OWASP Security Top Ten




                www.xebia.fr / blog.xebia.fr
OWASP Security Top Ten

   This presentation is based on

                  OWASP Top 10 For Java EE
        The Ten Most Critical Web Application Security
        Vulnerabilities For Java Enterprise Applications
         http://www.owasp.org/index.php/Top_10_2007




Cross Site Scripting (XSS)




Cross Site Scripting (XSS)

   What ?
     Subset of HTML injections
     Data provided by malicious users is rendered in web pages and
      executes scripts in the victim's browser


   Goal ?
       Hijack user session, steal user data, deface web site, etc



   Sample
       lastName:   Cyrille "><script ... />




Cross Site Scripting (XSS)
How to prevent it ?
   Input Validation : JSR 303 Bean Validation

       Bean
            public class Person {
              @Size(min = 1, max = 256)
              private String lastName;

              // The dot before the domain suffix must be escaped: an unescaped "." matches any character
              @Size(max = 256)
              @Pattern(regexp = ".+@.+\\.[a-z]+")
              private String email;
              ...
            }

       Controller
            @Controller
            @RequestMapping("/person")
            public class PersonController {

                // @Valid runs the Bean Validation constraints on the bound request data
                @RequestMapping(method = RequestMethod.POST)
                public void save(@Valid Person person) {
                  // ...
                }
            }
Cross Site Scripting (XSS)
How to prevent it ?
   HTML output escaping
       JSTL
                       <h2>Welcome <c:out value="${person.lastName}" /></h2>

       Expression language danger : it does NOT escape !!!
                       <h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>
         » JSP EL does NOT escape !

       Spring MVC
        » Global escaping
                       <web-app>
                         <context-param>
                             <param-name>defaultHtmlEscape</param-name>
                             <param-value>true</param-value>
                         </context-param>
                         ...
                       </web-app>
        » Page level
                       <spring:htmlEscape defaultHtmlEscape="true" />
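The escaping that `<c:out>` performs, written out as plain Java so the difference between the two JSP fragments above can be seen on the slide's own sample value. This is an added example, not code from the slides or from JSTL; the class name and the five-entity table are assumptions for the example, the payload is constructed after the slide's `Cyrille "><script ... />` sample.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not from the slides): HTML escaping for text and attribute
 * values, the transformation <c:out> applies and ${...} does not.
 */
public final class HtmlEscape {

    // The characters that can change the meaning of HTML text or of a quoted attribute.
    private static final Map<Character, String> ENTITIES;
    static {
        Map<Character, String> m = new LinkedHashMap<Character, String>();
        m.put('&', "&amp;");
        m.put('<', "&lt;");
        m.put('>', "&gt;");
        m.put('"', "&#34;");
        m.put('\'', "&#39;"); // <c:out> escapes the single quote as well
        ENTITIES = Collections.unmodifiableMap(m);
    }

    private HtmlEscape() {}

    /** Replaces every HTML-significant character by its entity; null stays null. */
    public static String escapeHtml(String input) {
        if (input == null) {
            return null;
        }
        // One pass over the input: each character is either copied or replaced,
        // so an already escaped "&amp;" in the input is escaped again (no double-decoding surprises).
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            String entity = ENTITIES.get(c);
            out.append(entity != null ? entity : String.valueOf(c));
        }
        return out.toString();
    }

    /** The slide's greeting, rendered the way <c:out value="${person.lastName}"/> renders it. */
    public static String welcome(String lastName) {
        return "<h2>Welcome " + escapeHtml(lastName) + "</h2>";
    }

    public static void main(String[] args) {
        // Constructed input modelled on the slide's sample: lastName: Cyrille "><script ... />
        String hostile = "Cyrille \"><script>/* ... */</script>";
        System.out.println("${person.lastName} (not escaped): <h2>Welcome " + hostile + "</h2>");
        System.out.println("<c:out> (escaped)              : " + welcome(hostile));
    }
}
```

The escaped form keeps the closing `"` and `>` inside the text node, so the browser renders the script tag as literal characters instead of executing it. Escaping belongs at the output, in the context where the value is rendered; the same value needs a different escaper inside a JavaScript literal or a URL.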
Cross Site Scripting (XSS)
How to prevent it ?
   Use HTTP Only cookies
       Cookies not accessible via javascript

       Introduced with Servlet 3.0
           cookie.setHttpOnly(true);
         » JSESSIONID configuration for web.xml

       Since Tomcat 6.0.20 for session cookies
           <Context useHttpOnly="true">
           ...
           </Context>

       Manual workaround (before Servlet 3.0)
           // addHeader, not setHeader: setHeader would replace any cookie already added to the response
           response.addHeader("Set-Cookie", "foo=" + bar + "; HttpOnly");
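The portable Servlet 3.0 way to make the session cookie (JSESSIONID) HttpOnly from code, as an added example that is not from the slides: a `ServletContextListener` that sets the container's `SessionCookieConfig` at start-up, so the setting does not depend on Tomcat's `useHttpOnly` attribute or on rewriting `Set-Cookie` by hand. It assumes the Servlet 3.0 API on the classpath; the class name is an assumption.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Added example (not from the slides): marks the container-managed session
 * cookie HttpOnly for the whole web application using the Servlet 3.0 API.
 * @WebListener registers the listener without a web.xml entry.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // The session cookie is created by the container, not by application code,
        // so cookie.setHttpOnly(true) on our own cookies does not cover it; this does.
        SessionCookieConfig config = sce.getServletContext().getSessionCookieConfig();
        config.setHttpOnly(true);
        // Browsers then keep the cookie out of document.cookie: an XSS payload running in
        // the page can still issue requests, but it cannot read the session id and carry it elsewhere.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

The declarative equivalent is the `<session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>` element of a Servlet 3.0 `web.xml`; the listener form is useful when the same hardening has to be applied to several applications from a shared library. Note that `SessionCookieConfig` must be set before the first session is created, which is why it lives in `contextInitialized`.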
Cross Site Scripting (XSS)
How to prevent it ?
   Do not use blacklist validation but whitelist
     Blacklist style : forbid <script>, <img>, ... (never complete)
     Prefer wiki/forum white list style: [img], [url], [strong]
Injection Flaws




Injection Flaws

   What ?
     Malicious data provided by the user is used to read or modify sensitive data
     Types of injection : SQL, Hibernate Query Language (HQL), LDAP,
      XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP
      requests, and many more


   Goal ?
       Create, modify, delete, read data



   Sample
       lastName: Cyrille "; INSERT INTO
                   MONEY_TRANSFER ...
Injection Flaws
How to prevent it ?
   Input validation
     XSD with regular expression, min and max values, etc
     JSR 303 Bean Validation




Injection Flaws
How to prevent it ?
   Use strongly typed parameterized query API
       JDBC

          preparedStatement.setString(1, lastName);

       JPA
          query.setParameter("lastName", lastName);


       HTTP
          GetMethod getMethod = new GetMethod("/findPerson");
          getMethod.setQueryString(new NameValuePair[]{new NameValuePair("lastName", lastName)});

       XML
          Element lastNameElt = doc.createElement("lastName");
          lastNameElt.appendChild(doc.createTextNode(lastName));

       XPath :-(


Injection Flaws
How to prevent it ?                                                               Caution !
   If not, use escaping libraries very cautiously !!!
       HTML
          "<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";

       Javascript
          "lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";

       HTTP
          "/findPerson?lastName=" + URLEncoder.encode(lastName, "UTF-8");

       XML
          "<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";

   Don't use simple escaping functions !
          StringUtils.replaceChars(lastName, "'", "''");
Injection Flaws
How to prevent it ?
   Don't use dynamic queries at all !
      // Vulnerable: the user value becomes part of the query text
      if (StringUtils.isNotEmpty(lastName)) {
          jpaQl += " lastName like '" + lastName + "'";
      }

      JPA 2 Criteria API
      // Hibernate Criteria shown here; JPA 2's CriteriaBuilder serves the same purpose
      if (StringUtils.isNotEmpty(lastName)) {
          criteria.add(Restrictions.like("lastName", lastName));
      }

      JPA 1 Query API
      // The query text only ever contains the named placeholder; the value is bound afterwards
      Map<String, Object> parameters = new HashMap<String, Object>();
      if (StringUtils.isNotEmpty(lastName)) {
          jpaQl += " lastName like :lastName ";
          parameters.put("lastName", lastName);
      }
      Query query = entityManager.createQuery(jpaQl);
      for (Entry<String, Object> parameter : parameters.entrySet()) {
         query.setParameter(parameter.getKey(), parameter.getValue());
      }
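The same idea as the JPA 1 fragment above, carried through for JDBC as a small reusable builder: optional filters append fixed SQL fragments with `?` placeholders while the user supplied values are collected separately and bound through `PreparedStatement`. This is an added example, not code from the slides; the `person` table, its columns and the hostile value (modelled on the slide's `Cyrille "; INSERT INTO MONEY_TRANSFER ...` sample) are constructed for the example. It also covers the earlier "strongly typed parameterized query API" slide.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not from the slides): a dynamic WHERE clause that stays safe
 * because user data never enters the SQL text, only the bind list.
 */
public final class PersonQueryBuilder {

    // Fixed text written by the developer; "WHERE 1 = 1" lets every filter start with AND.
    private final StringBuilder sql =
            new StringBuilder("SELECT id, first_name, last_name FROM person WHERE 1 = 1");
    private final List<Object> parameters = new ArrayList<Object>();

    /** Optional exact-match filter on the last name. */
    public PersonQueryBuilder lastName(String lastName) {
        if (lastName != null && lastName.length() > 0) {
            sql.append(" AND last_name = ?");
            parameters.add(lastName); // the value goes to the bind list, not into the string
        }
        return this;
    }

    /** Optional lower bound on age; typed as Integer so the driver binds a number, not text. */
    public PersonQueryBuilder minAge(Integer minAge) {
        if (minAge != null) {
            sql.append(" AND age >= ?");
            parameters.add(minAge);
        }
        return this;
    }

    /** The statement text: developer-written fragments and placeholders only. */
    public String sql() {
        return sql.toString();
    }

    /** The bind values, in placeholder order. */
    public List<Object> parameters() {
        return Collections.unmodifiableList(parameters);
    }

    /** Prepares the statement and binds every collected value; JDBC parameter indexes start at 1. */
    public PreparedStatement prepare(Connection connection) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(sql());
        for (int i = 0; i < parameters.size(); i++) {
            statement.setObject(i + 1, parameters.get(i));
        }
        return statement;
    }

    public static void main(String[] args) {
        // Constructed hostile input, after the slide's sample
        String hostile = "Cyrille '; INSERT INTO MONEY_TRANSFER VALUES (...); --";
        PersonQueryBuilder builder = new PersonQueryBuilder().lastName(hostile).minAge(18);

        System.out.println("sent to the database : " + builder.sql());
        System.out.println("bound separately     : " + builder.parameters());
        // For comparison, the slide's dynamic query would have produced:
        System.out.println("unsafe concatenation : ... lastName like '" + hostile + "'");
    }
}
```

Because the statement text is fixed before any value is seen, the database parses `last_name = ?` once and treats the bound string as data whatever it contains; the quote and the semicolon in the hostile value have no syntactic role. The `parameters()` accessor also makes the builder easy to unit test without a database.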
Injection Flaws
How to prevent it ?
   Enforce least privileges
     Don't be root
     Limit database access to Data Manipulation Language

     Limit file system access

     Use firewalls to control traffic coming from / going to the Internet
Malicious File Execution




Malicious File Execution

   What ?
       A malicious file, or a file path provided by users, is used to access files


   Goal ?
     Read or modify sensitive data
     Remotely execute files (rootkits, etc)




   Sample
       pictureName: ../../WEB-INF/web.xml
Malicious File Execution
How to prevent it ?
       Don't build file path from user provided data

        // Vulnerable: "../../WEB-INF/web.xml" walks out of the pictures folder
        String picturesFolder = servletContext.getRealPath("/pictures");
        String pictureName = request.getParameter("pictureName");
        File picture = new File(picturesFolder + "/" + pictureName);


       Don't execute commands with user provided data

        // Vulnerable: the parameter is interpreted by the shell as part of the command line
        Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));


       Expose an indirection identifier to users instead of a file name

       Use firewalls to prevent servers from connecting to outside sites
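The two defences from the slide above, as an added example that is not code from the slides: canonical-path containment for the case where a user supplied name cannot be avoided, and the indirection identifier that removes the file name from the request altogether. The `webapp/pictures` layout, the `logo.png` file and the identifier `42` are constructed for the example; the traversal input is the slide's own sample.

```java
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the slides): resolving a picture safely.
 *  1. resolve(): accept a name only if its canonical path is still under the pictures folder.
 *  2. register()/lookup(): hand out an opaque id and map it back to the real file server side.
 */
public final class PictureResolver {

    private final File picturesFolder;
    private final String picturesRoot; // canonical path with trailing separator
    private final Map<String, File> byId = new HashMap<String, File>();

    public PictureResolver(File picturesFolder) throws IOException {
        // Canonicalise once so later comparisons are against a fully resolved path.
        this.picturesFolder = picturesFolder.getCanonicalFile();
        this.picturesRoot = this.picturesFolder.getPath() + File.separator;
    }

    /**
     * Defence 1: validate a user supplied name. Returns null when the requested
     * file would lie outside the pictures folder (".." segments, absolute paths, symlinks).
     */
    public File resolve(String pictureName) throws IOException {
        if (pictureName == null || pictureName.length() == 0) {
            return null;
        }
        // getCanonicalFile() collapses ".." and follows symbolic links before the check.
        File candidate = new File(picturesFolder, pictureName).getCanonicalFile();
        // The trailing separator matters: without it "/pictures-private/x" would pass for "/pictures".
        if (!candidate.getPath().startsWith(picturesRoot)) {
            return null;
        }
        return candidate;
    }

    /** Defence 2: the server chooses the id; only the id is ever shown to the client. */
    public void register(String id, File picture) {
        byId.put(id, picture);
    }

    /** Unknown ids yield null: no path is ever derived from request data. */
    public File lookup(String id) {
        return byId.get(id);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout relative to the working directory: webapp/pictures, webapp/WEB-INF
        File webRoot = new File("webapp");
        PictureResolver resolver = new PictureResolver(new File(webRoot, "pictures"));

        System.out.println("logo.png               -> " + resolver.resolve("logo.png"));
        // The slide's sample: pictureName: ../../WEB-INF/web.xml
        System.out.println("../../WEB-INF/web.xml  -> " + resolver.resolve("../../WEB-INF/web.xml"));

        resolver.register("42", new File(webRoot, "pictures/logo.png"));
        System.out.println("id 42                  -> " + resolver.lookup("42"));
        System.out.println("id 43 (never issued)   -> " + resolver.lookup("43"));
    }
}
```

`resolve()` returns null for the traversal input because the canonical path of `pictures/../../WEB-INF/web.xml` no longer begins with the pictures root. The indirection variant is preferable where the set of files is known to the application, since it needs no path logic at all and the client never learns the server's directory layout.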
Insecure Direct Object Reference




Insecure Direct Object Reference

   What ?
       Transmit user forgeable identifiers without controlling them server side


   Goal ?
       Create, modify, delete, read other user’s data


   Sample
        <html><body>
        <form name="shoppingCart">
         <input name="id" type="hidden" value="32" />
         ...
        </form>
        </body></html>

        // Vulnerable: whatever id the client sends is looked up, with no check that it belongs to the caller
        ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));
Insecure Direct Object Reference
How to prevent it ?
   Input identifier validation
       reject wildcards ("10%20")


   Add server side identifiers
    Criteria criteria = session.createCriteria(ShoppingCart.class);
    // eq, not like: an exact match leaves no room for wildcards in the user supplied id
    criteria.add(Restrictions.eq("id", request.getParameter("id")));
    // The owner comes from the authenticated principal, never from a request parameter
    criteria.add(Restrictions.eq("clientId", request.getRemoteUser()));

    ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();



   Control access permissions
       See Spring Security
Insecure Direct Object Reference
How to prevent it ?
   Use server side indirection with generated random identifiers
    String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());

    <html><body>
    <form name="shoppingCart">
     <input name="id" type="hidden" value="${indirectId}" />
     ...
    </form>
    </body></html>


    String indirectId = request.getParameter("id");
    String id = accessReferenceMap.getDirectReference(indirectId);
    ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);


       See org.owasp.esapi.AccessReferenceMap
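A minimal per-user indirection map in the spirit of the ESAPI `AccessReferenceMap` the slide points to, as an added example: this is neither the slides' code nor the ESAPI implementation. Direct ids (database keys) are exchanged for random references that are only meaningful for the user who owns the map, which would typically be stored in that user's session. The class name, the 12-character token length and the cart ids 32 and 33 (the first is the slide's sample value) are assumptions for the example.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the slides, not ESAPI): random indirect references
 * for one user. A forged or foreign id is rejected before any database access.
 */
public final class RandomAccessReferenceMap {

    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int TOKEN_LENGTH = 12; // about 71 bits from a 62-character alphabet

    private final SecureRandom random = new SecureRandom();
    private final Map<Object, String> directToIndirect = new HashMap<Object, String>();
    private final Map<String, Object> indirectToDirect = new HashMap<String, Object>();

    /** Returns the indirect reference for a direct id, minting one on first use. */
    public synchronized String getIndirectReference(Object directReference) {
        String indirect = directToIndirect.get(directReference);
        if (indirect == null) {
            do {
                indirect = randomToken();
            } while (indirectToDirect.containsKey(indirect)); // rule out the (unlikely) collision
            directToIndirect.put(directReference, indirect);
            indirectToDirect.put(indirect, directReference);
        }
        return indirect;
    }

    /**
     * Maps a reference received from the request back to the direct id.
     * Only values this map handed out resolve; anything else is a forgery.
     */
    public synchronized Object getDirectReference(String indirectReference) {
        Object direct = indirectReference == null ? null : indirectToDirect.get(indirectReference);
        if (direct == null) {
            throw new SecurityException("Unknown indirect reference");
        }
        return direct;
    }

    private String randomToken() {
        char[] out = new char[TOKEN_LENGTH];
        for (int i = 0; i < out.length; i++) {
            out[i] = ALPHABET.charAt(random.nextInt(ALPHABET.length()));
        }
        return new String(out);
    }

    public static void main(String[] args) {
        // Constructed: the map held in the session of a user who owns shopping cart 32.
        RandomAccessReferenceMap userMap = new RandomAccessReferenceMap();
        String indirectId = userMap.getIndirectReference(Long.valueOf(32));

        System.out.println("hidden field value  : " + indirectId);
        System.out.println("resolved server side: " + userMap.getDirectReference(indirectId));
        try {
            // A direct id typed into the form (another user's cart) was never issued by this map.
            userMap.getDirectReference("33");
        } catch (SecurityException e) {
            System.out.println("rejected            : " + e.getMessage());
        }
    }
}
```

Because each user has their own map, the same indirect value means nothing in another session, and the client never sees a sequential key it could increment. The `SecurityException` is the place to hook audit logging of the attempt.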
Cross Site Request Forgery (CSRF)




Cross Site Request Forgery (CSRF)

   What ?
     Assume that the user is logged in to another web site, and make the
      user's browser send a malicious request to that site
     Ajax web sites are very exposed !




   Goal ?
       Perform operations without asking the user


   Sample
    http://mybank.com/transfer.do?
    amount=100000&recipientAccount=12345
Cross Site Request Forgery (CSRF)
How to prevent it ?
   Ensure that no XSS vulnerability exists in your
    application

   Use a random token in sensitive forms
     <form action="/transfer.do">
       <input name="token" type="hidden" value="14689423257893257" />
       <input name="amount" />
       ...
     </form>

       Spring Web Flow and Struts 2 provide such random token mechanisms


   Re-authenticate user for sensitive operations
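The random-token mechanism from the slide above, as an added example (not code from the slides, Spring Web Flow or Struts 2): a per-session token generated with `SecureRandom`, embedded in the sensitive form, and compared in constant time when the form is posted. A `Map` stands in for the `HttpSession` attributes so the class runs on its own; the class name, attribute name and 16-byte token size are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the slides): anti-CSRF token tied to the user's session.
 * A page on another site can make the browser send the request, but it cannot
 * read the victim's session token, so it cannot supply a matching value.
 */
public final class CsrfTokenGuard {

    private static final String SESSION_ATTRIBUTE = "csrfToken";
    private static final int TOKEN_BYTES = 16; // 128 bits of randomness
    private final SecureRandom random = new SecureRandom();

    /** Returns the session's token, creating it on first use. */
    public String tokenFor(Map<String, Object> session) {
        String token = (String) session.get(SESSION_ATTRIBUTE);
        if (token == null) {
            byte[] bytes = new byte[TOKEN_BYTES];
            random.nextBytes(bytes);
            token = toHex(bytes);
            session.put(SESSION_ATTRIBUTE, token);
        }
        return token;
    }

    /** The hidden field to embed in the form, like the slide's <input name="token" ...>. */
    public String hiddenField(Map<String, Object> session) {
        return "<input name=\"token\" type=\"hidden\" value=\"" + tokenFor(session) + "\" />";
    }

    /** True only when the submitted token equals the one stored in this session. */
    public boolean isValid(Map<String, Object> session, String submittedToken) {
        String expected = (String) session.get(SESSION_ATTRIBUTE);
        if (expected == null || submittedToken == null) {
            return false;
        }
        // Constant-time comparison: the time taken does not reveal how many leading characters matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        CsrfTokenGuard guard = new CsrfTokenGuard();
        Map<String, Object> session = new HashMap<String, Object>(); // constructed stand-in for HttpSession

        // Rendering the transfer form for the logged in user
        System.out.println("<form action=\"/transfer.do\" method=\"post\">");
        System.out.println("  " + guard.hiddenField(session));
        System.out.println("  <input name=\"amount\" />");
        System.out.println("</form>");

        // The user's own browser posts the form back with the token it was given
        System.out.println("own form posted : " + guard.isValid(session, guard.tokenFor(session)));
        // A cross-site request arrives without the token, or with a guess
        System.out.println("no token        : " + guard.isValid(session, null));
        System.out.println("guessed token   : " + guard.isValid(session, "14689423257893257"));
    }
}
```

The form should be posted, not fetched, so the token never ends up in a URL or a Referer header; and the slide's first point still applies: an XSS flaw on the same origin can read the token out of the page, which is why the token mechanism does not replace fixing XSS.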
Information Leakage and Improper Exception Handling




Information Leakage and Improper Exception Handling

   What ?
     Sensitive implementation details exposed to attackers
     Usually through unhandled exceptions




   Goal ?
       Discover code details in order to discover vulnerabilities
Information Leakage and Improper Exception Handling

   Sample




Information Leakage and Improper Exception Handling
How to prevent it ?
   Avoid detailed error messages
     Beware of development mode messages !
     web.xml


           <web-app>
            <error-page>
                <exception-type>java.lang.Throwable</exception-type>
                <location>/empty-error-page.jsp</location>
            </error-page>
            ...
           </web-app>

       Tomcat
           <Server ...>
            <Service ...>
              <Engine ...>
                <Host
                 errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve"
                 ...>
                   ...
                </Host>
              </Engine>
            </Service>
           </Server>

Information Leakage and Improper Exception Handling
How to prevent it ?
   Don't display stack traces in SOAP faults

   Sanitize GUI error messages
       Sample : "Invalid login or password" (do not reveal which of the two is wrong)
Broken Authentication and Session Management




Broken Authentication and Session Management

   What ?
       Web authentication and session handling have many tricks


   Goal ?
       Hijack user session




Broken Authentication and Session Management
How to prevent it ?
   Log session initiation and sensitive data access
     Remote IP, time, login, sensitive data & operation accessed
     Use a dedicated log4j output file that is never overwritten


          #Audit
          log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
          log4j.appender.audit.datePattern='-'yyyyMMdd
          log4j.appender.audit.file=audit.log
          log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
          # %n (not a bare "n") terminates each entry with the platform line separator
          log4j.appender.audit.layout.conversionPattern=%m %throwable{short}%n

          log4j.logger.com.mycompany.audit.Audit=INFO, audit
          # additivity=false keeps audit entries out of the application log
          log4j.additivity.com.mycompany.audit.Audit=false




   Use out of the box session and authentication
   mechanisms
     Don't create your own cookies
     Look at Spring Security
Broken Authentication and Session Management
How to prevent it ?
   Use SSL and random token for authentication pages
       including login page display


   Regenerate a new session on successful authentication

   Use Http Only session cookies, don’t use URL rewriting
   based session handling

   Prevent brute force attacks using timeouts or locking
   password on authentication failures

   Don’t store clear text password, consider SSHA

Broken Authentication and Session Management
How to prevent it ?
   Use a timeout period

   Remember Me cookies must be invalidated on password
   change (see Spring Security)

   Beware not to write password in log files

   Server generated passwords (lost password, etc) must
   be valid only once

   Be able to distinguish SSL communications


Broken Authentication and Session Management
How to prevent it ?
   For server to server communication, use remote IP
   control in addition to password validation
Insecure Cryptographic Storage




Insecure Cryptographic Storage

   What ?
       Cryptography has many traps


   Goal ?
       Steal sensitive data




Insecure Cryptographic Storage
How to prevent it ?
   Don’t invent custom cryptography solutions
     Java offers approved algorithms for hashing, symmetric key and public
      key encryptions
     Double hashing is a custom weak algorithm




   Don’t use weak algorithms
       MD5 / SHA1, etc are weak. Prefer SHA-256


   Beware of private key storage
     Java doesn't offer chroot mechanisms to limit access to private key files
      to root
     Storing secrets on servers requires expertise
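Salted hashing with an approved JDK algorithm, covering both the "consider SSHA" advice of the authentication slides and the "prefer SHA-256" advice above. This is an added example, not code from the slides; the storage format `hex(salt):hex(SHA-256(salt || password))`, the 16-byte salt and the sample passwords are assumptions constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Added example (not from the slides): salted SHA-256 (SSHA) password storage
 * using only the JDK. Nothing here is custom cryptography: the digest is the
 * standard algorithm, the salt is from SecureRandom, the comparison is constant time.
 */
public final class SaltedPasswordHash {

    private static final int SALT_BYTES = 16;
    private static final SecureRandom RANDOM = new SecureRandom();

    private SaltedPasswordHash() {}

    /** Hashes a new password with a fresh random salt; store the result, never the password. */
    public static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt); // a per-user salt defeats precomputed tables and hides equal passwords
        return toHex(salt) + ":" + toHex(digest(salt, password));
    }

    /** Recomputes the digest with the stored salt and compares in constant time. */
    public static boolean verify(String password, String stored) {
        int sep = stored.indexOf(':');
        if (sep < 0) {
            return false;
        }
        byte[] salt = fromHex(stored.substring(0, sep));
        byte[] expected = fromHex(stored.substring(sep + 1));
        return MessageDigest.isEqual(expected, digest(salt, password));
    }

    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256"); // approved; not MD5 or SHA-1
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple"); // constructed sample password
        System.out.println("stored value      : " + stored);
        System.out.println("right password    : " + verify("correct horse battery staple", stored));
        System.out.println("wrong password    : " + verify("Tr0ub4dor&3", stored));
        // The same password hashed again yields a different stored value because the salt differs
        System.out.println("same pwd, 2 salts : " + hash("correct horse battery staple").equals(stored));
    }
}
```

A single SHA-256 pass is fast, which is exactly what an attacker with a stolen table wants; where the runtime allows it, a deliberately slow, iterated scheme (the JDK's `PBKDF2WithHmacSHA256` through `javax.crypto.SecretKeyFactory`, or bcrypt/scrypt from a library) keeps the same salt-and-verify structure shown here and is the stronger choice today.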
Insecure Communications




Insecure Communications

   What ?
       Insecure communications are easy to eavesdrop on and tamper with


   Goal ?
       Steal sensitive data, hijack user session




Insecure Communications
How to prevent it ?
   Use SSL with the Servlet API

      request.isSecure()




      <web-app ...>
       ...
       <security-constraint>
           <web-resource-collection>
            <web-resource-name>restricted web services</web-resource-name>
            <url-pattern>/services/*</url-pattern>
           </web-resource-collection>
           <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
           </user-data-constraint>
       </security-constraint>
       ...
      </web-app>




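The programmatic counterpart of the `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` constraint above, built on the `request.isSecure()` call the slide shows, as an added example that is not code from the slides: a filter that refuses plain-HTTP requests to the web services path. It assumes the Servlet 3.0 API on the classpath; the class name is an assumption, the `/services/*` pattern is the slide's.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the slides): enforce SSL in code for the web services,
 * for deployments where the check must be visible in the application (for
 * example to log the attempt) rather than only in web.xml.
 */
@WebFilter("/services/*")
public class RequireSslFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // isSecure() is true when the container received the request over HTTPS.
        // Behind a TLS-terminating proxy the container must be told so (e.g. Tomcat's RemoteIpValve),
        // otherwise every request looks insecure here.
        if (!httpRequest.isSecure()) {
            // Refuse instead of redirecting: for a web service call the credentials have already
            // travelled in clear, and a redirect would only invite the client to repeat them.
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS is required");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

For browser-facing pages the declarative `security-constraint` is usually preferable because the container redirects the user to the HTTPS URL itself; the filter form is for machine-to-machine endpoints where a hard failure is the safer response.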
Insecure Communications
How to prevent it ?
   Use SSL with Spring Security

      <beans ...>

       <sec:http auto-config="true">
        <sec:intercept-url
          pattern="/services/**"
          requires-channel="https"
          access="IS_AUTHENTICATED_FULLY" />
       </sec:http>

      </beans>





Alison B. Lowndes
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 

Recently uploaded (20)

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 

Xebia Knowledge Exchange - Owasp Top Ten

  • 1. OWASP Security Top Ten OWASP top ten www.xebia.fr / blog.xebia.fr
  • 2. OWASP Security Top Ten
    This presentation is based on OWASP Top 10 For Java EE
    The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications
    http://www.owasp.org/index.php/Top_10_2007
  • 3. Cross Site Scripting (XSS) www.xebia.fr / blog.xebia.fr
  • 4. Cross Site Scripting (XSS)
    What ?
      - Subset of HTML injections
      - Data provided by malicious users is rendered in web pages and executes scripts
    Goal ?
      - Hijack user session, steal user data, deface web site, etc
    Sample
      - lastName: Cyrille "><script ... />
  • 5. Cross Site Scripting (XSS)
    How to prevent it ?
      - Input Validation : JSR 303 Bean Validation
        » Bean
            public class Person {
              @Size(min = 1, max = 256)
              private String lastName;

              @Size(max = 256)
              @Pattern(regexp = ".+@.+\\.[a-z]+")   // the dot before the TLD must be escaped
              private String email;
              ...
            }
        » Controller
            @Controller("/person")
            public class PersonController {
              @RequestMapping(method = RequestMethod.POST)
              public void save(@Valid Person person) {
                // ...
              }
            }
  • 6. Cross Site Scripting (XSS)
    How to prevent it ?
      - HTML output escaping
        » JSTL
            <h2>Welcome <c:out value="${person.lastName}" /></h2>
        » Expression language danger : JSP EL does NOT escape !!!
            <h2>Welcome ${person.lastName} NOT ESCAPED !!! </h2>
      - Spring MVC
        » Global escaping
            <web-app>
              <context-param>
                <param-name>defaultHtmlEscape</param-name>
                <param-value>true</param-value>
              </context-param>
              ...
            </web-app>
        » Page level
            <spring:htmlEscape defaultHtmlEscape="true" />
  • 7. Cross Site Scripting (XSS)
    How to prevent it ?
      - Use HTTP Only cookies
        » Cookies not accessible via javascript
        » Introduced with Servlet 3.0 (JSESSIONID configuration : web.xml)
            cookie.setHttpOnly(true);
        » Since Tomcat 6.0.20 for session cookies
            <Context useHttpOnly="true">
              ...
            </Context>
        » Manual workaround
            // addHeader, not setHeader : do not overwrite cookies already set on the response
            response.addHeader("Set-Cookie", "foo=" + bar + "; HttpOnly");
  • 8. Cross Site Scripting (XSS)
    How to prevent it ?
      - Do not use blacklist validation but whitelist validation
        » Blacklist (forbidden tags) : <script>, <img>
        » Prefer wiki/forum white list style : [img], [url], [strong]
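An added example of the whitelist approach from slide 8 combined with the output escaping from slide 6; it is not code from the Xebia slides. Everything the user typed is HTML-escaped first, then only two wiki-style tags are turned back into markup, and [url] only accepts http(s) targets made of a conservative character set. Plain JDK; the class and method names are my own.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WhitelistMarkup {

    // Escape the five characters that matter in an HTML body or attribute.
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // [strong]...[/strong] -> <strong>...</strong>; the content is already escaped.
    private static final Pattern STRONG =
            Pattern.compile("\\[strong\\](.*?)\\[/strong\\]", Pattern.DOTALL);

    // [url]http(s)://...[/url] -> <a href="...">...</a>; only http/https and a safe
    // character set (no quotes, spaces or '&', which escaping turned into '&amp;').
    private static final Pattern URL =
            Pattern.compile("\\[url\\](https?://[A-Za-z0-9./_~:?=%#-]+)\\[/url\\]");

    public static String render(String userInput) {
        String escaped = escapeHtml(userInput);          // step 1: nothing is HTML any more
        String s = STRONG.matcher(escaped).replaceAll("<strong>$1</strong>");
        Matcher m = URL.matcher(s);                      // step 2: re-enable the whitelist
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String href = m.group(1);
            m.appendReplacement(sb,
                    Matcher.quoteReplacement("<a href=\"" + href + "\">" + href + "</a>"));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // the sample from slide 4 stays inert
        System.out.println(render("Cyrille \"><script ... />"));
        // whitelisted markup is rendered
        System.out.println(render("[strong]Hello[/strong] see [url]https://www.xebia.fr/[/url]"));
        // a non-http scheme is left as escaped text
        System.out.println(render("[url]javascript:void(0)[/url]"));
    }
}
```

The order matters: escaping first and re-enabling tags second means a forgotten case can only produce escaped text, never raw HTML.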
  • 9. Injection Flaws www.xebia.fr / blog.xebia.fr
  • 10. Injection Flaws
    What ?
      - Malicious data provided by a user to read or modify sensitive data
      - Types of injection : SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more
    Goal ?
      - Create, modify, delete, read data
    Sample
      - lastName: Cyrille "; INSERT INTO MONEY_TRANSFER ...
  • 11. Injection Flaws
    How to prevent it ?
      - Input validation
        » XSD with regular expressions, min and max values, etc
        » JSR 303 Bean Validation
  • 12. Injection Flaws
    How to prevent it ?
      - Use strongly typed parameterized query API
        » JDBC
            preparedStatement.setString(1, lastName);
        » JPA
            query.setParameter("lastName", lastName);
        » HTTP
            GetMethod getMethod = new GetMethod("/findPerson");
            getMethod.setQueryString(new NameValuePair[] { new NameValuePair("lastName", lastName) });
        » XML
            Element lastNameElt = doc.createElement("lastName");
            lastNameElt.appendChild(doc.createTextNode(lastName));
        » XPath :-(
  • 13. Injection Flaws
    How to prevent it ?
      Caution !
      - If not, use escaping libraries very cautiously !!!
        » HTML
            "<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";
        » Javascript
            "lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";
        » HTTP
            "/findPerson?lastName=" + URLEncoder.encode(lastName, "UTF-8");
        » XML
            "<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";
      - Don't use simple escaping functions !
            StringUtils.replaceChars(lastName, "'", "''");
  • 14. Injection Flaws
    How to prevent it ?
      - Don't use dynamic queries at all !
        » Dynamic query (don't !)
            if (StringUtils.isNotEmpty(lastName)) {
              jpaQl += " lastName like '" + lastName + "'";
            }
        » JPA 2 Criteria API
            if (StringUtils.isNotEmpty(lastName)) {
              criteria.add(Restrictions.like("lastName", lastName));
            }
        » JPA 1 Query API
            Map<String, Object> parameters = new HashMap<String, Object>();
            if (StringUtils.isNotEmpty(lastName)) {
              jpaQl += " lastName like :lastName ";
              parameters.put("lastName", lastName);
            }
            Query query = entityManager.createQuery(jpaQl);
            for (Entry<String, Object> parameter : parameters.entrySet()) {
              query.setParameter(parameter.getKey(), parameter.getValue());
            }
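An added, runnable version of the contrast drawn on slides 12 and 14 (concatenated query versus parameterized query), written for this page and not taken from the slides. It uses plain JDBC against an H2 in-memory database, so it assumes the H2 driver jar is on the classpath; the PERSON table and its two rows are constructed for the demo. A legitimate name containing a quote is enough to show the difference: the concatenated SQL is parsed with the user's data as part of the grammar, the parameterized one is not.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ParameterizedQueryDemo {

    // Vulnerable: user data becomes part of the SQL text (slide 14, "don't").
    static int countByLastNameConcat(Connection c, String lastName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM PERSON WHERE LAST_NAME = '" + lastName + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the value travels as a typed parameter and is never parsed as SQL (slide 12).
    static int countByLastNameParam(Connection c, String lastName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM PERSON WHERE LAST_NAME = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, lastName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                // constructed sample data
                st.execute("CREATE TABLE PERSON (ID INT PRIMARY KEY, LAST_NAME VARCHAR(256))");
                st.execute("INSERT INTO PERSON VALUES (1, 'Le Clerc'), (2, 'O''Brien')");
            }
            String input = "O'Brien";   // a perfectly legitimate last name
            System.out.println("parameterized: " + countByLastNameParam(c, input));
            try {
                System.out.println("concatenated: " + countByLastNameConcat(c, input));
            } catch (SQLException e) {
                // the quote in the data broke the SQL grammar: proof that the
                // database parsed user input as code
                System.out.println("concatenated: " + e.getMessage());
            }
        }
    }
}
```

The same rule carries over to the JPA snippet on slide 14: the `:lastName` placeholder plus `setParameter` is the JPQL equivalent of the `?` plus `setString` above.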
  • 15. Injection Flaws
    How to prevent it ?
      - Enforce least privilege
        » Don't be root
        » Limit database access to Data Manipulation Language
        » Limit file system access
        » Use firewalls to control connections coming from / going to the Internet
  • 16. Malicious File Execution www.xebia.fr / blog.xebia.fr
  • 17. Malicious File Execution
    What ?
      - Malicious file or file path provided by users to access files
    Goal ?
      - Read or modify sensitive data
      - Remotely execute files (rootkits, etc)
    Sample
      - pictureName: ../../WEB-INF/web.xml
  • 18. Malicious File Execution
    How to prevent it ?
      - Don't build file paths from user provided data
            String picturesFolder = servletContext.getRealPath("/pictures");
            String pictureName = request.getParameter("pictureName");
            File picture = new File(picturesFolder + "/" + pictureName);
      - Don't execute commands with user provided data
            Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));
      - Use an indirection identifier for users
      - Use firewalls to prevent servers from connecting to outside sites
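An added example, not from the slides, of what to do instead of the `new File(picturesFolder + "/" + pictureName)` line above: resolve the requested name against the pictures folder, then verify that the canonical result is still inside that folder, and hand clients an opaque id rather than a file name (the indirection the slide recommends). Plain JDK; the temporary folder, the `cat.png` file and the id table are constructed for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;

public class SafePictureResolver {
    private final Path base;

    public SafePictureResolver(File picturesFolder) throws IOException {
        // canonical base: symlinks resolved once, so later startsWith() checks are meaningful
        this.base = picturesFolder.toPath().toRealPath();
    }

    // Returns the file to serve, or null when the name is not a plain file inside the folder.
    public Path resolve(String pictureName) throws IOException {
        if (pictureName == null || pictureName.isEmpty()
                || pictureName.indexOf('/') >= 0 || pictureName.indexOf('\\') >= 0
                || pictureName.indexOf('\0') >= 0) {
            return null;                                   // reject separators up front
        }
        Path candidate = base.resolve(pictureName).normalize();
        if (!candidate.startsWith(base)) {
            return null;                                   // ".." escaped the folder
        }
        if (!Files.isRegularFile(candidate)) {
            return null;                                   // missing, or a directory
        }
        Path real = candidate.toRealPath();                // follow symlinks, then re-check
        return real.startsWith(base) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("pictures");  // constructed pictures folder
        Files.write(tmp.resolve("cat.png"), new byte[] {1, 2, 3});
        SafePictureResolver resolver = new SafePictureResolver(tmp.toFile());

        for (String name : new String[] {"cat.png", "../../WEB-INF/web.xml", "..", "missing.png"}) {
            Path p = resolver.resolve(name);
            System.out.println(name + " -> " + (p == null ? "rejected" : "serve " + p.getFileName()));
        }

        // Indirection: the client only ever sends an opaque id; the server owns the mapping.
        Map<String, String> idToName = new HashMap<>();
        idToName.put("42", "cat.png");
        String requestedId = "42";   // would come from request.getParameter("pictureId")
        String mapped = idToName.get(requestedId);
        System.out.println("id " + requestedId + " -> "
                + (mapped == null ? "unknown id" : resolver.resolve(mapped)));
    }
}
```

Both checks are kept on purpose: the separator test rejects the obvious cases cheaply, and the `toRealPath()` re-check catches a symbolic link inside the folder that points outside it.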
  • 19. Insecure Direct Object Reference www.xebia.fr / blog.xebia.fr
  • 20. Insecure Direct Object Reference
    What ?
      - Transmit user forgeable identifiers without controlling them server side
    Goal ?
      - Create, modify, delete, read other users' data
    Sample
            <html><body>
              <form name="shoppingCart">
                <input name="id" type="hidden" value="32" />
                ...
              </form>
            </body></html>

            ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));
  • 21. Insecure Direct Object Reference
    How to prevent it ?
      - Input identifier validation
        » reject wildcards ("10%20")
      - Add server side identifiers
            Criteria criteria = session.createCriteria(ShoppingCart.class);
            criteria.add(Restrictions.like("id", request.getParameter("id")));
            criteria.add(Restrictions.like("clientId", request.getRemoteUser()));
            ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();
      - Control access permissions
        » See Spring Security
  • 22. Insecure Direct Object Reference
    How to prevent it ?
      - Use server side indirection with generated random identifiers
            String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());

            <html><body>
              <form name="shoppingCart">
                <input name="id" type="hidden" value="${indirectId}" />
                ...
              </form>
            </body></html>

            String indirectId = request.getParameter("id");
            String id = accessReferenceMap.getDirectReference(indirectId);
            ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);
      - See org.owasp.esapi.AccessReferenceMap
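An added example of the indirection pattern on slide 22, written for this page: it is a small stand-in for the ESAPI AccessReferenceMap the slide points to, not ESAPI's own code. One instance lives in the user's session, so the only direct ids it can ever return are the ones that were handed to that user as random indirect ids. Plain JDK; class, method and field names are my own.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class RandomAccessReferenceMap {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int INDIRECT_LENGTH = 16;

    private final Map<String, Object> indirectToDirect = new HashMap<>();
    private final Map<Object, String> directToIndirect = new HashMap<>();

    // Returns the indirect id for a real id, generating a fresh random one on first use.
    public synchronized String getIndirectReference(Object directReference) {
        String indirect = directToIndirect.get(directReference);
        if (indirect == null) {
            do {
                indirect = randomString(INDIRECT_LENGTH);
            } while (indirectToDirect.containsKey(indirect));
            indirectToDirect.put(indirect, directReference);
            directToIndirect.put(directReference, indirect);
        }
        return indirect;
    }

    // Returns the real id, or null if this session never handed out that indirect id.
    // A null here must be treated as "access denied", not as "look it up some other way".
    public synchronized Object getDirectReference(String indirectReference) {
        return indirectReference == null ? null : indirectToDirect.get(indirectReference);
    }

    private static String randomString(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // one map per user session (e.g. stored as an HttpSession attribute)
        RandomAccessReferenceMap map = new RandomAccessReferenceMap();
        String indirectId = map.getIndirectReference(32L);   // cart id 32 from slide 20
        System.out.println("hidden field value: " + indirectId);
        System.out.println("resolves to cart: " + map.getDirectReference(indirectId));
        // a forged value is simply unknown to this session's map
        System.out.println("forged value resolves to: " + map.getDirectReference("33"));
    }
}
```

The `synchronized` methods matter because a session can be touched by concurrent requests (the Ajax case slide 24 mentions).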
  • 23. Cross Site Request Forgery (CSRF) www.xebia.fr / blog.xebia.fr
  • 24. Cross Site Request Forgery (CSRF)
    What ?
      - Assumes that the user is logged in to another web site and sends it a malicious request
      - Ajax web sites are very exposed !
    Goal ?
      - Perform operations without asking the user
    Sample
      - http://mybank.com/transfer.do?amount=100000&recipientAccount=12345
  • 25. Cross Site Request Forgery (CSRF)
    How to prevent it ?
      - Ensure that no XSS vulnerability exists in your application
      - Use a random token in sensitive forms
            <form action="/transfer.do">
              <input name="token" type="hidden" value="14689423257893257" />
              <input name="amount" />
              ...
            </form>
      - Spring Web Flow and Struts 2 provide such random token mechanisms
      - Re-authenticate the user for sensitive operations
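An added example, not from the slides and not the Spring Web Flow or Struts 2 mechanism, showing the two halves of the random token technique on slide 25: generating one unguessable token per session when the form is rendered, and checking it in constant time before the sensitive operation runs. Plain JDK (Java 8 for `Base64`); the session is modelled as a Map and the attribute name `csrfToken` is my own choice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CsrfToken {
    public static final String SESSION_KEY = "csrfToken";   // attribute name, my own choice
    private static final SecureRandom RANDOM = new SecureRandom();

    // Called when rendering the form: one 256-bit random token per session.
    public static String tokenFor(Map<String, Object> session) {
        String token = (String) session.get(SESSION_KEY);
        if (token == null) {
            byte[] bytes = new byte[32];
            RANDOM.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.put(SESSION_KEY, token);
        }
        return token;
    }

    // Called before executing the sensitive operation (transfer.do on slide 24).
    public static boolean isValid(Map<String, Object> session, String submitted) {
        String expected = (String) session.get(SESSION_KEY);
        if (expected == null || submitted == null) {
            return false;
        }
        // constant-time comparison: the check must not leak how many bytes matched
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // stands in for HttpSession
        String token = tokenFor(session);
        System.out.println("<input name=\"token\" type=\"hidden\" value=\"" + token + "\" />");
        System.out.println("genuine form submission: " + isValid(session, token));
        // a request forged from another site cannot read the victim's page, so it has no token
        System.out.println("request without token:   " + isValid(session, null));
        System.out.println("request with a guess:    " + isValid(session, "14689423257893257"));
    }
}
```

In a web application `isValid` belongs in a servlet Filter in front of every state-changing URL; the first bullet on the slide (no XSS) is what keeps the token secret, since script injected into the page could read it.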
  • 26. Information Leakage and Improper Exception Handling www.xebia.fr / blog.xebia.fr
  • 27. Information Leakage and Improper Exception Handling
    What ?
      - Sensitive code details given to hackers
      - Usually done by raising exceptions
    Goal ?
      - Discover code details to discover vulnerabilities
  • 28. Information Leakage and Improper Exception Handling
    Sample
  • 29. Information Leakage and Improper Exception Handling
    How to prevent it ?
      - Avoid detailed error messages
      - Beware of development mode messages !
      - web.xml
            <web-app>
              <error-page>
                <exception-type>java.lang.Throwable</exception-type>
                <location>/empty-error-page.jsp</location>
              </error-page>
              ...
            </web-app>
      - Tomcat
            <Server ...>
              <Service ...>
                <Engine ...>
                  <Host errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve" ...>
                    ...
                  </Host>
                </Engine>
              </Service>
            </Server>
  • 30. Information Leakage and Improper Exception Handling
    How to prevent it ?
      - Don't display stack traces in SOAP Faults
      - Sanitize GUI error messages
        » Sample : "Invalid login or password"
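An added example of the sanitizing rule on slides 29 and 30, written for this page rather than taken from it: the full exception, stack trace included, is logged server side under a correlation id, and the only thing that reaches the page, SOAP fault or GUI is a generic message carrying that id, so support can still find the real cause. Plain JDK (`java.util.logging`); the exception text in `main` is constructed to look like the kind of detail that must not leak.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SafeErrorHandler {
    private static final Logger LOG = Logger.getLogger(SafeErrorHandler.class.getName());

    // Returns the message to show the user: no class names, no stack trace, no SQL, no paths.
    public static String handle(Throwable t) {
        String correlationId = UUID.randomUUID().toString();
        // the detailed record stays in the server log, keyed by the id
        LOG.log(Level.SEVERE, "request failed, correlation id " + correlationId, t);
        return "An error occurred. Please contact support and quote reference "
                + correlationId + ".";
    }

    public static void main(String[] args) {
        try {
            // constructed: the sort of detail a raw error page would print
            throw new IllegalStateException("SELECT * FROM ACCOUNT failed: table ACCOUNT not found");
        } catch (RuntimeException e) {
            System.out.println(handle(e));
        }
    }
}
```

The same method is what an `/empty-error-page.jsp` or a custom error report valve should call; the page itself should never touch `exception.getMessage()`.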
  • 31. Broken Authentication and Session Management www.xebia.fr / blog.xebia.fr
  • 32. Broken Authentication and Session Management
    What ?
      - Web authentication and session handling have many tricks
    Goal ?
      - Hijack user session
  • 33. Broken Authentication and Session Management
    How to prevent it ?
      - Log session initiation and sensitive data access
        » Remote IP, time, login, sensitive data & operation accessed
      - Use a dedicated log4j output file that is never overwritten
            #Audit
            log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
            log4j.appender.audit.datePattern='-'yyyyMMdd
            log4j.appender.audit.file=audit.log
            log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
            log4j.appender.audit.layout.conversionPattern=%m %throwable{short}%n
            log4j.logger.com.mycompany.audit.Audit=INFO, audit
            log4j.additivity.com.mycompany.audit.Audit=false
      - Use out of the box session and authentication mechanisms
        » Don't create your own cookies
        » Look at Spring Security
  • 34. Broken Authentication and Session Management
    How to prevent it ?
      - Use SSL and a random token for authentication pages
        » including the login page display
      - Regenerate a new session on successful authentication
      - Use Http Only session cookies, don't use URL rewriting based session handling
      - Prevent brute force attacks using timeouts or locking the account on authentication failures
      - Don't store clear text passwords, consider SSHA
  • 35. Broken Authentication and Session Management
    How to prevent it ?
      - Use a timeout period
      - Remember Me cookies must be invalidated on password change (see Spring Security)
      - Beware not to write passwords in log files
      - Server generated passwords (lost password, etc) must be valid only once
      - Be able to distinguish SSL communications
  • 36. Broken Authentication and Session Management
    How to prevent it ?
      - For server to server communication, use remote IP control in addition to password validation
  • 37. Insecure Cryptographic Storage www.xebia.fr / blog.xebia.fr
  • 38. Insecure Cryptographic Storage
    What ?
      - Cryptography has many traps
    Goal ?
      - Steal sensitive data
  • 39. Insecure Cryptographic Storage
    How to prevent it ?
      - Don't invent custom cryptography solutions
        » Java offers approved algorithms for hashing, symmetric key and public key encryption
        » Double hashing is a custom weak algorithm
      - Don't use weak algorithms
        » MD5 / SHA1, etc are weak. Prefer SHA-256
      - Beware of private key storage
        » Java doesn't offer chroot mechanisms to limit private key file access to root
        » Storing secrets on servers requires expertise
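An added example serving slide 34 ("consider SSHA") and slide 39 ("prefer SHA-256"): salted password hashing in the LDAP {SSHA} layout (digest of password and salt, followed by the salt, base64-encoded) using SHA-256 as the digest, with only JDK classes and a constant-time verification. It is written for this page and is not from the slides; the `{SSHA256}` tag string is my own choice of label.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class SaltedPasswordHash {
    private static final String ALGORITHM = "SHA-256";   // slide 39: not MD5 / SHA1
    private static final String TAG = "{SSHA256}";       // my own label for the stored format
    private static final int SALT_LENGTH = 16;
    private static final SecureRandom RANDOM = new SecureRandom();

    // Stored value: TAG + base64(digest(password || salt) || salt). The salt is not secret;
    // it only guarantees that equal passwords hash to different values.
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_LENGTH];
        RANDOM.nextBytes(salt);
        byte[] digest = digest(password, salt);
        byte[] combined = new byte[digest.length + salt.length];
        System.arraycopy(digest, 0, combined, 0, digest.length);
        System.arraycopy(salt, 0, combined, digest.length, salt.length);
        return TAG + Base64.getEncoder().encodeToString(combined);
    }

    public static boolean verify(char[] password, String stored) {
        if (stored == null || !stored.startsWith(TAG)) {
            return false;
        }
        byte[] combined;
        try {
            combined = Base64.getDecoder().decode(stored.substring(TAG.length()));
        } catch (IllegalArgumentException e) {
            return false;                                   // corrupt stored value
        }
        int digestLength = combined.length - SALT_LENGTH;
        if (digestLength <= 0) {
            return false;
        }
        byte[] storedDigest = Arrays.copyOfRange(combined, 0, digestLength);
        byte[] salt = Arrays.copyOfRange(combined, digestLength, combined.length);
        // constant-time comparison of the two digests
        return MessageDigest.isEqual(storedDigest, digest(password, salt));
    }

    private static byte[] digest(char[] password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            md.update(salt);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    public static void main(String[] args) {
        String stored = hash("correct horse".toCharArray());
        System.out.println("stored:           " + stored);
        System.out.println("right password:   " + verify("correct horse".toCharArray(), stored));
        System.out.println("wrong password:   " + verify("wrong".toCharArray(), stored));
        // two users with the same password get different stored values because the salt differs
        System.out.println("same hash twice:  " + hash("correct horse".toCharArray()).equals(stored));
    }
}
```

A salted fast hash is what the slide asks for; for password storage specifically the stronger choice today is a deliberately slow key derivation, and the JDK ships one (`SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` since Java 8), which slots into `digest` above without changing the stored layout.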
  • 40. Insecure Communications www.xebia.fr / blog.xebia.fr
  • 41. Insecure Communications
    What ?
      - Insecure communications are easy to hack
    Goal ?
      - Steal sensitive data, hijack user session
  • 42. Insecure Communications
    How to prevent it ?
      - Use SSL with the Servlet API
            request.isSecure()

            <web-app ...>
              ...
              <security-constraint>
                <web-resource-collection>
                  <web-resource-name>restricted web services</web-resource-name>
                  <url-pattern>/services/*</url-pattern>
                </web-resource-collection>
                <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
              </security-constraint>
              ...
            </web-app>
  • 43. Insecure Communications
    How to prevent it ?
      - Use SSL with Spring Security
            <beans ...>
              <sec:http auto-config="true">
                <sec:intercept-url pattern="/services/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY" />
              </sec:http>
            </beans>