Architecture overview pictures: esapi4java pictures.pptx
ESAPI Pictures For Javadoc

[Figure: Architecture Overview]
Custom Enterprise Web Application
  -> Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration
  -> Existing Enterprise Security Services / Libraries

[Figure: OWASP Top Ten Coverage]
  OWASP Top Ten                              OWASP ESAPI
  A1.  Cross Site Scripting (XSS)            Validator, Encoder
  A2.  Injection Flaws                       Encoder
  A3.  Malicious File Execution              HTTPUtilities (upload)
  A4.  Insecure Direct Object Reference      AccessReferenceMap
  A5.  Cross Site Request Forgery (CSRF)     User (csrf token)
  A6.  Leakage and Improper Error Handling   EnterpriseSecurityException, HTTPUtils
  A7.  Broken Authentication and Sessions    Authenticator, User, HTTPUtils
  A8.  Insecure Cryptographic Storage        Encryptor
  A9.  Insecure Communications               HTTPUtilities (secure cookie, channel)
  A10. Failure to Restrict URL Access        AccessController

[Figure: Enforcing Access Control]
Layers shown: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend; Roles
Checks: isAuthorizedForURL(), isAuthorizedForFunction(), isAuthorizedForService(), isAuthorizedForData(), isAuthorizedForFile()

[Figure: Handling Authentication and Identity]
Layers shown: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend
ESAPI services: Access Control, Logging, Intrusion Detection, Authentication, Users

[Figure: Handling Direct Object References]
Layers shown: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend
Direct references in the example: Report123.xls, Acct:9182374
AccessReferenceMap: getIndirectReference(), getDirectReference()

[Figure: Decoding / Encoding Untrusted Data]
Layers shown: User, Presentation Layer, Controller, Business Functions, Data Layer, Backend
Encode for the presentation layer: encodeForHTML(), encodeForHTMLAttribute(), encodeForJavaScript(), encodeForCSS(), encodeForURL()
Encode for back-end interpreters: encodeForSQL(), encodeForLDAP(), encodeForXML(), encodeForXPath(), encodeForOS()
Encoding Engine codecs: HTMLEntityCodec, PercentCodec, JavaScriptCodec, VBScriptCodec, CSSCodec, …
Also shown: Validation Engine, Decoding Engine

[Figure: Validation]
Validate: getValidDate(), getValidCreditCard(), getValidInput(), getValidNumber(), … Vali