Defeating XSS and XSRF with JSF Frameworks



Similar documents
ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Where every interaction matters.

Web Application Security

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

The Top Web Application Attacks: Are you vulnerable?

Web-Application Security

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Magento Security and Vulnerabilities. Roman Stepanov

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Data Breaches and Web Servers: The Giant Sucking Sound

Sichere Software- Entwicklung für Java Entwickler

Check list for web developers

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Essential IT Security Testing

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Security features of ZK Framework

Web Application Guidelines

Testing the OWASP Top 10 Security Issues

Web application security

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Exploits: XSS, SQLI, Buffer Overflow

Dissecting Java Server Faces for Penetration Testing

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

OWASP TOP 10 ILIA

WebCruiser Web Vulnerability Scanner User Guide

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Security Testing with Selenium

Web Application Security Assessment and Vulnerability Mitigation Tests

Penetration from application down to OS

Web Application Report

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

How To Fix A Web Application Security Vulnerability

Columbia University Web Security Standards and Practices. Objective and Scope

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Project 2: Web Security Pitfalls

SQL Injection and XSS

Sitefinity Security and Best Practices

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Cross-Site Scripting

05.0 Application Development

Still Aren't Doing. Frank Kim

Intrusion detection for web applications

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

(WAPT) Web Application Penetration Testing

Enterprise Application Security Workshop Series

Workday Mobile Security FAQ

Network Security Exercise #8

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Implementation of Web Application Firewall

Application Security Vulnerabilities, Mitigation, and Consequences

JWIG Yet Another Framework for Maintainable and Secure Web Applications

SQL INJECTION IN MYSQL

Application Security. Petr Křemen.

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Preparing for the Cross Site Request Forgery Defense

Web Vulnerability Assessment Report

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Passing PCI Compliance How to Address the Application Security Mandates

Advanced Web Security, Lab

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

A Survey on Threats and Vulnerabilities of Web Services

Web Security Testing Cookbook*

Objectives. Security. Fixing Our JSTL Problem. Web Application Architecture. Web Security. A few lines of code can wreak more havoc than a bomb.

OWASP AND APPLICATION SECURITY

How To Write A Web Application Vulnerability Scanner And Security Auditor

New Security Features in Oracle E-Business Suite 12.2

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Cross Site Scripting in Joomla Acajoom Component

Web Application Attacks And WAF Evasion

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Columbia University Web Application Security Standards and Practices. Objective and Scope

Hardening Moodle. Concept and Realization of a Security Component in Moodle. a project by

Auditing Web Applications

Criteria for web application security check. Version

Rational AppScan & Ounce Products

Web Application Security

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Gateway Apps - Security Summary SECURITY SUMMARY

Web Application Penetration Testing

WEB APPLICATION SECURITY

Thick Client Application Security

Transcription:

Defeating XSS and XSRF with JSF Frameworks

About Me Steve Wolf Vice President, Application Security AsTech Consulting, Inc. steve.wolf@astechconsulting.com www.astechconsulting.com OWASP Chapter Lead Sacramento, CA steve.wolf@owasp.org www.linkedin.com/in/swolf530/

JSF Based Frameworks Oracle/Java Reference Implementation Apache MyFaces Family Other Third Party Build your own

Cross Site Scripting Hacker Favorite Persistent XSS Non-persistent XSS

Preventing Cross Site Scripting Validate ALL User Input Context Appropriate Encoding Protect the Cookies

JSF Based Frameworks Validation Frameworks Context Appropriate Encoding Anti-Samy Input Filters Web Application Firewalls

JSF Validation Framework JSF 2.2 Server Side Validation Pre-defined Validation Mechanisms Custom Validators

Pre-defined Validators LongRange Validator <h:inputtext id= num1" value="#{mydatabean.num1}"> <f:validatelongrange minimum="10" maximum="133" /> </h:inputtext> <h:message for= num1" style="color:red" /><br/>

