php/ESAPI Design Patterns
OWASP ESAPI Design Patterns

This document explores three common OWASP Enterprise Security API (ESAPI) design patterns. It is intended to be language independent, i.e., the patterns described in this document are applicable to all language versions of ESAPI. OWASP ESAPI Toolkits are designed to ensure that strong simple security controls are available to every developer in every environment.

We'd Like to Hear from You

Further development of ESAPI occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. Please address comments and questions concerning the API and this document to the ESAPI mail list, owaspesapi@lists.owasp.org

Copyright and License

Copyright 2009 The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.
Table of Contents

- About ESAPI
- The Built-In Singleton Pattern
- The Extended Singleton Pattern
- The Extended Factory Pattern
- Where to Go From Here

Figures

- Figure 1: How ESAPI works out of the box
- Figure 2: Built-In Singleton Pattern Example
- Figure 3: Extended Singleton Pattern Example
- Figure 4: Extended Factory Pattern Example
About ESAPI
OWASP ESAPI Toolkits are designed to ensure that strong simple security controls are available to every developer in every environment. All OWASP ESAPI versions are called in the same basic way, as depicted in the figure below.
Figure 1: How ESAPI works out of the box

Allowing for language specific differences, all OWASP ESAPI versions have the same basic design:

- There is a set of security control interfaces. There is no application logic contained in these interfaces. They define, for example, the types of parameters that are passed to the types of security controls. There is no proprietary information or logic contained in these interfaces.
- There is a reference implementation for each security control. There is application logic contained in these classes, i.e. contained in these interface implementations. However, the logic is not organization specific and the logic is not application specific. There is no proprietary information or logic contained in these reference implementation classes. An example: string based input validation.
- There are optionally your own implementations for each security control. There may be application logic contained in these classes which may be developed by or for your organization. The logic may be organization specific and/or application specific. There may be proprietary information or logic contained in these classes which may be developed by or for your organization. An example: enterprise authentication.
Developers would call ESAPI in this example as follows:
    ...
    $ESAPI = new ESAPI();
    $myauthenticator = new MyAuthenticator();
    // register with locator class
    ESAPI::setAuthenticator($myauthenticator);
    $authenticator = ESAPI::getAuthenticator();
    $authenticator->login(...);   // use your implementation
    ...
The UML for the above example is in the figure below.
Figure 2: Built-In Singleton Pattern Example
Developers would call ESAPI in this example as follows:
    ...
    $ESAPI = new ESAPI();
    $validator = ESAPI::getValidator();
    $validator->isValidEmployeeID(1234);
    ...
The UML for the above example is in the figure below.
Figure 3: Extended Singleton Pattern Example (UML: your implementation, which has additional and/or perhaps changed functions compared to the reference implementation, implements the ESAPI interface)
Pros of taking this approach are the lessening of the need for developers to understand how to call ESAPI functions with the specific parameters required by your organization and/or application. Pros also include minimizing or eliminating the ability for developers to call ESAPI functions that deviate from your organization's and/or application's policies.

Cons result from the tight coupling between ESAPI and your own implementations: you will need to maintain both the modified security control reference implementations and the modified security control interfaces (as new versions of ESAPI are released over time).
In the new security control class interface:
    ...
    // new interface
    interface Adapter {
        function getValidEmployeeID($eid);
        function isValidEmployeeID($eid);
    }
In the new security control class:
    ...
    require_once dirname(__FILE__) . '/../Adapter.php';

    // new class with your implementation
    class MyAdapter implements Adapter {

        // for your new interface
        function getValidEmployeeID($eid) {
            // calls reference implementation
            $val = ESAPI::getValidator();
            // calls using hardcoded parameters and returns the validated value
            return $val->getValidInput(
                "My Organization's Employee ID",
                $eid,
                "EmployeeID",   // regex defined in ESAPI config
                4,              // maximum length
                false           // null/empty input not allowed
            );
        }

        // for your new interface
        function isValidEmployeeID($eid) {
            try {
                $this->getValidEmployeeID($eid);
                return true;
            } catch (Exception $e) {
                return false;
            }
        }
    }
Developers would call ESAPI in this example as follows:
    ...
    $ESAPI = new ESAPI();
    $adapter = ESAPI::getAdapter();
    $adapter->isValidEmployeeID(1234);
    ...
    // no other ESAPI controls called directly
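An added, self-contained example (not code from this document or the ESAPI project) that shows the Extended Factory Pattern above together with the locator registration used in the Built-In Singleton example: the adapter fixes the context, type, maximum length and null policy of the validation call, so a caller cannot pass parameters that deviate from the organization's rule, which is the first of the pros listed earlier. Locator, ReferenceValidator and its EmployeeID regex are stand-ins I assume here so the script runs without an ESAPI install.

```php
<?php
// Added example, not from the OWASP ESAPI document or project. Locator and
// ReferenceValidator are assumed stand-ins for ESAPI's locator and Validator.
class ReferenceValidator {
    // Constructed stand-in for the regex normally read from the ESAPI config.
    private $patterns = array('EmployeeID' => '/^[0-9]+$/');
    function getValidInput($context, $input, $type, $maxLength, $allowNull) {
        if ($input === null || $input === '') {
            if ($allowNull) { return null; }
            throw new Exception("$context: value required");
        }
        $input = (string) $input;
        if (strlen($input) > $maxLength) {
            throw new Exception("$context: longer than $maxLength characters");
        }
        if (!preg_match($this->patterns[$type], $input)) {
            throw new Exception("$context: does not match the $type pattern");
        }
        return $input;
    }
}
interface Adapter {
    function getValidEmployeeID($eid);
    function isValidEmployeeID($eid);
}
// The adapter pins context, type, max length and null policy, so callers
// cannot pass parameters that deviate from the organization's rule.
class MyAdapter implements Adapter {
    function getValidEmployeeID($eid) {
        return Locator::getValidator()->getValidInput(
            "My Organization's Employee ID", $eid, 'EmployeeID', 4, false);
    }
    function isValidEmployeeID($eid) {
        try { $this->getValidEmployeeID($eid); return true; }
        catch (Exception $e) { return false; }
    }
}
// Stand-in locator: the setter registers your implementation (as with
// ESAPI::setAuthenticator()); getters lazily fall back to the default class.
class Locator {
    private static $validator = null, $adapter = null;
    static function getValidator() { return self::$validator ?: (self::$validator = new ReferenceValidator()); }
    static function setAdapter($a) { self::$adapter = $a; }
    static function getAdapter() { return self::$adapter ?: (self::$adapter = new MyAdapter()); }
}
Locator::setAdapter(new MyAdapter()); // register once, at application start-up
foreach (array(1234, 12345, '12a4', '') as $eid) { // constructed sample inputs
    $ok = Locator::getAdapter()->isValidEmployeeID($eid);
    printf("%-7s %s\n", var_export($eid, true), $ok ? 'valid' : 'rejected');
}
```

The over-long, non-numeric and empty inputs are rejected by the policy the adapter hardcodes, without the calling code ever touching the ESAPI Validator parameters.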
The UML for the above example is in the figure below.
Where to Go From Here

Similarly, the following Web sites are most likely to be useful to users/adopters of ESAPI:

- OWASP, http://www.owasp.org
- MITRE Common Weakness Enumeration Vulnerability Trends, http://cwe.mitre.org/documents/vulntrends.html
- PCI Security Standards Council, publishers of the PCI standards, relevant to all organizations processing or holding credit card data, https://www.pcisecuritystandards.org
- PCI Data Security Standard (DSS) v1.1, https://www.pcisecuritystandards.org/pdfs/pci_dss_v11.pdf