Web Application Security and Modern Frameworks

•

1 like•1,743 views

lastrand

Presentation about Rich Internet Application security with GWT and Vaadin. Presented at 33rd Degree 2014 in Krakow.

Software Technology

Platinum Sponsor
Kim Leppänen & Leif Åstrand
Web Application
Security and Modern
Frameworks
Disclaimer: Highly technical content ahead. Participating in this
lecture might change your perspective towards the security of
your application. In some cases, listening to this presentation
might cause symptoms such as raised awareness of security and
general interest towards web application security.

<script language="javascript">!
if ( prompt("Enter password") == "supersecret" ) {!
! document.location.href = "secret.html";!
}!
</script>

OWASP Top 10
Open Web Application Security Project

Client Server
UI logic
Business
logic
DB
GWT
DOM

Client Server
UI logic
Business
logic
DB
Vaadin
DOM
Handled by the framework

Username demouser
Password ************
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘“ + request.getParameter(“username”) + “‘ AND!
! ! password=‘“ + request.getParameter(“password”) + “‘“;

!
!
!
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘demouser‘ AND!
! ! password=‘secretpass‘“;
// username = demouser!
// password = secretpass

// username = demouser’ --!
// password = secretpass!
!
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘demouser’--‘ AND!
! ! password=‘secretpass‘“;

GWT
!
• N/A
Vaadin
!
• N/A
Web frameworks can help

A2: Broken
Authentication
and Session
Management

Session ID fixation
!
Exposure of session ID
!
Exposing user credentials

GWT
!
• N/A
Vaadin
!
• Helper for changing
session id
Web frameworks can help

GWT
!
• setText
• SafeHtml
Vaadin
!
• setHtmlContent
Allowed(false)
• Beware of tooltips
(setDescription)
Web frameworks can help

Other things to keep in
mind
The XSS ﬁlter evasion cheat
sheet
Context is king
Consider using Markdown

GWT
!
• Not so much, since
this is mostly a
server-side thing
• Can be hard to
realize the problem
since requests are
“invisible”
Vaadin
!
• All ids are
generated values
that the server uses
to ﬁnd the right
object when
needed
Web frameworks can help

GWT
!
• N/A
Vaadin
!
• productionMode =
true
Web frameworks can help

Keep in mind
Avoid handling sensitive data,
e.g. credit card numbers
Salt and hash passwords
Use SSL, no excuses!

A7: Missing
Function Level
Access Control

Banking application example
Account 4059820-440198
Amount 130,00 €
http://your.bank/transfer?
account=4059820-440198&amount=130,00

http://your.bank/transfer?
account=4059820-440198&amount=130,00
<img src=“
“ />

Creative commons - http://www.ﬂickr.com/photos/esparta/367002402/

You’ve got mail
Creative Commons - http://www.ﬂickr.com/photos/8058853@N06/2685196800/

Banking application example
Account 4059820-440198
Amount 130,00 €
http://your.bank/transfer?
account=4059820-440198&amount=130,00
&token=ab8342d8943nkg34iung3o9j

GWT
!
• GWT-RPC:
XsrfTokenService
and/or
HasRpcToken
• RequestFactory:
Make your own
RequestTransport
Vaadin
!
• Secured out of the
box
Web frameworks can help

A9: Using
Components
with Known
Vulnerabilities

How do you
know whether
they are
vulnerable?

<a href=”http://myapp.com?
redirect=example.com/evil"> Open app </a>!

Questions?
!
? leif@vaadin.com
kim@vaadin.com

What's hot

Securing Web Applications with Token AuthenticationStormpath

Coding Uirajivmordani

Mobile Authentication for iOS Applications - Stormpath 101Stormpath

Cross Site Scripting Defense Presentation Ikhade Maro Igbape

Cross-Site Scripting (XSS)Daniel Tumser

Rest Introduction (Chris Jimenez)PiXeL16

The Cross Site Scripting GuideDaisuke_Dan

BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBSides Delhi

Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar

XSSHrishikesh Mishra

Cross site scripting (xss)Manish Kumar

XSS-Alert-Pentration testing toolArjun Jain

XssRajendra Dangwal

Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx

How to Use Stormpath in angular jsStormpath

Cross site scripting XSSRonan Dunne, CEH, SSCP

What is xss, blind xss and xploiting google gadgetsZiv Ginsberg

You wanna crypto in AEMDamien Antipa

Cross Site Scripting(XSS)Nabin Dutta

Web Application SecurityNelsan Ellis

What's hot (20)

Securing Web Applications with Token Authentication

Coding Ui

Mobile Authentication for iOS Applications - Stormpath 101

Cross Site Scripting Defense Presentation

Cross-Site Scripting (XSS)

Rest Introduction (Chris Jimenez)

The Cross Site Scripting Guide

BsidesDelhi 2018: DomGoat - the DOM Security Playground

Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar

XSS

Cross site scripting (xss)

XSS-Alert-Pentration testing tool

Xss

Owasp Top 10 A3: Cross Site Scripting (XSS)

How to Use Stormpath in angular js

Cross site scripting XSS

What is xss, blind xss and xploiting google gadgets

You wanna crypto in AEM

Cross Site Scripting(XSS)

Web Application Security

Similar to Web Application Security and Modern Frameworks

Jan 2008 Allupllangit

Writing Secure Code – Threat Defenseamiable_indian

Application Securitynirola

Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath

phpbhuvana553

The top 10 security issues in web applicationsDevnology

Devbeat Conference - Developer First SecurityMichael Coates

Hacking Client Side Insecuritiesamiable_indian

Starwest 2008Caleb Sima

Top Ten Tips For Tenacious Defense In Asp.Netalsmola

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff

Token Authentication for Java ApplicationsStormpath

Become a Security NinjaPaul Gilzow

Web Application Security: The Land that Information Security ForgotJeremiah Grossman

Secure coding in C#Siddharth Bezalwar

Spa Secure Coding GuideGeoffrey Vandiest

Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network

Web Application Security - "In theory and practice"Jeremiah Grossman

Defcon9 Presentation2001Miguel Ibarra

Top 10 Web Security VulnerabilitiesCarol McDonald

Similar to Web Application Security and Modern Frameworks (20)

Jan 2008 Allup

Writing Secure Code – Threat Defense

Application Security

Building Secure User Interfaces With JWTs (JSON Web Tokens)

php

The top 10 security issues in web applications

Devbeat Conference - Developer First Security

Hacking Client Side Insecurities

Starwest 2008

Top Ten Tips For Tenacious Defense In Asp.Net

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

Token Authentication for Java Applications

Become a Security Ninja

Web Application Security: The Land that Information Security Forgot

Secure coding in C#

Spa Secure Coding Guide

Developing Secure Applications and Defending Against Common Attacks

Web Application Security - "In theory and practice"

Defcon9 Presentation2001

Top 10 Web Security Vulnerabilities

Recently uploaded

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILNatan Silnitsky

2024 RoOUG Security model for the cloud.pptxGeorgi Kodinov

Accelerate Enterprise Software Engineering with PlatformlessWSO2

Designing for Privacy in Amazon Web ServicesKrzysztofKkol1

De mooiste recreatieve routes ontdekken met RouteYou en FMEJelle | Nordend

Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...Abortion Clinic

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfkalichargn70th171

Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...rajkumar669520

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus

Advanced Flow Concepts Every Developer Should KnowPeter Caitens

First Steps with Globus Compute Multi-User EndpointsGlobus

Agnieszka Andrzejewska - BIM School Course in Krakówbim.edu.pl

Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus

AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAlluxio, Inc.

Corporate Management | Session 3 of 3 | Tendenci AMSTendenci - The Open Source AMS (Association Management Software)

OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro

Globus Connect Server Deep Dive - GlobusWorld 2024Globus

How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo

SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar

Recently uploaded (20)

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

2024 RoOUG Security model for the cloud.pptx

Accelerate Enterprise Software Engineering with Platformless

Designing for Privacy in Amazon Web Services

De mooiste recreatieve routes ontdekken met RouteYou en FME

Abortion ^Clinic ^%[+971588192166''] Abortion Pill Al Ain (?@?) Abortion Pill...

A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf

Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...

Advanced Flow Concepts Every Developer Should Know

First Steps with Globus Compute Multi-User Endpoints

Agnieszka Andrzejewska - BIM School Course in Kraków

Enhancing Research Orchestration Capabilities at ORNL.pdf

AI/ML Infra Meetup | Perspective on Deep Learning Framework

Corporate Management | Session 3 of 3 | Tendenci AMS

OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam

How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?

Globus Connect Server Deep Dive - GlobusWorld 2024

How Recreation Management Software Can Streamline Your Operations.pptx

SOCRadar Research Team: Latest Activities of IntelBroker

Web Application Security and Modern Frameworks

1. Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks Disclaimer: Highly technical content ahead. Participating in this lecture might change your perspective towards the security of your application. In some cases, listening to this presentation might cause symptoms such as raised awareness of security and general interest towards web application security.

2. <script language="javascript">! if ( prompt("Enter password") == "supersecret" ) {! ! document.location.href = "secret.html";! }! </script>

3. OWASP Top 10 Open Web Application Security Project

4. Rich Internet Applications

7. Client Server UI logic Business logic DB GWT DOM

8. Client Server UI logic Business logic DB Vaadin DOM Handled by the framework

9. A1: Injection

10. Username demouser Password ************ String sql = ! ! “SELECT * FROM users ! ! WHERE ! ! ! username=‘“ + request.getParameter(“username”) + “‘ AND! ! ! password=‘“ + request.getParameter(“password”) + “‘“;

11. ! ! ! String sql = ! ! “SELECT * FROM users ! ! WHERE ! ! ! username=‘demouser‘ AND! ! ! password=‘secretpass‘“; // username = demouser! // password = secretpass

12. // username = demouser’ --! // password = secretpass! ! String sql = ! ! “SELECT * FROM users ! ! WHERE ! ! ! username=‘demouser’--‘ AND! ! ! password=‘secretpass‘“;

13. GWT ! • N/A Vaadin ! • N/A Web frameworks can help

14. A2: Broken Authentication and Session Management

15. Session ID fixation ! Exposure of session ID ! Exposing user credentials

16. GWT ! • N/A Vaadin ! • Helper for changing session id Web frameworks can help

17. A3: Cross-Site Scripting (XSS)

18. Demo: auction application

19. GWT ! • setText • SafeHtml Vaadin ! • setHtmlContent Allowed(false) • Beware of tooltips (setDescription) Web frameworks can help

20. Other things to keep in mind The XSS ﬁlter evasion cheat sheet Context is king Consider using Markdown

21. A4: Insecure Direct Object References

22. GWT ! • Not so much, since this is mostly a server-side thing • Can be hard to realize the problem since requests are “invisible” Vaadin ! • All ids are generated values that the server uses to ﬁnd the right object when needed Web frameworks can help

23. A5: Security Misconfiguration

24. GWT ! • N/A Vaadin ! • productionMode = true Web frameworks can help

25. A6: Sensitive Data Exposure

26. Keep in mind Avoid handling sensitive data, e.g. credit card numbers Salt and hash passwords Use SSL, no excuses!

27. A7: Missing Function Level Access Control

28. A8: Cross-Site Request Forgery (CSRF)

29. Banking application example Account 4059820-440198 Amount 130,00 € http://your.bank/transfer? account=4059820-440198&amount=130,00

30. http://your.bank/transfer? account=4059820-440198&amount=130,00 <img src=“ “ />

31. Creative commons - http://www.ﬂickr.com/photos/esparta/367002402/

32. You’ve got mail Creative Commons - http://www.ﬂickr.com/photos/8058853@N06/2685196800/

33. Your bank Rogue bank

34. Banking application example Account 4059820-440198 Amount 130,00 € http://your.bank/transfer? account=4059820-440198&amount=130,00 &token=ab8342d8943nkg34iung3o9j

35. GWT ! • GWT-RPC: XsrfTokenService and/or HasRpcToken • RequestFactory: Make your own RequestTransport Vaadin ! • Secured out of the box Web frameworks can help

36. A9: Using Components with Known Vulnerabilities

37. How do you know whether they are vulnerable?

38. A10: Unvalidated Redirects and Forwards

39. <a href=”http://myapp.com? redirect=example.com/evil"> Open app </a>!

40. Very quick conclusion

41. Questions? ! ? leif@vaadin.com kim@vaadin.com