OWASP Security Top Ten

                www.xebia.fr / blog.xebia.fr
OWASP Security Top Ten

   This presentation is based on
   OWASP Top 10 For Java EE
   The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications
   http://www.owasp.org/index.php/Top_10_2007

Cross Site Scripting (XSS)
Cross Site Scripting (XSS)

   What?
     A subset of HTML injection: data supplied by a malicious user is rendered
     into a web page and executes as script in other users' browsers

   Goal?
     Hijack user sessions, steal user data, deface the web site, etc.

   Sample
     lastName:   Cyrille "><script ... />

Cross Site Scripting (XSS)
How to prevent it?
   Input validation: JSR 303 Bean Validation
     Validation narrows what reaches the application (length, character set,
     format), but it is not an XSS defence on its own: a legitimate name such
     as O'Brien still contains a quote, so output escaping (next slide) is what
     actually prevents the injection.

   Bean

            import javax.validation.constraints.Pattern;
            import javax.validation.constraints.Size;

            public class Person {
              @Size(min = 1, max = 256)
              private String lastName;

              @Size(max = 256)
              @Pattern(regexp = ".+@.+\\.[a-z]+")
              private String email;
              ...
            }

   Controller

            import javax.validation.Valid;
            import org.springframework.stereotype.Controller;
            import org.springframework.web.bind.annotation.RequestMapping;
            import org.springframework.web.bind.annotation.RequestMethod;

            @Controller
            @RequestMapping("/person")
            public class PersonController {

              @RequestMapping(method = RequestMethod.POST)
              public void save(@Valid Person person) {
                // Spring MVC raises a BindException before this line runs
                // if any constraint on Person fails
                // ...
              }
            }

Cross Site Scripting (XSS)
How to prevent it?
   HTML output escaping
     JSTL: <c:out> escapes &, <, >, " and ' by default
              <h2>Welcome <c:out value="${person.lastName}" /></h2>

     Expression language danger: JSP EL does NOT escape!
              <h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>

     Escaping is context dependent: HTML entity escaping is right for element
     bodies and quoted attributes, but not inside a <script> block, an event
     handler attribute or a URL, where the matching encoder for that context is
     needed instead.

     Spring MVC
       » Global escaping for Spring's form and bind tags (does not affect raw ${...} EL)
              <web-app>
                <context-param>
                  <param-name>defaultHtmlEscape</param-name>
                  <param-value>true</param-value>
                </context-param>
                ...
              </web-app>
       » Page level
              <spring:htmlEscape defaultHtmlEscape="true" />

Cross Site Scripting (XSS)
How to prevent it?
   Use HttpOnly cookies
     Cookies not accessible via JavaScript (document.cookie), so a successful
     XSS cannot simply read the session id. The injected script can still send
     requests that carry the cookie, so this limits the damage, it does not
     remove the XSS.

     Introduced with Servlet 3.0
         cookie.setHttpOnly(true);

     Servlet 3.0 also lets web.xml set the flag on JSESSIONID itself, through
     <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>
     (the same element takes <secure>true</secure>)

     Since Tomcat 6.0.20 for session cookies
         <Context useHttpOnly="true">
         ...
         </Context>

     Manual workaround (before Servlet 3.0)
         response.setHeader("Set-Cookie", "foo=" + bar + "; HttpOnly");
       bar must never contain user-controlled text: a ";" or a CR/LF inside it
       would let the caller add cookie attributes or whole headers

Cross Site Scripting (XSS)
How to prevent it?
   Do not use blacklist validation but whitelist
     Blacklists are bypassed with encoding tricks and with the tags you forgot:
     forbidding <script> and <img> still leaves <svg onload=...>,
     <a href="javascript:...">, etc.
     Prefer wiki/forum whitelist-style markup: [img], [url], [strong], which the
     application turns into HTML after all user text has been escaped

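Putting the two previous slides together (escape everything first, then re-enable only listed markup), as an added example that is not part of the original deck: the `SafeMarkup` class, its method names and the constructed sample inputs are this example's own, not Xebia's or OWASP's code. URLs inside [url] and [img] are restricted to http(s), so `javascript:` links stay plain escaped text.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the original slides): HTML-escape all user text,
 * then translate a small allowlist of wiki-style markup into HTML.
 */
public final class SafeMarkup {

    /** HTML-escape for element bodies and double-quoted attribute values. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Allowlisted markup. These run on already-escaped text, so the captured
    // groups cannot contain <, >, " or ' and cannot break out of an attribute.
    private static final Pattern STRONG =
        Pattern.compile("\\[strong\\](.*?)\\[/strong\\]", Pattern.DOTALL);
    private static final Pattern URL =
        Pattern.compile("\\[url=(https?://[^\\s\\]\"'<>]+)\\](.*?)\\[/url\\]", Pattern.DOTALL);
    private static final Pattern IMG =
        Pattern.compile("\\[img\\](https?://[^\\s\\]\"'<>]+)\\[/img\\]");

    /** Renders user input: everything escaped, then only [strong], [url], [img] become tags. */
    public static String render(String userInput) {
        String html = escapeHtml(userInput);                     // neutralise <script>, "> ...
        html = STRONG.matcher(html).replaceAll("<strong>$1</strong>");
        html = URL.matcher(html).replaceAll("<a href=\"$1\" rel=\"nofollow\">$2</a>");
        html = IMG.matcher(html).replaceAll("<img src=\"$1\" alt=\"\" />");
        return html;
    }

    public static void main(String[] args) {
        // Constructed inputs: the slide's payload and a forum post mixing good and bad markup.
        String lastName = "Cyrille \"><script>alert(document.cookie)</script>";
        System.out.println("<h2>Welcome " + escapeHtml(lastName) + "</h2>");

        String post = "See [url=http://example.com/?a=1&b=2]this[/url] and [strong]<b>bold</b>[/strong] "
                + "[url=javascript:alert(1)]not a link[/url]";
        System.out.println(render(post));
    }
}
```

The first line prints the name with `&quot;&gt;&lt;script&gt;...` instead of a live script tag; in the second, `&` in the allowed URL has already become `&amp;`, which is exactly what an href needs, the `<b>` inside [strong] stays escaped, and the `javascript:` URL is left as text because the pattern only accepts http(s).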
Injection Flaws
Injection Flaws

   What?
     Malicious data supplied by the user reaches an interpreter and is parsed
     as part of the query or command instead of as a plain value
     Types of injection: SQL, Hibernate Query Language (HQL), LDAP, XPath,
     XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more

   Goal?
     Create, modify, delete, read data

   Sample
     lastName: Cyrille '; INSERT INTO MONEY_TRANSFER ...

Injection Flaws
How to prevent it?
   Input validation
     XSD with regular expressions, min and max values, etc.
     JSR 303 Bean Validation
     Validation is a first filter only; the real fix is to keep data and code
     apart with parameterized APIs (next slides)

Injection Flaws
How to prevent it?
   Use strongly typed parameterized query APIs: the value is handed to the
   driver or library separately from the query text, so it can never change
   the structure of the query
     JDBC
        preparedStatement.setString(1, lastName);

     JPA
        query.setParameter("lastName", lastName);

     HTTP (Commons HttpClient 3.x)
        GetMethod getMethod = new GetMethod("/findPerson");
        getMethod.setQueryString(new NameValuePair[] { new NameValuePair("lastName", lastName) });

     XML (DOM)
        Element lastNameElt = doc.createElement("lastName");
        lastNameElt.appendChild(doc.createTextNode(lastName));

     XPath :-(
        The expression language has no parameter syntax, but JAXP lets you bind
        $variables through javax.xml.xpath.XPathVariableResolver instead of
        concatenating strings

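The XPath case from the list above, as an added example that is not from the slides: the `XPathLookup` class and the in-memory users document are constructed for this example; `XPathVariableResolver` is the standard JAXP interface. The same login lookup is run twice against a tautology payload, once with string concatenation and once with bound variables.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example: XPath injection and its fix with JAXP variable binding. */
public final class XPathLookup {

    // Constructed sample document standing in for a user store.
    private static final String USERS_XML =
        "<users>"
      + "  <user><name>cyrille</name><password>s3cret</password></user>"
      + "  <user><name>admin</name><password>hunter2</password></user>"
      + "</users>";

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Vulnerable: user-controlled values are spliced into the expression text. */
    public static int countUnsafe(Document doc, String name, String password) throws Exception {
        String expr = "/users/user[name='" + name + "' and password='" + password + "']";
        NodeList hits = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    /** Safe: values are bound to $name and $password and never parsed as XPath syntax. */
    public static int countSafe(Document doc, final String name, final String password) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName var) {
                if ("name".equals(var.getLocalPart())) return name;
                if ("password".equals(var.getLocalPart())) return password;
                return null;
            }
        });
        NodeList hits = (NodeList) xpath.evaluate(
                "/users/user[name=$name and password=$password]", doc, XPathConstants.NODESET);
        return hits.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String attack = "' or '1'='1";                             // classic tautology payload
        System.out.println(countUnsafe(doc, "admin", attack));     // 2: the predicate is true for every user
        System.out.println(countSafe(doc, "admin", attack));       // 0: password compared as a literal string
        System.out.println(countSafe(doc, "admin", "hunter2"));    // 1: the real credentials still work
    }
}
```

With concatenation the predicate becomes `name='admin' and password='' or '1'='1'`, which matches every user; with the resolver the payload is just a string that no password equals.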
Injection Flaws
How to prevent it?
   Caution!
   If not, use escaping libraries very cautiously!!!
     The escaper must match the context the data ends up in; the wrong one, or
     the right one applied once for two nested contexts, does not protect you
     HTML (Commons Lang StringEscapeUtils)
        "<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";

     JavaScript string literal
        "lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";

     HTTP query parameter
        "/findPerson?lastName=" + URLEncoder.encode(lastName, "UTF-8");

     XML
        "<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";

   Don't use home-made escaping functions!
        StringUtils.replaceChars(lastName, "'", "''");
     Doubling quotes covers one SQL dialect's string literals and nothing else
     (no backslash escapes, no numeric contexts, no LIKE wildcards), and the
     call above does not even do that: replaceChars maps characters one to one,
     so the second quote in "''" is ignored

Injection Flaws
How to prevent it?
   Don't use dynamic queries at all!
   Vulnerable: the filter value is concatenated into the JPQL text
      if (StringUtils.isNotEmpty(lastName)) {
          jpaQl += " lastName like '" + lastName + "'";
      }

   Criteria API (Hibernate Criteria shown; JPA 2 offers the equivalent CriteriaBuilder)
      if (StringUtils.isNotEmpty(lastName)) {
          criteria.add(Restrictions.like("lastName", lastName));
      }

   JPA 1 Query API: build the query text with placeholders, bind the values afterwards
      Map<String, Object> parameters = new HashMap<String, Object>();
      if (StringUtils.isNotEmpty(lastName)) {
          jpaQl += " lastName like :lastName ";
          parameters.put("lastName", lastName);
      }
      Query query = entityManager.createQuery(jpaQl);
      for (Entry<String, Object> parameter : parameters.entrySet()) {
          query.setParameter(parameter.getKey(), parameter.getValue());
      }

   With both safe forms the LIKE wildcards % and _ typed by the user still reach
   the database; escape them or use an equality match if the user is not meant
   to search by pattern

Injection Flaws
How to prevent it?
   Enforce least privilege
     Don't run as root
     Limit the database account to Data Manipulation Language (no DDL, no
     GRANT, no file or shell procedures)
     Limit file system access
     Use firewalls to control traffic from the Internet in and from the
     servers out

Malicious File Execution
Malicious File Execution

   What?
     A file or file path supplied by the user is used to open, include or
     execute files on the server

   Goal?
     Read or modify sensitive data
     Remotely execute code (rootkits, etc.)

   Sample
     pictureName: ../../WEB-INF/web.xml

Malicious File Execution
How to prevent it?
     Don't build file paths from user provided data. Vulnerable:

       String picturesFolder = servletContext.getRealPath("/pictures");
       String pictureName = request.getParameter("pictureName");
       File picture = new File(picturesFolder + "/" + pictureName);

       If a file name must come from the user, restrict it to a strict
       character set and check that its canonical path is still inside the
       folder

     Don't execute commands with user provided data. Vulnerable:

       Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));

     Use an indirection identifier to users (the user sends a key, the server
     maps it to a path it chose itself)

     Use firewalls to prevent servers from connecting to outside sites (egress
     filtering), so a remotely hosted payload cannot be fetched

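A hardened version of the two vulnerable snippets above, added here and not part of the original slides: `PictureService`, its method names and the temporary sample file are this example's own. The `imageprocessor` command is the hypothetical tool named on the slide; `main()` exercises the path check only and does not run it.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.regex.Pattern;

/** Added example: safe file resolution and command execution from a user-supplied name. */
public final class PictureService {

    // Plain file names only: no separators, no "..", no shell metacharacters.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+\\.(png|jpg|gif)");

    private final File picturesFolder;

    public PictureService(File picturesFolder) throws IOException {
        this.picturesFolder = picturesFolder.getCanonicalFile();
    }

    /**
     * Resolves a user-supplied name inside the pictures folder. The regex fails
     * fast; the canonical-path prefix check is the real barrier, since it also
     * resolves symlinks that point outside the folder.
     */
    public File resolve(String pictureName) throws IOException {
        if (pictureName == null || !SAFE_NAME.matcher(pictureName).matches()) {
            throw new IllegalArgumentException("invalid picture name");
        }
        File candidate = new File(picturesFolder, pictureName).getCanonicalFile();
        if (!candidate.getPath().startsWith(picturesFolder.getPath() + File.separator)) {
            throw new SecurityException("path escapes pictures folder: " + pictureName);
        }
        return candidate;
    }

    /**
     * Runs the hypothetical "imageprocessor" tool on a validated picture. The
     * arguments go through ProcessBuilder as a String[], so no shell ever parses
     * the user's input and "; rm -rf /" cannot become a second command.
     */
    public Process process(String pictureName) throws IOException {
        File picture = resolve(pictureName);
        return new ProcessBuilder("imageprocessor", picture.getPath()).start();
    }

    public static void main(String[] args) throws IOException {
        File folder = Files.createTempDirectory("pictures").toFile();   // constructed sample folder
        new File(folder, "cat.png").createNewFile();
        PictureService svc = new PictureService(folder);

        System.out.println(svc.resolve("cat.png"));                      // .../pictures.../cat.png
        for (String bad : new String[] { "../../WEB-INF/web.xml", "/etc/passwd", "cat.png; rm -rf /" }) {
            try {
                svc.resolve(bad);
            } catch (RuntimeException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

All three bad names are stopped by the character-set check; the canonical-path comparison is kept anyway because a symlink named `cat.png` pointing at `/etc` would pass the regex and only the prefix check would catch it.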
Insecure Direct Object Reference
Insecure Direct Object Reference

   What?
     Transmitting user-forgeable identifiers (database keys, file names)
     without checking, server side, that the caller may access that object

   Goal?
     Create, modify, delete, read other users' data

   Sample: nothing ties cart 32 to the logged-in user, so any client can
   submit id=33 and read someone else's cart
        <html><body>
        <form name="shoppingCart">
         <input name="id" type="hidden" value="32" />
         ...
        </form>
        </body></html>

        ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class,
                Long.valueOf(req.getParameter("id")));

Insecure Direct Object Reference
How to prevent it?
   Input identifier validation
     parse the id as a number and reject anything else, including wildcards ("10%20")

   Add server side identifiers: scope the lookup to the current user
    Criteria criteria = session.createCriteria(ShoppingCart.class);
    criteria.add(Restrictions.eq("id", Long.valueOf(request.getParameter("id"))));
    criteria.add(Restrictions.eq("clientId", request.getRemoteUser()));

    ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();
    // null means "does not exist or not yours": treat both cases the same way

   Control access permissions
     See Spring Security (method security, ACL module)

Insecure Direct Object Reference
How to prevent it?
   Use server side indirection with generated random references
    String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());

    <html><body>
    <form name="shoppingCart">
     <input name="id" type="hidden" value="${indirectId}" />
     ...
    </form>
    </body></html>

    String indirectId = request.getParameter("id");
    Long id = (Long) accessReferenceMap.getDirectReference(indirectId);
    ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);

     See org.owasp.esapi.AccessReferenceMap (keep one map per user session:
     a map shared by all users only renames the direct ids)

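An in-memory indirection map of the kind the slide describes, added as an example: it is neither ESAPI's code nor the deck's. `IndirectReferences` and its two method names mirror the calls used above; one instance per user session is assumed, which `main()` simulates with two separate instances.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: per-session map from opaque random tokens to real object ids.
 * Store one instance in the HttpSession and never share it between users.
 */
public final class IndirectReferences {

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Object> indirectToDirect = new HashMap<>();
    private final Map<Object, String> directToIndirect = new HashMap<>();

    /** Returns the token for a direct id, generating it on first use. */
    public synchronized String getIndirectReference(Object directId) {
        String indirect = directToIndirect.get(directId);
        if (indirect == null) {
            byte[] bytes = new byte[16];                       // 128 random bits: not guessable
            do {
                random.nextBytes(bytes);
                indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            } while (indirectToDirect.containsKey(indirect));
            indirectToDirect.put(indirect, directId);
            directToIndirect.put(directId, indirect);
        }
        return indirect;
    }

    /** Maps a token back; unknown tokens (forged, or another user's) are rejected. */
    public synchronized Object getDirectReference(String indirectId) {
        Object direct = indirectToDirect.get(indirectId);
        if (direct == null) {
            throw new SecurityException("unknown reference");
        }
        return direct;
    }

    public static void main(String[] args) {
        IndirectReferences forAlice = new IndirectReferences();   // lives in Alice's session
        IndirectReferences forBob = new IndirectReferences();     // lives in Bob's session

        // Alice's cart has database id 32; her page carries only the token.
        String aliceToken = forAlice.getIndirectReference(32L);
        System.out.println("hidden field value for Alice: " + aliceToken);
        System.out.println("resolves to cart " + forAlice.getDirectReference(aliceToken)); // 32

        // The same token replayed from Bob's session, or a guessed "33", is refused.
        for (String forged : new String[] { aliceToken, "33" }) {
            try {
                forBob.getDirectReference(forged);
            } catch (SecurityException e) {
                System.out.println("Bob: rejected " + forged);
            }
        }
    }
}
```

Because the map is per session, a token is meaningful only to the user it was issued to; the database id never leaves the server, so there is nothing for the client to increment.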
Cross Site Request Forgery (CSRF)
Cross Site Request Forgery (CSRF)

   What?
     The attacker's page makes the victim's browser send a request to a site
     where the victim is already logged in; the browser attaches the session
     cookie, so the site treats the request as the victim's own
     Ajax web sites are very exposed!

   Goal?
     Perform operations without the user's knowledge

   Sample (an <img> or auto-submitted form on any page pointing at)
    http://mybank.com/transfer.do?amount=100000&recipientAccount=12345

Cross Site Request Forgery (CSRF)
How to prevent it?
   Ensure that no XSS vulnerability exists in your application: a script
   running in the page can read the anti-CSRF token and defeat it

   Use a random token in sensitive forms, stored in the session and checked on
   every state-changing request (and never perform such operations on GET)
     <form action="/transfer.do" method="post">
       <input name="token" type="hidden" value="14689423257893257" />
       <input name="amount" />
       ...
     </form>

     Spring Web Flow and Struts 2 provide such random token mechanisms

   Re-authenticate the user for sensitive operations

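Token generation and checking for the form above, added as an example (not from the slides, and not Spring Web Flow's or Struts 2's implementation): `CsrfToken` and its method names are this example's own. The token is created once at login and kept in the HttpSession; the comparison would run in a servlet filter on every POST.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example: session-bound anti-CSRF token. */
public final class CsrfToken {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** One token per session: generate at login, store as a session attribute. */
    public static String newToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * Compares the token submitted with the form to the one in the session.
     * MessageDigest.isEqual is constant-time, so response timing does not leak it.
     */
    public static boolean isValid(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    /** The hidden field for the form; the base64url alphabet needs no HTML escaping. */
    public static String hiddenField(String sessionToken) {
        return "<input name=\"token\" type=\"hidden\" value=\"" + sessionToken + "\" />";
    }

    public static void main(String[] args) {
        String sessionToken = newToken();                              // session.setAttribute("csrfToken", ...)
        System.out.println(hiddenField(sessionToken));

        // Legitimate POST: the form rendered by the site carries the token.
        System.out.println(isValid(sessionToken, sessionToken));       // true

        // Forged request from another origin: the attacker cannot read the
        // victim's page, so the parameter is missing or wrong.
        System.out.println(isValid(sessionToken, null));                // false
        System.out.println(isValid(sessionToken, newToken()));          // false
    }
}
```

In the filter, `isValid((String) session.getAttribute("csrfToken"), request.getParameter("token"))` gates every request that changes state; rejecting with a 403 rather than re-rendering the form keeps the token out of error pages.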
Information Leakage and Improper Exception Handling
Information Leakage and Improper Exception Handling

   What?
     Sensitive implementation details (stack traces, SQL, versions, paths)
     given away to attackers
     Usually through unhandled exceptions

   Goal?
     Discover code details in order to find vulnerabilities

Information Leakage and Improper Exception Handling

   Sample (image not reproduced in this extraction)

Information Leakage and Improper Exception Handling
How to prevent it?
   Avoid detailed error messages
     Beware of development mode messages!
     web.xml: catch every exception, and add <error-code> entries (404, 500)
     as well, since errors raised by the container itself are not matched by
     <exception-type>

           <web-app>
            <error-page>
                <exception-type>java.lang.Throwable</exception-type>
                <location>/empty-error-page.jsp</location>
            </error-page>
            ...
           </web-app>

     Tomcat: replace the default ErrorReportValve (its page shows the Tomcat
     version and, for exceptions, the stack trace) with a silent one
           <Server ...>
            <Service ...>
              <Engine ...>
                <Host
                 errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve"
                 ...>
                   ...
                </Host>
              </Engine>
            </Service>
           </Server>

     Log the full exception server side before showing the generic page,
     otherwise the detail is lost for your own diagnosis too

Information Leakage and Improper Exception Handling
How to prevent it?
   Don't return stack traces in SOAP Faults (disable the fault detail in
   production)

   Sanitize GUI error messages
     Sample: "Invalid login or password" (not "unknown user" versus "wrong
     password", which lets an attacker enumerate valid accounts)

Broken Authentication and Session Management
Broken Authentication and Session Management

   What?
     Web authentication and session handling have many pitfalls (credential
     storage, session ids, logout, remember-me, password recovery)

   Goal?
     Hijack user sessions or impersonate users

Broken Authentication and Session Management
How to prevent it?
   Log session initiation and sensitive data access
     Remote IP, time, login, sensitive data & operation accessed
     Use a dedicated log4j appender that appends and rolls, never overwrites
     (and never log the credentials themselves)

          #Audit
          log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
          log4j.appender.audit.datePattern='-'yyyyMMdd
          log4j.appender.audit.file=audit.log
          log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
          log4j.appender.audit.layout.conversionPattern=%d{ISO8601} %m %throwable{short}%n

          log4j.logger.com.mycompany.audit.Audit=INFO, audit
          log4j.additivity.com.mycompany.audit.Audit=false

   Use out of the box session and authentication mechanisms
     Don't create your own cookies
     Look at Spring Security

Broken Authentication and Session Management
How to prevent it?
   Use SSL and a random token for authentication pages, including the login
   page display (a login form served over HTTP can be rewritten in transit to
   post the password elsewhere)

   Regenerate a new session id on successful authentication (prevents
   session fixation)

   Use HttpOnly session cookies, don't use URL rewriting based session
   handling (the id then leaks in logs, bookmarks and Referer headers)

   Prevent brute force attacks using delays or account locking after
   repeated authentication failures

   Don't store clear text passwords; a salted hash (SSHA) is the minimum, and
   a slow, iterated algorithm (PBKDF2, bcrypt) is the right choice, because a
   single SHA round is fast enough to brute-force offline

Broken Authentication and Session Management
How to prevent it?
   Use a session timeout period

   Remember Me cookies must be invalidated on password change (see Spring
   Security)

   Beware not to write passwords in log files

   Server generated passwords (lost password, etc.) must be valid only once
   and for a short time

   Be able to tell, server side, whether a request came in over SSL
   (request.isSecure()), so that credentials are refused on plain HTTP

   For server to server communication, use source IP restriction in addition
   to password validation

Insecure Cryptographic Storage
Insecure Cryptographic Storage

   What?
     Cryptography has many traps (weak algorithms, home-made schemes, keys
     stored next to the data they protect)

   Goal?
     Steal sensitive data

Insecure Cryptographic Storage
How to prevent it?
   Don't invent custom cryptography solutions
     Java (JCA/JCE) offers approved algorithms for hashing, symmetric key and
     public key encryption
     Double hashing is a custom, weak construction: hash(hash(x)) is barely
     harder to brute-force than hash(x); what makes a password hash slow is a
     salt plus a large, tunable iteration count

   Don't use weak algorithms
     MD5 / SHA1, etc. are weak. Prefer SHA-256 (and, for passwords, an
     iterated salted scheme such as PBKDF2 rather than a bare hash)

   Beware of private key storage
     The JVM cannot restrict which OS users may read a keystore file; rely on
     file system permissions, a dedicated service account and, where
     available, an HSM or key management service
     Storing secrets on servers requires expertise

Insecure Communications
Insecure Communications

   What?
     Unencrypted communications are easy to eavesdrop on and tamper with

   Goal?
     Steal sensitive data, hijack user sessions

Insecure Communications
How to prevent it?
   Use SSL with the Servlet API

      request.isSecure()

     Behind a TLS-terminating load balancer or reverse proxy the container
     sees plain HTTP, so isSecure() is false unless the connector is told the
     request was secure (e.g. Tomcat's RemoteIpValve reading the
     X-Forwarded-Proto header)

      <web-app ...>
       ...
       <security-constraint>
           <web-resource-collection>
            <web-resource-name>restricted web services</web-resource-name>
            <url-pattern>/services/*</url-pattern>
           </web-resource-collection>
           <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
           </user-data-constraint>
       </security-constraint>
       ...
      </web-app>

     CONFIDENTIAL makes the container redirect HTTP requests to HTTPS; a
     session cookie issued before that redirect has already travelled in
     clear, so mark the session cookie Secure as well

Insecure Communications
How to prevent it?
   Use SSL with Spring Security (2.x/3.x namespace configuration)

      <beans ...>

       <sec:http auto-config="true">
        <sec:intercept-url
          pattern="/services/**"
          requires-channel="https"
          access="IS_AUTHENTICATED_FULLY" />
       </sec:http>

      </beans>

     requires-channel="https" redirects plain requests to the HTTPS port; the
     same caveat applies when TLS terminates in front of the container


Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Último (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Xebia Knowledge Exchange - Owasp Top Ten

  • 1. OWASP Security Top Ten OWASP top ten www.xebia.fr / blog.xebia.fr
  • 2. OWASP Security Top Ten
    This presentation is based on OWASP Top 10 For Java EE: The Ten Most Critical Web Application Security Vulnerabilities For Java Enterprise Applications
    http://www.owasp.org/index.php/Top_10_2007
  • 3. Cross Site Scripting (XSS) www.xebia.fr / blog.xebia.fr
  • 4. Cross Site Scripting (XSS)
    What ?
      - Subset of HTML injections
      - Data provided by malicious users is rendered in web pages and executes scripts
    Goal ?
      - Hijack user session, steal user data, deface web site, etc
    Sample
      lastName: Cyrille "><script ... />
  • 5. Cross Site Scripting (XSS) - How to prevent it ?
    - Input Validation : JSR 303 Bean Validation
      Bean:
        public class Person {
          @Size(min = 1, max = 256)
          private String lastName;

          @Size(max = 256)
          @Pattern(regexp = ".+@.+\\.[a-z]+")
          private String email;
          ...
        }
      Controller:
        @Controller("/person")
        public class PersonController {
          @RequestMapping(method = RequestMethod.POST)
          public void save(@Valid Person person) {
            // ...
          }
        }
  • 6. Cross Site Scripting (XSS) - How to prevent it ?
    - HTML output escaping
      - JSTL escapes:
          <h2>Welcome <c:out value="${person.lastName}" /></h2>
      - Expression language danger: EL does NOT escape !!!
          <h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>
    - Spring MVC
      » Global escaping
          <web-app>
            <context-param>
              <param-name>defaultHtmlEscape</param-name>
              <param-value>true</param-value>
            </context-param>
            ...
          </web-app>
      » Page level
          <spring:htmlEscape defaultHtmlEscape="true" />
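To make the escaping rule concrete, here is an added example (written for this page, not code from the Xebia deck, JSTL or Spring): a minimal HTML escaper applied to the slide 4 sample in text context and in attribute context. The class name HtmlEscaper and its methods are assumptions of the example; in a real application the JSTL/Spring mechanisms above or a library call such as the StringEscapeUtils.escapeHtml of slide 13 do this job.

```java
import java.util.Objects;

// Minimal contextual HTML escaper, added to illustrate slide 6 (not from the Xebia deck).
public final class HtmlEscaper {

    private HtmlEscaper() {
    }

    // Escapes the five characters that can change markup structure. The result is
    // safe for HTML text content and for double-quoted attribute values.
    public static String escapeHtml(String input) {
        Objects.requireNonNull(input, "input");
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    // What <c:out value="${person.lastName}"/> produces: user data rendered as text.
    public static String greetingEscaped(String lastName) {
        return "<h2>Welcome " + escapeHtml(lastName) + "</h2>";
    }

    // What a bare ${person.lastName} produces: user data spliced into the markup.
    public static String greetingUnescaped(String lastName) {
        return "<h2>Welcome " + lastName + "</h2>";
    }

    // Attribute context: without escaping, the '"' in the sample closes the value
    // attribute and the rest of the input becomes new markup.
    public static String inputFieldEscaped(String lastName) {
        return "<input name=\"lastName\" value=\"" + escapeHtml(lastName) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed input, taken from the slide 4 sample.
        String lastName = "Cyrille \"><script ... />";
        System.out.println(greetingUnescaped(lastName)); // the <script> tag is live markup
        System.out.println(greetingEscaped(lastName));   // the same text, now inert
        System.out.println(inputFieldEscaped(lastName)); // the '"' can no longer close the attribute
    }
}
```

The escaper is context-specific: it is correct for HTML text and quoted attributes, but not for data written into a JavaScript string or a URL, which need the escapeJavaScript and URLEncoder calls of slide 13 instead.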
  • 7. Cross Site Scripting (XSS) - How to prevent it ?
    - Use HTTP Only cookies
      - Cookies not accessible via javascript
      - Introduced with Servlet 3.0 (also available as a web.xml configuration for JSESSIONID)
          cookie.setHttpOnly(true);
      - Since Tomcat 6.0.20 for session cookies
          <Context useHttpOnly="true">
            ...
          </Context>
      - Manual workaround
          response.setHeader("set-cookie", "foo=" + bar + "; HttpOnly");
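The manual workaround concatenates the cookie value into a header line, which is only safe when the value cannot carry a ";" or a line break. The following added example (not from the deck) validates the cookie name and value against the RFC 6265 cookie grammar before building the Set-Cookie line; HttpOnlyCookieHeader and its methods are hypothetical names chosen for the example.

```java
import java.util.regex.Pattern;

// Safe version of the slide 7 "manual workaround" (added example, not from the deck).
public final class HttpOnlyCookieHeader {

    // cookie-name is an HTTP token: no separators, no control characters.
    private static final Pattern COOKIE_NAME =
            Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");

    // cookie-octet (RFC 6265 section 4.1.1): printable US-ASCII minus space, '"', ',', ';' and '\'.
    private static final Pattern COOKIE_VALUE =
            Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    private HttpOnlyCookieHeader() {
    }

    // Builds "name=value; HttpOnly[; Secure]" and refuses any name or value that
    // could terminate the cookie, add attributes, or break the header line.
    public static String build(String name, String value, boolean secure) {
        if (name == null || !COOKIE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        if (value == null || !COOKIE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid cookie value");
        }
        StringBuilder header = new StringBuilder(name).append('=').append(value).append("; HttpOnly");
        if (secure) {
            header.append("; Secure");
        }
        return header.toString();
    }

    // True when build() would accept the pair; for callers that prefer to log and
    // reject rather than catch the exception.
    public static boolean isAcceptable(String name, String value) {
        return name != null && value != null
                && COOKIE_NAME.matcher(name).matches()
                && COOKIE_VALUE.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed values: a plain one and one that tries to smuggle attributes in.
        System.out.println(build("foo", "a1b2c3", true));
        System.out.println(isAcceptable("foo", "a1b2c3; Path=/"));
        // Usage in a servlet (servlet API not part of this example):
        // response.setHeader("Set-Cookie", HttpOnlyCookieHeader.build("foo", bar, request.isSecure()));
    }
}
```

On Servlet 3.0 containers the Cookie.setHttpOnly(true) call above is still the better choice; the builder is for the older containers the slide's workaround targets.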
  • 8. Cross Site Scripting (XSS) - How to prevent it ?
    - Do not use blacklist validation but whitelist validation
      - Forbidden : <script>, <img>
      - Prefer wiki/forum white list style: [img], [url], [strong]
  • 9. Injection Flaws www.xebia.fr / blog.xebia.fr
  • 10. Injection Flaws
    What ?
      - Malicious data provided by a user to read or modify sensitive data
      - Types of injection : SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more
    Goal ?
      - Create, modify, delete, read data
    Sample
      lastName: Cyrille "; INSERT INTO MONEY_TRANSFER ...
  • 11. Injection Flaws - How to prevent it ?
    - Input validation
      - XSD with regular expression, min and max values, etc
      - JSR 303 Bean Validation
  • 12. Injection Flaws - How to prevent it ?
    - Use strongly typed parameterized query API
      - JDBC
          preparedStatement.setString(1, lastName);
      - JPA
          query.setParameter("lastName", lastName);
      - HTTP
          GetMethod getMethod = new GetMethod("/findPerson");
          getMethod.setQueryString(new NameValuePair[] { new NameValuePair("lastName", lastName) });
      - XML
          Element lastNameElt = doc.createElement("lastName");
          lastNameElt.appendChild(doc.createTextNode(lastName));
      - XPath :-(
  • 13. Injection Flaws - How to prevent it ?
    - Caution ! If not, use escaping libraries very cautiously !!!
      - HTML
          "<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";
      - Javascript
          "lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";
      - HTTP
          "/findPerson?" + URLEncoder.encode(lastName, "UTF-8");
      - XML
          "<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";
    - Don't use simple escaping functions !
          StringUtils.replaceChars(lastName, "'", "''");
  • 14. Injection Flaws - How to prevent it ?
    - Don't use dynamic queries at all !
      Dynamic query (don't):
          if (StringUtils.isNotEmpty(lastName)) {
            jpaQl += " lastName like '" + lastName + "'";
          }
      JPA 2 Criteria API:
          if (StringUtils.isNotEmpty(lastName)) {
            criteria.add(Restrictions.like("lastName", lastName));
          }
      JPA 1 Query API:
          Map<String, Object> parameters = new HashMap<String, Object>();
          if (StringUtils.isNotEmpty(lastName)) {
            jpaQl += " lastName like :lastName ";
            parameters.put("lastName", lastName);
          }
          Query query = entityManager.createQuery(jpaQl);
          for (Entry<String, Object> parameter : parameters.entrySet()) {
            query.setParameter(parameter.getKey(), parameter.getValue());
          }
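Added example, not from the deck: the slide 14 collect-then-bind pattern generalised into a small JDBC builder, so that only java.sql is needed to compile it. It goes slightly beyond the slide in two ways: the value becomes a prefix LIKE match, and the "%" and "_" wildcards inside bound values are neutralised, which is the point slide 21 raises with "reject wildcards". The table and column names and the class PersonQueryBuilder are assumptions of the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Collect-then-bind query builder for JDBC (added example, not from the deck).
public final class PersonQueryBuilder {

    private static final char LIKE_ESCAPE = '!';

    private final StringBuilder sql =
            new StringBuilder("SELECT id, last_name, email FROM person WHERE 1 = 1");
    private final List<Object> parameters = new ArrayList<Object>();

    // Optional filter: appended only when supplied, and only as a '?' placeholder.
    public PersonQueryBuilder lastNameLike(String lastName) {
        if (lastName != null && !lastName.isEmpty()) {
            sql.append(" AND last_name LIKE ? ESCAPE '").append(LIKE_ESCAPE).append('\'');
            parameters.add(escapeLikeWildcards(lastName) + "%");
        }
        return this;
    }

    public PersonQueryBuilder emailEquals(String email) {
        if (email != null && !email.isEmpty()) {
            sql.append(" AND email = ?");
            parameters.add(email);
        }
        return this;
    }

    // '%' and '_' are LIKE wildcards, so even a bound value must have them escaped;
    // '!' is declared as the escape character in the SQL text above.
    static String escapeLikeWildcards(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '%' || c == '_' || c == LIKE_ESCAPE) {
                out.append(LIKE_ESCAPE);
            }
            out.append(c);
        }
        return out.toString();
    }

    public String sql() {
        return sql.toString();
    }

    public List<Object> parameters() {
        return Collections.unmodifiableList(parameters);
    }

    // Every collected value goes through setObject, so the driver transmits it as
    // data; the SQL text never contains anything the user typed.
    public PreparedStatement prepare(Connection connection) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(sql.toString());
        for (int i = 0; i < parameters.size(); i++) {
            statement.setObject(i + 1, parameters.get(i));
        }
        return statement;
    }

    public static void main(String[] args) {
        // Constructed input: the slide 10 sample used as the lastName filter.
        PersonQueryBuilder query = new PersonQueryBuilder()
                .lastNameLike("Cyrille \"; INSERT INTO MONEY_TRANSFER ...")
                .emailEquals("cyrille@example.com");
        System.out.println(query.sql());        // placeholders only
        System.out.println(query.parameters()); // the sample stays an ordinary parameter value
    }
}
```

The same shape carries over to JPA: replace the "?" placeholders by named parameters and prepare() by the entityManager.createQuery / setParameter loop shown on the slide.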
  • 15. Injection Flaws - How to prevent it ?
    - Enforce least privileges
      - Don't be root
      - Limit database access to Data Manipulation Language
      - Limit file system access
      - Use firewalls on traffic entering from / going to the Internet
  • 16. Malicious File Execution www.xebia.fr / blog.xebia.fr
  • 17. Malicious File Execution
    What ?
      - Malicious file or file path provided by users to access files
    Goal ?
      - Read or modify sensitive data
      - Remotely execute files (rootkits, etc)
    Sample
      pictureName: ../../WEB-INF/web.xml
  • 18. Malicious File Execution - How to prevent it ?
    - Don't build file paths from user provided data
          String picturesFolder = servletContext.getRealPath("/pictures");
          String pictureName = request.getParameter("pictureName");
          File picture = new File(picturesFolder + "/" + pictureName);
    - Don't execute commands with user provided data
          Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));
    - Use an indirection identifier for users
    - Use firewalls to prevent servers from connecting to outside sites
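Added example (not from the deck) showing the safe counterpart to the first snippet: the picture name is whitelisted, resolved under the pictures folder and then checked to still be inside it. PictureResolver, its regular expression and the folder path are assumptions of the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Safe counterpart to the slide 18 "don't build file paths from user data" snippet
// (added example, not from the deck).
public final class PictureResolver {

    // Whitelist: a simple base name plus an allowed image extension. No separators and
    // no dots other than the extension's, so "../" cannot get in at all.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9_-]{0,63}\\.(png|jpg|jpeg|gif)");

    private final Path picturesFolder;

    // picturesFolder is what servletContext.getRealPath("/pictures") returns.
    public PictureResolver(String picturesFolder) {
        this.picturesFolder = Paths.get(picturesFolder).toAbsolutePath().normalize();
    }

    // Returns the file the request may read, or throws for anything else.
    public Path resolve(String pictureName) {
        if (pictureName == null || !SAFE_NAME.matcher(pictureName).matches()) {
            throw new IllegalArgumentException("rejected picture name");
        }
        Path candidate = picturesFolder.resolve(pictureName).normalize();
        // Defence in depth: should the whitelist ever be relaxed, the result must still
        // lie under the pictures folder (a component-wise check, not a string prefix).
        if (!candidate.startsWith(picturesFolder)) {
            throw new IllegalArgumentException("path escapes the pictures folder");
        }
        return candidate;
    }

    public boolean accepts(String pictureName) {
        try {
            resolve(pictureName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed folder; nothing is read from disk in this example.
        PictureResolver resolver = new PictureResolver("/var/webapp/pictures");
        System.out.println(resolver.accepts("cat.png"));                // accepted
        System.out.println(resolver.accepts("../../WEB-INF/web.xml"));  // slide 17 sample: rejected
        System.out.println(resolver.accepts("cat.png/../../web.xml"));  // rejected as well
        System.out.println(resolver.resolve("cat.png"));
    }
}
```

When the folder exists at construction time, Path.toRealPath() is the stricter choice for the base folder because it also resolves symbolic links; normalize() alone works on the path text only.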
  • 19. Insecure Direct Object Reference www.xebia.fr / blog.xebia.fr
  • 20. Insecure Direct Object Reference
    What ?
      - Transmit user forgeable identifiers without controlling them server side
    Goal ?
      - Create, modify, delete, read other users' data
    Sample
          <html><body>
            <form name="shoppingCart">
              <input name="id" type="hidden" value="32" />
              ...
            </form>
          </body></html>

          ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));
  • 21. Insecure Direct Object Reference - How to prevent it ?
    - Input identifier validation
      - reject wildcards ("10%20")
    - Add server side identifiers
          Criteria criteria = session.createCriteria(ShoppingCart.class);
          criteria.add(Restrictions.like("id", request.getParameter("id")));
          criteria.add(Restrictions.like("clientId", request.getRemoteUser()));
          ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();
    - Control access permissions
      - See Spring Security
  • 22. Insecure Direct Object Reference - How to prevent it ?
    - Use server side indirection with generated random identifiers
          String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());

          <html><body>
            <form name="shoppingCart">
              <input name="id" type="hidden" value="${indirectId}" />
              ...
            </form>
          </body></html>

          String indirectId = request.getParameter("id");
          String id = accessReferenceMap.getDirectReference(indirectId);
          ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);
    - See org.owasp.esapi.AccessReferenceMap
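Added example, written for this page rather than taken from ESAPI: a per-session reference map built on SecureRandom that provides the two calls used above. The class name RandomAccessReferenceMap is an assumption; org.owasp.esapi.AccessReferenceMap is the real interface the slide points to.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Per-session indirection map modelled on the idea behind
// org.owasp.esapi.AccessReferenceMap (added example; not ESAPI's code).
public final class RandomAccessReferenceMap {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int TOKEN_BYTES = 16;

    private final Map<String, Object> indirectToDirect = new HashMap<String, Object>();
    private final Map<Object, String> directToIndirect = new HashMap<Object, String>();

    // Hands out an opaque token for a direct reference (e.g. a database id). The same
    // direct reference always maps to the same token within one map, i.e. one session.
    public synchronized String getIndirectReference(Object directReference) {
        if (directReference == null) {
            throw new IllegalArgumentException("direct reference is required");
        }
        String indirect = directToIndirect.get(directReference);
        if (indirect == null) {
            do {
                indirect = newToken();
            } while (indirectToDirect.containsKey(indirect));
            indirectToDirect.put(indirect, directReference);
            directToIndirect.put(directReference, indirect);
        }
        return indirect;
    }

    // Translates a token back. Anything this map did not issue (a guessed or tampered
    // value) is refused, so the caller never reaches entityManager.find() with it.
    public synchronized Object getDirectReference(String indirectReference) {
        Object direct = indirectReference == null ? null : indirectToDirect.get(indirectReference);
        if (direct == null) {
            throw new IllegalArgumentException("unknown indirect reference");
        }
        return direct;
    }

    // 128 random bits, hex encoded: unguessable and safe to embed in HTML.
    private static String newToken() {
        byte[] bytes = new byte[TOKEN_BYTES];
        RANDOM.nextBytes(bytes);
        StringBuilder hex = new StringBuilder(TOKEN_BYTES * 2);
        for (byte b : bytes) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) {
        // One map per user session (store it as a session attribute); constructed ids here.
        RandomAccessReferenceMap map = new RandomAccessReferenceMap();
        String indirectId = map.getIndirectReference(Long.valueOf(32L));
        System.out.println("hidden field value: " + indirectId);
        System.out.println("resolved back to: " + map.getDirectReference(indirectId));
        try {
            map.getDirectReference("32"); // the raw id of the slide 20 form is no longer usable
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the map lives in the session, a token issued to one user means nothing in another user's session, which is what removes the "other users' data" goal of slide 20.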
  • 23. Cross Site Request Forgery (CSRF) www.xebia.fr / blog.xebia.fr
  • 24. Cross Site Request Forgery (CSRF)
    What ?
      - Assume that the user is logged in to another web site and make the browser send it a malicious request
      - Ajax web sites are very exposed !
    Goal ?
      - Perform operations without asking the user
    Sample
          http://mybank.com/transfer.do?amount=100000&recipientAccount=12345
  • 25. Cross Site Request Forgery (CSRF) - How to prevent it ?
    - Ensure that no XSS vulnerability exists in your application
    - Use a random token in sensitive forms
          <form action="/transfer.do">
            <input name="token" type="hidden" value="14689423257893257" />
            <input name="amount" />
            ...
          </form>
    - Spring Web Flow and Struts 2 provide such random token mechanisms
    - Re-authenticate user for sensitive operations
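Added example (not from the deck, and not Spring Web Flow or Struts 2 code) of the random token mechanism: the token is generated with SecureRandom, kept server side in the session, written into the hidden field, and compared in constant time when the form comes back. CsrfToken and the Map that stands in for HttpSession attributes are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Random form token of slide 25 (added example, not from the deck). The Map stands
// in for HttpSession attributes so that the class compiles with the JDK alone.
public final class CsrfToken {

    static final String SESSION_KEY = "csrf.token";
    private static final SecureRandom RANDOM = new SecureRandom();

    private CsrfToken() {
    }

    // Called when a sensitive form is rendered. One token per session is enough;
    // it is written into the hidden "token" field.
    public static String issue(Map<String, Object> session) {
        String token = (String) session.get(SESSION_KEY);
        if (token == null) {
            byte[] bytes = new byte[32];
            RANDOM.nextBytes(bytes);
            token = toHex(bytes);
            session.put(SESSION_KEY, token);
        }
        return token;
    }

    // Called before the state-changing operation runs. No token in the session means the
    // form was never served to this user; the comparison itself is constant-time.
    public static boolean isValid(Map<String, Object> session, String submitted) {
        String expected = (String) session.get(SESSION_KEY);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                submitted.getBytes(StandardCharsets.US_ASCII));
    }

    // Renders the slide 25 form with the session's token.
    public static String transferForm(Map<String, Object> session) {
        return "<form action=\"/transfer.do\" method=\"post\">\n"
                + "  <input name=\"token\" type=\"hidden\" value=\"" + issue(session) + "\" />\n"
                + "  <input name=\"amount\" />\n"
                + "</form>";
    }

    private static String toHex(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<String, Object>(); // constructed session
        System.out.println(transferForm(session));
        String genuine = (String) session.get(SESSION_KEY);
        System.out.println("genuine submission accepted: " + isValid(session, genuine));
        System.out.println("request without token accepted: " + isValid(session, null));
        System.out.println("request with guessed token accepted: " + isValid(session, "14689423257893257"));
    }
}
```

The check belongs on the server side handler of every state-changing request (POST, not a GET like the slide 24 sample URL), and the first bullet still applies: an XSS flaw lets a script read the hidden field, so the token protects nothing on a page that is itself injectable.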
  • 26. Information Leakage and Improper Exception Handling www.xebia.fr / blog.xebia.fr
  • 27. Information Leakage and Improper Exception Handling
    What ?
      - Sensitive code details given to hackers
      - Usually done raising exceptions
    Goal ?
      - Discover code details to discover vulnerabilities
  • 28. Information Leakage and Improper Exception Handling - Sample
  • 29. Information Leakage and Improper Exception Handling - How to prevent it ?
    - Avoid detailed error messages
      - Beware of development mode messages !
      - web.xml
          <web-app>
            <error-page>
              <exception-type>java.lang.Throwable</exception-type>
              <location>/empty-error-page.jsp</location>
            </error-page>
            ...
          </web-app>
      - Tomcat
          <Server ...>
            <Service ...>
              <Engine ...>
                <Host errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve" ...>
                  ...
                </Host>
              </Engine>
            </Service>
          </Server>
  • 30. Information Leakage and Improper Exception Handling - How to prevent it ?
    - Don't display stack traces in Soap Faults
    - Sanitize GUI error messages
      - Sample : "Invalid login or password"
  • 31. Broken Authentication and Session Management www.xebia.fr / blog.xebia.fr
  • 32. Broken Authentication and Session Management
    What ?
      - Web authentication and session handling have many tricks
    Goal ?
      - Hijack user session
  • 33. Broken Authentication and Session Management - How to prevent it ?
    - Log session initiation and sensitive data access
      - Remote IP, time, login, sensitive data & operation accessed
      - Use a dedicated log4j output file that is never overwritten
          #Audit
          log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
          log4j.appender.audit.datePattern='-'yyyyMMdd
          log4j.appender.audit.file=audit.log
          log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
          log4j.appender.audit.layout.conversionPattern=%m %throwable{short}%n
          log4j.logger.com.mycompany.audit.Audit=INFO, audit
          log4j.additivity.com.mycompany.audit.Audit=false
    - Use out of the box session and authentication mechanisms
      - Don't create your own cookies
      - Look at Spring Security
  • 34. Broken Authentication and Session Management - How to prevent it ?
    - Use SSL and a random token for authentication pages
      - including login page display
    - Regenerate a new session on successful authentication
    - Use Http Only session cookies, don't use URL rewriting based session handling
    - Prevent brute force attacks using timeouts or locking the password on authentication failures
    - Don't store clear text passwords, consider SSHA
  • 35. Broken Authentication and Session Management - How to prevent it ?
    - Use a timeout period
    - Remember Me cookies must be invalidated on password change (see Spring Security)
    - Beware not to write passwords in log files
    - Server generated passwords (lost password, etc) must be valid only once
    - Be able to distinguish SSL communications
  • 36. Broken Authentication and Session Management - How to prevent it ?
    - For server to server communication, use remote IP control in addition to password validation
  • 37. Insecure Cryptographic Storage www.xebia.fr / blog.xebia.fr
  • 38. Insecure Cryptographic Storage
    What ?
      - Cryptography has many traps
    Goal ?
      - Steal sensitive data
  • 39. Insecure Cryptographic Storage - How to prevent it ?
    - Don't invent custom cryptography solutions
      - Java offers approved algorithms for hashing, symmetric key and public key encryption
      - Double hashing is a custom weak algorithm
    - Don't use weak algorithms
      - MD5 / SHA1, etc are weak. Prefer SHA-256
    - Beware of private key storage
      - Java doesn't offer chroot mechanisms to limit private key file access to root
      - Storing secrets on servers requires expertise
  • 40. Insecure Communications www.xebia.fr / blog.xebia.fr
  • 41. Insecure Communications
    What ?
      - Insecure communications are easy to hack
    Goal ?
      - Steal sensitive data, hijack user session
  • 42. Insecure Communications - How to prevent it ?
    - Use SSL with the Servlet API
          request.isSecure()

          <web-app ...>
            ...
            <security-constraint>
              <web-resource-collection>
                <web-resource-name>restricted web services</web-resource-name>
                <url-pattern>/services/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
            </security-constraint>
            ...
          </web-app>
  • 43. Insecure Communications - How to prevent it ?
    - Use SSL with Spring Security
          <beans ...>
            <sec:http auto-config="true">
              <sec:intercept-url pattern="/services/**" requires-channel="https" access="IS_AUTHENTICATED_FULLY" />
            </sec:http>
          </beans>