Xebia Knowledge Exchange - Owasp Top Ten

www.xebia.fr / blog.xebia.fr
OWASP Security Top Ten
OWASP top ten and Java protections
Cyrille Le Clerc
cleclerc@xebia.fr
Tuesday, November 24, 2009

OWASP Security Top Ten
 This presentation is based on
OWASP Top 10 For Java EE
The Ten Most Critical Web Application Security
Vulnerabilities For Java Enterprise Applications
http://www.owasp.org/index.php/Top_10_2007
2

Cross Site Scripting (XSS)

 What ?
 Subset of HTML injections
 Data provided by malicious users are rendered in web pages and
execute scripts
 Goal ?
 Hijack user session, steal user data, deface web site, etc
 Sample
 lastName:
4
Cyrille "><script ... />

How to prevent it ?
 Input Validation : JSR 303 Bean Validation
5
public class Person {
@Size(min = 1, max = 256)
private String lastName;
@Size(max = 256)
@Pattern(regexp = ".+@.+.[a-z]+")
private String email;
...
}
@Controller("/person")
public class PersonController {
@RequestMapping(method=RequestMethod.POST)
public void save(@Valid Person person) {
// ...
}
}
Bean
C
ontroller

How to prevent it ?
 HTML output escaping
 JSTL
 Expression language danger DO NOT ESCAPE !!!
 Spring MVC
» Global escaping
» Page level
6
<h2>Welcome <c:out value="${person.lastName}" /></h2>
<web-app>
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
...
</web-app>
JSP
EL
does
N
O
T
escape
!!!
<h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>
<spring:htmlEscape defaultHtmlEscape="true" />

How to prevent it ?
 Use HTTP Only cookies
 Cookies not accessible via javascript
 Introduced with Servlet 3.0
 Since Tomcat 6.0.20 for session cookies
 Manual workaround
7
<Context useHttpOnly="true">
...
</Context>
cookie.setHttpOnly(true);
response.setHeader("set-cookie", "foo=" + bar + "; HttpOnly");
N
o
w
eb.xm
l
configuration
for
JSESSIO
N
ID

How to prevent it ?
 Do not use blacklist validation but blacklist
 Forbidden : <script>, <img>
 Prefer wiki/forum white list style: [img], [url], [strong]
8

Injection Flaws

Injection Flaws
 What ?
 Malicious data provided by user to read or modify sensitive data
 Types of injection : SQL, Hibernate Query Language (HQL), LDAP,
XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP
requests, and many more
 Goal ?
 Create, modify, delete, read data
 Sample
 lastName:
10
Cyrille "; INSERT INTO MONEY_TRANSFER ...

Injection Flaws
How to prevent it ?
 Input validation
 XSD with regular expression, min and max values, etc
 JSR 303 Bean Validation
11

Injection Flaws
How to prevent it ?
 Use strongly typed parameterized query API
 JDBC
 JPA
 HTTP
 XML
 XPath :-(
12
Element lastNameElt = doc.createElement("lastName");
lastNameElt.appendChild(doc.createTextNode(lastName));
GetMethod getMethod = new GetMethod("/findPerson");
getMethod.setQueryString(new NameValuePair[]{new NameValuePair("lastName", lastName)});
query.setParameter("lastName", lastName);
preparedStatement.setString(1, lastName);

Injection Flaws
How to prevent it ?
 If not, use escaping libraries very cautiously !!!
 HTML
 Javascript
 HTTP
 XML
 Don’t use simple escaping functions !
13
"<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";
"/findPerson?" + URLEncoder.encode(lastName, "UTF-8");
"lastName = ‘" + StringEscapeUtils.escapeJavaScript(lastName) + "’;";
"<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";
Caution !
StringUtils.replaceChars(lastName, "’", "’’");

Injection Flaws
How to prevent it ?
 Don’t use dynamic queries at all !
14
JPA
2
C
riteria
API
if (StringUtils.isNotEmpty(lastName)) {
jpaQl += " lastName like '" + lastName + "'";
}
Map<String, Object> parameters = new HashMap<String, Object>();
jpaQl += " lastName like :lastName ";
parameters.put("lastName", lastName);
}
Query query = entityManager.createQuery(jpaQl);
for (Entry<String, Object> parameter : parameters.entrySet()) {
query.setParameter(parameter.getKey(), parameter.getValue());
}
criteria.add(Restrictions.like("lastName", lastName));
}
JPA
1
Q
uery
API

Injection Flaws
How to prevent it ?
 Enforce least privileges
 Don’t be root
 Limit database access to Data Manipulation Language
 Limit file system access
 Use firewalls to enter-from / go-to the Internet
15

Malicious File Execution

 What ?
 Malicious file or file path provided by users access files
 Goal ?
 Read or modify sensitive data
 Remotely execute files (rootkits, etc)
 Sample
 pictureName:
17
../../WEB-INF/web.xml

How to prevent it ?
 Don’t build file path from user provided data
 Don’t execute commands with user provided data
 Use an indirection identifier to users
 Use firewalls to prevent servers to connect to outside sites
18
String picturesFolder = servletContext.getRealPath("/pictures") ;
String pictureName = request.getParameter("pictureName");
File picture = new File((picturesFolder + "/" + pictureName));
Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));

Insecure Direct Object Reference

 What ?
 Transmit user forgeable identifiers without controlling them server side
 Goal ?
 Create, modify, delete, read other user’s data
 Sample
20
<html><body>
<form name="shoppingCart">
<input name="id" type="hidden" value="32" />
...
</form>
</body><html>
ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));

How to prevent it ?
 Input identifier validation
 reject wildcards (“10%20”)
 Add server side identifiers
 Control access permissions
 See Spring Security
21
Criteria criteria = session.createCriteria(ShoppingCart.class);
criteria.add(Restrictions.like("id", request.getParameter("id")));
criteria.add(Restrictions.like("clientId", request.getRemoteUser()));
ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();

How to prevent it ?
 Use server side indirection with generated random
 See org.owasp.esapi.AccessReferenceMap
22
String indirectId = request.getParameter("id");
String id = accessReferenceMap.getDirectReference(indirectId);
ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);
String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());
<html><body>
<form name="shoppingCart">
<input name="id" type="hidden" value="${indirectId}" />
...
</form>
</body><html>

Cross Site Request Forgery (CSRF)

 What ?
 Assume that the user is logged to another web site and send a
malicious request
 Ajax web sites are very exposed !
 Goal ?
 Perform operations without asking the user
 Sample
24
http://mybank.com/transfer.do?amount=100000&recipientAccount=12345

How to prevent it ?
 Ensure that no XSS vulnerability exists in your
application
 Use a random token in sensitive forms
 Spring Web Flow and Struts 2 provide such random token mechanisms
 Re-authenticate user for sensitive operations
25
<form action="/transfer.do">
<input name="token" type="hidden" value="14689423257893257" />
<input name="amount" />
...
</form>

Information Leakage and Improper
Exception Handling

Information Leakage and Improper Exception Handling
 What ?
 Sensitive code details given to hackers
 Usually done raising exceptions
 Goal ?
 Discover code details to discover vulnerabilities
27

 Sample
28

How to prevent it ?
 Avoid detailed error messages
 Beware of development mode messages !
 web.xml
 Tomcat
29
<web-app>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/empty-error-page.jsp</location>
</error-page>
...
</web-app>
<Server ...>
<Service ...>
<Engine ...>
<Host
errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve"
...>
...
</Host>
</Engine>
</Service>
</Server>

How to prevent it ?
 Don’t display stack traces in Soap Faults
 Sanitize GUI error messages
 Sample : “Invalid login or password”
30

Broken Authentication and Session
Management

Broken Authentication and Session Management
 What ?
 Web authentication and session handling have many tricks
 Goal ?
 Hijack user session
32

How to prevent it ?
 Log session initiation and sensitive data access
 Remote Ip, time, login, sensitive data & operation accessed
 Use a log4j dedicated non over-written output file
 Use out of the box session and authentication
mechanisms
 Don’t create your own cookies
 Look at Spring Security
33
#Audit
log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.audit.datePattern='-'yyyyMMdd
log4j.appender.audit.file=audit.log
log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.audit.layout.conversionPattern=%m %throwable{short}n
log4j.logger.com.mycompany.audit.Audit=INFO, audit
log4j.additivity.com.mycompany.audit.Audit=false

How to prevent it ?
 Use SSL and random token for authentication pages
 including login page display
 Regenerate a new session on successful authentication
 Use Http Only session cookies, don’t use URL rewriting
based session handling
 Prevent brute force attacks using timeouts or locking
password on authentication failures
 Don’t store clear text password, consider SSHA
34

How to prevent it ?
 Use a timeout period
 Remember Me cookies must be invalidated on password
change (see Spring Security)
 Beware not to write password in log files
 Server generated passwords (lost password, etc) must
be valid only once
 Be able to distinguish SSL communications
35

How to prevent it ?
 For server to server communication, use remote ip
control in addition to password validation
36

Insecure Cryptographic Storage

 What ?
 Cryptography has many traps
 Goal ?
 Steal sensitive data
38

How to prevent it ?
 Don’t invent custom cryptography solutions
 Java offers approved algorithms for hashing, symmetric key and public
key encryptions
 Double hashing is a custom weak algorithm
 Don’t use weak algorithms
 MD5 / SHA1, etc are weak. Prefer SHA-256
 Beware of private keys storage
 Java doesn’t offer chroot mechanisms to limit private keys files access
to root
 Storing secrets on servers requires expertise
39

Insecure Communications

 What ?
 Unsecure communications are easy to hack
 Goal ?
 Steal sensitive data, hijack user session
41

How to prevent it ?
 Use SSL with the Servlet API
42
request.isSecure()
<web-app ...>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted web services</web-resource-name>
<url-pattern>/services/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
...
</web-app>

How to prevent it ?
 Use SSL with Spring Security
43
<beans ...>
<sec:http auto-config="true">
<sec:intercept-url
pattern="/services/**"
requires-channel="https"
access="IS_AUTHENTICATED_FULLY" />
</sec:http>
</beans>

Xebia Knowledge Exchange - Owasp Top Ten

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Xebia Knowledge Exchange - Owasp Top Ten

Similaire à Xebia Knowledge Exchange - Owasp Top Ten (20)

Plus de Publicis Sapient Engineering

Plus de Publicis Sapient Engineering (20)

Dernier

Dernier (20)

Xebia Knowledge Exchange - Owasp Top Ten