4. Motivation for this talk
• Seen a lot
• Providing a starting point
• Sharing something
• Making you aware
5. The Top 10 Most Critical Web Application Security Risks (aka OWASP Top 10)
• A1: Injection
• A2: Broken Authentication and Session Management
• A3: Cross-Site Scripting (XSS)
• A4: Insecure Direct Object References
• A5: Security Misconfiguration
• A6: Sensitive Data Exposure
• A7: Missing Function Level Access Control
• A8: Cross-Site Request Forgery (CSRF)
• A9: Using Components with Known Vulnerabilities
• A10: Unvalidated Redirects and Forwards
Source: http://owasptop10.googlecode.com (Attribution-ShareAlike 3.0 Unported, CC BY-SA 3.0)
6. What is OWASP?
• Open Web Application Security Project
• Improving the security of (web) application software
– Not-for-profit organization since 2001
– Raise interest in secure development
• Documents
– Top 10
– Cheat Sheets
– Development Guides
• Solutions
– Enterprise Security API (ESAPI)
– WebScarab
– WebGoat
8. Injection: What is it?
• Sending unintended data to applications
• Manipulating and reading data stores (e.g. DB, LDAP, file system, etc.)
• Java EE 6 affected:
– UI technology of choice
– Database access (JPA, JDBC)
– File System API
– etc.
9. Injection: How to spot it!
```java
String customerId = request.getParameter("customerId");
// the request parameter is concatenated straight into the SQL text
String query = "SELECT balance FROM customer_data WHERE customer_id = "
    + customerId;
try {
    Statement statement = connection.createStatement( … ); // arguments elided on the slide
    ResultSet results = statement.executeQuery( query );
} catch (SQLException e) {
    // error handling omitted on the slide
}
// user input that turns the single SELECT into two statements:
String customerId = "x'; DROP TABLE members; --"; // user-input
```
10. Prevent Injection
• Sanitize the input
• Escape/quote-safe the input, e.g. use ESAPI
• Use bound parameters (the PREPARED statement)
• Limit database permissions and segregate users
• Configure error reporting, e.g. use the OWASP LAPSE+ Static Code Analysis Tool
11. Prevent Injection, Sample
```java
String customerId = request.getParameter("customerId");
// Option 1: white-list validation and encoding for the target database dialect
String escapedCustomerId = ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId );
String query = "SELECT balance FROM customer_data WHERE customer_id = "
    + escapedCustomerId;
...
// OR
// Option 2: bound parameter; the input never becomes part of the SQL text
String query = "SELECT balance FROM customer_data WHERE customer_id = ? ";
// using pstmt (or stmt) with encoded/validated input parameters
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, customerId );
ResultSet results = pstmt.executeQuery( );
```
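The balance lookup from slide 9, carried through as a complete class, is given below as an added example; it is not code from the slides and does not use ESAPI. It combines the two slide-10 measures that need no extra library: white-list validation of the parameter (customer ids must be short decimal numbers) and a bound parameter via PreparedStatement. The table and column names are the ones on the slide; the class name, the regular expression, and the assumption that a JDBC Connection is handed in by the caller (e.g. from a container-managed DataSource) are this example's own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/**
 * Added example (not from the slides): the slide-9 balance lookup with
 * white-list validation of the request parameter and a bound parameter
 * instead of string concatenation. Written for Java 6 / Java EE 6.
 */
public class BalanceLookup {

    // White list: a customer id is 1 to 10 decimal digits, nothing else.
    private static final Pattern CUSTOMER_ID = Pattern.compile("[0-9]{1,10}");

    /** Returns the id as a long, or throws if the raw value is not on the white list. */
    static long validateCustomerId(String raw) {
        if (raw == null || !CUSTOMER_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("customerId rejected by white list");
        }
        return Long.parseLong(raw);
    }

    /**
     * Looks up the balance. The value is sent by the driver as a separate, typed
     * parameter, so it can never change the structure of the statement.
     * Returns null when no row matches.
     */
    static Long findBalance(Connection connection, String rawCustomerId) throws SQLException {
        long customerId = validateCustomerId(rawCustomerId);
        String query = "SELECT balance FROM customer_data WHERE customer_id = ?";
        PreparedStatement pstmt = connection.prepareStatement(query);
        try {
            pstmt.setLong(1, customerId);
            ResultSet results = pstmt.executeQuery();
            try {
                return results.next() ? Long.valueOf(results.getLong("balance")) : null;
            } finally {
                results.close();
            }
        } finally {
            pstmt.close();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the second one is the injection string from slide 9.
        String[] inputs = { "42", "x'; DROP TABLE members; --" };
        for (String input : inputs) {
            try {
                System.out.println(input + " -> accepted as " + validateCustomerId(input));
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> " + e.getMessage());
            }
        }
    }
}
```

The white list rejects the slide-9 input before any SQL is built; even if validation were skipped, setLong() keeps the value out of the statement text. The validation step is still worth having, because it also stops the parameter from reaching other sinks (log lines, LDAP filters, file names) that have no bound-parameter equivalent.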
13. Broken Authentication and Session Management: What is it?
• Container Security vs. own solution
• Session Binding / Session Renewal
• Passwords
– Strength (length/complexity)
– Plain text passwords (http/https)
– Recovery mechanisms
• Number of factors used for authentication
• Java EE 6 affected:
– JAAS / JASPIC
– Filter / PhaseListener
– Container and Web-App configuration
14. Broken Authentication and Session Management: How to spot it
• Authentication over http
• Custom security filter
• Not using Container Functionality
• No password strength requirements
• No HttpSession binding
• Way of saving Passwords
• Not testing security
15. Broken Authentication and Session Management: Best Practices
• Use Container Managed Security!
• Go with the provided standard Realms and LoginModules whenever possible
• Invalidate the session and all relevant bits when the user logs out
• If you need custom ones: test them extremely carefully!
• Use transport layer encryption (TLS/SSL) for authentication and credential transport
• Review and adopt OWASP’s ASVS (Application Security Verification Standard)
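As an added example (not code from the slides), the servlet below puts the slide-15 practices together on the Servlet 3.0 API that Java EE 6 provides: it delegates the credential check to the container (request.login(), so the configured realm and login module do the work), refuses to take credentials over plain HTTP, renews the session id at the login boundary so a session fixed before authentication is not carried over, and on logout clears the caller identity and invalidates the session. The servlet path, the parameter names and the redirect targets are assumptions of this example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the slides): login/logout on top of container-managed
 * security (Servlet 3.0 / Java EE 6). Path and parameter names are assumptions.
 */
@WebServlet("/auth")
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String action = request.getParameter("action");
        if ("login".equals(action)) {
            login(request, response);
        } else if ("logout".equals(action)) {
            logout(request, response);
        } else {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    private void login(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (!request.isSecure()) {
            // Credentials travel over TLS only (slide 15).
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        try {
            // The container's realm / LoginModule checks the credentials.
            request.login(request.getParameter("username"), request.getParameter("password"));
        } catch (ServletException e) {
            // One generic answer: do not reveal whether the user or the password was wrong.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        renewSession(request);
        response.sendRedirect(request.getContextPath() + "/home");
    }

    private void logout(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.logout();                       // clears the container's caller identity
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();               // drops every attribute bound to the session
        }
        response.sendRedirect(request.getContextPath() + "/");
    }

    /**
     * Servlet 3.0 has no changeSessionId(): invalidate the pre-login session and
     * move its attributes into a fresh one so the id changes at the privilege boundary.
     */
    static void renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}
```

The servlet holds no password-checking code of its own, which is the point of slide 15: the realm configuration in the container decides how credentials are verified and stored, and the application only asks the container for the result.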
17. Cross-Site Scripting (XSS): What is it?
• Inject malicious code into user interfaces
• Get access to browser information
– E.g. javascript:alert(document.cookie)
• Steal user’s session, steal sensitive data
• Rewrite web page or parts
• Redirect user to phishing or malware site
• Java EE 6 affected:
– UI technology of choice (e.g. JSF, JSP)
18. Cross-Site Scripting (XSS): How to spot it
• Anywhere that untrusted data is used as one of the following in the outgoing response:
– HTML element’s attributes
– JavaScript variables
– CSS values
– Etc.
```java
// the request parameter lands unencoded inside an HTML attribute value
(String) page += "<input name='creditcard' type='TEXT' value='" +
    request.getParameter("CC") + "'>";
```
19. Cross-Site Scripting (XSS): Prevent
• Sanitize the input. E.g. use OWASP AntiSamy or
OWASP Java HTML Sanitizer, etc.
• Escape untrusted data based on the HTML
context (body, attribute, JavaScript, CSS, or
URL)
• Use Cookie flags:
– httpOnly (prevents XSS access)
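The slide-18 fragment with its output encoded for the attribute context, plus the cookie flags from slides 19 and 33, as an added example. This is not code from the slides and not the ESAPI, AntiSamy or Java HTML Sanitizer encoders they recommend; it is a minimal encoder for one context (a quoted HTML attribute value) so the mechanism is visible. The class and method names and the cookie name are this example's own.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (not from the slides): output encoding for the HTML attribute
 * context and a cookie that script cannot read. Names are this example's own.
 */
public class AttributeEncoding {

    /**
     * Encodes for a quoted HTML attribute value: every character that could end
     * the quote, start a tag or start an entity becomes an entity reference.
     * Other contexts (JavaScript, CSS, URL) need their own encoders, as slide 19 says.
     */
    static String encodeForHtmlAttribute(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The slide-18 fragment with the parameter encoded before it reaches the attribute. */
    static String renderCreditCardField(HttpServletRequest request) {
        String cc = encodeForHtmlAttribute(request.getParameter("CC"));
        return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
    }

    /**
     * An application cookie that script cannot read (httpOnly, slide 19) and that
     * is only sent over TLS (secure, slide 33). Cookie name is a placeholder.
     */
    static Cookie hardenedCookie(String value) {
        Cookie cookie = new Cookie("APP_TOKEN", value);
        cookie.setHttpOnly(true);   // Servlet 3.0 API
        cookie.setSecure(true);
        cookie.setPath("/");
        return cookie;
    }

    public static void main(String[] args) {
        // Constructed input: a value that would close the attribute quote and open a tag.
        String probe = "'><script>alert(1)</script>";
        System.out.println(encodeForHtmlAttribute(probe));
    }
}
```

For the container's own session cookie the flags are not set from code but in web.xml, through the Servlet 3.0 session-config/cookie-config element (http-only and secure), so the hardening holds for every session the container creates.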
21. Insecure Direct Object References: What is it?
• Exposing secure objects without defense.
• Accessing domain objects with their PK. E.g.
https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected:
– All layers
– Especially data access
22. Insecure Direct Object References: How to spot it
• Direct user input to object mapping
• No verification on user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints
23. Insecure Direct Object References: Best Practices
• Use AccessReferenceMaps (direct reference -> indirect reference)
– http://app?file=Report123.xls -> http://app?file=1
– http://app?id=9182374 -> http://app?id=7d3J93
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view
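An indirect reference map of the kind the slide points at, written out as an added example (this is not the slides' code, and ESAPI ships its own AccessReferenceMap with a different API): one map per user session, filled with the objects that user is allowed to reach, so the page only ever carries random tokens and the server refuses any token it did not hand out. The class name, token alphabet and length, and the sample file names are this example's own.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the slides): a per-session indirect reference map.
 * Fill it with the objects the current user owns; hand only the tokens to the client.
 */
public class IndirectReferenceMap<T> {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String ALPHABET =
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    private final Map<String, T> indirectToDirect = new HashMap<String, T>();
    private final Map<T, String> directToIndirect = new HashMap<T, String>();

    /** Registers a direct reference the user may reach and returns the token to put in the page. */
    public synchronized String addDirectReference(T direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) {
            return existing;
        }
        String token;
        do {
            token = randomToken(8);
        } while (indirectToDirect.containsKey(token));
        indirectToDirect.put(token, direct);
        directToIndirect.put(direct, token);
        return token;
    }

    /** Resolves a token from the request; an unknown token is an access violation, not a miss. */
    public synchronized T getDirectReference(String indirect) {
        T direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) {
            throw new SecurityException("unknown object reference");
        }
        return direct;
    }

    private static String randomToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the files this user owns, registered once per session.
        IndirectReferenceMap<String> files = new IndirectReferenceMap<String>();
        String token = files.addDirectReference("Report123.xls");
        System.out.println("link in the page: http://app?file=" + token);
        System.out.println("resolved on the server: " + files.getDirectReference(token));
        try {
            files.getDirectReference("Report124.xls"); // a direct name is not a valid token
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The map replaces guessable identifiers, but it does not replace the authorization check the slide asks for on the view: the map must be built from the user's own objects, and the data layer should still verify ownership when it loads the resolved reference.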
25. Security Misconfiguration: What is it?
• Applies to
– Operating System
– Application Server
– Databases
– Additional Services
– Frameworks
– Developed Code
– Etc.
• Includes (beside _many_ others)
– All security relevant configuration
– Missing Patches
– Default accounts
26. Security Misconfiguration: Worst Practices
• Network interfaces/sockets without access control
• Relaxed file system access control
• Using any defaults like:
– Passwords: Admin, master password
– Network interface binding: listening on 0.0.0.0
– Certificates: self-signed certificate
• Using an OS that has not been hardened!
• Not using a segregated user for the service
• Not restricting the GlassFish/server component-specific user, nor enabling the security manager
27. Policy Files location
• Global Policy File: java.home/jre/lib/security/java.policy
• User Policy File: user.home/.java.policy
• Domain Policy File: domain.home/config/server.policy
• Application Policy File: domain.home/generated/policy/<app.name>/<module.name>/granted.policy
28. Review the *.policy files
• Know the policy files' precedence order
• Remove unused grants
• Add extra permissions only to the applications or modules that require them, not to all applications deployed to a domain
• Document your changes!
29. Running GlassFish in a Secure Environment
• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design
http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
31. Sensitive Data Exposure: What is it?
• Sensitive data kept unprotected
• Sensitive data exposed to wrong persons
• Could be:
– Passwords
– Financial/Health care data
– Credit cards
32. Sensitive Data Exposure: Worst Practices
• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords/security question answers…)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data
33. Sensitive Data Exposure: Worst Practice
• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self-signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure
34. Sensitive Data Exposure: Prevention
• Identify sensitive data
• Wisely encrypt sensitive data
– On every level (application, appserver, db)
– With the right algorithm, as strong as possible but not more!
– With the right mechanism, e.g. scrypt and bcrypt
• Don’t keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies
35. Sensitive Data Exposure: Best Practice
• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient