Code review for secure web applications


  1. Code Review for Secure Web Applications, with Java samples
  2. Bibliography
     • OWASP – Open Web Application Security Project – www.owasp.org
     • OWASP Code Review Guide
  3. Introduction
     • Kinds of code review:
       – Ad hoc reviews
       – Pair programming
       – Walkthrough
       – Team review
       – Inspection
     • Purpose here – security
  4. Code review strategies
     • Automatic (tooling)
     • Manual – use checklists built from:
       – Risk analysis of the application
       – The most common programming mistakes
       – Mitigation of the vulnerability classes most often exploited in the wild
       – Security best practices
  5. Checklist based on best practices
     • Authentication
     • Authorization
     • Session management
     • Input validation and output sanitization
  6. Checklist based on best practices – to be presented at the next meeting
     • Prevent Cross Site Request Forgery
     • Cryptographic controls
     • Error handling
     • Logging
     • Prevent race conditions
  7. Authentication
     • Check that users are not allowed to choose weak passwords
     Bad (only checks that a password was supplied at all; any non-null value, including "a", is accepted):
         String password = request.getParameter("Password");
         if (password == null) {
             throw new InvalidPasswordException();
         }
  8. Authentication
     • Check that users are not allowed to choose weak passwords
     OK (length bounds plus one character from each class; the original slide's pseudocode, written as a Java method):
         static boolean isStrongPassword(String p) {
             return p.length() >= 8 && p.length() <= 30
                 && p.matches(".*[a-z].*") && p.matches(".*[A-Z].*")
                 && p.matches(".*[0-9].*") && p.matches(".*[!\"£$%^&*()].*");
         }
  9. Authentication
     • Password storage strategy: hashing using a one-way hash algorithm + salting
     Hashing only (the slide's first step; on its own it is not sufficient: SHA-1 is deprecated, and any single fast unsalted hash is open to precomputed-table and GPU brute-force attacks; current guidance is a salted, slow password hash such as PBKDF2, bcrypt, scrypt or Argon2):
         import java.nio.charset.StandardCharsets;
         import java.security.MessageDigest;
         import java.security.NoSuchAlgorithmException;

         public byte[] getHash(String password) throws NoSuchAlgorithmException {
             MessageDigest digest = MessageDigest.getInstance("SHA-1");
             digest.reset();
             return digest.digest(password.getBytes(StandardCharsets.UTF_8));
         }
  10. Authentication
      • Password storage strategy: hashing using a one-way hash algorithm + salting
      OK salting (the salt must be random per user, generated with SecureRandom and stored next to the hash; a per-user salt defeats precomputed tables but does not slow down brute force, which is why a slow KDF is still preferred):
          import java.nio.charset.StandardCharsets;
          import java.security.MessageDigest;
          import java.security.NoSuchAlgorithmException;

          public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
              MessageDigest digest = MessageDigest.getInstance("SHA-256");
              digest.reset();
              digest.update(salt);
              return digest.digest(password.getBytes(StandardCharsets.UTF_8));
          }
  11. Authorization
      • Check the access roles matrix and make sure it is built respecting the need-to-know and least-privilege principles
      • Check the business logic for errors
      Bad (the else branch grants the highest privilege to every user who is not exactly "NormalUser", so the default is to allow; the comment records the wrong assumption):
          if (user.equals("NormalUser")) {
              grantUser(Normal_Permissions);
          } else {
              // user must be admin/super  <-- unsafe assumption
              grantUser(Super_Permissions);
          }
  12. Authorization
      • Check whether security by obscurity is being relied upon
      • Check that authorization is verified for every request
      Good (the decision is taken server-side from the session's authorisation table on each request, and the session is dropped before the exception is thrown, not after it, since code after a throw never runs):
          String action = request.getParameter("action");
          if ("doStuff".equals(action)) {
              boolean permit = session.authTable.isAuthorised(action);
              if (permit) {
                  doStuff();
              } else {
                  session.invalidate();
                  throw new InvalidRequestException("Unauthorised request");
              }
          }
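      As an added example (not from the slides) of the access matrix that slides 11 and 12 ask the reviewer to check: roles and permissions are closed enums, the matrix is the only place that grants anything, and every lookup that is not explicitly granted is denied. The role and permission names are assumptions for the example. Compare this with the slide 11 "else" branch, where an unexpected role name fell through to Super_Permissions; here an unrecognised role name falls through to ANONYMOUS.

```java
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class AccessMatrix {
    enum Role { ANONYMOUS, NORMAL_USER, SUPPORT, ADMIN }                       // assumed roles
    enum Permission { VIEW_OWN_ORDERS, VIEW_ALL_ORDERS, REFUND, MANAGE_USERS } // assumed actions

    // Single source of truth for what each role may do. Anything not listed
    // here is denied, so a new role or a typo cannot silently gain access.
    private static final Map<Role, Set<Permission>> MATRIX = new EnumMap<>(Role.class);
    static {
        MATRIX.put(Role.ANONYMOUS,   EnumSet.noneOf(Permission.class));
        MATRIX.put(Role.NORMAL_USER, EnumSet.of(Permission.VIEW_OWN_ORDERS));
        MATRIX.put(Role.SUPPORT,     EnumSet.of(Permission.VIEW_OWN_ORDERS, Permission.VIEW_ALL_ORDERS));
        MATRIX.put(Role.ADMIN,       EnumSet.allOf(Permission.class));
    }

    /** Deny by default: a null role, a null permission or a role with no entry gets nothing. */
    static boolean isAuthorised(Role role, Permission permission) {
        if (role == null || permission == null) {
            return false;
        }
        Set<Permission> granted = MATRIX.get(role);
        return granted != null && granted.contains(permission);
    }

    /** Map the role name held server-side (never a request parameter) to a Role; unknown names become ANONYMOUS. */
    static Role roleFromName(String name) {
        if (name == null) {
            return Role.ANONYMOUS;
        }
        try {
            return Role.valueOf(name);
        } catch (IllegalArgumentException unknownRole) {
            return Role.ANONYMOUS;
        }
    }

    /** The per-request check from slide 12, expressed against the matrix. */
    static void requirePermission(Role role, Permission permission) {
        if (!isAuthorised(role, permission)) {
            throw new SecurityException("Unauthorised request: " + permission);
        }
    }

    public static void main(String[] args) {
        // Constructed calls standing in for per-request authorisation checks.
        System.out.println("NORMAL_USER / VIEW_OWN_ORDERS: " + isAuthorised(roleFromName("NORMAL_USER"), Permission.VIEW_OWN_ORDERS));
        System.out.println("NORMAL_USER / REFUND:          " + isAuthorised(roleFromName("NORMAL_USER"), Permission.REFUND));
        System.out.println("SuperUser (unknown) / MANAGE:  " + isAuthorised(roleFromName("SuperUser"), Permission.MANAGE_USERS));
        System.out.println("ADMIN / MANAGE_USERS:          " + isAuthorised(roleFromName("ADMIN"), Permission.MANAGE_USERS));
        try {
            requirePermission(roleFromName("SUPPORT"), Permission.REFUND);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```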
  13. Session management
      • Check that only the framework's session manager is used
      • Check the cryptographic strength of session identifiers: length, character pool, and the randomness of the generator
      • Check that session ids coming from clients are validated
      • Check that a timeout is implemented for idle sessions
      • Check that the session is destroyed on logout
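      An added example, not from the slides, of what a reviewer would expect to find for the last three checklist items in a Servlet application: the container's session manager is used (no home-grown ids), the id is rotated at login, an idle timeout is set, the session is invalidated on logout, and a request is trusted only if the container still recognises the id it presented. The servlet path, attribute name, timeout value and the credentialsValid placeholder are assumptions for the example; it needs the javax.servlet API (Servlet 3.1 or later for changeSessionId).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;   // assumed policy value
    private static final String USER_ATTR = "user";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        if (!credentialsValid(user, pass)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Let the container create/manage the session, then rotate its id at the
        // privilege change, so an id fixed or captured before login is useless after it.
        HttpSession session = req.getSession(true);
        req.changeSessionId();                                   // Servlet 3.1+
        session.setAttribute(USER_ATTR, user);
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);    // idle timeout
        res.sendRedirect(req.getContextPath() + "/home");
    }

    /** Logout: destroy the server-side session; clearing the cookie alone is not enough. */
    static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);             // false: never create one here
        if (session != null) {
            session.invalidate();
        }
    }

    /**
     * Per-request check: the client-supplied id is only accepted if the container
     * still knows it, and the login marker was set by us server-side.
     */
    static boolean hasLiveSession(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null
            && req.isRequestedSessionIdValid()
            && session.getAttribute(USER_ATTR) != null;
    }

    /** Placeholder for the real credential check (see the password-hashing slides); assumed for this example. */
    private static boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

      The cookie attributes and a global timeout belong in web.xml rather than in code: a session-config element with cookie-config (http-only and secure set to true) and session-timeout. A reviewer should also confirm that no code path reads a session id from a query string or a custom header and trusts it without the container's validation.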
  14. Input validation and output sanitization
      • Ensure two separate validations occur: first a security validation, then a business validation
      • Ensure that in the security validation the data are canonicalized first (compare the canonical path, which resolves "." , ".." and symbolic links; the absolute path does not)
          import java.io.File;
          import java.io.IOException;

          public static void main(String[] args) throws IOException {
              File x = new File("/cmd/" + args[0]);
              String absPath = x.getAbsolutePath();        // "/cmd/../etc/passwd" stays as written
              String canonicalPath = x.getCanonicalPath(); // resolves to "/etc/passwd": validate this one
          }
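      An added example, not from the slides, completing the canonicalization snippet into the security validation it is preparing for: the user-supplied name is resolved under a base directory, canonicalized, and then rejected if the canonical form is not inside that directory. The base directory and sample names are constructed for the example.

```java
import java.io.File;
import java.io.IOException;

public class SafePath {
    /**
     * Resolve a user-supplied file name against baseDir and return the canonical
     * File, or null if the name must be refused because it escapes baseDir.
     */
    static File resolveInside(File baseDir, String userName) throws IOException {
        if (userName == null || userName.isEmpty() || userName.indexOf('\0') >= 0) {
            return null;                      // NUL bytes truncate paths in native code: reject outright
        }
        // Canonicalize first (resolves "..", "." and symlinks), then validate.
        File base = baseDir.getCanonicalFile();
        File target = new File(base, userName).getCanonicalFile();
        // Compare with the separator appended so that "/srv/cmd-other" is not
        // mistaken for a child of "/srv/cmd".
        String basePrefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(basePrefix)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"), "cmd");   // constructed base dir
        String[] samples = {
            "report.txt",            // plain name inside base
            "sub/../report.txt",     // canonicalizes back inside base
            "../etc/passwd",         // traversal out of base
            "..",                    // the parent itself
            "a\u0000.txt"            // embedded NUL
        };
        for (String s : samples) {
            File f = resolveInside(base, s);
            System.out.println(s.replace("\u0000", "\\0") + " -> " + (f == null ? "REJECTED" : f.getPath()));
        }
    }
}
```

      The order matters: validating the string before canonicalization lets "sub/../../etc/passwd" or an encoded "%2e%2e" pass a naive check, which is the point slide 14 makes.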
  15. Input validation and output sanitization
      • Check that all input that has crossed a trust boundary is validated, not only direct user input (headers, cookies, data from other systems, files)
      • Check that validators or sanitizers match the component that receives or uses the data – encode, escape, etc. for that specific context
      • Check that validators run on the server side (client-side validation alone is not a security control)
  16. Input validation and output sanitization
      Vulnerable (OS command injection): the user name is concatenated into a command line that cmd.exe parses, so a value containing a shell metacharacter such as "&" appends a second command of the attacker's choosing
          public class DoStuff {
              public void executeCommand(String userName) {
                  try {
                      String myUid = userName;                 // unvalidated input
                      Runtime rt = Runtime.getRuntime();
                      rt.exec("cmd.exe /C doStuff.exe " + "-" + myUid);
                  } catch (Exception e) {
                      e.printStackTrace();
                  }
              }
          }
  17. Input validation and output sanitization
      Vulnerable (SQL injection despite a PreparedStatement): the name is bound safely with setString, but the "order" parameter is concatenated into the query text before it is prepared, so the binding protects nothing in that fragment
          String myQuery = "select food from foods where name=?";
          String sortOrder = request.getParameter("order");
          myQuery += sortOrder;                                 // raw input becomes SQL text
          PreparedStatement preparedStatement = connection.prepareStatement(myQuery);
          preparedStatement.setString(1, "Shaorma");
          ResultSet resultSet = preparedStatement.executeQuery();
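      An added example, not from the slides, showing the hardened forms of both slide 16 and slide 17. Both apply the same rule: input that cannot be bound as a parameter is checked against an allowlist, and the text that reaches the interpreter (command line or SQL) is written by the program, never copied from the request. The user-name format, the program name doStuff.exe and the sort-order names are assumptions for the example; Map.of needs Java 9 or later.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class InjectionSafe {
    // Allowlist for the user name handed to the external program (assumed format).
    private static final Pattern USER_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    // Allowlist for the sort order: request value -> SQL fragment written by us.
    private static final Map<String, String> SORT_ORDERS = Map.of(
        "name_asc",  " order by name asc",
        "name_desc", " order by name desc",
        "price",     " order by price asc");

    /** Slide 16, hardened: build an argument vector; no shell ever parses the value. */
    static List<String> buildCommand(String userName) {
        if (userName == null || !USER_NAME.matcher(userName).matches()) {
            throw new IllegalArgumentException("invalid user name");
        }
        // Each element is one argv entry, so "&", ";" or spaces inside the
        // value stay inside that entry instead of being interpreted by cmd.exe.
        return Arrays.asList("doStuff.exe", "-" + userName);
    }

    static Process runCommand(String userName) throws IOException {
        return new ProcessBuilder(buildCommand(userName)).start();
    }

    /** Slide 17, hardened: only fragments from SORT_ORDERS can reach the SQL text. */
    static String buildQuery(String requestedOrder) {
        String fragment = SORT_ORDERS.get(requestedOrder);
        if (fragment == null) {
            fragment = SORT_ORDERS.get("name_asc");   // unknown value: safe default, never the raw input
        }
        // The name stays a bound parameter exactly as on the slide:
        // preparedStatement.setString(1, "Shaorma") after prepareStatement(...)
        return "select food from foods where name=?" + fragment;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for request parameters.
        System.out.println(buildCommand("alice_01"));
        try {
            buildCommand("alice & echo pwned");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(buildQuery("price"));
        System.out.println(buildQuery("1; drop table foods"));
    }
}
```

      The reviewer's question for any exec or query call is therefore not "is a PreparedStatement used" but "which bytes of the request can still end up in the interpreted text"; identifiers, ORDER BY columns and program arguments cannot be bound, so they need the allowlist.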
  18. Input validation and output sanitization
      Output encoding before writing untrusted data into HTML (the request header is untrusted input like any other; Server.HTMLEncode stands for whichever HTML encoder the project uses, it is not a standard Java API):
          import java.io.IOException;
          import java.io.PrintWriter;
          import javax.servlet.ServletException;
          import javax.servlet.http.HttpServlet;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;

          public class HelloServlet extends HttpServlet {
              public void doGet(HttpServletRequest req, HttpServletResponse res)
                      throws ServletException, IOException {
                  String input = req.getHeader("USERINPUT");
                  PrintWriter out = res.getWriter();
                  out.println(Server.HTMLEncode(input));   // encode for the HTML context before output
                  out.close();
              }
          }
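      An added example, not from the slides, of what the placeholder Server.HTMLEncode on slide 18 has to do: replace the characters that can change HTML structure with entity references, so that untrusted text renders as text. It covers the HTML body and quoted-attribute context only; JavaScript, URL and CSS contexts need their own encoders (the OWASP Java Encoder library provides all of them). The sample input is constructed.

```java
public class HtmlEncode {
    /**
     * Encode untrusted text for insertion into an HTML element body or a
     * double-quoted attribute value. Only the characters that can open or
     * close markup are replaced; everything else passes through unchanged.
     */
    static String forHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;   // numeric form: &apos; is not defined in HTML 4
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input of the kind a request header or parameter might carry.
        String input = "<script>alert('x')</script> & \"quoted\"";
        System.out.println("<p>" + forHtml(input) + "</p>");
        System.out.println("<input value=\"" + forHtml(input) + "\">");
    }
}
```

      Encoding is applied at the output, in the servlet that writes the page, not at input time: the same value may later be written into a URL or a JSON response, where the HTML entities would be wrong and a different encoder is needed.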
  19. Thank you for your interest. Questions?
  20. Prevent Cross Site Request Forgery
  21. Cryptographic controls
  22. Error handling
  23. Logging
  24. Prevent race conditions
