ESAPI 라이브러리를 이용한 보안 코딩 기법



ESAPI(Enterprise Security API)는 웹 애플리케이션 개발 과정에서 발생하는 다양한 보안 침해사고를 해결하기 위해 OWASP에서 OWASP TOP10과 함께 해당 문제점을 개선하기 위해 제작, 배포되는 보안 라이브러리이다. 


The ESAPI library 는 여러 플랫폼 버전에서 적용할 수 있도록 지원되고 있으며,  PHP, .NET, Pthon, Java 언어를 지원한다.  ESAPI 라이브러리를 사용하기 위해서는 OWASP에서 제공하는 esapi-2.0.1.jar 파일을 다운로드 받는다.

 download link.

 

ESAPI는 애플리케이션 보안에 필요한 다양한 종류의 인터페이스를 제공하고 있다.

  • Authenticator : 일반 사용자와 관리자 등으로 권한을 분류하여 관리해주는 규격을 정의하고 있으며, 로그인, 로그아웃, 로그인한 사용자의 User 정보 설정과 같은 기능을 제공한다.

  • User : 사용자의 로그인 상태, 이름, 권한, 마지막 로그인 시간, IP, 세션유지 상태등 사용자들을 관리하기 위한 상세한 정보를 정의한다.

  • AccessController : 파일, 서비스, URL과 같은 리소스에 접근가능한 권한을 Authenticator와 User 객체를 이용하여 역할 기반의 접근을 관리할 수 있도록 정의한다.

  • AccessReferenceMap : 리소스에 직접 점근하지 않고 리소스를 처리할 수 있도록 관리한다. 예를 들어, 파일 업로드/다운로드시 해당 파일명 대신 랜덤하게 생성된 문자열을 파일에 매핑하여 실제 파일명을 숨긴다.

  • HTTPUtilities : 쿠키, 세션, 토큰 등을 관리하는 기능을 정의한다. 파일 업로드, 인코딩/디코딩 기능을 지원하며 HTTP헤더 분석과 같은 기능도 정의한다.

  • Encoder : 인코딩과 디코딩을 수행하는 메서드들을 정의한다.

  • Encryptor : 다양한 암호화 알고리즘을 지원하는 기능을 정의한다.

  • EncryptedProperties : 암호화 관련 설정 파일 관리를 정의한다.

  • Validator : 입력되는 무자열이 정의된 정규식에 적합한지를 확인한다. 문자입력값 확인, 숫자 입력값 확인,  날짜, 카드번호, IP 등 특정 문자열에 대한 정규식을 정의하거 입력값이 정해진 규칙에 적합한지를 검증하는 작업을 수행한다.

  • Randomizer : 임의의 난수를 생성하기 위한 메서드들을 정의한다.

  • ExceptionHandling : 다양한 보안 예외 상황을 처리하기 위한 메서드를 정의한다.

  • IntrusionDetector : 소스 레벨에서 해킹 시도를 탐지하는 메서드들을 정의한다.

  • SecurityConfiguration : ESAPI 모듈의 환경 설정을 정의한다.

  • Logger : 로그 생성 및 처리를 위한 메서드를 정의한다.


ESAPI Authenticator 사용을 위한  SSL 설정(Tomcat)


ESAPI Authenticator는 SSL 환경에서만 사용가능하다. 먼저 사용하고 있는 서버가 SSL 이 지원되도록 수정한다.


인증서 생성

keytool -genkey -alias tomcat -keyalg RSA -keystore D:\config\keystore




server.xml 설정


- Tomcat 7 일 때 

<Connector port="8443" maxThreads="150" 

  scheme="https" secure="true" SSLEnabled="true"

  clientAuth="false" sslProtocol="TLS"
  keystoreFile="D:\config\keystore"
  keystorePass=“kim123" />


- Tomcat 6 일 때

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

  maxThreads="150" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" 
  
keystoreFile="D:\config\keystore"
  keystorePass=“kim123"
 />



[출처] Tomcat SSL 설정|작성자 정주최



 

ESAPI 환경설정


ESAPI를 프로젝트에 적용하려면 먼저 ESAPI 라이브러리를 프로젝트 라이브러리에 등록한다.



