2013 06-27-securecoding-en - jug pch

Secure
Coding
for
Java
(an
introduc3on)
Java
User
Group
Poitou-‐Charentes
(Niort)
27
Juin
2013
Sébas3en
Gioria
Sebas0en.Gioria@owasp.org
Chapter
Leader
OWASP
France
Friday, June 28, 13

http://www.google.fr/#q=sebastien gioria
‣OWASP France Leader & Founder &
Evangelist
‣Innovation & Technology @ Advens
Twitter :@SPoint / @OWASP_France
2
‣Application Security group leader for the
CLUSIF
‣Proud father of youngs kids trying to hack my
digital life.
Ne
vous
inquietez
pas
c’est
le
seul
slide
en
anglais,
par
contre
il
y
aura
des
trucs
d’écrits
partout
en
bas...
Friday, June 28, 13

ForeWords
• This
is
a
presenta,on
made
from
my
own

experience
with
some
company
using

OWASP
materials.
• Only
the
documents
from
OWASP
wiki
are

OWASP
oﬃcials
(see
hEps://www.owasp.org)
• Some
extracts
come
from
document
I
wrote

as
OWASP
leader,
this
is
why
you
could
ﬁnd
it

elsewhere.
5
Friday, June 28, 13

• Applica,on
Security
:
–where
we
are
(no
bullshit)
–where
we
are
(hopefully)

going
?
• Using
OWASP
materials
to

secure
code
• Secure
Coding
principles
Agenda
Friday, June 28, 13

Introduc3on
5
Friday, June 28, 13

Why
Applica0on
Security
?
6
Friday, June 28, 13

Why
Applica0on
Security
?
6
Your
Application
been Hacked
Friday, June 28, 13

Why
Applica0on
Security
?
6
Your
Application
been Hacked
YES
Friday, June 28, 13

Why
Applica0on
Security
?
6
Your
Application
been Hacked
NO
YES
Friday, June 28, 13

Why
Applica0on
Security
?
6
Your
Application
will be
Hacked ;)
Your
Application
been Hacked
NO
YES
Friday, June 28, 13

Why
Applica0on
Security
?
6
Your
Application
will be
Hacked ;)
Your
Application
been Hacked
YES
NO
YES
Friday, June 28, 13

Why
Applica0on
Security
?
6
Your
Application
will be
Hacked ;)
Your
Application
been Hacked
YES
NO
NO
YES
Friday, June 28, 13

Why
Applica0on
Security
?
6
Let Me take
you on the
right way
Your
Application
will be
Hacked ;)
Your
Application
been Hacked
YES
NO
NO
YES
Friday, June 28, 13

Why
Applica0on
Security
?
6
My Application will be
hacked !
Let Me take
you on the
right way
Your
Application
will be
Hacked ;)
Your
Application
been Hacked
YES
NO
NO
YES
Friday, June 28, 13

Why
Applica0on
Security
?
6
My Application will be
hacked !
Let Me take
you on the
right way
Your
Application
will be
Hacked ;)
Your
Application
been Hacked
YES
NO
NO
YES
Next
Step
Friday, June 28, 13

We
are
living
in
a
Digital
environment,
in
a
Connected
World
vMost
of
websites
vulnerable
to
aTacks
vImportant
%
of
web-‐based
Business
(Services,
Online
Store,
Self-‐care,
Telcos,

SCADA,
...)
Why
Applica0on
Security
?

Age
of
An0virus
Age
of

Network
Security
Age
of

Applica0on
Security
7
Friday, June 28, 13

Consequences
of
bad
or
no
security
–IdenPty
theQ
–Hardware
theQ
–IT
downPme

–Bad
Media
coverage
–Financials
loss
–Customers
loss
–Legals/business
penalty

8
Friday, June 28, 13

What
Verizon
(PCI-‐DSS
company)

said
?
©
Verizon
2012
9
Friday, June 28, 13

©
Verizon
2012
Verizon
Study
10
Friday, June 28, 13

Verizon
study

11
©
Verizon
2012
Friday, June 28, 13

12
(c)
WhiteHatSecurity
2013
Friday, June 28, 13

What
you
CIO
Said
:
I
got
a
Firewall
!

