REST Security with JAX-RS
JavaOne 2013

About
• Frank Kim
  – SANS Institute
• Curriculum Lead, Application Security
• Author, Secure Coding in Java
Outline
• Authentication
• Encryption
• Validation
• Wrap Up
Authentication
• Process of verifying an identity
• Can be based on three factors
  – Something you know
  – Something you have
  – Something you are
Java EE Authentication
• Configuration in web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Example</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>

  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginerror.jsp</form-error-page>
  </form-login-config>
</login-config>
JAX-RS SecurityContext
• getAuthenticationScheme()
  – Returns String authentication scheme used to protect the resource
  – BASIC, FORM, CLIENT_CERT
• getUserPrincipal()
  – Returns Principal object containing the username
• isUserInRole(String role)
  – Returns a boolean indicating if the user has the specified logical role
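As an added example (not code from the deck), a JAX-RS 2.0 resource that uses the injected SecurityContext for the three calls listed above. The class name, the /photos path and the use of the logical roles user and admin from the web.xml slide are assumptions; a hand-built SecurityContext in main() exercises the access decision without a container, so the only dependency is the javax.ws.rs API jar on the classpath.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Assumed resource class, modelled on the Sparklr /photos API shown later in the deck.
@Path("/photos")
public class PhotoResource {

    // The JAX-RS container injects the SecurityContext of the current request.
    @Context
    private SecurityContext securityContext;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response listPhotos() {
        int status = decide(securityContext);
        if (status != 200) {
            return Response.status(status).build();
        }
        Principal caller = securityContext.getUserPrincipal();
        // Constructed body; a real resource would return the caller's photos.
        return Response.ok("{\"owner\":\"" + caller.getName() + "\",\"scheme\":\""
                + securityContext.getAuthenticationScheme() + "\"}").build();
    }

    // Access decision kept free of Response objects so it runs without a JAX-RS
    // runtime: 401 if nobody is logged in, 403 if the caller has neither of the
    // logical roles declared in web.xml, 200 otherwise.
    static int decide(SecurityContext ctx) {
        if (ctx.getUserPrincipal() == null) {
            return 401;
        }
        if (!ctx.isUserInRole("user") && !ctx.isUserInRole("admin")) {
            return 403;
        }
        return 200;
    }

    // Hand-built SecurityContext standing in for the container's, for offline checks.
    static SecurityContext fakeContext(final String user, final Set<String> roles) {
        return new SecurityContext() {
            public Principal getUserPrincipal() {
                if (user == null) {
                    return null;
                }
                return new Principal() {
                    public String getName() { return user; }
                };
            }
            public boolean isUserInRole(String role) { return roles.contains(role); }
            public boolean isSecure() { return true; }
            public String getAuthenticationScheme() { return SecurityContext.FORM_AUTH; }
        };
    }

    public static void main(String[] args) {
        Set<String> none = Collections.emptySet();
        System.out.println("anonymous:  " + decide(fakeContext(null, none)));
        System.out.println("guest role: " + decide(fakeContext("alice", Collections.singleton("guest"))));
        System.out.println("user role:  " + decide(fakeContext("alice", Collections.singleton("user"))));
    }
}
```

The split between listPhotos() and decide() is deliberate: the role check is the part worth unit-testing, and keeping it free of Response objects means it can be tested without a JAX-RS implementation such as Jersey on the classpath. The principal check comes first because isUserInRole() is only meaningful once container-managed login has established who the caller is.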
  
 
	
  
Photo Sharing Site Demo
Photo Sharing Site API

http://www.sparklr.com:8080/sparklr2/photos?&format=json

{ "photos" : [
    { "id":"1" , "name":"photo1.jpg" } ,
    { "id":"3" , "name":"photo3.jpg" } ,
    { "id":"5" , "name":"photo5.jpg" } ]
}
Issues
• Userid/password authentication is fine
  – If the API is used only by your site
• But what if your API needs to be used by
  – Other web apps
  – Mobile apps
  – Native apps
• Do you want these apps to
  – Have your password?
  – Have full access to your account?
OAuth
• Way to authenticate a service
  – Valet key metaphor coined by Eran Hammer-Lahav
• Authorization token with limited rights
  – You agree which rights are granted
  – You can revoke rights at any time
  – Can gracefully upgrade rights if needed
OAuth Roles
• User
  – Person using the app
  – Also known as the "resource owner"
• Client
  – Photo printing service called Tonr
• Server
  – Photo sharing service called Sparklr
  – Also known as the "resource server"
Simplified OAuth Flow
(User; Client = photo printing service called Tonr; Server = photo sharing service called Sparklr)
1) You log in to Tonr
2) Tonr needs pictures to print and redirects you to Sparklr's log in page
3) You log in to Sparklr directly
4) Sparklr returns an OAuth "access token"
5) Tonr stores the "access token" with your account
6) You are happy printing and viewing your pictures
 
	
  
Photo Printing Site Demo
Detailed OAuth Flow
1) Via browser: Tonr starts OAuth process
  – Once you click the "Authorize" button

http://www.sparklr.com:8080/sparklr2/oauth/authorize?client_id=tonr&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T
Detailed OAuth Flow
2) Via browser: Sparklr redirects back to Tonr

http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T
Detailed OAuth Flow
3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password

Request:
POST /sparklr2/oauth/token HTTP/1.1
Authorization: Basic dG9ucjpzZWNyZXQ=

grant_type=authorization_code&code=cOuBX6&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos

Response:
{"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb",
 "token_type":"bearer","expires_in":"42528",
 "scope":"read write"}
Detailed OAuth Flow
4) Via "Client": Tonr gets pictures from Sparklr

All requests include:
Authorization: Bearer 5881ce86-3ed0-4427-8a6b-42aef1068dfb
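The four steps above, assembled on the Client (Tonr) side as an added example; this is not the deck's demo code nor Spring Security OAuth. It uses only the JDK and builds the messages rather than sending them, so it runs offline. The endpoints, client id, redirect URI, code, state and token values are the ones on the slides; the client password "secret" is what the slide's Basic header dG9ucjpzZWNyZXQ= decodes to (tonr:secret) and is treated as an assumption about the demo.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Assumed client registration and endpoints, taken from the Tonr/Sparklr demo slides.
public class OAuthCodeFlowClient {
    static final String AUTHORIZE_ENDPOINT = "http://www.sparklr.com:8080/sparklr2/oauth/authorize";
    static final String TOKEN_PATH = "/sparklr2/oauth/token";
    static final String REDIRECT_URI = "http://www.tonr.com:8080/tonr2/sparklr/photos";
    static final String CLIENT_ID = "tonr";
    static final String CLIENT_SECRET = "secret";   // assumption: decoded from the slide's Basic header

    static String enc(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    // Step 1: URL the browser is sent to when the user clicks "Authorize".
    // URLEncoder writes the space in "read write" as "+", which the server decodes back.
    static String authorizeUrl(String scope, String state) {
        return AUTHORIZE_ENDPOINT + "?client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&response_type=code&scope=" + enc(scope) + "&state=" + enc(state);
    }

    // Step 2: parse the query string of the redirect back to the client.
    static Map<String, String> parseQuery(String query) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            params.put(URLDecoder.decode(pair.substring(0, eq), "UTF-8"),
                       URLDecoder.decode(pair.substring(eq + 1), "UTF-8"));
        }
        return params;
    }

    // Step 3: back-channel token request, authenticated with the client id/password.
    static String basicAuthHeader() {
        String creds = CLIENT_ID + ":" + CLIENT_SECRET;
        return "Basic " + Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8));
    }

    static String tokenRequest(String code) {
        return "POST " + TOKEN_PATH + " HTTP/1.1\r\n"
                + "Authorization: " + basicAuthHeader() + "\r\n"
                + "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                + "grant_type=authorization_code&code=" + enc(code)
                + "&redirect_uri=" + enc(REDIRECT_URI);
    }

    // Pull access_token out of the flat JSON object Sparklr returns
    // (a real client would use a JSON parser here).
    static String extractAccessToken(String json) {
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) {
            throw new IllegalArgumentException("no access_token in token response");
        }
        return m.group(1);
    }

    // Step 4: every API call carries the bearer token.
    static String bearerHeader(String accessToken) {
        return "Authorization: Bearer " + accessToken;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(authorizeUrl("read write", "92G53T"));
        Map<String, String> callback = parseQuery("code=cOuBX6&state=92G53T");
        System.out.println(tokenRequest(callback.get("code")));
        // Constructed copy of the token response shown on the slide.
        String response = "{\"access_token\":\"5881ce86-3ed0-4427-8a6b-42aef1068dfb\","
                + "\"token_type\":\"bearer\",\"expires_in\":\"42528\",\"scope\":\"read write\"}";
        System.out.println(bearerHeader(extractAccessToken(response)));
    }
}
```

Two things the message shapes make visible: the authorization code travels through the user's browser (step 2) while the client password never does (it only appears in the step 3 back-channel request), and the redirect_uri is repeated in step 3 so the Server can confirm the code is being redeemed by the same redirect target it was issued for. The state parameter that comes back in step 2 must be checked against the session before the code is exchanged; that check is the subject of the CSRF Protection slide later in the deck.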
  
When to Use OAuth
• Use OAuth for consuming APIs from
  – Third-party web apps
  – Mobile apps
  – Native apps
• Don't need to use OAuth
  – If API is only consumed by the user within the same web app
  – If APIs are only consumed server to server
Benefits
• No passwords shared between web apps
• No passwords stored on mobile devices
• Limits impact of security incidents
  – If you lose your mobile device
    • You revoke the access Sparklr gave to the Tonr mobile app
  – If Tonr gets hacked
    • Sparklr revokes OAuth access
  – If Sparklr gets hacked
    • You change your Sparklr password
    • Revoke access from Tonr to generate a new access token
OAuth Versions

Version  Comments
1.0      - Has a security flaw related to session fixation
         - Don't use it
1.0a     - Stable and well understood
         - Uses a signature to exchange credentials and signs every request
         - Signatures are more of a pain than it seems
2.0      - Spec is final with good support
OAuth 2.0 Authorization Grant Types

Grant Type                              Description
1) Authorization Code                   - Optimized for confidential clients
                                        - Uses an authorization code from the Server
                                        - User doesn't see the access token
2) Implicit Grant                       - Optimized for script heavy web apps
                                        - Does not use an authorization code from the Server
                                        - User can see the access token
3) Resource Owner Password Credentials  - Use in cases where the User trusts the Client
                                        - Exposes User credentials to the Client
4) Client Credentials                   - Client gets an access token based on Client credentials only
OAuth 2.0 Access Token Types
• Bearer
  – Large random token
  – Need SSL to protect it in transit
  – Server needs to store it securely hashed like a user password
• Mac
  – Uses a nonce to prevent replay
  – Does not require SSL
  – OAuth 1.0 only supported a mac type token
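The two Bearer points that fall on the Server (large random token, stored hashed) as an added example; this is a hypothetical token store, not code from the deck or from any OAuth library. The class and method names are assumptions, and the map stands in for whatever database an authorization server like Sparklr would use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical bearer token store for an authorization server such as Sparklr.
public class BearerTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    // Only SHA-256(token) is persisted, keyed to the client it was issued to.
    private final Map<String, String> issued = new ConcurrentHashMap<>();

    // Mint a large random token: 32 bytes gives 256 bits of entropy.
    public String issue(String clientId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        issued.put(hash(token), clientId);
        return token;   // handed to the client once, never written to storage in clear
    }

    // Resource-server check: which client (if any) does this presented token belong to?
    public String clientFor(String presentedToken) {
        return presentedToken == null ? null : issued.get(hash(presentedToken));
    }

    // Revocation removes the hash, so a leaked token stops working immediately.
    public void revoke(String token) {
        issued.remove(hash(token));
    }

    // Extracts the token from "Bearer <token>"; null for any other scheme.
    public static String tokenFromHeader(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null;
        }
        return authorization.substring(7).trim();
    }

    static String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        BearerTokenStore store = new BearerTokenStore();
        String token = store.issue("tonr");
        // The header form the deck shows on every API request.
        String presented = tokenFromHeader("Bearer " + token);
        System.out.println("owner:        " + store.clientFor(presented));
        System.out.println("wrong token:  " + store.clientFor("not-the-token"));
        store.revoke(token);
        System.out.println("after revoke: " + store.clientFor(presented));
    }
}
```

Storing only the hash means a copy of the token table cannot be replayed against the API, which is the same reason passwords are stored hashed. One difference from password storage: a 256-bit random token does not need a deliberately slow hash such as bcrypt, because the slowness of those algorithms exists to compensate for low-entropy human-chosen secrets; a plain SHA-256 of a token this large is already infeasible to reverse by guessing.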
  
Outline
• Authentication
• Encryption
• Validation
• Wrap Up
Session Hijacking
(Diagram: Victim and Attacker on a public WiFi network, mybank.com reached across the Internet)
1) Victim goes to mybank.com via HTTP
2) Attacker sniffs the public wifi network and steals the JSESSIONID
3) Attacker uses the stolen JSESSIONID to access the victim's session
Enable SSL in web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Example</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>

  ...

  <user-data-constraint>
    <transport-guarantee>
      CONFIDENTIAL
    </transport-guarantee>
  </user-data-constraint>
</security-constraint>
JAX-RS SecurityContext
• isSecure()
  – Returns a boolean indicating whether the request was made via HTTPS
Secure Flag
• Ensures that the Cookie is only sent via SSL
• Configure in web.xml as of Servlet 3.0

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

• Programmatically

Cookie cookie = new Cookie("mycookie", "test");
cookie.setSecure(true);
Strict-Transport-Security
• Tells browser to only talk to the server via HTTPS
  – The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
  – Subsequent requests to HTTP automatically use HTTPS
• Supported browsers
  – Implemented in Firefox and Chrome
  – Defined in RFC 6797

Strict-Transport-Security: max-age=seconds [; includeSubdomains]
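The three Encryption slides (isSecure(), the Secure flag, Strict-Transport-Security) combined into one JAX-RS 2.0 filter as an added example; this is not code from the deck. The class name, the choice to answer plain-HTTP requests with 403, the one-year max-age and the /securish-style deployment are assumptions; it needs the javax.ws.rs API on the classpath and a JAX-RS runtime to actually run as a filter.

```java
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical filter pair: refuse plain-HTTP requests, and add
// Strict-Transport-Security to every HTTPS response.
@Provider
@PreMatching
public class TransportSecurityFilter
        implements ContainerRequestFilter, ContainerResponseFilter {

    static final String HSTS_HEADER = "Strict-Transport-Security";
    static final long ONE_YEAR = 365L * 24 * 60 * 60;   // max-age in seconds (assumed policy)

    // Request side: SecurityContext.isSecure() is true only when the request came over HTTPS.
    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        if (!request.getSecurityContext().isSecure()) {
            // Refuse rather than redirect: a session cookie or token that arrived
            // over HTTP has already been exposed on the wire (the hijacking slides).
            request.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("HTTPS required").build());
        }
    }

    // Response side: browsers only honour HSTS on a response received over HTTPS,
    // so the header is set only there.
    @Override
    public void filter(ContainerRequestContext request,
                       ContainerResponseContext response) throws IOException {
        if (request.getSecurityContext().isSecure()) {
            response.getHeaders().putSingle(HSTS_HEADER, hstsValue(ONE_YEAR, true));
        }
    }

    // Builds the value from the slide: max-age=seconds [; includeSubDomains].
    static String hstsValue(long maxAgeSeconds, boolean includeSubDomains) {
        return "max-age=" + maxAgeSeconds + (includeSubDomains ? "; includeSubDomains" : "");
    }

    // JAX-RS equivalent of cookie.setSecure(true): the Secure flag keeps the cookie
    // off plain HTTP, and HttpOnly additionally keeps it away from page scripts.
    // NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly)
    static NewCookie secureCookie(String name, String value) {
        return new NewCookie(name, value, "/", null, null,
                NewCookie.DEFAULT_MAX_AGE, true, true);
    }
}
```

A resource method sets the cookie with Response.ok(body).cookie(secureCookie("mycookie", "test")).build(). The request-side check duplicates what the CONFIDENTIAL transport-guarantee in web.xml already enforces at the container; keeping it in code is useful for deployments where the web.xml constraint does not cover every URL pattern, and it is the one place the deck's isSecure() method has a job to do.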
  
Outline
• Authentication
• Encryption
• Validation
• Wrap Up
Restrict Input
• Restrict to POST
  – Use @POST annotation
• Restrict the Content-Type
  – Use @Consumes({MediaType.APPLICATION_JSON})
  – Invalid Content-Type results in HTTP 415 Unsupported Media Type
• Restrict to Ajax if applicable
  – Check X-Requested-With: XMLHttpRequest header
• Restrict response types
  – Check Accept header for valid response types
Cross-Site Request Forgery (CSRF)
(Diagram: Victim browser, mybank.com, attacker.com)
1) Victim signs on to mybank
2) Victim visits attacker.com
3) Page contains CSRF code
4) Browser sends the request to mybank

<form action=https://mybank.com/transfer.jsp
      method=POST>
  <input name=recipient value=attacker>
  <input name=amount value=1000>
</form>
<script>document.forms[0].submit()</script>

POST /transfer.jsp HTTP/1.1
Cookie: <mybank authentication cookie>

recipient=attacker&amount=1000
CSRF and OAuth 2.0
• How can an attacker use CSRF to take over your account?
  – Many sites allow logins from third-party identity providers like Facebook
  – Many identity providers use OAuth
  – Attacker can automatically associate your account with an attacker controlled Facebook account
OAuth CSRF Research
• Accounts at many sites could be taken over using OAuth CSRF
  – Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
• Research by Rich Lundeen
  – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
• Prior research by Stephen Sclafani
  – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
OAuth CSRF Attack Flow
1) Create attacker controlled Facebook account
2) Victim is signed on to provider account (i.e. Stack Exchange)
3) Lure victim into visiting an evil site with OAuth CSRF code
  – CSRF code sends OAuth authorization request
4) Attacker's Facebook account now controls victim provider account
Linking Stack Exchange with an Evil Facebook Account
(Image from http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts)
CSRF Protection
• Spec defines a "state" parameter that must be included in the redirect to the Client
  – Value must be non-guessable and tied to session

Client sends "state" to Server:
http://www.sparklr.com:8080/sparklr2/oauth/authorize?client_id=tonr&redirect_uri=http://www.eviltonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T

Server sends "state" back to Client after authorization:
http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T
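The two requirements on the slide (non-guessable, tied to the session) implemented on the Client side as an added example; this is hypothetical code, not the deck's demo or Spring Security OAuth. The class name, the session-id-keyed map (a stand-in for the HttpSession a real Client would use) and the session ids in main() are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical Client-side (Tonr) guard: one pending OAuth "state" per user session.
public class OAuthStateGuard {
    private static final SecureRandom RNG = new SecureRandom();
    // session id -> state issued for that session's in-flight authorization
    private final Map<String, String> pending = new ConcurrentHashMap<>();

    // Called just before redirecting the browser to the authorize endpoint.
    public String issue(String sessionId) {
        byte[] raw = new byte[16];   // 128 random bits: not guessable
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(sessionId, state);
        return state;
    }

    // Called when the browser comes back with ?code=...&state=...
    // True only if the presented state is the one THIS session issued, and it
    // has not been used before; the code must be discarded when this is false.
    public boolean consume(String sessionId, String presentedState) {
        String expected = pending.remove(sessionId);   // single use, whatever the outcome
        if (expected == null || presentedState == null) {
            return false;
        }
        // Constant-time comparison, so the check leaks nothing about the stored value.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presentedState.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        OAuthStateGuard guard = new OAuthStateGuard();
        String userSession = "session-A";   // constructed session ids
        String otherSession = "session-B";

        String state = guard.issue(userSession);
        // Genuine callback: state matches the session that started the flow.
        System.out.println("genuine callback:  " + guard.consume(userSession, state));
        // Same callback delivered twice: the state was consumed, so it is rejected.
        System.out.println("replayed callback: " + guard.consume(userSession, state));
        // Forged callback: the state belongs to a different session's flow,
        // which is exactly the shape of the account-linking CSRF on the previous slides.
        String foreignState = guard.issue(otherSession);
        System.out.println("foreign state:     " + guard.consume(userSession, foreignState));
        // Callback for a session that never started a flow.
        System.out.println("no pending flow:   " + guard.consume("session-C", "92G53T"));
    }
}
```

The binding to the session is what defeats the attack flow on the previous slides: a forged callback carries a state minted in the attacker's own session, and the victim's session has either no pending state or a different one. Removing the entry before comparing gives single use for free, so a callback URL cannot be replayed even if it was genuine the first time.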
  
 
	
  
OAuth CSRF Protection Demo
OWASP 1-Liner
• Deliberately vulnerable application
  – Intended for demos and training
  – Created by John Wilander @johnwilander
• More information at
  – https://www.owasp.org/index.php/OWASP_1-Liner
 
	
  
JSON CSRF Demo
Normal JSON Message

{"id":0,"nickName":"John",
 "oneLiner":"I LOVE Java!",
 "timestamp":"2013-05-27T17:04:23"}
Forged JSON Message

{"id": 0, "nickName": "John",
 "oneLiner": "I hate Java!",
 "timestamp": "20111006"}//=dummy
CSRF Attack Form

<form id="target" method="POST"
      action="https://local.1-liner.org:8444/ws/vulnerable/oneliners"
      enctype="text/plain"
      style="visibility:hidden">

  <input type="text"
         name='{"id": 0, "nickName": "John",
"oneLiner": "I hate Java!",
"timestamp": "20111006"}//'
         value="dummy" />

  <input type="submit" value="Go" />
</form>
CSRF Defense
• Must include something random in the request
  – Use an anti-CSRF token
• OWASP CSRFGuard
  – Written by Eric Sheridan @eric_sheridan
  – Can inject anti-CSRF token using
    • JSP Tag library - for manual, fine grained protection
    • JavaScript DOM manipulation - for automated protection requiring minimal effort
  – Filter that intercepts requests and validates tokens
CSRFGuard JSP Tags
• Tags for token name and value

<form name="test1" action="protect.html">
  <input type="text" name="text" value="text"/>
  <input type="submit" name="submit" value="submit"/>
  <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
</form>

• Tag for name/value pair (delimited with "=")

<a href="protect.html?<csrf:token/>">protect.html</a>

• Convenience tags for forms and links as well
  <csrf:form> and <csrf:a>

Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
CSRFGuard DOM Manipulation
• Include JavaScript in every page that needs CSRF protection

<script src="/securish/JavaScriptServlet"></script>

• JavaScript used to hook the open and send methods

XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
    // store a copy of the target URL
    this.url = url;
    this._open.apply(this, arguments);
}

XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function(data) {
    if(this.onsend != null) {
        // call custom onsend method to modify the request
        this.onsend.apply(this, arguments);
    }
    this._send.apply(this, arguments);
}
Protecting XHR Requests
• CSRFGuard sends two HTTP headers

XMLHttpRequest.prototype.onsend = function(data) {
    if(isValidUrl(this.url)) {
        this.setRequestHeader("X-Requested-With",
            "OWASP CSRFGuard Project");
        this.setRequestHeader("OWASP_CSRFTOKEN",
            "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
    }
};
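The server side of the two headers above, together with the Content-Type and X-Requested-With checks from the Restrict Input slide, as an added JAX-RS 2.0 request filter; this is hypothetical code, not CSRFGuard's own filter or anything from the deck. The class name, the JSESSIONID-keyed token map (a stand-in for the HttpSession where CSRFGuard keeps its token), the accepted X-Requested-With values and the constructed requests in main() are assumptions; the token string is the one shown on the slide.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical filter guarding JSON endpoints against the forged text/plain post.
@Provider
public class JsonCsrfFilter implements ContainerRequestFilter {

    static final String TOKEN_HEADER = "OWASP_CSRFTOKEN";
    static final String XHR_HEADER = "X-Requested-With";

    // Hypothetical per-session token store: JSESSIONID -> anti-CSRF token.
    static final Map<String, String> SESSION_TOKENS = new ConcurrentHashMap<>();

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        Cookie session = ctx.getCookies().get("JSESSIONID");
        String expected = session == null ? null : SESSION_TOKENS.get(session.getValue());
        MediaType mt = ctx.getMediaType();   // parameters such as charset are dropped below
        String contentType = mt == null ? null : mt.getType() + "/" + mt.getSubtype();
        int status = check(ctx.getMethod(), contentType,
                ctx.getHeaderString(XHR_HEADER), ctx.getHeaderString(TOKEN_HEADER), expected);
        if (status != 0) {
            ctx.abortWith(Response.status(status).build());
        }
    }

    // Returns 0 to let the request through, otherwise the HTTP status to answer with.
    static int check(String method, String contentType, String xRequestedWith,
                     String presentedToken, String sessionToken) {
        // Only state-changing requests carry a body that needs vetting.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return 0;
        }
        // 1) Content-Type: an HTML form can only send urlencoded, multipart or
        //    text/plain bodies, so requiring JSON is what @Consumes enforces (415).
        if (!MediaType.APPLICATION_JSON.equals(contentType)) {
            return 415;
        }
        // 2) Custom header: a form cannot set one, and a cross-origin XHR cannot
        //    set one without a CORS preflight the server does not approve.
        if (!"XMLHttpRequest".equals(xRequestedWith)
                && !"OWASP CSRFGuard Project".equals(xRequestedWith)) {
            return 403;
        }
        // 3) Per-session token, compared in constant time.
        if (presentedToken == null || sessionToken == null
                || !MessageDigest.isEqual(presentedToken.getBytes(StandardCharsets.UTF_8),
                                          sessionToken.getBytes(StandardCharsets.UTF_8))) {
            return 403;
        }
        return 0;
    }

    public static void main(String[] args) {
        String token = "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV";   // value from the slide
        // Constructed requests. First: the forged form post, text/plain and no custom headers.
        System.out.println("forged form:   " + check("POST", "text/plain", null, null, token));
        // XHR from the page with both CSRFGuard headers and the session's token.
        System.out.println("genuine xhr:   " + check("POST", "application/json",
                "OWASP CSRFGuard Project", token, token));
        // Right headers, wrong token (stale session or a guess).
        System.out.println("wrong token:   " + check("POST", "application/json",
                "XMLHttpRequest", "not-the-token", token));
        // A plain GET of the same resource is not a state change and passes through.
        System.out.println("plain get:     " + check("GET", null, null, null, token));
    }
}
```

The three checks are layered on purpose. The Content-Type check alone already stops the forged form, since the browser labels its body text/plain; the custom-header check stops any request that did not originate from script on an allowed origin; and the token check is what remains if a future browser or plugin lets a cross-site page send the first two, which is why CSRFGuard injects it.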
  
 
	
  
JSON CSRF Protection Demo
Outline
• Authentication
• Encryption
• Validation
• Wrap Up
Summary
• Authentication
  ✓ Can use userid/password for services consumed by your app
  ✓ Use OAuth for third-party web apps and mobile apps
• Encryption
  ✓ Use SSL
  ✓ Use Secure flag
  ✓ Use Strict-Transport-Security header
• Validation
  ✓ Restrict input
  ✓ Protect your apps against CSRF
Frank Kim
wim@sans.org
@sansappsec
References
• JAX-RS 2.0
  – http://jcp.org/en/jsr/detail?id=339
  – https://jax-rs-spec.java.net/nonav/2.0/apidocs
• OAuth 2.0 Specification
  – http://tools.ietf.org/html/rfc6749
  – http://oauth.net
• Spring Security OAuth
  – http://www.springsource.org/spring-security-oauth
• OAuth: The Big Picture
  – http://pages.apigee.com/oauth-big-picture-ebook.html
• OAuth CSRF issues
  – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
  – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
• OWASP 1-Liner
  – https://www.owasp.org/index.php/OWASP_1-Liner
• CSRFGuard
  – https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
  – http://ericsheridan.blogspot.com/2010/12/how-csrfguard-protects-ajax.html

 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and LibraryKenji Otsuka
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect ProtocolClément OUDOT
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedTaswar Bhatti
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 

Semelhante a Rest Security with JAX-RS (20)

2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Some OAuth love
Some OAuth loveSome OAuth love
Some OAuth love
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application Design
 
O auth2.0 guide
O auth2.0 guideO auth2.0 guide
O auth2.0 guide
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
OAuth 2.0 and Library
OAuth 2.0 and LibraryOAuth 2.0 and Library
OAuth 2.0 and Library
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
Devteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystifiedDevteach 2017 OAuth and Open id connect demystified
Devteach 2017 OAuth and Open id connect demystified
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 

Último

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Último (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Rest Security with JAX-RS

9. Issues
•  Userid/password authentication is fine
– If the API is used only by your site
•  But what if your API needs to be used by
– Other web apps
– Mobile apps
– Native apps
•  Do you want these apps to
– Have your password?
– Have full access to your account?
11. OAuth
•  Way to authenticate a service
– Valet key metaphor coined by Eran Hammer-Lahav
•  Authorization token with limited rights
– You agree which rights are granted
– You can revoke rights at any time
– Can gracefully upgrade rights if needed

12. OAuth Roles
•  User
– Person using the app
– Also known as the "resource owner"
•  Client
– Photo printing service called Tonr
•  Server
– Photo sharing service called Sparklr
– Also known as the "resource server"

13. Simplified OAuth Flow
(Diagram: User; Client = Tonr, the photo printing service; Server = Sparklr, the photo sharing service)
1) You log in to Tonr
2) Tonr needs pictures to print and redirects you to Sparklr's log in page
3) You log in to Sparklr directly

14. Simplified OAuth Flow
4) Sparklr returns an OAuth "access token"
5) Tonr stores the "access token" with your account
6) You are happy printing and viewing your pictures

15. Photo Printing Site Demo

16. Detailed OAuth Flow
1) Via browser: Tonr starts OAuth process
– Once you click the "Authorize" button
  http://www.sparklr.com:8080/sparklr2/oauth/authorize?
    client_id=tonr&
    redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos&
    response_type=code&
    scope=read write&
    state=92G53T
18. Detailed OAuth Flow
2) Via browser: Sparklr redirects back to Tonr
  http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T

19. Detailed OAuth Flow
3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password
Request:
  POST /sparklr2/oauth/token HTTP/1.1
  Authorization: Basic dG9ucjpzZWNyZXQ=

  grant_type=authorization_code&code=cOuBX6&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos
Response:
  {"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb",
   "token_type":"bearer","expires_in":"42528",
   "scope":"read write"}
23. Detailed OAuth Flow
4) Via "Client": Tonr gets pictures from Sparklr
All requests include:
  Authorization: Bearer 5881ce86-3ed0-4427-8a6b-42aef1068dfb

24. When to Use OAuth
•  Use OAuth for consuming APIs from
– Third-party web apps
– Mobile apps
– Native apps
•  Don't need to use OAuth
– If API is only consumed by the user within the same web app
– If APIs are only consumed server to server

25. Benefits
•  No passwords shared between web apps
•  No passwords stored on mobile devices
•  Limits impact of security incidents
– If you lose your mobile device
  •  You revoke the access Sparklr gave to the Tonr mobile app
– If Tonr gets hacked
  •  Sparklr revokes OAuth access
– If Sparklr gets hacked
  •  You change your Sparklr password
  •  Revoke access from Tonr to generate a new access token

26. OAuth Versions
•  1.0
– Has a security flaw related to session fixation
– Don't use it
•  1.0a
– Stable and well understood
– Uses a signature to exchange credentials and signs every request
– Signatures are more of a pain than it seems
•  2.0
– Spec is final with good support

27. OAuth 2.0 Authorization Grant Types
•  1) Authorization Code
– Optimized for confidential clients
– Uses an authorization code from the Server
– User doesn't see the access token
•  2) Implicit Grant
– Optimized for script heavy web apps
– Does not use an authorization code from the Server
– User can see the access token
•  3) Resource Owner Password Credentials
– Use in cases where the User trusts the Client
– Exposes User credentials to the Client
•  4) Client Credentials
– Client gets an access token based on Client credentials only

28. OAuth 2.0 Access Token Types
•  Bearer
– Large random token
– Need SSL to protect it in transit
– Server needs to store it securely hashed like a user password
•  Mac
– Uses a nonce to prevent replay
– Does not require SSL
– OAuth 1.0 only supported a mac type token
29. Outline
•  Authentication
•  Encryption
•  Validation
•  Wrap Up

30. Session Hijacking
(Diagram: Victim and Attacker on a public WiFi network, Internet, mybank.com)
1) Victim goes to mybank.com via HTTP

31. Session Hijacking
2) Attacker sniffs the public wifi network and steals the JSESSIONID

32. Session Hijacking
3) Attacker uses the stolen JSESSIONID to access the victim's session

33. Enable SSL in web.xml
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Example</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    ...

    <user-data-constraint>
      <transport-guarantee>
        CONFIDENTIAL
      </transport-guarantee>
    </user-data-constraint>
  </security-constraint>

34. JAX-RS SecurityContext
•  isSecure()
– Returns a boolean indicating whether the request was made via HTTPS

35. Secure Flag
•  Ensures that the Cookie is only sent via SSL
•  Configure in web.xml as of Servlet 3.0
  <session-config>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>
•  Programmatically
  Cookie cookie = new Cookie("mycookie", "test");
  cookie.setSecure(true);

36. Strict-Transport-Security
•  Tells browser to only talk to the server via HTTPS
– The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
– Subsequent requests to HTTP automatically use HTTPS
•  Supported browsers
– Implemented in Firefox and Chrome
– Defined in RFC 6797
  Strict-Transport-Security: max-age=seconds [; includeSubdomains]
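The three encryption controls from slides 33 to 36 can also be applied from JAX-RS itself. As an added example (not code from the talk), a JAX-RS 2.0 filter pair that redirects plain HTTP using SecurityContext.isSecure(), adds the Strict-Transport-Security header on HTTPS responses, and builds a cookie with the Secure flag; the class name, the one-year max-age and the assumption that HTTPS listens on the default port are mine.

```java
import java.io.IOException;
import java.net.URI;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.Provider;

/**
 * Added example (hypothetical class, not from the talk): enforce HTTPS, send HSTS,
 * and mint Secure cookies from a JAX-RS 2.0 application.
 */
@Provider
@PreMatching
public class TransportSecurityFilter implements ContainerRequestFilter, ContainerResponseFilter {

    // One year. Use a short max-age while rolling HTTPS out, a long one once everything works.
    static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        // isSecure() is true only when the request arrived over HTTPS (slide 34).
        if (!request.getSecurityContext().isSecure()) {
            // Send the browser to the same URL over HTTPS. The plain-HTTP request, cookie
            // included, has already crossed the network in the clear, which is why the
            // Secure flag and HSTS below are needed in addition to this redirect.
            URI https = UriBuilder.fromUri(request.getUriInfo().getRequestUri())
                    .scheme("https")
                    .port(-1)   // drop the HTTP port (e.g. 8080); assumes HTTPS on 443
                    .build();
            request.abortWith(Response.status(Response.Status.MOVED_PERMANENTLY)
                    .location(https)
                    .build());
        }
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response)
            throws IOException {
        // Browsers only honour HSTS received over HTTPS (RFC 6797), so skip it on the redirect.
        if (request.getSecurityContext().isSecure()) {
            response.getHeaders().putSingle("Strict-Transport-Security",
                    hstsHeaderValue(HSTS_MAX_AGE_SECONDS, true));
        }
    }

    /** Builds the header value shown on slide 36: max-age=seconds [; includeSubDomains]. */
    static String hstsHeaderValue(long maxAgeSeconds, boolean includeSubDomains) {
        return "max-age=" + maxAgeSeconds + (includeSubDomains ? "; includeSubDomains" : "");
    }

    /**
     * JAX-RS counterpart of cookie.setSecure(true) on slide 35: a cookie the browser will
     * only send over SSL, and that page scripts cannot read (HttpOnly).
     */
    static NewCookie secureCookie(String name, String value) {
        return new NewCookie(name, value, "/", null, NewCookie.DEFAULT_VERSION, null,
                NewCookie.DEFAULT_MAX_AGE, null, true, true);
    }
}
```

The web.xml transport-guarantee on slide 33 remains the primary control; this filter adds the HSTS header and the cookie flag that web.xml alone does not give you.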
37. Outline
•  Authentication
•  Encryption
•  Validation
•  Wrap Up

38. Restrict Input
•  Restrict to POST
– Use @POST annotation
•  Restrict the Content-Type
– Use @Consumes({MediaType.APPLICATION_JSON})
– Invalid Content-Type results in HTTP 415 Unsupported Media Type
•  Restrict to Ajax if applicable
– Check X-Requested-With: XMLHttpRequest header
•  Restrict response types
– Check Accept header for valid response types

39. Cross-Site Request Forgery (CSRF)
(Diagram: Victim browser, mybank.com, attacker.com)
1) Victim signs on to mybank
2) Victim visits attacker.com
3) Page contains CSRF code
4) Browser sends the request to mybank
CSRF code on attacker.com:
  <form action=https://mybank.com/transfer.jsp method=POST>
    <input name=recipient value=attacker>
    <input name=amount value=1000>
  </form>
  <script>document.forms[0].submit()</script>
Request the browser sends to mybank:
  POST /transfer.jsp HTTP/1.1
  Cookie: <mybank authentication cookie>

  recipient=attacker&amount=1000

40. CSRF and OAuth 2.0
•  How can an attacker use CSRF to take over your account?
– Many sites allow logins from third-party identity providers like Facebook
– Many identity providers use OAuth
– Attacker can automatically associate your account with an attacker controlled Facebook account

41. OAuth CSRF Research
•  Accounts at many sites could be taken over using OAuth CSRF
– Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
•  Research by Rich Lundeen
– http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
•  Prior research by Stephen Sclafani
– http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability

42. OAuth CSRF Attack Flow
1) Create attacker controlled Facebook account
2) Victim is signed on to provider account (e.g. Stack Exchange)
3) Lure victim into visiting an evil site with OAuth CSRF code
– CSRF code sends OAuth authorization request
4) Attacker's Facebook account now controls victim provider account

43. Linking Stack Exchange with an Evil Facebook Account
(Image from http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts)

44. CSRF Protection
•  Spec defines a "state" parameter that must be included in the redirect to the Client
– Value must be non-guessable and tied to session
Client sends "state" to Server:
  http://www.sparklr.com:8080/sparklr2/oauth/authorize?
    client_id=tonr&
    redirect_uri=http://www.eviltonr.com:8080/tonr2/sparklr/photos&
    response_type=code&
    scope=read write&
    state=92G53T
Server sends "state" back to Client after authorization:
  http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T
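What "non-guessable and tied to session" looks like on the Client side of steps 1 and 2 (slides 16 to 18 and this slide), as an added example that is neither the talk's code nor the Sparklr/Tonr sample applications: a JAX-RS resource in Tonr that mints the state from SecureRandom, stores it in the HTTP session, and checks it in constant time on the callback before the authorization code is used. The resource paths, the session attribute name and the use of a servlet session are my assumptions; the endpoint URLs, client_id and scope are the ones on the slides.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

/**
 * Added example (hypothetical class, not from the talk or the sample apps): the Client
 * (Tonr) generates a per-session "state" and verifies it on the OAuth callback.
 */
@Path("/sparklr")
public class SparklrLinkResource {

    private static final String AUTHORIZE_URL = "http://www.sparklr.com:8080/sparklr2/oauth/authorize";
    private static final String REDIRECT_URI  = "http://www.tonr.com:8080/tonr2/sparklr/photos";
    private static final String CLIENT_ID     = "tonr";
    private static final String STATE_ATTR    = "oauth.state";   // session attribute (hypothetical)
    private static final SecureRandom RANDOM  = new SecureRandom();

    /** Step 1: the user clicked "Authorize"; redirect to Sparklr with a fresh state value. */
    @GET
    @Path("/connect")
    public Response startAuthorization(@Context HttpServletRequest req) {
        String state = newState();
        // Bind the state to this session so that only this browser can finish the flow.
        req.getSession(true).setAttribute(STATE_ATTR, state);
        String location = AUTHORIZE_URL
                + "?client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&response_type=code"
                + "&scope=" + enc("read write")
                + "&state=" + enc(state);
        return Response.seeOther(URI.create(location)).build();
    }

    /** Step 2: Sparklr redirects back with ?code=...&state=...; verify state before using code. */
    @GET
    @Path("/photos")
    public Response callback(@QueryParam("code") String code,
                             @QueryParam("state") String state,
                             @Context HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(STATE_ATTR);
        if (session != null) {
            session.removeAttribute(STATE_ATTR);   // single use: a replayed callback will not match
        }
        if (!stateMatches(expected, state)) {
            // Either this session never started an authorization (the OAuth CSRF case from
            // slides 40 to 43) or the callback is stale. Do not use the code.
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // State is good: continue with step 3, exchanging the code for an access token over
        // the back channel with Tonr's client id/password (not shown here).
        return Response.ok().build();
    }

    /** 192 bits from SecureRandom, URL-safe: non-guessable, as the spec requires. */
    static String newState() {
        byte[] bytes = new byte[24];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Constant-time comparison; null on either side (no session, no parameter) fails. */
    static boolean stateMatches(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);   // Java 10+ overload
    }
}
```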
45. OAuth CSRF Protection Demo

46. OWASP 1-Liner
•  Deliberately vulnerable application
– Intended for demos and training
– Created by John Wilander @johnwilander
•  More information at
– https://www.owasp.org/index.php/OWASP_1-Liner

47. JSON CSRF Demo

48. Normal JSON Message
  {"id":0,"nickName":"John",
   "oneLiner":"I LOVE Java!",
   "timestamp":"2013-05-27T17:04:23"}

49. Forged JSON Message
  {"id": 0, "nickName": "John",
   "oneLiner": "I hate Java!",
   "timestamp": "20111006"}//=dummy

50. CSRF Attack Form
  <form id="target" method="POST"
        action="https://local.1-liner.org:8444/ws/vulnerable/oneliners"
        enctype="text/plain"
        style="visibility:hidden">

    <input type="text"
           name='{"id": 0, "nickName": "John",
                  "oneLiner": "I hate Java!",
                  "timestamp": "20111006"}//'
           value="dummy" />

    <input type="submit" value="Go" />
  </form>
  • 53. CSRF  Defense   •  Must  include  something  random  in  the  request   – Use  an  anB-­‐CSRF  token   •  OWASP  CSRFGuard   – Wri]en  by  Eric  Sheridan  @eric_sheridan   – Can  inject  anB-­‐CSRF  token  using   •  JSP  Tag  library  -­‐  for  manual,  fine  grained  protecBon   •  JavaScript  DOM  manipulaBon  -­‐  for  automated  protecBon   requiring  minimal  effort   – Filter  that  intercepts  requests  and  validates  tokens   53  
• 54. CSRFGuard JSP Tags
  • Tags for token name and value
    <form name="test1" action="protect.html">
      <input type="text" name="text" value="text"/>
      <input type="submit" name="submit" value="submit"/>
      <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
    </form>
  • Tag for name/value pair (delimited with "=")
    <a href="protect.html?<csrf:token/>">protect.html</a>
  • Convenience tags for forms and links as well
    <csrf:form> and <csrf:a>
  Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
• 55. CSRFGuard DOM Manipulation
  • Include JavaScript in every page that needs CSRF protection
    <script src="/securish/JavaScriptServlet"></script>
  • JavaScript used to hook the open and send methods
    XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
    XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
      // store a copy of the target URL
      this.url = url;
      this._open.apply(this, arguments);
    };

    XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
    XMLHttpRequest.prototype.send = function(data) {
      if(this.onsend != null) {
        // call custom onsend method to modify the request
        this.onsend.apply(this, arguments);
      }
      this._send.apply(this, arguments);
    };
• 56. Protecting XHR Requests
  • CSRFGuard sends two HTTP headers
    XMLHttpRequest.prototype.onsend = function(data) {
      if(isValidUrl(this.url)) {
        this.setRequestHeader("X-Requested-With",
                              "OWASP CSRFGuard Project");
        this.setRequestHeader("OWASP_CSRFTOKEN",
                              "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
      }
    };
• 57. JSON CSRF Protection Demo
• 58. Outline
  • Authentication
  • Encryption
  • Validation
  • Wrap Up
• 59. Summary
  • Authentication
    ✓ Can use userid/password for services consumed by your app
    ✓ Use OAuth for third-party web apps and mobile apps
  • Encryption
    ✓ Use SSL
    ✓ Use Secure flag
    ✓ Use Strict-Transport-Security header
  • Validation
    ✓ Restrict input
    ✓ Protect your apps against CSRF
• 61. Frank Kim
  wim@sans.org
  @sansappsec
• 62. References
  • JAX-RS 2.0
    – http://jcp.org/en/jsr/detail?id=339
    – https://jax-rs-spec.java.net/nonav/2.0/apidocs
  • OAuth 2.0 Specification
    – http://tools.ietf.org/html/rfc6749
    – http://oauth.net
  • Spring Security OAuth
    – http://www.springsource.org/spring-security-oauth
  • OAuth: The Big Picture
    – http://pages.apigee.com/oauth-big-picture-ebook.html
  • OAuth CSRF issues
    – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
    – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
  • OWASP 1-Liner
    – https://www.owasp.org/index.php/OWASP_1-Liner
  • CSRFGuard
    – https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
    – http://ericsheridan.blogspot.com/2010/12/how-csrfguard-protects-ajax.html