Security by Example
SANS AppSec 2014

About Frank Kim
- SANS Institute Curriculum Lead, Application Security
- Author, Secure Coding in Java
Outline
- Authentication
- Encryption
- Validation
- Wrap Up
Authentication
- Process of establishing and verifying an identity
- Can be based on three factors:
  - Something you know
  - Something you have
  - Something you are
Java EE Authentication
Configuration in web.xml:

  <!-- Every URL in the application requires an authenticated caller
       holding the logical role "user" or "admin" -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Example</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login: the container serves /login.jsp and, on failure, /loginerror.jsp -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
JAX-RS SecurityContext
- getAuthenticationScheme(): returns a String naming the authentication scheme used to protect the resource: BASIC, FORM or CLIENT_CERT
- getUserPrincipal(): returns a Principal object containing the username
- isUserInRole(String role): returns a boolean indicating whether the user has the specified logical role
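How a JAX-RS resource uses these three calls together, as an added example that is not from the talk: the container (web.xml above) authenticates the caller, and the resource adds the per-object check a URL-level constraint cannot express. The resource, path and "owner" rule are hypothetical.

```java
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// Hypothetical resource: the container's <auth-constraint> gets the caller past the door;
// SecurityContext is then used for the fine-grained decision that only the owner (or an
// admin) may read a given photo.
@Path("/photos")
public class PhotoResource {

    @GET
    @Path("/{owner}/{name}")
    @Produces("text/plain")
    public Response getPhoto(@PathParam("owner") String owner,
                             @PathParam("name") String name,
                             @Context SecurityContext sc) {
        Principal caller = sc.getUserPrincipal();
        if (caller == null) {
            // No authenticated identity: the request did not pass through the constraint
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Logical roles as declared in <role-name>; the container maps them to its realm
        boolean admin = sc.isUserInRole("admin");
        if (!admin && !sc.isUserInRole("user")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // Horizontal access control: the path's owner must match the principal unless admin
        if (!admin && !owner.equals(caller.getName())) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // The scheme (FORM, BASIC, CLIENT_CERT) is informational, useful for audit logs;
        // it is not a substitute for the role checks above
        String scheme = sc.getAuthenticationScheme();
        return Response.ok("photo " + name + " of " + owner
                + " served to " + caller.getName() + " via " + scheme).build();
    }
}
```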
(Slide residue: a JSON response listing the user's photos, e.g. "photo1.jpg", "photo3.jpg", "photo5.jpg"; the rest of the slide did not survive extraction.)
Issues
- Userid/password authentication is fine if the API is used only by your site
OAuth
- Way to authenticate a service
- Valet key metaphor coined by Eran Hammer-Lahav
OAuth Roles
- Client
- User
  - Person using the app
  - Also known as the "resource owner"
- Server
(Figure residue: a diagram of the OAuth flow between User, Tonr and Server; steps 2 to 5 did not survive extraction.)
1) You log in to Tonr
6) You are happy printing and viewing your pictures
Response:
{"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb",
"token_type":"bearer","expires_in":"42528",
"scope":"read write"}
Benefits
- No passwords shared between web apps
- No passwords stored on mobile devices
- Limits impact of security incidents:
  - If Tonr gets hacked, Sparklr revokes OAuth access
  - If Sparklr gets hacked, you change your Sparklr password but don't have to do anything on Tonr
  - If you lose your mobile device, you revoke the access Sparklr gave to the Tonr mobile app
OAuth Versions

Version  Comments
1.0      - Has a security flaw related to session fixation
         - Don't use it
1.0a     - Stable and well understood
         - Uses a signature to exchange credentials and signs every request
         - Signatures are more of a pain than it seems
2.0      - Spec is final with good support
OAuth 2.0 Authorization Grant Types
(The table's Description column did not survive extraction.)

Grant Type
- Authorization Code
- Implicit Grant
- Client Credentials
OAuth 2.0 Access Token Types
- Bearer
  - Large random token
  - Need SSL to protect it in transit
  - Server needs to store it securely, like a user password
- MAC
  - Uses a nonce to prevent replay
  - Does not require SSL
  - OAuth 1.0 only supported a MAC type token
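What "store it securely like a user password" looks like for a bearer token, as an added example that is not from the talk: the server keeps only a digest of the token, so a dumped token table yields nothing a client can present. The store class and in-memory map are hypothetical stand-ins for a database table.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical token store. Unlike a user password, a 256-bit random token cannot be
// guessed offline, so a plain SHA-256 digest (no salt, no slow hash) is enough to make
// the stored form useless to whoever reads the table.
public class BearerTokenStore {
    private final SecureRandom random = new SecureRandom();
    // digest(token) -> granted scope; constructed in-memory map standing in for a DB table
    private final Map<String, String> issued = new ConcurrentHashMap<>();

    // Issue a token: the plaintext goes to the client once (over TLS) and is never kept
    public String issue(String scope) {
        byte[] raw = new byte[32];                       // 256 bits of entropy
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        issued.put(digest(token), scope);
        return token;
    }

    // Resource server side: look the presented token up by digest; null means unknown
    public String scopeFor(String presentedToken) {
        return issued.get(digest(presentedToken));
    }

    // Revocation (the "Tonr gets hacked" case above) deletes the digest, so the
    // plaintext still held by the compromised client stops working immediately
    public boolean revoke(String presentedToken) {
        return issued.remove(digest(presentedToken)) != null;
    }

    private static String digest(String token) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] d = sha256.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```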
Outline
- Authentication
- Encryption
- Validation
- Wrap Up
Session Hijacking
(Figure residue, three slides: a diagram with Victim, Internet, mybank.com and Attacker; the diagram itself did not survive extraction.)
JAX-RS SecurityContext
- isSecure(): returns a boolean indicating whether the request was made via HTTPS
Secure Flag
- Ensures that the cookie is only sent via SSL
- Configure in web.xml as of Servlet 3.0:

  <session-config>
    <cookie-config>
      <secure>true</secure>
    </cookie-config>
  </session-config>

- Programmatically:

  Cookie cookie = new Cookie("mycookie", "test");
  cookie.setSecure(true);
Strict-Transport-Security
- Tells the browser to only talk to the server via HTTPS
- The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
- Subsequent requests to HTTP automatically use HTTPS
- Supported browsers: implemented in Firefox and Chrome
- Defined in RFC 6797

  Strict-Transport-Security: max-age=seconds [; includeSubDomains]
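The three encryption points above (isSecure(), the Secure cookie flag, the HSTS header) combined in one servlet filter, as an added example that is not from the talk. The filter name is hypothetical; it assumes it is mapped to /* in web.xml next to the cookie-config shown above.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: plain-HTTP requests are bounced to HTTPS so neither the
// application nor its cookies are ever served in the clear, and HTTPS responses
// carry the HSTS header so the browser stops sending HTTP requests at all.
public class HttpsEnforcementFilter implements Filter {
    // One year in seconds; includeSubDomains so cookies scoped to the parent
    // domain cannot leak via an HTTP request to some subdomain
    static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Same check SecurityContext.isSecure() exposes to JAX-RS resources
        if (!request.isSecure()) {
            String target = "https://" + request.getServerName() + request.getRequestURI();
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            response.sendRedirect(target);   // 302 to the HTTPS version of the same URL
            return;
        }
        // RFC 6797: browsers ignore the header on an HTTP response, so it is set only here
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```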
Outline
- Authentication
- Encryption
- Validation
- Wrap Up
Restrict Input
- Restrict to POST
- Use the @POST annotation
(Slide residue: the slide title and step 1 did not survive extraction.)
2) Victim visits attacker.com
3) Page contains CSRF code:

  <form action=https://mybank.com/transfer.jsp method=POST>
    <input name=recipient value=attacker>
    <input name=amount value=1000>
  </form>
  <script>document.forms[0].submit()</script>

4) Browser sends the request to mybank:

  POST /transfer.jsp HTTP/1.1
  Cookie: <mybank authentication cookie>

  recipient=attacker&amount=1000
CSRF Protection
- The OAuth 2.0 spec defines a "state" parameter that must be included in the redirect to the Client
- Value must be non-guessable and tied to the session
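An OAuth 2.0 client helper that meets both requirements, as an added example that is not from the talk or from spring-security-oauth: the state is random, stored in the browser session that began the login, and accepted once. The class, attribute name and the sparklr.example/tonr.example endpoints are hypothetical.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;

// Hypothetical client-side helper: "state" is unguessable, bound to the session,
// and verified exactly once when the authorization server redirects back.
public class OAuthState {
    private static final String ATTR = "oauth.pending.state";
    private static final SecureRandom RANDOM = new SecureRandom();
    // Hypothetical endpoints for a Sparklr-style server and a Tonr-style client
    static final String AUTHORIZE = "https://sparklr.example/oauth/authorize";
    static final String CALLBACK = "https://tonr.example/oauth/callback";

    // Step 1: build the redirect to the authorization server, remembering the state
    public static String authorizationUrl(HttpSession session, String clientId) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(ATTR, state);
        return AUTHORIZE + "?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(CALLBACK)
                + "&state=" + enc(state);
    }

    // Step 2: in the callback, verify state BEFORE exchanging the code for a token.
    // A callback the victim was tricked into loading carries no state this session issued.
    public static boolean verifyCallback(HttpSession session, String presentedState) {
        Object expected = session.getAttribute(ATTR);
        session.removeAttribute(ATTR);          // single use: a replayed callback fails
        if (expected == null || presentedState == null) {
            return false;                        // no login pending in this session
        }
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                presentedState.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }
}
```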
OWASP 1-Liner
- Deliberately vulnerable application
- Intended for demos and training
- Created by John Wilander (@johnwilander)
- More information at https://www.owasp.org/index.php/OWASP_1-Liner
JSON CSRF Demo
(Demo slides; no text survived extraction.)
CSRF Defense
- Must include something random in the request
- Use an anti-CSRF token
- OWASP CSRFGuard
  - Written by Eric Sheridan (@eric_sheridan)
  - Can inject the anti-CSRF token using:
    - JSP tag library - for manual, fine-grained protection
    - JavaScript DOM manipulation - for automated protection requiring minimal effort
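The check both injection styles feed, as an added example in the spirit of CSRFGuard but not its code: a filter that rejects any state-changing request lacking the per-session token, accepting it from a hidden field (JSP tag) or a header (JavaScript, which also covers JSON bodies). The class, attribute, parameter and header names are hypothetical; it assumes a /* mapping in web.xml.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter: the attacker.com page above can make the browser send the
// victim's cookie, but it cannot read the token out of the victim's session or pages,
// so its auto-submitted form is refused while legitimate forms and AJAX calls pass.
public class CsrfFilter implements Filter {
    static final String ATTR = "csrf.token", PARAM = "csrfToken", HEADER = "X-CSRF-Token";
    private static final SecureRandom RANDOM = new SecureRandom();

    // Pages call this to embed the token (hidden field or JS variable); one per session
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RANDOM.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(ATTR, token);
        }
        return token;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String method = request.getMethod();
        // Safe methods carry no token, which is why state changes are restricted to @POST
        if (method.equals("GET") || method.equals("HEAD")) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(ATTR);
        String presented = request.getHeader(HEADER);                    // AJAX/JSON clients
        if (presented == null) presented = request.getParameter(PARAM);  // HTML forms
        if (expected == null || presented == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```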
Outline
- Authentication
- Encryption
- Validation
- Wrap Up
Summary
- Authentication
- Encryption
  - Use SSL
  - Use the Secure flag
  - Use the Strict-Transport-Security header
- Validation
  - Restrict input
  - Protect your apps against CSRF
Thanks!
Frank Kim
wim@sans.org
@sansappsec
References
- JAX-RS 2.0
  - http://jcp.org/en/jsr/detail?id=339
  - https://jax-rs-spec.java.net/nonav/2.0/apidocs
- OAuth
  - http://tools.ietf.org/html/rfc6749
  - http://oauth.net
  - http://www.springsource.org/spring-security-oauth
  - http://pages.apigee.com/oauth-big-picture-ebook.html
  - http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
  - http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
- OWASP 1-Liner
  - https://www.owasp.org/index.php/OWASP_1-Liner
- CSRFGuard
  - https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
  - http://ericsheridan.blogspot.com/2010/12/how-csrfguard-protects-ajax.html