1. ESAPI 라이브러리 프로젝트에 추가.


    Project > Properties > Java Build Path > Libraries use “Add JARS…”

   >  “Add External JARS” if you maintain a separate directory of jar dependencies.


   또는 esapi-2.x.x.jar 파일을 /WEB-INF/lib 폴더에 복사한다.



2. 구성파일 저장


    d:\config 폴더에

    ESAPI.properties 와 validation.properties 파일을 복사한다.


  Run > Run Configuration (or Debug Configuration) 에서

    VM Arguments: -Dorg.owasp.esapi.resources="/config" 추가 


 

ESAPI.properties

ESAPI 사용을 위한 기본적인 설정들을 정의하는 파일이다. 파일은 .esapi 폴더나 org.owasp.esapi.resources 매크로로 정의된 폴더에 있어야 한다.

#
# OWASP Enterprise Security API (ESAPI) Properties file -- TEST Version
#
# This file is part of the Open Web Application Security Project (OWASP)
# Enterprise Security API (ESAPI) project. For details, please see
# http://www.owasp.org/index.php/ESAPI.
#
# Copyright (c) 2008,2009 - The OWASP Foundation
#
# DISCUSS: This may cause a major backwards compatibility issue, etc. but
#     from a name space perspective, we probably should have prefaced
#     all the property names with ESAPI or at least OWASP. Otherwise
#     there could be problems is someone loads this properties file into
#     the System properties.  We could also put this file into the
#     esapi.jar file (perhaps as a ResourceBundle) and then allow an external
#     ESAPI properties be defined that would overwrite these defaults.
#     That keeps the application's properties relatively simple as usually
#     they will only want to override a few properties. If looks like we
#     already support multiple override levels of this in the
#     DefaultSecurityConfiguration class, but I'm suggesting placing the
#     defaults in the esapi.jar itself. That way, if the jar is signed,
#     we could detect if those properties had been tampered with. (The
#     code to check the jar signatures is pretty simple... maybe 70-90 LOC,
#     but off course there is an execution penalty (similar to the way
#     that the separate sunjce.jar used to be when a class from it was
#     first loaded). Thoughts?
###############################################################################
#
# WARNING: Operating system protection should be used to lock down the .esapi
# resources directory and all the files inside and all the directories all the
# way up to the root directory of the file system.  Note that if you are using
# file-based implementations, that some files may need to be read-write as they
# get updated dynamically.
#
# Before using, be sure to update the MasterKey and MasterSalt as described below.
# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
#  you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
#  re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
#  able to decrypt your data with ESAPI 2.0.
#
#  YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
#
#===========================================================================
# ESAPI Configuration
#
# If true, then print all the ESAPI properties set here when they are loaded.
# If false, they are not printed. Useful to reduce output when running JUnit tests.
# If you need to troubleshoot a properties related problem, turning this on may help,
# but we leave it off for running JUnit tests. (It will be 'true' in the one delivered
# as part of production ESAPI, mostly for backward compatibility.)

ESAPI.printProperties=false

# ESAPI is designed to be easily extensible. You can use the reference implementation
# or implement your own providers to take advantage of your enterprise's security
# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
#
#    String ciphertext =
#  ESAPI.encryptor().encrypt("Secret message");   // Deprecated in 2.0
#    CipherText cipherText =
#  ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
#
# Below you can specify the classname for the provider that you wish to use in your
# application. The only requirement is that it implement the appropriate ESAPI interface.
# This allows you to switch security implementations in the future without rewriting the
# entire application.
#


# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController


# FileBasedAuthenticator requires users.txt file in .esapi directory

ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator

ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor

ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector

# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
#ESAPI.Logger=org.owasp.esapi.reference.ExampleExtendedLog4JLogFactory
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator


#===========================================================================
# ESAPI Authenticator
#
Authenticator.AllowedLoginAttempts=3
Authenticator.MaxOldPasswordHashes=13
Authenticator.UsernameParameterName=username
Authenticator.PasswordParameterName=password
# RememberTokenDuration (in days)
Authenticator.RememberTokenDuration=14
# Session Timeouts (in minutes)
Authenticator.IdleTimeoutDuration=20
Authenticator.AbsoluteTimeoutDuration=120


