OWASP Security Top Ten and the techniques to prevent them in Java
www.xebia.fr / blog.xebia.fr
OWASP Security Top Ten: OWASP top ten and Java protections
Cyrille Le [email protected]
Tuesday, November 24, 2009
OWASP Security Top Ten
This presentation is based on OWASP Top 10 For Java EE: The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications, http://www.owasp.org/index.php/Top_10_2007
Cross Site Scripting (XSS)
What? A subset of HTML injection: data provided by malicious users is rendered in web pages and executes scripts.
Goal? Hijack the user session, steal user data, deface the web site, etc.
Sample lastName:
Cyrille "><script ... />
Cross Site Scripting (XSS): How to prevent it?
Input validation: JSR 303 Bean Validation

Bean:
public class Person {
    @Size(min = 1, max = 256)
    private String lastName;

    @Size(max = 256)
    @Pattern(regexp = ".+@.+\\.[a-z]+")
    private String email;
    ...
}

Controller:
@Controller("/person")
public class PersonController {
    @RequestMapping(method = RequestMethod.POST)
    public void save(@Valid Person person) {
        // ...
    }
}
Cross Site Scripting (XSS): How to prevent it?
HTML output escaping

JSTL (escapes):
<h2>Welcome <c:out value="${person.lastName}" /></h2>

Expression language danger: JSP EL does NOT escape!!!
<h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>

Spring MVC
» Global escaping (web.xml):
<web-app>
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
    ...
</web-app>
» Page level:
<spring:htmlEscape defaultHtmlEscape="true" />
Cross Site Scripting (XSS): How to prevent it?
Use HttpOnly cookies: cookies not accessible via JavaScript
Introduced with Servlet 3.0:
cookie.setHttpOnly(true);
Since Tomcat 6.0.20 for session cookies (no web.xml configuration for JSESSIONID):
<Context useHttpOnly="true">...</Context>
Manual workaround (addHeader, not setHeader: setHeader would discard any Set-Cookie header already queued; bar must not contain ';' or line breaks):
response.addHeader("Set-Cookie", "foo=" + bar + "; HttpOnly");
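Servlet 3.0 also exposes the session cookie settings programmatically, so the JSESSIONID flags can be set without a container-specific <Context> tweak. The listener below is an added example (not code from the slides); the second method is the manual workaround done defensively, with a hypothetical character whitelist for the cookie value.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original slides): harden the session cookie at startup,
// before the container has issued its first JSESSIONID.
public final class SessionCookieHardening implements ServletContextListener {

    public void contextInitialized(ServletContextEvent event) {
        SessionCookieConfig cookieConfig = event.getServletContext().getSessionCookieConfig();
        cookieConfig.setHttpOnly(true);   // JSESSIONID is no longer readable from document.cookie
        cookieConfig.setSecure(true);     // and is never sent over plain HTTP
    }

    public void contextDestroyed(ServletContextEvent event) {
        // nothing to release
    }

    // Pre-3.0 workaround for application cookies: emit the header by hand.
    // addHeader rather than setHeader, so cookies already queued on the response survive,
    // and a whitelist (assumed here) so the value cannot smuggle extra attributes or header lines.
    public static void addHttpOnlyCookie(HttpServletResponse response, String name, String value) {
        if (!name.matches("[A-Za-z0-9_-]+") || !value.matches("[A-Za-z0-9_=+/.-]*")) {
            throw new IllegalArgumentException("illegal cookie name or value");
        }
        response.addHeader("Set-Cookie", name + "=" + value + "; Path=/; HttpOnly");
    }
}
```

Register the listener in web.xml with <listener><listener-class>...SessionCookieHardening</listener-class></listener> (or @WebListener on Servlet 3.0).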
Cross Site Scripting (XSS): How to prevent it?
Do not use blacklist validation (forbidden: <script>, <img>) but whitelist validation: prefer the wiki/forum whitelist style, e.g. [img], [url], [strong]
Injection Flaws
What? Malicious data provided by a user to read or modify sensitive data.
Types of injection: SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more.
Goal? Create, modify, delete, read data.
Sample lastName:
Cyrille "; INSERT INTO MONEY_TRANSFER ...
Injection Flaws: How to prevent it?
Input validation: XSD with regular expressions, min and max values, etc.; JSR 303 Bean Validation
Injection Flaws: How to prevent it?
Use strongly typed parameterized query APIs

JDBC:
preparedStatement.setString(1, lastName);

JPA:
query.setParameter("lastName", lastName);

HTTP (Commons HttpClient):
GetMethod getMethod = new GetMethod("/findPerson");
getMethod.setQueryString(new NameValuePair[] { new NameValuePair("lastName", lastName) });

XML (DOM):
Element lastNameElt = doc.createElement("lastName");
lastNameElt.appendChild(doc.createTextNode(lastName));

XPath :-(
Injection Flaws: How to prevent it?
If no parameterized API is available, use escaping libraries, very cautiously!!!

HTML:
"<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";

JavaScript:
"lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";

HTTP:
"/findPerson?lastName=" + URLEncoder.encode(lastName, "UTF-8");

XML:
"<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";

Don't use simple escaping functions! Caution:
StringUtils.replaceChars(lastName, "'", "''");
Injection Flaws: How to prevent it?
Don't use dynamic queries at all!

Dynamic query (vulnerable):
if (StringUtils.isNotEmpty(lastName)) {
    jpaQl += " lastName like '" + lastName + "'";
}

JPA 1 Query API (named parameters):
Map<String, Object> parameters = new HashMap<String, Object>();
if (StringUtils.isNotEmpty(lastName)) {
    jpaQl += " lastName like :lastName ";
    parameters.put("lastName", lastName);
}
Query query = entityManager.createQuery(jpaQl);
for (Entry<String, Object> parameter : parameters.entrySet()) {
    query.setParameter(parameter.getKey(), parameter.getValue());
}

Criteria API (Hibernate Restrictions shown; JPA 2 has its own Criteria API):
if (StringUtils.isNotEmpty(lastName)) {
    criteria.add(Restrictions.like("lastName", lastName));
}
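The same optional-filter search rebuilt on the JPA 2 Criteria API, as an added example that is not code from the slides: every user value travels as a named parameter, so no query text is ever concatenated. It assumes a JPA entity Person with String fields lastName and email.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;

// Added example (not from the original slides): optional filters without dynamic JPQL.
// Person is an assumed entity with String fields lastName and email.
public final class PersonSearch {
    private final EntityManager entityManager;

    public PersonSearch(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    public List<Person> find(String lastName, String email) {
        CriteriaBuilder cb = entityManager.getCriteriaBuilder();
        CriteriaQuery<Person> query = cb.createQuery(Person.class);
        Root<Person> person = query.from(Person.class);
        List<Predicate> predicates = new ArrayList<Predicate>();
        Map<String, String> values = new HashMap<String, String>();   // only the filters in use get bound
        if (lastName != null && lastName.length() > 0) {
            // Named parameter, never a literal: the value cannot change the structure of the query.
            // LIKE still honours '%' and '_' inside the value; use cb.equal for an exact match.
            predicates.add(cb.like(person.<String>get("lastName"), cb.parameter(String.class, "lastName")));
            values.put("lastName", lastName);
        }
        if (email != null && email.length() > 0) {
            predicates.add(cb.equal(person.<String>get("email"), cb.parameter(String.class, "email")));
            values.put("email", email);
        }
        query.select(person).where(predicates.toArray(new Predicate[predicates.size()]));
        TypedQuery<Person> typed = entityManager.createQuery(query);
        for (Map.Entry<String, String> bound : values.entrySet()) {
            typed.setParameter(bound.getKey(), bound.getValue());
        }
        return typed.getResultList();
    }
}
```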
Injection Flaws: How to prevent it?
Enforce least privilege: don't run as root; limit database access to Data Manipulation Language; limit file system access; use firewalls to control traffic entering from and going to the Internet
Malicious File Execution
What? A malicious file or file path provided by users is used to access files.
Goal? Read or modify sensitive data; remotely execute files (rootkits, etc).
Sample pictureName:
../../WEB-INF/web.xml
Malicious File Execution: How to prevent it?
Don't build file paths from user-provided data
Don't execute commands with user-provided data
Give users an indirection identifier instead of the real file name
Use firewalls to prevent servers from connecting to outside sites

Vulnerable samples:
String picturesFolder = servletContext.getRealPath("/pictures");
String pictureName = request.getParameter("pictureName");
File picture = new File(picturesFolder + "/" + pictureName);   // path traversal: "../../WEB-INF/web.xml"

Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));   // command injection
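The hardened counterpart of the two vulnerable snippets above, as an added example that is not code from the slides: a whitelist on the name, a canonical-path check as defence in depth, and a shell-free process launch. The picture folder is the same servletContext.getRealPath("/pictures"); the name pattern and the imageprocessor binary are assumptions.

```java
import java.io.File;
import java.io.IOException;

// Added example (not from the original slides): safe resolution and processing of a picture
// whose name comes from the request.
public final class SafePictureAccess {
    private final File baseDir;

    public SafePictureAccess(String picturesFolder) throws IOException {
        this.baseDir = new File(picturesFolder).getCanonicalFile();
    }

    // Returns the picture inside baseDir, or null when the name is rejected.
    public File resolve(String pictureName) throws IOException {
        // Whitelist (assumed policy): a bare file name with a known extension, so no separators and no "..".
        if (pictureName == null || !pictureName.matches("[A-Za-z0-9_-]{1,64}\\.(png|jpg|gif)")) {
            return null;
        }
        File candidate = new File(baseDir, pictureName).getCanonicalFile();
        // Defence in depth: canonicalisation resolves symlinks and "..", then confirm we are still
        // inside the folder. The trailing separator stops "/pictures-private" matching "/pictures".
        if (!candidate.getPath().startsWith(baseDir.getPath() + File.separator)) {
            return null;
        }
        return candidate.isFile() ? candidate : null;
    }

    // Command execution without a shell: each argument is passed separately, so nothing in the
    // name can become a second command, and the absolute path cannot be mistaken for an option.
    public Process process(File picture) throws IOException {
        if (picture == null) {
            throw new IllegalArgumentException("no picture");
        }
        return new ProcessBuilder("imageprocessor", picture.getAbsolutePath()).start();
    }
}
```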
Insecure Direct Object Reference
What? Transmitting user-forgeable identifiers without checking them server side.
Goal? Create, modify, delete, read other users' data.
Sample:
<html><body>
<form name="shoppingCart">
    <input name="id" type="hidden" value="32" />
    ...
</form>
</body></html>

ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));
Insecure Direct Object Reference: How to prevent it?
Input identifier validation: reject wildcards ("10%20")
Add server side identifiers
Control access permissions: see Spring Security

Criteria criteria = session.createCriteria(ShoppingCart.class);
criteria.add(Restrictions.eq("id", request.getParameter("id")));           // eq, not like: a wildcard in the id must not widen the match
criteria.add(Restrictions.eq("clientId", request.getRemoteUser()));       // server side identifier: the cart must belong to the authenticated user
ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();
Insecure Direct Object Reference: How to prevent it?
Use server side indirection with generated random identifiers
See org.owasp.esapi.AccessReferenceMap

Rendering the form:
String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());
<html><body>
<form name="shoppingCart">
    <input name="id" type="hidden" value="${indirectId}" />
    ...
</form>
</body></html>

Handling the submit:
String indirectId = request.getParameter("id");
String id = accessReferenceMap.getDirectReference(indirectId);
ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);
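A minimal indirection map in the spirit of org.owasp.esapi.AccessReferenceMap, as an added example that is neither ESAPI's code nor code from the slides. The class name is hypothetical; one instance is meant to live in each user's HttpSession, so a token minted for one user resolves nothing in another user's session.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Added example (not from the original slides): direct references (cart ids, file names)
// never leave the server; the browser only ever sees random, per-session tokens.
public final class IndirectReferenceMap {
    private static final SecureRandom RANDOM = new SecureRandom();
    private final Map<String, Object> indirectToDirect = new HashMap<String, Object>();
    private final Map<Object, String> directToIndirect = new HashMap<Object, String>();

    // Returns the token already issued for a direct reference, or mints an unguessable one.
    public synchronized String getIndirectReference(Object direct) {
        String indirect = directToIndirect.get(direct);
        if (indirect == null) {
            byte[] bytes = new byte[16];   // 128 bits of randomness per token
            do {
                RANDOM.nextBytes(bytes);
                indirect = toHex(bytes);
            } while (indirectToDirect.containsKey(indirect));
            indirectToDirect.put(indirect, direct);
            directToIndirect.put(direct, indirect);
        }
        return indirect;
    }

    // Resolves a token back to the direct reference. A token this session never issued is an
    // access violation, not a lookup miss, so it fails loudly instead of returning null.
    public synchronized Object getDirectReference(String indirect) {
        Object direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) {
            throw new SecurityException("unknown indirect reference");
        }
        return direct;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

With this map the two snippets above become accessReferenceMap.getIndirectReference(shoppingCart.getId()) when rendering and (Long) accessReferenceMap.getDirectReference(request.getParameter("id")) when handling the submit.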
Cross Site Request Forgery (CSRF)
What? Assumes that the user is logged in to another web site and sends that site a malicious request.
Ajax web sites are very exposed!
Goal? Perform operations without asking the user.
Sample:
http://mybank.com/transfer.do?amount=100000&recipientAccount=12345
Cross Site Request Forgery (CSRF): How to prevent it?
Ensure that no XSS vulnerability exists in your application
Use a random token in sensitive forms
Spring Web Flow and Struts 2 provide such random token mechanisms
Re-authenticate the user for sensitive operations

<form action="/transfer.do">
    <input name="token" type="hidden" value="14689423257893257" />
    <input name="amount" />
    ...
</form>
Information Leakage and Improper Exception Handling
What? Sensitive code details handed to attackers, usually through raised exceptions.
Goal? Discover code details that reveal vulnerabilities.
Information Leakage and Improper Exception Handling: How to prevent it?
Avoid detailed error messages; beware of development mode messages!

web.xml:
<web-app>
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/empty-error-page.jsp</location>
    </error-page>
    ...
</web-app>

Tomcat (server.xml):
<Server ...>
    <Service ...>
        <Engine ...>
            <Host errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve" ...>
                ...
            </Host>
        </Engine>
    </Service>
</Server>
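A servlet that can stand behind the <location> above instead of a JSP, as an added example that is not code from the slides: the full stack trace is kept server side under a random incident id, and the client sees only that id. The class name and the use of java.util.logging are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original slides): generic error page that never echoes
// exception text, class names or the offending URL back to the browser.
public final class EmptyErrorPageServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(EmptyErrorPageServlet.class.getName());

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Standard attributes the container sets when it forwards to an <error-page>.
        Throwable error = (Throwable) request.getAttribute("javax.servlet.error.exception");
        Integer status = (Integer) request.getAttribute("javax.servlet.error.status_code");
        String uri = (String) request.getAttribute("javax.servlet.error.request_uri");

        // Everything useful for debugging goes to the server log, keyed by an opaque id.
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "incident " + incidentId + " status " + status + " on " + uri, error);

        response.setStatus(status == null ? HttpServletResponse.SC_INTERNAL_SERVER_ERROR : status);
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body><h2>An error occurred</h2>");
        // Only the id is rendered; it is generated here, so it needs no escaping.
        out.println("<p>Please contact support and quote incident " + incidentId + ".</p>");
        out.println("</body></html>");
    }
}
```

Map the servlet to a path such as /empty-error-page and point the <location> element at that path.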
Information Leakage and Improper Exception Handling: How to prevent it?
Don't display stack traces in SOAP Faults
Sanitize GUI error messages. Sample: "Invalid login or password"
Broken Authentication and Session Management
What? Web authentication and session handling have many pitfalls.
Goal? Hijack the user session.
Broken Authentication and Session Management: How to prevent it?
Log session initiation and sensitive data access: remote IP, time, login, sensitive data and operation accessed. Use a dedicated log4j output file that is never overwritten.
Use out of the box session and authentication mechanisms: don't create your own cookies; look at Spring Security.

# Audit
log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.audit.datePattern='-'yyyyMMdd
log4j.appender.audit.file=audit.log
log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.audit.layout.conversionPattern=%m %throwable{short}\n

log4j.logger.com.mycompany.audit.Audit=INFO, audit
log4j.additivity.com.mycompany.audit.Audit=false
Broken Authentication and Session Management: How to prevent it?
Use SSL and a random token for authentication pages, including the login page display
Regenerate a new session on successful authentication
Use HttpOnly session cookies; don't use URL-rewriting-based session handling
Prevent brute force attacks using timeouts or account locking on repeated authentication failures
Don't store clear text passwords; consider SSHA (salted SHA)
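Two of the rules above done by hand, for an application that is not on Spring Security, as an added example that is not code from the slides: locking a login after repeated failures, and replacing the pre-login session id on success so a fixated id is worthless. The failure counters are assumed to live in this JVM only; a clustered deployment would keep them in the database.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example (not from the original slides): brute-force lockout and session regeneration.
public final class LoginHardening {
    private static final int MAX_FAILURES = 5;                    // assumed policy
    private static final long LOCK_MILLIS = 15 * 60 * 1000L;       // assumed policy: 15 minutes
    private static final class Failures { int count; long lockedUntil; }
    private final Map<String, Failures> failures = new HashMap<String, Failures>();

    // Check before verifying the password, so a locked account is not even compared.
    public synchronized boolean isLocked(String login) {
        Failures f = failures.get(login);
        return f != null && f.lockedUntil > System.currentTimeMillis();
    }

    public synchronized void recordFailure(String login) {
        Failures f = failures.get(login);
        if (f == null) { f = new Failures(); failures.put(login, f); }
        if (++f.count >= MAX_FAILURES) {
            f.lockedUntil = System.currentTimeMillis() + LOCK_MILLIS;
            f.count = 0;
        }
    }

    // On success: invalidate the session the browser had before authenticating (its id may have
    // been planted by an attacker), issue a fresh one, and carry the attributes over.
    public HttpSession regenerateSession(HttpServletRequest request, String login) {
        Map<String, Object> attributes = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);   // new JSESSIONID from the container
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("login", login);
        synchronized (this) { failures.remove(login); }  // a successful login resets the counter
        return fresh;
    }
}
```

On a Servlet 3.1 container, HttpServletRequest.changeSessionId() performs the id rotation in one call.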
Broken Authentication and Session Management: How to prevent it?
Use a session timeout period
Remember-me cookies must be invalidated on password change (see Spring Security)
Beware not to write passwords in log files
Server-generated passwords (lost password, etc) must be valid only once
Be able to distinguish SSL communications
Broken Authentication and Session Management: How to prevent it?
For server-to-server communication, use remote IP control in addition to password validation
Insecure Cryptographic Storage
What? Cryptography has many traps.
Goal? Steal sensitive data.
Insecure Cryptographic Storage: How to prevent it?
Don't invent custom cryptography solutions: Java offers approved algorithms for hashing, symmetric key and public key encryption. Double hashing is a custom, weak algorithm.
Don't use weak algorithms: MD5, SHA1, etc are weak; prefer SHA-256.
Beware of private key storage: Java doesn't offer chroot mechanisms to limit private key file access to root. Storing secrets on servers requires expertise.
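The SSHA password storage recommended on the authentication slide, built on the SHA-256 this slide prefers, as an added example that is not code from the slides. Stored form (an assumption of this example): "{SSHA256}" followed by base64(SHA-256(password || salt) || salt); it needs Java 8 for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example (not from the original slides): salted SHA-256 password hashing and verification.
public final class SaltedPasswordHasher {
    private static final String PREFIX = "{SSHA256}";
    private static final int SALT_BYTES = 16;
    private static final int HASH_BYTES = 32;   // SHA-256 output size
    private static final SecureRandom RANDOM = new SecureRandom();

    public static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);   // fresh salt per password: equal passwords get different hashes
        byte[] digest = digest(password, salt);
        byte[] stored = new byte[HASH_BYTES + SALT_BYTES];
        System.arraycopy(digest, 0, stored, 0, HASH_BYTES);
        System.arraycopy(salt, 0, stored, HASH_BYTES, SALT_BYTES);
        return PREFIX + Base64.getEncoder().encodeToString(stored);
    }

    public static boolean verify(String storedValue, String candidate) {
        if (storedValue == null || candidate == null || !storedValue.startsWith(PREFIX)) {
            return false;
        }
        byte[] stored = Base64.getDecoder().decode(storedValue.substring(PREFIX.length()));
        if (stored.length != HASH_BYTES + SALT_BYTES) {
            return false;
        }
        byte[] expected = new byte[HASH_BYTES];
        byte[] salt = new byte[SALT_BYTES];
        System.arraycopy(stored, 0, expected, 0, HASH_BYTES);
        System.arraycopy(stored, HASH_BYTES, salt, 0, SALT_BYTES);
        // Constant-time comparison: the time taken does not reveal how many leading bytes matched.
        return MessageDigest.isEqual(expected, digest(candidate, salt));
    }

    private static byte[] digest(String password, byte[] salt) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            sha256.update(password.getBytes(StandardCharsets.UTF_8));
            sha256.update(salt);
            return sha256.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }
}
```

A current deployment would replace the single SHA-256 round with a deliberately slow key derivation such as PBKDF2 (javax.crypto.SecretKeyFactory, "PBKDF2WithHmacSHA1"), keeping the salt handling and the constant-time check unchanged.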
Insecure Communications
What? Unsecured communications are easy to eavesdrop on and tamper with.
Goal? Steal sensitive data, hijack the user session.
Insecure Communications: How to prevent it?
Use SSL with the Servlet API

request.isSecure()

<web-app ...>
    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted web services</web-resource-name>
            <url-pattern>/services/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    ...
</web-app>
Insecure Communications: How to prevent it?
Use SSL with Spring Security

<beans ...>
    <sec:http auto-config="true">
        <sec:intercept-url pattern="/services/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY" />
    </sec:http>
</beans>
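Enforcing the channel in code, as an added example that is not code from the slides, for the case neither declaration above can see: TLS terminated at a reverse proxy, where request.isSecure() is false on the application server. The proxy address is a constructed placeholder; the filter only trusts X-Forwarded-Proto from that address, since any client can send the header.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original slides): require TLS, directly or via a trusted proxy.
public final class RequireTlsFilter implements Filter {
    // Constructed placeholder: addresses of the TLS-terminating proxies allowed to vouch for https.
    private static final Set<String> TRUSTED_PROXIES = new HashSet<String>(Arrays.asList("10.0.0.5"));

    public void init(FilterConfig config) {}
    public void destroy() {}

    // True only if the container saw TLS itself, or a trusted proxy asserts it for this hop.
    public static boolean isTls(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        String proto = request.getHeader("X-Forwarded-Proto");
        return proto != null
                && TRUSTED_PROXIES.contains(request.getRemoteAddr())
                && "https".equalsIgnoreCase(proto.trim());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isTls(request)) {
            if (!"GET".equals(request.getMethod())) {
                // The body already crossed the wire in clear and a redirect would drop it: refuse.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
                return;
            }
            // Safe to bounce a GET to the same host over https.
            String target = "https://" + request.getServerName() + request.getRequestURI();
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            response.sendRedirect(target);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to /services/* so it covers the same resources as the declarative constraints above.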