Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation's assessments of the world's most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.


Use ESAPI HTTPUtilities


Applies to

  • Java web-based applications.

Summary

Use the ESAPI library to handle several standard HTTP utility functions in a secure manner.

Objectives

The ESAPI library provides an HTTPUtilities control (reached through ESAPI.httpUtilities()) that offers secure alternatives to several HTTP-related servlet APIs: asserting that a request arrived over TLS and with the expected method, rotating the session identifier after login, and reading cookies, parameters and headers through accessors that validate the value before returning it.

Scenarios

There are many utility functions provided within the HTTPUtilities control. The usage of several common methods is shown below:

Solution Example

Using HTTPUtilities to ensure TLS (SSL) is being used for the current request. Note that the method is void: it returns normally when the channel is secure and throws org.owasp.esapi.errors.AccessControlException when it is not, so the caller must catch the exception or let it propagate to a handler that rejects the request.

HttpServletRequest request = ...;

// Throws AccessControlException if the request did not arrive over TLS.
ESAPI.httpUtilities().assertSecureChannel(request);

Using HTTPUtilities to ensure TLS is being used for the current request and that the request is an HTTP POST as opposed to GET or another verb. As with assertSecureChannel, failure is signalled by AccessControlException rather than by a boolean return value.

HttpServletRequest request = ...;

// Throws AccessControlException if the request is not over TLS or is not a POST.
ESAPI.httpUtilities().assertSecureRequest(request);

Using HTTPUtilities to change the session identifier. Call this immediately after a user has authenticated successfully: the pre-login session ID, which an attacker may have planted in the victim's browser, is invalidated and a fresh one is issued, which defeats session fixation. ESAPI's implementation copies the existing session attributes into the newly created session and returns that session; store authenticated state on the returned session, not on a reference obtained before the call. The method throws org.owasp.esapi.errors.AuthenticationException on failure.

HttpServletRequest request = ...;

// Invalidates the old session, issues a new ID, and returns the new session.
HttpSession newSession = ESAPI.httpUtilities().changeSessionIdentifier(request);

Using HTTPUtilities to retrieve an HTTP cookie value. This implementation additionally validates the cookie value against the regex defined for cookie values in the ESAPI.properties configuration file (Validator.HTTPCookieValue). A value that does not match raises org.owasp.esapi.errors.ValidationException instead of being returned; if no cookie of that name is present the method returns null.

HttpServletRequest request = ...;

String cookieName = ...;

// Throws ValidationException if the value fails the Validator.HTTPCookieValue regex.
String cookieValue = ESAPI.httpUtilities().getCookie(request, cookieName);

Using HTTPUtilities to retrieve an HTTP parameter value. This implementation additionally validates the parameter value against the regex defined for parameter values in the ESAPI.properties configuration file (Validator.HTTPParameterValue), throwing ValidationException on a mismatch. Check that regex before routing free-form fields such as passwords through this accessor, as the shipped default permits only a limited character set.

HttpServletRequest request = ...;

String parameterName = ...;

// Throws ValidationException if the value fails the Validator.HTTPParameterValue regex.
String parameterValue = ESAPI.httpUtilities().getParameter(request, parameterName);

Using HTTPUtilities to retrieve an HTTP header value. This implementation additionally validates the header value against the regex defined for header values in the ESAPI.properties configuration file (Validator.HTTPHeaderValue), throwing ValidationException on a mismatch.

HttpServletRequest request = ...;

String headerName = ...;

// Throws ValidationException if the value fails the Validator.HTTPHeaderValue regex.
String headerValue = ESAPI.httpUtilities().getHeader(request, headerName);

These three accessors validate input; they do not encode output. A value that passes the regex must still be encoded for its destination (for example with ESAPI.encoder()) when it is written into HTML, JavaScript, a SQL statement or any other interpreter.

In addition to the methods mentioned above, there are various other methods in the HTTPUtilities control dealing with file uploads, CSRF token management, request logging, cookie management and similar concerns. Some methods have dependencies on other ESAPI controls. For instance, the CSRF token solution requires that you use ESAPI's Authenticator control (ESAPI.authenticator()) in order to function properly.
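The following servlet, added here as an illustrative example (it is not code from this article or from the ESAPI project), strings the calls above together into one login flow: reject anything that is not a POST over TLS, read inputs through the validating accessors, check the credentials, and only then rotate the session identifier and store authenticated state. It assumes ESAPI 2.x with the javax.servlet API, a working ESAPI.properties on the classpath, and a hypothetical CredentialStore interface that the application registers as a ServletContext attribute; the parameter names "username" and "password", the cookie name "theme" and the redirect target "/home" are likewise made up for the example.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.HTTPUtilities;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Example login handler built on ESAPI HTTPUtilities (added illustration, not ESAPI code).
 * Assumed, not part of ESAPI: the CredentialStore interface and how it is looked up.
 */
public class LoginServlet extends HttpServlet {

    /** Hypothetical application-side credential check, e.g. a salted hash comparison. */
    public interface CredentialStore {
        boolean verify(String username, char[] password);
    }

    private CredentialStore credentials;

    @Override
    public void init() throws ServletException {
        // Assumption: the application stores its CredentialStore as a ServletContext attribute.
        credentials = (CredentialStore) getServletContext().getAttribute(CredentialStore.class.getName());
        if (credentials == null) {
            throw new ServletException("CredentialStore not configured");
        }
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HTTPUtilities http = ESAPI.httpUtilities();

        // 1. Credentials are accepted only over TLS and only via POST. assertSecureRequest()
        //    is void and reports failure by throwing AccessControlException.
        try {
            http.assertSecureRequest(request);
        } catch (AccessControlException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 2. Validated reads: getParameter()/getCookie() check the value against the
        //    Validator.HTTPParameterValue / Validator.HTTPCookieValue regexes in ESAPI.properties
        //    and throw ValidationException rather than hand back a value that fails them.
        String username;
        String theme;
        try {
            username = http.getParameter(request, "username");
            theme = http.getCookie(request, "theme");   // null when the cookie is absent
        } catch (ValidationException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // The password is only ever compared against a stored hash, never interpreted, so it is
        // read raw: the default parameter regex would reject many legitimate passwords.
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        if (!credentials.verify(username, password.toCharArray())) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 3. Authentication succeeded: rotate the session ID before storing any authenticated
        //    state, so a session ID planted before login (session fixation) is invalidated.
        HttpSession session;
        try {
            session = http.changeSessionIdentifier(request);
        } catch (AuthenticationException e) {
            throw new ServletException("Could not rotate session identifier", e);
        }
        session.setAttribute("authenticatedUser", username);
        session.setAttribute("theme", theme == null ? "default" : theme);

        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

Two things to check when deploying this pattern. First, assertSecureChannel() and assertSecureRequest() judge the channel from what the servlet container reports about the request; behind a TLS-terminating reverse proxy the container must be configured to trust the proxy's forwarded-protocol header, otherwise every request is rejected as insecure. Second, on Servlet 3.1 or later containers, HttpServletRequest.changeSessionId() is a container-native way to rotate the identifier; ESAPI's changeSessionIdentifier() remains useful on older containers and when the rest of the application relies on ESAPI's session handling.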

