Use ESAPI HTTPUtilities
Posted by Serge Truth on Tue, Jun 05, 2012 @ 10:26 AM
Applies to
- Java web-based applications.
Summary
Use the ESAPI library to handle several standard HTTP utility functions in a secure manner.
Objectives
The ESAPI library provides an HTTPUtilities control that offers secure alternatives for common HTTP-related APIs (request parameters, headers, cookies, session identifiers, transport checks). Use it in place of the raw servlet API so that input validation, logging and exception handling are applied consistently rather than re-implemented at each call site.
Scenarios
The HTTPUtilities control provides many utility methods. Several of the most commonly used ones are shown below, together with the way each reports failure, since that is where most misuse happens.
Solution Example
Using HTTPUtilities to ensure the current request arrived over a secure channel (SSL/TLS). Note that assertSecureChannel() does not return a boolean: it returns void and throws an AccessControlException when the request is not secure, so the caller must catch the exception (or let it propagate to a handler that rejects the request) rather than testing a return value.
HttpServletRequest request = ...;
ESAPI.httpUtilities().assertSecureChannel(request); // void; throws AccessControlException if the request is not over SSL/TLS
Using HTTPUtilities to ensure the request arrived over a secure channel and that it is an HTTP POST rather than GET or another verb. This is the right check in front of any state-changing or credential-bearing action. Like assertSecureChannel(), it is void and throws an AccessControlException on failure.
HttpServletRequest request = ...;
ESAPI.httpUtilities().assertSecureRequest(request); // void; throws AccessControlException unless the request is a POST over SSL/TLS
Using HTTPUtilities to change the session identifier. Call this immediately after a user authenticates successfully: the pre-login session (and any identifier an attacker may have planted in the victim's browser) is invalidated, its attributes are copied into a fresh session with a new identifier, and the fixation window is closed. The method throws an AuthenticationException if the session cannot be rotated.
HttpServletRequest request = ...;
HttpSession newSession = ESAPI.httpUtilities().changeSessionIdentifier(request); // throws AuthenticationException
Using HTTPUtilities to retrieve an HTTP cookie value. In addition to looking the cookie up, this validates the value against the regular expression configured for cookie values in ESAPI.properties (the Validator.HTTPCookieValue pattern) and throws a ValidationException if the value does not match.
HttpServletRequest request = ...;
String cookieName = ...;
String cookieValue = ESAPI.httpUtilities().getCookie(request, cookieName); // throws ValidationException if the value fails the configured regex
Using HTTPUtilities to retrieve an HTTP parameter value. This validates the value against the regular expression configured for parameter values in ESAPI.properties (the Validator.HTTPParameterValue pattern). Unlike getCookie() and getHeader(), getParameter() does not throw on a validation failure; it logs the failure and returns null, so callers must handle a null return for both "parameter absent" and "parameter rejected".
HttpServletRequest request = ...;
String parameterName = ...;
String parameterValue = ESAPI.httpUtilities().getParameter(request, parameterName); // null if absent or if the value fails the configured regex
Using HTTPUtilities to retrieve an HTTP header value. This validates the value against the regular expression configured for header values in ESAPI.properties (the Validator.HTTPHeaderValue pattern) and throws a ValidationException if the value does not match, which also blocks header values containing CR/LF characters that could otherwise be reflected into a response.
HttpServletRequest request = ...;
String headerName = ...;
String headerValue = ESAPI.httpUtilities().getHeader(request, headerName); // throws ValidationException if the value fails the configured regex
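The snippets above show each method in isolation. The following login servlet puts them together in the order a practitioner would use them, including the exception handling each call requires. It is an added example written for this page, not code from the ESAPI project or the original post. It assumes ESAPI 2.x on the classpath with a valid ESAPI.properties, and a hypothetical application class AccountStore with a static method checkCredentials(String, String) that returns a user id or null.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Illustrative login servlet built on ESAPI HTTPUtilities (example code, not
 * part of ESAPI). AccountStore is a hypothetical application class standing
 * in for whatever credential store the application really uses.
 */
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // 1. Refuse credentials that did not arrive as a POST over SSL/TLS.
        //    assertSecureRequest() returns void and signals failure by throwing.
        try {
            ESAPI.httpUtilities().assertSecureRequest(request);
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Read parameters through HTTPUtilities so each value is checked
        //    against Validator.HTTPParameterValue. A rejected value comes back
        //    as null, exactly like a missing one, so one null check covers both.
        String username = ESAPI.httpUtilities().getParameter(request, "username");
        String password = ESAPI.httpUtilities().getParameter(request, "password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Header values are checked against Validator.HTTPHeaderValue and
        //    rejected with a ValidationException rather than a null return.
        String userAgent;
        try {
            userAgent = ESAPI.httpUtilities().getHeader(request, "User-Agent");
        } catch (ValidationException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Hypothetical credential check; returns a user id or null.
        String userId = AccountStore.checkCredentials(username, password);
        if (userId == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 4. Rotate the session identifier before storing anything that marks
        //    the session as authenticated, so an identifier fixed by an attacker
        //    before login never becomes an authenticated session.
        HttpSession session;
        try {
            session = ESAPI.httpUtilities().changeSessionIdentifier(request);
        } catch (AuthenticationException e) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        session.setAttribute("userId", userId);
        session.setAttribute("loginUserAgent", userAgent);

        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

The ordering matters: the transport check comes first so credentials are never processed from a plaintext request, validation precedes the credential lookup so malformed input never reaches the account store, and the session identifier is rotated before any authenticated state is written to the session.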
In addition to the methods shown above, HTTPUtilities offers methods for file uploads, CSRF token management, request logging, cookie management and similar concerns. Some of these depend on other ESAPI controls: the CSRF methods (addCSRFToken(), getCSRFToken(), verifyCSRFToken()) bind the token to the current user as tracked by ESAPI's Authenticator, so they only work when authentication is also handled through ESAPI.
See Also
Java Session Management Guidelines
Java Session Management Checklists
Java Session Management Code Examples
Java Session Management Testing