JSF Security
Published on

SOURCE Seattle 2011 - Krishna Raja
Transcript

  • 1. JSF Security (© 2011 Security Compass inc.)
  • 2. JSF Input Validation
    Diagram: raw inputs such as "abcd", "<script>" and "24c;--" pass through validation → Validated Input
  • 3. MyFaces: validateRegExpr Tag
    Using the Apache Tomahawk tag library:
      <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %>
      <h:outputLabel for="zip1" value="Zip"/>
      <t:inputText value="#{order.zipCode}" id="zip1">
          <t:validateRegExpr pattern="\d{5}" message="ZIP Code must be 5 digits"/>
      </t:inputText>
  • 4. Facelets Implementation
      <html ... xmlns:ui="http://java.sun.com/jsf/facelets"
                xmlns:t="http://myfaces.apache.org/tomahawk">
      <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
          <t:validateRegExpr pattern="[a-zA-Z]{1,100}" />
      </h:inputText>
  • 5. Demo: Facelets validation
  • 6. Mojarra Validators
      xmlns:mj="http://mojarra.dev.java.net/mojarra_ext"
      <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
          <mj:regexValidator pattern="[a-zA-Z]{1,50}"/>
      </h:inputText>
    There also exists: <mj:creditCardValidator/>
  • 7. JSF 2.0 Validators
    – Part of the JSF 2.0 core tag library
    – Can leverage:
        <f:validateLength …/>
        <f:validateLongRange …/>
        <f:validateDoubleRange …/>
        <f:validateRegex pattern="…"/>
  • 8. Demo: JSF 2.0 Validators
  • 9. Other JSF Validation Techniques
    – Validation in the Action Controller
        Validation tied closely to business logic
        Dependence between different fields
    – Custom validation methods
        More complex validation (i.e. when the built-in JSF validators don't suit your need)
  • 10. Output Encoding in JSF
    Diagram: <script>alert(xss) is encoded on output as &lt; &gt; &#x28;&#x27;&#x29;
  • 11. <h:outputText> & <h:outputFormat>
      <h:outputText value="#{param.name}"/>
    The escape attribute is set to "true" by default
      <h:outputFormat value="#{param.name}"/>
  • 12. Output encoding with Facelets
      <ui:define name="body">
          This will safely encode as an HTML element in a Facelet:
          <h:outputText value="#{SimpleBean.val}"></h:outputText>
      </ui:define>
    The EL expression is automatically encoded
  • 13. But there's a problem …
    – <h:outputText> and <h:outputFormat> cannot be used safely within:
        an HTML attribute
        JavaScript or CSS
    – Similar problem with Facelets ${bean.name}
  • 14. Problems with RichFaces
    – Some tags can lead to XSS
    – Never use user-supplied data with:
        <a4j:loadScript>
        <a4j:loadStyle>
        <rich:componentControl>
    – Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth>
  • 15. Solution: OWASP ESAPI EL
      <p>
          <input type="text" value="${esapi:encodeForHTMLAttribute(dangerous)}"/>
      </p>
      <p>
          <script language="javascript">
              var str = '${esapi:encodeForJavaScript(dangerous)}';
          </script>
      </p>
  • 16. Demo: ESAPI encoding
  • 17. Page Level Authorization
  • 18. ESAPI AccessController
    – Interface that provides access control for:
        URLs
        Business functions
        Data services & files
    – Contains: assertAuthorizedForURL(String URL)
  • 19. Demo: AccessController
  • 20. Defending Against CSRF: Anti-CSRF tokens
  • 21. What about JSF "view state"?
    – javax.faces.STATE_SAVING_METHOD
        Can save and restore the state of the view between requests to the server
    STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ???
  • 22. Problem: Padding Oracle Attack
    – Recently discovered exploit against CBC-mode encryption with PKCS#5 padding
    – Incorrect padding can result in javax.crypto.BadPaddingException
    – Can be used to decrypt the client-side saved view state
  • 23. Solution: OWASP CSRF Guard
    – Version 3 recently released!
    – Library that injects per-session or per-request tokens into HTML
    – Can use 2 strategies to inject the token:
        JavaScript DOM manipulation
        JSP tag library
  • 24. Demo: Anti-CSRF Tokens
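Slides 7 to 9 cover the built-in JSF 2.0 validators and the need for custom validation methods when they do not fit. The class below is an added example written for this page, not code from the presentation or from Security Compass: a whitelist validator for a ZIP code registered through the JSF 2.0 @FacesValidator annotation. The package name, the validator id "zipCodeValidator" and the ZipCodeValidator class are assumptions of this example.

```java
package example.validation; // hypothetical package name

import java.util.regex.Pattern;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

/**
 * Whitelist validator for a US ZIP code (5 digits, optionally ZIP+4).
 * Registered under the id "zipCodeValidator" and attached in a Facelet as:
 *
 *   <h:inputText id="zip" value="#{order.zipCode}" required="true">
 *       <f:validator validatorId="zipCodeValidator"/>
 *   </h:inputText>
 *
 * required="true" on the component rejects empty input before this runs;
 * a null value is therefore treated as "nothing to validate" here.
 */
@FacesValidator("zipCodeValidator")
public class ZipCodeValidator implements Validator {

    // matcher().matches() anchors the whole input, so "12345<script>" is rejected;
    // find() would accept it because "12345" occurs somewhere in the string.
    private static final Pattern ZIP = Pattern.compile("\\d{5}(-\\d{4})?");

    // Upper bound on length so a pathological input never reaches the regex engine.
    private static final int MAX_LENGTH = 10;

    @Override
    public void validate(FacesContext context, UIComponent component, Object value)
            throws ValidatorException {
        if (value == null) {
            return;
        }
        if (!isValidZip(value.toString())) {
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "ZIP Code must be 5 digits",
                    "Only 12345 or 12345-6789 are accepted");
            // Throwing ValidatorException marks the component invalid and queues the
            // message; the Update Model phase is skipped for the whole request.
            throw new ValidatorException(msg);
        }
    }

    /** Pure check kept separate so it can be unit-tested without a FacesContext. */
    public static boolean isValidZip(String text) {
        return text.length() <= MAX_LENGTH && ZIP.matcher(text).matches();
    }
}
```

The whitelist check is deliberately split into a static method so it can be tested on its own (for example that "12345" and "12345-6789" pass while "1234", "12345<script>" and "abcde" fail); the validate method only adapts that check to the JSF lifecycle.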
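Slides 13 and 15 make the point that the HTML-body encoding performed by <h:outputText> is not enough once the value lands inside an attribute or a script block, and that ESAPI's context-specific encoders close that gap. The class below is an added illustration written for this page; it is not the talk's code and not ESAPI's implementation. Its three encoders are simplified stand-ins that follow the same approach as the ESAPI EL functions (the attribute and JavaScript encoders escape every character that is not an ASCII letter or digit). The package name and the sample input are constructed.

```java
package example.encoding; // hypothetical package name

/** Simplified context-specific encoders modelled on the approach of the ESAPI EL
 *  functions encodeForHTMLAttribute and encodeForJavaScript (not ESAPI's code). */
public final class ContextEncoder {

    private ContextEncoder() {}

    /** HTML-body encoding of the four characters most renderers escape. This is what a
     *  body-level component gives you; note that the single quote is left untouched. */
    public static String encodeForHtmlBody(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** HTML attribute encoding: everything except [A-Za-z0-9] becomes &#xHH;, so the
     *  result is safe inside double-quoted, single-quoted or unquoted attribute values. */
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (isAlnum(c)) {
                out.append(c);
            } else {
                out.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return out.toString();
    }

    /** JavaScript string encoding: \xHH for non-alphanumeric ASCII, \uHHHH otherwise.
     *  The result still has to be placed inside quotes: var s = '${...}'; */
    public static String encodeForJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (isAlnum(c)) {
                out.append(c);
            } else if (c < 0x80) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    private static boolean isAlnum(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    public static void main(String[] args) {
        // Constructed sample: a value that closes a single-quoted attribute or JS string.
        String dangerous = "x' onmouseover='alert(1)";

        // Body encoding leaves the quote alone, so the attribute is broken out of.
        System.out.println("body encoder in attribute : value='" + encodeForHtmlBody(dangerous) + "'");
        // Attribute encoding turns the quote into &#x27; and the attribute stays intact.
        System.out.println("attribute encoder         : value='" + encodeForHtmlAttribute(dangerous) + "'");
        // Same contrast inside a script block: entities are not decoded there, but the
        // raw quote survives body encoding and terminates the JS string.
        System.out.println("body encoder in JS        : var s = '" + encodeForHtmlBody(dangerous) + "';");
        System.out.println("JS encoder                : var s = '" + encodeForJavaScript(dangerous) + "';");
    }
}
```

Running the class prints the four renderings side by side: the two body-encoded lines still contain the raw single quote, which is exactly the failure mode slide 13 describes, while the attribute and JavaScript encoders reduce the same input to inert escape sequences for their respective contexts.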