OWASP ESAPI for ColdFusion/CFML Project
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development. Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:
If you are only concerned with leveraging some encoders for XSS prevention on a few pages then ESAPI4CF is probably not for you. You can very easily use the Encoder module of the esapi.jar included with the CFML engines to accomplish this. There are several articles out there on how to accomplish this.
But if you want to take security seriously and take control of the Authentication, Authorization, Encoding, Encryption, Execution, Intrusion Detection, Validation, and Logging of your web applications, you need ESAPI4CF.
In case you were not aware, even if you choose to just use the Encoder module directly from the esapi.jar like mentioned above, any validation exceptions thrown by the Encoder module get logged by the Logger module. Included with that logging is information like the authenticated user, timestamp, IP address, CSRF token and a few other very important pieces of information. However, because the esapi.jar is coded to work with Java and its session management the authenticated user logged will never be tied to your authentication mechansim of your web application. That makes for some pretty useless encoder exception logs.
This is where ESAPI4CF comes in. ESAPI4CF provides CF wrappers around all of the modules of ESAPI4J which means you and CF can tap into the power of each module including the Authenticator giving you the ability to implement your user base and authentication methods. Back to our Encoder example, with your own user base and authentication implemented all logging will now reflect your authenticated user rather than an anonymous user. And let's also add that the Encoder is not the only module which leverages the Logger module... they all do! Let's now add onto this that the Logger module, like all the modules, can be overridden with your own implementation so you can place these logs wherever you would like.
Now doesn't that sound so much better than a few encoders here and there? Take the security of your web application seriously and use the right tools for the job.
ESAPI4CF is written is to compatible with the newest ESAPI4J version included with the supported CFML engines. Below is the list of the ESAPI4CF version and its appropriate ESAPI4J compatibility.
ESAPI4CF is designed to work with the esapi.jar included with the latest versions of each CFML engine. The esapi.jar is not included with ESAPI4CF.
It is highly recommended that you apply all hotfixes to your CFML instances to help ensure the highest security of your web applications. Both Lucee and ColdFusion 10+ include automatic updaters. If you are running an older ColdFusion version you must apply the hotfixes manually or use the Unofficial Updater 2.
You should also be sure that you are running the latest JVM version applicable to your CFML engine.
A few words about the tutorials.
How to setup your CFML Application.cfc to use ESAPI4CF.
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. The ESAPI Authenticator interface defines a set of methods for generating and handling account credentials and session identifiers. The goal of this interface is to encourage developers to protect credentials from disclosure to the maximum extent possible.
Session management is the process of keeping track of a user's activity across sessions of interaction with the computer system. The ESAPI HTTPUtilities interface is a collection of methods that provide additional security related to HTTP requests, responses, sessions, cookies, headers, and logging.
Access Control is a process that defines each user's privileges on a system. The ESAPI AccessController interface defines a set of methods that can be used in a wide variety of applications to enforce access control.
Input Validation is the process of ensuring that a program operates on clean, correct and useful data. The ESAPI Validator interface defines a set of methods for canonicalizing and validating untrusted input.
Encoding is the process of transforming information from one format into another. The ESAPI Encoder interface contains a number of methods for decoding input and encoding output so that it will be safe for a variety of interpreters.
Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The ESAPI Encryptor interface provides a set of methods for performing common encryption, random number, and hashing operations.
Error handling refers to the anticipation, detection, and resolution of programming, application, and communications errors. Data logging is the process of recording events, with an automated computer program, in a certain scope in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. The ESAPI Logger interface defines a set of methods that can be used to log security events.
Data Protection is the process of ensuring the prevention of misuse of computer data. The ESAPI HTTPUtilities interface is a collection of methods that provide additional security related to HTTP requests, responses, sessions, cookies, headers, and logging.
HTTP Security refers to the protection of HTTP requests, responses, sessions, cookies, headers and logging. The ESAPI HTTPUtilities interface is a collection of methods that provide additional security for all these.