2013 06-27-securecoding-en - jug pch

  • 1,932 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,932
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
28
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Secure  Coding  for  Java  (an  introduc3on) Java  User  Group  Poitou-­‐Charentes  (Niort) 27  Juin  2013 Sébas3en  Gioria Sebas0en.Gioria@owasp.org Chapter  Leader  OWASP  France Friday, June 28, 13
  • 2. http://www.google.fr/#q=sebastien gioria ‣OWASP France Leader & Founder & Evangelist ‣Innovation & Technology @ Advens Twitter :@SPoint / @OWASP_France 2 ‣Application Security group leader for the CLUSIF ‣Proud father of youngs kids trying to hack my digital life. Ne  vous  inquietez  pas  c’est  le  seul  slide  en  anglais,  par  contre  il  y  aura  des  trucs  d’écrits  partout  en  bas... Friday, June 28, 13
  • 3. ForeWords • This  is  a  presenta,on  made  from  my  own   experience  with  some  company  using   OWASP  materials. • Only  the  documents  from  OWASP  wiki  are   OWASP  officials  (see  hEps://www.owasp.org) • Some  extracts  come  from  document  I  wrote   as  OWASP  leader,  this  is  why  you  could  find  it   elsewhere. 5 Friday, June 28, 13
  • 4. • Applica,on  Security  : –where  we  are  (no  bullshit) –where  we  are  (hopefully)   going  ? • Using  OWASP  materials  to   secure  code • Secure  Coding  principles Agenda Friday, June 28, 13
  • 5. Introduc3on 5 Friday, June 28, 13
  • 6. Why  Applica0on  Security  ? 6 Friday, June 28, 13
  • 7. Why  Applica0on  Security  ? 6 Your Application been Hacked Friday, June 28, 13
  • 8. Why  Applica0on  Security  ? 6 Your Application been Hacked YES Friday, June 28, 13
  • 9. Why  Applica0on  Security  ? 6 Your Application been Hacked NO YES Friday, June 28, 13
  • 10. Why  Applica0on  Security  ? 6 Your Application will be Hacked ;) Your Application been Hacked NO YES Friday, June 28, 13
  • 11. Why  Applica0on  Security  ? 6 Your Application will be Hacked ;) Your Application been Hacked YES NO YES Friday, June 28, 13
  • 12. Why  Applica0on  Security  ? 6 Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
  • 13. Why  Applica0on  Security  ? 6 Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
  • 14. Why  Applica0on  Security  ? 6 My Application will be hacked ! Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
  • 15. Why  Applica0on  Security  ? 6 My Application will be hacked ! Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Next Step Friday, June 28, 13
  • 16. We  are  living  in  a  Digital  environment,  in  a  Connected  World vMost  of  websites  vulnerable  to  aTacks vImportant   %  of  web-­‐based   Business  (Services,  Online   Store,  Self-­‐care,  Telcos,   SCADA,  ...) Why  Applica0on  Security  ?   Age  of  An0virus Age  of   Network  Security Age  of   Applica0on  Security 7 Friday, June 28, 13
  • 17. Consequences  of  bad  or  no  security –IdenPty  theQ –Hardware  theQ –IT  downPme   –Bad  Media  coverage –Financials  loss –Customers  loss –Legals/business  penalty   8 Friday, June 28, 13
  • 18. What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 19. What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 20. What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 21. What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 22. What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 23. What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 24. What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 25. ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 26. ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 27. ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 28. ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 29. ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 30. ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 31. Verizon  study   11 ©  Verizon  2012 Friday, June 28, 13
