Web Application Security and Modern Frameworks

Presentation about Rich Internet Application security with GWT and Vaadin. Presented at 33rd Degree 2014 in Krakow.

Published in: Software, Technology

  1. Platinum Sponsor. Kim Leppänen & Leif Åstrand: Web Application Security and Modern Frameworks. Disclaimer: Highly technical content ahead. Participating in this lecture might change your perspective towards the security of your application. In some cases, listening to this presentation might cause symptoms such as raised awareness of security and general interest towards web application security.
  2. <script language="javascript">
         if ( prompt("Enter password") == "supersecret" ) {
             document.location.href = "secret.html";
         }
     </script>
  3. OWASP Top 10: Open Web Application Security Project
  4. Rich Internet Applications
  5. Diagram: Client / Server; UI logic, Business logic, DB; GWT; DOM
  6. Diagram: Client / Server; UI logic, Business logic, DB; Vaadin; DOM. Handled by the framework
  7. A1: Injection
  8. Username: demouser, Password: ************
     String sql =
         "SELECT * FROM users " +
         "WHERE " +
         "username='" + request.getParameter("username") + "' AND " +
         "password='" + request.getParameter("password") + "'";
  9. String sql =
         "SELECT * FROM users " +
         "WHERE " +
         "username='demouser' AND " +
         "password='secretpass'";
     // username = demouser
     // password = secretpass
  10. // username = demouser' --
      // password = secretpass
      String sql =
          "SELECT * FROM users " +
          "WHERE " +
          "username='demouser'--' AND " +
          "password='secretpass'";
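The three slides above only show the query text. The following is an added example, not code from the slides or from GWT/Vaadin, that runs the same login query against an in-memory SQLite table so the effect of the `demouser' --` input can be observed, and then shows the parameterised form that closes the hole. Python's bundled sqlite3 module is used instead of the slides' Java/JDBC purely so it runs offline; the `users` table and its single row are constructed sample data, and the plaintext password column mirrors the slide rather than good practice.

```python
"""Added example: the slide 8 login query, concatenated vs parameterised, against SQLite."""
import sqlite3


def make_db():
    """Constructed sample data: one user row, stored exactly as the slide's query expects it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('demouser', 'secretpass')")
    conn.commit()
    return conn


def build_concatenated_sql(username, password):
    """The query as slide 8 builds it: user input pasted straight into the SQL text."""
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def login_concatenated(conn, username, password):
    """Vulnerable: whatever the user typed becomes part of the SQL grammar.

    With username "demouser' --" the closing quote ends the literal and "--" turns the
    rest of the line, including the whole password check, into a comment (slide 10)."""
    sql = build_concatenated_sql(username, password)
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    """Fixed: values travel separately from the statement, so they can never change its shape.

    The same "demouser' --" string is now just an unknown username and matches no row."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both variants with the slide's legitimate login and its injected username."""
    conn = make_db()
    return {
        "concat_ok": login_concatenated(conn, "demouser", "secretpass"),
        "concat_bypass": login_concatenated(conn, "demouser' --", "wrong"),
        "param_ok": login_parameterised(conn, "demouser", "secretpass"),
        "param_bypass": login_parameterised(conn, "demouser' --", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

Only the second pair of results is what a login should produce: the parameterised query accepts the real credentials and rejects the injected username, while the concatenated one lets the injected username in with a wrong password.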
  11. GWT: N/A. Vaadin: N/A. Web frameworks can help
  12. A2: Broken Authentication and Session Management
  13. Session ID fixation. Exposure of session ID. Exposing user credentials
  14. GWT: N/A. Vaadin: helper for changing session id. Web frameworks can help
  15. A3: Cross-Site Scripting (XSS)
  16. Demo: auction application
  17. GWT: setText, SafeHtml. Vaadin: setHtmlContentAllowed(false); beware of tooltips (setDescription). Web frameworks can help
  18. Other things to keep in mind: the XSS filter evasion cheat sheet; context is king; consider using Markdown
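"Context is king" on slide 18 is the point the framework helpers on slide 17 (setText, SafeHtml, setHtmlContentAllowed(false)) implement for you: the same user string needs a different encoding depending on whether it lands in element text, inside a quoted attribute such as a tooltip, or in a URL. The block below is an added example, not from the slides or from GWT/Vaadin, that renders one bid line of an auction page the way a server-side template would. Python's standard `html` and `urllib.parse` modules are used instead of Java; the bid values are constructed sample input, and the `render_bid` markup shape is an assumption.

```python
"""Added example: encoding the same untrusted value for three different HTML contexts."""
import html
from urllib.parse import urlsplit


def text_node(value):
    """Element content: only &, < and > matter here, so quotes are left alone."""
    return html.escape(value, quote=False)


def attr_value(value):
    """Inside a double-quoted attribute (e.g. a title tooltip): quotes must be encoded too,
    otherwise the value could terminate the attribute. This is the 'beware of tooltips' case."""
    return html.escape(value, quote=True)


def safe_href(url):
    """URL context: attribute encoding alone is not enough, the scheme must also be checked,
    because a well-encoded 'javascript:' URL is still executed when clicked."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("", "http", "https"):
        raise ValueError(f"refusing URL with scheme {scheme!r}")
    return attr_value(url)


def render_bid(bidder, comment, item_link):
    """Render one auction bid as a list item; every interpolation uses the encoder for its context.
    The markup layout is an assumption made for this example."""
    return (f'<li title="{attr_value(comment)}">'
            f'<a href="{safe_href(item_link)}">{text_node(bidder)}</a></li>')


if __name__ == "__main__":
    # Constructed sample input: a bidder name and comment containing markup characters.
    print(render_bid('<b>Mallory</b>', 'Best "deal" <ever>', "https://example.com/item?id=7&ref=1"))
```

Note that `text_node` and `attr_value` are not interchangeable: using the text encoder for a tooltip would leave a `"` in the value unencoded, which is exactly the gap the slide warns about for setDescription. Markdown, as suggested on slide 18, sidesteps the problem by never accepting HTML from the user in the first place.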
  19. A4: Insecure Direct Object References
  20. GWT: not so much, since this is mostly a server-side thing; can be hard to realize the problem since requests are "invisible". Vaadin: all ids are generated values that the server uses to find the right object when needed. Web frameworks can help
  21. A5: Security Misconfiguration
  22. GWT: N/A. Vaadin: productionMode = true. Web frameworks can help
  23. A6: Sensitive Data Exposure
  24. Keep in mind: avoid handling sensitive data, e.g. credit card numbers; salt and hash passwords; use SSL, no excuses!
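Slide 24's "salt and hash passwords" is short enough that it is worth spelling out what a minimal correct version looks like. The following is an added example, not from the slides or from GWT/Vaadin: it uses PBKDF2-HMAC-SHA256 from Python's standard library with a fresh random salt per password, stores salt and parameters alongside the digest so they can be raised later, and compares in constant time. The storage format (`pbkdf2_sha256$iterations$salt$digest`) and the iteration count are choices made for this example, not anything the slides specify.

```python
"""Added example: salted, iterated password hashing with verification."""
import base64
import hashlib
import hmac
import os

# Iteration count chosen for this example; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing string: algorithm, iterations, salt and digest.

    A new 16-byte random salt per password means two users with the same password
    get different stored values, and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", stored))
```

Storing the iteration count with the hash is what lets you migrate: when a user logs in with a hash that has a lower count than the current default, verify it, then rehash with the new parameters.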
  25. A7: Missing Function Level Access Control
  26. A8: Cross-Site Request Forgery (CSRF)
  27. Banking application example. Account 4059820-440198, Amount 130,00 €.
      http://your.bank/transfer?account=4059820-440198&amount=130,00
  28. http://your.bank/transfer?account=4059820-440198&amount=130,00
      <img src="http://your.bank/transfer?account=4059820-440198&amount=130,00" />
  29. Creative Commons - http://www.flickr.com/photos/esparta/367002402/
  30. You've got mail. Creative Commons - http://www.flickr.com/photos/8058853@N06/2685196800/
  31. Your bank / Rogue bank
  32. Banking application example. Account 4059820-440198, Amount 130,00 €.
      http://your.bank/transfer?account=4059820-440198&amount=130,00&token=ab8342d8943nkg34iung3o9j
  33. GWT: GWT-RPC: XsrfTokenService and/or HasRpcToken; RequestFactory: make your own RequestTransport. Vaadin: secured out of the box. Web frameworks can help
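Slides 27 to 32 show the fix as a `&token=...` parameter appended to the transfer URL; what the slides do not show is the server side that makes the token work. The block below is an added example, not from the slides or from GWT/Vaadin (which, as slide 33 says, ship this logic themselves): a session holds a random token, every page the bank renders includes it in the transfer URL, and the transfer handler rejects any request whose token does not match the session's. The `Session` class, `handle_transfer` signature and response tuples are assumptions for this example; the token is generated fresh rather than reusing the slide's literal value. Python's standard library is used instead of Java so it runs stand-alone.

```python
"""Added example: per-session CSRF token issued with the form and checked on the request."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

TRANSFER_BASE = "http://your.bank/transfer"


class Session:
    """Hypothetical server-side session: the token lives here, never in a cookie the
    browser would attach automatically, because that is exactly what CSRF abuses."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def transfer_url(session, account, amount):
    """The bank's own page builds the URL with the session token, as on slide 32."""
    return f"{TRANSFER_BASE}?account={account}&amount={amount}&token={session.csrf_token}"


def handle_transfer(session, url):
    """Server-side handler. Returns (status, message) like an HTTP response.

    A request forged from another site (slide 28's <img>) carries the victim's cookies,
    so the session is valid, but the third-party page cannot read the token out of it."""
    params = parse_qs(urlsplit(url).query)
    supplied = params.get("token", [""])[0]
    # compare_digest: constant-time, so a mismatch reveals nothing about the real token.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    account = params.get("account", [""])[0]
    amount = params.get("amount", [""])[0]
    return 200, f"transferred {amount} to {account}"


if __name__ == "__main__":
    victim = Session()
    # The slide 27/28 URL, as a rogue page would embed it: no token available to it.
    forged = f"{TRANSFER_BASE}?account=4059820-440198&amount=130,00"
    print(handle_transfer(victim, forged))
    # The URL the bank's own page rendered for this session.
    print(handle_transfer(victim, transfer_url(victim, "4059820-440198", "130,00")))
```

The slides keep the transfer as a GET to make the `<img>` trick visible; in a real application the transfer would additionally be a POST, but the token check is what closes the hole, since a cross-site form can POST just as easily as an image can GET.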
  34. A9: Using Components with Known Vulnerabilities
  35. How do you know whether they are vulnerable?
  36. A10: Unvalidated Redirects and Forwards
  37. <a href="http://myapp.com?redirect=example.com/evil">Open app</a>
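Slide 37 shows the link but not the check that should run before the application honours its `redirect` parameter. The following is an added example, not from the slides or from GWT/Vaadin: it accepts only same-site relative paths or absolute URLs whose host is on an allowlist, and falls back to a default page for everything else, including the scheme-relative `//host` form that a bare "starts with /" test would let through. `ALLOWED_HOSTS` contains myapp.com from the slide; the function name and the default target are assumptions.

```python
"""Added example: validating a redirect target before issuing a Location header."""
from urllib.parse import urlsplit

# The application's own host, from the slide's link. Anything else is an external redirect.
ALLOWED_HOSTS = {"myapp.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(redirect, default=DEFAULT_TARGET):
    """Return a redirect target that stays on this site, or the default if the value is not safe.

    Accepts: a local path such as "/dashboard", or an http(s) URL whose host is allowlisted.
    Rejects: other hosts, other schemes, scheme-relative "//host/..." and "/\\host" variants,
    and bare "host/path" strings like the slide's "example.com/evil"."""
    if not redirect:
        return default
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: judge it by scheme and real hostname,
        # so "http://myapp.com@evil.example/" is seen as evil.example, not myapp.com.
        if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
            return redirect
        return default
    # No scheme and no host: must be a plain local path, exactly one leading slash.
    if not redirect.startswith("/") or redirect.startswith(("//", "/\\")):
        return default
    return redirect


if __name__ == "__main__":
    # Constructed sample values, the first taken from the slide's link.
    for candidate in ["example.com/evil", "/dashboard", "//example.com/evil",
                      "http://myapp.com/settings", "http://example.com/evil"]:
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)!r}")
```

A simpler and often better alternative is to never accept a URL at all: store the post-login destination server-side, or accept only a key into a fixed table of allowed destinations.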
  38. Very quick conclusion
  39. Questions? leif@vaadin.com, kim@vaadin.com
