[OWASP-ESAPI] FW: PHP_ESAPI

Nilesh Kumar (India) Nilesh.Kumar at sdgc.com
Sun Mar 29 06:23:04 EDT 2009


Hi Linden!
 
 
   I have already checked the link http://www.owasp.org/index.php/ESAPI#tab=PHP . It does not provide any information about the status of the project, or resources like documentation or source code.
 
>>By browsing the 'source' area of owasp_esapi_php on google code you will find the code for the latest revision. E.g.: http://code.google.com/p/owasp-esapi-php/source/browse/#svn/trunk/src <http://code.google.com/p/owasp-esapi-php/source/browse/#svn/trunk/src> 
 
And http://code.google.com/p/owasp-esapi-php/source/browse/#svn/trunk/src does not work at all. Even http://code.google.com/p/owasp-esapi-php/source doesn't work.
 
I am unable to find anything substantial so far.
 
Regards,
Nilesh
    

________________________________

From: owasp-esapi-bounces at lists.owasp.org on behalf of Linden Darling
Sent: Sun 3/29/2009 2:23 PM
To: owasp-esapi at lists.owasp.org
Subject: RE: FW: PHP_ESAPI



By browsing the 'source' area of owasp_esapi_php on google code you will find the code for the latest revision. E.g.: http://code.google.com/p/owasp-esapi-php/source/browse/#svn/trunk/src

By pressing the 'PHP' tab on the OWASP ESAPI Project page you will see information pertaining to the ESAPI for PHP Project: http://www.owasp.org/index.php/ESAPI#tab=PHP

~~~~~~~~~~~~~~ 
Linden Darling 
JDS Australia 
~~~~~~~~~~~~~~ 

-----Original Message----- 
From: owasp-esapi-bounces at lists.owasp.org on behalf of owasp-esapi-request at lists.owasp.org 
Sent: Fri 27/03/2009 22:51 
To: owasp-esapi at lists.owasp.org 
Subject: OWASP-ESAPI Digest, Vol 18, Issue 16 
  
Send OWASP-ESAPI mailing list submissions to 
        owasp-esapi at lists.owasp.org 

To subscribe or unsubscribe via the World Wide Web, visit 
        https://lists.owasp.org/mailman/listinfo/owasp-esapi 
or, via email, send a message with subject or body 'help' to 
        owasp-esapi-request at lists.owasp.org 

You can reach the person managing the list at 
        owasp-esapi-owner at lists.owasp.org 

When replying, please edit your Subject line so it is more specific 
than "Re: Contents of OWASP-ESAPI digest..." 


Today's Topics: 

   1. Re: ESAPI : CSRF with struts (Sukhmeet Sethi (India)) 
   2. Ronald A Garlit/AMER/AEB/AEXP is out of the office. 
      (Ronald A Garlit) 
   3. FW: PHP_ESAPI (Nilesh Kumar (India)) 


---------------------------------------------------------------------- 

Message: 1 
Date: Fri, 27 Mar 2009 13:48:40 +0530 
From: "Sukhmeet Sethi (India)" <Sukhmeet.Sethi at sdgc.com> 
Subject: Re: [OWASP-ESAPI] ESAPI : CSRF with struts 
To: "Jim Manico" <jim.manico at owasp.org>,        <owasp-esapi at lists.owasp.org> 
Message-ID: 
        <B3A4B574404BA3449A74A5B78B5F2594544F48 at sdgind015.india.sdgc.com> 
Content-Type: text/plain; charset="us-ascii" 

Thanks for the quick response. I will implement this and let you know. 
  
Sukhi 
  
-----Original Message----- 
From: owasp-esapi-bounces at lists.owasp.org 
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico 
Sent: Friday, March 27, 2009 12:50 PM 
To: Sukhmeet Sethi (India); owasp-esapi at lists.owasp.org 
Subject: Re: [OWASP-ESAPI] ESAPI : CSRF with struts 
  
I feel you only want CSRF tokens when user actions change the state of 
data. So what I do is: 

1) After successful login, I generate a CSRF token and stick it in 
session for that user (I think unique per-request CSRF tokens are 
overkill) 
2) Whenever I build a form that necessitates CSRF protection, I stick in 
a CSRF hidden variable in it.  <html:hidden property="csrf" /> 
    2a) My Struts form objects all descend from a parent that 
automatically populates the CSRF token if it exists in the form (see 
below) so all I need to do is drop in the csrf hidden variable. 
    2b) I then add verifyCSRFToken() to the top of actions that need to 
enforce CSRF protection. 
3) If I want to add CSRF protection to a GET parameter, then I'm being 
lazy. Whenever you see GETs needing CSRF protection, you are designing 
wrong - you should move those to POSTs. But, I break this rule - so I 
just manually stick a CSRF token to my GETs that necessitate CSRF 
protection (when building these URLs in JSPs or the like) and add the 
verify function to those actions. Pretty simple. 

import javax.servlet.http.HttpServletRequest;

import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.owasp.esapi.ESAPI;

/** Parent of all Struts form beans: carries the current user's CSRF token. */
public class ParentActionForm extends ActionForm {
    private String csrf;

    public String getCsrf() {
        return csrf;
    }

    public void setCsrf(String csrf) {
        this.csrf = csrf;
    }

    /** Struts calls reset() before populating the bean, so the hidden
     *  "csrf" field is pre-filled with the session's token when the form renders. */
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        setCsrf(ESAPI.httpUtilities().getCSRFToken());
    }
}

- Jim 
----- Original Message ----- 
From: Sukhmeet Sethi (India) 
To: owasp-esapi at lists.owasp.org 
Sent: Thursday, March 26, 2009 9:02 PM 
Subject: [OWASP-ESAPI] ESAPI : CSRF with struts 


Hi there, 
  
I am trying to implement ESAPI CSRF security in a Struts web application, 
but wonder how I can include the CSRF token with each action. 
As per documentation, I can add CSRF token to any URL using following 
code: 
  
String url = ESAPI.httpUtilities().addCSRFToken( "/example/action?t=1" 
); 
  
But what if I want to include the token in all my action URLs, as in Struts 
the desired URL is generated through struts-config's action mapping. 
Kindly let me know if there's a way out or if there's any example 
available. 
  
Cheers, 
Sukhi 
  



_______________________________________________ 
OWASP-ESAPI mailing list 
OWASP-ESAPI at lists.owasp.org 
https://lists.owasp.org/mailman/listinfo/owasp-esapi 
-------------- next part -------------- 
An HTML attachment was scrubbed... 
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090327/f648c734/attachment-0001.html 

------------------------------ 

Message: 2 
Date: Fri, 27 Mar 2009 04:07:44 -0700 
From: Ronald A Garlit <ronald.a.garlit at aexp.com> 
Subject: [OWASP-ESAPI] Ronald A Garlit/AMER/AEB/AEXP is out of the 
        office. 
To: owasp-esapi at lists.owasp.org 
Message-ID: 
        <OFA972B5B2.1C6F5BAF-ON07257586.003D2208-07257586.003D2208 at aexp.com> 
Content-Type: text/plain; charset=US-ASCII 


I will be out of the office starting  03/27/2009 and will not return until 
03/28/2009. 

I'm out of the office on PTO but can be reached for emergencies on my personal 
cell phone at 856-430-1623.  Have a nice day! 



------------------------------ 

Message: 3 
Date: Fri, 27 Mar 2009 17:23:40 +0530 
From: "Nilesh Kumar (India)" <Nilesh.Kumar at sdgc.com> 
Subject: [OWASP-ESAPI] FW: PHP_ESAPI 
To: <owasp-esapi at lists.owasp.org> 
Message-ID: 
        <B3A4B574404BA3449A74A5B78B5F25945CD749 at sdgind015.india.sdgc.com> 
Content-Type: text/plain; charset="us-ascii" 

Hi there! 

   Could anybody provide me the information below...? 

Thanks, 

Nilesh 

From: Nilesh Kumar (India) 
Sent: Thursday, March 26, 2009 3:31 PM 
To: 'vanderaj at owasp.org' 
Subject: PHP_ESAPI 

Hi Andrew, 

    I want to contribute towards the PHP ESAPI project. Just wanted to know 
about the project's status, like: 

what has been done so far? 

what modules have been developed? 

how can I access resources like documentation or source code of 
already developed modules? 

Or do I need to start from scratch? 

Please provide me a complete roadmap of the project done till date and 
information on how to start. 

Waiting for your response! 

Thanks, 

Nilesh Kumar CEH ISMS LA 

Security Specialist 

Governance, Risk & Compliance (GRC) 
________________________________________________________________________ 


Cell:+91-9891524880 


SDG Software India Pvt. Ltd. 
A-10, Sector 2, NOIDA 201301, (UP), INDIA 
Website: www.sdgc.com 

Please Note: The e-mail content is intended for the sole use of the 
intended recipient/s and may contain material that is CONFIDENTIAL AND 
PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying 
or distribution or forwarding of any or all of the contents in this 
message is STRICTLY PROHIBITED. If you have erroneously received this 
message, please delete it immediately and notify the sender. Before 
opening any attachments please check them for viruses and defects. 


------------------------------ 

_______________________________________________ 
OWASP-ESAPI mailing list 
OWASP-ESAPI at lists.owasp.org 
https://lists.owasp.org/mailman/listinfo/owasp-esapi 


End of OWASP-ESAPI Digest, Vol 18, Issue 16 
******************************************* 
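Jim's three steps (session-scoped token issued at login, hidden "csrf" field in state-changing forms, a verify call at the top of the action, plus the token appended by hand to the occasional GET URL) can be written out end to end. The following is an added example for this archive page, not Jim's code and not part of ESAPI or Struts: `CsrfGuard` and `TransferAction` are hypothetical classes, the session attribute name `csrf.token` is an assumption, and a plain `SecurityException` stands in for whatever the application's intrusion handling throws. It generates the token with `SecureRandom`, compares it in constant time, and reads the submitted value from the request parameter rather than from the form bean, because Struts populates the bean's `csrf` property from that same request parameter after `reset()` runs, so the bean never holds an independent "expected" value.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Session-scoped CSRF token helper (hypothetical class, not ESAPI's or Struts' own). */
public final class CsrfGuard {
    /** Request parameter name; matches <html:hidden property="csrf" /> in the JSP. */
    public static final String PARAM_NAME = "csrf";
    /** Session attribute holding the token (assumed name). */
    static final String SESSION_KEY = "csrf.token";
    private static final SecureRandom RNG = new SecureRandom();

    private CsrfGuard() {}

    /** Step 1: call once right after a successful login (on the fresh, post-login session).
     *  256 random bits, URL-safe Base64 so it can also ride in a query string. */
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_KEY, token);
        return token;
    }

    /** Step 3 (the "lazy GET" case): append the session's token to a URL built in a JSP. */
    public static String addTokenToUrl(String url, HttpSession session) {
        String token = (String) session.getAttribute(SESSION_KEY);
        if (token == null) {
            throw new IllegalStateException("no CSRF token in session; issue one at login");
        }
        String sep = url.indexOf('?') >= 0 ? "&" : "?";
        return url + sep + PARAM_NAME + "=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
    }

    /** Step 2b: first statement of every state-changing action.
     *  Rejects a missing session, a missing parameter, or a mismatch. */
    public static void verifyToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_KEY);
        String supplied = request.getParameter(PARAM_NAME);
        if (expected == null || supplied == null) {
            throw new SecurityException("CSRF token missing");
        }
        // Constant-time comparison so the check does not leak how many leading bytes matched.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   supplied.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("CSRF token mismatch");
        }
    }
}

/** A state-changing Struts action (hypothetical): the verify call goes before anything else. */
class TransferAction extends Action {
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        CsrfGuard.verifyToken(request);   // before any state is touched
        // ... perform the transfer using the validated form bean ...
        return mapping.findForward("success");
    }
}
```

The token is bound to the HTTP session, so it should be issued only after the post-login session has been created (or the pre-login session id has been changed); otherwise a token minted before authentication would survive into the authenticated session. Because `verifyToken` is the first statement of `execute`, a forged POST that lacks the parameter fails before the action reads any other input, and the thrown exception is where logging or an intrusion counter would hook in.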