  • 32. Verizon  study   11 ©  Verizon  2012 Friday, June 28, 13
  • 33. 12 (c)  WhiteHatSecurity  2013 Friday, June 28, 13
  • 34. 12 (c)  WhiteHatSecurity  2013 Friday, June 28, 13
  • 35. 12 (c)  WhiteHatSecurity  2013 Friday, June 28, 13
  • 36. 12 (c)  WhiteHatSecurity  2013 Friday, June 28, 13
  • 37. What  you  CIO  Said  :  I  got  a  Firewall  !   27 Friday, June 28, 13
  • 38. What  your  business  user  said  :  I   have  SSL  based  Web  Site 28 Friday, June 28, 13
  • 39. What  your  business  user  said  :  only  the   hacker  can  aMack  my  website • Tools  are  more  and   more  simples. • Try  a  simple  request   on  google  website  on   SQL  InjecPon  and   look  at  it. • An  aEack  on  a  Web   Server  cost  100$/ 200$  per  day  on  the   underground  market. 29 Friday, June 28, 13
  • 40. What  your  user  said  :  a  vulnerability  on   internal  ApplicaPon  is  not  criPcal. • No,  The  web  is  anywhere,  and  CSRF,  HTML5  CORS   and  more  can  make  this  complete  destrucPve • Be  aware  and  share  this  :   • AJAX  doing  a  lot  of  things  without  you • Be  aware  and  share  this  :   •  HTML5  will  come  with  “nice”  user  funcPonality  ,  but  with   big  impact  on  security  (WebSocket,  CORS,  ...) 30 Friday, June 28, 13
  • 41. But  I  do  Security  tesPng  !   17 Security  Tes3ng Coding Friday, June 28, 13
  • 42. Majors OWASP publications you can use All are on the wiki https://www.owasp.org All are under GPL or friendly licenses Majors publications you can use to secure your projects/SDLC Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR) Top10 reference this 3 guides Ø OWASP Top10 Ø Auditor/Testing Guide Ø Code Review Guide Ø Building Guide Ø Application Security Verification Standard (ASVS) Ø Secure Coding Practices 12 Friday, June 28, 13
  • 43. Friday, June 28, 13
  • 44. Learn Friday, June 28, 13
  • 45. Learn Friday, June 28, 13
  • 46. Learn Contract Friday, June 28, 13
  • 47. Learn Contract Friday, June 28, 13
  • 48. Learn Contract Design Friday, June 28, 13
  • 49. Learn Contract Design Friday, June 28, 13
  • 50. Learn Contract Design Build Friday, June 28, 13
  • 51. Learn Contract Design Build Friday, June 28, 13
  • 52. Learn Contract Test Design Build Friday, June 28, 13
  • 53. Learn Contract Test Design Build Friday, June 28, 13
  • 54. Learn Contract Test Design Build Progress Friday, June 28, 13
  • 55. Learn Contract Test Design Build Progress Friday, June 28, 13
  • 56. OWASP  Applica,on  Security  Verifica,on  Standard 20 Friday, June 28, 13
  • 57. What  is  ASVS  ? • A  standard  that  provides  a  basis  for  the   verificaPon  of  web  applicaPons  applicaPon-­‐ independent. • A  standard  life-­‐cycle  model  independent. • A  standard  that  define  requirements  that  can  be   applied  across  applicaPons  without  special   interpretaPon. 43 Friday, June 28, 13
  • 58. What  are  ASVS  responses  ? • How  much  trust  can  be  placed  in  a  web   applicaPon? • What  features  should  be  built  into  security   controls? • How  do  I  acquire  a  web  applicaPon  that  is   verified  to  have  a  certain  range  in  coverage   and  level  of  rigor? Friday, June 28, 13
  • 59. ASVS  secure  controls   requirements Security Area Level 1A Level 1B Level 2A Level 2B Level 3 Level 4 V1 – Security Architecture Verification Requirements 1 1 2 2 4 5 V2 – Authentication Verification Requirements 3 2 9 13 13 14 V3 – Session Management Verification Requirements 4 1 6 7 8 9 V4 – Access Control Verification Requirements 5 1 12 13 14 15 V5 – Input Validation Verification Requirements 3 1 5 7 8 9 V6 – Output Encoding/Escaping Verification Requirements 0 1 2 8 9 10 V7 – Cryptography Verification Requirements 0 0 2 8 9 10 V8 – Error Handling and Logging Verification Requirements 1 1 2 8 8 9 V9 – Data Protection Verification Requirements 1 1 2 3 4 4 V10 – Communication Security Verification Requirements 1 0 3 6 8 8 V11 – HTTP Security Verification Requirements 3 3 6 6 7 7 V12 – Security Configuration Verification Requirements 0 0 0 2 3 4 V13 – Malicious Code Search Verification Requirements 0 0 0 0 0 5 V14 – Internal Security Verification Requirements 0 0 0 0 1 3 Totals 22 12 51 83 96 112 23 Friday, June 28, 13
  • 60. But  ASVS  stand  for  VerificaPon  ? • ASVS  just  said  funcPonals  needs  for  controls.   • You  should  use  it  as  a  Secure  Coding  Policy. ★Don’t  be  medium(ASVS  Level1/2),  just   target  excellence  (ASVS  Level  4) 24 Friday, June 28, 13
  • 61. Using  ASVS  as  a  secure  coding   policy • ASVS  :  Verify  that  all  password  fields  do  not   echo  the  user’s  password  when  it  is  entered. ➡All  Password  fields  must  be  define  as  HTML   password  fields  and  must  not  echo  user  password.   ➡All  login  forms  must  include  autocomplete=off  tag   • ASVS  :  Verify  that  all  input  validaPon  is   performed  on  the  server  side.   ➡Performs  all  input  valida,on  on  the  server.   Nothing  in  the  browser 25 Friday, June 28, 13
  • 62. Posi,ve  aatude Nega0ve The  tester  shall  search  for  XSS  holes Posi0ve Verify  that  the  applica0on  performs  input  valida0on  and  output  encoding  on   all  user  input See:  hTp://www.owasp.org/index.php/ XSS_(Cross_Site_Scrip0ng)_Preven0on_Cheat_Sheet 56 Friday, June 28, 13
  • 63. OWASP  Secure  Coding  Prac3ces 27 Friday, June 28, 13
  • 64. OWASP  Secure  Coding  PracPces • Small  document  (only  9  pages) • Could  be  use  as  an  simple  checklist  for  your   policy. • Could  be  use  together  with  ASVS  or  alone. • More  technical  and  deeper  approach  than   ASVS  . • Wrote  and  use  by  Boeing  :) 28 Friday, June 28, 13
  • 65. Secure  Coding  PracPces  Contents • Input  ValidaPon • Output  Encoding • AuthenPcaPon  and   Password  Management • Session  Management • Access  Control • Cryptographic  PracPces • Error  Handling  and  Logging • Data  ProtecPon • CommunicaPon  Security • System  ConfiguraPon • Database  Security • File  Management • Memory  Management • General  Coding  PracPces 29 Friday, June 28, 13
  • 66. Now  the  torture  room 30 Friday, June 28, 13
  • 67. (extracts  from  OWASP  Secure  Coding   Prac0ces/OWASP  CheatSheets  OWASP   ASVS,  ...) Let  talk  Secure  Coding  now 31 Friday, June 28, 13
  • 68. Some  secures  principles  to  follow 32 •Deep  defense  of  applica,on  is  mandatory   • Following  less  privileges  is  the  best  soluPon • Segregate  duty  more  that  user  think ➡Remember  that  applica,on  need  to  answer   user  needs  and  not  security  pleasure. Friday, June 28, 13
  • 69. Deep  defense  of  a  Web  Applica0on  (example) 70 Fi re w all Applica0onWeb  Apps SGBDApp ServerWeb Server Browser User auth Input Validation Secure configuration Good crash mecanisms • Critical data transport protection • Preventing session and ID theft Critical data protections Logs/Audit of transactions Authorisation and authentication Authorisation and authentication Critical data protectionsPreventing parameters thefts Friday, June 28, 13
  • 70. Fail  securely • Don’t  give  user  technical  details  of  the  error/crash. • Clean  state  or  use  objects  in  catch  clause 34 Friday, June 28, 13
  • 71. Fail  securely • Don’t  give  user  technical  details  of  the  error/crash. • Clean  state  or  use  objects  in  catch  clause 34 Friday, June 28, 13
  • 72. Don’t  try  to  make  obscure  things 72 Friday, June 28, 13
  • 73. Don’t  try  to  make  obscure  things 72 GEOPORTAIL Friday, June 28, 13
  • 74. Don’t  try  to  make  obscure  things 72 Friday, June 28, 13
  • 75. Don’t  try  to  make  obscure  things 72 GOOGLE MAPS Friday, June 28, 13
