OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Because it's an API, it can be easely be add to applications and services to protect themselves from attackers. In this talk, I'll present the project, it's PHP implantation and how to add it to your projects.

1. Enteprise Security
API
ESAPI
Thursday, 2011-03-10

2. Thursday, 2011-03-10

3. OWASP
The Open Web Application Project
Thursday, 2011-03-10

4. Thursday, 2011-03-10

5. I answer question
Thursday, 2011-03-10

6. The problems
Thursday, 2011-03-10

7. The problems
• Input Validation and Output Encoding
• Authentication and Identity
• URL Access Control
• Business Function Access Control
• Data Layer Access Control
Thursday, 2011-03-10

8. The problems
• Presentation Layer Access Control
• Errors, Logging, and Intrusion
Detection
• Encryption, Hashing, and
Randomness
Thursday, 2011-03-10

9. OWASP TOP 10
A2 – Cross-Site Scripting
A1 – Injection
(XSS)
A3 – Broken Authentication A4 – Insecure Direct
and Session Management Object References
A5 – Cross-Site Request A6 – Security
Forgery (CSRF) Misconfiguration
A7 – Insecure A8 - Failure to Restrict
Cryptographic Storage URL Access
A9 - Insufficient Transport A10 – Unvalidated
Layer Protection Redirects and Forwards
Thursday, 2011-03-10

10. And over 300
others security
problems types
Thursday, 2011-03-10

11. Vulnerabilities and
Security Controls
Ignored Misused
Broken Missing
Thursday, 2011-03-10

12. Why Input Validation
Is Hard?
Thursday, 2011-03-10

13. <
Thursday, 2011-03-10

14. Percent (url) Encoding
• %3c
• %3C
Thursday, 2011-03-10

15. HTML Entity Encoding
• &#60 • &#60;
• &#060 • &#060;
• &#0060 • &#0060;
• &#00060 • &#00060;
• &#000060 • &#000060;
• &#0000060 • &#0000060;
Thursday, 2011-03-10

16. HTML Entity Encoding
• &#x3c • &#x3c;
• &#x03c • &#x03c;
• &#x003c • &#x003c;
• &#x0003c • &#x0003c;
• &#x00003c • &#x00003c;
• &#x000003c • &#x000003c;
Thursday, 2011-03-10

17. HTML Entity Encoding
• &#X3c • &#X3c;
• &#X03c • &#X03c;
• &#X003c • &#X003c;
• &#X0003c • &#X0003c;
• &#X00003c • &#X00003c;
• &#X000003c • &#X000003c;
Thursday, 2011-03-10

18. HTML Entity Encoding
• &#x3C • &#x3C;
• &#x03C • &#x03C;
• &#x003C • &#x003C;
• &#x0003C • &#x0003C;
• &#x00003C • &#x00003C;
• &#x000003C • &#x000003C;
Thursday, 2011-03-10

19. HTML Entity Encoding
• &#X3C • &#X3C;
• &#X03C • &#X03C;
• &#X003C • &#X003C;
• &#X0003C • &#X0003C;
• &#X00003C • &#X00003C;
• &#X000003C • &#X000003C;
Thursday, 2011-03-10

20. HTML Entity Encoding
• &lt • &lt;
• &lT • &lT;
• &Lt • &Lt;
• &LT • &LT;
Thursday, 2011-03-10

21. JavaScript Escape
• < • x3C
• x3c • X3C
• X3c • u003C
• u003c • U003C
• U003c
Thursday, 2011-03-10

22. CSS Escape
• 3c • 3C
• 03c • 03C
• 003c • 003C
• 0003c • 0003C
• 00003c • 00003C
Thursday, 2011-03-10

23. UTF-7 vs UTF-8
• +ADw-
• %c0%bc
• %e0%80%bc
• %f0%80%80%bc
• %f8%80%80%80%bc
• %fc%80%80%80%80%bc
Thursday, 2011-03-10

