Rest Security with JAX-RS

REST Security with JAX-‐RS

JavaOne 2013

•  Frank Kim – SANS InsBtute •  Curriculum Lead, ApplicaBon Security •  Author, Secure Coding in Java

About

2

Outline

•  AuthenBcaBon •  EncrypBon •  ValidaBon •  Wrap Up

3

AuthenBcaBon

•  Process of verifying an idenBty •  Can be based on three factors – Something you know – Something you have – Something you are

4

Java EE AuthenBcaBon

•  ConfiguraBon in web.xml ! 1 <security-constraint>! 2 <web-resource-collection>! 3 <web-resource-name>Example</web-resource-name>! 4 <url-pattern>/*</url-pattern>! 5 </web-resource-collection>! 6! 7 <auth-constraint>! 8 <role-name>user</role-name>! 9 <role-name>admin</role-name>!10 </auth-constraint>!11 </security-constraint>!12!13 <login-config>!14 <auth-method>FORM</auth-method>!15 <form-login-config>!16 <form-login-page>/login.jsp</form-login-page>!17 <form-error-page>/loginerror.jsp</form-error-page>!18 </form-login-config>!19 </login-config>!

5

JAX-‐RS SecurityContext!

•  getAuthenticationScheme()!–  Returns String authenBcaBon scheme used to protect the resource

–  BASIC, FORM, CLIENT_CERT

•  getUserPrincipal()!–  Returns Principal object containing the username

•  isUserInRole(String role)!–  Returns a boolean indicaBng if the user has the specified logical role

6

Photo Sharing Site Demo

7

Photo Sharing Site API h]p://www.sparklr.com:8080/sparklr2/photos?&format=json !{ "photos" : [ ! { "id":"1" , "name":"photo1.jpg" } , ! { "id":"3" , "name":"photo3.jpg" } , ! { "id":"5" , "name":"photo5.jpg" }] !}!

8

Issues

•  Userid/password authenBcaBon is fine –  If the API is used only by your site

•  But what if your API needs to be used by – Other web apps – Mobile apps – NaBve apps

•  Do you want these apps to – Have your password? – Have full access to your account?

9

10

OAuth

•  Way to authenBcate a service – Valet key metaphor coined by Eran Hammer-‐Lahav

•  AuthorizaBon token with limited rights – You agree which rights are granted – You can revoke rights at any Bme – Can gracefully upgrade rights if needed

11

OAuth Roles

12

User

Client

Server -‐ Person using the app -‐ Also known as the "resource owner"

-‐ Photo prinBng service called Tonr

-‐ Photo sharing service called Sparklr -‐ Also known as the "resource server"

Simplified OAuth Flow

13

User

Client

Server 1) You log in to Tonr


-‐ Photo sharing service called Sparklr

2) Tonr needs pictures to print and redirects you to Sparklr's log in page

3) You log in to Sparklr directly

Simplified OAuth Flow

14

User

Client

Server 6) You are happy prin<ng and viewing your pictures


-‐ Photo sharing service called Sparklr

5) Tonr stores the "access token" with your account

4) Sparklr returns an OAuth "access token"

Photo PrinBng Site Demo

15

Detailed OAuth Flow

1)  Via browser: Tonr starts OAuth process –  Once you click the "Authorize" bu]on

http://www.sparklr.com:8080/sparklr2/oauth/authorize?

client_id=tonr&redirect_uri=http://www.tonr.com:8080/

tonr2/sparklr/photos&

response_type=code&

scope=read write&state=92G53T

16

Detailed OAuth Flow

1)  Via browser: Tonr starts OAuth process –  Once you click the "Authorize" bu]on

http://www.sparklr.com:8080/sparklr2/oauth/authorize?

client_id=tonr&redirect_uri=http://www.tonr.com:8080/

tonr2/sparklr/photos&

response_type=code&

scope=read write&state=92G53T

17

Detailed OAuth Flow

2) Via browser: Sparklr redirects back to Tonr

http://www.tonr.com:8080/tonr2/sparklr/photos?