  • 76. • ObfuscaPon  is  not  the  soluPon • There  is  someone  in  the  matrix  who  will  send  you   evil  data • Be  evil  !   • Protect  area  with  filter  is  the  best  soluPon 36 Friday, June 28, 13
  • 77. Controls • Controls  need  : –to  be  simple –to  be  used  correctly –funcPonal –present  in  every  part  of  the  applicaPon 74 Bad understanding of a control result of unused it by developers and application will be vulnerable. Friday, June 28, 13
  • 78. Minimals  controls  to  have • You  must  have  at  least  this  components  in   your  applicaPon  :   –AuthenPcaPon –AuthorizaPon –Logging  and  audit –Secure  Storage –Secure  transport –Secure  input  and  output  manipulaPon  of  data 75 Friday, June 28, 13
  • 79. Authen3ca3on 39 Friday, June 28, 13
  • 80. Implement  good  passwd  strategy • Password  length -­‐ Categorize  applicaPons  :   • Important  :  at  least  6  characters • Cri0cal  :  at  least  8  characters  and  perhaps  mul0-­‐factors   authen0ca0on • High  Cri0cal  :  at  least  14  characters  and  mul0-­‐factors   authen0ca0on • Password  strength -­‐ Implement  passwd  complexity  with  previous  categories • at  least  :  1  upper,  1  lower,  1  digit,  1  special • don’t  allow  dic0onnary  passwd • don’t  allow  con0nuous  characters 40 Friday, June 28, 13
  • 81. Implement  good  passwd  strategy •Let  the  user  choose  it •Force  the  user  to  change  it  regulary,  and  add  no   reuse  capability. •Don’t  allow  too  much  “I  forgot  my  passwd” •Don’t  allow  change  of  passwd  without  user   approval;  require  actual  passwd  from  the  user  and   more  for  high  cri0cal. •Add  sleep  strategy  ! •Add  detec3on  of  misuse  strategy  ! •Don’t  store  passwd  in  clear  !!!!!  use  hash  ! 41 Friday, June 28, 13
  • 82. MulP-­‐Factor  authenPcaPon •Passwds  are  bad •Passwds  are  guessable •MulP-­‐factor  combine:   –something  you  have  (token,  mobile,  ...) –something  you  know  (details  about  you,  passwd,  ...) –somePme,  something  you  are  (biometrics) –Use  it  for  high  criPcal  applicaPons. 42 Friday, June 28, 13
  • 83. Implement  good  global  strategy • Ask  second  authenPcaPon  for  criPcal   transacPons  (with  mulP-­‐factor  auth...) • Force  authenPcaPon  to  be  in  TLS/SSL • Regenerate  Session  ID  aQer  authenPcaPon • Force  Session  ID  to  be  “secure” • LimiPng  forgoEen  passwd,change  of  login/ passwd     43 Friday, June 28, 13
  • 84. How  to  do  ?   • Authen0cate  all  pages  but  not  public  pages  (login,   logout,  help,  ....) • Don’t  allow  more  than  one  authen0ca0on   mecanism • Authen3cate  on  the  SERVER • Simply  send  back  “user  or  passwd  mismatch”  and     nothing  else  aker  a  failed  authen0ca0on. • Logged  all  failed  and  all  correct  authen0ca0on • Aker  each  authen0ca0on  give  the  user  the  last   status  of  his  authen0ca0on.   44 Friday, June 28, 13
  • 85. • Good  Regex  for  a  passwd  complexity  :   • Good  Storage  of    password  with  SALT 45 (?=^.{8,30}$)(?=.*d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$ import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); } Friday, June 28, 13
  • 86. Session  Management 46 Friday, June 28, 13
  • 87. Session   • Use  Default  Java  Framework  Generator • Use  other  name  than  the  default  name  of  the   Framework  (rename  JSESSIONID...) • Force  transport  of  ID  authenPcaPon  on  SSL/TLS. • Don’t  allow  Session  ID  in  URL  ! • If  using  cookie  :   – Secure  Cookie – HTTPOnly  Cookie   – LimiPng  path  +  domain – Max  Age  and  expiraPon 47 Friday, June 28, 13
