Michael Hanl | 72c7b83 | 2015-09-03 08:42:15 +0200 | [diff] [blame^] | 1 | # |
| 2 | # OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version |
| 3 | # |
| 4 | # This file is part of the Open Web de.ids_mannheim.korap.news.Application Security Project (OWASP) |
| 5 | # Enterprise Security API (ESAPI) project. For details, please see |
| 6 | # http://www.owasp.org/index.php/ESAPI. |
| 7 | # |
| 8 | # Copyright (c) 2008,2009 - The OWASP Foundation |
| 9 | # |
| 10 | # DISCUSS: This may cause a major backwards compatibility issue, etc. but |
| 11 | # from a name space perspective, we probably should have prefaced |
| 12 | # all the property names with ESAPI or at least OWASP. Otherwise |
| 13 | # there could be problems is someone loads this properties file into |
| 14 | # the System properties. We could also put this file into the |
| 15 | # esapi.jar file (perhaps as a ResourceBundle) and then allow an external |
| 16 | # ESAPI properties be defined that would overwrite these defaults. |
| 17 | # That keeps the application's properties relatively simple as usually |
| 18 | # they will only want to override a few properties. If looks like we |
| 19 | # already support multiple override levels of this in the |
| 20 | # DefaultSecurityConfiguration class, but I'm suggesting placing the |
| 21 | # defaults in the esapi.jar itself. That way, if the jar is signed, |
| 22 | # we could detect if those properties had been tampered with. (The |
| 23 | # code to isSystem the jar signatures is pretty simple... maybe 70-90 LOC, |
| 24 | # but off course there is an execution penalty (similar to the way |
| 25 | # that the separate sunjce.jar used to be when a class from it was |
| 26 | # first loaded). Thoughts? |
| 27 | ############################################################################### |
| 28 | |
| 29 | ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer |
| 30 | ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator |
| 31 | |
| 32 | #=========================================================================== |
| 33 | # ESAPI Encoder |
| 34 | # |
| 35 | # ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. |
| 36 | # Failure to canonicalize input is a very common mistake when implementing validation schemes. |
| 37 | # Canonicalization is automatic when using the ESAPI Validator, but you can also use the |
| 38 | # following code to canonicalize data. |
| 39 | # |
| 40 | # ESAPI.Encoder().canonicalize( "%22hello world"" ); |
| 41 | # |
| 42 | # Multiple encoding is when a single encoding format is applied multiple times. Allowing |
| 43 | # multiple encoding is strongly discouraged. |
| 44 | Encoder.AllowMultipleEncoding=false |
| 45 | |
| 46 | # Mixed encoding is when multiple different encoding formats are applied, or when |
| 47 | # multiple formats are nested. Allowing multiple encoding is strongly discouraged. |
| 48 | Encoder.AllowMixedEncoding=false |
| 49 | |
| 50 | # The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs |
| 51 | # for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or |
| 52 | # inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. |
| 53 | Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec |
| 54 | |
| 55 | |
| 56 | #=========================================================================== |
| 57 | # ESAPI Encryption |
| 58 | # |
| 59 | # The ESAPI Encryptor provides basic cryptographic functions with a simplified API. |
| 60 | # To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor |
| 61 | # There is not currently any support for key rotation, so be careful when changing your key and salt as it |
| 62 | # will invalidate all signed, encrypted, and hashed data. |
| 63 | # |
| 64 | # WARNING: Not all combinations of algorithms and key lengths are supported. |
| 65 | # If you choose to use a key length greater than 128, you MUST download the |
| 66 | # unlimited strength policy files and install in the lib directory of your JRE/JDK. |
| 67 | # See http://java.sun.com/javase/downloads/index.jsp for more information. |
| 68 | # |
| 69 | # Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API |
| 70 | # methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever |
| 71 | # possible, these methods should be avoided as they use ECB cipher mode, which in almost |
| 72 | # all circumstances a poor choice because of it's weakness. CBC cipher mode is the default |
| 73 | # for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you |
| 74 | # should only use this compatibility setting if you have persistent data encrypted with |
| 75 | # version 1.4 and even then, you should ONLY set this compatibility mode UNTIL |
| 76 | # you have decrypted all of your old encrypted data and then re-encrypted it with |
| 77 | # ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode |
| 78 | # with the new 2.0 methods, make sure that you use the same cipher algorithm for both |
| 79 | # (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for |
| 80 | # more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods |
| 81 | # where you can specify a SecretKey. (Note that if you are using the 256-bit AES, |
| 82 | # that requires downloading the special jurisdiction policy files mentioned above.) |
| 83 | # |
| 84 | # ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** |