27
Friday, June 28, 13

What
your
business
user
said
:
I

have
SSL
based
Web
Site
28
Friday, June 28, 13

What
your
business
user
said
:
only
the

hacker
can
aMack
my
website
• Tools
are
more
and

more
simples.
• Try
a
simple
request

on
google
website
on

SQL
InjecPon
and

look
at
it.
• An
aEack
on
a
Web

Server
cost
100$/
200$
per
day
on
the

underground
market.
29
Friday, June 28, 13

What
your
user
said
:
a
vulnerability
on

internal
ApplicaPon
is
not
criPcal.
• No,
The
web
is
anywhere,
and
CSRF,
HTML5
CORS

and
more
can
make
this
complete
destrucPve
• Be
aware
and
share
this
:

• AJAX
doing
a
lot
of
things
without
you
• Be
aware
and
share
this
:

•
HTML5
will
come
with
“nice”
user
funcPonality
,
but
with

big
impact
on
security
(WebSocket,
CORS,
...)
30
Friday, June 28, 13

But
I
do
Security
tesPng
!

17
Security
Tes3ng
Coding
Friday, June 28, 13

Majors OWASP
publications you can use
All are on the wiki https://www.owasp.org
All are under GPL or friendly licenses
Majors publications you can use to secure
your projects/SDLC
Building
Guide
Code Review
Guide
Testing Guide
Application Security Desk Reference (ASDR)
Top10 reference this 3 guides
Ø OWASP Top10
Ø Auditor/Testing Guide
Ø Code Review Guide
Ø Building Guide
Ø Application Security Verification
Standard (ASVS)
Ø Secure Coding Practices
12
Friday, June 28, 13

Learn Contract
Friday, June 28, 13

Learn Contract Design
Friday, June 28, 13

Learn Contract Design
Build
Friday, June 28, 13

Learn Contract
Test
Design
Build
Friday, June 28, 13

Learn Contract
Test
Design
Build Progress
Friday, June 28, 13

OWASP
Applica,on
Security
Veriﬁca,on
Standard
20
Friday, June 28, 13

What
is
ASVS
?
• A
standard
that
provides
a
basis
for
the

veriﬁcaPon
of
web
applicaPons
applicaPon-‐
independent.
• A
standard
life-‐cycle
model
independent.
• A
standard
that
deﬁne
requirements
that
can
be

applied
across
applicaPons
without
special

interpretaPon. 43
Friday, June 28, 13

What
are
ASVS
responses
?
• How
much
trust
can
be
placed
in
a
web

applicaPon?
• What
features
should
be
built
into
security

controls?
• How
do
I
acquire
a
web
applicaPon
that
is

veriﬁed
to
have
a
certain
range
in
coverage

and
level
of
rigor?
Friday, June 28, 13

ASVS
secure
controls

requirements
Security Area
Level
1A
Level
1B
Level
2A
Level
2B
Level 3 Level 4
V1 – Security Architecture Verification Requirements 1 1 2 2 4 5
V2 – Authentication Verification Requirements 3 2 9 13 13 14
V3 – Session Management Verification Requirements 4 1 6 7 8 9
V4 – Access Control Verification Requirements 5 1 12 13 14 15
V5 – Input Validation Verification Requirements 3 1 5 7 8 9
V6 – Output Encoding/Escaping Verification Requirements 0 1 2 8 9 10
V7 – Cryptography Verification Requirements 0 0 2 8 9 10
V8 – Error Handling and Logging Verification Requirements 1 1 2 8 8 9
V9 – Data Protection Verification Requirements 1 1 2 3 4 4
V10 – Communication Security Verification Requirements 1 0 3 6 8 8
V11 – HTTP Security Verification Requirements 3 3 6 6 7 7
V12 – Security Configuration Verification Requirements 0 0 0 2 3 4
V13 – Malicious Code Search Verification Requirements 0 0 0 0 0 5
V14 – Internal Security Verification Requirements 0 0 0 0 1 3
Totals 22 12 51 83 96 112
23
Friday, June 28, 13

But
ASVS
stand
for
VeriﬁcaPon
?
• ASVS
just
said
funcPonals
needs
for
controls.

• You
should
use
it
as
a
Secure
Coding
Policy.
★Don’t
be
medium(ASVS
Level1/2),
just

target
excellence
(ASVS
Level
4)
24
Friday, June 28, 13

Using
ASVS
as
a
secure
coding

policy
• ASVS
:
Verify
that
all
password
fields
do
not

echo
the
user’s
password
when
it
is
entered.
➡All
Password
fields
must
be
define
as
HTML

password
fields
and
must
not
echo
user
password.

➡All
login
forms
must
include
autocomplete=off
tag

• ASVS
:
Verify
that
all
input
validaPon
is

performed
on
the
server
side.

➡Performs
all
input
valida,on
on
the
server.

Nothing
in
the
browser
25
Friday, June 28, 13

Posi,ve
aatude
Nega0ve
The
tester
shall
search
for
XSS
holes
Posi0ve
Verify
that
the
applica0on
performs
input
valida0on
and
output
encoding
on

all
user
input

See:
hTp://www.owasp.org/index.php/
XSS_(Cross_Site_Scrip0ng)_Preven0on_Cheat_Sheet
56
Friday, June 28, 13

OWASP
Secure
Coding
Prac3ces
27
Friday, June 28, 13

OWASP
Secure
Coding
PracPces
• Small
document
(only
9
pages)
• Could
be
use
as
an
simple
checklist
for
your

policy.
• Could
be
use
together
with
ASVS
or
alone.
• More
technical
and
deeper
approach
than

ASVS
.
• Wrote
and
use
by
Boeing
:)
28
Friday, June 28, 13

Secure
Coding
PracPces
Contents
• Input
ValidaPon
• Output
Encoding
• AuthenPcaPon
and

Password
Management
• Session
Management
• Access
Control
• Cryptographic
PracPces
• Error
Handling
and
Logging
• Data
ProtecPon
• CommunicaPon
Security
• System
ConﬁguraPon
• Database
Security
• File
Management
• Memory
Management
• General
Coding
PracPces
29
Friday, June 28, 13

Now
the
torture
room
30
Friday, June 28, 13

(extracts
from
OWASP
Secure
Coding

Prac0ces/OWASP
CheatSheets
OWASP

ASVS,
...)
Let
talk
Secure
Coding
now
31
Friday, June 28, 13

Some
secures
principles
to
follow
32
•Deep
defense
of
applica,on
is
mandatory

• Following
less
privileges
is
the
best
soluPon
• Segregate
duty
more
that
user
think
➡Remember
that
applica,on
need
to
answer

user
needs
and
not
security
pleasure.
Friday, June 28, 13

Deep
defense
of
a
Web
Applica0on
(example)
70
Fi
re
w
all
Applica0onWeb
Apps
SGBDApp ServerWeb
Server
Browser
User auth
Input
Validation
Secure
configuration
Good crash mecanisms
• Critical data transport
protection
• Preventing session and ID
theft
Critical data protections
Logs/Audit of
transactions
Authorisation
and
authentication
Authorisation and
authentication
Critical data protectionsPreventing parameters
thefts
Friday, June 28, 13

Fail
securely
• Don’t
give
user
technical
details
of
the
error/crash.
• Clean
state
or
use
objects
in
catch
clause
34
Friday, June 28, 13

Don’t
try
to
make
obscure
things
72
Friday, June 28, 13

Don’t
try
to
make
obscure
things
72
GEOPORTAIL
Friday, June 28, 13

Don’t
try
to
make
obscure
things
72
GOOGLE MAPS
Friday, June 28, 13

• ObfuscaPon
is
not
the
soluPon
• There
is
someone
in
the
matrix
who
will
send
you

evil
data
• Be
evil
!

• Protect
area
with
ﬁlter
is
the
best
soluPon
36
Friday, June 28, 13

Controls
• Controls
need
:
–to
be
simple
–to
be
used
correctly
–funcPonal
–present
in
every
part
of
the
applicaPon
74
Bad understanding of a control result of unused
it by developers and application will be
vulnerable.
Friday, June 28, 13

Minimals
controls
to
have
• You
must
have
at
least
this
components
in

your
applicaPon
:

–AuthenPcaPon
–AuthorizaPon
–Logging
and
audit
–Secure
Storage
–Secure
transport
–Secure
input
and
output
manipulaPon
of
data
75
Friday, June 28, 13

Authen3ca3on
39
Friday, June 28, 13

Implement
good
passwd
strategy
• Password
length
-‐ Categorize
applicaPons
:

