[Esapi-user] Esapi-user Digest, Vol 6, Issue 19

Tarcizio Vieira Neto tarciziovn at gmail.com
Fri May 28 09:22:14 EDT 2010


Kevin,

First of all, thanks for the answers to my questions.

1 - About Swingset: I had a brief look at Swingset, but it didn't meet my
needs. I observed that a lot of actions (secure/insecure) have no method
implementations because those implementations are in the JSP files that
submit the action to the same page. So, using Swingset it is very hard to
compare the difference just by looking at the secure/insecure versions of
the JSP.

I think that a functional application (like a petstore, or any other) in
which we can see all the differences in implementation would provide a
before/after comparison, especially when we submit both versions to a black
box security scanner. This would be helpful for teaching the potential of
ESAPI and showing the advantages of using it, or for showing a proof of
concept to a technical team.

Another thing that I observed is about filters. The Swingset example doesn't
use the full potential of filters, because it shows each vulnerability
being solved in JSP code, but in real applications I believe that we must
solve the vulnerabilities, when possible, with filters.

So, whoever only uses Swingset to learn how to protect the application may
not use the full potential of filters, and that raises the risk of not
following the best way to protect the application. This is especially true
for the use of the WAF, which does a lot of things automatically just by
configuring the policy file. It avoids the creation of unnecessary code in
filters or in action classes, either by configuring the WAF policy file or
by creating a BeanShell script linked in the WAF policy file.

Obviously Swingset was created to teach how to use ESAPI in a simple
manner, but the challenge now is to find/develop an application that shows
how to use ESAPI in a better way, by activating filters and by creating
your own filters for special needs.

Does anyone share this opinion with me? It would be nice if the ESAPI
experts could develop something like that.

2 - About the question about RequestRateThrottleFilter, the answer is no.
Using this filter, I believe, is simple (just enable the filter by
configuring it in web.xml). I asked about RequestRateThrottleFilter because
we want to use it in other non-Java systems, like ASP, PHP, etc.


So far, thanks for the answers to my questions.


Regards,

Tarcizio
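
As an added illustration (not ESAPI's own code and not part of the original message), the request-rate throttling idea behind RequestRateThrottleFilter written in Python so it can be carried to a non-Java stack: keep the most recent `hits` request timestamps per session and reject a request when `hits` of them fall within `period` seconds. The class name, its defaults and the `simulate` helper are assumptions made for this example.

```python
import time
from collections import deque


class RequestRateThrottle:
    """Per-session sliding-window throttle (added illustration, not ESAPI code).

    A request is rejected when it is the `hits`-th request from the same
    session within `period` seconds. Rejected requests still count, so a
    client that keeps hammering stays throttled until it slows down.
    """

    def __init__(self, hits=5, period=10.0):
        # Defaults are assumptions for this example, not ESAPI's values.
        if hits < 2 or period <= 0:
            raise ValueError("hits must be >= 2 and period > 0")
        self.hits = hits
        self.period = period
        # session id -> timestamps of the most recent `hits` requests
        self._history = {}

    def allow(self, session_id, now=None):
        """Return True if the request may proceed, False if it should get
        a 429/503-style rejection. `now` is injectable for testing."""
        now = time.monotonic() if now is None else now
        stamps = self._history.setdefault(session_id, deque())
        stamps.append(now)
        # Only the last `hits` timestamps matter for the decision.
        while len(stamps) > self.hits:
            stamps.popleft()
        # If the oldest of the last `hits` requests is still inside the
        # window, this session made `hits` requests in under `period` seconds.
        if len(stamps) == self.hits and now - stamps[0] < self.period:
            return False
        return True

    def forget(self, session_id):
        """Drop state for a session (e.g. on logout or session expiry)."""
        self._history.pop(session_id, None)


def simulate(throttle, session_id, times):
    """Feed a constructed list of request times and return the decisions."""
    return [throttle.allow(session_id, t) for t in times]


if __name__ == "__main__":
    # Constructed sample: 3 hits per 10 seconds, one session.
    t = RequestRateThrottle(hits=3, period=10.0)
    print(simulate(t, "session-A", [0.0, 1.0, 2.0, 20.0, 21.0, 22.0]))
```

In a servlet container the session id would come from the HttpSession, and in PHP or ASP from the framework's session; the decision logic itself stays the same.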


2010/5/26 <esapi-user-request at lists.owasp.org>

> Send Esapi-user mailing list submissions to
>        esapi-user at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.owasp.org/mailman/listinfo/esapi-user
> or, via email, send a message with subject or body 'help' to
>        esapi-user-request at lists.owasp.org
>
> You can reach the person managing the list at
>        esapi-user-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Esapi-user digest..."
>
>
> Today's Topics:
>
>   1. Sample Java Web Application with ESAPI (Tarcizio Vieira Neto)
>   2. Re: Sample Java Web Application with ESAPI (Kevin W. Wall)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 25 May 2010 21:27:08 -0300
> From: Tarcizio Vieira Neto <tarciziovn at gmail.com>
> Subject: [Esapi-user] Sample Java Web Application with ESAPI
> To: esapi-user at lists.owasp.org
> Message-ID:
>        <AANLkTimikdkfFg-MZyHK19N70B69jCgQNGOtn3yrS9aw at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Is there any Java Web Application sample with an insecure version and a new
> version with security improvements using ESAPI?
>
> I'm asking this because I'm learning about ESAPI and I'm not feeling secure
> about the right way to use filters and ESAPI classes.
>
> If this application doesn't exist, it would be a good idea to construct it
> to help the users learn how to implement security in their applications
> with ESAPI and, most important: how to do this in the best way.
>
> Regards,
>
> Tarcizio
> SERPRO - Federal Data Processing Service - Brazil
>
> ------------------------------
>
> Message: 2
> Date: Wed, 26 May 2010 07:23:24 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] Sample Java Web Application with ESAPI
> To: Tarcizio Vieira Neto <tarciziovn at gmail.com>
> Cc: esapi-user at lists.owasp.org
> Message-ID: <4BFD04AC.7050002 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Tarcizio Vieira Neto wrote:
> > Is there any Java Web Application sample with an insecure version and a
> > new version with security improvements using ESAPI?
> >
> > I'm asking this because I'm learning about ESAPI and I'm not feeling
> > secure about the right way to use filters and ESAPI classes.
> >
> > If this application doesn't exist, it would be a good idea to construct
> > it to help the users learn how to implement security in their
> > applications with ESAPI and, most important: how to do this in the best
> > way.
>
> Have you taken a look at Swingset?
>   http://www.owasp.org/index.php/ESAPI_Swingset
>
> Or were you looking for something specific, such as how to
> configure the RequestRateThrottleFilter that you mentioned
> yesterday?
>
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
>
>
> ------------------------------
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
> End of Esapi-user Digest, Vol 6, Issue 19
> *****************************************
>