SlideShare ist ein Scribd-Unternehmen logo

Confess 2013: OWASP Top 10 and Java EE security in practice

Als PPT, PDF herunterladen
Masoud Kalali
Masoud Kalali

OWASP Top 10 and Java EE security in practice. Updated slides and presentation for Confess 2013

Technologie
1 von 60
OWASP Top 10 and Java EE security in practice Masoud Kalali, @MasoudKalali Principal Software Engineer, ORACLE
Agenda • Introduction • The Top 10 Most Critical Web Application Security Risks • QA
Java EE 6 & GlassFish glassfish.org
Motivation for this talk • Seen a lot • Providing a starting point • Sharing something • Making you aware
The Top 10 Most Critical Web Application Security Risks A2: Broken A2: Broken A4: Insecure A4: Insecure Authentication and Authentication and A2: Cross-Site A2: Cross-Site A1: Injection A1: Injection Direct Object Direct Object Session Session Scripting (XSS) Scripting (XSS) Management References References Management A7: Missing A7: Missing A8: Cross-Site A8: Cross-Site A5: Security A5: Security A6: Sensitive Data A6: Sensitive Data Function Level Function Level Request Forgery Request Forgery Misconfiguration Misconfiguration Exposure Exposure Access Control Access Control (CSRF) (CSRF) A9: Using A9: Using A10: Unvalidated A10: Unvalidated Components with Components with Redirects and Redirects and Known Known Vulnerabilities Forwards Forwards Vulnerabilities Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) Aka OWASP Top-10* Source: http://owasptop10.googlecode.com
What is OWASP? • Open Web Application Security Project • Improving the security of (web) application software – Not-for-profit organization since 2001 – Raise interest in secure development • Documents – Top 10 – Cheat Sheets – Development Guides • Solutions – Enterprise Security API (ESAPI) – WebScarab – WebGoat
A1 - Injection
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn What is it? graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Sending unintended data to applications • Manipulating and reading Data stores (e.g. DB, LDAP, File System, etc.) • Java EE 6 affected: – UI technology of choice – Database access (JPA, JDBC) – File System API – etc.
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn How to spot it! graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds String customerId= request.getParameter("customerId") String query = "SELECT balance FROM customer_data WHERE customer_id = " + customerId; try { Statement statement = connection.createStatement( … ); ResultSet results = statement.executeQuery( query ); } String customerId = "x'; DROP TABLE members; --"; // user-input
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn Prevent Injection graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Sanitize the input • Escape/Quotesafe the input, e.g. use ESAPI • Use bound parameters (the PREPARED statement) • Limit database permissions and segregate users • Configure error reporting, e.g use OWASP LAPSE+ Static Code Analysis Tool
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn Prevent Injection, Sample graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds String customerId = request.getParameter("customerId"); //white list validation and encoding String escapedCustomerId= ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId ); String query = "SELECT balance FROM customer_data WHERE customer_id = " + escapedCustomerId; ... //OR String query = "SELECT balance FROM customer_data WHERE customer_id = ? "; //using pstmt or stmt with encoded/validate input parameters PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, customerId); ResultSet results = pstmt.executeQuery( );
A2 - Broken Authentication and Session
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn What is it? graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Container Security vs. own solution • Session Binding / Session Renewal • Passwords – Strength (length/complexity) – Plain text passwords (http/https) – Recovery mechanisms • Number of factors used for authentication • Java EE 6 affected: – JAAS / JASPIC – Filter / PhaseListener – Container and Web-App configuration
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn How to spot it graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Authentication over http • Custom security filter • Not using Container Functionality • No password strength requirements • No HttpSession binding • Way of saving Passwords • Not testing security
A2: A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and Direct Injectio Scripti Securit Site A9: Failure and Site Direct A9: A10: re A10: nre Scripti SecuritReque toto Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng InsufficRestric ng yy Object stst dated MisconRefere Restric n n Best Practices graphi (XSS) Miscon Refere ient ient dated graphi t URL Manag Forger (XSS) t URL figurati nces Manag Forger Transp Redire figurati cc nces Transp Acces Redire yy ement Storag Acces ement Storag cts ortort cts on on (CSRF ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Use Container Managed Security! • Go with provided Standard Realms and LoginModules whenever possible • Invalidate session and all relevant bits when logged out • If you need custom ones: Test them extremely carefully! • Use transport layer encryption (TLS/SSL) for authentication, credentials transport • Review and adopt OWASP’s ASVS(Application Security Verification Standard)
A3 - Cross-Site Scripting (XSS)
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and Direct Injectio Scripti Securit Site A9: Failure and A10: Site Direct re A9: A10: nre Scripti SecuritReque toto Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng InsufficRestric ng yy Objec Restric n n Referestst What is it? graphi (XSS) Miscon Refere ient ient dated Miscon dated graphi t URL Manag Forger (XSS) t URL figurati nces Manag Forge Transp Redire figurati cc nces Transp Acces Redire yy ement Storag Acces ement Storag cts ortort cts on on (CSRF ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Inject malicious code into user interfaces • Get access to browser information – E.g. javascript:alert(document.cookie) • Steal user’s session, steal sensitive data • Rewrite web page or parts • Redirect user to phishing or malware site • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn How to spot it graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Anywhere that untrusted data is used as one of the following in outgoing response: – HTML element’s attributes – JavaScript variables – CSS values – Etc. (String) page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>";
