Secure Coding For Java - Une introduction
4 likes6,830 views
The document provides an introduction to secure coding in Java. It discusses the Open Web Application Security Project (OWASP) and its mission to improve software security. It then covers 10 simple principles for writing secure code, such as input validation, output encoding, and parameterized queries. Examples of SQL injection and LDAP injection vulnerabilities are shown, along with ways to avoid them through parameterization and input sanitization. The importance of using security mechanisms from trusted libraries rather than reimplementing them is also stressed.
![public
class
LDAPAuth{
private
void
searchRecord(String
userSN,
String
userPassword)
throws
NamingException
{
Hashtable<String,
String>
env
=
new
Hashtable<String,
String>();
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
try
{
DirContext
dctx
=
new
InitialDirContext(env);
SearchControls
sc
=
new
SearchControls();
String[]
attributeFilter
=
{"cn",
"mail"};
sc.setReturningAttributes(attributeFilter);
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
String
base
=
"dc=example,dc=com";
String
filter
=
"(&(sn="
+
userSN
+
")(userPassword="
+
userPassword
+
"))";
NamingEnumeration<?>
results
=
dctx.search(base,
filter,
sc);
while
(results.hasMore())
{
SearchResult
sr
=
(SearchResult)
results.next();
Attributes
attrs
=
sr.getAttributes();
Attribute
attr
=
attrs.get("cn");
System.out.println(attr.get());
attr
=
attrs.get("mail");
System.out.println(attr.get());
}](https://image.slidesharecdn.com/2015-03-19-chtijug-150320093822-conversion-gate01/85/Secure-Coding-For-Java-Une-introduction-24-320.jpg)
![2)
Use
a
cryptographically
strong
creden3al-‐
specific
salt
• protect(
[salt]
+
[password]
);
• Use
a
32char
or
64char
salt
(actual
size
dependent
on
protecCon
funcCon);
• Do
not
depend
on
hiding,
spli}ng,
or
otherwise
obscuring
the
salt](https://image.slidesharecdn.com/2015-03-19-chtijug-150320093822-conversion-gate01/85/Secure-Coding-For-Java-Une-introduction-57-320.jpg)
![3a)
Impose
difficult
verifica3on
on
the
aZacker
and
defender
• PBKDF2([salt]
+
[password],
c=140,000);
• Use
PBKDF2
when
FIPS
cerCficaCon
or
enterprise
support
on
many
pla€orms
is
required
• Use
Scrypt
where
resisCng
any/all
hardware
accelerated
aeacks
is
necessary
but
enterprise
support
and
scale
is
not.
(bcrypt
is
also
a
reasonable
choice)](https://image.slidesharecdn.com/2015-03-19-chtijug-150320093822-conversion-gate01/85/Secure-Coding-For-Java-Une-introduction-58-320.jpg)
![3b)
Impose
difficult
verifica3on
on
only
the
aZacker
• HMAC-‐SHA-‐256(
[private
key],
[salt]
+
[password]
)
• Protect
this
key
as
any
private
key
using
best
pracCces
• Store
the
key
outside
the
credenCal
store
• Build
the
password-‐to-‐hash
conversion
as
a
separate
webservice
(cryptograpic
isolaCon).](https://image.slidesharecdn.com/2015-03-19-chtijug-150320093822-conversion-gate01/85/Secure-Coding-For-Java-Une-introduction-59-320.jpg)
![//import
java.security
and
java.crypto
and
java.u3l
needed
//
Based
on
recommenda<on
from
NIST
SP800-‐132.pdf
public
class
PasswordEncrypConService
{
public
boolean
authenCcate(String
aeemptedPassword,
byte[]
encryptedPassword,
byte[]
salt)
throws
NoSuchAlgorithmExcepCon,
InvalidKeySpecExcepCon
{
byte[]
encryptedAeemptedPassword
=
getEncryptedPassword(aeemptedPassword,
salt);
return
Arrays.equals(encryptedPassword,
encryptedAeemptedPassword);
}
public
byte[]
getEncryptedPassword(String
password,
byte[]
salt)
throws
NoSuchAlgorithmExcepCon,
InvalidKeySpecExcepCon
{
String
algorithm
=
"PBKDF2WithHmacSHA1’’;
//
SHA1
recommende
by
nist
int
derivedKeyLength
=
160;
int
iteraCons
=
20000;
//
minimum
1000
its
from
NIST
KeySpec
spec
=
new
PBEKeySpec(password.toCharArray(),
salt,
iteraCons,
derivedKeyLength);
SecretKeyFactory
f
=
SecretKeyFactory.getInstance(algorithm);
return
f.generateSecret(spec).getEncoded();
}
public
byte[]
generateSalt()
throws
NoSuchAlgorithmExcepCon
{
SecureRandom
random
=
SecureRandom.getInstance("SHA1PRNG");
byte[]
salt
=
new
byte[8];
random.nextBytes(salt);
return
salt;
}
}
SecurePasswordStorage](https://image.slidesharecdn.com/2015-03-19-chtijug-150320093822-conversion-gate01/85/Secure-Coding-For-Java-Une-introduction-62-320.jpg)
![Beeer
than
catching
NPE...
