3. The OWASP Foundation
http://www.owasp.org
• Developer approaches application
based on what it is intended to do
• Attacker’s approach is based on
what application can be made to do
• Any action not specifically denied is
considered allowed
3
Fundamental
difference
4. The OWASP Foundation
http://www.owasp.org
• Minimize Attack Surface Area
• Secure Defaults
• Principle of Least Privilege
• Principle of Defense in Depth
• Fail Securely
• External Systems are Insecure
• Separation of Duties
• Do not trust Security through Obscurity
• Simplicity
• Fix Security Issues Correctly
4
Security
Principles
5. The OWASP Foundation
http://www.owasp.org
• Price related hidden fields, CSS visibility –
perform server side validation
• Cross Site Request Forgery (CSRF)
• Sensitive Information Disclosure via Client-
Side Storage and Comments
• Hardcoded domain in HTML
• HTML5: Form validation turned off
• Password Submission using GET method
5
HTML
6. The OWASP Foundation
http://www.owasp.org
• Selects, radio buttons, and checkboxes
Wrong Approach
<input type="radio" name="acctNo"
value="455712341234">Gold Card
<input type="radio" name="acctNo"
value="455712341235">Platinum Card
String acctNo = getParameter('acctNo');
String sql = "SELECT acctBal FROM accounts
WHERE acctNo = '?'"; 6
HTML
7. The OWASP Foundation
http://www.owasp.org
Right Approach
<input type="radio" name="acctIndex"
value="1" />Gold Credit Card
<input type="radio" name="acctIndex"
value="2" />Platinum Credit Card
String acctNo =
acct.getCardNumber(getParameter('acctIndex'))
String sql = "SELECT acctBal FROM accounts
WHERE acct_id = '?' AND acctNo ='?'";
7
HTML
8. The OWASP Foundation
http://www.owasp.org
• Display of passwords in form, Autocomplete
• Don’t populate password in form
<input name="password"
type="password" value="<%=pass%>" />
8
HTML
9. The OWASP Foundation
http://www.owasp.org
• Ajax Hijacking
• Cross Site Scripting: DOM, Poor validation
• Dynamic code evaluation: Code, Script
Injection, Unsafe XMLHTTPRequest – eval
• Open Redirect
• Path Manipulation – dot dot slash attack
• Obfuscate Client Side JavaScript. Remember
the jQuery.min, jQuery.dev versions
9
JavaScript
10. The OWASP Foundation
http://www.owasp.org
• jQuery
Unsafe usage
var txtAlertMsg = "Hello World: ";
var txtUserInput =
"test<script>alert(1)</script>";
$("#message").html( txtAlertMsg +"" +
txtUserInput + "");
Safe usage (use text, not html)
$("#userInput").text(
"test<script>alert(1)</script>"); <-- treat
user input as text 10
JavaScript
11. The OWASP Foundation
http://www.owasp.org
• Use of =, != for null comparison
• Ignoring exception – try & catch
• Persistent Cross Site Scripting
• Use parameterized statements, validate
input before string concatenation in dynamic
SQL’s in stored procedures
• Avoid xp_cmdshell
• Never store passwords in plaintext
11
SQL
12. The OWASP Foundation
http://www.owasp.org
• Use stored procedures to abstract
data access and allow for the
removal of permissions to the base
tables in the database
12
SQL
13. The OWASP Foundation
http://www.owasp.org
• The Java libraries (java.lang, java.util etc, often
referred to as the Java API) are themselves written
in Java, although methods marked as native. The
Sun JVM is written in C, JVM running on your
machine is a platform-dependent executable and
hence could have been originally written in any
language. The Oracle JVM (HotSpot) is written in
the C++ programming language. Java Compiler
provided By Oracle is written in JAVA itself. Many
Java vulnerabilities are really C vulnerabilities that
occur in an implementation of Java.
13
About Java
14. The OWASP Foundation
http://www.owasp.org
• Secure data types – char[], GuardedString
• Zip Bombs
private static final int LINE_LIMIT = 1000000;
int totalLinesRead = 0;
while ((s = reader.readLine()) != null) {
doSomethingWithLine(s);
totalLinesRead++;
if (totalLinesRead > LINE_LIMIT) {
throw new Exception("File being read is too big.");
}
}
14
Java
15. The OWASP Foundation
http://www.owasp.org
• Do not ignore values returned by methods.
private void deleteFile()
{
File tempFile = new File(tempFileName);
if (tempFile.exists()) {
if (!tempFile.delete()) {
// handle failure to delete the
file
}
}
}
15
Java
16. The OWASP Foundation
http://www.owasp.org
• Release resources in all cases. The try-with-
resource syntax introduced in Java SE 7
automatically handles the release of many
resource types.
try (final InputStream in =
Files.newInputStream(path)) {
handler.handle(new
BufferedInputStream(in));
}
16
Java - DOS
17. The OWASP Foundation
http://www.owasp.org
• Billion laughs attack - XML entity expansion
causes an XML document to grow
dramatically during parsing.