A5: Authen Insecu A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and Direct Injectio Scripti Securit Site A9: Failure and Site Direct A9: A10: re A10: nre Scripti SecuritReque toto Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng InsufficRestric ng yy Object stst dated MisconRefere Restric n n graphi (XSS) Miscon Refere ient Prevent ient dated graphi t URL Manag Forger (XSS) t URL figurati nces Manag Forger Transp Redire figurati cc nces Transp Acces Redire yy ement Storag Acces ement Storag cts ortort cts on on (CSRF ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Sanitize the input. E.g. use OWASP AntiSamy or OWASP Java HTML Sanitizer, etc. • Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) • Use Cookie flags: – httpOnly (prevents XSS access)
A4 – Insecure Direct Object References
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn What is it? graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Exposing secure objects without defense. • Accessing domain objects with their PK. E.g. https://you.com/user/1 => https://you.com/user/21 • Opening opportunities for intruders • Information hiding on the client • Parameter value tampering • Java EE 6 affected: – All layers – Especially data access
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn How to spot it graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Direct user input to object mapping • No verification on user input (defenseless) • Data separation for users (tenants) • Request mode access for data (RUD) • Query constraints
A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn Best Practices graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Use AccessReferenceMaps http://app?file=Report123.xls http://app?file=1 http://app?id=9182374 http://app?id=7d3J93 • Use data-driven security • Validate object references • Always Perform additional data authorization on the view
A5 - Security Misconfiguration
A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site A9:Site Scripti Insecu Direct InjectioSecurit Failure Direct and A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn What is it? ient Miscon Restric dated ient (XSS) dated Refere Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort (CSRFort cts Acces Storag cts onon Acces Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Applies to – Operating System – Application Server – Databases – Additional Services – Frameworks – Developed Code – Etc. • Includes (beside _many_ others) – All security relevant configuration – Missing Patches – Default accounts
A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site A9:Site Scripti Insecu Direct InjectioSecurit Failure Direct and A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn Worst Practices ient Miscon Restric dated ient (XSS) dated Refere Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort (CSRFort cts Acces Storag cts onon Acces Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Network interfaces/sockets access control • Relaxed File system access control • Using any defaults like: – Passwords: Admin, master password – Network interface binding: Listening on 0.0.0.0 – Certificates: Self signed certificate • Using a not hardened OS! • Not using segregated user for the service • Not restricting GlassFish/Server component specific user nor enabling security manager
A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site A9:Site Scripti Insecu Direct InjectioSecurit Failure Direct and A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn Policy Files location ient Miscon Restric dated ient (XSS) dated Refere Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort (CSRFort cts Acces Storag cts onon Acces Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Global Policy File: java.home/jre/lib/security/java.policy • User Policy File: user.home/.java.policy • Domain Policy File: domain.home/config/server.policy • Application Policy File: domain.home/generated/policy/<app.name>/ <module.name>/granted.policy
A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site A9:Site Scripti Insecu Direct InjectioSecurit Failure Direct and A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn Review the *.policy files ient Miscon Restric dated ient (XSS) dated Refere Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort (CSRFort cts Acces Storag cts onon Acces Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Policy files precedence order • Remove unused grants • Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain. • Document your changes!
A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site Site Scripti Insecu Direct InjectioSecurit Failure Direct and Running GlassFish in a A9:A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn Refere ient Miscon Restric dated ient (XSS) dated Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort ort cts Acces Storag cts on Acces Secure Environment (CSRF on Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Use the latest version (3.1.2.2) • Enable secure admin (TLS/https) • Use password aliasing • Enable security manager and put forth a proper security policy file design http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
A6 - Sensitive Data Exposure
A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated What is it? Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Sensitive data kept unprotected • Sensitive data exposed to wrong persons • Could be: – Passwords – Financial/Health care data – Credit cards
A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated Worst Practices Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Storing sensitive data unencrypted • Storing comparative data unhashed (passwords/security question answer…) • Keeping clear text copies of encrypted data • Not keeping the keys/passwords well guarded • caching/autocomplete on pages with sensitive data
A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated Worst Practice Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Using basic/form authentication without SSL • Not using HTTPS for pages with private information • Using default self signed certificate • Storing unencrypted cookies • Not setting cookies to be securely transmitted Cookie.setSecure(true) • Forgetting about the rest of the infrastructure
A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated Prevention Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Identify sensitive data • Wisely encrypt sensitive data – On every level (application, appserver, db) – with the right algorithm, as strong as possible but not more! – with the right mechanism, e.g scrypt and bcrypt • Don’t keep clear text copies • To decrypt and view clear text should be restricted to authorized personnel • Keep the keys as protected as possible • Keep offsite encrypted backups in addition to on-site copies
A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated Best Practice Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Use TLS on all connections with sensitive data • Individually encrypt messages • Sign messages before transmission • Use standard strong algorithms • Use proven mechanisms when sufficient
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice

Empfohlen

Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Owasp lapse
Owasp lapseOwasp lapse
Owasp lapsen|u - The Open Security Community
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
The 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyThe 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyTEST Huddle
 
Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoCome mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoAntonio Parata
 

Empfohlen

Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Dilum Bandara
 
Owasp lapse
Owasp lapseOwasp lapse
Owasp lapsen|u - The Open Security Community
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersFrank Kim
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
The 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyThe 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyTEST Huddle
 
Come mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoCome mettere in sicurezza le applicazioni legacy, un approccio pragmatico
Come mettere in sicurezza le applicazioni legacy, un approccio pragmaticoAntonio Parata
 
SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security42Crunch
 
On Failure and Resilience
On Failure and ResilienceOn Failure and Resilience
On Failure and ResilienceMike Brittain
 
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010FPGA Central
 
Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Matteo Meucci
 
IdM in Smart Applications on Virtual Infrastructure
IdM in Smart Applications on Virtual InfrastructureIdM in Smart Applications on Virtual Infrastructure
IdM in Smart Applications on Virtual InfrastructureMohammad Faraji
 
µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)guestf67bc2
 
µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)Lars Trieloff
 
Better API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachBetter API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachNordic APIs
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation 42Crunch
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing pptLiza Welch
 
Opencart security testing
Opencart security testing Opencart security testing
Opencart security testing vikram vashisth
 
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVCUpgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVCFPGA Central
 
µjax in 30 minutes
µjax in 30 minutesµjax in 30 minutes
µjax in 30 minutesLars Trieloff
 
Patterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services PlatformPatterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services PlatformDavid Chou
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecuritySiarhei Barysiuk
 
