A previous post from last year introduced a grand project that I was about to begin. After much analysis and searching I found a great solution that would secure my Java (JEE) application against XSS and SQLi attacks.
OWASP – The Open Web Application Security Project offers the Enterprise Security API in order to aid me in my endeavor to make my application more robust and immune to the constant hacker threats that exist out there in cyberspace.
First, download the appropriate download for your web application architecture. Here we will show the example in Java.
Here we have downloaded the esapi-2.0.1-dist zip archive. The built esapi-2.0.1.jar is ready to be placed in our own web application. Also, grab the basic properties files that are needed in order to get basic ESAPI security service running within your app.
I grabbed mine in the src\test\resources\esapi directory.
Copy the ESAPI.properties and validation.properties files as shown above. These should be placed in your java web application classpath.
After placing the jar and properties files in their respective locations of your web app, reload your web application and similar logging should be visible during the deployment process.
Notice, that right out of the box the esapi-2.0.1.jar is attempting to initialize the two properties files that we place in our java app classpath. It seems that ESAPI is smart enough to attempt to locate the properties files in different locations on your computer.
Not found in ‘org.owasp.esapi.resources’ directory or file not readable: C:\Program Files\Apache Software Foundation\Tomcat\apache-tomcat-7.0.39-GA-8104\bin\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in ‘user.home’ (C:\Users\u0105457) directory: C:\Users\u0105457\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from ‘/ (root)’ using current thread context class loader!
ESAPI looks in the server bin path, the SystemResource directory, the user home directory, and finally ESAPI.properties was loaded via the classpath. One out of four ain’t bad right?
The same search happens for the validation.properties file as well.
Now that ESAPI is setup, we can start using it in order to secure our application.
Begin by brushing up on the ESAPI javadocs.
In following posts, we shall dive into configuring ESAPI.properties and validation.properties to suit our needs.
Also, we shall get acclimated with the most useful methods to use in our fight against XSS.
See you then…