Slides from my talk at DevoxxBE 2018

1. 10 MISTAKES HACKERS WANT
YOU TO MAKE
JOE KUTNER

2. HELLO
JOE KUTNER
▸ @codefinger
▸ Java Language Owner

3. Security is hard

4. Security is an
asymmetric problem

5. SECURITY IS LIKE A RUBIK'S CUBE

7. #1 #2
#3 #4 #5
#6 #7
#8 #9
#10

8. USING DEPENDENCIES
WITH KNOWN
VULNERABILITIES
MISTAKE #1

9. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
▸ More than 70% of real-world attacks exploit a known
vulnerability for which a fix is available but has not yet
been applied
http://www.verizonenterprise.com/verizon-insights-lab/dbir/

12. Equifax has been intensely investigating the scope of the intrusion with the
assistance of a leading, independent cybersecurity firm to determine what
information was accessed and who has been impacted. We know that
criminals exploited a U.S. website application vulnerability. The vulnerability
was Apache Struts CVE-2017-5638. We continue to work with law
enforcement as part of our criminal investigation, and have shared indicators
of compromise with law enforcement.
Equifax Statement
IT WAS CVE-2017-5638
https://help.equifax.com/s/article/What-was-the-vulnerability

13. MARCH 10, 2017
https://nvd.nist.gov/vuln/detail/CVE-2017-5638

14. HOW IT HAPPENED...
TIMELINE (2017)
▸ March 6:
CVE-2017-5638 (S2-045) discovered
▸ March 7:
Struts 2.3.32 and 2.5.10.1 released with a fix
▸ May to July:
Equifax says hackers gained unauthorized access to its data
▸ July 29:
Equifax discovers the hack and immediately stops the intrusion
▸ September 7:
Equifax officially alerts the public

15. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
THE EQUIFAX HACK WAS A WAKE-UP CALL!
▸ If a vulnerability was discovered in one of the frameworks you
use, would you know about it?

16. CVE-2017-8046
"SPRING BREAK"

18. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
AUTOMATE DEPENDENCY MANAGEMENT
Versions Plugin

19. USING DEPENDENCIES WITH KNOWN VULNERABILITIES
$ mvn versions:display-parent-updates
...
[INFO] The parent project has a newer version:
[INFO] org.springframework.boot:spring-boot-starter-parent
1.5.6.RELEASE -> 2.0.1.RELEASE
$ mvn versions:update-parent
...
[INFO] Updating parent from 1.5.6.RELEASE to 2.0.1.RELEASE

20. NOT GOOD
ENOUGH

21. USING DEPENDENCIES WITH KNOWN VULNERABILITIES

23. STILL NOT GOOD
ENOUGH

24. https://snyk.io
Continuous Vulnerability
Detection & Resolution

29. THIS IS GOOD

30. KNOW YOUR DEPENDENCIES
TAKE ACTION!
1. Automate: mvn versions:update-parent
2. Generate dependency reports
3. Use dependency monitoring: https://snyk.io
4. Watch NVD feeds: https://nvd.nist.gov/

31. UNSANITIZED
USER INPUT
MISTAKE #2

33. UNSANITIZED USER INPUT
SIZE MATTERS

34. UNSANITIZED USER INPUT
TYPES OF INPUT
▸ Username and Password
▸ Request body
▸ Request headers
▸ Query params

35. UNSANITIZED USER INPUT
SOLUTIONS:
▸ Prepared Statements
▸ JSR 303 Annotations
▸ @Size
▸ @Max
▸ @NotBlank

36. UNSANITIZED USER INPUT
{
"name" : "Bob",
"age" : 13,
"other" : {
"type" : "student"
}
}

37. UNSANITIZED USER INPUT
{
"id": 124,
"obj" : [ "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
{
"transletBytecodes" : [ "AAIAZQ==" ],
"transletName" : "a.b",
"outputProperties" : { }
}
]
}

39. UNSANITIZED USER INPUT
SOLUTIONS:
▸ JSON Schema Validation
▸ https://github.com/everit-org/json-schema
▸ https://github.com/java-json-tools/json-schema-validator

40. UNSANITIZED USER INPUT

42. UNSANITIZED USER INPUT
TAKE ACTION!
1. Treat user input like a nuclear bomb
2. Use JSON Schema for your inputs
3. Validate JSON payloads with a Filter

43. UNSANITIZED USER INPUT
BUT REMEMBER...
▸ Input validation is a defensive layer to limit what input a user
may submit into an application, it’s often not a layer you can
depend on.
▸ You can build a completely secure web application and skip all
input validation... but I don't recommend it.

44. UNSAFE REGEX
MISTAKE #3

45. UNSAFE REGEX
(a|aa)+
"aaaaaaaaaaaaaaaaaaaaaaaa!"

46. UNSANITIZED USER INPUT
REGEX DENIAL-OF-SERVICE
▸ Occurs when regular expressions are authored in such a way
that the time it takes to compute the regular expression grows
exponentially related to input size.
▸ Attackers can exploit such a vulnerability to cause a denial of
service in your application by sending a relatively tiny amount
of data and forcing your application to consume a huge
number of server cycles in validating it.