Netflix Cloud Platform Building Blocks
Netflix Cloud Platform Building BlocksNetflix Cloud Platform Building Blocks
Netflix Cloud Platform Building BlocksSudhir Tonse
 
Introducing spring
Introducing springIntroducing spring
Introducing springErnesto Hernández Rodríguez
 
Transition from process to product-level perspective for business software
Transition from process to product-level perspective for business softwareTransition from process to product-level perspective for business software
Transition from process to product-level perspective for business softwareCONFENIS 2012
 
Decomposing applications for scalability and deployability (devnexus 2013)
Decomposing applications for scalability and deployability (devnexus 2013)Decomposing applications for scalability and deployability (devnexus 2013)
Decomposing applications for scalability and deployability (devnexus 2013)Chris Richardson
 
First Operational Technology (OT) High Performance Messaging Patterns for Ent...
First Operational Technology (OT) High Performance Messaging Patterns for Ent...First Operational Technology (OT) High Performance Messaging Patterns for Ent...
First Operational Technology (OT) High Performance Messaging Patterns for Ent...Real-Time Innovations (RTI)
 
Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsMasoud Kalali
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EEMasoud Kalali
 

Weitere ähnliche Inhalte

Ähnlich wie Confess 2013: OWASP Top 10 and Java EE security in practice

SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security42Crunch
 
On Failure and Resilience
On Failure and ResilienceOn Failure and Resilience
On Failure and ResilienceMike Brittain
 
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010FPGA Central
 
Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Matteo Meucci
 
IdM in Smart Applications on Virtual Infrastructure
IdM in Smart Applications on Virtual InfrastructureIdM in Smart Applications on Virtual Infrastructure
IdM in Smart Applications on Virtual InfrastructureMohammad Faraji
 
µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)guestf67bc2
 
µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)Lars Trieloff
 
Better API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachBetter API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachNordic APIs
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation 42Crunch
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing pptLiza Welch
 
Opencart security testing
Opencart security testing Opencart security testing
Opencart security testing vikram vashisth
 
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVCUpgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVCFPGA Central
 
Patterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services PlatformPatterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services PlatformDavid Chou
 
Netflix Cloud Platform Building Blocks
Netflix Cloud Platform Building BlocksNetflix Cloud Platform Building Blocks
Netflix Cloud Platform Building BlocksSudhir Tonse
 
Transition from process to product-level perspective for business software
Transition from process to product-level perspective for business softwareTransition from process to product-level perspective for business software
Transition from process to product-level perspective for business softwareCONFENIS 2012
 
Decomposing applications for scalability and deployability (devnexus 2013)
Decomposing applications for scalability and deployability (devnexus 2013)Decomposing applications for scalability and deployability (devnexus 2013)
Decomposing applications for scalability and deployability (devnexus 2013)Chris Richardson
 
First Operational Technology (OT) High Performance Messaging Patterns for Ent...
First Operational Technology (OT) High Performance Messaging Patterns for Ent...First Operational Technology (OT) High Performance Messaging Patterns for Ent...
First Operational Technology (OT) High Performance Messaging Patterns for Ent...Real-Time Innovations (RTI)
 

Ähnlich wie Confess 2013: OWASP Top 10 and Java EE security in practice (20)

SecDevOps for API Security
SecDevOps for API SecuritySecDevOps for API Security
SecDevOps for API Security
 
On Failure and Resilience
On Failure and ResilienceOn Failure and Resilience
On Failure and Resilience
 
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010
Upgrading to SystemVerilog for FPGA Designs - FPGA Camp Bangalore, 2010
 
Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09Meucci OWASP Pci Milan 09
Meucci OWASP Pci Milan 09
 
IdM in Smart Applications on Virtual Infrastructure
IdM in Smart Applications on Virtual InfrastructureIdM in Smart Applications on Virtual Infrastructure
IdM in Smart Applications on Virtual Infrastructure
 
µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)
 
µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)µjax in 30 minutes (for Stockholm)
µjax in 30 minutes (for Stockholm)
 
Better API Security With A SecDevOps Approach
Better API Security With A SecDevOps ApproachBetter API Security With A SecDevOps Approach
Better API Security With A SecDevOps Approach
 
Better API Security with Automation
Better API Security with Automation Better API Security with Automation
Better API Security with Automation
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing ppt
 
Opencart security testing
Opencart security testing Opencart security testing
Opencart security testing
 
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVCUpgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
Upgrading to System Verilog for FPGA Designs, Srinivasan Venkataramanan, CVC
 
µjax in 30 minutes
µjax in 30 minutesµjax in 30 minutes
µjax in 30 minutes
 
Patterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services PlatformPatterns of Cloud Applications Using Microsoft Azure Services Platform
Patterns of Cloud Applications Using Microsoft Azure Services Platform
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Netflix Cloud Platform Building Blocks
Netflix Cloud Platform Building BlocksNetflix Cloud Platform Building Blocks
Netflix Cloud Platform Building Blocks
 
Introducing spring
Introducing springIntroducing spring
Introducing spring
 
Transition from process to product-level perspective for business software
Transition from process to product-level perspective for business softwareTransition from process to product-level perspective for business software
Transition from process to product-level perspective for business software
 
Decomposing applications for scalability and deployability (devnexus 2013)
Decomposing applications for scalability and deployability (devnexus 2013)Decomposing applications for scalability and deployability (devnexus 2013)
Decomposing applications for scalability and deployability (devnexus 2013)
 
First Operational Technology (OT) High Performance Messaging Patterns for Ent...
First Operational Technology (OT) High Performance Messaging Patterns for Ent...First Operational Technology (OT) High Performance Messaging Patterns for Ent...
First Operational Technology (OT) High Performance Messaging Patterns for Ent...
 

Mehr von Masoud Kalali

Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsMasoud Kalali
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EEMasoud Kalali
 
BOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyBOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyMasoud Kalali
 
Real-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsReal-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsMasoud Kalali
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityMasoud Kalali
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Masoud Kalali
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
An Overview of RUP methodology
An Overview of RUP methodologyAn Overview of RUP methodology
An Overview of RUP methodologyMasoud Kalali
 
An overview of software development methodologies.
An overview of software development methodologies.An overview of software development methodologies.
An overview of software development methodologies.Masoud Kalali
 
NIO.2, the I/O API for the future
NIO.2, the I/O API for the futureNIO.2, the I/O API for the future
NIO.2, the I/O API for the futureMasoud Kalali
 

Mehr von Masoud Kalali (12)

Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutions
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
 
BOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyBOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectively
 
Real-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsReal-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and Solutions
 
Java EE 7 overview
Java EE 7 overviewJava EE 7 overview
Java EE 7 overview
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE Security
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
An Overview of RUP methodology
An Overview of RUP methodologyAn Overview of RUP methodology
An Overview of RUP methodology
 
An overview of software development methodologies.
An overview of software development methodologies.An overview of software development methodologies.
An overview of software development methodologies.
 
NIO.2, the I/O API for the future
NIO.2, the I/O API for the futureNIO.2, the I/O API for the future
NIO.2, the I/O API for the future
 

Kürzlich hochgeladen

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Kürzlich hochgeladen (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Confess 2013: OWASP Top 10 and Java EE security in practice

  • 1. OWASP Top 10 and Java EE security in practice Masoud Kalali, @MasoudKalali Principal Software Engineer, ORACLE
  • 2. Agenda • Introduction • The Top 10 Most Critical Web Application Security Risks • QA
  • 3. Java EE 6 & GlassFish glassfish.org
  • 4. Motivation for this talk • Seen a lot • Providing a starting point • Sharing something • Making you aware
  • 5. The Top 10 Most Critical Web Application Security Risks A2: Broken A2: Broken A4: Insecure A4: Insecure Authentication and Authentication and A2: Cross-Site A2: Cross-Site A1: Injection A1: Injection Direct Object Direct Object Session Session Scripting (XSS) Scripting (XSS) Management References References Management A7: Missing A7: Missing A8: Cross-Site A8: Cross-Site A5: Security A5: Security A6: Sensitive Data A6: Sensitive Data Function Level Function Level Request Forgery Request Forgery Misconfiguration Misconfiguration Exposure Exposure Access Control Access Control (CSRF) (CSRF) A9: Using A9: Using A10: Unvalidated A10: Unvalidated Components with Components with Redirects and Redirects and Known Known Vulnerabilities Forwards Forwards Vulnerabilities Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) Aka OWASP Top-10* Source: http://owasptop10.googlecode.com
  • 6. What is OWASP? • Open Web Application Security Project • Improving the security of (web) application software – Not-for-profit organization since 2001 – Raise interest in secure development • Documents – Top 10 – Cheat Sheets – Development Guides • Solutions – Enterprise Security API (ESAPI) – WebScarab – WebGoat
  • 8. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn What is it? graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Sending unintended data to applications • Manipulating and reading Data stores (e.g. DB, LDAP, File System, etc.) • Java EE 6 affected: – UI technology of choice – Database access (JPA, JDBC) – File System API – etc.
  • 9. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn How to spot it! graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds String customerId= request.getParameter("customerId") String query = "SELECT balance FROM customer_data WHERE customer_id = " + customerId; try { Statement statement = connection.createStatement( … ); ResultSet results = statement.executeQuery( query ); } String customerId = "x'; DROP TABLE members; --"; // user-input
  • 10. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn Prevent Injection graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Sanitize the input • Escape/Quotesafe the input, e.g. use ESAPI • Use bound parameters (the PREPARED statement) • Limit database permissions and segregate users • Configure error reporting, e.g use OWASP LAPSE+ Static Code Analysis Tool
  • 11. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn Prevent Injection, Sample graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds String customerId = request.getParameter("customerId"); //white list validation and encoding String escapedCustomerId= ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId ); String query = "SELECT balance FROM customer_data WHERE customer_id = " + escapedCustomerId; ... //OR String query = "SELECT balance FROM customer_data WHERE customer_id = ? "; //using pstmt or stmt with encoded/validate input parameters PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, customerId); ResultSet results = pstmt.executeQuery( );
  • 12. A2 - Broken Authentication and Session
  • 13. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn What is it? graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Container Security vs. own solution • Session Binding / Session Renewal • Passwords – Strength (length/complexity) – Plain text passwords (http/https) – Recovery mechanisms • Number of factors used for authentication • Java EE 6 affected: – JAAS / JASPIC – Filter / PhaseListener – Container and Web-App configuration
  • 14. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn How to spot it graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Authentication over http • Custom security filter • Not using Container Functionality • No password strength requirements • No HttpSession binding • Way of saving Passwords • Not testing security
  • 15. A2: A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and Direct Injectio Scripti Securit Site A9: Failure and Site Direct A9: A10: re A10: nre Scripti SecuritReque toto Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng InsufficRestric ng yy Object stst dated MisconRefere Restric n n Best Practices graphi (XSS) Miscon Refere ient ient dated graphi t URL Manag Forger (XSS) t URL figurati nces Manag Forger Transp Redire figurati cc nces Transp Acces Redire yy ement Storag Acces ement Storag cts ortort cts on on (CSRF ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Use Container Managed Security! • Go with provided Standard Realms and LoginModules whenever possible • Invalidate session and all relevant bits when logged out • If you need custom ones: Test them extremely carefully! • Use transport layer encryption (TLS/SSL) for authentication, credentials transport • Review and adopt OWASP’s ASVS(Application Security Verification Standard)
