Enterprise Security API (ESAPI) Java
Java User Group – San Antonio
Jarret Raim
June 3rd, 2010
What is it?
ESAPI (The OWASP Enterprise Security API) is a free, open source, web
application security control library that makes it easier for
programmers to write lower-risk applications. The ESAPI libraries are
designed to make it easier for programmers to retrofit security into
existing applications. The ESAPI libraries also serve as a solid
foundation for new development.
Who cares?
How Does it Work?
Allowing for language-specific differences, all OWASP
ESAPI versions have the same basic design:
• There is a set of security control interfaces. They define for
example types of parameters that are passed to types of security
controls.
• There is a reference implementation for each security
control. The logic is not organization-specific and the logic is not
application-specific. An example: string-based input validation.
• There are optionally your own implementations for each security
control. There may be application logic contained in these classes
which may be developed by or for your organization. An example:
enterprise authentication.
There are several supported languages
• Java EE
• PHP
• Classic ASP
• .NET
• Coldfusion
• Python
• JavaScript
• Haskell
• Force.com
And they have a plan. Maybe.
Tyranny of Choice
[Slide diagram: a cloud of overlapping choices for each Java security control: Spring, Jasypt, Commons Validator, xml-enc, Log4j, Java Logging, Java Pattern, URL Encoder, Cryptix, JAAS, JCE, ACEGI, Stinger, Struts, BouncyCastle, Reform, Anti-XSS, HDIV, xml-dsig, Standard Control, Write Custom Java Code, and Many More.]
Vulnerability Theory
[Slide diagram: Threat Agent -> Vector -> Vulnerability -> Control -> Technical Impact -> Business Impact. Further rows show the same chain with the Control missing, with the Control in place, and with the Vector reaching an Asset or a Function and producing a Business Impact.]
Where do Vulnerabilities Come From?
• Missing Controls
– Lack of encryption
– Failure to perform access control
• Broken Controls
– Weak hash algorithm
– Fail open
• Ignored Controls
– Failure to use encryption
– Forgot to use output encoding
• ESAPI Solves
– Missing
– Broken
• Process Solves
– Ignored
Enterprise Security API
[Slide diagram: the ESAPI components sit between the Custom Enterprise Web Application and the Existing Enterprise Security Services/Libraries: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration.]
Encoder
• Typical output in most web frameworks leads to XSS and CSRF vulnerabilities.
• The ESAPI encoder allows direct encoding depending on context.
• Web (HTML, JavaScript, CSS)
• Databases (MySQL, Oracle)
• URL
• Shells (Unix, Windows)
• XML
• LDAP
• Also provides a canonicalize method to remove any encodings.
Typical: <p>Hello, <%=name%></p>
With ESAPI: <p>Hello, <%=ESAPI.encoder().encodeForHTML(name)%></p>
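The slide shows one encoder call for HTML body text; the point that a practitioner needs is that each output context (element content, attribute value, URL parameter, JavaScript string) has its own encoder, and that canonicalization comes first on the way in. The following is an added example, not code from the slides or from the ESAPI project; it assumes the ESAPI 2.x Java API (org.owasp.esapi.ESAPI, Encoder) and a working ESAPI.properties on the classpath. The class and method names are constructed for illustration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Added example (not from the slides). One untrusted value rendered into
 * several output contexts, each through the ESAPI encoder for that context.
 * Assumes ESAPI 2.x with a configured ESAPI.properties.
 */
public class ContextualEncodingExample {

    /** Renders a greeting fragment; each interpolation point uses the encoder for its context. */
    public static String renderGreeting(String name, String profileUser) throws EncodingException {
        Encoder enc = ESAPI.encoder();
        StringBuilder html = new StringBuilder();

        // HTML element content: the case shown on the slide
        html.append("<p>Hello, ").append(enc.encodeForHTML(name)).append("</p>\n");

        // Quoted HTML attribute value: a different rule set than element content
        html.append("<input type=\"text\" name=\"name\" value=\"")
            .append(enc.encodeForHTMLAttribute(name)).append("\">\n");

        // URL query parameter: percent-encode the value, then attribute-encode the whole href
        String href = "/profile?user=" + enc.encodeForURL(profileUser);
        html.append("<a href=\"").append(enc.encodeForHTMLAttribute(href)).append("\">profile</a>\n");

        // Value inside a JavaScript string literal: \xHH style escaping, not HTML entities
        html.append("<script>var user = '").append(enc.encodeForJavaScript(name)).append("';</script>\n");

        return html.toString();
    }

    /**
     * Inbound side: strip any layered encodings before validating. With strict=true ESAPI
     * treats double or mixed encoding as an attack signal and raises IntrusionException.
     * Returns null when the input was rejected.
     */
    public static String canonicalizeOrReject(String input) {
        try {
            return ESAPI.encoder().canonicalize(input, true);
        } catch (IntrusionException e) {
            // ESAPI has already reported the event to its intrusion detector
            return null;
        }
    }
}
```

The design point is that encoding is chosen by where the data lands, not by where it came from: the same `name` is encoded three different ways in `renderGreeting`, and the href is encoded twice (once for the URL grammar, once for the attribute grammar) because it crosses two interpreters.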
[Slide diagram: User -> Controller -> Business Functions -> Data Layer -> Backend, with the Validator and Encoder applied along the way.]
Validator functions: isValidCreditCard, isValidDataFromBrowser, isValidDirectoryPath, isValidFileContent, isValidFileName, isValidHTTPRequest, isValidListItem, isValidRedirectLocation, isValidSafeHTML, isValidPrintable, safeReadLine
Encoder functions: encodeForJavaScript, encodeForVBScript, encodeForURL, encodeForHTML, encodeForHTMLAttribute, encodeForLDAP, encodeForDN, encodeForSQL, encodeForXML, encodeForXMLAttribute, encodeForXPath
Encoder also covers: Canonicalization, Double Encoding Protection, Sanitization, Normalization
Validator
• The Validator interface defines a set of methods for canonicalizing and validating untrusted input.
– Returns booleans as not all validation problems are security issues.
• Invalid input will generate a descriptive ValidationException which will be stored in the ValidationErrorList
• Input that is clearly an attack will generate a descriptive IntrusionException
EXAMPLE: <script>alert(document.cookie)</script>
ESAPI.validator().getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList)
assertIsValidHttpRequest()
assertIsValidHttpRequestParameterSet()
assertIsValidFileUpload()
getValidCreditCard()
getValidDate()
getValidDirectoryPath()
getValidDouble()
getValidFileContent()
getValidFileName()
…
Validator Example
• ESAPI provides the ValidationRule and
Validator interfaces.
• Implement your own validators for your
data.
• Reference Regex codes in the ESAPI
properties from generic to specific.
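An added example (not from the slides or the ESAPI project) covering both of the preceding Validator slides: the getValidInput signature with a ValidationErrorList, the distinction between a ValidationException (collected, reported to the user) and an IntrusionException (an attack signal), and a custom ValidationRule built on ESAPI's StringValidationRule. It assumes the ESAPI 2.x API and that ESAPI.properties defines the standard "Email" pattern (Validator.Email). The ticket-ID format, context names and the RegistrationRequest class are constructed for illustration.

```java
import java.util.List;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.StringValidationRule;

/**
 * Added example (not from the slides). Validates two fields, collecting every
 * problem before answering, and treats obvious attacks separately.
 * Assumes ESAPI 2.x; "Email" refers to Validator.Email in ESAPI.properties.
 */
public class RegistrationValidation {

    /** Result holder for the validated (canonical) values; constructed for this example. */
    public static final class RegistrationRequest {
        public final String email;
        public final String ticketId;
        RegistrationRequest(String email, String ticketId) { this.email = email; this.ticketId = ticketId; }
    }

    /** Custom rule for a constructed ticket-ID format such as "TKT-000123": whitelist regex plus length. */
    public static StringValidationRule ticketIdRule() {
        StringValidationRule rule = new StringValidationRule("TicketId", ESAPI.encoder(), "^TKT-[0-9]{6}$");
        rule.setMaximumLength(10);
        rule.setAllowNull(false);
        return rule;
    }

    /**
     * Returns the validated request, or null when any field is invalid. Canonicalization
     * happens inside ESAPI before the pattern is applied, so encoded payloads do not slip past it.
     */
    public static RegistrationRequest validate(String email, String ticketId) {
        ValidationErrorList errors = new ValidationErrorList();
        try {
            // Overload with an error list: ValidationExceptions are stored instead of thrown
            String safeEmail = ESAPI.validator().getValidInput(
                    "register.email", email, "Email", 254, false, errors);

            String safeTicket = null;
            try {
                safeTicket = ticketIdRule().getValid("register.ticketId", ticketId);
            } catch (ValidationException e) {
                errors.addError("register.ticketId", e);
            }

            if (!errors.isEmpty()) {
                for (ValidationException e : errors.errors()) {
                    // getUserMessage() carries no detail; the detailed log message was already logged by ESAPI
                    System.err.println(e.getContext() + ": " + e.getUserMessage());
                }
                return null;
            }
            return new RegistrationRequest(safeEmail, safeTicket);
        } catch (IntrusionException e) {
            // Input that is clearly an attack (e.g. the <script> example on the slide):
            // ESAPI's intrusion detector has already recorded it against the current user.
            return null;
        }
    }
}
```

Two habits the slide calls for are visible here: the value handed to business code is the one ESAPI returned (already canonicalized), not the raw parameter, and the `ValidationErrorList` lets a form report every bad field at once while an `IntrusionException` still short-circuits the request.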
[Slide diagram: where validation happens. Global: validate for any interpreter. Specific: validate, canonicalize and sanitize for each backend (Web Service, Database, Mainframe, File System, Etc…) and for any encoding. Flow: User Interface -> Controller -> Business Functions -> Data Layer -> backends; on input set character set, canonicalize and validate; on output encode for HTML.]
Authenticator
• Interface with a simple, file based example implementation
• Log In / Log Out
• Password Verification
• Create User
• Password Generation
• Change Password
• Expirations
• Logging
• Per User Session
• Anonymous User
User object tracks:
• Locale
• Roles
• Disable / Enable
• Locked / Unlocked
• CSRF Tokens
• Last Login
• Last Invalid Login
• Password Age
• Screen Name
• Failed Log In Count
• Last Logged in Host
[Slide diagram: User -> Controller -> Business Functions -> Data Layer -> Backend, with ESAPI Authentication, Intrusion Detection, Logging, Access Control and Users alongside.]
Note that the ESAPI project does not have out of the box support for projects like Spring, but can be made to work.
Access control checks per layer:
• User Interface: isAuthorizedForURL
• Controller / Business Functions: isAuthorizedForFunction
• Web Service: isAuthorizedForService
• Database, Mainframe, Etc…: isAuthorizedForData
• File System: isAuthorizedForFile
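An added example (not from the slides or the ESAPI project) tying the Authenticator and AccessController slides together: a servlet filter that registers the request with ESAPI, authenticates the user, performs the URL-level check, and leaves the function-level check to business code. It assumes the ESAPI 2.x API (Authenticator.login, AccessController.assertAuthorizedForURL, HTTPUtilities.setCurrentHTTP), a Servlet 2.5 era javax.servlet container, and ESAPI.properties pointing at an access control policy. The login page path and the "exportReports" function name are constructed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;

/**
 * Added example (not from the slides). Authenticates every request through ESAPI,
 * then enforces URL-level access control before the request reaches the application.
 * Assumes ESAPI 2.x and a configured access control policy.
 */
public class EsapiAuthFilter implements Filter {

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Make the current request/response reachable from every ESAPI component
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            // login() accepts posted credentials or an existing valid session; otherwise it throws.
            // It also enforces locked/disabled/expired state and counts failed attempts.
            User user = ESAPI.authenticator().login(request, response);

            // Fail closed: anything not explicitly allowed for this user's roles is rejected
            ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI());

            ESAPI.log().info(Logger.SECURITY_SUCCESS,
                    "access granted: " + user.getAccountName() + " -> " + request.getRequestURI());
            chain.doFilter(request, response);
        } catch (AuthenticationException e) {
            // ESAPI already logged the failure with identity; show the user nothing more than a login page
            response.sendRedirect(response.encodeRedirectURL("/login.jsp"));
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } finally {
            // Never let one request's user leak into the next on the same thread
            ESAPI.authenticator().clearCurrent();
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    /** Function-level check for business code, independent of which URL invoked it. */
    public static boolean canExportReports() {
        return ESAPI.accessController().isAuthorizedForFunction("exportReports");
    }
}
```

The filter covers the "A10 Failure to Restrict URL Access" row of the Top Ten mapping later in the deck; `canExportReports` shows the second layer the diagram asks for, a check at the business function so that a forgotten URL rule does not become the only line of defence.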
Encryption
• Encryption failures can lead to violations of the “Big Three”
– Confidentiality
– Integrity
– Availability (maybe)
• Encryption is surprisingly difficult to get right.
– You are probably doing it wrong right now.
• The Encryptor interface provides a set of methods for performing
common encryption, random number, and hashing operations.
encrypted = ESAPI.encryptor().encrypt( decrypted );
decrypted = ESAPI.encryptor().decrypt( encrypted );
[Slide diagram: User -> Controller -> Business Functions -> Data Layer -> Backend, with the Encryptor providing Encryption, Encrypted Properties, Integrity Seals, Strong GUID, Digital Signatures, Random Tokens, Timestamp, Salted Hash and Safe Config Details.]
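The encrypt/decrypt pair on the slide is written against the older String-based Encryptor API; the following added example (not from the slides or the ESAPI project) shows the same round trip plus the other Encryptor operations named in the diagram (salted hash, integrity seal with timestamp, random token) against the ESAPI 2.x API, where encrypt takes a PlainText and returns a CipherText. It assumes Encryptor.MasterKey and Encryptor.MasterSalt are set in ESAPI.properties; the method names and the ten-minute seal lifetime are constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.Encryptor;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntegrityException;

/**
 * Added example (not from the slides). The common Encryptor operations, with
 * algorithm, key and iteration choices left to ESAPI.properties rather than code.
 * Assumes ESAPI 2.x with a configured master key.
 */
public class EncryptorExample {

    /** Symmetric encrypt then decrypt with the configured master key (ESAPI 2.x PlainText/CipherText API). */
    public static String roundTrip(String secret) throws EncryptionException {
        Encryptor enc = ESAPI.encryptor();
        CipherText ct = enc.encrypt(new PlainText(secret));   // cipher, mode and IV come from ESAPI.properties
        PlainText pt = enc.decrypt(ct);
        return pt.toString();
    }

    /**
     * Salted hash for a stored credential. Returns {salt, hash}; store both, and regenerate
     * the salt per user. Hash algorithm and iteration count come from Encryptor.HashAlgorithm
     * and Encryptor.HashIterations in ESAPI.properties.
     */
    public static String[] saltedHash(String password) throws EncryptionException {
        String salt = ESAPI.randomizer().getRandomString(16, EncoderConstants.CHAR_ALPHANUMERICS);
        return new String[] { salt, ESAPI.encryptor().hash(password, salt) };
    }

    /** Integrity seal: data bound to an expiry timestamp, tamper-evident and time-limited. */
    public static String sealForTenMinutes(String data) throws IntegrityException {
        Encryptor enc = ESAPI.encryptor();
        long expires = enc.getRelativeTimeStamp(10L * 60L * 1000L);   // constructed lifetime
        return enc.seal(data, expires);
    }

    /** Returns the sealed data only if the seal is intact and not yet expired; null otherwise. */
    public static String unsealIfValid(String seal) throws EncryptionException {
        Encryptor enc = ESAPI.encryptor();
        return enc.verifySeal(seal) ? enc.unseal(seal) : null;
    }

    /** Unpredictable token (e.g. for a password reset link), from ESAPI's secure Randomizer. */
    public static String randomToken() {
        return ESAPI.randomizer().getRandomString(32, EncoderConstants.CHAR_ALPHANUMERICS);
    }
}
```

The "you are probably doing it wrong" bullet is addressed by what is absent from the code: no algorithm names, no key material, no IV handling and no hand-rolled `Random`; those decisions sit in one reviewed configuration file.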
Direct Object Reference
• Occurs when a developer exposes a reference to an internal
implementation object, such as a file, directory, database record, or
key, as a URL or form parameter.
• Fix is to generate suitably random garbage, then internally map that to
the appropriate IDs.
• Doing this is surprisingly annoying, especially if there are no sessions.
– Not really scalable friendly.
• ESAPI provides a random access map which also helps protect
against CSRF.
String directReference = "This is a direct reference.";
RandomAccessReferenceMap instance = new RandomAccessReferenceMap();
String ind = instance.addDirectReference((Object)directReference);
[Slide diagram: the User holds Indirect References (e.g. ref=jfo8we4oji); the Access Reference Map translates them to Direct References (e.g. Acct:9182374, Report123.xls) in the Web Service, Database, Mainframe, File System, Etc…]
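The three lines on the slide create a map and add one reference; what is missing is the round trip the diagram describes: the indirect reference goes into a link, comes back as a request parameter, and is resolved (or rejected) against the map. The following added example (not from the slides or the ESAPI project) shows that, assuming the ESAPI 2.x RandomAccessReferenceMap API. The account IDs, the query parameter name and the "keep the map in the session" arrangement are constructed for illustration.

```java
import java.util.List;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

/**
 * Added example (not from the slides). Per-user indirect references for account records.
 * Assumes ESAPI 2.x. The map is meant to be created after login and kept in the user's session.
 */
public class AccountReferenceExample {

    /** Build a map over only the records this user is entitled to see. */
    public static RandomAccessReferenceMap mapForUser(List<String> ownedAccountIds) {
        RandomAccessReferenceMap map = new RandomAccessReferenceMap();
        for (String acct : ownedAccountIds) {
            map.addDirectReference(acct);   // returns a random, short indirect reference
        }
        return map;
    }

    /** Render links that carry the indirect reference; the real IDs never reach the browser. */
    public static String renderLinks(RandomAccessReferenceMap map, List<String> ownedAccountIds)
            throws EncodingException {
        StringBuilder html = new StringBuilder();
        int n = 1;
        for (String acct : ownedAccountIds) {
            String ref = map.getIndirectReference(acct);
            html.append("<a href=\"/account?ref=")
                .append(ESAPI.encoder().encodeForURL(ref))
                .append("\">Account ").append(n++).append("</a>\n");
        }
        return html.toString();
    }

    /**
     * Resolve the ref parameter from a request. Anything not issued to this user's map,
     * whether forged, guessed or stale, raises AccessControlException; return null then.
     */
    public static String resolve(RandomAccessReferenceMap map, String refParam) {
        try {
            return map.getDirectReference(refParam);
        } catch (AccessControlException e) {
            // ESAPI logs this as a security failure; the caller should answer 403/404, not 500
            return null;
        }
    }
}
```

Because the map is built from the user's own record set, it doubles as an authorization check: an indirect reference that resolves is by construction one this user was shown. That is why the slide pairs AccessReferenceMap with AccessController for the A4 row of the Top Ten mapping, and the random values also give CSRF attackers nothing stable to target.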
Logging & Exceptions
• For many applications, logging is only used to detect application
errors.
• Is usually geared to solving problems in development
– Hopefully with an eye to production.
• ESAPI provides a logging implementation that integrates with the
security substructure.
– Logs security exceptions that are ESAPI generated with identity information
– Can be used by normal business code to log security exceptions or just log information with identity
• Integrates an intrusion detection system that can respond to different
types of intrusions by disabling accounts or other actions.
[Slide diagram: User -> Controller -> Business Functions -> Data Layer -> Backend. Enterprise Security Exceptions (AccessControlException, AuthenticationException, AvailabilityException, EncodingException, EncryptionException, ExecutorException, IntegrityException, IntrusionException, ValidationException) carry a User Message (no detail) and a Log Message (w/Identity) that goes to the Logger; the Intrusion Detector applies Configurable Thresholds and Responses: Log Intrusion, Logout User, Disable Account.]
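An added example (not from the slides or the ESAPI project) of the two-message exception pattern in the diagram and of business code feeding the intrusion detector directly. It assumes the ESAPI 2.x API, in which an EnterpriseSecurityException's constructor hands the exception to the intrusion detector (which logs the log message with the current user's identity) unless IntrusionDetector.Disable is set. The exception class, event name, and threshold values are constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.EnterpriseSecurityException;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Added example (not from the slides). A security exception with separate user and log
 * messages, plus a named event whose threshold and response live in ESAPI.properties.
 * Assumes ESAPI 2.x.
 */
public class SecurityEventExample {

    /** Constructed exception: the user sees the first message, the log gets the second (with identity). */
    public static class TransferLimitException extends EnterpriseSecurityException {
        public TransferLimitException(String userMessage, String logMessage) {
            super(userMessage, logMessage);   // ESAPI logs logMessage and counts it for intrusion detection
        }
    }

    /** Business rule that reports a violation without leaking the limit to the caller. */
    public static void transfer(String account, long amountCents, long limitCents)
            throws TransferLimitException {
        if (amountCents > limitCents) {
            throw new TransferLimitException(
                    "Transfer rejected.",
                    "transfer over limit: account=" + account
                            + " amount=" + amountCents + " limit=" + limitCents);
        }
        // Ordinary business logging through the same Logger, tagged with an event type
        ESAPI.log().info(Logger.EVENT_SUCCESS,
                "transfer accepted: account=" + account + " amount=" + amountCents);
    }

    /**
     * Business code can also raise a named event. When the count within the interval passes
     * the configured threshold, ESAPI applies the configured actions and throws IntrusionException.
     */
    public static void recordOverLimitAttempt(String detail) {
        try {
            ESAPI.intrusionDetector().addEvent("transferOverLimit", detail);
        } catch (IntrusionException e) {
            // Actions (log / logout / disable) have already run; nothing more to do but note it
            ESAPI.log().warning(Logger.SECURITY_FAILURE,
                    "intrusion threshold reached: " + e.getLogMessage());
        }
    }
}
```

The matching threshold for the constructed event goes in ESAPI.properties as `IntrusionDetector.event.transferOverLimit.count=3`, `IntrusionDetector.event.transferOverLimit.interval=60` and `IntrusionDetector.event.transferOverLimit.actions=log,logout` (three events in sixty seconds, then log and log the user out), following the same key pattern ESAPI uses for its own exception classes.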
Handling HTTP
• Many applications make heavy use of HTTP for functionality
– Classic ASP uses redirects for flow control, error handling, etc.
• The use of data from the request accounts for most web security
defects
• ESAPI provides methods to interact with the request
– Helper methods for encryption
– CSRF tokens
– Etc.
• Deals with Character Sets and Encodings
[Slide diagram: User -> Controller -> Business Functions -> Data Layer -> Backend, with HTTP Utilities providing: Add Safe Header, sendSafeForward, sendSafeRedirect, No Cache Headers, Set Content Type, Add Safe Cookie, Kill Cookie, Encrypt State in Cookie, isSecureChannel, Change SessionID, Hidden Field Encryption, Safe Request Logging, Querystring Encryption, CSRF Tokens, Safe File Uploads.]
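An added example (not from the slides or the ESAPI project) exercising several of the HTTPUtilities operations in the diagram on one state-changing request: CSRF token issue and check, safe redirect, no-cache headers, session ID rotation after login, and state encrypted into a cookie. It assumes the ESAPI 2.x HTTPUtilities API and a javax.servlet container; the paths, cookie contents and method names are constructed.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.HTTPUtilities;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Added example (not from the slides). HTTPUtilities applied to a form post and a login.
 * Assumes ESAPI 2.x and that ESAPI.httpUtilities().setCurrentHTTP() has been called for
 * the request (as a filter would do).
 */
public class HttpUtilitiesExample {

    /** Form action carrying the current user's CSRF token as a query parameter. */
    public static String csrfProtectedAction(String path) {
        return ESAPI.httpUtilities().addCSRFToken(path);
    }

    /** State-changing POST: verify the token, forbid caching, then redirect to a local page. */
    public static void handleTransferPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HTTPUtilities http = ESAPI.httpUtilities();
        try {
            http.verifyCSRFToken(req);            // missing or wrong token: IntrusionException
            http.setNoCacheHeaders(resp);         // keep the response out of shared caches
            http.sendRedirect(resp, "/transfers/done");   // target must be local; checked by ESAPI
        } catch (IntrusionException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (AccessControlException e) {
            // redirect target not acceptable (e.g. off-site); never echo the requested URL back
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    /** After successful login: rotate the session ID and keep small UI state in an encrypted cookie. */
    public static void afterLogin(HttpServletRequest req, HttpServletResponse resp, String locale)
            throws AuthenticationException, EncryptionException {
        HTTPUtilities http = ESAPI.httpUtilities();
        http.changeSessionIdentifier(req);        // defeats session fixation
        Map<String, String> state = new HashMap<String, String>();
        state.put("locale", locale);              // constructed content; never put secrets in cookies
        http.encryptStateInCookie(resp, state);   // encrypted and integrity-protected with the master key
    }

    /** Read the state back; a tampered cookie fails integrity checking and raises EncryptionException. */
    public static String localeFromCookie() throws EncryptionException {
        Map<String, String> state = ESAPI.httpUtilities().decryptStateFromCookie();
        return state == null ? null : state.get("locale");
    }
}
```

These calls map onto the A5 (CSRF), A7 (sessions) and A9 (secure cookies, channel) rows of the Top Ten table that follows; the value of routing them through HTTPUtilities is that the redirect-target check, the cookie flags and the token comparison are implemented once rather than per handler.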
OWASP Top Ten 2007 item: OWASP ESAPI control(s)
A1. Cross Site Scripting (XSS): Validator, Encoder
A2. Injection Flaws: Encoder
A3. Malicious File Execution: HTTPUtilities (Safe Upload)
A4. Insecure Direct Object Reference: AccessReferenceMap, AccessController
A5. Cross Site Request Forgery (CSRF): User (CSRF Token)
A6. Leakage and Improper Error Handling: EnterpriseSecurityException, HTTPUtils
A7. Broken Authentication and Sessions: Authenticator, User, HTTPUtils
A8. Insecure Cryptographic Storage: Encryptor
A9. Insecure Communications: HTTPUtilities (Secure Cookie, Channel)
A10. Failure to Restrict URL Access: AccessController
Special Thanks
• Supports OWASP and ESAPI
• Many of the diagrams in the slides are from a similar presentation
by Aspect.
Conclusion
Denim Group, Ltd.
(210) 572-4400
Web: www.denimgroup.com
Blog: blog.denimgroup.com