The document discusses the OWASP top 10 security vulnerabilities. It summarizes Cross-Site Scripting (XSS), providing an example of how XSS can be exploited by injecting malicious scripts. It then discusses how to prevent XSS through input validation, output encoding, and using HTTP-only cookies. The document continues summarizing other top vulnerabilities like injection flaws, file execution, insecure object references, and countermeasures.
Xebia Knowledge Exchange - OWASP Top Ten
2. OWASP Security Top Ten
This presentation is based on
OWASP Top 10 For Java EE
The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications
http://www.owasp.org/index.php/Top_10_2007
4. Cross Site Scripting (XSS)
What ?
Subset of HTML injection
Data provided by a malicious user is rendered in web pages and executes scripts in other users' browsers
Goal ?
Hijack user session, steal user data, deface web site, etc
Sample
lastName: Cyrille "><script ... />
5. Cross Site Scripting (XSS)
How to prevent it ?
Input Validation : JSR 303 Bean Validation
Bean
public class Person {
    @Size(min = 1, max = 256)
    private String lastName;

    @Size(max = 256)
    @Pattern(regexp = ".+@.+\\.[a-z]+")
    private String email;
    ...
}
Controller
@Controller
@RequestMapping("/person")
public class PersonController {
    @RequestMapping(method = RequestMethod.POST)
    public void save(@Valid Person person) {
        // ...
    }
}
Validation narrows what is accepted (length, format) but a 256-character last name can still contain "<script>": output escaping (next slide) is still required.
6. Cross Site Scripting (XSS)
How to prevent it ?
HTML output escaping
JSTL
<h2>Welcome <c:out value="${person.lastName}" /></h2>
Expression language danger : JSP EL does NOT escape !!!
<h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>
Spring MVC
» Global escaping
<web-app>
  <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
  </context-param>
  ...
</web-app>
» Page level
<spring:htmlEscape defaultHtmlEscape="true" />
Both Spring settings apply to Spring's form and bind tags, not to raw ${...} expressions.
7. Cross Site Scripting (XSS)
How to prevent it ?
Use HTTP Only cookies
Cookies not accessible via javascript
Introduced with Servlet 3.0
cookie.setHttpOnly(true);
Before Servlet 3.0 there is no web.xml configuration for the JSESSIONID cookie, hence the container-specific and manual workarounds below
Since Tomcat 6.0.20 for session cookies
<Context useHttpOnly="true">
  ...
</Context>
Manual workaround
// addHeader, not setHeader: setHeader would replace any Set-Cookie header already written
response.addHeader("Set-Cookie", "foo=" + bar + "; HttpOnly");
8. Cross Site Scripting (XSS)
How to prevent it ?
Do not use blacklist validation but whitelist validation
Forbidden (blacklist) : <script>, <img>
Prefer wiki/forum white list style: [img], [url], [strong]
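Added example, not from the deck: the blacklist filter the slide warns against beside a whitelist renderer in the wiki/forum style it recommends. It is written in Python rather than Java so it runs stand-alone; the sample posts, the [b]/[i]/[url] grammar and the `looks_executable` marker check are constructed for the demo. The point it makes is that a substring blacklist is defeated by case changes and by nesting the forbidden token inside itself, while the whitelist approach escapes everything first and then re-enables a small, known-safe grammar.

```python
import html
import re

# Constructed sample posts (not from the deck), the kind of text a forum user might submit.
SAMPLES = {
    "plain": "Cyrille <script>alert(1)</script>",
    "mixed_case": "<ScRiPt>alert(1)</ScRiPt>",
    "nested": '<<imgimg src=x onerror="alert(1)">',
    "bbcode": "[b]bold[/b] and [url=https://owasp.org]OWASP[/url]",
    "bad_url": "[url=javascript:alert(1)]click[/url]",
}

BLACKLIST = ("<script>", "<img")


def blacklist_filter(text):
    """The approach the deck warns against: strip a list of known-bad substrings."""
    for bad in BLACKLIST:
        text = text.replace(bad, "")
    return text


def looks_executable(rendered):
    """Crude marker check used only to show the bypasses; a browser is the real judge."""
    low = rendered.lower()
    return "<script" in low or "<img" in low


# Whitelist markup: only these three constructs are ever turned into HTML.
_INLINE_RE = re.compile(r"\[(b|i)\](.*?)\[/\1\]", re.DOTALL)
_URL_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL)


def _safe_href(url):
    # Only absolute http(s) links become anchors; javascript:, data: etc. are dropped.
    return url.startswith("http://") or url.startswith("https://")


def render_whitelist(text):
    """Escape everything first, then re-enable only [b], [i] and [url=...]."""
    # After this line <, >, &, " and ' can no longer form HTML, so whatever the
    # regexes below re-inject is built only from our own literals plus escaped text.
    escaped = html.escape(text, quote=True)
    escaped = _INLINE_RE.sub(
        lambda m: "<%s>%s</%s>" % (m.group(1), m.group(2), m.group(1)), escaped
    )

    def link(m):
        href, label = m.group(1), m.group(2)
        if not _safe_href(href):
            return label  # keep the (already escaped) label, drop the link
        return '<a href="%s">%s</a>' % (href, label)

    return _URL_RE.sub(link, escaped)


if __name__ == "__main__":
    for name, post in SAMPLES.items():
        print("%-10s blacklist: %s" % (name, blacklist_filter(post)))
        print("%-10s whitelist: %s" % (name, render_whitelist(post)))
```

Because the whitelist renderer escapes before it parses, a `"` inside a [url=...] target arrives as `&quot;` and cannot close the href attribute; the only remaining decision is the URL scheme check.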
10. Injection Flaws
What ?
Malicious data provided by user to read or modify sensitive data
Types of injection : SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more
Goal ?
Create, modify, delete, read data
Sample
lastName: Cyrille "; INSERT INTO MONEY_TRANSFER ...
11. Injection Flaws
How to prevent it ?
Input validation
XSD with regular expression, min and max values, etc
JSR 303 Bean Validation
12. Injection Flaws
How to prevent it ?
Use strongly typed parameterized query API
JDBC
preparedStatement.setString(1, lastName);
JPA
query.setParameter("lastName", lastName);
HTTP
GetMethod getMethod = new GetMethod("/findPerson");
getMethod.setQueryString(new NameValuePair[]{new NameValuePair("lastName", lastName)});
XML
Element lastNameElt = doc.createElement("lastName");
lastNameElt.appendChild(doc.createTextNode(lastName));
XPath :-(
13. Injection Flaws
How to prevent it ? Caution !
If not, use escaping libraries very cautiously !!!
HTML
"<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";
Javascript
"lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";
HTTP
"/findPerson?lastName=" + URLEncoder.encode(lastName, "UTF-8");
XML
"<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";
Don't use simple escaping functions !
StringUtils.replaceChars(lastName, "'", "''");
14. Injection Flaws
How to prevent it ?
Don't use dynamic queries at all !
String concatenation (vulnerable)
if (StringUtils.isNotEmpty(lastName)) {
    jpaQl += " lastName like '" + lastName + "'";
}
Criteria API (shown with Hibernate Criteria)
if (StringUtils.isNotEmpty(lastName)) {
    criteria.add(Restrictions.like("lastName", lastName));
}
JPA 1 Query API with named parameters
Map<String, Object> parameters = new HashMap<String, Object>();
if (StringUtils.isNotEmpty(lastName)) {
    jpaQl += " lastName like :lastName ";
    parameters.put("lastName", lastName);
}
Query query = entityManager.createQuery(jpaQl);
for (Entry<String, Object> parameter : parameters.entrySet()) {
    query.setParameter(parameter.getKey(), parameter.getValue());
}
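Added example, not from the deck: the three query styles of this slide and of slide 12 side by side, in Python with the standard-library sqlite3 module so it runs without a database server. The `person` table and its rows are constructed for the demo. `find_dynamic` reproduces the concatenated query, `find_parameterized` binds the value, and `build_search` shows the deck's parameters-map pattern: the WHERE clause is assembled dynamically from optional filters, but every value still travels as a bound parameter.

```python
import sqlite3

# Constructed rows (not from the deck).
PEOPLE = [("Le Clerc", "c@example.org"), ("Alliaume", "e@example.org"), ("Bea", "j@example.org")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO person (last_name, email) VALUES (?, ?)", PEOPLE)
    return conn


def find_dynamic(conn, last_name):
    """The deck's first snippet: the value becomes part of the query text. Vulnerable."""
    sql = "SELECT last_name FROM person WHERE last_name LIKE '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn, last_name):
    """Same query, but the value is bound: the driver never parses it as SQL."""
    sql = "SELECT last_name FROM person WHERE last_name LIKE ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def build_search(last_name=None, email=None):
    """Dynamic WHERE clause built from optional filters, every value bound
    (the deck's parameters map for the JPA Query API, in Python)."""
    clauses, params = [], []
    if last_name:
        clauses.append("last_name = ?")
        params.append(last_name)
    if email:
        clauses.append("email = ?")
        params.append(email)
    sql = "SELECT last_name FROM person"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def search(conn, last_name=None, email=None):
    sql, params = build_search(last_name, email)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("dynamic      :", find_dynamic(conn, payload))        # every row leaks
    print("parameterized:", find_parameterized(conn, payload))  # nothing matches
    print("search       :", search(conn, last_name="Bea", email="j@example.org"))
```

Binding stops injection, not misuse of the operator: `find_parameterized(conn, "%")` still returns every row because `%` is a LIKE wildcard. That is a validation concern (the "reject wildcards" point on slide 21), separate from parameterization.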
15. Injection Flaws
How to prevent it ?
Enforce least privileges
Don’t be root
Limit database access to Data Manipulation Language
Limit file system access
Use firewalls to enter-from / go-to the Internet
17. Malicious File Execution
What ?
A file name or file path provided by the user is used to access files on the server
Goal ?
Read or modify sensitive data
Remotely execute files (rootkits, etc)
Sample
pictureName: ../../WEB-INF/web.xml
18. Malicious File Execution
How to prevent it ?
Don't build file paths from user provided data (vulnerable) :
String picturesFolder = servletContext.getRealPath("/pictures");
String pictureName = request.getParameter("pictureName");
File picture = new File(picturesFolder + "/" + pictureName);
Don't execute commands with user provided data (vulnerable) :
Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));
Expose an indirection identifier to users instead of the file name
Use firewalls to prevent servers from connecting to outside sites
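Added example, not from the deck: a path check for the picture lookup on this slide, plus the indirection identifier it recommends, in Python so it runs stand-alone. The directory layout built by `make_sample_tree` and the `PICTURE_IDS` catalogue are constructed for the demo. The check canonicalises both the base folder and the candidate (collapsing `..` and following symlinks) and then requires the base to be the common prefix; a plain `startswith` test would wrongly accept a sibling folder whose name merely begins with the base name.

```python
import os
import tempfile

# Constructed catalogue (not from the deck): clients only ever see the ids on the left.
PICTURE_IDS = {"1": "cat.png", "2": "dog.png"}


def resolve_picture(pictures_folder, picture_name):
    """Absolute path of picture_name inside pictures_folder, or None if it escapes it."""
    base = os.path.realpath(pictures_folder)
    # os.path.join discards base when picture_name is absolute ("/etc/passwd");
    # realpath collapses ".." and follows symlinks, so the check sees the real target.
    candidate = os.path.realpath(os.path.join(base, picture_name))
    # commonpath, not startswith: startswith would accept "<root>/pictures-private/x"
    # for base "<root>/pictures".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def picture_for_id(pictures_folder, picture_id):
    """Indirection: an opaque id maps to a server-chosen file name, never a client-chosen one."""
    name = PICTURE_IDS.get(picture_id)
    return None if name is None else resolve_picture(pictures_folder, name)


def make_sample_tree():
    """Constructed layout: <root>/pictures/cat.png, <root>/pictures-private/leak.txt,
    <root>/secret.txt. Returns (root, pictures folder)."""
    root = tempfile.mkdtemp()
    pictures = os.path.join(root, "pictures")
    private = os.path.join(root, "pictures-private")
    os.mkdir(pictures)
    os.mkdir(private)
    for path in (os.path.join(pictures, "cat.png"),
                 os.path.join(private, "leak.txt"),
                 os.path.join(root, "secret.txt")):
        with open(path, "w") as f:
            f.write("sample")
    return root, pictures


if __name__ == "__main__":
    root, pictures = make_sample_tree()
    for name in ("cat.png", "../secret.txt", "../pictures-private/leak.txt",
                 "../../WEB-INF/web.xml", "/etc/passwd"):
        print("%-30s -> %s" % (name, resolve_picture(pictures, name)))
    print("id 1 ->", picture_for_id(pictures, "1"))
```

The same rule applies to the `exec` line on the slide: pass the resolved path as a separate argument vector element rather than splicing it into a command string.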
20. Insecure Direct Object Reference
What ?
Transmit user forgeable identifiers without controlling them server side
Goal ?
Create, modify, delete, read other users' data
Sample
<html><body>
<form name="shoppingCart">
<input name="id" type="hidden" value="32" />
...
</form>
</body></html>
// whatever id the client sends is loaded, whoever owns it
ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));
21. Insecure Direct Object Reference
How to prevent it ?
Input identifier validation
reject wildcards ("10%20")
Add server side identifiers
Criteria criteria = session.createCriteria(ShoppingCart.class);
// eq, not like: a LIKE restriction would honour the "%" wildcard rejected above
criteria.add(Restrictions.eq("id", request.getParameter("id")));
criteria.add(Restrictions.eq("clientId", request.getRemoteUser()));
ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();
Control access permissions
See Spring Security
22. Insecure Direct Object Reference
How to prevent it ?
Use server side indirection with generated random identifiers
String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());
<html><body>
<form name="shoppingCart">
<input name="id" type="hidden" value="${indirectId}" />
...
</form>
</body></html>
String indirectId = request.getParameter("id");
String id = accessReferenceMap.getDirectReference(indirectId);
ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);
See org.owasp.esapi.AccessReferenceMap
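Added example, not from the deck and not the ESAPI class it names: a minimal per-session access reference map in Python, showing the two halves of this slide (issue the indirect id when rendering, translate it back on the request). The `CARTS` table and the two users are constructed for the demo. Each session holds its own map, so an indirect id issued to one user does not resolve in another user's session, and a raw database id sent by the client resolves nowhere.

```python
import secrets


class AccessReferenceMap:
    """Per-session translation between direct ids (database keys) and random indirect ids."""

    def __init__(self):
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}

    def add_direct_reference(self, direct):
        """Register a direct id the current user may access; returns its indirect id."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        indirect = secrets.token_urlsafe(12)  # 96 random bits, not guessable or enumerable
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def get_indirect_reference(self, direct):
        return self._direct_to_indirect[direct]

    def get_direct_reference(self, indirect):
        """Only ids this session registered resolve; anything else is an access violation."""
        if indirect not in self._indirect_to_direct:
            raise PermissionError("unknown indirect reference: %r" % indirect)
        return self._indirect_to_direct[indirect]


# Constructed data (not from the deck): cart id -> owner.
CARTS = {32: "alice", 33: "alice", 99: "bob"}


def render_cart_form(session_map, cart_id):
    """What goes to the browser: the hidden field carries the indirect id only."""
    indirect = session_map.add_direct_reference(cart_id)
    return '<input name="id" type="hidden" value="%s" />' % indirect


def load_cart(session_map, submitted_id):
    """What runs on the request: translate back, then use the direct id server side."""
    direct = session_map.get_direct_reference(submitted_id)
    return direct, CARTS[direct]


def is_rejected(session_map, submitted_id):
    """True when the submitted id does not resolve in this session."""
    try:
        load_cart(session_map, submitted_id)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    alice, bob = AccessReferenceMap(), AccessReferenceMap()
    print(render_cart_form(alice, 32))
    print("alice's own token ->", load_cart(alice, alice.get_indirect_reference(32)))
    print("raw id '32' rejected ->", is_rejected(alice, "32"))
    print("bob's token in alice's session rejected ->",
          is_rejected(alice, bob.add_direct_reference(99)))
```

The map must live in the server-side session (or be derived from it): if it were global, any user could replay another user's indirect id, which is the situation the slide starts from.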
24. Cross Site Request Forgery (CSRF)
What ?
Assumes the user is logged in to another web site and sends a malicious request to it on the user's behalf
Ajax web sites are very exposed !
Goal ?
Perform operations without asking the user
Sample
http://mybank.com/transfer.do?amount=100000&recipientAccount=12345
25. Cross Site Request Forgery (CSRF)
How to prevent it ?
Ensure that no XSS vulnerability exists in your application
Use a random token in sensitive forms
<form action="/transfer.do">
  <input name="token" type="hidden" value="14689423257893257" />
  <input name="amount" />
  ...
</form>
Spring Web Flow and Struts 2 provide such random token mechanisms
Re-authenticate user for sensitive operations
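Added example, not from the deck: the token mechanism of this slide in Python, with both sides of the exchange. `new_session` stands in for the container's HttpSession, the form mirrors the slide's, and `handle_transfer` is a constructed handler for /transfer.do. The forged request is the deck's own sample URL from slide 24 (a GET with no token); the handler rejects it on method alone, rejects a POST without a token, rejects a token issued to a different session, and accepts only the token it issued to this session, compared in constant time.

```python
import hmac
import secrets


def new_session(user):
    """Constructed stand-in for the container's HttpSession: one random token per session."""
    return {"user": user, "csrf": secrets.token_urlsafe(32)}


def render_transfer_form(session):
    """The deck's form with the per-session token carried in the hidden field."""
    template = (
        '<form action="/transfer.do" method="post">\n'
        '  <input name="token" type="hidden" value="%s" />\n'
        '  <input name="amount" />\n'
        '  <input name="recipientAccount" />\n'
        "</form>"
    )
    return template % session["csrf"]


def handle_transfer(session, method, params):
    """Server side of /transfer.do. Returns (status, message)."""
    if method != "POST":
        # Slide 24's attack is a bare GET URL: state changes must never ride on GET.
        return 405, "method not allowed"
    token = params.get("token", "")
    expected = session.get("csrf", "")
    # Constant-time compare on bytes; the session's own token is the only source of truth,
    # so a token lifted from the attacker's session does not help.
    if not token or not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer %s to %s for %s" % (
        params["amount"], params["recipientAccount"], session["user"])


if __name__ == "__main__":
    victim = new_session("cyrille")
    attacker = new_session("mallory")
    forged = {"amount": "100000", "recipientAccount": "12345"}  # slide 24's sample
    print("forged GET          :", handle_transfer(victim, "GET", forged))
    print("forged POST no token:", handle_transfer(victim, "POST", forged))
    print("attacker's own token:", handle_transfer(victim, "POST", dict(forged, token=attacker["csrf"])))
    print("legitimate          :", handle_transfer(victim, "POST", dict(forged, token=victim["csrf"])))
```

This is also why the slide first insists on the absence of XSS: a script running in the victim's origin can read the hidden field and replay the token, and no token scheme survives that.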
27. Information Leakage and Improper Exception Handling
What ?
Sensitive code details given to hackers
Usually done raising exceptions
Goal ?
Discover code details to discover vulnerabilities
29. Information Leakage and Improper Exception Handling
How to prevent it ?
Avoid detailed error messages
Beware of development mode messages !
web.xml
<web-app>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/empty-error-page.jsp</location>
</error-page>
...
</web-app>
Tomcat
<Server ...>
<Service ...>
<Engine ...>
<Host
errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve"
...>
...
</Host>
</Engine>
</Service>
</Server>
30. Information Leakage and Improper Exception Handling
How to prevent it ?
Don’t display stack traces in Soap Faults
Sanitize GUI error messages
Sample : “Invalid login or password”
32. Broken Authentication and Session Management
What ?
Web authentication and session handling have many pitfalls
Goal ?
Hijack user session
33. Broken Authentication and Session Management
How to prevent it ?
Log session initiation and sensitive data access
Remote IP, time, login, sensitive data & operation accessed
Use a dedicated log4j output file that is never overwritten
#Audit
log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.audit.datePattern='-'yyyyMMdd
log4j.appender.audit.file=audit.log
log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.audit.layout.conversionPattern=%m %throwable{short}%n
log4j.logger.com.mycompany.audit.Audit=INFO, audit
log4j.additivity.com.mycompany.audit.Audit=false
Use out of the box session and authentication mechanisms
Don't create your own cookies
Look at Spring Security
34. Broken Authentication and Session Management
How to prevent it ?
Use SSL and a random token for authentication pages, including the login page display
Regenerate a new session on successful authentication
Use HttpOnly session cookies, don't use URL rewriting based session handling
Prevent brute force attacks using timeouts or account locking on authentication failures
Don't store clear text passwords, consider SSHA
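Added example, not from the deck: two items of this slide in Python, salted password hashing in the LDAP {SSHA} layout the slide names and a failure counter that locks a login after repeated failures. The users table, the clock injection and the `DUMMY_HASH` trick are constructed for the demo. {SSHA} (one SHA-1 over password plus salt, salt appended to the stored value) is shown because the slide recommends it; a deployment written today would use a deliberately slow hash (bcrypt, scrypt or Argon2) instead, the lockout and constant-time comparison being unchanged.

```python
import base64
import hashlib
import hmac
import os
import time


def ssha_hash(password, salt=None):
    """LDAP-style {SSHA}: base64( sha1(password + salt) + salt ), 8 random salt bytes."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute with the salt stored after the 20-byte SHA-1 digest; constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


# Verified for unknown logins so a missing user costs the same time as a wrong password.
DUMMY_HASH = ssha_hash("not-a-real-password")


class LoginThrottle:
    """Lock a login after max_failures consecutive failures, for lock_seconds."""

    def __init__(self, max_failures=5, lock_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock      # injectable so lock expiry can be exercised without sleeping
        self._failures = {}     # login -> (consecutive failures, locked_until)

    def is_locked(self, login):
        count, until = self._failures.get(login, (0, 0.0))
        return count >= self.max_failures and self.clock() < until

    def record(self, login, success):
        if success:
            self._failures.pop(login, None)
            return
        count, _ = self._failures.get(login, (0, 0.0))
        self._failures[login] = (count + 1, self.clock() + self.lock_seconds)


def authenticate(users, throttle, login, password):
    """users maps login -> {SSHA} string. Returns "ok", "invalid" or "locked"."""
    if throttle.is_locked(login):
        return "locked"
    stored = users.get(login)
    ok = ssha_verify(password, stored if stored is not None else DUMMY_HASH) and stored is not None
    throttle.record(login, ok)
    # One message for bad login and bad password, as in slide 30's "Invalid login or password".
    return "ok" if ok else "invalid"


if __name__ == "__main__":
    users = {"cyrille": ssha_hash("s3cret")}   # constructed user table
    throttle = LoginThrottle(max_failures=3, lock_seconds=60)
    print(users["cyrille"])
    for attempt in ("wrong", "wrong", "wrong", "s3cret"):
        print(attempt, "->", authenticate(users, throttle, "cyrille", attempt))
```

A throttle keyed only by login lets an attacker lock legitimate users out on purpose; in practice it is combined with per-IP limits and delays, which the slide lists as the timeout alternative.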
35. Broken Authentication and Session Management
How to prevent it ?
Use a session timeout period
Remember Me cookies must be invalidated on password change (see Spring Security)
Beware not to write passwords in log files
Server generated passwords (lost password, etc) must be valid only once
Be able to distinguish SSL communications from plain ones
36. Broken Authentication and Session Management
How to prevent it ?
For server to server communication, restrict by remote IP in addition to password validation
41. Insecure Communications
What ?
Unencrypted communications are easy to eavesdrop on and tamper with
Goal ?
Steal sensitive data, hijack user session
42. Insecure Communications
How to prevent it ?
Use SSL with the Servlet API
request.isSecure()
<web-app ...>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted web services</web-resource-name>
<url-pattern>/services/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
...
</web-app>
43. Insecure Communications
How to prevent it ?
Use SSL with Spring Security
<beans ...>
<sec:http auto-config="true">
<sec:intercept-url
pattern="/services/**"
requires-channel="https"
access="IS_AUTHENTICATED_FULLY" />
</sec:http>
</beans>