  • 16. A3 - Cross-Site Scripting (XSS)
  • 17. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and Direct Injectio Scripti Securit Site A9: Failure and A10: Site Direct re A9: A10: nre Scripti SecuritReque toto Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng InsufficRestric ng yy Objec Restric n n Referestst What is it? graphi (XSS) Miscon Refere ient ient dated Miscon dated graphi t URL Manag Forger (XSS) t URL figurati nces Manag Forge Transp Redire figurati cc nces Transp Acces Redire yy ement Storag Acces ement Storag cts ortort cts on on (CSRF ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Inject malicious code into user interfaces • Get access to browser information – E.g. javascript:alert(document.cookie) • Steal user’s session, steal sensitive data • Rewrite web page or parts • Redirect user to phishing or malware site • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  • 18. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn How to spot it graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Anywhere that untrusted data is used as one of the following in outgoing response: – HTML element’s attributes – JavaScript variables – CSS values – Etc. (String) page += "<input name='creditcard' type='TEXT‘ value='" + request.getParameter("CC") + "'>";
  • 19. A5: Authen Insecu A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and Direct Injectio Scripti Securit Site A9: Failure and Site Direct A9: A10: re A10: nre Scripti SecuritReque toto Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng InsufficRestric ng yy Object stst dated MisconRefere Restric n n graphi (XSS) Miscon Refere ient Prevent ient dated graphi t URL Manag Forger (XSS) t URL figurati nces Manag Forger Transp Redire figurati cc nces Transp Acces Redire yy ement Storag Acces ement Storag cts ortort cts on on (CSRF ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Sanitize the input. E.g. use OWASP AntiSamy or OWASP Java HTML Sanitizer, etc. • Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) • Use Cookie flags: – httpOnly (prevents XSS access)
  • 20. A4 – Insecure Direct Object References
  • 21. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn What is it? graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Exposing secure objects without defense. • Accessing domain objects with their PK. E.g. https://you.com/user/1 => https://you.com/user/21 • Opening opportunities for intruders • Information hiding on the client • Parameter value tampering • Java EE 6 affected: – All layers – Especially data access
  • 22. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn How to spot it graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Direct user input to object mapping • No verification on user input (defenseless) • Data separation for users (tenants) • Request mode access for data (RUD) • Query constraints
  • 23. A2:A2: Authen Insecu A5: A5: A8: Cross- Authen Insecu A8: Cross-tication Cross A1: A7: A1: Site re A7: tication Cross re Insecu Insecu Site A6: A6: Injectio Failure and A9: Failure and Site Injectio Scripti Securit Direct A10: Site Direct re A9: A10: nre Scripti SecuritReque to Insuffic Unvali Sessio Object Crypto Unvali Sessio Reque n Crypto ng to InsufficRestric ng yy Object stst RestricMiscon Refere nn Best Practices graphi (XSS) Miscon Refere ient ient dated dated graphi t URL Manag Forger (XSS) Transp Redire figurati nces cc t URL Manag Forger Transp Acces figurati y Redire nces ement Storag Acces ement Storag cts ortort cts onon (CSRF y ss (CSRF Layer Layer and ee and )) Protect Forwar Protect Forwar ionion dsds • Use AccessReferenceMaps http://app?file=Report123.xls http://app?file=1 http://app?id=9182374 http://app?id=7d3J93 • Use data-driven security • Validate object references • Always Perform additional data authorization on the view
  • 24. A5 - Security Misconfiguration
  • 25. A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site A9:Site Scripti Insecu Direct InjectioSecurit Failure Direct and A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn What is it? ient Miscon Restric dated ient (XSS) dated Refere Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort (CSRFort cts Acces Storag cts onon Acces Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Applies to – Operating System – Application Server – Databases – Additional Services – Frameworks – Developed Code – Etc. • Includes (beside _many_ others) – All security relevant configuration – Missing Patches – Default accounts