#===========================================================================
# ESAPI Encoder
#
# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
# Failure to canonicalize input is a very common mistake when implementing validation schemes.
# Canonicalization is automatic when using the ESAPI Validator, but you can also use the
# following code to canonicalize data.
#
#      ESAPI.Encoder().canonicalize( "%22hello world&#x22;" );

# Multiple encoding is when a single encoding format is applied multiple times. Allowing
# multiple encoding is strongly discouraged.
Encoder.AllowMultipleEncoding=false

# Mixed encoding is when multiple different encoding formats are applied, or when
# multiple formats are nested. Allowing multiple encoding is strongly discouraged.
Encoder.AllowMixedEncoding=false

# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec


#===========================================================================
# ESAPI Encryption
#
# The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
# There is not currently any support for key rotation, so be careful when changing your key and salt as it
# will invalidate all signed, encrypted, and hashed data.
#
# WARNING: Not all combinations of algorithms and key lengths are supported.
# If you choose to use a key length greater than 128, you MUST download the
# unlimited strength policy files and install in the lib directory of your JRE/JDK.
# See http://java.sun.com/javase/downloads/index.jsp for more information.
#
# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
# possible, these methods should be avoided as they use ECB cipher mode, which in almost
# all circumstances a poor choice because of it's weakness. CBC cipher mode is the default
# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0.  In general, you
# should only use this compatibility setting if you have persistent data encrypted with
# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
# you have decrypted all of your old encrypted data and then re-encrypted it with
# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
# with the new 2.0 methods, make sure that you use the same cipher algorithm for both
# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
# where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
# that requires downloading the special jurisdiction policy files mentioned above.)
#
#  ***** IMPORTANT: These are for JUnit testing. Test files may have been
#       encrypted using these values so do not change these or
#       those tests will fail. The version under
#       src/main/resources/.esapi/ESAPI.properties
#       will be delivered with Encryptor.MasterKey and
#       Encryptor.MasterSalt set to the empty string.
#
#       FINAL NOTE:
#                           If Maven changes these when run, that needs to be fixed.
#       256-bit key... requires unlimited strength jurisdiction policy files
### Encryptor.MasterKey=pJhlri8JbuFYDgkqtHmm9s0Ziug2PE7ovZDyEPm4j14=
#       128-bit key
Encryptor.MasterKey=a6H9is3hEVGKB4Jut+lOVA==
Encryptor.MasterSalt=SbftnvmEWD5ZHHP+pX3fqugNysc=

# Encryptor.MasterSalt=

# Provides the default JCE provider that ESAPI will "prefer" for its symmetric
# encryption and hashing. (That is it will look to this provider first, but it
# will defer to other providers if the requested algorithm is not implemented
# by this provider.) If left unset, ESAPI will just use your Java VM's current
# preferred JCE provider, which is generally set in the file
# "$JAVA_HOME/jre/lib/security/java.security".
#
# The main intent of this is to allow ESAPI symmetric encryption to be
# used with a FIPS 140-2 compliant crypto-module. For details, see the section
# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
# the ESAPI 2.0 Symmetric Encryption User Guide, at:
# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
# However, this property also allows you to easily use an alternate JCE provider
# such as "Bouncy Castle" without having to make changes to "java.security".
# See Javadoc for SecurityProviderLoader for further details. If you wish to use
# a provider that is not known to SecurityProviderLoader, you may specify the
# fully-qualified class name of the JCE provider class that implements
# java.security.Provider. If the name contains a '.', this is interpreted as
# a fully-qualified class name that implements java.security.Provider.
#
# NOTE: Setting this property has the side-effect of changing it in your application
#       as well, so if you are using JCE in your application directly rather than
#       through ESAPI (you wouldn't do that, would you? ;-), it will change the
#       preferred JCE provider there as well.
#
# Default: Keeps the JCE provider set to whatever JVM sets it to.
Encryptor.PreferredJCEProvider=

# AES is the most widely used and strongest encryption algorithm. This
# should agree with your Encryptor.CipherTransformation property.
# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is
# very weak. It is essentially a password-based encryption key, hashed
# with MD5 around 1K times and then encrypted with the weak DES algorithm
# (56-bits) using ECB mode and an unspecified padding (it is
# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
# "AES/CBC/PKCSPadding". If you want to change these, change them here.
# Warning: This property does not control the default reference implementation for
#     ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
#     in the future.
# @deprecated
Encryptor.EncryptionAlgorithm=AES
#  For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding

# Applies to ESAPI 2.0 and later only!
# Comma-separated list of cipher modes that provide *BOTH*
# confidentiality *AND* message authenticity. (NIST refers to such cipher
# modes as "combined modes" so that's what we shall call them.) If any of these
# cipher modes are used then no MAC is calculated and stored
# in the CipherText upon encryption. Likewise, if one of these
# cipher modes is used with decryption, no attempt will be made
# to validate the MAC contained in the CipherText object regardless
# of whether it contains one or not. Since the expectation is that
# these cipher modes support support message authenticity already,
# injecting a MAC in the CipherText object would be at best redundant.
#
# Note that as of JDK 1.5, the SunJCE provider does not support *any*
# of these cipher modes. Of these listed, only GCM and CCM are currently
# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
# padding modes.
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC

# Applies to ESAPI 2.0 and later only!
# Additional cipher modes allowed for ESAPI 2.0 encryption. These
# cipher modes are in _addition_ to those specified by the property
# 'Encryptor.cipher_modes.combined_modes'.
# Note: We will add support for streaming modes like CFB & OFB once
# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
# (probably in ESAPI 2.1).
#
# IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB
#     here as this is an extremely weak mode. However, we *must*
#     allow it here so we can test ECB mode. That is important
#     since the logic is somewhat different (i.e., ECB mode does
#     not use an IV).
# DISCUSS: Better name?
# NOTE: ECB added only for testing purposes. Don't try this at home!
Encryptor.cipher_modes.additional_allowed=CBC,ECB

# 128-bit is almost always sufficient and appears to be more resistant to
# related key attacks than is 256-bit AES. Use '_' to use default key size
# for cipher algorithms (where it makes sense because the algorithm supports
# a variable key size). Key length must agree to what's provided as the
# cipher transformation, otherwise this will be ignored after logging a
# warning.
#
# NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
Encryptor.EncryptionKeyLength=128

# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
# (All cipher modes except ECB require an IV.) There are two choices: we can either
# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
# the IV does not need to be hidden from adversaries, it is important that the
# adversary not be allowed to choose it. Also, random IVs are generally much more
# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
# such as CFB and OFB use a different IV for each encryption with a given key so
# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
# uncomment the Encryptor.fixedIV.
#
# Valid values:  random|fixed|specified  'specified' not yet implemented; planned for 2.1
Encryptor.ChooseIVMethod=random
# If you choose to use a fixed IV, then you must place a fixed IV here that
# is known to all others who are sharing your secret key. The format should
# be a hex string that is the same length as the cipher block size for the
# cipher algorithm that you are using. The following is an example for AES
# from an AES test vector for AES-128/CBC as described in:
# NIST Special Publication 800-38A (2001 Edition)
# "Recommendation for Block Cipher Modes of Operation".
# (Note that the block size for AES is 16 bytes == 128 bits.)
#
Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f

# Whether or not CipherText should use a message authentication code (MAC) with it.
# This prevents an adversary from altering the IV as well as allowing a more
# fool-proof way of determining the decryption failed because of an incorrect
# key being supplied. This refers to the "separate" MAC calculated and stored
# in CipherText, not part of any MAC that is calculated as a result of a
# "combined mode" cipher mode.
#
# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
# set this property to false.
Encryptor.CipherText.useMAC=true

# Whether or not the PlainText object may be overwritten and then marked
# eligible for garbage collection. If not set, this is still treated as 'true'.
Encryptor.PlainText.overwrite=true

# Do not use DES except in a legacy situations. 56-bit is way too small key size.
#Encryptor.EncryptionKeyLength=56
#Encryptor.EncryptionAlgorithm=DES

# TripleDES is considered strong enough for most purposes.
# Note: There is also a 112-bit version of DESede. Using the 168-bit version
#   requires downloading the special jurisdiction policy from Sun.
#Encryptor.EncryptionKeyLength=168
#Encryptor.EncryptionAlgorithm=DESede

