Tomcat Webapp Security
description
Transcript of Tomcat Webapp Security
![Page 1: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/1.jpg)
Tomcat Webapp SecurityJason BrittainSoftware Architect, MulesoftCo-author, Tomcat: The Definitive Guide
![Page 2: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/2.jpg)
HTTP Request Model Vulnerabilities Request Parameters
- XSS
- CSRF
- HTML Injection
- SQL Injection Request Headers Request URI Container-Level vs. Webapp-Level Filtering
![Page 3: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/3.jpg)
How to Write Secure Webapps
Use only HTTPS and disable small key length ciphers Distrust and sanitize allall input from the client Filter for CSRF (Enable the CsrfPreventionFilter) Filter for XSS (Enable the BadInputFilter)
http://www.sf.net/projects/catnip Generally secure Tomcat Enable the Tomcat security manager and customize
catalina.policy
![Page 4: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/4.jpg)
Scanning Tools and Remediation
Tools Process
![Page 5: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/5.jpg)
Scanning Tools and Remediation (cont)
Commercial scanning tools:
- IBM Rational AppScan
- HP WebInspect
- Acunetix Web Vulnerability Scanner Open Source:
- Ratproxy
![Page 6: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/6.jpg)
Scanning Tools and Remediation (cont)
Process for removing vulnerabilities:
1. Scan
2. Investigate Reported Vulnerabilities
3. Fix vulnerability
4. Goto 1.
![Page 7: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/7.jpg)
HTTP Caching and Security
Browser Cache Proxy Cache// Standard HTTP 1.1 cache disabling header.
httpResponse.setHeader("Cache-Control", "no-cache,must-revalidate");
// Set IE extended HTTP 1.1 no-cache headers.
httpResponse.addHeader("Cache-Control", "post-check=0,pre-check=0");
// Tell proxy caches not to cache this resource.
httpResponse.addHeader("Cache-Control", "proxy-revalidate");
// Standard HTTP 1.0 cache disabling header.
httpResponse.setHeader("Pragma", "no-cache");
// Standard HTTP 1.0 cache disabling header. Prevents caching at the proxy server.
httpResponse.setDateHeader("Expires", 0);
![Page 8: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/8.jpg)
Use HTTPS
Configure Your Webapp to Require HTTPS Disable Insecure Key Lengths / Ciphers Use v6.0.24 and Higher sessionCacheSize and sessionTimeout
![Page 9: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/9.jpg)
Configuring for HTTPS-onlyConfigure your HTTPS connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="450" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS”
keystoreFile="conf/keystore" keystorePass="shhhh"
proxyHost="10.1.1.1" proxyPort="443"
URIEncoding="UTF-8"
maxHttpHeaderSize="32768"/>
![Page 10: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/10.jpg)
Configuring for HTTPS-only (cont.)Configure your HTTP connector to redirect to HTTPS:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
proxyHost="10.1.1.1" proxyPort="80"
URIEncoding="UTF-8"
maxHttpHeaderSize="32768"/>
![Page 11: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/11.jpg)
Configuring for HTTPS-only (cont.)In your webapp's WEB-INF/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>NonSecureConnectionOk</web-resource-name>
<url-pattern>*.ico</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
![Page 12: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/12.jpg)
Configuring HTTPS
Disable “weak” encryption:
<Connector ciphers=”SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA, ...”>
See http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites
![Page 13: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/13.jpg)
Connector Hardening
<Server port="-1"port="-1" shutdown="SHUTDOWN"> Max Post Size Max Http Header Size Max Threads
![Page 14: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/14.jpg)
Java Security Manager
Prevents your webapp from: Reading/writing arbitrary files Making network connections Instantiating/using arbitrary Java packages & classes Etc.
To effectively use it you must:
- Write custom permissions rules
- Debug permissions issues
- Test exhaustively
.. it's not for everyone!
![Page 15: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/15.jpg)
Webapp File Permissions
- Tomcat needs these readable, but not writable
- Don't write files in your webapp tree
![Page 16: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/16.jpg)
Tomcat File Permissions
CIS: Apache Tomcat Security
http://www.cisecurity.org/benchmarks.html
In general:
- Start with the whole tree read only
- conf/Catalinaconf/Catalina and conf/Catalina/localhost must be read/write
- temp/ work/ and logs/ need to be read/write
- webapps/ needs to be read/write, but not webapp dirs
![Page 17: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/17.jpg)
Monitor for Announced Vulnerabilities
Tomcat project security vulnerabilities page:
http://tomcat.apache.org/security.html
Upgrade when there is a fix!
![Page 18: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/18.jpg)
Additional Resources
MuleSoft Tcat Server
http://www.mulesoft.com/tcat-server-enterprise-tomcat-application-server
TLS Renegotiation Extension and Vulnerability
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
Web App Scanners Miss Half of Vulnerabilities
http://news.slashdot.org/story/10/02/06/1933211/Web-App-Scanners-Miss-Half-of-Vulnerabilities?art_pos=5
Turning XSS Into Clickjacking
http://ha.ckers.org/blog/20100614/turning-xss-into-clickjacking
![Page 19: Tomcat Webapp Security](https://reader035.fdocuments.in/reader035/viewer/2022062322/56814eef550346895dbc8019/html5/thumbnails/19.jpg)
Q&AThanks!