Copyright © 2007 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation The Open Web Application.

Presentation transcript:

Copyright © The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.
The OWASP Foundation: The Open Web Application Security Project

The OWASP Enterprise Security API
Jeff Williams, OWASP Foundation Chair, Aspect Security CEO

The Challenge…
Java Logging, Reform, ACEGI, Struts, Stinger, Anti-XSS, BouncyCastle, Spring, Log4j, Commons Validator, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, and many more

Philosophy
- Using security controls is different from building them
- All the security guidelines, courses, tutorials, websites, books, etc. are mixed up because everyone builds their own controls
- Most developers shouldn't build security controls
  - When to use a control
  - How to use a control
  - Why to use a control (maybe)
- Most enterprises need the same set of calls

Design
- Only include methods that…
  - Are widely useful and focus on the most risky areas
- Designed to be simple to understand and use
- Interfaces with a concrete reference implementation
- Full documentation and usage examples
- Same basic API across common platforms
  - Java EE, .NET, PHP, others?
- Useful to Rich Internet Applications?

Architecture Overview
Diagram: the Custom Enterprise Web Application calls the Enterprise Security API, which in turn wraps Existing Enterprise Security Services/Libraries. ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.

Create Your ESAPI Implementation
- Your Security Services
  - Wrap your existing libraries and services
  - Extend and customize your ESAPI implementation
  - Fill in gaps with the reference implementation
- Your Coding Guideline
  - Tailor the ESAPI coding guidelines
  - Retrofit ESAPI patterns to existing code

Frameworks and ESAPI
- ESAPI is NOT a framework
  - Just a collection of security functions, not "lock in"
- Frameworks already have some security
  - Controls are frequently missing, incomplete, or wrong
- ESAPI Framework Integration Project
  - We'll share best practices for integrating
  - Hopefully, framework teams like Struts adopt ESAPI

Project Plan and Status
- 6/06 – Sketch Informal API
- 4/07 – Formalize Strawman API
- 5/07 – Start Java EE Reference Implementation
- 7/07 – Form Expert Panel
- 9/07 – Sneak Peek
- 11/07 – Release RC – Start Collecting

Quality

Handling Authentication and Identity
Diagram: requests flow from the User through the Controller and Business Functions to the Data Layer and Backend; ESAPI supplies Access Control, Logging, Intrusion Detection, Authentication and Users alongside this flow.

Authenticator
- Key Methods
  - createUser(accountName, pass1, pass2)
  - generateStrongPassword()
  - getCurrentUser()
  - login(request, response)
  - logout()
  - verifyAccountNameStrength(acctName)
  - verifyPasswordStrength(newPass, oldPass)
- Uses a threadlocal variable to store the current User
- Automatically changes the session on login and logout

User
- Key Methods
  - changePassword(old, new1, new2)
  - disable(), enable()
  - getAccountName(), getScreenName()
  - getCSRFToken()
  - getLastFailedLoginTime(), getLastLoginTime()
  - getRoles(), isInRole(role)
  - isEnabled(), isExpired(), isLocked()
  - loginWithPassword(password, request, response)
  - resetCSRFToken(), resetPassword()
  - verifyCSRFToken(token)

Enforcing Access Control
Diagram: access checks at the Controller (function check) and at the Data Layer, between the User Interface, Business Functions, and backends such as Web Service, Database, Mainframe, File System, etc.

AccessController
- Key Methods
  - isAuthorizedForData(key)
  - isAuthorizedForFile(filepath)
  - isAuthorizedForFunction(functionName)
  - isAuthorizedForService(serviceName)
  - isAuthorizedForURL(url)
- Reference Implementation (not required)
  - /admin/* | admin | allow | admin access to /admin
  - /* | any | deny | default deny rule
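The rule format on this slide, as an added illustration (not ESAPI's reference implementation): rules are evaluated first-match-wins, which is an assumption of this example, so the `/*` default-deny line goes last; the path is normalized before matching so that `..` segments cannot slip past a prefix rule.

```java
import java.net.URI;
import java.util.*;

// Illustrative URL rule evaluator in the style of ESAPI's AccessController.
// Added example, not ESAPI's own code. Rule lines use the slide's format
// "path | role | allow/deny | comment"; the first matching rule wins (an
// assumption of this example), so the "/*" default-deny rule is placed last.
public class UrlAccessRules {
    record Rule(String path, String role, boolean allow) {}
    private final List<Rule> rules = new ArrayList<>();

    public UrlAccessRules(String ruleText) {
        for (String line : ruleText.split("\n")) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] f = line.split("\\|");
            if (f.length < 3) throw new IllegalArgumentException("bad rule: " + line);
            rules.add(new Rule(f[0].trim(), f[1].trim(), f[2].trim().equalsIgnoreCase("allow")));
        }
    }

    // Normalize the path first so "/admin/../x" is judged as "/x", not as an admin URL.
    public boolean isAuthorizedForURL(Set<String> userRoles, String url) {
        String path = URI.create(url).normalize().getPath();
        for (Rule r : rules) {
            if (pathMatches(r.path(), path) && roleMatches(r.role(), userRoles)) return r.allow();
        }
        return false; // no rule matched: deny by default, even without the "/*" rule
    }

    private static boolean pathMatches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String dir = pattern.substring(0, pattern.length() - 1);   // "/admin/"
            return path.startsWith(dir) || path.equals(dir.substring(0, dir.length() - 1));
        }
        return pattern.equals(path);
    }

    private static boolean roleMatches(String role, Set<String> userRoles) {
        return role.equals("any") || userRoles.contains(role);
    }

    public static void main(String[] args) {
        UrlAccessRules ac = new UrlAccessRules(
            "/admin/* | admin | allow | admin access to /admin\n" +
            "/*       | any   | deny  | default deny rule\n");
        System.out.println(ac.isAuthorizedForURL(Set.of("admin"), "/admin/users"));    // true
        System.out.println(ac.isAuthorizedForURL(Set.of("user"), "/admin/users"));     // false
        System.out.println(ac.isAuthorizedForURL(Set.of("admin"), "/admin/../index"));  // false: normalized to /index
    }
}
```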

Handling Direct Object References
Diagram: the User holds only an Indirect Reference; the Access Reference Map translates it to the Direct Reference (e.g. Report123.xls) used against the Web Service, Database, Mainframe, File System, etc.

AccessReferenceMap
- Key Methods
  - getDirectReference(indirectReference)
  - getIndirectReference(directReference)
  - update(directReferences)
  - iterator()
- Example (not captured in the transcript)
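The indirect reference pattern from the two slides above, as an added example (not ESAPI's own AccessReferenceMap): a per-user map hands out random tokens in place of direct names such as Report123.xls, and refuses anything that is not one of its own tokens.

```java
import java.security.SecureRandom;
import java.util.*;

// Illustrative indirect reference map in the style of ESAPI's AccessReferenceMap
// (added example, not ESAPI's own code). Direct references such as "Report123.xls"
// never leave the server; the browser only ever sees random, per-user tokens.
public class IndirectReferenceMap {
    private final Map<String, Object> indirectToDirect = new HashMap<>();
    private final Map<Object, String> directToIndirect = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Set the direct references this user may reach. Tokens for references
    // that remain stay stable; removed references lose their tokens.
    public void update(Collection<?> directReferences) {
        Set<Object> keep = new HashSet<>(directReferences);
        directToIndirect.keySet().retainAll(keep);
        indirectToDirect.values().retainAll(keep);
        for (Object direct : directReferences) {
            if (directToIndirect.containsKey(direct)) continue;
            String indirect;
            do { indirect = newToken(); } while (indirectToDirect.containsKey(indirect));
            directToIndirect.put(direct, indirect);
            indirectToDirect.put(indirect, direct);
        }
    }

    public String getIndirectReference(Object direct) { return directToIndirect.get(direct); }

    // Unknown tokens throw instead of returning null, so a tampered parameter
    // cannot be passed through to the data layer by accident.
    public Object getDirectReference(String indirect) {
        Object direct = indirectToDirect.get(indirect);
        if (direct == null) throw new IllegalArgumentException("invalid reference");
        return direct;
    }

    public Iterator<Object> iterator() { return directToIndirect.keySet().iterator(); }

    private String newToken() {
        byte[] b = new byte[6];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        IndirectReferenceMap map = new IndirectReferenceMap();
        map.update(List.of("Report123.xls", "Report124.xls"));
        String token = map.getIndirectReference("Report123.xls");  // the value that goes into the link
        System.out.println(map.getDirectReference(token));          // Report123.xls
        map.getDirectReference("Report123.xls");                    // throws: direct names are not accepted
    }
}
```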

Validating and Encoding Untrusted Input
Diagram: untrusted input from the User is validated (Validate) before Business Processing and output is encoded (EncodeForHTML); backends include Web Service, Directory, Database, File System, etc.

Validator
- Key Methods
  - isValidFileUpload(filepath, filename, content)
  - getValidDataFromBrowser(type, input)
  - isValidDataFromBrowser(type, input)
  - isValidHTTPRequest(request)
  - isValidRedirectLocation(location)
  - isValidSafeHTML(input), getValidSafeHTML(input)
  - safeReadLine(inputStream, maxchars)
- Canonicalization is really important (and always ignored)
- Global validation of HTTP requests

Encoding example: %26lt; (URL-decodes to &lt;, which HTML-decodes to <)

Encoder
- Key Methods
  - canonicalize(input), normalize(input)
  - encodeForBase64(input)
  - encodeForDN(input)
  - encodeForHTML(input)
  - encodeForHTMLAttribute(input)
  - encodeForJavascript, encodeForLDAP, encodeForSQL, encodeForURL, encodeForVBScript, encodeForXML, encodeForXMLAttribute, encodeForXPath, …
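Why the Validator slide insists on canonicalization, and what the %26lt; slide shows, as an added example (not ESAPI's Encoder or Validator): the canonicalizer peels one encoding layer at a time until the input stops changing, and validation runs only on the result; the `isValidDataFromBrowser` helper and its regex parameter are this example's own.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Illustrative canonicalizer (added example, not ESAPI's Encoder). It removes
// URL encoding and HTML entities one layer at a time until the input stops
// changing and reports how many layers came off: %26lt; needs two
// (%26 -> &, giving &lt;, then &lt; -> <), which is the double-encoding case
// a validator that decodes only once would miss.
public class Canonicalizer {
    // &amp; is decoded last so "&amp;lt;" becomes "&lt;" in one layer, not "<".
    private static final String[][] ENTITIES = {
        {"&lt;", "<"}, {"&gt;", ">"}, {"&quot;", "\""}, {"&#39;", "'"}, {"&amp;", "&"}};
    private static final int MAX_LAYERS = 8;

    public record Result(String value, int layers) {}

    public static Result canonicalize(String input) {
        String current = input;
        int layers = 0;
        while (layers < MAX_LAYERS) {
            String next = urlDecode(current);
            if (next.equals(current)) next = decodeEntities(current);
            if (next.equals(current)) return new Result(current, layers);
            current = next;
            layers++;
        }
        throw new IllegalArgumentException("too many encoding layers");
    }

    private static String urlDecode(String s) {
        try { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return s; }   // malformed %xx: treat as literal
    }

    private static String decodeEntities(String s) {
        for (String[] e : ENTITIES) s = s.replace(e[0], e[1]);
        return s;
    }

    // Validate only after canonicalizing, and treat more than one layer as suspicious.
    public static boolean isValidDataFromBrowser(String input, String allowedRegex) {
        Result r = canonicalize(input);
        return r.layers() <= 1 && r.value().matches(allowedRegex);
    }

    public static void main(String[] args) {
        System.out.println(canonicalize("%26lt;script%26gt;"));                 // Result[value=<script>, layers=2]
        System.out.println(isValidDataFromBrowser("%26lt;", "[A-Za-z0-9 ]*"));       // false
        System.out.println(isValidDataFromBrowser("Report%20123", "[A-Za-z0-9 ]*"));  // true
    }
}
```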

Enhancing HTTP
Diagram: HTTP Utilities sit between the User and Business Processing (with Logging) and provide: Add CSRF Token, Verify CSRF Token, Secure Cookies, Secure Redirect, No Cache Headers, Safe Request Logging, Safe File Upload, Add Safe Header.

HTTPUtilities
- Key Methods
  - addCSRFToken(href), checkCSRFToken(href)
  - addSafeCookie(name, value, age, domain, path)
  - addSafeHeader(header, value)
  - changeSessionIdentifier()
  - getFileUploads(tempDir, finalDir)
  - isSecureChannel()
  - killCookie(name)
  - sendSafeRedirect(href)
  - setContentType()
  - setNoCacheHeaders()
- Safer ways of dealing with HTTP, secure cookies

Encryptor
- Key Methods
  - decrypt(ciphertext)
  - encrypt(plaintext)
  - hash(plaintext, salt)
  - loadCertificateFromFile(file)
  - getTimeStamp()
  - seal(data, expiration), verifySeal(seal, data)
  - sign(data), verifySignature(signature, data)
- Simple master key in configuration
- Minimal certificate support

EncryptedProperties
- Key Methods
  - getProperty(key)
  - setProperty(key, value)
  - keySet()
  - load(inputStream)
  - store(outputStream, comments)
- Simple protected storage for configuration data
- Main program to preload encrypted data!

Randomizer
- Key Methods
  - getRandomGUID()
  - getRandomInteger(min, max)
  - getRandomReal(min, max)
  - getRandomString(length, characterSet)
- Several pre-defined character sets
  - Lowers, uppers, digits, specials, letters, alphanumerics, password, etc.

Exception Handling
- EnterpriseSecurityException
  - AccessControlException(userMsg, logMsg)
  - AuthenticationException(userMsg, logMsg)
  - AvailabilityException(userMsg, logMsg)
  - CertificateException(userMsg, logMsg)
  - EncodingException(userMsg, logMsg)
  - EncryptionException(userMsg, logMsg)
  - ExecutorException(userMsg, logMsg)
  - IntrusionException(userMsg, logMsg)
  - ValidationException(userMsg, logMsg)
- Sensible security exception framework

Logger
- Key Methods
  - getLogger(applicationName, moduleName)
  - formatHttpRequestForLog(request, sensitiveList)
  - logCritical(type, message, throwable)
  - logDebug(type, message, throwable)
  - logError(type, message, throwable)
  - logSuccess(type, message, throwable)
  - logTrace(type, message, throwable)
  - logWarning(type, message, throwable)
- All ESAPI exceptions are automatically logged

Detecting Intrusions
Diagram: the ESAPI IntrusionDetector observes User requests through Business Processing to the Backend, with tailorable quotas and the actions Log, Logout, and Disable.

IntrusionDetector
- Key Methods
  - addException(exception)
  - addEvent(event)
- Model
  - EnterpriseSecurityExceptions automatically added
  - Specify a threshold for each event type:
    org.owasp.esapi.ValidationException.count=3
    org.owasp.esapi.ValidationException.interval=3 (seconds)
    org.owasp.esapi.ValidationException.action=logout
  - Actions are log message, disable account
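The threshold model on this slide, as an added example (not ESAPI's reference implementation): the count/interval/action properties are parsed as written, events are counted per user in a sliding window, and the configured action is returned once the count is reached. The per-user keying and the reset after an action fires are assumptions of this example.

```java
import java.util.*;

// Illustrative event-quota model in the style of ESAPI's IntrusionDetector
// (added example, not ESAPI's own code). Each event type gets a count/interval/
// action threshold from properties in the slide's format; events are counted per
// user in a sliding window and the configured action is returned at the threshold.
public class IntrusionQuota {
    public enum Action { LOG, LOGOUT, DISABLE }
    record Threshold(int count, long intervalMillis, Action action) {}
    private final Map<String, Threshold> thresholds = new HashMap<>();
    // user -> event type -> timestamps of recent events
    private final Map<String, Map<String, Deque<Long>>> history = new HashMap<>();

    // e.g. org.owasp.esapi.ValidationException.count=3 / .interval=3 / .action=logout
    public void configure(Properties props) {
        for (String key : props.stringPropertyNames()) {
            if (!key.endsWith(".count")) continue;
            String event = key.substring(0, key.length() - ".count".length());
            int count = Integer.parseInt(props.getProperty(key));
            long secs = Long.parseLong(props.getProperty(event + ".interval", "60"));
            Action action = Action.valueOf(props.getProperty(event + ".action", "log").toUpperCase());
            thresholds.put(event, new Threshold(count, secs * 1000, action));
        }
    }

    // Record one event; returns the action to take, or null while still under quota.
    public Action addEvent(String user, String eventType, long nowMillis) {
        Threshold t = thresholds.get(eventType);
        if (t == null) return null;                          // no quota configured
        Deque<Long> times = history.computeIfAbsent(user, u -> new HashMap<>())
                                   .computeIfAbsent(eventType, e -> new ArrayDeque<>());
        times.addLast(nowMillis);
        while (nowMillis - times.peekFirst() > t.intervalMillis()) times.pollFirst(); // expire old
        if (times.size() < t.count()) return null;
        times.clear();                                       // reset after the action fires
        return t.action();
    }

    // ESAPI adds every EnterpriseSecurityException automatically; here the class name is the event type.
    public Action addException(String user, Exception e, long nowMillis) {
        return addEvent(user, e.getClass().getName(), nowMillis);
    }

    public static void main(String[] args) {
        Properties p = new Properties();
        p.setProperty("org.owasp.esapi.ValidationException.count", "3");
        p.setProperty("org.owasp.esapi.ValidationException.interval", "3");
        p.setProperty("org.owasp.esapi.ValidationException.action", "logout");
        IntrusionQuota q = new IntrusionQuota();
        q.configure(p);
        String ev = "org.owasp.esapi.ValidationException";
        System.out.println(q.addEvent("alice", ev, 0));      // null
        System.out.println(q.addEvent("alice", ev, 1000));   // null
        System.out.println(q.addEvent("alice", ev, 2000));   // LOGOUT: 3 events within 3 s
    }
}
```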

SecurityConfiguration
- Customizable…
  - Crypto algorithms
  - Encoding algorithms
  - Character sets
  - Global validation rules
  - Logging preferences
  - Intrusion detection thresholds and actions
  - Etc.
- All security-relevant configuration in one place

Coverage: OWASP Top Ten mapped to OWASP ESAPI components
- A1. Cross Site Scripting (XSS): Validator, Encoder
- A2. Injection Flaws: Encoder
- A3. Malicious File Execution: HTTPUtilities (upload)
- A4. Insecure Direct Object Reference: AccessReferenceMap
- A5. Cross Site Request Forgery (CSRF): User (csrftoken)
- A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
- A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
- A8. Insecure Cryptographic Storage: Encryptor
- A9. Insecure Communications: HTTPUtilities (secure cookie, channel)
- A10. Failure to Restrict URL Access: AccessController

Closing Thoughts
- I have learned an amazing amount (I thought I knew)
- An ESAPI is a key part of a balanced breakfast
- Build requirements, guidelines, training, tools around your ESAPI
- Secondary benefits
  - May help static analysis do better
  - Enables security upgrades across applications
  - Simplifies developer training
- Next year – experiences moving to ESAPI