Cross-Site Scripting (XSS) involves injecting malicious scripts into web pages viewed by other users. Attackers can use XSS to steal user cookies and session tokens, or hijack user sessions to impersonate them. To prevent XSS, developers must sanitize all user input, escape output, and configure browsers to prevent script execution. The best practices are to use container security features whenever possible and review the OWASP Application Security Verification Standard.
Confess 2013: OWASP Top 10 and Java EE security in practice
4. Motivation for this talk
• Seen a lot
• Providing a starting point
• Sharing something
• Making you aware
5. The Top 10 Most Critical Web Application Security Risks
• A1: Injection
• A2: Broken Authentication and Session Management
• A2: Cross-Site Scripting (XSS)
• A4: Insecure Direct Object References
• A5: Security Misconfiguration
• A6: Sensitive Data Exposure
• A7: Missing Function Level Access Control
• A8: Cross-Site Request Forgery (CSRF)
• A9: Using Components with Known Vulnerabilities
• A10: Unvalidated Redirects and Forwards
Aka OWASP Top-10. Source: http://owasptop10.googlecode.com (Attribution-ShareAlike 3.0 Unported, CC BY-SA 3.0)
6. What is OWASP?
• Open Web Application Security Project
• Improving the security of (web) application software
– Not-for-profit organization since 2001
– Raise interest in secure development
• Documents
– Top 10
– Cheat Sheets
– Development Guides
• Solutions
– Enterprise Security API (ESAPI)
– WebScarab
– WebGoat
8. A1 Injection: What is it?
• Sending unintended data to applications
• Manipulating and reading data stores (e.g. DB, LDAP, File System, etc.)
• Java EE 6 affected:
– UI technology of choice
– Database access (JPA, JDBC)
– File System API
– etc.
9. A1 Injection: How to spot it!
String customerId = request.getParameter("customerId");
// untrusted request data is concatenated straight into the SQL text
String query = "SELECT balance FROM customer_data WHERE customer_id = "
    + customerId;
try {
    Statement statement = connection.createStatement( … ); // arguments elided on the slide
    ResultSet results = statement.executeQuery( query );
} catch (SQLException e) {
    // error handling omitted on the slide
}
// What a hostile client can send instead of a customer id:
String customerId = "x'; DROP TABLE members; --"; // user-input
10. Prevent Injection
• Sanitize the input
• Escape/Quotesafe the input, e.g. use ESAPI
• Use bound parameters (the PREPARED statement)
• Limit database permissions and segregate users
• Configure error reporting, e.g. use OWASP LAPSE+ Static Code Analysis Tool
11. Prevent Injection, Sample
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.OracleCodec;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

String customerId = request.getParameter("customerId");
// white list validation and encoding (Oracle-specific escaping rules)
String escapedCustomerId = ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId );
String query = "SELECT balance FROM customer_data WHERE customer_id = "
    + escapedCustomerId;
...
// OR
String query = "SELECT balance FROM customer_data WHERE customer_id = ? ";
// using pstmt (or stmt) with encoded/validated input parameters
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, customerId ); // bound parameter: the value is never parsed as SQL
ResultSet results = pstmt.executeQuery( );
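The slide-10 checklist applied end to end to the customer_data lookup from slide 9, as an added example that is not part of the deck: whitelist validation before any SQL runs, a typed bound parameter, and error reporting that keeps SQL detail in the server log. It assumes a container-managed DataSource under the hypothetical JNDI name "jdbc/customers" and a numeric customer_id column.

```java
import javax.annotation.Resource;
import javax.sql.DataSource;
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example (hypothetical DAO), not code from the slides.
public class CustomerBalanceDao {

    private static final Logger LOG = Logger.getLogger(CustomerBalanceDao.class.getName());

    // Whitelist: in the assumed schema a customer id is 1-12 digits. Anything else,
    // including "x'; DROP TABLE members; --" from slide 9, is rejected before any SQL runs.
    private static final Pattern CUSTOMER_ID = Pattern.compile("^[0-9]{1,12}$");

    // The SQL text is fixed at compile time; user data only ever travels as a bound
    // parameter, so the database never parses it as part of the statement.
    private static final String BALANCE_SQL =
        "SELECT balance FROM customer_data WHERE customer_id = ?";

    @Resource(lookup = "jdbc/customers") // hypothetical JNDI name, configured in the container
    private DataSource dataSource;

    public static boolean isValidCustomerId(String customerId) {
        return customerId != null && CUSTOMER_ID.matcher(customerId).matches();
    }

    /**
     * Returns the balance for the given id, or empty when the id fails the
     * whitelist or no such customer exists.
     */
    public Optional<BigDecimal> findBalance(String customerId) {
        if (!isValidCustomerId(customerId)) {
            // Log the rejection for detection purposes, but never echo the raw value.
            LOG.log(Level.WARNING, "rejected customerId of length {0}",
                    customerId == null ? 0 : customerId.length());
            return Optional.empty();
        }
        try (Connection connection = dataSource.getConnection();
             PreparedStatement pstmt = connection.prepareStatement(BALANCE_SQL)) {
            // Typed bind instead of string concatenation; the whitelist above
            // guarantees parseLong cannot throw here.
            pstmt.setLong(1, Long.parseLong(customerId));
            try (ResultSet results = pstmt.executeQuery()) {
                if (results.next()) {
                    return Optional.ofNullable(results.getBigDecimal("balance"));
                }
                return Optional.empty();
            }
        } catch (SQLException e) {
            // Error reporting: full detail to the server log, a generic failure to the
            // caller, so SQL error text cannot be used to probe the schema.
            LOG.log(Level.SEVERE, "balance lookup failed", e);
            throw new IllegalStateException("balance lookup failed");
        }
    }
}
```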
13. A2 Broken Authentication and Session Management: What is it?
• Container Security vs. own solution
• Session Binding / Session Renewal
• Passwords
– Strength (length/complexity)
– Plain text passwords (http/https)
– Recovery mechanisms
• Number of factors used for authentication
• Java EE 6 affected:
– JAAS / JASPIC
– Filter / PhaseListener
– Container and Web-App configuration
14. A2 Broken Authentication and Session Management: How to spot it
• Authentication over http
• Custom security filter
• Not using Container Functionality
• No password strength requirements
• No HttpSession binding
• Way of saving Passwords
• Not testing security
15. Best Practices
• Use Container Managed Security!
• Go with provided Standard Realms and LoginModules
whenever possible
• Invalidate session and all relevant bits when logged out
• If you need custom ones: Test them extremely carefully!
• Use transport layer encryption (TLS/SSL) for
authentication, credentials transport
• Review and adopt OWASP’s ASVS (Application Security
Verification Standard)
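The two slides above (how to spot weak authentication/session handling, and the best practices for it) come together in the following added example; it is not code from the deck or from GlassFish. It assumes a Servlet 3.1 container with a realm already configured, and the `/login`, `/logout` and `/home` paths plus the 15-minute timeout are assumptions for the demo. It delegates the credential check to the container (`HttpServletRequest.login`), refuses to authenticate over plain http, renews the session id on login and invalidates everything on logout.

```java
// Added example (not from the slides): container-managed login with session
// renewal and a full logout. Assumes a realm is configured in the container.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    private static final int SESSION_TIMEOUT_SECONDS = 15 * 60; // assumption

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials must only travel over TLS: never authenticate on plain http.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // Let the container's realm and LoginModule check the credentials
            // instead of a hand-written comparison (Servlet 3.0+).
            req.login(user, pass);
        } catch (ServletException e) {
            // Same answer for unknown user and wrong password: no account enumeration.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Session renewal: any session that existed before login (possibly planted
        // by an attacker, i.e. session fixation) gets a fresh id. changeSessionId()
        // is Servlet 3.1; on Servlet 3.0 invalidate the old session and create a new one.
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS);
        // Bind the session to the authenticated principal so later requests can
        // cross-check that the session still belongs to the same identity.
        session.setAttribute("principal", req.getUserPrincipal().getName());
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}

@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();   // drops all server-side state bound to the session
        }
        req.logout();               // clears the container's authenticated identity
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}
```

The session cookie itself should carry the `HttpOnly` and `Secure` flags; with Servlet 3.0 that is declared once in web.xml under `<session-config><cookie-config>` (`<http-only>true</http-only>` and `<secure>true</secure>`) rather than per response.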
17. What is it?
• Inject malicious code into user interfaces
• Get access to browser information
– E.g. javascript:alert(document.cookie)
• Steal user’s session, steal sensitive data
• Rewrite web page or parts
• Redirect user to phishing or malware site
• Java EE 6 affected:
– UI technology of choice (e.g. JSF, JSP)
18. How to spot it
• Anywhere that untrusted data is used as one
of the following in outgoing response:
– HTML element’s attributes
– JavaScript variables
– CSS values
– Etc.
page += "<input name='creditcard' type='TEXT' value='" +
request.getParameter("CC") + "'>";   // untrusted parameter lands inside an HTML attribute unescaped
19. Prevent
• Sanitize the input. E.g. use OWASP AntiSamy or
OWASP Java HTML Sanitizer, etc.
• Escape untrusted data based on the HTML
context (body, attribute, JavaScript, CSS, or
URL)
• Use Cookie flags:
– httpOnly (prevents XSS access)
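The following added example (not code from the deck) puts the vulnerable credit-card snippet from the "How to spot it" slide next to hardened versions that escape the untrusted value for the HTML context it lands in: once as an attribute value, once as a JavaScript string. The two escaping helpers are written inline so the file has no dependencies; in a real project the OWASP Java Encoder's `Encode.forHtmlAttribute` and `Encode.forJavaScript` do this job. The request parameter used in `main` is constructed for the demo.

```java
// Added example (not from the slides): context-specific output escaping.
import java.util.Map;

public class XssEscapingDemo {

    // Escape for HTML body text and for quoted attribute values.
    static String forHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Escape for a JavaScript string literal: every non-alphanumeric character
    // becomes \xHH or \uHHHH, so neither a quote nor "</script>" can break out.
    static String forJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    // VULNERABLE: the slide's snippet, untrusted data pasted into an attribute.
    static String vulnerableInput(Map<String, String> params) {
        return "<input name='creditcard' type='TEXT' value='" + params.get("CC") + "'>";
    }

    // HARDENED: same markup, value escaped for the attribute context.
    static String hardenedInput(Map<String, String> params) {
        return "<input name='creditcard' type='TEXT' value='"
               + forHtmlAttribute(params.get("CC")) + "'>";
    }

    // HARDENED: the same value inside a JavaScript variable needs the JS escaper,
    // not the HTML one; the context decides which escaping applies.
    static String hardenedScript(Map<String, String> params) {
        return "<script>var cc = '" + forJavaScript(params.get("CC")) + "';</script>";
    }

    public static void main(String[] args) {
        // Constructed request parameter: closes the attribute and starts a script tag.
        Map<String, String> req = Map.of("CC", "x'><script>alert(document.cookie)</script>");
        System.out.println(vulnerableInput(req)); // attribute broken, script tag is live markup
        System.out.println(hardenedInput(req));   // &#x27;&gt;&lt;script&gt;... stays plain text
        System.out.println(hardenedScript(req));  // \x27\x3E\x3Cscript\x3E... stays a string
    }
}
```

Escaping protects the response; the `httpOnly` flag from the slide limits what a script that does get through can read, and with Servlet 3.0 it is set either per cookie (`Cookie.setHttpOnly(true)`) or once for the session cookie in web.xml (`<cookie-config><http-only>true</http-only></cookie-config>`).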
21. What is it?
• Exposing secure objects without defense.
• Accessing domain objects with their PK. E.g.
https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected:
– All layers
– Especially data access
22. How to spot it
• Direct user input to object mapping
• No verification on user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints
23. Best Practices
• Use AccessReferenceMaps
http://app?file=Report123.xls
http://app?file=1
http://app?id=9182374
http://app?id=7d3J93
• Use data-driven security
• Validate object references
• Always perform additional data authorization
on the view
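The access reference map the slide recommends, as an added example (not code from the deck, and not the ESAPI implementation): the client only ever sees a random, session-scoped token such as the slide's `http://app?id=7d3J93`, never the database key `9182374` or the file name `Report123.xls`, and resolving a token is also where the ownership check lives, so both "validate object references" and "data-driven security" happen in one place. The `Report`/`ReportService` classes and the two-row table are constructed for the demo.

```java
// Added example (not from the slides): per-session indirect object references
// plus an ownership check on every resolution.
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class AccessReferenceMap {
    private final Map<String, Object> indirectToDirect = new HashMap<>();
    private final Map<Object, String> directToIndirect = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    // Hand out (or reuse) the indirect token for a direct reference.
    public synchronized String addDirectReference(Object direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) return existing;
        String token;
        do {
            byte[] b = new byte[9];          // 72 random bits: unguessable and URL-safe
            rng.nextBytes(b);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        } while (indirectToDirect.containsKey(token));
        indirectToDirect.put(token, direct);
        directToIndirect.put(direct, token);
        return token;
    }

    // Resolve a token the client sent back; empty if this map never issued it.
    public synchronized Optional<Object> getDirectReference(String indirect) {
        return Optional.ofNullable(indirectToDirect.get(indirect));
    }
}

// Minimal domain object for the demo (assumption).
final class Report {
    final long id;
    final long ownerId;
    final String fileName;
    Report(long id, long ownerId, String fileName) {
        this.id = id; this.ownerId = ownerId; this.fileName = fileName;
    }
}

class ReportService {
    // Constructed data: two users' reports in a pretend table.
    private static final Map<Long, Report> TABLE = Map.of(
        9182374L, new Report(9182374L, 1L, "Report123.xls"),
        9182375L, new Report(9182375L, 2L, "Report124.xls"));

    // Validate the reference AND authorize the data, on every request.
    static Optional<Report> open(AccessReferenceMap map, long currentUserId, String token) {
        return map.getDirectReference(token)
                  .map(k -> TABLE.get((Long) k))               // unknown token -> empty
                  .filter(r -> r.ownerId == currentUserId);    // data-driven authorization
    }

    public static void main(String[] args) {
        AccessReferenceMap aliceMap = new AccessReferenceMap();    // one map per session
        String t = aliceMap.addDirectReference(9182374L);
        System.out.println("link for user 1: http://app?id=" + t);
        System.out.println(open(aliceMap, 1L, t).isPresent());         // true: her own report
        System.out.println(open(aliceMap, 2L, t).isPresent());         // false: user 2 cannot reuse the link
        System.out.println(open(aliceMap, 1L, "9182374").isPresent()); // false: a raw key is not a token
    }
}
```

Because the map is created per session, a token copied from one user's URL into another user's browser resolves to nothing there, and the ownership filter catches the case where the same session holds references it should not see.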
25. What is it?
• Applies to
– Operating System
– Application Server
– Databases
– Additional Services
– Frameworks
– Developed Code
– Etc.
• Includes (beside _many_ others)
– All security relevant configuration
– Missing Patches
– Default accounts
26. Worst Practices
• Network interfaces/sockets access control
• Relaxed File system access control
• Using any defaults like:
– Passwords: Admin, master password
– Network interface binding: Listening on 0.0.0.0
– Certificates: Self signed certificate
• Using an OS that has not been hardened!
• Not using a segregated user for the service
• Not restricting the GlassFish/server component-specific
user, nor enabling the security manager
27. Policy Files location
• Global Policy File:
java.home/jre/lib/security/java.policy
• User Policy File: user.home/.java.policy
• Domain Policy File:
domain.home/config/server.policy
• Application Policy File:
domain.home/generated/policy/<app.name>/<module.name>/granted.policy
28. Review the *.policy files
• Policy files precedence order
• Remove unused grants
• Add extra permissions only to applications
or modules that require them, not to all
applications deployed to a domain.
• Document your changes!
29. Running GlassFish in a Secure Environment
• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable security manager and put forth a
proper security policy file design
http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
31. What is it?
• Sensitive data kept unprotected
• Sensitive data exposed to wrong persons
• Could be:
– Passwords
– Financial/Health care data
– Credit cards
32. Worst Practices
• Storing sensitive data unencrypted
• Storing comparative data unhashed
(passwords/security question answer…)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive
data
33. Worst Practice
• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using default self signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted
(Cookie.setSecure(true))
• Forgetting about the rest of the
infrastructure
34. Prevention
• Identify sensitive data
• Wisely encrypt sensitive data
– On every level (application, appserver, db)
– with the right algorithm, as strong as possible but not more!
– with the right mechanism, e.g. scrypt and bcrypt
• Don’t keep clear text copies
• Decrypting and viewing clear text should be restricted to
authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site
copies
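The "Worst Practices" and "Prevention" slides above (hash comparative data, encrypt what must be read back, guard the keys) in one added example that is not code from the deck. The slides name scrypt and bcrypt; both need a third-party library, so this self-contained version uses PBKDF2-HMAC-SHA256 from the JDK as the stand-in for the password hash, and AES-GCM for data that has to be decrypted again. Generating the AES key in memory is an assumption for the demo; in GlassFish it would come from the keystore via a password alias. The password and card number in `main` are constructed test values.

```java
// Added example (not from the slides): salted iterated password hashing and
// authenticated encryption for sensitive fields.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;

public class SensitiveDataStorage {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int PBKDF2_ITERATIONS = 310_000;   // tune to your hardware
    private static final int SALT_BYTES = 16, HASH_BITS = 256;
    private static final int GCM_IV_BYTES = 12, GCM_TAG_BITS = 128;

    // --- passwords: store iterations + salt + hash, never the password itself ---
    public static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                                // unique salt per record
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        return PBKDF2_ITERATIONS + "$" + b64(salt) + "$" + b64(hash);
    }

    public static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        int iterations = Integer.parseInt(parts[0]);
        byte[] expected = unb64(parts[2]);
        byte[] actual = pbkdf2(password, unb64(parts[1]), iterations);
        return MessageDigest.isEqual(expected, actual);     // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    // --- secrets that must be read back (card numbers): authenticated encryption ---
    public static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                  // fresh IV for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return b64(iv) + "$" + b64(ct);                     // IV is not secret; the tag is inside ct
    }

    public static String decrypt(SecretKey key, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, unb64(parts[0])));
        // doFinal throws AEADBadTagException if the stored value was altered
        return new String(c.doFinal(unb64(parts[1])), StandardCharsets.UTF_8);
    }

    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    private static byte[] unb64(String s) { return Base64.getDecoder().decode(s); }

    public static void main(String[] args) throws Exception {
        // Constructed values for the demo.
        String record = hashPassword("correct horse".toCharArray());
        System.out.println(verifyPassword("correct horse".toCharArray(), record)); // true
        System.out.println(verifyPassword("wrong".toCharArray(), record));         // false

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();                   // assumption: real key lives in a keystore
        String ct = encrypt(key, "4111111111111111");       // well-known test card number
        System.out.println(decrypt(key, ct));               // 4111111111111111
    }
}
```

The split between the two halves is the point of the "comparative data" bullet: a password is only ever compared, so it is hashed and never decryptable, while a card number must be read back and therefore needs encryption, a key that is kept elsewhere, and an authentication tag so a tampered record is rejected rather than decrypted.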
35. Best Practice
• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient