Real World Java Web Security

Similar documents
Security starts in the head(er)

Sichere Webanwendungen mit Java

Java Web Security Antipatterns

AppSec USA 2014 Denver, Colorado Security Header Injection Module (SHIM)

Recent Advances in Web Application Security

Protecting Web Applications and Users

Secure development and the SDLC. Presented By Jerry

Web Application Security

XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0. Author of OWASP Xenotix XSS Exploit Framework opensecurity.in

Magento Security and Vulnerabilities. Roman Stepanov

Adobe Systems Incorporated

Secure Coding in Node.js

Sichere Software- Entwicklung für Java Entwickler

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

(WAPT) Web Application Penetration Testing

How To Fix A Web Application Security Vulnerability

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Where every interaction matters.

OWASP AND APPLICATION SECURITY

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web Application Vulnerability Testing with Nessus

Web Application Security Assessment and Vulnerability Mitigation Tests

What is Web Security? Motivation

Criteria for web application security check. Version

Enterprise Application Security Workshop Series

Web Application Security

How To Understand And Understand The Security Of A Web Browser (For Web Users)

OWASP Top Ten Tools and Tactics

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

OWASP TOP 10 ILIA

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

APPLICATION SECURITY AND ITS IMPORTANCE

TYPO3 Security. Jochen Weiland CertiFUNcation 2016

How to Build a Trusted Application. John Dickson, CISSP

Sitefinity Security and Best Practices

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

elearning for Secure Application Development

Cloud Security:Threats & Mitgations

Secure Programming Lecture 12: Web Application Security III

Check list for web developers

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Weird New Tricks for Browser Fingerprinting. yan ToorCon 2015

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

IJMIE Volume 2, Issue 9 ISSN:

Testing the OWASP Top 10 Security Issues

Web Application Report

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Thomas Röthlisberger IT Security Analyst

The Top Web Application Attacks: Are you vulnerable?

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

JVA-122. Secure Java Web Development

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Web Application Attacks And WAF Evasion

Addressing Cyber Security in Oracle Utilities Applications

Web Application Security

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Web Application Firewalls Evaluation and Analysis. University of Amsterdam System & Network Engineering MSc

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Web Application Guidelines

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Table of Contents. Page 2/13

Security Testing with Selenium

05.0 Application Development

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

Columbia University Web Security Standards and Practices. Objective and Scope

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Security Basics - Lessons From a Paranoid. Stuart Larsen Yahoo! Paranoids - Pentest

Cloud Security Framework (CSF): Gap Analysis & Roadmap

Next Generation Clickjacking

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Application Security. Petr Křemen.

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

Early Vulnerability Detection for Supporting Secure Programming

Web Application Security

Cloud Security Framework (CSF): Gap Analysis & Roadmap

Ethical Hacking as a Professional Penetration Testing Technique

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Security features of ZK Framework

Web application security

Cross-Site Scripting

MANAGED SECURITY TESTING

Development Processes (Lecture outline)

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Web Security - Hardening estudy

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Web Application Penetration Testing

Transcription:

Real World Java Web Security Java User Group Karlsruhe Dominik Schadow bridgingit

Who thinks about architecture while coding? architecture before coding?

Who thinks about security while coding? security before coding?

OWASP TOP 10 2013 (1) Injection (2) Broken Authentication and Session Management (3) Cross-Site Scripting (XSS) (4) Insecure Direct Object References (5) Security Misconfiguration (6) Sensitive Data Exposure (7) Missing Function Level Access Control (8) Cross-Site Request Forgery (CSRF) (9) Using Components with Known Vulnerabilities (10) Unvalidated Redirects and Forwards

Software that is secure by design Know the web application Know all external entities Identify all data flows Identify all risks

Threat model

Avoid design flaws

Fight the identified threats

Maintain all threat models

Instrument the Browser

Defense in Depth

Force HTTPS

@WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age=31556926"); chain.dofilter(req, response); } // }

@WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age=31556926"); chain.dofilter(req, response); } // }

@WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age=31556926"); chain.dofilter(req, response); } // }

@WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age=31556926"); chain.dofilter(req, response); } // }

@WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age=31556926"); chain.dofilter(req, response); } // }

@WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age=31556926;includesubdomains"); chain.dofilter(req, response); } // }

