Presentation about Rich Internet Application security with GWT and Vaadin. Presented at 33rd Degree 2014 in Krakow.

1. Platinum Sponsor
Kim Leppänen & Leif Åstrand
Web Application
Security and Modern
Frameworks
Disclaimer: Highly technical content ahead. Participating in this
lecture might change your perspective towards the security of
your application. In some cases, listening to this presentation
might cause symptoms such as raised awareness of security and
general interest towards web application security.

2. <script language="javascript">!
if ( prompt("Enter password") == "supersecret" ) {!
! document.location.href = "secret.html";!
}!
</script>

3. OWASP Top 10
Open Web Application Security Project

4. Rich Internet Applications

7. Client Server
UI logic
Business
logic
DB
GWT
DOM

8. Client Server
UI logic
Business
logic
DB
Vaadin
DOM
Handled by the framework

9. A1: Injection

10. Username demouser
Password ************
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘“ + request.getParameter(“username”) + “‘ AND!
! ! password=‘“ + request.getParameter(“password”) + “‘“;

11. !
!
!
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘demouser‘ AND!
! ! password=‘secretpass‘“;
// username = demouser!
// password = secretpass

12. // username = demouser’ --!
// password = secretpass!
!
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘demouser’--‘ AND!
! ! password=‘secretpass‘“;

13. GWT
!
• N/A
Vaadin
!
• N/A
Web frameworks can help

14. A2: Broken
Authentication
and Session
Management

15. Session ID fixation
!
Exposure of session ID
!
Exposing user credentials

16. GWT
!
• N/A
Vaadin
!
• Helper for changing
session id
Web frameworks can help

17. A3: Cross-Site
Scripting (XSS)

18. Demo: auction
application

19. GWT
!
• setText
• SafeHtml
Vaadin
!
• setHtmlContent
Allowed(false)
• Beware of tooltips
(setDescription)
Web frameworks can help

20. Other things to keep in
mind
The XSS filter evasion cheat
sheet
Context is king
Consider using Markdown

21. A4: Insecure
Direct Object
References

22. GWT
!
• Not so much, since
this is mostly a
server-side thing
• Can be hard to
realize the problem
since requests are
“invisible”
Vaadin
!
• All ids are
generated values
that the server uses
to find the right
object when
needed
Web frameworks can help

23. A5: Security
Misconfiguration

24. GWT
!
• N/A
Vaadin
!
• productionMode =
true
Web frameworks can help

25. A6: Sensitive
Data Exposure

26. Keep in mind
Avoid handling sensitive data,
e.g. credit card numbers
Salt and hash passwords
Use SSL, no excuses!

27. A7: Missing
Function Level
Access Control

28. A8: Cross-Site
Request Forgery
(CSRF)

29. Banking application example
Account 4059820-440198
Amount 130,00 €
http://your.bank/transfer?
account=4059820-440198&amount=130,00

30. http://your.bank/transfer?
account=4059820-440198&amount=130,00
<img src=“
“ />

31. Creative commons - http://www.flickr.com/photos/esparta/367002402/

32. You’ve got mail
Creative Commons - http://www.flickr.com/photos/8058853@N06/2685196800/

33. Your bank
Rogue bank

34. Banking application example
Account 4059820-440198
Amount 130,00 €
http://your.bank/transfer?
account=4059820-440198&amount=130,00
&token=ab8342d8943nkg34iung3o9j

35. GWT
!
• GWT-RPC:
XsrfTokenService
and/or
HasRpcToken
• RequestFactory:
Make your own
RequestTransport
Vaadin
!
• Secured out of the
box
Web frameworks can help

36. A9: Using
Components
with Known
Vulnerabilities

37. How do you
know whether
they are
vulnerable?

38. A10: Unvalidated
Redirects and
Forwards

39. <a href=”http://myapp.com?
redirect=example.com/evil"> Open app </a>!

40. Very quick
conclusion

41. Questions?
!
? leif@vaadin.com
kim@vaadin.com