• Important
:
at
least
6
characters
• Cri0cal
:
at
least
8
characters
and
perhaps
mul0-‐factors

authen0ca0on
• High
Cri0cal
:
at
least
14
characters
and
mul0-‐factors

authen0ca0on
• Password
strength
-‐ Implement
passwd
complexity
with
previous
categories
• at
least
:
1
upper,
1
lower,
1
digit,
1
special
• don’t
allow
dic0onnary
passwd
• don’t
allow
con0nuous
characters
40
Friday, June 28, 13

Implement
good
passwd
strategy
•Let
the
user
choose
it
•Force
the
user
to
change
it
regulary,
and
add
no

reuse
capability.
•Don’t
allow
too
much
“I
forgot
my
passwd”
•Don’t
allow
change
of
passwd
without
user

approval;
require
actual
passwd
from
the
user
and

more
for
high
cri0cal.
•Add
sleep
strategy
!
•Add
detec3on
of
misuse
strategy
!
•Don’t
store
passwd
in
clear
!!!!!
use
hash
!
41
Friday, June 28, 13

MulP-‐Factor
authenPcaPon
•Passwds
are
bad
•Passwds
are
guessable
•MulP-‐factor
combine:

–something
you
have
(token,
mobile,
...)
–something
you
know
(details
about
you,
passwd,
...)
–somePme,
something
you
are
(biometrics)
–Use
it
for
high
criPcal
applicaPons.
42
Friday, June 28, 13

Implement
good
global
strategy
• Ask
second
authenPcaPon
for
criPcal

transacPons
(with
mulP-‐factor
auth...)
• Force
authenPcaPon
to
be
in
TLS/SSL
• Regenerate
Session
ID
aQer
authenPcaPon
• Force
Session
ID
to
be
“secure”
• LimiPng
forgoEen
passwd,change
of
login/
passwd

43
Friday, June 28, 13

How
to
do
?

• Authen0cate
all
pages
but
not
public
pages
(login,

logout,
help,
....)
• Don’t
allow
more
than
one
authen0ca0on

mecanism
• Authen3cate
on
the
SERVER
• Simply
send
back
“user
or
passwd
mismatch”
and

nothing
else
aker
a
failed
authen0ca0on.
• Logged
all
failed
and
all
correct
authen0ca0on
• Aker
each
authen0ca0on
give
the
user
the
last

status
of
his
authen0ca0on.

44
Friday, June 28, 13

• Good
Regex
for
a
passwd
complexity
:

• Good
Storage
of

password
with
SALT
45
(?=^.{8,30}$)(?=.*d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
import java.security.MessageDigest;
public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
digest.reset();
digest.update(salt);
return digest.digest(password.getBytes("UTF-8"));
}
Friday, June 28, 13

Session
Management
46
Friday, June 28, 13

Session

• Use
Default
Java
Framework
Generator
• Use
other
name
than
the
default
name
of
the

Framework
(rename
JSESSIONID...)
• Force
transport
of
ID
authenPcaPon
on
SSL/TLS.
• Don’t
allow
Session
ID
in
URL
!
• If
using
cookie
:

– Secure
Cookie
– HTTPOnly
Cookie

– LimiPng
path
+
domain
– Max
Age
and
expiraPon
47
Friday, June 28, 13

Session
tricky
• AutomaPc
expiraPon
–categorize
applicaPons
:
• default
:
1
hour
• cri0cal
(some
transac0on)
:
20mns
• high
cri0cal
(ﬁnancials
or
account
impact)
:
5mns

• Renew
Session
ID
aQer
any
privilege
change
• Don’t
allow
simultaneous
logon

• Add
Session
AEack
DetecPon
• add
in-‐session
0ps
:
ip
of
session,
other
random
number,
...
48
Friday, June 28, 13

Browser
defenses
• Bind
JavaScript
events
to
close
session

–on
window.close()
–on
window.stop()
–on
window.blur()
–on
window.home()
• Use
Javascripts
Pmer
to
automaPc
close
session

in
high
criPcal
applicaPons
• Disable
WebBrowser
Cross-‐tab
Session
if

possible...(bad
user
experiences....)
–If
you
use
cookie,
this
is
not
possible

!!!!
49
Friday, June 28, 13

50
<session-‐config>

<cookie-‐config>

<http-‐only>true</http-‐only>

<secure>true</secure>

</cookie-‐config>
</session-‐config>
Using
Servlet
3.0
?
Friday, June 28, 13

Access
Controls
107
Friday, June 28, 13

Remember
(1)Without
access
control,
you
can’t
control

the
user
in
your
applica,on
Friday, June 28, 13

Remember
(1)Without
access
control,
you
can’t
control

the
user
in
your
applica,on
(2)All
client
inputs
are
EVIL
Friday, June 28, 13

Authen0ca0on
&
Authoriza0on
• Two
Levels
of
authenPcaPon
and
authorizaPon

are
needed
–In
the
ApplicaPon
–In
infrastructure
Table
A
Table
B
Connexion Table A + duty A
Role
A
Role
B
SGBDApp Server
Connexion Table B + Duty B
Friday, June 28, 13

AuthorizaPon
• Have
in
mind
the
rule
:

–Nothing

by
default
• Centralize
all
authorizaPon
code
on
the
SERVER
• If
client
state
are
mandatory,
use
encrypPon
and

integrity
checking
on
the
server
side
to
catch

state
tampering.

• Limit
number
of
transacPons
per
user
at
a
interval

Pme.
54
Friday, June 28, 13

AuthorizaPon
• Enforce
:
– protec0on
of
URL
to
authorized
account
only
– protec0on
of
func0on
to
authorized
account
only
– protec0on
of
ﬁle
access
to
authorized
account
only
• Applica0on
need
to
terminate
session
when
authoriza0on

failed.
• Split
administra0ve
and
user
authoriza0on
• Enforce
dormant
account
:
– loss
privileges.
– “disable
account”
– alerts
55
Friday, June 28, 13

Valida3on
of
Data
56
Friday, June 28, 13

Input
ValidaPon
• Ensure
all
data
validaPon
are
done
on
THE
SERVER.
–If
you
do
something
on
client
side
we
can
said
you
do

“painPng”
• Classify
your
data
:
–Trusted
Data

–Untrusted
Data
• Conduct
trusted
path.
• Centralize
your
data
validaPon
• Use
correct
parametrize
query
when
exists
(SQL)
57
Friday, June 28, 13

Border
validaPon
• Consider
validaPng
data
along
all
the
entry
points

of
your
ApplicaPon
border
58
Friday, June 28, 13

Input
ValidaPon
• Use
proper
characters
set
for
all
input
• Encode
all
data
to
the
same
character
set
before

doing
anything
<=>Canonicalize
• Reject
all
not
validated
datas
• Validate
data

:
–expected
type
(convert
as
soon
as
possible
to
Java
Types)
–expected
range
–expected
length
–expected
values
–expected
“white
list”
if
possible
59
Friday, June 28, 13

Input
ValidaPon
• Be
careful
of
using
“hazardous”
characters
(ex:
<>’,”!
(+)&
%.)
• Add
speciﬁc
validaPon
:
–check
for
null
bytes
(%00)
–check
for
new
lines
(%0D,
%0A,
n,
r,
...)
–check
for
dot-‐dot-‐slashes
(../)

60
Friday, June 28, 13

Be
careful
of
encoding
for
speciﬁc

valida0on...
URL
%3c%73%63%72%69%70%74%3e%61%6c
%65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e
%0a
HTML
<script>ale&#x7
2;t(XSS);</sc&#x
72;ipt>

UTF-8
%u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c
%uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c
%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003
One space ?
< s c r i p t > a l e r t ( X S S ) ; < / s c r i p t >
<script>alert(XSS);</script>
Friday, June 28, 13

Validate
Datas
124
Friday, June 28, 13

SQL
=>
bad
125
Friday, June 28, 13

SQL
=>
a
liEle
bit
beEer
126
Friday, June 28, 13

List
results
=
entityManager.createQuery("Select
order
from
Orders
order
where
order.id
=
"
+
orderId).getResultList();
List
results
=
entityManager.createNativeQuery("Select
*
from
Books
where
author
=
"
+
author).getResultList();
int
resultCode
=
entityManager.createNativeQuery("Delete
from
Cart
where
itemId
=
"
+
itemId).executeUpdate();
JPA/EnPty

