Code review for secure web applications
Transcript of Code review for secure web applications
Page 1
Code Review for Secure Web Applications
With Java samples
Page 2
Bibliography
• OWASP – Open Web Application Security Project – www.owasp.org
• OWASP Code Review Guide
Page 3
Introduction
• Code reviews:
– Ad hoc reviews
– Pair programming
– Walkthrough
– Team review
– Inspection
• Purpose – security
Page 4
Code review strategies
• Automatic
• Manual – use checklists:
– Risk based
– Most frequently encountered programming mistakes
– Mitigation of the vulnerabilities most often exploited in the wild
– Security best practices
Page 5
Checklist based on best practices
• Authentication
• Authorization
• Session management
• Input validation and output sanitization
Page 6
Checklist based on best practices (to be presented next meeting)
• Prevent Cross Site Request Forgery
• Cryptographic controls
• Error handling
• Logging
• Prevent race conditions
Page 7
Authentication
• Check user is not allowed to choose weak passwords
Bad (only checks that a password was supplied, never its strength):
```java
String password = request.getParameter("Password");
if (password == null) {
    throw new InvalidPasswordException();
}
```
Page 8
Authentication
• Check user is not allowed to choose weak passwords
OK (requires a lower-case letter, an upper-case letter, a digit, a symbol, and a length of 8 to 30):
```java
public boolean isPasswordStrong(String password) {
    if (password == null) {
        return false;
    }
    return password.matches(".*[a-z].*")
        && password.matches(".*[A-Z].*")
        && password.matches(".*[0-9].*")
        && password.length() >= 8 && password.length() <= 30
        && password.matches(".*[!\"£$%^&*()].*");
}
```
Page 9
Authentication
• Password storage strategy: hashing using a one-way hash algorithm + salting
OK hashing:
```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public byte[] getHash(String password) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-1");
    digest.reset();
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}
```
Page 10
Authentication
• Password storage strategy: hashing using a one-way hash algorithm + salting
OK salting:
```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.reset();
    digest.update(salt);   // salt goes into the digest before the password
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}
```
Page 11
Authorization
• Check the access roles matrix and make sure it is created respecting the need-to-know and least-privilege principles
• Check the business logic for errors
Bad (anyone who is not a NormalUser, including an unknown role, is granted super permissions):
```java
if (user.equals("NormalUser")) {
    grantUser(Normal_Permissions);
} else {
    // user must be admin/super
    grantUser(Super_Permissions);
}
```
Page 12
Authorization
• Check if security by obscurity is used
• Check if authorization is verified for every request
Good:
```java
String action = request.getParameter("action");
if ("doStuff".equals(action)) {
    boolean permit = session.authTable.isAuthorised(action);
    if (permit) {
        doStuff();
    } else {
        session.invalidate();   // must run before the throw, or it is unreachable
        throw new InvalidRequestException("Unauthorised request");
    }
}
```
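To make the "roles matrix" and "business logic errors" checks concrete, here is an added example (not the deck's code) of the shape a reviewer wants to find behind a call like `session.authTable.isAuthorised(...)`: an explicit role-to-permission table where each role lists only what it needs, and a lookup that denies by default, so there is no "else, it must be admin" branch like the Bad sample on the previous slide. The role and permission names are constructed.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example: an explicit role/permission matrix with default deny.
// Not the slide's code; role and permission names are constructed.
public final class AccessMatrix {
    enum Permission { READ_OWN_ORDERS, READ_ALL_ORDERS, MANAGE_USERS }

    private static final Map<String, Set<Permission>> MATRIX = new HashMap<>();
    static {
        // Each role lists only what it needs (need-to-know, least privilege).
        MATRIX.put("NormalUser", EnumSet.of(Permission.READ_OWN_ORDERS));
        MATRIX.put("Support",    EnumSet.of(Permission.READ_OWN_ORDERS, Permission.READ_ALL_ORDERS));
        MATRIX.put("Admin",      EnumSet.allOf(Permission.class));
    }

    // Unknown or null roles get an empty set: there is no "else, must be admin" branch.
    static Set<Permission> permissionsFor(String role) {
        Set<Permission> p = role == null ? null : MATRIX.get(role);
        return p == null ? EnumSet.noneOf(Permission.class) : EnumSet.copyOf(p);
    }

    // The check every request handler calls before doing privileged work.
    static boolean isAuthorised(String role, Permission needed) {
        return permissionsFor(role).contains(needed);
    }

    public static void main(String[] args) {
        System.out.println("NormalUser READ_OWN_ORDERS: " + isAuthorised("NormalUser", Permission.READ_OWN_ORDERS));
        System.out.println("NormalUser MANAGE_USERS:    " + isAuthorised("NormalUser", Permission.MANAGE_USERS));
        System.out.println("Admin MANAGE_USERS:         " + isAuthorised("Admin", Permission.MANAGE_USERS));
        System.out.println("unknown role Intern:        " + isAuthorised("Intern", Permission.READ_OWN_ORDERS));
    }
}
```

During review, the table itself is the artefact to compare against the documented access matrix; the code around it should only ever ask "does this role hold this permission", never infer a role from what it is not.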
Page 13
Session Management
• Check if only framework’s session manager is used
• Check the cryptographic strength, length and character pool of session identifiers
• Check that sessionIds coming from clients are validated
• Check there is a timeout implemented for idle sessions
• Check session is destroyed on logout
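The five checks above map onto a handful of Servlet API calls. The following is an added example, not the deck's code, of a login/logout servlet that a reviewer would accept against this list: the container's session manager issues every identifier, a client-supplied identifier the container does not recognise is refused, the session is replaced at login, an idle timeout is set, and logout invalidates the session. `authenticate()` is a hypothetical placeholder for the credential check; the `/logout` path and the 15-minute timeout are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: login/logout handling that follows the session checklist.
// Not the slide's code; authenticate() is a hypothetical helper.
public class SessionServlet extends HttpServlet {
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Validate the client-supplied session id: if the container does not
        // recognise it, do not act on it.
        if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "unknown or expired session");
            return;
        }
        if ("/logout".equals(req.getServletPath())) {
            logout(req, res);
        } else {
            login(req, res);
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (!authenticate(user, password)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad credentials");
            return;
        }
        // Discard any pre-authentication session and let the container issue a
        // new id (framework session manager only; never mint ids yourself).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);   // idle timeout
        session.setAttribute("user", user);
        res.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    private void logout(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();   // destroy server-side state on logout
        }
        res.sendRedirect(req.getContextPath() + "/login");
    }

    // Hypothetical credential check, standing in for a lookup against the salted
    // hashes from the authentication slides.
    private boolean authenticate(String user, String password) {
        return user != null && password != null && !password.isEmpty();
    }
}
```

The cryptographic strength and character pool of the identifier are properties of the container, not of this code; the review item there is to confirm no custom identifier generation exists anywhere in the application.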
Page 14
Input validation and output sanitization
• Ensure 2 separate validations occur: first a security validation, then a business validation
• Ensure in the security validation, data are canonicalized first
```java
import java.io.File;
import java.io.IOException;

public static void main(String[] args) throws IOException {
    File x = new File("/cmd/" + args[0]);
    String absPath = x.getAbsolutePath();        // may still contain "." and ".." segments
    String canonicalPath = x.getCanonicalPath(); // resolved, unique form: validate this one
}
```
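The slide stops after computing the canonical path. This added example (not the deck's code) carries the idea through to the security validation it is meant to feed: resolve the user-supplied name under the base directory, canonicalize, and only accept the result if it is still inside that directory. `/cmd` is the slide's directory; the file names are constructed.

```java
import java.io.File;
import java.io.IOException;

// Added example (not the slide's code): canonicalize before validating, then check
// the result is still inside the intended base directory.
public final class SafePath {
    static File resolveUnder(File base, String userSupplied) throws IOException {
        String basePath = base.getCanonicalPath();
        File candidate = new File(base, userSupplied);
        // Canonical form resolves ".", "..", duplicate separators and symlinks;
        // the absolute form does not, so it is not what we compare.
        String canonical = candidate.getCanonicalPath();
        boolean inside = canonical.equals(basePath)
                || canonical.startsWith(basePath + File.separator);
        if (!inside) {
            throw new SecurityException("path escapes " + basePath + ": " + userSupplied);
        }
        return new File(canonical);
    }

    public static void main(String[] args) throws IOException {
        File base = new File("/cmd");
        // Constructed inputs: a plain name, a name that normalises back inside, and one that escapes.
        String[] samples = { "report.txt", "sub/../report.txt", "../../outside.txt" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveUnder(base, s));
            } catch (SecurityException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The comparison uses `basePath + File.separator` rather than a bare prefix test so that a sibling directory whose name merely begins with the base name (for example `/cmd2`) is not accepted.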
Page 15
Input validation and output sanitization
• Check that all input that traversed untrusted zones is validated, not only user input
• Check that validators and sanitizers are adapted to the module that receives or uses the data – encode, escape, etc.
• Check that validators are applied on a safe side (the server, never only the client)
Page 16
Input validation and output sanitization
Bad (an unvalidated user name is concatenated into an OS command line):
```java
public class DoStuff {
    public void executeCommand(String userName) {
        try {
            String myUid = userName;   // untrusted input, used as-is
            Runtime rt = Runtime.getRuntime();
            rt.exec("cmd.exe /C doStuff.exe " + "-" + myUid);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
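As an added example (not the deck's code), here is the same operation written the way a reviewer would want to see it: a security validation with an allow-list pattern in front of the call, and the program invoked through `ProcessBuilder` with an argument vector instead of a `cmd.exe` command line, so no shell ever parses the user name. `doStuff.exe` is the slide's program; the allowed character set and the sample inputs are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;

// Added example (not the slide's code): the same call with a security validation in
// front of it and no shell in the middle.
public final class DoStuffSafely {
    // Allow-list: the only characters a user name may contain before it reaches the OS.
    private static final Pattern USER_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    static boolean isValidUserName(String userName) {
        return userName != null && USER_NAME.matcher(userName).matches();
    }

    public static int executeCommand(String userName) throws IOException, InterruptedException {
        if (!isValidUserName(userName)) {
            throw new IllegalArgumentException("user name rejected by security validation");
        }
        // ProcessBuilder receives an argument vector: no cmd.exe, so there is no
        // command-line parser that could split the argument on metacharacters.
        ProcessBuilder pb = new ProcessBuilder("doStuff.exe", "-" + userName);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed inputs: one acceptable name, one containing a separator character.
        for (String candidate : new String[] { "alice_01", "bob;extra" }) {
            System.out.println(candidate + " valid: " + isValidUserName(candidate));
        }
    }
}
```

Both controls matter: the argument vector removes the shell, and the allow-list keeps the value within what `doStuff.exe` itself is expected to handle.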
Page 17
Input validation and output sanitization
Bad (the sort order is appended to the SQL text; binding protects only the name value):
```java
String myQuery = "select food from foods where name=?";
String sortOrder = request.getParameter("order");
myQuery += sortOrder;                                   // untrusted text becomes part of the statement
PreparedStatement preparedStatement = connection.prepareStatement(myQuery);
preparedStatement.setString(1, "Shaorma");              // only this value is a bound parameter
ResultSet resultSet = preparedStatement.executeQuery();
```
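An `ORDER BY` clause cannot be passed as a bound parameter, which is why the slide's code concatenates it. The added example below (not the deck's code) shows the accepted fix: the request parameter selects an entry from an allow-list of fixed SQL fragments, an unknown value falls back to a default, and the name stays a bound parameter exactly as on the slide. The sort keys and the `price` column are constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

// Added example (not the slide's code): the sort order is chosen from an allow-list,
// so only fixed SQL text is ever concatenated, and the name stays a bound parameter.
public final class FoodQuery {
    private static final Map<String, String> SORT_ORDERS = Map.of(
            "name_asc",  " order by name asc",
            "name_desc", " order by name desc",
            "price_asc", " order by price asc");
    private static final String DEFAULT_ORDER = " order by name asc";

    // Builds the statement text from constants only; the request parameter is a key.
    static String buildQuery(String orderParam) {
        String orderBy = orderParam == null ? null : SORT_ORDERS.get(orderParam);
        if (orderBy == null) {
            orderBy = DEFAULT_ORDER;   // unknown value: fall back, never echo it into SQL
        }
        return "select food from foods where name=?" + orderBy;
    }

    static ResultSet findFood(Connection connection, String name, String orderParam)
            throws SQLException {
        PreparedStatement ps = connection.prepareStatement(buildQuery(orderParam));
        ps.setString(1, name);   // the value stays a bound parameter, as on the slide
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        System.out.println(buildQuery("price_asc"));
        System.out.println(buildQuery("unknown_value"));   // constructed: falls back to the default
    }
}
```

The review question for any query is "does every piece of text that reaches `prepareStatement` come from a constant?"; the map above makes that answer visible at a glance.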
Page 18
Input validation and output sanitization
OK (untrusted header value is HTML-encoded before it is written to the response):
```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class HelloServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String input = req.getHeader("USERINPUT");   // untrusted: comes from the client
        PrintWriter out = res.getWriter();
        out.println(Server.HTMLEncode(input));       // the slide's encoding helper
        out.close();
    }
}
```
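`Server.HTMLEncode` on the slide is not part of the standard Java platform, so a reviewer will want to see what such a helper actually does. The following is an added example (not the deck's code) of a minimal encoder for HTML text and attribute context, used from a servlet like the one above; the class name, the content-type line and the sample header value are constructed.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the slide's code): a minimal HTML encoder standing in for the
// slide's Server.HTMLEncode, used from a servlet like the one above.
public class EncodedHelloServlet extends HttpServlet {
    // Replaces the characters that can change HTML structure (text and attribute
    // context) with entities; everything else passes through unchanged.
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html; charset=UTF-8");   // fix the charset the browser decodes with
        String input = req.getHeader("USERINPUT");          // untrusted, as on the slide
        PrintWriter out = res.getWriter();
        out.println("<p>" + htmlEncode(input) + "</p>");
        out.close();
    }

    public static void main(String[] args) {
        // Constructed header value containing markup characters.
        String sample = "<img src=\"x\"> fish & chips";
        System.out.println(htmlEncode(sample));
    }
}
```

Encoding is context-specific: this helper is correct for HTML body text and quoted attribute values, and a value placed inside a script block, a URL or a CSS rule needs the encoder for that context instead, which is what the "adapted to the module that uses the data" check on the previous slide refers to.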
Page 19
Thank you for the interest
Questions?
Page 20
Prevent Cross Site Request Forgery
Page 21
Cryptographic controls
Page 22
Error handling
Page 23
Logging
Page 24
Prevent Race Conditions