Encryptor.HashAlgorithm=SHA-512
Encryptor.HashIterations=1024
Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
Encryptor.DigitalSignatureKeyLength=1024
Encryptor.RandomAlgorithm=SHA1PRNG
Encryptor.CharacterEncoding=UTF-8

# Currently supported choices for JDK 1.5 and 1.6 are:
# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and
# HmacSHA512 (512 bits).
# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though
# these JDKs support it.
Encryptor.KDF.PRF=HmacSHA256


#===========================================================================
# ESAPI HttpUtilties
#
# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
# protect against malicious data from attackers, such as unprintable characters, escaped characters,
# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
# headers, and CSRF tokens.
#
# Default file upload location (remember to escape backslashes with \\)
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
# let this default to java.io.tmpdir for testing
#HttpUtilities.UploadTempDir=C:\\temp
# Force flags on cookies, if you use HttpUtilities to set cookies
HttpUtilities.ForceHttpOnlySession=false
HttpUtilities.ForceSecureSession=false
HttpUtilities.ForceHttpOnlyCookies=true
HttpUtilities.ForceSecureCookies=true

# Maximum size of HTTP headers
HttpUtilities.MaxHeaderSize=4096
# File upload configuration
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
HttpUtilities.MaxUploadFileBytes=500000000

# Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
# container, and any other technologies you may be using. Failure to do this may expose you
# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
HttpUtilities.ResponseContentType=text/html; charset=UTF-8
# This is the name of the cookie used to represent the HTTP session
# Typically this will be the default "JSESSIONID"
HttpUtilities.HttpSessionIdName=JSESSIONID

 

#===========================================================================
# ESAPI Executor
# CHECKME - Not sure what this is used for, but surely it should be made OS independent.
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe


#===========================================================================
# ESAPI Logging
# Set the application name if these logs are combined with other applications
Logger.ApplicationName=ExampleApplication
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
Logger.LogEncodingRequired=false
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
Logger.LogApplicationName=true
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
Logger.LogServerIP=true
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
# want to place it in a specific directory.
Logger.LogFileName=ESAPI_logging_file
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
Logger.MaxLogFileSize=10000000


#===========================================================================
# ESAPI Intrusion Detection
#
# Each event has a base to which .count, .interval, and .action are added
# The IntrusionException will fire if we receive "count" events within "interval" seconds
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
#  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
#
# Custom Events
# Names must start with "event." as the base
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
# You can also disable intrusion detection completely by changing
# the following parameter to true
#
IntrusionDetector.Disable=false
#
IntrusionDetector.event.test.count=2
IntrusionDetector.event.test.interval=10
IntrusionDetector.event.test.actions=disable,log

# Exception Events
# All EnterpriseSecurityExceptions are registered automatically
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
# Use the fully qualified classname of the exception as the base

# any intrusion is an attack
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

# for test purposes
# CHECKME: Shouldn't there be something in the property name itself that designates
#     that these are for testing???
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout

# rapid validation errors indicate scans or attacks in progress
# org.owasp.esapi.errors.ValidationException.count=10
# org.owasp.esapi.errors.ValidationException.interval=10
# org.owasp.esapi.errors.ValidationException.actions=log,logout

# sessions jumping between hosts indicates session hijacking
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout


#===========================================================================
# ESAPI Validation
#
# The ESAPI Validator works on regular expressions with defined names. You can define names
# either here, or you may define application specific patterns in a separate file defined below.
# This allows enterprises to specify both organizational standards as well as application specific
# validation rules.
#
Validator.ConfigurationFile=validation.properties

# Validators used by ESAPI
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
Validator.RoleName=^[a-z]{1,20}$
Validator.Redirect=^\\/test.*$

# Global HTTP Validation Rules
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
Validator.HTTPScheme=^(http|https)$
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
Validator.HTTPURL=^.*$
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$

# Contributed by Fraenku@gmx.ch
# Googlecode Issue 116 (http://code.google.com/p/owasp-esapi-java/issues/detail?id=116)
Validator.HTTPParameterName=^[a-zA-Z0-9_\\-]{1,32}$
Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$
Validator.HTTPContextPath=^/[a-zA-Z0-9.\\-_]*$
Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$
Validator.HTTPURI=^/([a-zA-Z0-9.\\-_]*/?)*$


