forked from j3ers3/Hello-Java-Sec
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
19 changed files
with
162 additions
and
103 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,150 @@ | ||
ESAPI.printProperties=false | ||
|
||
ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController | ||
ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator | ||
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder | ||
ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor | ||
ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor | ||
ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities | ||
ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector | ||
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory | ||
ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer | ||
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator | ||
|
||
|
||
#=========================================================================== | ||
# ESAPI Encoder | ||
Encoder.AllowMultipleEncoding=false | ||
Encoder.AllowMixedEncoding=false | ||
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec | ||
|
||
|
||
#=========================================================================== | ||
# ESAPI ???? | ||
Encryptor.PreferredJCEProvider= | ||
Encryptor.EncryptionAlgorithm=AES | ||
Encryptor.CipherTransformation=AES/CBC/PKCS5Padding | ||
Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC | ||
Encryptor.cipher_modes.additional_allowed=CBC | ||
Encryptor.EncryptionKeyLength=128 | ||
Encryptor.ChooseIVMethod=random | ||
Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f | ||
Encryptor.CipherText.useMAC=true | ||
Encryptor.PlainText.overwrite=true | ||
Encryptor.HashAlgorithm=SHA-512 | ||
Encryptor.HashIterations=1024 | ||
Encryptor.DigitalSignatureAlgorithm=SHA1withDSA | ||
Encryptor.DigitalSignatureKeyLength=1024 | ||
Encryptor.RandomAlgorithm=SHA1PRNG | ||
Encryptor.CharacterEncoding=UTF-8 | ||
Encryptor.KDF.PRF=HmacSHA256 | ||
|
||
#=========================================================================== | ||
# ESAPI Http?? | ||
|
||
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload | ||
HttpUtilities.UploadTempDir=C:\\temp | ||
# Force flags on cookies, if you use HttpUtilities to set cookies | ||
HttpUtilities.ForceHttpOnlySession=false | ||
HttpUtilities.ForceSecureSession=false | ||
HttpUtilities.ForceHttpOnlyCookies=true | ||
HttpUtilities.ForceSecureCookies=true | ||
# Maximum size of HTTP headers | ||
HttpUtilities.MaxHeaderSize=4096 | ||
# File upload configuration | ||
HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll | ||
HttpUtilities.MaxUploadFileBytes=500000000 | ||
# Using UTF-8 throughout your stack is highly recommended. That includes your database driver, | ||
# container, and any other technologies you may be using. Failure to do this may expose you | ||
# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization. | ||
HttpUtilities.ResponseContentType=text/html; charset=UTF-8 | ||
# This is the name of the cookie used to represent the HTTP session | ||
# Typically this will be the default "JSESSIONID" | ||
HttpUtilities.HttpSessionIdName=JSESSIONID | ||
|
||
|
||
|
||
#=========================================================================== | ||
# ESAPI Executor | ||
Executor.WorkingDirectory= | ||
Executor.ApprovedExecutables= | ||
|
||
|
||
#=========================================================================== | ||
# ESAPI Logging | ||
# Set the application name if these logs are combined with other applications | ||
Logger.ApplicationName=ExampleApplication | ||
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true | ||
Logger.LogEncodingRequired=false | ||
# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. | ||
Logger.LogApplicationName=true | ||
# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. | ||
Logger.LogServerIP=true | ||
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you | ||
# want to place it in a specific directory. | ||
Logger.LogFileName=ESAPI_logging_file | ||
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) | ||
Logger.MaxLogFileSize=10000000 | ||
|
||
|
||
#=========================================================================== | ||
# ESAPI Intrusion Detection | ||
IntrusionDetector.Disable=false | ||
IntrusionDetector.event.test.count=2 | ||
IntrusionDetector.event.test.interval=10 | ||
IntrusionDetector.event.test.actions=disable,log | ||
|
||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 | ||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 | ||
IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout | ||
|
||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 | ||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 | ||
IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout | ||
|
||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 | ||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 | ||
IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout | ||
|
||
|
||
#=========================================================================== | ||
# ESAPI ??? | ||
#???????? | ||
Validator.ConfigurationFile=validation.properties | ||
|
||
# Validators used by ESAPI | ||
Validator.AccountName=^[a-zA-Z0-9]{3,20}$ | ||
Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ | ||
Validator.RoleName=^[a-z]{1,20}$ | ||
|
||
#the word TEST below should be changed to your application | ||
#name - only relative URL's are supported | ||
Validator.Redirect=^\\/test.*$ | ||
|
||
# Global HTTP Validation Rules | ||
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] | ||
Validator.HTTPScheme=^(http|https)$ | ||
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ | ||
Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$ | ||
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=@_ ]*$ | ||
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ | ||
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ | ||
|
||
# Note that max header name capped at 150 in SecurityRequestWrapper! | ||
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,50}$ | ||
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ | ||
Validator.HTTPContextPath=^\\/?[a-zA-Z0-9.\\-\\/_]*$ | ||
Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ | ||
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ | ||
Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$ | ||
Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ | ||
Validator.HTTPURL=^.*$ | ||
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$ | ||
|
||
# Validation of file related input | ||
Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ | ||
Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ | ||
|
||
# Validation of dates. Controls whether or not 'lenient' dates are accepted. | ||
# See DataFormat.setLenient(boolean flag) for further details. | ||
Validator.AcceptLenientDates=false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
log4j2.formatMsgNoLookups=False |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$ | ||
Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ | ||
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ | ||
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$ | ||
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ | ||
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ |