Presentation about Rich Internet Application security with GWT and Vaadin. Presented at GWT.create 2013 in San Francisco and Frankfurt.

1. RIA security based
on OWASP Top 10
Kim Leppänen
Leif Åstrand
torsdag 19 december 13

2. OWASP Top 10
Open Web Application Security Project
torsdag 19 december 13

3. GWT?
Vaadin?
torsdag 19 december 13

4. A1: Injection
torsdag 19 december 13

5. “SELECT * FROM Users WHERE username=’”
+ userNameField.getValue() + “‘“
Not just SQL - could also be JPQL, HQL, shell,
XPath, XML, LDAP, regex, eval, ...
torsdag 19 december 13

6. Web frameworks can help
GWT
Vaadin
• N/A
• N/A
torsdag 19 december 13

7. A2: Broken
Authentication
and Session
Management
torsdag 19 december 13

8. Session ID fixation
Exposure of session ID
Exposing user credentials
torsdag 19 december 13

9. Web frameworks can help
GWT
Vaadin
• N/A
• Helper for changing
session id
torsdag 19 december 13

10. A3: Cross-Site
Scripting (XSS)
torsdag 19 december 13

11. Demo: auction
application
torsdag 19 december 13

12. Web frameworks can help
GWT
Vaadin
• setText
• SafeHtml
• setHtmlContentAllo
wed(false)
• Beware of tooltips
(setDescription)
torsdag 19 december 13

13. Other things to keep in
mind
Consider e.g. Markdown
instead of HTML for formatting
Different handling needed in
different contexts
Feel the power of the XSS filter
evasion cheat sheet
torsdag 19 december 13

14. A4: Insecure
Direct Object
References
torsdag 19 december 13

15. Web frameworks can help
GWT
Vaadin
• Not so much, since
this is mostly a
server-side thing
• Can be hard to
realize the problem
since requests are
“invisible”
• All ids are
generated values
that the server uses
to find the right
object when
needed
torsdag 19 december 13

16. A5: Security
Misconfiguration
torsdag 19 december 13

17. Web frameworks can help
GWT
Vaadin
• N/A
• productionMode =
true
torsdag 19 december 13

18. A6: Sensitive
Data Exposure
torsdag 19 december 13

19. Keep in mind
Use SSL, no excuses!
Salt and hash passwords
Avoid handling sensitive data,
e.g. credit card numbers
torsdag 19 december 13

20. A7: Missing
Function Level
Access Control
torsdag 19 december 13

21. A8: Cross-Site
Request Forgery
(CSRF)
torsdag 19 december 13

22. http://example.com/addRole?
user=adam&role=power_user
torsdag 19 december 13

23. <img src=”
http://example.com/addRole?
user=eve&role=power_user
“ />
torsdag 19 december 13

24. http://example.com/addRole?
user=eve&role=power_user&token=abcd
torsdag 19 december 13

25. Web frameworks can help
GWT
Vaadin
• GWT-RPC:
XsrfTokenService
and/or
HasRpcToken
• RequestFactory:
Make your own
RequestTransport
• Secured out of the
box
torsdag 19 december 13

26. A9: Using
Components
with Known
Vulnerabilities
torsdag 19 december 13

27. How do you
know whether
they are
vulnerable?
torsdag 19 december 13

28. A10: Unvalidated
Redirects and
Forwards
torsdag 19 december 13

29. <a href=”http://myapp.com?
redirect=example.com/evil"> Open app </a>
torsdag 19 december 13

30. Very quick
conclusion
torsdag 19 december 13

31. You need to
know what the
framework does
for you and what
you need to
handle yourself
torsdag 19 december 13

32. ?
torsdag 19 december 13
Did we get some
detail wrong?
Questions?
Please rate the talk at
gwtcreate.com/agenda
leif@vaadin.com
kim@vaadin.com