[OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

Boberski, Michael [USA] boberski_michael at bah.com
Wed Aug 26 10:03:08 EDT 2009


It instructs the integrator to figure out a way to e.g. add a directory user, using one of your examples. Which may be technically possible to do programmatically depending on the directory's configuration, but that's a larger and different problem. The hook shouldn't be integrated into apps, to guard against such misconfiguration.

Mike B.

-----Original Message-----
From: Boberski, Michael [USA] 
Sent: Wednesday, August 26, 2009 9:50 AM
To: 'Neil Matatall'
Cc: Rogan Dawes; 'owasp-esapi'
Subject: RE: [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

I'm not saying the rest is bad, just that the one method specifically, as an example of how to do this using an ESAPI, is bad.

Mike B.

-----Original Message-----
From: Neil Matatall [mailto:nmatatal at uci.edu]
Sent: Wednesday, August 26, 2009 9:46 AM
To: Boberski, Michael [USA]
Cc: Rogan Dawes; 'owasp-esapi'
Subject: Re: [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

my $.02

I pictured the FileBasedAuthenticator only as an example.  One that implements all the necessary methods and provides an example of how your reference should be implemented.  I'm not so sure any enterprise would use a file-based user list; rather they have some hook to LDAP, kerberos, SecurID, Shib, etc.

FileBasedAuthenticator does a lot of nice things that should be ported for any reference implementations.

Neil

> I'm thinking more generally, e.g. when integrating into an 
> enterprise's authentication service. I don't think the file reference 
> implementation sets a good example with this method.
>
> With this method, an unauthenticated management interface has been 
> introduced into the enterprise's authentication service, more generally.
> This is not the same as being able to arbitrarily call validation 
> routines, for comparison.
>
> Mike B.
>
>
> -----Original Message-----
> From: Rogan Dawes [mailto:rogan.dawes at gmail.com] On Behalf Of Rogan 
> Dawes
> Sent: Wednesday, August 26, 2009 9:09 AM
> To: Boberski, Michael [USA]
> Cc: jeff.williams at owasp.org; 'owasp-esapi'
> Subject: Re: [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?
>
> Boberski, Michael [USA] wrote:
>>
>> Well, it doesn't require calling the application that ESAPI is 
>> integrated into.
>>
>> Mike B.
>
> No it doesn't, and why should it? The underlying Auth DB may be used 
> by multiple applications. Which one should be invoked?
>
> I think the point that Jeff is trying to make is that IF you can get 
> to the point where you can invoke ESAPI calls on the machine that is 
> hosting the application, you could just as easily invoke any other 
> arbitrary commands. In that case, why should Authenticator.main() be 
> considered a backdoor, and "rm" not? rm also has a main() method . . .
>
> And of course, an attacker could write their own little snippet of 
> Java to invoke any other ESAPI or application methods (or download 
> BeanShell if there is no javac available).
>
> Rogan
>
>>
>>
>> *From:* Jeff Williams [mailto:jeff.williams at owasp.org]
>> *Sent:* Wednesday, August 26, 2009 8:51 AM
>> *To:* Boberski, Michael [USA]; 'owasp-esapi'
>> *Subject:* RE: [OWASP-ESAPI] In FileBasedAuthenticator, main == back 
>> door?
>>
>> Seriously?
>>
>>
>>
>> In order for an attacker to misuse this method, they must be able to 
>> invoke it.  That's no different than any other method available in 
>> ESAPI or the JDK, such as Runtime.exec().  Do you consider those 
>> backdoors?
>>
>>
>>
>> Also, you have to be able to create accounts with roles to set up the 
>> system the first time.  And even if you removed this method, if the 
>> attacker can invoke arbitrary API methods, then they could just 
>> invoke each of the necessary methods one-by-one.
>>
>>
>>
>> We've discussed moving some of the 'administrative' API calls into a 
>> separate JAR file in the past, but have never been able to come up 
>> with a scheme for splitting the baby.  One application may need to 
>> programmatically add users, another might need to programmatically 
>> lock users, etc...?
>>
>>
>>
>> --Jeff
>>
>>
>>
>>
>>
>> *From:* owasp-esapi-bounces at lists.owasp.org
>> [mailto:owasp-esapi-bounces at lists.owasp.org] *On Behalf Of *Boberski, 
>> Michael [USA]
>> *Sent:* Wednesday, August 26, 2009 8:36 AM
>> *To:* owasp-esapi
>> *Subject:* [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?
>>
>>
>>
>> Hi, a question about the main method in the Authenticator reference 
>> implementation.
>>
>>
>>
>> Why wouldn't that be considered a back door, i.e., malicious code?
>>
>>
>>
>> Thanks in advance!
>>
>>
>>
>> Mike B.
>>
>>
>>
>> _______________________________________________
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>
