OWASP - ESAPI

Ranch Hand
Posts: 590
Hi folks, I was just taking a look at the ESAPI for Java. Documentation seems to be a bit sparse, so I am wondering what exactly I get for free out-of-the-box with the package. How can this package enhance my security straight away?

All I can see that it gives me out-of-the-box is the ability to (a) do canonicalization and (b) encode and decode values, which is available from the Encoder interface. So this will allow me to do things like:

But the rest of the API just seems to be a framework for white-list validation that doesn't provide me anything out-of-the-box. So for example you can validate parameter values from a request using something like this:

But this requires that you have set up the validation rule in a properties file as follows:

So it doesn't give me anything out-of-the-box from the perspective of just being able to plug this API in and have it do something to protect me straight away.

Any ideas or thoughts on whether my understanding of what I get out-of-the-box is correct? At the moment, from the perspective of introducing a third-party API into my application, I am struggling to see the major benefits.
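As an added example (not code from the original post), the following shows how the two pieces the post describes fit together in ESAPI 2.x: canonicalize-then-encode through the Encoder interface, and white-list validation through the Validator interface backed by a rule in ESAPI.properties. It assumes the ESAPI jar and an ESAPI.properties file on the classpath; the class name EsapiInputDemo, the helper methods, and the custom Validator.Username rule are my own choices, while Validator.SafeString is a rule that ships with the default properties file.

```java
// Added example, not from the thread: white-list validation plus output encoding with ESAPI 2.x.
// Assumes the esapi jar and an ESAPI.properties on the classpath. The Validator.Username key
// referenced below is an assumed custom entry, not one that ships with ESAPI.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Logger;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class EsapiInputDemo {

    // Validation type names resolve to "Validator.<Type>" keys in ESAPI.properties.
    // SafeString ships with ESAPI; Username is an assumed custom entry, e.g.:
    //   Validator.Username=^[A-Za-z0-9_]{3,20}$
    static final String USERNAME_RULE = "Username";

    /**
     * White-list-validate a request parameter. Returns the validated value, or
     * null when the input is rejected. The ValidationException carries a
     * user-safe message (getUserMessage) and a fuller log message (getLogMessage).
     */
    static String validateUsername(String rawValue) {
        Validator validator = ESAPI.validator();
        try {
            // arguments: context, input, type, maxLength, allowNull
            return validator.getValidInput("username", rawValue, USERNAME_RULE, 20, false);
        } catch (ValidationException e) {
            // Log the detailed message; only e.getUserMessage() should ever reach the user.
            ESAPI.log().warning(Logger.SECURITY_FAILURE, e.getLogMessage());
            return null;
        } catch (IntrusionException e) {
            // Raised when canonicalization finds multiple or mixed encoding,
            // which ESAPI treats as an attack rather than a mere validation failure.
            ESAPI.log().warning(Logger.SECURITY_FAILURE, e.getLogMessage());
            return null;
        }
    }

    /** Canonicalize untrusted input, then encode it for the HTML body context. */
    static String renderForHtml(String untrusted) {
        Encoder encoder = ESAPI.encoder();
        // canonicalize() collapses percent-, entity- and JavaScript-encoded forms
        // (for example %3C, &lt; and \u003c) back to the literal character.
        String canonical = encoder.canonicalize(untrusted);
        return encoder.encodeForHTML(canonical);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one the rule accepts, one it rejects,
        // and a percent-encoded tag that must come out entity-encoded.
        System.out.println(validateUsername("alice_01"));
        System.out.println(validateUsername("<script>"));
        System.out.println(renderForHtml("%3Cscript%3E"));
    }
}
```

The point the post is making holds either way: nothing here runs unless your code calls it, and the validation rule only exists because the properties file defines it. What you get "for free" is a vetted canonicalizer and a set of context-specific encoders, so that the call site stays a one-liner instead of a hand-rolled regex.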
 
Owasp member
Posts: 4
ESAPI provides other functionality such as secure encryption, logging, and much more.

ESAPI is a library, not a product, so you have to implement it and plug it in as part of your application; that is, you have to call the appropriate classes and methods to secure your app. It does nothing by itself.

Maybe one benefit out of the box could be the ESAPI WAF, which is included in ESAPI. You only have to add the WAF filter to your web.config and make some changes to the waf-policy file; it has some predefined rules to add HttpOnly attributes to cookies and that sort of thing.

Anyway, the real benefit is that you have a library with proven secure components that you can use to secure your application right away, with no need for further coding and testing. You can see how to implement ESAPI with the ESAPI Swingset; this is an application that has examples of both unprotected and protected implementations of the different controls in ESAPI, and it serves as self-documentation for ESAPI:

http://www.owasp.org/index.php/ESAPI_Swingset

Hope it helps,
Juan Carlos Calderon