All Downloads are FREE. Search and download functionalities are using the official Maven repository.

auth.0.5.0.0-1014.source-code.ESAPI.properties Maven / Gradle / Ivy

# Properties file for OWASP Enterprise Security API (ESAPI)
# You can find more information about ESAPI at http://www.owasp.org/esapi
#

# Logging
ApplicationName=Robe

# Authentication
Authenticator.AllowedLoginAttempts=3
Authenticator.MaxOldPasswordHashes=13
Authenticator.UsernameParameterName=username
Authenticator.PasswordParameterName=password
# ESAPI.Authenticator=com.esapi.authenticator.CustomAuthenticator

# Auth Token and Session Timeouts
# RememberTokenDuration (in days)
RememberTokenDuration=14
# Session Timeouts (in minutes)
Authenticator.IdleTimeoutDuration=10
Authenticator.AbsoluteTimeoutDuration=120

# Encryption
# Generate a new key using java -Dorg.owasp.esapi.resources="your path" org.owasp.esapi.reference.JavaEncryptor
Encryptor.MasterKey=O5qLHtg/V3jSzVnQvzX55w==
Encryptor.MasterSalt=ROBEROBE
Encryptor.cipher_modes.additional_allowed=CBC

# Validation
#
# The ESAPI validator does many security checks on input, such as canonicalization
# and whitelist validation. Note that all of these validation rules are applied *after*
# canonicalization. Double-encoded characters (even with different encodings involved,
# are never allowed.
#
# To use:
#
# First set up a pattern below. You can choose any name you want, prefixed by the word
# "Validation." For example:
#   Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
# 
# Then you can validate in your code against the pattern like this:
#   Validator.getInstance().getValidDataFromBrowser( "Email", input );
#   Validator.getInstance().isValidDataFromBrowser( "Email", input );
#
Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$

# Validators used by ESAPI
Validator.AccountName=^[a-zA-Z0-9]{3,100}$
Validator.SystemCommand=^[a-zA-Z\\-\\/]{0,64}$
Validator.RoleName=^[a-z]{1,50}$
Validator.Redirect=^\\/medy.*$

# Global HTTP Validation Rules
# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
Validator.HTTPScheme=^(http|https)$
Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]$
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{0,32}$
Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
Validator.HTTPContextPath=^[a-zA-Z0-9.\\-_]$
Validator.HTTPPath=^[a-zA-Z0-9.\\-_]$
Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]$
Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]$
Validator.HTTPURL=^.*$
Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$

# Validation of file related input
Validator.FileName=^[a-zA-Z0-9.\\-_ ]{0,255}$
Validator.DirectoryName=^[a-zA-Z0-9.-\\_ ]{0,255}$

# File upload configuration
ValidExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
MaxUploadFileBytes=500000000


# Content-Type header
ResponseContentType=text/html; charset=UTF-8


# Logging
#
# Logging level, supported values are OFF, FATAL, ERROR, WARNING (ESAPI default), INFO, DEBUG, TRACE, ALL
ESAPI.LogLevel=FATAL
# LogEncodingRequired, Indicates if all content logged needs to be HTML Entity encoded before being recorded in the log file
ESAPI.LogEncodingRequired=false
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
# want to place it in a specific directory.
ESAPI.LogFileName=ESAPI_logging_file
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
ESAPI.MaxLogFileSize=10000000


# Algorithms
# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data
# WARNING: Reasonable values for these algorithms will be tested and documented in a future release
# 
Encryptor.CharacterEncoding=UTF-8
Encryptor.HashAlgorithm=SHA-256
Encryptor.HashIterations=1024
Encryptor.EncryptionAlgorithm=AES
Encryptor.RandomAlgorithm=SHA1PRNG
Encryptor.DigitalSignatureAlgorithm=SHAwithDSA
Encryptor.CipherText.useMAC=false

# Intrusion Detection
#
# Each event has a base to which .count, .interval, and .action are added
# The IntrusionException will scheduleJob if we receive "count" events within "interval" seconds
# The IntrusionDetector is configurable to take the following actions: log, logout, and disable
#  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
#
# Custom Events
# Names must start with "event." as the base
# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
#
event.test.count=2
event.test.interval=10
event.test.actions=disable,log

# Exception Events
# All EnterpriseSecurityExceptions are registered automatically
# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
# Use the fully qualified classname of the exception as the base

# any intrusion is an attack
org.owasp.esapi.errors.IntrusionException.count=1
org.owasp.esapi.errors.IntrusionException.interval=1
org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout

# for test purposes
org.owasp.esapi.errors.IntegrityException.count=10
org.owasp.esapi.errors.IntegrityException.interval=5
org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout

# rapid validation errors indicate scans or attacks in progress
# org.owasp.esapi.errors.ValidationException.count=10
# org.owasp.esapi.errors.ValidationException.interval=10
# org.owasp.esapi.errors.ValidationException.actions=log,logout

# sessions jumping between hosts indicates session hijacking
org.owasp.esapi.errors.AuthenticationHostException.count=2
org.owasp.esapi.errors.AuthenticationHostException.interval=10
org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout





© 2015 - 2024 Weber Informatics LLC | Privacy Policy