Copyright © 2007 - The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP

OWASP and ESAPI
Jeff Williams, OWASP Chair
October 21, 2008
Copyright © The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.

OWASP Conferences
NYC Sep 2008; San Jose Sep 2009; Brussels May 2008; Poland May 2009; Taiwan Oct 2008; Portugal Nov 2008; Israel Sep 2008; India Aug 2008; Gold Coast Feb 2008; Minnesota Oct 2008; Denver Spring 2009

OWASP Projects

OWASP AppSec Body of Knowledge
3,913 total articles; 427 presentations; 205 blogs monitored; 200 wiki updates/day; 179 mailing lists; 101 projects; 80 videos; 19 deface attempts.
OWASP Quality Team

Finances and Grants (chart residue: OWASP Grants and OWASP Foundation, 55% / 45% of 100%)

Join OWASP. “It’s the right thing to do” – Microsoft, 10/2008

OWASP About the ^

Coverage
No malicious developers. The design has to be right. The controls have to be right.
(Chart axes: Depth – Level of Rigor; Breadth – Number of Requirements; Tools.)

Requirement Summary (table columns: Tools, Manual, Arch, Deep)

More Information: 73/OWASP_ASVS_Standard_2008_-_DRAFT001.pdf

Vulnerabilities and Security Controls

Enabling Developers
Your Secure Coding Guideline; Your Enterprise Security API; Hands-on Training

The Problem with Security Libraries
Java Logging, BouncyCastle, Spring, Log4j, Jasypt, JCE, JAAS, Cryptix, HDIV, xml-dsig, xml-enc, ACEGI, Commons Validator, Struts, Reform, Anti-XSS, Stinger, Java Pattern, Java URL Encoder, many more ... or write custom code.
Typical problems: overpowerful, incomplete, not integrated, broken, can't update, custom.

OWASP ESAPI
A custom enterprise web application calls the OWASP Enterprise Security API, which sits in front of your existing enterprise services or libraries.
ESAPI components: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.

Deceptively Tricky
1. Input Validation
2. Output Encoding
3. Authentication
4. Access Control
5. Direct Object References
6. Errors, Logging, and Intrusion Detection

Some Valid Web Encodings for “less-than” (<)

// percent encoding
%3c %3C
// html entity encoding
&#60 &#060 &#0060 &#00060 &#000060 &#0000060
&#60; &#060; &#0060; &#00060; &#000060; &#0000060;
&#x3c &#x03c &#x003c &#x0003c &#x00003c &#x000003c
&#x3c; &#x03c; &#x003c; &#x0003c; &#x00003c; &#x000003c;
&#X3c &#X03c &#X003c &#X0003c &#X00003c &#X000003c
&#X3c; &#X03c; &#X003c; &#X0003c; &#X00003c; &#X000003c;
&#x3C &#x03C &#x003C &#x0003C &#x00003C &#x000003C
&#x3C; &#x03C; &#x003C; &#x0003C; &#x00003C; &#x000003C;
&#X3C &#X03C &#X003C &#X0003C &#X00003C &#X000003C
&#X3C; &#X03C; &#X003C; &#X0003C; &#X00003C; &#X000003C;
&lt &lT &Lt &LT
&lt; &lT; &Lt; &LT;
// javascript escape syntax
\< \x3c \X3c \u003c \U003c \x3C \X3C \u003C \U003C
// css escape syntax
\3c \03c \003c \0003c \00003c \3C \03C \003C \0003C \00003C

Double Encoding
// double encoding examples
&lt; -> lt&#59 (double entity)
\ -> %5c -> %255c (double percent)
etc...
// double encoding with multiple schemes example
&lt; -> %26lt%3b (first entity, then percent)
%26 -> 26 (first percent, then entity)
etc...
// nested encoding examples
%3c -> %253c (nested encode % with percent)
%3c -> %33%63 (nested encode percent both nibbles)
%3c -> %33c (nested encode first nibble with percent)
%3c -> %3%63 (nested encode second nibble with percent)
&&#108;t; (nested encode l with entity)
etc...
// nested encoding with multiple schemes examples
&%6ct; (nested encode l with percent)
%3c -> %&#x33;c (nested encode 3 with entity)
etc...

Handling Double Encoding
Original | Decode 1 | Partial | Decode 2 | Final
%26lt; | HTML Entity | %26lt; | URL Decode | &lt;
%26lt; | URL Decode | &lt; | HTML Entity | <
(entity-encoded %)3c | HTML Entity | %3c | URL Decode | <
(entity-encoded %)3c | URL Decode | (entity-encoded %)3c | HTML Entity | %3c
%2526lt%253B | HTML Entity | %2526lt%253B | URL Decode | %26lt%3B
%2526lt%253B | URL Decode | %26lt%3B | HTML Entity | %26lt%3B
%2526lt%253B | 2x URL Decode | &lt; | HTML Entity | <
What components decode what? In what order?

1. ESAPI Input Validation
Any encoding arrives from the user; the Decoding Engine canonicalizes it and the Validation Engine checks it before it reaches any interpreter (presentation layer, controller, business functions, data layer, backend).
Codecs: HTML Entity Encoding, Percent Encoding, JavaScript Encoding, VBScript Encoding, CSS Encoding, MySQL Encoding, Oracle Encoding, LDAP Encoding, ...
Validate: getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine(), ...
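The two slides above (the double-encoding table and the decode-then-validate pipeline) as one added Python example. This is not ESAPI code (ESAPI is Java, and its Encoder.canonicalize() and Validator differ in detail); the codec table, IntrusionError, the rule names and get_valid_input() are hypothetical names chosen here to mirror the slide.

```python
"""Canonicalize untrusted input across several codecs, flag double or mixed
encoding, then validate against a whitelist. Added example; not ESAPI code."""
import html
import re
from urllib.parse import unquote


class IntrusionError(ValueError):
    """Input was encoded more than once or with more than one scheme."""


# Hypothetical codec table: one single-pass decoder per encoding scheme.
CODECS = {
    "html_entity": html.unescape,   # &#60  &#x3c;  &lt ...  -> <
    "percent": unquote,             # %3c -> <
}


def decode_in_order(data, order):
    """One pass of each named codec in the given order, returning every
    intermediate value so the effect of decoder order is visible."""
    steps = [data]
    for name in order:
        steps.append(CODECS[name](steps[-1]))
    return steps


def canonicalize(data, strict=True, max_passes=10):
    """Apply every codec until nothing changes; return (canonical, passes).

    passes counts decoding steps that actually changed the string. With
    strict=True, more than one effective pass means the data was encoded
    twice (or with two schemes) and IntrusionError is raised instead of
    silently accepting it."""
    current = data
    codecs_used = []
    for _ in range(max_passes):          # hard cap: never loop forever
        changed = False
        for name, decode in CODECS.items():
            decoded = decode(current)
            if decoded != current:
                codecs_used.append(name)
                current = decoded
                changed = True
        if not changed:
            break
    passes = len(codecs_used)
    if strict and passes > 1:
        kind = "mixed" if len(set(codecs_used)) > 1 else "double"
        raise IntrusionError(f"{kind} encoding ({' then '.join(codecs_used)}) in {data!r}")
    return current, passes


def is_double_encoded(data):
    """True when strict canonicalization rejects the input."""
    try:
        canonicalize(data)
        return False
    except IntrusionError:
        return True


# Hypothetical positive-validation rules, keyed like ESAPI validation types.
VALIDATION_RULES = {
    "AccountNumber": re.compile(r"[0-9]{8,12}"),
    "FileName": re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:xls|pdf|txt)"),
}


def get_valid_input(context, data, rule_name, max_length, allow_null=False):
    """Canonicalize first, then accept only what the whitelist rule matches.
    Every rejection names the context so the log says which field failed."""
    if data is None or data == "":
        if allow_null:
            return None
        raise ValueError(f"{context}: required input missing")
    canonical, _ = canonicalize(data)    # IntrusionError on double encoding
    if len(canonical) > max_length:
        raise ValueError(f"{context}: longer than {max_length} characters")
    if not VALIDATION_RULES[rule_name].fullmatch(canonical):
        raise ValueError(f"{context}: does not match {rule_name}")
    return canonical


if __name__ == "__main__":
    for order in (["html_entity", "percent"], ["percent", "html_entity"]):
        print(order, decode_in_order("%26lt;", order))   # rows 1 and 2 of the table
    print(canonicalize("%26lt;", strict=False))
    print(get_valid_input("report", "Report123.xls", "FileName", 64))
```

decode_in_order() reproduces the table rows: HTML-entity decoding before URL decoding leaves "%26lt;" as "&lt;", the other order yields "<". canonicalize() side-steps the ordering question by running every codec to a fixed point, and in strict mode treats any input that needed two passes as an intrusion signal rather than data to validate.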

HTML Execution Contexts
Each context has its own escape syntax, so output must be encoded for the context it lands in:
CSS: \any (backslash before any character)
JavaScript: \xHH, \uHHHH, \000 (octal), \specials
HTML Elements: &#DD;, &#xHH;, &entity;
HTML Attributes: &#DD;, &#xHH;, &quot;, &apos;
Event Handlers: both the HTML attribute escapes (&#DD;, &#xHH;, &quot;, &apos;) and the JavaScript escapes (\specials, \xHH, \uHHHH) apply
URI Attributes: %HH

2. ESAPI Output Encoding
Data leaving the application (backend, data layer, business functions, controller, presentation layer) passes through the Encoding Engine before it reaches the user.
Encode: setCharacterEncoding(), encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForVBScript(), encodeForCSS(), encodeForURL(), encodeForXML(), encodeForLDAP(), encodeForDN(), ...
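The execution-contexts slide and the encoder list above as one added Python example (not ESAPI code; ESAPI's Java encoders keep a larger immune-character set and use named entities for some characters). The function names echo the slide; render_profile() and its template are constructed here for illustration.

```python
"""Context-specific output encoders using the escape syntaxes listed on the
HTML Execution Contexts slide. Added example; not ESAPI code."""
import string
from urllib.parse import quote

# Whitelist: only letters and digits pass through; everything else is escaped
# in the form the target interpreter understands.
ALPHANUMERIC = frozenset(string.ascii_letters + string.digits)


def _escape_each(s, escape):
    return "".join(ch if ch in ALPHANUMERIC else escape(ch) for ch in s)


def encode_for_html(s):
    """HTML element content: hex numeric entity &#xHH; for every other char."""
    return _escape_each(s, lambda ch: f"&#x{ord(ch):x};")


# Quoted attribute value: the same numeric entities work, and a numeric entity
# can never close the attribute whichever quote style the template uses.
encode_for_html_attribute = encode_for_html


def _js_escape(ch):
    cp = ord(ch)
    if cp < 256:
        return f"\\x{cp:02x}"
    if cp <= 0xFFFF:
        return f"\\u{cp:04x}"
    cp -= 0x10000                         # astral plane: UTF-16 surrogate pair
    return f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}"


def encode_for_javascript(s):
    r"""Inside a JS string literal: \xHH below 256, otherwise \uHHHH."""
    return _escape_each(s, _js_escape)


def encode_for_css(s):
    r"""Inside a CSS value: backslash + hex code point, with a trailing space
    so the following character is never read as part of the hex digits."""
    return _escape_each(s, lambda ch: f"\\{ord(ch):x} ")


def encode_for_url(s):
    """Inside a URL query parameter: %HH for everything but unreserved chars."""
    return quote(s, safe="")


def render_profile(display_name, favourite_colour, next_url):
    """Constructed page fragment placing untrusted values in five contexts.
    Every insertion uses the encoder for its own context; a value is never
    reused across contexts without re-encoding."""
    return (
        f'<div title="{encode_for_html_attribute(display_name)}">'
        f'{encode_for_html(display_name)}</div>\n'
        f'<style>.name {{ color: {encode_for_css(favourite_colour)}; }}</style>\n'
        f'<script>var name = "{encode_for_javascript(display_name)}";</script>\n'
        f'<a href="/continue?next={encode_for_url(next_url)}">continue</a>'
    )


if __name__ == "__main__":
    print(render_profile('O\'Neil <b>', 'red;}', 'http://example.test/?a=b'))
```

The whitelist approach is what makes these encoders safe to reason about: rather than enumerating dangerous characters per context, anything outside [A-Za-z0-9] is escaped, so a character the author never thought of still cannot change the interpreter's parse.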

3. ESAPI Authentication
Authenticator: login(), logout(); Users (User objects).
Also supported: Encrypted Cookies, CSRF Protection, Change SESSIONID, Verify Secure Channel, Strong Credentials, Remember Me Cookie, Screen Name, Timeout, Lockout, ...

4. ESAPI Access Control
AccessController (role based): isAuthorizedForURL(), isAuthorizedForFunction(), isAuthorizedForService(), isAuthorizedForData(), isAuthorizedForFile()
Checks apply at each tier: presentation layer, controller, business functions, data layer, backend.

5. ESAPI Direct Object Reference Protection
Direct references such as Report123.xls or Acct: never leave the server; the Access Reference Map hands the user an indirect reference instead.
Access Reference Map: getIndirectReference(), getDirectReference()
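An access reference map for the slide above, as an added Python example (not ESAPI code; ESAPI's Java RandomAccessReferenceMap is the analogue). The class and helper names are chosen here; the owned-object list is constructed, and the account number in it is made up.

```python
"""Per-session access reference map: the browser sees random indirect
tokens; direct references (file names, account ids) stay on the server.
Added example; not ESAPI code."""
import secrets


class AccessControlError(Exception):
    """Indirect reference was never issued to this session: forged or guessed."""


class AccessReferenceMap:
    def __init__(self, direct_references=()):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}
        for ref in direct_references:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct):
        """Register an object the current user may access; idempotent."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        while True:
            indirect = secrets.token_urlsafe(9)   # 72 random bits, 12 chars
            if indirect not in self._indirect_to_direct:
                break
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def remove_direct_reference(self, direct):
        indirect = self._direct_to_indirect.pop(direct)
        del self._indirect_to_direct[indirect]

    def direct_references(self):
        return list(self._direct_to_indirect)

    def get_indirect_reference(self, direct):
        """Page-rendering side: a KeyError here is a server bug (rendering a
        reference the user was never granted)."""
        return self._direct_to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Request-handling side: an unknown token came from the client."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise AccessControlError(f"unknown reference {indirect!r}") from None


# Constructed sample: objects the logged-in user owns (account number made up).
OWNED = ["Report123.xls", "Acct:0001234567"]


def build_links(arm):
    """Links as they would be rendered into the page for this session."""
    return [f"/object?id={arm.get_indirect_reference(d)}" for d in arm.direct_references()]


def open_object(arm, token):
    """Handler side: resolve the token first; the server then loads the object
    by its direct name, so nothing the client sent is used as a path or id."""
    return f"loading {arm.get_direct_reference(token)}"


def is_forged(arm, token):
    try:
        arm.get_direct_reference(token)
        return False
    except AccessControlError:
        return True


if __name__ == "__main__":
    session_map = AccessReferenceMap(OWNED)
    for link in build_links(session_map):
        print(link)
    print(open_object(session_map, session_map.get_indirect_reference("Report123.xls")))
```

Because the map is built per session from the objects the user is entitled to, a token from one session resolves to nothing in another, and a token for an object the user was never granted simply does not exist; the lookup failure is the access-control decision and should be logged as one.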

6. Errors, Logging, and Detection
Enterprise Security Exceptions feed the Logger and the Intrusion Detector. Configurable thresholds trigger responses: Log Intrusion, Logout User, Disable Account.
Applies at every tier: presentation layer, controller, business functions, data layer, backend.
throw new ValidationException("User message", "Log message");
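The two-message exception and threshold-driven detector from the slide above, as an added Python example (not ESAPI code; ESAPI's Java IntrusionDetector reads its thresholds from ESAPI.properties). The threshold values, event names and handle_request() are constructed here for illustration.

```python
"""Security exceptions with separate user and log messages, routed through a
threshold-based intrusion detector. Added example; not ESAPI code."""
import time
from collections import defaultdict, deque


class EnterpriseSecurityException(Exception):
    """Two messages: a bland one for the user, a detailed one for the log."""
    def __init__(self, user_message, log_message):
        super().__init__(user_message)
        self.user_message = user_message
        self.log_message = log_message


class ValidationException(EnterpriseSecurityException):
    pass


class AuthenticationException(EnterpriseSecurityException):
    pass


# Constructed thresholds: event -> (count, window seconds, responses on trip)
THRESHOLDS = {
    "ValidationException": (5, 60, ["log"]),
    "AuthenticationException": (3, 300, ["log", "logout", "disable"]),
}


class IntrusionDetector:
    def __init__(self, thresholds=THRESHOLDS, clock=time.time):
        self.thresholds = thresholds
        self.clock = clock                       # injectable for testing
        self._events = defaultdict(deque)        # (user, event) -> timestamps
        self.log = []
        self.logged_out = set()
        self.disabled = set()

    def add_exception(self, user, exc):
        """Log the detailed message, then count the event against the user."""
        self.log.append(f"{type(exc).__name__} user={user}: {exc.log_message}")
        return self.add_event(user, type(exc).__name__)

    def add_event(self, user, event):
        """Return the responses fired, or [] while still below threshold."""
        if event not in self.thresholds:
            return []
        count, interval, responses = self.thresholds[event]
        now = self.clock()
        stamps = self._events[(user, event)]
        stamps.append(now)
        while stamps and now - stamps[0] > interval:   # drop events outside window
            stamps.popleft()
        if len(stamps) < count:
            return []
        stamps.clear()                               # reset after responding
        for response in responses:
            if response == "log":
                self.log.append(f"INTRUSION user={user} event={event} "
                                f"{count} in {interval}s")
            elif response == "logout":
                self.logged_out.add(user)
            elif response == "disable":
                self.disabled.add(user)
        return list(responses)


def handle_request(detector, user, account_number):
    """Request handler: the user sees only user_message; the log gets the rest."""
    try:
        if not account_number.isdigit():
            raise ValidationException(
                "Invalid account number",                                # to user
                f"account_number={account_number!r} failed digit rule")  # to log
        return "ok"
    except EnterpriseSecurityException as exc:
        detector.add_exception(user, exc)
        return exc.user_message


if __name__ == "__main__":
    det = IntrusionDetector()
    for _ in range(5):
        print(handle_request(det, "alice", "12ab"))
    print("\n".join(det.log))
```

Keeping the two messages apart is what lets the log stay detailed without the response leaking internals, and counting per user and per event type over a sliding window is what turns a stream of harmless-looking validation failures into a detectable event.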

Data Protection Challenges
Encryptor: encrypt/decrypt(), seal/unseal(), sign/verify(), hash(), getTimeStamp()
Encrypted Properties; Random Tokens and GUIDs
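The integrity side of the Encryptor interface above (sign/verify, seal/unseal, hash, random tokens), as an added Python example that is not ESAPI code. It assumes only the standard library, so seal() here signs and expires data without encrypting it, whereas ESAPI's seal() also encrypts; the class, helper names and the master key are constructed for illustration.

```python
"""Integrity-side subset of an Encryptor: sign/verify, seal/unseal with an
expiry, salted password hashing and random tokens. Added example; not ESAPI
code. seal() protects and expires data but does not hide it (no cipher here)."""
import base64
import hashlib
import hmac
import json
import secrets
import time


class EncryptionException(Exception):
    pass


class Encryptor:
    def __init__(self, master_key: bytes, clock=time.time):
        self.master_key = master_key
        self.clock = clock                       # injectable for testing

    def sign(self, data: str) -> str:
        return hmac.new(self.master_key, data.encode(), hashlib.sha256).hexdigest()

    def verify(self, signature: str, data: str) -> bool:
        # constant-time comparison: no timing side channel on the signature
        return hmac.compare_digest(signature, self.sign(data))

    def seal(self, data: str, expiration_seconds: float) -> str:
        """Bind data to an expiry time and sign both together."""
        payload = json.dumps({"exp": self.clock() + expiration_seconds, "data": data})
        body = base64.urlsafe_b64encode(payload.encode()).decode()
        return f"{body}.{self.sign(body)}"

    def unseal(self, sealed: str) -> str:
        """Check the signature before parsing anything, then check the expiry."""
        body, sep, signature = sealed.rpartition(".")
        if not sep or not self.verify(signature, body):
            raise EncryptionException("seal is malformed or tampered with")
        payload = json.loads(base64.urlsafe_b64decode(body))
        if self.clock() > payload["exp"]:
            raise EncryptionException("seal has expired")
        return payload["data"]

    @staticmethod
    def hash(plaintext: str, salt: bytes = None, iterations: int = 200_000) -> str:
        """Salted, iterated hash for stored credentials: salt$iterations$digest."""
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, iterations)
        return f"{salt.hex()}${iterations}${digest.hex()}"

    @staticmethod
    def verify_hash(plaintext: str, stored: str) -> bool:
        salt_hex, iterations, _ = stored.split("$")
        recomputed = Encryptor.hash(plaintext, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(recomputed, stored)


def get_random_token(nbytes: int = 32) -> str:
    """CSPRNG-backed token, e.g. for CSRF or remember-me cookies."""
    return secrets.token_urlsafe(nbytes)


def try_unseal(encryptor: Encryptor, sealed: str) -> str:
    """Return the sealed data, or a 'rejected: ...' reason string."""
    try:
        return encryptor.unseal(sealed)
    except EncryptionException as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    enc = Encryptor(b"constructed-master-key")
    token = enc.seal("user=alice;role=reader", expiration_seconds=60)
    print(token)
    print(try_unseal(enc, token))
    print(try_unseal(enc, token[:-1] + "0"))
```

The order inside unseal() matters: the signature is verified before the body is base64- or JSON-decoded, so unsigned input never reaches a parser, and the expiry lives inside the signed payload so it cannot be extended by the client.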

SafeRequest and SafeResponse (diagram: User <-> SafeRequest / SafeResponse <-> Web Application)

Coverage: OWASP Top Ten vs. OWASP ESAPI
A1. Cross Site Scripting (XSS) | Validator, Encoder
A2. Injection Flaws | Encoder
A3. Malicious File Execution | HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference | AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF) | User (CSRF Token)
A6. Leakage and Improper Error Handling | EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions | Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage | Encryptor
A9. Insecure Communications | HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access | AccessController

Tools – Time to Go Positive!
- Searching for negative signatures is hard
- We need research in verifying the positive

Project Plan and Status
6/06 – Sketch Informal API
4/07 – Formalize Strawman API
5/07 – Start Java EE Reference Implementation
7/07 – Form Expert Panel
12/07 – Release RC – Start Collecting
9/08 – Latest Release – v1.3.1
12/08 – Summit
Future: Rich client extensions; Web service extensions; Framework integration

Source Code and Javadoc Online Now!
Project Home Page:
Code Repository:

Quality

Microsoft Secure Development Lifecycle (SDL)

Potential Enterprise ESAPI Cost Savings
Cost Area | Typical | With ESAPI
AppSec Training (semiannual) | $270K | $135K
AppSec Requirements | 250 days ($150K) | 50 days ($30K)
AppSec Design (Threat Model, Arch Review) | 500 days ($300K) | 250 days ($150K)
AppSec Implementation (Build and Use Controls) | 1500 days ($900K) | 500 days ($300K)
AppSec Verification (Scan, Code Review, Pen Test) | 500 days ($300K) | 250 days ($150K)
AppSec Remediation | 500 days ($300K) | 150 days ($90K)
AppSec Standards and Guidelines | 100 days ($60K) | 20 days ($12K)
AppSec Inventory, Metrics, and Management | 250 days ($150K) | 200 days ($120K)
Totals | $2.43M | $1.00M

More Information: ESAPI BOOK ages/7/79/ESAPI_Book.pdf

Questions and Answers
- Existing security libraries?
- Would this be valuable to your enterprise?
- Technical questions?
Contact Information: Jeff Williams. Work: Main: