SlideShare une entreprise Scribd logo

JSF Security

Source Conference
Source Conference

SOURCE Seattle 2011 - Krishna Raja

Technologie
1  sur  24
Télécharger pour lire hors ligne
JSF Security © 2011 Security Compass inc. 1
JSF Input Validation abcd <script> 24c;-- Validated Input © 2011 Security Compass inc. 2
MyFaces: validateRegExpr Tag <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %> Using Apache Tomahawk tag library <h:outputLabel for="zip1" value="Zip"/> <t:inputText value="#{order.zipCode}" id="zip1"> <t:validateRegExpr pattern="d{5}" message="ZIP Code must be 5 digits"/> </t:inputText> © 2011 Security Compass inc. 3
Facelets Implementation <html ... xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:t="http://myfaces.apache.org/tomahawk"> <h:inputText type="text" id="val“ value="#{SimpleBean.val}" required="true"> <t:validateRegExpr pattern="[a-zA-Z]{1,100}" /> </h:inputText> © 2011 Security Compass inc. 4
Demo: Facelets validation
Mojarra Validators xmlns:mj=http://mojarra.dev.java.net/mojarra_ext <h:inputText type="text" id="val“ value="#{SimpleBean.val}" required="true"> <mj:regexValidator pattern="[a-zA-Z]{1,50}"/> </h:inputText> There also exists: <mj:creditCardValidator/> © 2011 Security Compass inc. 6
JSF 2.0 Validators • Part of JSF 2.0 core tag library • Can leverage: – <f:validateLength …/> – <f:validateLongRange …/> – <f:validateDoubleRange …/> – <f:validateRegex pattern=“…”/> © 2011 Security Compass inc. 7
Demo: JSF 2.0 Validators
Other JSF Validation Techniques • Validation in Action Controller – Validation tied closely to biz logic – Dependence between different fields • Custom validation methods – More complex validation (i.e. built-in JSF validator doesn’t suit your need) © 2011 Security Compass inc. 9
Output Encoding in JSF <script>alert('xss') &lt; &gt; &#x28;&#x27;&#x29; © 2011 Security Compass inc. 10
<h:outputText> & <h:outputFormat> <h:outputText value="#{param.name}"/> escape attribute is set to “true” by default <h:outputFormat value=“#{param.name}”/> © 2011 Security Compass inc. 11
Output encoding with Facelets <ui:define name="body"> This will safely encode as an HTML element in a Facelet: <h:outputText value="#{SimpleBean.val}"> </h:outputText> </ui:define> EL expression is automatically encoded © 2011 Security Compass inc. 12
But there’s a problem … • <h:outputText> and <h:outputFormat> cannot be used safely within: – HTML attribute – JavaScript or CSS • Similar problem with: Facelets ${bean.name} © 2011 Security Compass inc. 13
Problems with RichFaces • Some tags can lead to XSS • Never use user-supplied data with: – <a4j:loadScript> – <a4j:loadStyle> – <rich:componentControl> • Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth> © 2011 Security Compass inc. 14
Solution: OWASP ESAPI EL <p> <input type="text“ value="${esapi:encodeForHTMLAttribute(dangerous)}"/> </p> <p> <script language="javascript"> var str=${esapi:encodeForJavaScript(dangerous)}; </script> </p> © 2011 Security Compass inc. 15
Demo: ESAPI encoding
Page Level Authorization
ESAPI AccessController • Interface that provides access control for – URLs – Business functions – Data services & files • Contains: – assertAuthorizedForURL(String URL) © 2011 Security Compass inc. 18
Demo: AccessController
Defending Against CSRF Anti-CSRF tokens
What about JSF “view state”? • javax.faces.STATE_SAVING_METHOD – Can save and restore state of the view between requests to server STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ??? © 2011 Security Compass inc. 21
Problem: Padding Oracle Attack • Recently discovered exploit against CBC- mode encryption with PKCS#5 padding • Incorrect padding can result in java.crypto.BadPaddingException • Can use to decrypt STATE_SAVING_METHOD © 2011 Security Compass inc. 22
Solution: OWASP CSRF Guard • Version 3 recently released! • Library that injects per-session or per- request tokens into HTML • Can use 2 strategies to inject token: – JavaScript DOM Manipulation – JSP Tag Library © 2011 Security Compass inc. 23
Demo: Anti-CSRF Tokens

Recommandé

Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityOWASPKerala
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeAleksandar Bozinovski
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
Java Security
Java SecurityJava Security
Java Securityelliando dias
 
David Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSDavid Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSSource Conference
 

Recommandé

Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityOWASPKerala
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeAleksandar Bozinovski
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
Java Security
Java SecurityJava Security
Java Securityelliando dias
 
David Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSDavid Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSSource Conference
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
Servlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingServlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingKnoldus Inc.
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Codemotion
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Untrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisUntrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisEnrico Micco
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongPopular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongWaratek Ltd
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Spring security 2017
Spring security 2017Spring security 2017
Spring security 2017Vortexbird
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Struts & hibernate ppt
Struts & hibernate pptStruts & hibernate ppt
Struts & hibernate pptPankaj Patel
 
Brisk WebApp penetration tester
Brisk WebApp penetration testerBrisk WebApp penetration tester
Brisk WebApp penetration testerBriskInfosec Solutions
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Struts Interview Questions
Struts Interview QuestionsStruts Interview Questions
Struts Interview Questionsjbashask
 
Struts presentation
Struts presentationStruts presentation
Struts presentationNicolaescu Petru
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 

Contenu connexe

Tendances

JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
Servlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingServlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingKnoldus Inc.
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Codemotion
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Untrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisUntrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisEnrico Micco
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongPopular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongWaratek Ltd
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Spring security 2017
Spring security 2017Spring security 2017
Spring security 2017Vortexbird
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Struts & hibernate ppt
Struts & hibernate pptStruts & hibernate ppt
Struts & hibernate pptPankaj Patel
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Struts Interview Questions
Struts Interview QuestionsStruts Interview Questions
Struts Interview Questionsjbashask
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 

Tendances (19)

JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
Servlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingServlet to Spring: Internal Understanding
Servlet to Spring: Internal Understanding
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAAS
 
Untrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisUntrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysis
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongPopular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptal
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Spring security 2017
Spring security 2017Spring security 2017
Spring security 2017
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Struts & hibernate ppt
Struts & hibernate pptStruts & hibernate ppt
Struts & hibernate ppt
 
Brisk WebApp penetration tester
Brisk WebApp penetration testerBrisk WebApp penetration tester
Brisk WebApp penetration tester
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Struts Interview Questions
Struts Interview QuestionsStruts Interview Questions
Struts Interview Questions
 
Struts presentation
Struts presentationStruts presentation
Struts presentation
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0beta
 

Similaire à JSF Security

OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
Jetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO ExtendedJetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO ExtendedToru Wonyoung Choi
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript InsecurityKsenia Peguero
 
WinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationWinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationJeremy Kao
 
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0Arun Gupta
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
25+ Reasons to use OmniFaces in JSF applications
25+ Reasons to use OmniFaces in JSF applications25+ Reasons to use OmniFaces in JSF applications
25+ Reasons to use OmniFaces in JSF applicationsAnghel Leonard
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010Arun Gupta
 

Similaire à JSF Security (20)

OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Node.js vs Play Framework
Node.js vs Play FrameworkNode.js vs Play Framework
Node.js vs Play Framework
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Jetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO ExtendedJetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO Extended
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript Insecurity
 
WinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationWinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test Automation
 
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
25+ Reasons to use OmniFaces in JSF applications
25+ Reasons to use OmniFaces in JSF applications25+ Reasons to use OmniFaces in JSF applications
25+ Reasons to use OmniFaces in JSF applications
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
 

Plus de Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 

Plus de Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 

Dernier

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Dernier (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