  • 88. Session  tricky • AutomaPc  expiraPon –categorize  applicaPons  : • default  :  1  hour • cri0cal  (some  transac0on)  :  20mns • high  cri0cal  (financials  or  account  impact)  :  5mns   • Renew  Session  ID  aQer  any  privilege  change • Don’t  allow  simultaneous  logon   • Add  Session  AEack  DetecPon • add  in-­‐session  0ps  :  ip  of  session,  other  random  number,  ... 48 Friday, June 28, 13
  • 89. Browser  defenses • Bind  JavaScript  events  to  close  session   –on  window.close() –on  window.stop() –on  window.blur() –on  window.home() • Use  Javascripts  Pmer  to  automaPc  close  session   in  high  criPcal  applicaPons • Disable  WebBrowser  Cross-­‐tab  Session  if   possible...(bad  user  experiences....) –If  you  use  cookie,  this  is  not  possible    !!!! 49 Friday, June 28, 13
  • 90. 50 <session-­‐config>    <cookie-­‐config>        <http-­‐only>true</http-­‐only>        <secure>true</secure>    </cookie-­‐config> </session-­‐config> Using  Servlet  3.0  ? Friday, June 28, 13
  • 91.  Access  Controls 107 Friday, June 28, 13
  • 92. Remember Friday, June 28, 13
  • 93. Remember (1)Without  access  control,  you  can’t  control   the  user  in  your  applica,on Friday, June 28, 13
  • 94. Remember (1)Without  access  control,  you  can’t  control   the  user  in  your  applica,on (2)All  client  inputs  are  EVIL Friday, June 28, 13
  • 95. Authen0ca0on  &  Authoriza0on • Two  Levels  of  authenPcaPon  and  authorizaPon   are  needed –In  the  ApplicaPon –In  infrastructure Table  A Table  B Connexion Table A + duty A Role  A Role  B SGBDApp Server Connexion Table B + Duty B Friday, June 28, 13
  • 96. AuthorizaPon • Have  in  mind  the  rule  :   –Nothing    by  default • Centralize  all  authorizaPon  code  on  the  SERVER • If  client  state  are  mandatory,  use  encrypPon  and   integrity  checking  on  the  server  side  to  catch   state  tampering.   • Limit  number  of  transacPons  per  user  at  a  interval   Pme. 54 Friday, June 28, 13
  • 97. AuthorizaPon • Enforce  : – protec0on  of  URL  to  authorized  account  only – protec0on  of  func0on  to  authorized  account  only – protec0on  of  file  access  to  authorized  account  only • Applica0on  need  to  terminate  session  when  authoriza0on   failed. • Split  administra0ve  and  user  authoriza0on • Enforce  dormant  account  : – loss  privileges. – “disable  account” – alerts 55 Friday, June 28, 13
  • 98. Valida3on  of  Data 56 Friday, June 28, 13
  • 99. Input  ValidaPon • Ensure  all  data  validaPon  are  done  on  THE  SERVER. –If  you  do  something  on  client  side  we  can  said  you  do   “painPng” • Classify  your  data  : –Trusted  Data   –Untrusted  Data • Conduct  trusted  path. • Centralize  your  data  validaPon • Use  correct  parametrize  query  when  exists  (SQL) 57 Friday, June 28, 13
  • 100. Border  validaPon • Consider  validaPng  data  along  all  the  entry  points   of  your  ApplicaPon  border 58 Friday, June 28, 13
  • 101. Input  ValidaPon • Use  proper  characters  set  for  all  input • Encode  all  data  to  the  same  character  set  before   doing  anything  <=>Canonicalize • Reject  all  not  validated  datas • Validate  data    : –expected  type  (convert  as  soon  as  possible  to  Java  Types) –expected  range –expected  length –expected  values –expected  “white  list”  if  possible 59 Friday, June 28, 13
  • 102. Input  ValidaPon • Be  careful  of  using  “hazardous”  characters  (ex:  <>’,”! (+)&  %.) • Add  specific  validaPon  : –check  for  null  bytes  (%00) –check  for  new  lines  (%0D,  %0A,  n,  r,  ...) –check  for  dot-­‐dot-­‐slashes  (../)   60 Friday, June 28, 13
  • 103. Be  careful  of  encoding  for  specific   valida0on... URL %3c%73%63%72%69%70%74%3e%61%6c %65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e %0a HTML &#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x7 2;&#x74;&#x28;&#x58;&#x53;&#x53;&#x29;&#x3b;&#x3c;&#x2f;&#x73;&#x63;&#x 72;&#x69;&#x70;&#x74;&#x3e;&#x0a; UTF-8 %u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c %uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c %u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003 One space ? < s c r i p t > a l e r t ( X S S ) ; < / s c r i p t > <script>alert(XSS);</script> Friday, June 28, 13
