Successfully reported this slideshow.
Your SlideShare is downloading. ×

Security in practice with Java EE 6 and GlassFish

More Related Content

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Security in practice with Java EE 6 and GlassFish

  1. 1. Java EE 6 Security in practice with GlassFish Markus Eisele & Masoud Kalali
  2. 2. Agenda • Introduction • The Top 10 Most Critical Web Application Security Risks • Take Away
  3. 3. Masoud Kalali Markus Eisele http://kalali.me http://blog.eisele.net http://twitter.com/MasoudKalali http://twitter.com/myfear Masoud.Kalali@oracle.com Markus.eisele@msg-systems.com software engineer, Java EE 7 EG, author, blogger, architect, husband, father of two, climber and flute enthusiast photographer, speaker, writer
  4. 4. Java EE 6 & GlassFish glassfish.org
  5. 5. Galleria Project https://bitbucket.org/VineetReynolds/java-ee-6-galleria/
  6. 6. Galleria Project ? http://blog.eisele.net/2012/03/java-ee-6-galleria-example-part-1.html
  7. 7. Galleria and Security • Form based authentication • JDBCRealm • request.login(userId, new String(password)); • @RolesAllowed({ "RegisteredUsers" }) Enough? State-of-the-Art? Feeling-good-with-it™?
  8. 8. Motivation for this talk • Seen a lot of Java EE out there with no or not enough security. • Providing you a starting point • Having seen a lot – sharing something • Making you aware about security • Finding out about “the security state of Galleria”
  9. 9. The Top 10 Most Critical Web Application Security Risks Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) Aka OWASP Top-10* Source: http://owasptop10.googlecode.com
  10. 10. What is OWASP? • Open Web Application Security Project • Improving the security of (web) application software – Not-for-profit organization since 2001 – Raise interest in secure development • Documents – Top 10 – Cheat Sheets – Development Guides • Solutions – Enterprise Security API (ESAPI) – WebScarab – WebGoat
  11. 11. A1 - Injection
  12. 12. What is it? • Sending unintended data to applications • Manipulating and reading Data stores (e.g. DB, LDAP) • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP) – Database access (JPA, JDBC)
  13. 13. Worst-Practice Injection String id = "x'; DROP TABLE members; --"; // user-input Query query = em.createNativeQuery("SELECT * FROM PHOTO WHERE ID =" + id, Photo.class); Query query2 = em.createNativeQuery("SELECT * FROM MAG WHERE ID ?1", Magazine.class); query2.setParameter(1, id);
  14. 14. Prevent Injection • Sanitize the input • Escape/Quotesafe the input • Use bound parameters (the PREPARE statement) • Limit database permissions and segregate users • Use stored procedures for database access (might work) • Isolate the webserver • Configure error reporting
  15. 15. A2 - Cross-Site Scripting (XSS)
  16. 16. What is it? • Inject malicious code into user interfaces • Get access to browser information – E.g. javascript:alert(document.cookie) • Steal user’s session, steal sensitive data • rewrite web page • redirect user to phishing or malware site • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  17. 17. Worst Practices • Don’t sanitize at all <h:outputText value="#{user.content}" escape="false"/> • Sanitize on your own <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=">T est</a>
  18. 18. Prevent • Sanitize the input • Escape/Quotesafe the input • Use Cookie flags: – httpOnly (prevents XSS access) https://code.google.com/p/owasp-esapi-java/
  19. 19. A3 - Broken Authentication and Session Management
  20. 20. What is it? • Container Security vs. own solution • Session Binding / Session Renewal • Password Strength (length/complexity) • Plain text passwords (http/https) • Password recovery • Number of factors used for authentication • Java EE 6 affected: – JAAS / JASPIC – Filter / PhaseListener – Container and Web-App configuration
  21. 21. Worst Practice • Authentication over http • Custom security filter • Not using Container Functionality • No password strength requirements • No HttpSession binding • Saving Passwords • Not testing security
  22. 22. Best Practices • Go with provided Standard Realms and LoginModules whenever possible • Use transport layer encryption (TLS/SSL) • Use Cookie flags: – secure (avoid clear text transmission)
  23. 23. A4 – Insecure Direct Object References
  24. 24. What is it? • Accessing domain objects with their PK https://you.com/user/1 => https://you.com/user/21 • Opening opportunities for intruders • Information hiding on the client • Parameter value tampering • Java EE 6 affected: – All layers – Especially data access
  25. 25. Worst Practice • No data separation for users (tenants) • No request mode access for data (RUD) • No query constraints
  26. 26. Best Practices • Use AccessReferenceMaps • Use data-driven security • Perform data authorization on the view
  27. 27. A5 - Cross Site Request Forgery (CSRF)
  28. 28. What is it? • Basically a capture-replay attack • Malicious code executes functions on your behalf while being authenticated • Deep links make this easier • JavaEE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  29. 29. Worst Practice • Using a “secret Cookie” • Only POST requests • Wizard like transactions • URL rewriting
  30. 30. Best Practices • Add Unpredictability (tokens) • CSRFPreventionForm http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html • Use OWASP ESAPI http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross- site-request-forgery-csrf/
  31. 31. A6 - Security Misconfiguration
  32. 32. What is it? • Applies to – Operating System – Application Server – Databases – Additional Services • Includes (beside _many_ others) – Missing Patches – All security relevant configuration – Default accounts
  33. 33. Running GlassFish in a Secure Environment • Use the latest version (3.1.2.2) • Enable secure admin (TLS/https) • Use password aliasing • Enable security manager and put forth a proper security policy file • Set correct file system permissions http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
  34. 34. Review the *.policy files • server.policy and granted.policy • Remove unused grants • Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain. • Document your changes! // Following grant block is only required by Connectors. If Connectors// are not in use the recommendation is to remove this grant.grant { permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * "*"","read";};
  35. 35. Worst Practices • Not to redirect the default pages • Using any defaults like: – Passwords: Admin, master password – Network interface binding: Listening on 0.0.0.0 – Certificates: Self signed certificate • Not restricting GlassFish user nor enabling security manager. • Same security config for all environments • Using a not hardened OS!
  36. 36. A7 - Failure to Restrict URL Access
  37. 37. What is it? • Presentation layer access control • Related to A4 – Insecure Direct Object References
  38. 38. Worst Practice • Using home-grown security features instead of container provided ones • Assuming people wont know some URLs to try them • Assuming no one would miss use the extra permission and access they have
  39. 39. Java EE 6 • What you do to prevent A4 plus: – Use Container security (security-constraint) – Use programatic login of Java EE 6 if needed. – Properly configure security realms – Accurately map roles to principal/groups (auth- constraint / security-role-mapping) – Only allow supported/required HTTP methods – Accurately Categorize the URL patterns and permit the relevant roles for each
  40. 40. Best Practices • Any no public URL should be protected • Use container authentication/authorization features or extend on top of them • If not enough use proven frameworks/ products to protect the resources • If user can get /getpic?id=1x118uf it does not mean you should show /getpic?id=1x22ug
  41. 41. A8 - Insecure Cryptographic Storage
  42. 42. What is it? • Sensitive data exposed to wrong persons • Could be: – Passwords – Financial/Health care data – Credit cards
  43. 43. GlassFish • Protect the keystore • Protect sensitive data – Use salted hashing or double hashing for authentication realms (Custom realm development) – Evaluate logging output • Protect GlassFish accounts – Use aliasing to protect the password and keep the master password safe to protect the aliases
  44. 44. Worst Practices • Storing passwords in clear text without aliasing or the proper store • Using file authentication realm • Ignoring digest authentication/hashed password storage • Keeping clear text copies of encrypted data • Not keeping the keys/passwords well guarded
  45. 45. Prevention • Identify sensitive data • Wisely encrypt sensitive data – On every level (application, appserver, db) – with the right algorithm and – with the right mechanism • Don’t keep clear text copies • Only authorized personnel have access to clear text data • Keep the keys as protected as possible (HSM) • Keep offsite encrypted backups in addition to on-site copies
  46. 46. A9- Insufficient Transport Layer Protection
  47. 47. What is it?
  48. 48. Worst Practice • Using basic/form authentication without SSL • Not using HTTPS for pages with private information • Using default self signed certificate • Storing unencrypted cookies • Not setting cookies to be transmitted Cookie.setSecure(true) • Forgetting about the rest of the infrastructure
  49. 49. GlassFish • Properly configure HTTPS listener/s (set the right keystore) • Install the right server certificates to be used by SSL listeners • Properly configure the ORB over SSL listeners if needed (set the right keystore) • Enable auditing under Security and and access log under HTTP Service
  50. 50. Java EE • Group the resources in regard to transport sensitivity using web-resource-collection • Use user-data-constraint as widely as you need for data integrity and encryption needs • Ensure that login/logout pages (in case of form auth-type) are protected by <transport- guarantee>CONFIDENTIAL</transport- guarantee>
  51. 51. Best Practice • Use TLS on all connections with sensitive data • Individually encrypt messages • Sign messages before transmission • Use standard strong algorithms • Use proven mechanisms when sufficient
  52. 52. A10 - Unvalidated Redirects and Forwards
  53. 53. What is it? • Redirecting to another URL computed by user provided parameters • Forward to another URL computed by user provided parameters http://www.java.net/external?url=http://www.adam- bien.com/roller/abien/entry/conveniently_transactionally_a nd_legally_starting
  54. 54. Java EE 6 • Don’t use redirect or forward as much as possible • Accurately verify/validate the target URL before forwarding or redirecting • Redirects are safe when using container managed authentication/authorization properly • Redirects happen without authentication and thus requires triple check to prevent unauthorized access.
  55. 55. Worst Practices • Not using a proper access control mechanism (e.g container managed and proper security- constraint ) • Redirecting to a user provided parameter, e.g to an external website • Not to validate/verify the target with user’s access level before doing the forward
  56. 56. WRAP-UP
  57. 57. Galleria Wrap Up
  58. 58. Security isn‘t all candy.. … but you will love it in the end!
  59. 59. CC picture reference • http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/ • http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/ • http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/ • http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/ • http://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/ • http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/ • http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/ • http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/ • http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/ • http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/

×