
Uniface Web Application Security

This is the presentation from the online session on how to protect your Uniface applications from security threats. It covers the security threats faced by web developers and the security features developers should consider.

  1. WEB APPLICATION SECURITY
     James Rodger, Solution Consultant
     30/04/2014
  2. Agenda
     Introduction
     Client Server vs. Web
     Security Areas
     Threats
     • Password Cracking
     • Interpreter Injection
     • Session Hijacking
  3. Why Bother?
     Internet facing web applications
     Internal web applications
     Increasingly a developer role
     Good tooling helps improve security
  4. Introduction
     Huge topic
     Taking a developer point of view
     Looking at Uniface based solutions
     Example code
  5. Client Server vs. Web
     Stateless
     No control over client
     Network is part of the application
  6. Overview
  7. Security Areas
     Some areas we need to consider:
     Authentication
     Authorisation
     Browser Security
     Session Management
     Data I/O
     Configuration and Deployment
  8. Threats
     Password Cracking
     Interpreter Injection
     • SQL Injection
     • JavaScript Injection
     • Parameter Manipulation
     Session Hijacking
  9. Password Cracking
     These attacks include techniques like:
     Brute forcing the login page (remotely)
     Brute forcing the database with common passwords
     Brute forcing the database with rainbow tables
  10. Brute Force
      Simply trying a lot of passwords at a login page
      Basic protections include:
      Throttling login requests
      Logging failed attempts:
      • Locking out accounts
      • Issuing a CAPTCHA
      Password policies
  11. Cracking Hashed Passwords
      Attacker has access to the user database
      Plain text passwords make abuse trivial
      Passwords should be properly hashed
  12. Password Hashing Basics
  13. Demo: Storing Passwords
  14. Uniface
      sleep
      $webinfo("WEBSERVERCONTEXT")
      $encode
      LDAP driver
  15. Threats
      Password Cracking
      Interpreter Injection
      • SQL Injection
      • JavaScript Injection
      • Parameter Manipulation
      Session Hijacking
  16. Interpreter Injection
      These attacks include techniques like:
      SQL Injection
      JavaScript Injection
      Parameter Manipulation
  17. SQL Injection
      ID: 1
      Date of Birth: 23-feb-1982
      Name: Robert
      INSERT INTO students VALUES (1, '23-feb-1982', 'Robert');
  18. Demo: SQL Injection
  19. SQL Injection
      ID: 2
      Date of Birth: 13-Nov-1973
      Name: Robert'); DROP TABLE students;--
      INSERT INTO students VALUES (1, '23-feb-1982', 'Robert'); DROP TABLE students; --');
  20. JavaScript Injection
      Getting a browser to execute unintended JS
      Usually injected where user input is allowed
      Malicious code runs for anyone visiting the page
      The code appears to have come from the application
  21. Demo: JavaScript Injection
  22. Parameter Manipulation
      User has control of the browser
      JavaScript based validation can be bypassed
      Requests can be sent at any time to:
      • Any Public Web operation
      • Any Public Trigger
  23. Demo: Read Only Fields
  24. Uniface
      SQL Injection
      • Database drivers prevent SQL injection
      JavaScript Injection
      • Widgets correctly escape HTML
      • Any Public Web operation
      • Any Public Trigger
      Parameter Manipulation
      • Model definitions used for validation at each step
      • Read-only field handling
      • Public web / Public trigger
      • Standard triggers
  25. Threats
      Password Cracking
      Interpreter Injection
      • SQL Injection
      • JavaScript Injection
      • Parameter Manipulation
      Session Hijacking
  26. Session Hijacking
      These attacks include techniques like:
      Session Fixation
      Session Sidejacking
      Physical Access
  27. Demo: Session Sidejacking
  28. Uniface
      Tomcat session handling
      • $webinfo("SESSIONCOMMANDS")
      • $webinfo("WEBSERVERCONTEXT")
      HTTP only cookies by default
  29. Summary
      Security needs to be designed in
      Good tooling helps improve security
      What else?
      • Security audits
      • Veracode – regular security testing
  30. Heartbleed
      Uniface uses OpenSSL
      9.5 / 9.6 vulnerable if using SSL
      Patches out now
      • Uniface 9.5 – E123s
      • Uniface 9.6 – X402s
      Tomcat version shipped with Uniface is safe
      • Changed Tomcat version?
      • Using different servlet engine?
      More information at unifaceinfo.com
  31. Questions
      If you have any questions, or feedback about this session, please send an email to ask.uniface@uniface.com
  32. Enterprise Application Development
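The two form submissions from the SQL Injection slides (17 and 19), worked through as an added example that is not part of the presentation or of Uniface: the concatenated INSERT beside its parameterised form. It uses Python's sqlite3 as a constructed stand-in for a database driver, with executescript() standing in for a driver that accepts stacked statements, so the effect of the second form post can be observed on the students table.

```python
import sqlite3

# Constructed sample inputs: the two form submissions shown on the slides.
BENIGN = (1, "23-feb-1982", "Robert")
PAYLOAD = (2, "13-Nov-1973", "Robert'); DROP TABLE students;--")

def fresh_db():
    """In-memory database holding the students table from the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, dob TEXT, name TEXT)")
    return conn

def insert_student_unsafe(conn, student_id, dob, name):
    """Builds the INSERT by string concatenation, as on the slide.
    executescript() runs stacked statements, mimicking a driver that allows them."""
    sql = f"INSERT INTO students VALUES ({student_id}, '{dob}', '{name}');"
    conn.executescript(sql)

def insert_student_safe(conn, student_id, dob, name):
    """Parameterised query: the driver sends the values separately from the
    statement text, so the name is stored verbatim and never parsed as SQL."""
    conn.execute("INSERT INTO students VALUES (?, ?, ?)", (student_id, dob, name))

def table_exists(conn):
    """True while the students table is still present in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row[0] == 1

def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY id")]

def run_demo():
    """Returns (table survives the unsafe path, table survives the safe path,
    names stored by the safe path)."""
    unsafe = fresh_db()
    insert_student_unsafe(unsafe, *BENIGN)
    insert_student_unsafe(unsafe, *PAYLOAD)  # the stacked DROP runs here
    safe = fresh_db()
    insert_student_safe(safe, *BENIGN)
    insert_student_safe(safe, *PAYLOAD)      # stored as an odd-looking name
    return table_exists(unsafe), table_exists(safe), names(safe)

if __name__ == "__main__":
    print(run_demo())  # (False, True, ['Robert', "Robert'); DROP TABLE students;--"])
```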
