Avoid usage of BannedAPI when using ESAPI library

Rule Definition
While some known vulnerabilities lead to only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components.

Remediation
Remediation, using the equivalent APi provided OWASP ESAPI BAN001 System.out.println() Logger.* BAN002 Throwable.printStackTrace() Logger.* BAN003 Runtime.exec() Executor.safeExec() BAN004 Session.getId() Randomizer.getRandomString (better not to use at all) BAN005 ServletRequest.getUserPrincipal() Authenticator.getCurrentUser() BAN006 ServletRequest.isUserInRole() AccessController.isAuthorized*() BAN007 Session.invalidate() Authenticator.logout() BAN008 Math.Random.* Randomizer.* BAN009 File.createTempFile() Randomizer.getRandomFilename() BAN010 ServletResponse.setContentType() HTTPUtilities.setContentType() BAN011 ServletResponse.sendRedirect() HTTPUtilities.safeSendRedirect() BAN012 RequestDispatcher.forward() HTTPUtilities.safeSendForward() BAN013 ServletResponse.addHeader() HTTPUtilities.safeSetHeader()/safeSetHeader() BAN014 ServletResponse.addCookie() HTTPUtilities.safeAddCookie() BAN015 ServletRequest.isSecure() HTTPUtilties.isSecureChannel() BAN016 Properties.* EncryptedProperties.* BAN017 ServletContext.log() Logger.* BAN018 java.security and javax.crypto Encryptor.* BAN019 java.net.URLEncoder/Decoder Encoder.encodeForURL()/decodeForURL() BAN020 java.sql.Statement.execute PreparedStatement.execute BAN021 ServletResponse.encodeURL HTTPUtilities.safeEncodeURL() (better not to use at all) BAN022 ServletResponse.encodeRedirectURL HTTPUtilities.safeEncodeRedirectURL() (better not to use at all)

Violation Code Sample

The following calls in the code. System.out.println() Throwable.printStackTrace() Runtime.exec() Session.getId() ServletRequest.getUserPrincipal() ServletRequest.isUserInRole() Session.invalidate() Math.Random.* File.createTempFile() ServletResponse.setContentType() ServletResponse.sendRedirect() RequestDispatcher.forward() ServletResponse.addHeader() ServletResponse.addCookie() ServletRequest.isSecure() Properties.* ServletContext.log() java.security and javax.crypto java.net.URLEncoder/Decoder java.sql.Statement.execute ServletResponse.encodeURL ServletResponse.encodeRedirectURL

Fixed Code Sample

Use the available OWASP ESAPI or equivalent. BAN001 System.out.println() Logger.* BAN002 Throwable.printStackTrace() Logger.* BAN003 Runtime.exec() Executor.safeExec() BAN004 Session.getId() Randomizer.getRandomString (better not to use at all) BAN005 ServletRequest.getUserPrincipal() Authenticator.getCurrentUser() BAN006 ServletRequest.isUserInRole() AccessController.isAuthorized*() BAN007 Session.invalidate() Authenticator.logout() BAN008 Math.Random.* Randomizer.* BAN009 File.createTempFile() Randomizer.getRandomFilename() BAN010 ServletResponse.setContentType() HTTPUtilities.setContentType() BAN011 ServletResponse.sendRedirect() HTTPUtilities.safeSendRedirect() BAN012 RequestDispatcher.forward() HTTPUtilities.safeSendForward() BAN013 ServletResponse.addHeader() HTTPUtilities.safeSetHeader()/safeSetHeader() BAN014 ServletResponse.addCookie() HTTPUtilities.safeAddCookie() BAN015 ServletRequest.isSecure() HTTPUtilties.isSecureChannel() BAN016 Properties.* EncryptedProperties.* BAN017 ServletContext.log() Logger.* BAN018 java.security and javax.crypto Encryptor.* BAN019 java.net.URLEncoder/Decoder Encoder.encodeForURL()/decodeForURL() BAN020 java.sql.Statement.execute PreparedStatement.execute BAN021 ServletResponse.encodeURL HTTPUtilities.safeEncodeURL() (better not to use at all) BAN022 ServletResponse.encodeRedirectURL HTTPUtilities.safeEncodeRedirectURL() (better not to use at all)

Reference

https://www.owasp.org/index.php/ESAPI_Secure_Coding_Guideline

Related Technologies

Health Factor

Changeability

Technical Criterion
Programming Practices - Modularity and OO Encapsulation Conformity

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

nan%

Total Violations

0

Total Opportunities

0

Average Violations / App.

nan

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Select from drop-down

100.00%

Financial Services

99.99%

IT & Business Consulting

99.98%

Want more stats? Register now!