Rest Security with JAX-RS


Posted: 15-Jan-2015
Category: Technology

Transcript of Rest Security with JAX-RS

1. REST Security with JAX-RS
   JavaOne 2013

2. About
   Frank Kim
   SANS Institute Curriculum Lead, Application Security
   Author, Secure Coding in Java

3. Outline
   Authentication
   Encryption
   Validation
   Wrap Up

4. Authentication
   Process of verifying an identity
   Can be based on three factors:
   - Something you know
   - Something you have
   - Something you are

5. Java EE Authentication
   Configuration in web.xml:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Example</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>

     <auth-constraint>
       <role-name>user</role-name>
       <role-name>admin</role-name>
     </auth-constraint>
   </security-constraint>

   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/loginerror.jsp</form-error-page>
     </form-login-config>
   </login-config>

6. JAX-RS SecurityContext
   getAuthenticationScheme()
   - Returns a String naming the authentication scheme used to protect the resource: BASIC, FORM, CLIENT_CERT
   getUserPrincipal()
   - Returns a Principal object containing the username
   isUserInRole(String role)
   - Returns a boolean indicating if the user has the specified logical role

7. Photo Sharing Site Demo

8. Photo Sharing Site API
   http://www.sparklr.com:8080/sparklr2/photos?&format=json

   {
     "photos" : [
       { "id":"1" , "name":"photo1.jpg" } ,
       { "id":"3" , "name":"photo3.jpg" } ,
       { "id":"5" , "name":"photo5.jpg" }
     ]
   }

9. Issues
   User id/password authentication is fine if the API is used only by your site
   But what if your API needs to be used by:
   - Other web apps
   - Mobile apps
   - Native apps
   Do you want these apps to:
   - Have your password?
   - Have full access to your account?

10. [image only]

11. OAuth
   Way to authenticate a service
   Valet key metaphor coined by Eran Hammer-Lahav
   Authorization token with limited rights:
   - You agree which rights are granted
   - You can revoke rights at any time
   - Can gracefully upgrade rights if needed

12. OAuth Roles
   User: person using the app; also known as the "resource owner"
   Client: photo printing service called Tonr
   Server: photo sharing service called Sparklr; also known as the "resource server"

13. Simplified OAuth Flow (User, Client, Server)
   1) You log in to Tonr (photo printing service)
   2) Tonr needs pictures to print and redirects you to Sparklr's login page
   3) You log in to Sparklr directly (photo sharing service)

14. Simplified OAuth Flow (User, Client, Server)
   6) You are happy prin

   [Slides 14 (remainder) to 33 are missing from the transcript; of slide 33 only a web.xml fragment survived.]

33. (heading not preserved)

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Example</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>

     ...

     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>

34. JAX-RS SecurityContext
   isSecure()
   - Returns a boolean indicating whether the request was made via HTTPS
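Added example (not from the talk): a JAX-RS 2.0 resource that uses the injected SecurityContext described on slides 6 and 34 to enforce transport, authentication, role and scheme checks inside the resource. The class, the path and the "admin" role are assumptions for illustration; the API calls are the standard javax.ws.rs ones.

```java
// Added example, not code from the talk. Class, path and role names are assumptions.
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/photos")
public class PhotosResource {

    // Populated by the JAX-RS runtime from the container's authentication (for
    // example the FORM login in web.xml); the resource never parses credentials.
    @Context
    private SecurityContext securityContext;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response listPhotos() {
        // isSecure(): refuse a request that did not arrive over HTTPS, even if the
        // transport-guarantee in web.xml does not cover this URL pattern.
        if (!securityContext.isSecure()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }

        // getUserPrincipal(): null means the container admitted an unauthenticated
        // request, e.g. the URL is outside every <security-constraint>.
        Principal user = securityContext.getUserPrincipal();
        if (user == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }

        // getAuthenticationScheme(): accept only the schemes this API was designed
        // for; the constants are defined on SecurityContext itself.
        String scheme = securityContext.getAuthenticationScheme();
        if (!SecurityContext.FORM_AUTH.equals(scheme)
                && !SecurityContext.CLIENT_CERT_AUTH.equals(scheme)) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }

        // isUserInRole(): the logical role from <auth-constraint>/<role-name>,
        // mapped by the container to the realm's groups. Admins see every photo.
        boolean admin = securityContext.isUserInRole("admin");
        String json = admin
                ? "{\"photos\":[{\"id\":\"1\",\"name\":\"photo1.jpg\"},"
                  + "{\"id\":\"3\",\"name\":\"photo3.jpg\"},{\"id\":\"5\",\"name\":\"photo5.jpg\"}]}"
                : "{\"photos\":[{\"id\":\"1\",\"name\":\"photo1.jpg\"}]}";
        return Response.ok(json).build();
    }
}
```

The checks are ordered so that the cheapest and most general one (transport) runs first and the authorization decision (role) runs last; a null Principal is answered with 401 rather than 403 because the client has not authenticated yet, whereas a wrong transport or scheme is a 403 that no retry with credentials will fix.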
35. Secure Flag
   Ensures that the Cookie is only sent via SSL
   Configure in web.xml as of Servlet 3.0:

   <session-config>
     <cookie-config>
       <secure>true</secure>
     </cookie-config>
   </session-config>

   Programmatically:

   Cookie cookie = new Cookie("mycookie", "test");
   cookie.setSecure(true);

36. Strict-Transport-Security
   Tells browser to only talk to the server via HTTPS
   First time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
   Subsequent requests to HTTP automatically use HTTPS
   Supported browsers: implemented in Firefox and Chrome
   Defined in RFC 6797

   Strict-Transport-Security: max-age=seconds [; includeSubdomains]

37. Outline
   Authentication
   Encryption
   Validation
   Wrap Up

38. Restrict Input
   Restrict to POST
   - Use @POST annotation
   Restrict the Content-Type
   - Use @Consumes({MediaType.APPLICATION_JSON})
   - Invalid Content-Type results in HTTP 415 Unsupported Media Type
   Restrict to Ajax if applicable
   - Check X-Requested-With: XMLHttpRequest header
   Restrict response types
   - Check Accept header for valid response types

39. Cross-Site Request Forgery (CSRF)
   Victim browser, mybank.com, attacker.com:
   1) Victim signs on to mybank
   2) Victim visits attacker.com
   3) Page contains CSRF code
   4) Browser sends the request to mybank:

   POST /transfer.jsp HTTP/1.1
   Cookie:

   recipient=attacker&amount=1000

40. CSRF and OAuth 2.0
   How can an attacker use CSRF to take over your account?
   Many sites allow logins from third-party identity providers like Facebook
   Many identity providers use OAuth
   Attacker can automatically associate your account with an attacker controlled Facebook account

41. OAuth CSRF Research
   Accounts at many sites could be taken over using OAuth CSRF:
   StackExchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
   Research by Rich Lundeen
   http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
   Prior research by Stephen Sclafani
   http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
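Added example (not from the talk): two JAX-RS 2.0 providers that apply slides 35, 36 and 38 across a whole API instead of per resource method. A request filter enforces the Content-Type, X-Requested-With and Accept restrictions of slide 38, and a response filter adds the Strict-Transport-Security header of slide 36 and forces the Secure flag of slide 35 onto every cookie the API sets. The holder class, the one-year max-age, the choice to accept only JSON and the use of includeSubDomains are assumptions for illustration.

```java
// Added example, not code from the talk. The holder class only keeps both providers
// in one file; in a project each would be its own public class.
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

public final class HardeningFilters {

    // Slide 38, run before resource matching so an unsupported request never
    // reaches a resource method at all.
    @Provider
    @PreMatching
    public static class RestrictInputFilter implements ContainerRequestFilter {

        // What this API produces (assumption): JSON, or a wildcard Accept.
        private static final List<MediaType> PRODUCED =
                Arrays.asList(MediaType.APPLICATION_JSON_TYPE, MediaType.WILDCARD_TYPE);

        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            String m = ctx.getMethod();
            boolean stateChanging = !("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m));

            if (stateChanging) {
                // Restrict the Content-Type: 415, the same status @Consumes would
                // produce once the request had matched a method.
                MediaType type = ctx.getMediaType();
                if (type == null || !MediaType.APPLICATION_JSON_TYPE.isCompatible(type)) {
                    ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE).build());
                    return;
                }
                // Restrict to Ajax: an HTML form cannot add this header, and a cross-origin
                // XMLHttpRequest can add it only if a CORS preflight allows it.
                if (!"XMLHttpRequest".equals(ctx.getHeaderString("X-Requested-With"))) {
                    ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                    return;
                }
            }

            // Restrict response types: 406 for Accept values the API cannot satisfy,
            // rather than letting content negotiation pick something unexpected.
            List<MediaType> accept = ctx.getAcceptableMediaTypes();
            boolean ok = accept.isEmpty()
                    || accept.stream().anyMatch(a -> PRODUCED.stream().anyMatch(a::isCompatible));
            if (!ok) {
                ctx.abortWith(Response.status(Response.Status.NOT_ACCEPTABLE).build());
            }
        }
    }

    // Slides 35 and 36, applied to every response.
    @Provider
    public static class TransportHardeningFilter implements ContainerResponseFilter {

        // One year; includeSubDomains is appropriate only once every subdomain
        // serves HTTPS (assumption for this example).
        private static final String HSTS = "max-age=31536000; includeSubDomains";

        @Override
        public void filter(ContainerRequestContext req, ContainerResponseContext res)
                throws IOException {
            // Browsers ignore Strict-Transport-Security received over plain HTTP
            // (RFC 6797), so send it only when the request arrived over TLS.
            if (req.getSecurityContext().isSecure()) {
                res.getHeaders().putSingle("Strict-Transport-Security", HSTS);
            }

            // Re-emit every Set-Cookie with the Secure flag on, keeping the other
            // attributes (path, max-age, HttpOnly) exactly as the resource set them.
            Map<String, NewCookie> cookies = res.getCookies();
            if (!cookies.isEmpty()) {
                List<Object> hardened = new ArrayList<>();
                for (NewCookie c : cookies.values()) {
                    hardened.add(c.isSecure() ? c
                            : new NewCookie(c, c.getComment(), c.getMaxAge(), c.getExpiry(), true, c.isHttpOnly()));
                }
                res.getHeaders().put(HttpHeaders.SET_COOKIE, hardened);
            }
        }
    }
}
```

The request filter is @PreMatching so that the 415 and 403 responses are produced before JAX-RS has resolved a resource method, which also means they apply to paths that no method handles; the cookie rewrite in the response filter is a safety net behind the web.xml setting of slide 35, catching cookies that code sets programmatically without calling setSecure(true).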
42. OAuth CSRF Attack Flow
   1) Create attacker controlled Facebook account
   2) Victim is signed on to provider account (i.e. StackExchange)
   3) Lure victim into visiting an evil site with OAuth CSRF code
   - CSRF code sends OAuth authorization request
   4) Attacker's Facebook account now controls victim provider account

43. Linking StackExchange with an Evil Facebook Account
   Image from http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts

44. CSRF Protection
   Spec defines a "state" parameter that must be included in the redirect to the Client
   Value must be non-guessable and tied to session
   Client sends "state" to Server:

   http://www.sparklr.com:8080/sparklr2/oauth/authorize?client_id=tonr&redirect_uri=http://www.eviltonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T

   Server sends "state" back to Client after authorization:

   http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T

45. OAuth CSRF Protection Demo

46. OWASP 1-Liner
   Deliberately vulnerable application
   Intended for demos and training
   Created by John Wilander @johnwilander
   More information at https://www.owasp.org/index.php/OWASP_1-Liner

47. JSON CSRF Demo

48. Normal JSON Message

   {"id":0,"nickName":"John",
    "oneLiner":"I LOVE Java!",
    "timestamp":"2013-05-27T17:04:23"}

49. Forged JSON Message

   {"id": 0, "nickName": "John",
    "oneLiner": "I hate Java!",
    "timestamp": "20111006"}//=dummy

50. CSRF Attack Form
   [HTML form not preserved in the transcript]

51. CSRF Attack Form
   [HTML form not preserved in the transcript]

52. Forged JSON Message

   {"id": 0, "nickName": "John",
    "oneLiner": "I hate Java!",
    "timestamp": "20111006"}//=dummy

53. CSRF Defense
   Must include something random in the request
   Use an anti-CSRF token
   OWASP CSRFGuard
   - Written by Eric Sheridan @eric_sheridan
   - Can inject anti-CSRF token using:
     JSP Tag library - for manual, fine-grained protection
     JavaScript DOM manipulation - for automated protection requiring minimal effort
   - Filter that intercepts requests and validates tokens

54. CSRFGuard JSP Tags
   Tags for token name and value
   Tag for name/value pair (delimited with "="), e.g. for protect.html
   Convenience tags for forms and links as well
   Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection
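Added example (not from the talk, and not CSRFGuard's own code): the server side of slide 44 and of slides 53 to 56 in one Java class. Both defences rest on the same idea, a value from a CSPRNG stored in the user's session and compared in constant time on the way back, so one helper serves the OAuth "state" parameter and the anti-CSRF token that the CSRFGuard JavaScript sends in the OWASP_CSRFTOKEN and X-Requested-With headers. The Sparklr authorize URL, the client_id "tonr", the Tonr redirect_uri and the two header values are taken from the slides; the resource paths, session attribute names and class names are assumptions for illustration.

```java
// Added example, not code from the talk or from CSRFGuard. Paths, attribute names
// and class names are assumptions; URLs and header values come from the slides.
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.Provider;

public final class SessionBoundTokens {

    private static final SecureRandom RNG = new SecureRandom();

    // 128 bits from a CSPRNG, URL-safe so the value survives a query string unchanged.
    static String newToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // MessageDigest.isEqual compares in constant time, so the expected value cannot
    // be recovered byte by byte from response timing; null never matches.
    static boolean matches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    // Slide 44: the OAuth client (Tonr) binds a fresh "state" to the session before
    // redirecting to Sparklr, and refuses a callback whose state does not match.
    @Path("/sparklr")
    public static class OAuthClientResource {
        static final String STATE_ATTR = "oauth.state";   // assumption
        static final String REDIRECT_URI = "http://www.tonr.com:8080/tonr2/sparklr/photos";

        @GET @Path("/start")
        public Response start(@Context HttpServletRequest request) {
            String state = newToken();
            request.getSession(true).setAttribute(STATE_ATTR, state);
            URI authorize = UriBuilder.fromUri("http://www.sparklr.com:8080/sparklr2/oauth/authorize")
                    .queryParam("client_id", "tonr")
                    .queryParam("redirect_uri", REDIRECT_URI)
                    .queryParam("response_type", "code")
                    .queryParam("scope", "read write")
                    .queryParam("state", state)
                    .build();
            return Response.seeOther(authorize).build();
        }

        @GET @Path("/photos")
        public Response callback(@QueryParam("code") String code,
                                 @QueryParam("state") String state,
                                 @Context HttpServletRequest request) {
            HttpSession session = request.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(STATE_ATTR);
            if (session != null) session.removeAttribute(STATE_ATTR);   // single use
            if (!matches(expected, state)) {
                // Authorization response this session never asked for: do not exchange
                // the code and do not link any account.
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            return Response.ok().build();   // exchange of `code` for a token would follow here
        }
    }

    // Slides 53 to 56: verify, for every state-changing request, the two headers
    // that the CSRFGuard JavaScript adds to each XMLHttpRequest.
    @Provider
    public static class CsrfTokenFilter implements ContainerRequestFilter {
        static final String TOKEN_ATTR = "csrf.token";   // assumption

        @Context
        private HttpServletRequest request;

        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            String m = ctx.getMethod();
            if ("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m)) return;

            HttpSession session = request.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            boolean fromXhr = "OWASP CSRFGuard Project".equals(ctx.getHeaderString("X-Requested-With"));
            if (!fromXhr || !matches(expected, ctx.getHeaderString("OWASP_CSRFTOKEN"))) {
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
    }
}
```

The filter only verifies: something that renders the page has to store newToken() under csrf.token when the session starts, which is the value CSRFGuard's JSP tags or injected script then carry to the browser. A request with no session at all fails closed, because matches() treats a missing expected value as a mismatch; and because the OAuth state is removed after its first check, a callback URL that leaks through a log or Referer cannot be replayed against the same session.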
55. CSRFGuard DOM Manipulation
   Include JavaScript in every page that needs CSRF protection
   JavaScript used to hook the open and send methods:

   XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
   XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
     // store a copy of the target URL
     this.url = url;
     this._open.apply(this, arguments);
   }

   XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
   XMLHttpRequest.prototype.send = function(data) {
     if(this.onsend != null) {
       // call custom onsend method to modify the request
       this.onsend.apply(this, arguments);
     }
     this._send.apply(this, arguments);
   }

56. Protecting XHR Requests
   CSRFGuard sends two HTTP headers:

   XMLHttpRequest.prototype.onsend = function(data) {
     if(isValidUrl(this.url)) {
       this.setRequestHeader("X-Requested-With",
           "OWASP CSRFGuard Project");
       this.setRequestHeader("OWASP_CSRFTOKEN",
           "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
     }
   };

57. JSON CSRF Protection Demo

58. Outline
   Authentication
   Encryption
   Validation
   Wrap Up

59. Summary
   Authentication
   - Can use user id/password for services consumed by your app
   - Use OAuth for third-party web apps and mobile apps
   Encryption
   - Use SSL
   - Use Secure flag
   - Use Strict-Transport-Security header
   Validation
   - Restrict input
   - Protect your apps against CSRF

60. Frank Kim
   wim@sans.org
   @sansappsec

61. References
   JAX-RS 2.0
   - http://jcp.org/en/jsr/detail?id=339
   - https://jax-rs-spec.java.net/nonav/2.0/apidocs
   OAuth 2.0 Specification
   - http://tools.ietf.org/html/rfc6749
   - http://oauth.net
   Spring Security OAuth
   - http://www.springsource.org/spring-security-oauth
   OAuth: The Big Picture
   - http://pages.apigee.com/oauth-big-picture-ebook.html
   OAuth CSRF issues
   - http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
   - http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
   OWASP 1-Liner
   - https://www.owasp.org/index.php/OWASP_1-Liner
   CSRFGuard
   - https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
   - http://ericsheridan.blogspot.com/2010/12/how-csrfguard-protects-ajax.html

62. [end of deck]