OWASP Top 10 : Let’s know & solve Harit Kothari

Top 10 Cross Site Scripting (XSS) Injection Flaws Malicious File Execution Insecure Direct Object Reference Cross Site Request Forgery (CSRF) Information Leakage and Improper Error Handling Broken Authentication and Session Management Insecure Cryptographic Storage Insecure Communications Failure to Restrict URL Access

Cross Site Scripting (XSS)

Injection Flaws

Malicious File Execution

Insecure Direct Object Reference

Cross Site Request Forgery (CSRF)

Information Leakage and Improper Error Handling

Broken Authentication and Session Management

Insecure Cryptographic Storage

Insecure Communications

Failure to Restrict URL Access

Cross Site Scripting (XSS)

Remedies Client side validation (using JavaScript etc.) Specify character set (e.g. UTF-8, 8859_1) in HTML with CHARSET header Server side validation Best practse : Error reporting / Server logs

Client side validation (using JavaScript etc.)

Specify character set (e.g. UTF-8, 8859_1) in HTML with CHARSET header

Server side validation

Best practse : Error reporting / Server logs

Examples Replace special character(s) with blanks ‘ ’ final String filterPattern=&quot;[<>{}\[\];\&]&quot;; String inputStr = s.replaceAll(filterPattern,&quot; &quot;); Another – check if String matches any of characters except numeric, using RegEx final String inputStr = request.getParameter(&quot;input&quot;); final String numericPattern = &quot;^\d+$&quot;; if (!inputStr.matches(numericPattern)) { /* invalid input, do something with error*/ } Yet another, change characters representation into decimal equivalent, of course paying performance penalty public static String encode(String data) { final StringBuffer buf = new StringBuffer(); final char[] chars = data.toCharArray(); for (int i = 0; i < chars.length; i++) { buf.append(&quot;&#&quot; + (int) chars[i]); } return buf.toString(); }

Replace special character(s) with blanks ‘ ’

final String filterPattern=&quot;[<>{}\[\];\&]&quot;;

String inputStr = s.replaceAll(filterPattern,&quot; &quot;);

Another – check if String matches any of characters except numeric, using RegEx

final String inputStr = request.getParameter(&quot;input&quot;);

final String numericPattern = &quot;^\d+$&quot;;

if (!inputStr.matches(numericPattern))

{

/* invalid input, do something with error*/

}

Yet another, change characters representation into decimal equivalent, of course paying performance penalty

public static String encode(String data)

{

final StringBuffer buf = new StringBuffer();

final char[] chars = data.toCharArray();

for (int i = 0; i < chars.length; i++)

{

buf.append(&quot;&#&quot; + (int) chars[i]);

}

return buf.toString();

}

Examples continued Secure Exceptions thrown at server pages <!-- Maps the 404 Not Found response code to the error page /errPage404 --> <error-page> <error-code>404</error-code> <location>/errPage404</location> </error-page> <!-- Maps any thrown ServletExceptions to the error page /errPageServ --> <error-page> <exception-type>javax.servlet.ServletException</exception-type> <location>/errPageServ</location> </error-page> <!-- Maps any other thrown exceptions to a generic error page /errPageGeneric --> <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/errPageGeneric</location> </error-page>

Secure Exceptions thrown at server pages

<!-- Maps the 404 Not Found response code to the error page /errPage404 -->

<error-page>

<error-code>404</error-code>

<location>/errPage404</location>

</error-page>

<!-- Maps any thrown ServletExceptions to the error page /errPageServ -->

<error-page>

<exception-type>javax.servlet.ServletException</exception-type>

<location>/errPageServ</location>

</error-page>

<!-- Maps any other thrown exceptions to a generic error page /errPageGeneric -->

<error-page>

<exception-type>java.lang.Throwable</exception-type>

<location>/errPageGeneric</location>

</error-page>

Injection Flaws

Remedies Input validation Strongly typed query APIs (PreparedStatement in JDBC & ORM in Hibernate) Avoid dynamic query APIs (Statement in JDBC) Use of escape characters as prefix and sufix to values to eliminate LDAP injection

Input validation

Strongly typed query APIs (PreparedStatement in JDBC & ORM in Hibernate)

Avoid dynamic query APIs (Statement in JDBC)

Use of escape characters as prefix and sufix to values to eliminate LDAP injection

Examples Using PreparedStatement try { // Prepare a statement to insert a record String sql = &quot;INSERT INTO my_table (columnName) VALUES(?)&quot;; PreparedStatement pstmt = connection.prepareStatement(sql); // Insert 10 rows for (int i=0; i<10; i++) { // Set the value pstmt.setString(1, &quot;row &quot;+i); // Insert the row pstmt.executeUpdate(); } } catch (SQLException e) { }

Using PreparedStatement

try

{

// Prepare a statement to insert a record

String sql = &quot;INSERT INTO my_table (columnName) VALUES(?)&quot;;

PreparedStatement pstmt = connection.prepareStatement(sql);

// Insert 10 rows

for (int i=0; i<10; i++)

{

// Set the value

pstmt.setString(1, &quot;row &quot;+i);

// Insert the row

pstmt.executeUpdate();

}

}

catch (SQLException e)

{

}

Examples Continued To add Escape Chars public static String escapeDN(String name) { StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) sb.append('\'); // add the leading backslash if needed for (int i = 0; i < name.length(); i++) { char curChar = name.charAt(i); switch (curChar) { case '\': sb.append(&quot;\\&quot;); break; case ',': sb.append(&quot;\,&quot;); break; case '+' sb.append(&quot;\+&quot;); break; case '&quot;': sb.append(&quot;\&quot;&quot;); break; case '<': sb.append(&quot;\<&quot;); break; case '>': sb.append(&quot;\>&quot;); break; case ';': sb.append(&quot;\;&quot;); break; default: sb.append(curChar); } } if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) sb.insert(sb.length() - 1, '\'); // add the trailing backslash if needed return sb.toString(); }

To add Escape Chars

public static String escapeDN(String name)

{

StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder

if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#')))

sb.append('\'); // add the leading backslash if needed

for (int i = 0; i < name.length(); i++)

{

char curChar = name.charAt(i);

switch (curChar)

{

case '\': sb.append(&quot;\\&quot;); break;

case ',': sb.append(&quot;\,&quot;); break;

case '+' sb.append(&quot;\+&quot;); break;

case '&quot;': sb.append(&quot;\&quot;&quot;); break;

case '<': sb.append(&quot;\<&quot;); break;

case '>': sb.append(&quot;\>&quot;); break;

case ';': sb.append(&quot;\;&quot;); break;

default: sb.append(curChar);

}

}

if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' '))

sb.insert(sb.length() - 1, '\'); // add the trailing backslash if needed

return sb.toString();

}

To filter Escape Chars public static final String escapeLDAPSearchFilter(String filter) { StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder for (int i = 0; i < filter.length(); i++) { char curChar = filter.charAt(i); switch (curChar) { case '\': sb.append(&quot;\5c&quot;); break; case '*': sb.append(&quot;\2a&quot;); break; case '(': sb.append(&quot;\28&quot;); break; case ')': sb.append(&quot;\29&quot;); break; case 'u0000': sb.append(&quot;\00&quot;); break; default: sb.append(curChar); } } return sb.toString(); }

To filter Escape Chars

public static final String escapeLDAPSearchFilter(String filter)

{

StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder

for (int i = 0; i < filter.length(); i++)

{

char curChar = filter.charAt(i);

switch (curChar)

{

case '\':

sb.append(&quot;\5c&quot;);

break;

case '*':

sb.append(&quot;\2a&quot;);

break;

case '(':

sb.append(&quot;\28&quot;);

break;

case ')':

sb.append(&quot;\29&quot;);

break;

case 'u0000':

sb.append(&quot;\00&quot;);

break;

default:

sb.append(curChar);

}

}

return sb.toString();

}

Malicious File Execution

Remedies Strongly validate user Add firewall Check any user supplied files or filenames Consider implementing a chroot jail / SandBox