Other Pre-defined Validators LengthValidator <f:validatelength minimum="5" maximum="10" /> DoubleRangeValidator <f:validatedoublerange minimum="10.11" maximum="1000.11 /> RegexValidator <f:validateregex pattern="((?=.*[a-z])(?=.*[a-z]))" /> RequiredValidator <f:validaterequired /> Date Time Validator <f:convertdatetime pattern="d-m-yyy"/>

Custom Validators Validator Class Public class EmailValidator implements Validator { } public void validate(facescontext context, UIComponent } component, Object value) throws ValidatorException { matcher = "^[_A-Za-z0-9-]+(\\." + "[_A-Za-z0-9-]+)*@[A-Za-z0-9]+(\\.[A-Za-z0-9]+)*" + "(\\.[A-Za-z]{2,})$"; if(!matcher.matches()){ } FacesMessage msg = new FacesMessage("E-mail validation failed.", "Invalid E-mail format."); msg.setseverity(facesmessage.severity_error); throw new ValidatorException(msg);

Custom Validators Info.xhtml <h:panelgrid columns="3"> Enter your email : <h:inputtext id="email" value="#{user.email}" size="20" required="true" label="email Address"> <f:validator validatorid="com.myvalidators.emailvalidator" /> </h:inputtext> <h:message for="email" style="color:red" /> </h:panelgrid>

Output Encoding JSF 1.1 Literal text output <h:outputtext value="#{user.name}" /> JSF 2.0 Literal text output using EL #{user.name} Encoding turned off <h:outputtext value="#{user.name}" escape="false" />

Another Technique Jboss SeamTextParser <s:formattedtext value= <b>#{user.name}</b> />

Some Early Flaws Select Items Renderer <f:selectitems value= #{bean.selectitems} var="obj" itemvalue="#{obj}" itemlabel="#{obj.name}"/> JSF Version 1.2 before 1.2_08 Some tags were not rendering escape=true by default. Websphere JSF Widget Library before 7.0.0.10 TreeControl and ResourceServlet allowing XSS. GlassFish Admin Console 2.1 Injection via query string on some pages. Apache MyFaces Tomhawk before 1.1.6 Injections in autoscroll parameter.

Cross Site Request Forgery Tricks the Browser into Sending Requests Susceptible Pages are those that Alter Data Inherits Identity and Privileges of the Victim Usually Initiated through Fiche or XSS

Cross Site Request Forgery Full Protection in JSF 2.2 Post vs. Get Protecting the View State Some earlier JSF based Frameworks

Protecting a Postback Request Post is always Protected Non-Postback Require Config

Protecting a non-postback Request faces-config.xml <protected-views> <url-pattern>my_protected_page.xhtml</url-pattern> </protected-views>

Protecting a non-postback Request URL when Calling the Protected Page http://localhost/faces/my_protected_page.xhtml?javax.faces.token=98791798361565472309342

Using JSF 2.2 Built-in Protection web.xml <env-entry> <env-entry-name> com.sun.faces.clientstatesavingpassword </env-entry-name> <env-entry-type>java.lang.string</env-entry-type> <env-entry-value>my_password</env-entry-value> </env-entry>

Encrypting MyFaces Viewstate web.xml <context-param> <param-name>org.apache.myfaces.use_encryption</param-name> <param-value>true</param-value> </context-param> <context-param> <param-name>org.apache.myfaces.algorithm</param-name> <param-value>aes</param-value> </context-param>

Be Informed About the Implementation Implementations Differ Doc is Not always Good Unit Test your Implementation Corporate Standards

Wrap-up JSF Validation Framework Output Encoding Protect the View State

Defeating XSS and XSRF with JSF Steve Wolf Vice President, Application Security AsTech Consulting, Inc. steve.wolf@astechconsulting.com www.astechconsulting.com OWASP Chapter Lead Sacramento, CA steve.wolf@owasp.org www.linkedin.com/in/swolf530/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information