24. 1,677,721,600,000,000
ways to encode <script>
Thursday, 2011-03-10

25. The Solutions?
Thursday, 2011-03-10

26. What is Enterprise
Security API?
Thursday, 2011-03-10

27. ESAPI Community
Communauté ESAPI
Library Wiki Mailing List
Users
Developers
Objective-C
Thursday, 2011-03-10

28. ESAPI Community
Communauté ESAPI
Library Wiki Mailing List
Users
Developers
Objective-C
Thursday, 2011-03-10

29. ESAPI Community
Communauté ESAPI
Library Wiki Mailing List
Users
Developers
Objective-C
Thursday, 2011-03-10

30. Overview of the
Architectural Impact
Thursday, 2011-03-10

31. Authenticator
Thursday, 2011-03-10
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API
Exception Handling
Logger
IntrusionDetector
SecurityConfiguration

32. Authenticator
Thursday, 2011-03-10
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API
Exception Handling
isAuthorizedForURL()
isAuthorizedForFile()
isAuthorizedForData()
Logger
isAuthorizedForService()
isAuthorizedForFunction()
IntrusionDetector
SecurityConfiguration

33. Authenticator
Thursday, 2011-03-10
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API
Exception Handling
Logger
IntrusionDetector
SecurityConfiguration

34. Entreprise Security API
<?php echo $ESAPI
SecurityConfiguration
AccessReferenceMap
EncryptedProperties
->validator()
Exception Handling
IntrusionDetector
AccessController
->getValidInput(
Randomizer
Authenticator
HTTPUtilities
String $context,
Encryptor
Validator
Encoder
Logger
String $input,
User
String type,
int $maxLength,
boolean allowNull,
ValidationErrorList
$errorList);
?>
Thursday, 2011-03-10

35. Entreprise Security API
assertIsValidHttpRequest()
interface
SecurityConfiguration
AccessReferenceMap
EncryptedProperties
assertIsValidHttpRequest
Exception Handling
ValidationRule
IntrusionDetector
AccessController
ParameterSet()
Randomizer
Authenticator
HTTPUtilities
assertIsValidFileUpload()
Encryptor
Validator
Encoder
Logger
User
abstract
BaseValidationRule
getValidDate()
getValidDouble()
getValidDirectoryPath()
getValidDouble()
CreditCard getValidFileContent()
ValidationRule
getValidFileName()
Thursday, 2011-03-10

36. Entreprise Security API
isValidCreditCard()
interface
SecurityConfiguration
isValidDataFromBrowse()
AccessReferenceMap
EncryptedProperties
Exception Handling
ValidationRule
IntrusionDetector
AccessController
isValidDirectoryPath()
Authenticator
HTTPUtilities
Randomizer
isValidFileContent()
Encryptor
Validator
Encoder
isValidFileName()
Logger
User
abstract isValidHTTPRequest()
BaseValidationRule
isValidListItem()
isValidRedirectLocation()
isValidSafeHTML()
CreditCard isValidPrintable()
ValidationRule
safeReadLine()
Thursday, 2011-03-10

37. Entreprise Security API
encodeForCSS <?php echo $ESAPI
SecurityConfiguration
AccessReferenceMap
EncryptedProperties
encodeForDN ->encoder()
Exception Handling
IntrusionDetector
AccessController
encodeForHTML ->encodeForHTML($name)
Authenticator
HTTPUtilities
Randomizer
encodeForLDAP ?>
Encryptor
Validator
Encoder
Logger
encodeForSQL
User
encodeForURL encodeForJavaScript
encodeForXML encodeForHTMLAttribute
encodeForXPath encodeForVBScript
encodeForXMLAttribute
encodeForXPath
Thursday, 2011-03-10

38. Entreprise Security API
•Add Safe Header •isSecureChannel
SecurityConfiguration
AccessReferenceMap
EncryptedProperties
•Safe Request Logging
Exception Handling
•No Cache Headers
IntrusionDetector
AccessController
•Set Content Type •Safe File Uploads
Authenticator
HTTPUtilities
Randomizer
Encryptor
Validator
•Add Safe Cookie
Encoder
Logger
User
•Kill Cookie •sendSafeForward
•Change SessionID •sendSafeRedirect
•CSRF Tokens
•Encrypt State in Cookie
•Hidden Field Encryption
•Querystring Encryption
Thursday, 2011-03-10