# Validation of file related input
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$

# Validation of dates. Controls whether or not 'lenient' dates are accepted.
# See DataFormat.setLenient(boolean flag) for further details.
Validator.AcceptLenientDates=false 

   

validation.properties

# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved,
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validation." For example:
#   Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
#
# Then you can validate in your code against the pattern like this:
#     ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull);
# Where maxLength and allowNull are set for you needs, respectively.
#
# But note, when you use boolean variants of validation functions, you lose critical
# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and
# and use the returned user input which is in canonical form. Consider the following:

# try {
#    someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
#
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$

 

 

 

ESAPI FileBaseAuthenticator 사용예제

<참고>파일기반의인증을 사용하기 위해서는 users.txt 파일을 구성파일 저장폴더에 먼저 생성해야한다. LAB에서는 D:\config\users.txt 를 생성한다.

ESAPI 요청을 처리는 ESAPIController.java 에서 처리한다.


(1)  사용자 등록


ESAPI 인증을 처리하기 위해 먼저 사용자를 등록한다.

testAuthenticator.txt


 @RequestMapping(value="/test/esapi_authenticator_test.do", method = RequestMethod.POST)

 @ResponseBody

 public String testAuthenticator(HttpServletRequest request, 

                                              HttpServletResponse response, HttpSession session){

         StringBuffer buffer=new StringBuffer();
         String id=request.getParameter("id");
         String passwd=request.getParameter("passwd");
         try {
              User user= ESAPI.authenticator().createUser(id, passwd, passwd);
              user.enable();
              buffer.append("계정등록완료<br/>");
         } catch (AuthenticationException e) {
             e.printStackTrace();
    buffer.append("계정등록 오류발생");    
   }
         return buffer.toString();
  }


  

(2) 로그인 처리 

ESAPI Authenticator 를 이용하여 로그인을 처리한다.   

testLogin.txt


@RequestMapping(value="/test/esapi_login_test.do", method = RequestMethod.POST)
 @ResponseBody
 public String testLogin(HttpServletRequest request, 
   HttpServletResponse response, HttpSession session){
      StringBuffer buffer=new StringBuffer();
         String id=request.getParameter("id");
         String passwd=request.getParameter("passwd");
         FileBasedAuthenticator auth=
                (FileBasedAuthenticator)ESAPI.authenticator();
         try {
                 ESAPI.httpUtilities().setCurrentHTTP(request, response);
                 auth.login(request,response);
                 User user=auth.getUser(id);    
                 buffer.append("로그인완료<br/>");
         } catch (AuthenticationException e) {
                 e.printStackTrace();
                 buffer.append("로그인 오류발생");    
        }
         return buffer.toString();
  }


(3) 로그아웃 처리   

ESAPI 로그아웃을 처리한다.

testLogout.txt



@RequestMapping(value="/test/esapi_logout_test.do", method = RequestMethod.GET)
 @ResponseBody
 public String testLogout(HttpServletRequest request){
     StringBuffer buffer=new StringBuffer();
     ESAPI.authenticator().logout();
     buffer.append("로그아웃 완료");
     return buffer.toString();  
 }

 

(4) BASE64 인코딩 처리 

 ESAPI Encoder 의 인코딩 메서드를 이용하여 Base64 인코딩을 처리한다.

testEncoding.txt


@RequestMapping(value="/test/esapi_encode_test.do",method = RequestMethod.POST)

 @ResponseBody
 public String testEncoding(HttpServletRequest request) {
  
  String data=request.getParameter("data");
  if ( data != null )
            return ESAPI.encoder().encodeForBase64(data.getBytes(), true);
  else 
            return "encoding test 오류";
 }

 
 

(5) Encoder를 이용하여 XSS 취약점 제거

 

testXss.txt

// ESAPI Encoder를 이용하여 XSS 취약점을 제거한다.


