Attacking JavaEE Application Servers
Martin Toshev
Bulgarian Java Users Group (BG JUG): 
https://groups.google.com/forum/#!forum/bg-jug 
http://java-bg.org/
Agenda 
• Attack vectors 
• Strategies and tools 
• Secure coding and deployment
Attack Vectors
(diagram: an OS hosting a Java EE Application Server, with war/ear archives deployed in it)
Attack Vectors
• An attack could originate:
o externally
o from the application server itself
o from an application
Attack Vectors
• An external attack can:
o directly exploit remote services exposed by the Java EE application server
o exploit another remotely accessible process running in the OS
o exploit the input of applications deployed in the Java EE server (input validation attacks, SQL injection, XSS …)
Attack Vectors
• An attack can:
o originate from a malicious application running in the same OS
  (administrators do not always install from trusted sources or check against MD5 checksums …)
Attack Vectors
• An attack originating from the application server can:
o be crafted by modifying the codebase and rebuilding the application server
o be achieved more easily by targeting open-source application servers such as GlassFish and WildFly
… Administrators do not always install Java EE application servers from trusted sources or check against MD5 checksums … which makes this type of attack a realistic scenario
Attack Vectors
• An attack originating from an application can be performed due to:
o misconfigured security during deployment
o intentional malicious code inside the application
Attack Vectors
(scenario 1: misconfigured security in the app)
… leads to opening holes in the Java EE security model
(diagram: an application server hosting a war and an ear, each deployed with missing security configuration)
Attack Vectors
Java EE Security Model in a nutshell:
(diagram: the application server holds users, groups and realms such as a JDBC realm or a file realm; each deployed war/ear declares roles and role mappings)
Attack Vectors
Java EE Security Model in a nutshell:
1. the initial request is made
2. the server authenticates the client using an authentication mechanism
3. URL authorization is done based on information from deployment descriptors or from annotations in source code
4. if an EJB method is invoked, the EJB container checks the appropriate permissions based on the user's roles (the web container passes information about the user and their roles to the EJB container)
Attack Vectors
Example:
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
...
@DeclareRoles({"MANAGER", "EMPLOYEE", "ADMIN"})
@Stateless
public class PaymentServiceImpl implements PaymentService {
    // Jim: temporarily commented for testing purposes
    // TODO: uncomment before deployment on PROD
    // @RolesAllowed("MANAGER")
    public void increaseSalary(User employee, int amount) {
        …
    }
}
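Hardened counterpart of the example above, added here and not part of the deck: a class-level @DenyAll makes the bean fail closed, so a method that loses its @RolesAllowed (as in the "temporarily commented" line) is refused for every caller instead of opened to every authenticated one, and a programmatic isCallerInRole check adds a second layer on the sensitive method. PaymentService, User and the salary bookkeeping are assumed stubs.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Assumed business interface (not on the slide).
interface PaymentService {
    void increaseSalary(User employee, int amount);
    int getSalary(User employee);
}

// Assumed entity stub (not on the slide).
class User {
    private int salary;
    int getSalary() { return salary; }
    void setSalary(int salary) { this.salary = salary; }
}

@DeclareRoles({"MANAGER", "EMPLOYEE", "ADMIN"})
// Class-level default: every business method is denied unless it carries its
// own @RolesAllowed. Commenting out a method annotation now produces an
// EJBAccessException for all callers rather than access for all callers.
@DenyAll
@Stateless
public class PaymentServiceImpl implements PaymentService {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("MANAGER")
    @Override
    public void increaseSalary(User employee, int amount) {
        // Second, programmatic layer: still enforced if the declarative
        // annotation above is removed and the class default is ever relaxed.
        if (!ctx.isCallerInRole("MANAGER")) {
            throw new EJBAccessException("increaseSalary requires role MANAGER");
        }
        if (amount <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
        employee.setSalary(employee.getSalary() + amount);
    }

    @RolesAllowed({"MANAGER", "EMPLOYEE"})
    @Override
    public int getSalary(User employee) {
        return employee.getSalary();
    }
}
```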
Attack Vectors
(scenario 2: malicious code in the app)
… can be made possible by misconfiguration of the Java SE security model of the application server
(diagram: an application server hosting a war and an ear, each containing malicious code)
Attack Vectors
Java SE Security Model in a nutshell:
(diagram: a deployed war/ear invokes a restricted operation; the application server performs permission checks against security.policy)
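The check the diagram sketches, as an added example that is not the deck's code: a small Policy standing in for security.policy grants code from the deployments directory one read permission, and the ProtectionDomain check that AccessController performs before a restricted operation decides for the war's domain and for code of unknown origin. Codebase paths and permissions are constructed (Unix-style), and it assumes JDK 8 to 17, where Policy and AccessControlContext still perform these checks.

```java
import java.io.FilePermission;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class PolicyCheckDemo {

    /** Minimal stand-in for a security.policy file: one permission set for one codebase prefix. */
    static final class CodebasePolicy extends Policy {
        private final String codebasePrefix;
        private final Permissions granted = new Permissions();

        CodebasePolicy(String codebasePrefix, Permission... perms) {
            this.codebasePrefix = codebasePrefix;
            for (Permission p : perms) {
                granted.add(p);
            }
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            CodeSource cs = domain.getCodeSource();
            if (cs == null || cs.getLocation() == null) {
                return false;                       // unknown origin: fail closed
            }
            return cs.getLocation().toString().startsWith(codebasePrefix)
                    && granted.implies(permission);
        }
    }

    /** Dynamic protection domain: its permissions are resolved through the installed Policy. */
    static ProtectionDomain domainFor(String codebase) throws MalformedURLException {
        CodeSource cs = new CodeSource(new URL(codebase), (Certificate[]) null);
        return new ProtectionDomain(cs, null, null, null);
    }

    /** The same domain check AccessController performs before a restricted operation runs. */
    static boolean isAllowed(ProtectionDomain caller, Permission requested) {
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { caller });
        try {
            ctx.checkPermission(requested);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed policy: deployed applications may only read their own data directory.
        Policy.setPolicy(new CodebasePolicy("file:/opt/appserver/deployments/",
                new FilePermission("/var/app/data/-", "read")));

        ProtectionDomain war = domainFor("file:/opt/appserver/deployments/payroll.war");
        ProtectionDomain unknown = domainFor("file:/tmp/dropped.jar");

        System.out.println(isAllowed(war, new FilePermission("/var/app/data/report.csv", "read")));
        System.out.println(isAllowed(war, new FilePermission("/etc/passwd", "read")));
        System.out.println(isAllowed(war, new PropertyPermission("user.home", "write")));
        System.out.println(isAllowed(unknown, new FilePermission("/var/app/data/report.csv", "read")));
    }
}
```

Only the first check passes: the war's codebase holds the read permission, while reading /etc/passwd, writing a system property and any request from the unknown codebase are refused.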
Strategies and Tools
(external)
Try to exploit services exposed by the OS or the application server (such as JMX)
Vulnerability databases such as SecurityFocus, OSVDB and NVD, as well as application server changelogs, are valuable sources of information
Strategies and Tools
Tools:
o network scanners - Nmap, SATAN, Nessus, GFI LANguard, Tripwire, SuperScan
o remote system administration - Back Orifice, ProRat
o vulnerability scanners - Metasploit, w3af, Nexpose
o MITM on the local network - Ettercap
Strategies and Tools
… This Security Alert addresses the security issue CVE-2008-3257, a vulnerability in the Apache Connector component (mod_weblogic) of the Oracle Weblogic Server (formerly BEA WebLogic Server). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password …
… Unfortunately, the person(s) who published this vulnerability and associated exploit codes didn't contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers …
Affected versions: 6.1, 7.0, 8.1, 9.0, 9.1, 9.2, 10.0
Strategies and Tools
… Earlier community editions of JBoss allow you to use default authentication to the JMX server running on the server (shutting down the server via JMX is made possible to attackers) - CVE-2013-4810 …
Affected versions: 4x, 5x
Strategies and Tools
(ear/war)
• craft malicious code that bypasses code reviews and code analysis tools (and possibly opens a "back-door" in the application server)
• make use of techniques for:
o initialization of classes based on loadable services or configuration files
o AOP weaving
o servlet filters
o annotation processors
Strategies and Tools 
Tools: 
… write your own …
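A review-time check for the hooks listed above, added here and not from the deck: it walks a war (and the jars under WEB-INF/lib) and reports every ServiceLoader provider file, annotation-processor registration and web.xml filter class, so each can be matched against what the build is expected to produce. The sample war, its entry names and class names are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class DeployableAudit {

    private static final String SERVICES = "META-INF/services/";
    private static final String PROCESSOR = "javax.annotation.processing.Processor";
    private static final Pattern FILTER_CLASS =
            Pattern.compile("<filter-class>\\s*([^<\\s]+)\\s*</filter-class>");

    /** Returns one finding per hook; prefix names the archive an entry came from. */
    static List<String> audit(byte[] archive, String prefix) throws IOException {
        List<String> findings = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry entry;
            while ((entry = zip.getNextEntry()) != null) {
                if (entry.isDirectory()) continue;
                String name = entry.getName();
                byte[] bytes = readAll(zip);
                if (name.startsWith(SERVICES)) {
                    // Every non-comment line is a class ServiceLoader will instantiate.
                    String service = name.substring(SERVICES.length());
                    String kind = PROCESSOR.equals(service) ? "annotation processor" : "loadable service";
                    for (String line : new String(bytes, StandardCharsets.UTF_8).split("\\R")) {
                        String provider = line.replaceAll("#.*", "").trim();
                        if (!provider.isEmpty()) {
                            findings.add(prefix + kind + " " + service + " -> " + provider);
                        }
                    }
                } else if (name.equals("WEB-INF/web.xml")) {
                    // Filters registered only via @WebFilter do not appear here; those need a
                    // bytecode scan of WEB-INF/classes, which this example does not do.
                    Matcher m = FILTER_CLASS.matcher(new String(bytes, StandardCharsets.UTF_8));
                    while (m.find()) {
                        findings.add(prefix + "servlet filter -> " + m.group(1));
                    }
                } else if (name.startsWith("WEB-INF/lib/") && name.endsWith(".jar")) {
                    findings.addAll(audit(bytes, prefix + name + ": "));   // bundled jar
                }
            }
        }
        return findings;
    }

    /** Constructs a small war carrying one of each hook so the audit has something to report. */
    static byte[] sampleWar() throws IOException {
        ByteArrayOutputStream lib = new ByteArrayOutputStream();
        try (ZipOutputStream jar = new ZipOutputStream(lib)) {
            put(jar, SERVICES + "java.sql.Driver",
                    "com.example.db.ProxyDriver\n".getBytes(StandardCharsets.UTF_8));
        }
        ByteArrayOutputStream war = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(war)) {
            put(zip, "WEB-INF/web.xml", ("<web-app>\n  <filter>\n    <filter-name>audit</filter-name>\n"
                    + "    <filter-class>com.example.web.AuditFilter</filter-class>\n"
                    + "  </filter>\n</web-app>\n").getBytes(StandardCharsets.UTF_8));
            put(zip, SERVICES + PROCESSOR,
                    "# generated by build\ncom.example.build.EntityProcessor\n".getBytes(StandardCharsets.UTF_8));
            put(zip, "WEB-INF/lib/helper.jar", lib.toByteArray());
        }
        return war.toByteArray();
    }

    private static void put(ZipOutputStream zip, String name, byte[] content) throws IOException {
        zip.putNextEntry(new ZipEntry(name));
        zip.write(content);
        zip.closeEntry();
    }

    /** Reads the current zip entry to its end (ZipInputStream returns -1 at the entry boundary). */
    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        for (int n; (n = in.read(chunk)) != -1; ) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        for (String finding : audit(sampleWar(), "")) {
            System.out.println(finding);
        }
    }
}
```

Run against the sample war it reports the web.xml filter, the annotation processor and the java.sql.Driver provider inside WEB-INF/lib/helper.jar; a real review compares that list with the build's expected hooks.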
Secure Coding and Deployment
• The OS:
o secure the environment of your application server
o always patch your OS with the latest updates
Secure Coding and Deployment
• The application server:
o check that the application server comes from a trusted source (compare against the true MD5 checksum)
o disable unused services when installing application servers
o always enable encryption for the remote services exposed by the application server
o check the documentation of your application server on the default security manager and security policy it enables
o if necessary, define a proper security policy and additional access control checks for the applications being deployed
o always apply security patches to your application server installation
Secure Coding and Deployment
• The ear/war:
o allow the minimum set of permissions to roles in the application context
o follow best security practices as defined by the Secure Coding Guidelines for Java SE
o perform static & dynamic code analysis in order to find possible bugs or resource leaks (that may lead to implicit DoS)
o do not leave behind test/unused URLs
o perform in-container security policy tests (e.g. using the Cactus or Arquillian frameworks …)
o perform in-container resource consumption tests
Go ahead and try to find leaks …
(logos with version labels 9.0.0.Alpha1, 4.1, 12.1.3)
Thank you
References
Java EE 7 tutorial part X: Security
https://docs.oracle.com/javaee/7/tutorial/doc/
Java Platform, Enterprise Edition (JavaEE) Specification, v7
http://download.oracle.com/otndocs/jcp/java_ee-7-fr-eval-spec/index.html
Back door into JavaEE application servers
macaron.googlecode.com/files/en-macaron.pdf
OWASP Top 10 for JavaEE
https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf
Attacking JBoss like a boss
https://www.defcon.org/images/defcon-18/dc-18-presentations/Krpata/DEFCON-18-Krpata-Attacking-JBoss.pdf
Oracle Security Alert for CVE-2008-3257
http://www.oracle.com/technetwork/middleware/ias/downloads/alert-cve2008-3257-088842.html
Securing a WebLogic Server deployment
https://docs.oracle.com/cd/E13222_01/wls/docs61/security/lockdown.html
Whitepaper on JBoss exploitation
http://securityxploded.com/JBoss%20Whitepaper.pdf
Java Security Overview (white paper)
http://www.oracle.com/technetwork/java/js-white-paper-149932.pdf
Java SE Platform Security Architecture Spec
http://docs.oracle.com/javase/7/docs/technotes/guides/security/spec/security-spec.doc.html
Inside Java 2 Platform Security, 2nd edition
http://www.amazon.com/Inside-Java%C2%BF-Platform-Security-Implementation/dp/0201787911
Java Security, 2nd edition, Scott Oaks
http://shop.oreilly.com/product/9780596001575.do
Securing Java, Gary McGraw, Ed Felten
http://www.securingjava.com
Secure Coding Guidelines for Java SE
http://www.oracle.com/technetwork/java/seccodeguide-139067.html#0
Java 2 Network Security
http://www.amazon.com/JAVA-Network-Security-2nd-Edition/dp/0130155926
Java Security Documentation
http://docs.oracle.com/javase/8/docs/technotes/guides/security/index.html
Core Java Security: Class Loaders, Security Managers and Encryption
http://www.informit.com/articles/article.aspx?p=1187967
Overview of Java Security Models
http://docs.oracle.com/cd/E12839_01/core.1111/e10043/introjps.htm#CHDCEJGH
Automating Map Production With FME and Python
Safe Software
 
Rebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core FoundationRebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core Foundation
Cadabra Studio
 
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
BradBedford3
 
14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework
Angelo Theodorou
 
Top 5 Task Management Software to Boost Productivity in 2025
Top 5 Task Management Software to Boost Productivity in 2025Top 5 Task Management Software to Boost Productivity in 2025
Top 5 Task Management Software to Boost Productivity in 2025
Orangescrum
 
Integrating Survey123 and R&H Data Using FME
Integrating Survey123 and R&H Data Using FMEIntegrating Survey123 and R&H Data Using FME
Integrating Survey123 and R&H Data Using FME
Safe Software
 
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentricIntegration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Integration Ignited Redefining Event-Driven Architecture at Wix - EventCentric
Natan Silnitsky
 
Agile Software Engineering Methodologies
Agile Software Engineering MethodologiesAgile Software Engineering Methodologies
Agile Software Engineering Methodologies
Gaurav Sharma
 
Generative Artificial Intelligence and its Applications
Generative Artificial Intelligence and its ApplicationsGenerative Artificial Intelligence and its Applications
Generative Artificial Intelligence and its Applications
SandeepKS52
 
IBM Rational Unified Process For Software Engineering - Introduction
IBM Rational Unified Process For Software Engineering - IntroductionIBM Rational Unified Process For Software Engineering - Introduction
IBM Rational Unified Process For Software Engineering - Introduction
Gaurav Sharma
 
Topic 26 Security Testing Considerations.pptx
Topic 26 Security Testing Considerations.pptxTopic 26 Security Testing Considerations.pptx
Topic 26 Security Testing Considerations.pptx
marutnand8
 
Software Engineering Process, Notation & Tools Introduction - Part 4
Software Engineering Process, Notation & Tools Introduction - Part 4Software Engineering Process, Notation & Tools Introduction - Part 4
Software Engineering Process, Notation & Tools Introduction - Part 4
Gaurav Sharma
 
Bonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdfBonk coin airdrop_ Everything You Need to Know.pdf
Bonk coin airdrop_ Everything You Need to Know.pdf
Herond Labs
 
DevOps for AI: running LLMs in production with Kubernetes and KubeFlow
DevOps for AI: running LLMs in production with Kubernetes and KubeFlowDevOps for AI: running LLMs in production with Kubernetes and KubeFlow
DevOps for AI: running LLMs in production with Kubernetes and KubeFlow
Aarno Aukia
 
Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3Software Engineering Process, Notation & Tools Introduction - Part 3
Software Engineering Process, Notation & Tools Introduction - Part 3
Gaurav Sharma
 
Providing Better Biodiversity Through Better Data
Providing Better Biodiversity Through Better DataProviding Better Biodiversity Through Better Data
Providing Better Biodiversity Through Better Data
Safe Software
 
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Prachi Desai
 
Neuralink Templateeeeeeeeeeeeeeeeeeeeeeeeee
Neuralink TemplateeeeeeeeeeeeeeeeeeeeeeeeeeNeuralink Templateeeeeeeeeeeeeeeeeeeeeeeeee
Neuralink Templateeeeeeeeeeeeeeeeeeeeeeeeee
alexandernoetzold
 
Top 11 Fleet Management Software Providers in 2025 (2).pdf
Top 11 Fleet Management Software Providers in 2025 (2).pdfTop 11 Fleet Management Software Providers in 2025 (2).pdf
Top 11 Fleet Management Software Providers in 2025 (2).pdf
Trackobit
 
Plooma is a writing platform to plan, write, and shape books your way
Plooma is a writing platform to plan, write, and shape books your wayPlooma is a writing platform to plan, write, and shape books your way
Plooma is a writing platform to plan, write, and shape books your way
Plooma
 
Automating Map Production With FME and Python
Automating Map Production With FME and PythonAutomating Map Production With FME and Python
Automating Map Production With FME and Python
Safe Software
 
Rebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core FoundationRebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core Foundation
Cadabra Studio
 
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
Maintaining + Optimizing Database Health: Vendors, Orchestrations, Enrichment...
BradBedford3
 
14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework14 Years of Developing nCine - An Open Source 2D Game Framework
14 Years of Developing nCine - An Open Source 2D Game Framework
Angelo Theodorou
 
Top 5 Task Management Software to Boost Productivity in 2025
Top 5 Task Management Software to Boost Productivity in 2025Top 5 Task Management Software to Boost Productivity in 2025
Top 5 Task Management Software to Boost Productivity in 2025
Orangescrum
 

java2days 2014: Attacking JavaEE Application Servers

1. Attacking JavaEE Application Servers
   Martin Toshev

2. Bulgarian Java Users Group (BG JUG):
   https://groups.google.com/forum/#!forum/bg-jug
   http://java-bg.org/

3. Agenda
   • Attack vectors
   • Strategies and tools
   • Secure coding and deployment

4. Attack Vectors
   (diagram: the OS hosts the Java EE Application Server, which hosts the deployed war/ear applications)

5. Attack Vectors
   • An attack could originate:
     • externally
     • from the application server itself
     • from an application

6. Attack Vectors
   (diagram: the OS hosts the Java EE Application Server, which hosts the deployed war/ear applications)

7. Attack Vectors
   • An external attack can:
     o directly exploit remote services exposed by the JavaEE application server
     o exploit another remotely accessible process running in the OS

8. Attack Vectors
   • An external attack can:
     o exploit the input of applications deployed in the Java EE server (input validation attacks, SQL injection, XSS …)

9. Attack Vectors
   (diagram: the OS hosts the Java EE Application Server, which hosts the deployed war/ear applications)

10. Attack Vectors
   • An attack can:
     o originate from a malicious application running in the same OS
   • Administrators do not always install from trusted sources or check against MD5 checksums …

11. Attack Vectors
   (diagram: the OS hosts the Java EE Application Server, which hosts the deployed war/ear applications)

12. Attack Vectors
   • An attack originating from the application server can:
     • be crafted by modifying the codebase and rebuilding the application server
     • be achieved more easily by targeting open-source application servers such as GlassFish and WildFly

13. Attack Vectors
   … Administrators do not always install JavaEE application servers from trusted sources or check against MD5 checksums …
   … which makes this type of attack a real scenario

14. Attack Vectors
   (diagram: the OS hosts the Java EE Application Server, which hosts the deployed war/ear applications)

15. Attack Vectors
   • An attack originating from an application can be performed due to:
     o misconfigured security during deployment
     o intentional malicious code inside the application

16. Attack Vectors (scenario 1: misconfigured security in the app)
   … leads to opening holes in the Java EE security model

17. Attack Vectors (scenario 1: misconfigured security in the app)
   (diagram: an application server hosting a war with missing security configuration and an ear with missing security configuration)

18. Attack Vectors
   Java EE Security Model in a nutshell:
   (diagram)
   • Application server: users, groups, realms (JDBC realm, file realm)
   • war: roles, role mappings
   • ear: roles, role mappings

19. Attack Vectors
   Java EE Security Model in a nutshell:
   1. the initial request is made
   2. the server authenticates the client using an authentication mechanism
   3. URL authorization is done based on information from deployment descriptors or from annotations in the source code
   4. in case an EJB method is invoked, the EJB container checks the appropriate permissions based on user roles (the web container delegates information about the user and its roles to the EJB container)

20. Attack Vectors
   Example:

   import javax.annotation.security.DeclareRoles;
   import javax.annotation.security.RolesAllowed;
   import javax.ejb.Stateless;
   ...
   @DeclareRoles({"MANAGER", "EMPLOYEE", "ADMIN"})
   @Stateless
   public class PaymentServiceImpl implements PaymentService {

       // Jim: temporarily commented for testing purposes
       // TODO: uncomment before deployment on PROD
       // @RolesAllowed("MANAGER")
       public void increaseSalary(User employee, int amount) {
           …
       }
   }
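The slide above shows the misconfiguration: with the annotation commented out, an EJB with no method-level restriction is callable by anyone the container lets in. The following is an added example, not code from the slides, of the same bean written to fail closed. PaymentService and User are assumed to be the application's own types (hypothetical here, with a name and a salary field); the class-level @DenyAll makes any method somebody forgot to annotate unreachable instead of open, and the programmatic isCallerInRole check still refuses unauthenticated or wrongly mapped callers if the container-managed check is ever weakened by a deployment descriptor or realm misconfiguration.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example, not from the slides. PaymentService and User are assumed to be
// the application's own (hypothetical) types: User has getName(), getSalary()
// and setSalary(int).
@DeclareRoles({"MANAGER", "EMPLOYEE", "ADMIN"})
@DenyAll        // class-wide default: a method without its own annotation is denied, not open
@Stateless
public class PaymentServiceImpl implements PaymentService {

    @Resource
    private SessionContext ctx;

    // Only MANAGER may change salaries. If this annotation is commented out again,
    // the class-level @DenyAll makes the method unreachable rather than public.
    @RolesAllowed("MANAGER")
    public void increaseSalary(User employee, int amount) {
        // Defence in depth: the container already enforced the role, but a deployment
        // descriptor or a misconfigured realm can weaken that, so re-check here.
        // For an unauthenticated caller isCallerInRole() always returns false.
        if (!ctx.isCallerInRole("MANAGER")) {
            throw new EJBAccessException("increaseSalary requires the MANAGER role");
        }
        if (amount <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
        employee.setSalary(employee.getSalary() + amount);
    }

    // Read access is wider but still explicit: an EMPLOYEE may only read their own
    // record, a MANAGER may read any record.
    @RolesAllowed({"MANAGER", "EMPLOYEE"})
    public int viewSalary(User employee) {
        boolean self = employee.getName().equals(ctx.getCallerPrincipal().getName());
        if (!self && !ctx.isCallerInRole("MANAGER")) {
            throw new EJBAccessException("employees may only view their own salary");
        }
        return employee.getSalary();
    }

    // The one deliberately open method, and the annotation says so explicitly.
    @PermitAll
    public boolean ping() {
        return true;
    }
}
```

The point of the class-level @DenyAll is that the default becomes "no access" for every method on the bean, so the failure mode of a forgotten or commented-out @RolesAllowed is a broken feature that shows up in testing, not an open endpoint that shows up in production.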
21. Attack Vectors (scenario 2: malicious code in the app)
   … can be made possible due to misconfiguration of the Java SE security model of the application server

22. Attack Vectors (scenario 2: malicious code in the app)
   (diagram: an application server hosting a war with malicious code and an ear with malicious code)

23. Attack Vectors
   Java SE Security Model in a nutshell:
   (diagram)
   • war: invokes a restricted operation
   • ear: invokes a restricted operation
   • Application server: performs permission checks against security.policy
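What "performs permission checks" on the diagram amounts to, as an added example that is not part of the slides: the same SecurityManager.checkPermission() call the JDK makes inside FileInputStream, Runtime.exit() and similar operations, exercised directly so the effect of a policy file is visible. The file names, the codeBase and the policy contents are constructed for the example; the class is assumed to be loaded from /opt/apps/payroll so that the codeBase grant applies to it.

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.Permission;

// Added example, not from the slides. Paths and policy are constructed for it.
//
// Run once without and once with a SecurityManager and a policy file:
//   java RestrictedOps
//   java -Djava.security.manager -Djava.security.policy=app.policy RestrictedOps
//
// app.policy (constructed; grants the deployed code read access to its own data only):
//   grant codeBase "file:/opt/apps/payroll/-" {
//       permission java.io.FilePermission "/var/payroll/-", "read";
//   };
public class RestrictedOps {

    /** True when the calling code's protection domain holds the permission under the installed policy. */
    static boolean isAllowed(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // No manager installed (the default for a plain "java" launch and for many
            // application servers out of the box): every check passes. This is exactly
            // the misconfiguration that scenario 2 on the slides relies on.
            return true;
        }
        try {
            sm.checkPermission(p);   // walks the call stack and consults the policy for each domain
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("security manager installed: " + (System.getSecurityManager() != null));
        report("read own data", new FilePermission("/var/payroll/ledger.csv", "read"));
        report("write own data", new FilePermission("/var/payroll/ledger.csv", "write"));
        report("read another app's data", new FilePermission("/opt/apps/other/config.xml", "read"));
        report("shut down the JVM", new RuntimePermission("exitVM"));
    }

    private static void report(String what, Permission p) {
        System.out.println(what + " -> " + (isAllowed(p) ? "allowed" : "denied"));
    }
}
```

Without a SecurityManager all four operations report "allowed"; under the policy above only the first does, because the grant names the read action on /var/payroll/- and nothing else, and malicious code in the war would be stopped at the same check. The slides target Java EE 7 era JVMs; note that the SecurityManager has been deprecated for removal since JDK 17, so on current JVMs this protection must come from the application server's own sandboxing or from OS-level isolation instead.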
24. Strategies and Tools (external)
   Try to exploit services exposed by the OS or the application server (such as JMX).
   Vulnerability databases such as SecurityFocus, OSVDB and NVD, and application server changelogs, are valuable sources of information.

25. Strategies and Tools
   Tools:
     o network scanners - Nmap, SATAN, Nessus, GFI LANguard, TripWire, SuperScan
     o remote system administration - Back Orifice, ProRat
     o vulnerability scanners - Metasploit, w3af, Nexpose
     o MITM on the local network - Ettercap

26. Strategies and Tools
   … This Security Alert addresses the security issue CVE-2008-3257, a vulnerability in the Apache Connector component (mod_weblogic) of the Oracle WebLogic Server (formerly BEA WebLogic Server). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password …

27. Strategies and Tools
   … Unfortunately, the person(s) who published this vulnerability and associated exploit codes didn't contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers …
   Affected versions: 6.1, 7.0, 8.1, 9.0, 9.1, 9.2, 10.0

28. Strategies and Tools
   … Earlier community editions of JBoss allow you to use default authentication to the JMX server running on the server (shutting down the server via JMX is made possible to attackers) - CVE-2013-4810 …
   Affected versions: 4.x, 5.x

29. Strategies and Tools (ear/war)
   • craft malicious code that bypasses code reviews and code analysis tools (and possibly opens a "back-door" in the application server)

30. Strategies and Tools (ear/war)
   • make use of techniques for:
     o initialization of classes based on loadable services or configuration files
     o AOP weaving
     o servlet filters
     o annotation processors

31. Strategies and Tools
   Tools: … write your own …

32. Secure Coding and Deployment
   • The OS:
     • secure the environment of your application server
     • always patch your OS with the latest updates

33. Secure Coding and Deployment
   • The application server:
     • check that the application server comes from a trusted source (compare against the true MD5 checksum)
     • disable unused services when installing application servers
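The checksum comparison on slide 33 (and the "administrators do not always check against MD5 checksums" remark on slides 10 and 13), done as an added example that is not from the slides: a small command-line tool that streams the downloaded archive through MessageDigest and compares the result with the vendor's published digest in constant time. The algorithm name is a parameter, so the same tool accepts SHA-256 where the vendor publishes one. The file and digest on the command line are whatever the administrator has downloaded; nothing is hard-coded.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Added example, not from the slides: verify a downloaded application server
// archive against the vendor's published checksum before installing it.
// Usage: java VerifyDownload <file> <MD5|SHA-256> <expected hex digest>
public class VerifyDownload {

    /** Streams the file through the digest so an archive of any size fits in constant memory. */
    static byte[] digest(Path file, String algorithm) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        try (InputStream in = new DigestInputStream(Files.newInputStream(file), md)) {
            byte[] buf = new byte[64 * 1024];
            while (in.read(buf) != -1) {
                // every byte read is fed into md by the DigestInputStream
            }
        }
        return md.digest();
    }

    /** Parses the published hex string; odd length or non-hex characters are an error, not a guess. */
    static byte[] fromHex(String hex) {
        String h = hex.trim().toLowerCase(Locale.ROOT);
        if (h.length() % 2 != 0) {
            throw new IllegalArgumentException("hex digest has odd length");
        }
        byte[] out = new byte[h.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(h.charAt(2 * i), 16);
            int lo = Character.digit(h.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("not a hex digest: " + hex);
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /** Constant-time comparison: the result does not leak where the first differing byte is. */
    static boolean matches(Path file, String algorithm, String expectedHex)
            throws IOException, NoSuchAlgorithmException {
        return MessageDigest.isEqual(digest(file, algorithm), fromHex(expectedHex));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: VerifyDownload <file> <MD5|SHA-256> <expected-hex>");
            System.exit(2);
        }
        boolean ok = matches(Paths.get(args[0]), args[1], args[2]);
        System.out.println(args[0] + ": " + (ok ? "checksum OK" : "CHECKSUM MISMATCH - do not install"));
        System.exit(ok ? 0 : 1);
    }
}
```

The check is only as good as the place the expected digest comes from: take it from the vendor's own site over HTTPS, not from the mirror that served the archive, and where the vendor also publishes a signature (PGP or a signed jar), verify that as well, since MD5 collisions are practical and a mirror that can replace the archive can usually replace a checksum file next to it.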
34. Secure Coding and Deployment
   • The application server:
     • always enable encryption for the remote services exposed by the application server
     • check the documentation of your application server for the default security manager and security policy it enables

35. Secure Coding and Deployment
   • The application server:
     • if necessary, define a proper security policy and additional access control checks for the applications being deployed
     • always apply security patches to your application server installation

36. Secure Coding and Deployment
   • The ear/war:
     • allow the minimum set of permissions to roles in the application context
     • follow the best practices defined by the Secure Coding Guidelines for Java SE

37. Secure Coding and Deployment
   • The ear/war:
     • perform static & dynamic code analysis to find possible bugs or resource leaks (which may lead to an implicit DoS)
     • do not leave behind test/unused URLs

38. Secure Coding and Deployment
   • The ear/war:
     • perform in-container security policy tests (e.g. using the Cactus or Arquillian frameworks …)
     • perform in-container resource consumption tests
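An in-container security policy test of the kind slide 38 recommends, as an added example that is not from the slides, written against the Arquillian and ShrinkWrap APIs with JUnit 4. PaymentService, PaymentServiceImpl and User are the application's own (hypothetical) types: the test assumes PaymentService exposes increaseSalary(User, int) restricted to MANAGER as on slide 20, a @PermitAll ping() method, and a User(String name, int salary) constructor; the container adapter and arquillian.xml are assumed to be configured in the build. The test method runs inside the deployed container with no authenticated caller, which is the portable way to exercise the real security interceptors without container-specific login code.

```java
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;

import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.junit.Test;
import org.junit.runner.RunWith;

// Added example, not from the slides. PaymentService, PaymentServiceImpl and User
// are the application's own (hypothetical) types; see the lead-in for what is assumed.
@RunWith(Arquillian.class)
public class PaymentServiceSecurityTest {

    @Deployment
    public static JavaArchive deployment() {
        // Deploy only the bean under test. The container wraps it in its real
        // security interceptors, which a plain unit test with mocks never exercises.
        return ShrinkWrap.create(JavaArchive.class, "payment-security-test.jar")
                .addClasses(PaymentService.class, PaymentServiceImpl.class, User.class);
    }

    @EJB
    private PaymentService service;

    // No caller is authenticated while the test method runs, so a method restricted
    // to MANAGER must be refused. If the @RolesAllowed annotation is commented out
    // again, as on slide 20, this is the test that fails the build.
    @Test
    public void unauthenticatedCallerCannotIncreaseSalary() {
        try {
            service.increaseSalary(new User("alice", 1000), 500);
            fail("increaseSalary was callable without the MANAGER role");
        } catch (EJBAccessException expected) {
            // the container rejected the call, as the security policy requires
        }
    }

    // The deliberately open method must keep working; otherwise a class-level
    // @DenyAll or a descriptor change has locked down more than intended.
    @Test
    public void pingIsOpenToEveryone() {
        assertTrue(service.ping());
    }
}
```

Keeping one positive and one negative test per protected bean is what makes the policy test useful: the negative test catches an endpoint that became open, the positive test catches a lockdown that broke a feature, and both run against the container's actual authorization rather than a simulation of it.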
39. Go ahead and try to find leaks …
   (versions shown: 9.0.0.Alpha1, 4.1, 12.1.3)

41. References
   Java EE 7 tutorial part X: Security
   https://docs.oracle.com/javaee/7/tutorial/doc/
   Java Platform, Enterprise Edition (JavaEE) Specification, v7
   http://download.oracle.com/otndocs/jcp/java_ee-7-fr-eval-spec/index.html

42. References
   Back door into JavaEE application servers
   macaron.googlecode.com/files/en-macaron.pdf
   OWASP Top 10 for JavaEE
   https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf
   Attacking JBoss like a boss
   https://www.defcon.org/images/defcon-18/dc-18-presentations/Krpata/DEFCON-18-Krpata-Attacking-JBoss.pdf

43. References
   Oracle Security Alert for CVE-2008-3257
   http://www.oracle.com/technetwork/middleware/ias/downloads/alert-cve2008-3257-088842.html
   Securing a WebLogic Server deployment
   https://docs.oracle.com/cd/E13222_01/wls/docs61/security/lockdown.html
   Whitepaper on JBoss exploitation
   http://securityxploded.com/JBoss%20Whitepaper.pdf

44. References
   Java Security Overview (white paper)
   http://www.oracle.com/technetwork/java/js-white-paper-149932.pdf
   Java SE Platform Security Architecture Spec
   http://docs.oracle.com/javase/7/docs/technotes/guides/security/spec/security-spec.doc.html
   Inside Java 2 Platform Security, 2nd edition
   http://www.amazon.com/Inside-Java%C2%BF-Platform-Security-Implementation/dp/0201787911

45. References
   Java Security, 2nd edition, Scott Oaks
   http://shop.oreilly.com/product/9780596001575.do
   Securing Java, Gary McGraw, Ed Felten
   http://www.securingjava.com
   Secure Coding Guidelines for Java SE
   http://www.oracle.com/technetwork/java/seccodeguide-139067.html#0

46. References
   Java 2 Network Security
   http://www.amazon.com/JAVA-Network-Security-2nd-Edition/dp/0130155926
   Java Security Documentation
   http://docs.oracle.com/javase/8/docs/technotes/guides/security/index.html

47. References
   Core Java Security: Class Loaders, Security Managers and Encryption
   http://www.informit.com/articles/article.aspx?p=1187967
   Overview of Java Security Models
   http://docs.oracle.com/cd/E12839_01/core.1111/e10043/introjps.htm#CHDCEJGH