  • 104. Validate  Datas 124 Friday, June 28, 13
  • 105. SQL  =>  bad 125 Friday, June 28, 13
  • 106. SQL  =>  bad 125 Friday, June 28, 13
  • 107. SQL  =>  bad 125 Friday, June 28, 13
  • 108. SQL  =>  a  liEle  bit  beEer 126 Friday, June 28, 13
  • 109. List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 Friday, June 28, 13
  • 110. List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 Friday, June 28, 13
  • 111. List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 /*  positional  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  ?1"); List  results  =  jpqlQuery.setParameter(1,  "123-­‐ADB-­‐567-­‐QTWYTFDL").getResultList(); Friday, June 28, 13
  • 112. List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 /*  positional  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  ?1"); List  results  =  jpqlQuery.setParameter(1,  "123-­‐ADB-­‐567-­‐QTWYTFDL").getResultList(); /*  named  query  in  JPQL  -­‐  Query  named  "myCart"  being  "Select  c  from  Cart  c  where  c.itemId  =  :itemId"  */ Query  jpqlQuery  =  entityManager.createNamedQuery("myCart"); List  results  =  jpqlQuery.setParameter("itemId",  "item-­‐id-­‐0001").getResultList(); Friday, June 28, 13
  • 113. List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 /*  positional  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  ?1"); List  results  =  jpqlQuery.setParameter(1,  "123-­‐ADB-­‐567-­‐QTWYTFDL").getResultList(); /*  named  query  in  JPQL  -­‐  Query  named  "myCart"  being  "Select  c  from  Cart  c  where  c.itemId  =  :itemId"  */ Query  jpqlQuery  =  entityManager.createNamedQuery("myCart"); List  results  =  jpqlQuery.setParameter("itemId",  "item-­‐id-­‐0001").getResultList(); /*  named  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  emp  from  Employees  emp  where  emp.incentive  >  :incentive"); List  results  =  jpqlQuery.setParameter("incentive",  new  Long(10000)).getResultList(); Friday, June 28, 13
  • 114. List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 /*  positional  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  ?1"); List  results  =  jpqlQuery.setParameter(1,  "123-­‐ADB-­‐567-­‐QTWYTFDL").getResultList(); /*  Native  SQL  */ Query  sqlQuery  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  ?",  Book.class); List  results  =  sqlQuery.setParameter(1,  "Charles  Dickens").getResultList(); /*  named  query  in  JPQL  -­‐  Query  named  "myCart"  being  "Select  c  from  Cart  c  where  c.itemId  =  :itemId"  */ Query  jpqlQuery  =  entityManager.createNamedQuery("myCart"); List  results  =  jpqlQuery.setParameter("itemId",  "item-­‐id-­‐0001").getResultList(); /*  named  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  emp  from  Employees  emp  where  emp.incentive  >  :incentive"); List  results  =  jpqlQuery.setParameter("incentive",  new  Long(10000)).getResultList(); Friday, June 28, 13
  • 115. XML  =>  bad 127 Friday, June 28, 13
  • 116. XML  =>  bad 127 Friday, June 28, 13
  • 117. XML  =>  ValidaPng  via  regexp/white   list 128 Friday, June 28, 13
  • 118. BeEer,  a  XML  schema <xs:schema  xmlns:xs="hTp://www.w3.org/2001/XMLSchema">   <xs:element  name="item">     <xs:complexType>       <xs:sequence>         <xs:element  name="descrip0on"  type="xs:string"/>         <xs:element  name="price"  type="xs:decimal"/>         <xs:element  name="quan0ty"  type="xs:integer"/>       </xs:sequence>     </xs:complexType>  </xs:element>   </xs:schema>   Friday, June 28, 13
  • 119. XML  =>  XML  Parser  validaPon Friday, June 28, 13
  • 120. LDAP  =>  bad 131 Friday, June 28, 13
