REST Security with JAX-RS

JavaOne 2013

About
• Frank Kim – SANS Institute
• Curriculum Lead, Application Security
• Author, Secure Coding in Java

Outline
• Authentication
• Encryption
• Validation
• Wrap Up

Authentication
• Process of verifying an identity
• Can be based on three factors
  – Something you know
  – Something you have
  – Something you are

Java EE Authentication
• Configuration in web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Example</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

JAX-RS SecurityContext
• getAuthenticationScheme()
  – Returns the String authentication scheme used to protect the resource
  – BASIC, FORM, CLIENT_CERT
• getUserPrincipal()
  – Returns a Principal object containing the username
• isUserInRole(String role)
  – Returns a boolean indicating whether the user has the specified logical role
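As an added example (not code from the slides), a JAX-RS resource for the photo API that makes its authorization decisions from the SecurityContext the container fills in after the web.xml FORM login; the PhotoResource class, its sample photo list and usernames, and the "admin" role are assumptions for illustration.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

// Added example, not code from the slides: a resource for the photo API that
// makes its authorization decisions from the SecurityContext the container
// populates after the web.xml FORM login.
@Path("/photos")
public class PhotoResource {

    // Constructed sample data: photo id, file name and owning username
    private static final String[][] PHOTOS = {
        {"1", "photo1.jpg", "marissa"},
        {"3", "photo3.jpg", "marissa"},
        {"5", "photo5.jpg", "sam"}
    };

    @Context
    private SecurityContext securityContext;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response listPhotos() {
        Principal principal = securityContext.getUserPrincipal();
        if (principal == null) {
            // No container-authenticated identity (URL not covered by a
            // <security-constraint>, or login not completed): refuse, don't guess
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // "admin" is the <role-name> from web.xml; other users only see their own photos
        boolean seeAll = securityContext.isUserInRole("admin");
        List<String> visible = new ArrayList<>();
        for (String[] photo : PHOTOS) {
            if (seeAll || photo[2].equals(principal.getName())) {
                visible.add("{\"id\":\"" + photo[0] + "\",\"name\":\"" + photo[1] + "\"}");
            }
        }
        return Response.ok("{\"photos\":[" + String.join(",", visible) + "]}").build();
    }

    @DELETE
    @Path("/{id}")
    public Response deletePhoto(@PathParam("id") String id) {
        // Authenticated but not authorized is 403, not 401; the scheme is logged so
        // an unexpected BASIC login on a FORM-protected resource stands out
        if (!securityContext.isUserInRole("admin")) {
            System.err.println("delete refused for " + securityContext.getUserPrincipal()
                    + " via " + securityContext.getAuthenticationScheme());
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.noContent().build();
    }
}
```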

   

Photo Sharing Site Demo

Photo Sharing Site API
http://www.sparklr.com:8080/sparklr2/photos?&format=json

  {"photos" : [
    { "id":"1" , "name":"photo1.jpg" },
    { "id":"3" , "name":"photo3.jpg" },
    { "id":"5" , "name":"photo5.jpg" }]
  }

Issues
• Userid/password authentication is fine
  – If the API is used only by your site
• But what if your API needs to be used by
  – Other web apps
  – Mobile apps
  – Native apps
• Do you want these apps to
  – Have your password?
  – Have full access to your account?

OAuth
• Way to authenticate a service
  – Valet key metaphor coined by Eran Hammer-Lahav
• Authorization token with limited rights
  – You agree which rights are granted
  – You can revoke rights at any time
  – Can gracefully upgrade rights if needed

OAuth Roles
• User
  – Person using the app
  – Also known as the "resource owner"
• Client
  – Photo printing service called Tonr
• Server
  – Photo sharing service called Sparklr
  – Also known as the "resource server"

Simplified OAuth Flow
(Diagram: User; Client = photo printing service called Tonr; Server = photo sharing service called Sparklr)
1) You log in to Tonr
2) Tonr needs pictures to print and redirects you to Sparklr's log in page
3) You log in to Sparklr directly
4) Sparklr returns an OAuth "access token"
5) Tonr stores the "access token" with your account
6) You are happy printing and viewing your pictures

Photo Printing Site Demo

Detailed OAuth Flow
1) Via browser: Tonr starts OAuth process
   – Once you click the "Authorize" button

   http://www.sparklr.com:8080/sparklr2/oauth/authorize?
     client_id=tonr&
     redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos&
     response_type=code&
     scope=read write&
     state=92G53T

2) Via browser: Sparklr redirects back to Tonr

   http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T

3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password

   Request:
   POST /sparklr2/oauth/token HTTP/1.1
   Authorization: Basic dG9ucjpzZWNyZXQ=

   grant_type=authorization_code&code=cOuBX6&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos

   Response:
   {"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb",
    "token_type":"bearer","expires_in":"42528",
    "scope":"read write"}

4) Via "Client": Tonr gets pictures from Sparklr
   – All requests include:
     Authorization: Bearer 5881ce86-3ed0-4427-8a6b-42aef1068dfb

When to Use OAuth
• Use OAuth for consuming APIs from
  – Third-party web apps
  – Mobile apps
  – Native apps
• Don't need to use OAuth
  – If the API is only consumed by the user within the same web app
  – If APIs are only consumed server to server

Benefits
• No passwords shared between web apps
• No passwords stored on mobile devices
• Limits impact of security incidents
  – If you lose your mobile device
    • You revoke the access Sparklr gave to the Tonr mobile app
  – If Tonr gets hacked
    • Sparklr revokes OAuth access
  – If Sparklr gets hacked
    • You change your Sparklr password
    • Revoke access from Tonr to generate a new access token

OAuth Versions

Version | Comments
1.0     | - Has a security flaw related to session fixation
        | - Don't use it
1.0a    | - Stable and well understood
        | - Uses a signature to exchange credentials and signs every request
        | - Signatures are more of a pain than they seem
2.0     | - Spec is final with good support

OAuth 2.0 Authorization Grant Types

Grant Type                             | Description
1) Authorization Code                  | - Optimized for confidential clients
                                       | - Uses an authorization code from the Server
                                       | - User doesn't see the access token
2) Implicit Grant                      | - Optimized for script-heavy web apps
                                       | - Does not use an authorization code from the Server
                                       | - User can see the access token
3) Resource Owner Password Credentials | - Use in cases where the User trusts the Client
                                       | - Exposes User credentials to the Client
4) Client Credentials                  | - Client gets an access token based on Client credentials only

OAuth 2.0 Access Token Types
• Bearer
  – Large random token
  – Need SSL to protect it in transit
  – Server needs to store it securely hashed, like a user password
• MAC
  – Uses a nonce to prevent replay
  – Does not require SSL
  – OAuth 1.0 only supported a MAC type token
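As an added example (not from the slides or the Sparklr demo), the resource-server side of the bearer token described here and used in step 4 of the detailed flow: a JAX-RS filter that looks the presented token up by its hash, so the store never holds usable tokens, and checks the granted scope against the request. The filter class, the token store and the method-to-scope mapping are assumptions; HTTPS is assumed to be enforced already by the transport-guarantee.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Added example, not from the slides: the resource server's check of the
// "Authorization: Bearer ..." header carried by every request in step 4.
// HTTPS is assumed to be enforced already (transport-guarantee CONFIDENTIAL).
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BearerTokenFilter implements ContainerRequestFilter {
    // Constructed store keyed by SHA-256 of the token, so a copied table yields no
    // usable tokens; a plain hash suffices because the token is large and random.
    private static final Map<String, Set<String>> SCOPES_BY_HASH = new HashMap<>();
    static {
        SCOPES_BY_HASH.put(sha256("5881ce86-3ed0-4427-8a6b-42aef1068dfb"),
                new HashSet<>(Arrays.asList("read", "write")));
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        boolean bearer = auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7);
        Set<String> scopes = bearer ? SCOPES_BY_HASH.get(sha256(auth.substring(7).trim())) : null;
        if (scopes == null) {
            // No token: bare challenge. Unknown token: error="invalid_token" (RFC 6750)
            abort(ctx, 401, bearer ? "Bearer error=\"invalid_token\"" : "Bearer");
            return;
        }
        // GET needs "read"; anything that changes state needs "write"
        String required = "GET".equals(ctx.getMethod()) ? "read" : "write";
        if (!scopes.contains(required)) {
            abort(ctx, 403, "Bearer error=\"insufficient_scope\", scope=\"" + required + "\"");
        }
    }

    private static void abort(ContainerRequestContext ctx, int status, String challenge) {
        ctx.abortWith(Response.status(status).header(HttpHeaders.WWW_AUTHENTICATE, challenge).build());
    }

    static String sha256(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```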

Outline
• Authentication
• Encryption
• Validation
• Wrap Up

Session Hijacking
(Diagram: Victim and Attacker on the same public WiFi network, mybank.com reached over the Internet)
1) Victim goes to mybank.com via HTTP
2) Attacker sniffs the public WiFi network and steals the JSESSIONID
3) Attacker uses the stolen JSESSIONID to access the victim's session

Enable SSL in web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Example</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    ...

    <user-data-constraint>
      <transport-guarantee>
        CONFIDENTIAL
      </transport-guarantee>
    </user-data-constraint>
  </security-constraint>

JAX-RS SecurityContext
• isSecure()
  – Returns a boolean indicating whether the request was made via HTTPS

Secure Flag
• Ensures that the cookie is only sent via SSL
• Configure in web.xml as of Servlet 3.0

  <session-config>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>

• Programmatically

  Cookie cookie = new Cookie("mycookie", "test");
  cookie.setSecure(true);

Strict-Transport-Security
• Tells the browser to only talk to the server via HTTPS
  – The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
  – Subsequent requests to HTTP automatically use HTTPS
• Supported browsers
  – Implemented in Firefox and Chrome
  – Defined in RFC 6797

  Strict-Transport-Security: max-age=seconds [; includeSubdomains]
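As an added example (not from the slides), one JAX-RS filter that applies the three encryption controls of this section to an API: it refuses requests that did not arrive over HTTPS using isSecure(), adds the Strict-Transport-Security header to HTTPS responses, and offers a helper that issues cookies with the Secure flag. The filter class, the HSTS value and the cookie helper are assumptions.

```java
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Added example, not from the slides: one JAX-RS filter applying the three controls
// from this section to an API: refuse plain HTTP (isSecure), send
// Strict-Transport-Security, and issue cookies with the Secure flag. The HSTS
// value and the cookie helper are assumptions.
@Provider
@PreMatching
public class TransportSecurityFilter implements ContainerRequestFilter, ContainerResponseFilter {

    // One year, covering subdomains. Start with a short max-age while rolling out,
    // because browsers refuse plain HTTP to the host for the whole period.
    static final String HSTS = "max-age=31536000; includeSubDomains";

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        if (!request.getSecurityContext().isSecure()) {
            // Redirecting would not help: any JSESSIONID or bearer token in this
            // request already crossed the network in the clear, so refuse it.
            request.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("HTTPS required").build());
        }
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response)
            throws IOException {
        // Browsers ignore the header on HTTP responses, so it is only useful on HTTPS
        if (request.getSecurityContext().isSecure()) {
            response.getHeaders().putSingle("Strict-Transport-Security", HSTS);
        }
    }

    // Programmatic equivalent of <cookie-config><secure>true</secure> for cookies a
    // resource sets itself: Secure keeps it off HTTP, HttpOnly keeps it from scripts
    public static NewCookie secureCookie(String name, String value) {
        return new NewCookie(name, value, "/", null, null, NewCookie.DEFAULT_MAX_AGE, true, true);
    }
}
```

A resource method would attach such a cookie with Response.ok().cookie(TransportSecurityFilter.secureCookie("mycookie", "test")).build().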

Outline
• Authentication
• Encryption
• Validation
• Wrap Up

Restrict Input
• Restrict to POST
  – Use @POST annotation
• Restrict the Content-Type
  – Use @Consumes({MediaType.APPLICATION_JSON})
  – Invalid Content-Type results in HTTP 415 Unsupported Media Type
• Restrict to Ajax if applicable
  – Check X-Requested-With: XMLHttpRequest header
• Restrict response types
  – Check Accept header for valid response types
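As an added example (not from the slides or the OWASP 1-Liner project), the four restrictions applied to a one-liner posting endpoint: @POST and @Consumes let JAX-RS reject wrong methods and content types before any code runs, and a request filter enforces the X-Requested-With and Accept checks for state-changing requests. The OneLiner type, the path, the 140-character limit and the filter class are assumptions, and JSON (un)marshalling of OneLiner assumes a JSON provider is registered.

```java
import java.io.IOException;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Added example, not from the slides: the four restrictions applied to an endpoint
// like the 1-Liner posting service. Type, path and limit are assumptions.
@Path("/oneliners")
public class OneLinerResource {
    public static class OneLiner {
        public int id;
        public String nickName;
        public String oneLiner;
        public String timestamp;
    }

    // @POST plus @Consumes: a GET, or a POST whose Content-Type is not JSON (such as
    // an enctype="text/plain" form post), gets 405 or 415 before this method runs.
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Response create(OneLiner body) {
        if (body == null || body.nickName == null || body.oneLiner == null
                || body.oneLiner.length() > 140) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        return Response.ok(body).build();
    }

    // Ajax-only and Accept checks for every state-changing request. A plain HTML form
    // cannot set X-Requested-With, and a cross-origin XMLHttpRequest that sets it
    // triggers a CORS preflight, which this server does not approve.
    @Provider
    public static class AjaxOnlyFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            String method = ctx.getMethod();
            if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
                return;
            }
            if (!"XMLHttpRequest".equals(ctx.getHeaderString("X-Requested-With"))) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            // Accept defaults to */* when absent, which is compatible with JSON
            boolean acceptsJson = false;
            for (MediaType mt : ctx.getAcceptableMediaTypes()) {
                acceptsJson |= mt.isCompatible(MediaType.APPLICATION_JSON_TYPE);
            }
            if (!acceptsJson) {
                ctx.abortWith(Response.status(Response.Status.NOT_ACCEPTABLE).build());
            }
        }
    }
}
```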

Cross-Site Request Forgery (CSRF)
(Diagram: Victim browser, mybank.com, attacker.com)
1) Victim signs on to mybank
2) Victim visits attacker.com
3) Page contains CSRF code

  <form action=https://mybank.com/transfer.jsp method=POST>
    <input name=recipient value=attacker>
    <input name=amount value=1000>
  </form>
  <script>document.forms[0].submit()</script>

4) Browser sends the request to mybank

  POST /transfer.jsp HTTP/1.1
  Cookie: <mybank authentication cookie>

  recipient=attacker&amount=1000

CSRF and OAuth 2.0
• How can an attacker use CSRF to take over your account?
  – Many sites allow logins from third-party identity providers like Facebook
  – Many identity providers use OAuth
  – Attacker can automatically associate your account with an attacker-controlled Facebook account

OAuth CSRF Research
• Accounts at many sites could be taken over using OAuth CSRF
  – Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
• Research by Rich Lundeen
  – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
• Prior research by Stephen Sclafani
  – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability

OAuth CSRF Attack Flow
1) Create attacker-controlled Facebook account
2) Victim is signed on to provider account (e.g. Stack Exchange)
3) Lure victim into visiting an evil site with OAuth CSRF code
   – CSRF code sends OAuth authorization request
4) Attacker's Facebook account now controls victim provider account

[Image: Linking Stack Exchange with an Evil Facebook Account. Image from http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts]

CSRF Protection
• Spec defines a "state" parameter that must be included in the redirect to the Client
  – Value must be non-guessable and tied to the session

Client sends "state" to Server:
  http://www.sparklr.com:8080/sparklr2/oauth/authorize?
    client_id=tonr&
    redirect_uri=http://www.eviltonr.com:8080/tonr2/sparklr/photos&
    response_type=code&
    scope=read write&
    state=92G53T

Server sends "state" back to Client after authorization:
  http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T
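As an added example (not the Tonr demo's own code), the Client side of the "state" check: one resource method mints a random state, binds it to the user's session and builds the authorize redirect; the callback method refuses any redirect whose state does not match that session, so a forged authorization response is dropped before the code is exchanged. The resource paths and the session attribute name are assumptions.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

// Added example, not the Tonr demo's own code: the Client side of the "state"
// check. The resource paths and session attribute name are assumptions.
@Path("/sparklr")
public class SparklrClientResource {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String STATE_ATTR = "oauth.sparklr.state";
    private static final String AUTHORIZE = "http://www.sparklr.com:8080/sparklr2/oauth/authorize";
    private static final String REDIRECT_URI = "http://www.tonr.com:8080/tonr2/sparklr/photos";

    // Start of the flow: mint a 128-bit random state, bind it to the user's Tonr
    // session, then send the browser to Sparklr's authorize endpoint
    @GET @Path("/authorize")
    public Response startAuthorization(@Context HttpServletRequest request) {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        request.getSession(true).setAttribute(STATE_ATTR, state);
        URI target = UriBuilder.fromUri(AUTHORIZE)
                .queryParam("client_id", "tonr").queryParam("redirect_uri", REDIRECT_URI)
                .queryParam("response_type", "code").queryParam("scope", "read write")
                .queryParam("state", state).build();
        return Response.seeOther(target).build();
    }

    // Sparklr redirects back here with code and state. A forged redirect (the OAuth
    // CSRF attack) carries a state that matches no session, so it is refused before
    // the code is ever exchanged for a token.
    @GET @Path("/photos")
    public Response callback(@QueryParam("code") String code, @QueryParam("state") String state,
                             @Context HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(STATE_ATTR);
        if (session != null) {
            session.removeAttribute(STATE_ATTR); // single use, whether or not the check passes
        }
        if (code == null || state == null || expected == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          state.getBytes(StandardCharsets.UTF_8))) {
            return Response.status(Response.Status.FORBIDDEN).entity("OAuth state mismatch").build();
        }
        // Only now exchange "code" for an access token (step 3 of the detailed flow)
        return Response.ok("state verified").build();
    }
}
```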

   

OAuth CSRF Protection Demo

OWASP 1-Liner
• Deliberately vulnerable application
  – Intended for demos and training
  – Created by John Wilander @johnwilander
• More information at
  – https://www.owasp.org/index.php/OWASP_1-Liner

   

JSON CSRF Demo

Normal JSON Message

  {"id":0,"nickName":"John",
   "oneLiner":"I LOVE Java!",
   "timestamp":"2013-05-27T17:04:23"}

Forged JSON Message

  {"id": 0, "nickName": "John",
   "oneLiner": "I hate Java!",
   "timestamp": "20111006"}//=dummy

CSRF Attack Form

  <form id="target" method="POST"
        action="https://local.1-liner.org:8444/ws/vulnerable/oneliners"
        enctype="text/plain"
        style="visibility:hidden">
    <input type="text"
           name='{"id": 0, "nickName": "John",
                  "oneLiner": "I hate Java!",
                  "timestamp": "20111006"}//'
           value="dummy" />
    <input type="submit" value="Go" />
  </form>

With enctype="text/plain" the browser sends the body as name=value, so the input's name becomes the JSON and the trailing "//" comments out the "=dummy" the browser appends, producing the forged JSON message above.

CSRF Defense
• Must include something random in the request
  – Use an anti-CSRF token
• OWASP CSRFGuard
  – Written by Eric Sheridan @eric_sheridan
  – Can inject anti-CSRF token using
    • JSP Tag library - for manual, fine-grained protection
    • JavaScript DOM manipulation - for automated protection requiring minimal effort
  – Filter that intercepts requests and validates tokens

CSRFGuard JSP Tags
• Tags for token name and value

  <form name="test1" action="protect.html">
    <input type="text" name="text" value="text"/>
    <input type="submit" name="submit" value="submit"/>
    <input type="hidden" name="<csrf:token-name/>"
           value="<csrf:token-value/>"/>
  </form>

• Tag for name/value pair (delimited with "=")

  <a href="protect.html?<csrf:token/>">protect.html</a>

• Convenience tags for forms and links as well: <csrf:form> and <csrf:a>

Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

CSRFGuard DOM Manipulation
• Include JavaScript in every page that needs CSRF protection

  <script src="/securish/JavaScriptServlet"></script>

• JavaScript used to hook the open and send methods

  XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
  XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
    // store a copy of the target URL
    this.url = url;
    this._open.apply(this, arguments);
  };

  XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
  XMLHttpRequest.prototype.send = function(data) {
    if(this.onsend != null) {
      // call custom onsend method to modify the request
      this.onsend.apply(this, arguments);
    }
    this._send.apply(this, arguments);
  };

Protecting XHR Requests
• CSRFGuard sends two HTTP headers

  XMLHttpRequest.prototype.onsend = function(data) {
    // isValidUrl() comes from the CSRFGuard script (not shown here); it checks
    // that the request targets the protected application, so the token is
    // never sent to another origin
    if(isValidUrl(this.url)) {
      this.setRequestHeader("X-Requested-With",
                            "OWASP CSRFGuard Project");
      this.setRequestHeader("OWASP_CSRFTOKEN",
                            "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
    }
  };

   

JSON CSRF Protection Demo

Outline
• Authentication
• Encryption
• Validation
• Wrap Up

Summary
• Authentication
  ✓ Can use userid/password for services consumed by your app
  ✓ Use OAuth for third-party web apps and mobile apps
• Encryption
  ✓ Use SSL
  ✓ Use Secure flag
  ✓ Use Strict-Transport-Security header
• Validation
  ✓ Restrict input
  ✓ Protect your apps against CSRF

Frank Kim
wim@sans.org
@sansappsec

References
• JAX-RS 2.0
  – http://jcp.org/en/jsr/detail?id=339
  – https://jax-rs-spec.java.net/nonav/2.0/apidocs
• OAuth 2.0 Specification
  – http://tools.ietf.org/html/rfc6749
  – http://oauth.net
• Spring Security OAuth
  – http://www.springsource.org/spring-security-oauth
• OAuth: The Big Picture
  – http://pages.apigee.com/oauth-big-picture-ebook.html
• OAuth CSRF issues
  – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
  – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
• OWASP 1-Liner
  – https://www.owasp.org/index.php/OWASP_1-Liner
• CSRFGuard
  – https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
  – http://ericsheridan.blogspot.com/2010/12/how-csrfguard-protects-ajax.html
