JSF Security

SOURCE Seattle 2011 - Krishna Raja

JSF Security Presentation Transcript

  • 1. JSF Security (© 2011 Security Compass inc.)
  • 2. JSF Input Validation: raw input such as abcd, <script> or 24c;-- is checked before it is accepted as validated input.
  • 3. MyFaces: validateRegExpr Tag (using the Apache Tomahawk tag library)
        <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %>
        <h:outputLabel for="zip1" value="Zip"/>
        <t:inputText value="#{order.zipCode}" id="zip1">
          <t:validateRegExpr pattern="\d{5}" message="ZIP Code must be 5 digits"/>
        </t:inputText>
  • 4. Facelets Implementation
        <html ... xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:t="http://myfaces.apache.org/tomahawk">
        <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
          <t:validateRegExpr pattern="[a-zA-Z]{1,100}"/>
        </h:inputText>
  • 5. Demo: Facelets validation
  • 6. Mojarra Validators
        xmlns:mj="http://mojarra.dev.java.net/mojarra_ext"
        <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
          <mj:regexValidator pattern="[a-zA-Z]{1,50}"/>
        </h:inputText>
        There also exists: <mj:creditCardValidator/>
  • 7. JSF 2.0 Validators: part of the JSF 2.0 core tag library. Can leverage:
        – <f:validateLength …/>
        – <f:validateLongRange …/>
        – <f:validateDoubleRange …/>
        – <f:validateRegex pattern="…"/>
  • 8. Demo: JSF 2.0 Validators
  • 9. Other JSF Validation Techniques
        – Validation in the action controller: validation tied closely to business logic; dependencies between different fields.
        – Custom validation methods: more complex validation (i.e. the built-in JSF validators don't suit your need).
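Slides 3 to 9 show tag-based validators and then point at two further techniques, a custom validator and validation in the action controller. The following is an added example and not code from the slides: a JSF 2 custom validator registered with @FacesValidator (the id zipCodeValidator), and a request-scoped managed bean whose action method performs a cross-field check that no single-field tag validator can express. The class names, field names and the client ids form:confirmEmail are assumptions.

```java
// --- ZipCodeValidator.java ---
// Added example (not from the slides). Assumed Facelet usage:
//   <h:inputText id="zip" value="#{orderBean.zipCode}" required="true">
//     <f:validator validatorId="zipCodeValidator"/>
//   </h:inputText>
import java.util.regex.Pattern;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

@FacesValidator("zipCodeValidator")
public class ZipCodeValidator implements Validator {
    // Anchored, ASCII-only: the whole value must be exactly five digits.
    // (\d alone would also accept non-ASCII digits in Java regexes.)
    private static final Pattern ZIP = Pattern.compile("^[0-9]{5}$");

    @Override
    public void validate(FacesContext ctx, UIComponent component, Object value)
            throws ValidatorException {
        if (value == null) {
            return; // empty values are rejected by required="true", not here
        }
        if (!ZIP.matcher(value.toString()).matches()) {
            // Throwing ValidatorException marks the component invalid, so the
            // Update Model and Invoke Application phases are skipped entirely.
            throw new ValidatorException(new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "ZIP Code must be 5 digits", null));
        }
    }
}

// --- OrderBean.java ---
// Assumed Facelet usage: <h:commandButton action="#{orderBean.submit}"/>
// inside <h:form id="form"> with inputs id="email" and id="confirmEmail".
import java.util.Objects;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;

@ManagedBean
@RequestScoped
public class OrderBean {
    private String zipCode;
    private String email;
    private String confirmEmail;

    public String getZipCode() { return zipCode; }
    public void setZipCode(String zipCode) { this.zipCode = zipCode; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getConfirmEmail() { return confirmEmail; }
    public void setConfirmEmail(String confirmEmail) { this.confirmEmail = confirmEmail; }

    /** Action method: runs only after every per-field validator has passed. */
    public String submit() {
        // Cross-field rule that depends on two inputs at once.
        if (!Objects.equals(email, confirmEmail)) {
            FacesContext.getCurrentInstance().addMessage("form:confirmEmail",
                    new FacesMessage(FacesMessage.SEVERITY_ERROR,
                            "E-mail addresses do not match", null));
            return null; // stay on the same view and redisplay with the message
        }
        return "confirm"; // navigation outcome on success
    }
}
```

The validator rejects on the server regardless of what the browser sends, which is the property that matters; the action-controller check is the right place for rules that span fields, because by the time the action runs every single-field validator has already passed and the model holds converted values.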
  • 10. Output Encoding in JSF: output such as <script>alert(xss) is rendered with its special characters encoded as HTML entities, e.g. &lt; &gt; &#x28; &#x27; &#x29;
  • 11. <h:outputText> & <h:outputFormat>
        <h:outputText value="#{param.name}"/>
        <h:outputFormat value="#{param.name}"/>
        The escape attribute is set to "true" by default.
  • 12. Output encoding with Facelets
        <ui:define name="body">
          This will safely encode as an HTML element in a Facelet:
          <h:outputText value="#{SimpleBean.val}"></h:outputText>
        </ui:define>
        The EL expression is automatically encoded.
  • 13. But there's a problem: <h:outputText> and <h:outputFormat> cannot be used safely within an HTML attribute, or within JavaScript or CSS. A similar problem exists with Facelets ${bean.name}.
  • 14. Problems with RichFaces: some tags can lead to XSS. Never use user-supplied data with <a4j:loadScript>, <a4j:loadStyle> or <rich:componentControl>. Known vulnerabilities exist with <rich:editor>, <rich:effect>, <rich:gmap> and <rich:virtualEarth>.
  • 15. Solution: OWASP ESAPI EL
        <p><input type="text" value="${esapi:encodeForHTMLAttribute(dangerous)}"/></p>
        <p><script language="javascript"> var str='${esapi:encodeForJavaScript(dangerous)}'; </script></p>
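Slides 13 to 15 make the point that one encoding does not fit every output context: HTML-element encoding is not enough inside an attribute or a script block, so the encoder must match the context the data lands in. The following is an added example, not code from the slides or from the ESAPI project: a servlet that writes the same untrusted parameter into three contexts using the ESAPI Encoder methods the slides name. It assumes the ESAPI library (org.owasp.esapi) and its ESAPI.properties are on the classpath; the servlet name and parameter name are assumptions.

```java
// Added example (not from the slides). Requires the OWASP ESAPI library and
// an ESAPI.properties file on the classpath; GreetingServlet and the "name"
// parameter are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

public class GreetingServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }
        Encoder enc = ESAPI.encoder();

        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // 1. Element body: entity-encode < > & " ' and friends.
        out.println("<p>Hello, " + enc.encodeForHTML(name) + "</p>");

        // 2. Quoted HTML attribute: attribute encoding also neutralises the
        //    quote that would otherwise terminate value="...".
        out.println("<input type=\"text\" value=\""
                + enc.encodeForHTMLAttribute(name) + "\"/>");

        // 3. JavaScript string literal: backslash-hex encoding, and the value
        //    MUST sit inside quotes; an unquoted ${...} in a script is not a
        //    string literal and the encoder cannot make it one.
        out.println("<script>var who = '" + enc.encodeForJavaScript(name)
                + "';</script>");

        // Not shown: a URL context would need encodeForURL, and a CSS
        // context encodeForCSS; reusing the HTML encoder there is the same
        // mistake slide 13 describes.
    }
}
```

One caveat when carrying this over to Facelets: template-text EL (#{...}) is HTML-escaped by default (slide 12), so a value that was already attribute- or JavaScript-encoded in a bean getter would be encoded a second time unless it is emitted through a component with escape="false". The slide's JSP ${esapi:...} functions avoid that because JSP does not escape ${} on its own.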
  • 16. Demo: ESAPI encoding
  • 17. Page Level Authorization
  • 18. ESAPI AccessController: an interface that provides access control for URLs, business functions, and data services & files. Contains: assertAuthorizedForURL(String URL)
  • 19. Demo: AccessController
  • 20. Defending Against CSRF: anti-CSRF tokens
  • 21. What about JSF "view state"? javax.faces.STATE_SAVING_METHOD can save and restore the state of the view between requests to the server. STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ???
  • 22. Problem: Padding Oracle Attack. A recently discovered exploit against CBC-mode encryption with PKCS#5 padding. Incorrect padding can result in javax.crypto.BadPaddingException. Can be used to decrypt the saved view state (STATE_SAVING_METHOD).
  • 23. Solution: OWASP CSRF Guard. Version 3 recently released! A library that injects per-session or per-request tokens into HTML. It can use 2 strategies to inject the token: JavaScript DOM manipulation, or a JSP tag library.
  • 24. Demo: Anti-CSRF Tokens