From 74e56e10cce1cd88b0628f0a0377d7812209ad6b Mon Sep 17 00:00:00 2001 From: dushitaoyuan Date: Sun, 29 Sep 2019 15:25:37 +0800 Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0esapi=20=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E6=8E=A7=E5=88=B6=E5=8C=85,=E5=8F=8A=E7=AE=80=E5=8D=95?= =?UTF-8?q?=E4=BD=BF=E7=94=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Readme.md | 3 + pom.xml | 7 +- .../exception/ServiceException.java | 3 + .../exception/SystemExceptionHandler.java | 23 +- .../security/RateLimitAspect.java | 5 +- .../securitydemo/security/RateLimitType.java | 7 +- .../ratelimit/AbstractRateLimiter.java | 3 +- .../security/ratelimit/GuavaRateLimiter.java | 2 +- .../security/ratelimit/RedisRateLimiter.java | 8 +- .../com/taoyuanx/securitydemo/EsapiTest.java | 73 +++ .../esapi/ESAPI-AccessControlPolicy.xml | 127 +++++ src/test/resources/esapi/ESAPI.properties | 497 ++++++++++++++++++ src/test/resources/esapi/antisamy-esapi.xml | 492 +++++++++++++++++ src/test/resources/esapi/users.txt | 4 + .../resources/esapi/validation.properties | 29 + .../esapi/waf-policies/add-header-policy.xml | 29 + .../waf-policies/add-httponly-policy.xml | 27 + .../esapi/waf-policies/add-secure-policy.xml | 27 + .../waf-policies/authentication-policy.xml | 30 ++ .../esapi/waf-policies/bean-shell-policy.xml | 30 ++ .../esapi/waf-policies/bean-shell-rule.bsh | 5 + .../waf-policies/detect-outbound-policy.xml | 27 + .../waf-policies/dynamic-insertion-policy.xml | 27 + .../waf-policies/enforce-https-policy.xml | 28 + .../esapi/waf-policies/must-match-policy.xml | 35 ++ .../waf-policies/replace-outbound-policy.xml | 27 + .../restrict-content-type-policy.xml | 27 + .../restrict-extension-policy.xml | 25 + .../waf-policies/restrict-method-policy.xml | 25 + .../restrict-source-ip-policy.xml | 27 + .../restrict-user-agent-policy.xml | 26 + .../waf-policies/virtual-patch-policy.xml | 27 + src/test/resources/esapi/waf-policy.xsd | Bin 0 -> 20582 bytes src/test/resources/logback.xml | 41 ++ 34 files changed, 1752 insertions(+), 21 deletions(-) create mode 100644 src/test/java/com/taoyuanx/securitydemo/EsapiTest.java create mode 100644 src/test/resources/esapi/ESAPI-AccessControlPolicy.xml create mode 100644 src/test/resources/esapi/ESAPI.properties create mode 100644 src/test/resources/esapi/antisamy-esapi.xml create mode 100644 src/test/resources/esapi/users.txt create mode 100644 src/test/resources/esapi/validation.properties create mode 100644 src/test/resources/esapi/waf-policies/add-header-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/add-httponly-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/add-secure-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/authentication-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/bean-shell-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/bean-shell-rule.bsh create mode 100644 src/test/resources/esapi/waf-policies/detect-outbound-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/dynamic-insertion-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/enforce-https-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/must-match-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/replace-outbound-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/restrict-content-type-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/restrict-extension-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/restrict-method-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/restrict-source-ip-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/restrict-user-agent-policy.xml create mode 100644 src/test/resources/esapi/waf-policies/virtual-patch-policy.xml create mode 100644 src/test/resources/esapi/waf-policy.xsd create mode 100644 src/test/resources/logback.xml diff --git a/Readme.md b/Readme.md index 3a00f9d..cf87e21 100644 --- a/Readme.md +++ b/Readme.md @@ -53,3 +53,6 @@ +## esapi 介绍 + +此jar包为一个比较全面的安全库,控制较为全面,业务较为复杂的可自行扩展 \ No newline at end of file diff --git a/pom.xml b/pom.xml index 29cf8ab..277212e 100644 --- a/pom.xml +++ b/pom.xml @@ -82,11 +82,16 @@ 4.0.3 - org.springframework.boot spring-boot-starter-data-redis + + + org.owasp.esapi + esapi + 2.2.0.0 + diff --git a/src/main/java/com/taoyuanx/securitydemo/exception/ServiceException.java b/src/main/java/com/taoyuanx/securitydemo/exception/ServiceException.java index c530544..d5554ee 100644 --- a/src/main/java/com/taoyuanx/securitydemo/exception/ServiceException.java +++ b/src/main/java/com/taoyuanx/securitydemo/exception/ServiceException.java @@ -17,6 +17,9 @@ public class ServiceException extends RuntimeException { super(msg); this.errorCode=errorCode; } + public Integer getErrorCode(){ + return getErrorCode(); + } } diff --git a/src/main/java/com/taoyuanx/securitydemo/exception/SystemExceptionHandler.java b/src/main/java/com/taoyuanx/securitydemo/exception/SystemExceptionHandler.java index 9ad1979..ff5dd8c 100644 --- a/src/main/java/com/taoyuanx/securitydemo/exception/SystemExceptionHandler.java +++ b/src/main/java/com/taoyuanx/securitydemo/exception/SystemExceptionHandler.java @@ -9,6 +9,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.HttpStatus; import org.springframework.web.HttpMediaTypeNotSupportedException; +import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.method.HandlerMethod; import org.springframework.web.servlet.HandlerExceptionResolver; import org.springframework.web.servlet.ModelAndView; @@ -27,11 +28,11 @@ public class SystemExceptionHandler implements HandlerExceptionResolver { public ModelAndView resolveException(HttpServletRequest request, HttpServletResponse response, Object handler, Exception e) { - if (isJson(request)) { + if (isJson(request, handler)) { doHandleException(request, response, handler, e); return new ModelAndView(); } else { - ModelAndView modelAndView=new ModelAndView(); + ModelAndView modelAndView = new ModelAndView(); //todo跳转到页面 return modelAndView; @@ -43,10 +44,12 @@ public class SystemExceptionHandler implements HandlerExceptionResolver { Throwable e) { Result result = null; HttpStatus httpStatus = HttpStatus.OK; - if (e instanceof ValidatorException) {//参数异常 + if (e instanceof ValidatorException) { + //参数异常 result = ResultBuilder.failed(ResultCode.PARAM_ERROR.code, e.getMessage()); } else if (e instanceof ServiceException) { - result = ResultBuilder.failed(ResultCode.BUSSINESS_ERROR.code, e.getMessage()); + ServiceException exception = (ServiceException) e; + result = ResultBuilder.failed(exception.getErrorCode(), e.getMessage()); } else if (e instanceof UnAuthException) { httpStatus = HttpStatus.UNAUTHORIZED; result = ResultBuilder.failed(ResultCode.UNAUTHORIZED.code, e.getMessage()); @@ -59,11 +62,13 @@ public class SystemExceptionHandler implements HandlerExceptionResolver { } else if (e instanceof JSONException) { result = ResultBuilder.failed(ResultCode.PARAM_ERROR.code, "参数异常,json格式非法:" + e.getMessage()); } else if (e instanceof ServletException) { + httpStatus = HttpStatus.INTERNAL_SERVER_ERROR; result = ResultBuilder.failed(e.getMessage()); } else if (e instanceof NoHandlerFoundException) { httpStatus = HttpStatus.NOT_FOUND; result = ResultBuilder.failed(ResultCode.NOT_FOUND.code, "接口 [" + ((NoHandlerFoundException) e).getRequestURL() + "] 不存在"); } else { + httpStatus = HttpStatus.INTERNAL_SERVER_ERROR; result = ResultBuilder.failed(ResultCode.INTERNAL_SERVER_ERROR.code, "接口 [" + request.getRequestURI() + "] 内部错误,请联系管理员"); if (handler != null && handler instanceof HandlerMethod) { HandlerMethod handlerMethod = (HandlerMethod) handler; @@ -78,10 +83,16 @@ public class SystemExceptionHandler implements HandlerExceptionResolver { } - public static boolean isJson(HttpServletRequest request) { + public static boolean isJson(HttpServletRequest request, Object handler) { + if (handler != null && handler instanceof HandlerMethod) { + HandlerMethod handlerMethod = (HandlerMethod) handler; + if (handlerMethod.hasMethodAnnotation(ResponseBody.class)) { + return true; + } + } String contentType = request.getHeader("Content-Type"); String accept = request.getHeader("Accept"); - if ((accept != null && accept.contains("json"))||(contentType != null && contentType.contains("json"))) { + if ((accept != null && accept.contains("json")) || (contentType != null && contentType.contains("json"))) { return true; } else { return false; diff --git a/src/main/java/com/taoyuanx/securitydemo/security/RateLimitAspect.java b/src/main/java/com/taoyuanx/securitydemo/security/RateLimitAspect.java index e873b2f..ff274a9 100644 --- a/src/main/java/com/taoyuanx/securitydemo/security/RateLimitAspect.java +++ b/src/main/java/com/taoyuanx/securitydemo/security/RateLimitAspect.java @@ -63,7 +63,7 @@ public class RateLimitAspect { if (type == null) { key = methodName; if (LOG.isDebugEnabled()) { - LOG.debug("限流策略未定义,采用[]限流策略", methodName, RateLimitType.METHOD); + LOG.debug("{}限流策略未定义,采用[{}]限流策略", methodName, RateLimitType.METHOD); } } else { switch (type) { @@ -79,7 +79,6 @@ public class RateLimitAspect { key = methodName; break; case SERVICE_KEY: - break; case GLOBAL: key = "global"; @@ -91,7 +90,7 @@ public class RateLimitAspect { } if (type.equals(RateLimitType.TOTAL_COUNT)) { if (!rateLimiter.tryCount(1, key, rateLimit.totalCount())) { - throw new LimitException("访问字数已达最大限制:" + rateLimit.totalCount() + ",请稍后再试"); + throw new LimitException("访问次数已达最大限制:" + rateLimit.totalCount() + ",请稍后再试"); } } else { if (!rateLimiter.tryAcquire(key, rateLimit.limit())) { diff --git a/src/main/java/com/taoyuanx/securitydemo/security/RateLimitType.java b/src/main/java/com/taoyuanx/securitydemo/security/RateLimitType.java index 4066288..8b66c38 100644 --- a/src/main/java/com/taoyuanx/securitydemo/security/RateLimitType.java +++ b/src/main/java/com/taoyuanx/securitydemo/security/RateLimitType.java @@ -8,8 +8,8 @@ package com.taoyuanx.securitydemo.security; public enum RateLimitType { IP(0, "IP限流"), METHOD(1, "方法名"), SERVICE_KEY(3, "业务自定义key"), - GLOBAL(4,"系统全局"), - TOTAL_COUNT(5,"总次数限制"); + GLOBAL(4, "系统全局"), + TOTAL_COUNT(5, "总次数限制"); private int code; private String desc; @@ -18,7 +18,7 @@ public enum RateLimitType { this.desc = desc; } - public static RateLimitType type(Integer code) { + public static RateLimitType type(Integer code) { if (code == null) { return null; } @@ -29,7 +29,6 @@ public enum RateLimitType { return METHOD; case 3: return SERVICE_KEY; - case 4: return GLOBAL; case 5: diff --git a/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/AbstractRateLimiter.java b/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/AbstractRateLimiter.java index 398f621..475d661 100644 --- a/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/AbstractRateLimiter.java +++ b/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/AbstractRateLimiter.java @@ -19,7 +19,8 @@ public abstract class AbstractRateLimiter { public boolean tryAcquire(String key, Double limit){ return doTryAcquire(1,key,limit); } - protected abstract boolean doTryAcquire(int permits, String key, Double limit); + + public abstract boolean doTryAcquire(int permits, String key, Double limit); /** * 增加资源访问次数 用户可自行持久化记录 diff --git a/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/GuavaRateLimiter.java b/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/GuavaRateLimiter.java index d3b017e..40c2bbf 100644 --- a/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/GuavaRateLimiter.java +++ b/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/GuavaRateLimiter.java @@ -24,7 +24,7 @@ public class GuavaRateLimiter extends AbstractRateLimiter { */ private BloomFilter TOTAL_LIMIT_ZERO_FLAG = BloomFilter.create(Funnels.stringFunnel(Charset.defaultCharset()), MAX_HOLDER_SIZE * 20); - protected boolean doTryAcquire(int permits, String key, Double limit) { + public boolean doTryAcquire(int permits, String key, Double limit) { //超过固定阈值,清空,重构 if (rateHolder.size() > MAX_HOLDER_SIZE) { rateHolder.clear(); diff --git a/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/RedisRateLimiter.java b/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/RedisRateLimiter.java index d8f8be7..807afc5 100644 --- a/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/RedisRateLimiter.java +++ b/src/main/java/com/taoyuanx/securitydemo/security/ratelimit/RedisRateLimiter.java @@ -1,6 +1,5 @@ package com.taoyuanx.securitydemo.security.ratelimit; -import com.sun.org.apache.xml.internal.utils.StringToIntTable; import com.taoyuanx.securitydemo.utils.StringIntUtil; import