Secure Coding for Java - An introduction
6 likes1,452 views
The document discusses secure coding practices for Java, focusing on application security and the necessity of protecting against cyber threats. It highlights the importance of implementing OWASP materials and standards, particularly the Application Security Verification Standard (ASVS), to guide developers in creating secure applications. Additionally, it underscores common vulnerabilities, defense techniques, and best practices such as input validation, user authentication, and session management.
![• Good
Regex
for
a
passwd
complexity
:
• Good
Storage
of
password
with
SALT
45
(?=^.{8,30}$)(?=.*d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
import java.security.MessageDigest;
public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
MessageDigest digest = MessageDigest.getInstance("SHA-256");
digest.reset();
digest.update(salt);
return digest.digest(password.getBytes("UTF-8"));
}
Friday, June 28, 13](https://image.slidesharecdn.com/2013-06-27-securecoding-en-jugpch-130628082814-phpapp01/85/Secure-Coding-for-Java-An-introduction-85-320.jpg)
![Log4J
Example
81
import com.sec.dev;
// Import log4j classes.
import org.apache.log4j.Logger;
import org.apache.log4j.BasicConfigurator;
public class SecLogger {
// Define a static logger variable so that it references the
// Logger instance named "MyApp".
static Logger logger = Logger.getLogger(MyApp.class);
public static void main(String[] args) {
// Set up a simple configuration that logs on the console.
BasicConfigurator.configure();
logger.setLevel(Level.DEBUG); // optional if log4j.properties file not used
// Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL
logger.info("Entering application.");
Bar bar = new Bar();
bar.doIt();
logger.info("Exiting application.");
}
}
Friday, June 28, 13](https://image.slidesharecdn.com/2013-06-27-securecoding-en-jugpch-130628082814-phpapp01/85/Secure-Coding-for-Java-An-introduction-134-320.jpg)
Secure Coding for Java - An introduction
- 1. Secure Coding for Java (an introduc3on) Java User Group Poitou-‐Charentes (Niort) 27 Juin 2013 Sébas3en Gioria [email protected] Chapter Leader OWASP France Friday, June 28, 13
- 2. http://www.google.fr/#q=sebastien gioria ‣OWASP France Leader & Founder & Evangelist ‣Innovation & Technology @ Advens Twitter :@SPoint / @OWASP_France 2 ‣Application Security group leader for the CLUSIF ‣Proud father of youngs kids trying to hack my digital life. Ne vous inquietez pas c’est le seul slide en anglais, par contre il y aura des trucs d’écrits partout en bas... Friday, June 28, 13
- 3. ForeWords • This is a presenta,on made from my own experience with some company using OWASP materials. • Only the documents from OWASP wiki are OWASP officials (see hEps://www.owasp.org) • Some extracts come from document I wrote as OWASP leader, this is why you could find it elsewhere. 5 Friday, June 28, 13
- 4. • Applica,on Security : –where we are (no bullshit) –where we are (hopefully) going ? • Using OWASP materials to secure code • Secure Coding principles Agenda Friday, June 28, 13
- 6. Why Applica0on Security ? 6 Friday, June 28, 13
- 7. Why Applica0on Security ? 6 Your Application been Hacked Friday, June 28, 13
- 8. Why Applica0on Security ? 6 Your Application been Hacked YES Friday, June 28, 13
- 9. Why Applica0on Security ? 6 Your Application been Hacked NO YES Friday, June 28, 13
- 10. Why Applica0on Security ? 6 Your Application will be Hacked ;) Your Application been Hacked NO YES Friday, June 28, 13
- 11. Why Applica0on Security ? 6 Your Application will be Hacked ;) Your Application been Hacked YES NO YES Friday, June 28, 13
- 12. Why Applica0on Security ? 6 Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
