Monday, May 4, 2009

OWASP ISWG: Struts 2/WebWork Gap Analysis

Arshan Dabirsiaghi recently published "A Gap Analysis of Application Security in Struts2/WebWork" for the OWASP Intrinsic Security Working Group. The paper evaluates the security controls/features that are either built into Struts 2 or can be added by extending the framework.

I had the opportunity to contribute research and code to this paper. The appendix section contains several code examples showing how one might:
  • Create an authentication interceptor
  • Create a roles interceptor (enforces page-level access controls based on a user's privilege level)
  • Create a caching headers interceptor
  • Prevent CSRF vulnerabilities using the built-in tokenSession interceptor
  • Implement a custom error handler
  • Create an interceptor that enforces SSL
  • Regenerate session IDs when users cross an authentication boundary
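As an added illustration of the interceptor pattern the appendix items above rely on (this is example code written for this post's summary, not code from the paper or from the struts2securityaddons repository), the following Struts 2 interceptor refuses to invoke an action unless the session carries an authenticated user, and a companion helper shows how a login action can regenerate the session ID when the user crosses the authentication boundary. The package name, the `authenticatedUser` session attribute and the `login` result name are assumptions for the example; the Struts 2 classes (`AbstractInterceptor`, `ActionInvocation`, `ServletActionContext`) are the framework's own.

```java
package example.security; // hypothetical package for this example

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Authentication interceptor: every action it guards runs only when the
 * current session holds an authenticated user. Wire it into an interceptor
 * stack in struts.xml and apply that stack to all non-public packages so
 * the check cannot be forgotten on an individual action.
 */
public class AuthenticationInterceptor extends AbstractInterceptor {

    /** Result name the login action mapping must define (assumption). */
    public static final String LOGIN_RESULT = "login";

    /** Session attribute set by the login action on success (assumption). */
    public static final String USER_ATTRIBUTE = "authenticatedUser";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        // getSession(false) avoids creating a session for anonymous requests
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTRIBUTE) == null) {
            // Fail closed: never call invocation.invoke() for an unauthenticated caller
            return LOGIN_RESULT;
        }
        return invocation.invoke();
    }

    /**
     * Helper for the login action: after credentials are verified, discard
     * the pre-authentication session ID and carry the attributes over to a
     * fresh session, so a session ID observed before login is worthless
     * afterwards (session fixation defence).
     */
    public static HttpSession regenerateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

In a login action the order matters: verify the credentials first, call `regenerateSession(request)`, and only then set the `authenticatedUser` attribute on the session that is returned; setting the attribute before regeneration would leave a window in which the old ID is authenticated.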
The paper can be found here:
http://www.owasp.org/index.php/Image:A_Gap_Analysis_of_Application_Security_in_Struts2.pdf

The code repository containing the updated Struts 2 modules can be found below:

http://code.google.com/p/struts2securityaddons/

Additionally, you can see discussion of these modules in my earlier blog posts:

2 comments:

Eurrsk said...

Thank you for the code in the appendix.

But I did not understand in the analysis if there is a way to use the ESAPI directly with struts2.

Nick Coblentz said...

Eurrsk,

I am not that familiar with ESAPI. My knowledge centers around Struts 2. I recommend joining the OWASP ESAPI mailing list and asking folks there. I believe Arshan is a member of that mailing list. You can find it here:

https://lists.owasp.org/mailman/listinfo/owasp-esapi