ESAPI for PHP – first tests passed

I’ve been working on the essentials for OWASP ESAPI, and now it passes its first set of unit tests, in this case a 1:1 mapping of the ESAPI exceptions test class.
PHP ESAPI Exception Test Suite pass

This is the first set of classes that fully passes a set of tests that is exactly equivalent to the J2EE trunk SVN. Yes, it’s one test, but it tests the exceptions thrown by every single one of the Exception classes.

This is key as ESAPI throws a lot of ESAPI exceptions when things go south. In addition to ESAPI exceptions, the PHP port will also throw SPL exceptions, such as InvalidArgument and so on as it makes sense to do so.

To get this far, I’ve had to hand hack the Authenticator, User, Logger, and Intrusion Detection classes – currently no errors are sent out by ESAPI for PHP, but give me a bit of time and it will happen. String Utilities is also partially there. Authenticator is interesting as it actually does generate strong passwords, and actually reads from the resources directory for the user’s file and decodes it into an array. However, some of these behaviors are hard wired to allow more of the Milestone 1 classes to pass tests, rather than be part of the Milestone 3 build.

I’ve started work on the RandomAccessReferenceMap class. It’s almost there; but unfortunately, I’ve got to go to bed as it’s 2 AM. It’s so close I can smell it. Once done, that class is a close relative of the IntegerReferenceAccessMap, and so there are likely to be two valid and useful ESAPI for PHP classes done soon. I’ll see if I can finish it and check it in before I have to go to work on Monday.

Author: vanderaj

Just another security geek

5 thoughts on “ESAPI for PHP – first tests passed”

  1. Hi there,

    As it’s only just started to exist, there are no current ESAPI for PHP examples.

    I will be porting my old forum, UltimaBB, to ESAPI for PHP and I’ll donate that to OWASP as an example program.

    It’ll use:

    AccessReferenceMap – for most user CP and admin CP options
    AccessController – replacing the current code
    Authenticator – replace the current autologin, remember me, change password and other code
    Encoder – to replace the current encoding mechanisms, particularly around themes and CSS
    Executor – to protect the system() calls used by the optional load banner
    HTTP Utilities – to replace its CSRF protection with ESAPI’s, and other things
    IntrusionDetector – to replace / beef up the current audit functionality
    Logger – to replace / beef up the current logging mechanism
    Randomizer – for generating random values for the CAPTCHA
    SafeFile – to protect the uploading of attachments, icons and avatars
    SecureProperties – for config.php
    User – a non-reference implementation that suits me

    Essentially, it will over time use all of ESAPI for PHP, albeit with a customized version suitable for it. That forum runs a very large site I run, so it will immediately help me more than any demo application like SwingSet might.

  2. A year or so later and it still seems impossible to find any useful examples using this framework…

    Any pointers for someone looking to start using this? Is it usable yet?

  3. Hi there,

    It’s being actively developed, and should be ready by OWASP US this year.

    I think many of the classes are complete, but it’ll be at least a few more months until we can call it cooked.


Leave a Reply

Your email address will not be published. Required fields are marked *