org.springframework.core.io.ClassPathResource; import org.springframework.data.redis.core.StringRedisTemplate; @@ -38,7 +37,7 @@ public class RedisRateLimiter extends AbstractRateLimiter { } @Override - protected boolean doTryAcquire(int permits, String key, Double limit) { + public boolean doTryAcquire(int permits, String key, Double limit) { String[] scriptArgs = {limit.longValue() + "", limit.longValue() + "", Instant.now().getEpochSecond() + "", permits + ""}; List results = redisTemplate.execute(this.tokenScript, getKeys(key), scriptArgs); return results.get(0) == 1L; @@ -47,9 +46,8 @@ public class RedisRateLimiter extends AbstractRateLimiter { @Override public boolean tryCount(int count, String key, Long totalCount) { - - String[] scriptArgs = {count + "", totalCount + "", StringIntUtil.toInt(key) +""}; - Long result = redisTemplate.execute(this.countScript, Arrays.asList(key,"zero_flag"), scriptArgs); + String[] scriptArgs = {count + "", totalCount + "", StringIntUtil.toInt(key) + ""}; + Long result = redisTemplate.execute(this.countScript, Arrays.asList(key, "zero_flag"), scriptArgs); return result >= 0; } diff --git a/src/test/java/com/taoyuanx/securitydemo/EsapiTest.java b/src/test/java/com/taoyuanx/securitydemo/EsapiTest.java new file mode 100644 index 0000000..bd903d2 --- /dev/null +++ b/src/test/java/com/taoyuanx/securitydemo/EsapiTest.java @@ -0,0 +1,73 @@ +package com.taoyuanx.securitydemo; + +import org.junit.Test; +import org.owasp.esapi.Authenticator; +import org.owasp.esapi.ESAPI; +import org.owasp.esapi.User; +import org.owasp.esapi.codecs.MySQLCodec; +import org.owasp.esapi.errors.AuthenticationException; +import org.owasp.esapi.errors.ValidationException; + +import java.util.Set; + +/** + * @author dushitaoyuan + * @desc esapi 测试 + * @date 2019/9/29 + *

+ * esapi开源地址:https://github.com/ESAPI/esapi-java-legacy 可惜文档较少,不过代码不难理解 + *

+ * api较多,可以参考example使用 + */ +public class EsapiTest { + @Test + public void userTest() throws AuthenticationException { + Authenticator instance = ESAPI.authenticator(); + String password = instance.generateStrongPassword(); + String u = "uuu1"; + User user = null; + if (!instance.exists(u)) { + user = instance.createUser(u, password, password); + } + user = instance.getUser(u); + user.addRole("role1"); + Set roles = user.getRoles(); + } + + @Test + public void scriptTest() throws AuthenticationException { + /** + * 转义javascript + */ + String safe = ESAPI.encoder().encodeForJavaScript(""); + System.out.println(safe); + + safe = ESAPI.encoder().encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD), "'1' or 1"); + System.out.println(safe); + /** + * 转义sql + */ + safe = ESAPI.encoder().encodeForSQL(new MySQLCodec(MySQLCodec.Mode.STANDARD), "'1' or 1"); + System.out.println(safe); + + } + + /** + * 参数校验 + * @throws AuthenticationException + * @throws ValidationException + */ + @Test + public void validationTest() throws AuthenticationException, ValidationException { + System.out.println(ESAPI.validator().isValidInput( + "email", "12345", "Email", + 200, false)); + + + System.out.println(ESAPI.validator().isValidInput( + "email", "192.168.10.1", "IPAddress", + 200, false)); + + + } +} diff --git a/src/test/resources/esapi/ESAPI-AccessControlPolicy.xml b/src/test/resources/esapi/ESAPI-AccessControlPolicy.xml new file mode 100644 index 0000000..4d2ca74 --- /dev/null +++ b/src/test/resources/esapi/ESAPI-AccessControlPolicy.xml @@ -0,0 +1,127 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/test/resources/esapi/ESAPI.properties b/src/test/resources/esapi/ESAPI.properties new file mode 100644 index 0000000..c40de81 --- /dev/null +++ b/src/test/resources/esapi/ESAPI.properties @@ -0,0 +1,497 @@ +# +# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version +# +# This file is part of the Open Web Application Security Project (OWASP) +# Enterprise Security API (ESAPI) project. For details, please see +# http://www.owasp.org/index.php/ESAPI. +# +# Copyright (c) 2008,2009 - The OWASP Foundation +# +# DISCUSS: This may cause a major backwards compatibility issue, etc. but +# from a name space perspective, we probably should have prefaced +# all the property names with ESAPI or at least OWASP. Otherwise +# there could be problems is someone loads this properties file into +# the System properties. We could also put this file into the +# esapi.jar file (perhaps as a ResourceBundle) and then allow an external +# ESAPI properties be defined that would overwrite these defaults. +# That keeps the application's properties relatively simple as usually +# they will only want to override a few properties. If looks like we +# already support multiple override levels of this in the +# DefaultSecurityConfiguration class, but I'm suggesting placing the +# defaults in the esapi.jar itself. That way, if the jar is signed, +# we could detect if those properties had been tampered with. (The +# code to check the jar signatures is pretty simple... maybe 70-90 LOC, +# but off course there is an execution penalty (similar to the way +# that the separate sunjce.jar used to be when a class from it was +# first loaded). Thoughts? +############################################################################### +# +# WARNING: Operating system protection should be used to lock down the .esapi +# resources directory and all the files inside and all the directories all the +# way up to the root directory of the file system. Note that if you are using +# file-based implementations, that some files may need to be read-write as they +# get updated dynamically. +# +#=========================================================================== +# ESAPI Configuration +# +# If true, then print all the ESAPI properties set here when they are loaded. +# If false, they are not printed. Useful to reduce output when running JUnit tests. +# If you need to troubleshoot a properties related problem, turning this on may help. +# This is 'false' in the src/test/resources/.esapi version. It is 'true' by +# default for reasons of backward compatibility with earlier ESAPI versions. +ESAPI.printProperties=true + +# ESAPI is designed to be easily extensible. You can use the reference implementation +# or implement your own providers to take advantage of your enterprise's security +# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: +# +# String ciphertext = +# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0 +# CipherText cipherText = +# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred +# +# Below you can specify the classname for the provider that you wish to use in your +# application. The only requirement is that it implement the appropriate ESAPI interface. +# This allows you to switch security implementations in the future without rewriting the +# entire application. +# +# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory +ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController +# FileBasedAuthenticator requires users.txt file in .esapi directory +ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor + +ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor +ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities +ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector +# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html +#ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory +ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory +# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set +# ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory +# and do whatever other normal SLF4J configuration that you normally would do for your application. +ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer +ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator + +#=========================================================================== +# ESAPI Authenticator +# +Authenticator.AllowedLoginAttempts=3 +Authenticator.MaxOldPasswordHashes=13 +Authenticator.UsernameParameterName=username +Authenticator.PasswordParameterName=password +# RememberTokenDuration (in days) +Authenticator.RememberTokenDuration=14 +# Session Timeouts (in minutes) +Authenticator.IdleTimeoutDuration=20 +Authenticator.AbsoluteTimeoutDuration=120 + +#=========================================================================== +# ESAPI Encoder +# +# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. +# Failure to canonicalize input is a very common mistake when implementing validation schemes. +# Canonicalization is automatic when using the ESAPI Validator, but you can also use the +# following code to canonicalize data. +# +# ESAPI.Encoder().canonicalize( "%22hello world"" ); +# +# Multiple encoding is when a single encoding format is applied multiple times. Allowing +# multiple encoding is strongly discouraged. +Encoder.AllowMultipleEncoding=false + +# Mixed encoding is when multiple different encoding formats are applied, or when +# multiple formats are nested. Allowing multiple encoding is strongly discouraged. +Encoder.AllowMixedEncoding=false + +# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs +# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or +# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + + +#=========================================================================== +# ESAPI Encryption +# +# The ESAPI Encryptor provides basic cryptographic functions with a simplified API. +# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor +# There is not currently any support for key rotation, so be careful when changing your key and salt as it +# will invalidate all signed, encrypted, and hashed data. +# +# WARNING: Not all combinations of algorithms and key lengths are supported. +# If you choose to use a key length greater than 128, you MUST download the +# unlimited strength policy files and install in the lib directory of your JRE/JDK. +# See http://java.sun.com/javase/downloads/index.jsp for more information. +# +# ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** +# To calculate these values, you can run: +# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor +# +Encryptor.MasterKey=12345678123456 +Encryptor.MasterSalt=123456781234567845678911 + +# Provides the default JCE provider that ESAPI will "prefer" for its symmetric +# encryption and hashing. (That is it will look to this provider first, but it +# will defer to other providers if the requested algorithm is not implemented +# by this provider.) If left unset, ESAPI will just use your Java VM's current +# preferred JCE provider, which is generally set in the file +# "$JAVA_HOME/jre/lib/security/java.security". +# +# The main intent of this is to allow ESAPI symmetric encryption to be +# used with a FIPS 140-2 compliant crypto-module. For details, see the section +# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in +# the ESAPI 2.0 Symmetric Encryption User Guide, at: +# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html +# However, this property also allows you to easily use an alternate JCE provider +# such as "Bouncy Castle" without having to make changes to "java.security". +# See Javadoc for SecurityProviderLoader for further details. If you wish to use +# a provider that is not known to SecurityProviderLoader, you may specify the +# fully-qualified class name of the JCE provider class that implements +# java.security.Provider. If the name contains a '.', this is interpreted as +# a fully-qualified class name that implements java.security.Provider. +# +# NOTE: Setting this property has the side-effect of changing it in your application +# as well, so if you are using JCE in your application directly rather than +# through ESAPI (you wouldn't do that, would you? ;-), it will change the +# preferred JCE provider there as well. +# +# Default: Keeps the JCE provider set to whatever JVM sets it to. +Encryptor.PreferredJCEProvider= + +# AES is the most widely used and strongest encryption algorithm. This +# should agree with your Encryptor.CipherTransformation property. +# Warning: This property does not control the default reference implementation for +# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped +# in the future. +# @deprecated +Encryptor.EncryptionAlgorithm=AES +# For ESAPI Java 2.0 - New encrypt / decrypt methods use this. +Encryptor.CipherTransformation=AES/CBC/PKCS5Padding + +# Applies to ESAPI 2.0 and later only! +# Comma-separated list of cipher modes that provide *BOTH* +# confidentiality *AND* message authenticity. (NIST refers to such cipher +# modes as "combined modes" so that's what we shall call them.) If any of these +# cipher modes are used then no MAC is calculated and stored +# in the CipherText upon encryption. Likewise, if one of these +# cipher modes is used with decryption, no attempt will be made +# to validate the MAC contained in the CipherText object regardless +# of whether it contains one or not. Since the expectation is that +# these cipher modes support support message authenticity already, +# injecting a MAC in the CipherText object would be at best redundant. +# +# Note that as of JDK 1.5, the SunJCE provider does not support *any* +# of these cipher modes. Of these listed, only GCM and CCM are currently +# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports +# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other +# padding modes. +Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC + +# Applies to ESAPI 2.0 and later only! +# Additional cipher modes allowed for ESAPI 2.0 encryption. These +# cipher modes are in _addition_ to those specified by the property +# 'Encryptor.cipher_modes.combined_modes'. +# Note: We will add support for streaming modes like CFB & OFB once +# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' +# (probably in ESAPI 2.1). +# DISCUSS: Better name? +Encryptor.cipher_modes.additional_allowed=CBC + +# Default key size to use for cipher specified by Encryptor.EncryptionAlgorithm. +# Note that this MUST be a valid key size for the algorithm being used +# (as specified by Encryptor.EncryptionAlgorithm). So for example, if AES is used, +# it must be 128, 192, or 256. If DESede is chosen, then it must be either 112 or 168. +# +# Note that 128-bits is almost always sufficient and for AES it appears to be more +# somewhat more resistant to related key attacks than is 256-bit AES.) +# +# Defaults to 128-bits if left blank. +# +# NOTE: If you use a key size > 128-bits, then you MUST have the JCE Unlimited +# Strength Jurisdiction Policy files installed!!! +# +Encryptor.EncryptionKeyLength=128 + +# This is the _minimum_ key size (in bits) that we allow with ANY symmetric +# cipher for doing encryption. (There is no minimum for decryption.) +# +# Generally, if you only use one algorithm, this should be set the same as +# the Encryptor.EncryptionKeyLength property. +Encryptor.MinEncryptionKeyLength=128 + +# Because 2.x uses CBC mode by default, it requires an initialization vector (IV). +# (All cipher modes except ECB require an IV.) There are two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While +# the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Also, random IVs are generally much more +# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes +# such as CFB and OFB use a different IV for each encryption with a given key so +# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random +# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and +# uncomment the Encryptor.fixedIV. +# +# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.3 +# 'fixed' is deprecated as of 2.2 +# and will be removed in 2.3. +Encryptor.ChooseIVMethod=random + + +# If you choose to use a fixed IV, then you must place a fixed IV here that +# is known to all others who are sharing your secret key. The format should +# be a hex string that is the same length as the cipher block size for the +# cipher algorithm that you are using. The following is an *example* for AES +# from an AES test vector for AES-128/CBC as described in: +# NIST Special Publication 800-38A (2001 Edition) +# "Recommendation for Block Cipher Modes of Operation". +# (Note that the block size for AES is 16 bytes == 128 bits.) +# +# @Deprecated -- fixed IVs are deprecated as of the 2.2 release and support +# will be removed in the next release (tentatively, 2.3). +# If you MUST use this, at least replace this IV with one +# that your legacy application was using. +Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f + +# Whether or not CipherText should use a message authentication code (MAC) with it. +# This prevents an adversary from altering the IV as well as allowing a more +# fool-proof way of determining the decryption failed because of an incorrect +# key being supplied. This refers to the "separate" MAC calculated and stored +# in CipherText, not part of any MAC that is calculated as a result of a +# "combined mode" cipher mode. +# +# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also +# set this property to false. That is because ESAPI takes the master key and +# derives 2 keys from it--a key for the MAC and a key for encryption--and +# because ESAPI is not itself FIPS 140-2 verified such intermediary aterations +# to keys from FIPS approved sources would have the effect of making your FIPS +# approved key generation and thus your FIPS approved JCE provider unapproved! +# More details in +# documentation/esapi4java-core-2.0-readme-crypto-changes.html +# documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html +# You have been warned. +Encryptor.CipherText.useMAC=true + +# Whether or not the PlainText object may be overwritten and then marked +# eligible for garbage collection. If not set, this is still treated as 'true'. +Encryptor.PlainText.overwrite=true + +# Do not use DES except in a legacy situations. 56-bit is way too small key size. +#Encryptor.EncryptionKeyLength=56 +#Encryptor.MinEncryptionKeyLength=56 +#Encryptor.EncryptionAlgorithm=DES + +# TripleDES is considered strong enough for most purposes. +# Note: There is also a 112-bit version of DESede. Using the 168-bit version +# requires downloading the special jurisdiction policy from Sun. +#Encryptor.EncryptionKeyLength=168 +#Encryptor.MinEncryptionKeyLength=112 +#Encryptor.EncryptionAlgorithm=DESede + +Encryptor.HashAlgorithm=SHA-512 +Encryptor.HashIterations=1024 +Encryptor.DigitalSignatureAlgorithm=SHA1withDSA +Encryptor.DigitalSignatureKeyLength=1024 +Encryptor.RandomAlgorithm=SHA1PRNG +Encryptor.CharacterEncoding=UTF-8 + +# This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function +# (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and +# *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for +# the MAC, mostly to keep the overall size at a minimum.) +# +# Currently supported choices for JDK 1.5 and 1.6 are: +# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and +# HmacSHA512 (512 bits). +# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though +# the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide +# further details. +Encryptor.KDF.PRF=HmacSHA256 +#=========================================================================== +# ESAPI HttpUtilties +# +# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods +# protect against malicious data from attackers, such as unprintable characters, escaped characters, +# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies, +# headers, and CSRF tokens. +# +# Default file upload location (remember to escape backslashes with \\) +HttpUtilities.UploadDir=C:\\ESAPI\\testUpload +HttpUtilities.UploadTempDir=C:\\temp +# Force flags on cookies, if you use HttpUtilities to set cookies +HttpUtilities.ForceHttpOnlySession=false +HttpUtilities.ForceSecureSession=false +HttpUtilities.ForceHttpOnlyCookies=true +HttpUtilities.ForceSecureCookies=true +# Maximum size of HTTP header key--the validator regex may have additional values. +HttpUtilities.MaxHeaderNameSize=256 +# Maximum size of HTTP header value--the validator regex may have additional values. +HttpUtilities.MaxHeaderValueSize=4096 +# Maximum size of JSESSIONID for the application--the validator regex may have additional values. +HttpUtilities.HTTPJSESSIONIDLENGTH=50 +# Maximum length of a URL (see https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers) +HttpUtilities.URILENGTH=2000 +# Maximum length of a redirect +HttpUtilities.maxRedirectLength=512 +# Maximum length for an http scheme +HttpUtilities.HTTPSCHEMELENGTH=10 +# Maximum length for an http host +HttpUtilities.HTTPHOSTLENGTH=100 +# Maximum length for an http path +HttpUtilities.HTTPPATHLENGTH=150 +#Maximum length for a context path +HttpUtilities.contextPathLength=150 +#Maximum length for an httpServletPath +HttpUtilities.HTTPSERVLETPATHLENGTH=100 +#Maximum length for an http query parameter name +HttpUtilities.httpQueryParamNameLength=100 +#Maximum length for an http query parameter -- old default was 2000, but that's the max length for a URL... +HttpUtilities.httpQueryParamValueLength=500 +# File upload configuration +HttpUtilities.ApprovedUploadExtensions=.pdf,.doc,.docx,.ppt,.pptx,.xls,.xlsx,.rtf,.txt,.jpg,.png +HttpUtilities.MaxUploadFileBytes=500000000 +# Using UTF-8 throughout your stack is highly recommended. That includes your database driver, +# container, and any other technologies you may be using. Failure to do this may expose you +# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization. +HttpUtilities.ResponseContentType=text/html; charset=UTF-8 +# This is the name of the cookie used to represent the HTTP session +# Typically this will be the default "JSESSIONID" +HttpUtilities.HttpSessionIdName=JSESSIONID +#Sets whether or not we will overwrite http status codes to 200. +HttpUtilities.OverwriteStatusCodes=true +#Sets the application's base character encoding. This is forked from the Java Encryptor property. +HttpUtilities.CharacterEncoding=UTF-8 + +#=========================================================================== +# ESAPI Executor +# CHECKME - This should be made OS independent. Don't use unsafe defaults. +# # Examples only -- do NOT blindly copy! +# For Windows: +# Executor.WorkingDirectory=C:\\Windows\\Temp +# Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe +# For *nux, MacOS: +# Executor.WorkingDirectory=/tmp +# Executor.ApprovedExecutables=/bin/bash +Executor.WorkingDirectory= +Executor.ApprovedExecutables= + + +#=========================================================================== +# ESAPI Logging +# Set the application name if these logs are combined with other applications +Logger.ApplicationName=ExampleApplication +# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true +Logger.LogEncodingRequired=false +# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. +Logger.LogApplicationName=true +# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. +Logger.LogServerIP=true +# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you +# want to place it in a specific directory. +Logger.LogFileName=ESAPI_logging_file +# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) +Logger.MaxLogFileSize=10000000 + + +#=========================================================================== +# ESAPI Intrusion Detection +# +# Each event has a base to which .count, .interval, and .action are added +# The IntrusionException will fire if we receive "count" events within "interval" seconds +# The IntrusionDetector is configurable to take the following actions: log, logout, and disable +# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable +# +# Custom Events +# Names must start with "event." as the base +# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here +# You can also disable intrusion detection completely by changing +# the following parameter to true +# +IntrusionDetector.Disable=false +# +IntrusionDetector.event.test.count=2 +IntrusionDetector.event.test.interval=10 +IntrusionDetector.event.test.actions=disable,log + +# Exception Events +# All EnterpriseSecurityExceptions are registered automatically +# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException +# Use the fully qualified classname of the exception as the base + +# any intrusion is an attack +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout + +# for test purposes +# CHECKME: Shouldn't there be something in the property name itself that designates +# that these are for testing??? +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout + +# rapid validation errors indicate scans or attacks in progress +# org.owasp.esapi.errors.ValidationException.count=10 +# org.owasp.esapi.errors.ValidationException.interval=10 +# org.owasp.esapi.errors.ValidationException.actions=log,logout + +# sessions jumping between hosts indicates session hijacking +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout + +#=========================================================================== +# ESAPI Validation +# +# The ESAPI Validator works on regular expressions with defined names. You can define names +# either here, or you may define application specific patterns in a separate file defined below. +# This allows enterprises to specify both organizational standards as well as application specific +# validation rules. +# +# Use '\p{L}' (without the quotes) within the character class to match +# any Unicode LETTER. You can also use a range, like: \u00C0-\u017F +# You can also use any of the regex flags as documented at +# https://docs.oracle.com/javase/tutorial/essential/regex/pattern.html, e.g. (?u) +# +Validator.ConfigurationFile=validation.properties + +# Validators used by ESAPI +Validator.AccountName=^[a-zA-Z0-9]{3,20}$ +Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ +Validator.RoleName=^[a-z0-9]{1,20}$ + +#the word TEST below should be changed to your application +#name - only relative URL's are supported +Validator.Redirect=^\\/test.