if
(s
==
null)
{
return
false;
}
String
names[]
=
s.split("
");
if
(names.length
!=
2)
{
return
false;
}
return
(isCapitalized(names[0])
&&
isCapitalized(names[1]));
}](https://image.slidesharecdn.com/2015-03-19-chtijug-150320093822-conversion-gate01/85/Secure-Coding-For-Java-Une-introduction-82-320.jpg)
Secure Coding For Java - Une introduction
- 1. Secure Coding Java, An introduc3on Sébas3en Gioria [email protected] OWASP France Leader
- 2. Agenda • OWASP ? • Secure Coding ? • 10 simply principles to secure code • Controlling code security • Q&A Beer J 2
- 4. 2 http://www.google.fr/#q=sebastien gioria ‣ OWASP France Leader & Founder & Evangelist, ‣ OWASP ISO Project & OWASP SonarQube Project Leader ‣ Innovation and Technology @Advens && Application Security Expert Twitter :@SPoint/@OWASP_France/@AppSecAcademy 2 ‣ Application Security group leader for the CLUSIF ‣ Proud father of youngs kids trying to hack my digital life.
- 5. CORE MISSION The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit also registered in Europe as a worldwide charitable organization focused on improving the security of software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is welcomed to participate in OWASP and all of our materials are available under free and open software licenses.
- 6. Open Web ApplicaCon Security Project • OWASP Moto : “Making ApplicaCon Security Visible” • Born in 2001; when Web explode. “W” of Name is actually a big cannonball for us • An American FondaCon (under 501(c)3 ) => in France a 1901 associaCon • Cited in a lot of standards : – PCI-‐DSS – NIST – ANSSI guides, – .... • OWASP is everywhere : Tools, API, DocumentaCon, Conferences, blog, youtube, podcast, ....
- 7. 7 Learn Contract TesCng Design Maturity Code
- 8. OWASP publicaCons ! • Lot of PublicaCons : – Top10 ApplicaCon Security Risk ; bestseller – TesCng Guide ; second bestseller – OWASP Cheat Sheets !!! – ApplicaCon Security VerificaCon Standard ; not the best well known document – OpenSAMM : improve your applicaCon security – OWASP Secure Contract Annex – OWASP Top10 for ... (mobile, cloud, privacy, ...) • and many more....
- 9. OWASP Tools and API • Lot of Tools / API – OWASP Zed Aeack Proxy ; replace WebScarab with a lot of new funcConaliCes – OWASP ESAPI : API for securing your Sogware – OWASP AppSensor ; a IDS/IPS in the heart of your sogware – OWASP Cornucoppia ; applicaCon security play with cards – OWASP Snake and ladder : play Top10 • and many more....
- 10. Secure Coding ?
