This document summarizes a presentation on securing Java web applications against the OWASP Top 10 (2007) security risks: cross-site scripting, injection flaws, malicious file execution, insecure direct object references, cross-site request forgery, information leakage and improper error handling, broken authentication and session management, insecure cryptographic storage, and insecure communications. For each risk it shows an example of how the flaw occurs and gives recommendations for preventing it, such as input validation, output encoding, secure configuration, access control, and use of SSL.
Xebia Knowledge Exchange - Owasp Top Ten
1. www.xebia.fr / blog.xebia.fr
OWASP Security Top Ten
OWASP top ten and Java protections
Cyrille Le Clerc
cleclerc@xebia.fr
Tuesday, November 24, 2009
2. OWASP Security Top Ten
This presentation is based on
OWASP Top 10 For Java EE
The Ten Most Critical Web Application Security
Vulnerabilities For Java Enterprise Applications
http://www.owasp.org/index.php/Top_10_2007
4. Cross Site Scripting (XSS)
What ?
A subset of HTML injection: data provided by a malicious user is rendered into a web page, and the script it carries executes in the victim's browser
Goal ?
Hijack user sessions, steal user data, deface the web site, etc.
Sample (value typed into a form field and echoed back unescaped)
lastName: Cyrille "><script ... />
5. Cross Site Scripting (XSS)
How to prevent it ?
Input Validation : JSR 303 Bean Validation (reduces the attack surface, but it is not a substitute for output escaping: a last name may legitimately contain an apostrophe or an ampersand)

Bean
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

public class Person {
    @Size(min = 1, max = 256)
    private String lastName;

    @Size(max = 256)
    @Pattern(regexp = ".+@.+\\.[a-z]+")
    private String email;
    ...
}

Controller
import javax.validation.Valid;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/person")
public class PersonController {
    @RequestMapping(method = RequestMethod.POST)
    public String save(@Valid Person person, BindingResult result) {
        if (result.hasErrors()) {
            return "person/edit"; // redisplay the form with the validation errors
        }
        // ...
        return "redirect:/person";
    }
}
6. Cross Site Scripting (XSS)
How to prevent it ?
HTML output escaping

JSTL: <c:out> escapes HTML by default
<h2>Welcome <c:out value="${person.lastName}" /></h2>

Expression Language danger: JSP EL does NOT escape !!!
<h2>Welcome ${person.lastName} NOT ESCAPED !!!</h2>

Spring MVC
» Global escaping (web.xml; applies to Spring's JSP tags such as <form:*>, <spring:bind> and <spring:message>, not to raw EL expressions)
<web-app>
  <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
  </context-param>
  ...
</web-app>
» Page level
<spring:htmlEscape defaultHtmlEscape="true" />
7. Cross Site Scripting (XSS)
How to prevent it ?
Use HttpOnly cookies
Cookies flagged HttpOnly are not accessible from JavaScript (document.cookie), so an XSS payload cannot read the session id and send it to the attacker. It does not stop the payload from making requests with the victim's session, so this is a mitigation, not a fix.

Introduced with Servlet 3.0 (Cookie.setHttpOnly)
cookie.setHttpOnly(true);

Since Tomcat 6.0.20 for session cookies (context.xml)
<Context useHttpOnly="true">
...
</Context>

Manual workaround: write the Set-Cookie header yourself
response.setHeader("Set-Cookie", "foo=" + bar + "; HttpOnly");

No web.xml configuration for JSESSIONID before Servlet 3.0 (which adds the <session-config>/<cookie-config>/<http-only> element)
8. Cross Site Scripting (XSS)
How to prevent it ?
Do not use blacklist validation but whitelist validation
Blacklist (forbidden: <script>, <img>, ...) is bypassed by encoding tricks, case variations and tags you forgot
Prefer wiki/forum white list style markup: [img], [url], [strong]; the server escapes everything and only turns the listed tags back into HTML
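The whitelist approach above, as an added example that is not part of the original slides: a renderer for a tiny forum-style markup. All user text is HTML-escaped first, then only [strong], [url=...] and [img] are converted to HTML, and link targets must be absolute http(s) URLs so javascript: and data: schemes never reach an attribute. The class name, the three tags and the URL character set are this example's own choices.

```java
// Added example (not from the original slides): whitelist markup -> HTML.
// Everything is escaped first, so <script>, <img onerror=...> etc. stay text;
// only the three listed tags are re-enabled, and URLs must be http(s).
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class WhitelistMarkup {

    private static final Pattern STRONG = Pattern.compile("\\[strong\\](.*?)\\[/strong\\]", Pattern.DOTALL);
    private static final Pattern URL = Pattern.compile("\\[url=([^\\]]+)\\](.*?)\\[/url\\]", Pattern.DOTALL);
    private static final Pattern IMG = Pattern.compile("\\[img\\]([^\\[]+)\\[/img\\]");
    // Absolute http(s) URL made only of URL characters. Quotes and < > have already
    // been turned into entities by escapeHtml, so the value cannot close the attribute.
    private static final Pattern SAFE_URL = Pattern.compile("https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+");

    private WhitelistMarkup() {}

    /** Escape the five characters that matter in HTML text and attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Replace each match of tag with the HTML produced by toHtml (literal, no $ expansion). */
    private static String replaceTag(String html, Pattern tag, Function<Matcher, String> toHtml) {
        Matcher m = tag.matcher(html);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(toHtml.apply(m)));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Render user text: escape everything, then re-enable only the whitelisted tags. */
    public static String render(String userText) {
        String html = escapeHtml(userText);
        html = replaceTag(html, STRONG, m -> "<strong>" + m.group(1) + "</strong>");
        html = replaceTag(html, URL, m -> SAFE_URL.matcher(m.group(1)).matches()
                ? "<a href=\"" + m.group(1) + "\" rel=\"nofollow\">" + m.group(2) + "</a>"
                : m.group(0)); // unsafe scheme: the (already escaped) markup stays visible as text
        html = replaceTag(html, IMG, m -> SAFE_URL.matcher(m.group(1)).matches()
                ? "<img src=\"" + m.group(1) + "\" alt=\"\" />"
                : m.group(0));
        return html;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the slide's XSS payload, legitimate markup, and two bypass attempts.
        String[] samples = {
            "Cyrille \"><script>alert(1)</script>",
            "[strong]hi[/strong] see [url=http://example.org/?a=1&b=2]here[/url]",
            "[url=javascript:alert(1)]click[/url] [img]http://example.org/a.png[/img]",
            "[img]x\" onerror=\"alert(1)[/img]"
        };
        for (String s : samples) {
            System.out.println(render(s));
        }
    }
}
```

Running main shows the first sample rendered as harmless text (the quote and angle brackets are entities), the second as a <strong> and an <a> whose href keeps the &amp; entity, and the javascript: link and the onerror attempt left as visible [url]/[img] text because they fail the SAFE_URL check.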
10. Injection Flaws
What ?
Malicious data provided by a user is interpreted by a back end as query or command syntax, and is used to read or modify sensitive data
Types of injection : SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, HTML, XML, OS command injection, HTTP requests, and many more
Goal ?
Create, modify, delete, read data
Sample (the quote closes the SQL string literal and the rest becomes a second statement)
lastName: Cyrille "; INSERT INTO MONEY_TRANSFER ...
11. Injection Flaws
How to prevent it ?
Input validation (narrows what an attacker can send; it does not replace parameterized queries)
XSD with regular expression, min and max values, etc
JSR 303 Bean Validation
12. Injection Flaws
How to prevent it ?
Use strongly typed parameterized query APIs: the parameter value is transmitted as data and is never parsed as part of the query or document

JDBC
preparedStatement.setString(1, lastName);

JPA
query.setParameter("lastName", lastName);

HTTP (Commons HttpClient: the value is URL-encoded by the API)
GetMethod getMethod = new GetMethod("/findPerson");
getMethod.setQueryString(new NameValuePair[]{new NameValuePair("lastName", lastName)});

XML (DOM: a text node can never become markup)
Element lastNameElt = doc.createElement("lastName");
lastNameElt.appendChild(doc.createTextNode(lastName));

XPath :-( (the standard API has no setParameter; binding the value through an XPath variable resolver is the closest equivalent)
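The XPath case from the slide above, as an added example that is not part of the original slides: a lookup written twice, once with the user value concatenated into the expression and once with the value bound to an XPath variable through JAXP's XPathVariableResolver, which is the standard way to keep the value out of the expression syntax. The XML document and the user payload are constructed for the demo.

```java
// Added example (not from the original slides): XPath injection and its fix via
// XPathVariableResolver. The users document is constructed sample data.
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public final class XPathLookup {

    // Constructed sample data: two users, one of them privileged.
    private static final String USERS_XML =
          "<users>"
        + "<user><login>cyrille</login><lastName>Le Clerc</lastName><role>user</role></user>"
        + "<user><login>admin</login><lastName>Root</lastName><role>admin</role></user>"
        + "</users>";

    /** Vulnerable: the user value becomes part of the XPath syntax. */
    static int countByLastNameUnsafe(Document doc, String lastName) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String expr = "/users/user[lastName='" + lastName + "']";
        NodeList nodes = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    /** Safe: the user value is bound to $lastName and compared as a plain string. */
    static int countByLastNameSafe(Document doc, final String lastName) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName name) {
                return "lastName".equals(name.getLocalPart()) ? lastName : null;
            }
        });
        NodeList nodes = (NodeList) xpath.evaluate("/users/user[lastName=$lastName]", doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Harden the parser too: no DOCTYPE means no external entity tricks.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        // Classic tautology payload: closes the literal and appends an always-true condition.
        String payload = "x' or '1'='1";
        System.out.println("unsafe, payload : " + countByLastNameUnsafe(doc, payload));
        System.out.println("safe,   payload : " + countByLastNameSafe(doc, payload));
        System.out.println("safe,   Le Clerc: " + countByLastNameSafe(doc, "Le Clerc"));
    }
}
```

With the payload, the concatenated expression matches every user in the document (including admin), while the variable-bound version matches none because the whole payload is compared as one literal string; the genuine last name still matches exactly one user.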
13. Injection Flaws
How to prevent it ?
If you cannot use a parameterized API, use escaping libraries very cautiously !!! The escaping must match the exact context the value is inserted into (HTML body, JavaScript string, URL query, XML text); the wrong one gives no protection.

HTML (Commons Lang)
"<h2> Hello " + StringEscapeUtils.escapeHtml(lastName) + " </h2>";

Javascript
"lastName = '" + StringEscapeUtils.escapeJavaScript(lastName) + "';";

HTTP
"/findPerson?lastName=" + URLEncoder.encode(lastName, "UTF-8");

XML
"<lastName>" + StringEscapeUtils.escapeXml(lastName) + "</lastName>";

Don't use simple escaping functions !
Caution ! Home made quote doubling is not SQL escaping: it ignores the database's own escape rules (backslashes, character set tricks) and does nothing for values inserted outside a quoted literal (numbers, column names):
StringUtils.replaceChars(lastName, "'", "''");
14. Injection Flaws
How to prevent it ?
Don't build dynamic queries by concatenating values ! The query text may be assembled dynamically, but every value must be bound as a parameter

Bad: the value is concatenated into the query
if (StringUtils.isNotEmpty(lastName)) {
    jpaQl += " lastName like '" + lastName + "'";
}

JPA 1 Query API: dynamic query text, values bound as named parameters
Map<String, Object> parameters = new HashMap<String, Object>();
if (StringUtils.isNotEmpty(lastName)) {
    jpaQl += " lastName like :lastName ";
    parameters.put("lastName", lastName);
}
Query query = entityManager.createQuery(jpaQl);
for (Entry<String, Object> parameter : parameters.entrySet()) {
    query.setParameter(parameter.getKey(), parameter.getValue());
}

Hibernate Criteria API (org.hibernate.criterion.Restrictions; JPA 2 provides an equivalent typed CriteriaBuilder API)
if (StringUtils.isNotEmpty(lastName)) {
    criteria.add(Restrictions.like("lastName", lastName));
}

Note that like still interprets % and _ in the bound value as wildcards; escape them if the user must not be able to widen the search.
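The same conditional query written with the JPA 2 Criteria API, as an added example that is not part of the original slides. The predicates are added dynamically, the values are bound as parameters, and the LIKE metacharacters in the user's input are escaped so the user cannot turn a prefix search into a full table scan. Person is assumed to be a mapped @Entity with lastName and email fields, and the EntityManager is assumed to be provided by the container or a test.

```java
// Added example (not from the original slides): dynamic query structure,
// parameterized values, escaped LIKE wildcards, using the JPA 2 Criteria API.
import java.util.ArrayList;
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;

public class PersonRepository {

    private final EntityManager entityManager;

    public PersonRepository(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    /** Escape LIKE metacharacters so a '%' or '_' typed by the user matches literally. */
    static String escapeLike(String value) {
        return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    /** Prefix search on lastName and/or exact match on email; both criteria optional. */
    public List<Person> find(String lastName, String email) {
        CriteriaBuilder cb = entityManager.getCriteriaBuilder();
        CriteriaQuery<Person> cq = cb.createQuery(Person.class);
        Root<Person> person = cq.from(Person.class);
        List<Predicate> where = new ArrayList<Predicate>();

        // Parameters are declared once and bound after the query is built.
        ParameterExpression<String> lastNameParam = cb.parameter(String.class, "lastName");
        ParameterExpression<String> emailParam = cb.parameter(String.class, "email");

        boolean hasLastName = lastName != null && lastName.length() > 0;
        boolean hasEmail = email != null && email.length() > 0;
        if (hasLastName) {
            // Third argument declares the escape character used by escapeLike.
            where.add(cb.like(person.<String>get("lastName"), lastNameParam, '\\'));
        }
        if (hasEmail) {
            where.add(cb.equal(person.<String>get("email"), emailParam));
        }
        cq.select(person).where(where.toArray(new Predicate[where.size()]));

        TypedQuery<Person> query = entityManager.createQuery(cq);
        if (hasLastName) {
            query.setParameter(lastNameParam, escapeLike(lastName) + "%");
        }
        if (hasEmail) {
            query.setParameter(emailParam, email);
        }
        return query.getResultList();
    }
}
```

Because the structure is built from typed objects rather than strings, there is no place for a value to become syntax; escapeLike closes the remaining gap, which is the user supplying "%" to list every person.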
15. Injection Flaws
How to prevent it ?
Enforce least privilege
Don't run as root
Limit database access to Data Manipulation Language (no DDL, no file or OS functions for the application account)
Limit file system access
Use firewalls to restrict both inbound connections from and outbound connections to the Internet
17. Malicious File Execution
What ?
A malicious file or file path provided by a user is used by the server to read, include or execute files
Goal ?
Read or modify sensitive data
Remotely execute files (rootkits, etc)
Sample (the relative path escapes the intended folder)
pictureName: ../../WEB-INF/web.xml
18. Malicious File Execution
How to prevent it ?
Don't build file paths from user provided data
Don't execute commands with user provided data
Expose an indirection identifier to users instead of the real file name
Use firewalls to prevent servers from connecting to outside sites

Vulnerable: path traversal (pictureName = ../../WEB-INF/web.xml resolves outside the pictures folder)
String picturesFolder = servletContext.getRealPath("/pictures");
String pictureName = request.getParameter("pictureName");
File picture = new File(picturesFolder + "/" + pictureName);

Vulnerable: exec(String) splits the command on whitespace, so user data becomes extra arguments to imageprocessor, and the file argument itself is still user controlled
Runtime.getRuntime().exec("imageprocessor " + request.getParameter("pictureName"));
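A hardened version of the picture lookup, as an added example that is not part of the original slides. Two independent checks are applied: the name must match a strict whitelist (a plain base name with a picture extension), and the canonical path of the resolved file must still lie under the pictures folder, which catches symlinks and platform path quirks the regex knows nothing about. The folder layout, the allowed extensions and the imageprocessor invocation are assumptions for this example.

```java
// Added example (not from the original slides): whitelist the name, then verify
// the canonical path stays inside the pictures folder; run external tools with
// the file as a separate argument rather than a concatenated command line.
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

public final class SafePictureResolver {

    // Plain base name with a picture extension: no separators, no ".." possible.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.(png|jpg|gif)");

    private final File picturesFolder;

    public SafePictureResolver(File picturesFolder) throws IOException {
        this.picturesFolder = picturesFolder.getCanonicalFile();
    }

    /** Returns the file to serve, or null if the name is not acceptable. */
    public File resolve(String pictureName) throws IOException {
        if (pictureName == null || !SAFE_NAME.matcher(pictureName).matches()) {
            return null;
        }
        File candidate = new File(picturesFolder, pictureName).getCanonicalFile();
        String folderPrefix = picturesFolder.getPath() + File.separator;
        if (!candidate.getPath().startsWith(folderPrefix)) {
            return null; // escaped the folder, e.g. through a symlink
        }
        return candidate.isFile() ? candidate : null;
    }

    /** The slide's hypothetical tool, invoked with argv, never through a shell string. */
    public static Process process(File picture) throws IOException {
        return new ProcessBuilder("imageprocessor", picture.getPath()).start();
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temporary pictures folder with one real file.
        File folder = new File(System.getProperty("java.io.tmpdir"), "pictures-demo");
        folder.mkdirs();
        File cat = new File(folder, "cat.png");
        cat.createNewFile();
        try {
            SafePictureResolver resolver = new SafePictureResolver(folder);
            String[] names = { "cat.png", "../../WEB-INF/web.xml", "cat.png/../../web.xml", "cat.png\u0000.txt", "dog.png" };
            for (String name : names) {
                System.out.println(name.replace("\u0000", "\\0") + " -> " + resolver.resolve(name));
            }
        } finally {
            cat.delete();
            folder.delete();
        }
    }
}
```

Only "cat.png" resolves to a file; the traversal attempts and the null-byte name fail the whitelist, and "dog.png" passes the whitelist but does not exist. The canonical-path check is kept even though the regex already excludes separators, so that a later relaxation of the whitelist does not silently reopen traversal.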
20. Insecure Direct Object Reference
What ?
User forgeable identifiers (database keys, file names) are transmitted to the client and used server side without checking that the user is allowed to access the referenced object
Goal ?
Create, modify, delete, read other users' data
Sample (the hidden id can be changed to another user's cart)
<html><body>
<form name="shoppingCart">
<input name="id" type="hidden" value="32" />
...
</form>
</body></html>
ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, req.getParameter("id"));
21. Insecure Direct Object Reference
How to prevent it ?
Input identifier validation
reject wildcards ("10%20"): with a like comparison, a % in the id matches any cart; compare identifiers with eq on a typed value instead
Add server side identifiers: scope the lookup by the authenticated user, so another user's id simply finds nothing
Control access permissions
See Spring Security

Criteria criteria = session.createCriteria(ShoppingCart.class);
criteria.add(Restrictions.eq("id", Long.valueOf(request.getParameter("id"))));
criteria.add(Restrictions.eq("clientId", request.getRemoteUser()));
ShoppingCart shoppingCart = (ShoppingCart) criteria.uniqueResult();
22. Insecure Direct Object Reference
How to prevent it ?
Use server side indirection with generated random identifiers
See org.owasp.esapi.AccessReferenceMap

Rendering: map the real id to a per-user random indirect id
String indirectId = accessReferenceMap.getIndirectReference(shoppingCart.getId());
<html><body>
<form name="shoppingCart">
<input name="id" type="hidden" value="${indirectId}" />
...
</form>
</body></html>

Processing: map back; an indirect id that was never issued to this user resolves to nothing
String indirectId = request.getParameter("id");
String id = accessReferenceMap.getDirectReference(indirectId);
ShoppingCart shoppingCart = entityManager.find(ShoppingCart.class, id);
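A minimal indirection map in the spirit of ESAPI's AccessReferenceMap, as an added example that is not part of the original slides or of ESAPI. Direct ids are replaced by random tokens that are only meaningful to the map that issued them; keeping one map per HttpSession (an assumption of this example, as are the token alphabet and length) means a token copied from one user's page resolves to nothing in another user's session.

```java
// Added example (not from the original slides, not ESAPI code): per-session
// random indirect references. Tokens come from SecureRandom; a token that this
// map never issued resolves to null, so a forged or borrowed id finds nothing.
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public final class IndirectReferenceMap {

    // Unambiguous alphabet (no 0/O, 1/l/I), 54 symbols; 12 symbols is about 69 bits of entropy.
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
    private static final int TOKEN_LENGTH = 12;

    private final SecureRandom random = new SecureRandom();
    private final Map<String, String> directToIndirect = new HashMap<String, String>();
    private final Map<String, String> indirectToDirect = new HashMap<String, String>();

    /** Returns the token for this direct id, issuing a fresh random one the first time. */
    public synchronized String getIndirectReference(String directId) {
        String token = directToIndirect.get(directId);
        if (token == null) {
            do {
                token = randomToken();
            } while (indirectToDirect.containsKey(token));
            directToIndirect.put(directId, token);
            indirectToDirect.put(token, directId);
        }
        return token;
    }

    /** Returns the direct id, or null if the token was never issued by this map. */
    public synchronized String getDirectReference(String token) {
        return token == null ? null : indirectToDirect.get(token);
    }

    private String randomToken() {
        StringBuilder sb = new StringBuilder(TOKEN_LENGTH);
        for (int i = 0; i < TOKEN_LENGTH; i++) {
            sb.append(ALPHABET.charAt(random.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // In a web application: one instance stored as an HttpSession attribute per user.
        IndirectReferenceMap aliceSession = new IndirectReferenceMap();
        IndirectReferenceMap mallorySession = new IndirectReferenceMap();

        String token = aliceSession.getIndirectReference("32"); // the slide's cart id
        System.out.println("alice's form carries          : " + token);
        System.out.println("alice resolves it to          : " + aliceSession.getDirectReference(token));
        System.out.println("mallory resolves it to        : " + mallorySession.getDirectReference(token));
        System.out.println("the raw id '32' resolves to   : " + aliceSession.getDirectReference("32"));
        System.out.println("same id, same token for alice : " + token.equals(aliceSession.getIndirectReference("32")));
    }
}
```

Alice's token resolves back to "32" in her own map, while Mallory's map and the raw "32" both resolve to null; the map is stable, so rendering the same cart twice in one session yields the same token. This removes the guessable identifier from the client, but the server side ownership check of the previous slide should be kept as well: indirection hides ids, authorization is what actually protects the data.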
24. Cross Site Request Forgery (CSRF)
What ?
The attacker assumes that the victim is logged in to another web site and makes the victim's browser send a malicious request to it; the browser attaches the victim's session cookie automatically
Ajax web sites are very exposed !
Goal ?
Perform operations on the victim's behalf without asking the user
Sample (a link or image source on the attacker's page)
http://mybank.com/transfer.do?amount=100000&recipientAccount=12345
25. Cross Site Request Forgery (CSRF)
How to prevent it ?
Ensure that no XSS vulnerability exists in your application (an XSS payload can read the anti-CSRF token from the page and defeat it)
Use a random, unpredictable token in sensitive forms, tied to the user's session and verified on the server for every state changing request
Spring Web Flow and Struts 2 provide such random token mechanisms
Re-authenticate the user for sensitive operations
Use POST for state changing operations; a GET like the transfer URL above should never have side effects

<form action="/transfer.do" method="post">
<input name="token" type="hidden" value="14689423257893257" />
<input name="amount" />
...
</form>
27. Information Leakage and Improper Exception Handling
What ?
Sensitive implementation details (stack traces, SQL statements, file paths, library and server versions) are given to attackers
Usually through unhandled exceptions
Goal ?
Discover code details in order to find vulnerabilities
29. Information Leakage and Improper Exception Handling
How to prevent it ?
Avoid detailed error messages
Beware of development mode messages !

web.xml: send every Throwable to a generic error page (add <error-code> entries for 404 and 500 as well, otherwise the container's own error page, which includes the server version, is still used)
<web-app>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/empty-error-page.jsp</location>
  </error-page>
  ...
</web-app>

Tomcat (server.xml): replace the default error report valve, which prints the stack trace and the Tomcat version, with a custom one (a subclass of org.apache.catalina.valves.ErrorReportValve that emits nothing)
<Server ...>
  <Service ...>
    <Engine ...>
      <Host errorReportValveClass="com.mycie.tomcat.EmptyErrorReportValve" ...>
        ...
      </Host>
    </Engine>
  </Service>
</Server>
30. Information Leakage and Improper Exception Handling
How to prevent it ?
Don't display stack traces in SOAP Faults
Sanitize GUI error messages so they don't reveal which part of the input was wrong
Sample : "Invalid login or password" rather than "Unknown login" / "Wrong password" (the latter lets an attacker enumerate valid logins)
32. Broken Authentication and Session Management
What ?
Web authentication and session handling have many pitfalls
Goal ?
Hijack user sessions
33. Broken Authentication and Session Management
How to prevent it ?
Log session initiation and sensitive data access
Remote IP, time, login, sensitive data & operation accessed
Use a dedicated log4j output file that is rolled, never overwritten
Use out of the box session and authentication mechanisms
Don't create your own cookies
Look at Spring Security

log4j.properties
#Audit
log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.audit.datePattern='-'yyyyMMdd
log4j.appender.audit.file=audit.log
log4j.appender.audit.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.audit.layout.conversionPattern=%m %throwable{short}%n
log4j.logger.com.mycompany.audit.Audit=INFO, audit
log4j.additivity.com.mycompany.audit.Audit=false
34. Broken Authentication and Session Management
How to prevent it ?
Use SSL and a random token for authentication pages, including the login page display (so the form itself cannot be tampered with in transit)
Regenerate a new session on successful authentication (prevents session fixation)
Use HttpOnly session cookies, don't use URL rewriting based session handling (the session id leaks in logs, bookmarks and Referer headers)
Prevent brute force attacks using timeouts or account locking on authentication failures
Don't store clear text passwords, consider SSHA (salted SHA; a deliberately slow hash such as bcrypt or PBKDF2 resists offline cracking better)
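Two pieces of a login handler covering the hashing and session points above, as an added example that is not part of the original slides. hashPassword/verifyPassword implement the LDAP {SSHA} format the slide names (SHA-1 over password and a random 8 byte salt, digest and salt stored base64 encoded) with a constant time comparison; migrateSession issues a fresh session id after a successful login while keeping the pre-login attributes. Java 8 is assumed for java.util.Base64, the Servlet API is assumed on the classpath, and the salt length is this example's choice.

```java
// Added example (not from the original slides): {SSHA} password storage and
// session id regeneration on login. SHA-1 is fast, so prefer bcrypt/PBKDF2 for
// new designs; the SSHA format is kept because the slide recommends it.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class LoginSupport {

    private static final int SALT_LENGTH = 8;   // assumption of this example
    private static final int SHA1_LENGTH = 20;  // SHA-1 digest size in bytes
    private static final SecureRandom RANDOM = new SecureRandom();

    private LoginSupport() {}

    /** {SSHA} + base64( sha1(password || salt) || salt ) with a fresh random salt. */
    public static String hashPassword(String password) {
        byte[] salt = new byte[SALT_LENGTH];
        RANDOM.nextBytes(salt);
        byte[] digest = sha1(password.getBytes(StandardCharsets.UTF_8), salt);
        byte[] stored = new byte[digest.length + salt.length];
        System.arraycopy(digest, 0, stored, 0, digest.length);
        System.arraycopy(salt, 0, stored, digest.length, salt.length);
        return "{SSHA}" + Base64.getEncoder().encodeToString(stored);
    }

    /** Recompute with the stored salt and compare in constant time. */
    public static boolean verifyPassword(String password, String stored) {
        if (password == null || stored == null || !stored.startsWith("{SSHA}")) {
            return false;
        }
        byte[] decoded = Base64.getDecoder().decode(stored.substring("{SSHA}".length()));
        if (decoded.length <= SHA1_LENGTH) {
            return false; // digest must be followed by at least one salt byte
        }
        byte[] digest = Arrays.copyOfRange(decoded, 0, SHA1_LENGTH);
        byte[] salt = Arrays.copyOfRange(decoded, SHA1_LENGTH, decoded.length);
        byte[] actual = sha1(password.getBytes(StandardCharsets.UTF_8), salt);
        return MessageDigest.isEqual(digest, actual);
    }

    private static byte[] sha1(byte[] password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            md.update(password);
            md.update(salt);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is mandatory in every JRE", e);
        }
    }

    /** Invalidate the pre-login session and copy its attributes into a brand new one. */
    public static HttpSession migrateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // new JSESSIONID, unknown to the fixation attacker
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    public static void main(String[] args) {
        String stored = hashPassword("correct horse");
        System.out.println(stored);
        System.out.println(verifyPassword("correct horse", stored));
        System.out.println(verifyPassword("correct horsf", stored));
        System.out.println(verifyPassword("correct horse", "{SSHA}AAAA"));
    }
}
```

Hashing the same password twice yields two different strings because of the random salt, yet both verify; a one character difference or a truncated stored value is rejected. Call migrateSession right after the credentials have been accepted and before anything is written to the session; on Servlet 3.1 containers HttpServletRequest.changeSessionId() does the same without the attribute copy.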
35. Broken Authentication and Session Management
How to prevent it ?
Use a session timeout period
Remember Me cookies must be invalidated on password change (see Spring Security)
Beware not to write passwords in log files
Server generated passwords (lost password, etc) must be valid only once
Be able to distinguish SSL communications (request.isSecure()), so that an authenticated session is never honoured over plain HTTP
36. Broken Authentication and Session Management
How to prevent it ?
For server to server communication, use remote IP control in addition to password validation (check the socket's remote address or the firewall rule, not a client supplied header such as X-Forwarded-For)
41. Insecure Communications
What ?
Unencrypted communications are easy to eavesdrop on and tamper with
Goal ?
Steal sensitive data, hijack user sessions
42. Insecure Communications
How to prevent it ?
Use SSL with the Servlet API

Check at runtime whether the current request came over SSL
request.isSecure()

Declare it in web.xml: the container refuses plain HTTP for the matched URLs (Tomcat redirects to the connector's redirectPort)
<web-app ...>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted web services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  ...
</web-app>
43. Insecure Communications
How to prevent it ?
Use SSL with Spring Security (requires-channel="https" redirects HTTP requests to HTTPS; /services/** matches nested paths as well)
<beans ...>
  <sec:http auto-config="true">
    <sec:intercept-url
        pattern="/services/**"
        requires-channel="https"
        access="IS_AUTHENTICATED_FULLY" />
  </sec:http>
</beans>