[OWASP-ESAPI] FW: PHP_ESAPI

Jeff Williams jeff.williams at owasp.org
Sun Mar 29 16:41:24 EDT 2009


Works fine for me.

--Jeff



On Mar 29, 2009, at 6:23 AM, "Nilesh Kumar (India)" <Nilesh.Kumar at sdgc.com> wrote:

> Hi Linden!
>
>
> I have already checked the link http://www.owasp.org/index.php/ESAPI#tab=PHP .
> It does not provide any information about the status of the
> project and resources like documentation or source code etc.
>
> >> By browsing the 'source' area of owasp_esapi_php on google code
> >> you will find the code for the latest revision. E.g.: http://code.google.com/p/owasp-esapi-php/source/browse/#svn/trunk/src
>
> And http://code.google.com/p/owasp-esapi-php/source/browse/#svn/trunk/src
> does not work at all. Even http://code.google.com/p/owasp-esapi-php/source
> doesn't work.
>
> I am unable to find anything substantial so far.
>
> Regards,
> Nilesh
>
>
> From: owasp-esapi-bounces at lists.owasp.org on behalf of Linden Darling
> Sent: Sun 3/29/2009 2:23 PM
> To: owasp-esapi at lists.owasp.org
> Subject: RE: FW: PHP_ESAPI
>
> By browsing the 'source' area of owasp_esapi_php on google code you  
> will find the code for the latest revision. E.g.: http://code.google.com/p/owasp-esapi-php/source/browse/#svn/trunk/src
>
> By pressing the 'PHP' tab on the OWASP ESAPI Project page you will  
> see information pertaining to the ESAPI for PHP Project: http://www.owasp.org/index.php/ESAPI#tab=PHP
>
> ~~~~~~~~~~~~~~
> Linden Darling
> JDS Australia
> ~~~~~~~~~~~~~~
>
> -----Original Message-----
> From: owasp-esapi-bounces at lists.owasp.org on behalf of owasp-esapi-request at lists.owasp.org
> Sent: Fri 27/03/2009 22:51
> To: owasp-esapi at lists.owasp.org
> Subject: OWASP-ESAPI Digest, Vol 18, Issue 16
>
> Send OWASP-ESAPI mailing list submissions to
>         owasp-esapi at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.owasp.org/mailman/listinfo/owasp-esapi
> or, via email, send a message with subject or body 'help' to
>         owasp-esapi-request at lists.owasp.org
>
> You can reach the person managing the list at
>         owasp-esapi-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OWASP-ESAPI digest..."
>
>
> Today's Topics:
>
>    1. Re: ESAPI : CSRF with struts (Sukhmeet Sethi (India))
>    2. Ronald A Garlit/AMER/AEB/AEXP is out of the office.
>       (Ronald A Garlit)
>    3. FW: PHP_ESAPI (Nilesh Kumar (India))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 27 Mar 2009 13:48:40 +0530
> From: "Sukhmeet Sethi (India)" <Sukhmeet.Sethi at sdgc.com>
> Subject: Re: [OWASP-ESAPI] ESAPI : CSRF with struts
> To: "Jim Manico" <jim.manico at owasp.org>, <owasp-esapi at lists.owasp.org>
> Message-ID: <B3A4B574404BA3449A74A5B78B5F2594544F48 at sdgind015.india.sdgc.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Thanks for the quick response. I will implement this and let you know.
>
> Sukhi
>
> -----Original Message-----
> From: owasp-esapi-bounces at lists.owasp.org
> [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Friday, March 27, 2009 12:50 PM
> To: Sukhmeet Sethi (India); owasp-esapi at lists.owasp.org
> Subject: Re: [OWASP-ESAPI] ESAPI : CSRF with struts
>
> I feel you only want CSRF tokens when user actions change the state of
> data. So what I do is:
>
> 1) After successful login, I generate a CSRF token and stick it in
> session for that user (I think unique per-request CSRF tokens are
> overkill)
> 2) Whenever I build a form that necessitates CSRF protection, I stick
> a CSRF hidden variable in it.  <html:hidden property="csrf" />
>     2a) My Struts form objects all descend from a parent that
> automatically populates the CSRF token if it exists in the form (see
> below) so all I need to do is drop in the csrf hidden variable.
>     2b) I then add verifyCSRFToken() to the top of actions that need to
> enforce CSRF protection.
> 3) If I want to add CSRF protection to a GET parameter, then I'm being
> lazy. Whenever you see GETs needing CSRF protection, you are designing
> wrong - you should move those to POSTs. But, I break this rule - so I
> just manually stick a CSRF token on my GETs that necessitate CSRF
> protection (when building these URLs in JSPs or the like) and add the
> verify function to those actions. Pretty simple.
>
> import javax.servlet.http.HttpServletRequest;
> import org.apache.struts.action.ActionForm;
> import org.apache.struts.action.ActionMapping;
> import org.owasp.esapi.ESAPI;
>
> // Parent form bean: every Struts form that extends it carries the
> // session's CSRF token, so the JSP only needs <html:hidden property="csrf" />.
> public class ParentActionForm extends ActionForm {
>     private String csrf;
>
>     public String getCsrf() {
>         return csrf;
>     }
>
>     public void setCsrf(String csrf) {
>         this.csrf = csrf;
>     }
>
>     // Struts calls reset() before populating the bean from the request;
>     // pull the current user's session-bound token from ESAPI here.
>     @Override
>     public void reset(ActionMapping mapping, HttpServletRequest request) {
>         setCsrf(ESAPI.httpUtilities().getCSRFToken());
>     }
> }
>
> - Jim
> ----- Original Message -----
> From: Sukhmeet Sethi (India)
> To: owasp-esapi at lists.owasp.org
> Sent: Thursday, March 26, 2009 9:02 PM
> Subject: [OWASP-ESAPI] ESAPI : CSRF with struts
>
>
> Hi there,
>
> I am trying to implement ESAPI CSRF security in a Struts web application
> but wonder how I can include the CSRF token with each action.
> As per the documentation, I can add a CSRF token to any URL using the following
> code:
>
> String url = ESAPI.httpUtilities().addCSRFToken( "/example/action?t=1" );
>
> But what if I want to include the token in all my action URLs, as in
> Struts the desired URL is generated through struts-config's action mapping?
> Kindly let me know if there's a way out or if there's any example
> available.
>
> Cheers,
> Sukhi
>
>
>
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090327/f648c734/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Fri, 27 Mar 2009 04:07:44 -0700
> From: Ronald A Garlit <ronald.a.garlit at aexp.com>
> Subject: [OWASP-ESAPI] Ronald A Garlit/AMER/AEB/AEXP is out of the office.
> To: owasp-esapi at lists.owasp.org
> Message-ID: <OFA972B5B2.1C6F5BAF-ON07257586.003D2208-07257586.003D2208 at aexp.com>
> Content-Type: text/plain; charset=US-ASCII
>
>
> I will be out of the office starting 03/27/2009 and will not return
> until 03/28/2009.
>
> I'm out of the office on PTO but can be reached for emergencies on
> my personal cell phone at 856-430-1623.  Have a nice day!
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 27 Mar 2009 17:23:40 +0530
> From: "Nilesh Kumar (India)" <Nilesh.Kumar at sdgc.com>
> Subject: [OWASP-ESAPI] FW: PHP_ESAPI
> To: <owasp-esapi at lists.owasp.org>
> Message-ID: <B3A4B574404BA3449A74A5B78B5F25945CD749 at sdgind015.india.sdgc.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi there!
>
>
>    Could anybody  provide me  the information below...?
>
>
> Thanks,
>
> Nilesh
>
>
> From: Nilesh Kumar (India)
> Sent: Thursday, March 26, 2009 3:31 PM
> To: 'vanderaj at owasp.org'
> Subject: PHP_ESAPI
>
>
> Hi Andrew,
>
>
>     I want to contribute towards the PHP ESAPI project. Just wanted to
> know about the project's status, like:
>
> what has been done so far?
>
> what modules have been developed?
>
> how can I access the resources like, documentation or source codes of
> already developed modules?
>
>
> Or do I need to start from scratch?
>
>
> Please provide me a complete roadmap of the project done till date and
> information on how to start.
>
>
> Waiting for your response!
>
>
>
> Thanks,
>
> Nilesh Kumar CEH ISMS LA
>
> Security Specialist
>
> Governance,Risk &  Compliance (GRC)
> ________________________________________________________________________
>
> Cell:+91-9891524880
>
>
> SDG Software India Pvt. Ltd.
> A-10, Sector 2,NOIDA 201301, (UP), INDIA
> Website: www.sdgc.com
>
> Please Note: The e-mail content is intended for the sole use of the
> intended recipient/s and may contain material that is CONFIDENTIAL AND
> PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying
> or distribution or forwarding of any or all of the contents in this
> message is STRICTLY PROHIBITED. If you have erroneously received this
> message, please delete it immediately and notify the sender. Before
> opening any attachments please check them for viruses and defects.
>
>
>
> ------------------------------
>
>
>
> End of OWASP-ESAPI Digest, Vol 18, Issue 16
> *******************************************
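The CSRF scheme Jim describes in the quoted thread (one token per login bound to the session, a hidden field on every state-changing form, verifyCSRFToken() at the top of the action, and a token appended to the occasional GET URL via addCSRFToken()) is easier to reason about end to end with both sides of the request in hand. The following is an added example, not code from the list, from ESAPI or from Struts: a framework-free Python model of those three ESAPI calls, with the session represented as a dict and the parameter name "csrf" assumed (ESAPI for Java reads the token from the request parameter named by HTTPUtilities.CSRF_TOKEN_NAME, so in a real deployment the hidden field must use that name, not whatever the form bean property happens to be called). The demo walks a legitimate form post, a token-carrying GET, a cross-site forged post with no token, and a replay of a token minted in the attacker's own session.

```python
"""Session-bound CSRF token, modelled on the Struts/ESAPI steps above.

Constructed example: a plain-Python stand-in for ESAPI's getCSRFToken(),
addCSRFToken() and verifyCSRFToken(); it does not call ESAPI or Struts.
"""
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed request parameter name. ESAPI for Java reads the token from the
# parameter named by HTTPUtilities.CSRF_TOKEN_NAME; use that name in your form.
CSRF_PARAM = "csrf"


class CsrfError(Exception):
    """Raised when a state-changing request carries no valid token."""


def login(session):
    """Step 1: mint one unguessable token per login and bind it to the session."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def hidden_field(session):
    """Step 2: what <html:hidden property="csrf" /> renders once reset() has
    copied the session token into the form bean."""
    if "csrf" not in session:
        raise CsrfError("no CSRF token in session: user is not logged in")
    return '<input type="hidden" name="%s" value="%s">' % (CSRF_PARAM, session["csrf"])


def add_csrf_token(session, href):
    """Step 3: addCSRFToken() equivalent for a GET URL that still changes state."""
    parts = urlsplit(href)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((CSRF_PARAM, session["csrf"]))
    return urlunsplit(parts._replace(query=urlencode(query)))


def params_from_url(url):
    """Parse a request URL's query string into the dict an action would see."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def verify_csrf_token(session, params):
    """verifyCSRFToken() equivalent: first line of every state-changing action.

    Compares the submitted token against the one bound to *this* session in
    constant time. A forged cross-site request cannot read that value, so it
    arrives with no token or with one from the attacker's own session."""
    expected = session.get("csrf")
    supplied = params.get(CSRF_PARAM)
    if expected is None or supplied is None or not hmac.compare_digest(expected, supplied):
        raise CsrfError("missing or invalid CSRF token")


def transfer_action(session, method, params):
    """State-changing action: POST only, token verified before any work."""
    if method != "POST":
        raise CsrfError("transfer requires POST")
    verify_csrf_token(session, params)
    return "transferred %s to %s" % (params["amount"], params["to"])


def export_action(session, params):
    """The 'lazy' GET case from step 3: the token arrives in the query string."""
    verify_csrf_token(session, params)
    return "exported report %s" % params["id"]


def demo():
    """Walk the happy paths and two forged requests; returns what each did."""
    victim = {}
    token = login(victim)
    results = {}
    results["form"] = transfer_action(
        victim, "POST", {"to": "alice", "amount": "10", CSRF_PARAM: token})
    results["get"] = export_action(
        victim, params_from_url(add_csrf_token(victim, "/report/export?id=7")))
    # Cross-site form post: the browser attaches the victim's cookie, so the
    # session is present, but the attacker's page never saw the token.
    try:
        transfer_action(victim, "POST", {"to": "mallory", "amount": "1000"})
        results["forged"] = "ACCEPTED"
    except CsrfError:
        results["forged"] = "rejected"
    # Attacker logs in too and replays a token from their own session.
    attacker = {}
    login(attacker)
    try:
        transfer_action(victim, "POST",
                        {"to": "mallory", "amount": "1000", CSRF_PARAM: attacker["csrf"]})
        results["replayed"] = "ACCEPTED"
    except CsrfError:
        results["replayed"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-8s %s" % (name, outcome))
```

Two details worth carrying over to the Struts version: the comparison is constant-time (hmac.compare_digest here; ESAPI does a plain equals, which is acceptable for a random session token but worth knowing), and the token is per session rather than per request, which is what lets a form bean copy it in reset() without any bookkeeping. Appending the token to a GET URL puts it in referrer headers and server logs, which is one more reason Jim's step 3 calls that design lazy.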