Strongly validate user

Add firewall

Check any user supplied files or filenames

Consider implementing a chroot jail / SandBox

Insecure Direct Object Reference

Remedies Limit direct reference (public access) to secure entities (objects) Use some alternate parameter to check for access permission, e.g. userID Use of index values to avoid actual name / parameter manipulation

Limit direct reference (public access) to secure entities (objects)

Use some alternate parameter to check for access permission, e.g. userID

Use of index values to avoid actual name / parameter manipulation

Example int bankAccountNo = Integer.parseInt( request.getParameter( &quot;AccountNo&quot; ) ); User user = (User)request.getSession().getAttribute( &quot;user&quot; ); String query = &quot;SELECT * FROM account_master WHERE ac_no=&quot; + bankAccountNo + &quot; AND userID=&quot; + user.getID();

int bankAccountNo = Integer.parseInt( request.getParameter( &quot;AccountNo&quot; ) );

User user = (User)request.getSession().getAttribute( &quot;user&quot; );

String query = &quot;SELECT * FROM account_master WHERE ac_no=&quot; + bankAccountNo + &quot; AND userID=&quot; + user.getID();

Cross Site Request Forgery (XSRF) Also knows as… Session Riding One-Click Attacks Hostile Linking Automation Attack

Also knows as…

Session Riding

One-Click Attacks

Hostile Linking

Automation Attack

Example Applications e.g. Ask for current password to change to new Avoid hidden form fields Use cryptographic tokens

Applications e.g.

Ask for current password to change to new

Avoid hidden form fields

Use cryptographic tokens

Remedies Limit direct reference (public access) to secure entities (objects) Use some alternate parameter to check for access permission, e.g. userID Use of index values to avoid actual name / parameter manipulation Extensive use of SessionID (JSessionID In case of JavaEE), which is unpredictable

Limit direct reference (public access) to secure entities (objects)

Use some alternate parameter to check for access permission, e.g. userID

Use of index values to avoid actual name / parameter manipulation

Extensive use of SessionID (JSessionID In case of JavaEE), which is unpredictable

Information Leakage and Improper Error Handling

Remedies Exception handling & simplified message (that too only if required) on user end – a key! Define error pages at AppServer level. E.g. 40X – Page related errors

Exception handling & simplified message (that too only if required) on user end – a key!

Define error pages at AppServer level. E.g. 40X – Page related errors

Broken Authentication and Session Management

Example On logout, Session.invalidate();

On logout,

Session.invalidate();

Remedies Proper session management No other routine then application server’s default mechanism Session timeout after specific time Destruction of session on logout / time out. No session details in logs or URL

Proper session management

No other routine then application server’s default mechanism

Session timeout after specific time

Destruction of session on logout / time out.

No session details in logs or URL

Insecure Cryptographic Storage

Remedies Really secure encryption algorithm Ensure that every sensitive piece of information is encrypted well Use publicly aproved algoriths instead of user defined Store private keys in extremely secure location (offline) Ensure encrypted data is not easily decrypted

Really secure encryption algorithm

Ensure that every sensitive piece of information is encrypted well

Use publicly aproved algoriths instead of user defined

Store private keys in extremely secure location (offline)

Ensure encrypted data is not easily decrypted

Insecure Communications

Remedies Use of secure encryption while sending important data over network (SSL) Encryption of sensitive data Ensure communication between infrastructure elements (e.g. DB &Server) uses transport layer security or protocol level encryption

Use of secure encryption while sending important data over network (SSL)

Encryption of sensitive data

Ensure communication between infrastructure elements (e.g. DB &Server) uses transport layer security or protocol level encryption

Failure to Restrict URL Access

Remedies Access control matrix No read access to unauthorized user Hidden URLs known only to the users, it is meant for, is wrong assumption Include / Header files out of public scope, outside root of application Block access to the type of files not entertained by application

Access control matrix

No read access to unauthorized user

Hidden URLs known only to the users, it is meant for, is wrong assumption

Include / Header files out of public scope, outside root of application

Block access to the type of files not entertained by application

References http://java.sun.com/javaee/security/ http://www.owasp.org/index.php/Top_10_2007

http://java.sun.com/javaee/security/

http://www.owasp.org/index.php/Top_10_2007