  • 121. LDAP  =>  bad 131 Friday, June 28, 13
  • 122. LDAP  =>  beEer 132 Friday, June 28, 13
  • 123. Using  OWASP  ESAPI 72 Friday, June 28, 13
  • 124. Output  Encoding 73 Friday, June 28, 13
  • 125. Output  encoding • It’s  a  Defense  in  depth  mechanism • Encode  ON  THE  SERVER • Centralize  the  encoder  funcPons • SaniPze  all  data  send  to  the  client   –HTMLEncode  is  a  minimum  but  did  not  work  on  all   cases 74 Friday, June 28, 13
  • 126. Essai  1  =>  bad 137 Friday, June 28, 13
  • 127. Essai  1  =>  bad 137 Friday, June 28, 13
  • 128. Essai  2  =>  it’s  bad,  but  beTer  than   nothing 138 Friday, June 28, 13
  • 129. Essai  2  =>  it’s  bad,  but  beTer  than   nothing 138 Friday, June 28, 13
  • 130. A  good  soluPon  with  a  robust   SaniPzer  :) 139 Friday, June 28, 13
  • 131. Error  Logging 78 Friday, June 28, 13
  • 132. Error  Handling Your  Applica3on  will  crash  ! • Catch  all  excep0ons  without  excep0on  (remember  the  null  pointer   excep0on  !) – Clean  all  excep0on  code  of  sensi0ve  datas – Don’t  give  user  any  details  about  crash,  just  said  “It’s  a  crash,  try  again  later” • Logs  are  sensi0ve,  you  MUST  PROTECT  THEM • Log  :   – input  valida0on  failures – authen0ca0on  request;  especially  failures – access  control  failures – systems  excep0ons – administra0ve  func0onality – crypto  failures – invalid/expired  session  token  access 79 Friday, June 28, 13
  • 133. Logging/Errors • Split  your  logs  with  categories,  examples  :   –Access –Error –Debug –Audit • Use  log4j  for  standard  logging 80 Friday, June 28, 13
  • 134. Log4J  Example 81 import com.sec.dev; // Import log4j classes. import org.apache.log4j.Logger; import org.apache.log4j.BasicConfigurator; public class SecLogger { // Define a static logger variable so that it references the // Logger instance named "MyApp". static Logger logger = Logger.getLogger(MyApp.class); public static void main(String[] args) { // Set up a simple configuration that logs on the console. BasicConfigurator.configure(); logger.setLevel(Level.DEBUG); // optional if log4j.properties file not used // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL logger.info("Entering application."); Bar bar = new Bar(); bar.doIt(); logger.info("Exiting application."); } } Friday, June 28, 13
  • 135. Bad  handling  of  ExcepPon 144 Friday, June 28, 13
  • 136. Bad  handling  of  ExcepPon 144 Friday, June 28, 13
  • 137. Good  Housecleaning 83 try { SensitiveData sensitiveData = new SensitiveData (“4242424242424242”); out = new PrintWriter(new FileWriter("OutFile.txt")); //Do Stuff…. } catch (IOException e) { if ( sensitiveData != null ) { sensitiveData.set(“0000000000000000”); } logger.log ("IO exception ", e.getMessage()); } catch (Exception e) { if ( sensitiveData != null ) { sensitiveData.set(“0000000000000000”); } logger.log ("Error occurred!”, e.getMessage()); } finally { if ( sensitiveData != null ) { sensitiveData.set(“0000000000000000”); } if (out != null) { out.close(); // RELEASE RESOURCES } } Friday, June 28, 13
  • 138. BeEer  handling  of  excepPon  and   error 145 <error-­‐page>      <excepPon-­‐type>java.lang.Throwable</ excepPon-­‐type>      <locaPon>/error.jsp</locaPon>  </error-­‐page> Friday, June 28, 13
  • 139. Data  Protec3on 85 Friday, June 28, 13
  • 140. Data  protecPon • Protect  sensiPve  datas,    don’t  store  them  in  clear. • Store  sensiPve  datas  in  trusted  systems • Don’t  use  GET  request  for  sensiPve  data. • Disable  client  site  caching 86 Friday, June 28, 13
