Title: How to avoid top 10 security risks in Java EE applications. Masoud Kalali (@MasoudKalali), Oracle. JDays 2013

How to avoid the top 10 security risks in Java EE applications

Description

If you want to learn which top ten security risks a software engineer needs to pay attention to, and how to address them in your Java EE software, this session is for you. The Open Web Application Security Project (OWASP) periodically publishes the top 10 security risks and concerns of software development; the new list was published in 2013. Developers can use the features and functionality provided by Java EE to address or mitigate these risks. This presentation covers how to spot these risks in the code, how to avoid them, and what the best practices around each of them are. Where the application server or its configuration is involved, GlassFish is discussed as one of the Java EE 7 application servers.

How to avoid top 10 security risks in Java EE applications

Masoud Kalali, @MasoudKalali, Oracle

JDays 2013

Agenda

- Introduction
- The Top 10 Most Critical Web Application Security Risks
- Q&A

Java EE 6 & GlassFish

glassfish.org

Motivation for this talk

- Seen a lot
- Providing a starting point
- Sharing something
- Making you aware

The Top 10 Most Critical Web Application Security Risks

- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards

Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0). Source: http://owasptop10.googlecode.com/ a.k.a. OWASP Top-10

What is OWASP?

- Open Web Application Security Project
- Improving the security of (web) application software
  - Not-for-profit organization since 2001
  - Raise interest in secure development
- Documents
  - Top 10
  - Cheat Sheets
  - Development Guides
- Solutions
  - Enterprise Security API (ESAPI)
  - WebScarab
  - WebGoat

A1 - Injection

What is it?

- Sending unintended data to applications
- Manipulating and reading data stores (e.g. DB, LDAP, file system, etc.)
- Java EE 6 affected
  - UI technology of choice
  - Database access (JPA, JDBC)
  - File System API
  - etc.

How to spot it?

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Vulnerable: untrusted request data is concatenated straight into the SQL text
String customerId = request.getParameter("customerId");
String query = "SELECT balance FROM customer_data WHERE customer_id = '" + customerId + "'";
try {
    Statement statement = connection.createStatement(/* … */);
    ResultSet results = statement.executeQuery(query);
    // …
} catch (SQLException e) {
    // …
}
```

What the "user input" can look like:

```java
String customerId = "x'; DROP TABLE members; --"; // user-input
```

Prevent Injection

- Sanitize the input
- Escape/quote-safe the input, e.g. use ESAPI
- Use bound parameters (the PREPARED statement)
- Limit database permissions and segregate users
- Configure error reporting
- e.g. use OWASP LAPSE+ Static Code Analysis Tool

Prevent Injection Sample

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.OracleCodec;

// Option 1: white list validation and encoding of the value before it enters the SQL text
String customerId = request.getParameter("customerId");
String escapedCustomerId = ESAPI.encoder().encodeForSQL(new OracleCodec(), customerId);
String query = "SELECT balance FROM customer_data WHERE customer_id = '" + escapedCustomerId + "'";
```

OR

```java
import java.sql.PreparedStatement;
import java.sql.ResultSet;

// Option 2: bound parameters; the value is never part of the SQL text
String customerId = request.getParameter("customerId");
String query = "SELECT balance FROM customer_data WHERE customer_id = ?";
// using pstmt, or stmt with encoded/validated input parameters
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, customerId);
ResultSet results = pstmt.executeQuery();
```

A2 - Broken Authentication and Session Management

What is it?

- Container security vs. own solution
- Session binding / session renewal
- Passwords
  - Strength (length/complexity)
  - Plain text passwords (http/https)
  - Recovery mechanisms
- Number of factors used for authentication
- Java EE 6 affected
  - JAAS / JASPIC
  - Filter / PhaseListener

How to spot it?

- Authentication over http
- Custom security filter
- Not using container functionality
- No password strength requirements
- No HttpSession binding
- Way of saving passwords
- Not testing security

Best Practices

- Use container managed security
- Go with provided standard Realms and LoginModules whenever possible
- Invalidate session and all relevant bits when logged out
- If you need custom ones, test them extremely carefully
- Use transport layer encryption (TLS/SSL) for authentication credentials transport
- Review and adopt OWASP's ASVS (Application Security Verification Standard)
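The best practices above (container managed login, session renewal, full invalidation on logout, credentials only over TLS) in one Servlet 3.0 servlet, as an added example that is not code from the slides; the `/auth` path, the parameter names, the `JSESSIONID` cookie name and the realm configured in the container are assumptions.

```java
// Added example (not from the slides): container-managed login/logout in a
// Servlet 3.0 (Java EE 6) servlet, with session renewal on login and full
// invalidation on logout. Path, parameter and cookie names are assumed.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/auth")
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials must only travel over TLS; refuse to authenticate otherwise.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        String action = req.getParameter("action");
        if ("login".equals(action)) {
            login(req, resp);
        } else if ("logout".equals(action)) {
            logout(req, resp);
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Session renewal: drop any pre-login session so a session id that was
        // handed to the browser before authentication never becomes an
        // authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        try {
            // Delegates to the realm configured in the container: no home-grown
            // password check, no plaintext password kept by the application.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // Same response for unknown user and wrong password.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        HttpSession fresh = req.getSession(true);   // new session id after authentication
        fresh.setMaxInactiveInterval(15 * 60);      // idle timeout in seconds (assumed policy)
        // Bind the session to the authenticated principal for later checks.
        fresh.setAttribute("principal", req.getUserPrincipal().getName());
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();                                // clear the container's auth state
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();                    // and every session-scoped bit with it
        }
        // Expire the session cookie on the client as well (cookie name assumed).
        Cookie gone = new Cookie("JSESSIONID", "");
        gone.setMaxAge(0);
        gone.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        gone.setHttpOnly(true);
        gone.setSecure(true);
        resp.addCookie(gone);
        resp.sendRedirect(req.getContextPath() + "/login.html");
    }
}
```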

A3 - Cross-Site Scripting (XSS)

What is it?

- Inject malicious code into user interfaces
- Get access to browser information
  - E.g. javascript:alert(document.cookie)
- Steal user's session, steal sensitive data
- Rewrite web page or parts
- Redirect user to phishing or malware site
- Java EE 6 affected
  - UI technology of choice (e.g. JSF, JSP)

How to spot it?

- Anywhere that untrusted data is used as one of the following in the outgoing response:
  - HTML element's attributes
  - JavaScript variables
  - CSS values
  - Etc.

```java
// Vulnerable: a request parameter is written into an HTML attribute without encoding
String page = "";
page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
```

Prevent

- Sanitize the input, e.g. use OWASP AntiSamy or OWASP Java HTML Sanitizer, etc.
- Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS or URL)
- Use cookie flags
  - httpOnly (prevents XSS access)
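The hardened form of the credit-card input above, as an added example rather than code from the slides: the OWASP ESAPI Encoder (which the deck recommends) is used once per output context, and the session cookie gets the httpOnly and secure flags. The `CC` parameter and `JSESSIONID` cookie name are assumptions.

```java
// Added example (not from the slides): context-specific output encoding with
// the OWASP ESAPI Encoder, plus cookie flags. Parameter and cookie names assumed.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

public class SafeRender {

    /** Untrusted data placed inside a quoted HTML attribute (the slide's example). */
    static String creditCardField(HttpServletRequest request) {
        Encoder enc = ESAPI.encoder();
        String cc = request.getParameter("CC");
        if (cc == null) {
            cc = "";
        }
        // Attribute context: quotes, angle brackets, ampersands and other
        // metacharacters are entity-encoded, so the value cannot close the
        // attribute or start a new one.
        return "<input name='creditcard' type='TEXT' value='"
                + enc.encodeForHTMLAttribute(cc) + "'>";
    }

    /** The same untrusted value in four other contexts; each needs its own encoder. */
    static String otherContexts(String untrusted) throws EncodingException {
        Encoder enc = ESAPI.encoder();
        return "<div>" + enc.encodeForHTML(untrusted) + "</div>\n"                              // HTML body
             + "<script>var name = '" + enc.encodeForJavaScript(untrusted) + "';</script>\n"  // JS string
             + "<a href='/search?q=" + enc.encodeForURL(untrusted) + "'>go</a>\n"              // URL parameter
             + "<div style='color:" + enc.encodeForCSS(untrusted) + "'></div>";                // CSS value
    }

    /** Session cookie that script cannot read and that is never sent in clear. */
    static Cookie sessionCookie(String id) {
        Cookie c = new Cookie("JSESSIONID", id);   // name assumed
        c.setHttpOnly(true);   // not visible to document.cookie (Servlet 3.0+)
        c.setSecure(true);     // only sent over HTTPS
        c.setPath("/");
        return c;
    }
}
```

Encoding is done at output time, per context; input sanitizing (AntiSamy, Java HTML Sanitizer) is a separate layer for the cases where HTML markup is intentionally accepted.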

A4 - Insecure Direct Object References

What is it?

- Exposing secure objects without defense
- Accessing domain objects with their PK, e.g. https://you.com/user/1 => https://you.com/user/21
- Opening opportunities for intruders
- Information hiding on the client
- Parameter value tampering
- Java EE 6 affected
  - All layers
  - Especially data access

How to spot it?

- Direct user input to object mapping
- No verification on user input (defenseless)
- Data separation for users (tenants)
- Request mode access for data (RUD)
- Query constraints

Best Practices

- Use AccessReferenceMaps
- Use data-driven security
- Validate object references
- Always perform additional data authorization on the view

Direct references: http://app?file=1, http://app?file=Report123.xls

Indirect references: http://app?id=7d3J93, http://app?id=9182374
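An access reference map of the kind the slide recommends, written here as an added example in plain Java (not the deck's code and not ESAPI's own class, though it follows the same idea): the browser only ever sees random indirect ids issued to its own session, and any id the session did not issue is rejected. The report ids in the demo are constructed.

```java
// Added example (not from the slides): a per-session access reference map in the
// style of ESAPI's AccessReferenceMap, self-contained so it runs stand-alone.
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class SessionReferenceMap<T> {
    private final Map<String, T> indirectToDirect = new HashMap<>();
    private final Map<T, String> directToIndirect = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Register a direct reference the current user is allowed to reach; returns its indirect id. */
    public synchronized String addDirectReference(T direct) {
        Objects.requireNonNull(direct);
        String existing = directToIndirect.get(direct);
        if (existing != null) {
            return existing;
        }
        String indirect;
        do {
            byte[] b = new byte[9];                       // 72 random bits: not guessable, not enumerable
            random.nextBytes(b);
            indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        } while (indirectToDirect.containsKey(indirect));
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    /** Resolve what the client sent; anything this session did not issue is rejected. */
    public synchronized T getDirectReference(String indirect) throws AccessDeniedException {
        T direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) {
            throw new AccessDeniedException("unknown object reference");
        }
        return direct;
    }

    public static class AccessDeniedException extends Exception {
        AccessDeniedException(String message) {
            super(message);
        }
    }

    // Demo with constructed data: one map lives in each user's HttpSession; this
    // user is allowed to see reports 1 and 3. The map does not replace the
    // ownership check at data-access time (the slide's "additional data
    // authorization"); it removes the guessable primary key from the URL.
    public static void main(String[] args) throws Exception {
        SessionReferenceMap<Long> sessionMap = new SessionReferenceMap<>();
        String link1 = sessionMap.addDirectReference(1L);   // rendered as ?id=<link1>
        String link3 = sessionMap.addDirectReference(3L);
        System.out.println("?id=" + link1 + "  ?id=" + link3);

        System.out.println(sessionMap.getDirectReference(link1));   // 1
        try {
            sessionMap.getDirectReference("2");                     // tampered value: never issued
        } catch (AccessDeniedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```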

A5 - Security Misconfiguration

What is it?

- Applies to
  - Operating System
  - Application Server
  - Databases
  - Additional Services
  - Frameworks
  - Developed Code
  - Etc.
- Includes (beside _many_ others)
  - All security relevant configuration
  - Missing patches
  - Default accounts

Worst Practices

- Network interfaces/sockets access control
- Relaxed file system access control
- Using any defaults, like
  - Passwords: admin/master password
  - Network interface binding: listening on 0.0.0.0
  - Certificates: self-signed certificate
- Using a not hardened OS
- Not using a segregated user for the service
- Not restricting the GlassFish/Server component specific user, nor enabling the security manager

Policy Files location

- Global Policy File: ${java.home}/jre/lib/security/java.policy
- User Policy File: ${user.home}/.java.policy
- Domain Policy File: <domain-home>/config/server.policy
- Application Policy File: <domain-home>/generated/policy/<app-name>/<module-name>/granted.policy

Review the policy files

- Policy files precedence order
- Remove unused grants
- Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain
- Document your changes

Running GlassFish in a

- Use the latest version (3.1.2.2)
- Enable secure admin (TLS/https)
- Use password aliasing
- Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html

A6 - Sensitive Data Exposure

What is it?

- Sensitive data kept unprotected
- Sensitive data exposed to wrong persons
- Could be
  - Passwords
  - Financial/Health care data
  - Credit cards

Worst Practices

- Storing sensitive data unencrypted
- Storing comparative data unhashed (passwords, security question answers…)
- Keeping clear text copies of encrypted data
- Not keeping the keys/passwords well guarded
- Caching/autocomplete on pages with sensitive data

Worst Practice

- Using basic/form authentication without SSL
- Not using HTTPS for pages with private information
- Using the default self-signed certificate
- Storing unencrypted cookies
- Not setting cookies to be securely transmitted: Cookie.setSecure(true)
- Forgetting about the rest of the infrastructure

Prevention

- Identify sensitive data
- Wisely encrypt sensitive data
  - On every level (application, appserver, db)
  - with the right algorithm: as strong as possible, but not more
  - with the right mechanism, e.g. scrypt and bcrypt
- Don't keep clear text copies
- Decrypting and viewing clear text should be restricted to authorized personnel
- Keep the keys as protected as possible
- Keep offsite encrypted backups in addition to on-site copies

Best Practice

- Use TLS on all connections with sensitive data
- Individually encrypt messages
- Sign messages before transmission
- Use standard strong algorithms
- Use proven mechanisms when sufficient

Java EE

- Group the resources in regard to transport sensitivity using web-resource-collection
- Use user-data-constraint as widely as you need for data integrity and encryption needs
- Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
- Secure cookies transmission

GlassFish

- Protect the keystore
- Protect GlassFish accounts
  - Use aliasing to protect the password, and keep the master password safe to protect the aliases
- Use digest authentication/hashed password storage

GlassFish

- Install the right server certificates to be used by SSL listeners
- Properly configure HTTPS listeners (set the right keystore)
- Properly configure the ORB over SSL listeners if needed (set the right keystore)
- Enable auditing under Security and the access log under HTTP Service

A7 - Missing Function Level Access Control

What is it?

- Presentation layer access control is not enough
- Not using "Deny All" by default
- Related to A4 - Insecure Direct Object References

Worst Practice

- Using home-grown security features instead of container provided ones
- Assuming people won't know some URLs to try them
- Assuming no one would misuse the extra permission and access they have

Java EE 6

- What you do to prevent A4, plus
  - Use container security (security-constraint)
  - Use programmatic login of Java EE 6 if needed
  - Properly configure security realms
  - Accurately map roles to principal/groups (auth-constraint / security-role-mapping)
  - Only allow supported/required HTTP methods
  - Accurately categorize the URL patterns and permit the relevant roles for each

Best Practices

- Any non-public URL should be protected
- Use container authentication/authorization features, or extend on top of them
- If not enough, use proven frameworks/products to protect the resources
- If a user can get /getpic?id=1x118uf, it does not mean you should show /getpic?id=1x22ug

A8 - Cross Site Request Forgery (CSRF)

What is it?

- Basically a capture-replay attack
- Malicious code executes functions on your behalf while being authenticated
- Deep links make this easier
- Java EE 6 affected
  - UI technology of choice

How to spot it?

- Predictable URLs (for logged-in users)
- No random secret token processing (CSRF token)
- No double check on different stages of a multi-step operation

Best Practices

- Add unpredictability (tokens)
  - Hidden field, single-use URLs
  - Request or session scope
- CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
- Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/
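The session-scoped hidden-field token from the list above, as an added example that is not code from the slides or from ESAPI: a Servlet 3.0 filter that issues one random token per session and rejects any state-changing request that does not carry it. The `_csrf` field name and the `csrfToken` attribute name are assumptions, as is the convention that GET, HEAD and OPTIONS have no side effects.

```java
// Added example (not from the slides): synchronizer-token CSRF protection as a
// Servlet 3.0 filter. Field and attribute names are assumed.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class CsrfTokenFilter implements Filter {
    static final String SESSION_ATTR = "csrfToken";   // assumed attribute name
    static final String FORM_FIELD = "_csrf";         // assumed hidden-field name
    private final SecureRandom random = new SecureRandom();

    /** Token for this session, created on first use; the view renders it into every form. */
    String tokenFor(HttpSession session) {
        synchronized (session) {
            String t = (String) session.getAttribute(SESSION_ATTR);
            if (t == null) {
                byte[] b = new byte[32];               // 256 random bits
                random.nextBytes(b);
                t = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
                session.setAttribute(SESSION_ATTR, t);
            }
            return t;
        }
    }

    /** Constant-time comparison so the check does not leak the token byte by byte. */
    static boolean tokenMatches(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    /** Assumption: only these methods are free of side effects in this application. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);

        if (session != null && isStateChanging(req.getMethod())) {
            // A cross-site page can make the browser send the session cookie, but it
            // cannot read the token out of this session, so it cannot supply it.
            String expected = (String) session.getAttribute(SESSION_ATTR);
            String supplied = req.getParameter(FORM_FIELD);
            if (!tokenMatches(expected, supplied)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }
        if (session != null) {
            // Expose the token to the view layer, e.g.
            // <input type="hidden" name="_csrf" value="${csrfToken}">
            req.setAttribute(SESSION_ATTR, tokenFor(session));
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }
}
```

For the slide's "double check on different stages of a multi-step operation", the same filter applies: every POST of the sequence must carry the token, not only the first.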

A9 - Using Components with Known Vulnerabilities

What is it?

- Using commercial off-the-shelf components and frameworks
- Hard to track the list of vulnerabilities
- Hard to track fix versions
- Late or sometimes no news about the flaws

Worst Practices

- Using not well established frameworks and components, especially in security services
- Not following the release train and the list of changes or announcements, mailing lists, etc.
- Ignoring security fixes because of update expense
- Staying with a dead project because of replacing/refactoring costs

Java EE 6

- Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
- If staying with the same major or dot release, ensure all patches are applied, especially security fixes
- Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it?

- Redirecting to another URL computed by user provided parameters
- Forwarding to another URL computed by user provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

- Not validating/verifying the target against the user's access level before doing the forward
- Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
- Redirecting to a user provided parameter, e.g. to an external website

Java EE 6

- Don't use redirect or forward, as much as possible
- Accurately verify/validate the target URL before forwarding or redirecting
- Redirects are safe when using container managed authentication/authorization properly
- Forwards happen without authentication and thus require a triple check to prevent unauthorized access
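The "verify/validate the target URL before redirecting" step above, as an added example that is not code from the slides: a user-supplied target is accepted only when it is a path inside this application or an https URL on an explicit host allow list, and anything else falls back to a fixed page. The allow-listed hosts, the `/home` fallback and the constructed inputs in `main` are assumptions.

```java
// Added example (not from the slides): validating a redirect target before
// HttpServletResponse.sendRedirect. Allowed hosts and fallback page are assumed.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class RedirectTarget {
    // Assumption: the only external hosts this application may send users to.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.java.net", "www.adam-bien.com"));
    private static final String DEFAULT_PATH = "/home";

    /** Returns a target safe to pass to sendRedirect, or DEFAULT_PATH when the candidate is untrusted. */
    public static String safeTarget(String candidate, String contextPath) {
        if (candidate == null || candidate.isEmpty()) {
            return DEFAULT_PATH;
        }
        // Control characters and backslashes are never legitimate here; browsers
        // normalise "\" to "/", which turns "/\evil.example" into "//evil.example".
        for (char c : candidate.toCharArray()) {
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return DEFAULT_PATH;
            }
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return DEFAULT_PATH;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference: must be an absolute path inside this application.
            // "//host/x" parses with an authority, so it never reaches this branch.
            String path = uri.getRawPath();
            if (path == null || !path.startsWith("/") || path.startsWith("//")) {
                return DEFAULT_PATH;
            }
            if (!contextPath.isEmpty() && !path.equals(contextPath)
                    && !path.startsWith(contextPath + "/")) {
                return DEFAULT_PATH;
            }
            return candidate;
        }
        // Absolute URL: https only, no user-info in the authority, host on the allow list.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getRawUserInfo() != null) {
            return DEFAULT_PATH;
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return DEFAULT_PATH;
        }
        return candidate;
    }

    // Constructed inputs showing what is accepted and what falls back to /home.
    public static void main(String[] args) {
        String ctx = "";   // application deployed at the root context
        System.out.println(safeTarget("/account/settings", ctx));                      // /account/settings
        System.out.println(safeTarget("https://www.adam-bien.com/roller/abien/", ctx));  // accepted as is
        System.out.println(safeTarget("//evil.example/phish", ctx));                    // /home (foreign host)
        System.out.println(safeTarget("http://www.adam-bien.com/", ctx));               // /home (not https)
        System.out.println(safeTarget("https://www.java.net@evil.example/", ctx));      // /home (user-info trick)
        System.out.println(safeTarget("javascript:alert(1)", ctx));                     // /home (not a URL target)
    }
}
```

The same check applies to a forward: the path handed to RequestDispatcher must come out of this validation, and, as the slide notes, the forwarded-to resource still needs its own access control because the container does not re-authenticate a forward.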

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end


Questionshellip

59

Page 2: How to avoid top 10 security risks in Java EE applications and how to avoid them

Agenda

bull Introduc)on13 bull The13 Top13 1013 Most13 Cri)cal13 Web13 Applica)on13 Security13 Risks13

bull QA

Java EE 6 amp GlassFish

glassfishorg

Motivation for this talk

bull Seen13 a13 lot13 bull Providing13 a13 star)ng13 point13 bull Sharing13 something13 bull Making13 you13 aware

The Top 10 Most Critical Web Application Security Risks

A113 InjeconA213 Cross-shy‐Site13 Scripng13 (XSS)

A213 Broken13 Authencaon13 and13

Session13 Management

A413 Insecure13 Direct13 Object13 References13

A613 Sensive13 Data13 Exposure

A513 Security13 Misconfiguraon

A713 13 Missing13 Funcon13 Level13 Access13 Control13

A813 Cross-shy‐Site13 Request13 Forgery13

(CSRF)

A913 Using13 Components13 with13

Known13 Vulnerabilies

A1013 Unvalidated13 Redirects13 and13 Forwards

AFribu)on-shy‐ShareAlike13 3013 Unported13 (CC13 BY-shy‐SA13 30)13 Source13 hFpowasptop10googlecodecomAka13 OWASP13 Top-shy‐10

What is OWASP

bull Open13 Web13 Applica)on13 Security13 Project13 bull Improving13 the13 security13 of13 (web)13 applica)on13 soTware13

ndash Not-shy‐for-shy‐profit13 organiza)on13 since13 200113 ndash Raise13 interest13 in13 secure13 development13

bull Documents13 ndash Top13 1013 ndash Cheat13 Sheets13 ndash Development13 Guides13

bull Solu)ons13 ndash Enterprise13 Security13 API13 (ESAPI)13 ndash WebScarab13 ndash WebGoat

A113 -shy‐13 Injecon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Sending13 unintended13 data13 to13 applica)ons13 bull Manipulang13 and13 reading13 Data13 stores13 (eg13 DB13 LDAP13 File13 System13 etc)13

bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 ndash Database13 access13 (JPA13 JDBC)13 ndash File13 System13 API13 ndash etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

String customerId= requestgetParameter(customerId) String query = SELECT balance FROM customer_data WHERE customer_id = + customerId try Statement statement = connectioncreateStatement( hellip ) ResultSet results = statementexecuteQuery( query )

String customerId = x13 DROP13 TABLE13 members13 -shy‐-shy‐ user-input

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection

bull Sanize13 the13 input13 bull EscapeQuotesafe13 the13 input13 eg13 use13 ESAPI13 13 bull Use13 bound13 parameters13 (the13 PREPARED13 statement)13 bull Limit13 database13 permissions13 and13 segregate13 users13 bull Configure13 error13 reporng13 eg13 use13 OWASP13 LAPSE+13 Stac13 Code13 Analysis13 Tool

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection Sample

String customerId = requestgetParameter(customerId) white list validation and encodingString escapedCustomerId= ESAPIencoder()encodeForSQL( new OracleCodec() customerId )String query = SELECT balance FROM customer_data WHERE customer_id = + escapedCustomerId ORString query = SELECT balance FROM customer_data WHERE customer_id = using pstmt or stmt with encodedvalidate input parametersPreparedStatement pstmt = connectionprepareStatement( query )pstmtsetString( 1 customerId) ResultSet results = pstmtexecuteQuery( )

A213 -shy‐13 Broken13 Authencaon13 and13 13 Session13 Management

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Container13 Security13 vs13 own13 soluCon13 bull Session13 Binding13 13 Session13 Renewal13 bull Passwords13 13

ndash Strength13 (lengthcomplexity)13 ndash Plain13 text13 passwords13 (hGphGps)13 ndash Recovery13 mechanisms13

bull Number13 of13 factors13 used13 for13 authenCcaCon13

bull Java13 EE13 613 affected13 ndash JAAS13 13 JASPIC13 ndash Filter13 13 PhaseListener13

How to spot it

bull AuthenCcaCon13 over13 hGp13 bull Custom13 security13 filter13 13 bull Not13 using13 Container13 FuncConality13 bull No13 password13 strength13 requirements13 bull No13 13 HGpSession13 binding13 bull Way13 of13 saving13 Passwords13 13 bull Not13 tesCng13 security

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Use13 Container13 Managed13 Security13 bull Go13 with13 provided13 Standard13 Realms13 and13 LoginModules13 whenever13 possible13

bull Invalidate13 session13 and13 all13 relevant13 bits13 when13 logged13 out13 bull If13 you13 need13 custom13 ones13 Test13 them13 extremely13 carefully13 bull Use13 transport13 layer13 encrypCon13 (TLSSSL)13 for13 authenCcaCon13 credenCals13 transport13

bull Review13 and13 adopt13 OWASPrsquos13 ASVS(ApplicaCon13 Security13 VerificaCon13 Standard)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A313 -shy‐13 Cross-shy‐Site13 Scripng13 (XSS)

What is it

bull Inject13 malicious13 code13 into13 user13 interfaces13 bull Get13 access13 to13 browser13 informaon13 ndash Eg13 javascriptalert(documentcookie)13

bull Steal13 userrsquos13 session13 steal13 sensiCve13 data13 bull Rewrite13 web13 page13 or13 parts13 bull Redirect13 user13 to13 phishing13 or13 malware13 site13 bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 (eg13 JSF13 JSP)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Anywhere13 that13 untrusted13 data13 is13 used13 as13 one13 of13 the13 following13 in13 outgoing13 response13 ndash HTML13 elementrsquos13 aGributes13 ndash JavaScript13 variables13 ndash CSS13 values13 ndash Etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

(String)13 page13 +=13 ltinput13 name=creditcard13 type=TEXTlsquo13 value=13 +13 requestgetParameter(CC)13 +13 gt13 13

Prevent

bull SaniCze13 the13 input13 Eg13 use13 OWASP13 AnCSamy13 or13 OWASP13 Java13 HTML13 SaniCzer13 etc13

bull Escape13 untrusted13 data13 based13 on13 the13 HTML13 context13 (body13 aGribute13 JavaScript13 CSS13 or13 URL)13

bull Use13 Cookie13 flags13 ndash hGpOnly13 13 (prevents13 XSS13 access)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect passwords, and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage

GlassFish

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB-over-SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service

A7 - Missing functional access control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References

Worst Practice

• Using home-grown security features instead of container-provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permissions and access they have

Java EE 6

• What you do to prevent A4, plus:
  – Use container security (security-constraint)
  – Use the programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint, security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each

Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features, or extend on top of them
• If that is not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf, it does not mean you should show them getpic?id=1x22ug
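The two A7 slides above (the container-security bullets and the getpic?id=... rule) in one added example that is not code from the slides: function-level access control enforced by the container with "Deny All" as the default, only the supported HTTP method opened, and the per-object ownership check that the role check cannot make. The roles, the URL and the sample pictures are assumptions made for this example.

```java
// Added example, not code from the slides: container-enforced, deny-by-default access
// control on a function, plus the data-level check the getpic?id=... bullet calls for.
// The roles "customer"/"auditor", the /getpic URL and the sample data are assumptions.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.security.DeclareRoles;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles({"customer", "auditor"})
@WebServlet("/getpic")
@ServletSecurity(
    // Default for every HTTP method not listed below (POST, PUT, DELETE, TRACE, ...):
    // refused outright, even for authenticated callers. This is "Deny All" by default.
    value = @HttpConstraint(EmptyRoleSemantic.DENY),
    // Only the method this function supports is opened, and only to the roles that need it.
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"customer", "auditor"})
    })
public class PictureServlet extends HttpServlet {

    /** Minimal domain object; a real one would come from JPA. */
    static final class Picture {
        final String id;
        final String ownerLogin;
        final byte[] bytes;
        Picture(String id, String ownerLogin, byte[] bytes) {
            this.id = id; this.ownerLogin = ownerLogin; this.bytes = bytes;
        }
    }

    // Constructed sample data standing in for the picture store: two owners, two pictures.
    private final Map<String, Picture> pictures = new HashMap<String, Picture>();

    @Override
    public void init() {
        pictures.put("1x118uf", new Picture("1x118uf", "alice", new byte[0]));
        pictures.put("1x22ug",  new Picture("1x22ug",  "bob",   new byte[0]));
    }

    /**
     * The data-level decision, kept out of the servlet so it can be unit tested:
     * auditors may read any picture, everyone else only their own.
     */
    static boolean mayRead(String login, boolean isAuditor, Picture pic) {
        return isAuditor || (login != null && login.equals(pic.ownerLogin));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The container has already checked role membership before this runs. That says the
        // caller may use this function; it says nothing about this particular picture.
        Picture pic = pictures.get(req.getParameter("id"));
        if (pic == null || !mayRead(req.getRemoteUser(), req.isUserInRole("auditor"), pic)) {
            // Same answer for "no such id" and "not yours", so a guessed id is not confirmed.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("image/jpeg");
        resp.getOutputStream().write(pic.bytes);
    }
}
```

The annotation replaces only the security-constraint: a login-config in web.xml and the security-role-mapping from these roles to realm groups in glassfish-web.xml are still required, as the slide lists. The programmatic login of Java EE 6 (HttpServletRequest.login(user, password)) establishes the same container roles, so isUserInRole() keeps working for either login style.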

A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice

How to spot it

• Predictable URLs (for logged-in users)
• No processing of random secret tokens (CSRF token)
• No double check on the different stages of a multi-step operation

Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf

A9 - Using Components with Known Vulnerabilities

What is it

– Using commercial off-the-shelf components and frameworks
– Hard to track the list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws

Worst Practices

– Using not well established frameworks and components, especially in security services
– Not following the release train and the list of changes or announcements, mailing lists, etc.
– Ignoring security fixes because of the update expense
– Staying with a dead project because of replacement/refactoring costs

Java EE 6

– Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
– If staying with the same major or dot release, ensure all patches are applied, especially security fixes
– Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user-provided parameters
• Forwarding to another URL computed from user-provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
• Redirecting to a user-provided parameter, e.g. to an external website

Java EE 6

• Avoid redirect or forward as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container managed authentication/authorization properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
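The "verify/validate the target URL" bullet, as an added example that is not code from the slides: a checker for a user-supplied redirect target of the external?url=... kind shown above, which accepts only in-application paths or absolute http(s) URLs to an allowlisted host, and a forward resolver that picks the destination from a fixed table instead of building it from the parameter. The host names, view paths and sample inputs are assumptions made for this example.

```java
// Added example, not code from the slides: validating a redirect target before
// sendRedirect(), and choosing forward destinations by key rather than from input.
// Host names, view paths and the sample inputs are assumptions made for this example.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public final class SafeTargets {
    /** Hosts this application is willing to redirect to; everything else is refused. */
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("www.example.com", "help.example.com"));

    /**
     * Returns the target to redirect to, or null if it must be refused.
     * Accepted: a path inside this application ("/foo"), or an absolute http(s) URL to an allowed host.
     * Refused: other schemes, scheme-relative "//host", backslashes, userinfo tricks, unparsable input.
     */
    public static String checkRedirect(String target) {
        if (target == null || target.isEmpty() || target.indexOf('\\') >= 0) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return null;
        }
        if (uri.getScheme() == null) {
            // Relative reference: accept a plain path only. "//evil.example/x" parses as a
            // relative reference too, but browsers send it to another host, hence the authority check.
            if (uri.getRawAuthority() != null || !target.startsWith("/") || target.startsWith("//")) {
                return null;
            }
            return target;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null;                                  // javascript:, data:, file:, ...
        }
        if (uri.getRawUserInfo() != null) {
            return null;                                  // "https://www.example.com@evil.example/"
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return null;
        }
        return target;
    }

    /** Forward destinations are chosen by key; the parameter never becomes part of a path. */
    private static final Map<String, String> FORWARDS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("home", "/WEB-INF/views/home.jsp");
        m.put("help", "/WEB-INF/views/help.jsp");
        FORWARDS = Collections.unmodifiableMap(m);
    }

    public static String forwardPathFor(String key) {
        return key == null ? null : FORWARDS.get(key);   // null for anything not in the table
    }

    public static void main(String[] args) {
        String[] samples = {
            "/account/summary",
            "https://www.example.com/faq",
            "https://evil.example/phish",
            "//evil.example/phish",
            "https://www.example.com@evil.example/",
            "javascript:alert(1)",
        };
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s, checkRedirect(s));
        }
        System.out.println("forward 'help' -> " + forwardPathFor("help"));
        System.out.println("forward '../x' -> " + forwardPathFor("../x"));
    }
}
```

In a servlet the caller becomes resp.sendRedirect(checked != null ? checked : req.getContextPath() + "/"), so a refused target lands on a harmless default rather than an error page that echoes the input. The forward table matters because of the last bullet above: the container does not re-apply security constraints to a forwarded request, so forwarding to a path derived from input can reach resources the user is not allowed to request directly, while a fixed key-to-path table keeps the set of reachable targets finite and reviewable.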

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

CC picture reference

• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/
• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/
• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/
• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/
• http://www.flickr.com/photos/0820077108942911/sizes/l/in/photostream/
• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/
• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/
• http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/
• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/
• http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/
• http://www.flickr.com/photos/zen/4494845/sizes/o/in/photostream/

Questions…

Page 4: How to avoid top 10 security risks in Java EE applications and how to avoid them

Motivation for this talk

bull Seen13 a13 lot13 bull Providing13 a13 star)ng13 point13 bull Sharing13 something13 bull Making13 you13 aware

The Top 10 Most Critical Web Application Security Risks

A113 InjeconA213 Cross-shy‐Site13 Scripng13 (XSS)

A213 Broken13 Authencaon13 and13

Session13 Management

A413 Insecure13 Direct13 Object13 References13

A613 Sensive13 Data13 Exposure

A513 Security13 Misconfiguraon

A713 13 Missing13 Funcon13 Level13 Access13 Control13

A813 Cross-shy‐Site13 Request13 Forgery13

(CSRF)

A913 Using13 Components13 with13

Known13 Vulnerabilies

A1013 Unvalidated13 Redirects13 and13 Forwards

AFribu)on-shy‐ShareAlike13 3013 Unported13 (CC13 BY-shy‐SA13 30)13 Source13 hFpowasptop10googlecodecomAka13 OWASP13 Top-shy‐10

What is OWASP

bull Open13 Web13 Applica)on13 Security13 Project13 bull Improving13 the13 security13 of13 (web)13 applica)on13 soTware13

ndash Not-shy‐for-shy‐profit13 organiza)on13 since13 200113 ndash Raise13 interest13 in13 secure13 development13

bull Documents13 ndash Top13 1013 ndash Cheat13 Sheets13 ndash Development13 Guides13

bull Solu)ons13 ndash Enterprise13 Security13 API13 (ESAPI)13 ndash WebScarab13 ndash WebGoat

A113 -shy‐13 Injecon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Sending13 unintended13 data13 to13 applica)ons13 bull Manipulang13 and13 reading13 Data13 stores13 (eg13 DB13 LDAP13 File13 System13 etc)13

bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 ndash Database13 access13 (JPA13 JDBC)13 ndash File13 System13 API13 ndash etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

String customerId= requestgetParameter(customerId) String query = SELECT balance FROM customer_data WHERE customer_id = + customerId try Statement statement = connectioncreateStatement( hellip ) ResultSet results = statementexecuteQuery( query )

String customerId = x13 DROP13 TABLE13 members13 -shy‐-shy‐ user-input

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection

bull Sanize13 the13 input13 bull EscapeQuotesafe13 the13 input13 eg13 use13 ESAPI13 13 bull Use13 bound13 parameters13 (the13 PREPARED13 statement)13 bull Limit13 database13 permissions13 and13 segregate13 users13 bull Configure13 error13 reporng13 eg13 use13 OWASP13 LAPSE+13 Stac13 Code13 Analysis13 Tool

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection Sample

String customerId = requestgetParameter(customerId) white list validation and encodingString escapedCustomerId= ESAPIencoder()encodeForSQL( new OracleCodec() customerId )String query = SELECT balance FROM customer_data WHERE customer_id = + escapedCustomerId ORString query = SELECT balance FROM customer_data WHERE customer_id = using pstmt or stmt with encodedvalidate input parametersPreparedStatement pstmt = connectionprepareStatement( query )pstmtsetString( 1 customerId) ResultSet results = pstmtexecuteQuery( )

A213 -shy‐13 Broken13 Authencaon13 and13 13 Session13 Management

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Container13 Security13 vs13 own13 soluCon13 bull Session13 Binding13 13 Session13 Renewal13 bull Passwords13 13

ndash Strength13 (lengthcomplexity)13 ndash Plain13 text13 passwords13 (hGphGps)13 ndash Recovery13 mechanisms13

bull Number13 of13 factors13 used13 for13 authenCcaCon13

bull Java13 EE13 613 affected13 ndash JAAS13 13 JASPIC13 ndash Filter13 13 PhaseListener13

How to spot it

bull AuthenCcaCon13 over13 hGp13 bull Custom13 security13 filter13 13 bull Not13 using13 Container13 FuncConality13 bull No13 password13 strength13 requirements13 bull No13 13 HGpSession13 binding13 bull Way13 of13 saving13 Passwords13 13 bull Not13 tesCng13 security

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Use13 Container13 Managed13 Security13 bull Go13 with13 provided13 Standard13 Realms13 and13 LoginModules13 whenever13 possible13

bull Invalidate13 session13 and13 all13 relevant13 bits13 when13 logged13 out13 bull If13 you13 need13 custom13 ones13 Test13 them13 extremely13 carefully13 bull Use13 transport13 layer13 encrypCon13 (TLSSSL)13 for13 authenCcaCon13 credenCals13 transport13

bull Review13 and13 adopt13 OWASPrsquos13 ASVS(ApplicaCon13 Security13 VerificaCon13 Standard)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A313 -shy‐13 Cross-shy‐Site13 Scripng13 (XSS)

What is it

bull Inject13 malicious13 code13 into13 user13 interfaces13 bull Get13 access13 to13 browser13 informaon13 ndash Eg13 javascriptalert(documentcookie)13

bull Steal13 userrsquos13 session13 steal13 sensiCve13 data13 bull Rewrite13 web13 page13 or13 parts13 bull Redirect13 user13 to13 phishing13 or13 malware13 site13 bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 (eg13 JSF13 JSP)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Anywhere13 that13 untrusted13 data13 is13 used13 as13 one13 of13 the13 following13 in13 outgoing13 response13 ndash HTML13 elementrsquos13 aGributes13 ndash JavaScript13 variables13 ndash CSS13 values13 ndash Etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

(String)13 page13 +=13 ltinput13 name=creditcard13 type=TEXTlsquo13 value=13 +13 requestgetParameter(CC)13 +13 gt13 13

Prevent

bull SaniCze13 the13 input13 Eg13 use13 OWASP13 AnCSamy13 or13 OWASP13 Java13 HTML13 SaniCzer13 etc13

bull Escape13 untrusted13 data13 based13 on13 the13 HTML13 context13 (body13 aGribute13 JavaScript13 CSS13 or13 URL)13

bull Use13 Cookie13 flags13 ndash hGpOnly13 13 (prevents13 XSS13 access)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

How to spot it

• Direct mapping of user input to objects
• No verification of user input (defenseless)
• Data separation between users (tenants)
• Request mode access to data (R/U/D)
• Query constraints

Best Practices

• Use AccessReferenceMaps

• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view

  http://app?file=1
  http://app?id=7d3J93
  http://app?id=9182374
  http://app?file=Report123.xls
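The AccessReferenceMap and the data-level check recommended above, as an added stand-alone example that is not from the deck or from ESAPI: a per-session map that replaces ?file=Report123.xls with an opaque ?id= token, and an ownership check that still runs after the token resolves. Class and method names, the file names and the ownership table are all constructed for this example.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the deck): a per-session access reference map that hands the
 * client opaque tokens instead of primary keys, plus a data-level ownership check so a
 * valid token still cannot reach another tenant's object. Names are invented for this example.
 */
public class AccessReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    private final Map<String, String> indirectToDirect = new HashMap<>();
    private final Map<String, String> directToIndirect = new HashMap<>();

    /** Returns the token for a direct reference, minting a random one the first time it is seen. */
    public synchronized String addDirectReference(String direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) return existing;
        String indirect;
        do {
            indirect = randomToken(8);
        } while (indirectToDirect.containsKey(indirect));
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    /** Resolves a token from the request; a token this session never issued is rejected. */
    public synchronized String getDirectReference(String indirect) {
        String direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) throw new SecurityException("unknown object reference");
        return direct;
    }

    private static String randomToken(int len) {
        StringBuilder sb = new StringBuilder(len);
        for (int i = 0; i < len; i++) sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        return sb.toString();
    }

    /** Data-driven check ("validate object references"): the file must belong to the caller. */
    static String openReport(AccessReferenceMap userMap, Map<String, String> fileOwners,
                             String user, String idParam) {
        String file = userMap.getDirectReference(idParam);   // opaque id -> file name
        if (!user.equals(fileOwners.get(file))) {            // second check, at the data layer
            throw new SecurityException("not authorized for " + file);
        }
        return file;
    }

    public static void main(String[] args) {
        // Constructed ownership table: file name -> owner.
        Map<String, String> fileOwners = new HashMap<>();
        fileOwners.put("Report123.xls", "alice");
        fileOwners.put("Report124.xls", "bob");

        AccessReferenceMap aliceSession = new AccessReferenceMap();
        // The link rendered for alice carries ?id=<token> instead of ?file=Report123.xls
        String token = aliceSession.addDirectReference("Report123.xls");
        System.out.println("alice's link: http://app?id=" + token);
        System.out.println("opened: " + openReport(aliceSession, fileOwners, "alice", token));

        // A tampered id is never in the session's map and fails before any data access happens.
        try {
            openReport(aliceSession, fileOwners, "alice", "7d3J93");
        } catch (SecurityException e) {
            System.out.println("rejected tampered id: " + e.getMessage());
        }
        // Even if a token for bob's file were issued inside alice's session, the ownership check blocks it.
        String bobsToken = aliceSession.addDirectReference("Report124.xls");
        try {
            openReport(aliceSession, fileOwners, "alice", bobsToken);
        } catch (SecurityException e) {
            System.out.println("rejected by data-level authorization: " + e.getMessage());
        }
    }
}
```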

A5 - Security Misconfiguration

What is it?

• Applies to:
  – Operating system
  – Application server
  – Databases
  – Additional services
  – Frameworks
  – Developed code
  – Etc.

• Includes (beside _many_ others):
  – All security relevant configuration
  – Missing patches
  – Default accounts

Worst Practices

• Network interfaces/sockets without access control
• Relaxed file system access control
• Using any defaults, like:
  – Passwords: admin/master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self-signed certificate

• Using a non-hardened OS
• Not using a segregated user for the service
• Not restricting GlassFish Server to a component-specific user, nor enabling the security manager


Policy Files Location

• Global policy file: java.home/jre/lib/security/java.policy

• User policy file: user.home/.java.policy
• Domain policy file: domain.home/config/server.policy

• Application policy file: domain.home/generated/policy/<app-name>/<module-name>/granted.policy


Review the policy files

• Mind the policy files' precedence order
• Remove unused grants
• Add extra permissions only to the applications or modules that require them, not to all applications deployed to a domain
• Document your changes


Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html


A6 - Sensitive Data Exposure

What is it?

• Sensitive data kept unprotected
• Sensitive data exposed to the wrong persons
• Could be:
  – Passwords
  – Financial/health care data
  – Credit cards


Worst Practices

• Storing sensitive data unencrypted
• Storing comparison-only data unhashed (passwords, security question answers…)

• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data


Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self-signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)

• Forgetting about the rest of the infrastructure


Prevention

• Identify sensitive data
• Wisely encrypt sensitive data

  – On every level (application, app server, DB)
  – With the right algorithm: as strong as possible, but not more
  – With the right mechanism, e.g. scrypt and bcrypt

• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel

• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies


Best Practice

• Use TLS on all connections carrying sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient


Java EE

• Group the resources by transport sensitivity using web-resource-collection

• Use user-data-constraint as widely as you need for data integrity and encryption needs

• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>

• Secure the transmission of cookies


GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases

• Use digest authentication/hashed password storage


GlassFish

• Install the right server certificates to be used by the SSL listeners

• Properly configure the HTTPS listeners (set the right keystore)

• Properly configure the ORB over SSL listeners if needed (set the right keystore)

• Enable auditing under Security and the access log under HTTP Service


A7 - Missing Functional Access Control

What is it?

• Presentation layer access control is not enough

• Not using "Deny All" by default
• Related to A4 - Insecure Direct Object References


Worst Practice

• Using home-grown security features instead of container provided ones

• Assuming people won't know some URLs to try them

• Assuming no one would misuse the extra permissions and access they have


Java EE 6

• What you do to prevent A4, plus:
  – Use container security (security-constraint)
  – Use the programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint, security-role-mapping)

  – Only allow the supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each
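The container security settings listed in the A6 "Java EE" slide (transport guarantee, secure cookies) and in the A7 list above (security-constraint, deny by default, only the required HTTP methods, role mapping), written with the Servlet 3.0 annotations of Java EE 6 as an added example that is not from the deck or the Galleria project. It assumes the Servlet 3.0 API on the classpath and a realm whose groups are mapped to the invented roles "customer" and "auditor"; the URL, the account naming and ownsAccount are placeholders for this example.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the deck): security-constraint and transport-guarantee expressed
 * with Servlet 3.0 annotations. Roles, URL and the ownership lookup are invented.
 */
@DeclareRoles({"customer", "auditor"})
@WebServlet("/account/statement")
@ServletSecurity(
    // Every HTTP method not listed below is denied outright: "Deny All" by default (A7).
    value = @HttpConstraint(value = EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        // Only the methods this resource supports are allowed; each requires TLS (A6) and
        // one of the declared roles (auth-constraint). Roles are mapped to realm groups in
        // the vendor descriptor (security-role-mapping in GlassFish).
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"customer", "auditor"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST", rolesAllowed = {"customer"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class StatementServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The container has authenticated the caller and checked the role before we get here.
        // Function-level control alone is not enough: the statement requested must also belong
        // to this principal (A4, "additional data authorization on the view").
        String account = req.getParameter("account");
        String user = req.getUserPrincipal().getName();
        if (!req.isUserInRole("auditor") && !ownsAccount(user, account)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("statement for account " + account);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            req.logout();                                  // Servlet 3.0 programmatic logout
            HttpSession session = req.getSession(false);
            if (session != null) session.invalidate();     // drop the session with it (A2)
            resp.sendRedirect(req.getContextPath() + "/");
        }
    }

    /** Placeholder for the real ownership lookup (e.g. a JPA query constrained by owner). */
    private static boolean ownsAccount(String user, String account) {
        return account != null && account.startsWith(user + "-");
    }
}

/** Session cookie hardening for the whole web application: httpOnly (A3) and Secure (A6). */
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Must run during initialization; the config is read-only once the context is started.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);   // script on the page cannot read JSESSIONID
        cfg.setSecure(true);     // the browser sends it over TLS only
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```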


Best Practices

• Any non-public URL should be protected
• Use the container authentication/authorization features, or extend on top of them

• If that is not enough, use proven frameworks/products to protect the resources

• If a user can get getpic?id=1x118uf, it does not mean you should show them getpic?id=1x22ug


A8 - Cross Site Request Forgery (CSRF)

What is it?

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated

• Deep links make this easier

• Java EE 6 affected:
  – UI technology of choice


How to spot it

• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)

• No double check between the different stages of a multi-step operation


Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope

• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html

• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/


A9 - Using Components with Known Vulnerabilities

What is it?

  – Using commercial off-the-shelf components and frameworks

  – Hard to track the list of vulnerabilities
  – Hard to track the fix versions
  – Late, or sometimes no, news about the flaws

Worst Practices

  – Using not well established frameworks and components, especially for security services

  – Not following the release train and the list of changes, announcements, mailing lists, etc.

  – Ignoring security fixes because of the update expense
  – Staying with a dead project because of the replacement/refactoring costs

Java EE 6

  – Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible

  – If staying with the same major or dot release, ensure all patches are applied, especially security fixes

  – Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it?

• Redirecting to another URL computed from user provided parameters

• Forwarding to another URL computed from user provided parameters

  http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting


Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward

• Not using a proper access control mechanism (e.g. container managed, with a proper security-constraint)

• Redirecting to a user provided parameter, e.g. to an external website


Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting

• Redirects are safe when container managed authentication/authorization is used properly

• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
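The "verify/validate the target URL" step above, as an added stand-alone example that is not from the deck: a user-supplied url parameter is reduced to either a site-local absolute path or an allow-listed external host, and anything else falls back to a fixed landing page. The allow-listed host, the default target and the sample inputs are constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not from the deck): validating a user-supplied "url" parameter before it is
 * handed to sendRedirect or to a RequestDispatcher forward. The allow-list and the default
 * landing page are constructed for this example.
 */
public class RedirectTargetValidator {
    private static final String DEFAULT_TARGET = "/home";
    private final Set<String> allowedExternalHosts;

    RedirectTargetValidator(String... hosts) {
        allowedExternalHosts = new HashSet<>(Arrays.asList(hosts));
    }

    /** Returns a target that is safe to use, or the default landing page when the input is not. */
    String resolve(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) return DEFAULT_TARGET;
        URI uri;
        try {
            uri = new URI(userSupplied);   // rejects control characters, spaces and backslashes
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Site-local target: must be an absolute path on this host. A leading "//" parses as
            // an authority and so never reaches this branch; ".." keeps a forward inside the URL
            // space the container's security-constraints were written for.
            String path = uri.getPath();
            if (path != null && path.startsWith("/") && !path.contains("..")) {
                String query = uri.getRawQuery();
                return query == null ? uri.getRawPath() : uri.getRawPath() + "?" + query;
            }
            return DEFAULT_TARGET;
        }
        // External target: only http(s), only to an allow-listed host, and no user-info part.
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        boolean webScheme = scheme.equals("http") || scheme.equals("https");
        if (webScheme && uri.getHost() != null && uri.getUserInfo() == null
                && allowedExternalHosts.contains(uri.getHost().toLowerCase(Locale.ROOT))) {
            return uri.toString();
        }
        return DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        RedirectTargetValidator v = new RedirectTargetValidator("www.adam-bien.com");
        // Constructed inputs covering the shapes a redirect parameter arrives in.
        String[] inputs = {
            "/account/statement?account=alice-1",      // site-local path: kept as-is
            "//evil.example/phish",                    // protocol-relative: parsed as authority, dropped
            "http://evil.example/phish",               // host not allow-listed: dropped
            "javascript:alert(document.cookie)",       // non-web scheme: dropped
            "/../WEB-INF/web.xml",                     // traversal out of the allowed space: dropped
            "http://www.adam-bien.com/roller/abien/"   // allow-listed external host: kept
        };
        for (String in : inputs) {
            System.out.println(in + "  ->  " + v.resolve(in));
        }
    }
}
```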


Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end


Questions…

59

Page 5: How to avoid top 10 security risks in Java EE applications and how to avoid them

The Top 10 Most Critical Web Application Security Risks

A113 InjeconA213 Cross-shy‐Site13 Scripng13 (XSS)

A213 Broken13 Authencaon13 and13

Session13 Management

A413 Insecure13 Direct13 Object13 References13

A613 Sensive13 Data13 Exposure

A513 Security13 Misconfiguraon

A713 13 Missing13 Funcon13 Level13 Access13 Control13

A813 Cross-shy‐Site13 Request13 Forgery13

(CSRF)

A913 Using13 Components13 with13

Known13 Vulnerabilies

A1013 Unvalidated13 Redirects13 and13 Forwards

AFribu)on-shy‐ShareAlike13 3013 Unported13 (CC13 BY-shy‐SA13 30)13 Source13 hFpowasptop10googlecodecomAka13 OWASP13 Top-shy‐10

What is OWASP

bull Open13 Web13 Applica)on13 Security13 Project13 bull Improving13 the13 security13 of13 (web)13 applica)on13 soTware13

ndash Not-shy‐for-shy‐profit13 organiza)on13 since13 200113 ndash Raise13 interest13 in13 secure13 development13

bull Documents13 ndash Top13 1013 ndash Cheat13 Sheets13 ndash Development13 Guides13

bull Solu)ons13 ndash Enterprise13 Security13 API13 (ESAPI)13 ndash WebScarab13 ndash WebGoat

A113 -shy‐13 Injecon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Sending13 unintended13 data13 to13 applica)ons13 bull Manipulang13 and13 reading13 Data13 stores13 (eg13 DB13 LDAP13 File13 System13 etc)13

bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 ndash Database13 access13 (JPA13 JDBC)13 ndash File13 System13 API13 ndash etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

String customerId= requestgetParameter(customerId) String query = SELECT balance FROM customer_data WHERE customer_id = + customerId try Statement statement = connectioncreateStatement( hellip ) ResultSet results = statementexecuteQuery( query )

String customerId = x13 DROP13 TABLE13 members13 -shy‐-shy‐ user-input

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection

bull Sanize13 the13 input13 bull EscapeQuotesafe13 the13 input13 eg13 use13 ESAPI13 13 bull Use13 bound13 parameters13 (the13 PREPARED13 statement)13 bull Limit13 database13 permissions13 and13 segregate13 users13 bull Configure13 error13 reporng13 eg13 use13 OWASP13 LAPSE+13 Stac13 Code13 Analysis13 Tool

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection Sample

String customerId = requestgetParameter(customerId) white list validation and encodingString escapedCustomerId= ESAPIencoder()encodeForSQL( new OracleCodec() customerId )String query = SELECT balance FROM customer_data WHERE customer_id = + escapedCustomerId ORString query = SELECT balance FROM customer_data WHERE customer_id = using pstmt or stmt with encodedvalidate input parametersPreparedStatement pstmt = connectionprepareStatement( query )pstmtsetString( 1 customerId) ResultSet results = pstmtexecuteQuery( )

A213 -shy‐13 Broken13 Authencaon13 and13 13 Session13 Management

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Container13 Security13 vs13 own13 soluCon13 bull Session13 Binding13 13 Session13 Renewal13 bull Passwords13 13

ndash Strength13 (lengthcomplexity)13 ndash Plain13 text13 passwords13 (hGphGps)13 ndash Recovery13 mechanisms13

bull Number13 of13 factors13 used13 for13 authenCcaCon13

bull Java13 EE13 613 affected13 ndash JAAS13 13 JASPIC13 ndash Filter13 13 PhaseListener13

How to spot it

bull AuthenCcaCon13 over13 hGp13 bull Custom13 security13 filter13 13 bull Not13 using13 Container13 FuncConality13 bull No13 password13 strength13 requirements13 bull No13 13 HGpSession13 binding13 bull Way13 of13 saving13 Passwords13 13 bull Not13 tesCng13 security

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Use13 Container13 Managed13 Security13 bull Go13 with13 provided13 Standard13 Realms13 and13 LoginModules13 whenever13 possible13

bull Invalidate13 session13 and13 all13 relevant13 bits13 when13 logged13 out13 bull If13 you13 need13 custom13 ones13 Test13 them13 extremely13 carefully13 bull Use13 transport13 layer13 encrypCon13 (TLSSSL)13 for13 authenCcaCon13 credenCals13 transport13

bull Review13 and13 adopt13 OWASPrsquos13 ASVS(ApplicaCon13 Security13 VerificaCon13 Standard)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A313 -shy‐13 Cross-shy‐Site13 Scripng13 (XSS)

What is it

bull Inject13 malicious13 code13 into13 user13 interfaces13 bull Get13 access13 to13 browser13 informaon13 ndash Eg13 javascriptalert(documentcookie)13

bull Steal13 userrsquos13 session13 steal13 sensiCve13 data13 bull Rewrite13 web13 page13 or13 parts13 bull Redirect13 user13 to13 phishing13 or13 malware13 site13 bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 (eg13 JSF13 JSP)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Anywhere13 that13 untrusted13 data13 is13 used13 as13 one13 of13 the13 following13 in13 outgoing13 response13 ndash HTML13 elementrsquos13 aGributes13 ndash JavaScript13 variables13 ndash CSS13 values13 ndash Etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

(String)13 page13 +=13 ltinput13 name=creditcard13 type=TEXTlsquo13 value=13 +13 requestgetParameter(CC)13 +13 gt13 13

Prevent

bull SaniCze13 the13 input13 Eg13 use13 OWASP13 AnCSamy13 or13 OWASP13 Java13 HTML13 SaniCzer13 etc13

bull Escape13 untrusted13 data13 based13 on13 the13 HTML13 context13 (body13 aGribute13 JavaScript13 CSS13 or13 URL)13

bull Use13 Cookie13 flags13 ndash hGpOnly13 13 (prevents13 XSS13 access)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 6: How to avoid top 10 security risks in Java EE applications and how to avoid them

What is OWASP

bull Open13 Web13 Applica)on13 Security13 Project13 bull Improving13 the13 security13 of13 (web)13 applica)on13 soTware13

ndash Not-shy‐for-shy‐profit13 organiza)on13 since13 200113 ndash Raise13 interest13 in13 secure13 development13

bull Documents13 ndash Top13 1013 ndash Cheat13 Sheets13 ndash Development13 Guides13

bull Solu)ons13 ndash Enterprise13 Security13 API13 (ESAPI)13 ndash WebScarab13 ndash WebGoat

A113 -shy‐13 Injecon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Sending13 unintended13 data13 to13 applica)ons13 bull Manipulang13 and13 reading13 Data13 stores13 (eg13 DB13 LDAP13 File13 System13 etc)13

bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 ndash Database13 access13 (JPA13 JDBC)13 ndash File13 System13 API13 ndash etc

How to spot it

    String customerId = request.getParameter("customerId");
    String query = "SELECT balance FROM customer_data WHERE customer_id = " + customerId;
    try {
        Statement statement = connection.createStatement( … );
        ResultSet results = statement.executeQuery( query );   // the parameter is run as SQL
    } catch (SQLException e) {
        // …
    }

    String customerId = "x'; DROP TABLE members; --";   // user-input

Prevent Injection

• Sanitize the input
• Escape/quote-safe the input, e.g. use ESAPI
• Use bound parameters (the PREPARED statement)
• Limit database permissions and segregate users
• Configure error reporting, e.g. use OWASP LAPSE+ Static Code Analysis Tool

Prevent Injection Sample

    String customerId = request.getParameter("customerId");
    // white list validation and encoding
    String escapedCustomerId = ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId );
    String query = "SELECT balance FROM customer_data WHERE customer_id = " + escapedCustomerId;

    // OR

    String query = "SELECT balance FROM customer_data WHERE customer_id = ?";
    // using pstmt or stmt with encoded/validated input parameters
    PreparedStatement pstmt = connection.prepareStatement( query );
    pstmt.setString( 1, customerId );
    ResultSet results = pstmt.executeQuery( );

A2 - Broken Authentication and Session Management

What is it

• Container Security vs. own solution
• Session Binding / Session Renewal
• Passwords
  – Strength (length/complexity)
  – Plain text passwords (http/https)
  – Recovery mechanisms
• Number of factors used for authentication
• Java EE 6 affected
  – JAAS / JASPIC
  – Filter / PhaseListener

How to spot it

• Authentication over http
• Custom security filter
• Not using Container Functionality
• No password strength requirements
• No HttpSession binding
• Way of saving Passwords
• Not testing security

Best Practices

• Use Container Managed Security
• Go with provided Standard Realms and LoginModules whenever possible
• Invalidate session and all relevant bits when logged out
• If you need custom ones: test them extremely carefully
• Use transport layer encryption (TLS/SSL) for authentication credentials transport
• Review and adopt OWASP's ASVS (Application Security Verification Standard)
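Container-managed login with session renewal, and a logout that drops everything, as an added example (not from the slides or the Galleria project). It assumes javax.servlet 3.0 and a realm configured in web.xml's login-config; the URLs, parameter names and session attribute are made up here.

```java
// Added example, not from the slides: programmatic login and logout servlets for a
// Java EE 6 web app. Assumes javax.servlet 3.0 and a realm configured in web.xml's
// <login-config>; the URLs, parameter names and session attribute are made up here.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/do-login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Credentials travel only over TLS; plain http is refused outright
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "https required");
            return;
        }
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Session renewal: any session id the client carried before authenticating is
        // discarded (it may have been planted), and a fresh one is issued for the login
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        try {
            // Servlet 3.0 programmatic login: the container's realm checks the password,
            // so the application never stores or compares it itself
            request.login(username, password);
        } catch (ServletException e) {
            fresh.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }
        fresh.setAttribute("login.time", System.currentTimeMillis());
        response.sendRedirect(request.getContextPath() + "/account/");
    }
}

/** Logout drops both the container's authentication state and the session with all its attributes. */
@WebServlet("/do-logout")
class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.logout();                         // clears the authenticated principal
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();                 // and every attribute bound to the session
        }
        response.sendRedirect(request.getContextPath() + "/login.xhtml");
    }
}
```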

A3 - Cross-Site Scripting (XSS)

What is it

• Inject malicious code into user interfaces
• Get access to browser information
  – E.g. javascript:alert(document.cookie)
• Steal user's session, steal sensitive data
• Rewrite web page or parts
• Redirect user to phishing or malware site
• Java EE 6 affected
  – UI technology of choice (e.g. JSF, JSP)

How to spot it

• Anywhere that untrusted data is used as one of the following in an outgoing response:
  – HTML element's attributes
  – JavaScript variables
  – CSS values
  – Etc.

    (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

Prevent

• Sanitize the input, e.g. use OWASP AntiSamy or OWASP Java HTML Sanitizer, etc.
• Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL)
• Use Cookie flags
  – httpOnly (prevents XSS access)
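The creditcard line from the previous slide rewritten with escaping for its attribute context, as an added example (not from the slides). It is plain Java SE with the request parameter passed in as a String so it runs without a container; the class and method names are made up here, and the second encoder shows that a JavaScript string needs different rules than an attribute.

```java
// Added example, not from the slides: context-aware output escaping for the creditcard
// input. Plain Java SE; the request parameter is passed in as a String. Names are made up.
public final class OutputEscaping {

    /** Escape untrusted data for an HTML body or a quoted attribute value. */
    public static String forHtmlAttribute(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escape untrusted data placed inside a JavaScript string literal (a different context). */
    public static String forJavaScriptString(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            boolean alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
            if (alnum) {
                sb.append(c);                                     // safe as-is
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));     // quotes, <, newline, ...
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    /** The vulnerable line from the slide, rewritten with escaping for the attribute context. */
    public static String renderCreditCardInput(String ccParam) {
        return "<input name='creditcard' type='TEXT' value='" + forHtmlAttribute(ccParam) + "'>";
    }

    public static void main(String[] args) {
        // Constructed sample: a value that tries to close the value='...' attribute
        String tampered = "4111' onmouseover='alert(document.cookie)";
        String html = renderCreditCardInput(tampered);
        System.out.println(html);
        // The quote became &#x27;, so the browser still sees one attribute value
        System.out.println("attribute intact: " + !html.contains("' onmouseover"));
        // Same data inside a script block needs the JavaScript-string rules instead
        System.out.println("var cc = '" + forJavaScriptString(tampered) + "';");
    }
}
```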

A4 – Insecure Direct Object References

What is it

• Exposing secure objects without defense
• Accessing domain objects with their PK, e.g. https://you.com/user1 => https://you.com/user21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected
  – All layers
  – Especially data access

How to spot it

• Direct user input to object mapping
• No verification on user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints

Best Practices

• Use AccessReferenceMaps
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view

    http://app?file=1
    http://app?id=7d3J93
    http://app?id=9182374
    http://app?file=Report123.xls
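A per-session access reference map that hands the client a random token such as id=7d3J93 instead of the primary key 9182374, as an added example (not from the slides; ESAPI ships its own RandomAccessReferenceMap, this is a self-contained plain Java SE version). The class name, token length and sample ids are made up here; storing the map in the HttpSession is left to the caller.

```java
// Added example, not from the slides: an indirect reference map that replaces direct keys
// such as ?id=9182374 with random per-session tokens such as ?id=7d3J93. Plain Java SE.
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;

public final class AccessReferenceMap {

    private static final char[] ALPHABET =
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".toCharArray();

    private final SecureRandom random = new SecureRandom();
    private final Map<String, String> directToIndirect = new HashMap<>();
    private final Map<String, String> indirectToDirect = new HashMap<>();

    /** Register only the objects this user is authorized to reach; built once per session. */
    public AccessReferenceMap(Set<String> authorizedDirectRefs) {
        for (String direct : authorizedDirectRefs) {
            String indirect;
            do {
                indirect = randomToken(6);
            } while (indirectToDirect.containsKey(indirect));
            directToIndirect.put(direct, indirect);
            indirectToDirect.put(indirect, direct);
        }
    }

    /** The value to put into links and hidden fields instead of the primary key. */
    public String getIndirectReference(String direct) {
        String indirect = directToIndirect.get(direct);
        if (indirect == null) {
            throw new IllegalArgumentException("object not registered for this user");
        }
        return indirect;
    }

    /** Resolve a request parameter; unknown or tampered values are rejected, never guessed. */
    public String getDirectReference(String indirect) {
        String direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) {
            throw new NoSuchElementException("reference not accessible to this user");
        }
        return direct;
    }

    private String randomToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[random.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the logged-in user owns the rows with keys 9182374 and 9182375
        AccessReferenceMap map = new AccessReferenceMap(
                new HashSet<>(Arrays.asList("9182374", "9182375")));
        String link = "http://app?id=" + map.getIndirectReference("9182374");
        System.out.println("link rendered to the client: " + link);
        // Resolving the token from the link works ...
        System.out.println("resolves to key " + map.getDirectReference(link.substring(link.indexOf('=') + 1)));
        // ... while the raw key, or any value not issued to this session, is rejected
        try {
            map.getDirectReference("9182374");
        } catch (NoSuchElementException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```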

A5 - Security Misconfiguration

What is it

• Applies to:
  – Operating System
  – Application Server
  – Databases
  – Additional Services
  – Frameworks
  – Developed Code
  – Etc.
• Includes (beside _many_ others):
  – All security relevant configuration
  – Missing Patches
  – Default accounts

Worst Practices

• Network interfaces/sockets access control
• Relaxed file system access control
• Using any defaults, like:
  – Passwords: Admin, master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self-signed certificate
• Using a not hardened OS
• Not using a segregated user for the service
• Not restricting the GlassFish/Server component specific user, nor enabling the security manager

Policy Files location

• Global Policy File: java.home/jre/lib/security/java.policy
• User Policy File: user.home/.java.policy
• Domain Policy File: domain.home/config/server.policy
• Application Policy File: domain.home/generated/policy/<appname>/<modulename>/granted.policy

Review the policy files

• Policy files precedence order
• Remove unused grants
• Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain
• Document your changes
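The third rule above, as an added example (not from the slides) in Java policy-file syntax: the first grant is the too-broad form, the second is scoped to one application. It assumes the `${com.sun.aas.instanceRoot}` code base convention of GlassFish's server.policy; the application name galleria and the host smtp.example.com are made up here.

```text
// Too broad: every application deployed to the domain may connect anywhere
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/-" {
    permission java.net.SocketPermission "*", "connect,resolve";
};

// Scoped: only the galleria application, only the one host and port it needs
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/galleria/-" {
    permission java.net.SocketPermission "smtp.example.com:25", "connect,resolve";
};
```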

Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html

A6 - Sensitive Data Exposure

What is it

• Sensitive data kept unprotected
• Sensitive data exposed to wrong persons
• Could be:
  – Passwords
  – Financial/Health care data
  – Credit cards

Worst Practices

• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords, security question answer…)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data

Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self-signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure

Prevention

• Identify sensitive data
• Wisely encrypt sensitive data
  – On every level (application, appserver, db)
  – with the right algorithm: as strong as possible, but not more
  – with the right mechanism, e.g. scrypt and bcrypt
• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies

Best Practice

• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient

Java EE

• Group the resources in regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
• Secure cookies transmission

GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage

GlassFish

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service

A7 - Missing functional access control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References

Worst Practice

• Using home-grown security features instead of container provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permission and access they have

Java EE 6

• What you do to prevent A4, plus:
  – Use Container security (security-constraint)
  – Use programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principal/groups (auth-constraint / security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each

Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf, it does not mean you should show getpic?id=1x22ug

A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while being authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice

How to spot it

• Predictable URLs (for logged-in users)
• No random secret tokens processing (CSRF Token)
• No double check on different stages of a multi-step operation

Best Practices

• Add unpredictability (tokens)
  – Hidden Field, Single-Use URLs
  – Request or Session Scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/
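The session-scoped hidden-field token from the first bullet, enforced by a servlet filter, as an added example (not from the slides; ESAPI and the linked CSRFPreventionForm are the ready-made alternatives). It assumes javax.servlet 3.0; the session attribute and form field names are made up here.

```java
// Added example, not from the slides: a session-scoped synchronizer token enforced by a
// servlet filter (javax.servlet 3.0). The attribute and form-field names are made up here.
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(urlPatterns = "/*")
public class CsrfTokenFilter implements Filter {

    public static final String SESSION_ATTR = "csrf.token"; // where the token lives
    public static final String FORM_FIELD = "_csrf";         // hidden field in every form

    private final SecureRandom random = new SecureRandom();

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String expected = tokenFor(request.getSession(true));

        if (isStateChanging(request.getMethod())) {
            String supplied = request.getParameter(FORM_FIELD);
            if (!constantTimeEquals(expected, supplied)) {
                // A request forged from another site cannot know the token: refuse, do not execute
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** GET, HEAD and OPTIONS must stay side-effect free; every other method needs the token. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** Returns the session's token, generating a fresh 256-bit random one on first use. */
    String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_ATTR);
            if (token == null) {
                byte[] bytes = new byte[32];
                random.nextBytes(bytes);
                token = String.format("%064x", new BigInteger(1, bytes));
                session.setAttribute(SESSION_ATTR, token);
            }
            return token;
        }
    }

    /** Compare without revealing through timing how much of the token matched. */
    static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }
}
```

Each form then carries `<input type="hidden" name="_csrf" value="${sessionScope['csrf.token']}"/>`, so the token is present in the application's own pages and absent from a request launched from elsewhere.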

A9 - Using Components with Known Vulnerabilities

What is it

  – Using commercial off the shelf components and frameworks
  – Hard to track list of vulnerabilities
  – Hard to track fix versions
  – Late or sometimes no news about the flaws

Worst Practices

  – Using not well established frameworks and components, especially in security services
  – Not following the release train and list of changes or announcements, mailing lists, etc.
  – Ignoring security fixes because of update expense
  – Staying with a dead project because of replacing/refactoring costs

Java EE 6

  – Stay with Application server certified components, e.g. OS, frameworks, libraries, external services, etc., as long as possible
  – If staying with the same major or dot release, ensure applying all patches, especially security fixes
  – Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed by user provided parameters
• Forward to another URL computed by user provided parameters

    http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
• Redirecting to a user provided parameter, e.g. to an external website

Java EE 6

• Don't use redirect or forward as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container managed authentication/authorization properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
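Validation of a ?url= redirect target like the java.net example above, plus a role check before a forward, as an added example (not from the slides or the Galleria project). It assumes javax.servlet 3.0; the servlet path, parameter names, allowed hosts, JSP paths and role names are made up here.

```java
// Added example, not from the slides: allow-list validation of redirect and forward targets
// taken from request parameters (javax.servlet 3.0). Paths, hosts and roles are made up here.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/external")
public class SafeRedirectServlet extends HttpServlet {

    /** External hosts users may be sent to; anything else is refused. */
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.adam-bien.com", "blog.eisele.net"));

    /** Internal pages reachable through ?page=NAME, each paired with the role it requires. */
    private static final Map<String, String[]> FORWARD_TARGETS = new HashMap<>();
    static {
        FORWARD_TARGETS.put("balance", new String[] {"/WEB-INF/jsp/balance.jsp", "customer"});
        FORWARD_TARGETS.put("audit",   new String[] {"/WEB-INF/jsp/audit.jsp",   "auditor"});
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String page = request.getParameter("page");
        if (page != null) {
            String path = safeForwardPath(page, request);
            if (path == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            request.getRequestDispatcher(path).forward(request, response);
            return;
        }
        String target = safeRedirectTarget(request.getParameter("url"), request.getContextPath());
        if (target == null) {
            // Refuse (and log); never "repair" the value and redirect anyway
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "redirect target not allowed");
            return;
        }
        response.sendRedirect(target);
    }

    /**
     * Returns the Location to send, or null when it must be refused. Accepts an
     * application-relative path ("/reports/1") or an absolute http(s) URL whose host is on
     * the allow-list; rejects protocol-relative URLs ("//evil.example"), other schemes
     * ("javascript:"), user-info tricks ("http://www.adam-bien.com@evil.example/") and
     * anything java.net.URI cannot parse.
     */
    static String safeRedirectTarget(String raw, String contextPath) {
        if (raw == null || raw.isEmpty()) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return null;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null
                && raw.startsWith("/") && !raw.startsWith("//")) {
            return contextPath + raw;                 // stays inside this application
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        String host = uri.getHost() == null ? "" : uri.getHost().toLowerCase();
        if ((scheme.equals("http") || scheme.equals("https")) && ALLOWED_HOSTS.contains(host)) {
            return uri.toString();
        }
        return null;
    }

    /**
     * A RequestDispatcher forward skips the security-constraint check a client request
     * would get, so the role is checked here and only catalogued paths are ever used.
     */
    static String safeForwardPath(String page, HttpServletRequest request) {
        String[] target = FORWARD_TARGETS.get(page);
        if (target == null || !request.isUserInRole(target[1])) {
            return null;
        }
        return target[0];
    }
}
```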

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

CC picture reference

Questions…


Questionshellip

59

Page 8: How to avoid top 10 security risks in Java EE applications and how to avoid them

A1 - Injection

What is it

• Sending unintended data to applications
• Manipulating and reading data stores (e.g. DB, LDAP, file system, etc.)
• Java EE 6 affected
  – UI technology of choice
  – Database access (JPA, JDBC)
  – File System API
  – etc.

How to spot it

    String customerId = request.getParameter("customerId");
    String query = "SELECT balance FROM customer_data WHERE customer_id = " + customerId;
    try {
        Statement statement = connection.createStatement();
        ResultSet results = statement.executeQuery(query);   // whatever the client sent runs as SQL
        // …
    } catch (SQLException e) {
        // …
    }

    String customerId = "x; DROP TABLE members; --";   // user input

Prevent Injection

• Sanitize the input
• Escape/quote-safe the input, e.g. use ESAPI
• Use bound parameters (the PREPARED statement)
• Limit database permissions and segregate users
• Configure error reporting
• Use a static code analysis tool, e.g. OWASP LAPSE+

Prevent Injection Sample

    String customerId = request.getParameter("customerId");

    // white list validation and encoding
    String escapedCustomerId = ESAPI.encoder().encodeForSQL(new OracleCodec(), customerId);
    String query = "SELECT balance FROM customer_data WHERE customer_id = " + escapedCustomerId;

    // OR

    String query = "SELECT balance FROM customer_data WHERE customer_id = ?";
    // using pstmt or stmt with encoded/validated input parameters
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, customerId);
    ResultSet results = pstmt.executeQuery();

A2 - Broken Authentication and Session Management

What is it

• Container security vs. own solution
• Session binding / session renewal
• Passwords
  – Strength (length/complexity)
  – Plain text passwords (http/https)
  – Recovery mechanisms
• Number of factors used for authentication
• Java EE 6 affected
  – JAAS / JASPIC
  – Filter / PhaseListener

How to spot it

• Authentication over http
• Custom security filter
• Not using container functionality
• No password strength requirements
• No HttpSession binding
• Way of saving passwords
• Not testing security

Best Practices

• Use container managed security
• Go with the provided standard realms and LoginModules whenever possible
• Invalidate the session and all relevant bits when logged out
• If you need custom ones, test them extremely carefully
• Use transport layer encryption (TLS/SSL) for the transport of authentication credentials
• Review and adopt OWASP's ASVS (Application Security Verification Standard)

A3 - Cross-Site Scripting (XSS)

What is it

• Inject malicious code into user interfaces
• Get access to browser information
  – E.g. javascript:alert(document.cookie)
• Steal the user's session, steal sensitive data
• Rewrite the web page or parts of it
• Redirect the user to a phishing or malware site
• Java EE 6 affected
  – UI technology of choice (e.g. JSF, JSP)

How to spot it

• Anywhere that untrusted data is used as one of the following in the outgoing response
  – HTML element's attributes
  – JavaScript variables
  – CSS values
  – Etc.

    (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

Prevent

• Sanitize the input, e.g. use OWASP AntiSamy or OWASP Java HTML Sanitizer, etc.
• Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS or URL)
• Use cookie flags
  – httpOnly (prevents XSS access)
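The second bullet, escaping for the HTML context the data lands in, is what the credit-card snippet above lacks. The following is an added example, not code from the slides or from the OWASP libraries named above: the slide's vulnerable concatenation next to a hardened version that runs the parameter through a small attribute-context encoder. The class and method names (HtmlAttributeEscaper, escapeForHtmlAttribute, renderInput*) are my own.

```java
// Added example, not from the original slides: the vulnerable concatenation
// from the "How to spot it" slide next to a hardened version. The names here
// (HtmlAttributeEscaper, escapeForHtmlAttribute, renderInput*) are assumptions.
public final class HtmlAttributeEscaper {

    // Escape a value for the HTML attribute context: every code point outside
    // [A-Za-z0-9] becomes a numeric character reference, so the value can never
    // terminate the attribute or introduce a new one, whatever quoting is used.
    public static String escapeForHtmlAttribute(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(untrusted.length() * 2);
        int i = 0;
        while (i < untrusted.length()) {
            int cp = untrusted.codePointAt(i);
            i += Character.charCount(cp);
            boolean alnum = (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
            if (alnum) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        }
        return out.toString();
    }

    // The slide's construction: the raw request parameter lands inside the attribute.
    public static String renderInputVulnerable(String cc) {
        return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
    }

    // Same markup, but the untrusted value is escaped for the attribute context first.
    public static String renderInputEscaped(String cc) {
        return "<input name='creditcard' type='TEXT' value='" + escapeForHtmlAttribute(cc) + "'>";
    }

    public static void main(String[] args) {
        // Constructed sample: a value that closes the attribute and adds an event handler.
        String hostile = "' onmouseover='alert(document.cookie)";
        System.out.println(renderInputVulnerable(hostile)); // attribute boundary is broken
        System.out.println(renderInputEscaped(hostile));    // quote becomes &#x27;, payload stays inert text
    }
}
```

Encoding everything outside the alphanumeric range is deliberately conservative: it is correct for both quoted and unquoted attributes, whereas escaping only `<`, `>` and `&` leaves the quote characters that break out of the attribute untouched. A different encoder is needed for each of the other contexts the slide lists (JavaScript, CSS, URL).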

A4 - Insecure Direct Object References

What is it

• Exposing secure objects without defense
• Accessing domain objects with their PK, e.g.
  https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected
  – All layers
  – Especially data access

How to spot it

• Direct user input to object mapping
• No verification on user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints

Best Practices

• Use AccessReferenceMaps
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view

    http://app?file=1
    http://app?id=7d3J93  =>  http://app?id=9182374
    http://app?file=Report123.xls
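The indirect-reference idea behind the first bullet and the `id=7d3J93 => id=9182374` pair above, as an added example that is not from the slides and is not ESAPI's AccessReferenceMap: a per-session map that hands out random tokens for the objects a user may reach and refuses anything it did not issue. Class and method names are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not from the slides or from ESAPI: a per-session indirect
// reference map of the kind the "Use AccessReferenceMaps" bullet refers to.
// Class and method names are assumptions.
public final class SessionReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();

    // indirect token -> direct reference (PK, file name) and the reverse.
    private final Map<String, Object> indirectToDirect = new HashMap<>();
    private final Map<Object, String> directToIndirect = new HashMap<>();

    // Register an object the current user is allowed to reach and return the
    // random token that goes into links and forms instead of the real id.
    public String addDirectReference(Object direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) {
            return existing;
        }
        String indirect;
        do {
            byte[] buf = new byte[12];
            RNG.nextBytes(buf);
            indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        } while (indirectToDirect.containsKey(indirect));
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    // Resolve a token taken from the request. Tokens were only ever issued for
    // objects this user may see, so a guessed or tampered value fails here and
    // never reaches the data layer.
    public Object getDirectReference(String indirect) {
        Object direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) {
            throw new SecurityException("unknown object reference");
        }
        return direct;
    }

    public static void main(String[] args) {
        SessionReferenceMap refs = new SessionReferenceMap(); // one instance per HttpSession
        // Constructed sample: this user owns a single report.
        String token = refs.addDirectReference("Report123.xls");
        System.out.println("link: /download?file=" + token);
        System.out.println("resolves to: " + refs.getDirectReference(token));
        try {
            refs.getDirectReference("Report124.xls"); // the direct name is not a valid key
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The map complements, rather than replaces, the other bullets: the data layer must still check that the resolved object belongs to the caller, because the map only hides identifiers and stops parameter tampering on the request path.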

A5 - Security Misconfiguration

What is it

• Applies to
  – Operating system
  – Application server
  – Databases
  – Additional services
  – Frameworks
  – Developed code
  – Etc.
• Includes (beside _many_ others)
  – All security relevant configuration
  – Missing patches
  – Default accounts

Worst Practices

• Network interfaces/sockets access control
• Relaxed file system access control
• Using any defaults, like
  – Passwords: admin / master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self signed certificate
• Using a not hardened OS
• Not using a segregated user for the service
• Not restricting GlassFish Server to a component specific user, nor enabling the security manager

Policy Files location

• Global policy file: java.home/jre/lib/security/java.policy
• User policy file: user.home/.java.policy
• Domain policy file: domain.home/config/server.policy
• Application policy file: domain.home/generated/policy/<appname>/<modulename>/granted.policy

Review the policy files

• Policy files precedence order
• Remove unused grants
• Add extra permissions only to the applications or modules that require them, not to all applications deployed to a domain
• Document your changes

Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html

A6 - Sensitive Data Exposure

What is it

• Sensitive data kept unprotected
• Sensitive data exposed to the wrong persons
• Could be
  – Passwords
  – Financial/health care data
  – Credit cards

Worst Practices

• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords, security question answers…)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data

Worst Practices (continued)

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure

Prevention

• Identify sensitive data
• Wisely encrypt sensitive data
  – On every level (application, appserver, db)
  – With the right algorithm: as strong as possible, but not more
  – With the right mechanism, e.g. scrypt and bcrypt
• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies

Best Practices

• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient

Java EE

• Group the resources in regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
• Secure cookies transmission

GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage

GlassFish (continued)

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service

A7 - Missing Functional Access Control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 - Insecure Direct Object References

Worst Practice

• Using home-grown security features instead of container provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permission and access they have

Java EE 6

• What you do to prevent A4, plus
  – Use container security (security-constraint)
  – Use programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint / security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each

Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf, it does not mean you should show getpic?id=1x22ug

A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while being authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice

How to spot it

• Predictable URLs (for logged-in users)
• No random secret tokens processing (CSRF token)
• No double check on different stages of a multi-step operation

Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/
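The "add unpredictability" bullet is the synchronizer-token pattern. The following is an added example, not code from the slides, the CSRFPreventionForm or ESAPI: it implements both scopes the slide names, a session-wide token that every form echoes back and single-use tokens that are consumed on first submission, with a constant-time comparison. In a servlet the instance would live in the HttpSession and the check would sit in a Filter on every state-changing request; class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

// Added example, not from the slides, the CSRFPreventionForm or ESAPI: the
// synchronizer-token pattern in both scopes the slide names. Names are assumptions.
public final class CsrfTokens {
    private static final SecureRandom RNG = new SecureRandom();

    // Session scope: one token per login, stored server-side and echoed in every form.
    private final String sessionToken = randomToken();
    // Request scope: single-use tokens, each valid for exactly one submission.
    private final Set<String> outstandingSingleUse = new HashSet<>();

    private static String randomToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public String sessionToken() {
        return sessionToken;
    }

    // Hidden field to render into a form (base64url output needs no HTML escaping).
    public static String hiddenField(String token) {
        return "<input type=\"hidden\" name=\"_csrf\" value=\"" + token + "\">";
    }

    // Issue a token for one specific form or single-use URL.
    public String issueSingleUse() {
        String t = randomToken();
        outstandingSingleUse.add(t);
        return t;
    }

    // Check a submitted token against the session copy; the comparison is constant-time.
    public boolean isValidSessionToken(String submitted) {
        return submitted != null && MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    // Check and consume a single-use token: a replay of the same value is refused.
    public boolean consumeSingleUse(String submitted) {
        return submitted != null && outstandingSingleUse.remove(submitted);
    }

    public static void main(String[] args) {
        CsrfTokens csrf = new CsrfTokens(); // one per authenticated session
        System.out.println(hiddenField(csrf.sessionToken()));

        // Constructed requests: the site's own form carries the token; a cross-site
        // form cannot read the victim's page and therefore has nothing valid to send.
        System.out.println("own form:    " + csrf.isValidSessionToken(csrf.sessionToken()));
        System.out.println("forged form: " + csrf.isValidSessionToken("guess"));
        System.out.println("no token:    " + csrf.isValidSessionToken(null));

        String once = csrf.issueSingleUse();
        System.out.println("first use:   " + csrf.consumeSingleUse(once));
        System.out.println("replay:      " + csrf.consumeSingleUse(once));
    }
}
```

The single-use variant is what the "double check on different stages of a multi-step operation" bullet asks for: each step of a wizard carries its own token, so a captured request cannot be replayed into a later step.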

A9 - Using Components with Known Vulnerabilities

What is it

• Using commercial off-the-shelf components and frameworks
• Hard to track the list of vulnerabilities
• Hard to track fix versions
• Late or sometimes no news about the flaws

Worst Practices

• Using not well established frameworks and components, especially in security services
• Not following the release train and the list of changes, or announcements, mailing lists, etc.
• Ignoring security fixes because of the update expense
• Staying with a dead project because of replacing/refactoring costs

Java EE 6

• Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
• If staying with the same major or dot release, ensure applying all patches, especially security fixes
• Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user provided parameters
• Forwarding to another URL computed from user provided parameters

    http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
• Redirecting to a user provided parameter, e.g. to an external website

Java EE 6

• Don't use redirect or forward as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container managed authentication/authorization properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
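"Accurately verify/validate the target URL" is most reliable as an allow list rather than a block list. The following is an added example, not code from the slides: a helper that returns the user-supplied target only when it is a local absolute path or an https URL to an explicitly approved host, and otherwise falls back to a fixed default; it covers the protocol-relative and look-alike host cases that a naive "starts with /" or "contains our domain" check misses. The class and method names, the default target and the approved host are my assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example, not from the slides: allow-list validation of a redirect or
// forward target taken from a request parameter. Names, the default target and
// the approved external host are assumptions.
public final class RedirectTargets {
    private static final String DEFAULT_TARGET = "/home";
    // External destinations that are explicitly approved; everything else falls back.
    private static final Set<String> ALLOWED_EXTERNAL_HOSTS = Set.of("www.example.org");

    // Returns the user-supplied target only when it is a local absolute path or an
    // https URL to an approved host; otherwise the safe default.
    public static String safeTarget(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            return DEFAULT_TARGET;
        }
        URI uri;
        try {
            uri = new URI(userSupplied);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET; // backslashes, spaces and other malformed input end here
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference: require exactly one leading '/', so that a
            // protocol-relative "//evil.example/" cannot pass as a local path.
            String path = uri.getRawPath();
            if (path != null && path.startsWith("/") && !path.startsWith("//")) {
                return userSupplied;
            }
            return DEFAULT_TARGET;
        }
        String host = uri.getHost();
        if ("https".equalsIgnoreCase(uri.getScheme()) && host != null
                && ALLOWED_EXTERNAL_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return userSupplied;
        }
        return DEFAULT_TARGET; // http://, javascript:, data:, unknown hosts, ...
    }

    public static void main(String[] args) {
        // Constructed samples of what a ?url= parameter might carry.
        String[] samples = {
            "/account/settings",                       // local path: allowed
            "https://www.example.org/docs",            // approved host: allowed
            "//evil.example/phish",                    // protocol-relative: default
            "https://www.example.org.evil.example/",   // look-alike host: default
            "javascript:alert(1)",                     // non-https scheme: default
            "http://www.example.org/",                 // approved host but plain http: default
            "account/settings",                        // relative without leading '/': default
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + safeTarget(s));
        }
    }
}
```

Because a forward bypasses the container's security constraints, the same validation has to run before `RequestDispatcher.forward()` as well, and the resolved target should additionally be checked against the caller's roles, as the previous slide's first bullet says.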

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end


Questions…

59

Page 9: How to avoid top 10 security risks in Java EE applications and how to avoid them

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

String customerId= requestgetParameter(customerId) String query = SELECT balance FROM customer_data WHERE customer_id = + customerId try Statement statement = connectioncreateStatement( hellip ) ResultSet results = statementexecuteQuery( query )

String customerId = x13 DROP13 TABLE13 members13 -shy‐-shy‐ user-input

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection

bull Sanize13 the13 input13 bull EscapeQuotesafe13 the13 input13 eg13 use13 ESAPI13 13 bull Use13 bound13 parameters13 (the13 PREPARED13 statement)13 bull Limit13 database13 permissions13 and13 segregate13 users13 bull Configure13 error13 reporng13 eg13 use13 OWASP13 LAPSE+13 Stac13 Code13 Analysis13 Tool

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection Sample

String customerId = requestgetParameter(customerId) white list validation and encodingString escapedCustomerId= ESAPIencoder()encodeForSQL( new OracleCodec() customerId )String query = SELECT balance FROM customer_data WHERE customer_id = + escapedCustomerId ORString query = SELECT balance FROM customer_data WHERE customer_id = using pstmt or stmt with encodedvalidate input parametersPreparedStatement pstmt = connectionprepareStatement( query )pstmtsetString( 1 customerId) ResultSet results = pstmtexecuteQuery( )

A213 -shy‐13 Broken13 Authencaon13 and13 13 Session13 Management

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Container13 Security13 vs13 own13 soluCon13 bull Session13 Binding13 13 Session13 Renewal13 bull Passwords13 13

ndash Strength13 (lengthcomplexity)13 ndash Plain13 text13 passwords13 (hGphGps)13 ndash Recovery13 mechanisms13

bull Number13 of13 factors13 used13 for13 authenCcaCon13

bull Java13 EE13 613 affected13 ndash JAAS13 13 JASPIC13 ndash Filter13 13 PhaseListener13

How to spot it

bull AuthenCcaCon13 over13 hGp13 bull Custom13 security13 filter13 13 bull Not13 using13 Container13 FuncConality13 bull No13 password13 strength13 requirements13 bull No13 13 HGpSession13 binding13 bull Way13 of13 saving13 Passwords13 13 bull Not13 tesCng13 security

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Use13 Container13 Managed13 Security13 bull Go13 with13 provided13 Standard13 Realms13 and13 LoginModules13 whenever13 possible13

bull Invalidate13 session13 and13 all13 relevant13 bits13 when13 logged13 out13 bull If13 you13 need13 custom13 ones13 Test13 them13 extremely13 carefully13 bull Use13 transport13 layer13 encrypCon13 (TLSSSL)13 for13 authenCcaCon13 credenCals13 transport13

bull Review13 and13 adopt13 OWASPrsquos13 ASVS(ApplicaCon13 Security13 VerificaCon13 Standard)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A313 -shy‐13 Cross-shy‐Site13 Scripng13 (XSS)

What is it

bull Inject13 malicious13 code13 into13 user13 interfaces13 bull Get13 access13 to13 browser13 informaon13 ndash Eg13 javascriptalert(documentcookie)13

bull Steal13 userrsquos13 session13 steal13 sensiCve13 data13 bull Rewrite13 web13 page13 or13 parts13 bull Redirect13 user13 to13 phishing13 or13 malware13 site13 bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 (eg13 JSF13 JSP)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Anywhere13 that13 untrusted13 data13 is13 used13 as13 one13 of13 the13 following13 in13 outgoing13 response13 ndash HTML13 elementrsquos13 aGributes13 ndash JavaScript13 variables13 ndash CSS13 values13 ndash Etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

(String)13 page13 +=13 ltinput13 name=creditcard13 type=TEXTlsquo13 value=13 +13 requestgetParameter(CC)13 +13 gt13 13

Prevent

bull SaniCze13 the13 input13 Eg13 use13 OWASP13 AnCSamy13 or13 OWASP13 Java13 HTML13 SaniCzer13 etc13

bull Escape13 untrusted13 data13 based13 on13 the13 HTML13 context13 (body13 aGribute13 JavaScript13 CSS13 or13 URL)13

bull Use13 Cookie13 flags13 ndash hGpOnly13 13 (prevents13 XSS13 access)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

• What you do to prevent A4, plus
  – Use container security (security-constraint)
  – Use programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint / security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each

Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf it does not mean you should show getpic?id=1x22ug

A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while being authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice

How to spot it

• Predictable URLs (for logged-in users)
• No random secret tokens processing (CSRF token)
• No double check on different stages of a multi-step operation

Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf
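The session-scoped token the slide recommends, as an added example that is not code from the deck or from any of the linked projects: a Servlet 3.0 filter mints one unpredictable token per session and refuses any state-changing request that does not carry it back. The attribute name `csrfToken` and the form field name `_csrf` are assumptions.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.bind.DatatypeConverter;

/**
 * Added example: a session-scoped CSRF token checked by a Servlet 3.0 filter.
 * Attribute and parameter names are assumptions, not anything from the deck.
 */
@WebFilter("/*")
public class CsrfFilter implements Filter {

    public static final String TOKEN_ATTR = "csrfToken";   // where the token lives in the session
    public static final String TOKEN_PARAM = "_csrf";       // hidden form field carrying it back
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Returns this session's token, minting it on first use; views put it in a hidden field. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];
                RANDOM.nextBytes(raw);                 // 256 unpredictable bits
                token = DatatypeConverter.printHexBinary(raw);
                session.setAttribute(TOKEN_ATTR, token);
            }
            return token;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (isStateChanging(request.getMethod())) {
            HttpSession session = request.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            String supplied = request.getParameter(TOKEN_PARAM);
            // No session, no token, or a wrong token: this is what a cross-site form post
            // or a replayed deep link looks like, so the request is refused.
            if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, resp);
    }

    /** Only state-changing methods carry the token; safe methods must not change state at all. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** Constant-time for equal-length inputs, so timing does not reveal how many leading bytes matched. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(UTF8), b.getBytes(UTF8));
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Each form in a JSF or JSP view renders `<input type="hidden" name="_csrf" value="...">` from `CsrfFilter.tokenFor(session)`. With container FORM authentication the `j_security_check` post is handled by the container before the filter chain runs, so the login form itself needs no token; everything after login does.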

A9 - Using Components with Known Vulnerabilities

What is it

– Using commercial off-the-shelf components and frameworks
– Hard to track list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws

Worst Practices

– Using not well established frameworks and components, especially in security services
– Not following the release train and list of changes or announcements, mailing lists, etc.
– Ignoring security fixes because of update expense
– Staying with a dead project because of replacing/refactoring costs

Java EE 6

– Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
– If staying with the same major or dot release, ensure applying all patches, especially security fixes
– Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed by user provided parameters
• Forward to another URL computed by user provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and proper security-constraint)
• Redirecting to a user provided parameter, e.g. to an external website

Java EE 6

• Don't use redirect or forward as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container managed authentication/authorization properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
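What "accurately verify/validate the target URL" looks like in code, as an added example that is not from the deck: a user-supplied return-to parameter is reduced to either a path on this site or an https URL on an allow-listed host, and anything else falls back to a fixed page; forwards get a separate check because `RequestDispatcher.forward()` does not pass through the container's security constraints. The host names, the `/admin/` and `/app/` prefixes and the `admin` role are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example: a user-supplied "return to" parameter is reduced to a destination the
 * application owns, or replaced by a fixed fallback. Host names and paths are assumptions.
 */
public final class SafeRedirect {

    // Assumption: the application's own public host names.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("www.example.com", "app.example.com"));

    private SafeRedirect() {}

    /**
     * Returns a redirect target derived from candidate, or fallback when the candidate is
     * absent, unparseable, scheme-relative, non-https, or names a host not on the allow list.
     */
    public static String resolve(String candidate, String fallback) {
        if (candidate == null || candidate.trim().isEmpty()) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(candidate.trim());
        } catch (URISyntaxException e) {
            return fallback;               // covers backslash variants such as "/\evil.example"
        }
        if (!uri.isAbsolute()) {
            // Relative target: must be a plain path inside this site. "//evil.example/x" parses as a
            // scheme-relative URI with an authority, so the authority check rejects it. The result is
            // rebuilt from the parsed path and query, never the raw string.
            String path = uri.getRawPath();
            if (uri.getRawAuthority() == null && path != null && path.startsWith("/") && !path.startsWith("//")) {
                return path + (uri.getRawQuery() == null ? "" : "?" + uri.getRawQuery());
            }
            return fallback;
        }
        // Absolute target: https only, allow-listed host only. "https://app.example.com@evil.example/"
        // has host evil.example and is rejected here as well.
        String host = uri.getHost();
        if (!"https".equalsIgnoreCase(uri.getScheme()) || host == null
                || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return fallback;
        }
        return uri.toString();
    }

    /**
     * RequestDispatcher.forward() bypasses the container's security-constraint check, so the
     * authorization decision is repeated here before forwarding. Prefixes and role are assumptions.
     */
    public static boolean forwardAllowed(String target, HttpServletRequest request) {
        if (target == null || !target.startsWith("/") || target.contains("..")) {
            return false;
        }
        if (target.startsWith("/admin/")) {
            return request.isUserInRole("admin");
        }
        return target.startsWith("/app/");
    }
}
```

A servlet would call `response.sendRedirect(SafeRedirect.resolve(request.getParameter("url"), request.getContextPath() + "/"))`, and guard every `getRequestDispatcher(target).forward(...)` with `forwardAllowed(target, request)`.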

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

CC picture reference

• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/
• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/
• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/
• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/
• http://www.flickr.com/photos/0820077108942911/sizes/l/in/photostream/
• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/
• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/
• http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/
• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/
• http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/
• http://www.flickr.com/photos/zen/4494845/sizes/o/in/photostream/

Questions…

Prevent Injection

• Sanitize the input
• Escape/Quote-safe the input, e.g. use ESAPI
• Use bound parameters (the PREPARED statement)
• Limit database permissions and segregate users
• Configure error reporting, e.g. use OWASP LAPSE+ Static Code Analysis Tool

Prevent Injection Sample

    String customerId = request.getParameter("customerId");
    // white list validation and encoding
    String escapedCustomerId = ESAPI.encoder().encodeForSQL(new OracleCodec(), customerId);
    String query = "SELECT balance FROM customer_data WHERE customer_id = '" + escapedCustomerId + "'";

    // OR

    String query = "SELECT balance FROM customer_data WHERE customer_id = ?";
    // using pstmt or stmt with encoded/validated input parameters
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, customerId);
    ResultSet results = pstmt.executeQuery();
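The "Prevent Injection" bullets and the sample above in one runnable class, as an added example that is not from the deck: the concatenated query is kept only for contrast, the hardened query whitelist-validates and then binds the value, and a third method covers the one piece of a statement a bound parameter cannot protect, an ORDER BY column, by selecting it from a closed set. The table and columns are the slide's; the id format, the sort columns and the class name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example: value input is validated and bound, identifier input is whitelisted.
 * Table and columns follow the slide's sample; everything else is an assumption.
 */
public class CustomerBalanceDao {

    // Assumption: customer ids are 1..12 decimal digits. Anything else is rejected before SQL.
    private static final Pattern CUSTOMER_ID = Pattern.compile("[0-9]{1,12}");

    // ORDER BY targets cannot be bound with '?', so they come from a closed set.
    private static final Set<String> SORT_COLUMNS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("customer_id", "balance")));

    private final Connection connection;

    public CustomerBalanceDao(Connection connection) {
        this.connection = connection;
    }

    /** VULNERABLE (kept for contrast): the untrusted value becomes part of the SQL text. */
    public ResultSet balanceUnsafe(String customerId) throws SQLException {
        String query = "SELECT balance FROM customer_data WHERE customer_id = '" + customerId + "'";
        return connection.createStatement().executeQuery(query);
    }

    /** Hardened: whitelist-validate, then bind; the SQL text is constant whatever the input. */
    public ResultSet balance(String customerId) throws SQLException {
        if (customerId == null || !CUSTOMER_ID.matcher(customerId).matches()) {
            throw new IllegalArgumentException("customer id failed whitelist validation");
        }
        PreparedStatement pstmt = connection.prepareStatement(
                "SELECT balance FROM customer_data WHERE customer_id = ?");
        pstmt.setString(1, customerId);
        return pstmt.executeQuery();
    }

    /** Identifiers still cannot be bound; take them from the whitelist, never from the raw parameter. */
    public ResultSet listSorted(String requestedColumn, boolean descending) throws SQLException {
        if (requestedColumn == null || !SORT_COLUMNS.contains(requestedColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String query = "SELECT customer_id, balance FROM customer_data ORDER BY "
                + requestedColumn + (descending ? " DESC" : " ASC");
        return connection.prepareStatement(query).executeQuery();
    }
}
```

This pairs with the "limit database permissions" bullet: the JDBC user behind `connection` should hold SELECT on `customer_data` and nothing more, so that even a missed validation cannot turn into a write.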

A2 - Broken Authentication and Session Management

What is it

• Container security vs. own solution
• Session binding / session renewal
• Passwords
  – Strength (length/complexity)
  – Plain text passwords (http/https)
  – Recovery mechanisms
• Number of factors used for authentication
• Java EE 6 affected
  – JAAS / JASPIC
  – Filter / PhaseListener

How to spot it

• Authentication over http
• Custom security filter
• Not using container functionality
• No password strength requirements
• No HttpSession binding
• Way of saving passwords
• Not testing security

Best Practices

• Use container managed security
• Go with provided standard realms and LoginModules whenever possible
• Invalidate session and all relevant bits when logged out
• If you need custom ones, test them extremely carefully
• Use transport layer encryption (TLS/SSL) for authentication credentials transport
• Review and adopt OWASP's ASVS (Application Security Verification Standard)

A3 - Cross-Site Scripting (XSS)

What is it

• Inject malicious code into user interfaces
• Get access to browser information
  – E.g. javascript:alert(document.cookie)
• Steal user's session, steal sensitive data
• Rewrite web page or parts
• Redirect user to phishing or malware site
• Java EE 6 affected
  – UI technology of choice (e.g. JSF, JSP)

How to spot it

• Anywhere that untrusted data is used as one of the following in the outgoing response
  – HTML element's attributes
  – JavaScript variables
  – CSS values
  – Etc.

    (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

Prevent

• Sanitize the input, e.g. use OWASP AntiSamy or OWASP Java HTML Sanitizer, etc.
• Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS or URL)
• Use cookie flags
  – httpOnly (prevents XSS access)
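The vulnerable line from the slide beside its context-aware encoded form, as an added example that is not from the deck: the encoder is chosen by where the data lands (an attribute value versus a JavaScript string), and the cookie flags from the last bullet are set on an application cookie. The deck names OWASP ESAPI, and `ESAPI.encoder()` is used here; the class name and the `prefs` cookie are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;

/**
 * Added example: the slide's vulnerable line next to context-aware encoding with OWASP ESAPI.
 * Not code from the deck; the class name and cookie name are assumptions.
 */
public final class CreditCardField {

    private CreditCardField() {}

    /** VULNERABLE (kept for contrast): the raw parameter lands inside an attribute value. */
    public static String renderUnsafe(HttpServletRequest request) {
        return "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
    }

    /** Hardened: encode for the exact context the data is written into, here an HTML attribute. */
    public static String render(HttpServletRequest request) {
        String cc = request.getParameter("CC");
        String safe = ESAPI.encoder().encodeForHTMLAttribute(cc == null ? "" : cc);
        return "<input name=\"creditcard\" type=\"text\" value=\"" + safe + "\">";
    }

    /** Same data, different context: inside a script block the JavaScript encoder applies instead. */
    public static String renderScript(HttpServletRequest request) {
        String cc = request.getParameter("CC");
        String safe = ESAPI.encoder().encodeForJavaScript(cc == null ? "" : cc);
        return "<script>var cc = '" + safe + "';</script>";
    }

    /** Cookie flags from the "Prevent" slide: not readable by script, and only sent over TLS. */
    public static void addPreferenceCookie(HttpServletResponse response, String value) {
        Cookie cookie = new Cookie("prefs", value);   // "prefs" is a hypothetical application cookie
        cookie.setHttpOnly(true);                     // document.cookie does not see it
        cookie.setSecure(true);                       // never sent over plain http
        cookie.setPath("/");
        response.addCookie(cookie);
    }
}
```

Attribute encoding does not make the value safe for a script block and vice versa, which is why the two render methods use different encoders; a JSF `h:outputText` does the body/attribute case for you, but data written into `<script>` or CSS still needs the matching encoder.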

A4 – Insecure Direct Object References

What is it

• Exposing secure objects without defense
• Accessing domain objects with their PK, e.g. https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected
  – All layers
  – Especially data access

How to spot it

• Direct user input to object mapping
• No verification on user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints

Best Practices

• Use AccessReferenceMaps
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view

    http://app?file=1
    http://app?id=7d3J93   http://app?id=9182374
    http://app?file=Report123.xls
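The AccessReferenceMap from the first bullet, as an added example that is not from the deck: the view hands out random per-session tokens (the slide's `?id=7d3J93` form) instead of primary keys, and a token only resolves if this session issued it, so a tampered or guessed value never reaches the data layer. The session attribute name is an assumption.

```java
import java.io.Serializable;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;

/**
 * Added example: a per-session access reference map. Views hand out random tokens instead of
 * primary keys, and a token resolves only if this session issued it. Attribute name is an assumption.
 */
public class AccessReferenceMap implements Serializable {

    private static final long serialVersionUID = 1L;
    private static final String SESSION_ATTR = "accessReferenceMap";
    private static final SecureRandom RANDOM = new SecureRandom();

    private final Map<String, Long> indirectToDirect = new HashMap<String, Long>();
    private final Map<Long, String> directToIndirect = new HashMap<Long, String>();

    /** One map per session, created on first use. */
    public static AccessReferenceMap forSession(HttpSession session) {
        synchronized (session) {
            AccessReferenceMap map = (AccessReferenceMap) session.getAttribute(SESSION_ATTR);
            if (map == null) {
                map = new AccessReferenceMap();
                session.setAttribute(SESSION_ATTR, map);
            }
            return map;
        }
    }

    /**
     * Called while rendering a list the user is authorized to see. Returns the token to put in
     * the link in place of the primary key; the same key always maps to the same token.
     */
    public synchronized String addDirectReference(long primaryKey) {
        String existing = directToIndirect.get(primaryKey);
        if (existing != null) {
            return existing;
        }
        String token;
        do {
            byte[] raw = new byte[12];
            RANDOM.nextBytes(raw);
            token = String.format("%024x", new BigInteger(1, raw));   // 96 random bits as hex
        } while (indirectToDirect.containsKey(token));
        indirectToDirect.put(token, primaryKey);
        directToIndirect.put(primaryKey, token);
        return token;
    }

    /**
     * Called when a request arrives with ?id=token. A tampered or guessed value was never issued
     * to this session, so it does not resolve and the data layer is never reached.
     */
    public synchronized long getDirectReference(String token) {
        Long primaryKey = token == null ? null : indirectToDirect.get(token);
        if (primaryKey == null) {
            throw new SecurityException("unknown object reference");
        }
        return primaryKey;
    }
}
```

The map narrows what a token can name; it does not replace the "additional data authorization" bullet. The query that loads the object should still carry the owner (for instance `WHERE id = ? AND owner = ?`), so a key that leaks by another route does not resolve for the wrong user either.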

A5 - Security Misconfiguration

What is it

• Applies to
  – Operating system
  – Application server
  – Databases
  – Additional services
  – Frameworks
  – Developed code
  – Etc.
• Includes (beside _many_ others)
  – All security relevant configuration
  – Missing patches
  – Default accounts

Worst Practices

• Network interfaces/sockets access control
• Relaxed file system access control
• Using any defaults like
  – Passwords: admin, master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self signed certificate
• Using a not hardened OS
• Not using a segregated user for the service
• Not restricting GlassFish/Server component specific user nor enabling security manager

Policy Files location

• Global policy file: java.home/jre/lib/security/java.policy
• User policy file: user.home/.java.policy
• Domain policy file: domain.home/config/server.policy
• Application policy file: domain.home/generated/policy/<appname>/<modulename>/granted.policy

Review the policy files

• Policy files precedence order
• Remove unused grants
• Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain
• Document your changes
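What the third bullet looks like in a domain's server.policy, as an added example that is not from the deck or from the GlassFish default file: a grant block whose codeBase is one application's directory under the instance root, so the permissions it lists never widen the domain-wide grant. The application name `reports`, the database host and port, and the permission set are assumptions; `${com.sun.aas.instanceRoot}` is the property GlassFish's own policy file uses for the domain directory.

```text
// server.policy fragment (added example). Scoped to ONE application, so the domain-wide
// grant for applications/- stays as it was. "reports" is a hypothetical application name.
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/reports/-" {
    // the single outbound connection this application makes (hypothetical host and port)
    permission java.net.SocketPermission "reports-db.internal:1521", "connect,resolve";
    // read its own configuration directory, nothing else on the file system
    permission java.io.FilePermission "${com.sun.aas.instanceRoot}/config/reports/-", "read";
    // only its own system properties, and read-only
    permission java.util.PropertyPermission "reports.*", "read";
};
```

With the security manager enabled (the "Running GlassFish" slide), a permission the application needs but the file does not grant surfaces as an AccessControlException in the server log, which is the signal to add exactly that permission to this block rather than to the global grant.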

Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html

A6 - Sensitive Data Exposure

What is it

• Sensitive data kept unprotected
• Sensitive data exposed to wrong persons
• Could be
  – Passwords
  – Financial/Health care data
  – Credit cards

Worst Practices

• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords, security question answers…)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data

Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using default self signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure

Prevention

• Identify sensitive data
• Wisely encrypt sensitive data
  – On every level (application, appserver, db)
  – With the right algorithm, as strong as possible but not more
  – With the right mechanism, e.g. scrypt and bcrypt
• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies

Best Practice

• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient

Java EE

• Group the resources in regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
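The web.xml elements named on this slide (web-resource-collection, user-data-constraint, transport-guarantee CONFIDENTIAL for the login pages, secure cookies) and on the A7 "Java EE 6" slide above (security-constraint, deny all by default, only the required HTTP methods, roles per URL pattern) applied together, as an added example that is not from the deck: the least specific pattern denies everyone, more specific patterns open up exactly what is needed, and http-method-omission closes the uncovered-method gap that listing GET and POST alone would leave. The `admin` role, the `appRealm` realm name and all paths are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml, Servlet 3.0 (Java EE 6). Added example; role, realm and path names are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- 1. Deny by default. The least specific pattern carries an empty auth-constraint, so any
          URL that no more specific constraint below opens up is refused for every caller. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything not listed below</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- 2. Public pages, including the form login pages: no auth-constraint means anyone may
          request them, but the transport guarantee keeps credentials off plain http. No
          http-method is listed, so every method is covered by this constraint. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
      <url-pattern>/login.xhtml</url-pattern>
      <url-pattern>/login-error.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 3. Admin area: role admin, GET and POST only, TLS only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 4. Listing GET and POST in (3) leaves PUT, DELETE, TRACE and the rest on /admin/* uncovered
          by that constraint; http-method-omission (new in Servlet 3.0) closes that gap. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin, all other methods</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>appRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/login-error.xhtml</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- Session cookie: never sent over plain http, never readable from script. -->
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

The role still has to be mapped to a realm group in glassfish-web.xml, e.g. `<security-role-mapping><role-name>admin</role-name><group-name>administrators</group-name></security-role-mapping>` (group name assumed), and any static or JSF resource paths the pages need (for JSF, `/javax.faces.resource/*`) belong in the public collection, otherwise the deny-all constraint blocks them as well.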

Page 11: How to avoid top 10 security risks in Java EE applications and how to avoid them

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Prevent Injection Sample

String customerId = requestgetParameter(customerId) white list validation and encodingString escapedCustomerId= ESAPIencoder()encodeForSQL( new OracleCodec() customerId )String query = SELECT balance FROM customer_data WHERE customer_id = + escapedCustomerId ORString query = SELECT balance FROM customer_data WHERE customer_id = using pstmt or stmt with encodedvalidate input parametersPreparedStatement pstmt = connectionprepareStatement( query )pstmtsetString( 1 customerId) ResultSet results = pstmtexecuteQuery( )

A213 -shy‐13 Broken13 Authencaon13 and13 13 Session13 Management

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Container13 Security13 vs13 own13 soluCon13 bull Session13 Binding13 13 Session13 Renewal13 bull Passwords13 13

ndash Strength13 (lengthcomplexity)13 ndash Plain13 text13 passwords13 (hGphGps)13 ndash Recovery13 mechanisms13

bull Number13 of13 factors13 used13 for13 authenCcaCon13

bull Java13 EE13 613 affected13 ndash JAAS13 13 JASPIC13 ndash Filter13 13 PhaseListener13

How to spot it

bull AuthenCcaCon13 over13 hGp13 bull Custom13 security13 filter13 13 bull Not13 using13 Container13 FuncConality13 bull No13 password13 strength13 requirements13 bull No13 13 HGpSession13 binding13 bull Way13 of13 saving13 Passwords13 13 bull Not13 tesCng13 security

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Use13 Container13 Managed13 Security13 bull Go13 with13 provided13 Standard13 Realms13 and13 LoginModules13 whenever13 possible13

bull Invalidate13 session13 and13 all13 relevant13 bits13 when13 logged13 out13 bull If13 you13 need13 custom13 ones13 Test13 them13 extremely13 carefully13 bull Use13 transport13 layer13 encrypCon13 (TLSSSL)13 for13 authenCcaCon13 credenCals13 transport13

bull Review13 and13 adopt13 OWASPrsquos13 ASVS(ApplicaCon13 Security13 VerificaCon13 Standard)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A313 -shy‐13 Cross-shy‐Site13 Scripng13 (XSS)

What is it

bull Inject13 malicious13 code13 into13 user13 interfaces13 bull Get13 access13 to13 browser13 informaon13 ndash Eg13 javascriptalert(documentcookie)13

bull Steal13 userrsquos13 session13 steal13 sensiCve13 data13 bull Rewrite13 web13 page13 or13 parts13 bull Redirect13 user13 to13 phishing13 or13 malware13 site13 bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 (eg13 JSF13 JSP)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Anywhere13 that13 untrusted13 data13 is13 used13 as13 one13 of13 the13 following13 in13 outgoing13 response13 ndash HTML13 elementrsquos13 aGributes13 ndash JavaScript13 variables13 ndash CSS13 values13 ndash Etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

(String)13 page13 +=13 ltinput13 name=creditcard13 type=TEXTlsquo13 value=13 +13 requestgetParameter(CC)13 +13 gt13 13

Prevent

bull SaniCze13 the13 input13 Eg13 use13 OWASP13 AnCSamy13 or13 OWASP13 Java13 HTML13 SaniCzer13 etc13

bull Escape13 untrusted13 data13 based13 on13 the13 HTML13 context13 (body13 aGribute13 JavaScript13 CSS13 or13 URL)13

bull Use13 Cookie13 flags13 ndash hGpOnly13 13 (prevents13 XSS13 access)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and access log under HTTP Service


A7 - Missing functional access control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References


Worst Practice

• Using home-grown security features instead of container-provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permissions and access they have


Java EE 6

• What you do to prevent A4, plus:
  – Use container security (security-constraint)
  – Use programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint / security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each
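The constraints listed above, and the transport-guarantee of the A6 Java EE slide, declared on a servlet as an added example (not code from the slides). This is the Servlet 3.0 annotation form of the web.xml security-constraint; the URL pattern /account/*, the roles "customer" and "admin" and the ownership rule in doGet are assumptions made for the example:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example: container-managed, function-level access control declared on
 * the servlet (Servlet 3.0 / Java EE 6). Roles and URL pattern are assumptions;
 * map the roles to realm groups in glassfish-web.xml with <security-role-mapping>.
 */
@WebServlet("/account/*")
@ServletSecurity(
    // Default constraint for every HTTP method not listed in httpMethodConstraints:
    // rolesAllowed is the <auth-constraint>, CONFIDENTIAL is the <user-data-constraint>
    // with <transport-guarantee>CONFIDENTIAL</transport-guarantee> (TLS required).
    value = @HttpConstraint(rolesAllowed = "customer",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // Only the methods the resource supports stay open, each to the role that needs it.
        @HttpMethodConstraint(value = "DELETE", rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // Methods the resource does not support are closed explicitly ("deny all" by default).
        // Without these entries they would simply inherit the default constraint above.
        @HttpMethodConstraint(value = "PUT", emptyRoleSemantic = EmptyRoleSemantic.DENY),
        @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY),
        @HttpMethodConstraint(value = "OPTIONS", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time this runs the container has authenticated the caller, checked the
        // "customer" role and enforced TLS. That is the function-level check (A7); the
        // data-level check (A4) is still the application's job: a customer may read only
        // their own account, an admin any account.
        String path = req.getPathInfo();                       // "/alice" for /account/alice
        String requested = (path == null || path.length() < 2) ? null : path.substring(1);
        if (requested == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String caller = req.getUserPrincipal().getName();      // non-null: authentication already happened
        if (!requested.equals(caller) && !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("account data for " + requested);
    }
}
```

One caveat worth knowing: a Servlet 3.0 container applies the default HttpConstraint to every method you do not list, so "deny all" for unsupported methods means listing them with `EmptyRoleSemantic.DENY` as above. Servlet 3.1 adds `<deny-uncovered-http-methods/>` in web.xml for the same purpose.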


Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf, it does not mean you should show getpic?id=1x22ug


A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice


How to spot it

• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)
• No double check on different stages of a multi-step operation


Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf


A9 - Using Components with Known Vulnerabilities

What is it


– Using commercial off-the-shelf components and frameworks
– Hard to track the list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws

Worst Practices


– Using not well-established frameworks and components, especially in security services
– Not following the release train and list of changes, or announcements, mailing lists, etc.
– Ignoring security fixes because of update expense
– Staying with a dead project because of replacing/refactoring costs

Java EE 6


– Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
– If staying with the same major or dot release, ensure applying all patches, especially security fixes
– Only use well-known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user-provided parameters
• Forwarding to another URL computed from user-provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting


Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
• Redirecting to a user-provided parameter, e.g. to an external website


Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container-managed authentication/authorization properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
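The "verify/validate the target" bullet and the forward caveat, worked through as an added example (not code from the slides). Redirect targets are reduced to root-relative paths inside the application; forward targets are never taken from the user at all, only a key into a fixed table. The `next` and `view` parameters, the /home landing page and the view names are assumptions:

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Added example: validating user-influenced redirect and forward targets. Names are assumptions. */
public final class SafeNavigation {
    private static final String DEFAULT_TARGET = "/home";

    /* Forwards bypass the container's security-constraint check, so the user never supplies
     * a forward path: the parameter selects a name from this fixed table, nothing else. */
    private static final Map<String, String> FORWARD_VIEWS = new HashMap<>();
    static {
        FORWARD_VIEWS.put("summary", "/WEB-INF/views/summary.jsp");
        FORWARD_VIEWS.put("details", "/WEB-INF/views/details.jsp");
    }

    /**
     * Returns a root-relative path inside this application for the candidate, or the
     * default target when the candidate is absent, malformed or would leave the app.
     */
    public static String safeRedirectTarget(String candidate, String contextPath) {
        if (candidate == null || candidate.isEmpty()) return DEFAULT_TARGET;
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;                    // backslashes, spaces, bad escapes end up here
        }
        // A scheme or an authority means an absolute URL: "http://other.example",
        // "//other.example/x" and "javascript:..." are all rejected by this one test.
        if (uri.getScheme() != null || uri.getAuthority() != null) return DEFAULT_TARGET;
        String path = uri.getPath();                  // decoded, so "%2e%2e" is seen as ".."
        if (path == null || !path.startsWith("/")) return DEFAULT_TARGET;
        if (path.contains("/../") || path.endsWith("/..")) return DEFAULT_TARGET;
        // Must stay under this application's context path ("" when deployed at the root).
        if (!path.equals(contextPath) && !path.startsWith(contextPath + "/")) return DEFAULT_TARGET;
        // Rebuild from the parsed parts: only path and query survive.
        String query = uri.getRawQuery();
        return uri.getRawPath() + (query == null ? "" : "?" + query);
    }

    /** Returns the view for a user-chosen name, or null when the name is not in the table. */
    public static String safeForwardTarget(String viewName) {
        return viewName == null ? null : FORWARD_VIEWS.get(viewName);
    }

    /** Typical use after login: honour the "next" parameter only when it is local. */
    public static void redirectBack(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendRedirect(safeRedirectTarget(req.getParameter("next"), req.getContextPath()));
    }

    /** Typical use for a forward: the parameter selects a view name, never a path. */
    public static void forwardToView(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = safeForwardTarget(req.getParameter("view"));
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(view).forward(req, resp);
    }

    public static void main(String[] args) {
        // Constructed candidates for an application deployed under /app.
        String[] samples = { "/app/orders?id=7", "http://other.example/", "//other.example/x",
                             "/app/../admin", "/app/%2e%2e/admin", "/other/page", null };
        for (String s : samples) {
            System.out.println(s + " -> " + safeRedirectTarget(s, "/app"));
        }
    }
}
```

The redirect check deliberately rejects rather than repairs: anything with a scheme, a host, a traversal segment or a path outside the context falls back to the default page, so there is no partial rewrite for an unexpected input to slip through.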


Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

CC picture reference

• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/
• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/
• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/
• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/
• http://www.flickr.com/photos/0820077108942911/sizes/l/in/photostream/ (user and photo id separator lost in extraction)
• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/
• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/
• http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/
• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/
• http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/
• http://www.flickr.com/photos/zen4494845/sizes/o/in/photostream/ (user and photo id separator lost in extraction)

Questionshellip


A2 - Broken Authentication and Session Management

What is it

• Container security vs own solution
• Session binding / session renewal
• Passwords
  – Strength (length/complexity)
  – Plain text passwords (http/https)
  – Recovery mechanisms
• Number of factors used for authentication
• Java EE 6 affected
  – JAAS / JASPIC
  – Filter / PhaseListener

How to spot it

• Authentication over http
• Custom security filter
• Not using container functionality
• No password strength requirements
• No HttpSession binding
• Way of saving passwords
• Not testing security


Best Practices

• Use container-managed security
• Go with provided standard realms and LoginModules whenever possible
• Invalidate the session and all relevant bits when logged out
• If you need custom ones, test them extremely carefully
• Use transport layer encryption (TLS/SSL) for authentication credentials transport
• Review and adopt OWASP's ASVS (Application Security Verification Standard)
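Container-managed login against the configured realm, with session renewal on login and full invalidation on logout (the session-renewal and "invalidate all relevant bits" points above), as an added example (not code from the slides). The Servlet 3.0 `login`/`logout` calls are the "programmatic login of Java EE 6" the A7 slide mentions; the URL patterns, parameter names and landing pages are assumptions:

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/* Added example: login/logout on top of the container's realm. Names and paths are assumptions. */
@WebServlet({"/login", "/logout"})
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Delegates to the realm configured for the application (file, JDBC, LDAP, ...):
            // no home-grown credential check and no password handling beyond this call.
            req.login(user, pass);
        } catch (ServletException failed) {
            // Same response for unknown user and wrong password; never echo the reason.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        renewSession(req);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Session renewal: the id issued before authentication is discarded, so an id an
     * attacker planted or observed pre-login is never the authenticated one (fixation).
     * Only attributes explicitly worth keeping are carried over; anything that must not
     * survive login (e.g. a pre-login CSRF token) is left behind.
     */
    static void renewSession(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String n = names.nextElement();
                if (n.startsWith("cart."))            // assumption: pre-login state worth keeping
                    keep.put(n, old.getAttribute(n));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // Servlet 3.1 containers can do the id swap in one step with req.changeSessionId().
    }

    static void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();                                 // drop the container's authenticated identity
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();    // and every attribute bound to the session
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

`HttpServletRequest.login` throws `ServletException` both on bad credentials and when the application's configured login mechanism does not support it, so the catch above handles both. The session cookie's Secure and HttpOnly flags belong in web.xml under `<session-config><cookie-config>`, next to this code rather than in it.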


A3 - Cross-Site Scripting (XSS)

What is it

• Inject malicious code into user interfaces
• Get access to browser information
  – E.g. javascript:alert(document.cookie)
• Steal the user's session, steal sensitive data
• Rewrite the web page or parts of it
• Redirect the user to a phishing or malware site
• Java EE 6 affected
  – UI technology of choice (e.g. JSF, JSP)


How to spot it

• Anywhere that untrusted data is used as one of the following in the outgoing response:
  – HTML element's attributes
  – JavaScript variables
  – CSS values
  – Etc.


(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

Prevent

• Sanitize the input, e.g. use OWASP AntiSamy or OWASP Java HTML Sanitizer, etc.
• Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS or URL)
• Use cookie flags
  – httpOnly (prevents XSS access)
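The vulnerable line from the slide beside its escaped form, plus the cookie flags, as an added example (not code from the slides). The escaper is a minimal hand-written one for the HTML attribute context only, to show what "escape based on context" means; a real project should use the OWASP Java Encoder or the ESAPI encoder rather than this method. The cookie name is an assumption:

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/* Added example: contextual output escaping and cookie flags. Not the slides' code. */
public final class XssExample {

    /** Vulnerable (the slide's line): the CC parameter is copied verbatim into a quoted attribute. */
    static String vulnerable(HttpServletRequest request) {
        String page = "";
        page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
        return page;
    }

    /** Hardened: same markup, but the parameter can no longer close the attribute or the tag. */
    static String hardened(HttpServletRequest request) {
        String cc = request.getParameter("CC");
        return "<input name='creditcard' type='TEXT' value='" + escapeHtmlAttribute(cc) + "'>";
    }

    /**
     * Escaper for the HTML attribute context: every character that can end a quoted
     * attribute, open a tag, or start an entity becomes a numeric character reference.
     * Null renders as empty so a missing parameter does not print "null". This is the
     * attribute context only; a value placed in JavaScript, CSS or a URL needs that
     * context's own encoder.
     */
    static String escapeHtmlAttribute(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&#38;"); break;
                case '<':  out.append("&#60;"); break;
                case '>':  out.append("&#62;"); break;
                case '"':  out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                case '/':  out.append("&#47;"); break;
                case '=':  out.append("&#61;"); break;
                case '`':  out.append("&#96;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Cookie flags: HttpOnly keeps script away from the cookie, Secure keeps it off plain HTTP (A6). */
    static Cookie preferenceCookie(String value) {
        Cookie c = new Cookie("pref", value);     // cookie name is an assumption
        c.setHttpOnly(true);                      // Servlet 3.0 and later
        c.setSecure(true);
        c.setPath("/");
        return c;
    }

    public static void main(String[] args) {
        // Constructed sample: a value containing the attribute delimiter and tag characters.
        String sample = "123' title='x' data-x=\"<b>\"";
        System.out.println(escapeHtmlAttribute(sample));
    }
}
```

Escaping at output time is what protects the page; input sanitizing (AntiSamy, Java HTML Sanitizer) is the extra layer for the case where the application has to accept and store HTML on purpose.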


A4 – Insecure Direct Object References

What is it

• Exposing secure objects without defense
• Accessing domain objects with their PK, e.g.
  https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected
  – All layers
  – Especially data access

How to spot it

• Direct user input to object mapping
• No verification of user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints

Best Practices

• Use AccessReferenceMaps
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view

http://app?file=1
http://app?id=7d3J93 / http://app?id=9182374
http://app?file=Report123.xls
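The AccessReferenceMap idea from the first bullet, worked through as an added example (not code from the slides, and not ESAPI's AccessReferenceMap class, which is the production version of the same idea). The direct name "Report123.xls" comes from the slide; the handle length and the use of a per-session map are assumptions:

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example: a per-session indirect reference map. Direct identifiers such as
 * "Report123.xls" never reach the client; the client only sees random handles that
 * are valid for this session and only for the objects this user was actually shown.
 */
public final class IndirectReferences {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> indirectToDirect = new HashMap<>();
    private final Map<String, String> directToIndirect = new HashMap<>();

    /** Registers an object the current user is authorized to see and returns its client handle. */
    public synchronized String addDirectReference(String direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) return existing;            // stable handle within the session
        String indirect;
        do {
            byte[] raw = new byte[12];                    // 96 random bits: not guessable
            RNG.nextBytes(raw);
            indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        } while (indirectToDirect.containsKey(indirect));
        indirectToDirect.put(indirect, direct);
        directToIndirect.put(direct, indirect);
        return indirect;
    }

    /** Resolves a handle from the request; null means "not one of yours" and must become a 403/404. */
    public synchronized String getDirectReference(String indirect) {
        return indirect == null ? null : indirectToDirect.get(indirect);
    }

    public static void main(String[] args) {
        // Constructed sample: the file a hypothetical user was shown on a listing page.
        IndirectReferences refs = new IndirectReferences();
        String handle = refs.addDirectReference("Report123.xls");
        System.out.println("link the page shows: /app?file=" + handle);
        System.out.println("resolves to: " + refs.getDirectReference(handle));
        System.out.println("a guessed direct name resolves to: " + refs.getDirectReference("Report124.xls"));
    }
}
```

Keep one instance per HttpSession and resolve every incoming handle through it before touching the data layer. Resolving a handle does not replace the ownership check on the object itself (the slide's "additional data authorization on the view"); the map removes guessable identifiers from the client, the data-level check catches everything else.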

A5 - Security Misconfiguration

What is it

• Applies to:
  – Operating system
  – Application server
  – Databases
  – Additional services
  – Frameworks
  – Developed code
  – Etc.
• Includes (beside _many_ others):
  – All security-relevant configuration
  – Missing patches
  – Default accounts

Worst Practices

• Network interfaces/sockets access control
• Relaxed file system access control
• Using any defaults, like:
  – Passwords: admin, master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self-signed certificate
• Using a non-hardened OS
• Not using a segregated user for the service
• Not restricting GlassFish Server components to a specific user, nor enabling the security manager


Policy Files location

• Global policy file: java.home/jre/lib/security/java.policy
• User policy file: user.home/.java.policy
• Domain policy file: domain.home/config/server.policy
• Application policy file: domain.home/generated/policy/<app-name>/<module-name>/granted.policy


Review the policy files

• Policy files precedence order
• Remove unused grants
• Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain
• Document your changes


Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html


A6 - Sensitive Data Exposure

What is it

• Sensitive data kept unprotected
• Sensitive data exposed to the wrong persons
• Could be:
  – Passwords
  – Financial/health care data
  – Credit cards


Worst Practices

• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords, security question answers…)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data


Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self-signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure



bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 14: How to avoid top 10 security risks in Java EE applications and how to avoid them

How to spot it

• Authentication over http
• Custom security filter
• Not using container functionality
• No password strength requirements
• No HttpSession binding
• Way of saving passwords
• Not testing security

Best Practices

• Use container managed security
• Go with the provided standard Realms and LoginModules whenever possible
• Invalidate the session and all relevant bits when logging out
• If you need custom ones, test them extremely carefully
• Use transport layer encryption (TLS/SSL) to transport authentication credentials
• Review and adopt OWASP's ASVS (Application Security Verification Standard)

A3 – Cross-Site Scripting (XSS)

What is it

• Inject malicious code into user interfaces
• Get access to browser information
  – E.g. javascript:alert(document.cookie)
• Steal the user's session, steal sensitive data
• Rewrite the web page or parts of it
• Redirect the user to a phishing or malware site
• Java EE 6 affected
  – UI technology of choice (e.g. JSF, JSP)

How to spot it

• Anywhere that untrusted data is used as one of the following in the outgoing response
  – HTML element's attributes
  – JavaScript variables
  – CSS values
  – Etc.

    (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

Prevent

• Sanitize the input, e.g. use OWASP AntiSamy or the OWASP Java HTML Sanitizer
• Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS or URL)
• Use cookie flags
  – httpOnly (prevents XSS access to the cookie)
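The concatenation from the "How to spot it" slide beside an escaped version, as an added example that is not part of the deck and not OWASP library code; the attribute escaper is a hand-written illustration of context-aware escaping, and the class and method names are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

// Added example: the slide's vulnerable concatenation next to an escaped version.
public class CreditCardForm {

    // VULNERABLE (as on the slide): request data lands unescaped inside a quoted
    // attribute, so a value containing a quote closes the attribute and the rest
    // of the value is parsed as markup.
    static String vulnerable(HttpServletRequest request) {
        String page = "";
        page += "<input name='creditcard' type='TEXT' value='"
                + request.getParameter("CC") + "'>";
        return page;
    }

    // HARDENED: the same markup, with the value escaped for the attribute context.
    static String hardened(HttpServletRequest request) {
        String cc = request.getParameter("CC");
        return "<input name='creditcard' type='TEXT' value='"
                + forHtmlAttribute(cc == null ? "" : cc) + "'>";
    }

    // Hand-written attribute escaper (illustration, not OWASP code): every ASCII
    // character outside [A-Za-z0-9] becomes a numeric entity, so quotes, '<', '>',
    // '&' and whitespace can neither close the attribute nor start a new tag.
    static String forHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9');
            if (alnum || c > 127) {
                out.append(c);          // letters, digits and non-ASCII are inert here
            } else {
                out.append("&#").append((int) c).append(';');
            }
        }
        return out.toString();
    }

    // Cookie flags from the Prevent slide: httpOnly keeps document.cookie away from
    // script, secure keeps the cookie off plain http (see the A6 slides).
    static Cookie hardenedCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);   // Servlet 3.0 API
        c.setSecure(true);
        return c;
    }
}
```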

A4 – Insecure Direct Object References

What is it

• Exposing secured objects without defense
• Accessing domain objects by their primary key (PK), e.g.
  https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected
  – All layers
  – Especially data access

How to spot it

• Direct user input to object mapping
• No verification of user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints

Best Practices

• Use AccessReferenceMaps
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view

Indirect references seen by the client, and the direct references they map to on the server:

http://app?file=1 → http://app?file=Report123.xls
http://app?id=7d3J93 → http://app?id=9182374
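A per-session access reference map in the spirit of the file=1 / id=7d3J93 mapping above, as an added example that is neither the deck's nor ESAPI's code; the class name, handle length and session attribute name are assumptions.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;

// Added example: a per-session indirect reference map. The client only ever sees
// random handles (app?id=7d3J93); the server resolves them back to the real key.
public final class AccessReferenceMap {
    private static final String ATTR = AccessReferenceMap.class.getName(); // assumed
    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int HANDLE_LENGTH = 6;   // assumed, like 7d3J93 on the slide
    private static final SecureRandom RNG = new SecureRandom();

    private final Map<String, Object> indirectToDirect = new HashMap<String, Object>();
    private final Map<Object, String> directToIndirect = new HashMap<Object, String>();

    // Register a direct reference (file name, account PK, ...) and get its handle.
    // Only objects the current user is authorized for should ever be registered:
    // that registration step is where the data authorization happens.
    public synchronized String addDirectReference(Object direct) {
        String handle = directToIndirect.get(direct);
        if (handle == null) {
            do {
                handle = randomHandle();
            } while (indirectToDirect.containsKey(handle));
            indirectToDirect.put(handle, direct);
            directToIndirect.put(direct, handle);
        }
        return handle;
    }

    // Resolve a handle from the request. Anything not handed out in this session,
    // including a handle copied from another user's page, is rejected.
    public synchronized <T> T getDirectReference(String handle, Class<T> type) {
        Object direct = handle == null ? null : indirectToDirect.get(handle);
        if (!type.isInstance(direct)) {
            throw new IllegalArgumentException("unknown reference");
        }
        return type.cast(direct);
    }

    private static String randomHandle() {
        StringBuilder sb = new StringBuilder(HANDLE_LENGTH);
        for (int i = 0; i < HANDLE_LENGTH; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // One map per HTTP session, so handles are meaningless outside that session
    // (the "data separation for users" point from the slide before).
    public static AccessReferenceMap forSession(HttpSession session) {
        synchronized (session) {
            AccessReferenceMap map = (AccessReferenceMap) session.getAttribute(ATTR);
            if (map == null) {
                map = new AccessReferenceMap();
                session.setAttribute(ATTR, map);
            }
            return map;
        }
    }

    // What a listing renders: app?file=Report123.xls becomes app?file=<handle>.
    public static String linkFor(HttpSession session, String authorizedFileName) {
        return "?file=" + forSession(session).addDirectReference(authorizedFileName);
    }

    // What the download servlet does with the incoming parameter.
    public static String fileFor(HttpSession session, String handle) {
        return forSession(session).getDirectReference(handle, String.class);
    }
}
```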

A5 – Security Misconfiguration

What is it

• Applies to
  – Operating system
  – Application server
  – Databases
  – Additional services
  – Frameworks
  – Developed code
  – Etc.
• Includes (besides _many_ others)
  – All security relevant configuration
  – Missing patches
  – Default accounts

Worst Practices

• Loose network interface/socket access control
• Relaxed file system access control
• Using any defaults, like
  – Passwords: admin master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self signed certificate
• Using a non-hardened OS
• Not using a segregated user for the service
• Not restricting the GlassFish/Server component specific user, nor enabling the security manager

Policy Files location

• Global policy file: java.home/jre/lib/security/java.policy
• User policy file: user.home/.java.policy
• Domain policy file: domain.home/config/server.policy
• Application policy file: domain.home/generated/policy/<appname>/<modulename>/granted.policy

Review the policy files

• Mind the policy files' precedence order
• Remove unused grants
• Add extra permissions only to the applications or modules that require them, not to all applications deployed to a domain
• Document your changes

Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html

A6 – Sensitive Data Exposure

What is it

• Sensitive data kept unprotected
• Sensitive data exposed to the wrong persons
• Could be
  – Passwords
  – Financial/health care data
  – Credit cards

Worst Practices

• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords, security question answers…)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data

Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure

Prevention

• Identify sensitive data
• Wisely encrypt sensitive data
  – On every level (application, appserver, db)
  – With the right algorithm: as strong as possible, but not more
  – With the right mechanism, e.g. scrypt and bcrypt
• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies

Best Practice

• Use TLS on all connections carrying sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient

Java EE

• Group the resources by transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for your data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
• Secure cookie transmission

GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage

GlassFish

• Install the right server certificates to be used by the SSL listeners
• Properly configure the HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service

A7 – Missing functional access control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References

Worst Practice

• Using home-grown security features instead of container provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permissions and access they have

Java EE 6

• What you do to prevent A4, plus
  – Use container security (security-constraint)
  – Use the programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint / security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each
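The Servlet 3.0 annotation form of the web.xml elements named on the A6 "Java EE" slide and the A7 "Java EE 6" slide above (auth-constraint, transport-guarantee, allowed HTTP methods, deny by default), as an added example that is not from the deck; the URL pattern, role name and servlet are assumptions, and the application is assumed to declare its constraints with annotations rather than in web.xml.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: container security declared on the servlet itself (Servlet 3.0),
// equivalent to a security-constraint with web-resource-collection, auth-constraint
// and user-data-constraint in web.xml. URL pattern and role name are assumptions.
@WebServlet("/account/statement")
@ServletSecurity(
    // Applies to every HTTP method not listed below: no roles and DENY semantics,
    // so TRACE, PUT, DELETE or a misspelt method get 403 ("Deny All" by default).
    value = @HttpConstraint(EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        // Only the supported methods are allowed, each for the "customer" role only
        // and only over TLS (the CONFIDENTIAL transport-guarantee).
        @HttpMethodConstraint(value = "GET", rolesAllowed = "customer",
                transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "customer",
                transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class StatementServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time this runs the container has authenticated the caller against the
        // realm and checked the role mapping, and req.isSecure() is true because of the
        // transport guarantee. Data-level authorization (A4) is still the servlet's job:
        // only the caller's own statement is ever looked up.
        String account = req.getUserPrincipal().getName();
        resp.setContentType("text/plain");
        resp.getWriter().println("statement for " + account);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
// Two items on the Java EE slide have no annotation form and stay in web.xml:
//   - a security-constraint with CONFIDENTIAL transport-guarantee over the form
//     login/logout pages named in <login-config>;
//   - <session-config><cookie-config><secure>true</secure><http-only>true</http-only>
//     </cookie-config></session-config> so the session cookie only travels over TLS.
```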

Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features, or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf, it does not mean you should show getpic?id=1x22ug

A8 – Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice

How to spot it

• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)
• No double check on the different stages of a multi-step operation

Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/

A9 – Using Components with Known Vulnerabilities

What is it

– Using commercial off the shelf components and frameworks
– Hard to track list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws

Worst Practices

– Using not well established frameworks and components, especially in security services
– Not following the release train and the list of changes or announcements, mailing lists, etc.
– Ignoring security fixes because of the update expense
– Staying with a dead project because of replacing/refactoring costs

Java EE 6

– Stay with application server certified components, e.g. OS, frameworks, libraries, external services, etc. as long as possible
– If staying with the same major or dot release, ensure applying all patches, especially security fixes
– Only use well known and established frameworks with proven records

A10 – Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user provided parameters
• Forwarding to another URL computed from user provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed with a proper security-constraint)
• Redirecting to a user provided parameter, e.g. to an external website

Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when container managed authentication/authorization is used properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
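Validating a user supplied redirect target before HttpServletResponse.sendRedirect, in the spirit of the /external?url=... link on the "What is it" slide, as an added example that is not from the deck; the allowed host, fallback page and class name are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the "url" parameter is parsed and checked against what this
// application allows; the raw parameter never reaches sendRedirect.
public final class SafeRedirect {
    // External hosts that may be redirected to (assumed; taken from the slide's link).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<String>(Arrays.asList("www.adam-bien.com"));
    private static final String FALLBACK = "/index.jsp";   // assumed landing page

    // Returns either the validated target or the fallback.
    public static String validate(String target) {
        if (target == null || target.isEmpty()) {
            return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(target);   // control characters, backslashes etc. fail here
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        if (uri.getScheme() == null && uri.getHost() == null) {
            // A relative reference: accept only a path inside this application, i.e.
            // exactly one leading slash. Browsers resolve "//host/x" and "///host/x"
            // as a different host even where java.net.URI reports a plain path, so
            // the check is made on the raw string, not on the parsed path.
            boolean singleSlash = target.charAt(0) == '/'
                    && (target.length() == 1 || target.charAt(1) != '/');
            return singleSlash ? target : FALLBACK;
        }
        // An absolute URL: https only, host on the allow list, and no user-info, which
        // would otherwise let https://www.adam-bien.com@other.host/ pass a naive check.
        String host = uri.getHost();
        if ("https".equalsIgnoreCase(uri.getScheme()) && host != null
                && uri.getUserInfo() == null
                && ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return target;
        }
        return FALLBACK;   // javascript:, data:, http:, unknown hosts, opaque URIs
    }

    // The servlet side of the slide's /external?url=... link. A validated relative
    // path is prefixed with the context path so it stays inside this application.
    public static void redirect(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String target = validate(req.getParameter("url"));
        if (target.startsWith("/")) {
            target = req.getContextPath() + target;
        }
        resp.sendRedirect(target);
    }
}
```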

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

CC picture reference

• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/
• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/
• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/
• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/
• http://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/
• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/
• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/
• http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/
• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/
• http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/
• http://www.flickr.com/photos/zen/4494845/sizes/o/in/photostream/

Questions…

59

Page 15: How to avoid top 10 security risks in Java EE applications and how to avoid them

Best Practices

bull Use13 Container13 Managed13 Security13 bull Go13 with13 provided13 Standard13 Realms13 and13 LoginModules13 whenever13 possible13

bull Invalidate13 session13 and13 all13 relevant13 bits13 when13 logged13 out13 bull If13 you13 need13 custom13 ones13 Test13 them13 extremely13 carefully13 bull Use13 transport13 layer13 encrypCon13 (TLSSSL)13 for13 authenCcaCon13 credenCals13 transport13

bull Review13 and13 adopt13 OWASPrsquos13 ASVS(ApplicaCon13 Security13 VerificaCon13 Standard)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A313 -shy‐13 Cross-shy‐Site13 Scripng13 (XSS)

What is it

bull Inject13 malicious13 code13 into13 user13 interfaces13 bull Get13 access13 to13 browser13 informaon13 ndash Eg13 javascriptalert(documentcookie)13

bull Steal13 userrsquos13 session13 steal13 sensiCve13 data13 bull Rewrite13 web13 page13 or13 parts13 bull Redirect13 user13 to13 phishing13 or13 malware13 site13 bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 (eg13 JSF13 JSP)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Anywhere13 that13 untrusted13 data13 is13 used13 as13 one13 of13 the13 following13 in13 outgoing13 response13 ndash HTML13 elementrsquos13 aGributes13 ndash JavaScript13 variables13 ndash CSS13 values13 ndash Etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

(String)13 page13 +=13 ltinput13 name=creditcard13 type=TEXTlsquo13 value=13 +13 requestgetParameter(CC)13 +13 gt13 13

Prevent

bull SaniCze13 the13 input13 Eg13 use13 OWASP13 AnCSamy13 or13 OWASP13 Java13 HTML13 SaniCzer13 etc13

bull Escape13 untrusted13 data13 based13 on13 the13 HTML13 context13 (body13 aGribute13 JavaScript13 CSS13 or13 URL)13

bull Use13 Cookie13 flags13 ndash hGpOnly13 13 (prevents13 XSS13 access)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A8 - Cross Site Request Forgery (CSRF)

What is it?

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice


How to spot it

• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)
• No double check on different stages of a multi-step operation


Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf
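The session-scoped hidden-field token from this slide, implemented as a plain Servlet 3.0 filter so it works with any UI technology, not only JSF. This is an added example, not the talk's code and not CSRFPreventionForm or ESAPI; the filter name, the "_csrf" parameter and the "csrfToken" attribute are names chosen here.

```java
// Added example, not from the slides or from CSRFPreventionForm/ESAPI: a
// session-scoped synchronizer token enforced by a Servlet 3.0 filter.
// Assumptions: the filter name, the "_csrf" form parameter and the
// "csrfToken" attribute are names chosen here, not a standard.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class CsrfTokenFilter implements Filter {
    static final String TOKEN_ATTR = "csrfToken";
    static final String TOKEN_PARAM = "_csrf";
    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);

        // One unpredictable token per session ("Session Scope" on the slide).
        String expected;
        synchronized (session) {
            expected = (String) session.getAttribute(TOKEN_ATTR);
            if (expected == null) {
                expected = newToken();
                session.setAttribute(TOKEN_ATTR, expected);
            }
        }
        // Expose it to the view so every form renders
        // <input type="hidden" name="_csrf" value="${csrfToken}">
        req.setAttribute(TOKEN_ATTR, expected);

        // Every state-changing request must echo the token: a cross-site page can
        // make the browser send the session cookie, but it cannot read the token.
        if (isStateChanging(req.getMethod())) {
            String submitted = req.getParameter(TOKEN_PARAM);
            if (submitted == null || !constantTimeEquals(expected, submitted)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** GET/HEAD/OPTIONS must stay side-effect free; everything else needs the token. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** 256 bits from SecureRandom, hex-encoded (no Base64 dependency on Java 6/7). */
    private String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Length-independent comparison so the token cannot be guessed byte by byte. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The filter only closes the hole the slide names if the application really keeps GET side-effect free (the "deep links" point) and if every stage of a multi-step operation re-checks the token rather than only the first form.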


A9 - Using Components with Known Vulnerabilities

What is it?


• Using commercial off-the-shelf components and frameworks
  – Hard to track the list of vulnerabilities
  – Hard to track fix versions
  – Late or sometimes no news about the flaws

Worst Practices


• Using non-well-established frameworks and components, especially in security services
• Not following the release train and the list of changes or announcements, mailing lists, etc.
• Ignoring security fixes because of update expense
• Staying with a dead project because of replacing/refactoring costs

Java EE 6


• Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
• If staying with the same major or dot release, ensure applying all patches, especially security fixes
• Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it?

• Redirecting to another URL computed from user provided parameters
• Forwarding to another URL computed from user provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting


Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
• Redirecting to a user provided parameter, e.g. to an external website


Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when container managed authentication/authorization is used properly, because the browser issues a new request that passes through the security constraints again
• Forwards happen inside the same request, without authentication being re-applied to the target, and thus require a triple check to prevent unauthorized access
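One way to apply the two slide bullets "verify/validate the target URL before redirecting" and "forwards happen without authentication" in servlet code. This is an added example, not the talk's code: the redirect check keeps a user-supplied "next" parameter inside the application's own context path, and the forward target is chosen by key from an allow-list instead of being taken from the request. The class, the "next" and "view" parameters and the view paths are assumptions made for the example.

```java
// Added example, not from the slides: validating a user-supplied redirect
// target against this application's own context, and choosing forward targets
// from an allow-list instead of from a user-supplied path. Class, parameter
// ("next", "view") and view names are assumptions made for the example.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class SafeNavigation {

    /** Forward targets are looked up by key; the user never supplies a path. */
    private static final Map<String, String> FORWARD_VIEWS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("home", "/WEB-INF/views/home.jsp");
        m.put("profile", "/WEB-INF/views/profile.jsp");
        FORWARD_VIEWS = Collections.unmodifiableMap(m);
    }

    private SafeNavigation() { }

    /**
     * True only when target is a plain path inside contextPath: exactly one
     * leading "/" (rejects "//evil.example" and "///evil.example", which browsers
     * read as a host), no scheme, no authority, no user-info, no "." or ".."
     * segments even when percent-encoded, and no control characters (CRLF
     * header injection). Backslashes and spaces are rejected by the URI parser.
     */
    static boolean isLocalRedirectTarget(String target, String contextPath) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null || uri.getRawUserInfo() != null) {
            return false;
        }
        String path = uri.getPath();           // decoded, so "%2e%2e" becomes ".."
        if (path == null || !path.startsWith("/") || path.startsWith("//")) {
            return false;
        }
        for (String segment : path.split("/")) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        String prefix = contextPath.isEmpty() ? "/" : contextPath + "/";
        return path.equals(contextPath) || path.startsWith(prefix);
    }

    /** After login: honour ?next= only if it stays inside the application. */
    static void redirectAfterLogin(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String next = req.getParameter("next");
        String ctx = req.getContextPath();
        resp.sendRedirect(isLocalRedirectTarget(next, ctx) ? next : ctx + "/");
    }

    /** Forward by key; an unknown key falls back to the default view. */
    static String forwardViewFor(String key) {
        String view = key == null ? null : FORWARD_VIEWS.get(key);
        return view != null ? view : FORWARD_VIEWS.get("home");
    }

    static void showView(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher(forwardViewFor(req.getParameter("view"))).forward(req, resp);
    }
}
```

The forward side relies on the slide's last bullet: RequestDispatcher.forward does not pass through the container's security constraints, so the servlet that calls showView must itself sit behind a security-constraint, and the views live under /WEB-INF so they cannot be requested directly.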


Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end


Questions…



Page 17: How to avoid top 10 security risks in Java EE applications and how to avoid them

What is it

bull Inject13 malicious13 code13 into13 user13 interfaces13 bull Get13 access13 to13 browser13 informaon13 ndash Eg13 javascriptalert(documentcookie)13

bull Steal13 userrsquos13 session13 steal13 sensiCve13 data13 bull Rewrite13 web13 page13 or13 parts13 bull Redirect13 user13 to13 phishing13 or13 malware13 site13 bull Java13 EE13 613 affected13 ndash UI13 technology13 of13 choice13 (eg13 JSF13 JSP)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Anywhere13 that13 untrusted13 data13 is13 used13 as13 one13 of13 the13 following13 in13 outgoing13 response13 ndash HTML13 elementrsquos13 aGributes13 ndash JavaScript13 variables13 ndash CSS13 values13 ndash Etc

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

(String)13 page13 +=13 ltinput13 name=creditcard13 type=TEXTlsquo13 value=13 +13 requestgetParameter(CC)13 +13 gt13 13

Prevent

bull SaniCze13 the13 input13 Eg13 use13 OWASP13 AnCSamy13 or13 OWASP13 Java13 HTML13 SaniCzer13 etc13

bull Escape13 untrusted13 data13 based13 on13 the13 HTML13 context13 (body13 aGribute13 JavaScript13 CSS13 or13 URL)13

bull Use13 Cookie13 flags13 ndash hGpOnly13 13 (prevents13 XSS13 access)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when container-managed authentication/authorization is used properly (the redirected request is a new client request and is checked against the security constraints again)
• Forwards happen without authentication (the container does not re-check the target's constraints) and thus require a triple check to prevent unauthorized access
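One way to do the "verify/validate the target" step from the slide above, as an added example that is not part of the original deck and not the Galleria project's code. Redirect targets are accepted only when they are site-relative paths or https URLs to a host on an allowlist; forward targets are never taken from the request at all but looked up by key in a fixed table. The host name, the view paths and the class name are the example's own assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added example: validates redirect targets and maps forward targets through a fixed table. */
public final class RedirectValidator {

    // Hosts a redirect may point at (hypothetical; configure for your own site).
    private final Set<String> allowedHosts;

    // Forwards never take a raw path from the request: the parameter only selects a key here.
    private static final Map<String, String> FORWARD_TARGETS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("home", "/WEB-INF/views/home.jsp");      // hypothetical view paths
        m.put("orders", "/WEB-INF/views/orders.jsp");
        FORWARD_TARGETS = Collections.unmodifiableMap(m);
    }

    public RedirectValidator(String... hosts) {
        Set<String> s = new HashSet<>();
        for (String h : hosts) s.add(h.toLowerCase(Locale.ROOT));
        allowedHosts = Collections.unmodifiableSet(s);
    }

    /**
     * Returns the value to pass to response.sendRedirect(), or null when the parameter must be
     * ignored and a default page used instead. Only site-relative paths and https URLs to an
     * allowed host are accepted.
     */
    public String safeRedirectTarget(String requested) {
        if (requested == null || requested.isEmpty()) return null;
        URI uri;
        try {
            uri = new URI(requested);      // rejects spaces, backslashes and other illegal characters
        } catch (URISyntaxException e) {
            return null;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Site-relative: the decoded path must start with exactly one '/'.
            // "//evil.example" parses as an authority and never reaches this branch, but
            // "/%2F%2Fevil.example" decodes to "//evil.example", so check the decoded path.
            String path = uri.getPath();
            return (path != null && path.startsWith("/") && !path.startsWith("//")) ? requested : null;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;   // no http:, javascript:, data: ...
        if (uri.getRawUserInfo() != null) return null;                  // no "https://trusted@evil.example"
        String host = uri.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) return null;
        return requested;
    }

    /** Returns the internal view path for a forward key, or null for anything not in the table. */
    public static String safeForwardTarget(String key) {
        return key == null ? null : FORWARD_TARGETS.get(key);
    }

    public static void main(String[] args) {
        RedirectValidator v = new RedirectValidator("www.example.com");
        String[] samples = {                               // constructed inputs, not from the slides
            "/account/overview",
            "https://www.example.com/help",
            "https://www.example.com.evil.example/",
            "//evil.example/login",
            "/%2F%2Fevil.example",
            "https://www.example.com@evil.example/",
            "http://www.example.com/insecure",
        };
        for (String s : samples) {
            System.out.printf("%-42s -> %s%n", s, v.safeRedirectTarget(s));
        }
        System.out.println("forward 'home'   -> " + safeForwardTarget("home"));
        System.out.println("forward '../etc' -> " + safeForwardTarget("../etc"));
    }
}
```

Only the first two samples come back unchanged; the rest resolve to null and the caller should fall back to a fixed landing page. The forward table is the stricter of the two mechanisms and is the one to prefer, since, as the slide says, a RequestDispatcher forward bypasses the container's security constraints.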

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

... but you will love it in the end

CC picture reference

• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream
• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream
• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream
• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream
• http://www.flickr.com/photos/0820077108942911/sizes/l/in/photostream
• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream
• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream
• http://www.flickr.com/photos/bpc0093328427457/sizes/l/in/photostream
• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream
• http://www.flickr.com/photos/cindy474522898015652/sizes/l/in/photostream
• http://www.flickr.com/photos/zen/4494845/sizes/o/in/photostream

Questions...


How to spot it

• Anywhere that untrusted data is used as one of the following in the outgoing response
  – HTML element's attributes
  – JavaScript variables
  – CSS values
  – Etc.

(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

Prevent

• Sanitize the input, e.g. use OWASP AntiSamy or the OWASP Java HTML Sanitizer
• Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS or URL)
• Use cookie flags: HttpOnly (prevents script access to the cookie, so an XSS cannot read the session id)
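The escaping rule of the slide, applied to the vulnerable line shown under "How to spot it", as an added example that is not from the deck. It uses only the JDK and follows the encoding rule of the OWASP XSS prevention cheat sheet (everything outside [A-Za-z0-9] is encoded for the target context); the class and method names are the example's own.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/** Added example: context-specific output encoding for untrusted data (JDK only). */
public final class OutputEncoder {

    private OutputEncoder() { }

    private static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    /** HTML body and attribute context: hex entity for everything except [A-Za-z0-9]. */
    public static String forHtml(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() * 4);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else sb.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return sb.toString();
    }

    /** JavaScript string-literal context: \xHH, or the 4-digit u-escape above Latin-1. */
    public static String forJavaScript(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length() * 6);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else if (c < 0x100) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    /** URL query-parameter context: percent-encoding. */
    public static String forUrlParameter(String untrusted) {
        try {
            return URLEncoder.encode(untrusted, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new AssertionError("UTF-8 is always available", e);
        }
    }

    /** The slide's vulnerable line: the parameter lands in the attribute unchanged. */
    public static String vulnerableField(String cc) {
        return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
    }

    /** Hardened form: same markup, value encoded for the HTML attribute context. */
    public static String hardenedField(String cc) {
        return "<input name='creditcard' type='TEXT' value='" + forHtml(cc) + "'>";
    }

    public static void main(String[] args) {
        String cc = "4111 1111' <1111> \"x\"";   // constructed input with attribute-breaking characters
        System.out.println("vulnerable: " + vulnerableField(cc));
        System.out.println("hardened:   " + hardenedField(cc));
        System.out.println("in JS:      var cc = '" + forJavaScript(cc) + "';");
        System.out.println("in URL:     /lookup?cc=" + forUrlParameter(cc));
    }
}
```

The point of three separate encoders is the slide's "based on the HTML context": a value that is safe inside an attribute is not automatically safe inside a script block or a URL, so the encoder is chosen by where the value is written, not by where it came from. For CSS values, which the slide also lists, the same rule applies with a \HH escape; it is left out here for brevity.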

A4 - Insecure Direct Object References

What is it

• Exposing secure objects without defense
• Accessing domain objects with their PK, e.g. https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected
  – All layers
  – Especially data access

How to spot it

• Direct user input to object mapping
• No verification on user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints

Best Practices

• Use AccessReferenceMaps
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view

http://app?file=1
http://app?id=7d3J93 => http://app?id=9182374
http://app?file=Report123.xls
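An access reference map in the style of OWASP ESAPI's RandomAccessReferenceMap, combined with the "additional data authorization" the slide asks for, as an added example that is not part of the deck. Each user's session keeps its own map from opaque tokens to real keys (the ?id=7d3J93 => 9182374 pattern on the slide), and a resolved key is still checked against the record's owner. The report ids, user names and class names are constructed for the example.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** Added example: per-session indirect object references plus an ownership check. */
public final class AccessReferenceMap {

    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RANDOM = new SecureRandom();

    // One instance lives in each user's session; the maps are never shared across users.
    private final Map<String, String> indirectToDirect = new HashMap<>();
    private final Map<String, String> directToIndirect = new HashMap<>();

    /** Hands out the opaque reference the client will see for a direct key (e.g. a PK). */
    public synchronized String addDirectReference(String direct) {
        String indirect = directToIndirect.get(direct);
        if (indirect == null) {
            do {
                indirect = randomToken(6);
            } while (indirectToDirect.containsKey(indirect));
            indirectToDirect.put(indirect, direct);
            directToIndirect.put(direct, indirect);
        }
        return indirect;
    }

    /** Resolves what the client sent back; anything this session never issued is rejected. */
    public synchronized String getDirectReference(String indirect) {
        String direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) throw new SecurityException("unknown object reference");
        return direct;
    }

    private static String randomToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Data-driven check: even a valid reference is served only to the record's owner. */
    static final class ReportService {
        private final Map<String, String> ownerByReportId = new HashMap<>();   // constructed data

        ReportService() {
            ownerByReportId.put("9182374", "alice");
            ownerByReportId.put("5551212", "bob");
        }

        String load(AccessReferenceMap session, String currentUser, String indirectRef) {
            String reportId = session.getDirectReference(indirectRef);   // 1. reference must exist
            String owner = ownerByReportId.get(reportId);
            if (!currentUser.equals(owner)) {                              // 2. and belong to the caller
                throw new SecurityException("not the owner of report " + reportId);
            }
            return "report " + reportId + " for " + owner;
        }
    }

    public static void main(String[] args) {
        ReportService reports = new ReportService();
        AccessReferenceMap aliceSession = new AccessReferenceMap();
        AccessReferenceMap bobSession = new AccessReferenceMap();

        String aliceRef = aliceSession.addDirectReference("9182374");   // what alice's page links to
        System.out.println("alice sees ?id=" + aliceRef);
        System.out.println(reports.load(aliceSession, "alice", aliceRef));

        // The same opaque value presented in bob's session: his session never issued it.
        try { reports.load(bobSession, "bob", aliceRef); }
        catch (SecurityException e) { System.out.println("bob, alice's ref: " + e.getMessage()); }

        // The raw key presented directly: not a reference bob's session issued either.
        try { reports.load(bobSession, "bob", "9182374"); }
        catch (SecurityException e) { System.out.println("bob, raw key:     " + e.getMessage()); }

        // Suppose a listing bug did hand alice's key to bob: the ownership check still holds.
        String leaked = bobSession.addDirectReference("9182374");
        try { reports.load(bobSession, "bob", leaked); }
        catch (SecurityException e) { System.out.println("bob, leaked ref:  " + e.getMessage()); }
    }
}
```

The two checks are deliberately independent: the map stops guessing and tampering with the parameter, and the owner check stops a reference that was legitimately issued from being used on data the caller is not entitled to. Dropping either one reintroduces the risk.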

A5 - Security Misconfiguration

What is it

• Applies to
  – Operating System
  – Application Server
  – Databases
  – Additional Services
  – Frameworks
  – Developed Code
  – Etc.
• Includes (beside _many_ others)
  – All security relevant configuration
  – Missing patches
  – Default accounts

Worst Practices

• Missing network interface/socket access control
• Relaxed file system access control
• Using any defaults like
  – Passwords: admin, master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self-signed certificate
• Using a not hardened OS
• Not using a segregated user for the service
• Not restricting GlassFish/Server to a component-specific user nor enabling the security manager

Policy Files location

• Global policy file: java.home/jre/lib/security/java.policy
• User policy file: user.home/.java.policy
• Domain policy file: domain.home/config/server.policy
• Application policy file: domain.home/generated/policy/<appname>/<modulename>/granted.policy

Review the policy files

• Policy files precedence order
• Remove unused grants
• Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain
• Document your changes

Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html

A6 - Sensitive Data Exposure

What is it

• Sensitive data kept unprotected
• Sensitive data exposed to the wrong persons
• Could be
  – Passwords
  – Financial/health care data
  – Credit cards

Worst Practices

• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords, security question answers...)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data

Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self-signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure

Prevention

• Identify sensitive data
• Wisely encrypt sensitive data
  – On every level (application, app server, db)
  – With the right algorithm: as strong as possible, but not more
  – With the right mechanism, e.g. scrypt and bcrypt
• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies

Best Practice

• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient

Java EE

• Group the resources in regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
• Secure cookie transmission

GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage

GlassFish

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service

A7 - Missing functional access control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 - Insecure Direct Object References

Worst Practice

• Using home-grown security features instead of container-provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permission and access they have

Java EE 6

• What you do to prevent A4, plus
  – Use container security (security-constraint)
  – Use programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint, security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each
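The container-security items of the A6 "Java EE" slide (transport guarantee, secure cookies) and of the A7 "Java EE 6" slide just above (security-constraint, allowed HTTP methods, roles per URL pattern, "Deny All" by default), expressed with the Servlet 3.0 programmatic API instead of web.xml, as an added example that is not from the deck or the Galleria project. It needs the javax.servlet 3.0 API on the classpath and runs inside a Java EE 6 container such as GlassFish 3.x; the servlet, the /account/* mapping and the "user" role are the example's own assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: the constraints of the two slides, declared in Servlet 3.0 code. */
@WebListener
public class SecurityConfigListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // A6: the session cookie is sent only over TLS and is invisible to scripts.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setSecure(true);
        cookie.setHttpOnly(true);

        // A7: the role must be known to the container before a constraint references it.
        ctx.declareRoles("user");

        // Hypothetical account servlet under /account/* (the web-resource-collection).
        ServletRegistration.Dynamic account = ctx.addServlet("account", AccountServlet.class);
        account.addMapping("/account/*");

        // GET and POST: only the "user" role, only over a CONFIDENTIAL transport
        // (auth-constraint plus user-data-constraint in web.xml terms).
        HttpConstraintElement userOverTls =
                new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "user");
        List<HttpMethodConstraintElement> allowed = Arrays.asList(
                new HttpMethodConstraintElement("GET", userOverTls),
                new HttpMethodConstraintElement("POST", userOverTls));

        // Every method not listed above (PUT, DELETE, TRACE, ...) is denied: "Deny All" by default.
        HttpConstraintElement denyEverythingElse = new HttpConstraintElement(EmptyRoleSemantic.DENY);
        account.setServletSecurity(new ServletSecurityElement(denyEverythingElse, allowed));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /** Minimal servlet so the listener has something to protect. */
    public static class AccountServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/plain");
            // The container has already authenticated the caller, checked the role and
            // enforced TLS before this runs, so getRemoteUser() is never null here.
            resp.getWriter().println("account page for " + req.getRemoteUser());
        }
    }
}
```

Two things stay outside this code: the login-config (auth method, form login and error pages) is still declared in web.xml, and the login page itself must fall under a CONFIDENTIAL constraint as the A6 slide says, otherwise the credentials travel in the clear before the protected resource is ever reached; and the role-to-group mapping is done in the GlassFish deployment descriptor (security-role-mapping). Note that addServlet and declareRoles may be called from contextInitialized only when the listener is declared via @WebListener or web.xml, not when it was itself added programmatically.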

Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf it does not mean you should show getpic?id=1x22ug

A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice

How to spot it

• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)
• No double check on different stages of a multi-step operation

Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/
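The session-scoped token from the slide above, implemented as a servlet filter, as an added example that is not from the deck and not the CSRFPreventionForm or ESAPI code it links to. The filter issues one random token per session, exposes it for a hidden form field, and rejects every state-changing request that does not carry it back, comparing in constant time. It needs the javax.servlet 3.0 API and Java 8 (java.util.Base64); the attribute, parameter and header names are the example's own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: session-scoped CSRF token, checked on every state-changing request. */
@WebFilter("/*")
public class CsrfTokenFilter implements Filter {

    public static final String SESSION_ATTR = "csrf.token";   // names are the example's own
    public static final String PARAM = "csrfToken";
    public static final String HEADER = "X-CSRF-Token";

    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // Issue the token once per session; forms and XHR calls read it from here.
        String expected = (String) session.getAttribute(SESSION_ATTR);
        if (expected == null) {
            expected = newToken();
            session.setAttribute(SESSION_ATTR, expected);
        }

        // Anything that can change state must prove it came from one of our own pages.
        if (isStateChanging(request.getMethod())) {
            String presented = request.getHeader(HEADER);            // XHR clients send a header
            if (presented == null) presented = request.getParameter(PARAM);   // forms send a field
            if (!tokensMatch(expected, presented)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** GET, HEAD and OPTIONS are exempt, which only holds if they never change state. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** Constant-time comparison so a wrong token does not leak how many leading bytes matched. */
    static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    private String newToken() {
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);   // [A-Za-z0-9_-] only
    }

    /** Markup for the hidden field; the token alphabet needs no HTML encoding. */
    public static String hiddenField(HttpSession session) {
        String token = (String) session.getAttribute(SESSION_ATTR);
        return "<input type=\"hidden\" name=\"" + PARAM + "\" value=\"" + token + "\">";
    }
}
```

This is the "request or session scope" variant with a session-scoped token; a per-request (single-use) token is stricter but breaks multi-tab use and needs its own bookkeeping. Regenerate the token when the user authenticates, and pair the filter with the HttpOnly and Secure cookie flags from the A6 slides so the token cannot simply be read out of the session cookie by a script.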

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 19: How to avoid top 10 security risks in Java EE applications and how to avoid them

Prevent

bull SaniCze13 the13 input13 Eg13 use13 OWASP13 AnCSamy13 or13 OWASP13 Java13 HTML13 SaniCzer13 etc13

bull Escape13 untrusted13 data13 based13 on13 the13 HTML13 context13 (body13 aGribute13 JavaScript13 CSS13 or13 URL)13

bull Use13 Cookie13 flags13 ndash hGpOnly13 13 (prevents13 XSS13 access)

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 20: How to avoid top 10 security risks in Java EE applications and how to avoid them

A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml


A6 - Sensitive Data Exposure

What is it

• Sensitive data kept unprotected
• Sensitive data exposed to the wrong persons
• Could be
  – Passwords
  – Financial/health care data
  – Credit cards


Worst Practices

• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords, security question answers…)

• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data


Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self-signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)

• Forgetting about the rest of the infrastructure


Prevention

• Identify sensitive data
• Wisely encrypt sensitive data
  – On every level (application, app server, db)
  – With the right algorithm: as strong as possible, but not more
  – With the right mechanism, e.g. scrypt and bcrypt

• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel

• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies


Best Practice

• Use TLS on all connections carrying sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient


Java EE

• Group the resources according to transport sensitivity using web-resource-collection

• Use user-data-constraint as widely as you need for data integrity and encryption needs

• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>

• Secure cookie transmission
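As an added example (not from the slides or the Galleria project), the same constraint expressed in the Servlet 3.0 annotation form that Java EE 6 accepts instead of web.xml, together with the secure-cookie settings; the servlet, URL pattern, role and cookie names are assumptions for this example.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical account servlet. The annotation is the Servlet 3.0 equivalent of a
 * web.xml security-constraint: the @WebServlet pattern plays the role of the
 * web-resource-collection, transportGuarantee that of the user-data-constraint and
 * rolesAllowed that of the auth-constraint.
 */
@WebServlet("/account/*")
@ServletSecurity(@HttpConstraint(
        transportGuarantee = TransportGuarantee.CONFIDENTIAL, // TLS only; the container sends plain HTTP to the TLS listener
        rolesAllowed = "customer"))
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: refuse a plain channel even if the constraint is ever relaxed.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Cookie pref = new Cookie("acct_pref", "compact");   // constructed sample cookie
        pref.setSecure(true);      // Cookie.setSecure(true): never sent over plain HTTP
        pref.setHttpOnly(true);    // not readable from script (Servlet 3.0+)
        pref.setPath(req.getContextPath() + "/account");
        pref.setMaxAge(3600);
        resp.addCookie(pref);

        // Addresses the "caching/autocomplete" worst practice: no cached copies of this page.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Account page for " + req.getRemoteUser());
    }

    /** Gives the container's own session cookie the same flags (web.xml: session-config/cookie-config). */
    @WebListener
    public static class SessionCookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent e) {
            SessionCookieConfig cfg = e.getServletContext().getSessionCookieConfig();
            cfg.setSecure(true);
            cfg.setHttpOnly(true);
        }

        @Override
        public void contextDestroyed(ServletContextEvent e) { }
    }
}
```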


GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases

• Use digest authentication/hashed password storage


GlassFish

• Install the right server certificates to be used by the SSL listeners

• Properly configure the HTTPS listeners (set the right keystore)

• Properly configure the ORB over SSL listeners if needed (set the right keystore)

• Enable auditing under Security and the access log under HTTP Service


A7 - Missing functional access control

What is it

• Presentation layer access control is not enough

• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References


Worst Practice

• Using home-grown security features instead of container provided ones

• Assuming people won't know some URLs to try them

• Assuming no one would misuse the extra permission and access they have


Java EE 6

• What you do to prevent A4, plus
  – Use container security (security-constraint)
  – Use the programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint, security-role-mapping)

  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each


Best Practices

• Any non-public URL should be protected
• Use the container's authentication/authorization features, or extend on top of them

• If that is not enough, use proven frameworks/products to protect the resources

• If a user can get getpic?id=1x118uf, it does not mean you should show them getpic?id=1x22ug
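An added example (not from the slides) combining the two layers above: the container enforces which roles may call which HTTP method (deny by default, as the Java EE 6 slide asks for), and the servlet still checks that the requested picture belongs to the caller. The servlet, roles, ids and in-memory repository are constructed for this example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical picture servlet: the container decides WHO may call WHICH method
 * (function-level access control), the servlet decides WHICH picture that user
 * may see (object-level access control, the A4 part).
 */
@WebServlet("/getpic")
@ServletSecurity(
        // Any method not listed below is denied outright: "Deny All" by default.
        value = @HttpConstraint(EmptyRoleSemantic.DENY),
        httpMethodConstraints = {
                @HttpMethodConstraint(value = "GET", rolesAllowed = "member"),
                @HttpMethodConstraint(value = "DELETE", rolesAllowed = "admin")
        })
public class PictureServlet extends HttpServlet {

    /** Stand-in for a persistent entity. */
    static final class Picture {
        final String id;
        final String ownerId;
        final String data;

        Picture(String id, String ownerId, String data) {
            this.id = id;
            this.ownerId = ownerId;
            this.data = data;
        }
    }

    // Constructed sample data standing in for the database.
    private static final Map<String, Picture> REPO = new HashMap<>();
    static {
        REPO.put("1x118uf", new Picture("1x118uf", "alice", "alice's holiday"));
        REPO.put("1x22ug", new Picture("1x22ug", "bob", "bob's passport scan"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Picture pic = authorizedPicture(req, req.getParameter("id"));
        if (pic == null) {
            // Same answer for "does not exist" and "not yours": no oracle for guessing ids.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println(pic.data);
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Only admins reach this method (container check), but the action is still bound to a real object.
        if (REPO.remove(req.getParameter("id")) == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Returns the picture only if the caller owns it or holds the admin role. */
    static Picture authorizedPicture(HttpServletRequest req, String id) {
        if (id == null || req.getRemoteUser() == null) {
            return null;
        }
        Picture pic = REPO.get(id);
        if (pic == null) {
            return null;
        }
        boolean owner = pic.ownerId.equals(req.getRemoteUser());
        return (owner || req.isUserInRole("admin")) ? pic : null;
    }
}
```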


A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated

• Deep links make this easier

• Java EE 6 affected
  – UI technology of choice


How to spot it

• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)

• No double check on the different stages of a multi-step operation


Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope

• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html

• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf


A9 - Using Components with Known Vulnerabilities

What is it


– Using commercial off-the-shelf components and frameworks

– Hard to track the list of vulnerabilities
– Hard to track the fix versions
– Late, or sometimes no, news about the flaws

Worst Practices


– Using frameworks and components that are not well established, especially for security services

– Not following the release train and the list of changes or announcements, mailing lists, etc.

– Ignoring security fixes because of the update expense
– Staying with a dead project because of the replacing/refactoring costs

Java EE 6


– Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible

– If staying with the same major or dot release, ensure all patches are applied, especially security fixes

– Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user provided parameters

• Forwarding to another URL computed from user provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting


Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward

• Not using a proper access control mechanism (e.g. container managed, with a proper security-constraint)

• Redirecting to a user provided parameter, e.g. to an external website


Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting

• Redirects are safe when container managed authentication/authorization is used properly

• Forwards happen without the container's authentication checks and thus need triple-checking to prevent unauthorized access
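An added example (not from the slides) of validating a user supplied target before a redirect or a forward: the target is reduced to a local, allow-listed path, and a forward additionally checks the caller's role because the container's security-constraint is not re-evaluated on a forward. The servlet, parameter name, allowed prefixes and role are assumptions for this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical "continue after login" servlet: ?next= is user supplied. */
@WebServlet("/continue")
public class ContinueServlet extends HttpServlet {
    // Local targets the application is willing to send a user on to.
    private static final String[] ALLOWED_PREFIXES = { "/orders/", "/account/" };
    private static final String[] ALLOWED_EXACT = { "/home" };
    private static final String FALLBACK = "/home";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = safeLocalTarget(req.getParameter("next"));
        if ("forward".equals(req.getParameter("mode"))) {
            forwardIfPermitted(req, resp, target, "customer");
            return;
        }
        // The redirected request goes through the container's security-constraints again,
        // so an unauthenticated user is still challenged at the target.
        resp.sendRedirect(req.getContextPath() + target);
    }

    /**
     * Forwards bypass security-constraints (they are applied to REQUEST dispatch only),
     * so the caller's role is checked explicitly before dispatching.
     */
    static void forwardIfPermitted(HttpServletRequest req, HttpServletResponse resp,
                                   String target, String requiredRole)
            throws ServletException, IOException {
        if (req.getRemoteUser() == null || !req.isUserInRole(requiredRole)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }

    /**
     * Returns a context-relative path such as "/orders/42?x=1" if the candidate is a
     * plain local path on the allow-list, otherwise FALLBACK. Rejected: absolute URLs,
     * scheme-only values ("javascript:..."), protocol-relative ("//evil.example"),
     * backslashes, encoded dots, traversal out of the allowed prefix, malformed input.
     */
    static String safeLocalTarget(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(candidate).normalize();   // throws on backslash, space, control chars
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return FALLBACK;                         // "http://evil" and "//evil" both end here
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/") || path.startsWith("/..")
                || path.toLowerCase().contains("%2e")) {
            return FALLBACK;
        }
        if (!isAllowedPath(path)) {
            return FALLBACK;
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;   // fragment dropped on purpose
    }

    private static boolean isAllowedPath(String path) {
        for (String exact : ALLOWED_EXACT) {
            if (path.equals(exact)) {
                return true;
            }
        }
        for (String prefix : ALLOWED_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}
```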


Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end


Questions…

59

Page 21: How to avoid top 10 security risks in Java EE applications and how to avoid them

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Exposing13 secure13 objects13 without13 defense13 bull Accessing13 domain13 objects13 with13 their13 PK13 Eg

hGpsyoucomuser113 =gt13 hGpsyoucomuser2113 bull Opening13 opportuniCes13 for13 intruders13 bull InformaCon13 hiding13 on13 the13 client13 bull Parameter13 value13 tampering13

bull Java13 EE13 613 affected13 ndash All13 layers13 ndash Especially13 data13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 22: How to avoid top 10 security risks in Java EE applications and how to avoid them

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 How to spot it

bull Direct13 user13 input13 to13 object13 mapping13 bull No13 verificaCon13 on13 user13 input13 (defenseless)13 bull Data13 separaCon13 for13 users13 (tenants)13 bull Request13 mode13 access13 for13 data13 (RUD)13 bull Query13 constraints

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 Best Practices

bull Use13 AccessReferenceMaps13

bull Use13 data-shy‐driven13 security13 bull Validate13 object13 references13 bull Always13 Perform13 addiConal13 data13 authorizaCon13 on13 the13 view

hnpappfile=1

hnpappid=7d3J93hnpappid=918237413

hnpappfile=Report123xls

A513 -shy‐13 Security13 Misconfiguraon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf


A9 - Using Components with Known Vulnerabilities

What is it?


– Using commercial off-the-shelf components and frameworks
– Hard to track the list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws

Worst Practices


– Using not well-established frameworks and components, especially in security services
– Not following the release train and the list of changes, announcements, mailing lists, etc.
– Ignoring security fixes because of update expense
– Staying with a dead project because of replacing/refactoring costs

Java EE 6


– Stay with application-server-certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
– If staying with the same major or dot release, ensure all patches are applied, especially security fixes
– Only use well-known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it?

• Redirecting to another URL computed from user-provided parameters
• Forwarding to another URL computed from user-provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting


Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container-managed, with a proper security-constraint)
• Redirecting to a user-provided parameter, e.g. to an external website


Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container-managed authentication/authorization properly
• Forwards happen without authentication and thus require triple checking to prevent unauthorized access
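What "accurately verify/validate the target URL" can look like in code, as an added example that is not from the slides: a validator that only lets through an in-application path or an https URL on an explicit host allow-list, and refuses the shapes that usually defeat naive checks. The host names and sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/*
 * Added example, not from the slides. Run a user-supplied target through
 * sanitize() before handing it to HttpServletResponse.sendRedirect(). Two
 * shapes pass: an absolute path on this origin ("/account/home?tab=1") or an
 * absolute https URL whose host is allow-listed. Everything else is refused.
 */
public final class RedirectTargetValidator {

    private final Set<String> allowedHosts = new HashSet<String>();

    public RedirectTargetValidator(String... hosts) {
        for (String h : hosts) {
            allowedHosts.add(h.toLowerCase(Locale.ROOT));
        }
    }

    /** Returns the target to redirect to, or null when the candidate must be refused. */
    public String sanitize(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        // Control characters would allow response-header injection; backslashes
        // are treated as path separators by some browsers.
        for (char c : candidate.toCharArray()) {
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return null;
            }
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return null;
        }
        if (uri.getScheme() == null) {
            // Relative reference: must be an absolute path on this origin.
            // "//evil.example/x" parses with no scheme but WITH an authority; refuse it.
            if (uri.getRawAuthority() != null) {
                return null;
            }
            String path = uri.getRawPath();
            if (path == null || !path.startsWith("/")) {
                return null;
            }
            return candidate;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return null;                          // no http, javascript:, data:, ...
        }
        if (uri.getRawUserInfo() != null) {
            return null;                          // "https://trusted.example@evil.example/"
        }
        String host = uri.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return null;
        }
        return uri.toString();
    }

    public static void main(String[] args) {
        RedirectTargetValidator v = new RedirectTargetValidator("partner.example");
        String[] samples = {                              // constructed inputs
            "/account/home?tab=1",                        // allowed: in-app path
            "https://partner.example/landing",            // allowed: allow-listed host
            "//evil.example/phish",                       // refused: scheme-relative
            "https://partner.example@evil.example/",      // refused: userinfo trick
            "http://partner.example/",                    // refused: not https
            "javascript:alert(1)",                        // refused: scheme
            "/ok\r\nSet-Cookie: x=y",                     // refused: control characters
        };
        for (String s : samples) {
            String result = v.sanitize(s);
            System.out.println((result == null ? "REFUSE " : "ALLOW  ") + s.replace("\r\n", "\\r\\n"));
        }
    }
}
```

For forwards the same validation applies to the path, with the extra step the slide calls for: check that the current user is allowed to see the forward target, because the container's security-constraint check does not run again on a server-side forward.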


Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end


Questions…


Best Practices (A4 - Insecure Direct Object References)

• Use AccessReferenceMaps
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view

http://app?file=1
http://app?id=7d3J93 instead of http://app?id=9182374
http://app?file=Report123.xls
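An access reference map in the sense of the list above, serving both this slide and the A7 "getpic?id=..." point (the user being able to fetch one object says nothing about the next id), as an added example. It is not the slides' code and not ESAPI's AccessReferenceMap, though it follows the same idea: only objects the user is entitled to are ever entered into a per-session map, and the browser only sees the random keys. The file names are constructed.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not from the slides or from ESAPI. One instance lives per
 * HttpSession (store it as a session attribute). The application registers the
 * direct references the user may access (file names, database ids) and emits
 * the returned opaque tokens in links; on the way back a token that was never
 * issued to this session is forged or foreign and is refused. There is nothing
 * sequential to enumerate.
 */
public final class IndirectReferenceMap<T> {

    private static final SecureRandom RANDOM = new SecureRandom();
    private final Map<String, T> indirectToDirect = new HashMap<String, T>();
    private final Map<T, String> directToIndirect = new HashMap<T, String>();

    /** Registers a direct reference the current user is authorized for; idempotent. */
    public synchronized String addDirectReference(T direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) {
            return existing;
        }
        String token;
        do {
            token = randomToken();
        } while (indirectToDirect.containsKey(token));
        indirectToDirect.put(token, direct);
        directToIndirect.put(direct, token);
        return token;
    }

    /** Resolves a submitted token; anything not issued to this session is rejected. */
    public synchronized T getDirectReference(String indirect) {
        T direct = (indirect == null) ? null : indirectToDirect.get(indirect);
        if (direct == null) {
            throw new SecurityException("unknown or foreign object reference");
        }
        return direct;
    }

    private static String randomToken() {
        byte[] raw = new byte[8];   // 64 random bits per token, hex encoded
        RANDOM.nextBytes(raw);
        StringBuilder sb = new StringBuilder(16);
        for (byte b : raw) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed scenario: the logged-in user owns two reports; a third exists
        // on the server but was never registered for this session.
        IndirectReferenceMap<String> map = new IndirectReferenceMap<String>();
        String t1 = map.addDirectReference("Report123.xls");
        map.addDirectReference("Report124.xls");
        System.out.println("link shown to the user: http://app?file=" + t1);
        System.out.println("resolves to: " + map.getDirectReference(t1));
        try {
            map.getDirectReference("Report125.xls");   // a direct name submitted as if it were a token
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

This replaces enumeration with a lookup, but it is the first layer only: the slide's last bullet still applies, so the view that finally renders Report123.xls should re-check ownership against the data, in case the map was populated too generously.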

A5 - Security Misconfiguration

What is it?

• Applies to:
  – Operating system
  – Application server
  – Databases
  – Additional services
  – Frameworks
  – Developed code
  – Etc.
• Includes (besides _many_ others):
  – All security-relevant configuration
  – Missing patches
  – Default accounts

Worst Practices

• Relaxed network interface/socket access control
• Relaxed file system access control
• Using any defaults, like:
  – Passwords: admin/master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self-signed certificate
• Using a non-hardened OS
• Not using a segregated user for the service
• Not restricting GlassFish Server to a component-specific user, nor enabling the security manager


Policy file locations

• Global policy file: ${java.home}/jre/lib/security/java.policy
• User policy file: ${user.home}/.java.policy
• Domain policy file: ${domain.home}/config/server.policy
• Application policy file: ${domain.home}/generated/policy/<app-name>/<module-name>/granted.policy


Review the policy files

• Policy file precedence order
• Remove unused grants
• Add extra permissions only to the applications or modules that require them, not to all applications deployed to a domain
• Document your changes


Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html


A6 - Sensitive Data Exposure

What is it?

• Sensitive data kept unprotected
• Sensitive data exposed to the wrong persons
• Could be:
  – Passwords
  – Financial/health care data
  – Credit cards


Worst Practices

• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords, security question answers…)
• Keeping clear-text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data


Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self-signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure


Prevention

• Identify sensitive data
• Wisely encrypt sensitive data
  – On every level (application, app server, DB)
  – With the right algorithm: as strong as possible, but not more
  – With the right mechanism, e.g. scrypt and bcrypt
• Don't keep clear-text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep off-site encrypted backups in addition to on-site copies


Best Practice

• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient


Java EE

• Group the resources with regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
• Secure cookie transmission
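The last bullet in code, as an added example that is not from the slides: with Servlet 3.0 (Java EE 6) the container's session cookie can be flagged Secure and HttpOnly once for the whole application from a ServletContextListener (the programmatic twin of web.xml's cookie-config), and application cookies get the same flags through a helper that refuses to mint a sensitive cookie when the request did not arrive over TLS. Cookie and class names are hypothetical.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/*
 * Added example, not from the slides. SessionCookieConfig may only be changed
 * while the context is initializing, which is exactly when contextInitialized()
 * runs.
 */
@WebListener
public class SecureCookieConfig implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setSecure(true);     // JSESSIONID is only ever sent over TLS
        cfg.setHttpOnly(true);   // and is not readable from script (limits XSS to session theft escalation)
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /**
     * Builds an application cookie carrying sensitive content with Secure and
     * HttpOnly set. Pairs with a CONFIDENTIAL transport guarantee on the URLs
     * that issue it: if this request itself is not secure, fail loudly rather
     * than send the value in clear text.
     */
    public static Cookie sensitiveCookie(HttpServletRequest req, String name, String value) {
        if (!req.isSecure()) {
            throw new IllegalStateException("refusing to set cookie " + name + " over a non-TLS request");
        }
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(true);
        cookie.setHttpOnly(true);
        // Scope the cookie to this application rather than the whole host.
        String contextPath = req.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        return cookie;
    }
}
```

A servlet then calls response.addCookie(SecureCookieConfig.sensitiveCookie(request, "prefs_token", value)); the IllegalStateException path is deliberate, since a cookie silently sent over plain HTTP is exactly the exposure this slide describes.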


GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage


GlassFish

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service


A7 - Missing functional access control

What is it?

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References


Worst Practice

• Using home-grown security features instead of container-provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permission and access they have





Page 25: How to avoid top 10 security risks in Java EE applications and how to avoid them

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013 What is it

bull Applies13 to13 13 ndash OperaCng13 System13 ndash ApplicaCon13 Server13 ndash Databases13 ndash AddiConal13 Services13 ndash Frameworks13 ndash Developed13 Code13 ndash Etc13

bull Includes13 (beside13 _many_13 others)13 ndash All13 security13 relevant13 configuraCon13 ndash Missing13 Patches13 ndash Default13 accounts

Worst Practices

bull Network13 interfacessockets13 access13 control13 bull Relaxed13 File13 system13 access13 control13 bull Using13 any13 defaults13 like13 ndash Passwords13 Admin13 master13 password13 ndash Network13 interface13 binding13 Listening13 on13 000013 ndash CerCficates13 Self13 signed13 cerCficate13

bull Using13 a13 not13 hardened13 OS13 bull Not13 using13 segregated13 user13 for13 the13 service13 bull Not13 restricCng13 GlassFishServer13 component13 specific13 user13 nor13 enabling13 security13 manager

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient


Java EE

• Group the resources in regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
• Secure cookies transmission


GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage


GlassFish

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service


A7 - Missing functional access control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References


Worst Practice

• Using home-grown security features instead of container provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permission and access they have


Java EE 6

• What you do to prevent A4, plus
  – Use container security (security-constraint)
  – Use programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principal/groups (auth-constraint, security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each
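Added example (not from the slides) covering both the A6 "Java EE" slide (CONFIDENTIAL transport, secure cookies) and this A7 slide (container security, deny by default, only the required HTTP methods, programmatic login) with the Servlet 3.0 annotations that correspond to security-constraint in web.xml. Servlet names, URL patterns and role names are assumptions.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Account pages (hypothetical): only the listed methods are reachable, each needs a role
 * and TLS, and every other method (PUT, DELETE, TRACE, ...) is denied by the container.
 * Roles still have to be mapped to realm groups (security-role-mapping in
 * glassfish-web.xml, or GlassFish's default principal-to-role mapping).
 */
@DeclareRoles({"user", "admin"})
@WebServlet("/account/*")
@ServletSecurity(
    value = @HttpConstraint(value = EmptyRoleSemantic.DENY),      // default: deny all
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"user", "admin"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Cookie view = new Cookie("view", "compact");
        view.setSecure(true);      // only ever sent over TLS (the slide's Cookie.setSecure(true))
        view.setHttpOnly(true);    // not exposed to page script (Servlet 3.0)
        view.setPath(req.getContextPath() + "/account");
        resp.addCookie(view);
        resp.setContentType("text/plain");
        resp.getWriter().println("Account summary for " + req.getRemoteUser());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Function-level check in code as well: hiding the button in the UI is not access control (A7).
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);   // the state change would happen here
    }
}

/** Programmatic login (Servlet 3.0) against the realm configured for the application. */
@WebServlet("/login")
@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();              // never carry the pre-login session id across login
        }
        try {
            req.login(user, pass);         // credentials checked by the container's realm
        } catch (ServletException badCredentials) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession(true);
        resp.sendRedirect(req.getContextPath() + "/account/summary");
    }
}
```

A security-constraint in web.xml for the same URL pattern takes precedence over these annotations, and an annotation covers only its own servlet's mappings, so every other non-public pattern still needs its own constraint.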


Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf it does not mean you should show getpic?id=1x22ug


A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while being authenticated
• Deep links make this easier
• Java EE 6 affected
  – UI technology of choice


How to spot it

• Predictable URLs (for logged-in users)
• No random secret tokens processing (CSRF Token)
• No double check on different stages of a multi-step operation


Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf


A9 - Using Components with Known Vulnerabilities

What is it


– Using commercial off-the-shelf components and frameworks
– Hard to track the list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws

Worst Practices


– Using not well established frameworks and components, especially in security services
– Not following the release train and the list of changes or announcements, mailing lists, etc.
– Ignoring security fixes because of update expense
– Staying with a dead project because of replacing/refactoring costs

Java EE 6


– Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
– If staying with the same major or dot release, ensure applying all patches, especially security fixes
– Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed by user provided parameters
• Forwarding to another URL computed by user provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting


Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
• Redirecting to a user provided parameter, e.g. to an external website


Java EE 6

• Avoid redirect or forward as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container managed authentication/authorization properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
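Added example (not from the slides): validating a user-supplied redirect target so it can only point inside the application (the external?url= case above), and allow-listing forward targets with the role check done in code, since the container's security-constraint is not applied to a forwarded request. Servlet name, URL patterns and allow-list entries are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet for this example.
 * /go?url=...   : redirect only to a path inside this application
 * /view?page=...: forward only to an allow-listed page, checking the role here,
 *                 because RequestDispatcher.forward() bypasses security-constraint.
 */
@WebServlet(urlPatterns = {"/go", "/view"})
public class SafeRedirectServlet extends HttpServlet {
    private static final String DEFAULT_PAGE = "/home.jsp";
    private static final Set<String> FORWARD_TARGETS =
            new HashSet<>(Arrays.asList("/home.jsp", "/account/summary.jsp"));

    /**
     * Returns candidate as path(+query) inside contextPath, or null when it is absolute
     * ("http://", "javascript:"), protocol-relative ("//host"), escapes the context
     * through "..", or hides a separator behind percent-encoding.
     */
    static String localPathOrNull(String candidate, String contextPath) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(candidate);            // rejects spaces, control characters, backslashes
        } catch (URISyntaxException e) {
            return null;
        }
        if (uri.isAbsolute() || uri.getAuthority() != null) {
            return null;
        }
        String path = uri.normalize().getRawPath();   // collapses "." and ".." segments
        if (path == null || !path.startsWith(contextPath + "/")) {
            return null;
        }
        String lower = path.toLowerCase();
        if (lower.contains("%2f") || lower.contains("%5c")) {
            return null;
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;   // fragment is dropped
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String ctx = req.getContextPath();
        if ("/go".equals(req.getServletPath())) {
            String target = localPathOrNull(req.getParameter("url"), ctx);
            resp.sendRedirect(target != null ? target : ctx + DEFAULT_PAGE);   // never echo the raw parameter
            return;
        }
        String page = req.getParameter("page");
        if (page == null || !FORWARD_TARGETS.contains(page)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);   // deny by default
            return;
        }
        if (page.startsWith("/account/") && !req.isUserInRole("user")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // the forward would skip the container check
            return;
        }
        req.getRequestDispatcher(page).forward(req, resp);
    }
}
```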


Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end


Questionshellip


Worst Practices

• Network interfaces/sockets access control
• Relaxed file system access control
• Using any defaults like
  – Passwords: admin master password
  – Network interface binding: listening on 0.0.0.0
  – Certificates: self-signed certificate
• Using a non-hardened OS
• Not using a segregated user for the service
• Not restricting the GlassFish/Server component specific user, nor enabling the security manager


Policy Files location

• Global policy file: java.home/jre/lib/security/java.policy
• User policy file: user.home/.java.policy
• Domain policy file: domain.home/config/server.policy
• Application policy file: domain.home/generated/policy/<appname>/<modulename>/granted.policy


Review the policy files

• Policy files precedence order
• Remove unused grants
• Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain
• Document your changes


Running GlassFish in a

• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design

http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 27: How to avoid top 10 security risks in Java EE applications and how to avoid them

Policy Files location

bull Global13 Policy13 File13 javahomejrelibsecurityjavapolicy13

bull User13 Policy13 File13 userhomejavapolicy13 bull Domain13 Policy13 File13 domainhomeconfigserverpolicy13 13 13 13

bull ApplicaCon13 Policy13 File13 domainhomegeneratedpolicyltappnamegtltmodulenamegtgrantedpolicy13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 28: How to avoid top 10 security risks in Java EE applications and how to avoid them

Review the policy files

bull Policy13 files13 precedence13 order13 bull Remove13 unused13 grants13 bull Add13 extra13 permissions13 only13 to13 applicaons13 or13 modules13 that13 require13 them13 not13 to13 all13 applicaCons13 deployed13 to13 a13 domain13 bull Document13 your13 changes

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self-signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure

Prevention

• Identify sensitive data
• Wisely encrypt sensitive data
  – On every level (application, appserver, db)
  – with the right algorithm: as strong as possible, but not more
  – with the right mechanism, e.g. scrypt and bcrypt
• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies

Best Practice

• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard, strong algorithms
• Use proven mechanisms when sufficient

Java EE

• Group the resources in regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
• Secure cookies transmission

GlassFish

• Protect the keystore
• Protect GlassFish accounts
  – Use aliasing to protect the password, and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage

GlassFish

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service

A7 - Missing Functional Access Control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References

Worst Practice

• Using home-grown security features instead of container provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permission and access they have

Java EE 6

• What you do to prevent A4, plus
  – Use container security (security-constraint)
  – Use programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint, security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each

Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If that is not enough, use proven frameworks/products to protect the resources
• If a user can get /getpic?id=1x118uf it does not mean you should show them /getpic?id=1x22ug
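What "extend on top of" the container looks like for the picture example: the security-constraint establishes that the caller is an authenticated user, but which picture that user may see is an application decision, made here by scoping the lookup to the caller. The servlet below is an added example, not code from the slides or from the Galleria project; the in-memory repository, the owner names and the field layout are constructed for it (the two ids are the ones from the slide).

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: object-level access control behind a container auth-constraint. */
@WebServlet("/getpic")
public class GetPicServlet extends HttpServlet {

    /** Minimal picture record; a real application would map this with JPA. */
    static final class Picture {
        final String id, owner, contentType;
        final byte[] bytes;
        Picture(String id, String owner, String contentType, byte[] bytes) {
            this.id = id; this.owner = owner; this.contentType = contentType; this.bytes = bytes;
        }
    }

    /** In-memory stand-in for the persistence layer, filled with constructed sample data. */
    static final class PictureRepository {
        private final Map<String, Picture> byId = new HashMap<String, Picture>();
        PictureRepository() {
            byte[] png = {(byte) 0x89, 'P', 'N', 'G'};   // constructed placeholder content
            byId.put("1x118uf", new Picture("1x118uf", "alice", "image/png", png));
            byId.put("1x22ug",  new Picture("1x22ug",  "bob",   "image/png", png));
        }
        /** The owner is part of the lookup, so a foreign id is "not found", not "forbidden". */
        Picture findByIdAndOwner(String id, String owner) {
            Picture p = byId.get(id);
            return (p != null && p.owner.equals(owner)) ? p : null;
        }
    }

    private final PictureRepository repository = new PictureRepository();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The <auth-constraint> on /getpic guarantees an authenticated caller; the null
        // check is defence in depth in case the descriptor is ever misconfigured.
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String id = req.getParameter("id");
        if (id == null || !id.matches("[0-9a-z]{1,32}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Authorization happens in the query itself: caller + id, never id alone.
        Picture pic = repository.findByIdAndOwner(id, caller.getName());
        if (pic == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType(pic.contentType);
        resp.setHeader("Cache-Control", "no-store");   // A6: no cached copies of private data
        resp.setContentLength(pic.bytes.length);
        resp.getOutputStream().write(pic.bytes);
    }
}
```

With alice logged in, `/getpic?id=1x118uf` returns her picture and `/getpic?id=1x22ug` returns 404, the same answer a nonexistent id would get, so the response does not confirm that bob's picture exists. Returning 403 instead would be a small information leak; either way, the decision is made in the data access path rather than in the page that happens to render the link.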

A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated
• Deep links make this easier
• Java EE 6 is affected
  – regardless of the UI technology of choice

How to spot it

• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)
• No double check on the different stages of a multi-step operation

Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/

A9 - Using Components with Known Vulnerabilities

What is it

– Using commercial off-the-shelf components and frameworks
– Hard to track the list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws

Worst Practices

– Using not well established frameworks and components, especially in security services
– Not following the release train and the list of changes or announcements, mailing lists, etc.
– Ignoring security fixes because of the update expense
– Staying with a dead project because of replacing/refactoring costs

Java EE 6

– Stay with application-server-certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
– If staying with the same major or dot release, ensure all patches are applied, especially security fixes
– Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user provided parameters
• Forwarding to another URL computed from user provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
• Redirecting to a user provided parameter, e.g. to an external website

Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when container managed authentication/authorization is used properly: the browser issues a new request, which passes through the security constraints again
• Forwards happen server-side without authentication, and thus require a triple check to prevent unauthorized access
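The "verify/validate the target URL" bullet as code: a user-supplied "return to" parameter is accepted only if it is a path inside this application or an https URL to a host on an explicit allow list, and anything else falls back to a fixed page. This is an added example and not code from the slides; the class name, the default target and the allowed host are assumptions made for it.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: validating a redirect target before handing it to sendRedirect. */
public final class SafeRedirect {
    // Hosts we are willing to send users to; "www.example.org" is an assumed partner host.
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<String>(Arrays.asList("www.example.org"));
    private static final String DEFAULT_TARGET = "/home";   // assumed landing page

    /** Returns the requested target if it passes validation, otherwise DEFAULT_TARGET. */
    public static String resolve(String requested, String contextPath) {
        if (requested == null || requested.length() == 0) return DEFAULT_TARGET;
        URI uri;
        try {
            uri = new URI(requested);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;   // unparsable input (e.g. backslashes) is never forwarded
        }

        // Relative target: no scheme and no authority. "//host/..." has an authority, so a
        // scheme-relative URL that would leave the site never reaches this branch.
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            String path = uri.getRawPath();
            boolean insideApp = path != null
                && (path.equals(contextPath) || path.startsWith(contextPath + "/"));
            return insideApp ? requested : DEFAULT_TARGET;
        }

        // Absolute target: only https, and only to a listed host. URI.getHost() ignores any
        // "user@" prefix, so "https://www.example.org@other.example/" resolves to other.example.
        if ("https".equals(uri.getScheme()) && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            return requested;
        }
        return DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        String ctx = "/shop";   // what request.getContextPath() would return for this deployment
        String[] samples = {    // constructed inputs covering the cases handled above
            "/shop/account",                           // a path inside the application
            "/shopping/steal",                         // a path that merely shares the prefix
            "//attacker.example/",                     // scheme-relative, points off-site
            "https://www.example.org/partner",         // a listed host over https
            "https://www.example.org@other.example/",  // listed host only in the userinfo part
            "javascript:alert(1)",                     // a non-https scheme
            "/shop/a\\b",                              // not a valid URI at all
            null                                       // parameter absent
        };
        for (String s : samples) {
            System.out.println(s + "  =>  " + resolve(s, ctx));
        }
    }
}
```

In a servlet the call is `response.sendRedirect(SafeRedirect.resolve(request.getParameter("url"), request.getContextPath()))`. The same `resolve` check applies before `RequestDispatcher.forward`, with the difference the slide stresses: the forwarded request is not re-authenticated by the container, so the target must also be one the current principal is permitted to reach.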

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

Questions…

59

Page 29: How to avoid top 10 security risks in Java EE applications and how to avoid them

Running GlassFish in a

bull Use13 the13 latest13 version13 (3122)13 bull Enable13 secure13 admin13 (TLShGps)13 bull Use13 password13 aliasing13 bull Enable13 security13 manager13 and13 put13 forth13 a13 proper13 security13 policy13 file13 design

hGpblogeiselenet201105securing-shy‐your-shy‐glassfish-shy‐hardening-shy‐guidehtml13 hGpdocsoraclecomcdE18930_01html821-shy‐2435gkscrhtml

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 30: How to avoid top 10 security risks in Java EE applications and how to avoid them

A613 -shy‐13 Sensive13 Data13 Exposure

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 31: How to avoid top 10 security risks in Java EE applications and how to avoid them

What is it

bull SensiCve13 data13 kept13 unprotected13 bull SensiCve13 data13 exposed13 to13 wrong13 persons13 bull Could13 be13 ndash Passwords13 ndash FinancialHealth13 care13 data13 ndash Credit13 cards

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listeners (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and the access log under HTTP Service


A7 - Missing functional access control

What is it

• Presentation layer access control is not enough
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References


Worst Practice

• Using home-grown security features instead of container provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permission and access they have


Java EE 6

• What you do to prevent A4, plus:
  – Use container security (security-constraint)
  – Use programmatic login of Java EE 6 if needed
  – Properly configure security realms
  – Accurately map roles to principals/groups (auth-constraint, security-role-mapping)
  – Only allow supported/required HTTP methods
  – Accurately categorize the URL patterns and permit the relevant roles for each


Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf, it does not mean you should show getpic?id=1x22ug


A8 - Cross Site Request Forgery (CSRF)

What is it

• Basically a capture-replay attack
• Malicious code executes functions on your behalf while being authenticated
• Deep links make this easier
• Java EE 6 affected – UI technology of choice


How to spot it

• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)
• No double check on different stages of a multi-step operation


Best Practices

• Add unpredictability (tokens)
  – Hidden field, single-use URLs
  – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/


A9 - Using Components with Known Vulnerabilities

What is it

– Using commercial off-the-shelf components and frameworks
– Hard to track the list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws

Worst Practices

– Using not well established frameworks and components, especially in security services
– Not following the release train and the list of changes or announcements, mailing lists, etc.
– Ignoring security fixes because of update expense
– Staying with a dead project because of replacing/refactoring costs

Java EE 6

– Stay with application server certified components (e.g. OS, frameworks, libraries, external services, etc.) as long as possible
– If staying with the same major or dot release, ensure applying all patches, especially security fixes
– Only use well known and established frameworks with proven records

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user provided parameters
• Forwarding to another URL computed from user provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting


Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container managed and a proper security-constraint)
• Redirecting to a user provided parameter, e.g. to an external website


Java EE 6

• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when using container managed authentication/authorization properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
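Validating the target before redirecting or forwarding, as an added example that is not from the talk: a redirect is allowed only to an in-application path or to an allow-list of https hosts, and a forward resolves an indirect view key to a fixed path and repeats the role check the container cannot apply to forwards. The host list, view names, paths and roles are assumptions; Java 8 or later is assumed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Target validation for redirects and forwards.
 * Added example, not the talk's code; hosts, view names and roles are assumptions.
 */
public final class RedirectTargets {
    /** External hosts a redirect may go to; anything else is refused (constructed list). */
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.org", "docs.example.org"));

    /** Forward targets are chosen by key, never by a user-supplied path (indirect reference). */
    private static final Map<String, String> VIEWS = new HashMap<>();
    /** Role a caller needs for a view; absent means any authenticated user. */
    private static final Map<String, String> VIEW_ROLES = new HashMap<>();
    static {
        VIEWS.put("home", "/WEB-INF/views/home.jsp");
        VIEWS.put("orders", "/WEB-INF/views/orders.jsp");
        VIEWS.put("reports", "/WEB-INF/views/reports.jsp");
        VIEW_ROLES.put("reports", "admin");
    }

    /**
     * Returns a value safe for response.sendRedirect(), or null if the input must be
     * refused (the caller then redirects to a fixed page, never to the raw input).
     */
    public static String safeRedirect(String userValue) {
        if (userValue == null || userValue.isEmpty()) return null;
        URI uri;
        try {
            uri = new URI(userValue).normalize();
        } catch (URISyntaxException e) {
            return null;                 // unparseable, e.g. backslashes or raw spaces
        }
        if (uri.getScheme() == null && uri.getAuthority() == null) {
            // Relative: must be an absolute path inside this application.
            // "//evil.example/x" carries an authority, so it never reaches this branch.
            String path = uri.getPath();
            if (path == null || !path.startsWith("/") || path.contains("..")) return null;
            return uri.toASCIIString();
        }
        // Absolute: only https to an explicitly trusted host, and no userinfo tricks.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getUserInfo() != null) return null;
        String host = uri.getHost();
        if (host == null || !TRUSTED_HOSTS.contains(host.toLowerCase())) return null;
        return uri.toASCIIString();
    }

    /**
     * Resolves a view key for RequestDispatcher.forward(). Forwards bypass the
     * container's URL constraints, so the role check is repeated here; pass
     * request::isUserInRole as the predicate. Null means refuse.
     */
    public static String safeForward(String viewKey, Predicate<String> isUserInRole) {
        String path = viewKey == null ? null : VIEWS.get(viewKey);
        if (path == null) return null;
        String role = VIEW_ROLES.get(viewKey);
        if (role != null && !isUserInRole.test(role)) return null;
        return path;
    }

    public static void main(String[] args) {
        // Constructed inputs; nothing is fetched.
        String[] samples = {
            "/account/home",                          // accepted: in-application path
            "https://www.example.org/help",           // accepted: trusted host
            "//evil.example/phish",                   // refused: protocol-relative
            "https://www.example.org.evil.example/",  // refused: host not on the list
            "javascript:alert(1)",                    // refused: scheme
            "/../../admin",                           // refused: traversal
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeRedirect(s));
        }
        Predicate<String> customerOnly = "customer"::equals;   // stands in for request::isUserInRole
        System.out.println("reports as customer -> " + safeForward("reports", customerOnly));
        System.out.println("orders as customer  -> " + safeForward("orders", customerOnly));
    }
}
```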


Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

... but you will love it in the end


Questions...

59

Page 32: How to avoid top 10 security risks in Java EE applications and how to avoid them

Worst Practices

bull Storing13 sensiCve13 data13 unencrypted13 bull Storing13 comparaCve13 data13 unhashed13 (passwordssecurity13 quesCon13 answerhellip)13

bull Keeping13 clear13 text13 copies13 of13 encrypted13 data13 bull Not13 keeping13 the13 keyspasswords13 well13 guarded13 bull cachingautocomplete13 on13 pages13 with13 sensiCve13 data

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 33: How to avoid top 10 security risks in Java EE applications and how to avoid them

Worst Practice

bull Using13 basicform13 authenCcaCon13 without13 SSL13 bull Not13 using13 HTTPS13 for13 pages13 with13 private13 informaCon13 bull Using13 default13 self13 signed13 cerCficate13 bull Storing13 unencrypted13 cookies13 bull Not13 semng13 cookies13 to13 be13 securely13 transmiGed13 CookiesetSecure(true)13

bull Forgemng13 about13 the13 rest13 of13 the13 infrastructure

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 34: How to avoid top 10 security risks in Java EE applications and how to avoid them

Prevention

bull IdenCfy13 sensiCve13 data13 bull Wisely13 encrypt13 sensiCve13 data13

ndash On13 every13 level13 (applicaCon13 appserver13 db)13 ndash with13 the13 right13 algorithm13 as13 strong13 as13 possible13 but13 not13 more13 ndash with13 the13 right13 mechanism13 eg13 scrypt13 and13 bcrypt13

bull Donrsquot13 keep13 clear13 text13 copies13 bull To13 decrypt13 and13 view13 clear13 text13 should13 be13 restricted13 to13 authorized13 personnel13

bull Keep13 the13 keys13 as13 protected13 as13 possible13 bull Keep13 offsite13 encrypted13 backups13 in13 addiCon13 to13 on-shy‐site13 copies

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A10 - Unvalidated Redirects and Forwards

What is it?

• Redirecting to another URL computed from user-provided parameters
• Forwarding to another URL computed from user-provided parameters

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container-managed, with a proper security-constraint)
• Redirecting to a user-provided parameter, e.g. to an external website

Java EE 6

• Don't use redirect or forward as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when container-managed authentication/authorization is used properly
• Forwards happen without authentication and thus require a triple check to prevent unauthorized access
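Both rules from the Java EE 6 slide (validate the redirect target; check the user's access level before a forward, since RequestDispatcher.forward() is not subject to the container's security-constraint), as an added example that is not part of the original deck. The class name, the "next" and "view" parameters and the forward target table are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: a redirect whose target comes from a request parameter,
 *  and a forward chosen by a request parameter. */
public final class SafeNavigation {

    /** Forward targets keyed by an opaque name: the user never supplies a path. */
    private static final Map<String, String[]> FORWARD_TARGETS = new HashMap<>();
    static {
        // key -> { internal path, role required to reach it } (constructed sample table)
        FORWARD_TARGETS.put("dashboard", new String[] { "/WEB-INF/views/dashboard.jsp", "user" });
        FORWARD_TARGETS.put("reports",   new String[] { "/WEB-INF/views/reports.jsp",   "manager" });
    }

    /**
     * Accepts only a site-relative path such as "/account?tab=1" and returns null for
     * anything that could leave the application: absolute URLs ("http://..."),
     * protocol-relative ones ("//host"), backslashes, control characters, or a path
     * that climbs out of the context root through "..".
     */
    public static String localPathOrNull(String candidate) {
        if (candidate == null || candidate.isEmpty() || candidate.length() > 2048) return null;
        for (char c : candidate.toCharArray()) {
            // Browsers treat '\' as '/' and strip some control characters; refuse both.
            if (c == '\\' || c < 0x20 || c == 0x7f) return null;
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return null;
        }
        // A scheme or an authority means the target is not inside this application.
        if (uri.getScheme() != null || uri.getAuthority() != null) return null;
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/") || path.startsWith("//")) return null;
        // Collapse "." and ".." so the result cannot escape the context path.
        String normalized = uri.normalize().getRawPath();
        if (normalized == null || !normalized.startsWith("/") || normalized.startsWith("/..")) return null;
        return uri.getRawQuery() == null ? normalized : normalized + "?" + uri.getRawQuery();
    }

    /** Redirect to the "next" parameter only when it is a local path; otherwise to a fixed page. */
    public static void redirectAfterLogin(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String path = localPathOrNull(req.getParameter("next"));
        if (path == null) path = "/home";
        // Prefixing the context path keeps the Location header inside this application.
        resp.sendRedirect(req.getContextPath() + path);
    }

    /**
     * Forward by key. The container does not apply security-constraint rules to a
     * forward, so the role is verified here, before the dispatcher is invoked.
     */
    public static void forwardByKey(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        String[] target = FORWARD_TARGETS.get(req.getParameter("view"));
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (req.getUserPrincipal() == null || !req.isUserInRole(target[1])) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.getRequestDispatcher(target[0]).forward(req, resp);
    }

    private SafeNavigation() { }
}
```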

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end


Questions…

59

Page 35: How to avoid top 10 security risks in Java EE applications and how to avoid them

Best Practice

bull Use13 TLS13 on13 all13 connecons13 with13 sensiCve13 data13 bull Individually13 encrypt13 messages13 13 bull Sign13 messages13 before13 transmission13 bull Use13 standard13 strong13 algorithms13 13 bull Use13 proven13 mechanisms13 when13 sufficient

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 36: How to avoid top 10 security risks in Java EE applications and how to avoid them

Java EE

bull Group13 the13 resources13 in13 regard13 to13 transport13 sensiCvity13 using13 web-shy‐resource-shy‐collec+on13

bull Use13 user-shy‐data-shy‐constraint13 as13 widely13 as13 you13 need13 for13 data13 integrity13 and13 encrypCon13 needs13

bull Ensure13 that13 loginlogout13 pages13 (in13 case13 of13 form13 auth-shy‐type)13 are13 protected13 by13 lttransport-shy‐guaranteegtCONFIDENTIALlttransport-shy‐guaranteegt13

bull Secure13 cookies13 transmission

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 37: How to avoid top 10 security risks in Java EE applications and how to avoid them

GlassFish

bull Protect13 the13 keystore13 bull Protect13 GlassFish13 accounts13 ndash Use13 aliasing13 to13 protect13 the13 password13 and13 keep13 the13 master13 password13 safe13 to13 protect13 the13 aliases13

bull Use13 digest13 authenCcaConhashed13 password13 storage

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 38: How to avoid top 10 security risks in Java EE applications and how to avoid them

GlassFish

bull Install13 the13 right13 server13 cerCficates13 to13 be13 used13 by13 SSL13 listeners13

bull Properly13 configure13 HTTPS13 listeners13 (set13 the13 right13 keystore)13

bull Properly13 configure13 the13 ORB13 over13 SSL13 listeners13 if13 needed13 (set13 the13 right13 keystore)13

bull Enable13 audiCng13 under13 Security13 and13 access13 log13 under13 HTTP13 Service

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A713 -shy‐13 Missing13 func7onal13 access13 control

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

A7 - Missing Function Level Access Control

What is it

• Presentation-layer access control is not enough: hiding a link or a button does not stop a direct request to the URL behind it
• Not using "Deny All" by default
• Related to A4 - Insecure Direct Object References


Worst Practice

• Using home-grown security features instead of container-provided ones
• Assuming people won't know some URLs and try them
• Assuming no one would misuse the extra permissions and access they have


Java EE 6

• What you do to prevent A4, plus:
 – Use container security (security-constraint in web.xml, or its annotation form @ServletSecurity on the servlet)
 – Use the programmatic login of Java EE 6 (HttpServletRequest.login()) if needed
 – Properly configure security realms
 – Accurately map roles to principals/groups (auth-constraint, security-role-mapping)
 – Only allow the supported/required HTTP methods
 – Accurately categorize the URL patterns and permit the relevant roles for each


Best Practices

• Any non-public URL should be protected
• Use container authentication/authorization features, or extend on top of them
• If that is not enough, use proven frameworks/products to protect the resources
• If a user can get getpic?id=1x118uf, it does not mean you should show them getpic?id=1x22ug: the URL being reachable proves the role, not the ownership of that specific object


A8 - Cross Site Request Forgery (CSRF)

What is it

• Often described as a capture-replay attack, but nothing needs to be captured: the attacker's page triggers a request to your site and the browser attaches the victim's session cookie, so malicious code executes functions on your behalf while you are authenticated
• Deep links (predictable, bookmarkable URLs) make this easier
• Java EE 6 is affected whichever UI technology you choose


How to spot it

• Predictable URLs for logged-in users
• No random secret token processing (CSRF token) on state-changing requests
• No double check at the different stages of a multi-step operation


Best Practices

• Add unpredictability (tokens)
 – Hidden field, single-use URLs
 – Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/


A9 - Using Components with Known Vulnerabilities

What is it

• Using commercial off-the-shelf components and frameworks
 – Hard to track the list of vulnerabilities
 – Hard to track the fix versions
 – Late, or sometimes no, news about the flaws

Worst Practices

• Using not-well-established frameworks and components, especially in security services
• Not following the release train, the lists of changes, announcements, mailing lists etc.
• Ignoring security fixes because of the update expense
• Staying with a dead project because of the replacement/refactoring costs

Java EE 6

• Stay with application-server-certified components (OS, frameworks, libraries, external services etc.) as long as possible
• If staying with the same major or dot release, ensure all patches, especially security fixes, are applied
• Only use well-known and established frameworks with proven records
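Tracking fix versions starts with knowing which versions are deployed. The listener below is an added example, not part of the deck or of the Galleria project: at every deployment it records each jar bundled in WEB-INF/lib with the version its manifest declares, so the list can be diffed against the vendor's advisories and fixed-version announcements. The log destination and the manifest attributes consulted are choices of the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.jar.Attributes;
import java.util.jar.JarInputStream;
import java.util.jar.Manifest;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

/**
 * Logs an inventory of the bundled third-party jars (path + declared version)
 * when the application is deployed (Servlet 3.0 / Java EE 6).
 */
@WebListener
public class ComponentInventoryListener implements ServletContextListener {

    /** Maps jar path under the web root to its version ("unknown" when the manifest has none). */
    public static TreeMap<String, String> inventory(ServletContext ctx) {
        TreeMap<String, String> result = new TreeMap<String, String>();
        Set<String> paths = ctx.getResourcePaths("/WEB-INF/lib/");
        if (paths == null) return result;                 // no libraries bundled at all
        for (String path : paths) {
            if (path.endsWith(".jar")) result.put(path, versionOf(ctx, path));
        }
        return result;
    }

    /** Opens the jar through the ServletContext so it also works for unexploded wars. */
    static String versionOf(ServletContext ctx, String path) {
        InputStream in = ctx.getResourceAsStream(path);
        if (in == null) return "unreadable";
        try {
            JarInputStream jar = new JarInputStream(in);
            try {
                return versionFrom(jar.getManifest());
            } finally {
                jar.close();
            }
        } catch (IOException e) {
            return "unreadable";
        }
    }

    /** Implementation-Version first, then the OSGi Bundle-Version many libraries set instead. */
    public static String versionFrom(Manifest mf) {
        if (mf == null) return "unknown";
        Attributes main = mf.getMainAttributes();
        String version = main.getValue(Attributes.Name.IMPLEMENTATION_VERSION);
        if (version == null) version = main.getValue("Bundle-Version");
        return version == null ? "unknown" : version;
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        for (Map.Entry<String, String> e : inventory(ctx).entrySet()) {
            ctx.log("component inventory: " + e.getKey() + " version=" + e.getValue());
        }
    }

    @Override public void contextDestroyed(ServletContextEvent sce) { }
}
```

JarInputStream only returns the manifest when META-INF/MANIFEST.MF is at the front of the archive, which is how the jar tool and Maven write it; a jar repacked differently shows up as "unknown" and has to be checked by hand, as does one whose manifest carries no version at all. Jars the application server provides (the container's own JSF, JPA or JAX-RS implementation) are not under WEB-INF/lib and stay the server's patch responsibility, which is the first slide's point about staying with certified components.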

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user-provided parameters
• Forwarding to another URL computed from user-provided parameters
• A redirector that takes its target from a parameter, for example:

http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting


Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container-managed security with a proper security-constraint)
• Redirecting to a user-provided parameter, e.g. to an external website


Java EE 6

• Avoid redirects and forwards driven by request parameters as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe with respect to access control when container-managed authentication/authorization is used properly: the browser issues a new request that passes through the security constraints again. The target itself still has to be validated, otherwise the application is an open redirector to external sites
• Forwards happen inside the container, without re-applying the security constraints or authentication, and thus require a triple check to prevent unauthorized access


Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

CC picture reference

• httpwwwflickrcomphotoswallyg2439494447sizeslinphotostream
• httpwwwflickrcomphotos62983199N047188112487sizeslinphotostream
• httpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream
• httpwwwflickrcomphotoslukemontague187987292sizeslinphotostream
• httpwwwflickrcomphotos0820077108942911sizeslinphotostream
• httpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream
• httpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream
• httpwwwflickrcomphotosbpc0093328427457sizeslinphotostream
• httpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream
• httpwwwflickrcomphotoscindy474522898015652sizeslinphotostream
• httpwwwflickrcomphotoszen4494845sizesoinphotostream

Questions…

59

Page 40: How to avoid top 10 security risks in Java EE applications and how to avoid them

What is it

bull PresentaCon13 layer13 access13 control13 is13 not13 enough13

bull Not13 using13 ldquoDeny13 Allrdquo13 by13 default13 bull Related13 to13 A413 ndash13 Insecure13 Direct13 Object13 References

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 41: How to avoid top 10 security risks in Java EE applications and how to avoid them

Worst Practice

bull Using13 home-shy‐grown13 security13 features13 instead13 of13 container13 provided13 ones13

bull Assuming13 people13 wont13 know13 some13 URLs13 to13 try13 them13

bull Assuming13 no13 one13 would13 misuse13 the13 extra13 permission13 and13 access13 they13 have

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 42: How to avoid top 10 security risks in Java EE applications and how to avoid them

Java EE 6

bull What13 you13 do13 to13 prevent13 A413 plus13 ndash Use13 Container13 security13 (security-shy‐constraint)13 ndash Use13 programmaCc13 login13 of13 Java13 EE13 613 if13 needed13 ndash Properly13 configure13 security13 realms13 ndash Accurately13 map13 roles13 to13 principalgroups13 (auth-shy‐constraint13 13 security-shy‐role-shy‐mapping)13

ndash Only13 allow13 supportedrequired13 HTTP13 methods13 ndash Accurately13 Categorize13 the13 URL13 paGerns13 and13 permit13 the13 relevant13 roles13 for13 each

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 43: How to avoid top 10 security risks in Java EE applications and how to avoid them

Best Practices

bull Any13 non-shy‐public13 URL13 should13 be13 protected13 bull Use13 container13 authenCcaConauthorizaCon13 features13 or13 extend13 on13 top13 of13 them13

bull If13 not13 enough13 use13 proven13 frameworks13 products13 to13 protect13 the13 resources13

bull If13 user13 can13 get13 getpicid=1x118uf13 it13 does13 not13 mean13 you13 should13 show13 getpicid=1x22ug

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Stay13 with13 ApplicaCon13 server13 cerCfied13 components13 eg13 OS13 frameworks13 libraries13 external13 services13 etc13 as13 long13 as13 possible13

ndash If13 staying13 with13 same13 major13 or13 dot13 release13 ensure13 applying13 all13 patches13 specially13 security13 fixes13

ndash Only13 use13 well13 known13 and13 established13 frameworks13 with13 proven13 records13

A1013 -shy‐13 Unvalidate13 Redirects13 and13 Forwards

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

bull Not13 to13 validateverify13 the13 target13 with13 userrsquos13 access13 level13 before13 doing13 the13 forward13

bull Not13 using13 a13 proper13 access13 control13 mechanism13 (eg13 container13 managed13 and13 proper13 security-shy‐constraint13 )13

bull RedirecCng13 to13 a13 user13 provided13 parameter13 eg13 to13 an13 external13 website

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Java EE 6

bull Donrsquot13 use13 redirect13 or13 forward13 as13 much13 as13 possible13 bull Accurately13 verifyvalidate13 the13 target13 URL13 before13 forwarding13 or13 redirecCng13

bull Redirects13 are13 safe13 when13 using13 container13 managed13 authenCcaConauthorizaCon13 properly13

bull Forwards13 happen13 without13 authenCcaCon13 and13 thus13 requires13 triple13 check13 to13 prevent13 unauthorized13 access

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Galleria Project

hGpsbitbucketorgVineetReynoldsjava-shy‐ee-shy‐6-shy‐galleria

Security isnlsquot all candy

hellip13 but13 you13 will13 love13 it13 in13 the13 end

CC picture reference

bull hGpwwwflickrcomphotoswallyg2439494447sizeslinphotostream13 bull hGpwwwflickrcomphotos62983199N047188112487sizeslinphotostream13 bull hGpwwwflickrcomphotosstuckincustoms3466470709sizeslinphotostream13 bull hGpwwwflickrcomphotoslukemontague187987292sizeslinphotostream13 bull hGpwwwflickrcomphotos0820077108942911sizeslinphotostream13 bull hGpwwwflickrcomphotosndrwfgg140411433sizeslinphotostream13 bull hGpwwwflickrcomphotosgingerblokey4130969725sizeslinphotostream13 bull hGpwwwflickrcomphotosbpc0093328427457sizeslinphotostream13 bull hGpwwwflickrcomphotosmarine_corps6950409157sizeslinphotostream13 bull hGpwwwflickrcomphotoscindy474522898015652sizeslinphotostream13 bull hGpwwwflickrcomphotoszen4494845sizesoinphotostream13

Questionshellip

59

Page 44: How to avoid top 10 security risks in Java EE applications and how to avoid them

A813 -shy‐13 Cross13 Site13 Request13 Forgery13 (CSRF)

What is it

bull Basically13 a13 capture-shy‐replay13 aGack13 bull Malicious13 code13 executes13 funcCons13 on13 your13 behalf13 while13 being13 authenCcated13

bull Deep13 links13 make13 this13 easier13

bull JavaEE13 613 affected13 ndash UI13 technology13 of13 choice13

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

How to spot it

bull Predictable13 URLs13 (for13 logged-shy‐in)13 users13 bull No13 random13 secret13 tokens13 processing13 (CSRF13 Token)13

bull No13 double13 check13 on13 different13 stages13 of13 a13 mulC-shy‐step13 operaCon

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Best Practices

bull Add13 Unpredictability13 (tokens)13 ndash Hidden13 Field13 Single-shy‐Use13 URLs13 ndash Request13 or13 Session13 Scope13

bull CSRFPrevenConForm13 (JSF13 1213 amp13 2) hGpblogeiselenet201102prevenCng-shy‐csrf-shy‐with-shy‐jsf-shy‐20html13

bull Use13 OWASP13 ESAPIhGpwwwjtmeltoncom20100516the-shy‐owasp-shy‐top-shy‐ten-shy‐and-shy‐esapi-shy‐part-shy‐6-shy‐cross-shy‐site-shy‐request-shy‐forgery-shy‐csrf

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

A913 -shy‐13 Using13 Components13 with13 Known13 Vulnerabili7es

What is it

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 commercial13 off13 the13 shelve13 components13 and13 frameworks13

ndash Hard13 to13 track13 list13 of13 vulnerabiliCes13 ndash Hard13 to13 track13 fix13 versions13 ndash 13 Late13 or13 someCmes13 no13 news13 about13 the13 flaws13

Worst Practices

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

ndash Using13 non13 well13 stablished13 frameworks13 and13 components13 specially13 in13 security13 services13

ndash Do13 not13 following13 the13 release13 train13 and13 list13 of13 changes13 or13 announcements13 mailing13 lists13 etc13

ndash Ignoring13 security13 fixes13 because13 of13 update13 expense13 ndash Staying13 with13 dead13 project13 because13 of13 replacing13 refactoring13 costs

Java EE 6

- Stay with application-server-certified components (e.g. open source frameworks, libraries, external services) as long as possible
- If staying with the same major or dot release, make sure all patches, especially security fixes, are applied
- Only use well-known, established frameworks with a proven record

A10 - Unvalidated Redirects and Forwards

What is it

• Redirecting to another URL computed from user-provided parameters
• Forwarding to another URL computed from user-provided parameters

Example of such a redirector: http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting

Worst Practices

• Not validating the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container-managed security with proper security-constraint elements)
• Redirecting to a user-provided parameter, e.g. to an external website

Java EE 6

• Avoid redirects and forwards whose target is computed from input wherever possible
• Validate the target URL accurately (against an allow-list) before forwarding or redirecting
• A redirect makes the browser issue a new request, which passes through the container's security constraints again, so container-managed authentication/authorization still protects the target; an open redirect to an external site remains a phishing risk
• A forward happens inside the container, without re-authentication and without re-evaluating the target's security constraints, so the code doing the forward has to check authorization itself
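An allow-list treatment of both cases on the slide, as an added example that is not from the deck or from the Galleria project: the /external?url= redirector follows only http(s) URLs whose host is on a fixed list, and the /goto?page= forward looks its target up by name and checks the caller's role in code, because the container does not re-apply security constraints to a forward. The hostnames, JSP paths and role names are assumptions.

```java
package example.security;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical replacement for a redirector of the form
 *   response.sendRedirect(request.getParameter("url"));   // the vulnerable pattern
 * plus a forward that re-checks the caller's role (Java EE 6 / Servlet 3.0).
 */
@WebServlet(urlPatterns = {"/external", "/goto"})
public class SafeRedirectServlet extends HttpServlet {

    /** Hosts the redirector may send users to (assumed for the demo). */
    private static final Set<String> ALLOWED_HOSTS = new HashSet<String>(
            Arrays.asList("www.adam-bien.com", "glassfish.org"));

    /** Forward targets by short name with the role required; never built from the raw parameter. */
    private static final Map<String, String[]> FORWARDS;
    static {
        Map<String, String[]> m = new HashMap<String, String[]>();
        m.put("reports", new String[] {"/WEB-INF/jsp/reports.jsp", "manager"});
        m.put("profile", new String[] {"/WEB-INF/jsp/profile.jsp", "user"});
        FORWARDS = Collections.unmodifiableMap(m);
    }

    /** Returns the validated absolute URL, or null if the target is not acceptable. */
    static String validateExternal(String raw) {
        if (raw == null) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Reject relative and scheme-relative URLs, non-HTTP schemes (javascript:, data:),
        // userinfo tricks such as http://www.adam-bien.com@evil.example/ and unknown hosts.
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return null;
        }
        if (uri.getUserInfo() != null || host == null) {
            return null;
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        return uri.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/external".equals(req.getServletPath())) {
            String target = validateExternal(req.getParameter("url"));
            if (target == null) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown redirect target");
                return;
            }
            // The browser issues a new request, so the target's own security constraints apply.
            resp.sendRedirect(target);
            return;
        }

        // "/goto?page=reports": the forward stays inside the container, so the target's
        // security-constraint is not evaluated again; the role check has to happen here.
        String[] entry = FORWARDS.get(req.getParameter("page"));
        if (entry == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (req.getUserPrincipal() == null || !req.isUserInRole(entry[1])) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.getRequestDispatcher(entry[0]).forward(req, resp);
    }
}
```

Keeping the forward targets under /WEB-INF means they cannot be requested directly either, so the role check in doGet is the only way in. If the redirector must accept arbitrary external links, a confirmation page that shows the destination before redirecting is the usual fallback.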

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

CC picture reference

• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/
• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/
• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/
• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/
• http://www.flickr.com/photos/0820077108942911/sizes/l/in/photostream/ (user and photo id run together in the source)
• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/
• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/
• http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/
• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/
• http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/
• http://www.flickr.com/photos/zen/4494845/sizes/o/in/photostream/

Questions…


Page 53: How to avoid top 10 security risks in Java EE applications and how to avoid them

What is it

bull Redirec7ng13 to13 another13 URL13 computed13 by13 user13 provided13 parameters13

bull Forward13 to13 another13 URL13 computed13 by13 user13 provided13 parameters

httpwwwjavanetexternalurl=httpwwwadam-biencomrollerabienentryconveniently_transactionally_and_legally_starting

A113 A213 A313 A413

A513 A613 A713 A813

A913 A1013

Worst Practices

• Not validating/verifying the target against the user's access level before doing the forward

• Not using a proper access control mechanism (e.g. container-managed security with a proper security-constraint)

• Redirecting to a user-provided parameter, e.g. to an external website


Java EE 6

• Avoid redirects and forwards wherever possible

• Accurately verify/validate the target URL before forwarding or redirecting

• Redirects are safe when container-managed authentication/authorization is used properly

• Forwards happen without authentication and therefore require triple-checking to prevent unauthorized access

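An added example, not code from the slides or from the Galleria project, of how the rules on the Java EE 6 slide can be applied in a Servlet 3.0 servlet: the target is validated against an allow-list of application-relative paths before any redirect or forward, and because a forward never passes through the container's security-constraint again, the user's role is checked explicitly on that path. The servlet name, the `/go` URL pattern, the `target` and `mode` parameters, the `admin` role and the allow-listed paths are all assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Example servlet (assumed name and mapping); not part of the original deck.
@WebServlet("/go")
public class SafeRedirectServlet extends HttpServlet {

    // Allow-list of application-relative targets (assumed paths). Anything
    // not listed here, and anything carrying a scheme or host, is refused.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("/home", "/album/list", "/account/profile")));

    // Pages under this prefix require the "admin" role (assumed role name).
    // A redirect to them is gated by the container's security-constraint,
    // but a forward is not, so the role is enforced here as well.
    private static final String ADMIN_PREFIX = "/admin/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = validateTarget(req.getParameter("target"));
        if (target == null) {
            // Never fall back to the raw parameter: refuse and stop.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid target");
            return;
        }
        if ("forward".equals(req.getParameter("mode"))) {
            // Forward: the container does not re-run authentication or the
            // security-constraint for the new path, so check access first.
            if (target.startsWith(ADMIN_PREFIX) && !req.isUserInRole("admin")) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            RequestDispatcher rd = req.getRequestDispatcher(target);
            rd.forward(req, resp);
        } else {
            // Redirect: the browser issues a fresh request, so the container's
            // security-constraint applies; the target still has to be ours.
            resp.sendRedirect(req.getContextPath() + target);
        }
    }

    /**
     * Returns a canonical application-relative path, or null when the value
     * is absent, malformed, absolute, protocol-relative, escapes the root,
     * or is not on the allow-list.
     */
    static String validateTarget(String raw) {
        if (raw == null || raw.isEmpty()) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return null; // backslashes, spaces and other illegal characters end up here
        }
        // "http://other.example", "//other.example/x" and "javascript:..." all
        // carry a scheme or an authority and are rejected outright.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return null;
        }
        // normalize() collapses "." and "a/../b"; a leading ".." survives it
        // and is caught by the contains check below.
        String path = uri.normalize().getPath();
        if (path == null || !path.startsWith("/") || path.contains("..")) {
            return null;
        }
        if (ALLOWED.contains(path) || path.startsWith(ADMIN_PREFIX)) {
            return path;
        }
        return null;
    }
}
```

Pair this with a security-constraint in web.xml covering the same admin prefix so that the redirect path is also protected by the container; the explicit isUserInRole check exists only because the forward path never reaches the container's authorization step. Validating before the dispatch, rather than trying to sanitize the parameter, is what keeps the servlet from becoming an open redirect.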

Galleria Project

https://bitbucket.org/VineetReynolds/java-ee-6-galleria

Security isn't all candy

… but you will love it in the end

CC picture reference

• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream

• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream

• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream

• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream

• http://www.flickr.com/photos/0820077108942911/sizes/l/in/photostream (user and photo id run together in the source)

• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream

• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream

• http://www.flickr.com/photos/bpc0093328427457/sizes/l/in/photostream (user and photo id run together in the source)

• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream

• http://www.flickr.com/photos/cindy474522898015652/sizes/l/in/photostream (user and photo id run together in the source)

• http://www.flickr.com/photos/zen4494845/sizes/o/in/photostream (user and photo id run together in the source)

Questions…

59