ESAPI Secure Coding Guideline
From OWASP
Revision as of 03:12, 3 May 2008 by Jeff Williams (talk | contribs)
Using Security Controls
Authentication
| ID | Requirement | Code Example |
|---|---|---|
| AU001 | All site interaction from page containing the login form to the page confirming logout (inclusive) must use SSL. | TBD |
| AU002 | All requests for pages that require authentication shall call the ESAPI.authenticator().login() method. | TBD |
| AU003 | The application shall provide the user with a logout link on every page that invokes the ESAPI.authenticator().logout() method. | TBD |
| AU004 | Form fields used for passwords must use type=password to mask the password from view. | TBD |
| AU005 | The application shall never put passwords into HTML, including repopulating form fields. | TBD |
| AU006 | The application shall use the FIXME to set a "remember me" cookie for automatic authentication, but only if a user specifically authorizes it. | TBD |
| AU007 | The application shall include Javascript in all pages that protects against being nested or framed in other websites. | TBD |
| AU008 | The application shall reauthenticate users with User.checkPassword() before allowing access to sensitive transactions. | TBD |
| AU009 | Link and form URLs for all transactions shall be updated with the HTTPUtilities.addCSRFToken() method to add a CSRF token. | TBD |
| AU010 | All HTTP requests for transactions shall be verified using the HTTPUtilities.verifyCSRFToken() method to check that the request is not forged. | TBD |
| AU011 | Account creation and registration functions should protect against automated tools. | TBD |
| AU012 | The application shall generate strong passwords for users with the Authenticator.generateStrongPassword() method. | TBD |
| AU013 | The application shall verify the strength of any user provided password with the Authenticator.verifyPasswordStrength() method. | TBD |
| AU014 | The application shall verify the strength of any user account name with the Authenticator.verifyAccountNameStrength() method. | TBD |
| AU015 | The application shall display information upon login about the last successful (User.getLastLoginTime()) and last failed (User.getLastFailedLoginTime()) login date and time. | TBD |
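The Code Example column is still TBD on this page. As an added example (not part of the OWASP page or the ESAPI project), the servlet below applies AU002, AU004, AU005, AU008, AU009, AU010 and AU015 using the ESAPI 2.x API: the draft's User.checkPassword() and static HTTPUtilities correspond to User.verifyPassword() and ESAPI.httpUtilities() in 2.x. The servlet, its /transfer URL and the confirmPassword field are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AuthenticationException;

public class TransferServlet extends HttpServlet { // hypothetical transaction servlet
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        User user = requireLogin(request, response);
        if (user == null) return;
        // AU009: the form posts to a URL carrying the CSRF token ESAPI issued for this session.
        String action = ESAPI.httpUtilities().addCSRFToken("/transfer");
        PrintWriter out = response.getWriter();
        out.println("<form method=\"post\" action=\"" + ESAPI.encoder().encodeForHTMLAttribute(action) + "\">"
                + "<input type=\"password\" name=\"confirmPassword\"><input type=\"submit\"></form>"); // AU004/AU005
        // AU015: last successful and last failed login, HTML-encoded before output.
        out.println("Last login: " + ESAPI.encoder().encodeForHTML(String.valueOf(user.getLastLoginTime())));
        out.println("Last failed login: " + ESAPI.encoder().encodeForHTML(String.valueOf(user.getLastFailedLoginTime())));
    }
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        User user = requireLogin(request, response);
        if (user == null) return;
        // AU010: throws IntrusionException if the request's token is absent or wrong.
        ESAPI.httpUtilities().verifyCSRFToken(request);
        // AU008: re-authenticate before the sensitive transaction; the password is never stored or logged.
        String confirm = request.getParameter("confirmPassword");
        if (confirm == null || !user.verifyPassword(confirm)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... perform the transfer here (assumed application logic) ...
    }
    // AU002: every authenticated page calls login(); ESAPI validates the session or the
    // submitted credentials and throws AuthenticationException otherwise.
    private User requireLogin(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            return ESAPI.authenticator().login(request, response);
        } catch (AuthenticationException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no credential details leaked
            return null;
        }
    }
}
```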
Session Management
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
Access Control
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use assertAuthorizedForURL() to verify authorization before allowing access to each URL. | TBD |
| AC002 | The application shall use assertAuthorizedForFunction() to verify authorization before allowing access to each business function. | TBD |
| AC003 | The application shall use assertAuthorizedForFile() to verify authorization before allowing access to files. | TBD |
| AC004 | The application shall use assertAuthorizedForData() to verify authorization before allowing access to data. | TBD |
| AC005 | The application shall use assertAuthorizedForService() to verify authorization before allowing access to each backend service. | TBD |
| AC006 | The application shall use isAuthorizedFor* methods to verify authorization before including user interface controls in HTML output. | TBD |
| AC007 | The application shall use AccessReferenceMap.getIndirectReference() to reference all application objects such as filenames, directory paths, and database keys. | TBD |
| AC008 | The application shall prevent access to all resources that should not be directly accessed by users (such as resources, XML files, JSP files, properties) by storing them in a protected directory, such as WEB-INF. | TBD |
| AC009 | The application shall use HTTPUtilities.sendSafeForward() for all forwards, to ensure that they cannot be used to bypass access checks. | TBD |
| AC0010 | The application must use only trusted data in access control decisions. | TBD |
| AC0011 | Administrative functions for the application shall be deployed as a separate application with increased authentication controls. | TBD |
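As an added example (not part of the OWASP page or the ESAPI project), this servlet applies AC001, AC002, AC003, AC006 and AC007 with the ESAPI 2.x API: the URL, function and file checks are layered, and the client only ever handles indirect references from a RandomAccessReferenceMap. The servlet, the "viewReport" function name and the report paths are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.AccessReferenceMap;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.reference.RandomAccessReferenceMap;

public class ReportServlet extends HttpServlet { // hypothetical servlet
    // AC007: clients only ever see random indirect references; real paths stay server side.
    // A single map keeps the example short; a real application would build one per user session.
    private final AccessReferenceMap<String> refs;

    public ReportServlet() {
        Set<File> reports = new HashSet<File>();
        reports.add(new File("/var/app/reports/q1.pdf")); // constructed sample paths
        reports.add(new File("/var/app/reports/q2.pdf"));
        refs = new RandomAccessReferenceMap(reports);
    }
    // AC006/AC007: emit a link only if the user may use the function, and only with the
    // indirect reference, so no direct file name reaches the HTML.
    String reportLink(File report) {
        if (!ESAPI.accessController().isAuthorizedForFunction("viewReport")) return "";
        return "/reports?id=" + refs.getIndirectReference(report);
    }
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // AC001: authorize the URL itself, independent of how the user navigated here.
            ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI());
            // AC002: authorize the business function being invoked.
            ESAPI.accessController().assertAuthorizedForFunction("viewReport");
            // AC007: an unknown or tampered token throws before anything touches the filesystem.
            File report = refs.getDirectReference(request.getParameter("id"));
            // AC003: authorize the concrete file as well, after the indirect lookup.
            ESAPI.accessController().assertAuthorizedForFile(report.getPath());
            // ... stream the report here (assumed application logic) ...
        } catch (AccessControlException e) {
            // Deny without revealing whether the resource exists.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```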
Input Validation and Encoding
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
Data Protection
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
| | The application shall use an EncryptedProperties to store all security relevant data, such as passwords, credentials, codes, configuration information, addresses, etc. | |
Using Services Securely
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
Error Handling
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
Logging and Intrusion Detection
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
Secure Configuration and Deployment
| ID | Requirement | Code Example |
|---|---|---|
| SC001 | Production code shall not contain code not intended for use, such as debug, test, and dead code. | TBD |
| SC002 | The application's source code shall not contain secrets that would compromise security if disclosed. | TBD |
| SC003 | The application team shall run code quality tools such as FindBugs and PMD to find quality problems. | TBD |
Avoiding Specific Risks
Cross Site Scripting
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
Cross Site Request Forgery
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
Thread Safety Problems
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall avoid the use of shared storage, such as class variables, instance variables, or singletons, in all multithreaded code. | TBD |
Denial of Service
| ID | Requirement | Code Example |
|---|---|---|
| AC001 | The application shall use to | TBD |
Banned APIs
The following calls are dangerous and should be replaced with the safer calls provided by ESAPI.
| ID | Banned Call | ESAPI Replacement | Code Example |
|---|---|---|---|
| BAN001 | System.out.println() | Logger.* | TBD |
| BAN002 | Throwable.printStackTrace() | Logger.* | TBD |
| BAN003 | Runtime.exec() | Executor.safeExec() | TBD |
| BAN004 | Session.getId() | Randomizer.getRandomString (better not to use at all) | TBD |
| BAN005 | ServletRequest.getUserPrincipal() | Authenticator.getCurrentUser() | TBD |
| BAN006 | ServletRequest.isUserInRole() | AccessController.isAuthorized*() | TBD |
| BAN007 | Session.invalidate() | Authenticator.logout() | TBD |
| BAN008 | Math.Random.* | Randomizer.* | TBD |
| BAN009 | File.createTempFile() | Randomizer.getRandomFilename() | TBD |
| BAN010 | ServletResponse.setContentType() | HTTPUtilities.setContentType() | TBD |
| BAN011 | ServletResponse.sendRedirect() | HTTPUtilities.safeSendRedirect() | TBD |
| BAN012 | RequestDispatcher.forward() | HTTPUtilities.safeSendForward() | TBD |
| BAN013 | ServletResponse.addHeader() | HTTPUtilities.safeSetHeader()/safeSetHeader() | TBD |
| BAN014 | ServletResponse.addCookie() | HTTPUtilities.safeAddCookie() | TBD |
| BAN015 | ServletRequest.isSecure() | HTTPUtilities.isSecureChannel() | TBD |
| BAN016 | Properties.* | EncryptedProperties.* | TBD |
| BAN017 | ServletContext.log() | Logger.* | TBD |
| BAN018 | java.security and javax.crypto | Encryptor.* | TBD |
| BAN019 | java.net.URLEncoder/Decoder | Encoder.encodeForURL()/decodeForURL() | TBD |
| BAN020 | java.sql.Statement.execute | PreparedStatement.execute | TBD |
| BAN021 | ServletResponse.encodeURL | HTTPUtilities.safeEncodeURL() (better not to use at all) | TBD |
| BAN022 | ServletResponse.encodeRedirectURL | HTTPUtilities.safeEncodeRedirectURL() (better not to use at all) | TBD |
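As an added example (not part of the OWASP page or the ESAPI project), each method below shows a banned call from the table as a comment beside its ESAPI 2.x replacement, for BAN002, BAN008, BAN009, BAN019 and BAN020. The class, its method names and the users table are assumptions; ESAPI 2.x names are used where they differ from the 2008 draft.

```java
import java.io.File;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.EncodingException;

public class BannedApiReplacements { // hypothetical helper class
    private static final Logger log = ESAPI.getLogger(BannedApiReplacements.class);

    // BAN002: printStackTrace() goes to stderr, outside the audit log; the ESAPI Logger
    // records the event with its security-event type and sanitizes the message.
    static void reportFailure(Exception e) {
        // e.printStackTrace();                                    // banned
        log.error(Logger.SECURITY_FAILURE, "Operation failed", e); // replacement
    }
    // BAN008: Math.random() is predictable; Randomizer is backed by SecureRandom.
    static String newResetCode() {
        // String code = Long.toString((long) (Math.random() * 1e12)); // banned
        return ESAPI.randomizer().getRandomString(16, EncoderConstants.CHAR_ALPHANUMERICS);
    }
    // BAN009: the guideline bans File.createTempFile(); ESAPI builds the name from its Randomizer.
    static File newScratchFile(File dir) {
        // File f = File.createTempFile("upload", ".tmp", dir);       // banned
        return new File(dir, ESAPI.randomizer().getRandomFilename("tmp"));
    }
    // BAN019: URLEncoder encodes form bodies (space becomes '+'); encodeForURL targets URLs.
    static String queryParam(String value) throws EncodingException {
        // return URLEncoder.encode(value, "UTF-8");                   // banned
        return ESAPI.encoder().encodeForURL(value);
    }
    // BAN020: a string-built Statement is injectable; PreparedStatement keeps data as data.
    static ResultSet findUser(Connection conn, String username) throws SQLException {
        // stmt.execute("SELECT id, name FROM users WHERE name = '" + username + "'"); // banned
        PreparedStatement ps = conn.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }
}
```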