ESAPI ( XSS, Sql Injection )
OWASP's ESAPI is an API for defending against XSS and SQL injection.
[link]
https://www.owasp.org/index.php/Main_Page
[youtube]
http://www.youtube.com/watch?v=suphwAsb-To
http://www.youtube.com/watch?v=13O9RyjuB3o
http://www.youtube.com/watch?v=_B2kv2mSJhE
http://www.youtube.com/watch?v=mMW4fiUI5kQ
1. Add the dependency (Maven coordinates):
groupId: org.owasp.esapi
artifactId: esapi
version: 2.0.1
https://mvnrepository.com/artifact/org.owasp.esapi/esapi
2. Create an ESAPI.properties file with the following content and put it on the classpath.
Authenticator.UsernameParameterName=userName
Authenticator.PasswordParameterName=password
ESAPI.Authenticator=com.esapi.authenticator.CustomAuthenticator
Authenticator.IdleTimeoutDuration=100000
Authenticator.AbsoluteTimeoutDuration=100000
Test code
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.OracleCodec;

public class EsapiTest {
    public static void main(String[] args) {
        // XSS: HTML-encode untrusted input before writing it into an HTML body,
        // so the <script> tag is rendered as text instead of being executed.
        String a = "<script>alert('dddd')</script>";
        String b = ESAPI.encoder().encodeForHTML(a);
        System.out.println("encoded=" + b);

        // SQL injection: escape quote characters for the target database.
        // OracleCodec doubles single quotes, so "airlee' or 1=1" becomes "airlee'' or 1=1".
        // Note: the ESAPI Encoder documentation recommends PreparedStatement (bound
        // parameters) over encodeForSQL; escaping is a fallback when binding is impossible.
        String username = "airlee' or 1=1";
        String password = "pppp";
        Codec ORACLE_CODEC = new OracleCodec();
        String query = "SELECT user_id FROM user_data WHERE user_name = '"
                + ESAPI.encoder().encodeForSQL(ORACLE_CODEC, username) + "' and user_password = '"
                + ESAPI.encoder().encodeForSQL(ORACLE_CODEC, password) + "'";
        System.out.println("query=" + query);
    }
}
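As an added example (my own code, not from the original post or the ESAPI project), the same login query rewritten with a JDBC PreparedStatement, which the ESAPI Encoder documentation recommends over encodeForSQL, followed by the ESAPI encoders for the different HTML output contexts. The class and method names are assumptions; authenticate() needs a JDBC Connection supplied by the caller, and ESAPI.encoder() still needs ESAPI.properties on the classpath as described above.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

public class EsapiContextualDefense {

    // Constructed sample inputs, the same values the post's test code uses.
    static final String USERNAME = "airlee' or 1=1";
    static final String XSS = "<script>alert('dddd')</script>";

    // Preferred SQL injection defence: bind the value instead of escaping it into
    // the query text. The driver sends "airlee' or 1=1" as data, never as SQL,
    // so no codec-specific escaping (OracleCodec, MySQLCodec, ...) is needed.
    static boolean authenticate(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT user_id FROM user_data WHERE user_name = ? AND user_password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // true only if a matching row exists
            }
        }
    }

    // XSS defence: the encoder must match the context the value lands in.
    // encodeForHTML alone is wrong inside an attribute, a <script> block or a URL.
    static String renderProfile(String name) throws EncodingException {
        Encoder enc = ESAPI.encoder();
        return "<p>Hello, " + enc.encodeForHTML(name) + "</p>\n"                    // HTML body
             + "<input value=\"" + enc.encodeForHTMLAttribute(name) + "\">\n"        // attribute
             + "<script>var who = '" + enc.encodeForJavaScript(name) + "';</script>\n" // JS string
             + "<a href=\"/profile?u=" + enc.encodeForURL(name) + "\">me</a>";        // URL query
    }

    public static void main(String[] args) throws EncodingException {
        // Each line shows the same payload neutralised for its own context.
        System.out.println(renderProfile(XSS));
        System.out.println(renderProfile(USERNAME));
        // authenticate(conn, USERNAME, "pppp") would return false against a real
        // user_data table, because the injected "or 1=1" stays inside the bound value.
    }
}
```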