Code review for secure web applications
    Presentation Transcript

    • Code Review for Secure Web Applications, with Java samples

    • Bibliography
      – OWASP – Open Web Application Security Project
      – OWASP Code Review Guide

    • Introduction
      – Code reviews: ad hoc reviews, pair programming, walkthrough, team review, inspection
      – Purpose: security

    • Code review strategies
      – Automatic
      – Manual – use checklists:
        – risk based
        – most encountered programming mistakes
        – mitigation of the most encountered vulnerabilities exploited in the world
        – security best practices

    • Checklist based on best practices
      – Authentication
      – Authorization
      – Session management
      – Input validation and output sanitization

    • Checklist based on best practices (to be presented next meeting)
      – Prevent Cross Site Request Forgery
      – Cryptographic controls
      – Error handling
      – Logging
      – Prevent race conditions
    • Authentication
      – Check the user is not allowed to choose weak passwords
      Bad:
          String password = request.getParameter("Password");
          if (password == null) {
              // only a missing password is rejected; any non-empty value, however weak, is accepted
              throw new InvalidPasswordException();
          }

    • Authentication
      – Check the user is not allowed to choose weak passwords
      OK:
          import java.util.regex.Pattern;

          // Require 8 to 30 characters containing lower case, upper case, a digit and a symbol.
          static boolean isStrongPassword(String password) {
              return password.length() >= 8 && password.length() <= 30
                  && Pattern.compile("[a-z]").matcher(password).find()
                  && Pattern.compile("[A-Z]").matcher(password).find()
                  && Pattern.compile("[0-9]").matcher(password).find()
                  && Pattern.compile("[!\"£$%^&*()]").matcher(password).find();
          }

    • Authentication
      – Password storage strategy: hashing using a one-way hash algorithm + salting
      OK hashing:
          import java.nio.charset.StandardCharsets;
          import java.security.MessageDigest;
          import java.security.NoSuchAlgorithmException;

          public byte[] getHash(String password) throws NoSuchAlgorithmException {
              // SHA-1 as on the original slide; a dedicated slow password hash (PBKDF2, bcrypt, Argon2) resists offline guessing far better
              MessageDigest digest = MessageDigest.getInstance("SHA-1");
              digest.reset();
              return digest.digest(password.getBytes(StandardCharsets.UTF_8));
          }

    • Authentication
      – Password storage strategy: hashing using a one-way hash algorithm + salting
      OK salting:
          import java.nio.charset.StandardCharsets;
          import java.security.MessageDigest;
          import java.security.NoSuchAlgorithmException;

          public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
              MessageDigest digest = MessageDigest.getInstance("SHA-256");
              digest.reset();
              digest.update(salt);   // per-user random salt, stored alongside the hash
              return digest.digest(password.getBytes(StandardCharsets.UTF_8));
          }
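The salted scheme from the slide carried through to enrolment and verification, as an added example that is not from the slides; the record format (base64 salt, colon, base64 hash), the 16-byte salt and the sample password are assumptions made here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltedPasswordStore {
    private static final SecureRandom RNG = new SecureRandom();

    // The slide's scheme: digest over salt || password. The salt must be stored with the hash.
    static byte[] hash(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        digest.update(salt);
        return digest.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // 128-bit random salt, unique per user, so equal passwords do not produce equal hashes.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    // Stored record format (constructed for this example): base64(salt) ":" base64(hash)
    static String enroll(String password) throws NoSuchAlgorithmException {
        byte[] salt = newSalt();
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(hash(password, salt));
    }

    // Recompute with the stored salt; MessageDigest.isEqual compares in constant time,
    // so response timing does not reveal how many leading bytes matched.
    static boolean verify(String password, String record) throws NoSuchAlgorithmException {
        String[] parts = record.split(":", 2);
        if (parts.length != 2) return false;
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[0]);
        byte[] expected = dec.decode(parts[1]);
        return MessageDigest.isEqual(expected, hash(password, salt));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String record = enroll("Tr0ub4dor&3");   // constructed sample password
        System.out.println("correct password verifies: " + verify("Tr0ub4dor&3", record));
        System.out.println("wrong password verifies: " + verify("Tr0ub4dor&4", record));
        System.out.println("re-enrolling yields a new record: " + !record.equals(enroll("Tr0ub4dor&3")));
    }
}
```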
    • Authorization
      – Check the access roles matrix and make sure it is created respecting the need-to-know and least-privilege principles
      – Check the business logic for errors
      Bad:
          if (user.equals("NormalUser")) {
              grantUser(Normal_Permissions);
          } else {
              // user must be admin/super: every unrecognised role falls into the most privileged branch
              grantUser(Super_Permissions);
          }

    • Authorization
      – Check if security by obscurity is used
      – Check if authorization is verified for every request
      Good:
          String action = request.getParameter("action");
          if ("doStuff".equals(action)) {
              boolean permit = session.authTable.isAuthorised(action);
              if (permit) {
                  doStuff();
              } else {
                  session.invalidate();   // invalidate before throwing, otherwise this line is never reached
                  throw new InvalidRequestException("Unauthorised request");
              }
          }
    • Session Management
      – Check if only the framework’s session manager is used
      – Check the cryptographic strength, the length of the session IDs and the character pool
      – Check that session IDs coming from clients are validated
      – Check there is a timeout implemented for idle sessions
      – Check the session is destroyed on logout
    • Input validation and output sanitization
      – Ensure 2 separate validations occur: first a security validation, then a business validation
      – Ensure that in the security validation, data are canonicalized first
          import java.io.File;
          import java.io.IOException;

          public static void main(String[] args) throws IOException {
              File x = new File("/cmd/" + args[0]);
              String absPath = x.getAbsolutePath();         // still contains any "..", "." or symlink component
              String canonicalPath = x.getCanonicalPath();  // resolved form, the one to validate against
          }
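The two-step validation described above (canonicalize, security check, then business check) applied to a file name taken from a request, as an added example that is not from the slides; the /cmd base directory is the slide's, while the ".txt only" business rule and the sample inputs are constructed here.

```java
import java.io.File;
import java.io.IOException;

public class PathValidator {
    private final String baseDir;   // canonical form of the only directory we may serve from

    PathValidator(File base) throws IOException {
        this.baseDir = base.getCanonicalPath() + File.separator;
    }

    // Security validation: canonicalize first (resolves "..", "." and, for existing
    // components, symlinks), then check the result is still below baseDir.
    String securityValidate(String untrusted) throws IOException {
        if (untrusted == null || untrusted.isEmpty() || untrusted.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed path");
        }
        String canonical = new File(baseDir, untrusted).getCanonicalPath();
        if (!canonical.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes the base directory");
        }
        return canonical;
    }

    // Business validation runs only on already-safe data: here, only .txt reports are served.
    static String businessValidate(String canonical) {
        if (!canonical.endsWith(".txt")) {
            throw new IllegalArgumentException("only .txt reports may be requested");
        }
        return canonical;
    }

    public static void main(String[] args) throws IOException {
        PathValidator v = new PathValidator(new File("/cmd"));   // base directory from the slide
        // Constructed sample inputs: two that stay inside /cmd, one that climbs out, one of the wrong type.
        String[] samples = { "report.txt", "sub/../report.txt", "../outside/report.txt", "report.exe" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> accepted as " + businessValidate(v.securityValidate(s)));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```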
    • Input validation and output sanitization
      – Check that all input that traversed untrusted zones is validated, not only user input
      – Check that validators or sanitizers are adapted to the module that receives/uses the data – encode, escape, etc.
      – Check validators are applied on the safe side (the server, never the client)
    • Input validation and output sanitization
          public class DoStuff {
              public String executeCommand(String userName) {
                  try {
                      String myUid = userName;   // userName reaches the shell command line without any validation
                      Runtime rt = Runtime.getRuntime();
                      rt.exec("cmd.exe /C doStuff.exe " + "-" + myUid);
                  } catch (Exception e) {
                      e.printStackTrace();
                  }
                  return null;
              }
          }

    • Input validation and output sanitization
          String myQuery = "select food from foods where name=?";
          String sortOrder = request.getParameter("order");
          myQuery += sortOrder;   // request data concatenated into the SQL text; the ? placeholder does not protect this part
          PreparedStatement preparedStatement = connection.prepareStatement(myQuery);
          preparedStatement.setString(1, "Shaorma");
          ResultSet resultSet = preparedStatement.executeQuery();
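Hardened counterparts of the two fragments above (the command execution and the dynamic sort order), as an added example that is not from the slides; doStuff.exe and the foods table are the slides' own names, while the user-name pattern and the allowlist of sort orders are constructed here.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.regex.Pattern;

public class ValidatedInput {
    // Security validation for the user name: strict allowlist of characters and length.
    private static final Pattern USER_NAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    static String requireValidUserName(String userName) {
        if (userName == null || !USER_NAME.matcher(userName).matches()) {
            throw new IllegalArgumentException("invalid user name");
        }
        return userName;
    }

    // Hardened executeCommand: the validated value is passed as its own argv element and
    // no shell ("cmd.exe /C") sits in between, so shell metacharacters carry no meaning.
    static Process executeCommand(String userName) throws IOException {
        String uid = requireValidUserName(userName);
        return new ProcessBuilder("doStuff.exe", "-" + uid).start();
    }

    // ORDER BY cannot be a bind parameter, so the request value selects a fixed SQL
    // fragment from an allowlist (keys and columns are constructed for this example).
    private static final Map<String, String> SORT_ORDERS = Map.of(
            "name_asc",  "name ASC",
            "name_desc", "name DESC",
            "price_asc", "price ASC");

    static String orderByFor(String requested) {
        String fragment = SORT_ORDERS.get(requested == null ? "name_asc" : requested);
        if (fragment == null) {
            throw new IllegalArgumentException("unknown sort order");
        }
        return fragment;
    }

    // Hardened query: user data stays in the bind parameter; the ORDER BY text comes only from the allowlist.
    static ResultSet findFood(Connection connection, String name, String requestedOrder)
            throws SQLException {
        String query = "select food from foods where name=? order by " + orderByFor(requestedOrder);
        PreparedStatement ps = connection.prepareStatement(query);
        ps.setString(1, name);
        return ps.executeQuery();
    }
}
```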
    • Input validation and output sanitization
          import java.io.*;
          import javax.servlet.http.*;
          import javax.servlet.*;

          public class HelloServlet extends HttpServlet {
              public void doGet(HttpServletRequest req, HttpServletResponse res)
                      throws ServletException, IOException {
                  String input = req.getHeader("USERINPUT");
                  PrintWriter out = res.getWriter();
                  out.println(Server.HTMLEncode(input));   // header value is HTML-encoded for the output context before it is written
                  out.close();
              }
          }

    • Thank you for the interest
      Questions?
    • Prevent Cross Site Request Forgery
    • Cryptographic controls
    • Error handling
    • Logging
    • Prevent Race Conditions