OWASP Enterprise Security API (ESAPI)
OWASP ESAPI for ColdFusion/CFML Project
Purpose: This is the ColdFusion/CFML language version of OWASP ESAPI.
= The current release of this project *is not* suitable for production use =
License: BSD license
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=ColdFusion.2FCFML


*** SETUP/USAGE ***

Setup:
1. Ensure that J2EE session variables are enabled! You will not be able to authenticate if this is disabled.
2. The cfesapi folder should sit at the webroot level.
3. Copy /cfesapi/esapi/esapi-2.0.1.jar and selected files from /cfesapi/esapi/libs/ to your lib folder (see compatibility below).
4. Restart ColdFusion.
NOTE: CFESAPI ships with folders that you will want to exclude from your production environment.

Tests:
- You will need to create an 'esapi' folder under your User Home directory so the users.txt file can be written to disk, e.g. C:\Users\myusername\esapi\
- You can run the MXUnit tests using: /cfesapi/test/TestSuite.cfm

Demos:
- See /cfesapi/demo/ for basic examples of implementation. It is a shell for adding your specific code to the existing methods.

Implementation:
- You can extend any of the default implementations to override the methods you need, and/or
- You can create new implementations that implement the provided interfaces

How:
- Copy the /cfesapi/esapi/configuration/esapi/ folder to a location within your CF application and make changes to your copy of the config files
- ESAPI.properties
	- IMPORTANT: Run /cfesapi/org/owasp/esapi/reference/crypto/JavaEncryptor.cfm to calculate your *own* Encryptor.MasterKey and Encryptor.MasterSalt values
	- Update the component paths with the location of your implementation components
	- Modify other configs as needed
- Include the /cfesapi/helpers/ESAPI.cfm in your application
- Call the filters provided by CFESAPI to secure and authenticate each request.
- See demos for examples

Tips:
- You can determine whether unlimited strength crypto is installed by running: /cfesapi/test/org/owasp/esapi/reference/crypto/CryptoPolicy.cfm
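The crypto policy check from the tip above and the "calculate your own Encryptor.MasterKey and Encryptor.MasterSalt" step, as one added example that is not CFESAPI's own JavaEncryptor.cfm or CryptoPolicy.cfm. The 128-bit AES key and 20-byte salt sizes are assumptions taken from ESAPI 2.x defaults; match them to Encryptor.EncryptionKeyLength in your copy of ESAPI.properties.

```cfml
<!--- Added example (not part of CFESAPI): report the JCE policy in effect and mint fresh
      Encryptor.MasterKey / Encryptor.MasterSalt values for your own ESAPI.properties.
      Run once on the target server, copy the output into your copy of the config, and keep
      the generated values out of source control. --->
<cfscript>
	// 1. Policy check: under the default (limited) JCE policy the maximum AES key length is 128 bits,
	//    so anything larger means the unlimited strength policy files are installed.
	cipher = createObject("java", "javax.crypto.Cipher");
	maxAesBits = cipher.getMaxAllowedKeyLength("AES");
	if (maxAesBits GT 128) {
		policyMsg = "unlimited strength crypto is installed (max AES key length: " & maxAesBits & " bits)";
	} else {
		policyMsg = "LIMITED crypto policy (max AES key length: " & maxAesBits & " bits)";
	}

	// 2. MasterKey: a random AES key from the JCE KeyGenerator (SecureRandom-backed),
	//    base64 encoded the way ESAPI.properties expects.
	keyBits = 128;  // assumption: ESAPI 2.x default; match Encryptor.EncryptionKeyLength
	keyGen = createObject("java", "javax.crypto.KeyGenerator").getInstance("AES");
	keyGen.init(javaCast("int", keyBits));
	masterKey = binaryEncode(keyGen.generateKey().getEncoded(), "base64");

	// 3. MasterSalt: 20 random bytes (assumption: ESAPI 2.x default salt size). The HmacSHA1
	//    KeyGenerator is used only as a SecureRandom byte source of the requested length,
	//    because cfscript cannot allocate a Java byte[] directly.
	saltGen = createObject("java", "javax.crypto.KeyGenerator").getInstance("HmacSHA1");
	saltGen.init(javaCast("int", 160));  // 160 bits = 20 bytes
	masterSalt = binaryEncode(saltGen.generateKey().getEncoded(), "base64");
</cfscript>

<cfoutput>
<pre>
JCE policy: #policyMsg#
Paste these into your copy of ESAPI.properties, replacing the shipped values:
Encryptor.MasterKey=#masterKey#
Encryptor.MasterSalt=#masterSalt#
</pre>
</cfoutput>
```

If the policy line reports LIMITED and your configured key length is above 128 bits, install the unlimited strength policy files before generating the key, otherwise the Encryptor will fail at runtime.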

*** COMPATIBILITY ***

**************************
* Railo ColdFusion 3.2.3 *
**************************
MXUnit Test Results
- 10 failures + 1 error + 264 successes (55-65s)

Dependencies (place in [webroot]\WEB-INF\railo\lib)
- ESAPI.jar
- antisamy.jar
- batik-css.jar
- batik-util.jar
- commons-beanutils.jar
- commons-configuration.jar
- nekohtml.jar
- xercesImpl.jar

**************************
* Adobe ColdFusion 9.0.1 *
**************************
MXUnit Test Results
- 10 failures + 0 errors + 265 successes (60-70s)

Dependencies (place in [webroot]\WEB-INF\cfusion\lib)
- ESAPI.jar (http://kb2.adobe.com/cps/907/cpsid_90784.html adds esapi-2.0_rc10.jar, which may conflict with our jar - SOLUTION?)
- antisamy.jar
- batik-css.jar
- batik-util.jar
- commons-configuration.jar

**************************
* Adobe ColdFusion 8.0.1 *
**************************
MXUnit Test Results
- 9 failures + 1 error + 265 successes (70-80s)

Dependencies (place in [webroot]\WEB-INF\cfusion\lib)
- ESAPI.jar (http://kb2.adobe.com/cps/907/cpsid_90784.html adds esapi-2.0_rc10.jar, which may conflict with our jar - SOLUTION?)
- antisamy.jar
- batik-css.jar
- batik-util.jar
- commons-beanutils.jar
- commons-collections.jar (ACF8 has 2.1 but 3.2 is required)
- commons-configuration.jar
- commons-lang.jar
- nekohtml.jar