Friday, September 04, 2009

OWASP Enterprise Security API (ESAPI)

OWASP maintains a web application security framework called the Enterprise Security API (ESAPI) ( http://www.owasp.org/index.php/ESAPI ). It is both a security framework and a library of security utilities.
With it you can do authentication, authorization, CSRF protection, XSS protection (input validation plus output encoding) and much more. A sample application and the API docs are available on the site, but there is no other detailed documentation on usage. I will write another blog on the usage in detail.
The following are a few of the key classes and methods. All of them are interfaces in the package below; you obtain the configured implementation through the static locator class ESAPI (for example ESAPI.encoder()).
package org.owasp.esapi
For authentication
class Authenticator
   login()
   logout()
For authorization
class AccessController
   assertAuthorizedForURL(String url)
For XSS protection (Validator whitelists input; Encoder is the actual defence, applied when data is written into the page)
class Validator
   assertValidHTTPRequestParameterSet(String context, HttpServletRequest request, Set required, Set optional)
   isValidString(String input)
class Encoder
   encodeForHTML(String input)
For CSRF protection
class HTTPUtilities
   addCSRFToken(String href)
   verifyCSRFToken()
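To show how the pieces above fit together in one request, here is an added example: a hypothetical "update profile" servlet written against the ESAPI 2.x Java API. It is not code from the ESAPI project or from the original post. It assumes an ESAPI.properties on the classpath with a configured user store and the default validation patterns (Validator.SafeString, Validator.Email), and it uses ESAPI's "current request" convenience methods (setCurrentHTTP / clearCurrent). The servlet path and parameter names are made up; the validator call used is getValidInput, the whitelist-pattern method in current ESAPI, rather than the isValidString listed above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Hypothetical servlet (added example, not ESAPI project code) that chains
// authentication, authorization, CSRF check, input validation and output
// encoding. Assumes ESAPI.properties is configured with a user store and the
// default SafeString / Email validation regexes.
public class ProfileServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The no-arg methods login() and verifyCSRFToken() operate on the
        // "current" request/response, which must be registered on this thread.
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            // Authentication: uses the User already bound to the session, else a
            // remember-me token, else the username/password parameters. Throws
            // AuthenticationException when none of these succeeds.
            User user = ESAPI.authenticator().login();

            // Authorization: the requested URL must be permitted for this user's
            // roles by the configured URL access rules, otherwise an exception.
            ESAPI.accessController().assertAuthorizedForURL(request.getRequestURI());

            // CSRF: the token that addCSRFToken() appended to the form action
            // (see renderForm) must come back with this POST.
            ESAPI.httpUtilities().verifyCSRFToken();

            // Validation step 1: reject requests carrying unexpected or missing
            // parameters. "ctoken" is ESAPI's CSRF token parameter name;
            // username/password are allowed so the login form can post here too.
            Set<String> required = new HashSet<String>();
            required.add("displayName");
            required.add("email");
            Set<String> optional = new HashSet<String>();
            optional.add("ctoken");
            optional.add("username");
            optional.add("password");
            ESAPI.validator().assertValidHTTPRequestParameterSet(
                    "ProfileServlet.doPost", request, required, optional);

            // Validation step 2: whitelist each value against a named regex from
            // ESAPI.properties (Validator.SafeString, Validator.Email) with a max
            // length; the returned value is canonicalized (double-encoding undone).
            String displayName = ESAPI.validator().getValidInput(
                    "displayName", request.getParameter("displayName"), "SafeString", 50, false);
            String email = ESAPI.validator().getValidInput(
                    "email", request.getParameter("email"), "Email", 254, false);

            // ... persist displayName and email for user here ...

            // Output encoding: even validated data is HTML-encoded before being
            // written into the page, so "<b>x</b>" renders as literal text.
            out.println("<p>Updated profile for "
                    + ESAPI.encoder().encodeForHTML(user.getAccountName())
                    + ": " + ESAPI.encoder().encodeForHTML(displayName)
                    + " &lt;" + ESAPI.encoder().encodeForHTML(email) + "&gt;</p>");
        } catch (AuthenticationException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (ValidationException e) {
            // ESAPI keeps a safe user message separate from the detailed log message.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getUserMessage());
        } catch (IntrusionException e) {
            // Raised for a missing/bad CSRF token or an attack pattern in the input.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } finally {
            ESAPI.httpUtilities().clearCurrent();
        }
    }

    // Builds the form. addCSRFToken appends the session's CSRF token to the
    // action URL as a query parameter so verifyCSRFToken() can check it later;
    // the URL is attribute-encoded before being placed in the markup.
    static String renderForm(String actionPath) {
        String action = ESAPI.httpUtilities().addCSRFToken(actionPath);
        return "<form method=\"post\" action=\""
                + ESAPI.encoder().encodeForHTMLAttribute(action) + "\">"
                + "<input name=\"displayName\"><input name=\"email\">"
                + "<button>Save</button></form>";
    }
}
```

Two points worth noting from the example: the parameter-set assertion must list the CSRF token parameter (and any login parameters) as optional, or the check itself will reject legitimate requests; and the Validator call does not replace the Encoder call, since a value that passes a whitelist regex can still need encoding for the context it is written into.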


I will write a detailed blog later.
