Some introductory slides about how to increase security in Java web applications.

1. Securing Java Web
Applications
An introduction
Jonas Flesch
me@jonasflesch.com

2. Index
• Spring Security
• Passwords
• Sql Injection
• JSTL
• Client sent content
• Stacktraces
• Test
• Legal issues

3. STEP 1
Use Spring Security!!

4. Spring Security
• Authentication
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/authenticate")
.failureUrl("/login?error=true")
.usernameParameter("username")
.passwordParameter("password")
.permitAll();

5. Spring Security
• Authorization
@Controller
@Secured(Roles.ROLE_ADMINISTRATOR)
@RequestMapping(UserController.BASE_URL)
public class UserController extends BaseController {

6. Spring Security
• Cross Site Request Forgery Token
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}"/>

7. Spring Security
• Good practices headers

8. Step 2
Passwords

9. Passwords
• Store it using a strong salted hash
• Bcrypt
• Never send it by e-mail or store it in plain text
• Protect user creation/password recovery forms with
captcha
• Recaptcha when possible
• JCaptcha second choice

10. Step 3
SQL Injection

11. SQL Injection
• Always use SQL Parameters:
@SqlUpdate("UPDATE User ug "
+ " SET DsEmail = :dsEmail"
+ " WHERE idUser = :idUser")

12. Step 4
Use JSTL carefully

13. JSTL
• Wrong:
<input type="hidden" name="uuid" value="${UUID}"/>
• Correct:
<input type="hidden" name="uuid" value="<c:out value=“${UUID}”/>"/>
• Why?
<input type="hidden" name="uuid" value=“”><script>alert(1)</script>”/>”/
>
• c:out escapes the string with html entities like &lt;

14. Step 5
Never trust content from the
client

15. Never trust content from the
client
• Never use file names from uploads
• Use UUID as filename when saving to the hard
drive
• Put a file size limit
• Endless uploads can crash the server
• Validations made on Javascript should be done
again in the server

16. Step 6
Hide the stacktraces!!!

18. Hide the stack traces
• Evil user can discover:
• Frameworks/versions
• Paths
• Pieces of code/details of implementation
• Solution:
• Spring MVC @ControllerAdvice @ExceptionHandler
• Web.xml error-page

19. Step 7
Test it!

20. Test
• OWASP ZAP
• Automated testing
• Every error found is important
• Use the proxy in every functionality
• Can be integrated to the Continuous Integration
• Evil user in the scenarios
• Automate it too!

21. Step 8
Legal issues

22. Legal issues
• Privacy police
• Terms of Use
• Age validation
• Copied images/logotypes
• Personal Data storage (document number, birth date,
etc)
• Classified disclosure

23. Jonas Flesch
me@jonasflesch.com