65
Friday, June 28, 13

List
results
=
order
from
Orders
order
where
order.id
=
"
+
List
results
=
*
from
Books
where
author
=
"
+
int
resultCode
=
from
Cart
where
itemId
=
"
+
JPA/EnPty

65
/*
positional
parameter
in
JPQL
*/
Query
jpqlQuery
=
order
from
Orders
order
where
order.id
=
?1");
List
results
=
jpqlQuery.setParameter(1,
"123-‐ADB-‐567-‐QTWYTFDL").getResultList();
Friday, June 28, 13

List
results
=
order
from
Orders
order
where
order.id
=
"
+
List
results
=
*
from
Books
where
author
=
"
+
int
resultCode
=
from
Cart
where
itemId
=
"
+
JPA/EnPty

65
/*
positional
parameter
in
JPQL
*/
Query
jpqlQuery
=
order
from
Orders
order
where
order.id
=
?1");
List
results
=
/*
named
query
in
JPQL
-‐
Query
named
"myCart"
being
"Select
c
from
Cart
c
where
c.itemId
=
:itemId"
*/
Query
jpqlQuery
=
entityManager.createNamedQuery("myCart");
List
results
=
jpqlQuery.setParameter("itemId",
"item-‐id-‐0001").getResultList();
Friday, June 28, 13

List
results
=
order
from
Orders
order
where
order.id
=
"
+
List
results
=
*
from
Books
where
author
=
"
+
int
resultCode
=
from
Cart
where
itemId
=
"
+
JPA/EnPty

65
/*
positional
parameter
in
JPQL
*/
Query
jpqlQuery
=
order
from
Orders
order
where
order.id
=
?1");
List
results
=
/*
named
query
in
JPQL
-‐
Query
named
"myCart"
being
"Select
c
from
Cart
c
where
c.itemId
=
:itemId"
*/
Query
jpqlQuery
=
List
results
=
/*
named
parameter
in
JPQL
*/
Query
jpqlQuery
=
emp
from
Employees
emp
where
emp.incentive
>
:incentive");
List
results
=
jpqlQuery.setParameter("incentive",
new
Long(10000)).getResultList();
Friday, June 28, 13

List
results
=
order
from
Orders
order
where
order.id
=
"
+
List
results
=
*
from
Books
where
author
=
"
+
int
resultCode
=
from
Cart
where
itemId
=
"
+
JPA/EnPty

65
/*
positional
parameter
in
JPQL
*/
Query
jpqlQuery
=
order
from
Orders
order
where
order.id
=
?1");
List
results
=
/*
Native
SQL
*/
Query
sqlQuery
=
*
from
Books
where
author
=
?",
Book.class);
List
results
=
sqlQuery.setParameter(1,
"Charles
Dickens").getResultList();
/*
named
query
in
JPQL
-‐
Query
named
"myCart"
being
"Select
c
from
Cart
c
where
c.itemId
=
:itemId"
*/
Query
jpqlQuery
=
List
results
=
/*
named
parameter
in
JPQL
*/
Query
jpqlQuery
=
emp
from
Employees
emp
where
emp.incentive
>
:incentive");
List
results
=
jpqlQuery.setParameter("incentive",
new
Long(10000)).getResultList();
Friday, June 28, 13

XML
=>
bad
127
Friday, June 28, 13

XML
=>
ValidaPng
via
regexp/white

list
128
Friday, June 28, 13

BeEer,
a
XML
schema
<xs:schema
xmlns:xs="hTp://www.w3.org/2001/XMLSchema">

<xs:element
name="item">

<xs:complexType>

<xs:sequence>

<xs:element
name="descrip0on"
type="xs:string"/>

<xs:element
name="price"
type="xs:decimal"/>

<xs:element
name="quan0ty"
type="xs:integer"/>

</xs:sequence>

</xs:complexType>

</xs:element>

</xs:schema>

Friday, June 28, 13

XML
=>
XML
Parser
validaPon
Friday, June 28, 13

LDAP
=>
bad
131
Friday, June 28, 13

LDAP
=>
beEer
132
Friday, June 28, 13

Using
OWASP
ESAPI
72
Friday, June 28, 13

Output
Encoding
73
Friday, June 28, 13

Output
encoding
• It’s
a
Defense
in
depth
mechanism
• Encode
ON
THE
SERVER
• Centralize
the
encoder
funcPons
• SaniPze
all
data
send
to
the
client

–HTMLEncode
is
a
minimum
but
did
not
work
on
all

cases
74
Friday, June 28, 13

Essai
1
=>
bad
137
Friday, June 28, 13

Essai
2
=>
it’s
bad,
but
beTer
than

nothing
138
Friday, June 28, 13

A
good
soluPon
with
a
robust

SaniPzer
:)
139
Friday, June 28, 13

Error
Logging
78
Friday, June 28, 13

Error
Handling
Your
Applica3on
will
crash
!
• Catch
all
excep0ons
without
excep0on
(remember
the
null
pointer

excep0on
!)
– Clean
all
excep0on
code
of
sensi0ve
datas
– Don’t
give
user
any
details
about
crash,
just
said
“It’s
a
crash,
try
again
later”
• Logs
are
sensi0ve,
you
MUST
PROTECT
THEM
• Log
:

– input
valida0on
failures
– authen0ca0on
request;
especially
failures
– access
control
failures
– systems
excep0ons
– administra0ve
func0onality
– crypto
failures
– invalid/expired
session
token
access
79
Friday, June 28, 13

Logging/Errors
• Split
your
logs
with
categories,
examples
:

–Access
–Error
–Debug
–Audit
• Use
log4j
for
standard
logging
80
Friday, June 28, 13

Log4J
Example
81
import com.sec.dev;
// Import log4j classes.
import org.apache.log4j.Logger;
import org.apache.log4j.BasicConfigurator;
public class SecLogger {
// Define a static logger variable so that it references the
// Logger instance named "MyApp".
static Logger logger = Logger.getLogger(MyApp.class);
public static void main(String[] args) {
// Set up a simple configuration that logs on the console.
BasicConfigurator.configure();
logger.setLevel(Level.DEBUG); // optional if log4j.properties file not used
// Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL
logger.info("Entering application.");
Bar bar = new Bar();
bar.doIt();
logger.info("Exiting application.");
}
}
Friday, June 28, 13

Bad
handling
of
ExcepPon
144
Friday, June 28, 13

Good
Housecleaning
83
try {
SensitiveData sensitiveData = new SensitiveData (“4242424242424242”);
out = new PrintWriter(new FileWriter("OutFile.txt"));
//Do Stuff….
} catch (IOException e) {
if ( sensitiveData != null ) {
sensitiveData.set(“0000000000000000”);
}
logger.log ("IO exception ", e.getMessage());
} catch (Exception e) {
}
logger.log ("Error occurred!”, e.getMessage());
}
finally {
}
if (out != null) {
out.close(); // RELEASE RESOURCES
}
}
Friday, June 28, 13

BeEer
handling
of
excepPon
and

error
145
<error-‐page>

<excepPon-‐type>java.lang.Throwable</
excepPon-‐type>

<locaPon>/error.jsp</locaPon>

</error-‐page>
Friday, June 28, 13

Data
Protec3on
85
Friday, June 28, 13

Data
protecPon
• Protect
sensiPve
datas,

don’t
store
them
in
clear.
• Store
sensiPve
datas
in
trusted
systems
• Don’t
use
GET
request
for
sensiPve
data.
• Disable
client
site
caching
86
Friday, June 28, 13

Disable
Client
Side
caching
87
import
javax.servlet.*;
import
javax.servlet.http.HttpServletResponse;
import
java.io.IOException;
import
java.util.Date;
public
class
CacheControlFilter
implements
Filter
{

public
void
doFilter(ServletRequest
request,
ServletResponse
response,

FilterChain
chain)
throws
IOException,
ServletException
{

HttpServletResponse
resp
=
(HttpServletResponse)
response;

resp.setHeader("Expires",
"Tue,
03
Jul
2001
06:00:00
GMT");

resp.setHeader("Last-‐Modified",
new
Date().toString());

resp.setHeader("Cache-‐Control",
"no-‐store,
no-‐cache,
must-‐revalidate,
max-‐age=0,
post-‐check=0,
pre-‐check=0");

resp.setHeader("Pragma",
"no-‐cache");

chain.doFilter(request,
response);

