JSF Input Validation
Source Conference
SOURCE Seattle 2011 - Krishna Raja
1.
JSF Security
© 2011 Security Compass inc.

2.
JSF Input Validation
[Diagram: raw input such as abcd, <script> and 24c;-- passes through validation and comes out as Validated Input]

3.
MyFaces: validateRegExpr Tag
Using the Apache Tomahawk tag library:

    <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %>
    <h:outputLabel for="zip1" value="Zip"/>
    <t:inputText value="#{order.zipCode}" id="zip1">
        <t:validateRegExpr pattern="\d{5}" message="ZIP Code must be 5 digits"/>
    </t:inputText>

4.
Facelets Implementation

    <html ... xmlns:ui="http://java.sun.com/jsf/facelets"
              xmlns:t="http://myfaces.apache.org/tomahawk">
    <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
        <t:validateRegExpr pattern="[a-zA-Z]{1,100}"/>
    </h:inputText>

5.
Demo: Facelets validation

6.
Mojarra Validators

    xmlns:mj="http://mojarra.dev.java.net/mojarra_ext"
    <h:inputText type="text" id="val" value="#{SimpleBean.val}" required="true">
        <mj:regexValidator pattern="[a-zA-Z]{1,50}"/>
    </h:inputText>

There also exists: <mj:creditCardValidator/>

7.
JSF 2.0 Validators
• Part of the JSF 2.0 core tag library
• Can leverage:
  – <f:validateLength …/>
  – <f:validateLongRange …/>
  – <f:validateDoubleRange …/>
  – <f:validateRegex pattern="…"/>

8.
Demo: JSF 2.0 Validators

9.
Other JSF Validation Techniques
• Validation in the action controller
  – Validation tied closely to business logic
  – Dependencies between different fields
• Custom validation methods
  – More complex validation (i.e. the built-in JSF validators don't suit your need)
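The "custom validation methods" bullet above, written out as a JSF 2.0 Validator that applies the same allow-list rule as the ZIP code slide. This is an added example, not code from the talk; the validator id, the bean name and the message text are illustrative, and it assumes the javax.faces 2.0 API.

```java
import java.util.regex.Pattern;

import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

/**
 * Allow-list validator for a five-digit ZIP code. Registered under the id
 * "zipCodeValidator" (illustrative name) so a page can attach it with:
 *   <h:inputText value="#{order.zipCode}" required="true">
 *       <f:validator validatorId="zipCodeValidator"/>
 *   </h:inputText>
 */
@FacesValidator("zipCodeValidator")
public class ZipCodeValidator implements Validator {

    // Exactly five digits. Note the escaped backslash in the Java literal:
    // the regex "d{5}" would only ever accept the literal string "ddddd".
    private static final Pattern ZIP = Pattern.compile("\\d{5}");

    @Override
    public void validate(FacesContext context, UIComponent component, Object value)
            throws ValidatorException {
        // required="true" on the component already rejects null/empty input,
        // so an absent value is not this validator's concern.
        if (value == null) {
            return;
        }
        if (!isValidZip(value.toString())) {
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "ZIP Code must be 5 digits", null);
            // Throwing marks the component invalid; JSF skips Update Model
            // Values and Invoke Application and re-renders the form.
            throw new ValidatorException(msg);
        }
    }

    /**
     * The rule itself, kept free of FacesContext so it can be unit-tested.
     * matches() requires the whole input to match; find() would happily
     * accept "12345" followed by anything else.
     */
    public static boolean isValidZip(String text) {
        return text != null && ZIP.matcher(text).matches();
    }
}
```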
10.
Output Encoding in JSF
[Diagram: <script>alert('xss') with the characters < > ( ) ' highlighted as the ones output encoding must neutralise]

11.
<h:outputText> & <h:outputFormat>

    <h:outputText value="#{param.name}"/>

The escape attribute is set to "true" by default.

    <h:outputFormat value="#{param.name}"/>

12.
Output encoding with Facelets

    <ui:define name="body">
        This will safely encode as an HTML element in a Facelet:
        <h:outputText value="#{SimpleBean.val}">
        </h:outputText>
    </ui:define>

The EL expression is automatically encoded.

13.
But there's a problem …
• <h:outputText> and <h:outputFormat> cannot be used safely within:
  – an HTML attribute
  – JavaScript or CSS
• Similar problem with Facelets ${bean.name}

14.
Problems with RichFaces
• Some tags can lead to XSS
• Never use user-supplied data with:
  – <a4j:loadScript>
  – <a4j:loadStyle>
  – <rich:componentControl>
• Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth>

15.
Solution: OWASP ESAPI EL

    <p>
        <input type="text" value="${esapi:encodeForHTMLAttribute(dangerous)}"/>
    </p>
    <p>
        <script language="javascript">
            var str=${esapi:encodeForJavaScript(dangerous)};
        </script>
    </p>
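To make slides 13 and 15 concrete, here is an added, self-contained Java re-implementation of the two encoding strategies the ESAPI EL functions use (encode every non-alphanumeric character for the target context); it is not the OWASP ESAPI library, whose org.owasp.esapi.Encoder should be used in production. One caveat the slide's script example leaves implicit: a JavaScript-encoded value is only safe inside a quoted string literal, so the example below writes var str = '...'; rather than var str=...;.

```java
/**
 * Context-aware output encoders (added illustration, not ESAPI itself).
 * The element-body escaper at the bottom stands in for what
 * <h:outputText escape="true"> does, to show why that is not enough
 * inside an attribute value or a <script> block.
 */
public final class ContextEncoder {

    private ContextEncoder() {}

    private static boolean isAlnum(int c) {
        return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
    }

    /**
     * For a quoted HTML attribute value. Every non-alphanumeric code point
     * becomes a numeric character reference, so quotes, spaces and '=' can
     * neither close the attribute nor start a new one.
     */
    public static String encodeForHTMLAttribute(String input) {
        StringBuilder out = new StringBuilder(input.length() * 3);
        input.codePoints().forEach(cp -> {
            if (isAlnum(cp)) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        });
        return out.toString();
    }

    /**
     * For a quoted JavaScript string literal. Encoded per UTF-16 unit:
     * \xHH for the Latin-1 range, \uHHHH above it, so the result can contain
     * neither a closing quote nor the sequence "</script>".
     */
    public static String encodeForJavaScript(String input) {
        StringBuilder out = new StringBuilder(input.length() * 4);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (isAlnum(c)) {
                out.append(c);
            } else if (c < 0x100) {
                out.append(String.format("\\x%02x", (int) c));
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    /**
     * Minimal element-body escaping of the HTML metacharacters only. Spaces,
     * '=' and single quotes pass through untouched, which is exactly why this
     * level of escaping is unsafe in attribute and script contexts.
     */
    public static String escapeHtmlBody(String input) {
        return input.replace("&", "&amp;").replace("<", "&lt;")
                    .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        // Constructed sample, taken from the slide's own illustration.
        String dangerous = "<script>alert('xss')</script>";
        System.out.println("<input type=\"text\" value=\"" + encodeForHTMLAttribute(dangerous) + "\"/>");
        System.out.println("var str = '" + encodeForJavaScript(dangerous) + "';");
        System.out.println("<p>" + escapeHtmlBody(dangerous) + "</p>");
    }
}
```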
16.
Demo: ESAPI encoding

17.
Page Level Authorization

18.
ESAPI AccessController
• Interface that provides access control for:
  – URLs
  – Business functions
  – Data services & files
• Contains:
  – assertAuthorizedForURL(String URL)

19.
Demo: AccessController
20.
Defending Against CSRF
Anti-CSRF tokens

21.
What about JSF "view state"?
• javax.faces.STATE_SAVING_METHOD
  – Can save and restore the state of the view between requests to the server
STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ???

22.
Problem: Padding Oracle Attack
• Recently discovered exploit against CBC-mode encryption with PKCS#5 padding
• Incorrect padding can result in javax.crypto.BadPaddingException
• Can be used to decrypt the saved view state (STATE_SAVING_METHOD)

23.
Solution: OWASP CSRFGuard
• Version 3 recently released!
• Library that injects per-session or per-request tokens into HTML
• Can use 2 strategies to inject the token:
  – JavaScript DOM manipulation
  – JSP tag library

24.
Demo: Anti-CSRF Tokens
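The per-session token strategy from slides 20 to 23, shown as a hand-written JSF PhaseListener so the mechanism is visible; this is an added example, not CSRFGuard and not the talk's demo. It assumes the JSF 2.0 and Servlet APIs plus Java 8 (for java.util.Base64); the session key, parameter name and package are illustrative, and rendering the hidden field into each form (the job CSRFGuard automates) is left to the page as shown in the comment.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletRequest;

/**
 * Rejects any POST that does not carry the session's anti-CSRF token.
 * Register in faces-config.xml:
 *   <lifecycle><phase-listener>example.CsrfTokenPhaseListener</phase-listener></lifecycle>
 * and embed the token in every form, for example:
 *   <input type="hidden" name="csrfToken" value="#{sessionScope.csrfToken}"/>
 * Unlike the view state, the token is random, unguessable and never encrypted
 * with a key an attacker could recover through a padding oracle.
 */
public class CsrfTokenPhaseListener implements PhaseListener {

    public static final String SESSION_KEY = "csrfToken"; // illustrative name
    public static final String PARAM_NAME = "csrfToken";  // illustrative name
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public PhaseId getPhaseId() {
        // Run before any action or model update can execute.
        return PhaseId.RESTORE_VIEW;
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        // Nothing to do until the view has been restored.
    }

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        ExternalContext ext = ctx.getExternalContext();
        // Ensure a token exists so the next rendered form can embed it.
        String expected = currentToken(ext);
        HttpServletRequest req = (HttpServletRequest) ext.getRequest();
        if (!"POST".equalsIgnoreCase(req.getMethod())) {
            return; // state-changing work must not happen on GET anyway
        }
        String supplied = req.getParameter(PARAM_NAME);
        if (supplied == null || !constantTimeEquals(expected, supplied)) {
            ext.setResponseStatus(403);
            ctx.responseComplete(); // skip the remaining lifecycle phases
        }
    }

    /** Returns the session's token, minting a fresh random one on first use. */
    public static String currentToken(ExternalContext ext) {
        Map<String, Object> session = ext.getSessionMap();
        synchronized (ext.getSession(true)) {
            String token = (String) session.get(SESSION_KEY);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.put(SESSION_KEY, token);
            }
            return token;
        }
    }

    /** Compares without leaking the position of the first mismatching byte. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```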