ESAPI Pictures for Javadoc. Contents: Architecture Overview; Existing Enterprise Security Services/Libraries; OWASP Top Ten Coverage; Enforcing Access Control (Controller, Business Functions, Data Layer, Presentation Layer; isAuthorizedForFunction(), isAuthorizedForData()).
ESAPI Pictures For Javadoc

Architecture Overview: diagram of Existing Enterprise Security Services/Libraries.

Each of the following slides is a diagram that places one ESAPI component between the User, the Presentation Layer, the Controller, the Business Functions, the Data Layer and the Backend. Only the labels are recoverable here.

Enforcing Access Control: access checks isAuthorizedForFunction(), isAuthorizedForData(), isAuthorizedForURL(), isAuthorizedForService() and isAuthorizedForFile(), evaluated against the user's Roles.

Handling Authentication and Identity: ESAPI AccessControl, Logging, IntrusionDetection and Authentication components in front of the Users store.

Handling Direct Object References: an Access Reference Map with getDirectReference() and getIndirectReference(). The direct references Report123.xls (http://app?file=Report123.xls) and Acct:9182374 (http://app?id=9182374) are exposed to the user only as the indirect references http://app?file=1 and http://app?id=7d3J93.

Decoding/Encoding Untrusted Data: Encoding Engine, Decoding Engine and Validation Engine. Codecs: HTML Entity Codec, Percent Codec, JavaScript Codec, VBScript Codec, CSS Codec, ... Encoders for interpreters behind the application: encodeForSQL(), encodeForLDAP(), encodeForXML(), encodeForXPath(), encodeForOS(). Encoders for the browser: encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForCSS(), encodeForURL().

Validating Untrusted Input/Output: Validation Engine, shown on both sides of the application. Validate: getValidDate(), getValidCreditCard(), getValidInput(), getValidNumber(), ... Validate: getValidDate(), getValidCreditCard(), getValidSafeHTML(), getValidInput(), getValidNumber(), getValidFileName(), getValidRedirect(), safeReadLine(), ...

Enhancing HTTP: HTTP Utilities. Input Utilities: assertSecureRequest(), getCSRFToken(), getSafeFileUploads(), safeSendForward(), verifyCSRFToken(), ... Output Utilities: addCSRFToken(), changeSessionIdentifier(), safeSetContentType(), setNoCacheHeaders(), setRememberToken(), verifyCSRFToken(), ...

Security Logging: ESAPI Logger. Logging: fatal(), error(), warning(), info(), debug(), trace(), ...

Detecting Intrusions: ESAPI Logging, IntrusionDetection and Authentication with Tailorable Quotas. When a quota is exceeded: Log Intrusion Event, Logout User, Lock Account (against the Users store).

Basic Cryptography: Encryptor. Crypto: encrypt() / decrypt(), hash(), seal() / unseal(), sign(), verifySeal(), verifySignature().

Encrypted Properties: Encrypted Properties backed by the Encryptor; new EncryptedProperties(), set() / get(); stored in an Encrypted Properties File.

Safe OS Command Execution: executeSystemCommand().
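The Access Reference Map pattern from the "Handling Direct Object References" slide, as an added Python illustration rather than ESAPI's own Java code: a per-session map hands the client random tokens in place of real file names or account numbers, and anything the client sends back that is not a token it was given is rejected. The class, method and helper names are assumptions modelled on the slide's getDirectReference()/getIndirectReference().

```python
import secrets


class RandomAccessReferenceMap:
    """Per-session map between direct references and random indirect tokens; only tokens reach the client."""

    def __init__(self, direct_references=(), token_bytes=6):
        self._to_indirect, self._to_direct = {}, {}
        self._token_bytes = token_bytes
        self.update(direct_references)

    def add_direct_reference(self, direct):
        """Register a direct reference (e.g. 'Report123.xls') and return its indirect token."""
        if direct in self._to_indirect:
            return self._to_indirect[direct]
        token = secrets.token_urlsafe(self._token_bytes)
        while token in self._to_direct:  # collision is unlikely but cheap to handle
            token = secrets.token_urlsafe(self._token_bytes)
        self._to_indirect[direct] = token
        self._to_direct[token] = direct
        return token

    def update(self, direct_references):
        """Sync with the objects this user may currently see: new ones get tokens, removed ones lose theirs."""
        current = set(direct_references)
        for stale in set(self._to_indirect) - current:
            del self._to_direct[self._to_indirect.pop(stale)]
        for direct in current:
            self.add_direct_reference(direct)

    def get_indirect_reference(self, direct):
        """Rendering side: the server knows the real object and emits its token, e.g. http://app?file=<token>."""
        return self._to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Request side: unknown or tampered tokens are rejected, never forwarded to the backend as ids."""
        try:
            return self._to_direct[indirect]
        except KeyError:
            raise PermissionError("unknown indirect reference") from None


def resolve_request(refmap, indirect):
    """Map a request parameter back to the real object, or None if the token is not one this session issued."""
    try:
        return refmap.get_direct_reference(indirect)
    except PermissionError:
        return None
```

A client that edits the URL to carry a real file name or account number, or a token from another user's session, gets nothing back, because only tokens issued to this session resolve.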