- 13. Why Applica0on Security ? 6 Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
- 14. Why Applica0on Security ? 6 My Application will be hacked ! Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
- 15. Why Applica0on Security ? 6 My Application will be hacked ! Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Next Step Friday, June 28, 13
- 16. We are living in a Digital environment, in a Connected World vMost of websites vulnerable to aTacks vImportant % of web-‐based Business (Services, Online Store, Self-‐care, Telcos, SCADA, ...) Why Applica0on Security ? Age of An0virus Age of Network Security Age of Applica0on Security 7 Friday, June 28, 13
- 17. Consequences of bad or no security –IdenPty theQ –Hardware theQ –IT downPme –Bad Media coverage –Financials loss –Customers loss –Legals/business penalty 8 Friday, June 28, 13
- 18. What Verizon (PCI-‐DSS company) said ? © Verizon 2012 9 Friday, June 28, 13
- 19. What Verizon (PCI-‐DSS company) said ? © Verizon 2012 9 Friday, June 28, 13
- 20. What Verizon (PCI-‐DSS company) said ? © Verizon 2012 9 Friday, June 28, 13
- 21. What Verizon (PCI-‐DSS company) said ? © Verizon 2012 9 Friday, June 28, 13
- 22. What Verizon (PCI-‐DSS company) said ? © Verizon 2012 9 Friday, June 28, 13
- 23. What Verizon (PCI-‐DSS company) said ? © Verizon 2012 9 Friday, June 28, 13
- 24. What Verizon (PCI-‐DSS company) said ? © Verizon 2012 9 Friday, June 28, 13
- 25. © Verizon 2012 Verizon Study 10 Friday, June 28, 13
- 26. © Verizon 2012 Verizon Study 10 Friday, June 28, 13
- 27. © Verizon 2012 Verizon Study 10 Friday, June 28, 13
- 28. © Verizon 2012 Verizon Study 10 Friday, June 28, 13
- 29. © Verizon 2012 Verizon Study 10 Friday, June 28, 13
- 30. © Verizon 2012 Verizon Study 10 Friday, June 28, 13
- 31. Verizon study 11 © Verizon 2012 Friday, June 28, 13
- 32. Verizon study 11 © Verizon 2012 Friday, June 28, 13
- 33. 12 (c) WhiteHatSecurity 2013 Friday, June 28, 13
- 34. 12 (c) WhiteHatSecurity 2013 Friday, June 28, 13
- 35. 12 (c) WhiteHatSecurity 2013 Friday, June 28, 13
- 36. 12 (c) WhiteHatSecurity 2013 Friday, June 28, 13
- 37. What you CIO Said : I got a Firewall ! 27 Friday, June 28, 13
- 38. What your business user said : I have SSL based Web Site 28 Friday, June 28, 13
- 39. What your business user said : only the hacker can aMack my website • Tools are more and more simples. • Try a simple request on google website on SQL InjecPon and look at it. • An aEack on a Web Server cost 100$/ 200$ per day on the underground market. 29 Friday, June 28, 13
- 40. What your user said : a vulnerability on internal ApplicaPon is not criPcal. • No, The web is anywhere, and CSRF, HTML5 CORS and more can make this complete destrucPve • Be aware and share this : • AJAX doing a lot of things without you • Be aware and share this : • HTML5 will come with “nice” user funcPonality , but with big impact on security (WebSocket, CORS, ...) 30 Friday, June 28, 13
- 41. But I do Security tesPng ! 17 Security Tes3ng Coding Friday, June 28, 13
- 42. Majors OWASP publications you can use All are on the wiki https://www.owasp.org All are under GPL or friendly licenses Majors publications you can use to secure your projects/SDLC Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR) Top10 reference this 3 guides Ø OWASP Top10 Ø Auditor/Testing Guide Ø Code Review Guide Ø Building Guide Ø Application Security Verification Standard (ASVS) Ø Secure Coding Practices 12 Friday, June 28, 13
- 43. Friday, June 28, 13
- 44. Learn Friday, June 28, 13
- 45. Learn Friday, June 28, 13
- 46. Learn Contract Friday, June 28, 13
- 47. Learn Contract Friday, June 28, 13
- 48. Learn Contract Design Friday, June 28, 13
- 49. Learn Contract Design Friday, June 28, 13
- 50. Learn Contract Design Build Friday, June 28, 13
- 51. Learn Contract Design Build Friday, June 28, 13