- 13. Be accurate
- 19. Some Stats.... (c) IBM March 2014
- 22. @Inject EntityManager em; @Transactional public User updateEmail(String username,String email) { TypedQuery<User> q = em.createQuery( String.format(”update Users set email ‘%s’ where username = '%s’", email, username), User.class); return q.getSingleResult(); }
- 23. 1. update users set email='$NEW_EMAIL' where username=‘sgioria’ 2. $NEW_EMAIL = '[email protected] 3. update users set email='’[email protected] where username = ‘sgioria’
- 24. public class LDAPAuth{ private void searchRecord(String userSN, String userPassword) throws NamingException { Hashtable<String, String> env = new Hashtable<String, String>(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); try { DirContext dctx = new InitialDirContext(env); SearchControls sc = new SearchControls(); String[] attributeFilter = {"cn", "mail"}; sc.setReturningAttributes(attributeFilter); sc.setSearchScope(SearchControls.SUBTREE_SCOPE); String base = "dc=example,dc=com"; String filter = "(&(sn=" + userSN + ")(userPassword=" + userPassword + "))"; NamingEnumeration<?> results = dctx.search(base, filter, sc); while (results.hasMore()) { SearchResult sr = (SearchResult) results.next(); Attributes attrs = sr.getAttributes(); Attribute attr = attrs.get("cn"); System.out.println(attr.get()); attr = attrs.get("mail"); System.out.println(attr.get()); }
- 25. 1. Soit : userSN = ad* userPassword = * 2. => filter = "(&(sn=ad*)(userPassword=*));
- 26. Parametrize ! don't Jeopardize !!! String eMail= request.getParameter("email") ; String userName= request.getParameter("username"); //SQL PreparedStatement pstmt = con.prepareStatement("update Users set email = ? where username = ?); pstmt.setString(1, eMail); pstmt.setString(2, userName); //JPA Query safeQuery = entityManager.createQuery( "update Users u SET u.email = ?1 WHERE u.username = ?2"); safeQuery.setParameter(1, eMail) ; safeQuery.setParameter(2, userName); safeQuery.executeUpdate();
- 27. Moral ! NEVER re-implements security mechanisms that are approuved in a core library !! This is the same thing for crypto and other mechanisms that are not security....
- 28. Spot the vuln ! <%@page import="java.util.Enumeration"%>" <%@ page language="java" contentType="text/html; charset=ISO-8859-15"" pageEncoding="ISO-8859-15"%>" //........" <script language="javascript »> function sendPaymentRequest(){" form = document.getElementById("sendForm");" //Code return false;" }" </script>" </head><body> <form method="POST" name="sendForm" id="sendForm" onsubmit="return sendPaymentRequest()">" <%" final String amount = request.getParameter("amount");" Enumeration<String> pNames = request.getParameterNames();" while (pNames.hasMoreElements()){" final String pName = pNames.nextElement();" final String pVal = request.getParameter(pName);" %>" <input type="hidden" name="<%=pName%>" value="<%=pVal%>" />" <% } %>" <table>" <tr> <td>Credit card</td><td> <input type="text" name="cc" value="" maxlength="16" size="16"/></td></tr>" <tr> <td>Exp Date (mm/yy)</td><td><input type="text" name="expMonth" value="" maxlength="2" size="2"/> /<input type="text" name="expYear" value="" maxlength="2" size="2"/></td></tr>" <tr><td>CVV2</td><td><input type="password" name="cvv" value="" maxlength="3" size="3"/></td></tr>" <tr><input type="submit" value="Pay" name="button1" id="button1" /></td></tr>" </table>" </form></body></html>
- 30. public final class InsertEmployeeAction extends Action {" public ActionForward execute(ActionMapping mapping, ActionForm form," HttpServletRequest request, HttpServletResponse response) throws Exception{" " Obj1 service = new Obj1();" ObjForm objForm = (ObjForm) form;" InfoADT adt = new InfoADT ();" BeanUtils.copyProperties(adt, objForm);" String searchQuery = objForm.getqueryString();" String payload = objForm.getPayLoad();" " try {" service.doWork(adt); / /do something with the data" ActionMessages messages = new ActionMessages();" ActionMessage message = new ActionMessage("success", adt.getName() );" messages.add( ActionMessages.GLOBAL_MESSAGE, message );" saveMessages( request, messages );" request.setAttribute("Record", adt);" return (mapping.findForward("success"));" }" catch( DatabaseException de )" {" ActionErrors errors = new ActionErrors();" ActionError error = new ActionError("error.employee.databaseException" + “Payload: “+payload);" errors.add( ActionErrors.GLOBAL_ERROR, error );" saveErrors( request, errors );" return (mapping.findForward("error: "+ searchQuery));" }" }" } Spot the vuln(s) !