code=cOuBX6&state=92G53T

18

Detailed OAuth Flow

3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password

Request: POST /sparklr2/oauth/token HTTP/1.1

Authorization: Basic dG9ucjpzZWNyZXQ= grant_type=authorization_code&code=cOuBX6& redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos

Response: {"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb",

"token_type":"bearer","expires_in":"42528",

"scope":"read write"} 19

Detailed OAuth Flow







Detailed OAuth Flow







Detailed OAuth Flow




Response: {"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb", "token_type":"bearer","expires_in":"42528", "scope":"read write"}

22

Detailed OAuth Flow

4) Via "Client": Tonr gets pictures from Sparklr

All Requests include: Authorization: Bearer 5881ce86-3ed0-4427-8a6b-42aef1068dfb

23

When to Use OAuth

•  Use OAuth for consuming APIs from – Third-‐party web apps – Mobile apps – NaBve apps

•  Don't need to use OAuth –  If API is only consumed by the user within the same web app

–  If APIs are only consumed server to server

24

Benefits

•  No passwords shared between web apps •  No passwords stored on mobile devices •  Limits impact of security incidents –  If you lose your mobile device

•  You revoke the access Sparklr gave to the Tonr mobile app

–  If Tonr gets hacked •  Sparklr revokes OAuth access

–  If Sparklr gets hacked •  You change your Sparklr password •  Revoke access from Tonr to generate a new access token

25

OAuth Versions

26

Version Comments

1.0 -‐ Has a security flaw related to session fixaBon -‐ Don’t use it

1.0a -‐ Stable and well understood -‐ Uses a signature to exchange credenBals and signs every request -‐ Signatures are more of a pain than it seems

2.0 -‐ Spec is final with good support

OAuth 2.0 AuthorizaBon Grant Types

27

Grant Type Descrip<on

1) AuthorizaBon Code -‐ OpBmized for confidenBal clients -‐ Uses a authorizaBon code from the Server -‐ User doesn't see the access token

2) Implicit Grant -‐ OpBmized for script heavy web apps -‐ Does not use an authorizaBon code from the Server -‐ User can see the access token

3) Resource Owner Password CredenBals

-‐ Use in cases where the User trusts the Client -‐ Exposes User credenBals to the Client

4) Client CredenBals -‐ Client gets an access token based on Client credenBals only

OAuth 2.0 Access Token Types

•  Bearer – Large random token – Need SSL to protect it in transit – Server needs to store it securely hashed like a user password

•  Mac – Uses a nonce to prevent replay – Does not require SSL – OAuth 1.0 only supported a mac type token

28

Outline


29

Session Hijacking

Public WiFi "Network"

mybank.com

VicBm

A]acker

Internet"

1) Vic<m goes to mybank.com via HTTP

30

Session Hijacking


mybank.com

VicBm

A]acker

Internet"

2) AMacker sniffs the public wifi network and steals the JSESSIONID

31

Session Hijacking


mybank.com

VicBm

A]acker

Internet"

3) AMacker uses the stolen JSESSIONID to access the vic<m's session

32

Enable SSL in web.xml ! 1 <security-constraint>! 2 <web-resource-collection>! 3 <web-resource-name>Example</web-resource-name>! 4 <url-pattern>/*</url-pattern>! 5 </web-resource-collection>! 6! 7 ...! 8! 9 <user-data-constraint>!10 <transport-guarantee>!11 CONFIDENTIAL!12 </transport-guarantee>!13 </user-data-constraint>!14 </security-constraint>!

33

JAX-‐RS SecurityContext!

•  iSecure()!– Returns a boolean indicaBng whether the request was made via HTTPS

34

Secure Flag

•  Ensures that the Cookie is only sent via SSL •  Configure in web.xml as of Servlet 3.0

<session-config> <cookie-config> <secure>true</secure> </cookie-config> </session-config>!

•  ProgrammaBcally Cookie cookie = new Cookie("mycookie", "test");!cookie.setSecure(true);!

35

Strict-‐Transport-‐Security

•  Tells browser to only talk to the server via HTTPS –  First Bme your site accessed via HTTPS and the header is used the browser stores the cerBficate info

–  Subsequent requests to HTTP automaBcally use HTTPS

•  Supported browsers –  Implemented in Firefox and Chrome – Defined in RFC 6797

Strict-Transport-Security: max-age=seconds! ! ! ! ! ! ! ! ! [; includeSubdomains]!

