z0-9]{20,50})$
> Class diagram: your own MyValidator (isValidInput(), ..., isValidEmployeeID()) implements the ESAPI Validator interface (isValidInput(), ...); it may add functions or change behaviour compared with the reference implementation, and the interface itself may also be modified. DefaultValidator is the ESAPI reference implementation and does not include an isValidEmployeeID function.

ESAPI Input Validation: Example

    try {
        // AntiSamy-policed HTML, at most 1000 characters, null allowed
        String cleanMarkup = ESAPI.validator().getValidSafeHTML(
                "htmlInput", htmlInput, 1000, true);
        // "MSISDN" and "pwdWhitelist" name Validator.* patterns in validation.properties
        String cleanMsisdn = ESAPI.validator().getValidInput(
                "msisdn", msisdnInput, "MSISDN", 12, false);
        // The context string ends up in log messages: keep the password itself out of it
        String cleanPassword = ESAPI.validator().getValidInput(
                "password", pwdInput, "pwdWhitelist", 15, true);
    } catch (ValidationException e) {
        logger.error("[Validation failed] " + e.getMessage());
    } catch (IntrusionException e) {
        logger.error("[Intrusion] " + e.getMessage());
    }
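The encoding table and the validation.properties patterns above describe what ESAPI's canonicalize-then-white-list approach has to do. The following Python is an added example, not ESAPI code and not part of the talk: it peels percent, HTML-entity, JavaScript and CSS encodings (including overlong UTF-8) in repeated passes, rejects input that needed more than one codec or more than one pass of the same codec, as ESAPI's strict canonicalize does, and only then applies the MSISDN and employeeID white-list patterns from the slide. The UTF-7 and US-ASCII rows depend on the response charset and are left out; the function and class names are this example's own.

```python
import re
from html import unescape
from urllib.parse import unquote_to_bytes

class ValidationError(ValueError):
    """Input failed white-list validation."""

class IntrusionError(ValidationError):
    """Input was double- or mixed-encoded; nobody types that by accident."""

# (lead byte, payload mask, sequence length); 5/6-byte forms are obsolete but attackers still send them
_UTF8_LEADS = ((0xC0, 0x1F, 2), (0xE0, 0x0F, 3), (0xF0, 0x07, 4), (0xF8, 0x03, 5), (0xFC, 0x01, 6))

def _lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 while also accepting overlong sequences: %c0%bc is how a '<'
    gets past a filter that only looks at the raw bytes."""
    out, i = [], 0
    while i < len(data):
        b, n, mask = data[i], 1, 0
        for lead, lead_mask, length in _UTF8_LEADS:
            if (b & ~lead_mask) == lead:
                n, mask = length, lead_mask
                break
        tail = data[i + 1:i + n]
        if b < 0x80:
            out.append(chr(b))
        elif n == 1 or len(tail) != n - 1 or any((t & 0xC0) != 0x80 for t in tail):
            out.append("\ufffd")                  # stray or truncated sequence
            n = 1
        else:
            cp = b & mask
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out)

def _decode_percent(s: str) -> str:
    return _lenient_utf8(unquote_to_bytes(s)) if "%" in s else s

# \x3c, \u003c and \< forms; \3 is left alone so CSS escapes are not mangled
_JS_RE = re.compile(r"\\(?:[xX]([0-9a-fA-F]{2})|[uU]([0-9a-fA-F]{4})|([^A-Za-z0-9]))")
def _decode_js(s: str) -> str:
    return _JS_RE.sub(lambda m: m.group(3) or chr(int(m.group(1) or m.group(2), 16)), s)

_CSS_RE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")
def _decode_css(s: str) -> str:
    return _CSS_RE.sub(lambda m: chr(min(int(m.group(1), 16), 0x10FFFF)), s)

# Order matters: JavaScript before CSS, so \x3c is not misread as the CSS escape \x followed by "3c"
CODECS = (("percent", _decode_percent), ("html", unescape),
          ("javascript", _decode_js), ("css", _decode_css))

def canonicalize(value: str, strict: bool = True) -> str:
    """Strip every layer of encoding. In strict mode, needing more than one codec
    (mixed) or more than one pass of a codec (double) raises IntrusionError."""
    current, hits = value, []
    for pass_no in range(1, 5):                   # bound the work on deeply nested input
        changed = False
        for name, decode in CODECS:
            decoded = decode(current)
            if decoded != current:
                hits.append((pass_no, name))
                current, changed = decoded, True
        if not changed:
            break
    names = [name for _, name in hits]
    if strict and len(set(names)) > 1:
        raise IntrusionError("mixed encoding: " + ", ".join(sorted(set(names))))
    if strict and len(names) != len(set(names)):
        raise IntrusionError("double encoding: " + names[0])
    return current

# White-list patterns copied from the slide's validation.properties
MSISDN_RE = re.compile(r"^(9054[0-9]{8}|9050[0-9]{8}|9053[0-9]{8}|9055[0-9]{8})$")
EMPLOYEE_ID_RE = re.compile(r"^([A-Za-z0-9]{20,50})$")

def get_valid_input(context, value, pattern, max_length, allow_null=False):
    """Canonicalize, then check length and the white-list regex. Messages carry
    the context name, never the raw input, so they are safe to log."""
    if value is None or value == "":
        if allow_null:
            return None
        raise ValidationError(f"{context}: value is required")
    canonical = canonicalize(value, strict=True)
    if len(canonical) > max_length:
        raise ValidationError(f"{context}: longer than {max_length} characters")
    if not pattern.fullmatch(canonical):
        raise ValidationError(f"{context}: does not match the white-list pattern")
    return canonical

def classify(context, value, pattern, max_length):
    # 'ok', 'invalid' (reject and log) or 'intrusion' (reject and alert the IntrusionDetector)
    try:
        get_valid_input(context, value, pattern, max_length)
        return "ok"
    except IntrusionError:
        return "intrusion"
    except ValidationError:
        return "invalid"
```

The distinction between "invalid" and "intrusion" is the one the slide's two catch blocks make: a typo in a phone number is a validation failure, whereas `%2539053` (percent encoding applied twice) or `%26%2360%3b` (percent wrapped around an HTML entity) is an evasion attempt worth an alert.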

ESAPI Output Encoding
> When encoding output...
> Identify the target interpreter, then use the encoding method for that interpreter
> Which characters need encoding?
> Watch out for double encoding!
> encodeForJavaScript(String input)
> encodeForHTML(String input)
> encodeForCSS(String input)
> encodeForLDAP(String input)
> encodeForXPath(String input)
> encodeForXML(String input)
> String canonicalize(String input)

ESAPI Output Encoding Example: XSS (the OWASP XSS prevention rules)
Rule #0: Never insert untrusted data except in allowed locations
Rule #1: HTML-escape before inserting into HTML element content: ESAPI.encoder().encodeForHTML(input)
Rule #2: Attribute-escape before inserting into common HTML attributes: ESAPI.encoder().encodeForHTMLAttribute(input)
Rule #3: JavaScript-escape before inserting into quoted JavaScript data values: ESAPI.encoder().encodeForJavaScript(input)
Rule #4: CSS-escape before inserting into HTML style property values: ESAPI.encoder().encodeForCSS(input)
Rule #5: URL-escape before inserting into HTML URL parameter values: ESAPI.encoder().encodeForURL(input)

ESAPI Output Encoding: XSS

Before (untrusted data inserted raw into three different interpreters):

    <script> x=<%=request.getParameter("input")%> </script>
    <table><tr>
      <td>Full Name:</td>
      <td><%=user.getFirstName()%> <%=user.getLastName()%></td>
      <td><a href="sendMessage?userId=<%=user.getId()%>">Send Message</a></td>
    </tr></table>

After (each value encoded for the interpreter that reads it; note the JavaScript value is placed inside quotes, because encodeForJavaScript only protects a quoted string literal):

    <script> x='<%=ESAPI.encoder().encodeForJavaScript(request.getParameter("input"))%>'; </script>
    <table><tr>
      <td>Full Name:</td>
      <td><%=ESAPI.encoder().encodeForHTML(user.getFirstName())%> <%=ESAPI.encoder().encodeForHTML(user.getLastName())%></td>
      <td><a href="sendMessage?userId=<%=ESAPI.encoder().encodeForURL(user.getId())%>">Send Message</a></td>
    </tr></table>
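To make the three contexts in the corrected JSP concrete, here is an added Python example, not ESAPI's code and not from the talk: minimal encoders written to the OWASP rules quoted above, and a render_profile function that builds the same fragment with a malicious first name, a user id that tries to smuggle a javascript: URL, and a page input that tries to break out of the JavaScript string. The encoders encode every non-alphanumeric character in their context, as the rules ask; their names and the render_profile helper are this example's own.

```python
from urllib.parse import quote

def encode_for_html(s: str) -> str:
    """Rule #1, element content: the characters that can start markup or end an
    attribute become entities; everything else passes through."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}
    return "".join(table.get(c, c) for c in s)

def encode_for_html_attribute(s: str) -> str:
    """Rule #2: every non-alphanumeric character becomes &#xHH;, so the value
    cannot close an attribute even when the developer forgot the quotes."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in s)

def encode_for_javascript(s: str) -> str:
    """Rule #3: \\xHH for Latin-1, \\uHHHH (UTF-16 units) beyond that. The result
    is only safe INSIDE a quoted string literal; unquoted, x=\\x31 is not even valid JS."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02X}")
        else:
            units = c.encode("utf-16-be")
            out.extend(f"\\u{int.from_bytes(units[i:i + 2], 'big'):04X}" for i in range(0, len(units), 2))
    return "".join(out)

def encode_for_url(s: str) -> str:
    """Rule #5: percent-encode a parameter VALUE. safe='' also encodes '/' and ':',
    so a javascript: or data: payload can never become the scheme of the link."""
    return quote(s, safe="")

def render_profile(first_name: str, last_name: str, user_id: str, page_input: str) -> str:
    """The corrected JSP from the slide: JS string literal, HTML text, and a URL
    parameter inside an HTML attribute (URL-encode first, then attribute-encode,
    because the browser decodes the entities before it parses the URL)."""
    return (
        "<script> var x = '" + encode_for_javascript(page_input) + "'; </script>\n"
        "<table><tr>\n"
        "  <td>Full Name:</td>\n"
        "  <td>" + encode_for_html(first_name) + " " + encode_for_html(last_name) + "</td>\n"
        '  <td><a href="sendMessage?userId=' + encode_for_html_attribute(encode_for_url(user_id))
        + '">Send Message</a></td>\n'
        "</tr></table>"
    )
```

Running render_profile with the payloads in the test shows the point of "identify the target interpreter": HTML entities would not have stopped `javascript:alert(1)` in the href (no HTML-special characters in it), and they would not have stopped `'; alert(1) //` inside the script block either; only the encoder for the interpreter that actually parses the value does.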

ESAPI Encoding Example: SQL Injection
> encodeForSQL is not the recommended approach
> What should actually be done is to use a PreparedStatement with bind parameters

Vulnerable (the request parameter is concatenated straight into the statement):

    String query = "SELECT account_balance FROM user_data WHERE user_name = "
        + request.getParameter("customerName");

With encodeForSQL (escapes quote characters for the Oracle dialect):

    String query = "SELECT account_balance FROM user_data WHERE user_name = "
        + ESAPI.encoder().encodeForSQL(new OracleCodec(), request.getParameter("customerName"));

Caveat: as written, the value is not even inside a quoted SQL literal, so escaping quotes changes nothing; a payload such as 1 OR 1=1 still rewrites the query. Encoding only helps inside a quoted literal and only when it matches the database dialect exactly, whereas a PreparedStatement with a ? placeholder keeps data and code apart in every case.
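Run against a throwaway SQLite database, the variants of the slide's query show the point in practice. This is an added Python example, not ESAPI's or the talk's code: sql_escape stands in for what a codec's encodeForSQL does (doubling the quote character), the user_data rows are constructed sample data, and the function names are this example's own.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data matching the slide's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn

def sql_escape(value: str) -> str:
    """What an SQL codec does: double the quote character so it cannot end a literal."""
    return value.replace("'", "''")

def balance_concat(conn, customer_name):
    """The slide's vulnerable line: the parameter is pasted straight into the statement."""
    query = "SELECT account_balance FROM user_data WHERE user_name = " + customer_name
    return [row[0] for row in conn.execute(query)]

def balance_encoded_unquoted(conn, customer_name):
    """The slide's encodeForSQL line as written: escaped, but still outside any
    quoted literal, so quote-escaping has nothing to protect."""
    query = "SELECT account_balance FROM user_data WHERE user_name = " + sql_escape(customer_name)
    return [row[0] for row in conn.execute(query)]

def balance_encoded_quoted(conn, customer_name):
    """Escaping inside a quoted literal: holds against quote-based payloads, but
    only as long as the escaping matches the database's dialect exactly."""
    query = "SELECT account_balance FROM user_data WHERE user_name = '" + sql_escape(customer_name) + "'"
    return [row[0] for row in conn.execute(query)]

def balance_prepared(conn, customer_name):
    """What the talk recommends: a bind parameter. The value travels separately
    from the statement text and is never parsed as SQL."""
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (customer_name,))]
```

With the payload `1 OR 1=1` both the raw and the "encoded but unquoted" query return every balance in the table; the quoted-and-escaped variant survives `' OR '1'='1`, but the prepared statement is the only one that treats every payload as a customer name that simply does not exist.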

Authentication
> ESAPI.properties
> ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
> ESAPI.Authenticator=com.vodafone.myapp.auth.MyAuthenticator
> Class diagram: your own MyAuthenticator (login(), ...) implements the ESAPI Authenticator interface (login(), ...) with the same functions as the reference implementation; DefaultAuthenticator is the ESAPI reference implementation.

Authentication
> Creating a user
> Checks username and password strength
> Password hash (SHA-2 hash, salted with the username)

    User user = ESAPI.authenticator().createUser("saadet", "Password1?", "Password1?");

Caveat: a salt derived from the username is predictable and repeats across systems; a random per-user salt is the stronger choice.

Authentication
> Login
> Detects IP address changes
> Changes the session ID
> Locks the account after too many failed attempts
> "Remember me"
> Rejects login requests that are not POST or not over SSL

    User user = ESAPI.authenticator().login(httpServletRequest, httpServletResponse);

Authentication

    ESAPI.authenticator().getUser("saadet").lock();
    ESAPI.authenticator().getUser("saadet").disable();
    ESAPI.authenticator().verifyPasswordStrength("oldPassword", "newPassword",
            ESAPI.authenticator().getUser("saadet"));

Access Control
> assertAuthorizedForURL(java.lang.String url)
> assertAuthorizedForFunction(java.lang.String functionName)
> assertAuthorizedForService(java.lang.String serviceName)
> Indirect object references: RandomAccessReferenceMap

Access Control

URLAccessRules.txt:

    /MyApp/userList.action    any       allow
    /MyApp/userEdit.action    admin     allow
    /MyApp/userDelete.action  standart  deny

Interceptor that enforces the rules for every request (a URL without a matching allow rule is denied by default):

    try {
        ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI());
        return actionInvocation.invoke();
    } catch (AccessControlException e) {
        logger.info(null, "[AuthorizationInterceptor] User is not authorized for url: "
                + request.getRequestURI());
    }
    return AUTH_FAILURE;
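An added Python example, not ESAPI's FileBasedAccessController, of how a rules file in this format can be evaluated safely: the request path is percent-decoded and normalised before matching, the longest matching rule wins, and anything without an explicit allow for one of the caller's roles is denied. The longest-prefix semantics, the comma-separated role syntax and the function names are this example's assumptions, chosen to mirror what a practitioner expects from such a file; ESAPI's own matching rules are in its documentation.

```python
import posixpath
from urllib.parse import unquote, urlparse

# Constructed rules file in the slide's URLAccessRules.txt format: path, roles, action
URL_ACCESS_RULES = """
/MyApp/userList.action    any       allow
/MyApp/userEdit.action    admin     allow
/MyApp/userDelete.action  standart  deny
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # tolerate comments, skip blank lines
        if not line:
            continue
        path, roles, action = line.split()
        rules.append((path, frozenset(roles.split(",")), action == "allow"))
    return rules

def canonical_path(url):
    """Decode and normalise before matching, so /MyApp/../MyApp/x, /MyApp/%78
    and /MyApp/x?admin=1 all hit the same rule as /MyApp/x."""
    return posixpath.normpath(unquote(urlparse(url).path))

def is_authorized_for_url(rules, user_roles, url):
    path = canonical_path(url)
    best = None
    for rule_path, roles, allow in rules:
        if path == rule_path or path.startswith(rule_path.rstrip("/") + "/"):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, roles, allow)   # most specific rule wins
    if best is None:
        return False                                # no rule at all: deny by default
    _, roles, allow = best
    if "any" in roles or roles & frozenset(user_roles):
        return allow
    return False                                    # a rule exists, but not for this role

def assert_authorized_for_url(rules, user_roles, url):
    """Same decision in ESAPI's assert* style: raise instead of returning False,
    so a forgotten check cannot silently fall through to the action."""
    if not is_authorized_for_url(rules, user_roles, url):
        raise PermissionError(f"not authorized for {canonical_path(url)}")
```

Note what deny-by-default buys here: userDelete has only a deny rule, so even an admin is refused until someone writes an explicit allow, and an unlisted action such as /MyApp/report.action is refused to everyone.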

ESAPI and CSRF (Cross-Site Request Forgery)
> Add a CSRF token to the link

    <a href='<%=ESAPI.httpUtilities().addCSRFToken("/myapp")%>' target="_blank">Transfer Funds</a>

> Verify the CSRF token when the link is clicked

    try {
        ESAPI.httpUtilities().verifyCSRFToken();
        logger.debug("CSRF token validated");
    } catch (IntrusionException e) {
        logger.fatal(Logger.SECURITY_FAILURE, "[Intrusion] CSRF token not validated " + e.getLogMessage());
        return e.getUserMessage();
    }

Session Management
> Session fixation vulnerability
> The attacker makes the victim accept a session identifier that the attacker already knows
> Fix: issue a fresh identifier once the user authenticates: ESAPI.httpUtilities().changeSessionIdentifier()
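The two controls on these slides, a per-session CSRF token appended to links and checked on the request (addCSRFToken / verifyCSRFToken) and a fresh session identifier on login (changeSessionIdentifier), fit together in one added Python example. It is not ESAPI's implementation and not from the talk: the in-memory SessionStore, the ctoken parameter name and the function names are this example's assumptions, and the token is compared in constant time with hmac.compare_digest.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

class SessionStore:
    """Minimal server-side session table keyed by an unguessable identifier."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, username):
        """Authenticate and ROTATE the identifier. If an attacker fixated `sid` on
        the victim before login, that id is now dead and the attacker holds nothing.
        The CSRF token is rotated with it, so a token captured pre-login is useless."""
        data = self._sessions.pop(sid)              # KeyError for an unknown session
        data["user"] = username
        data["csrf"] = secrets.token_urlsafe(32)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

def add_csrf_token(store, sid, url):
    """Append the session's token to a link, in the spirit of ESAPI's addCSRFToken."""
    token = store.get(sid)["csrf"]
    return url + ("&" if "?" in url else "?") + urlencode({"ctoken": token})

def verify_csrf_token(store, sid, request_url):
    """True only if the request carries the token of the session that sent it.
    A forged cross-site request cannot read the token, so it arrives without one."""
    session = store.get(sid)
    if session is None:
        return False
    supplied = parse_qs(urlparse(request_url).query).get("ctoken", [""])[0]
    return hmac.compare_digest(supplied.encode(), session["csrf"].encode())
```

The session cookie and the token are deliberately two different secrets: the browser attaches the cookie to any request, including one an attacker's page triggers, but only a page rendered by the application knows the token to put in the link.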

ESAPI Cryptography: Encryptor interface
> String hash(String plaintext, String salt) (SHA-2)
> CipherText encrypt(SecretKey key, PlainText plain)
> CipherText encrypt(PlainText plain) (uses the MasterKey from ESAPI.properties)
> PlainText decrypt(CipherText ciphertext)
> PlainText decrypt(SecretKey key, CipherText ciphertext)
> String seal(java.lang.String data, long timestamp)
> String unseal(java.lang.String seal)
> boolean verifySeal(java.lang.String seal)

ESAPI Cryptography: Randomizer interface
> boolean getRandomBoolean()
> String getRandomFilename(String extension)
> String getRandomGUID()
> int getRandomInteger(int min, int max)
> long getRandomLong()
> float getRandomReal(float min, float max)
> String getRandomString(int length, char[] characterSet)

ESAPI Logging
> Event tagging: SECURITY_SUCCESS, SECURITY_FAILURE, EVENT_SUCCESS, EVENT_FAILURE
> Encodes CRLF (an injected newline cannot forge a second log entry)
> Encodes HTML characters (log lines are safe to display in a browser-based viewer)
> Log4JLogFactory, JavaLogFactory

    private static final Logger logger = ESAPI.getLogger(TransferFunds.class);
    logger.fatal(Logger.SECURITY_FAILURE, "[Intrusion] CSRF token not validated " + e.getLogMessage());

ESAPI HTTP Utilities: safer replacements for standard servlet and JDK calls
> ESAPI.httpUtilities().setNoCacheHeaders()
> Reader.readLine() -> Validator.safeRead Line() is not a method; use Validator.safeReadLine()
> Math.random() / java.util.Random -> Randomizer.*
> ServletResponse.setContentType() -> HTTPUtilities.setContentType()
> ServletResponse.sendRedirect() -> HTTPUtilities.sendSafeRedirect()
> RequestDispatcher.forward() -> HTTPUtilities.sendSafeForward()
> ServletResponse.addHeader() -> HTTPUtilities.addSafeHeader()
> ServletResponse.addCookie() -> HTTPUtilities.addSafeCookie()
> ServletRequest.isSecure() -> HTTPUtilities.isSecureChannel()
> ServletResponse.encodeURL() -> HTTPUtilities.safeEncodeURL() (better not to use at all)
> ServletResponse.encodeRedirectURL() -> HTTPUtilities.safeEncodeRedirectURL() (better not to use at all)
> java.security and javax.crypto -> Encryptor.*
> java.net.URLEncoder/URLDecoder -> Encoder.encodeForURL/decodeFromURL

ESAPI Swingset (the ESAPI demo web application)

Questions?

Thank you...

Appendix: ESAPI Input Validation method signatures
> getValidSafeHTML(String context, String input, int maxLength, boolean allowNull)
> getValidDate(String context, String input, java.text.DateFormat format, boolean allowNull)
> getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull)
> getValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull)
> getValidFileName(String context, String input, boolean allowNull)
> String getValidCreditCard(String context, String input, boolean allowNull)
> boolean isValidFileUpload(String context, String filepath, String filename, byte[] content, int maxBytes, boolean allowNull)
> boolean isValidHTTPRequestParameterSet(String context, Set required, Set optional)

ESAPI Input and Output Control (diagram): request flow User -> Controller -> Business Functions -> Data Layer -> Backend
> Validator, at the controller boundary: getValidCreditCard, getValidDirectoryPath, getValidFileContent, getValidFileName, getValidInput, getValidRedirectLocation, getValidDate, getValidPrintable, safeReadLine; with canonicalization, double-encoding protection, sanitization and normalization
> Encoder, at every output boundary: encodeForJavaScript, encodeForVBScript, encodeForURL, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForDN, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath