[OWASP-ESAPI] FW: PHP_ESAPI

Linden Darling Linden.Darling at jds.net.au
Sun Mar 29 04:53:16 EDT 2009


By browsing the 'source' area of owasp_esapi_php on google code you will find the code for the latest revision. E.g.: http://code.google.com/p/owasp-esapi-php/source/browse/#svn/trunk/src

By pressing the 'PHP' tab on the OWASP ESAPI Project page you will see information pertaining to the ESAPI for PHP Project: http://www.owasp.org/index.php/ESAPI#tab=PHP

~~~~~~~~~~~~~~
Linden Darling
JDS Australia
~~~~~~~~~~~~~~

-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org on behalf of owasp-esapi-request at lists.owasp.org
Sent: Fri 27/03/2009 22:51
To: owasp-esapi at lists.owasp.org
Subject: OWASP-ESAPI Digest, Vol 18, Issue 16
 
Send OWASP-ESAPI mailing list submissions to
	owasp-esapi at lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.owasp.org/mailman/listinfo/owasp-esapi
or, via email, send a message with subject or body 'help' to
	owasp-esapi-request at lists.owasp.org

You can reach the person managing the list at
	owasp-esapi-owner at lists.owasp.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OWASP-ESAPI digest..."


Today's Topics:

   1. Re: ESAPI : CSRF with struts (Sukhmeet Sethi (India))
   2. Ronald A Garlit/AMER/AEB/AEXP is out of the office.
      (Ronald A Garlit)
   3. FW: PHP_ESAPI (Nilesh Kumar (India))


----------------------------------------------------------------------

Message: 1
Date: Fri, 27 Mar 2009 13:48:40 +0530
From: "Sukhmeet Sethi (India)" <Sukhmeet.Sethi at sdgc.com>
Subject: Re: [OWASP-ESAPI] ESAPI : CSRF with struts
To: "Jim Manico" <jim.manico at owasp.org>,	<owasp-esapi at lists.owasp.org>
Message-ID:
	<B3A4B574404BA3449A74A5B78B5F2594544F48 at sdgind015.india.sdgc.com>
Content-Type: text/plain; charset="us-ascii"

Thanks for the quick response. I will implement this and let you know.
 
Sukhi
 
-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, March 27, 2009 12:50 PM
To: Sukhmeet Sethi (India); owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] ESAPI : CSRF with struts
 
I feel you only want CSRF tokens when user actions change the state of
data. So what I do is:

1) After successful login, I generate a CSRF token and stick it in
session for that user (I think unique per-request CSRF tokens are
overkill).
2) Whenever I build a form that necessitates CSRF protection, I stick in
a CSRF hidden variable in it.  <html:hidden property="csrf" />
    2a) My Struts form objects all descend from a parent that
automatically populates the CSRF token if it exists in the form (see
below) so all I need to do is drop in the csrf hidden variable.
    2b) I then add verifyCSRFToken() to the top of actions that need to
enforce CSRF protection.
3) If I want to add CSRF protection to a GET parameter, then I'm being
lazy. Whenever you see GETs needing CSRF protection, you are designing
wrong - you should move those to POSTs. But, I break this rule - so I
just manually stick a CSRF token to my GETs that necessitate CSRF
protection (when building these URLs in JSPs or the like) and add the
verify function to those actions. Pretty simple.

import javax.servlet.http.HttpServletRequest;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.owasp.esapi.ESAPI;

// Base form: every form that extends it carries the session's CSRF token,
// so the JSP only needs <html:hidden property="csrf" />.
public class ParentActionForm extends ActionForm {
    private String csrf;

    public String getCsrf() {
        return csrf;
    }

    public void setCsrf(String csrf) {
        this.csrf = csrf;
    }

    // Struts calls reset() before populating the form from the request,
    // so the token is filled in from ESAPI's per-session value.
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        setCsrf(ESAPI.httpUtilities().getCSRFToken());
    }
}

- Jim
----- Original Message ----- 
From: Sukhmeet Sethi (India) 
To: owasp-esapi at lists.owasp.org 
Sent: Thursday, March 26, 2009 9:02 PM
Subject: [OWASP-ESAPI] ESAPI : CSRF with struts


Hi there,
 
I am trying to implement ESAPI CSRF security in a Struts web application
but wonder how I can include the CSRF token with each action.
As per the documentation, I can add a CSRF token to any URL using the
following code:
 
String url = ESAPI.httpUtilities().addCSRFToken( "/example/action?t=1" );
 
But what if I want to include the token in all my action URLs, as in Struts
the desired URL is generated through struts-config's action mapping.
Kindly let me know if there's a way out or if there's any example
available.
 
Cheers,
Sukhi
 



_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090327/f648c734/attachment-0001.html 
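
The thread above shows the form side (ParentActionForm) but only describes the
action side, "add verifyCSRFToken() to the top of actions". The following is an
added example, not code from the original posts or from the ESAPI project: a
Struts 1 base Action that runs the ESAPI check once, for every request that is
not a safe HTTP method, so individual actions cannot forget it, and that lets an
action opt in for the GET-with-side-effects case the post admits to. It assumes
Struts 1.x and ESAPI on the classpath, that ESAPI's HTTP utilities have already
been bound to the current request and response (the reference ESAPIFilter does
this in front of the ActionServlet), and a "csrfFailure" forward in
struts-config.xml; the package and forward names are hypothetical.

```java
// Added example, not from the mailing-list post or the ESAPI project.
// Assumptions: Struts 1.x, ESAPI bound to the current request/response by a
// filter, and a "csrfFailure" forward configured in struts-config.xml.
package example.web;   // hypothetical package name

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;

/**
 * Base class for every Action in the application. The CSRF check happens
 * here, before the subclass runs, so a forgotten verifyCSRFToken() call in
 * one action does not silently leave that action unprotected.
 */
public abstract class ParentAction extends Action {

    // Methods that must never change server state. Everything else (POST,
    // PUT, DELETE, ...) is treated as state-changing and verified.
    private static final Set<String> SAFE_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "OPTIONS"));

    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request,
                                       HttpServletResponse response) throws Exception {
        if (requiresCsrfCheck(request)) {
            try {
                // Compares the token parameter on this request with the token
                // ESAPI stored for the logged-in user at login; throws when the
                // parameter is missing or does not match.
                ESAPI.httpUtilities().verifyCSRFToken();
            } catch (IntrusionException e) {
                // Refuse to do the work; ESAPI has already logged the event.
                return mapping.findForward("csrfFailure"); // hypothetical forward
            }
        }
        return executeProtected(mapping, form, request, response);
    }

    /**
     * Override and return true for a GET that changes state and could not be
     * moved to POST. Such links must be built with csrfProtectedLink() so the
     * token travels in the query string.
     */
    protected boolean forceCsrfCheck() {
        return false;
    }

    /** Builds a link that carries the session token, for the GET case above. */
    public static String csrfProtectedLink(String href) {
        return ESAPI.httpUtilities().addCSRFToken(href);
    }

    private boolean requiresCsrfCheck(HttpServletRequest request) {
        String method = request.getMethod().toUpperCase(Locale.ROOT);
        return forceCsrfCheck() || !SAFE_METHODS.contains(method);
    }

    /** The action's real work; only reached once the CSRF check has passed. */
    protected abstract ActionForward executeProtected(ActionMapping mapping,
                                                      ActionForm form,
                                                      HttpServletRequest request,
                                                      HttpServletResponse response)
            throws Exception;
}
```

Two things to confirm against the ESAPI version in use before relying on this:
verifyCSRFToken() reads the token from a request parameter whose name is the
CSRF_TOKEN_NAME constant of the HTTPUtilities reference implementation, so the
hidden field and the form property must use that exact name or the check will
reject every submission; and the ESAPI HTTP utilities only know which request
they are verifying if a filter has bound the current request and response
first, otherwise getCSRFToken() and verifyCSRFToken() have nothing to compare.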

------------------------------

Message: 2
Date: Fri, 27 Mar 2009 04:07:44 -0700
From: Ronald A Garlit <ronald.a.garlit at aexp.com>
Subject: [OWASP-ESAPI] Ronald A Garlit/AMER/AEB/AEXP is out of the
	office.
To: owasp-esapi at lists.owasp.org
Message-ID:
	<OFA972B5B2.1C6F5BAF-ON07257586.003D2208-07257586.003D2208 at aexp.com>
Content-Type: text/plain; charset=US-ASCII


I will be out of the office starting  03/27/2009 and will not return until
03/28/2009.

I'm out of the office on PTO but can be reached for emergencies on my personal
cell phone at 856-430-1623.  Have a nice day!



------------------------------

Message: 3
Date: Fri, 27 Mar 2009 17:23:40 +0530
From: "Nilesh Kumar (India)" <Nilesh.Kumar at sdgc.com>
Subject: [OWASP-ESAPI] FW: PHP_ESAPI
To: <owasp-esapi at lists.owasp.org>
Message-ID:
	<B3A4B574404BA3449A74A5B78B5F25945CD749 at sdgind015.india.sdgc.com>
Content-Type: text/plain; charset="us-ascii"

Hi there!

   Could anybody provide me the information below?

Thanks,

Nilesh

From: Nilesh Kumar (India) 
Sent: Thursday, March 26, 2009 3:31 PM
To: 'vanderaj at owasp.org'
Subject: PHP_ESAPI

Hi Andrew,

    I want to contribute towards the PHP ESAPI project. Just wanted to know
about the project's status, like:

what has been done so far?

what modules have been developed?

how can I access resources like the documentation or source code of
already developed modules?

Or do I need to start from scratch?

Please provide me a complete roadmap of the project done till date and
information on how to start.

Waiting for your response!

 

 

Thanks,

Nilesh Kumar CEH ISMS LA

Security Specialist

Governance,Risk &  Compliance (GRC)
________________________________________________________________________


Cell:+91-9891524880 


SDG Software India Pvt. Ltd. 
A-10, Sector 2,NOIDA 201301, (UP), INDIA 
Website: www.sdgc.com 

Please Note: The e-mail content is intended for the sole use of the
intended recipient/s and may contain material that is CONFIDENTIAL AND
PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying
or distribution or forwarding of any or all of the contents in this
message is STRICTLY PROHIBITED. If you have erroneously received this
message, please delete it immediately and notify the sender. Before
opening any attachments please check them for viruses and defects.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090327/773d5a3d/attachment.html 

------------------------------

_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi


End of OWASP-ESAPI Digest, Vol 18, Issue 16
*******************************************

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 6402 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090329/ef58815b/attachment.bin 

