This is the presentation from the ColdFusion Unconference session at Adobe MAX 2011 in Los Angeles. This covers a brief look at implementing the ESAPI project into your ColdFusion applications and what methods it has available to help secure your sites.
3. KEEP IT TIGHT AND OUT OF SIGHT
Matt Gifford (@coldfumonkeh)
www.mattgifford.co.uk
ColdFusion Unconference, Adobe MAX 2011
4. HOW TO SLAY DRAGONS USING A JET PACK & A TOOTHBRUSH
5. THE OWASP ENTERPRISE SECURITY API & AVAILABLE METHODS TO HELP LOCK DOWN A COLDFUSION APPLICATION
6. WHO I AM NOT...
• Security expert of the highest order
• Salesman trying to pitch an idea for your $$
7. WHO I AM...
• Lead RIA Developer
• Author
• Inquisitive
• Open to new ideas and methods
12. WHAT IS ESAPI?
Enterprise Security API
Open-source project that aims to fill gaps in specs and server technology implementations
Uses current best practices to mitigate the vulnerabilities mentioned in the OWASP Top 10
13. WHAT IS ESAPI?
Enterprise Security API
A set of interfaces that provide functions for most of the common security needs of enterprise developers
14. WHAT IS ESAPI?
Enterprise Security API
“ESAPI is designed to make it easy to retrofit security into existing applications as well as providing a solid foundation for new development”
15. WHAT IS ESAPI?
Enterprise Security API
Supported in multiple languages:
• Java
• .NET
• Classic ASP
• PHP
• Python
• JavaScript
• ColdFusion
17. WHY USE ESAPI?
Its aim is to make secure application development easier
18. OWASP TOP 10
A1 Injection
A2 Cross-Site Scripting
A3 Authentication & Sessions
A4 Insecure Direct Object References
A5 Cross-Site Request Forgery
A6 Security Misconfiguration
A7 Insecure Storage (crypto)
A8 URL Access Restrictions
A9 Poor Transport Layer Protection
A10 Unvalidated Redirects
And this is just the top 10...
20. YOU MAY ALREADY HAVE IT
• ColdFusion 8 hotfix shipped with the ESAPI library under the hood
• ColdFusion 9 included an updated version
21. COMING IN ZEUS!
• ESAPI integration will be included at a greater level in ColdFusion X (Zeus)
• encodeForXXX functions to help you protect your applications against XSS attacks
• You can use those now!
25. SECURITY CONFIGURATION
Includes (but is not restricted to) the following:
• Master encryption passwords (for salt and hashing)
• Validation whitelists
• Logging levels and details
• Intrusion detection
• and more...
26. SECURITY CONFIGURATION
• You can select the path for a specific resource directory
• Ideal for handling multiple security levels / validations for subsystems and micro-applications
ESAPI().securityConfiguration().setResourceDirectory("/path/to/.esapi/");
29. AUTHENTICATION
<cfquery name="qLogin" datasource="blah">
    SELECT * FROM tbl_Users
    WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.username#" />
    AND password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.password#" />
</cfquery>
<!--- Check to see we have a user returned --->
<cfif qLogin.recordcount>
    <!--- Set user into SESSION --->
    <cfset session.userID = qLogin.userID />
    <cfset session.isLoggedIn = true />
    <!--- DO LOGGED-IN STUFF --->
<cfelse>
    <!--- Invalid credentials or no match found --->
    <p>Sorry, we could not find a match.</p>
</cfif>
32. AUTHENTICATION
ESAPI().authenticator().login();
• Username & password combination (invisibly)
• Reading a “Remember me” cookie
• Currently logged in user based upon the session-id value
39. ACCESS CONTROLLER
The gatekeeper for your ESAPI application implementation
<cfscript>
    if ((role == 'admin') && (coffeeIntake != 'small'))
    {
        // Take them to the Admin Console
        location('/admin/hiddenPages.cfm');
    }
    else
    {
        // Direct user elsewhere
        location('/standardPage.cfm');
    }
</cfscript>
45. VALIDATOR CONFIGURATION
Custom white-list values can be added into the ESAPI.properties file:
Declaring:
Example User ID - MatGif0075
White-list entry: Validator.UserId=^[A-Za-z]{6}[0-9]{4}$
Validating:
isValidInput("User ID", "MatGif0075", "UserId", 10, false);
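Added example, not ESAPI's or CFESAPI's own code: a small Python re-implementation of the lookup-and-match behaviour described above. It reads Validator.* entries from a constructed ESAPI.properties fragment and applies them with the same isValidInput(context, input, type, maxLength, allowNull) argument order, so the effect of maxLength, allowNull and the regex character class on the id MatGif0075 can be seen directly. Canonicalization, which the real ESAPI performs before matching, is omitted.

```python
import re

# Constructed ESAPI.properties fragment (not the project's own file).
# Every Validator.<Type> key is a whitelist regex that isValidInput() looks up by type name.
ESAPI_PROPERTIES = """
# mixed-case letters, then four digits, e.g. MatGif0075
Validator.UserId=^[A-Za-z]{6}[0-9]{4}$
# uppercase-only variant: silently rejects mixed-case ids such as MatGif0075
Validator.UpperUserId=^[A-Z]{6}[0-9]{4}$
"""


def load_validator_patterns(properties_text):
    """Parse Validator.* keys out of properties-file text into compiled regexes."""
    patterns = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith("Validator."):
            type_name = key.strip()[len("Validator."):]
            patterns[type_name] = re.compile(value.strip())
    return patterns


PATTERNS = load_validator_patterns(ESAPI_PROPERTIES)


def is_valid_input(patterns, context, user_input, type_name, max_length, allow_null):
    """Mirror the shape of ESAPI's Validator.isValidInput(context, input, type, maxLength, allowNull).

    Returns True only when the input is present (or allowNull permits its absence),
    is no longer than maxLength, and matches the whitelist regex for the type in full.
    """
    if user_input is None or user_input == "":
        return allow_null
    if type_name not in patterns:
        # Unknown type: a misspelt type name must fail closed, never pass the input through.
        raise KeyError(f"{context}: no Validator.{type_name} entry in ESAPI.properties")
    if len(user_input) > max_length:
        return False
    return patterns[type_name].fullmatch(user_input) is not None


if __name__ == "__main__":
    print(is_valid_input(PATTERNS, "User ID", "MatGif0075", "UserId", 10, False))       # True
    print(is_valid_input(PATTERNS, "User ID", "MatGif0075", "UpperUserId", 10, False))  # False
```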
47. THE PROS
• Designed by security experts
• Multiple language support
• Highly extensible
• Works invisibly in many ways (voodoo magic)
• It’s open-source!!
48. THE CONS
• Paradigm shift (a new way of thinking)
• Worth the time retrofitting?
• Documentation levels (with clear working examples)
• It’s only an API - it’s not the miracle cure
50. MORE INFO
• OWASP ESAPI Official Page
http://bit.ly/owasp_esapi
• ESAPI Javadocs
http://bit.ly/esapi-javadocs
• CFESAPI on github
http://bit.ly/cfesapi
51. NOW GRAB YOUR TOOTHBRUSH AND GO SLAY SOME DRAGONS