SlideShare une entreprise Scribd logo

Development Security Framework based on Owasp Esapi for JSF2.0

R
Rakesh Kachhadiya
1  sur  13
Télécharger pour lire hors ligne
Development of Security Framework based on OWASP ESAPI for JSF2.0
About Us • About Us – Rakesh Kachhadiya • Master work, Univeristy of Freiburg (Germany) – Emmanuel Benoist • Professor, Bern University of Applied Sciences (Swizerland)
ESAPI • Enterprise Security API – OWASP Project – Support for : Java, Dot NET, Classic ASP, PHP, ColdFusion, Python, Objective C, Tuby, C, Perl, … • Groups all security features into one library: – Authentication, Authorization – Access control, logging and intrusion detection – Validation, decoding, encoding (for HTML, XML, SQL, Ldap, …) – Crypto functionalities
Java Server Faces • JSF: Advantages – Model View Controler • Controler: Faces Servlet • View : xhtml files – Component tree • Model: Java files using notations – Separation of layers • Front End: xhtml and components • Back End: Java – Libraries with reusable components • Apache, RichFaces, Oracle, etc… – Concepts like: Validators and Converters
Integrating ESAPI in JSF • At different levels – In the Model • Authorization, Access control, logging, SQL/LDAP/XML/- encoding, … – In the View • Create Validators – In the Controler (in the Faces Servlet) • Enhancing HTTP • HTML Encoding
Project goals • Provide a library for integrating ESAPI in JSF – Reduces the work for the developers – Secure implementation • Adapt ESAPI to JSF ”culture” – Provide out of the box tools – Easy to integrate in a project – Can be used by simple developers
Architecture
Demo1 : Render Response
Demo2: Validation
Demo3 : Filtering
Demo4: File based Authorization
Conclusion • Integrate ESAPI into JSF – It will help programmers – Makes security “invisible” • Known issues – Access Control: prevent updating of the model – CSRF: make it transparent for the programmer • Need feedback from security experts – What are the common vulnerabilities for JSF
Questions • Feedback for OWASP • Contacts us: – Emmanuel.Benoist (AT) bfh.ch – RakeshKachhadiya (AT) gmail.com QUESTIONS ?

Recommandé

Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyEoin Keary
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application DefencesDamilola Longe, CISSP, CCSP, MSc
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 

Recommandé

Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyEoin Keary
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application DefencesDamilola Longe, CISSP, CCSP, MSc
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJSLewis Ardern
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkPichaya Morimoto
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Philippe Gamache
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 
Laravel ppt
Laravel pptLaravel ppt
Laravel pptMayank Panchal
 
Scala in the Enterprise
Scala in the EnterpriseScala in the Enterprise
Scala in the EnterpriseEric Pederson
 

Contenu connexe

Tendances

Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJSLewis Ardern
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkPichaya Morimoto
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Philippe Gamache
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure CodingMateusz Olejarka
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkErlend Oftedal
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 

Tendances (20)

Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJS
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP FrameworkVulnerable Active Record: A tale of SQL Injection in PHP Framework
Vulnerable Active Record: A tale of SQL Injection in PHP Framework
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017Browser Serving Your Web Application Security - NorthEast PHP 2017
Browser Serving Your Web Application Security - NorthEast PHP 2017
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
 
DefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysisDefCamp 2013 - Http header analysis
DefCamp 2013 - Http header analysis
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
 
Secure code
Secure codeSecure code
Secure code
 
Ten Commandments of Secure Coding
Ten Commandments of Secure CodingTen Commandments of Secure Coding
Ten Commandments of Secure Coding
 
Avoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might thinkAvoiding Cross Site Scripting - Not as easy as you might think
Avoiding Cross Site Scripting - Not as easy as you might think
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 

Similaire à Development Security Framework based on Owasp Esapi for JSF2.0

Scala in the Enterprise
Scala in the EnterpriseScala in the Enterprise
Scala in the EnterpriseEric Pederson
 
symfony_from_scratch
symfony_from_scratchsymfony_from_scratch
symfony_from_scratchtutorialsruby
 
symfony_from_scratch
symfony_from_scratchsymfony_from_scratch
symfony_from_scratchtutorialsruby
 
Software Development with Open Source
Software Development with Open SourceSoftware Development with Open Source
Software Development with Open SourceOpusVL
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
Evolving IGN’s New APIs with Scala
Evolving IGN’s New APIs with Scala Evolving IGN’s New APIs with Scala
Evolving IGN’s New APIs with ScalaManish Pandit
 
Native OSGi, Modular Software Development in a Native World - Alexander Broek...
Native OSGi, Modular Software Development in a Native World - Alexander Broek...Native OSGi, Modular Software Development in a Native World - Alexander Broek...
Native OSGi, Modular Software Development in a Native World - Alexander Broek...mfrancis
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
Selenium for everyone
Selenium for everyoneSelenium for everyone
Selenium for everyoneTft Us
 
OpenNaaS Overview Complete
OpenNaaS Overview CompleteOpenNaaS Overview Complete
OpenNaaS Overview CompleteJoan Garcia
 
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...Nicole Szigeti
 
Let's Build an Inverted Index: Introduction to Apache Lucene/Solr
Let's Build an Inverted Index: Introduction to Apache Lucene/SolrLet's Build an Inverted Index: Introduction to Apache Lucene/Solr
Let's Build an Inverted Index: Introduction to Apache Lucene/SolrSease
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 

Similaire à Development Security Framework based on Owasp Esapi for JSF2.0 (20)

Laravel ppt
Laravel pptLaravel ppt
Laravel ppt
 
Scala in the Enterprise
Scala in the EnterpriseScala in the Enterprise
Scala in the Enterprise
 
symfony_from_scratch
symfony_from_scratchsymfony_from_scratch
symfony_from_scratch
 
symfony_from_scratch
symfony_from_scratchsymfony_from_scratch
symfony_from_scratch
 
Apereo OAE - Bootcamp
Apereo OAE - BootcampApereo OAE - Bootcamp
Apereo OAE - Bootcamp
 
Software Development with Open Source
Software Development with Open SourceSoftware Development with Open Source
Software Development with Open Source
 
Laravel 4 presentation
Laravel 4 presentationLaravel 4 presentation
Laravel 4 presentation
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Evolving IGN’s New APIs with Scala
Evolving IGN’s New APIs with Scala Evolving IGN’s New APIs with Scala
Evolving IGN’s New APIs with Scala
 
Native OSGi, Modular Software Development in a Native World - Alexander Broek...
Native OSGi, Modular Software Development in a Native World - Alexander Broek...Native OSGi, Modular Software Development in a Native World - Alexander Broek...
Native OSGi, Modular Software Development in a Native World - Alexander Broek...
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
OCCIware
OCCIwareOCCIware
OCCIware
 
Selenium for everyone
Selenium for everyoneSelenium for everyone
Selenium for everyone
 
OpenNaaS Overview Complete
OpenNaaS Overview CompleteOpenNaaS Overview Complete
OpenNaaS Overview Complete
 
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
Alfresco Coding mit dem Alfresco SDK (auf Englisch) - Julien Bruinaud, Techni...
 
Let's Build an Inverted Index: Introduction to Apache Lucene/Solr
Let's Build an Inverted Index: Introduction to Apache Lucene/SolrLet's Build an Inverted Index: Introduction to Apache Lucene/Solr
Let's Build an Inverted Index: Introduction to Apache Lucene/Solr
 
2012: Passw3rd
2012: Passw3rd2012: Passw3rd
2012: Passw3rd
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 

Development Security Framework based on Owasp Esapi for JSF2.0

  • 1. Development of Security Framework based on OWASP ESAPI for JSF2.0
  • 2. About Us • About Us – Rakesh Kachhadiya • Master work, Univeristy of Freiburg (Germany) – Emmanuel Benoist • Professor, Bern University of Applied Sciences (Swizerland)
  • 3. ESAPI • Enterprise Security API – OWASP Project – Support for : Java, Dot NET, Classic ASP, PHP, ColdFusion, Python, Objective C, Tuby, C, Perl, … • Groups all security features into one library: – Authentication, Authorization – Access control, logging and intrusion detection – Validation, decoding, encoding (for HTML, XML, SQL, Ldap, …) – Crypto functionalities
  • 4. Java Server Faces • JSF: Advantages – Model View Controler • Controler: Faces Servlet • View : xhtml files – Component tree • Model: Java files using notations – Separation of layers • Front End: xhtml and components • Back End: Java – Libraries with reusable components • Apache, RichFaces, Oracle, etc… – Concepts like: Validators and Converters
  • 5. Integrating ESAPI in JSF • At different levels – In the Model • Authorization, Access control, logging, SQL/LDAP/XML/- encoding, … – In the View • Create Validators – In the Controler (in the Faces Servlet) • Enhancing HTTP • HTML Encoding
  • 6. Project goals • Provide a library for integrating ESAPI in JSF – Reduces the work for the developers – Secure implementation • Adapt ESAPI to JSF ”culture” – Provide out of the box tools – Easy to integrate in a project – Can be used by simple developers
  • 8. Demo1 : Render Response
  • 11. Demo4: File based Authorization
  • 12. Conclusion • Integrate ESAPI into JSF – It will help programmers – Makes security “invisible” • Known issues – Access Control: prevent updating of the model – CSRF: make it transparent for the programmer • Need feedback from security experts – What are the common vulnerabilities for JSF
  • 13. Questions • Feedback for OWASP • Contacts us: – Emmanuel.Benoist (AT) bfh.ch – RakeshKachhadiya (AT) gmail.com QUESTIONS ?