JSF Input Validation
Source Conference
SOURCE Seattle 2011 - Krishna Raja
1. JSF Security
© 2011 Security Compass inc.
2. JSF Input Validation
[Figure: example inputs "abcd", "<script>" and "24c;--" passed through input validation; only validated input continues]
3. MyFaces: validateRegExpr Tag
Using the Apache Tomahawk tag library:

    <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %>

    <h:outputLabel for="zip1" value="Zip"/>
    <t:inputText value="#{order.zipCode}" id="zip1">
        <t:validateRegExpr pattern="\d{5}" message="ZIP Code must be 5 digits"/>
    </t:inputText>
4. Facelets Implementation

    <html ... xmlns:ui="http://java.sun.com/jsf/facelets"
              xmlns:t="http://myfaces.apache.org/tomahawk">
    <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
        <t:validateRegExpr pattern="[a-zA-Z]{1,100}" />
    </h:inputText>
5. Demo: Facelets validation
6. Mojarra Validators
Namespace: xmlns:mj="http://mojarra.dev.java.net/mojarra_ext"

    <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
        <mj:regexValidator pattern="[a-zA-Z]{1,50}"/>
    </h:inputText>

There also exists: <mj:creditCardValidator/>
7. JSF 2.0 Validators
• Part of the JSF 2.0 core tag library
• Can leverage:
  – <f:validateLength …/>
  – <f:validateLongRange …/>
  – <f:validateDoubleRange …/>
  – <f:validateRegex pattern="…"/>
8. Demo: JSF 2.0 Validators
9. Other JSF Validation Techniques
• Validation in the action controller
  – Validation tied closely to business logic
  – Dependence between different fields
• Custom validation methods
  – More complex validation (when the built-in JSF validators do not suit your need)
10. Output Encoding in JSF
[Figure: the string <script>alert('xss') passed through output encoding, with the characters < > ( ' ) highlighted as the ones that must be encoded]
11. <h:outputText> & <h:outputFormat>

    <h:outputText value="#{param.name}"/>

The escape attribute is set to "true" by default.

    <h:outputFormat value="#{param.name}"/>
12. Output encoding with Facelets

    <ui:define name="body">
        This will safely encode as an HTML element in a Facelet:
        <h:outputText value="#{SimpleBean.val}">
        </h:outputText>
    </ui:define>

The EL expression is automatically encoded.
13. But there's a problem…
• <h:outputText> and <h:outputFormat> cannot be used safely within:
  – an HTML attribute
  – JavaScript or CSS
• Similar problem with Facelets ${bean.name}
14. Problems with RichFaces
• Some tags can lead to XSS
• Never use user-supplied data with:
  – <a4j:loadScript>
  – <a4j:loadStyle>
  – <rich:componentControl>
• Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth>
15. Solution: OWASP ESAPI EL

    <p>
        <input type="text" value="${esapi:encodeForHTMLAttribute(dangerous)}"/>
    </p>
    <p>
        <script language="javascript">
            // the JavaScript encoder's output must sit inside a quoted string literal
            var str = '${esapi:encodeForJavaScript(dangerous)}';
        </script>
    </p>
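Slides 11 to 15 make one point: the encoding has to match the output context. The following is an added example, not code from the deck and not ESAPI's implementation: three small context-specific encoders in the style of the ESAPI EL functions above, and a check that shows why HTML-body encoding, which is what `<h:outputText>` gives you, is not enough inside an attribute or a `<script>` block. The sample input is constructed.

```java
/**
 * Added example (not from the slides, not ESAPI's code): context-specific encoders and
 * a demonstration that body-HTML encoding does not cover attribute or script contexts.
 */
public class ContextEncoding {

    /** HTML body text: roughly what JSF's outputText escape="true" does (no quote handling). */
    public static String encodeForHtml(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': b.append("&lt;");  break;
                case '>': b.append("&gt;");  break;
                case '&': b.append("&amp;"); break;
                default:  b.append(c);
            }
        }
        return b.toString();
    }

    private static boolean isAsciiAlnum(char c) {
        return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
    }

    /** HTML attribute value: everything but [A-Za-z0-9] becomes a numeric entity, so both
     *  quote styles and "=" are neutralised whatever quoting the template used. */
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (isAsciiAlnum(c)) b.append(c);
            else b.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return b.toString();
    }

    /** JavaScript string literal: \xHH or \uHHHH for everything but [A-Za-z0-9]. The output
     *  is only safe between quotes (var s = '...'); "/" is encoded too, so the value can never
     *  contain a literal "</script>" that would end the block early. */
    public static String encodeForJavaScript(String s) {
        StringBuilder b = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (isAsciiAlnum(c)) b.append(c);
            else if (c < 256) b.append(String.format("\\x%02X", (int) c));
            else b.append(String.format("\\u%04X", (int) c));
        }
        return b.toString();
    }

    public static void main(String[] args) {
        String sample = "it's <b>bold</b>";   // constructed sample input
        System.out.println("body      : " + encodeForHtml(sample));
        System.out.println("attribute : " + encodeForHtmlAttribute(sample));
        System.out.println("javascript: " + encodeForJavaScript(sample));

        // The body encoder leaves the apostrophe alone: fine inside <p>...</p>, but inside
        // value='...' that quote would end the attribute. The attribute encoder removes it.
        if (encodeForHtml(sample).indexOf('\'') < 0) throw new AssertionError("body keeps quotes");
        if (encodeForHtmlAttribute(sample).indexOf('\'') >= 0) throw new AssertionError("attr encodes quotes");
        if (encodeForJavaScript(sample).contains("</")) throw new AssertionError("js encodes slash");
    }
}
```

The design choice worth noting is that the attribute and JavaScript encoders use an allow-list (only ASCII letters and digits pass through) rather than a block-list of known-bad characters; that is what makes them safe regardless of which quoting style the surrounding template used, which is exactly the case slide 13 says `<h:outputText>` cannot handle.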
16. Demo: ESAPI encoding
17. Page Level Authorization
18. ESAPI AccessController
• Interface that provides access control for:
  – URLs
  – Business functions
  – Data services & files
• Contains:
  – assertAuthorizedForURL(String URL)
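The following is an added example, not from the deck and not ESAPI's implementation: a deny-by-default URL-to-role policy with the same shape as ESAPI's `assertAuthorizedForURL`, written in plain Java (11 or later) so it runs without ESAPI. The rule table, role names and paths are hypothetical. In a JSF application this check belongs in a servlet Filter that runs before the request reaches the Faces lifecycle, so that every page, not only those with a navigation link, is covered.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the slides, not ESAPI's code): deny-by-default page-level
 * authorization keyed on a canonical request path. Rules and roles are hypothetical.
 */
public class UrlAccessController {

    public static class AccessControlException extends Exception {
        public AccessControlException(String msg) { super(msg); }
    }

    // Path prefix (always ending in "/") -> roles allowed under it.
    private final Map<String, Set<String>> rules = new LinkedHashMap<>();

    public UrlAccessController allow(String prefix, String... roles) {
        if (!prefix.endsWith("/")) prefix += "/";
        rules.put(prefix, Set.of(roles));
        return this;
    }

    /** Canonical path: drop query/fragment, percent-decode, then resolve "." and ".." segments,
     *  so /admin/../public/x and /admin/%2e%2e/public/x are judged exactly like /public/x. */
    static String canonicalPath(String url) {
        String path = url.split("[?#]", 2)[0];
        path = URLDecoder.decode(path, StandardCharsets.UTF_8);   // throws on malformed %xx
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { out.pollLast(); continue; }
            out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }

    public boolean isAuthorizedForURL(Set<String> userRoles, String url) {
        String path;
        try {
            path = canonicalPath(url) + "/";   // trailing "/" so /admin matches rule /admin/ but /administrator does not
        } catch (IllegalArgumentException badEncoding) {
            return false;                      // unparseable request: deny
        }
        String best = null;                    // longest (most specific) matching prefix wins
        for (String prefix : rules.keySet()) {
            if (path.startsWith(prefix) && (best == null || prefix.length() > best.length())) best = prefix;
        }
        if (best == null) return false;        // no rule at all: deny by default
        for (String role : rules.get(best)) {
            if (userRoles.contains(role)) return true;
        }
        return false;
    }

    public void assertAuthorizedForURL(Set<String> userRoles, String url) throws AccessControlException {
        if (!isAuthorizedForURL(userRoles, url)) {
            throw new AccessControlException("not authorized for requested URL");
        }
    }

    public static void main(String[] args) throws AccessControlException {
        UrlAccessController ac = new UrlAccessController()
                .allow("/", "user", "admin")
                .allow("/admin/", "admin");
        Set<String> user = Set.of("user");
        if (!ac.isAuthorizedForURL(user, "/orders.jsf")) throw new AssertionError("plain page");
        if (ac.isAuthorizedForURL(user, "/admin/users.jsf")) throw new AssertionError("admin page");
        if (ac.isAuthorizedForURL(user, "/public/../admin/users.jsf")) throw new AssertionError("dot-dot");
        if (ac.isAuthorizedForURL(user, "/administrator/x.jsf") != true) throw new AssertionError("prefix is per segment");
        if (!ac.isAuthorizedForURL(user, "/admin/%2e%2e/orders.jsf")) throw new AssertionError("decodes to /orders.jsf");
        ac.assertAuthorizedForURL(Set.of("admin"), "/admin/users.jsf");   // passes, no exception
        System.out.println("all checks passed");
    }
}
```

Two caveats a practitioner should carry over to a real filter: the path must be canonicalised before matching (decoding first, then resolving dot segments, never the other way round), and the container's own path normalisation does not remove the need for this, because the filter may see the raw request URI.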
19. Demo: AccessController
20. Defending Against CSRF: Anti-CSRF tokens
21. What about JSF "view state"?
• javax.faces.STATE_SAVING_METHOD
  – Can save and restore the state of the view between requests to the server
STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ???
22. Problem: Padding Oracle Attack
• Recently discovered exploit against CBC-mode encryption with PKCS#5 padding
• Incorrect padding can result in javax.crypto.BadPaddingException
• Can be used to decrypt the encrypted view state
23. Solution: OWASP CSRFGuard
• Version 3 recently released!
• Library that injects per-session or per-request tokens into HTML
• Can use 2 strategies to inject the token:
  – JavaScript DOM manipulation
  – JSP tag library
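Slides 21 to 23 argue that the JSF view state is not a CSRF token and that a dedicated synchroniser token is. The following is an added example, not from the deck and not CSRFGuard's code: the per-session and per-request token handling such a library performs, in plain Java so it runs stand-alone. The token store is keyed by session id as a stand-in for `HttpSession`, and the parameter name `csrf_token` is chosen for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not from the slides, not CSRFGuard's code): synchroniser tokens that are
 * independent of the view state, generated from a CSPRNG and compared in constant time.
 */
public class CsrfTokens {

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> tokenBySession = new ConcurrentHashMap<>();

    /** 256 random bits, base64url so the value is safe in a hidden field or a header. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Per-session strategy: one token for the session's lifetime, created on first use. */
    public String tokenFor(String sessionId) {
        return tokenBySession.computeIfAbsent(sessionId, id -> newToken());
    }

    /** Per-request strategy: replace the token after every state-changing request. */
    public String rotate(String sessionId) {
        String fresh = newToken();
        tokenBySession.put(sessionId, fresh);
        return fresh;
    }

    /** What the "JSP tag library" strategy emits into each form. */
    public String hiddenField(String sessionId) {
        return "<input type=\"hidden\" name=\"csrf_token\" value=\"" + tokenFor(sessionId) + "\"/>";
    }

    /** Validate a state-changing request: missing, unknown and mismatched tokens all fail, and
     *  the comparison is constant-time so the check itself cannot become a byte-by-byte oracle. */
    public boolean isValid(String sessionId, String submitted) {
        String expected = tokenBySession.get(sessionId);
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        CsrfTokens store = new CsrfTokens();
        String session = "constructed-session-id";   // stand-in for a JSESSIONID value
        String token = store.tokenFor(session);

        if (!store.isValid(session, token)) throw new AssertionError("own token must validate");
        if (store.isValid(session, null)) throw new AssertionError("missing token must fail");
        if (store.isValid(session, newToken())) throw new AssertionError("foreign token must fail");
        if (store.isValid("other-session", token)) throw new AssertionError("token is bound to its session");

        String rotated = store.rotate(session);
        if (store.isValid(session, token)) throw new AssertionError("old token is dead after rotation");
        if (!store.isValid(session, rotated)) throw new AssertionError("new token is live after rotation");
        System.out.println(store.hiddenField(session));
    }
}
```

The token must be checked on every request that changes state, whether it arrives in a form field or, for the JavaScript DOM-manipulation strategy, in a request header; a GET that only renders a page needs no token. The choice between the two strategies is a trade-off: per-request tokens limit how long a leaked token is useful but break multi-tab use of the application, while a per-session token keeps working until the session ends.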
24. Demo: Anti-CSRF Tokens