- 31. XSS risks • Session Hijacking • Site Defacement • Network Scanning • Undermining CSRF Defenses • Site Redirection/Phishing • Load of Remotely Hosted Scripts • Data Theft • Keystroke Logging • Attackers using XSS more frequently
- 32. <
- 33. <
- 34. Encoding Output Characters Decimal Hexadecimal HTML Character Set Unicode " (double quotaCon marks) " " " u0022 ' (single quotaCon mark) ' ' ' u0027 & (ampersand) & & & u0026 < (less than) < < < u003c > (greater than) > > > u003e Safe ways to represent dangerous characters in a web page
- 35. OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project • No third party libraries or configuration necessary • This code was designed for high-availability/high- performance encoding functionality • Simple drop-in encoding functionality • Redesigned for performance • More complete API (uri and uri component encoding, etc) in some regards. • Java 1.5+ • Current version 1.1.1 • Last update, January 16th 2015 https://code.google.com/ p/owasp-java-encoder/source/detail?r=57
- 36. OWASP Java Encoder Project https://www.owasp.org/index.php/OWASP_Java_Encoder_Project HTML Contexts Encode#forHtml Encode#forHtmlContent Encode#forHtmlAeribute Encode#forHtmlUnquotedAeribute XML Contexts Encode#forXml Encode#forXmlContent Encode#forXmlAeribute Encode#forXmlComment Encode#forCDATA CSS Contexts Encode#forCssString Encode#forCssUrl JavaScript Contexts Encode#forJavaScript Encode#forJavaScriptAeribute Encode#forJavaScriptBlock Encode#forJavaScriptSource URI/URL contexts Encode#forUri Encode#forUriComponent
- 37. Simple fix for XSS1 <form method="POST" name="sendForm" id="sendForm" onsubmit="return sendPaymentRequest()">" " <%" final String amount = request.getParameter("amount");" Enumeration<String> pNames = request.getParameterNames();" while (pNames.hasMoreElements()){" final String pName = pNames.nextElement();" final String pVal = request.getParameter(pName); %>" <input type="hidden" name="<%=Encode.ForHTMLAttribute(pName)%>" value="< %=Encode.ForHTMLAttribute(pval)%>" />" <%" }" %>" " <table>
- 38. (3) Validate All Inputs
- 40. OWASP HTML Sanitizer Project https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project • HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. • This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review https://code.google.com/p/owasp-java-html-sanitizer/wiki/ AttackReviewGroundRules. • It allows for simple programmatic POSITIVE policy configuration. No XML config. • Actively maintained by Mike Samuel from Google's AppSec team! • This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
- 41. public static final PolicyFactory IMAGES = new HtmlPolicyBuilder() .allowUrlProtocols("http", "https").allowElements("img") .allowAttributes("alt", "src").onElements("img") .allowAttributes("border", "height", "width").matching(INTEGER) .onElements("img") .toFactory(); public static final PolicyFactory LINKS = new HtmlPolicyBuilder() .allowStandardUrlProtocols().allowElements("a") .allowAttributes("href").onElements("a").requireRelNofollowOnLinks() .toFactory();
- 42. • Pure JavaScript, client side HTML SaniCzaCon with CAJA! – hep://code.google.com/p/google-‐caja/wiki/JsHtmlSaniCzer – heps://code.google.com/p/google-‐caja/source/browse/trunk/src/com/google/caja/ plugin/html-‐saniCzer.js • Java – heps://www.owasp.org/index.php/OWASP_Java_HTML_SaniCzer_Project
- 43. • Upload Verification – Filename and Size validation + antivirus • Upload Storage – Use only trusted filenames + separate domain • Beware of "special" files – "crossdomain.xml" or "clientaccesspolicy.xml". • Image Upload Verification – Enforce proper image size limits – Use image rewriting libraries – Set the extension of the stored image to be a valid image extension – Ensure the detected content type of the image is safe • Generic Upload Verification – Ensure decompressed size of file < maximum size – Ensure that an uploaded archive matches the type expected (zip, rar) – Ensure structured uploads such as an add-on follow proper standard
- 45. Access Control Anti-Patterns • Hard-coded role checks in application code • Lack of centralized access control logic • Untrusted data driving access control decisions • Access control that is “open by default” • Lack of addressing horizontal access control in a standardized way (if at all) • Access control logic that needs to be manually added to every endpoint in code • Access Control that is “sticky” per session • Access Control that requires per-user policy
- 46. What is Access Control? • Authorization is the process where a system determines if a specific user has access to a resource • Permission: Represents app behavior only • Entitlement: What a user is actually allowed to do • Principle/User: Who/what you are entitling • Implicit Role: Named permission, user associated – if (user.isRole(“Manager”)); • Explicit Role: Named permission, resource associated – if (user.isAuthorized(“report:view:3324”);
- 47. Aeacks on Access Control • VerCcal Access Control Aeacks – A standard user accessing administraCon funcConality • Horizontal Access Control Aeacks – Same role, but accessing another user's private data • Business Logic Access Control Aeacks – Abuse of one or more linked acCviCes that collecCvely realize a business objecCve
- 48. Access Controls Impact • Loss of accountability – Aeackers maliciously execute acCons as other users – Aeackers maliciously execute higher level acCons • Disclosure of confidenCal data – Compromising admin-‐level accounts ogen results in access to user’s confidenCal data • Data tampering – Privilege levels do not disCnguish users who can only view data and users permieed to modify data
- 49. void editProfile(User u, EditUser eu) { if (u.isManager()) { editUser(eu) } } HardCode Auth Rule
- 50. void editProfile(User u, EditUser eu) { if ((user.isManager() || user.isAdministrator() || user.isEditor()) && user.id() != 1132)) { // do stuff } } Policy evoluCon....
- 51. Hard-‐Coded Roles • Makes “proving” the policy of an applicaCon difficult for audit or Q/A purposes • Any Cme access control policy needs to change, new code need to be pushed • RBAC(hep://en.wikipedia.org/wiki/Role-‐ based_access_control) is ogen not granular enough • Fragile, easy to make mistakes
- 52. Never Depend on Untrusted Data • Never trust request data for access control decisions • Never make access control decisions in JavaScript • Never make authorizaCon decisions based solely on: hidden fields cookie values form parameters URL parameters anything else from the request • Never depend on the order of values sent from the client
- 53. Best PracCce: Centralized AuthZ • Define a centralized access controller – ACLService.isAuthorized(PERMISSION_CONSTANT) – ACLService.assertAuthorized(PERMISSION_CONSTANT) • Access control decisions go through these simple API’s • Centralized logic to drive policy behavior and persistence • May contain data-‐driven access control policy informaCon
- 54. int userId= request.getInt(”userID"); //Best to get it from sessionID.... if (validateUser(userId) ) { if ( currentUser.isPermitted( ”module:function:" + userId) ) { log.info(userId + “are permitted to access ."); doStuff(userId); } else { log.info(userId + “ is notallowed to access!"); throw new AuthorizationException (userId); } } Could be like this...
- 55. Establish Authentication and Identity Controls
- 56. 1) Do not limit the type of characters or length of user password within reason • LimiCng passwords to protect against injecCon is doomed to failure • Use proper encoder and other defenses described instead • Be wary of systems that allow unlimited password sizes (Django DOS Sept 2013)
- 57. 2) Use a cryptographically strong creden3al-‐ specific salt • protect( [salt] + [password] ); • Use a 32char or 64char salt (actual size dependent on protecCon funcCon); • Do not depend on hiding, spli}ng, or otherwise obscuring the salt
- 58. 3a) Impose difficult verifica3on on the aZacker and defender • PBKDF2([salt] + [password], c=140,000); • Use PBKDF2 when FIPS cerCficaCon or enterprise support on many pla€orms is required • Use Scrypt where resisCng any/all hardware accelerated aeacks is necessary but enterprise support and scale is not. (bcrypt is also a reasonable choice)
- 59. 3b) Impose difficult verifica3on on only the aZacker • HMAC-‐SHA-‐256( [private key], [salt] + [password] ) • Protect this key as any private key using best pracCces • Store the key outside the credenCal store • Build the password-‐to-‐hash conversion as a separate webservice (cryptograpic isolaCon).
- 60. Password1!
- 61. Require 2 idenCty quesCons ! Last name, account number, email, DOB ! Enforce lockout policy Ask one or more good security quesCons ! heps://www.owasp.org/index.php/ Choosing_and_Using_Security_QuesCons_Cheat_Sheet Send the user a randomly generated token via out-‐of-‐band ! app, SMS or token Verify code in same web session ! Enforce lockout policy Change password ! Enforce password policy Changing Password
- 62. //import java.security and java.crypto and java.u3l needed // Based on recommenda<on from NIST SP800-‐132.pdf public class PasswordEncrypConService { public boolean authenCcate(String aeemptedPassword, byte[] encryptedPassword, byte[] salt) throws NoSuchAlgorithmExcepCon, InvalidKeySpecExcepCon { byte[] encryptedAeemptedPassword = getEncryptedPassword(aeemptedPassword, salt); return Arrays.equals(encryptedPassword, encryptedAeemptedPassword); } public byte[] getEncryptedPassword(String password, byte[] salt) throws NoSuchAlgorithmExcepCon, InvalidKeySpecExcepCon { String algorithm = "PBKDF2WithHmacSHA1’’; // SHA1 recommende by nist int derivedKeyLength = 160; int iteraCons = 20000; // minimum 1000 its from NIST KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iteraCons, derivedKeyLength); SecretKeyFactory f = SecretKeyFactory.getInstance(algorithm); return f.generateSecret(spec).getEncoded(); } public byte[] generateSalt() throws NoSuchAlgorithmExcepCon { SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); byte[] salt = new byte[8]; random.nextBytes(salt); return salt; } } SecurePasswordStorage
- 63. • Authentication Cheat Sheet – https://www.owasp.org/index.php/Authentication_Cheat_Sheet • Password Storage Cheat Sheet – https://www.owasp.org/index.php/ Password_Storage_Cheat_Sheet • Forgot Password Cheat Sheet – https://www.owasp.org/index.php/ Forgot_Password_Cheat_Sheet • Session Management Cheat Sheet – https://www.owasp.org/index.php/ Session_Management_Cheat_Sheet • ASVS AuthN and Session Requirements – https://www.owasp.org/index.php/ OWASP_Application_Security_Verification_Standard_Project
- 65. • What benefits do HTTPS provide? – Confidentiality, Integrity and Authenticity – Confidentiality: Spy cannot view your data – Integrity: Spy cannot change your data – Authenticity: Server you are visiting is the right one
- 66. Encryption in Transit (HTTPS/TLS) • HTTPS configuration best practices – https://www.owasp.org/index.php/ Transport_Layer_Protection_Cheat_Sheet – https://www.ssllabs.com/projects/best- practices/
- 67. • CerCficate Pinning – heps://www.owasp.org/index.php/Pinning_Cheat_Sheet • HSTS (Strict Transport Security) – hep://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-‐Transport-‐Security: max-‐age=31536000 • Forward Secrecy – heps://whispersystems.org/blog/asynchronous-‐security/ • CerCficate CreaCon Transparency – hep://cerCficate-‐transparency.org • Browser CerCficate Pruning – Etsy/Zane Lackey
