www.xebia.fr / blog.xebia.fr | OWASP Security Top Ten: OWASP top ten and Java protections | Cyrille Le Clerc, [email protected] | Tuesday, November 24, 2009

Xebia Knowledge Exchange - Owasp Top Ten


Description: OWASP Security Top Ten and the techniques to prevent them in Java


Page 1: Xebia Knowledge Exchange - Owasp Top Ten

www.xebia.fr / blog.xebia.fr

OWASP Security Top Ten: OWASP top ten and Java protections

Cyrille Le Clerc, [email protected]

Tuesday, November 24, 2009

Page 2: Xebia Knowledge Exchange - Owasp Top Ten

OWASP Security Top Ten

This presentation is based on OWASP Top 10 For Java EE: The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications, http://www.owasp.org/index.php/Top_10_2007


Page 3: Xebia Knowledge Exchange - Owasp Top Ten


Cross Site Scripting (XSS)


Page 4: Xebia Knowledge Exchange - Owasp Top Ten

Cross Site Scripting (XSS)

What? A subset of HTML injection: data provided by malicious users is rendered in web pages and executes scripts in the victim's browser.

Goal? Hijack user sessions, steal user data, deface the web site, etc.

Sample lastName:

    Cyrille "><script ... />


Page 5: Xebia Knowledge Exchange - Owasp Top Ten

Cross Site Scripting (XSS): How to prevent it?

Input validation: JSR 303 Bean Validation

Bean:

    public class Person {
        @Size(min = 1, max = 256)
        private String lastName;

        @Size(max = 256)
        @Pattern(regexp = ".+@.+\\.[a-z]+")
        private String email;
        ...
    }

Controller (@Valid triggers the constraints above before save() runs):

    @Controller("/person")
    public class PersonController {
        @RequestMapping(method = RequestMethod.POST)
        public void save(@Valid Person person) {
            // ...
        }
    }


Page 6: Xebia Knowledge Exchange - Owasp Top Ten

Cross Site Scripting (XSS): How to prevent it?

HTML output escaping

JSTL escapes its value:

    <h2>Welcome <c:out value="${person.lastName}" /></h2>

Expression language danger: JSP EL does NOT escape!

    <h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>

Spring MVC (the setting applies to Spring's form and bind tags, not to raw EL):

» Global escaping, in web.xml:

    <web-app>
      <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
      </context-param>
      ...
    </web-app>

» Page level:

    <spring:htmlEscape defaultHtmlEscape="true" />


Page 7: Xebia Knowledge Exchange - Owasp Top Ten

Cross Site Scripting (XSS): How to prevent it?

Use HttpOnly cookies: the cookie is not accessible via JavaScript, so an injected script cannot read it.

Introduced with Servlet 3.0:

    cookie.setHttpOnly(true);

Since Tomcat 6.0.20 for session cookies (there is no web.xml configuration for JSESSIONID; it is set on the Context):

    <Context useHttpOnly="true">...</Context>

Manual workaround (addHeader rather than setHeader, which would replace any Set-Cookie header already added):

    response.addHeader("Set-Cookie", "foo=" + bar + "; HttpOnly");


Page 8: Xebia Knowledge Exchange - Owasp Top Ten

Cross Site Scripting (XSS): How to prevent it?

Do not use blacklist validation (forbidden: <script>, <img>, ...): the list is never complete. Prefer a wiki/forum white list style: [img], [url], [strong].
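A white list renderer of the kind the slide recommends, as an added example (not code from the presentation): every character is HTML-escaped first, as <c:out> does on the previous slides, and only [strong], [url] and [img] are turned back into HTML, the link tags only for http(s) targets. Class and method names are my own.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Forum-style markup: escape everything, then re-enable only a white list of tags. */
public final class WhiteListMarkup {
    private static final Pattern STRONG = Pattern.compile("\\[strong\\](.*?)\\[/strong\\]", Pattern.DOTALL);
    private static final Pattern URL = Pattern.compile("\\[url\\](.*?)\\[/url\\]");
    private static final Pattern IMG = Pattern.compile("\\[img\\](.*?)\\[/img\\]");
    // Only absolute http(s) targets; quotes cannot appear here because the text is already escaped.
    private static final Pattern SAFE_URL = Pattern.compile("https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+");

    /** The same neutralisation JSTL's c:out performs on its value. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Renders user text: a <script> tag in the input survives only as harmless &lt;script&gt; text. */
    static String render(String input) {
        String html = escapeHtml(input);
        html = STRONG.matcher(html).replaceAll("<strong>$1</strong>");
        html = replaceLinks(URL, html, "<a href=\"%s\">%s</a>");
        html = replaceLinks(IMG, html, "<img src=\"%s\" alt=\"%s\" />");
        return html;
    }

    /** Re-enables a link tag only for a well-formed http(s) target; anything else stays as escaped text. */
    private static String replaceLinks(Pattern tag, String html, String template) {
        Matcher m = tag.matcher(html);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String target = m.group(1);
            String replacement = SAFE_URL.matcher(target).matches()
                    ? String.format(template, target, target) : m.group(0);
            m.appendReplacement(sb, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(sb);
        return sb.toString();
    }
}
```

Feeding the slide's sample lastName through render() leaves the script tag as escaped text while a [url]http://blog.xebia.fr[/url] still becomes a link.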


Page 9: Xebia Knowledge Exchange - Owasp Top Ten


Injection Flaws


Page 10: Xebia Knowledge Exchange - Owasp Top Ten

Injection Flaws

What? Malicious data provided by a user is used to read or modify sensitive data. Types of injection: SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more.

Goal? Create, modify, delete, read data.

Sample lastName:

    Cyrille "; INSERT INTO MONEY_TRANSFER ...


Page 11: Xebia Knowledge Exchange - Owasp Top Ten

Injection Flaws: How to prevent it?

Input validation: XSD with regular expressions, min and max values, etc.; JSR 303 Bean Validation


Page 12: Xebia Knowledge Exchange - Owasp Top Ten

Injection Flaws: How to prevent it?

Use strongly typed, parameterized query APIs

JDBC:

    preparedStatement.setString(1, lastName);

JPA:

    query.setParameter("lastName", lastName);

HTTP (Commons HttpClient):

    GetMethod getMethod = new GetMethod("/findPerson");
    getMethod.setQueryString(new NameValuePair[] { new NameValuePair("lastName", lastName) });

XML (DOM):

    Element lastNameElt = doc.createElement("lastName");
    lastNameElt.appendChild(doc.createTextNode(lastName));

XPath :-(
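The slide leaves XPath without a parameterized form. The JDK's javax.xml.xpath API does offer one, XPathVariableResolver, which binds a value to a $variable so it is compared as data instead of being parsed as expression text. The following is an added example, not code from the presentation; the class name and the sample document are mine. A last name with an apostrophe is enough to show the difference: concatenation breaks the expression (the same mechanism an injected value exploits), the bound variable simply matches.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public final class XPathPersonLookup {
    // Constructed sample document; one last name contains an apostrophe on purpose.
    static final String XML = "<persons>"
            + "<person><lastName>Le Clerc</lastName></person>"
            + "<person><lastName>O'Brien</lastName></person>"
            + "</persons>";

    /** Unsafe: user data becomes expression text, so quotes and operators in it are parsed. */
    static int countUnsafe(Document doc, String lastName) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String expr = "count(//person[lastName='" + lastName + "'])";
        return ((Number) xpath.evaluate(expr, doc, XPathConstants.NUMBER)).intValue();
    }

    /** Safe: the value is bound to the variable $lastName and is only ever compared as data. */
    static int countSafe(Document doc, String lastName) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        Map<String, Object> variables = Map.of("lastName", lastName);
        xpath.setXPathVariableResolver(name -> variables.get(name.getLocalPart()));
        return ((Number) xpath.evaluate("count(//person[lastName=$lastName])", doc,
                XPathConstants.NUMBER)).intValue();
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(XML)));
        String name = "O'Brien";
        // The bound variable compares the whole string, apostrophe included.
        System.out.println("safe: " + countSafe(doc, name));
        try {
            System.out.println("unsafe: " + countUnsafe(doc, name));
        } catch (XPathExpressionException e) {
            // The apostrophe terminated the string literal: the value changed the query's structure.
            System.out.println("unsafe: expression no longer parses: " + e.getMessage());
        }
    }
}
```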


Page 13: Xebia Knowledge Exchange - Owasp Top Ten

Injection Flaws: How to prevent it?

If a parameterized API is not available, use escaping libraries, very cautiously!

HTML:

    "<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";

Javascript:

    "lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";

HTTP:

    "/findPerson?" + URLEncoder.encode(lastName, "UTF-8");

XML:

    "<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";

Don't use simple escaping functions! Caution:

    StringUtils.replaceChars(lastName, "'", "''");

(replaceChars maps characters one to one, so this call replaces ' with ' and does not even double the quote; and quote doubling is in any case not the escaping rule of every database.)


Page 14: Xebia Knowledge Exchange - Owasp Top Ten

Injection Flaws: How to prevent it?

Don't use dynamic queries at all!

Vulnerable: the criterion is concatenated into the query string

    if (StringUtils.isNotEmpty(lastName)) {
        jpaQl += " lastName like '" + lastName + "'";
    }

JPA 1 Query API: collect named parameters alongside the query string and bind them afterwards

    Map<String, Object> parameters = new HashMap<String, Object>();
    if (StringUtils.isNotEmpty(lastName)) {
        jpaQl += " lastName like :lastName ";
        parameters.put("lastName", lastName);
    }
    Query query = entityManager.createQuery(jpaQl);
    for (Entry<String, Object> parameter : parameters.entrySet()) {
        query.setParameter(parameter.getKey(), parameter.getValue());
    }

Criteria API (Hibernate Restrictions shown; JPA 2 provides its own Criteria API)

    if (StringUtils.isNotEmpty(lastName)) {
        criteria.add(Restrictions.like("lastName", lastName));
    }


Page 15: Xebia Knowledge Exchange - Owasp Top Ten

Injection Flaws: How to prevent it?

Enforce least privilege: don't run as root; limit database access to the Data Manipulation Language; limit file system access; use firewalls to control connections coming from and going to the Internet.


Page 16: Xebia Knowledge Exchange - Owasp Top Ten


Malicious File Execution


Page 17: Xebia Knowledge Exchange - Owasp Top Ten

Malicious File Execution

What? A malicious file or file path provided by a user is used to access files.

Goal? Read or modify sensitive data; remotely execute files (rootkits, etc.)

Sample pictureName:

    ../../WEB-INF/web.xml


Page 18: Xebia Knowledge Exchange - Owasp Top Ten

Malicious File Execution: How to prevent it?

Don't build file paths from user-provided data:

    String picturesFolder = servletContext.getRealPath("/pictures");
    String pictureName = request.getParameter("pictureName");
    File picture = new File(picturesFolder + "/" + pictureName); // vulnerable: pictureName may contain "../"

Don't execute commands with user-provided data:

    Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName")); // vulnerable

Use an indirection identifier for users

Use firewalls to prevent servers from connecting to outside sites
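The indirection identifier from the slide, applied to the pictures example, as an added example (not the presentation's code): the request carries an opaque id, a server-side table maps it to a file name, and the resolved path is still confined to the pictures folder as defence in depth. Class name, folder and table contents are constructed.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;

/** Serves pictures by an opaque identifier, never by a user-supplied file name. */
public final class PictureResolver {
    private final Path picturesFolder;
    // Indirection table: clients only ever see the keys. In a real application the mapping
    // comes from the record that owns the picture; here it is a constructed sample.
    private final Map<String, String> fileNameById;

    public PictureResolver(Path picturesFolder, Map<String, String> fileNameById) {
        this.picturesFolder = picturesFolder.toAbsolutePath().normalize();
        this.fileNameById = fileNameById;
    }

    /** Resolves a request parameter to a file, or null when the id is unknown. */
    public Path resolve(String pictureId) throws IOException {
        String fileName = fileNameById.get(pictureId);
        if (fileName == null) {
            return null;
        }
        return confine(fileName);
    }

    /** Defence in depth: whatever name reaches this point, the result must stay inside the folder. */
    Path confine(String fileName) throws IOException {
        Path candidate = picturesFolder.resolve(fileName).normalize();
        if (!candidate.startsWith(picturesFolder)) {
            throw new IOException("path escapes pictures folder: " + fileName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Folder and table are constructed; in the web application the folder comes from
        // servletContext.getRealPath("/pictures") and the table from the database.
        PictureResolver resolver = new PictureResolver(
                Paths.get("/var/www/app/pictures"), Map.of("p1", "cyrille.png"));
        System.out.println(resolver.resolve("p1"));
        System.out.println(resolver.resolve("../../WEB-INF/web.xml")); // not a key in the table
        try {
            resolver.confine("../../WEB-INF/web.xml"); // traversal rejected even if it reached here
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```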


Page 19: Xebia Knowledge Exchange - Owasp Top Ten


Insecure Direct Object Reference


Page 20: Xebia Knowledge Exchange - Owasp Top Ten

Insecure Direct Object Reference

What? User-forgeable identifiers are transmitted to the client and used without any server-side control.

Goal? Create, modify, delete, read other users' data.

Sample: the cart id is a plain database key, and the server loads whatever id comes back

    <html><body>
      <form name="shoppingCart">
        <input name="id" type="hidden" value="32" />
        ...
      </form>
    </body></html>

    ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));


Page 21: Xebia Knowledge Exchange - Owasp Top Ten

Insecure Direct Object Reference: How to prevent it?

Input identifier validation: reject wildcards ("10%20")

Add server-side identifiers: the query combines the submitted id with the authenticated user

Control access permissions: see Spring Security

    Criteria criteria = session.createCriteria(ShoppingCart.class);
    criteria.add(Restrictions.like("id", request.getParameter("id")));            // Restrictions.eq would make the wildcard check unnecessary
    criteria.add(Restrictions.like("clientId", request.getRemoteUser()));       // server-side identifier: the logged-in user
    ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();


Page 22: Xebia Knowledge Exchange - Owasp Top Ten

Insecure Direct Object Reference: How to prevent it?

Use server-side indirection with generated random identifiers

See org.owasp.esapi.AccessReferenceMap

Rendering the form: the server issues an indirect reference

    String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());

    <html><body>
      <form name="shoppingCart">
        <input name="id" type="hidden" value="${indirectId}" />
        ...
      </form>
    </body></html>

Handling the request: the indirect reference is translated back server side

    String indirectId = request.getParameter("id");
    String id = accessReferenceMap.getDirectReference(indirectId);
    ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);
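A minimal access reference map of the kind ESAPI provides, written here as an added example (not ESAPI's code nor the presentation's): indirect references are random, scoped to the session object that holds the map, and an unknown value resolves to nothing. Class and method names are mine; the cart id 32 comes from the slide's sample.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Per-session map between real ids and random indirect ones. Keep one instance in the HttpSession:
 *  a reference only resolves in the session that issued it, so a forged "id" parameter maps to nothing. */
public final class RandomAccessReferenceMap {
    private static final SecureRandom RANDOM = new SecureRandom();
    private final Map<Object, String> directToIndirect = new HashMap<>();
    private final Map<String, Object> indirectToDirect = new HashMap<>();

    /** Issues (or reuses) the indirect reference for a direct id such as shoppingCart.getId(). */
    public synchronized String getIndirectReference(Object direct) {
        String indirect = directToIndirect.get(direct);
        if (indirect == null) {
            do {
                byte[] bytes = new byte[12];   // 96 random bits
                RANDOM.nextBytes(bytes);
                indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            } while (indirectToDirect.containsKey(indirect));
            directToIndirect.put(direct, indirect);
            indirectToDirect.put(indirect, direct);
        }
        return indirect;
    }

    /** Resolves the "id" request parameter; an unknown value is treated as an access violation. */
    public synchronized <T> T getDirectReference(String indirect, Class<T> type) {
        Object direct = indirect == null ? null : indirectToDirect.get(indirect);
        if (direct == null) {
            throw new IllegalArgumentException("unknown indirect reference");
        }
        return type.cast(direct);
    }

    public static void main(String[] args) {
        RandomAccessReferenceMap map = new RandomAccessReferenceMap();
        String indirectId = map.getIndirectReference(32L);   // cart id from the slide's sample
        System.out.println("hidden field value: " + indirectId);
        System.out.println("resolved: " + map.getDirectReference(indirectId, Long.class));
        try {
            map.getDirectReference("33", Long.class);  // a guessed direct id does not resolve
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```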


Page 23: Xebia Knowledge Exchange - Owasp Top Ten


Cross Site Request Forgery (CSRF)


Page 24: Xebia Knowledge Exchange - Owasp Top Ten

Cross Site Request Forgery (CSRF)

What? The attacker assumes that the user is logged in to another web site and makes the user's browser send a malicious request to it.

Ajax web sites are very exposed!

Goal? Perform operations without asking the user.

Sample:

    http://mybank.com/transfer.do?amount=100000&recipientAccount=12345


Page 25: Xebia Knowledge Exchange - Owasp Top Ten

Cross Site Request Forgery (CSRF): How to prevent it?

Ensure that no XSS vulnerability exists in your application (an injected script could read the token)

Use a random token in sensitive forms; Spring Web Flow and Struts 2 provide such random token mechanisms

Re-authenticate the user for sensitive operations

    <form action="/transfer.do">
      <input name="token" type="hidden" value="14689423257893257" />
      <input name="amount" />
      ...
    </form>


Page 26: Xebia Knowledge Exchange - Owasp Top Ten


Information Leakage and Improper Exception Handling


Page 27: Xebia Knowledge Exchange - Owasp Top Ten

Information Leakage and Improper Exception Handling

What? Sensitive code details are given away to attackers, usually through raised exceptions.

Goal? Discover code details in order to find vulnerabilities.


Page 28: Xebia Knowledge Exchange - Owasp Top Ten

Information Leakage and Improper Exception Handling

Sample


Page 29: Xebia Knowledge Exchange - Owasp Top Ten

Information Leakage and Improper Exception Handling: How to prevent it?

Avoid detailed error messages. Beware of development mode messages!

web.xml (catch every Throwable with a page that reveals nothing):

    <web-app>
      <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/empty-error-page.jsp</location>
      </error-page>
      ...
    </web-app>

Tomcat (replace the default error report valve, which prints the exception and stack trace):

    <Server ...>
      <Service ...>
        <Engine ...>
          <Host errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve" ...>
            ...
          </Host>
        </Engine>
      </Service>
    </Server>


Page 30: Xebia Knowledge Exchange - Owasp Top Ten

Information Leakage and Improper Exception Handling: How to prevent it?

Don't display stack traces in SOAP Faults

Sanitize GUI error messages. Sample: "Invalid login or password" (the same message whether the login or the password is wrong)


Page 31: Xebia Knowledge Exchange - Owasp Top Ten


Broken Authentication and Session Management


Page 32: Xebia Knowledge Exchange - Owasp Top Ten

Broken Authentication and Session Management

What? Web authentication and session handling have many pitfalls.

Goal? Hijack user sessions.


Page 33: Xebia Knowledge Exchange - Owasp Top Ten

Broken Authentication and Session Management: How to prevent it?

Log session initiation and sensitive data access: remote IP, time, login, sensitive data and operation accessed. Use a dedicated log4j output file that is never overwritten (the daily rolling appender below appends and rolls; it does not truncate).

Use out-of-the-box session and authentication mechanisms. Don't create your own cookies. Look at Spring Security.

    # Audit
    log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
    log4j.appender.audit.datePattern='-'yyyyMMdd
    log4j.appender.audit.file=audit.log
    log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
    log4j.appender.audit.layout.conversionPattern=%m %throwable{short}\n

    log4j.logger.com.mycompany.audit.Audit=INFO, audit
    log4j.additivity.com.mycompany.audit.Audit=false


Page 34: Xebia Knowledge Exchange - Owasp Top Ten

Broken Authentication and Session Management: How to prevent it?

Use SSL and a random token for authentication pages, including the login page display

Regenerate a new session on successful authentication (defeats session fixation)

Use HttpOnly session cookies; don't use URL-rewriting-based session handling

Prevent brute force attacks using timeouts or account locking on authentication failures

Don't store clear text passwords; consider SSHA (salted SHA)


Page 35: Xebia Knowledge Exchange - Owasp Top Ten

Broken Authentication and Session Management: How to prevent it?

Use a session timeout period

Remember-me cookies must be invalidated on password change (see Spring Security)

Beware not to write passwords in log files

Server-generated passwords (lost password, etc.) must be valid only once

Be able to distinguish SSL communications


Page 36: Xebia Knowledge Exchange - Owasp Top Ten

Broken Authentication and Session Management: How to prevent it?

For server-to-server communication, use remote IP control in addition to password validation


Page 37: Xebia Knowledge Exchange - Owasp Top Ten


Insecure Cryptographic Storage


Page 38: Xebia Knowledge Exchange - Owasp Top Ten

Insecure Cryptographic Storage

What? Cryptography has many traps.

Goal? Steal sensitive data.


Page 39: Xebia Knowledge Exchange - Owasp Top Ten

Insecure Cryptographic Storage: How to prevent it?

Don't invent custom cryptography solutions: Java offers approved algorithms for hashing, symmetric key and public key encryption. Double hashing is a custom, weak algorithm.

Don't use weak algorithms: MD5, SHA1, etc. are weak. Prefer SHA-256.

Beware of private key storage: Java doesn't offer a chroot mechanism to limit access to private key files to root. Storing secrets on servers requires expertise.


Page 40: Xebia Knowledge Exchange - Owasp Top Ten


Insecure Communications


Page 41: Xebia Knowledge Exchange - Owasp Top Ten

Insecure Communications

What? Unsecured communications are easy to intercept.

Goal? Steal sensitive data, hijack user sessions.


Page 42: Xebia Knowledge Exchange - Owasp Top Ten

Insecure Communications: How to prevent it?

Use SSL with the Servlet API

Programmatic check:

    request.isSecure()

Declarative, in web.xml (CONFIDENTIAL forces HTTPS for the matched URLs):

    <web-app ...>
      ...
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restricted web services</web-resource-name>
          <url-pattern>/services/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      ...
    </web-app>


Page 43: Xebia Knowledge Exchange - Owasp Top Ten

Insecure Communications: How to prevent it?

Use SSL with Spring Security

    <beans ...>
      <sec:http auto-config="true">
        <sec:intercept-url pattern="/services/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY" />
      </sec:http>
    </beans>