}
}
<filter>

<filter-‐name>SetCacheControl</filter-‐name>

<filter-‐class>com.sec.dev.cacheControlFilter</filter-‐class>
</filter>

<filter-‐mapping>

<filter-‐name>SetCacheControl</filter-‐name>
<url-‐pattern>/*</url-‐pattern>
</filter-‐mapping>
web.xml
Friday, June 28, 13

Access
to
FileSystem
88
Friday, June 28, 13

Absolute
Path
is
bad
151
Friday, June 28, 13

Canonicalisa,on
is
good
90
Friday, June 28, 13

Secure
Communica3ons
91
Friday, June 28, 13

Secure
CommunicaPons
• Use
TLS/SSL
:
–at
least
SSL
v3.0/TLS
1.0
–minimum
of
128bits
encrypPon
–use
secure
crypto
:
AES
is
good
• Don’t
expose
criPcal
data
in
the
URL
• Failed
SSL/TLS
communicaPons
should
not
fall

back
to
insecure
• Validate
cerPﬁcate
when
used
• Protect
all
page,
not
just
logon
page
!
92
Friday, June 28, 13

Force
TLS/SSL
Response
• Use
HTTP
Strict
Transport
Security
(HSTS).
–Available
on
some
browsers
(not
IE)
–draQ
IETF
:
hEp://tools.iew.org/html/draQ-‐iew-‐websec-‐
strict-‐transport-‐sec-‐04
93
HttpServletResponse
...;
response.setHeader("Strict-‐Transport-‐Security",
"max-‐age=7776000;

includeSubdomains");
Friday, June 28, 13

ConfiguraPon
94
• Review
all
properPes,
configuraPon
files
• Be
careful
of
default
passwords...
• Remove,
and
not
just
de-‐acPvate,
unused

funcPons/modules
• Use
sandbox
system
when
available
:
Be
careful
of
Java
Signed
code
who

execute
with
more
privileges
!
Friday, June 28, 13

Now
you
can
protect
against
him
95
Friday, June 28, 13

NEWS
A
BLOG
A
PODCAST
MEMBERSHIPS
MAILING
LISTS
A
NEWSLETTER
APPLE
APP
STORE
VIDEO
TUTORIALS
TRAINING
SESSIONS
SOCIAL
NETWORKING
96
On
est
aussi
des
humains,
et
on
peut
boire
un
coup
tout
simplement
Friday, June 28, 13

Dates
• AppSec
Research
Europe
2013
:
20/23
Aout
–

Hambourg
–
Allemagne
• Octobre
2013
:
OSSIR
PARIS
–OWASP
Top10
2013;
quoi
de
neuf
?
•
OWASP
Benelux
:
28/29
Novembre
2013
97
Un
tour
des
JUG
est
prévu
en
France,
si
vous
en
connaissez
un
dans
le
coin...
Friday, June 28, 13

Soutenir
l’OWASP
• Diﬀérentes
soluPons
:

–Membre
Individuel
:
50
$
–Membre
Entreprise
:
5000
$
–DonaPon
Libre
• Soutenir
uniquement

le
chapitre
France
:
–Single
MeePng
supporter

• Nous
oﬀrir
une
salle
de
mee0ng
!

• Par0ciper
par
un
talk
ou
autre
!

• Dona0on
simple

–Local
Chapter
supporter
:

• 500
$
à
2000
$
98
Friday, June 28, 13

Prochains
meePngs
• Septembre
2013

–Salle
:
Mozilla
Center
Paris
–Speaker
:

• Security
on
Firefox
OS
• A
définir
• Novembre
2013
–Salle
:
a
définir
–Speaker
:
a
définir
Septembre
s’annonce
merveilleux
avec
plein
d’annonces
en
tout
genre....
Friday, June 28, 13

License
100
Si
vous
avez
tout
suivi
vous
connaissez
le
prochain
slide....
@SPoint
sebas0en.gioria@owasp.org
Friday, June 28, 13

2013 06-27-securecoding-en - jug pch

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (17)

Ähnlich wie 2013 06-27-securecoding-en - jug pch

Ähnlich wie 2013 06-27-securecoding-en - jug pch (20)

Mehr von Sébastien GIORIA

Mehr von Sébastien GIORIA (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

2013 06-27-securecoding-en - jug pch