36

Outline


37

Restrict Input

•  Restrict to POST –  Use @POST annotaBon

•  Restrict the Content-‐Type –  Use @Consumes({MediaType.APPLICATION_JSON})!–  Invalid Content-‐Type results in HTTP 415 Unsupported Media Type

•  Restrict to Ajax if applicable –  Check X-Requested-With:XMLHttpRequest header

•  Restrict response types –  Check Accept header for valid response types

38

Cross-‐Site Request Forgery (CSRF)

39

VicBm browser

mybank.com

1) VicBm signs on to mybank

2) VicBm visits a]acker.com

3) Page contains CSRF code

4) Browser sends the request to mybank <form acBon=h]ps://mybank.com/transfer.jsp

method=POST> <input name=recipient value=a]acker> <input name=amount value=1000> </form> <script>document.forms[0].submit()</script>

POST /transfer.jsp HTTP/1.1 Cookie: <mybank authenBcaBon cookie> recipient=a]acker&amount=1000

a]acker.com

CSRF and OAuth 2.0

•  How can an a]acker use CSRF to take over your account? – Many sites allow logins from third-‐party idenBty providers like Facebook

– Many idenBty providers use OAuth – A]acker can automaBcally associate your account with an a]acker controlled Facebook account

40

OAuth CSRF Research

•  Accounts at many sites could be taken over using OAuth CSRF –  Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest,

Groupon, Foursquare, SlideShare, Kickstarter, and others

•  Research by Rich Lundeen –  h]p://webstersprodigy.net/2013/05/09/common-‐oauth-‐issue-‐you-‐

can-‐use-‐to-‐take-‐over-‐accounts

•  Prior research by Stephen Sclafani –  h]p://stephensclafani.com/2011/04/06/oauth-‐2-‐0-‐csrf-‐vulnerability

41

OAuth CSRF A]ack Flow

1)  Create a]acker controlled Facebook account 2)  VicBm is signed on to provider account (i.e.

Stack Exchange) 3)  Lure vicBm into visiBng an evil site with

OAuth CSRF code – CSRF code sends OAuth authorizaBon request

4) A]acker's Facebook account now controls vicBm provider account

42

43 Image from h]p://webstersprodigy.net/2013/05/09/common-‐oauth-‐issue-‐you-‐can-‐use-‐to-‐take-‐over-‐accounts

Linking Stack Exchange with an Evil Facebook Account

CSRF ProtecBon •  Spec defines a "state" parameter that must be included in the redirect to the Client –  Value must be non-‐guessable and Bed to session

Client sends "state" to Server: http://www.sparklr.com:8080/sparklr2/oauth/authorize? client_id=tonr&redirect_uri=http://www.eviltonr.com:8080/ tonr2/sparklr/photos& response_type=code& scope=read write&state=92G53T

Server sends "state" back to Client ater authorizaBon: http://www.tonr.com:8080/tonr2/sparklr/photos? code=cOuBX6&state=92G53T

44

OAuth CSRF ProtecBon Demo

45

OWASP 1-‐Liner

•  Deliberately vulnerable applicaBon –  Intended for demos and training – Created by John Wilander @johnwilander

•  More informaBon at – h]ps://www.owasp.org/index.php/OWASP_1-‐Liner

46

JSON CSRF Demo

47

Normal JSON Message

{"id":0,"nickName":"John",! "oneLiner":"I LOVE Java!",! "timestamp":"2013-05-27T17:04:23"}!

48

Forged JSON Message

!{"id": 0, "nickName": "John",! "oneLiner": "I hate Java!",! "timestamp": "20111006"}//=dummy!

49

CSRF A]ack Form <form id="target" method="POST"!action="https://local.1-liner.org:8444/ws/vulnerable/oneliners" !enctype="text/plain" !style="visibility:hidden">!! <input type="text" ! name='{"id": 0, "nickName": "John",! "oneLiner": "I hate Java!",! "timestamp": "20111006"}//' ! value="dummy" />!! <input type="submit" value="Go" />!</form>!

