SlideShare a Scribd company logo

Entreprise Security API - OWASP Montreal

Philippe Gamache, profile picture
Philippe Gamache

The document outlines the Enterprise Security API (ESAPI) and its role in addressing common security problems such as input validation, authentication, access control, and encryption. It references the OWASP Top 10 security risks and discusses the architecture of ESAPI, including components like access controllers, validators, and encryptors. Additionally, it highlights the importance of community resources and provides contact information for further inquiries.

Technology
1 of 50
Downloaded 36 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
Enteprise Security API ESAPI Saturday, 2011-02-26
Saturday, 2011-02-26
Saturday, 2011-02-26
I answer question Saturday, 2011-02-26
The problems Saturday, 2011-02-26
The problems • Input Validation and Output Encoding • Authentication and Identity • URL Access Control • Business Function Access Control • Data Layer Access Control Saturday, 2011-02-26
The problems • Presentation Layer Access Control • Errors, Logging, and Intrusion Detection • Encryption, Hashing, and Randomness Saturday, 2011-02-26
OWASP TOP 10 A2 – Cross-Site Scripting A1 – Injection (XSS) A3 – Broken Authentication A4 – Insecure Direct and Session Management Object References A5 – Cross-Site Request A6 – Security Forgery (CSRF) Misconfiguration A7 – Insecure A8 - Failure to Restrict Cryptographic Storage URL Access A9 - Insufficient Transport A10 – Unvalidated Layer Protection Redirects and Forwards Saturday, 2011-02-26
And over 300 others security problems types Saturday, 2011-02-26
Vulnerabilities and Security Controls Ignored Misused Broken Missing Saturday, 2011-02-26
Why Input Validation Is Hard? Saturday, 2011-02-26
< Saturday, 2011-02-26
Percent (url) Encoding • %3c • %3C Saturday, 2011-02-26
HTML Entity Encoding • &#60 • &#60; • &#060 • &#060; • &#0060 • &#0060; • &#00060 • &#00060; • &#000060 • &#000060; • &#0000060 • &#0000060; Saturday, 2011-02-26
HTML Entity Encoding • &#x3c • &#x3c; • &#x03c • &#x03c; • &#x003c • &#x003c; • &#x0003c • &#x0003c; • &#x00003c • &#x00003c; • &#x000003c • &#x000003c; Saturday, 2011-02-26
HTML Entity Encoding • &#X3c • &#X3c; • &#X03c • &#X03c; • &#X003c • &#X003c; • &#X0003c • &#X0003c; • &#X00003c • &#X00003c; • &#X000003c • &#X000003c; Saturday, 2011-02-26
HTML Entity Encoding • &#x3C • &#x3C; • &#x03C • &#x03C; • &#x003C • &#x003C; • &#x0003C • &#x0003C; • &#x00003C • &#x00003C; • &#x000003C • &#x000003C; Saturday, 2011-02-26
HTML Entity Encoding • &#X3C • &#X3C; • &#X03C • &#X03C; • &#X003C • &#X003C; • &#X0003C • &#X0003C; • &#X00003C • &#X00003C; • &#X000003C • &#X000003C; Saturday, 2011-02-26
HTML Entity Encoding • &lt • &lt; • &lT • &lT; • &Lt • &Lt; • &LT • &LT; Saturday, 2011-02-26
JavaScript Escape • < • x3C • x3c • X3C • X3c • u003C • u003c • U003C • U003c Saturday, 2011-02-26
CSS Escape • 3c • 3C • 03c • 03C • 003c • 003C • 0003c • 0003C • 00003c • 00003C Saturday, 2011-02-26
UTF-7 vs UTF-8 • +ADw- • %c0%bc • %e0%80%bc • %f0%80%80%bc • %f8%80%80%80%bc • %fc%80%80%80%80%bc Saturday, 2011-02-26
1,677,721,600,000,000 ways to encode <script> Saturday, 2011-02-26
The Solutions? Saturday, 2011-02-26
What is Enterprise Security API? Saturday, 2011-02-26
ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
Overview of the Architectural Impact Saturday, 2011-02-26
Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling isAuthorizedForURL() isAuthorizedForFile() isAuthorizedForData() Logger isAuthorizedForService() isAuthorizedForFunction() IntrusionDetector SecurityConfiguration
Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
Entreprise Security API <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties ->validator() Exception Handling IntrusionDetector AccessController ->getValidInput( Randomizer Authenticator HTTPUtilities String $context, Encryptor Validator Encoder Logger String $input, User String type, int $maxLength, boolean allowNull, ValidationErrorList $errorList); ?> Saturday, 2011-02-26
Entreprise Security API assertIsValidHttpRequest() interface SecurityConfiguration AccessReferenceMap EncryptedProperties assertIsValidHttpRequest Exception Handling ValidationRule IntrusionDetector AccessController ParameterSet() Randomizer Authenticator HTTPUtilities assertIsValidFileUpload() Encryptor Validator Encoder Logger User abstract BaseValidationRule getValidDate() getValidDouble() getValidDirectoryPath() getValidDouble() CreditCard getValidFileContent() ValidationRule getValidFileName() Saturday, 2011-02-26
