[OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

Boberski, Michael [USA] boberski_michael at bah.com
Wed Aug 26 09:02:14 EDT 2009


Well, it doesn't require calling the application that ESAPI is integrated into.

Mike B.


________________________________
From: Jeff Williams [mailto:jeff.williams at owasp.org]
Sent: Wednesday, August 26, 2009 8:51 AM
To: Boberski, Michael [USA]; 'owasp-esapi'
Subject: RE: [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

Seriously?

In order for an attacker to misuse this method, they must be able to invoke it.  That's no different than any other method available in ESAPI or the JDK, such as Runtime.exec().  Do you consider those backdoors?

Also, you have to be able to create accounts with roles to set up the system the first time.  And even if you removed this method, if the attacker can invoke arbitrary API methods, then they could just invoke each of the necessary methods one-by-one.

We've discussed moving some of the 'administrative' API calls into a separate JAR file in the past, but have never been able to come up with a scheme for splitting the baby.  One application may need to programmatically add users, another might need to programmatically lock users, etc...?

--Jeff


From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Wednesday, August 26, 2009 8:36 AM
To: owasp-esapi
Subject: [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

Hi, a question about the main method in the Authenticator reference implementation.

Why wouldn't that be considered a back door, i.e., malicious code?

Thanks in advance!

Mike B.