
How compliant is liberator with OWASP ? #274

Open
colceagus opened this issue Mar 17, 2017 · 7 comments
@colceagus

Hi,

I have to do a security compliance audit on liberator to get it accepted for use in the company I work for right now. What does liberator comply with, or offer as default sane protection against, the [OWASP Top Ten Cheat Sheet specified attacks](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)?

All the best! And keep it up guys!

@ordnungswidrig
Member

Hi Daniel,

this is a very good question. I'm not an expert with OWASP compliance but I had a look at the cheat sheet you mentioned. Most of the issues are on a higher level than the one on which liberator typically works. However, and this should help to get solid security, liberator sticks close to the HTTP specification and encourages and enforces the proper handling of it, e.g. content negotiation or the explicit handling of all the decisions and how they lead to the many status codes.

Typically liberator resource handlers are combined with ring middleware and libraries that do the heavy lifting on lower levels like parameter parsing, session handling, CSRF prevention, HTML encoding etc. The security of your application will most likely depend more on the right decisions made there than on liberator, which focuses very much on the executional (think status code) semantics of the HTTP resource.
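
To illustrate the two layers described above, here is an added example (not code from the liberator project or from this thread): a liberator resource that maps the decision tree onto 400/401/403/405/406 responses, wrapped in ring-defaults middleware for CSRF tokens, secure session cookies and security headers. It assumes an upstream authentication middleware (not shown) has placed an `:identity` map with a `:roles` set into the ring session, and that cheshire is available for JSON.

```clojure
;; Added example, not part of liberator. Assumes some auth middleware
;; (not shown) has put {:identity {:roles #{...}}} into the ring session.
(ns example.api
  (:require [liberator.core :refer [defresource]]
            [ring.middleware.defaults :refer [wrap-defaults secure-site-defaults]]
            [cheshire.core :as json]))   ; assumed JSON dependency

(defn- parse-body
  "Returns [true parsed-map] for valid JSON, [false nil] otherwise, so the
   resource can answer 400 instead of letting an exception turn into a 500."
  [ctx]
  (try
    [true (json/parse-string (slurp (get-in ctx [:request :body])) true)]
    (catch Exception _ [false nil])))

;; liberator evaluates these decisions in order: method-allowed? ->
;; malformed? -> authorized? -> allowed?, so ::user set by :authorized?
;; is already in the context when :allowed? runs.
(defresource notes
  :available-media-types ["application/json"]      ; anything else -> 406
  :allowed-methods [:get :post]                     ; other methods  -> 405
  :malformed? (fn [ctx]                             ; bad JSON body  -> 400
                (if (= :post (get-in ctx [:request :request-method]))
                  (let [[ok? data] (parse-body ctx)]
                    (if ok? [false {::data data}] true))
                  false))
  :authorized? (fn [ctx]                            ; no identity    -> 401
                 (when-let [user (get-in ctx [:request :session :identity])]
                   {::user user}))
  :allowed? (fn [ctx]                               ; missing role   -> 403
              (or (= :get (get-in ctx [:request :request-method]))
                  (contains? (:roles (::user ctx)) :notes/write)))
  :post! (fn [ctx] {::created (::data ctx)})
  :handle-created (fn [ctx] (json/generate-string (::created ctx)))
  :handle-ok (fn [_] (json/generate-string {:notes []})))

;; The lower-level protections the thread mentions live in the middleware,
;; not in the resource: secure-site-defaults turns on anti-forgery (a POST
;; without a valid CSRF token is rejected with 403 before liberator runs),
;; an HttpOnly + Secure session cookie, X-Content-Type-Options,
;; X-Frame-Options, HSTS and an SSL redirect.
(def app
  (wrap-defaults notes secure-site-defaults))
```

Because the CSRF check happens in the middleware, a browser client must send the anti-forgery token on POST even though nothing in the resource definition mentions it; that split is exactly why a review of the liberator resource alone says little about the application's OWASP posture.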

@colceagus
Author

Hi @ordnungswidrig.

Thanks for your response, I did the OWASP analysis for the project and some things have to be activated, added or implemented in the API I'm building.

I'll come back with some suggestions if it gets approved.

Thanks,
Daniel.

@ordnungswidrig
Member

Great. Please let me know if you identify anything that could improve liberator's compliance or security in general.

@colceagus
Author

I'm back, and it hasn't been approved, because of the legal issues it implies (now being under Facebook's umbrella, and having the PATENTS section). It didn't reach the security approval and I cannot share more details on whether it would (have) pass(ed) the corp security review.
I'm sorry.
You might want to keep this open for other corporate integrations.

@ordnungswidrig
Member

@danielmihai sorry to hear that you cannot disclose any details. I'm not sure what you mean by Facebook's umbrella; I suppose this is related to the company you're working for.

Given that liberator is a rather low-level library in the HTTP stack of a typical application, I wonder where it would actually fail to fulfill the requirements. Can you tell if this is mostly because of missing features, which might even be a deliberate design choice (e.g. no authentication implementation, but left open for the implementor), or did you find fundamental flaws that would need changes to liberator's implementation?

@belucid
Contributor

belucid commented Dec 4, 2017

I'll let @danielmihai answer but my read here @ordnungswidrig is that it never even made it to the OWASP/security evaluation stage and was knocked out earlier by not having patent indemnification in the license.

@colceagus
Author

I have to specify something, just to clear the mist of confusion. This component was used in a PoC to expose a REST API Endpoint for the wit.ai time parser. In the meanwhile, Facebook acquired wit.ai and that's why we couldn't go further with the adoption.