Entreprise Security API isValidCreditCard() interface SecurityConfiguration isValidDataFromBrowse() AccessReferenceMap EncryptedProperties Exception Handling ValidationRule IntrusionDetector AccessController isValidDirectoryPath() Authenticator HTTPUtilities Randomizer isValidFileContent() Encryptor Validator Encoder isValidFileName() Logger User abstract isValidHTTPRequest() BaseValidationRule isValidListItem() isValidRedirectLocation() isValidSafeHTML() CreditCard isValidPrintable() ValidationRule safeReadLine() Saturday, 2011-02-26
Entreprise Security API encodeForCSS <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties encodeForDN ->encoder() Exception Handling IntrusionDetector AccessController encodeForHTML ->encodeForHTML($name) Authenticator HTTPUtilities Randomizer encodeForLDAP ?> Encryptor Validator Encoder Logger encodeForSQL User encodeForURL encodeForJavaScript encodeForXML encodeForHTMLAttribute encodeForXPath encodeForVBScript encodeForXMLAttribute encodeForXPath Saturday, 2011-02-26
Entreprise Security API •Add Safe Header •isSecureChannel SecurityConfiguration AccessReferenceMap EncryptedProperties •Safe Request Logging Exception Handling •No Cache Headers IntrusionDetector AccessController •Set Content Type •Safe File Uploads Authenticator HTTPUtilities Randomizer Encryptor Validator •Add Safe Cookie Encoder Logger User •Kill Cookie •sendSafeForward •Change SessionID •sendSafeRedirect •CSRF Tokens •Encrypt State in Cookie •Hidden Field Encryption •Querystring Encryption Saturday, 2011-02-26
Entreprise Security API •Integrity Seals SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling •Strong GUID IntrusionDetector AccessController Authenticator •Random Tokens HTTPUtilities Randomizer Encryptor Validator <?php $encrypted = •Encryption Encoder Logger User $ESAPI->encryptor() ->encrypt($text) •Digital Signatures ?> •Salted Hash •Safe Config Details •Timestamp Saturday, 2011-02-26
Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
Entreprise Security API •AccessControlException SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling IntrusionDetector •AuthenticationException AccessController Authenticator HTTPUtilities •AvailabilityException Randomizer Encryptor Validator Encoder •EncodingException Logger User •EncryptionException •ExecutorException •IntegrityException •IntrusionException •ValidationException Saturday, 2011-02-26
Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap •Responses •Logout User Validator •Log Intrusion •Disable Account Encoder HTTPUtilities •Configurable Thresholds Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
OWASP TOP 10 ESAPI A1: Injection Encoder A2: Cross Site Scripting (XSS) Encoder, Validator A3: Broken Authentication and Authenticator, User, HTTPUtilities Session Management A4: Insecure Direct Object AccessReferenceMap, Reference AccessController A5: Cross Site Request Forgery User (CSRF Token) (CSRF) A6: Security Misconfiguration SecurityConfiguration A7: Insecure Cryptographic Encryptor Storage A8: Failure to Restrict URL Access AccessController A9: Insufficient Transport Layer HTTPUtilities Protection (Secure Cookie, Channel) A10: Unvalidated Redirects and AccessController Forwards Saturday, 2011-02-26
Objective -C Authentication 2.0 1.4 1.4 1.4 Identity 2.0 1.4 1.4 1.4 Access Control 2.0 1.4 1.4 1.4 1.4 Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 Encryption 2.0 1.4 1.4 1.4 1.4 Random Numbers 2.0 1.4 1.4 1.4 1.4 Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Intrusion Detection 2.0 1.4 1.4 1.4 Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 WAF 2.0 Saturday, 2011-02-26
Adopters Saturday, 2011-02-26
Additional Resources • OWASP Home Page http://www.owasp.org • ESAPI Project Page http://www.esapi.org • ESAPI-Users Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-users • ESAPI-Dev Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-dev Saturday, 2011-02-26
Questions ? • philippe@ph-il.ca • http://www.ph-il.ca • @SecureSymfony • http://www.ph-il.ca/en/ conferences • http://www.ph-il.ca/fr/ conferences Saturday, 2011-02-26
Saturday, 2011-02-26

More Related Content

PDF
Strong authetification - ConFoo 2011
Philippe Gamache
 
PDF
Entreprise Security API - ConFoo 2011
Philippe Gamache
 
PDF
Kaizen ou l'amélioration continue
Philippe Gamache
 
PPS
Nueva presentacion de organo gold 2011
juancito2807
 
PDF
Une application en une heure avec symfony - Collège de Mainsonneuve
Philippe Gamache
 
PPT
Styrkeproven
Kai Pettersen
 
PPT
Årsmøte 2010
Kai Pettersen
 
PDF
Google AdWords
Teguh Nugraha
 
Strong authetification - ConFoo 2011
Philippe Gamache
 
Entreprise Security API - ConFoo 2011
Philippe Gamache
 
Kaizen ou l'amélioration continue
Philippe Gamache
 
Nueva presentacion de organo gold 2011
juancito2807
 
Une application en une heure avec symfony - Collège de Mainsonneuve
Philippe Gamache
 
Styrkeproven
Kai Pettersen
 
Årsmøte 2010
Kai Pettersen
 
Google AdWords
Teguh Nugraha
 

Similar to Entreprise Security API - OWASP Montreal (20)

PDF
OWASP Enterprise Security API
ConFoo
 
PDF
The Departed: Exploit Next Generation® – The Philosophy
Nelson Brito
 
PDF
Frontal Attacks - From basic compromise to Advanced Persistent Threat
High-Tech Bridge SA (HTBridge)
 
PDF
Affrontare in modo efficace la sfida dei microservizi
wellD
 
PPTX
Unethical access to website’s databases hacking using sql injection
Satyajit Mukherjee
 
PDF
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
PDF
Full MSSQL Injection PWNage
Prathan Phongthiproek
 
PPTX
OWASP top 10-2013
tmd800
 
PDF
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a
 
PPTX
Von Bayern in die Cloud
Alexey Gravanov
 
PPTX
DWX2015 - Von Bayern in die Cloud
philippgarbe
 
PPTX
OWASP TOP 10
Robert MacLean
 
PDF
SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2
Mark Tabladillo
 
PPTX
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
PDF
An overview of Microsoft data mining technology
Mark Tabladillo
 
PPTX
Your Web Application Is Most Likely Insecure
Achievers Tech
 
PDF
Admin Tech Ed Presentation Hardening Sql Server
rsnarayanan
 
PDF
An overview of microsoft data mining technology
Mark Tabladillo
 
PDF
MySQL Ecosystem in 2020
Alkin Tezuysal
 
PDF
MySQL Cluster
Mario Beck
 
OWASP Enterprise Security API
ConFoo
 
The Departed: Exploit Next Generation® – The Philosophy
Nelson Brito
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
High-Tech Bridge SA (HTBridge)
 
Affrontare in modo efficace la sfida dei microservizi
wellD
 
Unethical access to website’s databases hacking using sql injection
Satyajit Mukherjee
 
hashdays 2011: Christian Bockermann - Protecting Databases with Trees
Area41
 
Full MSSQL Injection PWNage
Prathan Phongthiproek
 
OWASP top 10-2013
tmd800
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a
 
Von Bayern in die Cloud
Alexey Gravanov
 
DWX2015 - Von Bayern in die Cloud
philippgarbe
 
OWASP TOP 10
Robert MacLean
 
SQL Saturday 79 Enterprise Data Mining for SQL Server 2008 R2
Mark Tabladillo
 
[OWASP Poland Day] Application frameworks' vulnerabilities
OWASP
 
An overview of Microsoft data mining technology
Mark Tabladillo
 
Your Web Application Is Most Likely Insecure
Achievers Tech
 
Admin Tech Ed Presentation Hardening Sql Server
rsnarayanan
 
An overview of microsoft data mining technology
Mark Tabladillo
 
MySQL Ecosystem in 2020
Alkin Tezuysal
 
MySQL Cluster
Mario Beck
 
Ad

More from Philippe Gamache (15)

