Open Web Application Security Project (OWASP)

OWASP (the Open Web Application Security Project) is a worldwide not-for-profit charitable organization focused on improving the security of web application software. Its mission is to make application security visible, so that people and organizations can make informed decisions about real application security risks and their solutions. OWASP is free for anyone, anywhere, to join, to take advantage of, or to contribute to its security projects.

All of the information about security risks and their solutions is available on one free web portal: OWASP’s official website, with the latest news on OWASP’s blog. Visitors are encouraged to propose changes and improvements to any of the security projects; in fact, hundreds of people around the world review changes to the site to help ensure quality and accuracy. There is a ‘Getting Started’ page for new users, which makes it easy for a newcomer to get involved with the information OWASP provides. The OWASP team encourages every visitor to become a member of its security portal.

Some of the projects run by OWASP are as follows:

  1. OWASP AntiSamy Java Project:  An API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.
  2. OWASP AntiSamy .NET Project:  An API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.
  3. OWASP Enterprise Security API (ESAPI) Project:  A free and open collection of all the security techniques that a developer needs to develop a secure web application.
  4. OWASP ModSecurity Core Rule Set Project:  A project to document and develop the ModSecurity Core Rule Set.

OWASP AntiSamy Java Project

The OWASP AntiSamy project consists of a handful of things. Technically, it is an API for ensuring that user-supplied HTML/CSS complies with an application’s rules. Another way of stating that: it’s an API that helps you make sure your users don’t supply malicious code in the HTML they submit for their profile, comments, images, etc., which gets persisted on the server. In the context of web applications, “malicious code” usually means JavaScript. Cascading Style Sheets (CSS) are only considered malicious when they invoke the JavaScript engine. Moreover, there are many situations where perfectly normal HTML and CSS can be used in a harmful manner, and the AntiSamy project takes care of that too.

Philosophically, AntiSamy is a departure from contemporary security mechanisms. Generally speaking, the conversation between a security mechanism and the user is virtually one way, for very good reasons. Letting a potential attacker know the details of the validation is considered unwise, as it allows the attacker to probe the mechanism for weaknesses. These kinds of information leaks can also be harmful in ways a user would not expect. A login mechanism that tells the user “Username invalid” leaks the fact that no user by that name exists. There are many more cases like the username example, which we won’t enumerate here. An attacker can use a dictionary and a phonebook to remotely enumerate the list of valid usernames, and with that information mount a brute-force attack (very popular these days) or a mass account-lockout denial of service. We get that. Unfortunately, that approach is just not very functional in this situation. Typical Internet users are largely pretty bad at writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jarring and annoying, and annoyed users go somewhere else to do their social networking.
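The two paragraphs above describe AntiSamy as a policy-driven sanitizer that, rather than silently rejecting input, reports what it removed and why. The following is an added example of that usage, written for this article and not taken from the post or from the AntiSamy project; the policy file name (one of the sample policies that ship with AntiSamy) and the sample input are assumptions.

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Sanitizes user-supplied profile HTML and reports what was stripped and why. */
public class ProfileHtmlSanitizer {

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    /** policyPath: an AntiSamy policy XML; assumed here to be the bundled antisamy-slashdot.xml. */
    public ProfileHtmlSanitizer(String policyPath) throws PolicyException {
        this.policy = Policy.getInstance(policyPath);
    }

    /** Runs the scan; the returned CleanResults carries both the clean HTML and the error list. */
    public CleanResults scan(String untrustedHtml) throws ScanException, PolicyException {
        return antiSamy.scan(untrustedHtml, policy);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: benign formatting, a script tag, and a CSS
        // expression that would hand control to the JavaScript engine.
        String dirty = "<p>Hi, I'm <b>sam</b></p>"
                + "<script>alert(1)</script>"
                + "<div style=\"width:expression(alert(1))\">bio</div>";

        ProfileHtmlSanitizer sanitizer = new ProfileHtmlSanitizer("antisamy-slashdot.xml");
        CleanResults results = sanitizer.scan(dirty);

        // Persist only the cleaned markup, never the original string.
        System.out.println("Clean HTML: " + results.getCleanHTML());

        // Unlike a silent reject, AntiSamy explains each removal so the
        // application can relay it to the user, who can then fix their pasted HTML.
        List<String> errors = results.getErrorMessages();
        System.out.println(results.getNumberOfErrors() + " issue(s) found:");
        for (String msg : errors) {
            System.out.println(" - " + msg);
        }
    }
}
```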

The OWASP Enterprise Security API

ESAPI (the OWASP Enterprise Security API) is a web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications, and they also serve as a solid foundation for new development. Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:

There is a set of security control interfaces; they define, for example, the types of parameters that are passed to the various security controls. There is a reference implementation for each security control whose logic is neither organization-specific nor application-specific; string-based input validation is a good example. There can optionally be your own implementation for each security control; these classes may contain application logic built by or for your organization according to its requirements. Enterprise authentication is a good example.
This project’s source code is licensed under the BSD license, which is very permissive and about as close to public domain as possible. The project documentation is licensed under the Creative Commons license. You can use or modify ESAPI however you want, even include it in commercial products.
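To make the interface / reference implementation / custom implementation split concrete, here is an added example, written for this article and not taken from the post or the ESAPI project, in which an application calls the Validator and Encoder interfaces and the backing implementation is selected in ESAPI.properties; the context name, pattern name, length limit, sample inputs and the custom class name are assumptions.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Application code talks only to the interfaces (Validator, Encoder). Which class
 * backs each interface is chosen in ESAPI.properties, e.g. the reference ones:
 *   ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
 *   ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
 * An organization-specific control is plugged in by pointing the property at
 * your own class (hypothetical name): ESAPI.Validator=com.example.StrictValidator
 */
public class CommentSubmission {

    /**
     * String-based input validation (the reference-implementation example from the text).
     * "SafeString" names a regex pattern defined in ESAPI.properties (Validator.SafeString),
     * 140 is the maximum length, and null is not allowed.
     */
    public static String validatedDisplayName(String untrusted)
            throws ValidationException, IntrusionException {
        return ESAPI.validator().getValidInput("displayName", untrusted, "SafeString", 140, false);
    }

    /** Output encoding for an HTML body context, so stored text cannot become markup. */
    public static String renderForHtml(String value) {
        return ESAPI.encoder().encodeForHTML(value);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one plain name, one containing markup characters.
        String[] samples = { "Alice Smith", "<b>Alice</b>" };
        for (String s : samples) {
            try {
                String name = validatedDisplayName(s);
                System.out.println("accepted: " + renderForHtml(name));
            } catch (ValidationException e) {
                // The user message is safe to display; the detailed log message goes to the log.
                System.out.println("rejected: " + e.getUserMessage());
            } catch (IntrusionException e) {
                // Raised when the intrusion detector decides the input is an attack, not a typo.
                System.out.println("blocked as intrusion: " + e.getMessage());
            }
        }
    }
}
```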

OWASP ModSecurity Core Rule Set Project

ModSecurity™
ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. SpiderLabs from Trustwave provides a free certified rule set to give users of ModSecurity™ 2.x the maximum benefit. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules provide generic protection against known and unknown vulnerabilities found in many web applications (which are mostly custom coded, so their vulnerabilities are unknown in advance). The Core Rules can also be used as a step-by-step deployment guide for ModSecurity™.

The Core Rules Content

To provide generic protection for a wide range of web applications, the Core Rules use the following methods:

1. HTTP Protection – detects violations of the HTTP protocol as well as a locally defined usage policy.
2. Real-time Blacklist Lookups – utilizes third-party IP reputation.
3. Web-based Malware Detection – identifies malicious web content by checking against the Google Safe Browsing API.
4. HTTP Denial of Service Protections – defense against HTTP flooding and slow HTTP DoS attacks.
5. Common Web Attacks Protection – detects common web application security attacks.
6. Automation Detection – detects bots, crawlers, scanners and other surface malicious activity.
7. Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
8. Tracking Sensitive Data – monitors credit card usage and blocks leakages.
9. Trojan Protection – detects access to Trojan horses.
10. Identification of Application Defects – alerts on application misconfigurations.
11. Error Detection and Hiding – disguises error messages sent by the server.