39. Entreprise Security API
•Integrity Seals
SecurityConfiguration
AccessReferenceMap
EncryptedProperties
Exception Handling
•Strong GUID
IntrusionDetector
AccessController
Authenticator
•Random Tokens
HTTPUtilities
Randomizer
Encryptor
Validator
<?php $encrypted = •Encryption
Encoder
Logger
User
$ESAPI->encryptor()
->encrypt($text)
•Digital Signatures
?> •Salted Hash
•Safe Config Details
•Timestamp
Thursday, 2011-03-10

40. Authenticator
Thursday, 2011-03-10
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API
Exception Handling
Logger
IntrusionDetector
SecurityConfiguration

41. Authenticator
Thursday, 2011-03-10
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API
Exception Handling
Logger
IntrusionDetector
SecurityConfiguration

42. Entreprise Security API
•AccessControlException
SecurityConfiguration
AccessReferenceMap
EncryptedProperties
Exception Handling
IntrusionDetector
•AuthenticationException
AccessController
Authenticator
HTTPUtilities
•AvailabilityException
Randomizer
Encryptor
Validator
Encoder
•EncodingException
Logger
User
•EncryptionException
•ExecutorException
•IntegrityException
•IntrusionException
•ValidationException
Thursday, 2011-03-10

43. Authenticator
Thursday, 2011-03-10
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API
Exception Handling
Logger
IntrusionDetector
SecurityConfiguration

44. Authenticator
Thursday, 2011-03-10
User
AccessController
AccessReferenceMap
•Responses
•Logout User
Validator
•Log Intrusion
•Disable Account
Encoder
HTTPUtilities
•Configurable Thresholds
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API
Exception Handling
Logger
IntrusionDetector
SecurityConfiguration

45. Authenticator
Thursday, 2011-03-10
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
Entreprise Security API
Exception Handling
Logger
IntrusionDetector
SecurityConfiguration

46. OWASP TOP 10 ESAPI
A1: Injection Encoder
A2: Cross Site Scripting (XSS) Encoder, Validator
A3: Broken Authentication and
Authenticator, User, HTTPUtilities
Session Management
A4: Insecure Direct Object AccessReferenceMap,
Reference AccessController
A5: Cross Site Request Forgery
User (CSRF Token)
(CSRF)
A6: Security Misconfiguration SecurityConfiguration
A7: Insecure Cryptographic
Encryptor
Storage
A8: Failure to Restrict URL Access AccessController
A9: Insufficient Transport Layer HTTPUtilities
Protection (Secure Cookie, Channel)
A10: Unvalidated Redirects and
AccessController
Forwards
Thursday, 2011-03-10

47. Objective -C
Authentication 2.0 1.4 1.4 1.4
Identity 2.0 1.4 1.4 1.4
Access Control 2.0 1.4 1.4 1.4 1.4
Input Validation 2.0 1.4 1.4 1.4 1.4 1.4 2.0
Output Escaping 2.0 1.4 1.4 1.4 1.4 2.0
Canonicalization 2.0 1.4 1.4 1.4 1.4 2.0
Encryption 2.0 1.4 1.4 1.4 1.4
Random Numbers 2.0 1.4 1.4 1.4 1.4
Exception Handling 2.0 1.4 1.4 1.4 1.4 1.4 2.0
Logging 2.0 1.4 1.4 1.4 1.4 1.4 2.0
Intrusion Detection 2.0 1.4 1.4 1.4
Security Configuration 2.0 1.4 1.4 1.4 1.4 1.4 2.0
WAF 2.0
Thursday, 2011-03-10

48. Adopters
Thursday, 2011-03-10

49. Additional Resources
• OWASP Home Page
http://www.owasp.org
• ESAPI Project Page
http://www.esapi.org
• ESAPI-Users Mailing List
https://lists.owasp.org/mailman/
listinfo/esapi-users
• ESAPI-Dev Mailing List
https://lists.owasp.org/mailman/
listinfo/esapi-dev
Thursday, 2011-03-10

50. Questions ?
• philippe@ph-il.ca
• http://www.ph-il.ca
• @SecureSymfony
• http://www.ph-il.ca/en/
conferences
• http://www.ph-il.ca/fr/
conferences
Thursday, 2011-03-10

51. Thursday, 2011-03-10