| 85 | # To calculate these values, you can run: |
| 86 | # java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor |
| 87 | # |
| 88 | #Encryptor.MasterKey= |
| 89 | ## default key |
| 90 | #Encryptor.MasterSalt=434fsdferbs7sdf5sdf+d23=a |
| 91 | |
| 92 | #============================================================== |
| 93 | Encryptor.MasterKey=Nowq7w96tBckpYCPkoBtjQ== |
| 94 | Encryptor.MasterSalt=vRaKzzh7hLp9v3CXi7KDI/1yO3A= |
| 95 | #============================================================== |
| 96 | |
| 97 | #=========================================================================== |
| 98 | # ESAPI Intrusion Detection |
| 99 | # |
| 100 | # Each event has a base to which .count, .interval, and .action are added |
| 101 | # The IntrusionException will fire if we receive "count" events within "interval" seconds |
| 102 | # The IntrusionDetector is configurable to take the following actions: log, logout, and disable |
| 103 | # (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable |
| 104 | # |
| 105 | # Custom Events |
| 106 | # Names must start with "event." as the base |
| 107 | # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here |
| 108 | # You can also disable intrusion detection completely by changing |
| 109 | # the following parameter to true |
| 110 | # |
| 111 | IntrusionDetector.Disable=false |
| 112 | # |
| 113 | IntrusionDetector.event.test.count=2 |
| 114 | IntrusionDetector.event.test.interval=10 |
| 115 | IntrusionDetector.event.test.actions=disable,log |
| 116 | |
| 117 | # Exception Events |
| 118 | # All EnterpriseSecurityExceptions are registered automatically |
| 119 | # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException |
| 120 | # Use the fully qualified classname of the exception as the base |
| 121 | |
| 122 | # any intrusion is an attack |
| 123 | IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 |
| 124 | IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 |
| 125 | IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout |
| 126 | |
| 127 | # for test purposes |
| 128 | # CHECKME: Shouldn't there be something in the property name itself that designates |
| 129 | # that these are for testing??? |
| 130 | IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 |
| 131 | IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 |
| 132 | IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout |
| 133 | |
| 134 | # rapid validation errors indicate scans or attacks in progress |
| 135 | org.owasp.esapi.errors.ValidationException.count=10 |
| 136 | org.owasp.esapi.errors.ValidationException.interval=10 |
| 137 | org.owasp.esapi.errors.ValidationException.actions=log,logout |
| 138 | |
| 139 | # sessions jumping between hosts indicates session hijacking |
| 140 | IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 |
| 141 | IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 |
| 142 | IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout |
| 143 | |
| 144 | |
| 145 | #=========================================================================== |
| 146 | # ESAPI Validation |
| 147 | # |
| 148 | # The ESAPI Validator works on regular expressions with defined names. You can define names |
| 149 | # either here, or you may define application specific patterns in a separate file defined below. |
| 150 | # This allows enterprises to specify both organizational standards as well as application specific |
| 151 | # validation rules. |
| 152 | # |
| 153 | Validator.ConfigurationFile=validation.properties |
| 154 | |
| 155 | # Validators used by ESAPI |
| 156 | Validator.AccountName=^[a-zA-Z0-9]{3,20}$ |
| 157 | Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ |
| 158 | Validator.RoleName=^[a-z]{1,20}$ |
| 159 | |
| 160 | #the word TEST below should be changed to your application |
| 161 | #name - only relative URL's are supported |
| 162 | Validator.Redirect=^\\/test.*$ |
| 163 | |
| 164 | # Global HTTP Validation Rules |
| 165 | # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] |
| 166 | Validator.HTTPScheme=^(http|https)$ |
| 167 | Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ |
| 168 | Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$ |
| 169 | Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$ |
| 170 | Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ |
| 171 | Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ |
| 172 | Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ |
| 173 | Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ |
| 174 | Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$ |
| 175 | Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ |
| 176 | Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ |
| 177 | Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$ |
| 178 | Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ |
| 179 | Validator.HTTPURL=^.*$ |
| 180 | Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$ |
| 181 | |
| 182 | # Validation of file related input |
| 183 | Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ |
| 184 | Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ |
| 185 | |
| 186 | # Validation of dates. Controls whether or not 'lenient' dates are accepted. |
| 187 | # See DataFormat.setLenient(boolean flag) for further details. |
| 188 | Validator.AcceptLenientDates=false |