  • 141. Disable  Client  Side  caching 87 import  javax.servlet.*; import  javax.servlet.http.HttpServletResponse; import  java.io.IOException; import  java.util.Date; public  class  CacheControlFilter  implements  Filter  {        public  void  doFilter(ServletRequest  request,  ServletResponse  response,                                                  FilterChain  chain)  throws  IOException,  ServletException  {                HttpServletResponse  resp  =  (HttpServletResponse)  response;                resp.setHeader("Expires",  "Tue,  03  Jul  2001  06:00:00  GMT");                resp.setHeader("Last-­‐Modified",  new  Date().toString());                resp.setHeader("Cache-­‐Control",  "no-­‐store,  no-­‐cache,  must-­‐revalidate,  max-­‐age=0,  post-­‐check=0,  pre-­‐check=0");                resp.setHeader("Pragma",  "no-­‐cache");                chain.doFilter(request,  response);        } } <filter>        <filter-­‐name>SetCacheControl</filter-­‐name>        <filter-­‐class>com.sec.dev.cacheControlFilter</filter-­‐class> </filter>                                               <filter-­‐mapping>        <filter-­‐name>SetCacheControl</filter-­‐name> <url-­‐pattern>/*</url-­‐pattern> </filter-­‐mapping> web.xml Friday, June 28, 13
  • 142. Access  to  FileSystem 88 Friday, June 28, 13
  • 143. Absolute  Path  is  bad 151 Friday, June 28, 13
  • 144. Absolute  Path  is  bad 151 Friday, June 28, 13
  • 145. Absolute  Path  is  bad 151 Friday, June 28, 13
  • 146. Canonicalisa,on  is  good 90 Friday, June 28, 13
  • 147. Secure  Communica3ons 91 Friday, June 28, 13
  • 148. Secure  CommunicaPons • Use  TLS/SSL  : –at  least  SSL  v3.0/TLS  1.0 –minimum  of  128bits  encrypPon –use  secure  crypto  :  AES  is  good • Don’t  expose  criPcal  data  in  the  URL • Failed  SSL/TLS  communicaPons  should  not  fall   back  to  insecure • Validate  cerPficate  when  used • Protect  all  page,  not  just  logon  page  ! 92 Friday, June 28, 13
  • 149. Force  TLS/SSL  Response • Use  HTTP  Strict  Transport  Security  (HSTS). –Available  on  some  browsers  (not  IE) –draQ  IETF  :  hEp://tools.iew.org/html/draQ-­‐iew-­‐websec-­‐ strict-­‐transport-­‐sec-­‐04 93 HttpServletResponse  ...; response.setHeader("Strict-­‐Transport-­‐Security",  "max-­‐age=7776000;   includeSubdomains"); Friday, June 28, 13
  • 150. ConfiguraPon 94 • Review  all  properPes,  configuraPon  files • Be  careful  of  default  passwords... • Remove,  and  not  just  de-­‐acPvate,  unused   funcPons/modules • Use  sandbox  system  when  available  : Be  careful  of  Java  Signed  code  who   execute  with  more  privileges  ! Friday, June 28, 13
  • 151. Now  you  can  protect  against  him 95 Friday, June 28, 13
  • 152.  NEWS A  BLOG A  PODCAST MEMBERSHIPS MAILING  LISTS A  NEWSLETTER APPLE  APP  STORE VIDEO  TUTORIALS TRAINING  SESSIONS SOCIAL  NETWORKING 96 On  est  aussi  des  humains,  et  on  peut  boire  un  coup  tout  simplement Friday, June 28, 13
  • 153. Dates • AppSec  Research  Europe  2013  :  20/23  Aout  –   Hambourg  –  Allemagne • Octobre  2013  :  OSSIR  PARIS –OWASP  Top10  2013;  quoi  de  neuf  ? •  OWASP  Benelux  :  28/29  Novembre  2013 97 Un  tour  des  JUG  est  prévu  en  France,  si  vous  en  connaissez  un  dans  le  coin... Friday, June 28, 13
  • 154. Soutenir  l’OWASP • Différentes  soluPons  :   –Membre  Individuel  :  50  $ –Membre  Entreprise  :  5000  $ –DonaPon  Libre • Soutenir  uniquement    le  chapitre  France  : –Single  MeePng  supporter   • Nous  offrir  une  salle  de  mee0ng  !   • Par0ciper  par  un  talk  ou  autre  !   • Dona0on  simple   –Local  Chapter  supporter  :   • 500  $  à  2000  $   98 Friday, June 28, 13
  • 155. Prochains  meePngs • Septembre  2013   –Salle  :  Mozilla  Center  Paris –Speaker  :   • Security  on  Firefox  OS • A  définir • Novembre  2013 –Salle  :  a  définir –Speaker  :  a  définir Septembre  s’annonce  merveilleux  avec  plein  d’annonces  en  tout  genre.... Friday, June 28, 13
  • 156. License 100 Si  vous  avez  tout  suivi  vous  connaissez  le  prochain  slide.... @SPoint sebas0en.gioria@owasp.org Friday, June 28, 13