- 68. HSTS – Strict Transport Security • HSTS (Strict Transport Security) – hep://www.youtube.com/watch?v=zEV3HOuM_Vw – Strict-‐Transport-‐Security: max-‐age=31536000; includeSubdomains • Forces browser to only make HTTPS connecCon to server • Must be iniCally delivered over a HTTPS connecCon
- 69. • Current HSTS Chrome preload list hep://src.chromium.org/viewvc/chrome/trunk/src/net/hep/ transport_security_state_staCc.json • If you own a site that you would like to see included in the preloaded Chromium HSTS list, start sending the HSTS header and then contact: heps://hstspreload.appspot.com/ • A site is included in the Firefox preload list if the following hold: – It is in the Chromium list (with force-‐heps). – It sends an HSTS header. – The max-‐age sent is at least 10886400 (18 weeks). • More info at: hep://dev.chromium.org/sts
- 70. /*! in the doGet() or doPost()! */! ! if(request.getScheme().equals("https"))" {" // HTTPs so force HSTS! response.setHeader("Strict-Transport-Security", "max-age=3628800; includeSubdomains");" } else {" // other protocol than HTTPS (HTTP ? )! response.setStatus(301);" // Force HTTPS! // Avoid redirection to pishing site! String serverName = validateServerName (request.getServerName());" String serverUrl = validateURL(request.getRequestURL());" String url = "https://" + serverName + serverURL;" response.setHeader("Location", url);" }" SecurePasswordStorage
- 71. Perfect Forward Secrecy • If you use older SSL ciphers, every Cme anyone makes a SSL connecCon to your server, that message is encrypted with (basically) the same private server key • Perfect forward secrecy: Peers in a conversaCon instead negoCate secrets through an ephemeral (temporary) key exchange • With PFS, recording ciphertext traffic doesn't help an aeacker even if the private server key is stolen! From heps://whispersystems.org/blog/asynchronous-‐security/
- 72. SSL/TLS Example Ciphers • Forward Secrecy: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) • NOT Forward Secrecy TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
- 73. Solving Real World Crypto Storage Problems With Google KeyCzar Crypter crypter = new Crypter("/path/to/your/keys"); String ciphertext = crypter.encrypt("Secret message"); String plaintext = crypter.decrypt(ciphertext); Keyczar is an open source cryptographic toolkit for Java Designed to make it easier and safer for developers to use cryptography in their applicaCons. • A simple API • Key rotaCon and versioning • Safe default algorithms, modes, and key lengths • Automated generaCon of iniCalizaCon vectors and ciphertext signatures • Java – Python – C++
- 74. Error Handling, Logging and Intrusion Detection
- 75. Risks ? • Error messages can disclose informaCon valuable to an aeacker • Failure can lead to an unhandled state, which can lead to denial of service – Unhandled failures can lead to malicious behavior being unnoCced
- 76. Fail Securely ! • Not Just catching excepCon • Not Just logging excepCon/errors Handle all failures securely and return the system to a proper state
- 77. public class MyAccessControl { public boolean accessGrant (Object ressource, Objec user) { boolean accessGranted = false; try { if (myAccessControl().isAuthorize(ressource, user)){ accessGranted = true; //do Stuff like logging and other oppera<on than may fail opera<onThatMayFailed (ressource); } } catch (ExcepCon ex){ logger.audit ("Access control fail") ; // Fail Securely accessGranted = false; } return accessGranted; } } SecurePasswordStorage
- 78. Design Paeerns • Don't assume that an error condiCon won't occur • It's what the aeackers want you to assume • Errors are like accidents, you don't expect them, but they happen • Any code that can throw an excepCon should be in a Try Block • Handle all possible excepCons • Use Finally Blocks: leaving files open or excepCons defined ager use creates resource leaks and possible system failure • Short specific Try Blocks give you more control over the error state
