Matt Gifford (@coldfumonkeh)
www.mattgifford.co.uk
ColdFusion Unconference, Adobe MAX 2011
MAKE STUFF SECURE!

KEEP IT TIGHT AND OUT OF SIGHT

HOW TO SLAY DRAGONS USING A JET PACK & A TOOTHBRUSH
THE OWASP ENTERPRISE SECURITY API & AVAILABLE METHODS TO HELP LOCK DOWN A COLDFUSION APPLICATION
WHO I AM NOT...
    • Security expert of the highest order

    • Salesman trying to pitch an idea for your $$

WHO I AM...
    • Lead RIA Developer

    • Author
    • Inquisitive

    • Open to new ideas and methods


INITIAL REACTIONS
DEVELOPERS - A BROAD GENERALISATION

SECURING YOUR APPLICATIONS
WHO IS OWASP?
WHAT IS ESAPI?
     Enterprise Security API

       Open-source project that aims to fill gaps in
       specs and server technology implementations

       Uses current best practices to mitigate the
       vulnerabilities mentioned in the
       OWASP Top 10

WHAT IS ESAPI?
     Enterprise Security API


       A set of interfaces that provide functions for
       most of the common security needs of
       enterprise developers




WHAT IS ESAPI?
     Enterprise Security API



     “ESAPI is designed to make it easy to retrofit security into existing
       applications as well as providing a solid foundation for new
       development”

WHAT IS ESAPI?
     Enterprise Security API

       Supported in multiple languages:

       Java
       .NET
       Classic ASP
       PHP
       Python
       JavaScript
       & ColdFusion

WHY USE ESAPI?
      Its aim is to make secure application
      development easier

OWASP TOP 10 (2010 edition)
     A1   Injection
     A2   Cross-Site Scripting (XSS)
     A3   Broken Authentication & Session Management
     A4   Insecure Direct Object References
     A5   Cross-Site Request Forgery (CSRF)
     A6   Security Misconfiguration
     A7   Insecure Cryptographic Storage
     A8   Failure to Restrict URL Access
     A9   Insufficient Transport Layer Protection
     A10  Unvalidated Redirects and Forwards

                         And this is just the top 10...
YOU MAY ALREADY HAVE IT
     • The ColdFusion 8 security hotfix shipped with the ESAPI library under the hood

     • ColdFusion 9 included an updated version

COMING IN ZEUS!
     • ESAPI integration will be included at a greater level in ColdFusion X (Zeus)

     • encodeForXXX functions (encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript,
        encodeForCSS, encodeForURL) to help you protect your applications against XSS attacks

     • You can use those now: they ship with the security hotfixes mentioned on the previous slide

ENCODER

<cfoutput>

    <!--- Reflected XSS: whatever arrives in ?name= is written into the page as-is --->
    <p>Hey, #URL.name#!</p>

    <!--- Same output, entity-encoded for the HTML body context, so markup in URL.name stays text --->
    <p>Hey, #encodeForHTML(URL.name)#!</p>

</cfoutput>
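The point the slide makes is that the encoder has to match the context the value lands in: encodeForHTML is right for the body of the page and wrong inside a script block or a URL. The block below is an added example (not from the original slides) that puts one constructed XSS payload and one JavaScript string-breakout payload through each of the five encodeForXXX built-ins that the previous slide refers to. It assumes a ColdFusion release that has those functions (ColdFusion 9.0.1 with the security hotfix, or ColdFusion 10); the page name profile.cfm is made up.

```cfml
<!--- Added example, not from the slides: one payload, five output contexts,
      one encoder per context. --->
<cfscript>
    // Constructed attacker input. The first breaks the HTML body and attributes,
    // the second closes a single-quoted JavaScript string and runs code after it.
    payload = "<img src=x onerror=alert(document.cookie)>";
    jsBreak = "';alert(1);//";
</cfscript>

<cfoutput>
    <!--- 1. HTML body: < > & " ' become entities, the browser renders them as text --->
    <p>Hey, #encodeForHTML(payload)#!</p>

    <!--- 2. HTML attribute: always quote the attribute AND encode for the attribute
             context; encodeForHTML alone leaves room for attribute breakout --->
    <input type="text" name="name" value="#encodeForHTMLAttribute(payload)#" />

    <!--- 3. JavaScript string literal: quotes, semicolons and slashes are turned into
             \xHH escapes, so the value stays a string whichever quote style wraps it --->
    <script type="text/javascript">
        var name = '#encodeForJavaScript(jsBreak)#';
    </script>

    <!--- 4. Query-string parameter: percent-encode so & = ? < > cannot add or alter parameters --->
    <a href="profile.cfm?name=#encodeForURL(payload)#">Profile</a>

    <!--- 5. A URL placed in an attribute crosses two contexts: encode for the URL first,
             then for the attribute that carries it (the browser undoes them in reverse order) --->
    <a href="#encodeForHTMLAttribute('profile.cfm?name=' & encodeForURL(payload))#">Profile</a>
</cfoutput>
```

The rule to take away is "encode at output, for the exact context, and layer encoders when a value crosses contexts". Encoding once on the way into the database does not work, because the same value is later emitted into several contexts.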
SECURITY CONFIGURATION
Includes (but not restricted to)
the following:
• Master encryption key and salt
    (used by the encryptor and for
    hashing)

• Validation whitelists

• Logging levels and details

• Intrusion detection

• and more...
SECURITY CONFIGURATION
• You can point ESAPI at a specific resource directory (the folder that holds
   ESAPI.properties and validation.properties)

• Ideal for handling multiple security levels / validations for
   subsystems and micro-applications

• Call it once, before anything else touches ESAPI (onApplicationStart is the
   natural place), and keep that directory outside the web root: ESAPI.properties
   holds the master key and salt

  ESAPI().securityConfiguration().setResourceDirectory("/path/to/.esapi/");
SECURITY CONFIGURATION
#===========================================
# ESAPI Authenticator
#
Authenticator.AllowedLoginAttempts=3
Authenticator.MaxOldPasswordHashes=13
Authenticator.UsernameParameterName=username
Authenticator.PasswordParameterName=password
# RememberTokenDuration (in days)
Authenticator.RememberTokenDuration=14
# Session Timeouts (in minutes)
Authenticator.IdleTimeoutDuration=20
Authenticator.AbsoluteTimeoutDuration=120
AUTHENTICATION
<!--- The usual hand-rolled login. cfqueryparam stops SQL injection, and that is all
      it does: the password is compared in plain text, nothing locks the account after
      repeated failures, the session id is not changed after login, and SELECT * pulls
      every column of the user row into the page. --->
<cfquery name="qLogin" datasource="blah">
    SELECT * FROM tbl_Users
    WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#" />
    AND password   = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.password#" />
</cfquery>

<!--- Check to see we have a user returned --->
<cfif qLogin.recordcount>

    <!--- Set user into SESSION --->
    <cfset session.userID     = qLogin.userID />
    <cfset session.isLoggedIn = true />

    <!--- DO LOGGED-IN STUFF --->

<cfelse>

    <!--- Invalid credentials or no match found --->
    <p>Sorry, we could not find a match.</p>

</cfif>
AUTHENTICATION
   ESAPI().authenticator().login(request, response);

One call resolves the current user from any of:

• the username & password request parameters named in ESAPI.properties
  (Authenticator.UsernameParameterName / PasswordParameterName), with the
  login-attempt limit and the timeouts configured above applied for you

• a “Remember me” cookie

• the user already logged in, looked up by the session id

AUTHENTICATION
Key methods:

• createUser()
• generateStrongPassword()
• getCurrentUser()
• logout()
• verifyAccountNameStrength()
• verifyPasswordStrength()

THE USER
<!--- createUser(accountName, password, passwordConfirmation) --->
ESAPI().authenticator().createUser("random01", "657fhg", "657fhg");
objUser = ESAPI().authenticator().login(request, response);
objUser = ESAPI().authenticator().getCurrentUser();
objUser = ESAPI().authenticator().getUser("random01");


Token creation (one token per user, replaced on each call):

         objUser.resetCSRFToken();

Accessing the token:

         objUser.getCSRFToken();

THE USER
Key methods:

•   changePassword()
•   disable()
•   enable()
•   getAccountName()
•   getCSRFToken()
•   getLastFailedLoginTime()
•   getLastLoginTime()
•   getRoles()
•   isInRole()
•   isEnabled()
•   isExpired()
•   isLocked()
•   resetCSRFToken()
•   resetPassword()
•   isSessionTimeout()
•   isSessionAbsoluteTimeout()
HTTP UTILITIES
Provides a safe version of the
request and response object
Key methods:

•   addCSRFToken()
•   verifyCSRFToken()
•   assertSecureRequest()
•   changeSessionIdentifier()
•   encryptHiddenField()
•   decryptHiddenField()
•   encryptQueryString()
•   decryptQueryString()
•   encryptStateInCookie()
•   decryptStateFromCookie()
•   getSafeFileUploads()
•   safeSendForward()
•   safeSetContentType()
•   setNoCacheHeaders()
•   setRememberToken()
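The authenticator, user and HTTP-utilities slides above describe three pieces that only make sense together: login() producing a user, the user carrying a CSRF token, and the HTTP utilities putting that token into a request and checking it on the way back in. The block below is an added example, not code from the slides or from CFESAPI, that wires them into one login page and one state-changing POST handler. It assumes the CFESAPI ESAPI() accessor used on the slides, with the Java ESAPI 2.x method signatures CFESAPI mirrors (login(request, response), addCSRFToken(href), verifyCSRFToken(request), getValidInput(context, input, type, maxLength, allowNull)); login.cfm and account.cfm are made-up page names, and the servlet request/response are taken from getPageContext().

```cfml
<!--- Added example, not from the slides: ESAPI login followed by a CSRF-protected form.
      Assumes the CFESAPI ESAPI() accessor and Java ESAPI 2.x signatures. --->
<cfscript>
    // The servlet request and response the authenticator works against.
    httpRequest  = getPageContext().getRequest();
    httpResponse = getPageContext().getResponse();

    try {
        // Username/password are read from the parameters named in ESAPI.properties
        // (Authenticator.UsernameParameterName / PasswordParameterName); a valid
        // "remember me" cookie or an already logged-in session is honoured instead.
        // AllowedLoginAttempts and the idle/absolute timeouts are enforced in here.
        objUser = ESAPI().authenticator().login(httpRequest, httpResponse);

        // New session id after authentication, so an id planted before login
        // (session fixation) does not survive it.
        ESAPI().httpUtilities().changeSessionIdentifier();

        // Fresh anti-CSRF token for this login; it belongs to the user, not to a page.
        objUser.resetCSRFToken();
    }
    catch (any e) {
        // Wrong credentials, locked/disabled/expired account, too many attempts:
        // one generic outcome for the browser, the detail goes to the ESAPI log.
        ESAPI().httpUtilities().setNoCacheHeaders();
        location("/login.cfm?failed=1", false);
    }
</cfscript>

<cfoutput>
    <!--- addCSRFToken() appends the current user's token to the URL as a query
          parameter; verifyCSRFToken() below reads that parameter back and compares. --->
    <form method="post"
          action="#encodeForHTMLAttribute(ESAPI().httpUtilities().addCSRFToken('/account.cfm'))#">
        <p>Signed in as #encodeForHTML(objUser.getAccountName())#</p>
        <input type="email" name="newEmail" />
        <input type="submit" value="Change e-mail" />
    </form>
</cfoutput>

<!--- /account.cfm: the POST handler --->
<cfscript>
    try {
        // Throws IntrusionException when the token is absent or does not match the
        // current user's token, so a forged cross-site POST never reaches the update.
        ESAPI().httpUtilities().verifyCSRFToken(getPageContext().getRequest());

        // Whitelist-validate the new value against the Validator.Email rule before use.
        newEmail = ESAPI().validator().getValidInput("Change e-mail", form.newEmail, "Email", 254, false);

        // ... persist newEmail for ESAPI().authenticator().getCurrentUser() ...
    }
    catch (any e) {
        location("/account.cfm?error=1", false);
    }
</cfscript>
```

Two things worth noticing against the hand-rolled version a few slides back: the code never touches the password or the attempt counter, and the CSRF check is a single call that fails closed. If you render the form with a plain action="/account.cfm" and forget addCSRFToken(), verifyCSRFToken() rejects every submission, which is the right default.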
ACCESS CONTROLLER
The gatekeeper for your ESAPI
application implementation


<cfscript>
    // Hand-rolled gate: the decision rests on two page variables and a redirect,
    // and nothing stops a user from requesting /admin/hiddenPages.cfm directly
    if ((role == 'admin') && (coffeeIntake != 'small'))
    {
        // Take them to the Admin Console
        location('/admin/hiddenPages.cfm');
    }
    else
    {
        // Direct user elsewhere
        location('/standardPage.cfm');
    }
</cfscript>
ACCESS CONTROLLER
•   isAuthorizedForData()
•   isAuthorizedForFile()
•   isAuthorizedForURL()

•   assertAuthorizedForData()
•   assertAuthorizedForFile()
•   assertAuthorizedForURL()
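The cfscript gate earlier in this section decides access inside one page, which leaves every other page reachable by URL. The block below is an added example, not from the slides or from CFESAPI, that moves the decision to the access controller: a deny-by-default check of every requested URL in Application.cfc, and a file check for a user-supplied download name. It assumes the CFESAPI ESAPI() accessor and the Java ESAPI 2.x signatures it mirrors; which roles may reach which URLs and files is declared in the access-control policy files in the ESAPI resource directory, not in this code, and the paths used are made up.

```cfml
<!--- Added example, not from the slides: URL and file authorisation via the
      ESAPI access controller. Assumes the CFESAPI ESAPI() accessor. --->
<cfscript>
    // Application.cfc: runs for every request, so an unlisted URL such as
    // /admin/hiddenPages.cfm cannot be reached just by knowing it (OWASP A8).
    function onRequestStart(required string targetPage) {
        try {
            // Throws AccessControlException unless the policy grants the current user
            // (ESAPI().authenticator().getCurrentUser()) this URL.
            ESAPI().accessController().assertAuthorizedForURL(arguments.targetPage);
        }
        catch (any e) {
            // Same response for "forbidden" and "does not exist": no map of the site.
            location("/standardPage.cfm", false);
        }
        return true;
    }

    // download.cfm: a file name from the request is an object reference the user
    // controls (OWASP A4), so it is authorised as a path rather than trusted.
    function safeDownloadPath(required string requestedFile) {
        var filePath = expandPath("/downloads/" & arguments.requestedFile);
        // isAuthorizedForFile() resolves the real path before matching it against the
        // policy, so "../ESAPI.properties" is refused instead of served.
        if (!ESAPI().accessController().isAuthorizedForFile(filePath)) {
            throw(type="Application", message="Not permitted");
        }
        return filePath;
    }
</cfscript>
```

The assert*() variants throw and the is*() variants return a boolean; use the former at a choke point such as onRequestStart, where the only sensible outcome of a failure is to stop, and the latter where the page has a legitimate fallback to offer.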
ENCRYPTOR
•   decrypt()
•   encrypt()
•   hash()
•   seal()
•   sign()
•   unseal()
•   verifySeal()
•   verifySignature()
VALIDATOR
•   White-list based filters (regular expressions named in ESAPI.properties)

•   Data canonicalization prior to
    being passed to filters, so an
    encoded payload is checked in
    its decoded form

•   Detects double or mixed encoding
    and throws an IntrusionException
    rather than returning false
VALIDATOR CONFIGURATION
#================================================
# ESAPI Validation

Validator.ConfigurationFile=validation.properties

# Validators used by ESAPI
Validator.RoleName=^[a-z]{1,20}$

# Global HTTP Validation Rules
Validator.HTTPScheme=^(http|https)$
Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
Validator.HTTPParameterValue=^[a-zA-Z0-9.-/
VALIDATOR CONFIGURATION
Validator.SafeString=^[.\p{Alnum}\p{Space}]{0,1024}$
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)://[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(/?)([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&amp;%\$#_]*)?$
Validator.CreditCard=^(\d{4}[- ]?){3}\d{4}$
Validator.SSN=^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$
VALIDATOR CONFIGURATION
Custom white-list values can be added to the ESAPI.properties file:


Declaring:

    Example User ID: MatGif0075
    White-list entry: Validator.UserId=^[A-Za-z]{6}[0-9]{4}$

Validating (context label for the log, the raw input, the rule name after
"Validator.", maximum length, whether an empty value is allowed):

    isValidInput("User ID", "MatGif0075", "UserId", 10, false);
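The three validator bullets above (whitelist, canonicalise first, refuse double encoding) produce three different outcomes for three kinds of bad input, and the difference matters when you write the calling code. The block below is an added example, not from the slides or from CFESAPI, that runs constructed inputs through isValidInput()/getValidInput() against the custom UserId rule. It assumes the CFESAPI ESAPI() accessor with the Java ESAPI 2.x signatures it mirrors, a Validator.UserId rule of ^[A-Za-z]{6}[0-9]{4}$ (one that accepts the slide's own example MatGif0075), and the default strict canonicalisation (Encoder.AllowMultipleEncoding=false).

```cfml
<!--- Added example, not from the slides: whitelist validation with canonicalisation
      and double-encoding detection. Assumes the CFESAPI ESAPI() accessor and a
      Validator.UserId rule of ^[A-Za-z]{6}[0-9]{4}$ in ESAPI.properties. --->
<cfscript>
    // Constructed inputs: valid, valid-once-decoded, too short, double-encoded.
    samples = ["MatGif0075", "MatGif%3075", "MatGif007", "%253Cscript%253E"];

    for (i = 1; i <= arrayLen(samples); i++) {
        input = samples[i];
        try {
            // Canonicalisation runs before the regex: %30 decodes to "0", so the second
            // sample is judged as MatGif0075 and cannot sneak past the whitelist encoded.
            if (ESAPI().validator().isValidInput("User ID", input, "UserId", 10, false)) {
                // getValidInput() returns the canonical value; carry that forward,
                // never the raw form field.
                clean = ESAPI().validator().getValidInput("User ID", input, "UserId", 10, false);
                writeOutput("accepted: " & encodeForHTML(clean) & "<br />");
            }
            else {
                // Plain validation failure (pattern or length): a normal "false".
                writeOutput("rejected: " & encodeForHTML(input) & "<br />");
            }
        }
        catch (any e) {
            // %253C is %3C encoded a second time. Legitimate input is never double-encoded,
            // so the validator raises IntrusionException instead of returning false, and
            // the intrusion detector counts the event against this user.
            writeOutput("intrusion: " & encodeForHTML(input) & "<br />");
        }
    }
</cfscript>
```

Design point: treat the exception path as a signal, not a bug. A "false" means a typo; an IntrusionException means someone is probing, and that is what the intrusion-detection thresholds in ESAPI.properties act on.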
THE PROS
     • Designed by security experts

     • Multiple language support

     • Highly extensible

     • Works invisibly in many ways (voodoo magic)

     • It’s open-source!!

THE CONS
     • Paradigm shift (a new way of thinking)

     • Worth the time retrofitting?

     • Documentation levels (with clear working examples)

     • It’s only an API - it’s not the miracle cure

MORE INFO
     • OWASP ESAPI Official Page
              http://bit.ly/owasp_esapi

     • ESAPI Javadocs
              http://bit.ly/esapi-javadocs

     • CFESAPI on github
              http://bit.ly/cfesapi

NOW GRAB YOUR TOOTHBRUSH AND GO SLAY SOME DRAGONS