Xebia Knowledge Exchange - Owasp Top Ten
OWASP Security Top Ten and the techniques to prevent them in Java
Published in: Technology

Slide transcript
1. OWASP Security Top Ten
   OWASP top ten and Java protections
   Cyrille Le Clerc, cleclerc@xebia.fr
   www.xebia.fr / blog.xebia.fr
   Tuesday, November 24, 2009
2. OWASP Security Top Ten
   - This presentation is based on "OWASP Top 10 For Java EE: The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications", http://www.owasp.org/index.php/Top_10_2007
3. Cross Site Scripting (XSS)
4. Cross Site Scripting (XSS)
   What?
   - A subset of HTML injection
   - Data provided by malicious users is rendered in web pages and executes script in other users' browsers
   Goal?
   - Hijack user sessions, steal user data, deface the web site, etc.
   Sample
   - lastName: Cyrille "><script ... />
5. Cross Site Scripting (XSS)
   How to prevent it?
   - Input validation: JSR 303 Bean Validation

   Bean:

       public class Person {
           @Size(min = 1, max = 256)
           private String lastName;

           @Size(max = 256)
           @Pattern(regexp = ".+@.+\\.[a-z]+")   // the dot before the TLD must be escaped; the slide's ".+@.+.[a-z]+" accepts any character there
           private String email;
           ...
       }

   Controller:

       @Controller
       @RequestMapping("/person")   // the URL belongs on @RequestMapping; the value of @Controller is only the bean name
       public class PersonController {
           @RequestMapping(method = RequestMethod.POST)
           public void save(@Valid Person person) {
               // ...
           }
       }

   Validation narrows what reaches the application but does not make the output safe: a name such as O'Neil or "A & B" passes @Size and still needs escaping when rendered (next slide).
6. Cross Site Scripting (XSS)
   How to prevent it?
   - HTML output escaping
     - JSTL:

           <h2>Welcome <c:out value="${person.lastName}" /></h2>

     - Expression language danger: JSP EL does NOT escape!

           <h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>

     - Spring MVC
       - Global escaping (web.xml):

             <web-app>
               <context-param>
                 <param-name>defaultHtmlEscape</param-name>
                 <param-value>true</param-value>
               </context-param>
               ...
             </web-app>

       - Page level:

             <spring:htmlEscape defaultHtmlEscape="true" />

   Caveat: defaultHtmlEscape only changes the default of Spring's own tags (spring:message, spring:bind, the form tag library). A bare ${...} stays unescaped whatever the setting, so every EL expression that renders user data must go through <c:out> or an equivalent escaping function.
7. Cross Site Scripting (XSS)
   How to prevent it?
   - Use HttpOnly cookies
     - Cookies not accessible via JavaScript (document.cookie), so an injected script cannot read the session id
     - Introduced with Servlet 3.0:

           cookie.setHttpOnly(true);

     - Since Tomcat 6.0.20 for session cookies (no web.xml configuration for JSESSIONID before Servlet 3.0):

           <Context useHttpOnly="true">
             ...
           </Context>

     - Manual workaround:

           response.setHeader("Set-Cookie", "foo=" + bar + "; HttpOnly");

   Caveat: HttpOnly hides the cookie from script, but injected script still runs in the victim's browser and can send requests that carry the cookie automatically. It limits the damage of an XSS; it is not a fix for it.
8. Cross Site Scripting (XSS)
   How to prevent it?
   - Do not use blacklist validation but whitelist validation
     - Blacklists of forbidden tags (<script>, <img>) are bypassed with case changes, encodings and the many other tags and attributes that run script
     - Prefer wiki/forum white-list style markup ([img], [url], [strong]) that the application translates into HTML itself
9. Injection Flaws
10. Injection Flaws
   What?
   - Malicious data provided by a user to read or modify sensitive data
   - Types of injection: SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more
   Goal?
   - Create, modify, delete, read data
   Sample
   - lastName: Cyrille "; INSERT INTO MONEY_TRANSFER ...
11. Injection Flaws
   How to prevent it?
   - Input validation
     - XSD with regular expressions, min and max values, etc.
     - JSR 303 Bean Validation
12. Injection Flaws
   How to prevent it?
   - Use a strongly typed, parameterized query API: the value travels as data, never as part of the query text
     - JDBC:

           preparedStatement.setString(1, lastName);

     - JPA:

           query.setParameter("lastName", lastName);

     - HTTP (Commons HttpClient 3):

           GetMethod getMethod = new GetMethod("/findPerson");
           getMethod.setQueryString(new NameValuePair[] { new NameValuePair("lastName", lastName) });

     - XML (DOM):

           Element lastNameElt = doc.createElement("lastName");
           lastNameElt.appendChild(doc.createTextNode(lastName));

     - XPath :-( javax.xml.xpath has no positional parameters; the closest thing is an XPath variable ($lastName) bound through javax.xml.xpath.XPathVariableResolver
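The "XPath :-(" entry deserves a worked example: javax.xml.xpath cannot bind positional parameters, but it does support XPath variables through XPathVariableResolver, which gives the same data/code separation as a PreparedStatement. The class below is an added example, not code from the deck; the persons document, the names in it and the XPathParameterDemo class name are constructed for the demonstration, and the classic `' or '1'='1` payload shows the difference between concatenating and binding.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example: XPath injection by concatenation versus binding the value as an XPath variable. */
public class XPathParameterDemo {

    // Constructed sample document (not real data)
    private static final String XML =
          "<persons>"
        + "<person><lastName>Le Clerc</lastName><email>cleclerc@example.org</email></person>"
        + "<person><lastName>Dupont</lastName><email>dupont@example.org</email></person>"
        + "</persons>";

    static Document parse() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DOCTYPE means no external entities and no entity expansion (Xerces feature, built into the JDK)
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(XML)));
    }

    /** Vulnerable: user data becomes part of the XPath expression text. */
    static int countConcatenated(Document doc, String lastName) throws Exception {
        String expr = "//person[lastName='" + lastName + "']";
        NodeList nl = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NODESET);
        return nl.getLength();
    }

    /** Safe: the expression is fixed, the value is supplied through the $lastName variable. */
    static int countParameterized(Document doc, final String lastName) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName name) {
                return "lastName".equals(name.getLocalPart()) ? lastName : null;
            }
        });
        XPathExpression expr = xpath.compile("//person[lastName=$lastName]");
        NodeList nl = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
        return nl.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse();
        String payload = "' or '1'='1";   // makes the concatenated predicate always true

        System.out.println("concatenated, honest name : " + countConcatenated(doc, "Dupont"));
        System.out.println("concatenated, payload     : " + countConcatenated(doc, payload)); // every person matches
        System.out.println("parameterized, honest name: " + countParameterized(doc, "Dupont"));
        System.out.println("parameterized, payload    : " + countParameterized(doc, payload)); // compared as plain text, nothing matches
    }
}
```

The resolver is consulted at evaluation time, so the same compiled expression can be reused with different values; what it can never do is change the structure of the query, which is exactly the property a PreparedStatement gives for SQL.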
13. Injection Flaws
   How to prevent it?
   - If not, use escaping libraries very cautiously!!! One escaper per output context (Commons Lang StringEscapeUtils, java.net.URLEncoder):
     - HTML:

           "<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";

     - JavaScript:

           "lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";

     - HTTP:

           "/findPerson?" + URLEncoder.encode(lastName, "UTF-8");

     - XML:

           "<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";

   - Don't use simple escaping functions! Caution:

           StringUtils.replaceChars(lastName, "'", "''");

     replaceChars maps characters one to one (the extra replacement character is ignored), so this does not even double the quote; and a quote-doubling escape still says nothing about backslashes, NUL bytes or the database's own encoding rules. Parameterize instead.
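Slides 6 and 13 both come down to choosing the escaper that matches the output context. The class below is an added example, not code from the deck, and uses only the JDK so it does not depend on Commons Lang; the OutputEscaper name and the payloads are made up for the demonstration. It shows the nested-context trap that a single HTML escaper misses: an inline event handler attribute is HTML-decoded by the browser before the JavaScript engine parses it, so the value must be escaped for JavaScript first and for HTML second.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/** Added example: one encoder per output context, never one encoder for everything. */
public final class OutputEscaper {

    /** HTML text and attribute context: only & < > " ' can change the HTML structure. */
    public static String html(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;   // &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * JavaScript string literal context: hex-escape everything that is not alphanumeric, so quotes,
     * backslashes, newlines and the sequence "</script>" can never terminate the literal or the script block.
     */
    public static String jsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    /** URL query parameter value context: percent-encoding. */
    public static String urlParam(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);   // UTF-8 is always available
        }
    }

    public static void main(String[] args) {
        // Constructed payload in the style of the deck's lastName sample
        String lastName = "Cyrille\"><script src=\"http://attacker.example/x.js\"></script>";
        System.out.println("<h2>Welcome " + html(lastName) + "</h2>");
        System.out.println("/findPerson?lastName=" + urlParam(lastName));

        // Nested context: the browser HTML-decodes the attribute value, THEN hands it to the JavaScript engine.
        String jsPayload = "'); alert(document.cookie); //";
        // WRONG: &#39; is decoded back to ' and the payload breaks out of greet('...')
        System.out.println("<a onclick=\"greet('" + html(jsPayload) + "')\">");
        // RIGHT: JavaScript-escape first (no quotes survive), then HTML-escape for the attribute
        System.out.println("<a onclick=\"greet('" + html(jsString(jsPayload)) + "')\">");
    }
}
```

The order matters because decoding happens in the reverse order of encoding: the browser undoes the HTML layer, then the JavaScript engine undoes the \xNN layer, and at no point does an unescaped quote exist.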
14. Injection Flaws
   How to prevent it?
   - Don't use dynamic queries at all!

   Vulnerable, dynamic JPQL built by concatenation:

       if (StringUtils.isNotEmpty(lastName)) {
           jpaQl += " lastName like '" + lastName + "'";
       }

   JPA 1 Query API, same dynamism with named parameters:

       Map<String, Object> parameters = new HashMap<String, Object>();
       if (StringUtils.isNotEmpty(lastName)) {
           jpaQl += " lastName like :lastName ";
           parameters.put("lastName", lastName);
       }
       Query query = entityManager.createQuery(jpaQl);
       for (Entry<String, Object> parameter : parameters.entrySet()) {
           query.setParameter(parameter.getKey(), parameter.getValue());
       }

   Criteria API (the slide labels this "JPA 2 Criteria API"; the Restrictions class shown is Hibernate's own org.hibernate.criterion API, and javax.persistence.criteria.CriteriaBuilder is the JPA 2 standard equivalent):

       if (StringUtils.isNotEmpty(lastName)) {
           criteria.add(Restrictions.like("lastName", lastName));
       }

   Caveat: parameterizing a LIKE stops injection but still lets the user supply % and _ wildcards; use an equality match or escape the wildcards when the value must be exact.
15. Injection Flaws
   How to prevent it?
   - Enforce least privilege
     - Don't be root
     - Limit database access to Data Manipulation Language (no DDL, no file or OS functions for the application account)
     - Limit file system access
     - Use firewalls to control traffic entering from and going to the Internet
16. Malicious File Execution
17. Malicious File Execution
   What?
   - A malicious file or file path provided by a user is used to access files
   Goal?
   - Read or modify sensitive data
   - Remotely execute files (rootkits, etc.)
   Sample
   - pictureName: ../../WEB-INF/web.xml
18. Malicious File Execution
   How to prevent it?
   - Don't build file paths from user-provided data
   - Don't execute commands with user-provided data
   - Give users an indirection identifier instead of a path
   - Use firewalls to prevent servers from connecting to outside sites

   Both snippets below are the vulnerable patterns the bullets warn against:

       String picturesFolder = servletContext.getRealPath("/pictures");
       String pictureName = request.getParameter("pictureName");
       File picture = new File(picturesFolder + "/" + pictureName);   // "../../WEB-INF/web.xml" walks out of the folder

       Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));   // exec(String) splits on whitespace: extra arguments get injected
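As an added example (not code from the deck) of the first three bullets, the class below replaces the two vulnerable snippets with a whitelist of the file name, a canonical-path containment check, and an argument-vector exec. SafeFileAccess, the picture name pattern and the sample names are assumptions; in a servlet the base directory would be new File(servletContext.getRealPath("/pictures")) as on the slide.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/** Added example: a picture name is accepted only as a plain file name that stays inside the pictures folder. */
public class SafeFileAccess {

    /** Whitelist: letters, digits, dot, underscore, dash; no path separators at all. (Assumed policy.) */
    private static final Pattern PICTURE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /**
     * Resolves name under base, or throws if the canonical result is not inside base.
     * Canonicalisation resolves "..", "." and symbolic links before the prefix check,
     * so even a name that passes the whitelist (".." does) cannot escape.
     */
    public static File resolveUnderBase(File base, String name) throws IOException {
        if (!PICTURE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid picture name");
        }
        File canonicalBase = base.getCanonicalFile();
        File candidate = new File(canonicalBase, name).getCanonicalFile();
        String prefix = canonicalBase.getPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) {
            throw new IllegalArgumentException("path escapes the base directory");
        }
        return candidate;
    }

    /** Run the processor with an argument vector: no shell, no whitespace splitting, no metacharacters. */
    public static Process process(File picture) throws IOException {
        return new ProcessBuilder("imageprocessor", picture.getPath()).start();   // "imageprocessor" is the deck's hypothetical tool
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "pictures");
        // Constructed inputs: one honest name, the deck's traversal sample, a command-injection attempt and a bare ".."
        String[] names = { "cat.png", "../../WEB-INF/web.xml", "cat.png; rm -rf /", ".." };
        for (String name : names) {
            try {
                System.out.println("accept " + resolveUnderBase(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("reject \"" + name + "\": " + e.getMessage());
            }
        }
    }
}
```

The whitelist alone would already reject three of the four names; the canonical check is what catches the fourth and is the part to keep even when the whitelist has to be looser than this one.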
19. Insecure Direct Object Reference
20. Insecure Direct Object Reference
   What?
   - Transmitting user-forgeable identifiers without checking them server side
   Goal?
   - Create, modify, delete, read other users' data
   Sample

       <html><body>
         <form name="shoppingCart">
           <input name="id" type="hidden" value="32" />
           ...
         </form>
       </body></html>

       ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));   // whatever id the client sends is loaded
21. Insecure Direct Object Reference
   How to prevent it?
   - Input identifier validation
     - reject wildcards ("10%20")
   - Add server-side identifiers (the authenticated user) to the query
   - Control access permissions
     - See Spring Security

       Criteria criteria = session.createCriteria(ShoppingCart.class);
       criteria.add(Restrictions.like("id", request.getParameter("id")));        // Restrictions.eq would avoid the wildcard problem altogether
       criteria.add(Restrictions.like("clientId", request.getRemoteUser()));     // the cart must belong to the caller
       ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();
22. Insecure Direct Object Reference
   How to prevent it?
   - Use server-side indirection with generated random references
     - See org.owasp.esapi.AccessReferenceMap

       String indirectId = request.getParameter("id");
       String id = accessReferenceMap.getDirectReference(indirectId);   // throws for a reference this user was never given
       ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);

       String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());

       <html><body>
         <form name="shoppingCart">
           <input name="id" type="hidden" value="${indirectId}" />
           ...
         </form>
       </body></html>
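The principle behind org.owasp.esapi.AccessReferenceMap, as an added example written for this page rather than taken from ESAPI or the deck: a per-session map from real ids to random handles, so the client never sees, and cannot forge, a database key. The IndirectReferenceMap class name and the cart ids are assumptions.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: one instance per user (store it in the HttpSession). Only ids the application
 * has handed out through getIndirectReference can ever come back through getDirectReference.
 */
public final class IndirectReferenceMap {

    private static final SecureRandom RANDOM = new SecureRandom();
    private final Map<String, Object> indirectToDirect = new HashMap<String, Object>();
    private final Map<Object, String> directToIndirect = new HashMap<Object, String>();

    /** Handle to render in the page for a real id; the same id always maps to the same handle within this map. */
    public synchronized String getIndirectReference(Object directReference) {
        String indirect = directToIndirect.get(directReference);
        if (indirect == null) {
            do {
                indirect = new BigInteger(128, RANDOM).toString(32);   // 128 random bits: unguessable
            } while (indirectToDirect.containsKey(indirect));
            directToIndirect.put(directReference, indirect);
            indirectToDirect.put(indirect, directReference);
        }
        return indirect;
    }

    /** Real id for a handle coming back from the client; unknown handles are rejected, never guessed. */
    public synchronized Object getDirectReference(String indirectReference) {
        Object direct = indirectToDirect.get(indirectReference);
        if (direct == null) {
            throw new IllegalArgumentException("unknown reference");   // forgery attempt or stale handle: worth logging
        }
        return direct;
    }

    public static void main(String[] args) {
        IndirectReferenceMap map = new IndirectReferenceMap();   // one per session: the handle space differs per user
        Long myCartId = Long.valueOf(32);                         // the user's own cart, as in the deck's sample

        String handle = map.getIndirectReference(myCartId);
        System.out.println("hidden field value: " + handle);
        System.out.println("handle resolves to cart " + map.getDirectReference(handle));

        try {
            map.getDirectReference("33");   // neighbouring id typed by the attacker: never handed out, so never resolvable
        } catch (IllegalArgumentException e) {
            System.out.println("forged id rejected: " + e.getMessage());
        }
    }
}
```

Indirection does not replace the permission check on slide 21; it only guarantees that the set of reachable objects is the set the user was shown, which must itself have been built with the user's rights applied.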
23. Cross Site Request Forgery (CSRF)
24. Cross Site Request Forgery (CSRF)
   What?
   - Assumes the user is logged in to another web site and sends a malicious request to it from the attacker's page; the browser attaches the victim's cookies automatically
   - Ajax web sites are very exposed!
   Goal?
   - Perform operations without asking the user
   Sample
   - http://mybank.com/transfer.do?amount=100000&recipientAccount=12345
25. Cross Site Request Forgery (CSRF)
   How to prevent it?
   - Ensure that no XSS vulnerability exists in your application (script running in the page can read the token and defeats it)
   - Use a random token in sensitive forms, generated per session and checked server side
     - Spring Web Flow and Struts 2 provide such random token mechanisms
   - Re-authenticate the user for sensitive operations

       <form action="/transfer.do">
         <input name="token" type="hidden" value="14689423257893257" />
         <input name="amount" />
         ...
       </form>
26. Information Leakage and Improper Exception Handling
27. Information Leakage and Improper Exception Handling
   What?
   - Sensitive code details given to attackers
   - Usually by letting exceptions reach the user
   Goal?
   - Discover code details in order to discover vulnerabilities
28. Information Leakage and Improper Exception Handling
   - Sample (screenshot; image not included in the transcript)
29. Information Leakage and Improper Exception Handling
   How to prevent it?
   - Avoid detailed error messages
   - Beware of development mode messages!
   - web.xml: catch everything, including errors the application never handled

       <web-app>
         <error-page>
           <exception-type>java.lang.Throwable</exception-type>
           <location>/empty-error-page.jsp</location>
         </error-page>
         ...
       </web-app>

   - Tomcat: replace the default error report valve, which prints the exception and the server version

       <Server ...>
         <Service ...>
           <Engine ...>
             <Host errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve" ...>
               ...
             </Host>
           </Engine>
         </Service>
       </Server>
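The <location> page should say nothing about what went wrong while the log says everything. The servlet below is an added example, not from the deck: it is meant to be mapped as the error-page location (for instance /error in place of /empty-error-page.jsp), logs the exception with a random incident id and shows the user only that id. ErrorPageServlet is an assumed name; the request attributes it reads are the standard ones the servlet container sets before forwarding to an error page.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.SecureRandom;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: error page that keeps the details server side and gives the user a correlation id. */
public class ErrorPageServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(ErrorPageServlet.class.getName());
    private static final SecureRandom RANDOM = new SecureRandom();

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Attributes set by the container for <error-page> targets (Servlet 2.x / 3.0)
        Throwable t = (Throwable) req.getAttribute("javax.servlet.error.exception");
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        String uri = (String) req.getAttribute("javax.servlet.error.request_uri");

        // Everything the developer needs goes to the log, keyed by an id the user can quote to support
        String incidentId = Long.toHexString(RANDOM.nextLong());
        LOG.log(Level.SEVERE, "incident " + incidentId + " status " + status + " uri " + sanitize(uri), t);

        resp.setStatus(status == null ? HttpServletResponse.SC_INTERNAL_SERVER_ERROR : status.intValue());
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><h2>Sorry, something went wrong.</h2>");
        out.println("<p>Please contact support and quote incident " + incidentId + ".</p>");
        out.println("</body></html>");
        // Deliberately absent from the response: t.getMessage(), class names, stack frames, SQL text, file paths
    }

    /** Request-controlled text goes into the log: strip CR/LF so it cannot forge additional log lines. */
    static String sanitize(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n]", "_");
    }
}
```

The same idea applies to the SOAP faults on the next slide: the fault string carries the incident id, the exception stays in the log.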
30. Information Leakage and Improper Exception Handling
   How to prevent it?
   - Don't display stack traces in SOAP Faults
   - Sanitize GUI error messages
     - Sample: "Invalid login or password" (the same message whether or not the login exists)
31. Broken Authentication and Session Management
32. Broken Authentication and Session Management
   What?
   - Web authentication and session handling have many traps
   Goal?
   - Hijack user sessions
33. Broken Authentication and Session Management
   How to prevent it?
   - Log session initiation and sensitive data access
     - Remote IP, time, login, sensitive data and operation accessed
     - Use a dedicated log4j output file that is rolled, never overwritten
   - Use out-of-the-box session and authentication mechanisms
     - Don't create your own cookies
     - Look at Spring Security

       # Audit
       log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
       log4j.appender.audit.datePattern='-'yyyyMMdd
       log4j.appender.audit.file=audit.log
       log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
       log4j.appender.audit.layout.conversionPattern=%m %throwable{short}%n
       log4j.logger.com.mycompany.audit.Audit=INFO, audit
       log4j.additivity.com.mycompany.audit.Audit=false

   Caveat: values taken from the request (login, User-Agent) end up in this file; strip CR and LF from them before logging, or an attacker can forge audit lines.
34. Broken Authentication and Session Management
   How to prevent it?
   - Use SSL and a random token for authentication pages
     - including the display of the login page, not only the POST of the credentials
   - Regenerate a new session on successful authentication (defeats session fixation)
   - Use HttpOnly session cookies; don't use URL-rewriting-based session handling (the id leaks into logs, bookmarks and Referer headers)
   - Prevent brute-force attacks using timeouts or locking the account after repeated authentication failures
   - Don't store clear-text passwords; consider SSHA (salted SHA). A deliberately slow salted hash such as PBKDF2 (in the JDK as PBKDF2WithHmacSHA1) or bcrypt resists offline guessing far better than a single salted SHA-1.
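Slides 33 and 34 together describe what a login handler has to do. The servlet below is an added example, not code from the deck, of one handler that regenerates the session, locks an account after repeated failures, answers with the same message for an unknown login and a wrong password, and writes a CR/LF-neutralized audit line to the com.mycompany.audit.Audit logger named on slide 33 (through java.util.logging here so that the example needs no log4j jar; with log4j the same logger name picks up the slide's appender). The user store is a constructed in-memory map of clear-text passwords, kept only so the example runs; real code verifies salted, iterated hashes (see the cryptographic storage section). LoginServlet, the thresholds and the /home redirect are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: login over TLS with lockout, session regeneration and an audit trail. */
public class LoginServlet extends HttpServlet {

    private static final Logger AUDIT = Logger.getLogger("com.mycompany.audit.Audit");
    private static final int MAX_FAILURES = 5;                         // assumed policy
    private static final long LOCK_MILLIS = 15 * 60 * 1000L;           // assumed policy
    private static final int SESSION_TIMEOUT_SECONDS = 15 * 60;        // assumed policy

    /** Constructed demo user store (login -> password); a real store holds salted, iterated hashes. */
    private static final Map<String, String> DEMO_USERS =
            Collections.singletonMap("cyrille", "correct horse battery staple");

    /** login -> {failure count, locked-until timestamp}. In memory here; a cluster keeps it in the user store. */
    private final Map<String, long[]> failures = new ConcurrentHashMap<String, long[]>();

    protected boolean credentialsValid(String login, String password) {
        String expected = DEMO_USERS.get(login);
        return expected != null && MessageDigest.isEqual(expected.getBytes(), password.getBytes());
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {                                   // credentials travel only over SSL/TLS
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String login = String.valueOf(req.getParameter("login"));
        String password = req.getParameter("password");
        long now = System.currentTimeMillis();

        long[] state = failures.get(login);
        if (state != null && state[1] > now) {                   // temporarily locked: do not even check the password
            audit(req, login, "LOGIN_LOCKED");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid login or password");
            return;
        }
        if (password == null || !credentialsValid(login, password)) {
            long[] s = state == null ? new long[2] : state;
            s[0]++;
            if (s[0] >= MAX_FAILURES) {
                s[0] = 0;
                s[1] = now + LOCK_MILLIS;
            }
            failures.put(login, s);
            audit(req, login, "LOGIN_FAILURE");
            // Same message for unknown user and wrong password: no user enumeration
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid login or password");
            return;
        }
        failures.remove(login);

        // Session fixation defence: drop whatever session id the browser had before authenticating
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", login);
        session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);
        audit(req, login, "LOGIN_SUCCESS");
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** One line per event: what, who, from where, when. Never the password. CR/LF removed from request data. */
    private static void audit(HttpServletRequest req, String login, String event) {
        AUDIT.info(event + " login=" + neutralize(login) + " ip=" + req.getRemoteAddr()
                + " ts=" + System.currentTimeMillis());
    }

    private static String neutralize(String s) {
        return s.replaceAll("[\\r\\n]", "_");
    }
}
```

The lockout answers "Invalid login or password" with a 403 rather than a distinct "account locked" text so that an attacker cannot use the lock as an oracle for valid logins; whether to tell the legitimate user separately (by e-mail, for instance) is a product decision.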
35. Broken Authentication and Session Management
   How to prevent it?
   - Use a session timeout period
   - Remember-Me cookies must be invalidated on password change (see Spring Security)
   - Beware not to write passwords in log files
   - Server-generated passwords (lost password, etc.) must be valid only once
   - Be able to distinguish SSL communications (request.isSecure())
36. Broken Authentication and Session Management
   How to prevent it?
   - For server-to-server communication, use remote IP control in addition to password validation (a second check, not a replacement: source addresses can be spoofed or shared behind NAT)
37. Insecure Cryptographic Storage
38. Insecure Cryptographic Storage
   What?
   - Cryptography has many traps
   Goal?
   - Steal sensitive data
39. Insecure Cryptographic Storage
   How to prevent it?
   - Don't invent custom cryptography solutions
     - Java offers approved algorithms for hashing, symmetric-key and public-key encryption (java.security, javax.crypto)
     - Double hashing (hashing a hash) is a home-made construction, not an approved algorithm
   - Don't use weak algorithms
     - MD5, SHA-1, etc. are weak. Prefer SHA-256
   - Beware of private key storage
     - Java doesn't offer a chroot mechanism to limit access to private key files to root; the file system permissions on the key store are what protects them
     - Storing secrets on servers requires expertise
40. Insecure Communications
41. Insecure Communications
   What?
   - Insecure communications are easy to eavesdrop on or tamper with
   Goal?
   - Steal sensitive data, hijack user sessions
42. Insecure Communications
   How to prevent it?
   - Use SSL with the Servlet API
     - In code: request.isSecure()
     - In web.xml: a CONFIDENTIAL transport guarantee makes the container redirect plain HTTP requests for the pattern to HTTPS

       <web-app ...>
         ...
         <security-constraint>
           <web-resource-collection>
             <web-resource-name>restricted web services</web-resource-name>
             <url-pattern>/services/*</url-pattern>
           </web-resource-collection>
           <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
           </user-data-constraint>
         </security-constraint>
         ...
       </web-app>

   Caveat: when SSL is terminated on a reverse proxy or load balancer, the connector sees plain HTTP and isSecure() returns false, so CONFIDENTIAL would redirect forever; configure the connector (Tomcat: secure="true" and scheme="https" on the connector behind the proxy, or the RemoteIpValve reading X-Forwarded-Proto) so that the container knows the client leg was encrypted.
43. Insecure Communications
   How to prevent it?
   - Use SSL with Spring Security

       <beans ...>
         <sec:http auto-config="true">
           <sec:intercept-url pattern="/services/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY" />
         </sec:http>
       </beans>