Entreprise Security API - OWASP Montreal (Philippe Gamache)
6. The problems
• Input Validation and Output Encoding
• Authentication and Identity
• URL Access Control
• Business Function Access Control
• Data Layer Access Control
Saturday, 2011-02-26
7. The problems
• Presentation Layer Access Control
• Errors, Logging, and Intrusion Detection
• Encryption, Hashing, and Randomness
8. OWASP TOP 10
• A1 – Injection
• A2 – Cross-Site Scripting (XSS)
• A3 – Broken Authentication and Session Management
• A4 – Insecure Direct Object References
• A5 – Cross-Site Request Forgery (CSRF)
• A6 – Security Misconfiguration
• A7 – Insecure Cryptographic Storage
• A8 – Failure to Restrict URL Access
• A9 – Insufficient Transport Layer Protection
• A10 – Unvalidated Redirects and Forwards
9. And over 300 other security problem types
14. HTML Entity Encoding (slides 14 to 18)
• dozens of different HTML entity spellings of the "<" character; each entry was decoded to a bare "<" in this transcript
20. JavaScript Escape
• <
• \x3C
• \x3c
• \X3C
• \X3c
• \u003C
• \u003c
• \U003C
• \U003c
21. CSS Escape
• \3c
• \3C
• \03c
• \03C
• \003c
• \003C
• \0003c
• \0003C
• \00003c
• \00003C
22. UTF-7 vs UTF-8
• +ADw-
• %c0%bc
• %e0%80%bc
• %f0%80%80%bc
• %f8%80%80%80%bc
• %fc%80%80%80%80%bc
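Slides 14 to 22 show one character, "<", disguised in many encodings, which is why ESAPI canonicalizes input before validating it. The Python below is an added example, not ESAPI's canonicalizer: it decodes each encoding family from the slides, keeps decoding until the string stops changing, and reports double and mixed encoding (which ESAPI's canonicalize() rejects in strict mode) so a filter can refuse the request rather than compare against a disguised form. The lenient UTF-8 decoder, the codec list and the sample inputs are constructed for this example.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Added example (not ESAPI's canonicalizer). Constructed samples: every string is a
# disguised "<" (HTML entity, JS escape, CSS escape, UTF-7, overlong UTF-8, URL encoding).
SAMPLES = ["&lt;", "&#60;", "&#x3c;", "\\x3C", "\\u003c", "\\3c", "\\00003C",
           "+ADw-", "%c0%bc", "%e0%80%bc", "%3c", "%253c", "%26lt%3B"]

def lenient_utf8(data: bytes) -> str:
    """Decode like a careless consumer: overlong forms such as c0 bc become U+003C."""
    out, i = [], 0
    while i < len(data):
        b, n = data[i], 1
        while b >= 0x80 and n < 7 and b & (0x80 >> n):  # count length-prefix bits
            n += 1
        cp = b & (0x7F >> n) if n > 1 else b            # payload bits of the lead byte
        for c in data[i + 1:i + n]:                     # fold in continuation bytes
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp < 0x110000 else "\ufffd")
        i += n
    return "".join(out)

# One decoder per encoding family from the slides: name, matcher, replacement.
CODECS = [
    ("percent", re.compile(r"(?:%[0-9a-fA-F]{2})+"),
     lambda m: lenient_utf8(unquote_to_bytes(m.group(0)))),
    ("html-entity", re.compile(r"&(?:#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z]+);"),
     lambda m: html.unescape(m.group(0))),
    ("js-escape", re.compile(r"\\[xX]([0-9a-fA-F]{2})|\\[uU]([0-9a-fA-F]{4})"),
     lambda m: chr(int(m.group(1) or m.group(2), 16))),
    ("css-escape", re.compile(r"\\([0-9a-fA-F]{1,6}) ?"),
     lambda m: chr(int(m.group(1), 16))),
    ("utf-7", re.compile(r"\+[A-Za-z0-9+/]{3,}-"),
     lambda m: m.group(0).encode("ascii").decode("utf-7", "replace")),
]

def canonicalize(s: str, max_passes: int = 8) -> dict:
    """Decode until stable; several passes = double encoding, several codecs = mixed."""
    used, passes, changed = [], 0, True
    while changed and passes < max_passes:
        changed = False
        for name, rx, fn in CODECS:
            new = rx.sub(fn, s)
            if new != s:
                s, changed, passes = new, True, passes + 1
                used.append(name)
    return {"plain": s, "has_lt": "<" in s,
            "double": passes > 1, "mixed": len(set(used)) > 1}
```

A validator that checks `"<" in raw` misses every entry in SAMPLES; checking `canonicalize(raw)["has_lt"]` catches all of them, and the double/mixed flags let the filter reject the request outright.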
26. ESAPI Community
• Library
• Wiki
• Mailing List (Users, Developers)
• Objective-C
30. Entreprise Security API (component overview)
• Authenticator
• User
• AccessController
• AccessReferenceMap
• Validator
• Encoder
• HTTPUtilities
• Encryptor
• EncryptedProperties
• Randomizer
• Exception Handling
• Logger
• IntrusionDetector
• SecurityConfiguration
31. Entreprise Security API: AccessController
• isAuthorizedForURL()
• isAuthorizedForFile()
• isAuthorizedForData()
• isAuthorizedForService()
• isAuthorizedForFunction()
33. Entreprise Security API: Validator
<?php
echo $ESAPI->validator()->getValidInput(
    String $context,                  // where the value is used; recorded in log entries
    String $input,                    // the untrusted value
    String $type,                     // name of the validation rule (pattern) to apply
    int $maxLength,
    boolean $allowNull,
    ValidationErrorList $errorList);  // collects failures instead of throwing
?>
34. Entreprise Security API: Validator
interface ValidationRule
abstract BaseValidationRule
CreditCardValidationRule
• assertIsValidHttpRequest()
• assertIsValidHttpRequestParameterSet()
• assertIsValidFileUpload()
• getValidDate()
• getValidDouble()
• getValidDirectoryPath()
• getValidFileContent()
• getValidFileName()
35. Entreprise Security API: Validator
interface ValidationRule
abstract BaseValidationRule
CreditCardValidationRule
• isValidCreditCard()
• isValidDataFromBrowser()
• isValidDirectoryPath()
• isValidFileContent()
• isValidFileName()
• isValidHTTPRequest()
• isValidListItem()
• isValidRedirectLocation()
• isValidSafeHTML()
• isValidPrintable()
• safeReadLine()
36. Entreprise Security API: Encoder
<?php echo $ESAPI->encoder()->encodeForHTML($name); ?>
• encodeForCSS
• encodeForDN
• encodeForHTML
• encodeForHTMLAttribute
• encodeForJavaScript
• encodeForLDAP
• encodeForSQL
• encodeForURL
• encodeForVBScript
• encodeForXML
• encodeForXMLAttribute
• encodeForXPath
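The point of having one encodeFor* method per context is that the same untrusted value needs a different escape syntax depending on where it lands. The Python below is an added example, not ESAPI's code: each encoder keeps alphanumerics plus a small immune set modelled on ESAPI's and escapes everything else in the syntax of its context, and render_profile() is a constructed template that places one value in four contexts.

```python
import string
from urllib.parse import quote

# Added example (not ESAPI code): context-specific output encoding in the style of
# ESAPI's encodeFor* methods, which whitelist alphanumerics and encode everything else.
ALNUM = frozenset(string.ascii_letters + string.digits)

def _encode(value: str, immune: str, escape) -> str:
    """Pass alphanumerics and the context's immune characters; escape the rest."""
    return "".join(c if c in ALNUM or c in immune else escape(c) for c in value)

def encode_for_html(value: str) -> str:
    # element content: numeric entities, so "<" becomes &#x3c; whatever the charset
    return _encode(value, ",.-_ ", lambda c: f"&#x{ord(c):x};")

def encode_for_html_attribute(value: str) -> str:
    # space is not immune here: an unquoted attribute value would end at it
    return _encode(value, ",.-_", lambda c: f"&#x{ord(c):x};")

def encode_for_javascript(value: str) -> str:
    # \xHH / \uHHHH escapes are safe inside a JS string literal; HTML entities are not
    return _encode(value, ",._", lambda c: f"\\x{ord(c):02X}" if ord(c) < 0x100
                   else f"\\u{ord(c):04X}")

def encode_for_css(value: str) -> str:
    # CSS hex escape; the trailing space stops a following hex digit being absorbed
    return _encode(value, "", lambda c: f"\\{ord(c):x} ")

def encode_for_url(value: str) -> str:
    return quote(value, safe="")  # percent-encode everything but unreserved characters

def render_profile(name: str) -> str:
    """Constructed template (not a real page): one untrusted value, four contexts,
    each wrapped by the encoder for that context."""
    return (f'<div title="{encode_for_html_attribute(name)}">{encode_for_html(name)}</div>\n'
            f'<script>var user = "{encode_for_javascript(name)}";</script>\n'
            f'<a href="/profile?name={encode_for_url(name)}">profile</a>')
```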
37. Entreprise Security API: HTTPUtilities
• Add Safe Header
• Add Safe Cookie
• Kill Cookie
• Change SessionID
• CSRF Tokens
• Encrypt State in Cookie
• Hidden Field Encryption
• Querystring Encryption
• Safe Request Logging
• No Cache Headers
• Set Content Type
• Safe File Uploads
• isSecureChannel
• sendSafeForward
• sendSafeRedirect
38. Entreprise Security API: Encryptor
<?php $encrypted = $ESAPI->encryptor()->encrypt($text); ?>
• Integrity Seals
• Strong GUID
• Random Tokens
• Encryption
• Digital Signatures
• Salted Hash
• Safe Config Details
• Timestamp
41. Entreprise Security API: Exception Handling
• AccessControlException
• AuthenticationException
• AvailabilityException
• EncodingException
• EncryptionException
• ExecutorException
• IntegrityException
• IntrusionException
• ValidationException
43. Entreprise Security API: IntrusionDetector
• Responses
  • Logout User
  • Log Intrusion
  • Disable Account
• Configurable Thresholds
45. OWASP TOP 10 -> ESAPI
A1: Injection -> Encoder
A2: Cross Site Scripting (XSS) -> Encoder, Validator
A3: Broken Authentication and Session Management -> Authenticator, User, HTTPUtilities
A4: Insecure Direct Object Reference -> AccessReferenceMap, AccessController
A5: Cross Site Request Forgery (CSRF) -> User (CSRF Token)
A6: Security Misconfiguration -> SecurityConfiguration
A7: Insecure Cryptographic Storage -> Encryptor
A8: Failure to Restrict URL Access -> AccessController
A9: Insufficient Transport Layer Protection -> HTTPUtilities (Secure Cookie, Channel)
A10: Unvalidated Redirects and Forwards -> AccessController
46. Objective-C (version matrix; the column headers other than "Objective-C" are missing from this transcript)
Authentication          2.0  1.4  1.4  1.4
Identity                2.0  1.4  1.4  1.4
Access Control          2.0  1.4  1.4  1.4  1.4
Input Validation        2.0  1.4  1.4  1.4  1.4  1.4  2.0
Output Escaping         2.0  1.4  1.4  1.4  1.4  2.0
Canonicalization        2.0  1.4  1.4  1.4  1.4  2.0
Encryption              2.0  1.4  1.4  1.4  1.4
Random Numbers          2.0  1.4  1.4  1.4  1.4
Exception Handling      2.0  1.4  1.4  1.4  1.4  1.4  2.0
Logging                 2.0  1.4  1.4  1.4  1.4  1.4  2.0
Intrusion Detection     2.0  1.4  1.4  1.4
Security Configuration  2.0  1.4  1.4  1.4  1.4  1.4  2.0
WAF                     2.0
48. Additional Resources
• OWASP Home Page: http://www.owasp.org
• ESAPI Project Page: http://www.esapi.org
• ESAPI-Users Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-users
• ESAPI-Dev Mailing List: https://lists.owasp.org/mailman/listinfo/esapi-dev
49. Questions ?
• philippe@ph-il.ca
• http://www.ph-il.ca
• @SecureSymfony
• http://www.ph-il.ca/en/conferences
• http://www.ph-il.ca/fr/conferences