21. They are bots (automated scanners) from Virus vendors, Security organizations, search engines and more cataloging all web sites.
22. There is the famous GoogleBot, http://en.wikipedia.org/wiki/Googlebot, that will look for the site's robots.txt, see http://www.robotstxt.org/ , to learn what it may index on the web site. Hackers usually don't respect these gentlemen's agreements on the Internet.
23. There are so many scans on the Internet that many consider them white noise, and careers have been built on sifting through that white noise in network traffic.
24.
25.
26. A well known site containing a database of various keywords is found at http://www.hackersforcharity.org/ghdb/ .
34. The downside of Skipfish is that it was primarily created for Linux: it is written in C for gcc and uses BSD sockets. It can be compiled for Windows using Cygwin.
35. My demonstrations will be done in Hackme Books because it was written in J2EE and can be run on a local machine.
36.
37. Another tool that I use, of course Open Source, is WebScarab from OWASP, which is a Web proxy rather than a scanner.
38. WebScarab sits between a browser and the web site, or web service, as a proxy and reads the packets going across. Once the initial URL to the web site has been captured, you can also spider the site's URLs to scan them.
62. With efficient logging of authorization, access to secure information, and any anomalous interaction with the system, a proper recovery of the system is usually ensured.
63. The logs should be stored on a different system in case the Web system is ever compromised: one where the Web system sends them but never asks for them back.
64.
65. Output:

```java
import java.util.logging.*;
import java.io.*;

public class TestLog {
    public static void main(String args[]) {
        try {
            Logger logger = Logger.getLogger("TestLog");
            FileHandler fh = new FileHandler("mylog.txt");   // send records to a file
            fh.setFormatter(new SimpleFormatter());           // human-readable text records
            logger.addHandler(fh);
            logger.severe("my severe message");
            logger.warning("my warning message");
            logger.info("my info message");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```

The program writes the following to mylog.txt:

```
Mar 25, 2008 8:43:48 PM TestLog main
SEVERE: my severe message
Mar 25, 2008 8:43:49 PM TestLog main
WARNING: my warning message
Mar 25, 2008 8:43:49 PM TestLog main
INFO: my info message
```
66.
67. There are 3 components of handling an exception: the "try", "catch" and "finally" blocks.
68. The "try" block is where normal code throws an exception, the "catch" block catches the exception and handles it, and the "finally" block performs the cleanup afterwards.
69. The "catch" block can log the anomaly, stop the program, or process it in a hundred different ways.
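Putting the two ideas above together (an audit log the Web system only writes to, and a "catch" block that logs the detail but shows the user nothing useful to an attacker), here is an added example that is not part of the original slides. It assumes a hypothetical JDBC URL "jdbc:hypothetical://db.example/app" for which no driver is registered, so the lookup always fails and exercises the catch and finally paths; the audit.log file name is also an assumption.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.logging.FileHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

public class SafeErrorHandling {
    // Audit logger with its own handler. On a real system this handler would forward
    // to a separate log host (for example java.util.logging.SocketHandler) so the
    // Web server writes records it can never read back or alter.
    private static final Logger AUDIT = Logger.getLogger("audit");

    static {
        try {
            FileHandler fh = new FileHandler("audit.log", true);   // append, never overwrite
            fh.setFormatter(new SimpleFormatter());
            AUDIT.addHandler(fh);
            AUDIT.setUseParentHandlers(false);                    // keep audit records off the console
        } catch (IOException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Strip CR/LF so a crafted username cannot forge extra lines in the audit log
    static String forLog(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }

    // Returns text that is safe to show the user. The exception detail (driver name,
    // SQL state, stack trace) goes only to the audit log, not to the error page.
    public static String lookupAccount(String username) {
        Connection conn = null;
        try {
            // Hypothetical JDBC URL: no driver is registered for it, so this throws
            conn = DriverManager.getConnection("jdbc:hypothetical://db.example/app");
            return "Account found for " + username;
        } catch (SQLException e) {
            AUDIT.log(Level.SEVERE, "Account lookup failed for user=" + forLog(username), e);
            return "An internal error occurred. Please try again later.";
        } finally {
            // Cleanup runs on both paths; a failure here must not hide the original error
            if (conn != null) {
                try { conn.close(); } catch (SQLException ignored) { /* already logged above */ }
            }
        }
    }

    public static void main(String[] args) {
        System.out.println(lookupAccount("alice"));
    }
}
```

Run it and the console shows only the generic message, while audit.log receives the full "No suitable driver" stack trace with the user name on its own line; that split is the point of the slide on error pages.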
70.
71.
72. Even though the basic JDK logging framework can change its destination through the Handler configured in "logging.properties", Log4j offers more advanced features through the XML configuration of its Appender classes.
73.
74. Log4j demo.log:

```
2008-08-11 20:03:43,379 [com.demo.test] DEBUG - Show DEBUG message.
2008-08-11 20:03:43,409 [com.demo.test] INFO - Show INFO message.
2008-08-11 20:03:43,409 [com.demo.test] WARN - Show WARN message.
2008-08-11 20:03:43,409 [com.demo.test] ERROR - Show ERROR message.
2008-08-11 20:03:43,419 [com.demo.test] FATAL - Show FATAL message.
```
75.
76. An error page giving details, like a database or table name, may be more than enough to give an attacker the information needed to launch an attack at the website.
81. For example, a username and password are asked for on the Web page, and the web page passes them to the database to validate the information.
82. Some applications do not validate the fields adequately before passing them to the database, and the database will process whatever it receives.
83. Hackers will pass SQL commands directly to the database, and in some cases tables like "passwords" are returned because the SQL commands are not being filtered adequately.
88. Blind SQL Injection is performed when a hacker passes SQL commands into the web form and only generic errors are returned to the user, for instance a "404" Error page (page not found). The hacker has to make more extensive guesses about the database behind the web server.
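To show what "not being filtered adequately" looks like in JDBC code, and the fix, here is an added example that is not from the original slides. The table and column names (users, username, password) are constructed for the example, and loginSafe expects a java.sql.Connection supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginQuery {
    // VULNERABLE: the input is pasted into the SQL text, so quote characters in the
    // input become part of the statement and can change its logic.
    static String buildUnsafeSql(String username, String password) {
        return "SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'";
    }

    // HARDENED: the SQL text is fixed at compile time. Values travel separately as
    // parameters, so whatever they contain can never alter the statement's structure.
    static boolean loginSafe(Connection conn, String username, String password) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();   // true only when a row matched both values literally
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: a single quote closes the string, then a tautology follows
        String injected = "' OR '1'='1";
        System.out.println(buildUnsafeSql("guest", injected));
        // Prints: SELECT * FROM users WHERE username = 'guest' AND password = '' OR '1'='1'
        // which is true for every row. With loginSafe the same text is just a password
        // value that matches nothing.
    }
}
```

In production the password column would hold a salted hash and the comparison would be done in Java, but the structural fix is the same: parameters, never string concatenation.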
101. The problem with using JavaScript is the same as its purpose: the script can execute any script in the HTML browser, so it may also execute any script put into its place.
102. Hackers can use JavaScript to redirect the browser to a different website, input some extra data, or even access data in the browser itself, like browser cookies or the session information in the browser.
103. The hacker takes advantage of this by changing the information inside the <script> … </script> tags.
109. Using the JTidy framework, http://jtidy.sourceforge.net/ , you can encode a URL link as follows:

```html
<input type="text" name="url" value="<%=HTMLEncode.encode(userURL)%>" size="50"><br/>
```
110.
111.
112. The benefit to the attacker is that if a hidden image is injected into a user's browser while that browser currently holds their bank authentication cookie, then the hacker may hijack the victim's authentication.
113.
114. This tool is simply a browser proxy, built from WebScarab, that grabs data from websites as I browse them. Later, I will use these sites to generate the "IMG" (images), "Links", "Forms", etc., for the CSRF attack segments.
115.
116.
117.
118.
119. It will scrub the input before the HelloWorldServlet receives it.
120.
121.
122.
123.
124.
125. Servers use Session Management schemes to maintain the current conversation between the browser and the server, using cookies or transferring a session token.
126. Keep in mind that session state may be seen by others if transferred in clear text. Avoid any predictable or guessable information in it.
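The CSRF discussion above and the session-token advice here meet in the same piece of code: a forged request carries the victim's cookie, so the defence is a second, unguessable value that only the genuine page knows. This added example (not from the slides) shows a predictable session id beside an unpredictable one, a constant-time comparison, and a per-session CSRF token; the in-memory map standing in for HttpSession is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SessionTokens {
    private static final SecureRandom RNG = new SecureRandom();

    // Predictable: a counter (or a timestamp) lets an attacker guess neighbouring session ids.
    private static long counter = 1000;
    static String predictableSessionId() {
        return "SESS" + (counter++);
    }

    // Unpredictable: 32 bytes (256 bits) from a cryptographic RNG, as URL-safe text.
    static String randomToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Constant-time comparison so response timing does not reveal how many leading bytes matched.
    static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    // Hypothetical server-side table: session id -> CSRF token issued for that session
    // (synchronizer token pattern). Real code keeps this in the HttpSession.
    private static final Map<String, String> csrfTokens = new HashMap<>();

    static String newSession() {
        String sid = randomToken();
        csrfTokens.put(sid, randomToken());   // an independent secret embedded in the site's own forms
        return sid;
    }

    static String csrfTokenFor(String sid) {
        return csrfTokens.get(sid);
    }

    // A state-changing request is accepted only if it carries the session's own CSRF token.
    // A hidden IMG or form on another site sends the cookie automatically but cannot read this value.
    static boolean acceptForm(String sid, String submittedCsrfToken) {
        return tokensMatch(csrfTokens.get(sid), submittedCsrfToken);
    }

    public static void main(String[] args) {
        String sid = newSession();
        System.out.println("session id  : " + sid);
        System.out.println("csrf token  : " + csrfTokenFor(sid));
        System.out.println("genuine form: " + acceptForm(sid, csrfTokenFor(sid)));   // true
        System.out.println("forged form : " + acceptForm(sid, "guess"));            // false
        System.out.println("predictable : " + predictableSessionId() + ", " + predictableSessionId());
    }
}
```

Transmit both values only over HTTPS, as the slide warns, and mark the session cookie HttpOnly so script injected through XSS cannot read it.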
127.
128.
129. Security Realms. After a user has logged into a Form, a session can use the roles from the Application Server's Security Realm. A Realm is a "database" of usernames and passwords that identifies the valid users of a web application plus their roles. Application Servers, i.e. WebLogic or WebSphere, have GUI interfaces and even custom frameworks for managing Security Realms. For example, to get an existing user: weblogic.security.acl.User u = realm.getUser(userName);
132. When a system is in production, and especially on the Internet, there is no guarantee that you know who is watching the data transmitted between the user and the server. This may apply to the Local Area Network as well.
133. Never take it for granted that access cannot be broken.
134. Always use common algorithms that come with Java. Common algorithms are well tested and vetted by millions.
135. Keep the keys as secure as the data, because they can unlock the data.
136.
137. The one-way hash generates a fixed-size hash sum from data of any size.
138. The data cannot be reverse engineered from the hash, hence one-way.
140. Different data generates different hash sums. (Note: in rare cases, called collisions, different data generates the same sum.)
141.
142. The 128-bit hash sum can be used to check whether there has been tampering with data or a file.
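An added example, not from the slides, of tamper detection with the JDK's MessageDigest. It uses SHA-256 (a 256-bit sum) rather than a 128-bit algorithm, and also shows the keyed variant, HMAC, for the case where the attacker could rewrite the stored sum along with the data. The record and key are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Integrity {
    static String toHex(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Unkeyed hash: detects accidental corruption, or deliberate change as long as the
    // stored sum lives somewhere the attacker cannot also rewrite.
    static String sha256Hex(byte[] data) throws GeneralSecurityException {
        return toHex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    // Keyed hash (HMAC): an attacker who can rewrite both the data and the tag still
    // cannot produce a matching tag without the key.
    static String hmacSha256Hex(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return toHex(mac.doFinal(data));
    }

    // Compare in constant time so the position of the first mismatch does not leak through timing
    static boolean matches(String computedHex, String storedHex) {
        return MessageDigest.isEqual(computedHex.getBytes(StandardCharsets.UTF_8),
                                     storedHex.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample record, a tampered copy, and a demo key (use a random key in practice)
        byte[] original = "amount=100;to=acct-1234".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "amount=900;to=acct-1234".getBytes(StandardCharsets.UTF_8);
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

        String storedSum = sha256Hex(original);          // recorded while the record was known good
        String storedTag = hmacSha256Hex(key, original);

        System.out.println("sha256: " + storedSum);
        System.out.println("original unchanged? " + matches(sha256Hex(original), storedSum));      // true
        System.out.println("tampered unchanged? " + matches(sha256Hex(tampered), storedSum));      // false
        System.out.println("tampered HMAC ok?   " + matches(hmacSha256Hex(key, tampered), storedTag)); // false
    }
}
```

Changing a single digit of the amount changes the whole sum, which is the property the slide relies on; the HMAC line is what you need when the file and its checksum sit on the same compromised host.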
143.
144.
145.
146.
147. The Rijndael algorithm, developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, was selected.
148. NIST adopted it with a variable key size of 128, 192, or 256 bits as FIPS 197 and called it AES.
149.
150. AES output. This program generates the following:

```
ciphertext: 7=~↑╫‼Äε{▐ç≤■ßJ%
plaintext : Secret Message
```

Some key functions to keep track of:
1) "KeyGenerator.getInstance("AES");" will be used to get the algorithm to generate the key.
2) "Cipher.getInstance("AES");" will be used to get the encryption algorithm.
3) "cipher.init(Cipher.ENCRYPT_MODE, skeySpec)" will set the algorithm into encryption mode with the generated key.
4) "cipher.doFinal(message.getBytes());" will encrypt/decrypt the message depending on the algorithm mode.
5) "cipher.init(Cipher.DECRYPT_MODE, skeySpec)" will set the algorithm into decryption mode with the generated key.
151.
152. An asymmetric algorithm generates key pairs: one private key for encrypting, and its partner, the public key, which is handed out to more people for decryption.
153.
154. RSA Encryption/Decryption in Java (looks a little different than the AES code; the key pair generation and Base64 printing were added so the snippet runs on its own):

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;
import javax.crypto.Cipher;

public class RsaSlide {
    public static void main(String[] args) throws Exception {
        // Key pair generation (myKeyPair was not defined on the original slide)
        KeyPair myKeyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        // Instantiate the cipher
        String message = "Secret Message";
        Cipher cipher = Cipher.getInstance("RSA");
        cipher.init(Cipher.ENCRYPT_MODE, myKeyPair.getPrivate());
        byte[] encrypted = cipher.doFinal(message.getBytes());
        // Base64 so the raw bytes print as text rather than an array reference
        System.out.println("ciphertext: " + Base64.getEncoder().encodeToString(encrypted));
        cipher.init(Cipher.DECRYPT_MODE, myKeyPair.getPublic());
        System.out.println("plaintext : " + new String(cipher.doFinal(encrypted)));
    }
}
```
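An added example, not from the slides, showing the two jobs a key pair does and which key goes where in each. For confidentiality the public key encrypts and only the private key can decrypt, so the secret stays with one party; the private-key-first direction in the slide's code is the shape of a signature, where anyone holding the public key can verify but only the owner could have produced it. The sample document strings are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Base64;
import javax.crypto.Cipher;

public class RsaKeyRoles {
    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Confidentiality: anyone with the PUBLIC key can encrypt for the owner...
    static byte[] encryptForOwner(KeyPair kp, String message) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        return c.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    // ...and only the PRIVATE key holder can read it.
    static String decryptAsOwner(KeyPair kp, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        return new String(c.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    // Authenticity: the PRIVATE key signs...
    static byte[] sign(KeyPair kp, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }

    // ...and anyone with the PUBLIC key verifies.
    static boolean verify(KeyPair kp, byte[] data, byte[] signature) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(kp.getPublic());
        s.update(data);
        return s.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = newKeyPair();

        byte[] ct = encryptForOwner(kp, "Secret Message");
        System.out.println("ciphertext: " + Base64.getEncoder().encodeToString(ct));
        System.out.println("plaintext : " + decryptAsOwner(kp, ct));

        byte[] doc = "release v1.2".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp, doc);
        byte[] altered = "release v1.3".getBytes(StandardCharsets.UTF_8);
        System.out.println("signature verifies         : " + verify(kp, doc, sig));      // true
        System.out.println("signature on altered text  : " + verify(kp, altered, sig));  // false
    }
}
```

RSA with OAEP can only encrypt a message shorter than the modulus (190 bytes for 2048-bit keys with SHA-256), so in practice it wraps a random AES key and AES encrypts the actual data.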
158. A larger, combined piece is the Digital Certificate.
159. A Digital Certificate is an X.509 structure that contains verification of the certificate, non-repudiation (proof of receipt), and third-party authentication through a Certificate Authority.
160. The Digital Certificate is the heart of Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) and of Public Key Infrastructure (PKI).
161. PKI is the process of authentication through a trusted party called a Certificate Authority (CA). This could be a third party, or self-signed internally through a domain controller.
162.
163. Again, once a key is stolen, the encrypted text can be compromised, so secure storage of certificates is important.
164.
165. Let's see the cert…… Using the Java keytool utility, we can read the user's keystore file:

```
C:\>keytool -list -v -keystore keystore.jks
```

166. From the keystore we can export a certfile.cer file that we can import into Internet Explorer or pass around in HTTPS:

```
C:\>keytool -export -keystore keystore.jks -alias mydomain -file certfile.cer
Enter keystore password:
Certificate stored in file <certfile.cer>
```

167. Let's print the cert file……

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class PrintCert {
    public static void main(String[] args) throws Exception {
        // Get the cert file
        FileInputStream fin = new FileInputStream("certfile.cer");
        // Get the X509 instance
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        // Get the cert
        X509Certificate cert = (X509Certificate) factory.generateCertificate(fin);
        System.out.println(cert);
    }
}
```
172. Websites can at times be accessed by typing in "admin" / "admin", and auditors try a range of default and well-known logins.
173.
174.
175. The eXtensible Markup Language (XML) defines the interfaces and content of the message.
176.
177.
178. UDDI provides for discovery of services and retrieval of their WSDL descriptions as a directory service. This service may require authentication and encryption of the HTTP protocol.
179. The UDDI will return the WSDL and forward the client to the proxy that contains the service, usually in the form of a URL.
180. The WSDL will define the acceptable interface into the SOA.
181. The client's SOAP call will format the acceptable XML; SOAP acts as an envelope to the SOA.
182. The SOA will accept the call if it meets the WSDL criteria and process the call.
183.
184.
185. These tools were originally part of Sun's Glassfish Metro Project, and more information can be found at https://jax-ws.dev.java.net/ .
186. The wsgen tool generates the JAX-WS portable artifacts used in JAX-WS web services.
187. The tool reads the web service endpoint class and generates all the artifacts required for web service deployment and invocation.
188. Here is an example to generate the wrapper class needed for StockService, annotated with @WebService, inside the stock directory:

```
wsgen -d stock -cp myclasspath stock.StockService
```
195. Apache has an Open Source version of WS-Security called WSS4J, http://ws.apache.org/wss4j/
196.
197. It consists of a Java and a C++ implementation of a SOAP server, and various utilities and APIs for generating and deploying Web Service applications.
198. Some of the tools include a Maven plugin to generate WSDL from Java.
207. The difference when hacking Web Services is that the attacks are transmitted in an XML field, which is similar to HTML, instead of an HTML form field.
208. In other words, the XML must be parsed to enter an attack in the "username" text field in the XML format instead of the "username" GUI form field in HTML.
209.
210. XPath uses path expressions to traverse the nodes of an XML document to look for specific information.
211. XPath injection is similar to SQL injection except that the query strings are slightly different and it uses XML as its attack vector.
212. One example is to pass ' or 1=1 or ' '=' as the username to fool the query into matching a valid username:
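The username above, run against an XPath login query built both the vulnerable way and the hardened way, as an added example that is not from the slides. The user store is a constructed inline XML document, and the query shape (//user[name=... and pw=...]) is an assumption; the fix binds the input as XPath variables through javax.xml.xpath.XPathVariableResolver so it is never part of the query text.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathAuth {
    // Constructed sample user store
    static final String USERS_XML =
        "<users>"
      + "  <user><name>alice</name><pw>s3cret</pw></user>"
      + "  <user><name>bob</name><pw>hunter2</pw></user>"
      + "</users>";

    static Document load() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DTDs: blocks external entity (XXE) tricks in attacker-supplied XML
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(
            new ByteArrayInputStream(USERS_XML.getBytes(StandardCharsets.UTF_8)));
    }

    // VULNERABLE: the credentials are concatenated into the query, so quotes and
    // operators in the input become part of the expression.
    static int matchesUnsafe(String name, String pw) throws Exception {
        String query = "//user[name='" + name + "' and pw='" + pw + "']";
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList hits = (NodeList) xp.evaluate(query, load(), XPathConstants.NODESET);
        return hits.getLength();
    }

    // HARDENED: the expression is fixed; $name and $pw are resolved to the raw strings
    // and compared as values, never parsed as XPath.
    static int matchesSafe(final String name, final String pw) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName v) {
                if ("name".equals(v.getLocalPart())) return name;
                if ("pw".equals(v.getLocalPart()))   return pw;
                return null;
            }
        });
        NodeList hits = (NodeList) xp.evaluate("//user[name=$name and pw=$pw]",
                                               load(), XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        String injectedName = "' or 1=1 or ' '='";   // the slide's example username
        System.out.println("unsafe, injected : " + matchesUnsafe(injectedName, "x")); // 2 (every user)
        System.out.println("safe,   injected : " + matchesSafe(injectedName, "x"));   // 0
        System.out.println("safe,   genuine  : " + matchesSafe("alice", "s3cret"));  // 1
    }
}
```

In the unsafe case the predicate becomes name='' or 1=1 or ' '='' and pw='x'; XPath binds "and" tighter than "or", so the 1=1 term alone makes every user node match.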
228. Knowing the code structure of applications, and also the implications of Web Security, a programmer can write customizable Web routines to test their applications.
229. Many of these Java Web testing frameworks were built on JUnit, the Java Unit Testing Framework.
230.
231.
232. HtmlUnit provides a "getPage()" routine to examine the HTML source code.
233. This allows walking through the "HREF", images, and other pieces of the HTML code before executing on the item.
234. Selenium IDE is another Open Source concept: an Integrated Development Environment running on top of the Firefox browser as a plugin.
235. This allows a recording of the browser actions that can be played back to execute button pushes and actions inside the browser.
236. Assertions can be executed on the HTML pages themselves to check specific information.
244. MVC (model 2 JSP/Servlet)
1) The browser calls the servlet.
2) The servlet instantiates a Java bean that is connected to a database.
3) The servlet communicates with a JSP page.
4) The JSP page communicates with the Java bean.
5) The JSP page responds to the browser.
245.
246. MVC (model 2 Struts)
1) The browser calls the ActionServlet.
2) The servlet instantiates a FormBean that is connected to a database.
3) The servlet communicates with a JSP page.
4) The JSP page communicates with the Java bean.
5) The JSP page responds to the browser.
247. The ActionServlet: the ActionServlet gets its Actions (objects) to perform based on its configuration, thus saving a lot of coding.
248. Benefits of Struts:
- Declarative control that maps the requests between the parts of the MVC.
- Automated request dispatching, using an ActionForward to request a specific ActionServlet.
- Struts can provide DataSource management.
- Struts provides custom tags.
- Struts provides internationalization support.
- Struts provides declarative error handling specific to application code.
- Struts provides a declarative validation mechanism.
- Struts provides a plug-in interface.
254. All ActionForms should extend org.apache.struts.validator.ValidatorForm or org.apache.struts.validator.ValidatorActionForm instead of org.apache.struts.action.ActionForm.
256. The Validator plug-in should be enabled in struts-config.xml:

```xml
<plug-in className="org.apache.struts.validator.ValidatorPlugIn">
  <set-property property="pathnames"
                value="/WEB-INF/validator-rules.xml,/WEB-INF/validator.xml"/>
</plug-in>
```

260. ^ and $ match the positions at the beginning and end of the string, which means the entire string must consist of the specified pattern.
261. * means "matches zero or more occurrences" of the pattern [a-zA-Z].
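Why the anchors matter, as an added example (not from the slides) using java.util.regex directly rather than the Struts mask validator. The three patterns and the sample inputs are constructed for the example; the validator deliberately uses find(), as a scanning check would, so the difference between anchored and unanchored masks is visible.

```java
import java.util.regex.Pattern;

public class MaskValidation {
    // Anchored: the whole value, start to end, must be letters.
    static final Pattern ANCHORED   = Pattern.compile("^[a-zA-Z]*$");
    // Unanchored: finds a run of letters somewhere in the value. Since * allows an empty
    // run, this matches every input, including ones that contain no letters at all.
    static final Pattern UNANCHORED = Pattern.compile("[a-zA-Z]*");
    // Anchored and non-empty: + requires at least one letter, so "" is rejected too.
    static final Pattern REQUIRED   = Pattern.compile("^[a-zA-Z]+$");

    // Allow-list check: true when the value satisfies the mask
    static boolean passes(Pattern mask, String value) {
        return mask.matcher(value).find();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal name, an empty field, a script tag, a name with a quote
        String[] inputs = { "Alice", "", "<script>alert(1)</script>", "O'Brien" };
        System.out.printf("%-28s %-9s %-11s %-9s%n", "input", "anchored", "unanchored", "required");
        for (String in : inputs) {
            System.out.printf("%-28s %-9b %-11b %-9b%n", in,
                    passes(ANCHORED, in), passes(UNANCHORED, in), passes(REQUIRED, in));
        }
        // Alice: true true true | "": true true false | <script...>: false true false | O'Brien: false true false
    }
}
```

The unanchored column is the bug to look for in hand-written validators: the mask appears to work on good input and silently accepts everything else. String.matches() and Matcher.matches() anchor implicitly, but any check built on find() needs ^ and $ in the pattern itself.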
262.
263.
264. JSF allows reusable component objects that map to the tags on the JSP page.
265.
266.
267. JSF Designer Many IDE’s have a JSF Designer that includes Validators like JDeveloper:
268.
269. Data is usually retrieved from the server asynchronously using the XMLHttpRequest (XHR) object.
270. JavaScript (ECMAScript) is used for local processing, and the Document Object Model (DOM) is used to access the data inside the page or to read XML from the server.
271.
272.
273. The browser has to interpret the JavaScript regardless of how it is encoded and decoded. If a browser can read the JavaScript, then the JavaScript can be debugged, monitored and manipulated using a JavaScript reverser to intercept the functions.
274.
275. The XMLHttpRequest will call the "callback" function in the HTML browser to start updating the HTML:
276.
277. The Dojo Toolkit, http://dojotoolkit.org/ , is the Swiss army knife of JavaScript libraries, containing APIs and widgets for web applications.
278. Direct Web Remoting (DWR), https://dwr.dev.java.net/ , uses RPC from the client-side JavaScript to Plain Old Java Objects (POJOs) in a J2EE web container.
279. The Google Web Toolkit (GWT), http://code.google.com/webtoolkit/ , allows a developer to write an Ajax application in pure Java.
280. Oracle Application Development Framework (ADF) Faces is a rich client framework with more than 150 JSF components with built-in Ajax capabilities. http://www.oracle.com/technetwork/developer-tools/adf/overview/index.html
281. ADF Task Flow Designer: JDeveloper has an ADF Task Flow Designer to assist in its ADF View Flow:
282.
283. Flex uses MXML, the Macromedia XML, as a declarative layout of the interfaces, which is compiled into the SWF file that is deployed.
284. To extend the MXML, Flex uses a language called ActionScript, which is similar to Java. ActionScript can be called from the MXML file using the <mx:Script> tag.
289. Hibernate can now be added as a pure Java object-relational mapping (ORM) and persistence framework that allows you to map plain old Java, or .NET, objects to relational database tables using XML configuration files.
290. Its purpose is to relieve the developer of a significant amount of relational data persistence programming.
291. The main advantage of Hibernate is that it maps database entities to objects and hides the details of data access from the business logic.
292.
293.
294. This validator will not only validate the values but can also validate the size of the data before it is persisted.
295. Sample validator annotations:

```java
public class Car {
    @NotNull
    private String manufacturer;      // cannot be null

    @NotNull
    @Size(min = 2, max = 14)
    @CheckCase(CaseMode.UPPER)        // custom constraint: must be upper case
    private String licensePlate;      // must be upper case, between 2 and 14 chars
}
```
296.
297. The Spring framework is an Open Source framework that introduces AOP by managing, or taking care of the plumbing of, the business objects. http://www.springsource.com/
298. Spring introduces the concept of Inversion of Control (IoC), which simply means that instead of having the application call the framework, the framework calls the components defined by the application.
299. I like to think of IoC as collecting the application pieces in modular blocks. The IoC knows how to manage the blocks when it needs to deal with them correctly.
300.
301. Here is an example where a user must be logged in and validated before being allowed to change a password:

```java
public interface IUserService {
    @PreAuthorize("hasRole('ROLE_USER')")
    public void changePassword(String username, String password);
}
```

Otherwise:
302.
304.
305. The Seam framework is a bijection framework that bridges the gap between Java Server Faces (JSF) and the Java Persistence API (JPA) of EJB 3.
309. The WAF takes configurations, like a normal firewall, on what traffic to pass and reject. The difference is that it responds specifically to an HTTP server like Apache or IIS.
310. For Apache, the most popular approach is to use its Open Source plugin called mod_security.
311. For IIS, WebKnight from AQTronix, http://aqtronix.com/?PageID=99 , is the most popular Open Source solution.
312.
313. To understand WAFs is to understand validation filtering as traffic approaches the Web site. WAFs are similar to the J2EE filter Stinger, http://www.owasp.org/index.php/Category:OWASP_Stinger_Project
314. Depending on their configuration, they will deny, or log, traffic from the Internet that fails validation before it reaches the Application.
322. Note: Tomcat can also use Microsoft's IIS instead of Apache, utilizing the Microsoft ISAPI plugin.
323. The easiest way to install the mod_jk connector is to have Tomcat generate "conf/auto/mod_jk.conf" from its Container and have Apache reference it from its "conf/httpd.conf" file:
342. It provides installation instructions as well as the configuration to install in httpd.conf:

```apache
<IfModule security2_module>
    Include conf/modsecurity_crs/*.conf
    Include conf/modsecurity_crs/base_rules/*.conf
</IfModule>
```
343.
344.
345.
346. Mod_evasive will limit the number of hits from the same client to the same URL and block the client for ten seconds once the thresholds are exceeded. This is based on the following configuration (Apache does not allow comments at the end of a directive line, so the explanations are on their own lines):

```apache
<IfModule mod_evasive20.c>
    # Size of memory for hashing
    DOSHashTableSize    3097
    # Number of requests to the same page
    DOSPageCount        2
    # Blacklist after 50 times
    DOSSiteCount        50
    # 1 second interval for the page
    DOSPageInterval     1
    # 1 second interval for the site
    DOSSiteInterval     1
    # Number of seconds to block
    DOSBlockingPeriod   10
</IfModule>
```
347.
348. Installing a WAF is quicker, in most cases, than changing code and re-deploying a Web Application.
349. WAFs may find issues, by using their rule sets, that the code may not be prepared to find, because WAFs have thousands of rules generated by industry experts.
351. WAFs are limited by the rules installed in them. Therefore, if the rule is not there, the WAF cannot protect against the attack.
352.
353. Encrypt the tunnel: simply using SSLv3 and the point-to-point VPN tunneling that comes with servers and firewalls can alleviate many encryption issues.
354. Use only common encryption algorithms that come with Java and have been tested by thousands of users, like AES.
355. Use common libraries, open source if possible, that can be reviewed for concerns.
356. Test as much as possible for abnormal cases, and automate the testing as much as possible so that it can be done again and again.
357.
358.
359. Feel free to contact me at rich.helton@state.co.us
370. Java must be able to run from the local Browser.
371.
372.
373.
374.
375. OpenSSH can be found at http://www.openssh.com/ .
376.
377.
378.
379.
380. If Java is configured correctly, JFtp will run in a Java Console that works like the "Web Start" version.
381.
382.
383. Unzip the source, cd to j-ftp and ensure that the build.xml file is present:
384.
385.
386.
387.
388. Eclipse is also one of the most popular Java editors, found at http://www.eclipse.org/ . More information can be found at http://en.wikipedia.org/wiki/Eclipse_ide .