cat slave diary

ESAPI for PHP – first tests passed

Written by

Andrew van der Stock

in

, ,

I’ve been working on the essentials for OWASP ESAPI, and now it passes its first set of unit tests, in this case a 1:1 mapping of the ESAPI exceptions test class.
PHP ESAPI Exception Test Suite pass

This is the first set of classes that fully passes a set of tests that is exactly equivalent to the J2EE trunk SVN. Yes, it’s one test, but it tests the exceptions thrown by every single one of the Exception classes.

This is key as ESAPI throws a lot of ESAPI exceptions when things go south. In addition to ESAPI exceptions, the PHP port will also throw SPL exceptions, such as InvalidArgument and so on as it makes sense to do so.

To get this far, I’ve had to hand hack the Authenticator, User, Logger, and Intrusion Detection classes – currently no errors are sent out by ESAPI for PHP, but give me a bit of time and it will happen. String Utilities is also partially there. Authenticator is interesting as it actually does generate strong passwords, and actually reads from the resources directory for the user’s file and decodes it into an array. However, some of these behaviors are hard wired to allow more of the Milestone 1 classes to pass tests, rather than be part of the Milestone 3 build.

I’ve started work on the RandomAccessReferenceMap class. It’s almost there; but unfortunately, I’ve got to go to bed as it’s 2 AM. It’s so close I can smell it. Once done, that class is a close relative of the IntegerReferenceAccessMap, and so there are likely to be two valid and useful ESAPI for PHP classes done soon. I’ll see if I can finish it and check it in before I have to go to work on Monday.

Comments

5 responses to “ESAPI for PHP – first tests passed”

  1. jrosell Avatar
    jrosell

    vanderaj, do you know where i can get real world examples using ESAPI for PHP.

  2. vanderaj Avatar
    vanderaj

    Hi there,

    As it’s only just started to exist, there are no current ESAPI for PHP examples.

    I will be porting my old forum, UltimaBB, to ESAPI for PHP and I’ll donate that to OWASP as an example program.

    It’ll use:

    AccessReferenceMap – for most user CP and admin CP options
    AccessController – replacing the current code
    Authenticator – replace the current autologin, remember me, change password and other code
    Encoder – to replace the current encoding mechanisms, particularly around themes and CSS
    Executor – to protect the system() calls used by the optional load banner
    HTTP Utilities – to replace its CSRF protection with ESAPI’s, and other things
    IntrusionDetector – to replace / beef up the current audit functionality
    Logger – to replace / beef up the current logging mechanism
    Randomizer – for generating random values for the CAPTCHA
    SafeFile – to protect the uploading of attachments, icons and avatars
    SecureProperties – for config.php
    User – a non-reference implementation that suits me

    Essentially, it will over time use all of ESAPI for PHP, albeit with a customized version suitable for it. That forum runs a very large site I run, so it will immediately help me more than any demo application like SwingSet might.

  3. Neue Sicherheit bringt der Mai – PHPUGFFM – PHP User Group Frankfurt am Main

    […] Ein erster Termin ist mit Mai 2009 angegeben. Dabei handelt es sich um eine Portierung der JAVA Referenzimplementierung. Mehr Infos auch im Blog von Andrew van der Stock. […]

  4. El Yobo Avatar
    El Yobo

    A year or so later and it still seems impossible to find any useful examples using this framework…

    Any pointers for someone looking to start using this? Is it usable yet?

  5. vanderaj Avatar
    vanderaj

    Hi there,

    It’s being actively developed, and should be ready by OWASP US this year.

    I think many of the classes are complete, but it’ll be at least a few more months until we can call it cooked.

    thanks,
    Andrew

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts