[Owasp-appsensor-project] ESAPI WAF Contribution

John Melton jtmelton at gmail.com
Tue Feb 14 03:41:47 UTC 2012


After a quick look - there's nothing that would break functionality w/
appsensor. Things are done slightly differently, and there's some
overlapping functionality (blocking/redirection), but it doesn't break
anything for us.

The one proposed change that makes the most sense for appsensor to
implement is the "mode" where all parms are validated against a simple
constrained whitelist. We in essence get that for free if you use it
with ESAPI (via the SafeRequest API b/c an exception is thrown if you
try to getParameter w/ data that doesn't match the regex in the ESAPI
config file), but it could be useful in the case where appsensor is
used in standalone mode. I'll add it to the list. Thanks for the heads
up.

John

On Mon, Feb 13, 2012 at 9:11 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> Looping in the AppSensor team...
>
> Michael, John, Colin, et al,
>
> On Thu, Feb 2, 2012 at 1:45 PM, James Manico <jim at manico.net> wrote:
>> Looping in ESAPI leads...
>>
>> --
>> Jim Manico
>> VP, Security Architecture
>> WhiteHat Security
>> (808) 652-3805
>>
>> On Feb 2, 2012, at 8:42 AM, Jon Gill <jagill.vt at gmail.com> wrote:
>>
>> Hi Arshan & Jim,
>>
>> Roger and I had committed a contribution for ESAPI WAF back in August 2011.
>> I was just pinging you both in case you had not seen it.
>>
>> http://code.google.com/p/owasp-esapi-java/issues/detail?id=244
>>
>> Thanks!
>> Jon
>
> Can you take a look at this work that Jon Gill and Roger Seagle
> did regarding the extending ESAPI WAF and make sure that it is still
> compatible with using AppSensor within ESAPI? I'm not sure
> I could make an accurate assessment without diving significantly
> into AppSensor. The changes to ESAPI WAF are limited to these 6
> ESAPI source files:
>
>    src/main/java/org/owasp/esapi/waf/ESAPIWebApplicationFirewallFilter.java
>    src/main/java/org/owasp/esapi/waf/configuration/AppGuardianConfiguration.java
>    src/main/java/org/owasp/esapi/waf/configuration/ConfigurationParser.java
>    src/main/java/org/owasp/esapi/waf/rules/Rule.java
>    src/main/java/org/owasp/esapi/waf/rules/SimpleVirtualPatchRule.java
>    src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletRequest.java
>
> If these changes are not compatible with using AppSensor with ESAPI, would
> this be something that maybe the AppSensor gang would be interested in
> considering with a similar extension?
>
> Thanks,
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents."        -- Nathaniel Borenstein
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
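The "validate every parameter against a constrained whitelist" mode John describes above has two natural behaviours: fail closed on the first bad parameter (the way a getParameter() on ESAPI's SafeRequest throws when the value does not match the configured regex) or, for a standalone detector, record every violation as an event and let the caller decide whether to block, redirect or just log. The following is an added example illustrating both, not code from ESAPI, ESAPI WAF or AppSensor; the two whitelist regexes, the function names and the sample query strings are this example's own assumptions and are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed constrained whitelists. They are modelled loosely on the kind of
# HTTPParameterName / HTTPParameterValue regexes an ESAPI.properties file
# carries, but they are this example's own choices, not copied from any release.
PARAM_NAME_RE = re.compile(r"^[a-zA-Z0-9_]{1,32}$")
PARAM_VALUE_RE = re.compile(r"^[\w.\-/+=@ !$*?]{0,1000}$", re.ASCII)


class ValidationException(Exception):
    """Raised in 'enforce' mode on the first parameter that fails the whitelist."""


def check_param(name, value):
    """Return None if both name and value pass the whitelist, else a reason string.

    Names are checked as well as values: an attacker controls both, and a
    filter that only inspects values lets hostile bytes through in the key.
    """
    if not PARAM_NAME_RE.fullmatch(name):
        return "name fails whitelist"
    if not PARAM_VALUE_RE.fullmatch(value):
        return "value fails whitelist"
    return None


def validate_all_params(query_string, mode="enforce"):
    """Validate every parameter in a query string (every name and every value,
    repeated parameters included) against the constrained whitelist.

    mode="enforce": raise ValidationException on the first failure (fail closed).
    mode="detect":  never raise; return a list of violation events so a
                    standalone detector can count, block, redirect or log them.
    """
    if mode not in ("enforce", "detect"):
        raise ValueError(f"unknown mode: {mode!r}")
    # keep_blank_values=True so "flag" / "flag=" still get their name checked.
    params = parse_qs(query_string, keep_blank_values=True)
    events = []
    for name, values in params.items():
        for value in values:          # repeated parameters: check each value
            reason = check_param(name, value)
            if reason is None:
                continue
            if mode == "enforce":
                raise ValidationException(f"{name}: {reason}")
            events.append({"param": name, "value": value, "reason": reason})
    return events


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = "user=alice&page=2&q=hello+world&tag=a&tag=b"
# Hostile value in "q" plus a hostile parameter *name* ("us;er", percent-encoded).
HOSTILE_REQUEST = "user=alice&q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&us%3Ber=1"


if __name__ == "__main__":
    print("benign, detect mode:", validate_all_params(BENIGN_REQUEST, mode="detect"))
    print("hostile, detect mode:", validate_all_params(HOSTILE_REQUEST, mode="detect"))
    try:
        validate_all_params(HOSTILE_REQUEST)      # enforce mode
    except ValidationException as exc:
        print("hostile, enforce mode raised:", exc)
```

In enforce mode the caller never sees the hostile value, which is the SafeRequest behaviour; in detect mode the returned events are the raw material an AppSensor-style detection point would feed into its thresholds, so "block on any violation" and "block after N violations from one session" are both policies layered on top of the same whitelist check rather than separate validators.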