Produced by Araxis Merge on 12/21/2017 6:15:13 PM Eastern Standard Time. See www.araxis.com for information about Merge.
| # | Location | File | Last Modified |
|---|---|---|---|
| 1 | Genisis_2.0_v7_bld7.zip\TS\Service\common\ts-common-api\src\main\resources | ESAPI.properties | Thu Dec 14 19:56:35 2017 UTC |
| 2 | Genisis_2.0_v7_bld7.zip\TS\Service\common\ts-common-api\src\main\resources | ESAPI.properties | Thu Dec 21 22:04:13 2017 UTC |
Between Files 1 and 2:

| Description | Text Blocks | Lines |
|---|---|---|
| Unchanged | 7 | 962 |
| Changed | 6 | 30 |
| Inserted | 0 | 0 |
| Removed | 0 | 0 |

| Comparison option | Setting |
|---|---|
| Whitespace | |
| Character case | Differences in character case are significant |
| Line endings | Differences in line endings (CR and LF characters) are ignored |
| CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
```properties
#
# OWASP Enterprise Security API (ESAPI) Properties file -- TEST Version
#
# This file is part of the Open Web Application Security Project (OWASP)
# Enterprise Security API (ESAPI) project. For details, please see
# http://www.owasp.org/index.php/ESAPI.
#
# Copyright (c) 2008,2009 - The OWASP Foundation
#
# DISCUSS: This may cause a major backwards compatibility issue, etc. but
#          from a name space perspective, we probably should have prefaced
#          all the property names with ESAPI or at least OWASP. Otherwise
#          there could be problems if someone loads this properties file into
#          the System properties. We could also put this file into the
#          esapi.jar file (perhaps as a ResourceBundle) and then allow an external
#          ESAPI properties be defined that would overwrite these defaults.
#          That keeps the application's properties relatively simple as usually
#          they will only want to override a few properties. It looks like we
#          already support multiple override levels of this in the
#          DefaultSecurityConfiguration class, but I'm suggesting placing the
#          defaults in the esapi.jar itself. That way, if the jar is signed,
#          we could detect if those properties had been tampered with. (The
#          code to check the jar signatures is pretty simple... maybe 70-90 LOC,
#          but of course there is an execution penalty (similar to the way
#          that the separate sunjce.jar used to be when a class from it was
#          first loaded). Thoughts?
###############################################################################
#
# WARNING: Operating system protection should be used to lock down the .esapi
# resources directory and all the files inside and all the directories all the
# way up to the root directory of the file system. Note that if you are using
# file-based implementations, that some files may need to be read-write as they
# get updated dynamically.
#
# Before using, be sure to update the MasterKey and MasterSalt as described below.
# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
#       you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
#       re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
#       able to decrypt your data with ESAPI 2.0.
#
#       YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
#
#===========================================================================
# ESAPI Configuration
#
# If true, then print all the ESAPI properties set here when they are loaded.
# If false, they are not printed. Useful to reduce output when running JUnit tests.
# If you need to troubleshoot a properties related problem, turning this on may help,
# but we leave it off for running JUnit tests. (It will be 'true' in the one delivered
# as part of production ESAPI, mostly for backward compatibility.)
ESAPI.printProperties=false

# ESAPI is designed to be easily extensible. You can use the reference implementation
# or implement your own providers to take advantage of your enterprise's security
# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
#
#      String ciphertext =
#          ESAPI.encryptor().encrypt("Secret message");   // Deprecated in 2.0
#      CipherText cipherText =
#          ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
#
# Below you can specify the classname for the provider that you wish to use in your
# application. The only requirement is that it implement the appropriate ESAPI interface.
# This allows you to switch security implementations in the future without rewriting the
# entire application.
#
# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
# FileBasedAuthenticator requires users.txt file in .esapi directory
ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor

ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
#ESAPI.Logger=org.owasp.esapi.reference.ExampleExtendedLog4JLogFactory
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator

#===========================================================================
# ESAPI Authenticator
#
Authenticator.AllowedLoginAttempts=3
Authenticator.MaxOldPasswordHashes=13
Authenticator.UsernameParameterName=username
Authenticator.PasswordParameterName=password
# RememberTokenDuration (in days)
Authenticator.RememberTokenDuration=14
# Session Timeouts (in minutes)
Authenticator.IdleTimeoutDuration=20
Authenticator.AbsoluteTimeoutDuration=120

#===========================================================================
# ESAPI Encoder
#
# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
# Failure to canonicalize input is a very common mistake when implementing validation schemes.
# Canonicalization is automatic when using the ESAPI Validator, but you can also use the
# following code to canonicalize data.
#
#      ESAPI.Encoder().canonicalize( "%22hello world&quot;" );
#
# Multiple encoding is when a single encoding format is applied multiple times. Allowing
# multiple encoding is strongly discouraged.
Encoder.AllowMultipleEncoding=false

# Mixed encoding is when multiple different encoding formats are applied, or when
# multiple formats are nested. Allowing mixed encoding is strongly discouraged.
Encoder.AllowMixedEncoding=false

# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
```
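As an added illustration (not code from the report or from ESAPI), the following Python models how canonicalization with the codec list above detects multiple and mixed encoding before validation. The three codecs are simplified stand-ins for HTMLEntityCodec, PercentCodec and JavaScriptCodec, and the pass-counting rule is an assumption that approximates ESAPI's behaviour rather than its exact algorithm.

```python
"""Canonicalization with multiple/mixed-encoding detection, modelled on the
Encoder.AllowMultipleEncoding, Encoder.AllowMixedEncoding and
Encoder.DefaultCodecList settings.  Added illustration, not ESAPI's own code:
the codecs below are simplified stand-ins for the ESAPI codecs of the same name."""
import html
import re
from urllib.parse import unquote


class IntrusionException(Exception):
    """Raised when input violates the configured encoding policy."""


_PERCENT = re.compile(r"%[0-9A-Fa-f]{2}")
_ENTITY = re.compile(r"&(?:#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);")
_JS_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[\\'\"nrt])")


def percent_codec(s):
    """Decode %XX sequences exactly once (stand-in for PercentCodec)."""
    return unquote(s) if _PERCENT.search(s) else s


def html_entity_codec(s):
    """Decode HTML entities exactly once (stand-in for HTMLEntityCodec)."""
    return html.unescape(s) if _ENTITY.search(s) else s


def javascript_codec(s):
    """Decode JavaScript \\xHH, \\uHHHH and simple escapes once (stand-in for JavaScriptCodec)."""
    simple = {"\\": "\\", "'": "'", '"': '"', "n": "\n", "r": "\r", "t": "\t"}

    def repl(m):
        esc = m.group(1)
        if esc[0] in "xu":
            return chr(int(esc[1:], 16))
        return simple[esc]

    return _JS_ESCAPE.sub(repl, s)


# Same names and order as Encoder.DefaultCodecList in the properties file.
DEFAULT_CODEC_LIST = {
    "HTMLEntityCodec": html_entity_codec,
    "PercentCodec": percent_codec,
    "JavaScriptCodec": javascript_codec,
}


def canonicalize(value, codecs=DEFAULT_CODEC_LIST, allow_multiple=False, allow_mixed=False):
    """Decode until the string stops changing, then enforce the encoding policy.

    Every pass in which a codec changed the input is recorded (assumed rule).
    The same codec firing on two passes is *multiple* encoding (%2522 -> %22 -> ");
    two different codecs firing is *mixed* encoding (%26lt%3B -> &lt; -> <).
    """
    working = value
    passes = {}  # codec name -> number of passes in which it changed the input
    while True:
        changed = False
        for name, decode in codecs.items():
            out = decode(working)
            if out != working:
                passes[name] = passes.get(name, 0) + 1
                working = out
                changed = True
        if not changed:
            break
    if not allow_multiple and any(n > 1 for n in passes.values()):
        raise IntrusionException(f"multiple encoding detected: {passes}")
    if not allow_mixed and len(passes) > 1:
        raise IntrusionException(f"mixed encoding detected: {passes}")
    return working


def check(value, **policy):
    """Return ('ok', canonical) or ('rejected', reason) for a value under a policy."""
    try:
        return "ok", canonicalize(value, **policy)
    except IntrusionException as exc:
        return "rejected", str(exc)
```

Note that the file's own sample input, `%22hello world&quot;`, trips the mixed-encoding check under the defaults above because both the percent and the HTML-entity codec change it.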
```properties
#===========================================================================
# ESAPI Encryption
#
# The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
# There is not currently any support for key rotation, so be careful when changing your key and salt as it
# will invalidate all signed, encrypted, and hashed data.
#
# WARNING: Not all combinations of algorithms and key lengths are supported.
# If you choose to use a key length greater than 128, you MUST download the
# unlimited strength policy files and install in the lib directory of your JRE/JDK.
# See http://java.sun.com/javase/downloads/index.jsp for more information.
#
# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
# possible, these methods should be avoided as they use ECB cipher mode, which in almost
# all circumstances is a poor choice because of its weakness. CBC cipher mode is the default
# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you
# should only use this compatibility setting if you have persistent data encrypted with
# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
# you have decrypted all of your old encrypted data and then re-encrypted it with
# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
# with the new 2.0 methods, make sure that you use the same cipher algorithm for both
# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
# where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
# that requires downloading the special jurisdiction policy files mentioned above.)
#
#       ***** IMPORTANT: These are for JUnit testing. Test files may have been
#               encrypted using these values so do not change these or
#               those tests will fail. The version under
#               src/main/resources/.esapi/ESAPI.properties
#               will be delivered with Encryptor.MasterKey and
#               Encryptor.MasterSalt set to the empty string.
#
#       FINAL NOTE:
#       If Maven changes these when run, that needs to be fixed.
#       256-bit key... requires unlimited strength jurisdiction policy files
### Encryptor.MasterKey=
# EKL
Encryptor.MasterKey=
Encryptor.MasterSalt=
# Encryptor.MasterSalt=

# Provides the default JCE provider that ESAPI will "prefer" for its symmetric
# encryption and hashing. (That is it will look to this provider first, but it
# will defer to other providers if the requested algorithm is not implemented
# by this provider.) If left unset, ESAPI will just use your Java VM's current
# preferred JCE provider, which is generally set in the file
# "$JAVA_HOME/jre/lib/security/java.security".
#
# The main intent of this is to allow ESAPI symmetric encryption to be
# used with a FIPS 140-2 compliant crypto-module. For details, see the section
# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
# the ESAPI 2.0 Symmetric Encryption User Guide, at:
# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
# However, this property also allows you to easily use an alternate JCE provider
# such as "Bouncy Castle" without having to make changes to "java.security".
# See Javadoc for SecurityProviderLoader for further details. If you wish to use
# a provider that is not known to SecurityProviderLoader, you may specify the
# fully-qualified class name of the JCE provider class that implements
# java.security.Provider. If the name contains a '.', this is interpreted as
# a fully-qualified class name that implements java.security.Provider.
#
# NOTE: Setting this property has the side-effect of changing it in your application
#       as well, so if you are using JCE in your application directly rather than
#       through ESAPI (you wouldn't do that, would you? ;-), it will change the
#       preferred JCE provider there as well.
#
# Default: Keeps the JCE provider set to whatever JVM sets it to.
Encryptor.PreferredJCEProvider=

# AES is the most widely used and strongest encryption algorithm. This
# should agree with your Encryptor.CipherTransformation property.
# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES", which is
# very weak. It is essentially a password-based encryption key, hashed
# with MD5 around 1K times and then encrypted with the weak DES algorithm
# (56-bits) using ECB mode and an unspecified padding (it is
# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
# "AES/CBC/PKCS5Padding". If you want to change these, change them here.
# Warning: This property does not control the default reference implementation for
#          ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
#          in the future.
# @deprecated
Encryptor.EncryptionAlgorithm=AES
#       For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding

# Applies to ESAPI 2.0 and later only!
# Comma-separated list of cipher modes that provide *BOTH*
# confidentiality *AND* message authenticity. (NIST refers to such cipher
# modes as "combined modes" so that's what we shall call them.) If any of these
# cipher modes are used then no MAC is calculated and stored
# in the CipherText upon encryption. Likewise, if one of these
# cipher modes is used with decryption, no attempt will be made
# to validate the MAC contained in the CipherText object regardless
# of whether it contains one or not. Since the expectation is that
# these cipher modes support message authenticity already,
# injecting a MAC in the CipherText object would be at best redundant.
#
# Note that as of JDK 1.5, the SunJCE provider does not support *any*
# of these cipher modes. Of these listed, only GCM and CCM are currently
# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
# padding modes.
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC

# Applies to ESAPI 2.0 and later only!
# Additional cipher modes allowed for ESAPI 2.0 encryption. These
# cipher modes are in _addition_ to those specified by the property
# 'Encryptor.cipher_modes.combined_modes'.
# Note: We will add support for streaming modes like CFB & OFB once
# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
# (probably in ESAPI 2.1).
#
#       IMPORTANT NOTE: In the official ESAPI.properties we do *NOT* include ECB
#               here as this is an extremely weak mode. However, we *must*
#               allow it here so we can test ECB mode. That is important
#               since the logic is somewhat different (i.e., ECB mode does
#               not use an IV).
# DISCUSS: Better name?
#       NOTE: ECB added only for testing purposes. Don't try this at home!
Encryptor.cipher_modes.additional_allowed=CBC,ECB

# 128-bit is almost always sufficient and appears to be more resistant to
# related key attacks than is 256-bit AES. Use '_' to use default key size
# for cipher algorithms (where it makes sense because the algorithm supports
# a variable key size). Key length must agree to what's provided as the
# cipher transformation, otherwise this will be ignored after logging a
# warning.
#
# NOTE: This is what applies to BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
Encryptor.EncryptionKeyLength=EKL

# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
# (All cipher modes except ECB require an IV.) There are two choices: we can either
# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
# the IV does not need to be hidden from adversaries, it is important that the
# adversary not be allowed to choose it. Also, random IVs are generally much more
# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
# such as CFB and OFB use a different IV for each encryption with a given key so
# in such cases, random IVs are much preferred.) By default, ESAPI 2.0 uses random
# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
# uncomment the Encryptor.fixedIV.
#
# Valid values: random|fixed|specified        'specified' not yet implemented; planned for 2.1
Encryptor.ChooseIVMethod=random
# If you choose to use a fixed IV, then you must place a fixed IV here that
# is known to all others who are sharing your secret key. The format should
# be a hex string that is the same length as the cipher block size for the
# cipher algorithm that you are using. The following is an example for AES
# from an AES test vector for AES-128/CBC as described in:
# NIST Special Publication 800-38A (2001 Edition)
# "Recommendation for Block Cipher Modes of Operation".
# (Note that the block size for AES is 16 bytes == 128 bits.)
#
Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f

# Whether or not CipherText should use a message authentication code (MAC) with it.
# This prevents an adversary from altering the IV as well as allowing a more
# fool-proof way of determining the decryption failed because of an incorrect
# key being supplied. This refers to the "separate" MAC calculated and stored
# in CipherText, not part of any MAC that is calculated as a result of a
# "combined mode" cipher mode.
#
# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
# set this property to false.
Encryptor.CipherText.useMAC=true

# Whether or not the PlainText object may be overwritten and then marked
# eligible for garbage collection. If not set, this is still treated as 'true'.
Encryptor.PlainText.overwrite=true

# Do not use DES except in legacy situations. 56-bit is way too small a key size.
#Encryptor.EncryptionKeyLength= EKL
#Encryptor.EncryptionAlgorithm=

# TripleDES is considered strong enough for most purposes.
#    Note:  There is also a 112-bit version of DESede. Using the 168-bit version
#           requires downloading the special jurisdiction policy from Sun.
#Encryptor.EncryptionKeyLength= EKL
#Encryptor.EncryptionAlgorithm=

Encryptor.HashAlgorithm= EKL
Encryptor.HashIterations= EKL
Encryptor.DigitalSignatureAlgorithm= EKL
Encryptor.DigitalSignatureKeyLength= EKL
Encryptor.RandomAlgorithm= EKL
Encryptor.CharacterEncoding=UTF-8
# Currently supported choices for JDK 1.5 and 1.6 are:
#   HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and
#   HmacSHA512 (512 bits).
# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though
# these JDKs support it.
Encryptor.KDF.PRF= EKL

#===========================================================================
# ESAPI HttpUtilities
#
# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
# protect against malicious data from attackers, such as unprintable characters, escaped characters,
# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
# headers, and CSRF tokens.
#
# Default file upload location (remember to escape backslashes with \\)
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
# let this default to java.io.tmpdir for testing
#HttpUtilities.UploadTempDir=C:\\temp
# Force flags on cookies, if you use HttpUtilities to set cookies
HttpUtilities.ForceHttpOnlySession=false
HttpUtilities.ForceSecureSession=false
HttpUtilities.ForceHttpOnlyCookies=true
HttpUtilities.ForceSecureCookies=true
# Maximum size of HTTP header key--the validator regex may have additional values.
HttpUtilities.MaxHeaderNameSize=256
# Maximum size of HTTP header value--the validator regex may have additional values.
HttpUtilities.MaxHeaderValueSize=4096
# Maximum size of JSESSIONID for the application--the validator regex may have additional values.
HttpUtilities.HTTPJSESSIONIDLENGTH=50
# Maximum length of a URL (see https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers)
HttpUtilities.URILENGTH=2000
# Maximum length of a redirect
HttpUtilities.maxRedirectLength=512
# Maximum length for an http scheme
HttpUtilities.HTTPSCHEMELENGTH=10
# Maximum length for an http host
HttpUtilities.HTTPHOSTLENGTH=100
# Maximum length for an http path
HttpUtilities.HTTPPATHLENGTH=150
#Maximum length for a context path
HttpUtilities.contextPathLength=150
#Maximum length for an httpServletPath
HttpUtilities.HTTPSERVLETPATHLENGTH=100
#Maximum length for an http query parameter name
HttpUtilities.httpQueryParamNameLength=100
#Maximum length for an http query parameter -- old default was 2000, but that's the max length for a URL...
HttpUtilities.httpQueryParamValueLength=500
# File upload configuration
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
HttpUtilities.MaxUploadFileBytes=500000000
# Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
# container, and any other technologies you may be using. Failure to do this may expose you
# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
HttpUtilities.ResponseContentType=text/html; charset=UTF-8
# This is the name of the cookie used to represent the HTTP session
# Typically this will be the default "JSESSIONID"
HttpUtilities.HttpSessionIdName=JSESSIONID
#Sets whether or not we will overwrite http status codes to 200.
HttpUtilities.OverwriteStatusCodes=true
#Sets the application's base character encoding. This is forked from the Java Encryptor property.
HttpUtilities.CharacterEncoding=UTF-8

#===========================================================================
# ESAPI Executor
# CHECKME - Not sure what this is used for, but surely it should be made OS independent.
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe


#===========================================================================
# ESAPI Logging
# Set the application name if these logs are combined with other applications
Logger.ApplicationName=ExampleApplication
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
Logger.LogEncodingRequired=false
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
Logger.LogApplicationName=true
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
Logger.LogServerIP=true
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
# want to place it in a specific directory.
Logger.LogFileName=ESAPI_logging_file
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
Logger.MaxLogFileSize=10000000


#===========================================================================
# ESAPI Intrusion Detection
#
# Each event has a base to which .count, .interval, and .action are added
# The IntrusionException will fire if we receive "count" events within "interval" seconds
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
#  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable)
#
# Custom Events
# Names must start with "event." as the base
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
# You can also disable intrusion detection completely by changing
# the following parameter to true
#
IntrusionDetector.Disable=false
#
IntrusionDetector.event.test.count=2
IntrusionDetector.event.test.interval=10
IntrusionDetector.event.test.actions=disable,log

# Exception Events
# All EnterpriseSecurityExceptions are registered automatically
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
# Use the fully qualified classname of the exception as the base

# any intrusion is an attack
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

# for test purposes
# CHECKME: Shouldn't there be something in the property name itself that designates
#          that these are for testing???
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout

# rapid validation errors indicate scans or attacks in progress
# org.owasp.esapi.errors.ValidationException.count=10
# org.owasp.esapi.errors.ValidationException.interval=10
# org.owasp.esapi.errors.ValidationException.actions=log,logout

# sessions jumping between hosts indicates session hijacking
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
```
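As an added illustration (not ESAPI's own DefaultIntrusionDetector), this Python models the count/interval/actions rule of the Intrusion Detection section: the embedded properties text is a subset of that section, the names `parse_properties`, `load_thresholds`, `IntrusionDetector` and `run_scenario` are assumptions, and the window rule (keep the last `count` timestamps per user and fire when the oldest lies within `interval` seconds of the newest) is an assumed reading of the comment "fire if we receive count events within interval seconds".

```python
"""Sliding-window intrusion detection driven by IntrusionDetector.* properties.
Added illustration, not ESAPI's own code.  The properties text is embedded so
the script runs offline; <base> may contain dots (a fully qualified exception
class name), so the .count/.interval/.actions suffix is split off from the right."""
from collections import defaultdict, deque

# Subset of the IntrusionDetector section above, embedded as the sample config.
SAMPLE_PROPERTIES = """
IntrusionDetector.Disable=false
IntrusionDetector.event.test.count=2
IntrusionDetector.event.test.interval=10
IntrusionDetector.event.test.actions=disable,log
# any intrusion is an attack
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
# sessions jumping between hosts indicates session hijacking
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, whitespace trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_thresholds(props):
    """Group IntrusionDetector.<base>.count/.interval/.actions into one threshold per base."""
    thresholds = {}
    prefix = "IntrusionDetector."
    for key, value in props.items():
        if not key.startswith(prefix) or key == prefix + "Disable":
            continue
        base, _, field = key[len(prefix):].rpartition(".")
        if field not in ("count", "interval", "actions"):
            continue
        t = thresholds.setdefault(base, {"count": 0, "interval": 0, "actions": []})
        t[field] = value.split(",") if field == "actions" else int(value)
    return thresholds


class IntrusionDetector:
    """Per-user event tracking: keep the last `count` timestamps of each event
    base and fire when the oldest of them lies inside `interval` seconds of now."""

    def __init__(self, props):
        self.disabled = props.get("IntrusionDetector.Disable", "false").lower() == "true"
        self.thresholds = load_thresholds(props)
        self._times = defaultdict(deque)  # (user, base) -> recent timestamps

    def add_event(self, user, event_name, now):
        """Custom events use the 'event.' base, as IntrusionDetector.addEvent("test") does."""
        return self._increment(user, "event." + event_name, now)

    def add_exception(self, user, exception_class, now):
        """Exception events use the fully qualified class name as the base."""
        return self._increment(user, exception_class, now)

    def _increment(self, user, base, now):
        """Return the list of configured actions to take (empty when nothing fires)."""
        t = self.thresholds.get(base)
        if self.disabled or t is None or t["count"] <= 0:
            return []
        times = self._times[(user, base)]
        times.append(now)
        while len(times) > t["count"]:
            times.popleft()
        if len(times) == t["count"] and now - times[0] < t["interval"]:
            return list(t["actions"])
        return []


def run_scenario(steps, props_text=SAMPLE_PROPERTIES):
    """Replay (kind, user, name, now) steps on a fresh detector; return the actions fired per step."""
    det = IntrusionDetector(parse_properties(props_text))
    fired = []
    for kind, user, name, now in steps:
        add = det.add_event if kind == "event" else det.add_exception
        fired.append(add(user, name, now))
    return fired


if __name__ == "__main__":
    # Two "test" events 5 s apart trip count=2 / interval=10; 11 s apart they do not.
    print(run_scenario([("event", "alice", "test", 100.0), ("event", "alice", "test", 105.0)]))
    print(run_scenario([("event", "bob", "test", 100.0), ("event", "bob", "test", 111.0)]))
```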
```properties
#===========================================================================
# ESAPI Validation
#
# The ESAPI Validator works on regular expressions with defined names. You can define names
# either here, or you may define application specific patterns in a separate file defined below.
# This allows enterprises to specify both organizational standards as well as application specific
# validation rules.
#
# Use '\p{L}' (without the quotes) within the character class to match
# any Unicode LETTER. You can also use a range, like: \u00C0-\u017F
# You can also use any of the regex flags as documented at
# https://docs.oracle.com/javase/tutorial/essential/regex/pattern.html, e.g. (?u)
#
Validator.ConfigurationFile=validation.properties

# Validators used by ESAPI
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
Validator.RoleName=^[a-z]{1,20}$
Validator.Redirect=^\\/test.*$

# Global HTTP Validation Rules
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
Validator.HTTPScheme=^(http|https)$
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
# Note that headerName and Value length is also configured in the HTTPUtilities section
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
Validator.HTTPURL=^.*$
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,32}$


# Contributed by Fraenku@gmx.ch
# Googlecode Issue 116 (http://code.google.com/p/owasp-esapi-java/issues/detail?id=116)
Validator.HTTPParameterName=^[a-zA-Z0-9_\\-]{1,32}$
Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$
Validator.HTTPContextPath=^/[a-zA-Z0-9.\\-_]*$
Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$
Validator.HTTPURI=^/([a-zA-Z0-9.\\-_]*/?)*$


# Validation of file related input
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$

# Validation of dates. Controls whether or not 'lenient' dates are accepted.
# See DateFormat.setLenient(boolean flag) for further details.
Validator.AcceptLenientDates=false
```