PDF
Loi 25 - Loi modernisant des dispositions législatives en matière de protecti...
Philippe Gamache
 
PDF
Cryptographie 101 Pour les programmeurs (PHP)
Philippe Gamache
 
PDF
Content-Security-Policy 2018.0
Philippe Gamache
 
PDF
Mentor et votre équipe
Philippe Gamache
 
PDF
Multi Factor Authetification - ZendCon 2017
Philippe Gamache
 
PDF
Browser Serving Your We Application Security - ZendCon 2017
Philippe Gamache
 
PDF
Browser Serving Your Web Application Security - Madison PHP 2017
Philippe Gamache
 
PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
PDF
Browser Serving Your Web Application Security - NorthEast PHP 2017
Philippe Gamache
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
PDF
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Philippe Gamache
 
PDF
One hour application - PHP Quebec Conference 2009
Philippe Gamache
 
PDF
Une application en deux heure - PHP Québec Janvier 2009
Philippe Gamache
 
PDF
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Philippe Gamache
 
PDF
Auditing and securing PHP applications - FRHACK 2009
Philippe Gamache
 
Loi 25 - Loi modernisant des dispositions législatives en matière de protecti...
Philippe Gamache
 
Cryptographie 101 Pour les programmeurs (PHP)
Philippe Gamache
 
Content-Security-Policy 2018.0
Philippe Gamache
 
Mentor et votre équipe
Philippe Gamache
 
Multi Factor Authetification - ZendCon 2017
Philippe Gamache
 
Browser Serving Your We Application Security - ZendCon 2017
Philippe Gamache
 
Browser Serving Your Web Application Security - Madison PHP 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
Laboratoire sécurité : audit de code PHP - Conférence PHP Québec 2009
Philippe Gamache
 
One hour application - PHP Quebec Conference 2009
Philippe Gamache
 
Une application en deux heure - PHP Québec Janvier 2009
Philippe Gamache
 
Audit de code PHP - PHP Code Audit - HackFest.ca 2009
Philippe Gamache
 
Auditing and securing PHP applications - FRHACK 2009
Philippe Gamache
 
Ad

Recently uploaded (20)

PDF
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PPTX
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
PDF
Software Development Methodologies in 2025
KodekX
 
PDF
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
PPTX
The Future of AI & Machine Learning.pptx
pritsen4700
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
Unlocking the Future- AI Agents Meet Oracle Database 23ai - AIOUG Yatra 2025.pdf
Sandesh Rao
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
Software Development Methodologies in 2025
KodekX
 
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
The Future of AI & Machine Learning.pptx
pritsen4700
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 

Entreprise Security API - OWASP Montreal

  • 1. Enteprise Security API ESAPI Saturday, 2011-02-26
  • 6. The problems • Input Validation and Output Encoding • Authentication and Identity • URL Access Control • Business Function Access Control • Data Layer Access Control Saturday, 2011-02-26
  • 7. The problems • Presentation Layer Access Control • Errors, Logging, and Intrusion Detection • Encryption, Hashing, and Randomness Saturday, 2011-02-26
  • 8. OWASP TOP 10 A2 – Cross-Site Scripting A1 – Injection (XSS) A3 – Broken Authentication A4 – Insecure Direct and Session Management Object References A5 – Cross-Site Request A6 – Security Forgery (CSRF) Misconfiguration A7 – Insecure A8 - Failure to Restrict Cryptographic Storage URL Access A9 - Insufficient Transport A10 – Unvalidated Layer Protection Redirects and Forwards Saturday, 2011-02-26
  • 9. And over 300 others security problems types Saturday, 2011-02-26
  • 10. Vulnerabilities and Security Controls Ignored Misused Broken Missing Saturday, 2011-02-26
  • 11. Why Input Validation Is Hard? Saturday, 2011-02-26
  • 13. Percent (url) Encoding • %3c • %3C Saturday, 2011-02-26
  • 14. HTML Entity Encoding • &#60 • &#60; • &#060 • &#060; • &#0060 • &#0060; • &#00060 • &#00060; • &#000060 • &#000060; • &#0000060 • &#0000060; Saturday, 2011-02-26
  • 15. HTML Entity Encoding • &#x3c • &#x3c; • &#x03c • &#x03c; • &#x003c • &#x003c; • &#x0003c • &#x0003c; • &#x00003c • &#x00003c; • &#x000003c • &#x000003c; Saturday, 2011-02-26
  • 16. HTML Entity Encoding • &#X3c • &#X3c; • &#X03c • &#X03c; • &#X003c • &#X003c; • &#X0003c • &#X0003c; • &#X00003c • &#X00003c; • &#X000003c • &#X000003c; Saturday, 2011-02-26
  • 17. HTML Entity Encoding • &#x3C • &#x3C; • &#x03C • &#x03C; • &#x003C • &#x003C; • &#x0003C • &#x0003C; • &#x00003C • &#x00003C; • &#x000003C • &#x000003C; Saturday, 2011-02-26
  • 18. HTML Entity Encoding • &#X3C • &#X3C; • &#X03C • &#X03C; • &#X003C • &#X003C; • &#X0003C • &#X0003C; • &#X00003C • &#X00003C; • &#X000003C • &#X000003C; Saturday, 2011-02-26
  • 19. HTML Entity Encoding • &lt • &lt; • &lT • &lT; • &Lt • &Lt; • &LT • &LT; Saturday, 2011-02-26
  • 20. JavaScript Escape • < • x3C • x3c • X3C • X3c • u003C • u003c • U003C • U003c Saturday, 2011-02-26
  • 21. CSS Escape • 3c • 3C • 03c • 03C • 003c • 003C • 0003c • 0003C • 00003c • 00003C Saturday, 2011-02-26
  • 22. UTF-7 vs UTF-8 • +ADw- • %c0%bc • %e0%80%bc • %f0%80%80%bc • %f8%80%80%80%bc • %fc%80%80%80%80%bc Saturday, 2011-02-26
  • 23. 1,677,721,600,000,000 ways to encode <script> Saturday, 2011-02-26
  • 25. What is Enterprise Security API? Saturday, 2011-02-26
  • 26. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
  • 27. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
  • 28. ESAPI Community Communauté ESAPI Library Wiki Mailing List Users Developers Objective-C Saturday, 2011-02-26
  • 29. Overview of the Architectural Impact Saturday, 2011-02-26
  • 30. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 31. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling isAuthorizedForURL() isAuthorizedForFile() isAuthorizedForData() Logger isAuthorizedForService() isAuthorizedForFunction() IntrusionDetector SecurityConfiguration
  • 32. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 33. Entreprise Security API <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties ->validator() Exception Handling IntrusionDetector AccessController ->getValidInput( Randomizer Authenticator HTTPUtilities String $context, Encryptor Validator Encoder Logger String $input, User String type, int $maxLength, boolean allowNull, ValidationErrorList $errorList); ?> Saturday, 2011-02-26
  • 34. Entreprise Security API assertIsValidHttpRequest() interface SecurityConfiguration AccessReferenceMap EncryptedProperties assertIsValidHttpRequest Exception Handling ValidationRule IntrusionDetector AccessController ParameterSet() Randomizer Authenticator HTTPUtilities assertIsValidFileUpload() Encryptor Validator Encoder Logger User abstract BaseValidationRule getValidDate() getValidDouble() getValidDirectoryPath() getValidDouble() CreditCard getValidFileContent() ValidationRule getValidFileName() Saturday, 2011-02-26
