Enterprise Security API - ConFoo 2011
Uploaded by philippe-gamache
Enterprise Security API (ESAPI)
Thursday, 2011-03-10
OWASP: The Open Web Application Security Project
I answer questions
The problems
• Input Validation and Output Encoding
• Authentication and Identity
• URL Access Control
• Business Function Access Control
• Data Layer Access Control
The problems
• Presentation Layer Access Control
• Errors, Logging, and Intrusion Detection
• Encryption, Hashing, and Randomness
OWASP TOP 10
A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross-Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards
And over 300 other security problem types
Vulnerabilities and Security Controls
• Missing
• Broken
• Ignored
• Misused
Why Is Input Validation Hard?
<
Percent (url) Encoding
• %3c
• %3C
Thursday, 2011-03-10
HTML Entity Encoding
• (six slides listed the HTML entity encodings of "<"; the entities were decoded to a bare "<" during extraction and cannot be recovered here; only these case variants survived)
• &lT
• &Lt
• &lT;
JavaScript Escape
• \<
• \x3c
• \X3c
• \u003c
• \U003c
• \x3C
• \X3C
• \u003C
• \U003C
CSS Escape
• \3c
• \03c
• \003c
• \0003c
• \00003c
• \3C
• \03C
• \003C
• \0003C
• \00003C
UTF-7 vs UTF-8
• +ADw-
• %c0%bc
• %e0%80%bc
• %f0%80%80%bc
• %f8%80%80%80%bc
• %fc%80%80%80%80%bc
1,677,721,600,000,000 ways to encode <script>
The Solutions?
What is Enterprise Security API?
ESAPI Community
• Mailing List
• Library
• Wiki
• Users
• Developers
• Objective-C
Overview of the Architectural Impact
Enterprise Security API: components
• Authenticator
• User
• AccessController
• AccessReferenceMap
• Validator
• Encoder
• HTTPUtilities
• Encryptor
• EncryptedProperties
• Randomizer
• Exception Handling
• Logger
• IntrusionDetector
• SecurityConfiguration
Enterprise Security API: AccessController
• isAuthorizedForData()
• isAuthorizedForFile()
• isAuthorizedForFunction()
• isAuthorizedForService()
• isAuthorizedForURL()
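As an added example (not from the talk and not ESAPI's own PHP code), the Python below sketches the two access-control pieces the architecture names: an AccessController that answers isAuthorizedForURL()/isAuthorizedForFunction() deny-by-default from a role table, and the AccessReferenceMap behind A4, which hands the browser a random indirect reference instead of the real record key. The rule tables, invoice keys and method names are constructed for this illustration.

```python
import secrets
from typing import Dict, Iterable, Set

# Constructed role-to-permission tables standing in for ESAPI's policy files
# (hypothetical values, not from the talk).
URL_RULES: Dict[str, Set[str]] = {
    "/admin/users": {"admin"},
    "/account": {"admin", "user"},
}
FUNCTION_RULES: Dict[str, Set[str]] = {
    "deleteUser": {"admin"},
    "viewInvoice": {"admin", "user"},
}


class AccessController:
    """Deny-by-default checks in the spirit of isAuthorizedForURL()/isAuthorizedForFunction()."""

    def __init__(self, url_rules, function_rules):
        self.url_rules = url_rules
        self.function_rules = function_rules

    @staticmethod
    def _allowed(rules, key, roles):
        # A resource with no rule is denied: a missing entry is never a grant.
        return bool(rules.get(key, set()) & set(roles))

    def is_authorized_for_url(self, url, roles):
        # Exact match after dropping the query string and a trailing slash;
        # a real implementation canonicalizes the path first (see the Validator).
        path = url.split("?", 1)[0].rstrip("/") or "/"
        return self._allowed(self.url_rules, path, roles)

    def is_authorized_for_function(self, name, roles):
        return self._allowed(self.function_rules, name, roles)


class RandomAccessReferenceMap:
    """Per-session indirect references: the client sees a random token, never the real key."""

    def __init__(self, direct_refs: Iterable[str]):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}
        for ref in direct_refs:
            self.add_direct_reference(ref)

    def add_direct_reference(self, direct):
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        indirect = secrets.token_urlsafe(8)
        while indirect in self._indirect_to_direct:
            indirect = secrets.token_urlsafe(8)
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        return self._direct_to_indirect[direct]

    def get_direct_reference(self, indirect):
        # A token this session never issued is an access violation, not a lookup miss.
        if indirect not in self._indirect_to_direct:
            raise PermissionError("access reference not issued to this session")
        return self._indirect_to_direct[indirect]


def demo():
    ac = AccessController(URL_RULES, FUNCTION_RULES)
    # Only this user's own invoices are registered in the per-session map.
    arm = RandomAccessReferenceMap(["invoice:1001", "invoice:1002"])
    token = arm.get_indirect_reference("invoice:1001")
    return {
        "user_can_admin": ac.is_authorized_for_url("/admin/users?x=1", ["user"]),
        "admin_can_admin": ac.is_authorized_for_url("/admin/users/", ["admin"]),
        "unknown_url": ac.is_authorized_for_url("/secret", ["admin"]),
        "resolved": arm.get_direct_reference(token),
    }


if __name__ == "__main__":
    print(demo())
```

Because the map is built per session from the records the user may see, a guessed or incremented identifier in the URL ("invoice:1002" typed by hand) never reaches the data layer: only tokens the map issued resolve.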
Enterprise Security API: Validator
<?php
// Signature: getValidInput(string $context, string $input, string $type,
//                          int $maxLength, bool $allowNull, ValidationErrorList $errorList)
echo $ESAPI->validator()->getValidInput($context, $input, $type, $maxLength, $allowNull, $errorList);
?>
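The encoding slides earlier (percent, HTML entity, JavaScript, CSS variants of "<") and the getValidInput() signature above describe the same pipeline: canonicalize first, then match the plain form against a whitelist for its type. The Python below is an added example of that pipeline, not the talk's code or ESAPI's PHP implementation. The codec set, the whitelist patterns and the error-list behaviour are constructed here; ESAPI reads its patterns from configuration and handles more encodings than this toy (UTF-7 and overlong UTF-8 from the slides are left out).

```python
import re
from urllib.parse import unquote
from typing import List, Optional


class IntrusionException(Exception):
    """Input was encoded more than once or with more than one scheme."""


class ValidationException(Exception):
    """Canonical input fails the whitelist for its type."""


# Named entities handled case-insensitively (the talk shows &lT / &Lt variants).
_NAMED = {"lt": "<", "gt": ">", "amp": "&", "quot": '"', "apos": "'"}
_HTML_ENTITY = re.compile(r"&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?", re.IGNORECASE)
_JS_ESCAPE = re.compile(r"\\(x[0-9a-f]{2}|u[0-9a-f]{4}|[^xXuU0-9a-fA-F])", re.IGNORECASE)
_CSS_ESCAPE = re.compile(r"\\([0-9a-f]{1,6}) ?", re.IGNORECASE)


def _codepoint(digits, base, original):
    cp = int(digits, base)
    return chr(cp) if cp <= 0x10FFFF else original


def _html_decode(s):
    def repl(m):
        tok = m.group(1).lower()
        if tok.startswith("#x"):
            return _codepoint(tok[2:], 16, m.group(0))
        if tok.startswith("#"):
            return _codepoint(tok[1:], 10, m.group(0))
        return _NAMED.get(tok, m.group(0))  # unknown names are left alone
    return _HTML_ENTITY.sub(repl, s)


def _js_decode(s):
    def repl(m):
        tok = m.group(1)
        return _codepoint(tok[1:], 16, m.group(0)) if tok[0] in "xXuU" else tok
    return _JS_ESCAPE.sub(repl, s)


def _css_decode(s):
    return _CSS_ESCAPE.sub(lambda m: _codepoint(m.group(1), 16, m.group(0)), s)


# The loop below re-runs every codec until nothing changes, so order barely matters.
CODECS = [("url", unquote), ("html", _html_decode), ("js", _js_decode), ("css", _css_decode)]


def canonicalize(s, strict=True):
    """Reduce every supported encoding of the input to its plain form.

    strict=True treats one codec applied twice (double encoding) or two different
    codecs (mixed encoding) as an attack, which is how ESAPI's canonicalize behaves.
    """
    applied = {}
    changed = True
    while changed:
        changed = False
        for name, decode in CODECS:
            out = decode(s)
            if out != s:
                applied[name] = applied.get(name, 0) + 1
                s, changed = out, True
    if strict:
        if any(n > 1 for n in applied.values()):
            raise IntrusionException("multiple encoding detected")
        if len(applied) > 1:
            raise IntrusionException("mixed encoding detected")
    return s


# Whitelist per validation type (constructed for this example).
_TYPES = {
    "SafeString": re.compile(r"[A-Za-z0-9 .,_-]*"),
    "Email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "Zip": re.compile(r"[0-9]{5}(-[0-9]{4})?"),
}


class Validator:
    def get_valid_input(self, context, input_, type_, max_length, allow_null,
                        error_list: Optional[List[str]] = None):
        """Canonicalize, then whitelist-match. With an error_list the failure is
        recorded and None returned so a form can report every field at once;
        IntrusionException always propagates because it is a detected attack."""
        try:
            if input_ is None or input_ == "":
                if allow_null:
                    return None
                raise ValidationException(f"{context}: input required")
            canonical = canonicalize(input_)
            if len(canonical) > max_length:
                raise ValidationException(f"{context}: longer than {max_length} characters")
            pattern = _TYPES.get(type_)
            if pattern is None:
                raise ValidationException(f"{context}: unknown validation type {type_!r}")
            if not pattern.fullmatch(canonical):
                raise ValidationException(f"{context}: does not match {type_} whitelist")
            return canonical
        except ValidationException as exc:
            if error_list is None:
                raise
            error_list.append(str(exc))
            return None
```

The length check runs on the canonical form, not the raw bytes, so "%3C" counts as one character; and because the whitelist is applied after decoding, "%3Cb%3E" is rejected by the SafeString rule exactly as a literal "<b>" would be.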
Enterprise Security API: Validator
• assertIsValidHttpRequest()
• assertIsValidHttpRequestParameterSet()
• assertIsValidFileUpload()
• getValidDate()
• getValidDouble()
• getValidDirectoryPath()
• getValidFileContent()
• getValidFileName()
interface ValidationRule
abstract BaseValidationRule
CreditCardValidationRule
Enterprise Security API: Validator
• isValidCreditCard()
• isValidDataFromBrowse()
• isValidDirectoryPath()
• isValidFileContent()
• isValidFileName()
• isValidHTTPRequest()
• isValidListItem()
• isValidRedirectLocation()
• isValidSafeHTML()
• isValidPrintable()
• safeReadLine()
Enterprise Security API: Encoder
• encodeForCSS
• encodeForDN
• encodeForHTML
• encodeForHTMLAttribute
• encodeForJavaScript
• encodeForLDAP
• encodeForSQL
• encodeForURL
• encodeForVBScript
• encodeForXML
• encodeForXMLAttribute
• encodeForXPath
<?php echo $ESAPI->encoder()->encodeForHTML($name); ?>
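The one-method-per-context list above is the whole point of the Encoder: the same untrusted string needs a different escape depending on whether it lands in HTML text, an attribute, a JavaScript string, a URL parameter or a CSS value. As an added Python illustration (not the talk's code and not ESAPI's PHP encoder), the functions below take ESAPI's whitelist approach, escaping everything that is not alphanumeric, and a small template shows each value placed with the encoder for its context. Function and template names are this example's own.

```python
import string
from urllib.parse import quote

_ALNUM = set(string.ascii_letters + string.digits)


def _safe(ch, extra=""):
    return ch in _ALNUM or ch in extra


def encode_for_html(s):
    # Anything outside letters, digits and a few harmless punctuation marks
    # becomes a numeric entity, so browser quirks around named entities never matter.
    return "".join(ch if _safe(ch, " ,.-_") else f"&#x{ord(ch):x};" for ch in s)


def encode_for_html_attribute(s):
    # Attribute context: even a space could close an unquoted attribute, so
    # only alphanumerics pass through.
    return "".join(ch if _safe(ch) else f"&#x{ord(ch):x};" for ch in s)


def encode_for_javascript(s):
    # Hex escapes rather than backslash-quote: safe in both 'single' and "double" strings.
    out = []
    for ch in s:
        if _safe(ch, " ,._"):
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def encode_for_css(s):
    # CSS hex escapes are terminated with a space so a following hex digit is not absorbed.
    return "".join(ch if _safe(ch) else f"\\{ord(ch):x} " for ch in s)


def encode_for_url(s):
    # Percent-encode everything except the unreserved set; quote() uses UTF-8.
    return quote(s, safe="")


def render_profile(display_name, homepage, accent_color, greeting):
    """Constructed template: each slot uses the encoder for the context it sits in.
    For the CSS slot, encoding is a last line of defence; a colour should also be
    whitelisted by the Validator before it gets this far."""
    return (
        f'<div class="profile" style="color: {encode_for_css(accent_color)}">\n'
        f'  <span title="{encode_for_html_attribute(display_name)}">'
        f"{encode_for_html(display_name)}</span>\n"
        f'  <a href="/go?u={encode_for_url(homepage)}">home</a>\n'
        f"  <script>var greeting = '{encode_for_javascript(greeting)}';</script>\n"
        "</div>"
    )


if __name__ == "__main__":
    print(render_profile("<b>Eve</b>", "http://x/?a=1&b=2",
                         "red;background:url(x)", "hi'); alert(1);//"))
```

Running the demo shows why the table of encodings earlier in the talk is not the defender's problem: output encoding does not try to recognise attacks, it makes every non-alphanumeric character inert for the one context it is about to enter.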
Enterprise Security API: HTTPUtilities
• Add Safe Header
• No Cache Headers
• Set Content Type
• Add Safe Cookie
• Kill Cookie
• Change SessionID
• CSRF Tokens
• isSecureChannel
• Safe Request Logging
• Safe File Uploads
• sendSafeForward
• sendSafeRedirect
• Encrypt State in Cookie
• Hidden Field Encryption
• Querystring Encryption
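Several of the HTTPUtilities items above (CSRF tokens, Change SessionID, Add Safe Cookie, Kill Cookie, No Cache Headers, sendSafeRedirect) are small enough to show together. The Python below is an added example, not ESAPI's PHP code: a per-session token appended to links and verified in constant time, session and token rotation after login, cookie headers that refuse separator and control characters and always carry Secure/HttpOnly, and a redirect helper that accepts only site-relative paths or an allowlisted host. The Session class, the cookie grammar, the parameter name csrftoken and the host allowlist are all constructed here.

```python
import hmac
import re
import secrets
from urllib.parse import urlsplit


class Session:
    """Minimal stand-in for the ESAPI User/session: only what the helpers need."""

    def __init__(self):
        self.id = secrets.token_urlsafe(32)
        self.csrf_token = secrets.token_urlsafe(32)


# Cookie grammar kept deliberately narrow: no separators, quotes, CR or LF.
_COOKIE_NAME = re.compile(r"[A-Za-z0-9_\-]+")
_COOKIE_VALUE = re.compile(r"[A-Za-z0-9_\-.%=]*")


class HTTPUtilities:
    def __init__(self, allowed_redirect_hosts):
        # Absolute redirect targets must be on one of these hosts (constructed allowlist).
        self.allowed_hosts = {h.lower() for h in allowed_redirect_hosts}

    # --- CSRF tokens -------------------------------------------------------
    def add_csrf_token(self, session, href):
        sep = "&" if "?" in href else "?"
        return f"{href}{sep}csrftoken={session.csrf_token}"

    def verify_csrf_token(self, session, submitted):
        # Constant-time compare; a missing or non-string token is simply invalid.
        return isinstance(submitted, str) and hmac.compare_digest(session.csrf_token, submitted)

    def change_session_id(self, session):
        # Rotating both after authentication defeats session fixation and stale tokens.
        session.id = secrets.token_urlsafe(32)
        session.csrf_token = secrets.token_urlsafe(32)
        return session.id

    # --- Cookies and headers ----------------------------------------------
    def add_safe_cookie(self, name, value, max_age=None):
        if not _COOKIE_NAME.fullmatch(name) or not _COOKIE_VALUE.fullmatch(value):
            raise ValueError("unsafe cookie name or value")
        header = f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"
        return header + (f"; Max-Age={int(max_age)}" if max_age is not None else "")

    def kill_cookie(self, name):
        return self.add_safe_cookie(name, "", max_age=0)

    def no_cache_headers(self):
        return {"Cache-Control": "no-store, no-cache, must-revalidate",
                "Pragma": "no-cache", "Expires": "0"}

    # --- Safe redirects ---------------------------------------------------
    def send_safe_redirect(self, location):
        """Return the Location header value, or raise for an open-redirect attempt."""
        if "\\" in location or any(ord(c) < 32 for c in location):
            raise ValueError("control characters or backslash in redirect target")
        parts = urlsplit(location)
        if parts.scheme == "" and parts.netloc == "":
            # Site-relative path. "//host/..." is scheme-relative: urlsplit puts the
            # host in netloc, so it never reaches this branch.
            if location.startswith("/"):
                return location
        elif parts.scheme in ("http", "https") and parts.hostname in self.allowed_hosts:
            return location
        raise ValueError(f"redirect target not allowed: {location!r}")
```

Two details carry most of the value: the redirect check parses the target instead of matching prefixes, so "https://app.example@evil.example/" is resolved to the host the browser would actually visit; and the cookie helper fails closed on a bad value rather than trying to sanitise it, which is what keeps header injection out of Set-Cookie.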
Enterprise Security API: Encryptor
<?php $encrypted = $ESAPI->encryptor()->encrypt($text); ?>
• Integrity Seals
• Strong GUID
• Random Tokens
• Encryption
• Digital Signatures
• Salted Hash
• Safe Config Details
• Timestamp
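The Encryptor bullets above (Integrity Seals, Timestamp, Random Tokens, Salted Hash) fit one small class. As an added Python example, not the talk's code and not ESAPI's PHP Encryptor: the seal is an HMAC over expiration, a random nonce and the data, so it gives integrity and expiry but not confidentiality, a deliberate swap for ESAPI's encrypted seal so the example needs only the standard library; the salted hash uses PBKDF2 from hashlib. Key sizes, the field separators and the stored-hash format are this example's own conventions.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time


class IntegrityException(Exception):
    """Seal is malformed, was modified, or has expired."""


class Encryptor:
    def __init__(self, master_key: bytes):
        if len(master_key) < 16:
            raise ValueError("master key too short")
        self._key = master_key

    def random_token(self, nbytes=32):
        # CSPRNG-backed, URL-safe: usable as a CSRF or password-reset token.
        return secrets.token_urlsafe(nbytes)

    def _mac(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def seal(self, data: str, expiration: float) -> str:
        # The nonce keeps two seals of the same data from being identical.
        payload = f"{int(expiration)}:{secrets.token_hex(8)}:{data}"
        return base64.urlsafe_b64encode(f"{payload}|{self._mac(payload)}".encode()).decode()

    def unseal(self, sealed: str, now: float = None) -> str:
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(sealed.encode()).decode()
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            raise IntegrityException("malformed seal")
        payload, sep, mac = raw.rpartition("|")
        # Verify the MAC before trusting any field, in constant time.
        if not sep or not hmac.compare_digest(self._mac(payload), mac):
            raise IntegrityException("seal was modified")
        expiration, _nonce, data = payload.split(":", 2)
        if now > int(expiration):
            raise IntegrityException("seal expired")
        return data

    def hash_password(self, password: str, salt: bytes = None, iterations=200_000) -> str:
        # Fresh 16-byte salt per password; the work factor is stored beside the hash.
        salt = os.urandom(16) if salt is None else salt
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        b64 = lambda b: base64.b64encode(b).decode()
        return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"

    def verify_password(self, password: str, stored: str) -> bool:
        try:
            algo, iterations, salt_b64, _digest = stored.split("$")
            if algo != "pbkdf2_sha256":
                return False
            recomputed = self.hash_password(password, base64.b64decode(salt_b64), int(iterations))
        except (ValueError, TypeError):
            return False
        return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    enc = Encryptor(b"0123456789abcdef0123456789abcdef")  # constructed demo key
    s = enc.seal("role=user", expiration=time.time() + 300)
    print(enc.unseal(s))
```

Sealing is what makes "Encrypt State in Cookie" and "Hidden Field Encryption" from the HTTPUtilities slide safe to rely on: a value that comes back from the browser is only trusted after its MAC verifies and its timestamp has not passed.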
Enterprise Security API: Exception Handling
• AccessControlException
• AuthenticationException
• AvailabilityException
• EncodingException
• EncryptionException
• ExecutorException
• IntegrityException
• IntrusionException
• ValidationException
Enterprise Security API: IntrusionDetector
• Configurable Thresholds
• Responses
• Log Intrusion
• Logout User
• Disable Account
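The slide names the shape of the component: a configurable threshold per event (count within an interval) and a ladder of responses. The Python below is an added example of that shape, not the talk's code and not ESAPI's IntrusionDetector; it ties in with the exception list above by letting the exception class name act as the event name, and treats an IntrusionException as a single event that warrants the strongest response immediately. Threshold values and action names are constructed.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List


class IntrusionException(Exception):
    """One event that is an attack on its own (e.g. double-encoded input)."""


@dataclass
class Threshold:
    count: int          # this many events ...
    interval: float     # ... within this many seconds ...
    actions: List[str]  # ... trigger these responses: "log", "logout", "disable"


class IntrusionDetector:
    def __init__(self, thresholds: Dict[str, Threshold]):
        self.thresholds = thresholds
        self._events = defaultdict(deque)   # (user, event) -> timestamps in window
        self.log: List[str] = []
        self.logged_out = set()
        self.disabled = set()

    def _respond(self, user, event, actions):
        for action in actions:
            if action == "log":
                self.log.append(f"INTRUSION user={user} event={event}")
            elif action == "logout":
                self.logged_out.add(user)
            elif action == "disable":
                self.disabled.add(user)
        return list(actions)

    def add_event(self, user, event, now=None):
        """Record one event; return the responses taken (empty if under threshold)."""
        now = time.time() if now is None else now
        threshold = self.thresholds.get(event)
        if threshold is None:
            return []
        window = self._events[(user, event)]
        window.append(now)
        # Drop timestamps that fell out of the sliding interval.
        while window and now - window[0] > threshold.interval:
            window.popleft()
        if len(window) >= threshold.count:
            window.clear()        # count afresh after responding
            return self._respond(user, event, threshold.actions)
        return []

    def add_exception(self, user, exc, now=None):
        """Exception-driven entry point: the class name is the event name."""
        if isinstance(exc, IntrusionException):
            # An outright attack skips the counter and takes every response.
            return self._respond(user, type(exc).__name__, ["log", "logout", "disable"])
        return self.add_event(user, type(exc).__name__, now)


if __name__ == "__main__":
    det = IntrusionDetector({"ValidationException": Threshold(3, 60, ["log", "logout"])})
    for t in (0, 10, 20):
        print(det.add_event("alice", "ValidationException", now=t))
```

The counter is per user and per event type, which is what lets a threshold like "three validation failures in a minute" catch probing without punishing a single typo, while the sliding window means three failures spread over an afternoon never add up.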
OWASP TOP 10 – ESAPI
• A1: Injection – Encoder
• A2: Cross Site Scripting (XSS) – Encoder, Validator
• A3: Broken Authentication and Session Management – Authenticator, User, HTTPUtilities
• A4: Insecure Direct Object Reference – AccessReferenceMap, AccessController
• A5: Cross Site Request Forgery (CSRF) – User (CSRF Token)
• A6: Security Misconfiguration – SecurityConfiguration
• A7: Insecure Cryptographic Storage – Encryptor
• A8: Failure to Restrict URL Access – AccessController
• A9: Insufficient Transport Layer Protection – HTTPUtilities (Secure Cookie, Channel)
• A10: Unvalidated Redirects and Forwards – AccessController
ESAPI feature coverage by implementation (table; only the Objective-C column header survived extraction, and the cell values are the versions 1.4 and 2.0)
• Authentication
• Identity
• Access Control
• Input Validation
• Output Escaping
• Canonicalization
• Encryption
• Random Numbers
• Exception Handling
• Logging
• Intrusion Detection
• Security Configuration
• WAF
Adopters
Additional Resources
• OWASP Home Page: http://www.owasp.org
• ESAPI Project Page: http://www.esapi.org
• ESAPI-Users Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-users
• ESAPI-Dev Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-dev
Questions?
• http://www.ph-il.ca
• @SecureSymfony
• http://www.ph-il.ca/en/conferences
• http://www.ph-il.ca/fr/conferences