Prevent framing

response.addheader( "X-Frame-Options", "DENY" );

response.addheader( "X-Frame-Options", "DENY" );

response.addheader( "X-Frame-Options", "DENY" );

response.addheader( "X-Frame-Options", "SAME-ORIGIN" );

response.addheader( "X-Frame-Options", "ALLOW-FROM http://www.safe.de" );

Prevent Cross-Site Scripting

response.addheader( "Content-Security-Policy", "default-src 'self'" );

response.addheader( "Content-Security-Policy", "default-src 'self'" );

response.addheader( "Content-Security-Policy", "default-src 'self'" );

Content Security Policy Directives default-src object-src script-src default if specific directive is not set Sources in object, embed or applet tags Script sources (includes XSLT) connect-src font-src frame-src img-src media-src style-src XMLHttpRequest, WebSocket, Font sources Sources embeddable as frames Image sources Video and audio sources CSS sources (does not include XSLT) www.w3.org/tr/csp

response.addheader( "Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; report-uri CSPReporting" );

response.addheader( "Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; report-uri CSPReporting" );

Violation Report { "document-uri":"http://.../reporting.jsp? name=%3cscript%3ealert(%27xss%27)%3c/script%3e", referrer :"http://www.sample.com/security-header/ index.jsp", "blocked-uri":"self", "violated-directive":"default-src http://www.sample.com", "source-file":"http://.../reporting.jsp? name=%3cscript%3ealert(%27xss%27)%3c/script%3e", "script-sample":"alert('xss')", "line-number":10 }

Content Security Policy Level 2 frame-ancestors Allow resource frame embedding Obsoletes X-Frame-Options header reflected-xss (De-)activate user agent XSS heuristics Obsoletes X-XSS-Protection header child-src form-action plugin-types referrer sandbox Replaces frame-src Form targets to send data to Allowed plug-ins (their MIME type) Referrer URL exposed to others Load resource in restricted sandbox www.w3.org/tr/csp2

response.addheader( "Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'" );

response.addheader( "Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'" );

Demo

And now?

OWASP TOP 10 Proactive Controls (1) Parameterize Queries (2) Encode Data (3) Validate All Inputs (4) Implement Appropriate Access Controls (5) Establish Identity and Authentication Controls (6) Protect Data and Privacy (7) Implement Logging, Error Handling and Intrusion Detection (8) Leverage Security Features of Frameworks and Security Libraries (9) Include Security-Specific Requirements (10) Design and Architect Security in Threat Modeling

Leverage Security Features of Frameworks and Security Libraries

Use it!

Spring Security (Java config) adds headers automatically X-Content-Type-Options Cache-Control X-Frame-Options HTTP Strict Transport Security X-XSS-Protection

Frameworks and libraries decline

<reporting> <plugins><plugin> <groupid>org.owasp</groupid> <artifactid>dependency-check-maven</artifactid> <version>1.3.1</version> <reportsets> <reportset> <reports> <report>aggregate</report> </reports> </reportset> </reportsets> </plugin></plugins> </reporting>

Implement Appropriate Access Controls Establish Identity and Authentication Controls

Standardized building blocks

4E01EF46D8446D1C 10CB5C08EDA69DD1 User usually receives a session id when visiting web application

Demo

Protect Data and Privacy

Slow down brute force attacks

PBKDF2 Iterations against brute force attacks Available in plain Java

Demo

bcrypt Iterations against brute force attacks Integrated in Spring Security

@Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }

@Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }

@Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }

@Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordencoder() { return new BCryptPasswordEncoder(10); } }

scrypt Memory against brute force attacks Best protection against dictionary attacks

Summary

Plan security with threat modeling

Think (like an attacker) during implementation

Keep 3rd party libraries up-to-date

Enjoy secure programming

Königstraße 42 70173 Stuttgart dominik.schadow@bridging-it.de www.bridging-it.de Blog blog.dominikschadow.de Twitter @dschadow Demo Projects github.com/dschadow/javasecurity Microsoft Threat Modeling Tool www.microsoft.com/en-us/sdl/adopt/ threatmodeling.aspx OWASP Dependency Check www.owasp.org/index.php/ OWASP_Dependency_Check OWASP TOP 10 www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project OWASP TOP 10 Proactive Controls www.owasp.org/index.php/ OWASP_Proactive_Controls Recx Security Analyser www.recx.co.uk/products/chromeplugin.php Spring Security projects.spring.io/spring-security Pictures www.dreamstime.com Jobs@bridgingIT www.bridging-it.de/java

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information