DocumentBuilderFactory dbf =
DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSI
NG, true);
DocumentBuilder parser = dbf.newDocumentBuilder();
parser.parse(xmlfile);
17
Java
18. The OWASP Foundation
http://www.owasp.org
• Add security wrapper around native method
calls – use JNI defensively
• Make public static fields final
• java.lang.SecurityManager – policy
• In Struts deny direct jsp access explicitly
• Use SecureRandom for PRNG, 128 bit length
SecureRandom random = new
SecureRandom();
byte bytes[] = new byte[20];
random.nextBytes(bytes);
18
Java
19. The OWASP Foundation
http://www.owasp.org
• JSP Source code disclosure
• Non-Final classes let an attacker extend a
class in a malicious manner
• Packages are by default open, not sealed,
which means a rogue class can be added to
your package
• Check uploaded file header than just
extension alone
https://www.owasp.org/images/0/08/OWASP_S
CP_Quick_Reference_Guide_v2.pdf
19
Java
20. The OWASP Foundation
http://www.owasp.org
• Override the clone method to make classes
unclonable unless required. Cloning allows
an attacker to instantiate a class without
running any of the class constructors.
20
Java Cloning
21. The OWASP Foundation
http://www.owasp.org
• Define the following method in each of your
classes:
public final Object clone() throws
java.lang.CloneNotSupportedException {
throw new
java.lang.CloneNotSupportedException();
}
21
Java Cloning
22. The OWASP Foundation
http://www.owasp.org
• If a clone is required, one can make one’s
clone method immune to overriding by using
the final keyword:
public final Object clone() throws
java.lang.CloneNotSupportedException {
return super.clone();
}
22
Java Cloning
23. The OWASP Foundation
http://www.owasp.org
• Unfavour serialization of objects containing
sensitive information – transient fields
private final void
writeObject(ObjectOutputStream out)
throws java.io.IOException {
throw new java.io.IOException("Object cannot
be serialized");
}
23
Java Serialization
24. The OWASP Foundation
http://www.owasp.org
• Prevent deserialization of objects containing
sensitive information
private final void
readObject(ObjectInputStream in)
throws java.io.IOException {
throw new java.io.IOException("Class cannot
be deserialized");
}
24
Java Deserialization
25. The OWASP Foundation
http://www.owasp.org
• deny access by default
isAdmin = false;
try {
codeWhichMayFail();
isAdmin = isUserInRole(“Administrator”);
}
catch (Exception ex) {
log.write(ex.toString());
}
25
Java
27. The OWASP Foundation
http://www.owasp.org
• Response splitting allows an attacker to take
control of the response body by adding extra
CRLFs into headers
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
27
Response Splitting
28. The OWASP Foundation
http://www.owasp.org
If an attacker submits a malicious string, such as “Rajesh
PrnHTTP/1.1 200 OKrn...", then the HTTP response would
be split into two responses of the following form:
HTTP/1.1 200 OK
...
Set-Cookie: author=Rajesh P
HTTP/1.1 200 OK
...
Clearly, the second response is completely controlled by the
attacker and can be constructed with any header and body
content desired.
Response Splitting
30. The OWASP Foundation
http://www.owasp.org
• How to Identify new vulnerability disclosures
in Java? – NVD, CVE
• Always remove older versions of Java on
devices while updating to the new secure
version
30
Miscellaneous
31. The OWASP Foundation
http://www.owasp.org
The OWASP Enterprise
Security API
Custom Enterprise Web Application
Enterprise Security API
Authenticator
User
AccessController
AccessReferenceMap
Validator
Encoder
HTTPUtilities
Encryptor
EncryptedProperties
Randomizer
ExceptionHandling
Logger
IntrusionDetector
SecurityConfiguration
Existing Enterprise Security Services/Libraries
31
33. The OWASP Foundation
http://www.owasp.org
OWASP Top Ten
Coverage
33
OWASP Top Ten
A1. Cross Site Scripting (XSS)
A2. Injection Flaws
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross Site Request Forgery (CSRF)
A6. Leakage and Improper Error Handling
A7. Broken Authentication and Sessions
A8. Insecure Cryptographic Storage
A9. Insecure Communications
A10. Failure to Restrict URL Access
OWASP ESAPI
Validator, Encoder
Encoder
HTTPUtilities (upload)
AccessReferenceMap
User (csrftoken)
EnterpriseSecurityException, HTTPUtils
Authenticator, User, HTTPUtils
Encryptor
HTTPUtilities (secure cookie, channel)
AccessController
34. The OWASP Foundation
http://www.owasp.org
• Disgruntled staff
• Unintentional program execution
• Identify Training need, Certification
• Urgent and Frequent patches
• Selection of Third Party Libraries
• “Drive by” attacks, such as side
effects or direct consequences of a
virus, worm or Trojan attack
34
Why Static
Code Analysis