forked from ESAPI/esapi-java-legacy
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathESAPI.properties
More file actions
128 lines (106 loc) · 4.91 KB
/
Copy pathESAPI.properties
File metadata and controls
128 lines (106 loc) · 4.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# Properties file for OWASP Enterprise Security API (ESAPI)
# You can find more information about ESAPI at http://www.owasp.org/esapi
#
# Authentication
RememberTokenDuration=14
AllowedLoginAttempts=3
MaxOldPasswordHashes=13
UsernameParameterName=username
PasswordParameterName=password
# Encryption
MasterPassword=owasp1
MasterSalt=testtest
# Validation
#
# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved,
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validation." For example:
# Validaton.email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
#
# Then you can validate in your code against the pattern like this:
# Validator.getInstance().getValidDataFromBrowser( "Email", input );
# Validator.getInstance().isValidDataFromBrowser( "Email", input );
#
Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
# Validators used by ESAPI
Validator.AccountName=^[a-zA-Z0-9]{3,20}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
Validator.RoleName=^[a-z]{1,20}$
Validator.Redirect=^\\/test.*$
# Global HTTP Validation Rules
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
# Validation of file related input
Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$
Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$
# File upload configuration
ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
MaxUploadFileBytes=500000000
# Content-Type header
ResponseContentType=text/html; charset=UTF-8
# Logging
#
# Logging level, values are ALL, SEVERE, WARNING, INFO, DEBUG?
LogLevel=ALL
LogEncodingRequired=false
# Algorithms
# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data
# WARNING: Reasonable values for these algorithms will be tested and documented in a future release
#
CharacterEncoding=UTF-8
HashAlgorithm=SHA-512
HashIterations=1024
#EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding
EncryptionAlgorithm=PBEWithMD5AndDES
RandomAlgorithm=SHA1PRNG
DigitalSignatureAlgorithm=SHAwithDSA
# Intrusion Detection
#
# Each event has a base to which .count, .interval, and .action are added
# The IntrusionException will fire if we receive "count" events within "interval" seconds
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
#
# Custom Events
# Names must start with "event." as the base
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
#
event.test.count=2
event.test.interval=10
event.test.actions=disable,log
# Exception Events
# All EnterpriseSecurityExceptions are registered automatically
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
# Use the fully qualified classname of the exception as the base
# any intrusion is an attack
org.owasp.esapi.errors.IntrusionException.count=1
org.owasp.esapi.errors.IntrusionException.interval=1
org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
# for test purposes
org.owasp.esapi.errors.IntegrityException.count=10
org.owasp.esapi.errors.IntegrityException.interval=5
org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
# rapid validation errors indicate scans or attacks in progress
# org.owasp.esapi.errors.ValidationException.count=10
# org.owasp.esapi.errors.ValidationException.interval=10
# org.owasp.esapi.errors.ValidationException.actions=log,logout
# sessions jumping between hosts indicates a session hijacking
org.owasp.esapi.errors.AuthenticationHostException.count=2
org.owasp.esapi.errors.AuthenticationHostException.interval=10
org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout