This document discusses securing applications in the cloud using Angular and Spring Boot. It covers topics like authentication, authorization, injection attacks, cross-site scripting, and securing APIs. Angular provides protection against XSS by sanitizing templates and inputs. Spring Security enables authentication, CSRF protection, and secure sessions by default. The document also discusses securing configurations and secrets in the cloud using Spring Cloud and Vault. Overall it provides an overview of application security best practices for building apps with Angular and Spring Boot that are deployed to the cloud.

1. SICHER IN DIE CLOUD
MIT ANGULAR UND SPRING BOOT
9. MAI 2017
1

2. ANDREAS FALK
http://www.novatec-gmbh.de
andreas.falk@novatec-gmbh.de
@NT_AQE, @andifalk
2

3. ARCHITECTURE /
THREAT MODEL
3 . 1

4. 3 . 2

5. SQLInjectionCSRFXSS OWASP OAuth2
OpenID-Connect AbUser-Stories
AuthenticationAuthorization Secure Coding
Security-Testing SSO DoSSensitive-Data Data-
Privacy Crypto Code-ReviewsThreat-
ModelingArchitectureDependencies
DASTSAML SAST DevSecOps
3 . 3

6. SQLInjectionCSRFXSS OWASP
OAuth2OpenID-Connect
Authentication Authorization Secure CodingSecurity-
Testing
3 . 4

7. HTTPS://GITHUB.COM/OWASP/TOP10
3 . 5

8. APP SECURITY VERIFICATION STANDARD PRO ACTIVE CONTROLS
https://github.com/OWASP/ASVS
https://www.owasp.org/index.php/
OWASP_Proactive_Controls
3 . 6

9. ANGULAR
4 . 1

10. ANGULARJS = ANGULAR 1
ANGULAR = ANGULAR 2.X, 4.X, 5.X, ...
4 . 2

11. A3: CROSS-SITE SCRIPTING (XSS)
4 . 3

12. ANGULAR JS SECURITY
https://angularjs.blogspot.de/2016/09/angular-16-expression-sandbox-removal.html
4 . 4

13. ANGULAR SECURITY
“...The basic idea is to implement
automatic, secure escaping for all values
that can reach the DOM... By default,
with no speci c action for developers,
Angular apps must be secure...”
https://github.com/angular/angular/issues/8511
4 . 5

14. ANGULAR XSS
PROTECTION
ANGULAR TEMPLATE = SAFE
INPUT VALUES = UNSAFE
4 . 6

15. ANGULAR COMPONENT
TYPESCRIPT
@Component({
selector: 'app-root',
templateUrl: 'app.component.html',
styleUrls: ['app.component.css']
})
export class AppComponent {
untrustedHtml:string =
'<em><script>alert("hello")</script></em>';
}
4 . 7

16. ANGULAR TEMPLATE
HTML BINDINGS
<h2>Binding of potentially dangerous HTML-snippets</h2>
<h3>Encoded HTML snippet</h3>
<h3 class="trusted">{{untrustedHtml}}</h3>
<h3>Sanitized HTML snippet</h3>
<h3 class="trusted" [innerhtml]="untrustedHtml"></h3>
4 . 8

17. UNSAFE ANGULAR API'S
ElementRef: Direct access to DOM!
DomSanitizer: Deactivates XSS-Protection!
Do NOT use!
https://angular.io/docs/ts/latest
4 . 9

18. DEMO
4 . 10

19. BACKEND
5 . 1

20. A1: INJECTION
5 . 2

21. SPRING MVC + SPRING DATA JPA
PREVENT INJECTIONS USING BEAN VALIDATION
@Entity
public class Person extends AbstractPersistable<Long> {
@NotNull
@Pattern(regexp = "^[A-Za-z0-9- ]{1,30}$")
private String lastName;
@NotNull
@Enumerated(EnumType.STRING)
private GenderEnum gender;
...
}
5 . 3

22. SPRING DATA JPA
PREVENT SQL-INJECTION USING PREPARED STATEMENTS
@Query(
"select u from User u where u.username = "
+ " :username and u.password = :password")
User findByUsernameAndPassword(
@Param("username") String username,
@Param("password") String password);
5 . 4

23. A8: CROSS-SITE REQUEST FORGERY (CSRF)
5 . 5

24. DOUBLE SUBMIT CSRF TOKEN
5 . 6

25. SPRING SECURITY
SECURE BY DEFAULT
Authentication required for all HTTP endpoints
Session Fixation Protection
Session Cookie (HttpOnly, Secure)
CSRF Protection
Security Response Header
5 . 7

26. SPRING SECURITY CSRF CONFIGURATION
ANGULAR SUPPORT
@Configuration
public class WebSecurityConfiguration
extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http)
throws Exception {
…
http
.csrf().csrfTokenRepository(
CookieCsrfTokenRepository.withHttpOnlyFalse()
);
}
5 . 8

27. WHO AM I?
A2: BROKEN AUTHENTICATION AND SESSION MANAGEMENT
A10: UNDERPROTECTED APIS
5 . 9

28. AUTHENTICATION (STATEFUL OR STATELESS?)
Session Cookie Token (Bearer, JWT)
With each Request Manually as Header
Potential CSRF! No CSRF possible
Persisted when unloading
DOM
No automatic
persistence
One domain Cross domain (CORS)
Sensitive Information
(HTTPS)
Sensitive Information
(HTTPS)
5 . 10

29. OAUTH 2
5 . 11

30. OPENID CONNECT
5 . 12

31. OAUTH 2 / OPENID CONNECT RESOURCE
@EnableResourceServer
@Configuration
public class OAuth2Configuration {
@Bean
public JwtAccessTokenConverterConfigurer
jwtAccessTokenConverterConfigurer() {
return new MyJwtConfigurer(...);
}
static class MyJwtConfigurer
implements JwtAccessTokenConverterConfigurer {
@Override
public void configure(
JwtAccessTokenConverter converter) {...}
}
}
OAuth 2.0 Threat Model and Security Considerations
5 . 13

32. IMPLICIT GRANT
Implicit Client Implementer’s Guide
OAuth 2.0 Threat Model and Security Considerations
5 . 14

33. CLIENT CREDENTIALS
GRANT
5 . 15

34. RESOURCE OWNER
GRANT
DO NOT USE!
5 . 16

35. WHAT CAN I ACCESS?
A4: BROKEN ACCESS CONTROL
A10: UNDERPROTECTED APIS
5 . 17

36. AUTHORIZATION OF REST API
ROLE BASED
public class UserBoundaryService {
@PreAuthorize("hasRole('ADMIN')")
public List<User> findAllUsers() {...}
}
5 . 18

37. AUTHORIZATION OF REST API
PERMISSION BASED
public class TaskBoundaryService {
@PreAuthorize("hasPermission(#taskId, 'TASK', 'WRITE')")
public Task findTask(UUID taskId) {...}
}
5 . 19

38. AUTHORIZATION OF REST API
INTEGRATIONTEST
public class AuthorizationIntegrationTest {
@WithMockUser(roles = "ADMIN")
@Test
public void verifyFindAllUsersAuthorized() {...}
@WithMockUser(roles = "USER")
@Test(expected = AccessDeniedException.class)
public void verifyFindAllUsersUnauthorized() {...}
}
5 . 20

39. DEMO
5 . 21

40. WHAT ABOUT THE
CLOUD?
6 . 1

41. GOOD OLD FRIENDS ...UND MORE...
CSRF XSS SQL Injection Session Fixation
Vulnerable Dependencies Weak Passwords
Broken Authorization Sensitive Data Exposure
Distributed DoS
Economic DoS
6 . 2

42. WEAK PASSWORDS
6 . 3

43. SO WHAT HAS BEEN CHANGED
IN THE CLOUD?
6 . 4

44. 6 . 5

45. ROTATE, REPAIR, REPAVE
JUSTIN SMITH
“What if every server inside my data
center had a maximum lifetime of two
hours? This approach would frustrate
malware writers...”
6 . 6

46. WHAT ABOUT APPLICATION
CONFIGURATION AND SENSIBLE DATA IN
THE CLOUD?
6 . 7

47. MANAGE DISTRIBUTED CONFIGURATION AND SECRETS
WITH SPRING CLOUD AND VAULT
Friday 19th May, 2017 6:00pm to 6:50pm
6 . 8

48. ONE MORE THING...
7 . 1

49. A7: INSUFFICIENT ATTACK PROTECTION
7 . 2

50. 7 . 3

51. http://www.novatec-gmbh.de
http://blog.novatec-gmbh.de
andreas.falk@novatec-gmbh.de
@NT_AQE, @andifalk
8