Difference between revisions of "OWASP EJSF Project"

Line 1: Line 1:
 
=Main=
 
=Main=
 
Project Leader’s content goes here
 
Project Leader’s content goes here
 
=Project About=
 
{{:Projects/OWASP_EJSF_Project}}
 
  
 
=Installation=
 
=Installation=
  
 
=Downloads=
 
=Downloads=
 +
 +
=Examples=
 +
 +
=Project About=
 +
{{:Projects/OWASP_EJSF_Project}}
 +
  
 
[[Category:OWASP Project]]
 
[[Category:OWASP Project]]
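
Review bot: the added =Examples= heading has no body, and the template placeholder "Project Leader’s content goes here" under =Main= is still in place after this revision; fill both in, or hold the empty heading back until example content exists. Moving the {{:Projects/OWASP_EJSF_Project}} transclusion below the empty =Installation=, =Downloads= and =Examples= headings also puts the only real content at the bottom of the page, so consider keeping it directly under =Main= until those sections are written.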

Revision as of 06:19, 2 September 2013

Main

Project Leader’s content goes here

Installation

Downloads

Examples

Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP EJSF Project (home page)
Purpose: Modern web application frameworks have made it easy to develop high-quality web applications, but developing a secure application still requires programmers to possess a deep understanding of security vulnerabilities and attacks. Sometimes it is difficult even for an experienced developer to find and eliminate all the vulnerabilities. This demo presents the JSF-ESAPI framework, based on JSF 2.0 and OWASP ESAPI. It helps developers write a secure, lower-risk JSF-based web application with minimal configuration and without extensive prior knowledge of web security. The figure below shows a complete integration of the JSF-ESAPI framework with JSF 2.0 and ESAPI. It works as middleware and consists of four important modules. ESAPI Validation is the first module; it verifies user input as given in the XSS prevention cheat sheet provided by OWASP. It consists of many user-defined validator tags and generates appropriate error messages if the user input is not valid. In this way it performs strong validation.

There are also tags for the corresponding validators in ESAPI, and they also filter XSS-relevant code from the input. The file-based authorization module simplifies the handling of user roles, such as admin, user, etc., and gives permission to display certain components at the presentation layer based on the assigned roles. The ESAPI Filtering layer compares the form token with the token stored in the session for that user. If the token is altered or changed by a man in the middle during a request-response exchange, the layer raises an appropriate exception.

The last module is a render module, which renders the output after filtering the XSS content and encodes vulnerable characters such as <, >, ", ' etc. as given in the XSS prevention cheat sheet provided by OWASP.

This framework helps developers prevent a myriad of security problems, including cross-site scripting and cross-site request forgery, and provides automatic input validation, automatic output validation (with escape set to “true” or without this parameter), and authorization. All the features are included in one framework.

Advantages:
(1) It requires minimal configuration to use the framework.
(2) It retrofits security into an existing application.
(3) It provides the same performance as the JSF framework.
(4) Automatic filtering of XSS-vulnerable code from the output takes place when escape equals “true” or “false”.
(5) Input validation is easy and no additional coding is required.
(6) It has a layered architecture: use what you need and leave what you don’t need at the moment.
(7) One framework includes most security features.
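
The token comparison performed by the filtering layer described above, sketched in plain Java as an added example (not EJSF or ESAPI code). The session is modeled as a Map, and the class name, method names, attribute key and single-use behaviour are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration; class, method and key names are hypothetical, not EJSF's.
public class FormTokenCheck {
    static final String TOKEN_KEY = "formToken";           // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Called when the form is rendered: store a fresh random token in the
    // user's session and return it for embedding in a hidden form field.
    static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_KEY, token);
        return token;
    }

    // Called on the postback: the submitted token must match the session copy.
    // A missing or altered token ends in a SecurityException.
    static void verify(Map<String, Object> session, String submitted) {
        Object stored = session.remove(TOKEN_KEY);          // single use (assumption)
        if (!(stored instanceof String) || submitted == null) {
            throw new SecurityException("form token missing");
        }
        byte[] a = ((String) stored).getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) {                 // constant-time compare
            throw new SecurityException("form token mismatch");
        }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();      // constructed stand-in for an HttpSession
        String token = issueToken(session);
        verify(session, token);                             // legitimate postback passes
        System.out.println("valid token accepted");

        String altered = issueToken(session) + "x";         // constructed tampered value
        try {
            verify(session, altered);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```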

License: GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)
who is working on this project?
Project Leader(s):
  • Prof. Dr. Emmanual Benoist
  • Rakeshkumar Kachhadiya
Project Contributor(s):
  • Matthey Samuel
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Prof. Dr. Emmanual Benoist to contribute to this project
  • Contact Prof. Dr. Emmanual Benoist to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
https://github.com/OWASP/EJSF
last reviewed release
https://github.com/OWASP/EJSF


other releases