50

CSRF A]ack Form <form id="target" method="POST"!action="https://local.1-liner.org:8444/ws/vulnerable/oneliners" !enctype="text/plain" !style="visibility:hidden">!! <input type="text" ! name='{"id": 0, "nickName": "John",! "oneLiner": "I hate Java!",! "timestamp": "20111006"}//' ! value="dummy" />!! <input type="submit" value="Go" />!</form>!

51

Forged JSON Message

!{"id": 0, "nickName": "John",! "oneLiner": "I hate Java!",! "timestamp": "20111006"}//=dummy!

52

CSRF Defense

•  Must include something random in the request – Use an anB-‐CSRF token

•  OWASP CSRFGuard – Wri]en by Eric Sheridan @eric_sheridan – Can inject anB-‐CSRF token using •  JSP Tag library -‐ for manual, fine grained protecBon •  JavaScript DOM manipulaBon -‐ for automated protecBon requiring minimal effort

– Filter that intercepts requests and validates tokens

53

CSRFGuard JSP Tags

•  Tags for token name and value <form name="test1" action="protect.html">! <input type="text" name="text" value="text"/>! <input type="submit" name="submit" value="submit"/>! <input type="hidden" name="<csrf:token-name/>"! value="<csrf:token-value/>"/> !</form>

•  Tag for name/value pair (delimited with "=") <a href="protect.html?<csrf:token/>">protect.html</a>!

•  Convenience tags for forms and links as well <csrf:form> and <csrf:a>!!

54 Examples from h]ps://www.owasp.org/index.php/CSRFGuard_3_Token_InjecBon

CSRFGuard DOM ManipulaBon •  Include JavaScript in every page that needs CSRF protecBon <script src="/securish/JavaScriptServlet"></script>!

•  JavaScript used to hook the open and send methods XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;!XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {! // store a copy of the target URL! this.url = url; ! this._open.apply(this, arguments);!}!!XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;!XMLHttpRequest.prototype.send = function(data) {! if(this.onsend != null) {! // call custom onsend method to modify the request! this.onsend.apply(this, arguments);! }! this._send.apply(this, arguments);!}!

55

ProtecBng XHR Requests

•  CSRFGuard sends two HTTP headers XMLHttpRequest.prototype.onsend = function(data) {! if(isValidUrl(this.url)) {!

this.setRequestHeader("X-Requested-With", ! "OWASP CSRFGuard Project")!

this.setRequestHeader("OWASP_CSRFTOKEN", ! "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");! }!};!

56

JSON CSRF ProtecBon Demo

57

Outline


58

Summary •  AuthenBcaBon

þ  Can use userid/password for services consumed by your app

þ  Use OAuth for third-‐party web apps and mobile apps •  EncrypBon

þ  Use SSL þ  Use Secure flag þ  Use Strict-‐Transport-‐Security header

•  ValidaBon þ  Restrict input þ  Protect your apps against CSRF

59

Frank Kim [email protected]

@sansappsec

References •  JAX-‐RS 2.0

–  h]p://jcp.org/en/jsr/detail?id=339 –  h]ps://jax-‐rs-‐spec.java.net/nonav/2.0/apidocs

•  OAuth 2.0 SpecificaBon –  h]p://tools.iex.org/html/rfc6749 –  h]p://oauth.net

•  Spring Security OAuth –  h]p://www.springsource.org/spring-‐security-‐oauth

•  OAuth: The Big Picture –  h]p://pages.apigee.com/oauth-‐big-‐picture-‐ebook.html

•  OAuth CSRF issues –  h]p://webstersprodigy.net/2013/05/09/common-‐oauth-‐issue-‐you-‐can-‐use-‐to-‐take-‐over-‐accounts –  h]p://stephensclafani.com/2011/04/06/oauth-‐2-‐0-‐csrf-‐vulnerability

•  OWASP 1-‐Liner –  h]ps://www.owasp.org/index.php/OWASP_1-‐Liner

•  CSRFGuard –  h]ps://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project –  h]p://ericsheridan.blogspot.com/2010/12/how-‐csrfguard-‐protects-‐ajax.html

62

Technology

Rest Security with JAX-RS