Web Security Threats
Transcript of Web Security Threats
-
8/13/2019 Web Security Threats
1/83
Web Application Security Threats and Counter Measures
Sang Shin
[email protected]
www.javapassion.com
Java Technology Evangelist
Sun Microsystems, Inc.
-
Today's Presentation is available from http://www.javapassion.com
Demo is available from http://www.javapassion.com/handsonlabs/4010webappsecurity.zip
-
Agenda
How real is the Web application threat?
10 most common Web application threats and counter measures
Security principles
Tools
-
95% of Web Apps Have Vulnerabilities
Cross-site scripting (80 percent)
SQL injection (62 percent)
Parameter tampering (60 percent)
Cookie poisoning (37 percent)
Database server (33 percent)
Web server (23 percent)
Buffer overflow (19 percent)
-
OWASP Top 10 Web Security Threats
1. Unvalidated input
2. Broken access control
3. Broken authentication
4. Cross-site scripting (XSS)
5. Buffer overflows
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Application denial-of-service
10. Insecure configuration management
Source: www.owasp.org
-
#1: Unvalidated Input: Mother of All Web-tier Security Threats
-
#1: Unvalidated Input (Description)
Attacker can easily tamper any part of the HTTP request before submitting
> URL
> Cookies
> Headers
Common names for common input tampering attacks
> forced browsing, command insertion, cross site scripting, buffer overflows, format string attacks, SQL injection, cookie poisoning, and hidden field manipulation
-
#1: Unvalidated Input (Solutions)
Do rigorous input data validation
> All parameters should be validated before use
Do server-side validation
> Client side validation could be bypassed by the attacker easily
> Client side validation is to be used mainly for quick user responsiveness
Do canonicalization of input data
> The process of simplifying the encoding
-
#1: Unvalidated Input (Solutions)
Use centralized code for input validation
> Scattered code is hard to maintain
Each parameter should be checked against a strict format that specifies exactly what input will be allowed
> This is called "positive" input validation
> "Negative" approaches that involve filtering out certain bad input or approaches that rely on signatures are not likely to be effective and may be difficult to maintain
-
#1: Unvalidated Input (Solutions)
Validation Criteria
> Data type (string, integer, real, etc.)
> Allowed character set
> Minimum and maximum length
> Whether null is allowed
> Whether the parameter is required or not
> Whether duplicates are allowed
> Numeric range
> Specific legal values (enumeration)
> Specific patterns (regular expressions)
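As an added example (not code from the deck), the following class is the "centralized code for input validation" the previous slides ask for: each request parameter is checked against a positive specification built from the criteria above. The parameter names, rules and test values are constructed for the demo.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// One place to declare what every parameter may look like, and one method
// that every servlet calls before it uses a parameter.
public class ParamValidator {

    public static final class Rule {
        final boolean required;
        final int minLen, maxLen;
        final Pattern allowed;        // allowed character set / exact pattern
        final Long min, max;          // numeric range, null when not numeric
        final List<String> enumVals;  // specific legal values, null when unrestricted

        Rule(boolean required, int minLen, int maxLen, String allowedRegex,
             Long min, Long max, List<String> enumVals) {
            this.required = required; this.minLen = minLen; this.maxLen = maxLen;
            this.allowed = Pattern.compile(allowedRegex);
            this.min = min; this.max = max; this.enumVals = enumVals;
        }
    }

    private final Map<String, Rule> rules = new HashMap<>();

    public void define(String name, Rule rule) { rules.put(name, rule); }

    // Returns null when the value is acceptable, otherwise the reason it was rejected.
    public String check(String name, String value) {
        Rule r = rules.get(name);
        if (r == null) return "unknown parameter";   // unexpected parameters are rejected, not ignored
        if (value == null || value.isEmpty()) return r.required ? "missing" : null;
        if (value.length() < r.minLen || value.length() > r.maxLen) return "bad length";
        if (!r.allowed.matcher(value).matches()) return "illegal characters";
        if (r.min != null) {
            long n;
            try { n = Long.parseLong(value); } catch (NumberFormatException e) { return "not a number"; }
            if (n < r.min || n > r.max) return "out of range";
        }
        if (r.enumVals != null && !r.enumVals.contains(value)) return "not a legal value";
        return null;
    }

    // Constructed rules for an order form (not the deck's application)
    public static ParamValidator orderFormRules() {
        ParamValidator v = new ParamValidator();
        // customerId: required, 1-12 characters from the whitelist a-z, A-Z, 0-9
        v.define("customerId", new Rule(true, 1, 12, "[A-Za-z0-9]+", null, null, null));
        // quantity: required integer in the range 1..100
        v.define("quantity", new Rule(true, 1, 3, "[0-9]+", 1L, 100L, null));
        // shipping: optional, one of a fixed enumeration
        v.define("shipping", new Rule(false, 0, 10, "[a-z]+", null, null, Arrays.asList("ground", "air")));
        return v;
    }

    public static void main(String[] args) {
        ParamValidator v = orderFormRules();
        System.out.println(v.check("customerId", "C0123"));      // null: accepted
        System.out.println(v.check("customerId", "C01;23"));     // illegal characters
        System.out.println(v.check("quantity", "999"));          // out of range
        System.out.println(v.check("shipping", "overnight"));    // not a legal value
        System.out.println(v.check("price", "1"));               // unknown parameter
    }
}
```

Note that the last check is the one the "price" example on the next slides turns on: a parameter the form was never meant to send is refused outright rather than silently read.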
-
What's Wrong With This Picture?
-
#1: Unvalidated Input (Example)
    public void doPost(HttpServletRequest req, HttpServletResponse res) {
        String customerId = req.getParameter("customerId");
        String sku = req.getParameter("sku");
        String stringPrice = req.getParameter("price");
        Integer price = Integer.valueOf(stringPrice);
        // Store in the database without input validation
        // What happens if a hacker provides his own
        // price as a value of "price" form field?
        orderManager.submitOrder(sku, customerId, price);
    } // end doPost
-
#1: Unvalidated Input (Corrected)
    public void doPost(HttpServletRequest req, HttpServletResponse res) {
        // Get customer data
        String customerId = req.getParameter("customerId");
        String sku = req.getParameter("sku");
        // Get price from database
        Integer price = skuManager.getPrice(sku);
        // Store in the database
        orderManager.submitOrder(sku, customerId, price);
    } // end doPost
-
#1: Unvalidated Input (Tools)
OWASP's WebScarab
> By submitting unexpected values in HTTP requests and viewing the web application's responses, you can identify places where tainted parameters are used
Stinger HTTP request validation engine (stinger.sourceforge.net)
> Developed by OWASP for J2EE environments
-
#2: Broken Access Control
-
#2: Broken Access Control (Examples)
Insecure IDs
-
(SSO)
    public void doGet(HttpServletRequest req, HttpServletResponse response) {
        // Get user name
        String userId = req.getRemoteUser();
        // Generate cookie with no encryption
        Cookie ssoCookie = new Cookie("userid", userId);
        ssoCookie.setPath("/");
        ssoCookie.setDomain("cisco.com");
        response.addCookie(ssoCookie);
    }
-
(SSO)
    public void doGet(HttpServletRequest req, HttpServletResponse response) {
        // Get user name
        Cookie[] cookies = req.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            Cookie cookie = cookies[i];
            if (cookie.getName().equals("ssoCookie")) {
                String userId = cookie.getValue();
                HttpSession session = req.getSession();
                session.setAttribute("userId", userId);
            } // end if
        } // end for
    } // end doGet
-
(SSO)
    public void doGet(HttpServletRequest req, HttpServletResponse response) {
        // Get user name
        String userId = req.getRemoteUser();
        // Encrypt the user ID before passing it
        // to the client as part of a cookie.
        String encryptedUserId = Encrypter.encrypt(userId);
        Cookie ssoCookie = new Cookie("userid", encryptedUserId);
        ssoCookie.setPath("/");
        ssoCookie.setDomain("cisco.com");
        response.addCookie(ssoCookie);
    }
-
(SSO)
    public void doGet(HttpServletRequest req, HttpServletResponse response) {
        // Get user name
        Cookie[] cookies = req.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            Cookie cookie = cookies[i];
            if (cookie.getName().equals("ssoCookie")) {
                String encryptedUserId = cookie.getValue();
                String userId = Encrypter.decrypt(encryptedUserId);
                if (isValid(userId)) {
                    HttpSession session = req.getSession();
                    session.setAttribute("userId", userId);
                } // end if isValid
            } // end if cookie == ssoCookie
        } // end for
    } // end doGet
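The Encrypter used on the SSO slides is never shown. The class below is an added example (not the deck's code) that fills that role with AES-GCM, so that a cookie value that has been edited by the client is rejected on decryption rather than decrypted into something else; it also supplies the isValid() check the last slide relies on. The 16-byte key is a constructed demo value; a real deployment would load a key shared by all SSO participants from a key store.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Stand-in for the deck's Encrypter: authenticated encryption of the SSO user ID.
public class SsoCookieCodec {
    private static final byte[] DEMO_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // constructed
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();

    public SsoCookieCodec(byte[] rawKey) { this.key = new SecretKeySpec(rawKey, "AES"); }

    // userId -> base64url(iv || ciphertext || tag); this string is the cookie value
    public String encrypt(String userId) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);                                   // fresh IV per cookie
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(userId.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Returns the user ID, or null when the cookie is malformed or its tag does not verify.
    public String decrypt(String cookieValue) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookieValue);
            if (in.length < IV_BYTES + TAG_BITS / 8) return null;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null;   // bad base64, wrong key, or modified ciphertext/tag
        }
    }

    // The isValid() check from the slide: accept only IDs shaped like real user names.
    public static boolean isValid(String userId) {
        return userId != null && userId.matches("[a-z][a-z0-9]{1,15}");
    }

    public static void main(String[] args) throws Exception {
        SsoCookieCodec codec = new SsoCookieCodec(DEMO_KEY);
        String cookie = codec.encrypt("jsmith");
        System.out.println("cookie value : " + cookie);
        System.out.println("decrypted    : " + codec.decrypt(cookie));          // jsmith
        // Alter one character of the value, as a cookie-poisoning client would;
        // the GCM tag no longer verifies, so decrypt() yields null.
        char[] cs = cookie.toCharArray();
        cs[5] = (cs[5] == 'A') ? 'B' : 'A';
        String fromAltered = codec.decrypt(new String(cs));
        System.out.println("altered valid: " + isValid(fromAltered));          // false
    }
}
```

The cookie attributes from the slide (path "/", domain) are unchanged by this; only the value changes. Encryption without an authentication tag would hide the ID but not stop the client from submitting a modified ciphertext, which is why the example uses GCM rather than a bare block cipher mode.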
-
#4 Cross Site Scripting (XSS)
-
#4: Cross Site Scripting (Description)
An attacker can use cross site scripting technique to implement malicious script (into a server), which is then sent to unsuspecting users accessing the same server
> Example: Chat server
The attacked user's (victim's) browser has no way to know that the script should not be trusted, and will execute the script
> Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site
> These scripts can even rewrite the content of the HTML page
-
#4: Cross Site Scripting (Description)
XSS attacks usually come in the form of embedded JavaScript
> However, any embedded active content is a potential source of danger, including: ActiveX (OLE), VBScript, Shockwave, ...
-
#4: Consequences of Cross Site Scripting (Examples)
Disclosure of the user's session cookie (session hi-jacking)
Disclosure of end user files
Installation of Trojan horse programs
Redirecting the user to some other page or site
Modifying presentation of content
-
#4: Cross Site Scripting (How to find them)
Search for all places where input from an HTTP request could possibly make its way into the HTML output
-
#4: Cross Site Scripting (Counter measures)
Validate all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries
It is particularly important for content that will be permanently stored somewhere
Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user's message is retrieved
-
#4: Cross Site Scripting (Counter measures)
Validate input against a rigorous positive specification of what is expected
> Validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed
> Negative or attack signature based policies are difficult to maintain and are likely to be incomplete
> White-listing: a-z, A-Z, 0-9, etc.
> Truncate input fields to reasonable length
-
#4: Cross Site Scripting (Counter measures)
Encode user supplied output
> Preventing inserted scripts from being transmitted to users in an executable form
Applications can gain significant protection from javascript based attacks by converting the following characters in all generated output to the appropriate HTML entity encoding:
> from "<" to "&lt;"
> from ">" to "&gt;"
> from "(" to "&#40;"
> from ")" to "&#41;"
> from "#" to "&#35;"
> from "&" to "&#38;"
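The output-encoding step above, as an added example that is not code from the deck, placed next to the character-stripping regex the "Solution" slide uses so the two can be compared on the same chat message. Beyond the six substitutions the slide lists, the encoder also handles the two quote characters, which matters when user text lands inside an HTML attribute; the message itself is a constructed sample.

```java
// Two ways of keeping a stored chat message from executing in the reader's browser.
public class OutputEncoding {

    // The slide's entity substitutions, plus '"' and '\'' (added here for attribute context).
    public static String encode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '<':  out.append("&lt;");  break;
                case '>':  out.append("&gt;");  break;
                case '(':  out.append("&#40;"); break;
                case ')':  out.append("&#41;"); break;
                case '#':  out.append("&#35;"); break;
                case '&':  out.append("&#38;"); break;
                case '"':  out.append("&#34;"); break;
                case '\'': out.append("&#39;"); break;
                default:   out.append(ch);
            }
        }
        return out.toString();
    }

    // The deck's stripping approach: anything outside a-z, A-Z, 0-9 is removed.
    public static String strip(String s) {
        return s == null ? "" : s.replaceAll("[^a-zA-Z0-9]", "");
    }

    public static void main(String[] args) {
        // Constructed message: ordinary chat text that happens to contain markup characters
        String chat = "Meet at 5 (room #2) <b>today</b> & bring Q1's notes";
        System.out.println("encoded : " + encode(chat));
        System.out.println("stripped: " + strip(chat));
    }
}
```

Running it shows the trade-off: the encoded message still reads as the user wrote it (the browser renders "&lt;b&gt;" as literal text instead of a tag), while stripping collapses it to "Meetat5room2btodaybbringQ1snotes", losing spaces and punctuation. Stripping is a form of input validation and is best reserved for fields whose legal alphabet really is that narrow; for free text, encode on output.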
-
#4: Cross Site Scripting (Flawed)
    protected void doPost(HttpServletRequest req, HttpServletResponse res) {
        String title = req.getParameter("title");
        String message = req.getParameter("message");
        // (the middle of this slide's code is missing from the transcript;
        //  the parameters are written to the database as received)
        try {
            statement.setString(1, title);
            statement.setString(2, message);
            statement.executeUpdate();
        } catch (Exception e) {
        } // end catch
    } // end doPost
-
#4: Cross Site Scripting (Solution)
    private static String stripEvilChars(String evilInput) {
        Pattern evilChars = Pattern.compile("[^a-zA-Z0-9]");
        return evilChars.matcher(evilInput).replaceAll("");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse res) {
        // Do vigorous input validation
        String title = stripEvilChars(req.getParameter("title"));
        // (the rest of this slide's code is missing from the transcript)
-
Cross Site Scripting Demo
-
Demo Scenario (Stored XSS)
The server is a chat server
The chat server displays whatever message is typed in by a particular user to all other users
An attacker (user A) implements JavaScript as part of a message (message A)
The chat server saves the message (into the database or whatever storage) without input validation
When an unsuspecting user (user B) reads message A, the JavaScript will be executed
-
Demo Scenario (Reflected XSS)
Whatever is typed in by a user is reflected back to a browser
A mal-intended JavaScript will be reflected back to a browser
-
#5 Buffer Overflow
-
#5: Buffer Overflow Errors (Description)
Attackers use buffer overflows to corrupt the execution stack of a web application
> By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code
Buffer overflow flaws can be present in both the web server or application server products or the web application itself
Not generally an issue with Java apps
> Java type checking
-
#6 Injection Flaws
-
#6: Injection Flaws (Description)
Injection flaws allow attackers to relay malicious code through a web application to another system
> Calls to the operating system via system calls
> The use of external programs via shell commands
> Calls to backend databases via SQL (i.e., SQL injection)
Any time a web application uses an interpreter of any type, there is a danger of an injection attack
-
#6: Injection Flaws (Description)
Many web applications use operating system features and external programs to perform their functions
> Runtime.exec() to external programs (like sendmail)
When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information
-
#6: Injection Flaws (Example)
SQL injection is a particularly widespread and dangerous form of injection
> To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database
> By carefully embedding malicious SQL commands into the content of the parameter, the attacker can trick the web application into forwarding a malicious query to the database
-
#6: Injection Flaws (Examples)
Path traversal
> "../" characters as part of a filename request
Additional commands could be tacked on to the end of a parameter that is passed to a shell script to execute an additional shell command
> "rm -r *"
SQL queries could be modified by adding additional constraints to a where clause
> "OR 1=1"
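The path traversal example above and the "canonicalization of input data" item from the #1 solutions slide meet in the following added example (not code from the deck): a file name taken from a request is decoded, checked against a positive pattern, and then resolved to its canonical path, which must still lie under the directory the application serves from. The base directory and the requested names are constructed for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Resolves a user-supplied file name safely, or refuses it.
public class SafeFileResolver {
    private final File base;

    public SafeFileResolver(File baseDir) throws IOException {
        this.base = baseDir.getCanonicalFile();   // canonicalize the base too (symlinks, "..")
    }

    // Returns the canonical file if it lies inside the base directory, else null.
    public File resolve(String requested) throws IOException {
        // Step 1: canonicalize the encoding; a ".." can arrive as "%2e%2e".
        // Decoding exactly once means a double-encoded "%252e" stays as "%2e"
        // and is refused by the pattern in step 2.
        String decoded = URLDecoder.decode(requested, StandardCharsets.UTF_8.name());
        // Step 2: positive validation of the name itself
        if (!decoded.matches("[A-Za-z0-9_./-]{1,100}")) return null;
        // Step 3: canonicalize the path and check it is still under base
        File f = new File(base, decoded).getCanonicalFile();
        String prefix = base.getPath() + File.separator;
        return f.getPath().startsWith(prefix) ? f : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory under the temp dir
        File reports = new File(System.getProperty("java.io.tmpdir"), "reports");
        reports.mkdirs();
        SafeFileResolver r = new SafeFileResolver(reports);
        System.out.println(r.resolve("q1/summary.txt"));     // canonical path under reports/
        System.out.println(r.resolve("../../outside.txt"));  // null: escapes the base directory
        System.out.println(r.resolve("%2e%2e/outside.txt")); // null: decodes to "..", then escapes
        System.out.println(r.resolve("summary%3b.txt"));     // null: ";" is outside the whitelist
    }
}
```

The order matters: decoding before validating is what makes the pattern check meaningful, and comparing canonical paths rather than the raw string is what catches "..", repeated separators and symlinks that a string match on "../" would miss.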
-
#6: Injection Flaws (How to find them)
Search the source code for all calls to external resources
> e.g., system, exec, fork, Runtime.exec, SQL queries, or whatever the syntax is for making requests to interpreters in your environment
-
#6: Injection Flaws (Counter measures)
Avoid accessing external interpreters wherever possible
> Use library APIs instead
Structure many requests in a manner that ensures that all supplied parameters are treated as data, rather than potentially executable content
-
#6: SQL Injection (Counter measures)
When making calls to backend databases, carefully validate the data provided to ensure that it does not contain any malicious content
Use PreparedStatement or Stored procedures
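The credit-card lookup from the SQL injection demo written both ways, as an added example (not code from the deck): the first method builds the query text the way the demo server does, the second binds the userid through a PreparedStatement so it is treated as data. The table and column names are constructed, and the Connection is assumed to come from the container's DataSource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class CardLookup {

    // How the demo server builds its query: the userid becomes part of the SQL text,
    // so an "OR 1=1" inside it changes the WHERE clause instead of being compared to it.
    public static String buildQueryByConcatenation(String userId) {
        return "SELECT card_number FROM accounts WHERE userid = '" + userId + "'";
    }

    // Countermeasure: the query text is fixed at compile time, and the value is bound
    // as a parameter; whatever the user typed is compared literally against the column.
    public static String lookupCard(Connection conn, String userId) throws SQLException {
        String sql = "SELECT card_number FROM accounts WHERE userid = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("card_number") : null;
            }
        }
    }

    public static void main(String[] args) {
        // The normal case and the demo's input, shown as the SQL the concatenating
        // server would send; the prepared form sends the same fixed text for both.
        System.out.println(buildQueryByConcatenation("jsmith"));
        System.out.println(buildQueryByConcatenation("' OR 1=1 OR userid = '"));
    }
}
```

Validation of the userid (the previous slide's first point) still belongs in front of lookupCard(); the PreparedStatement is what guarantees that a value which slips past validation cannot alter the query's structure.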
-
SQL Injection Demo
-
Demo Scenario
A user accesses the database through a web server to view his credit card number by giving a userid
The web server builds an SQL query to the database server using the user-entered userid without performing any input validation
An attacker sends ".. OR 1=1" as part of the userid
The database server displays all users
-
#7: Improper Error Handling
-
#7: Improper Error Handling (Description)
The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker
> These messages reveal implementation details that should never be revealed
Other errors can cause the system to crash or consume significant resources, effectively denying or reducing service to legitimate users
Left-over during debugging process
Inconsistent errors may reveal internal info.
-
#7: Improper Error Handling (Counter measures)
The errors must be handled according to a well thought out scheme that will
> provide a meaningful error message to the user
> provide diagnostic information to the site maintainers
> provide no useful information to an attacker
All security mechanisms should deny access until specifically granted, not grant access until denied
-
#7: Improper Error Handling (Counter measures)
Good error handling mechanisms should be able to handle any feasible set of inputs, while enforcing proper security
Error handling should not focus solely on input provided by the user, but should also include any errors that can be generated by internal components such as system calls, database queries, or any other internal functions
-
#7: Improper Error Handling (Counter measures)
A specific policy for how to handle errors should be documented, including
> The types of errors to be handled
> An architect should play a role of coming up and enforcing a company-wide policy
-
#7: Improper Error Handling (Counter measures)
In the implementation, ensure that the site is built to gracefully handle all possible errors.
> When errors occur, the site should respond with a specifically designed result that is helpful to the user without revealing unnecessary internal details.
> Certain classes of errors should be logged to help detect implementation flaws in the site and/or hacking attempts.
-
#7: Improper Error Handling (Counter measures)
Very few sites have any intrusion detection capabilities in their web application, but it is certainly conceivable that a web application could track repeated failed attempts and generate alerts
> Note that the vast majority of web application attacks are never detected because so few sites have the capability to detect them. Therefore, the prevalence of web application security attacks is likely to be seriously underestimated
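The error-handling scheme the last few slides describe, as an added example that is not code from the deck: the user gets a fixed message and a reference number, the maintainers get the exception and stack trace in the server log under that reference, and repeated failures from one client raise an alert, which is the tracking of failed attempts this slide suggests. The class, the client identifier and the exception text are constructed for the demo.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SafeErrorHandler {
    private static final Logger LOG = Logger.getLogger("app.errors");
    private static final int ALERT_THRESHOLD = 5;   // failures per client before alerting
    private final Map<String, AtomicInteger> failuresByClient = new ConcurrentHashMap<>();

    // What the user is allowed to see
    public static final class UserFacingError {
        public final String message, reference;
        UserFacingError(String message, String reference) { this.message = message; this.reference = reference; }
    }

    // clientId identifies the caller (remote address or session id); ex is the failure
    // raised by a servlet, a database call, or any other internal component.
    public UserFacingError handle(String clientId, Exception ex) {
        String ref = UUID.randomUUID().toString();
        // Diagnostic detail goes only to the server-side log, keyed by the reference
        LOG.log(Level.SEVERE, "ref=" + ref + " client=" + clientId, ex);
        int n = failuresByClient.computeIfAbsent(clientId, k -> new AtomicInteger()).incrementAndGet();
        if (n >= ALERT_THRESHOLD) {
            LOG.warning("ALERT: " + n + " failed requests from client " + clientId);
        }
        // The user sees a fixed message plus the reference, never the exception text
        return new UserFacingError("The request could not be completed. Reference: " + ref, ref);
    }

    public int failureCount(String clientId) {
        AtomicInteger n = failuresByClient.get(clientId);
        return n == null ? 0 : n.get();
    }

    public static void main(String[] args) {
        SafeErrorHandler h = new SafeErrorHandler();
        // Constructed: six failing requests from the same client address
        for (int i = 0; i < 6; i++) {
            Exception dbFailure = new RuntimeException("syntax error near 'FROM' in SELECT card_number ...");
            UserFacingError e = h.handle("10.0.0.7", dbFailure);
            System.out.println("to user: " + e.message);
        }
        System.out.println("failures recorded for 10.0.0.7: " + h.failureCount("10.0.0.7"));
    }
}
```

The reference number is what lets a support engineer find the full stack trace in the log from the user's report, which is how the "meaningful to the user, diagnostic to the maintainers, useless to an attacker" triple is satisfied at the same time.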
-
What's Wrong With This Picture?
-
#7: Improper Error Handling (Flaw)
    protected void doPost(HttpServletRequest req, HttpServletResponse res) {
        String query = "SE
(the rest of this slide's code is missing from the transcript)
-
#7: Improper Error Handling (Solution)
    protected void doPost(HttpServletRequest req, HttpServletResponse res) {
        String query = "SE
(the rest of this slide's code is missing from the transcript)
-
#9 Application Denial Of Service (DOS)
-
#9: Application DOS (Description)
Types of resources
> Bandwidth, database connections, disk storage, CPU, memory, threads, or application specific resources
Application level resources
> Heavy object allocation/reclamation
> Overuse of logging
> Unhandled exceptions
> Unresolved dependencies on other systems
> Web services
> Databases
-
#9: Application DOS (How to determine your vulnerability)
Load testing tools, such as JMeter can generate web traffic so that you can test certain aspects of how your site performs under heavy load
> Certainly one important test is how many requests per second your application can field
> Testing from a single IP address is useful as it will give you an idea of how many requests an attacker will have to generate in order to damage your site
To determine if any resources can be used to create a denial of service, you should analyze each one to see if there is a way to exhaust it
-
#9: Application DOS (Counter measures)
Limit the resources allocated to any user to a bare minimum
Consider only handling one request per user at a time by synchronizing on the user's session
> Consider dropping any requests that you are currently processing for a user when another request from that user arrives
-
#9: Application DOS (Counter measures)
-
Other Web Application Security Threats
-
Other Web Application Security Threats
Unnecessary and Malicious Code
Broken Thread Safety and Concurrent Programming
Unauthorized Information Gathering
Accountability Problems and Weak Logging
Data Corruption
Broken Caching, Pooling, and Reuse
-
Broken Thread Safety Demo
-
Demo Scenario
A servlet uses a static variable called currentUser to set the username and then displays the value of it
A servlet can be accessed by multiple clients
The servlet is not written to be multi-thread safe
The shared variable can be in a race condition
> Browser A sets the username to jeff
> Browser B sets the username to dave
> If these two browsers access the servlet at almost the same time, both browsers may display the same one of the two names
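The race from the demo scenario reproduced with plain threads standing in for two concurrent servlet requests, as an added example that is not the deck's demo servlet. The unsafe handler keeps the name in a static field as the demo does; the safe one keeps it in a local variable, which every request thread gets its own copy of.

```java
import java.util.concurrent.CountDownLatch;

public class SharedStateRace {
    // The demo servlet's mistake: one field shared by every request thread
    private static String currentUser;

    // Unsafe: set the shared field, then read it back after "processing"
    static String unsafeHandle(String name) throws InterruptedException {
        currentUser = name;
        Thread.sleep(20);              // other requests run during this window
        return currentUser;
    }

    // Safe: the per-request value lives only on this thread's stack
    static String safeHandle(String name) throws InterruptedException {
        String user = name;
        Thread.sleep(20);
        return user;
    }

    // Runs "browser A" and "browser B" at the same time; true if either saw the other's name
    static boolean leaks(boolean useUnsafe) throws InterruptedException {
        String[] seen = new String[2];
        CountDownLatch go = new CountDownLatch(1);
        Thread a = worker("jeff", 0, seen, go, useUnsafe);
        Thread b = worker("dave", 1, seen, go, useUnsafe);
        a.start(); b.start();
        go.countDown();                 // release both at once
        a.join(); b.join();
        return !"jeff".equals(seen[0]) || !"dave".equals(seen[1]);
    }

    private static Thread worker(String name, int slot, String[] seen, CountDownLatch go, boolean unsafe) {
        return new Thread(() -> {
            try {
                go.await();
                seen[slot] = unsafe ? unsafeHandle(name) : safeHandle(name);
            } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        });
    }

    public static void main(String[] args) throws InterruptedException {
        int unsafeLeaks = 0, safeLeaks = 0;
        for (int i = 0; i < 50; i++) {
            if (leaks(true))  unsafeLeaks++;
            if (leaks(false)) safeLeaks++;
        }
        System.out.println("runs in which a browser saw the other user's name:");
        System.out.println("  static field  : " + unsafeLeaks + "/50");   // most runs
        System.out.println("  local variable: " + safeLeaks + "/50");     // 0
    }
}
```

The same rule covers servlet instance fields, since the container uses one servlet instance for all requests: anything that belongs to one request goes in locals, request attributes or the session, never in the servlet object.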
-
Principles of Secure Programming
-
Principles of Secure Programming
1. Minimize attack surface area
2. Secure defaults
3. Principle of least privilege
4. Principle of defense in depth
5. External systems are insecure
6. Separation of duties
7. Do not trust security through obscurity
8. Simplicity
9. Fix security issues correctly
-
Minimize Attack Surface Area
The aim for secure development is to reduce the overall risk by reducing the attack surface area
Every feature that is added to an application adds a certain amount of risk to the overall application
> The value of adding a feature needs to be assessed from a security risk standpoint
-
Secure Defaults
There are many ways to deliver an out of the box experience for users. However, by default, the experience should be secure, and it should be up to the user to reduce their security if they are allowed
Example:
> By default, password aging and complexity should be enabled
> Users might be allowed to turn off these two features to simplify their use of the application
-
Principle of Least Privilege
Accounts have the least amount of privilege required to perform their business processes.
> This encompasses user rights, resource permissions such as CPU limits, memory, network, and file system permissions
Example
> If a middleware server only requires access to the network, read access to a database table, and the ability to write to a log, this describes all the permissions that should be granted
-
Principle of Defense In Depth
Controls, when used in depth, can make severe vulnerabilities extraordinarily difficult to exploit and thus unlikely to occur.
> With secure coding, this may take the form of tier-based validation, centralized auditing controls, and requiring users to be logged on all pages
-
Fail Safely
Applications regularly fail to process transactions for many reasons. How they fail can determine if an application is secure or not
Example: In the code below, if codeWhichMayFail() fails, the attacker gets an admin privilege
    isAdmin = true;
    try {
        codeWhichMayFail();
        isAdmin = isUserInRole("Administrator");
    } catch (Exception ex) {
        log.write(ex.toString());
    }
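The slide's snippet next to its fail-safe form, as an added example that is not code from the deck, driven by a codeWhichMayFail() that is made to throw. The names are the slide's; the role check and the log are stand-ins that return false and print.

```java
public class FailSafely {
    static boolean isUserInRole(String role) { return false; }   // an ordinary, non-admin user
    static void codeWhichMayFail() { throw new IllegalStateException("directory service unavailable"); }
    static void log(String s) { System.out.println("log: " + s); }

    // As on the slide: isAdmin starts out true, so when the check never runs it stays true
    static boolean flawed() {
        boolean isAdmin = true;
        try {
            codeWhichMayFail();
            isAdmin = isUserInRole("Administrator");
        } catch (Exception ex) {
            log(ex.toString());
        }
        return isAdmin;
    }

    // Fail safe: start from the least privilege and raise it only when the check succeeds
    static boolean fixed() {
        boolean isAdmin = false;
        try {
            codeWhichMayFail();
            isAdmin = isUserInRole("Administrator");
        } catch (Exception ex) {
            log(ex.toString());
            // isAdmin is still false: the failure is logged, not rewarded
        }
        return isAdmin;
    }

    public static void main(String[] args) {
        System.out.println("flawed: isAdmin = " + flawed());   // true
        System.out.println("fixed : isAdmin = " + fixed());    // false
    }
}
```

This is the same rule the error-handling slides state for security mechanisms in general: deny until specifically granted, so that an exception on the granting path leaves the user with nothing extra.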
-
External Systems Are Insecure
Implicit trust of externally run systems is not warranted
> All external systems should be treated in a similar fashion
Example:
> A loyalty program provider provides data that is used by Internet Banking, providing the number of reward points and a small list of potential redemption items
> However, the data should be checked to ensure that it is safe to display to end users, and that the reward points are a positive number, and not improbably large
-
Separation of Duties
A key fraud control is separation of duties
Certain roles have different levels of trust than normal users
> In particular, Administrators are different to normal users. In general, administrators should not be users of the application
Example
> An administrator should be able to turn the system on or off, set password policy but shouldn't be able to log on to the storefront as a super privileged user, such as being able to buy goods on behalf of other users.
-
Do Not Trust Security Through Obscurity
Security through obscurity is a weak security control, and nearly always fails when it is the only control
> This is not to say that keeping secrets is a bad idea, it simply means that the security of key systems should not be reliant upon keeping details hidden
Example
> The security of an application should not rely only upon knowledge of the source code being kept secret
> The security of an application should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls
-
Simplicity
Attack surface area and simplicity go hand in hand. Certain software engineering fads prefer overly complex approaches to what would otherwise be relatively straightforward and simple code.
Example
> Although it might be fashionable to have a slew of singleton entity beans running on a separate middleware server, it is more secure and faster to simply use global variables with an appropriate mutex mechanism to protect against race conditions.
-
Fix Security Issues Correctly
Once a security issue has been identified, it is important to develop a test for it, and to understand the root cause of the issue
Example
> A user has found that they can see another user's balance by adjusting their cookie. The fix seems to be relatively straightforward, but as the cookie handling code is shared amongst all applications, a change to just one application will trickle through to all other applications. The fix must therefore be tested on all affected applications.
-
Tools
-
Tools
WebScarab - a web application vulnerability assessment suite including proxy tools
Validation Filters (Stinger for J2EE, filters for PHP) - generic security boundary filters that developers can use in their own applications
CodeSpy - look for security issues using reflection in J2EE apps
-
Tools
CodeSeeker - a commercial quality application level firewall and Intrusion Detection System that runs on Windows and Linux and supports IIS, Apache and iPlanet web servers
WebGoat - an interactive training and benchmarking tool with which users can learn about web application security in a safe and legal environment
WebSphinx - web crawler looking for security issues in web applications
WASP Portal - our own Java based portal code designed with security as a prime concern
-
Web Application Security Threats and Counter Measures
Sang Shin
[email protected]
www.javapassion.com
Java Technology Evangelist