  • 35. Entreprise Security API isValidCreditCard() interface SecurityConfiguration isValidDataFromBrowse() AccessReferenceMap EncryptedProperties Exception Handling ValidationRule IntrusionDetector AccessController isValidDirectoryPath() Authenticator HTTPUtilities Randomizer isValidFileContent() Encryptor Validator Encoder isValidFileName() Logger User abstract isValidHTTPRequest() BaseValidationRule isValidListItem() isValidRedirectLocation() isValidSafeHTML() CreditCard isValidPrintable() ValidationRule safeReadLine() Saturday, 2011-02-26
  • 36. Entreprise Security API encodeForCSS <?php echo $ESAPI SecurityConfiguration AccessReferenceMap EncryptedProperties encodeForDN ->encoder() Exception Handling IntrusionDetector AccessController encodeForHTML ->encodeForHTML($name) Authenticator HTTPUtilities Randomizer encodeForLDAP ?> Encryptor Validator Encoder Logger encodeForSQL User encodeForURL encodeForJavaScript encodeForXML encodeForHTMLAttribute encodeForXPath encodeForVBScript encodeForXMLAttribute encodeForXPath Saturday, 2011-02-26
  • 37. Entreprise Security API •Add Safe Header •isSecureChannel SecurityConfiguration AccessReferenceMap EncryptedProperties •Safe Request Logging Exception Handling •No Cache Headers IntrusionDetector AccessController •Set Content Type •Safe File Uploads Authenticator HTTPUtilities Randomizer Encryptor Validator •Add Safe Cookie Encoder Logger User •Kill Cookie •sendSafeForward •Change SessionID •sendSafeRedirect •CSRF Tokens •Encrypt State in Cookie •Hidden Field Encryption •Querystring Encryption Saturday, 2011-02-26
  • 38. Entreprise Security API •Integrity Seals SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling •Strong GUID IntrusionDetector AccessController Authenticator •Random Tokens HTTPUtilities Randomizer Encryptor Validator <?php $encrypted = •Encryption Encoder Logger User $ESAPI->encryptor() ->encrypt($text) •Digital Signatures ?> •Salted Hash •Safe Config Details •Timestamp Saturday, 2011-02-26
  • 39. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 40. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 41. Entreprise Security API •AccessControlException SecurityConfiguration AccessReferenceMap EncryptedProperties Exception Handling IntrusionDetector •AuthenticationException AccessController Authenticator HTTPUtilities •AvailabilityException Randomizer Encryptor Validator Encoder •EncodingException Logger User •EncryptionException •ExecutorException •IntegrityException •IntrusionException •ValidationException Saturday, 2011-02-26
  • 42. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 43. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap •Responses •Logout User Validator •Log Intrusion •Disable Account Encoder HTTPUtilities •Configurable Thresholds Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 44. Authenticator Saturday, 2011-02-26 User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer Entreprise Security API Exception Handling Logger IntrusionDetector SecurityConfiguration
  • 45. OWASP TOP 10 ESAPI A1: Injection Encoder A2: Cross Site Scripting (XSS) Encoder, Validator A3: Broken Authentication and Authenticator, User, HTTPUtilities Session Management A4: Insecure Direct Object AccessReferenceMap, Reference AccessController A5: Cross Site Request Forgery User (CSRF Token) (CSRF) A6: Security Misconfiguration SecurityConfiguration A7: Insecure Cryptographic Encryptor Storage A8: Failure to Restrict URL Access AccessController A9: Insufficient Transport Layer HTTPUtilities Protection (Secure Cookie, Channel) A10: Unvalidated Redirects and AccessController Forwards Saturday, 2011-02-26
  • 46. Objective -C Authentication 2.0 1.4 1.4 1.4 Identity 2.0 1.4 1.4 1.4 Access Control 2.0 1.4 1.4 1.4 1.4 Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0 Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0 Encryption 2.0 1.4 1.4 1.4 1.4 Random Numbers 2.0 1.4 1.4 1.4 1.4 Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0 Intrusion Detection 2.0 1.4 1.4 1.4 Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0 WAF 2.0 Saturday, 2011-02-26
  • 48. Additional Resources • OWASP Home Page http://www.owasp.org • ESAPI Project Page http://www.esapi.org • ESAPI-Users Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-users • ESAPI-Dev Mailing List https://lists.owasp.org/mailman/ listinfo/esapi-dev Saturday, 2011-02-26
  • 49. Questions ? [email protected] • http://www.ph-il.ca • @SecureSymfony • http://www.ph-il.ca/en/ conferences • http://www.ph-il.ca/fr/ conferences Saturday, 2011-02-26