[OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

Boberski, Michael [USA] boberski_michael at bah.com
Wed Aug 26 09:25:20 EDT 2009


I'm thinking more generally, e.g. when integrating into an enterprise's authentication service. I don't think the file reference implementation sets a good example with this method.

With this method, an unauthenticated management interface has been introduced into the enterprise's authentication service, more generally. This is not the same as being able to arbitrarily call validation routines, for comparison.

Mike B.
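For readers weighing the two positions above, here is an added illustration (not ESAPI code, and not anything proposed by the people in this thread) of the design Mike is arguing for: the one operation the thread agrees must exist, creating an account with roles to stand the system up the first time, is kept as an explicit bootstrap step that only works on an empty store under an operator-set flag, while every later account change requires an authenticated caller holding an administrative role. Class names, method names and the "admin" role string are all hypothetical.

```java
// Added example, not from the ESAPI project. All names are hypothetical.
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class GatedUserAdmin {

    /** Minimal caller identity; a real application would take this from the session. */
    public static final class Principal {
        final String name;
        final Set<String> roles;
        Principal(String name, Set<String> roles) {
            this.name = name;
            this.roles = new HashSet<>(roles);
        }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    private final Map<String, Set<String>> users = new HashMap<>();
    private final boolean bootstrapEnabled;

    /**
     * @param bootstrapEnabled an explicit deploy-time decision (e.g. a configuration
     *        property) that permits creating the first administrator while the store is empty.
     */
    public GatedUserAdmin(boolean bootstrapEnabled) {
        this.bootstrapEnabled = bootstrapEnabled;
    }

    /** First-run step: allowed only while the store is empty and bootstrap is switched on. */
    public void bootstrapFirstAdmin(String name) {
        if (!bootstrapEnabled || !users.isEmpty()) {
            throw new IllegalStateException("bootstrap not permitted");
        }
        users.put(name, new HashSet<>(Set.of("admin")));
        audit("bootstrap", name, "admin");
    }

    /** Administrative operation: requires an authenticated caller holding the admin role. */
    public void createUser(Principal caller, String name, Set<String> roles) {
        if (caller == null || !caller.hasRole("admin")) {
            audit("denied createUser", caller == null ? "<anonymous>" : caller.name, name);
            throw new SecurityException("administrative privilege required");
        }
        if (users.containsKey(name)) {
            throw new IllegalArgumentException("user exists: " + name);
        }
        users.put(name, new HashSet<>(roles));
        audit("createUser by " + caller.name, name, String.join(",", roles));
    }

    public Set<String> rolesOf(String name) {
        return users.getOrDefault(name, Set.of());
    }

    private static void audit(String action, String subject, String detail) {
        // Stand-in for the application's audit log: every grant and every refusal is recorded.
        System.out.println("AUDIT " + action + " subject=" + subject + " detail=" + detail);
    }

    public static void main(String[] args) {
        // Deliberately no account manipulation driven by command-line arguments here;
        // main only walks through the gated API so the flow can be seen end to end.
        GatedUserAdmin admin = new GatedUserAdmin(true);
        admin.bootstrapFirstAdmin("first-admin");
        Principal root = new Principal("first-admin", admin.rolesOf("first-admin"));
        admin.createUser(root, "alice", Set.of("user"));
        try {
            admin.createUser(null, "mallory", Set.of("admin"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("alice roles: " + admin.rolesOf("alice"));
    }
}
```

The point of the split is the one Jeff raises: programmatic user creation still exists for applications that need it, but it is reachable only through a caller that has already authenticated, and the first-run path closes itself as soon as the store is non-empty, so there is no standing unauthenticated entry point to audit around.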


-----Original Message-----
From: Rogan Dawes [mailto:rogan.dawes at gmail.com] On Behalf Of Rogan Dawes
Sent: Wednesday, August 26, 2009 9:09 AM
To: Boberski, Michael [USA]
Cc: jeff.williams at owasp.org; 'owasp-esapi'
Subject: Re: [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

Boberski, Michael [USA] wrote:
> 
> Well, it doesn't require calling the application that ESAPI is 
> integrated into.
>  
> Mike B.

No it doesn't, and why should it? The underlying Auth DB may be used by multiple applications. Which one should be invoked?

I think the point that Jeff is trying to make is that IF you can get to the point where you can invoke ESAPI calls on the machine that is hosting the application, you could just as easily invoke any other arbitrary commands. In that case, why should Authenticator.main() be considered a backdoor, and "rm" not? rm also has a main() method . . .

And of course, an attacker could write their own little snippet of Java to invoke any other ESAPI or application methods (or download BeanShell if there is no javaC available).

Rogan

>  
> 
> *From:* Jeff Williams [mailto:jeff.williams at owasp.org]
> *Sent:* Wednesday, August 26, 2009 8:51 AM
> *To:* Boberski, Michael [USA]; 'owasp-esapi'
> *Subject:* RE: [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?
> 
> Seriously?
> 
>  
> 
> In order for an attacker to misuse this method, they must be able to 
> invoke it.  That's no different than any other method available in 
> ESAPI or the JDK, such as Runtime.exec().  Do you consider those backdoors?
> 
>  
> 
> Also, you have to be able to create accounts with roles to set up the 
> system the first time.  And even if you removed this method, if the 
> attacker can invoke arbitrary API methods, then they could just invoke 
> each of the necessary methods one-by-one.
> 
>  
> 
> We've discussed moving some of the 'administrative' API calls into a 
> separate JAR file in the past, but have never been able to come up 
> with a scheme for splitting the baby.  One application may need to 
> programmatically add users, another might need to programmatically 
> lock users, etc...?
> 
>  
> 
> --Jeff
> 
>  
> 
>  
> 
> *From:* owasp-esapi-bounces at lists.owasp.org
> [mailto:owasp-esapi-bounces at lists.owasp.org] *On Behalf Of *Boberski, 
> Michael [USA]
> *Sent:* Wednesday, August 26, 2009 8:36 AM
> *To:* owasp-esapi
> *Subject:* [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?
> 
>  
> 
> Hi, a question about the main method in the Authenticator reference 
> implementation.
> 
>  
> 
> Why wouldn't that be considered a back door, i.e., malicious code?
> 
>  
> 
> Thanks in advance!
> 
>  
> 
> Mike B.
> 
> 