48. KNOW YOUR DEPENDENCIES
TAKE ACTION!

49. UNSAFE REGEX
$ java -jar saferegex.jar "(a|aa)+"
Testing: (a|aa)+
More than 10000 samples found.
***
This expression is vulnerable.
Sample input: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab

50. FAILURE TO PREVENT
ABUSIVE REQUESTS
MISTAKE #4

51. ABUSIVE REQUESTS
SOLUTIONS:
▸ Throttle by IP
▸ Sometimes by user-agent, and other headers
▸ Blacklist

52. RATE-LIMITING
Bucket4j
▸ Use token bucket algorithm for rate-limiting
▸ Support for clustering (via JSR 107)
▸ Highly configurable bandwidths
▸ Both synchronous and asynchronous API
▸ Use by JHipster API Gateway

53. pom.xml
RATE-LIMITING
Bucket4j

54. application.yml
RATE-LIMITING
Bucket4j

56. MISCONFIGURING
SPRING-SECURITY
MISTAKE #5

58. "We identified security
vulnerabilities in the
suggested code
of accepted answers
[on Stackoverflow.com]"

59. MISCONFIGURING SPRING-SECURITY
COMMON CHALLENGES
▸ Overzealous antMatchers with permitAll
▸ Invocation order between HttpSecurity methods
▸ Converting from XML-based to Java-based configurations
▸ Implicit constraints are not documented

60. MISCONFIGURING SPRING-SECURITY
SUB-TEXT
▸ Don't trust people on the Internet

61. SECRETS IN YOUR
SOURCE CODE
MISTAKE #6

63. "...the codebase could be
made open source at any
moment, without
compromising any
credentials."

64. SECRETS IN YOUR SOURCE CODE
TAKE ACTION!
▸ Environment variables
▸ Spring Cloud Config
▸ Hashicorp Vault

65. ALLOWING HTTP
REQUESTS
MISTAKE #7

66. ALLOWING HTTP REQUESTS
DISABLE HTTP IN SPRING

67. ALLOWING HTTP REQUESTS

68. DISABLING
CERTIFICATE CHECKING
MISTAKE #8

69. DISABLING CERTIFICATE CHECKING
HAVE YOU SEEN THIS EXCEPTION?
Exception in thread "main" javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: signature check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
... 20 more
Caused by: java.security.cert.CertPathValidatorException: signature check faile
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMa
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPath
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPath
... 26 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.j
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
... 31 more

70. DISABLING CERTIFICATE CHECKING
ADD THE CERT TO YOUR TRUSTSTORE
$ keytool -keystore <truststore file> -alias <alias>
-import -file <certfilename>.cert

72. DISABLING CERTIFICATE CHECKING
TAKE ACTION
▸ Don't trust people on the Internet
▸ Use HTTPS everywhere
▸ Validate certificates with EnvKeyStore

73. LACK OF INTRUSION
DETECTION
MISTAKE #9

74. LOGGING

75. WHAT TO LOG?
▸ Logins (Successful and Failed)
▸ Logouts
▸ Password changes
▸ User profile changes
▸ Password reset
▸ User de-registration
▸ Authorization failures
▸ Changes to access levels
▸ Operational activities
(backups)
▸ Input validation failures
▸ Any sensitive operation

76. WHAT NOT TO LOG
▸ Session ID (hash instead)
▸ Passwords
▸ Anything sensitive

77. WHAT NOT TO LOG
▸ In 2012, Radu Dragusin discovered a log file on a public IEEE
FTP server that contained more than 100,000 usernames and
passwords
▸ Google, Apple, Microsoft, Oracle, IBM

78. IN ADDITION TO INFO, WARN, DEBUG, ETC
HOW TO LOG
▸ SECURITY_SUCCESS
▸ SECURITY_FAILURE
▸ SECURITY_AUDIT

79. USE CUSTOM MARKERS
LOGBACK
log.warn(SecurityMarkers.SECURITY_AUDIT,
"Anonymous account access. Forwarding to login");
log.error(SecurityMarkers.SECURITY_FAILURE,
"Unauthorized user {} attempted admin access",
user.getUsername());

80. DETECTION

81. APP LAYER INTRUSION DETECTION
▸ Traditional intrusion detection systems focus on attacks below
the HTTP layer
▸ They do not provide context within the application
environment

82. OWASP APP SENSOR PROJECT
▸ Detect and respond to attacks from within the application

83. http://www.appsensor.org/

84. WEB APP APPSENSOR
Events
Response

85. WEB APP APPSENSOR
HEY, THIS
LOOKS WEIRD
NAH, IT'S
COOL

86. WEB APP APPSENSOR
LOOKS LIKE
AN ATTACK!
OK, I'LL
BLOCK THAT
USER
HEY, THIS
LOOKS WEIRD

87. WEB APP APPSENSOR
Event
Event
Event
Attack!
Response
Action

88. @Path("/accounts") public class AccountViewHandler {
@Inject
AppSensorClient ids;
@GET @Path("/view") Account findAccount(@QueryParam("id") String id)
throws NotAuthorizedException {
User user = UserContext.getCurrentUser();
if (!user.isAuthorized(Data.Account, id)) {
Event event = new Event(
new User(
user.getUsername()),
DetectionPoints.BRUTE_FORCE_ACCOUNT);
ids.addEvent(event);
throw new NotAuthorizedException(
"Not authorized to access this account.");
}
Account account = accountDao.find(id);
return account;
}
}

90. TAKE ACTION
INTRUSION DETECTION
▸ Log all security related actions
▸ Except secrets
▸ Monitor your logs
▸ Add Detection Points
▸ React to Detection Point Triggers

91. YOU!
MISTAKE #10

92. YOU
HUMAN ERROR
▸ Not using Two-Factor Auth
▸ Leaving Your Laptop Unlocked
▸ Reusing Passwords

93. REVIEW
10 MISTAKES HACKERS WANT YOU TO MAKE
▸ Using dependencies with
known vulnerabilities
▸ Unsanitized user input
▸ Unsafe regex
▸ Failure to prevent abusive
requests
▸ Misconfigure Spring Security?
▸ Allowing HTTP requests
▸ Disabling certificate checking
▸ Secrets in source code
▸ Lack of intrusion detection
▸ You!

95. GOODBYE
THANK YOU
▸ @codefinger