- 79. App Layer Intrusion Detec3on • Great detection points to start with – Input validation failure server side when client side validation exists – Input validation failure server side on non-user editable parameters such as hidden fields, checkboxes, radio buttons or select lists – Forced browsing to common attack entry points – Honeypot URL (e.g. a fake path listed in robots.txt like e.g. /admin/secretlogin.jsp)
- 80. App Layer Intrusion Detec3on • Others – Blatant SQLi or XSS injection attacks – Workflow sequence abuse (e.g. multi-part form in wrong order) – Custom business logic (e.g. basket vs catalogue price mismatch) – Further Study: • “libinjection: from SQLi to XSS” – Nick Galbreath • “Attack Driven Defense” – Zane Lackey
- 81. OWASP AppSensor (Java) • Project and mailing list https://www.owasp.org/index.php/ OWASP_AppSensor_Project • Four-page briefing, Crosstalk, Journal of Defense Software Engineering • http://www.crosstalkonline.org/storage/issue- archives/2011/201109/201109-Watson.pdf
- 82. Beeer than catching NPE... if (s == null) { return false; } String names[] = s.split(" "); if (names.length != 2) { return false; } return (isCapitalized(names[0]) && isCapitalized(names[1])); }
- 83. PrevenCng StackTrace leak <error-‐page> <excep3on-‐type>java.lang.Throwable </excep3on-‐type> <loca3on>/WEB-‐INF/error.jsp </loca3on> </error-‐page>
- 86. Bad Design
- 87. Security Architecture and Design Strategic effort • Business, technical and security stakeholders • FuncConal and non-‐funcConal security properCes • Different flavors/efforts based on SDL/culture Example: state • Should you use the request? • Should you use a web session? • Should you use the database? These decisions have dramaCc security implicaCons
- 88. Trusting Input • Treating all client side data as untrusted is important, and can be tied back to trust zones/boundaries in design/architecture. • Ideally we want to consider all tiers to be untrusted and build controls at all layers, but this is not practical or even possible for some very large systems.
- 89. Security Architecture and Design Addi3onal Considera3ons • Overall Architecture/Design • Trust Zones/Boundaries/Tiers 1. User Interface, API (Webservices), 2. Business Layer (Custom Logic), 3. Data Layer (Keys to the Kingdom) 4. What sources can/cannot be trusted? • What is inside/outside of a trust zone/boundary • Specific controls need to exist at certain layers • Aeack Surface
- 90. LAST BUT NOT LEAST....
- 91. Lack of knowledge... String myString = "insecure"; myString.replace("i","1") // do Stuff
- 92. Good Try...but...catch J public class BadCatch { public void mymethodErr1() { try { //do Stuff } catch (SecurityExcepCon se){ System.err.println (se); } } }
- 93. Nice comments // PaTern to match the string Paeern myPaeern = "bword1W+(?:w+/W+){1,6}?word2b"; String updated = MYCONSTANT1.replaceAll(mypaeern, "$2"); // i iterate from 0 to 10 for (int i=0; i <10 ; i++) { // do stuff myMethod(updated); }
- 94. Unit tesCng • In computer programming, unit tes3ng is a sogware tesCng method by which individual units of source code, sets of one or more computer program modules together with associated control data, usage procedures, and operaCng procedures, are tested to determine whether they are fit for use.. (c) Wikipedia
- 95. Controlling code in one picture
- 96. Pentest or code review for CISO Top10 Web Pentest Code Review A1-‐InjecCon ++ +++ A2-‐Broken AuthenCcaCon and Session Management ++ + A3-‐Cross-‐Site ScripCng (XSS) +++ +++ A4-‐Insecure Direct Object References + +++ A5-‐Security MisconfiguraCon + ++ A6-‐SensiCve Data Exposure ++ + A7-‐Missing FuncCon Level Access Control + + A8-‐Cross-‐Site Request Forgery (CSRF) ++ + A9-‐Using Components with Known VulnerabiliCes +++ A10-‐Unvalidated Redirects and Forwards + +
- 97. PentesCng and code review for a developer
- 98. EvoluCon of sogware developement Makefile ConCnuous Security Unit tesCng ConCnuous inspecCon Git/CVS/SVN
- 99. 10 reasons to use .... • Wrieen in Java J • Integrated with CI Tools (Jenkins/Hudson/ Bamboo) • Modular (plugins by languages) • Developer tools • Dashboard • OWASP project J • Open-‐Source (and commercial too)
- 100. Of Course !
- 101. Démo
- 102. Thanks • Somes slides from Jim Manico (@manicode) && OWASP Top10 ProacCve Project