Securing Your Grails App - Beyond Authentication & Authorization
1,412 views

Published on

Application security is not a concern that we can ignore. Vulnerabilities come from various angles, but it is important to stay aware and vigilant so we can recognize and thwart threats.

Published in: Software
Securing Your Grails App - Beyond Authentication & Authorization

  1. Colin Harrington, Principal Consultant, @ColinHarrington, colin.harrington@objectpartners.com
  2. This talk is meant to discuss security issues in the spirit of helping those who build systems make stable, secure web applications.
  3. Happy Path: Easiest thing possible / MVP / No unauthorized access / Hardened / Tested
  4. Grandma's cat photos / Your blog / Static content / Banking / Health information / Government / Big business / Payment systems
  5. $$$ of loss potential / Office Space / Loss of consumer confidence / Restore the backup / Maybe a few comments lost since last backup / No animals were harmed / Grandma cries for a minute
  6. (but verify)
  7. Non-profit group / Naming borrowed / Check out their recommendations
  8. #1 issue on the web: "SELECT * FROM accounts WHERE custID='" + params.id + "'" requested as http://example.com/app/accountView?id=' or '1'='1
  9. String hql = """from AccountHolder where username = '$username' and password = '$password'"""; def row = AccountTransaction.executeQuery(hql)
  10. admin' AND substring(password,0,1) == char(64) AND '1' = '1 (see http://security.stackexchange.com/questions/24265/hql-injection-example)
  11. Or better tested sanitization tools
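The login query on slide 9 is injectable because the GString interpolates request input into the HQL text before Hibernate ever parses it. The service below is an added example, not code from the talk: it keeps the vulnerable form for comparison and adds the bind-parameter form. It assumes a Grails 2.x application with an AccountHolder domain class that has `username` and `passwordHash` properties and the Spring Security Core plugin's `passwordEncoder` bean; those names are assumptions, not something the slides show.

```groovy
class AccountService {

    def passwordEncoder   // Spring Security Core plugin bean (assumed present)

    // VULNERABLE (slide 9): the GString interpolates request input into the
    // HQL text before Hibernate sees it, so a username of
    //   admin' or '1'='1
    // (or the blind-injection probe on slide 10) rewrites the query itself.
    AccountHolder findVulnerable(String username, String password) {
        String hql = """from AccountHolder
                        where username = '$username' and password = '$password'"""
        AccountHolder.executeQuery(hql)[0]
    }

    // HARDENED: the HQL text is a constant and the value is a bind parameter,
    // so quotes in the input are data, never syntax. The password never goes
    // to the database; it is checked against the stored hash in code.
    AccountHolder authenticate(String username, String password) {
        List<AccountHolder> rows = AccountHolder.executeQuery(
                'from AccountHolder where username = :username',
                [username: username])
        if (!rows) {
            return null
        }
        AccountHolder holder = rows.first()
        passwordEncoder.isPasswordValid(holder.passwordHash, password, null) ? holder : null
    }
}
```

GORM's dynamic finders (`AccountHolder.findByUsername(username)`) are bound the same way and are usually the shorter choice. `isPasswordValid(encoded, raw, salt)` is the Spring Security 3.x `PasswordEncoder` signature the plugin exposed in the Grails 1.3/2.x era; newer plugin versions expose `matches(raw, encoded)` instead.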
  12. Grails 1.3.7 (pre 1.3.8): class MyDomainObject { def SpringSecurityService ... }
  13. "cp img.png ./archive/$filename".execute()
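Slide 13 hands a request-supplied file name to an external command. `String.execute()` does not go through a shell, but it does split the string on whitespace, so the attacker controls extra arguments and, through `../`, the destination path; the same string wrapped in `sh -c` would be full command injection. The class below is an added example, not the talk's code: it builds the argument list explicitly and validates the name before anything runs. The `archive` directory and `img.png` source are placeholders taken from the slide; nothing here needs Grails.

```groovy
import java.util.regex.Pattern

class ArchiveCommand {

    // One path segment: letters, digits, dot, dash, underscore; no separators,
    // no whitespace, no leading dot or dash (cp would read a dash as an option).
    static final Pattern SAFE_NAME = ~/[A-Za-z0-9_][A-Za-z0-9._-]{0,254}/

    // VULNERABLE (slide 13): tokenised on whitespace, so
    //   filename = "x /etc/cron.d"   appends an argument, and
    //   filename = "../../x"         escapes the archive directory.
    static Process copyVulnerable(String filename) {
        "cp img.png ./archive/$filename".execute()
    }

    // Builds argv without ever tokenising a string. Returns the exact command
    // that will run, or throws on input it will not accept.
    static List<String> buildCommand(File archiveDir, String filename) {
        if (!(filename ==~ SAFE_NAME)) {
            throw new IllegalArgumentException("rejected archive name: ${filename}")
        }
        File target = new File(archiveDir, filename)
        // Belt and braces: the canonical path must still sit inside archiveDir.
        if (!target.canonicalPath.startsWith(archiveDir.canonicalPath + File.separator)) {
            throw new IllegalArgumentException('path escapes archive directory')
        }
        ['cp', '--', 'img.png', target.canonicalPath]   // "--" ends option parsing
    }

    static Process copyHardened(File archiveDir, String filename) {
        buildCommand(archiveDir, filename).execute()   // List.execute(): no tokenising, no shell
    }
}

// Constructed inputs: the first is accepted, the rest are rejected before any process starts.
assert ArchiveCommand.buildCommand(new File('archive'), 'cat.png')[3]
        .endsWith('archive' + File.separator + 'cat.png')
['../../etc/passwd', 'x /etc/cron.d', '-r', '.hidden'].each { bad ->
    try {
        ArchiveCommand.buildCommand(new File('archive'), bad)
        assert false, "should have rejected ${bad}"
    } catch (IllegalArgumentException expected) {
        // rejected as intended
    }
}
```

The allow-list is the real control; the canonical-path check only catches anything the regex might let through in a later edit. Rejecting bad input outright is simpler to reason about than escaping it.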
  14. log.info "user benign said ${message}" with http://example.com/thing/action?message=[ERROR] Admin password has expired!! OH CRAP HELP
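The forged entry on slide 14 only becomes a separate, authentic-looking log line if the attacker can get a raw newline into `message` (percent-encoded as %0A in the query string). The helper below is an added example, not from the talk: it makes line breaks visible, blanks other control characters and caps the length, so one parameter cannot forge entries or flood the log. Plain Groovy; `log` on the slide stands for the Grails-injected logger.

```groovy
class LogSanitizer {

    // Order matters: CR/LF are turned into the two visible characters "\r"
    // and "\n" first, then any remaining control character becomes '?'.
    static String forLog(String untrusted, int maxLen = 200) {
        if (untrusted == null) {
            return 'null'
        }
        String s = untrusted.replace('\r', '\\r').replace('\n', '\\n')
        s = s.replaceAll(/\p{Cntrl}/, '?')
        s.length() > maxLen ? s.substring(0, maxLen) + '...(truncated)' : s
    }
}

// Constructed payload in the shape of slide 14: a newline followed by a fake
// ERROR entry. Logged raw it reads as two lines; sanitised it stays one.
String payload = 'hello\n[ERROR] Admin password has expired!! OH CRAP HELP'
String line = "user benign said ${LogSanitizer.forLog(payload)}"
assert !line.contains('\n')
assert line == 'user benign said hello\\n[ERROR] Admin password has expired!! OH CRAP HELP'
```

Sanitising at the call site is a stop-gap; a logging layout or appender that escapes every message applies the rule once for the whole application.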
  15. def transfer(Transfer tfr) { Deposit d = new Deposit(amount: tfr.amt); d.save(); Withdrawal w = new Withdrawal(amount: tfr.amt, description: tfr.desc); w.save() }
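Slide 15's transfer saves the deposit, then the withdrawal; if the second `save()` fails validation it returns false rather than throwing, the deposit stays, and money has been created. The service below is an added example, not from the talk. It assumes Grails 2.3 or later (for `grails.transaction.Transactional`; earlier services are transactional by default) and the Deposit, Withdrawal and Transfer classes named on the slide.

```groovy
import grails.transaction.Transactional

@Transactional
class TransferService {

    // Both writes succeed or neither does: save(failOnError: true) turns a
    // validation failure into a runtime exception, and the transactional
    // proxy rolls back the deposit already flushed when the withdrawal fails.
    void transfer(Transfer tfr) {
        if (tfr.amt == null || tfr.amt <= 0) {
            throw new IllegalArgumentException('amount must be positive')
        }
        Deposit d = new Deposit(amount: tfr.amt)
        d.save(failOnError: true)
        Withdrawal w = new Withdrawal(amount: tfr.amt, description: tfr.desc)
        w.save(failOnError: true)
    }
}
```

Spring rolls back on unchecked exceptions by default, which is why the example throws rather than returning a status. The ownership check from the authorization slides later in this deck belongs in this same method, before either write.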
  16. http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
  17. Unencrypted transports / Account signup / Forgot password / Password hint exposure / Insecure SSO
  18. xkcd.com/936/
  19. reviewText = """Excellent Product</div> <iframe src="myadnetwork.com/pwnage.html"/> <h1>Injected DOM</h1> <div class='review'>Good work"""; view.gsp (codec = none): <div class='review'>${reviewText}</div>
  20. Default codec = HTML now / Careful when doing your own TagLibs / AntiSamy
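The default HTML codec only covers `${}` expressions in GSPs; a TagLib that writes straight to `out` gets no encoding, which is the "careful when doing your own TagLibs" warning on slide 20. The tag library below is an added example, not from the talk. It assumes Grails 2.x, where `encodeAsHTML()` is the same codec the default `html` setting applies; the `shop` namespace and `text` attribute are assumed names.

```groovy
class ReviewTagLib {
    static namespace = 'shop'   // assumed namespace, used as <shop:review .../>

    // VULNERABLE: tag output bypasses the view's default codec, so slide 19's
    // reviewText closes the div and injects its iframe unchanged.
    def reviewRaw = { attrs ->
        out << "<div class='review'>${attrs.text}</div>"
    }

    // HARDENED: encode the untrusted value at the HTML-body sink. The markup
    // around it is author-controlled and stays literal; "</div>" in the
    // review becomes "&lt;/div&gt;" and is rendered as text.
    def review = { attrs ->
        out << "<div class='review'>${attrs.text?.encodeAsHTML()}</div>"
    }
}
```

Used as `<shop:review text="${review.text}"/>`, the attribute arrives unencoded, so the tag must do the work itself. `encodeAsHTML()` is right for element content; an attribute value, a URL or a JavaScript string each needs its own codec, and AntiSamy is for the case where some markup must be allowed through.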
  21. Direct execution: eval() / window.execScript() / Function() / setInterval() / setTimeout() / script.src, iframe.src
  22. document.write(), document.writeln() / elem.innerHTML = danger / elem.outerHTML = danger / elem.setAttribute("dangerous attribute", danger)
  23. Cookies in some browsers / LocalStorage / Reverse JavaScript Shells / Stacked / More..
  24. https://example.com/account/123 vs https://example.com/account/999
  25. Filters / ACL / Permissions
  26. Ownership level checking: Authorization
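Changing 123 to 999 in the URL on slide 24 only works when the action trusts the id. The controller and service below are an added example, not the talk's code, of the ownership-level check from slide 26 (and of slide 30's point that being logged in authorises nothing in particular). They assume Grails 2.x, the Spring Security Core plugin's `springSecurityService`, and an Account domain class with an `owner` association; those names are assumptions.

```groovy
class AccountController {

    def accountService

    def show(Long id) {
        Account account = accountService.loadOwned(id)
        if (!account) {
            render status: 404
            return
        }
        [account: account]
    }
}

class AccountService {

    def springSecurityService

    // Returns the account only if the current user owns it. A foreign id gets
    // the same 404 as a missing one, so the response does not confirm that
    // account 999 exists; the attempt is still logged for detection.
    Account loadOwned(Long id) {
        Account account = Account.get(id)
        if (!account) {
            return null
        }
        Long currentUserId = springSecurityService.currentUser?.id
        if (account.owner?.id != currentUserId) {
            log.warn("user ${currentUserId} requested account ${id} owned by ${account.owner?.id}")
            return null
        }
        account
    }
}
```

Scoping the query itself (`Account.findByIdAndOwner(id, springSecurityService.currentUser)`) gives the same result in one statement and is harder to forget; either way the check lives in the service so every caller gets it, not only this action.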
  27. ...for example
  28. socat -v tcp-listen:8080,fork tcp:localhost:80
  29. Poor salting
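"Poor salting" on slide 29 covers both a shared salt and no salt at all; either lets one precomputed table crack every account. The class below is an added example, not from the talk, using only the JDK: a fresh random salt per password, a slow derivation (PBKDF2) and a constant-time comparison. In a Grails application the Spring Security Core plugin's bcrypt encoder does this job and should be preferred; this shows what it must do.

```groovy
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

class PasswordHasher {
    static final int SALT_BYTES = 16
    static final int ITERATIONS = 100_000
    static final int KEY_BITS = 256
    static final SecureRandom RNG = new SecureRandom()

    // Returns "iterations:salt:hash"; all three are needed to verify later,
    // and storing the iteration count lets it be raised for new passwords.
    static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES]
        RNG.nextBytes(salt)           // fresh random salt for every password
        byte[] dk = derive(password, salt, ITERATIONS)
        "${ITERATIONS}:${salt.encodeBase64()}:${dk.encodeBase64()}"
    }

    static boolean verify(String password, String stored) {
        def (iters, saltB64, hashB64) = stored.tokenize(':')
        byte[] expected = hashB64.decodeBase64()
        byte[] actual = derive(password, saltB64.decodeBase64(), iters.toInteger())
        MessageDigest.isEqual(expected, actual)   // constant-time comparison
    }

    private static byte[] derive(String password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_BITS)
        SecretKeyFactory.getInstance('PBKDF2WithHmacSHA256').generateSecret(spec).encoded
    }
}

// Same password for two users: different salts, different hashes, both verify.
String h1 = PasswordHasher.hash('correct horse battery staple')
String h2 = PasswordHasher.hash('correct horse battery staple')
assert h1 != h2
assert PasswordHasher.verify('correct horse battery staple', h1)
assert PasswordHasher.verify('correct horse battery staple', h2)
assert !PasswordHasher.verify('Tr0ub4dor&3', h1)
```

`PBKDF2WithHmacSHA256` needs Java 8 or later. The two sample passwords are the ones from the xkcd strip on slide 18.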
  30. Not showing the links doesn't mean it is protected / Assuming a user is logged in doesn't mean they should have access to everything
  31. <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
  32. URL Mappings / allowedMethods
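The image tag on slide 31 fires a GET with the victim's cookies; `allowedMethods` on slide 32 stops that, but not a hidden auto-submitting POST form, which needs a synchronizer token. The controller below is an added example, not the talk's code, combining both. It assumes Grails 2.x, a `transferService` and the `TransferCommand` fields shown; those names are assumptions.

```groovy
class TransferController {

    // A GET (an <img src>, a link, a redirect) is refused with 405 before the
    // action runs; only a POST reaches transferFunds.
    static allowedMethods = [transferFunds: 'POST']

    def transferService

    // withForm checks the per-session token that <g:form useToken="true">
    // embeds. A POST forged from another origin cannot read that token, so
    // it lands in invalidToken; a replayed token is refused the same way.
    def transferFunds(TransferCommand cmd) {
        withForm {
            if (cmd.hasErrors()) {
                render(view: 'form', model: [cmd: cmd])
                return
            }
            transferService.transfer(cmd)
            redirect(action: 'confirmation')
        }.invalidToken {
            render(status: 403, text: 'missing or reused form token')
        }
    }
}

class TransferCommand {
    BigDecimal amount
    String destinationAccount

    static constraints = {
        amount min: 0.01
        destinationAccount blank: false
    }
}
```

The form side is `<g:form action="transferFunds" useToken="true">`. Note what the token does not do: it proves the request came from the application's own form, not that the logged-in user may move money out of the source account, so the ownership check from slide 26 still applies inside `transferService`.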
  33. Apple SSL issue, OS X/iOS
