# Properties file for OWASP Enterprise Security API (ESAPI) # You can find more information about ESAPI at http://www.owasp.org/esapi # # Authentication RememberTokenDuration=14 AllowedLoginAttempts=3 MaxOldPasswordHashes=13 UsernameParameterName=username PasswordParameterName=password # Encryption MasterPassword=owasp1 MasterSalt=testtest # Validation # # The ESAPI validator does many security checks on input, such as canonicalization # and whitelist validation. Note that all of these validation rules are applied *after* # canonicalization. Double-encoded characters (even with different encodings involved, # are never allowed. # # To use: # # First set up a pattern below. You can choose any name you want, prefixed by the word # "Validator." For example: # Validator.email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ # # Then you can validate in your code against the pattern like this: # ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull); # Where maxLength and allowNull are set for you needs, respectively. # # But note, when you use boolean variants of validation functions, you lose critical # canonicalization. It is preferable to use the "get" methods (which throw exceptions) and # and use the returned user input which is in canonical form. Consider the following: # # try { # someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull)); # Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$ Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$ Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ # Validators used by ESAPI Validator.AccountName=^[a-zA-Z0-9]{3,20}$ Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$ Validator.RoleName=^[a-z]{1,20}$ Validator.Redirect=^\\/test.*$ # Global HTTP Validation Rules # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$ Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$ Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ # Validation of file related input Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$ Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$ # File upload configuration ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll MaxUploadFileBytes=500000000 # Content-Type header ResponseContentType=text/html; charset=UTF-8 # Logging # Application Name ApplicationName=ESAPI_Driven_Application # Logging level, supported values are OFF, FATAL, ERROR, WARNING (ESAPI default), INFO, DEBUG, TRACE, ALL LogLevel=ALL # LogEncodingRequired, Indicates if all content logged needs to be HTML Entity encoded before being recorded in the log file LogEncodingRequired=false # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you # want to place it in a specific directory. LogFileName=ESAPI_logging_file # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) MaxLogFileSize=10000000 # Algorithms # WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data # WARNING: Reasonable values for these algorithms will be tested and documented in a future release # CharacterEncoding=UTF-8 HashAlgorithm=SHA-512 HashIterations=1024 #EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding EncryptionAlgorithm=PBEWithMD5AndDES RandomAlgorithm=SHA1PRNG DigitalSignatureAlgorithm=SHAwithDSA # Intrusion Detection # # Each event has a base to which .count, .interval, and .action are added # The IntrusionException will fire if we receive "count" events within "interval" seconds # The IntrusionDetector is configurable to take the following actions: log, logout, and disable # (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable # # Custom Events # Names must start with "event." as the base # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here # # You can also disable intrusion detection completely by changing # the following parameter to true # DisableIntrusionDetection=false event.test.count=2 event.test.interval=10 event.test.actions=disable,log # Exception Events # All EnterpriseSecurityExceptions are registered automatically # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException # Use the fully qualified classname of the exception as the base # any intrusion is an attack org.owasp.esapi.errors.IntrusionException.count=1 org.owasp.esapi.errors.IntrusionException.interval=1 org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout # for test purposes org.owasp.esapi.errors.IntegrityException.count=10 org.owasp.esapi.errors.IntegrityException.interval=5 org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout # rapid validation errors indicate scans or attacks in progress # org.owasp.esapi.errors.ValidationException.count=10 # org.owasp.esapi.errors.ValidationException.interval=10 # org.owasp.esapi.errors.ValidationException.actions=log,logout # sessions jumping between hosts indicates a session hijacking org.owasp.esapi.errors.AuthenticationHostException.count=2 org.owasp.esapi.errors.AuthenticationHostException.interval=10 org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout