© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Tighten your Security and Privacy
Lars Krapf | Security Researcher
About me
• Lars Krapf <lkrapf@adobe.com>
• MSc ETH C.S. (Information Security)
• Joined Bidule in 1997
• Security Researcher (AEM)
Outline
• Cross-site scripting (XSS)
– Definition
– XSS in the AEM context
– Prevention
• loginAdministrative & Friends
– Risks & Threats
– Identifying Security Issues
– Conclusions
Cross-Site Scripting
What is Cross-Site Scripting?
• Web-application security vulnerability
• Often underrated
• Injection problem
– The same channel carries data and logic: untrusted text ends up being parsed as markup or script
• Abuses browser trust
– Circumvents the same-origin policy: the injected script runs with the origin of the vulnerable site, so it sees that site's cookies, DOM and authenticated requests
– HTTPS will not save you (the payload travels inside the protected channel)
• Most web applications affected
Types of Vulnerabilities
• Reflected (non-persistent) XSS
– Most common
– Data from the client is echoed back directly in the response
– Typically delivered via email or a neutral site (the victim has to follow the crafted link)
• Stored (persistent) XSS
– Malicious content stored in the repository/DB, e.g. forum post, profile information, logfile
– Usually higher impact: every visitor of the affected page is hit, no link has to be delivered
• DOM-based XSS
– Client-side script writes untrusted data (e.g. location.hash, a URL parameter) into the DOM; the payload may never reach the server, so server-side encoding does not see it
XSS and AEM
• Most frequent security bug
– 500+ issues in JIRA
– Pentest report contained ~70% XSS bugs
– Large number of scripts affected
• Difficult challenge
– XSS vs SSS
– Customers want HTML paragraphs (rich text has to be filtered against a policy, it cannot simply be encoded)
– DAM
– Can we trust our authors?
Attack Vectors
• Request parameters
• URL components (Path, Selectors, Extension, Suffix, Hash)
• HTTP headers
• Cookies
• Repository
– Content
– Configuration properties
– Node names / path (Problem: JCR special characters)
• Log files
• Filenames
Types of Attackers
• Anonymous user
– Usually not able to store content
– Can forge a link and send it to other users / authors (reflected XSS)
– Almost impossible to trace
• Authenticated user
– Can store content / profile information (stored XSS)
– Largest impact → critical
• Author
– Has read/write access to /content
– Has to be trusted to a certain extent
– Good traceability
XSS Risks
• Manipulate content
• Execute scripts
• Steal cookies
• Clickjacking
• Phishing
Author vs. Publish
• Author
– Attack WEM functionality
– Must be authenticated to access/store content
– Access to workflows
– Security/functionality trade-off
• Publish
– Large audience
– Weak authentication (or even anonymous)
→ Critical risk
AEM XSS Philosophy
→ Allow all input – encode all output
→ Encode at the very end (in the output context where the value is written, not when it is read or stored)
→ Don't think too much (do not try to decide which values are "safe"; encode every one)
→ Never do it yourself (use the provided API, not home-grown escaping)
How can we prevent XSS?
• Server side: XSSAPI (AntiSamy), Taglib, JSON-Writer
• Client side: escape(), _g.XSS.getXSSValue()
• Cookie security (HttpOnly and Secure flags limit what a successful injection can steal)
• Additional measures (e.g. password dialog, hashing)
• Browser security
XSSAPI: Methods
// Validators (whitelist checks for structured values; return the default / an empty string on bad input)
public Integer getValidInteger(String integer, int defaultValue);
public String getValidDimension(String dimension, String defaultValue);
public String getValidHref(String url);
// Encoders (one per output context; pick the one matching where the value is written)
public String encodeForHTML(String source);
public String encodeForHTMLAttr(String source);
public String encodeForXML(String source);
public String encodeForXMLAttr(String source);
public String encodeForJSString(String source);
// Filters (policy-based cleanup of rich text, via AntiSamy)
public String filterHTML(String source);
// JCR based URL mapping (hrefs pointing at repository paths are mapped through the request / resource resolver)
public XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request);
public XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver);
Interface: com.adobe.granite.xss.XSSAPI (see the JavaDoc reference below), provided by the com.adobe.granite.xssprotection bundle
AntiSamy configuration
• XML policy file: /libs/cq/xssprotection/config.xml
• Can be overlaid in /apps
• Should be adapted to project-specific needs (the allowed tags, attributes and URL schemes for filterHTML and getValidHref)
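The XSSAPI in use, as an added example that is not part of the deck and not AEM's own code: a Sling servlet that reads four request parameters and renders each one in the output context it belongs to, validating structured values, encoding text at the very end, and using filterHTML (AntiSamy, policy from the config.xml above) for the one value that is allowed to carry markup. The servlet path, the parameter names, the sample payloads in the comments and the use of Felix SCR annotations are assumptions; the XSSAPI, Sling and SCR classes and method signatures are the real ones.

```java
// Added example, not code from the deck or from AEM: one servlet, four output
// contexts, one encoder or validator per context. Path, parameter names and the
// Felix SCR annotations are assumptions.
package com.example.xss;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;

import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;

import com.adobe.granite.xss.XSSAPI;

@SlingServlet(paths = "/bin/example/greeting", methods = "GET")
public class GreetingServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xssAPI;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // "Allow all input": read the raw parameters, no cleaning at this point.
        // Sample payloads (constructed) that each line below has to survive:
        String name  = param(request, "name");   // <img src=x onerror=alert(1)>  or  ');alert(1);//
        String link  = param(request, "link");   // javascript:alert(1)
        String width = param(request, "width");  // 100" onmouseover="alert(1)
        String intro = param(request, "intro");  // <p>hi</p><script>alert(1)</script>

        // The request-specific API maps JCR paths inside hrefs through the
        // request's resource resolver, so getValidHref also accepts repository paths.
        XSSAPI xss = xssAPI.getRequestSpecificAPI(request);

        // Validators: structured values are whitelisted, not escaped.
        int    widthPx = xss.getValidInteger(width, 100); // 100 when the value is not a number
        String href    = xss.getValidHref(link);          // "" for javascript:, data: and other unsafe URLs;
                                                          // the result is already safe for an href attribute

        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();

        // "Encode at the very end": once per value, with the encoder of the output context.
        out.println("<div class=\"greeting\" style=\"width:" + widthPx + "px\">");
        out.println("  <h1>Hello, " + xss.encodeForHTML(name) + "</h1>");               // element content
        out.println("  <a href=\"" + href + "\" title=\"" + xss.encodeForHTMLAttr(name)  // attribute value
                + "\">profile</a>");
        // The "customers want an HTML paragraph" case: keep the markup the AntiSamy
        // policy allows (p, b, a href, ...), strip script, event handlers and unsafe
        // URLs. This is the only place a filter is used instead of an encoder.
        out.println("  <div class=\"intro\">" + xss.filterHTML(intro) + "</div>");
        out.println("</div>");
        // JS string literal: its own encoder. encodeForHTML would be wrong here, a
        // quote or backslash breaks out of the literal and entities are not decoded
        // inside <script>.
        out.println("<script>var visitor = '" + xss.encodeForJSString(name) + "';</script>");
    }

    private static String param(SlingHttpServletRequest request, String name) {
        String value = request.getParameter(name);
        return value == null ? "" : value;
    }
}
```

With the sample payloads, name renders as literal text in the heading and title, link yields an empty href, width falls back to 100, and intro keeps its paragraph while the script element is dropped by the policy. Which tags and attributes survive filterHTML is exactly what the overlaid config.xml decides, so a project that loosens the policy (for instance to allow style or iframe) should re-run these payloads against it.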
References: Cross-Site Scripting
• XSS Cheat Sheet
https://wiki.day.com/content/wiki/Dev/Communique/Security/OwaspTopTen/wiki:attachments/xss_cheat_sheet.pdf
• OWASP XSS
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
• OWASP AntiSamy
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
• XSSAPI JavaDoc
http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/xss/XSSAPI.html
loginAdministrative & Friends
loginAdministrative & Friends
• Sling API
– SlingRepository.loginAdministrative
– ResourceResolverFactory.getAdministrativeResourceResolver
– ResourceResolverFactory.getAdministrativeResourceProvider
• JCR API
– Session.impersonate
• Custom API and services
– Exposing resources, adaptables or data obtained with an admin session
Risks & Threats
• General
– Circumventing access control
– Trust boundary violation
– Privilege escalation
• Effects on read
– Information disclosure
– Privacy violations
– SQL/XPath injections (a query built from request input runs with admin rights)
• Effects on write
– Content manipulation
– Changing access control
– Creating or modifying executable content (scripts under /apps or /libs)
– Access to the web console
– File system access
– Access to the runtime
Identifying Security Issues
• Request handling
– Admin session used in servlets and scripts
– Usage of API/services that use an admin session
– Mixing different sessions
– Combination with
● missing path normalization
● missing property validation / restriction
● missing node type structure that would help enforce constraints
Identifying Security Issues
• Services and API
– API definition forces the use of an admin session
– Implementation makes use of an admin session
● reading or writing data with admin
● objects bound to the admin session
● mixing different sessions
– Caching issues (data read with admin served to callers who could not read it themselves)
– Admin session kept in a field (long-lived, shared across requests)
Identifying Security Issues
• Content structure
– Data model requires the use of an admin session
– Data containers such as e.g.
● storing backup information
● collecting status information
● tracking
– Structure created by services without proper ACL setup
Conclusions
• Request handling
– Servlets and scripts consistently use the request session:
● a single session processes one request
● no admin session is used
– Understand the nature of the services and API used
– Review the access paths of scripts/servlets
– Security risks associated with the input parameters
● normalize and verify paths
● don't write arbitrary properties / nodes
● think about potential exploits
Conclusions
• Services and API design
– Consider security requirements at an early stage
– Design API/services such that an implementation is possible without an admin session
– Use a dedicated user with limited permissions
→ Sling Service Authentication
– Don't mix different sessions
– Don't access caches with different sessions
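The request-handling and service conclusions above, as an added example that is not the deck's and not Sling's own code: the same "record a visit" servlet written twice. recordVisitUnsafe() is the pattern the "Identifying Security Issues" slides describe (admin session, unnormalized path and caller-chosen property name from the request); doPost() is the hardened version (request session for the read, a dedicated service user for the one write that needs extra rights, normalized and constrained path, fixed property names, one session per request, closed when done). The content path, the sub-service name and the Felix SCR annotations are assumptions; getServiceResourceResolver and ResourceResolverFactory.SUBSERVICE are the Sling Service Authentication API the slide points to, which needs a Sling version that ships it.

```java
// Added example, not code from the deck or from Sling. The unsafe method is kept
// only to show the pattern to look for in a review; doPost is the replacement.
// TRACKING_ROOT, SUBSERVICE and the servlet path are assumptions.
package com.example.session;

import java.io.IOException;
import java.util.Calendar;
import java.util.Collections;
import java.util.Map;

import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ModifiableValueMap;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

@SlingServlet(paths = "/bin/example/visit", methods = "POST")
public class VisitServlet extends SlingAllMethodsServlet {

    private static final String TRACKING_ROOT = "/var/example/visits"; // assumed location
    private static final String SUBSERVICE = "visit-writer";           // assumed sub-service name

    @Reference
    private ResourceResolverFactory resolverFactory;

    // BEFORE: every caller, even anonymous, runs as admin; "path" is used as sent, so
    // "../../apps/site/components/page/page.jsp" leaves TRACKING_ROOT; and the caller
    // picks the property name, so they can plant a script body or alter jcr:mixinTypes.
    void recordVisitUnsafe(SlingHttpServletRequest request) throws LoginException, RepositoryException {
        ResourceResolver admin = resolverFactory.getAdministrativeResourceResolver(null);
        try {
            Session session = admin.adaptTo(Session.class);
            Node node = session.getNode(TRACKING_ROOT + "/" + request.getParameter("path"));
            node.setProperty(request.getParameter("prop"), request.getParameter("value"));
            session.save();
        } finally {
            admin.close();
        }
    }

    // AFTER
    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // 1. Normalize and verify the path: "." and ".." are resolved (normalize returns
        //    null above the repository root) and the result must stay below TRACKING_ROOT.
        String relPath = request.getParameter("path");
        String target = relPath == null ? null : ResourceUtil.normalize(TRACKING_ROOT + "/" + relPath);
        if (target == null || !target.startsWith(TRACKING_ROOT + "/")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // 2. Read with the request's own session: the repository's ACLs decide whether
        //    this caller may see the node at all. Nothing from this session is reused below.
        if (request.getResourceResolver().getResource(target) == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 3. The write needs rights the caller lacks, so it runs as a dedicated service
        //    user (Sling Service Authentication) that may write only below TRACKING_ROOT,
        //    not as admin. The target is resolved again with this session, not handed over.
        Map<String, Object> auth = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        ResourceResolver writer = null;
        try {
            writer = resolverFactory.getServiceResourceResolver(auth);
            Resource visit = writer.getResource(target);
            ModifiableValueMap props = visit == null ? null : visit.adaptTo(ModifiableValueMap.class);
            if (props == null) { // the service user may not see or write here: ACLs decide, not this code
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // 4. Fixed property names and server-derived values; the caller chooses neither.
            props.put("lastVisit", Calendar.getInstance());
            props.put("lastVisitor", request.getResourceResolver().getUserID());
            writer.commit();
        } catch (LoginException e) {
            throw new ServletException("no service user mapped for sub-service " + SUBSERVICE, e);
        } catch (PersistenceException e) {
            throw new ServletException(e);
        } finally {
            if (writer != null) {
                writer.close(); // one session per request, released when the request is done
            }
        }
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

For the hardened version to work, the sub-service has to be mapped to a system user in the Service User Mapper configuration (factory PID org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended, a user.mapping entry of the form bundle-symbolic-name:visit-writer=visit-service, with the bundle name and user name being assumptions), and that user is granted read and write on /var/example/visits only. If the mapping is missing, getServiceResourceResolver throws LoginException and the servlet fails closed; if the user's ACL is too narrow, adaptTo(ModifiableValueMap.class) returns null and the request gets a 403, which is the repository enforcing the constraint rather than the application.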
Conclusions
• Content modeling
– Security requirements drive the content structure, such that
● managing access control "feels natural"
● access control is enforced by the repository and not by the application
– Verify that content has a proper permission setup
– Make use of node types to enforce constraints and limit the risk of 'public' write (a node type that only admits known property names stops callers from adding arbitrary ones)
References: loginAdministrative & Friends
• Wiki
https://wiki.day.com/content/wiki/Users/anchela/loginAdministrative&Friends.html
• Checklist
https://wiki.day.com/content/wiki/Users/anchela/loginAdministrative&Friends/checklist.html
• Security FAQ
https://wiki.day.com/content/wiki/Dev/Communique/Security/SecurityFAQ.html
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).pptENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
ENTREPRENEURSHIP TRAINING.ppt for graduating class (1).ppt
 
CADAVER AS OUR FIRST TEACHER anatomt in your.pptx
CADAVER AS OUR FIRST TEACHER anatomt in your.pptxCADAVER AS OUR FIRST TEACHER anatomt in your.pptx
CADAVER AS OUR FIRST TEACHER anatomt in your.pptx
 
What are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdfWhat are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdf
 
amptalk_RecruitingDeck_english_2024.06.05
amptalk_RecruitingDeck_english_2024.06.05amptalk_RecruitingDeck_english_2024.06.05
amptalk_RecruitingDeck_english_2024.06.05
 
20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
 
What is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdfWhat is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdf
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
 
Attending a job Interview for B1 and B2 Englsih learners
Attending a job Interview for B1 and B2 Englsih learnersAttending a job Interview for B1 and B2 Englsih learners
Attending a job Interview for B1 and B2 Englsih learners
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdfSearch Disrupted Google’s Leaked Documents Rock the SEO World.pdf
Search Disrupted Google’s Leaked Documents Rock the SEO World.pdf
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
 
Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111Introduction to Amazon company 111111111111
Introduction to Amazon company 111111111111
 
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
 
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 

Tighten your Security and Privacy

  • 1. © 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
    Tighten your Security and Privacy
    Lars Krapf | Security Researcher
  • 2. About me
     Lars Krapf <lkrapf@adobe.com>
     MSc ETH C.S. (Information Security)
     Joined Bidule in 1997
     Security Researcher (AEM)
  • 3. Outline
     Cross-site scripting (XSS)
    – Definition
    – XSS in the AEM context
    – Prevention
     loginAdministrative & Friends
    – Risks & Threats
    – Identifying Security Issues
    – Conclusions
  • 4. Cross-Site Scripting
  • 5. What is Cross-Site scripting?
     Web-application security vulnerability
     Often underrated
     Injection problem
    – Same channel used for data and logic
     Abuse browser trust
    – Circumvent same-origin policy
    – HTTPS will not save you
     Most web-applications affected
  • 6. Types of Vulnerabilities
     Reflected (non-persistent) XSS
    – Most common
    – Data from client is displayed back directly
    – Typically delivered via email or a neutral site
     Stored (Persistent) XSS
    – Malicious content stored in DB, e.g. forum post, profile information, logfile
    – Usually higher impact
     DOM based XSS
  • 7. XSS and AEM
     Most frequent security bug
    – 500+ Issues in JIRA
    – Pentest-report contained ~70% XSS bugs
    – Large number of scripts affected
     Difficult challenge
    – XSS vs SSS
    – Customers want HTML paragraph
    – DAM
    – Can we trust our authors?
  • 8. Attack Vectors
    ● Request parameters
    ● URL components (Path, Selectors, Extension, Suffix, Hash)
    ● HTTP Headers
    ● Cookies
    ● Repository
    – Content
    – Configuration properties
    – Node names / path (Problem: JCR special characters)
    ● Log-files
    ● Filenames
  • 9. Types of Attackers
     Anonymous User
    – Usually not able to store content
    – Can forge a link and send it to other users / authors (reflected XSS)
    – Almost impossible to trace
     Authenticated User
    – Can store content / profile information
    – Largest impact → Critical
     Author
    – Has read-write access to /content
    – Has to be trusted to a certain extent
    – Good traceability
  • 10. XSS Risks
     Manipulate content
     Execute scripts
     Steal cookies
     Clickjacking
     Phishing
  • 11. Author vs. Publish
     Author
    – Attack WEM functionality
    – Must be authenticated to access/store content
    – Access to Workflows
    – Security/Functionality trade-off
     Publish
    – Large audience
    – Weak authentication (or even anonymous) → Critical Risk
  • 12. AEM XSS Philosophy
    → Allow all input
    – Encode all output
    → Encode at the very end
    → Don't think too much
    → Never do it yourself
  • 13. How can we prevent XSS?
     Server-side: XSSAPI (AntiSamy), Taglib, JSON-Writer
     Client-side: escape(), _g.XSS.getXSSValue()
     Cookie Security
     Additional measures (e.g. password dialog, hashing)
     Browser Security
  • 14. XSSAPI: Methods (com.adobe.granite.xssprotection.XSSAPI)
    // Validators
    public Integer getValidInteger(String integer, int defaultValue);
    public String getValidDimension(String dimension, String defaultValue);
    public String getValidHref(String url);
    // Encoders
    public String encodeForHTML(String source);
    public String encodeForHTMLAttr(String source);
    public String encodeForXML(String source);
    public String encodeForXMLAttr(String source);
    public String encodeForJSString(String source);
    // Filters
    public String filterHTML(String source);
    // JCR based URL mapping
    public XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request);
    public XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver);
  • 15. AntiSamy configuration
     XML configuration file (/libs/cq/xssprotection/config.xml)
     Can be overlayed in /apps
     Should be adapted to project-specific needs
  • 16. References: Cross-Site Scripting
     XSS Cheat Sheet: https://wiki.day.com/content/wiki/Dev/Communique/Security/OwaspTopTen/wiki:attachments/xss_cheat_sheet.pdf
     OWASP XSS: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
     OWASP AntiSamy: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
     XSSAPI JavaDoc: http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/xss/XSSAPI.html
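How the philosophy of slide 12 ("allow all input, encode all output, at the very end, never do it yourself") and the XSSAPI methods of slide 14 fit together in a Sling servlet, as an added example that is not part of the deck or of Adobe's code: the reflected-XSS write of a raw parameter is kept commented out beside the encoded form. The servlet path, the parameter names and the `com.adobe.granite.xss` package (taken from the JavaDoc link on slide 16) are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;

import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;

import com.adobe.granite.xss.XSSAPI;   // package as in the JavaDoc link on slide 16

@SlingServlet(paths = "/bin/example/greeting")   // assumed path
public class GreetingServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xssAPI;   // the XSSAPI OSGi service

    @Override
    protected void doGet(SlingHttpServletRequest request,
                         SlingHttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();

        // "Allow all input": the values are taken as-is (assumed parameter names).
        // Each one is encoded at the very end, for the context it is written into.
        String name = request.getParameter("name");
        String link = request.getParameter("link");
        String rows = request.getParameter("rows");
        String selectors = request.getRequestPathInfo().getSelectorString();

        // Reflected XSS (slide 6): writing the raw parameter lets a crafted link
        // run script in the visitor's browser. Kept commented out for comparison.
        // out.println("<h1>Hello " + name + "</h1>");

        // Hardened: one encoder per output context (HTML body, attribute, JS string).
        out.println("<h1>Hello " + xssAPI.encodeForHTML(name) + "</h1>");
        out.println("<p title=\"" + xssAPI.encodeForHTMLAttr(selectors) + "\">selectors</p>");
        out.println("<script>var who = '" + xssAPI.encodeForJSString(name) + "';</script>");

        // Validators where encoding cannot help: a javascript: URL is not made safe
        // by encoding, so getValidHref drops it (empty string per the XSSAPI JavaDoc),
        // and getValidInteger falls back to the default for non-numeric input.
        XSSAPI reqAPI = xssAPI.getRequestSpecificAPI(request);   // JCR-based URL mapping
        String href = reqAPI.getValidHref(link);
        out.println("<a href=\"" + href + "\">link</a>");
        int rowCount = reqAPI.getValidInteger(rows, 10);
        out.println("<table data-rows=\"" + rowCount + "\"></table>");
    }
}
```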
  • 17. loginAdministrative & Friends
  • 18. loginAdministrative & Friends
     Sling API
    – SlingRepository.loginAdministrative
    – ResourceResolverFactory.getAdministrativeResourceResolver
    – ResourceResolverFactory.getAdministrativeResourceProvider
     JCR API
    – Session.impersonate
     Custom API and Services
    – Exposing resources, adaptables or data with admin session
  • 19. Risks & Threats
    ● General
    – Circumventing access control
    – Trust boundary violation
    – Privilege escalation
    ● Effects on Read
    – Information disclosure
    – Privacy violations
    – SQL/XPath injections
    ● Effects on Write
    – Content manipulation
    – Changing access control
    – Creating or modifying executable content
    – Access to web console
    – File system access
    – Access to runtime
  • 20. Identifying Security Issues
     Request Handling
    – Admin session used in servlets and scripts
    – Usage of API/Services that use admin session
    – Mixing different sessions
    – Combination with
    ● missing path normalization
    ● missing property validation / restriction
    ● missing node type structure that would help enforce constraints
  • 21. Identifying Security Issues
     Services and API
    – API definition forces the use of admin session
    – Implementation makes use of admin session
    ● Reading or writing data with admin
    ● Objects bound to admin session
    ● Mixing different sessions
    – Caching Issues
    – Admin session fields
  • 22. Identifying Security Issues
     Content Structure
    – Data model requires use of admin session
    – Data containers, e.g. for
    ● storing backup information
    ● collecting status information
    ● tracking
    – Structure created by services without proper ACL setup
  • 23. Conclusions
     Request Handling
    – Servlets and scripts consistently use the request session:
    ● a single session processes one request
    ● no admin session is used
    – Understand the nature of services and API used
    – Review access paths of scripts/servlets
    – Security risks associated with the input parameters
    ● normalize and verify paths
    ● don't write arbitrary properties / nodes
    ● think about potential exploits
  • 24. Conclusions
     Services and API design
    – Consider security requirements at an early stage
    – Design API/Services such that implementation is possible without admin session
    – Use a dedicated user with limited permissions → Sling Service Authentication
    – Don't mix different sessions
    – Don't access caches with different sessions
  • 25. Conclusions
     Content Modeling
    – Security requirements drive the content structure, such that
    ● managing access control “feels natural”
    ● access control is enforced by the repository and not by the application
    – Verify that content has proper permission setup
    – Make use of node types to enforce constraints and limit the risk of 'public' write
  • 26. References: loginAdministrative & Friends
     Wiki: https://wiki.day.com/content/wiki/Users/anchela/loginAdministrative&Friends.html
     CheckList: https://wiki.day.com/content/wiki/Users/anchela/loginAdministrative&Friends/checklist.html
     Security FAQ: https://wiki.day.com/content/wiki/Dev/Communique/Security/SecurityFAQ.html
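The "admin session in a servlet" pattern that slides 18 to 20 tell reviewers to look for, next to the request-session form that slide 23 recommends (normalized, confined path; fixed property; repository ACLs decide), as an added example that is not part of the deck or of any Adobe code. The servlet path, the /content/notes/ subtree and the "note" property name are constructed for illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ModifiableValueMap;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

@SlingServlet(paths = "/bin/example/note", methods = "POST")  // assumed path
public class NoteServlet extends SlingAllMethodsServlet {
    @Reference
    private ResourceResolverFactory resolverFactory;  // only the bad variant needs it
    @Override
    protected void doPost(SlingHttpServletRequest request,
                          SlingHttpServletResponse response)
            throws ServletException, IOException {
        String path = request.getParameter("path");
        String note = request.getParameter("note");

        // Vulnerable (slides 18-20): an admin session writes wherever the caller
        // points it, with a property name the caller picks, so any user can alter
        // access control or executable content. Kept commented out for comparison.
        // ResourceResolver admin = resolverFactory.getAdministrativeResourceResolver(null);
        // admin.getResource(path).adaptTo(ModifiableValueMap.class)
        //      .put(request.getParameter("prop"), note);

        // Hardened (slide 23): the request session does the write, so repository ACLs
        // decide; the path is normalized and confined to one subtree, and the property
        // name is fixed. A write the request user may not do belongs to a dedicated
        // service user (slide 24), never to admin.
        ResourceResolver resolver = request.getResourceResolver();
        String normalized = path == null ? null : ResourceUtil.normalize(path);
        if (normalized == null || !normalized.startsWith("/content/notes/")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        Resource target = resolver.getResource(normalized);
        // adaptTo yields null when the node is missing or not writable for this session
        ModifiableValueMap props = target == null ? null : target.adaptTo(ModifiableValueMap.class);
        if (props == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        props.put("note", note);
        resolver.commit();  // PersistenceException (an IOException) if the repository denies it
    }
}
```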