*$ + +# Global HTTP Validation Rules +# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] +Validator.HTTPScheme=^(http|https)$ +Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ +Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +# Note that headerName and Value length is also configured in the HTTPUtilities section +Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$ +Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ +Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ +Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ +Validator.HTTPURL=^.*$ +Validator.HTTPJSESSIONID=^[A-Z0-9]{10,32}$ + + +# Contributed by Fraenku@gmx.ch +# Github Issue 126 https://github.com/ESAPI/esapi-java-legacy/issues/126 +Validator.HTTPParameterName=^[a-zA-Z0-9_\\-]{1,32}$ +Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$ +Validator.HTTPContextPath=^/[a-zA-Z0-9.\\-_]*$ +Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$ +Validator.HTTPURI=^/([a-zA-Z0-9.\\-_]*/?)*$ + + +# Validation of file related input +Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ +Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ + +# Validation of dates. Controls whether or not 'lenient' dates are accepted. +# See DataFormat.setLenient(boolean flag) for further details. +Validator.AcceptLenientDates=false diff --git a/src/test/resources/esapi/antisamy-esapi.xml b/src/test/resources/esapi/antisamy-esapi.xml new file mode 100644 index 0000000..14880d0 --- /dev/null +++ b/src/test/resources/esapi/antisamy-esapi.xml @@ -0,0 +1,492 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/test/resources/esapi/users.txt b/src/test/resources/esapi/users.txt new file mode 100644 index 0000000..b662819 --- /dev/null +++ b/src/test/resources/esapi/users.txt @@ -0,0 +1,4 @@ +# This is the user file associated with the ESAPI library from http://www.owasp.org +# accountId | accountName | hashedPassword | roles | locked | enabled | csrfToken | oldPasswordHashes | lastPasswordChangeTime | lastLoginTime | lastFailedLoginTime | expirationTime | failedLoginCount + +1796576143730101883 | uuu1 | idNZxxHXBaDpKFXw3vHH09ScBjeYEEBK1hOMn7AuxkJnKXFwJ2ijS/m7bm5rj82S8pZzPkbhdgd4qvMey4Y92A== | | unlocked | disabled | | unknown | 0 | 0 | 0 | 9223372036854775807 | 0 diff --git a/src/test/resources/esapi/validation.properties b/src/test/resources/esapi/validation.properties new file mode 100644 index 0000000..dd24e46 --- /dev/null +++ b/src/test/resources/esapi/validation.properties @@ -0,0 +1,29 @@ +# The ESAPI validator does many security checks on input, such as canonicalization +# and whitelist validation. Note that all of these validation rules are applied *after* +# canonicalization. Double-encoded characters (even with different encodings involved, +# are never allowed. +# +# To use: +# +# First set up a pattern below. You can choose any name you want, prefixed by the word +# "Validation." For example: +# Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ +# +# Then you can validate in your code against the pattern like this: +# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull); +# Where maxLength and allowNull are set for you needs, respectively. +# +# But note, when you use boolean variants of validation functions, you lose critical +# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and +# and use the returned user input which is in canonical form. Consider the following: +# +# try { +# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull)); +# +Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$ +Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ +Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ +Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&;%\\$#_]*)?$ +Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ +Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ + diff --git a/src/test/resources/esapi/waf-policies/add-header-policy.xml b/src/test/resources/esapi/waf-policies/add-header-policy.xml new file mode 100644 index 0000000..0a48ed2 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/add-header-policy.xml @@ -0,0 +1,29 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + /marketing/.* + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/add-httponly-policy.xml b/src/test/resources/esapi/waf-policies/add-httponly-policy.xml new file mode 100644 index 0000000..4420e6c --- /dev/null +++ b/src/test/resources/esapi/waf-policies/add-httponly-policy.xml @@ -0,0 +1,27 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/add-secure-policy.xml b/src/test/resources/esapi/waf-policies/add-secure-policy.xml new file mode 100644 index 0000000..80067da --- /dev/null +++ b/src/test/resources/esapi/waf-policies/add-secure-policy.xml @@ -0,0 +1,27 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/authentication-policy.xml b/src/test/resources/esapi/waf-policies/authentication-policy.xml new file mode 100644 index 0000000..5a77e6c --- /dev/null +++ b/src/test/resources/esapi/waf-policies/authentication-policy.xml @@ -0,0 +1,30 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + > + + + + /index.html + /images/.* + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/bean-shell-policy.xml b/src/test/resources/esapi/waf-policies/bean-shell-policy.xml new file mode 100644 index 0000000..76711c8 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/bean-shell-policy.xml @@ -0,0 +1,30 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/bean-shell-rule.bsh b/src/test/resources/esapi/waf-policies/bean-shell-rule.bsh new file mode 100644 index 0000000..08c8424 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/bean-shell-rule.bsh @@ -0,0 +1,5 @@ +import org.owasp.esapi.waf.actions.*; + +session.setAttribute("simple_waf_test", "true"); + +action = new RedirectAction(); \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/detect-outbound-policy.xml b/src/test/resources/esapi/waf-policies/detect-outbound-policy.xml new file mode 100644 index 0000000..ac756ae --- /dev/null +++ b/src/test/resources/esapi/waf-policies/detect-outbound-policy.xml @@ -0,0 +1,27 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/dynamic-insertion-policy.xml b/src/test/resources/esapi/waf-policies/dynamic-insertion-policy.xml new file mode 100644 index 0000000..5b0926c --- /dev/null +++ b/src/test/resources/esapi/waf-policies/dynamic-insertion-policy.xml @@ -0,0 +1,27 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/enforce-https-policy.xml b/src/test/resources/esapi/waf-policies/enforce-https-policy.xml new file mode 100644 index 0000000..beb8851 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/enforce-https-policy.xml @@ -0,0 +1,28 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + /index.html + /images/.* + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/must-match-policy.xml b/src/test/resources/esapi/waf-policies/must-match-policy.xml new file mode 100644 index 0000000..af26fc4 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/must-match-policy.xml @@ -0,0 +1,35 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/replace-outbound-policy.xml b/src/test/resources/esapi/waf-policies/replace-outbound-policy.xml new file mode 100644 index 0000000..5b0926c --- /dev/null +++ b/src/test/resources/esapi/waf-policies/replace-outbound-policy.xml @@ -0,0 +1,27 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/restrict-content-type-policy.xml b/src/test/resources/esapi/waf-policies/restrict-content-type-policy.xml new file mode 100644 index 0000000..b766f19 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/restrict-content-type-policy.xml @@ -0,0 +1,27 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + /fileupload.jsp + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/restrict-extension-policy.xml b/src/test/resources/esapi/waf-policies/restrict-extension-policy.xml new file mode 100644 index 0000000..a572bd4 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/restrict-extension-policy.xml @@ -0,0 +1,25 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/restrict-method-policy.xml b/src/test/resources/esapi/waf-policies/restrict-method-policy.xml new file mode 100644 index 0000000..c1eb5a3 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/restrict-method-policy.xml @@ -0,0 +1,25 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/restrict-source-ip-policy.xml b/src/test/resources/esapi/waf-policies/restrict-source-ip-policy.xml new file mode 100644 index 0000000..72860a7 --- /dev/null +++ b/src/test/resources/esapi/waf-policies/restrict-source-ip-policy.xml @@ -0,0 +1,27 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + /admin/.* + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/restrict-user-agent-policy.xml b/src/test/resources/esapi/waf-policies/restrict-user-agent-policy.xml new file mode 100644 index 0000000..c550a2c --- /dev/null +++ b/src/test/resources/esapi/waf-policies/restrict-user-agent-policy.xml @@ -0,0 +1,26 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + /index.html + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policies/virtual-patch-policy.xml b/src/test/resources/esapi/waf-policies/virtual-patch-policy.xml new file mode 100644 index 0000000..8b989dd --- /dev/null +++ b/src/test/resources/esapi/waf-policies/virtual-patch-policy.xml @@ -0,0 +1,27 @@ + + + + + + + + redirect + + /security/error.jsp + 403 + + + + + + + + \ No newline at end of file diff --git a/src/test/resources/esapi/waf-policy.xsd b/src/test/resources/esapi/waf-policy.xsd new file mode 100644 index 0000000000000000000000000000000000000000..4287e792b508ce0b8010b83473965465fca10b2d GIT binary patch literal 20582 zcmeHPOK;mo5ZD^6OVhagQ3EqdzX&>nh~Ejbo!%dSj2PJevc`M6rl?0ZRZ zN!Bog#ECfM&f}ZsF8$BH>b?4?p45%HRtxp0Hfpc#)mGiAo%&wAQg793^@e^f=*mu= z)Awt-x>KLps}HJC7ivjV-x1A6^+A2DzM>~S(KFWS9sPZ-F6qu2wW24ih`OQYZ`GN? zog4KNJ#SA}f24n3(Deu6qB%Tyr~ab?wFn zYNs2Y;1BlKnD;q#uTRM<{HJOC4W0q~z~i(pFG*MMuCTVt?z3f!={ja3M3Me>I3vzi zWcejo91-Q3J}H@U^i#@W?1bpCReyK1Qu?kb<$^z^t>RNm$uDrUqO5|Pm%>tvZc5%C z2|0W6Zk-{Q6yxFRI@|hDDos759Jg)EI-@-GK;FGh+95?dybSLtT5%l{%X*S3oNaYY zgsg+w$j*@AJM8>iCN-~OuW(Gh4(C(YiS1>oGFiXCr(j9xH-3iqX`~IiWs2iD)ivId zaJZuw_Jz2=pr0$M?&6%s@0m^#*jradn*tfa)Z=r%CXH(Zp=w!DY(o`}xNPbd*9!SN zrjP=)BJ|&o4DfB#VYJF@wD>r(TudMSpG`lDC zjJ4in;Yw1jF))^k3OS_3Jp@@&VlvgM?#UYHp;zS7+_Ss32~#nLc8{*JbV-F_=kpwL zr}v!~1oI@vR6@Bt%W=}Sb{fAnZ3@ANXSeE#^6JL(bb0MLptXKn3TrH8!<@&O%Gr%4 zv5Yrv3^oWhQ_xU_%&3X!;04Eeeh3?vRxI^#%(mq@NL^d@?bCElxumKZb8KW`uJv5M zF|;hnIGOhtKei)zE@C`VC2~zT@?&{P%;>h3(Wa~A;a93rxpeU%=%rsTR61R&5gq$_ zRGeqm(s9b;J*|O!;t@rf7 zT(6&e^${zlrgB#zkJn?WtiEvsUGF{3M}V8q+$%miDZi5?_cOWeOKuM|oK(7M!#lZbqx3P)lr)77@l(Rb-b)G{+ttMlW?L3IzaX8B4PL%Xv{sL z=aLyyaf4AUCtT<~O+5aAEX(r}NiXm4v+shY?fN|!oMH!_ z#5yOHTMZE!Q|nDTVSnn4^scM=y>nQT<@@i*aM6h_%}T04gtSO z0@Z{*H-Z=+I+dgA4W=C4Qsq8`b5Xa%?-ij<*A{pK*WdkOy5YH%h?x>sn8f0&n2r!E zXALBUV@JM^U>@DL##fkge>ONjT{E|=XE|Re={xP-+V5&>Pb5rSaBX5LZF8Q?#BdW? zr<#9A6!_X=JLotvw;6z`o#%xd=n6QL*v)lVO{YngL5*3d)Qa}Zr^KJ+lk4Pg^*uVOSM^#nYc zD2?h(_Y`5t4V{kW=4tRs{o!|`F`IaxF3Rkbn5Xhy1}aImrmfAs&vWa`VV;UQ5pSqV zdxJyi9bql9h9qssa!lFply8^bj@ObnkX)fRthN6kwK&)KEV~)wTk`j)J%7E~c;(;x G_u)V2UnNTb literal 0 HcmV?d00001 diff --git a/src/test/resources/logback.xml b/src/test/resources/logback.xml new file mode 100644 index 0000000..50df288 --- /dev/null +++ b/src/test/resources/logback.xml @@ -0,0 +1,41 @@ + + + + + + + + + %d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{50} - + %msg%n + + + + + + + ${LOG_HOME}/cert.log.%d{yyyy-MM-dd}.log + + + 30 + + + + %d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{50} - + %msg%n + + + + + 10MB + + + + + + + + + \ No newline at end of file