- 54. Learn Contract Test Design Build Progress Friday, June 28, 13
- 55. Learn Contract Test Design Build Progress Friday, June 28, 13
- 56. OWASP Applica,on Security Verifica,on Standard 20 Friday, June 28, 13
- 57. What is ASVS ? • A standard that provides a basis for the verificaPon of web applicaPons applicaPon-‐ independent. • A standard life-‐cycle model independent. • A standard that define requirements that can be applied across applicaPons without special interpretaPon. 43 Friday, June 28, 13
- 58. What are ASVS responses ? • How much trust can be placed in a web applicaPon? • What features should be built into security controls? • How do I acquire a web applicaPon that is verified to have a certain range in coverage and level of rigor? Friday, June 28, 13
- 59. ASVS secure controls requirements Security Area Level 1A Level 1B Level 2A Level 2B Level 3 Level 4 V1 – Security Architecture Verification Requirements 1 1 2 2 4 5 V2 – Authentication Verification Requirements 3 2 9 13 13 14 V3 – Session Management Verification Requirements 4 1 6 7 8 9 V4 – Access Control Verification Requirements 5 1 12 13 14 15 V5 – Input Validation Verification Requirements 3 1 5 7 8 9 V6 – Output Encoding/Escaping Verification Requirements 0 1 2 8 9 10 V7 – Cryptography Verification Requirements 0 0 2 8 9 10 V8 – Error Handling and Logging Verification Requirements 1 1 2 8 8 9 V9 – Data Protection Verification Requirements 1 1 2 3 4 4 V10 – Communication Security Verification Requirements 1 0 3 6 8 8 V11 – HTTP Security Verification Requirements 3 3 6 6 7 7 V12 – Security Configuration Verification Requirements 0 0 0 2 3 4 V13 – Malicious Code Search Verification Requirements 0 0 0 0 0 5 V14 – Internal Security Verification Requirements 0 0 0 0 1 3 Totals 22 12 51 83 96 112 23 Friday, June 28, 13
- 60. But ASVS stand for VerificaPon ? • ASVS just said funcPonals needs for controls. • You should use it as a Secure Coding Policy. ★Don’t be medium(ASVS Level1/2), just target excellence (ASVS Level 4) 24 Friday, June 28, 13
- 61. Using ASVS as a secure coding policy • ASVS : Verify that all password fields do not echo the user’s password when it is entered. ➡All Password fields must be define as HTML password fields and must not echo user password. ➡All login forms must include autocomplete=off tag • ASVS : Verify that all input validaPon is performed on the server side. ➡Performs all input valida,on on the server. Nothing in the browser 25 Friday, June 28, 13
- 62. Posi,ve aatude Nega0ve The tester shall search for XSS holes Posi0ve Verify that the applica0on performs input valida0on and output encoding on all user input See: hTp://www.owasp.org/index.php/ XSS_(Cross_Site_Scrip0ng)_Preven0on_Cheat_Sheet 56 Friday, June 28, 13
- 63. OWASP Secure Coding Prac3ces 27 Friday, June 28, 13
- 64. OWASP Secure Coding PracPces • Small document (only 9 pages) • Could be use as an simple checklist for your policy. • Could be use together with ASVS or alone. • More technical and deeper approach than ASVS . • Wrote and use by Boeing :) 28 Friday, June 28, 13
- 65. Secure Coding PracPces Contents • Input ValidaPon • Output Encoding • AuthenPcaPon and Password Management • Session Management • Access Control • Cryptographic PracPces • Error Handling and Logging • Data ProtecPon • CommunicaPon Security • System ConfiguraPon • Database Security • File Management • Memory Management • General Coding PracPces 29 Friday, June 28, 13
- 66. Now the torture room 30 Friday, June 28, 13
- 67. (extracts from OWASP Secure Coding Prac0ces/OWASP CheatSheets OWASP ASVS, ...) Let talk Secure Coding now 31 Friday, June 28, 13
