Rest Security with JAX-RS

Transcript

  • 1. REST Security with JAX-RS (JavaOne 2013)
  • 2. About
    • Frank Kim
      – SANS Institute
      • Curriculum Lead, Application Security
      • Author, Secure Coding in Java
  • 3. Outline
    • Authentication
    • Encryption
    • Validation
    • Wrap Up
  • 4. Authentication
    • Process of verifying an identity
    • Can be based on three factors
      – Something you know
      – Something you have
      – Something you are
  • 5. Java EE Authentication
    • Configuration in web.xml

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Example</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>

        <auth-constraint>
          <role-name>user</role-name>
          <role-name>admin</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/loginerror.jsp</form-error-page>
        </form-login-config>
      </login-config>

  • 6. JAX-RS SecurityContext
    • getAuthenticationScheme()
      – Returns the String authentication scheme used to protect the resource
      – BASIC, FORM, CLIENT_CERT
    • getUserPrincipal()
      – Returns a Principal object containing the username
    • isUserInRole(String role)
      – Returns a boolean indicating whether the user has the specified logical role
  • 7. Photo Sharing Site Demo
  • 8. Photo Sharing Site API

      http://www.sparklr.com:8080/sparklr2/photos?&format=json

      { "photos" : [
          { "id":"1" , "name":"photo1.jpg" } ,
          { "id":"3" , "name":"photo3.jpg" } ,
          { "id":"5" , "name":"photo5.jpg" } ]
      }

  • 9. Issues
    • Userid/password authentication is fine
      – If the API is used only by your site
    • But what if your API needs to be used by
      – Other web apps
      – Mobile apps
      – Native apps
    • Do you want these apps to
      – Have your password?
      – Have full access to your account?
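As an added example (not the talk's slides or the Sparklr demo code), the three SecurityContext methods above used in a JAX-RS resource, together with a request filter that fails closed when the container has not authenticated the caller. The class, path and role names are assumptions; the roles match the web.xml fragment on slide 5. Each public class belongs in its own file.

```java
import java.io.IOException;
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

// Hypothetical global filter: a request that reaches JAX-RS without a
// principal means the web.xml <url-pattern> did not cover it. Fail closed
// instead of serving an unintentionally unprotected resource.
@Provider
public class RequireAuthenticationFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        SecurityContext sc = ctx.getSecurityContext();
        if (sc == null || sc.getUserPrincipal() == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .entity("authentication required").build());
        }
    }
}

// Hypothetical photo resource; the authorization decision comes from
// SecurityContext, which the container populates after FORM/BASIC login.
@Path("/photos")
public class PhotoResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response listPhotos(@Context SecurityContext sc) {
        Principal user = sc.getUserPrincipal();        // set by the container login
        String scheme = sc.getAuthenticationScheme();   // BASIC, FORM or CLIENT_CERT

        // Decide against the logical roles declared in web.xml
        // (<role-name>user</role-name>, <role-name>admin</role-name>),
        // never against a username compared in code.
        String scope = sc.isUserInRole("admin")
                ? "all photos"
                : "photos owned by " + user.getName();

        return Response.ok("authenticated via " + scheme + "; listing " + scope).build();
    }

    @GET
    @Path("/{id}")
    @Produces(MediaType.TEXT_PLAIN)
    public Response getPhoto(@Context SecurityContext sc, @PathParam("id") String id) {
        // Object-level check: a valid login is not enough; the caller must be
        // allowed to see this particular photo (its owner, or an admin).
        if (!sc.isUserInRole("admin") && !isOwner(sc.getUserPrincipal(), id)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("photo " + id).build();
    }

    // Hypothetical ownership rule (photo ids are prefixed with the owner's
    // name); a real implementation would look the owner up in the photo store.
    private boolean isOwner(Principal user, String photoId) {
        return photoId.startsWith(user.getName() + "-");
    }
}
```

The filter runs before any resource method, so a missing `<url-pattern>` entry turns into a 401 rather than a data leak; the per-photo check in `getPhoto` is the part `isUserInRole` alone does not give you.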
  • 11. OAuth
    • Way to authenticate a service
      – Valet key metaphor coined by Eran Hammer-Lahav
    • Authorization token with limited rights
      – You agree which rights are granted
      – You can revoke rights at any time
      – Can gracefully upgrade rights if needed
  • 12. OAuth Roles
    • User
      – Person using the app
      – Also known as the "resource owner"
    • Client
      – Photo printing service called Tonr
    • Server
      – Photo sharing service called Sparklr
      – Also known as the "resource server"
  • 13. Simplified OAuth Flow (User; Client = Tonr, photo printing service; Server = Sparklr, photo sharing service)
    1) You log in to Tonr
    2) Tonr needs pictures to print and redirects you to Sparklr's log in page
    3) You log in to Sparklr directly
  • 14. Simplified OAuth Flow (continued)
    4) Sparklr returns an OAuth "access token"
    5) Tonr stores the "access token" with your account
    6) You are happy printing and viewing your pictures
  • 15. Photo Printing Site Demo
  • 16. Detailed OAuth Flow
    1) Via browser: Tonr starts OAuth process
      – Once you click the "Authorize" button

      http://www.sparklr.com:8080/sparklr2/oauth/authorize?client_id=tonr&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T

  • 18. Detailed OAuth Flow
    2) Via browser: Sparklr redirects back to Tonr

      http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T

  • 19. Detailed OAuth Flow
    3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password

      Request:
      POST /sparklr2/oauth/token HTTP/1.1
      Authorization: Basic dG9ucjpzZWNyZXQ=

      grant_type=authorization_code&code=cOuBX6&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos

      Response:
      {"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb",
       "token_type":"bearer","expires_in":"42528",
       "scope":"read write"}
  • 23. Detailed OAuth Flow
    4) Via "Client": Tonr gets pictures from Sparklr

      All requests include:
      Authorization: Bearer 5881ce86-3ed0-4427-8a6b-42aef1068dfb

  • 24. When to Use OAuth
    • Use OAuth for consuming APIs from
      – Third-party web apps
      – Mobile apps
      – Native apps
    • Don't need to use OAuth
      – If the API is only consumed by the user within the same web app
      – If APIs are only consumed server to server
  • 25. Benefits
    • No passwords shared between web apps
    • No passwords stored on mobile devices
    • Limits impact of security incidents
      – If you lose your mobile device
        • You revoke the access Sparklr gave to the Tonr mobile app
      – If Tonr gets hacked
        • Sparklr revokes OAuth access
      – If Sparklr gets hacked
        • You change your Sparklr password
        • Revoke access from Tonr to generate a new access token
  • 26. OAuth Versions
    • 1.0
      – Has a security flaw related to session fixation
      – Don't use it
    • 1.0a
      – Stable and well understood
      – Uses a signature to exchange credentials and signs every request
      – Signatures are more of a pain than it seems
    • 2.0
      – Spec is final with good support
  • 27. OAuth 2.0 Authorization Grant Types
    1) Authorization Code
      – Optimized for confidential clients
      – Uses an authorization code from the Server
      – User doesn't see the access token
    2) Implicit Grant
      – Optimized for script heavy web apps
      – Does not use an authorization code from the Server
      – User can see the access token
    3) Resource Owner Password Credentials
      – Use in cases where the User trusts the Client
      – Exposes User credentials to the Client
    4) Client Credentials
      – Client gets an access token based on Client credentials only
  • 28. OAuth 2.0 Access Token Types
    • Bearer
      – Large random token
      – Need SSL to protect it in transit
      – Server needs to store it securely hashed like a user password
    • Mac
      – Uses a nonce to prevent replay
      – Does not require SSL
      – OAuth 1.0 only supported a mac type token
  • 29. Outline
    • Authentication
    • Encryption
    • Validation
    • Wrap Up
  • 30. Session Hijacking (diagram: Victim on a public WiFi network, Internet, mybank.com, Attacker)
    1) Victim goes to mybank.com via HTTP
  • 31. Session Hijacking
    2) Attacker sniffs the public wifi network and steals the JSESSIONID
  • 32. Session Hijacking
    3) Attacker uses the stolen JSESSIONID to access the victim's session
  • 33. Enable SSL in web.xml

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Example</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>

        ...

        <user-data-constraint>
          <transport-guarantee>
            CONFIDENTIAL
          </transport-guarantee>
        </user-data-constraint>
      </security-constraint>

  • 34. JAX-RS SecurityContext
    • isSecure()
      – Returns a boolean indicating whether the request was made via HTTPS
  • 35. Secure Flag
    • Ensures that the Cookie is only sent via SSL
    • Configure in web.xml as of Servlet 3.0

      <session-config>
        <cookie-config>
          <secure>true</secure>
        </cookie-config>
      </session-config>

    • Programmatically

      Cookie cookie = new Cookie("mycookie", "test");
      cookie.setSecure(true);

  • 36. Strict-Transport-Security
    • Tells browser to only talk to the server via HTTPS
      – First time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
      – Subsequent requests to HTTP automatically use HTTPS
    • Supported browsers
      – Implemented in Firefox and Chrome
      – Defined in RFC 6797

      Strict-Transport-Security: max-age=seconds [; includeSubdomains]
  • 37. Outline
    • Authentication
    • Encryption
    • Validation
    • Wrap Up
  • 38. Restrict Input
    • Restrict to POST
      – Use @POST annotation
    • Restrict the Content-Type
      – Use @Consumes({MediaType.APPLICATION_JSON})
      – Invalid Content-Type results in HTTP 415 Unsupported Media Type
    • Restrict to Ajax if applicable
      – Check X-Requested-With: XMLHttpRequest header
    • Restrict response types
      – Check Accept header for valid response types
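The four restrictions above in one JAX-RS resource, as an added example (not the OWASP 1-Liner application's code, whose vulnerable endpoint is shown later on slide 50). The resource path, the field names and the validation limits are assumptions; the JSON is parsed with the Java EE 7 JSON-P API.

```java
import java.io.StringReader;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.ws.rs.Consumes;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical one-liner endpoint with every restriction from slide 38 applied.
@Path("/ws/oneliners")
public class OneLinerResource {

    private static Response reject(Response.Status status, String why) {
        return Response.status(status).type(MediaType.TEXT_PLAIN).entity(why).build();
    }

    @POST                                   // 1) GET and other methods get HTTP 405
    @Consumes(MediaType.APPLICATION_JSON)   // 2) a text/plain HTML form gets HTTP 415
    @Produces(MediaType.APPLICATION_JSON)   // 4) an Accept header this cannot satisfy gets HTTP 406
    public Response create(@HeaderParam("X-Requested-With") String requestedWith,
                           String body) {
        // 3) An HTML form cannot add custom headers, so requiring the Ajax
        //    marker is a second, independent barrier against form-based CSRF.
        if (!"XMLHttpRequest".equals(requestedWith)) {
            return reject(Response.Status.BAD_REQUEST, "Ajax requests only");
        }

        JsonObject msg;
        try {
            msg = Json.createReader(new StringReader(body)).readObject();
        } catch (JsonException e) {
            // Malformed input (for example the forged "...}//=dummy" body on
            // slide 49) is refused, never "repaired".
            return reject(Response.Status.BAD_REQUEST, "malformed JSON");
        }

        // Validate the fields positively: allowed characters and length,
        // rather than trying to strip whatever looks dangerous.
        String nick = msg.getString("nickName", "");
        String line = msg.getString("oneLiner", "");
        if (!nick.matches("[A-Za-z0-9_]{1,20}")) {
            return reject(Response.Status.BAD_REQUEST, "invalid nickName");
        }
        if (line.isEmpty() || line.length() > 140) {
            return reject(Response.Status.BAD_REQUEST, "invalid oneLiner");
        }

        // Persisting the one-liner is out of scope here; echo the validated
        // object back with 201 Created.
        JsonObject stored = Json.createObjectBuilder()
                .add("nickName", nick)
                .add("oneLiner", line)
                .build();
        return Response.status(Response.Status.CREATED).entity(stored.toString()).build();
    }
}
```

Because `@Consumes` is checked by the JAX-RS runtime before the method runs, the `enctype="text/plain"` form from slide 50 never reaches this code at all; the `X-Requested-With` and field checks are the layers behind that first one.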
  • 39. Cross-Site Request Forgery (CSRF) (diagram: victim browser, mybank.com, attacker.com)
    1) Victim signs on to mybank
    2) Victim visits attacker.com
    3) Page contains CSRF code

      <form action=https://mybank.com/transfer.jsp method=POST>
        <input name=recipient value=attacker>
        <input name=amount value=1000>
      </form>
      <script>document.forms[0].submit()</script>

    4) Browser sends the request to mybank

      POST /transfer.jsp HTTP/1.1
      Cookie: <mybank authentication cookie>

      recipient=attacker&amount=1000

  • 40. CSRF and OAuth 2.0
    • How can an attacker use CSRF to take over your account?
      – Many sites allow logins from third-party identity providers like Facebook
      – Many identity providers use OAuth
      – Attacker can automatically associate your account with an attacker controlled Facebook account
  • 41. OAuth CSRF Research
    • Accounts at many sites could be taken over using OAuth CSRF
      – Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
    • Research by Rich Lundeen
      – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
    • Prior research by Stephen Sclafani
      – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
  • 42. OAuth CSRF Attack Flow
    1) Create attacker controlled Facebook account
    2) Victim is signed on to provider account (i.e. Stack Exchange)
    3) Lure victim into visiting an evil site with OAuth CSRF code
      – CSRF code sends OAuth authorization request
    4) Attacker's Facebook account now controls victim provider account
  • 43. Linking Stack Exchange with an Evil Facebook Account
    Image from http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
  • 44. CSRF Protection
    • Spec defines a "state" parameter that must be included in the redirect to the Client
      – Value must be non-guessable and tied to session

      Client sends "state" to Server:
      http://www.sparklr.com:8080/sparklr2/oauth/authorize?client_id=tonr&redirect_uri=http://www.eviltonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T

      Server sends "state" back to Client after authorization:
      http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T
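The Tonr side of the detailed flow (slides 16 to 23) with the state protection from slide 44, as an added example that is not the talk's demo code. It mints an unguessable state bound to the session, refuses the callback unless the state matches, exchanges the code with HTTP Basic client authentication using the JAX-RS 2.0 Client API, and then calls the photo API with the bearer token. Hosts and client id are the demo's values, the client secret is a placeholder, and the resource paths and session attribute names are assumptions. The demo uses http:// hosts; a real deployment would use https:// throughout, as the Encryption section says. Assumes Java 8 for `java.util.Base64`.

```java
import java.io.StringReader;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.json.Json;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;

// Hypothetical Tonr resource acting as the OAuth 2.0 "Client".
@Path("/sparklr")
public class SparklrLinkResource {
    private static final String AUTHORIZE_URL = "http://www.sparklr.com:8080/sparklr2/oauth/authorize";
    private static final String TOKEN_URL = "http://www.sparklr.com:8080/sparklr2/oauth/token";
    private static final String PHOTOS_URL = "http://www.sparklr.com:8080/sparklr2/photos?format=json";
    private static final String REDIRECT_URI = "http://www.tonr.com:8080/tonr2/sparklr/photos";
    private static final String CLIENT_ID = "tonr";
    private static final String CLIENT_SECRET = "CHANGE-ME-client-secret"; // placeholder; load from config
    private static final String STATE_KEY = "sparklr_oauth_state";         // assumed session attribute
    private static final String TOKEN_KEY = "sparklr_access_token";        // assumed session attribute
    private static final SecureRandom RNG = new SecureRandom();

    // Step 1: user clicks "Authorize". Mint a fresh state, bind it to this
    // session, and send the browser to Sparklr carrying it.
    @GET
    @Path("/start")
    public Response start(@Context HttpServletRequest req) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        req.getSession(true).setAttribute(STATE_KEY, state);

        URI authorize = UriBuilder.fromUri(AUTHORIZE_URL)
                .queryParam("client_id", CLIENT_ID)
                .queryParam("redirect_uri", REDIRECT_URI)
                .queryParam("response_type", "code")
                .queryParam("scope", "read write")
                .queryParam("state", state)
                .build();
        return Response.seeOther(authorize).build();
    }

    // Step 2: Sparklr redirects back with ?code=...&state=... . The code is
    // exchanged only if the state is the one this session issued; a forged
    // callback from an attacker's flow carries a state this session never saw.
    @GET
    @Path("/photos")
    public Response callback(@Context HttpServletRequest req,
                             @QueryParam("code") String code,
                             @QueryParam("state") String state) {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(STATE_KEY);
        if (expected == null || state == null || code == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          state.getBytes(StandardCharsets.UTF_8))) {
            return Response.status(Response.Status.FORBIDDEN).entity("OAuth state mismatch").build();
        }
        session.removeAttribute(STATE_KEY);   // each state value is single-use

        // Step 3: back-channel code-for-token exchange, authenticating as the
        // client with HTTP Basic (the Authorization header on slide 19).
        String basic = Base64.getEncoder().encodeToString(
                (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        Form form = new Form()
                .param("grant_type", "authorization_code")
                .param("code", code)
                .param("redirect_uri", REDIRECT_URI);
        Client client = ClientBuilder.newClient();
        try {
            Response tokenResp = client.target(TOKEN_URL)
                    .request(MediaType.APPLICATION_JSON)
                    .header("Authorization", "Basic " + basic)
                    .post(Entity.form(form));
            if (tokenResp.getStatus() != 200) {
                return Response.status(Response.Status.BAD_GATEWAY).entity("token exchange failed").build();
            }
            String accessToken = Json.createReader(new StringReader(tokenResp.readEntity(String.class)))
                    .readObject().getString("access_token");
            session.setAttribute(TOKEN_KEY, accessToken);

            // Step 4: API calls carry the bearer token; the user's Sparklr password never reaches Tonr.
            String photos = client.target(PHOTOS_URL)
                    .request(MediaType.APPLICATION_JSON)
                    .header("Authorization", "Bearer " + accessToken)
                    .get(String.class);
            return Response.ok(photos, MediaType.APPLICATION_JSON).build();
        } finally {
            client.close();
        }
    }
}
```

The comparison uses `MessageDigest.isEqual` so that a wrong state fails in constant time, and the stored state is removed as soon as it is consumed; a 16-byte SecureRandom value is what "non-guessable" means in practice.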
  • 45. OAuth CSRF Protection Demo
  • 46. OWASP 1-Liner
    • Deliberately vulnerable application
      – Intended for demos and training
      – Created by John Wilander @johnwilander
    • More information at
      – https://www.owasp.org/index.php/OWASP_1-Liner
  • 47. JSON CSRF Demo
  • 48. Normal JSON Message

      {"id":0,"nickName":"John",
       "oneLiner":"I LOVE Java!",
       "timestamp":"2013-05-27T17:04:23"}

  • 49. Forged JSON Message

      {"id": 0, "nickName": "John",
       "oneLiner": "I hate Java!",
       "timestamp": "20111006"}//=dummy

  • 50. CSRF Attack Form

      <form id="target" method="POST"
            action="https://local.1-liner.org:8444/ws/vulnerable/oneliners"
            enctype="text/plain"
            style="visibility:hidden">

        <input type="text"
               name='{"id": 0, "nickName": "John",
                      "oneLiner": "I hate Java!",
                      "timestamp": "20111006"}//'
               value="dummy" />

        <input type="submit" value="Go" />
      </form>
  • 53. CSRF Defense
    • Must include something random in the request
      – Use an anti-CSRF token
    • OWASP CSRFGuard
      – Written by Eric Sheridan @eric_sheridan
      – Can inject anti-CSRF token using
        • JSP Tag library - for manual, fine grained protection
        • JavaScript DOM manipulation - for automated protection requiring minimal effort
      – Filter that intercepts requests and validates tokens
  • 54. CSRFGuard JSP Tags
    • Tags for token name and value

      <form name="test1" action="protect.html">
        <input type="text" name="text" value="text"/>
        <input type="submit" name="submit" value="submit"/>
        <input type="hidden" name="<csrf:token-name/>"
               value="<csrf:token-value/>"/>
      </form>

    • Tag for name/value pair (delimited with "=")

      <a href="protect.html?<csrf:token/>">protect.html</a>

    • Convenience tags for forms and links as well
      <csrf:form> and <csrf:a>

    Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
  • 55. CSRFGuard DOM Manipulation
    • Include JavaScript in every page that needs CSRF protection

      <script src="/securish/JavaScriptServlet"></script>

    • JavaScript used to hook the open and send methods

      XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
      XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
        // store a copy of the target URL
        this.url = url;
        this._open.apply(this, arguments);
      }

      XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
      XMLHttpRequest.prototype.send = function(data) {
        if(this.onsend != null) {
          // call custom onsend method to modify the request
          this.onsend.apply(this, arguments);
        }
        this._send.apply(this, arguments);
      }
  • 56. Protecting XHR Requests
    • CSRFGuard sends two HTTP headers

      XMLHttpRequest.prototype.onsend = function(data) {
        if(isValidUrl(this.url)) {
          this.setRequestHeader("X-Requested-With", "OWASP CSRFGuard Project");
          this.setRequestHeader("OWASP_CSRFTOKEN", "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
        }
      };

  • 57. JSON CSRF Protection Demo
  • 58. Outline
    • Authentication
    • Encryption
    • Validation
    • Wrap Up
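The server side that the two headers above are meant for, as an added example; this is not CSRFGuard's own filter, but a JAX-RS request filter of the same shape (slides 53 to 56): a random token tied to the session, required in the OWASP_CSRFTOKEN header on every state-changing request and compared in constant time, plus a small same-origin endpoint the page's script can fetch the token from instead of the hard-coded value shown on slide 56. The session attribute name and the endpoint path are assumptions; assumes Java 8 for `java.util.Base64`. Each public class belongs in its own file.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical filter: a cross-site HTML form cannot add the token header,
// and a cross-site script cannot read the token, so a forged request is
// rejected before any resource method runs.
@Provider
public class CsrfTokenFilter implements ContainerRequestFilter {
    static final String TOKEN_HEADER = "OWASP_CSRFTOKEN"; // header name CSRFGuard's script uses
    static final String SESSION_KEY = "csrf_token";       // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    @Context
    private HttpServletRequest request;

    // Returns this session's token, minting it on first use. 24 bytes from
    // SecureRandom is comfortably "non-guessable".
    static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_KEY);
            if (token == null) {
                byte[] raw = new byte[24];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(SESSION_KEY, token);
            }
            return token;
        }
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String method = ctx.getMethod();
        // Safe methods are exempt: they must not change state, which is why
        // the attack form on slide 50 has to POST in the first place.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return;
        }
        HttpSession session = request.getSession(false);
        String sent = ctx.getHeaderString(TOKEN_HEADER);
        boolean valid = session != null && sent != null
                && MessageDigest.isEqual(tokenFor(session).getBytes(StandardCharsets.UTF_8),
                                         sent.getBytes(StandardCharsets.UTF_8));
        if (!valid) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("missing or invalid CSRF token").build());
        }
    }
}

// Same-origin script fetches the token here and sets it on each XHR in the
// onsend hook, the way the slide 56 snippet does with a literal value.
@Path("/csrf-token")
public class CsrfTokenResource {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String token(@Context HttpServletRequest req) {
        return CsrfTokenFilter.tokenFor(req.getSession(true));
    }
}
```

The filter does not look at `X-Requested-With` at all: that header is a useful extra barrier (slide 38) but the token is what actually proves the request came from a page this server served to this session.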
  • 59. Summary
    • Authentication
      ✓ Can use userid/password for services consumed by your app
      ✓ Use OAuth for third-party web apps and mobile apps
    • Encryption
      ✓ Use SSL
      ✓ Use Secure flag
      ✓ Use Strict-Transport-Security header
    • Validation
      ✓ Restrict input
      ✓ Protect your apps against CSRF
  • 60. Frank Kim, wim@sans.org, @sansappsec
  • 61. References
    • JAX-RS 2.0
      – http://jcp.org/en/jsr/detail?id=339
      – https://jax-rs-spec.java.net/nonav/2.0/apidocs
    • OAuth 2.0 Specification
      – http://tools.ietf.org/html/rfc6749
      – http://oauth.net
    • Spring Security OAuth
      – http://www.springsource.org/spring-security-oauth
    • OAuth: The Big Picture
      – http://pages.apigee.com/oauth-big-picture-ebook.html
    • OAuth CSRF issues
      – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
      – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
    • OWASP 1-Liner
      – https://www.owasp.org/index.php/OWASP_1-Liner
    • CSRFGuard
      – https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
      – http://ericsheridan.blogspot.com/2010/12/how-csrfguard-protects-ajax.html