6. JAX-RS SecurityContext
• getAuthenticationScheme()
  – Returns the String authentication scheme used to protect the resource
  – BASIC, FORM, CLIENT_CERT
• getUserPrincipal()
  – Returns a Principal object containing the username
• isUserInRole(String role)
  – Returns a boolean indicating if the user has the specified logical role
9. Issues
• Userid/password authentication is fine
  – If the API is used only by your site
• But what if your API needs to be used by
  – Other web apps
  – Mobile apps
  – Native apps
• Do you want these apps to
  – Have your password?
  – Have full access to your account?
11. OAuth
• Way to authenticate a service
  – Valet key metaphor coined by Eran Hammer-Lahav
• Authorization token with limited rights
  – You agree which rights are granted
  – You can revoke rights at any time
  – Can gracefully upgrade rights if needed
12. OAuth Roles
User    - Person using the app
        - Also known as the "resource owner"
Client  - Photo printing service called Tonr
Server  - Photo sharing service called Sparklr
        - Also known as the "resource server"
13. Simplified OAuth Flow
(Diagram: User / Client = photo printing service called Tonr / Server = photo sharing service called Sparklr)
1) You log in to Tonr
2) Tonr needs pictures to print and redirects you to Sparklr's log in page
3) You log in to Sparklr directly
14. Simplified OAuth Flow
(Diagram: User / Client = photo printing service called Tonr / Server = photo sharing service called Sparklr)
4) Sparklr returns an OAuth "access token"
5) Tonr stores the "access token" with your account
6) You are happy printing and viewing your pictures
16. Detailed OAuth Flow
1) Via browser: Tonr starts OAuth process
  – Once you click the "Authorize" button
http://www.sparklr.com:8080/sparklr2/oauth/authorize?client_id=tonr&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T
18. Detailed OAuth Flow
2) Via browser: Sparklr redirects back to Tonr
http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T
19. Detailed OAuth Flow
3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password
Request:
POST /sparklr2/oauth/token HTTP/1.1
Authorization: Basic dG9ucjpzZWNyZXQ=

grant_type=authorization_code&code=cOuBX6&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos
Response:
{"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb","token_type":"bearer","expires_in":"42528","scope":"read write"}
23. Detailed OAuth Flow
4) Via "Client": Tonr gets pictures from Sparklr
All requests include:
Authorization: Bearer 5881ce86-3ed0-4427-8a6b-42aef1068dfb
24. When to Use OAuth
• Use OAuth for consuming APIs from
  – Third-party web apps
  – Mobile apps
  – Native apps
• Don't need to use OAuth
  – If the API is only consumed by the user within the same web app
  – If APIs are only consumed server to server
25. Benefits
• No passwords shared between web apps
• No passwords stored on mobile devices
• Limits impact of security incidents
  – If you lose your mobile device
    • You revoke the access Sparklr gave to the Tonr mobile app
  – If Tonr gets hacked
    • Sparklr revokes OAuth access
  – If Sparklr gets hacked
    • You change your Sparklr password
    • Revoke access from Tonr to generate a new access token
26. OAuth Versions
Version  Comments
1.0      - Has a security flaw related to session fixation
         - Don't use it
1.0a     - Stable and well understood
         - Uses a signature to exchange credentials and signs every request
         - Signatures are more of a pain than they seem
2.0      - Spec is final with good support
27. OAuth 2.0 Authorization Grant Types
Grant Type                              Description
1) Authorization Code                   - Optimized for confidential clients
                                        - Uses an authorization code from the Server
                                        - User doesn't see the access token
2) Implicit Grant                       - Optimized for script heavy web apps
                                        - Does not use an authorization code from the Server
                                        - User can see the access token
3) Resource Owner Password Credentials  - Use in cases where the User trusts the Client
                                        - Exposes User credentials to the Client
4) Client Credentials                   - Client gets an access token based on Client credentials only
28. OAuth 2.0 Access Token Types
• Bearer
  – Large random token
  – Need SSL to protect it in transit
  – Server needs to store it securely hashed like a user password
• MAC
  – Uses a nonce to prevent replay
  – Does not require SSL
  – OAuth 1.0 only supported a MAC type token
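The token exchange on slide 19, the bearer check on slide 23 and the hashed-storage advice above, worked through as one added example (not code from the slides or from the Sparklr/Tonr sample apps); the client id "tonr", the secret "secret" behind the Basic header, the code "cOuBX6" and the 42528-second lifetime are taken from the slides, everything else is constructed:

```python
import base64
import hashlib
import secrets
import time

# Constructed sample data modelled on the slides (client "tonr", code "cOuBX6").
CLIENTS = {"tonr": {"secret": "secret",
                    "redirect_uri": "http://www.tonr.com:8080/tonr2/sparklr/photos"}}
# Codes handed out at the /authorize step: code -> (client_id, redirect_uri, scope)
ISSUED_CODES = {"cOuBX6": ("tonr", "http://www.tonr.com:8080/tonr2/sparklr/photos", "read write")}
# Only the SHA-256 of each bearer token is stored: a leaked store cannot be replayed as tokens
TOKEN_STORE = {}  # sha256(token) -> {"client_id", "scope", "expires_at"}

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def token_endpoint(headers, form):
    """Handle POST /oauth/token for grant_type=authorization_code; returns (status, json)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:  # HTTP Basic carries base64("client_id:client_secret")
        client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except ValueError:
        return 401, {"error": "invalid_client"}
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(secret, client["secret"]):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    issued = ISSUED_CODES.pop(form.get("code"), None)  # single use: a replayed code fails
    if issued is None or issued[0] != client_id or issued[1] != form.get("redirect_uri"):
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)  # large random bearer token, to be sent only over SSL
    TOKEN_STORE[_hash(token)] = {"client_id": client_id, "scope": issued[2],
                                 "expires_at": time.time() + 42528}
    return 200, {"access_token": token, "token_type": "bearer",
                 "expires_in": 42528, "scope": issued[2]}

def authorize_bearer(headers, required_scope):
    """Resource-server check of 'Authorization: Bearer <token>'; returns client_id or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    entry = TOKEN_STORE.get(_hash(auth[7:]))
    if entry is None or entry["expires_at"] < time.time():
        return None
    return entry["client_id"] if required_scope in entry["scope"].split() else None
```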
35. Secure Flag
• Ensures that the Cookie is only sent via SSL
• Configure in web.xml as of Servlet 3.0
<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>
• Programmatically
Cookie cookie = new Cookie("mycookie", "test");
cookie.setSecure(true);
36. Strict-Transport-Security
• Tells the browser to only talk to the server via HTTPS
  – The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
  – Subsequent requests to HTTP automatically use HTTPS
• Supported browsers
  – Implemented in Firefox and Chrome
  – Defined in RFC 6797
Strict-Transport-Security: max-age=seconds [; includeSubdomains]
38. Restrict Input
• Restrict to POST
  – Use @POST annotation
• Restrict the Content-Type
  – Use @Consumes({MediaType.APPLICATION_JSON})
  – Invalid Content-Type results in HTTP 415 Unsupported Media Type
• Restrict to Ajax if applicable
  – Check X-Requested-With: XMLHttpRequest header
• Restrict response types
  – Check Accept header for valid response types
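The four checks above as one precondition filter for a JSON endpoint, written as an added example rather than taken from the slides or from JAX-RS itself; the status codes other than the 415 named on the slide (405, 403, 406) are my choice, and the function normalizes header names and strips media-type parameters such as "; charset=utf-8" before comparing:

```python
def restrict_input(method, headers, require_ajax=True):
    """Return (status, reason) for a JSON API request; (200, "ok") only if every check passes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if method.upper() != "POST":
        return 405, "Method Not Allowed"  # only @POST reaches the handler
    media_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != "application/json":  # @Consumes(APPLICATION_JSON)
        return 415, "Unsupported Media Type"
    # An HTML <form> cannot set a custom header, and a cross-origin XHR needs CORS
    # approval to do so, which is why requiring it narrows the CSRF surface
    if require_ajax and h.get("x-requested-with") != "XMLHttpRequest":
        return 403, "Forbidden"
    accepted = {a.split(";", 1)[0].strip().lower() for a in h.get("accept", "*/*").split(",")}
    if not accepted & {"application/json", "application/*", "*/*"}:
        return 406, "Not Acceptable"  # client cannot consume the JSON we would return
    return 200, "ok"
```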
40. CSRF and OAuth 2.0
• How can an attacker use CSRF to take over your account?
  – Many sites allow logins from third-party identity providers like Facebook
  – Many identity providers use OAuth
  – Attacker can automatically associate your account with an attacker controlled Facebook account
41. OAuth CSRF Research
• Accounts at many sites could be taken over using OAuth CSRF
  – Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
• Research by Rich Lundeen
  – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
• Prior research by Stephen Sclafani
  – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
42. OAuth CSRF Attack Flow
1) Create attacker controlled Facebook account
2) Victim is signed on to provider account (i.e. Stack Exchange)
3) Lure victim into visiting an evil site with OAuth CSRF code
  – CSRF code sends OAuth authorization request
4) Attacker's Facebook account now controls victim provider account
43. Linking Stack Exchange with an Evil Facebook Account
[Image from http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts]
44. CSRF Protection
• Spec defines a "state" parameter that must be included in the redirect to the Client
  – Value must be non-guessable and tied to the session
Client sends "state" to Server:
http://www.sparklr.com:8080/sparklr2/oauth/authorize?client_id=tonr&redirect_uri=http://www.eviltonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T
Server sends "state" back to Client after authorization:
http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T
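The "state" defence above, together with the redirect_uri check that stops the www.eviltonr.com redirect shown in the first URL, as an added example (not code from the slides or from the Sparklr/Tonr sample apps): the client side generates a fresh non-guessable state per session and refuses any callback whose state does not match, and the server side only honours the redirect_uri registered for the client. Only the URLs and the client id "tonr" come from the slides; the session dict and function names are my own.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "http://www.sparklr.com:8080/sparklr2/oauth/authorize"
REDIRECT_URI = "http://www.tonr.com:8080/tonr2/sparklr/photos"

def start_authorization(session):
    """Client (Tonr) builds the authorize redirect, binding a fresh state to the user's session."""
    state = secrets.token_urlsafe(24)  # non-guessable; never derived from anything public
    session["oauth_state"] = state      # tied to this session only
    params = {"client_id": "tonr", "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "read write", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def handle_callback(session, callback_url):
    """Client validates the redirect back from the Server; returns the code or raises."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # consumed on first use, success or not
    received = query.get("state", [None])[0]
    if expected is None or received is None or \
            not hmac.compare_digest(expected.encode(), received.encode()):
        # A forged (CSRF) redirect carries no state, or a state bound to the attacker's session
        raise PermissionError("OAuth state mismatch")
    return query["code"][0]

# Server (Sparklr) side: redirect only to the URI registered for the client, so a request
# naming www.eviltonr.com is refused even though it carries a syntactically valid state
REGISTERED_REDIRECTS = {"tonr": {REDIRECT_URI}}

def server_accepts_redirect(client_id, redirect_uri):
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())
```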
46. OWASP 1-Liner
• Deliberately vulnerable application
  – Intended for demos and training
  – Created by John Wilander @johnwilander
• More information at
  – https://www.owasp.org/index.php/OWASP_1-Liner
52. Forged JSON Message
{"id": 0, "nickName": "John",
"oneLiner": "I hate Java!",
"timestamp": "20111006"}//=dummy
53. CSRF Defense
• Must include something random in the request
  – Use an anti-CSRF token
• OWASP CSRFGuard
  – Written by Eric Sheridan @eric_sheridan
  – Can inject anti-CSRF token using
    • JSP Tag library - for manual, fine grained protection
    • JavaScript DOM manipulation - for automated protection requiring minimal effort
  – Filter that intercepts requests and validates tokens
54. CSRFGuard JSP Tags
• Tags for token name and value
<form name="test1" action="protect.html">
  <input type="text" name="text" value="text"/>
  <input type="submit" name="submit" value="submit"/>
  <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
</form>
• Tag for name/value pair (delimited with "=")
<a href="protect.html?<csrf:token/>">protect.html</a>
• Convenience tags for forms and links as well
<csrf:form> and <csrf:a>
Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
55. CSRFGuard DOM Manipulation
• Include JavaScript in every page that needs CSRF protection
<script src="/securish/JavaScriptServlet"></script>
• JavaScript used to hook the open and send methods
XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
  // store a copy of the target URL
  this.url = url;
  this._open.apply(this, arguments);
};

XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function(data) {
  if (this.onsend != null) {
    // call custom onsend method to modify the request
    this.onsend.apply(this, arguments);
  }
  this._send.apply(this, arguments);
};
59. Summary
• Authentication
  ✓ Can use userid/password for services consumed by your app
  ✓ Use OAuth for third-party web apps and mobile apps
• Encryption
  ✓ Use SSL
  ✓ Use Secure flag
  ✓ Use Strict-Transport-Security header
• Validation
  ✓ Restrict input
  ✓ Protect your apps against CSRF