  • 26. A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site A9:Site Scripti Insecu Direct InjectioSecurit Failure Direct and A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn Worst Practices ient Miscon Restric dated ient (XSS) dated Refere Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort (CSRFort cts Acces Storag cts onon Acces Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Network interfaces/sockets access control • Relaxed File system access control • Using any defaults like: – Passwords: Admin, master password – Network interface binding: Listening on 0.0.0.0 – Certificates: Self signed certificate • Using a not hardened OS! • Not using segregated user for the service • Not restricting GlassFish/Server component specific user nor enabling security manager
  • 27. A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site A9:Site Scripti Insecu Direct InjectioSecurit Failure Direct and A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn Policy Files location ient Miscon Restric dated ient (XSS) dated Refere Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort (CSRFort cts Acces Storag cts onon Acces Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Global Policy File: java.home/jre/lib/security/java.policy • User Policy File: user.home/.java.policy • Domain Policy File: domain.home/config/server.policy • Application Policy File: domain.home/generated/policy/<app.name>/ <module.name>/granted.policy
  • 28. A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site A9:Site Scripti Insecu Direct InjectioSecurit Failure Direct and A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn Review the *.policy files ient Miscon Restric dated ient (XSS) dated Refere Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort (CSRFort cts Acces Storag cts onon Acces Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Policy files precedence order • Remove unused grants • Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain. • Document your changes!
  • 29. A2: A2: A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site and A7: Injectio A10: Failure Insecu Site Site Scripti Insecu Direct InjectioSecurit Failure Direct and Running GlassFish in a A9:A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto Restric Refere nn Refere ient Miscon Restric dated ient (XSS) dated Forger Miscon tManag graphi (XSS) graphi Transp Redire Manag nces Forger Redire t URL nces Transp figurati URL figuratiement cc yy ement ort ort cts Acces Storag cts on Acces Secure Environment (CSRF on Storag (CSRF and Layer ss Layer )) and ee Protect Forwar Protect Forwar ion ion dsds • Use the latest version (3.1.2.2) • Enable secure admin (TLS/https) • Use password aliasing • Enable security manager and put forth a proper security policy file design http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
  • 30. A6 - Sensitive Data Exposure
  • 31. A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated What is it? Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Sensitive data kept unprotected • Sensitive data exposed to wrong persons • Could be: – Passwords – Financial/Health care data – Credit cards
  • 32. A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated Worst Practices Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Storing sensitive data unencrypted • Storing comparative data unhashed (passwords/security question answer…) • Keeping clear text copies of encrypted data • Not keeping the keys/passwords well guarded • caching/autocomplete on pages with sensitive data
  • 33. A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated Worst Practice Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Using basic/form authentication without SSL • Not using HTTPS for pages with private information • Using default self signed certificate • Storing unencrypted cookies • Not setting cookies to be securely transmitted Cookie.setSecure(true) • Forgetting about the rest of the infrastructure
  • 34. A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated Prevention Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Identify sensitive data • Wisely encrypt sensitive data – On every level (application, appserver, db) – with the right algorithm, as strong as possible but not more! – with the right mechanism, e.g scrypt and bcrypt • Don’t keep clear text copies • To decrypt and view clear text should be restricted to authorized personnel • Keep the keys as protected as possible • Keep offsite encrypted backups in addition to on-site copies
  • 35. A5: A5: Cross- Authen Insecu Authen Insecu Cross Cross-tication A8: A1: Cross Site A1: tication re A7: A8: re A6: A6: Site A7: Injectio A10: Failure Insecu Site A9:Site Securit and and Insecu Direct Injectio Scripti Failure Direct A9: A10: Reque Securit Sessio Object Scripti rere Insuffic Unvali Sessio Object nn Reque ng Insuffic Unvali toto Crypto yy ng stst Crypto ient Miscon Restric Refere dated nn Refere (XSS) Restric graphi ient (XSS) dated Best Practice Forger Miscon tManag graphi Transp Redire Manag nces Forger figurati URL Transp Redire t URL nces figuratiement cc y orty ort onon ement cts Acces Storag cts Acces (CSRF (CSRF and ss Storag Layer Layer and ee )) Protect Forwar Protect Forwar ion ion dsds • Use TLS on all connections with sensitive data • Individually encrypt messages • Sign messages before transmission • Use standard strong algorithms • Use proven mechanisms when sufficient