JSF Security

  • 1. JSF Security © 2011 Security Compass inc. 1
  • 2. JSF Input Validation abcd <script> 24c;-- Validated Input © 2011 Security Compass inc. 2
  • 3. MyFaces: validateRegExpr Tag <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %> Using Apache Tomahawk tag library <h:outputLabel for="zip1" value="Zip"/> <t:inputText value="#{order.zipCode}" id="zip1"> <t:validateRegExpr pattern="d{5}" message="ZIP Code must be 5 digits"/> </t:inputText> © 2011 Security Compass inc. 3
  • 4. Facelets Implementation <html ... xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:t="http://myfaces.apache.org/tomahawk"> <h:inputText type="text" id="val“ value="#{SimpleBean.val}" required="true"> <t:validateRegExpr pattern="[a-zA-Z]{1,100}" /> </h:inputText> © 2011 Security Compass inc. 4
  • 6. Mojarra Validators xmlns:mj=http://mojarra.dev.java.net/mojarra_ext <h:inputText type="text" id="val“ value="#{SimpleBean.val}" required="true"> <mj:regexValidator pattern="[a-zA-Z]{1,50}"/> </h:inputText> There also exists: <mj:creditCardValidator/> © 2011 Security Compass inc. 6
  • 7. JSF 2.0 Validators • Part of JSF 2.0 core tag library • Can leverage: – <f:validateLength …/> – <f:validateLongRange …/> – <f:validateDoubleRange …/> – <f:validateRegex pattern=“…”/> © 2011 Security Compass inc. 7
  • 8. Demo: JSF 2.0 Validators
  • 9. Other JSF Validation Techniques • Validation in Action Controller – Validation tied closely to biz logic – Dependence between different fields • Custom validation methods – More complex validation (i.e. built-in JSF validator doesn’t suit your need) © 2011 Security Compass inc. 9
  • 10. Output Encoding in JSF <script>alert('xss') &lt; &gt; &#x28;&#x27;&#x29; © 2011 Security Compass inc. 10
  • 11. <h:outputText> & <h:outputFormat> <h:outputText value="#{param.name}"/> escape attribute is set to “true” by default <h:outputFormat value=“#{param.name}”/> © 2011 Security Compass inc. 11
  • 12. Output encoding with Facelets <ui:define name="body"> This will safely encode as an HTML element in a Facelet: <h:outputText value="#{SimpleBean.val}"> </h:outputText> </ui:define> EL expression is automatically encoded © 2011 Security Compass inc. 12
  • 13. But there’s a problem … • <h:outputText> and <h:outputFormat> cannot be used safely within: – HTML attribute – JavaScript or CSS • Similar problem with: Facelets ${bean.name} © 2011 Security Compass inc. 13
  • 14. Problems with RichFaces • Some tags can lead to XSS • Never use user-supplied data with: – <a4j:loadScript> – <a4j:loadStyle> – <rich:componentControl> • Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth> © 2011 Security Compass inc. 14
  • 15. Solution: OWASP ESAPI EL <p> <input type="text“ value="${esapi:encodeForHTMLAttribute(dangerous)}"/> </p> <p> <script language="javascript"> var str=${esapi:encodeForJavaScript(dangerous)}; </script> </p> © 2011 Security Compass inc. 15
  • 18. ESAPI AccessController • Interface that provides access control for – URLs – Business functions – Data services & files • Contains: – assertAuthorizedForURL(String URL) © 2011 Security Compass inc. 18
  • 21. What about JSF “view state”? • javax.faces.STATE_SAVING_METHOD – Can save and restore state of the view between requests to server STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ??? © 2011 Security Compass inc. 21
  • 22. Problem: Padding Oracle Attack • Recently discovered exploit against CBC- mode encryption with PKCS#5 padding • Incorrect padding can result in java.crypto.BadPaddingException • Can use to decrypt STATE_SAVING_METHOD © 2011 Security Compass inc. 22
  • 23. Solution: OWASP CSRF Guard • Version 3 recently released! • Library that injects per-session or per- request tokens into HTML • Can use 2 strategies to inject token: – JavaScript DOM Manipulation – JSP Tag Library © 2011 Security Compass inc. 23