 @RequestMapping(value="/test/esapi_xss_test.do", method = RequestMethod.POST)

 @ResponseBody
 public String testXss(HttpServletRequest request) {
        StringBuffer buffer=new StringBuffer();
        String data=request.getParameter("data");

        buffer.append(ESAPI.encoder().encodeForHTML(data));

        return buffer.toString();
  
 }


 

(6) Encoder를 이용하여 SQL 인젝션 취약점 제거


testSqlInjection.txt

// ESAPI Encoder를 이용하여 SQL 인젝션 취약점을 제거한다.


@RequestMapping(value="/test/esapi_sql_test.do", method = RequestMethod.POST)
 @ResponseBody
 public String testSqlInjection(HttpServletRequest request){
  StringBuffer buffer=new StringBuffer();
  String id=request.getParameter("id");
  String passwd=request.getParameter("passwd");
  buffer.append("결과: "+readDB(id, passwd));
        return buffer.toString();
  
 }

 



readDB.txt


public String readDB(String id, String passwd) {

  StringBuffer  result=new StringBuffer();
  Connection con=null;
  //Statement st=null;
  Statement st=null;
  ResultSet rs=null;
  InputStream is =
       this.getClass().getClassLoader().getResourceAsStream("config/dbconn.properties");
  Properties props = new Properties();
  try {
     props.load(is);
     String driver = props.getProperty("jdbc.driver");
     String url = props.getProperty("jdbc.url");
     String username = props.getProperty("jdbc.username");
     String password = props.getProperty("jdbc.password");
     System.out.println(driver+url+username+password);
     Class.forName(driver);
     con=DriverManager.getConnection(url, username, password);
     st=con.createStatement();
     Codec MYSQL_CODEC = new MySQLCodec(Mode.STANDARD);
     String query =        
             "select * from jmboard_member where userid='"+
              ESAPI.encoder().encodeForSQL( MYSQL_CODEC, id) +"'"+
              "and userpw='"+
              ESAPI.encoder().encodeForSQL( MYSQL_CODEC, passwd)+"'";
   
     rs=st.executeQuery(query);
     if ( rs.next() ) {
         result.append("ID: "+rs.getString(2));
         result.append("    PASSWORD: "+rs.getString(3));
     }else {
      result.append("등록되어있지 않은 계정입니다.");
     }
  } catch (Exception e) {
        e.printStackTrace();
     System.err.println("Load failed");
  } finally {
   if ( rs != null ) try { rs.close(); }catch(SQLException e){}
   if ( st != null ) try { st.close(); }catch(SQLException e){}
   if ( con != null ) try { con.close(); }catch(SQLException e){}
            
   return result.toString();
  }





ESAPI에서 CSRF 토큰사용하기



// ESAPI CSRF 토큰 설정 기능을 사용한다.


private String csrfToken = resetCSRFToken();

public String resetCSRFToken() {

    csrfToken = ESAPI.randomizer().getRandomString(8,DefaultEncoder.CHAR_ALPHANUMERICS);

    return csrfToken;

}




// 히든 필드에 파라메터로 토큰을 추가한다. 


final static String CSRF_TOKEN_NAME = "cftoken";

public String addCSRFToken(String href) {

        User user = ESAPI.authenticator().getCurrentUser();

        String token = CSRF_TOKEN_NAME + "=" + user.getCSRFToken();

        return href.indexOf( '?') != -1 ? href + "&amp;" + token : href + "?" + token;

}


 

// 사용자 요청에 대해 CSRF 토큰을 얻어온다.


public String getCSRFToken() { 

        User user = ESAPI.authenticator().getCurrentUser();

        if (user == null) return null;

        return user.getCSRFToken();

 }




// 서버 사이드에서 세션의 사용자 오브젝트에 있는 토큰과 제출된 토큰이 일치하는지 체크한다.


public void verifyCSRFToken(HttpServletRequest request) throws IntrusionException {

        User user = ESAPI.authenticator().getCurrentUser();

        if( request.getAttribute(user.getCSRFToken()) != null ) {

                return;

        }


        String token = request.getParameter(CSRF_TOKEN_NAME);

        if ( !user.getCSRFToken().equals( token ) ) {

                throw new IntrusionException("Authentication failed", 

                     "Possibly forged HTTP request without proper CSRF token detected");

        }

}




블로그 이미지

오픈이지 제로킴

시큐어코딩 교육/컨설팅 전문가 그룹

티스토리 툴바