- 68. Some secures principles to follow 32 •Deep defense of applica,on is mandatory • Following less privileges is the best soluPon • Segregate duty more that user think ➡Remember that applica,on need to answer user needs and not security pleasure. Friday, June 28, 13
- 69. Deep defense of a Web Applica0on (example) 70 Fi re w all Applica0onWeb Apps SGBDApp ServerWeb Server Browser User auth Input Validation Secure configuration Good crash mecanisms • Critical data transport protection • Preventing session and ID theft Critical data protections Logs/Audit of transactions Authorisation and authentication Authorisation and authentication Critical data protectionsPreventing parameters thefts Friday, June 28, 13
- 70. Fail securely • Don’t give user technical details of the error/crash. • Clean state or use objects in catch clause 34 Friday, June 28, 13
- 71. Fail securely • Don’t give user technical details of the error/crash. • Clean state or use objects in catch clause 34 Friday, June 28, 13
- 72. Don’t try to make obscure things 72 Friday, June 28, 13
- 73. Don’t try to make obscure things 72 GEOPORTAIL Friday, June 28, 13
- 74. Don’t try to make obscure things 72 Friday, June 28, 13
- 75. Don’t try to make obscure things 72 GOOGLE MAPS Friday, June 28, 13
- 76. • ObfuscaPon is not the soluPon • There is someone in the matrix who will send you evil data • Be evil ! • Protect area with filter is the best soluPon 36 Friday, June 28, 13
- 77. Controls • Controls need : –to be simple –to be used correctly –funcPonal –present in every part of the applicaPon 74 Bad understanding of a control result of unused it by developers and application will be vulnerable. Friday, June 28, 13
- 78. Minimals controls to have • You must have at least this components in your applicaPon : –AuthenPcaPon –AuthorizaPon –Logging and audit –Secure Storage –Secure transport –Secure input and output manipulaPon of data 75 Friday, June 28, 13
- 80. Implement good passwd strategy • Password length -‐ Categorize applicaPons : • Important : at least 6 characters • Cri0cal : at least 8 characters and perhaps mul0-‐factors authen0ca0on • High Cri0cal : at least 14 characters and mul0-‐factors authen0ca0on • Password strength -‐ Implement passwd complexity with previous categories • at least : 1 upper, 1 lower, 1 digit, 1 special • don’t allow dic0onnary passwd • don’t allow con0nuous characters 40 Friday, June 28, 13
- 81. Implement good passwd strategy •Let the user choose it •Force the user to change it regulary, and add no reuse capability. •Don’t allow too much “I forgot my passwd” •Don’t allow change of passwd without user approval; require actual passwd from the user and more for high cri0cal. •Add sleep strategy ! •Add detec3on of misuse strategy ! •Don’t store passwd in clear !!!!! use hash ! 41 Friday, June 28, 13
- 82. MulP-‐Factor authenPcaPon •Passwds are bad •Passwds are guessable •MulP-‐factor combine: –something you have (token, mobile, ...) –something you know (details about you, passwd, ...) –somePme, something you are (biometrics) –Use it for high criPcal applicaPons. 42 Friday, June 28, 13
- 83. Implement good global strategy • Ask second authenPcaPon for criPcal transacPons (with mulP-‐factor auth...) • Force authenPcaPon to be in TLS/SSL • Regenerate Session ID aQer authenPcaPon • Force Session ID to be “secure” • LimiPng forgoEen passwd,change of login/ passwd 43 Friday, June 28, 13
- 84. How to do ? • Authen0cate all pages but not public pages (login, logout, help, ....) • Don’t allow more than one authen0ca0on mecanism • Authen3cate on the SERVER • Simply send back “user or passwd mismatch” and nothing else aker a failed authen0ca0on. • Logged all failed and all correct authen0ca0on • Aker each authen0ca0on give the user the last status of his authen0ca0on. 44 Friday, June 28, 13
- 85. • Good Regex for a passwd complexity : • Good Storage of password with SALT 45 (?=^.{8,30}$)(?=.*d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$ import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); } Friday, June 28, 13
- 86. Session Management 46 Friday, June 28, 13
- 87. Session • Use Default Java Framework Generator • Use other name than the default name of the Framework (rename JSESSIONID...) • Force transport of ID authenPcaPon on SSL/TLS. • Don’t allow Session ID in URL ! • If using cookie : – Secure Cookie – HTTPOnly Cookie – LimiPng path + domain – Max Age and expiraPon 47 Friday, June 28, 13
- 88. Session tricky • AutomaPc expiraPon –categorize applicaPons : • default : 1 hour • cri0cal (some transac0on) : 20mns • high cri0cal (financials or account impact) : 5mns • Renew Session ID aQer any privilege change • Don’t allow simultaneous logon • Add Session AEack DetecPon • add in-‐session 0ps : ip of session, other random number, ... 48 Friday, June 28, 13
- 89. Browser defenses • Bind JavaScript events to close session –on window.close() –on window.stop() –on window.blur() –on window.home() • Use Javascripts Pmer to automaPc close session in high criPcal applicaPons • Disable WebBrowser Cross-‐tab Session if possible...(bad user experiences....) –If you use cookie, this is not possible !!!! 49 Friday, June 28, 13
- 90. 50 <session-‐config> <cookie-‐config> <http-‐only>true</http-‐only> <secure>true</secure> </cookie-‐config> </session-‐config> Using Servlet 3.0 ? Friday, June 28, 13
- 91. Access Controls 107 Friday, June 28, 13
- 92. Remember Friday, June 28, 13
- 93. Remember (1)Without access control, you can’t control the user in your applica,on Friday, June 28, 13
- 94. Remember (1)Without access control, you can’t control the user in your applica,on (2)All client inputs are EVIL Friday, June 28, 13
- 95. Authen0ca0on & Authoriza0on • Two Levels of authenPcaPon and authorizaPon are needed –In the ApplicaPon –In infrastructure Table A Table B Connexion Table A + duty A Role A Role B SGBDApp Server Connexion Table B + Duty B Friday, June 28, 13
- 96. AuthorizaPon • Have in mind the rule : –Nothing by default • Centralize all authorizaPon code on the SERVER • If client state are mandatory, use encrypPon and integrity checking on the server side to catch state tampering. • Limit number of transacPons per user at a interval Pme. 54 Friday, June 28, 13
- 97. AuthorizaPon • Enforce : – protec0on of URL to authorized account only – protec0on of func0on to authorized account only – protec0on of file access to authorized account only • Applica0on need to terminate session when authoriza0on failed. • Split administra0ve and user authoriza0on • Enforce dormant account : – loss privileges. – “disable account” – alerts 55 Friday, June 28, 13
- 98. Valida3on of Data 56 Friday, June 28, 13
- 99. Input ValidaPon • Ensure all data validaPon are done on THE SERVER. –If you do something on client side we can said you do “painPng” • Classify your data : –Trusted Data –Untrusted Data • Conduct trusted path. • Centralize your data validaPon • Use correct parametrize query when exists (SQL) 57 Friday, June 28, 13
- 100. Border validaPon • Consider validaPng data along all the entry points of your ApplicaPon border 58 Friday, June 28, 13
- 101. Input ValidaPon • Use proper characters set for all input • Encode all data to the same character set before doing anything <=>Canonicalize • Reject all not validated datas • Validate data : –expected type (convert as soon as possible to Java Types) –expected range –expected length –expected values –expected “white list” if possible 59 Friday, June 28, 13
- 102. Input ValidaPon • Be careful of using “hazardous” characters (ex: <>’,”! (+)& %.) • Add specific validaPon : –check for null bytes (%00) –check for new lines (%0D, %0A, n, r, ...) –check for dot-‐dot-‐slashes (../) 60 Friday, June 28, 13
- 103. Be careful of encoding for specific valida0on... URL %3c%73%63%72%69%70%74%3e%61%6c %65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e %0a HTML <script>ale 2;t(XSS);</sc&#x 72;ipt>
 UTF-8 %u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c %uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c %u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003 One space ? < s c r i p t > a l e r t ( X S S ) ; < / s c r i p t > <script>alert(XSS);</script> Friday, June 28, 13
- 104. Validate Datas 124 Friday, June 28, 13
- 105. SQL => bad 125 Friday, June 28, 13
- 106. SQL => bad 125 Friday, June 28, 13
- 107. SQL => bad 125 Friday, June 28, 13
- 108. SQL => a liEle bit beEer 126 Friday, June 28, 13
- 109. List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList(); List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList(); int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate(); JPA/EnPty 65 Friday, June 28, 13
- 110. List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList(); List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList(); int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate(); JPA/EnPty 65 Friday, June 28, 13
- 111. List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList(); List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList(); int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate(); JPA/EnPty 65 /* positional parameter in JPQL */ Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1"); List results = jpqlQuery.setParameter(1, "123-‐ADB-‐567-‐QTWYTFDL").getResultList(); Friday, June 28, 13
- 112. List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList(); List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList(); int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate(); JPA/EnPty 65 /* positional parameter in JPQL */ Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1"); List results = jpqlQuery.setParameter(1, "123-‐ADB-‐567-‐QTWYTFDL").getResultList(); /* named query in JPQL -‐ Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */ Query jpqlQuery = entityManager.createNamedQuery("myCart"); List results = jpqlQuery.setParameter("itemId", "item-‐id-‐0001").getResultList(); Friday, June 28, 13
- 113. List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList(); List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList(); int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate(); JPA/EnPty 65 /* positional parameter in JPQL */ Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1"); List results = jpqlQuery.setParameter(1, "123-‐ADB-‐567-‐QTWYTFDL").getResultList(); /* named query in JPQL -‐ Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */ Query jpqlQuery = entityManager.createNamedQuery("myCart"); List results = jpqlQuery.setParameter("itemId", "item-‐id-‐0001").getResultList(); /* named parameter in JPQL */ Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive"); List results = jpqlQuery.setParameter("incentive", new Long(10000)).getResultList(); Friday, June 28, 13
- 114. List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList(); List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList(); int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate(); JPA/EnPty 65 /* positional parameter in JPQL */ Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1"); List results = jpqlQuery.setParameter(1, "123-‐ADB-‐567-‐QTWYTFDL").getResultList(); /* Native SQL */ Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class); List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList(); /* named query in JPQL -‐ Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */ Query jpqlQuery = entityManager.createNamedQuery("myCart"); List results = jpqlQuery.setParameter("itemId", "item-‐id-‐0001").getResultList(); /* named parameter in JPQL */ Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive"); List results = jpqlQuery.setParameter("incentive", new Long(10000)).getResultList(); Friday, June 28, 13
- 115. XML => bad 127 Friday, June 28, 13
- 116. XML => bad 127 Friday, June 28, 13
- 117. XML => ValidaPng via regexp/white list 128 Friday, June 28, 13
- 118. BeEer, a XML schema <xs:schema xmlns:xs="hTp://www.w3.org/2001/XMLSchema"> <xs:element name="item"> <xs:complexType> <xs:sequence> <xs:element name="descrip0on" type="xs:string"/> <xs:element name="price" type="xs:decimal"/> <xs:element name="quan0ty" type="xs:integer"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> Friday, June 28, 13
- 119. XML => XML Parser validaPon Friday, June 28, 13
- 120. LDAP => bad 131 Friday, June 28, 13
- 121. LDAP => bad 131 Friday, June 28, 13
- 122. LDAP => beEer 132 Friday, June 28, 13
- 123. Using OWASP ESAPI 72 Friday, June 28, 13
- 124. Output Encoding 73 Friday, June 28, 13
- 125. Output encoding • It’s a Defense in depth mechanism • Encode ON THE SERVER • Centralize the encoder funcPons • SaniPze all data send to the client –HTMLEncode is a minimum but did not work on all cases 74 Friday, June 28, 13
- 126. Essai 1 => bad 137 Friday, June 28, 13
- 127. Essai 1 => bad 137 Friday, June 28, 13
- 128. Essai 2 => it’s bad, but beTer than nothing 138 Friday, June 28, 13
- 129. Essai 2 => it’s bad, but beTer than nothing 138 Friday, June 28, 13
- 130. A good soluPon with a robust SaniPzer :) 139 Friday, June 28, 13
- 131. Error Logging 78 Friday, June 28, 13
- 132. Error Handling Your Applica3on will crash ! • Catch all excep0ons without excep0on (remember the null pointer excep0on !) – Clean all excep0on code of sensi0ve datas – Don’t give user any details about crash, just said “It’s a crash, try again later” • Logs are sensi0ve, you MUST PROTECT THEM • Log : – input valida0on failures – authen0ca0on request; especially failures – access control failures – systems excep0ons – administra0ve func0onality – crypto failures – invalid/expired session token access 79 Friday, June 28, 13
- 133. Logging/Errors • Split your logs with categories, examples : –Access –Error –Debug –Audit • Use log4j for standard logging 80 Friday, June 28, 13
- 134. Log4J Example 81 import com.sec.dev; // Import log4j classes. import org.apache.log4j.Logger; import org.apache.log4j.BasicConfigurator; public class SecLogger { // Define a static logger variable so that it references the // Logger instance named "MyApp". static Logger logger = Logger.getLogger(MyApp.class); public static void main(String[] args) { // Set up a simple configuration that logs on the console. BasicConfigurator.configure(); logger.setLevel(Level.DEBUG); // optional if log4j.properties file not used // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL logger.info("Entering application."); Bar bar = new Bar(); bar.doIt(); logger.info("Exiting application."); } } Friday, June 28, 13
- 135. Bad handling of ExcepPon 144 Friday, June 28, 13
- 136. Bad handling of ExcepPon 144 Friday, June 28, 13
- 137. Good Housecleaning 83 try { SensitiveData sensitiveData = new SensitiveData (“4242424242424242”); out = new PrintWriter(new FileWriter("OutFile.txt")); //Do Stuff…. } catch (IOException e) { if ( sensitiveData != null ) { sensitiveData.set(“0000000000000000”); } logger.log ("IO exception ", e.getMessage()); } catch (Exception e) { if ( sensitiveData != null ) { sensitiveData.set(“0000000000000000”); } logger.log ("Error occurred!”, e.getMessage()); } finally { if ( sensitiveData != null ) { sensitiveData.set(“0000000000000000”); } if (out != null) { out.close(); // RELEASE RESOURCES } } Friday, June 28, 13
- 138. BeEer handling of excepPon and error 145 <error-‐page> <excepPon-‐type>java.lang.Throwable</ excepPon-‐type> <locaPon>/error.jsp</locaPon> </error-‐page> Friday, June 28, 13
- 139. Data Protec3on 85 Friday, June 28, 13
- 140. Data protecPon • Protect sensiPve datas, don’t store them in clear. • Store sensiPve datas in trusted systems • Don’t use GET request for sensiPve data. • Disable client site caching 86 Friday, June 28, 13
- 141. Disable Client Side caching 87 import javax.servlet.*; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.Date; public class CacheControlFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletResponse resp = (HttpServletResponse) response; resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT"); resp.setHeader("Last-‐Modified", new Date().toString()); resp.setHeader("Cache-‐Control", "no-‐store, no-‐cache, must-‐revalidate, max-‐age=0, post-‐check=0, pre-‐check=0"); resp.setHeader("Pragma", "no-‐cache"); chain.doFilter(request, response); } } <filter> <filter-‐name>SetCacheControl</filter-‐name> <filter-‐class>com.sec.dev.cacheControlFilter</filter-‐class> </filter> <filter-‐mapping> <filter-‐name>SetCacheControl</filter-‐name> <url-‐pattern>/*</url-‐pattern> </filter-‐mapping> web.xml Friday, June 28, 13
- 142. Access to FileSystem 88 Friday, June 28, 13
- 143. Absolute Path is bad 151 Friday, June 28, 13
- 144. Absolute Path is bad 151 Friday, June 28, 13
- 145. Absolute Path is bad 151 Friday, June 28, 13
- 146. Canonicalisa,on is good 90 Friday, June 28, 13
- 147. Secure Communica3ons 91 Friday, June 28, 13
- 148. Secure CommunicaPons • Use TLS/SSL : –at least SSL v3.0/TLS 1.0 –minimum of 128bits encrypPon –use secure crypto : AES is good • Don’t expose criPcal data in the URL • Failed SSL/TLS communicaPons should not fall back to insecure • Validate cerPficate when used • Protect all page, not just logon page ! 92 Friday, June 28, 13
- 149. Force TLS/SSL Response • Use HTTP Strict Transport Security (HSTS). –Available on some browsers (not IE) –draQ IETF : hEp://tools.iew.org/html/draQ-‐iew-‐websec-‐ strict-‐transport-‐sec-‐04 93 HttpServletResponse ...; response.setHeader("Strict-‐Transport-‐Security", "max-‐age=7776000; includeSubdomains"); Friday, June 28, 13
- 150. ConfiguraPon 94 • Review all properPes, configuraPon files • Be careful of default passwords... • Remove, and not just de-‐acPvate, unused funcPons/modules • Use sandbox system when available : Be careful of Java Signed code who execute with more privileges ! Friday, June 28, 13
- 151. Now you can protect against him 95 Friday, June 28, 13
- 152. NEWS A BLOG A PODCAST MEMBERSHIPS MAILING LISTS A NEWSLETTER APPLE APP STORE VIDEO TUTORIALS TRAINING SESSIONS SOCIAL NETWORKING 96 On est aussi des humains, et on peut boire un coup tout simplement Friday, June 28, 13
- 153. Dates • AppSec Research Europe 2013 : 20/23 Aout – Hambourg – Allemagne • Octobre 2013 : OSSIR PARIS –OWASP Top10 2013; quoi de neuf ? • OWASP Benelux : 28/29 Novembre 2013 97 Un tour des JUG est prévu en France, si vous en connaissez un dans le coin... Friday, June 28, 13
- 154. Soutenir l’OWASP • Différentes soluPons : –Membre Individuel : 50 $ –Membre Entreprise : 5000 $ –DonaPon Libre • Soutenir uniquement le chapitre France : –Single MeePng supporter • Nous offrir une salle de mee0ng ! • Par0ciper par un talk ou autre ! • Dona0on simple –Local Chapter supporter : • 500 $ à 2000 $ 98 Friday, June 28, 13
- 155. Prochains meePngs • Septembre 2013 –Salle : Mozilla Center Paris –Speaker : • Security on Firefox OS • A définir • Novembre 2013 –Salle : a définir –Speaker : a définir Septembre s’annonce merveilleux avec plein d’annonces en tout genre.... Friday, June 28, 13
- 156. License 100 Si vous avez tout suivi vous connaissez le prochain slide.... @SPoint [email protected] Friday, June 28, 13