Improving the security of (web) application software – Not-for-profit organization since 2001 – Raise interest in secure development • Documents – Top 10 – Cheat Sheets – Development Guides • Solutions – Enterprise Security API (ESAPI) – WebScarab – WebGoat
members; --"; // user-input Query query = em.createNativeQuery("SELECT * FROM PHOTO WHERE ID =" + id, Photo.class); Query query2 = em.createNativeQuery("SELECT * FROM MAG WHERE ID ?1", Magazine.class); query2.setParameter(1, id);
• Get access to browser information – E.g. javascript:alert(document.cookie) • Steal user’s session, steal sensitive data • Rewrite web page or parts • Redirect user to phishing or malware site • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
security filter • Not using Container Functionality • No password strength requirements • No HttpSession binding • Way of saving Passwords • Not testing security
whenever possible • If you need custom ones: Test them extremely carefully! • Use transport layer encryption (TLS/SSL) • Use Cookie flags: – secure (avoid clear text transmission)
https://you.com/user/1 => https://you.com/user/21 • Opening opportunities for intruders • Information hiding on the client • Parameter value tampering • Java EE 6 affected: – All layers – Especially data access
Use data-driven security • Always Perform additional data authorization on the view http://app?file=1 http://app?id=7d3J93 http://app?id=9182374 http://app?file=Report123.xls
code executes functions on your behalf while being authenticated • Deep links make this easier • JavaEE 6 affected: – UI technology of choice (e.g. JSF, JSP)
manager • Network interfaces/sockets access control • Relaxed File system access control • Using any defaults like: – Passwords: Admin, master password – Network interface binding: Listening on 0.0.0.0 – Certificates: Self signed certificate • Using a not hardened OS!
version (3.1.2.2) • Enable secure admin (TLS/https) • Use password aliasing • Enable security manager and put forth a proper security policy file • Set correct file system permissions http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
Remove unused grants • Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain. • Document your changes!
plus: – Use Container security (security-constraint) – Use programmatic login of Java EE 6 if needed. – Properly configure security realms – Accurately map roles to principal/groups (auth- constraint / security-role-mapping) – Only allow supported/required HTTP methods – Accurately Categorize the URL patterns and permit the relevant roles for each
• Use container authentication/authorization features or extend on top of them • If not enough use proven frameworks/ products to protect the resources • If user can get /getpic?id=1x118uf it does not mean you should show /getpic?id=1x22ug
– On every level (application, appserver, db) – with the right algorithm and – with the right mechanism • Don’t keep clear text copies • To decrypt and view clear text should be restricted to authorized personnel • Keep the keys as protected as possible (HSM) • Keep offsite encrypted backups in addition to on-site copies
using HTTPS for pages with private information • Using default self signed certificate • Storing unencrypted cookies • Not setting cookies to be securely transmitted Cookie.setSecure(true) • Forgetting about the rest of the infrastructure
• Install the right server certificates to be used by SSL listeners • Properly configure the ORB over SSL listeners if needed (set the right keystore) • Enable auditing under Security and access log under HTTP Service
sensitivity using web-resource-collection • Use user-data-constraint as widely as you need for data integrity and encryption needs • Ensure that login/logout pages (in case of form auth-type) are protected by <transport- guarantee>CONFIDENTIAL</transport- guarantee>
user provided parameters • Forward to another URL computed by user provided parameters http://www.java.net/external?url=http://www.adam- bien.com/roller/abien/entry/conveniently_transactionally_a nd_legally_starting
(e.g container managed and proper security- constraint ) • Redirecting to a user provided parameter, e.g to an external website • Not to validate/verify the target with user’s access level before doing the forward
much as possible • Accurately verify/validate the target URL before forwarding or redirecting • Redirects are safe when using container managed authentication/authorization properly • Forwards happen without authentication and thus requires triple check to prevent unauthorized access.