How to hack and secure your Java web applications

Transcription

1 How to hack and secure your Java web applications Sebastien Deleersnyder Board Member OWASP

2 Speaker s qualifications 5 years developer experience 8 years information security experience Lead application security Telindus, Belgacom ICT Belgian OWASP chapter founder OWASP board member 2

3 Overall Presentation Goal It is easy to hack Java web applications! so is securing them (with a little OWASP help)

4 OWASP?

5 OWASP The Open Web Application Security Project (OWASP) International not-for-profit charitable Open Source organization funded primarily by volunteers time, OWASP Memberships, and OWASP Conference fees Participation in OWASP is free and open to all 5

6 OWASP Mission to make application security "visible," so that people and organizations can make informed decisions about application security risks 6

7 OWASP Resources and Community Documentation (Wiki and Books) Code Review, Testing, Building, Legal, more Code Projects Defensive, Offensive (Test tools), Education, Process, more Chapters Over 130 and growing Conferences Major and minor events all around the world

8 9 8

9 130+ Chapters Worldwide 9

10 Hacking Java web applications

11 XSS? 11

12 XSS? 11

13 XSS? 11

14 XSS? 11

15 XSS? XSS = Cross-site Scripting 11

16 XSS? XSS = Cross-site Scripting Web application vulnerability 11

17 XSS? XSS = Cross-site Scripting Web application vulnerability Injection of code into web pages viewed by others 11

18 XSS? XSS = Cross-site Scripting Web application vulnerability Injection of code into web pages viewed by others XSS = new buffer overflow Javascript = new Shell Code 11

19 How is this possible? DATA CODE! Injected XSS (Stored) Blog comment, profile update, guestbook, Reflected XSS (Links!) Search result, error page, 12

20 DEMO XSS WebGoat + Firefox

21 Reality Check XSS on Italian Bank Inject IFRAME Login form from Taiwan Works over SSL! 14

22 XSS In 7 major Dutch Online Banks (яoиald) Postbank ABN AMRO SNS bank Fortis banking Delta Lloyd banking Spaarbeleg banking Insinger de Beaufort banking 15 Source: 0x com

23 SQLi? The ability to inject SQL commands into the database engine through an existing application 17 16

24 SQLi? The ability to inject SQL commands into the database engine through an existing application Database 17 16

25 SQLi? The ability to inject SQL commands into the database engine through an existing application Database 17 16

26 SQLi? The ability to inject SQL commands into the database engine through an existing application Database 17 16

27 DEMO SQLi WebGoat + WebScarab + Firefox

28 Reality Check MLSGear SQLi names, addresses, credit and debit card data, and passwords of an unknown number of people (169 New Hampshire residents) exposed 40 million credit cards from CardSystems, Inc Hackers Take Down Pennsylvania Government RIAA web site cleared An SQL injection Mass Robot Infamous Russian malware gang used SQL injection to penetrate US government sites Tucson, Arizona police web site defaced using SQL injection 18

29 Fixes XSS SQLi Input validation Output encoding Input validation Parameterized queries Least privilege 19

30 Securing Java web applications

31 OWASP Top 10 The Ten Most Critical Web Application Security Vulnerabilities 2007 Release A great start, but not a standard 21

32 Key Application Security Vulnerabilities A1: Cross Site Scripting (XSS) A2: Injection Flaws A3: Malicious File Execution A4: Insecure Direct Object Reference A8: Insecure Cryptographic Storage A7: Broken Authentication and Session A6: Information Leakage and Improper Error A5: Cross Site Request Forgery (CSRF) A9: Insecure Communications A10: Failure to Restrict URL Access 22

33 The Big 4 Documentation Projects Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR)

34 The Guide Complements OWASP Top p Book Free and open source Gnu Free Doc License Many contributors Apps and web services Most platforms Examples are J2EE, ASP.NET, and PHP Comprehensive Project Leader and Editor Andrew van der Stock,

35 Each Topic Includes Basic Information (like OWASP T10) How to Determine If You Are Vulnerable How to Protect Yourself Adds Objectives Environments Affected Relevant COBIT Topics Theory Best Practices Misconceptions Code Snippets - even Java

36 Testing Guide v2: Index 1. Frontispiece 2. Introduction 3. The OWASP Testing Framework 4. Web Application Penetration Testing 5. Writing Reports: value the real risk Appendix A: Testing Tools Appendix B: Suggested Reading Appendix C: Fuzz Vectors 26

37 What Is the OWASP Testing Guide? Testing Principles Testing Process Custom Web Applications Black Box Testing Grey Box Testing Risk and Reporting Appendix: Testing Tools Appendix: Fuzz Vectors Information Gathering Business Logic Testing Authentication Testing Session Management Testing Data Validation Testing Denial of Service Testing Web Services Testing Ajax Testing 27

38 How the Guide helps securing applications Testers A structured approach to the testing activities A checklist to be followed A learning and training tool Organisations A tool to understand web vulnerabilities and their impact A way to check the quality of security tests More generally, the Testing Guide aims to provide a pen-testing standard that creates a 'common ground' between the testing groups and its customers. This will raise the overall quality and understanding of this kind of activity and therefore the general level of security of our applications 28

39 OWASP Java Project Produce materials that show J2EE architects, developers and deployers how to deal with most common application security problems throughout the lifecycle. 29

40 J2EE Security for developers 2.1 Noteworthy Frameworks 2.2 Java Security Basics 2.3 Input Validation Overview 2.4 Input Validation 2.5 Authentication 2.6 Session Management 2.7 Authorization 2.8 Encryption o Preventing SQL Injection in Java 2.9 Error Handling & Logging o Preventing LDAP Injection in 2.10 JavaWeb Services Security o XPATH Injection 2.11 Code Analysis Tools o Miscellaneous Injection Attacks 30

41 Tools Best known OWASP Tools WebGoat WebScarab Exhaustive list: Tools

42 Tools At Best 45% Coverage 5,00 MITRE found that all application security tool vendors claims put together cover only 45% of the known vulnerability types (over 600 in CWE) Not Covered 55,00 They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

43 ESAPI Using security controls is different from building All the security guidelines, courses, tutorials, websites, books, etc are all mixed up because everyone builds their own controls Most developers shouldn t build security controls When to use a control How to use a control Why to use a control (maybe) Most enterprises need the same set of calls 33

44 The OWASP Enterprise Security API Cus Ent Authentic User AccessCo AccessRef Validator Encoder HTTPUtiliti Encryptor Encrypted Randomiz Exception Logger IntrusionD SecurityC Existing Enterprise Security Services/Libraries 34

45 Coverage OWASP Top Ten A1. Cross Site Scripting (XSS) A2. Injection Flaws A3. Malicious File Execution A4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error Handling A7. Broken Authentication and Sessions A8. Insecure Cryptographic Storage A9. Insecure Communications A10. Failure to Restrict URL Access OWASP ESAPI Validator, Encoder Encoder HTTPUtilities (upload) AccessReferenceMap User (csrftoken) EnterpriseSecurityException, HTTPUtils Authenticator, User, HTTPUtils Encryptor HTTPUtilities (secure cookie, channel) AccessController

46 Create Your ESAPI Implementation Your Security Services Wrap your existing libraries and services Extend and customize your ESAPI implementation Fill in gaps with the reference implementation Your Coding Guideline Tailor the ESAPI coding guidelines Retrofit ESAPI patterns to existing code 36

47 Want More? OWASP.NET Project OWASP ASDR Project OWASP AntiSamy Project OWASP AppSec FAQ Project OWASP Application Security Assessment Standards Project OWASP Application Security Metrics Project OWASP Application Security Requirements Project OWASP CAL9000 Project OWASP CLASP Project OWASP CSRFGuard Project OWASP CSRFTester Project OWASP Career Development Project OWASP Certification Criteria Project OWASP Certification Project OWASP Code Review Project OWASP Communications Project OWASP DirBuster Project OWASP Education Project OWASP Encoding Project OWASP Enterprise Security API OWASP Flash Security Project OWASP Guide Project OWASP Honeycomb Project OWASP Insecure Web App Project OWASP Interceptor Project OWASP JBroFuzz OWASP Java Project OWASP LAPSE Project OWASP Legal Project OWASP Live CD Project OWASP Logging Project OWASP Orizon Project OWASP PHP Project OWASP Pantera Web Assessment Studio Project OWASP SASAP Project OWASP SQLiX Project OWASP SWAAT Project OWASP Sprajax Project OWASP Testing Project OWASP Tools Project OWASP Top Ten Project OWASP Validation Project OWASP WASS Project OWASP WSFuzzer Project OWASP Web Services Security Project OWASP WebGoat Project OWASP WebScarab Project OWASP XML Security Gateway Evaluation Criteria Project OWASP on the Move Project OWASP JBroFuzz OWASP Java Project OWASP LAPSE Project OWASP Legal Project OWASP Live CD Project OWASP Logging Project OWASP Orizon Project OWASP PHP Project OWASP Pantera Web Assessment Studio Project OWASP SASAP Project OWASP SQLiX Project OWASP SWAAT Project OWASP Sprajax Project OWASP Testing Project OWASP Tools Project OWASP Top Ten Project OWASP Validation Project OWASP WASS Project OWASP WSFuzzer Project OWASP Web Services Security Project OWASP WebGoat Project OWASP WebScarab Project OWASP XML Security Gateway Evaluation Criteria Project OWASP on the Move Project 37

48 OWASP Projects Are Alive!

49 SDLC & OWASP Guidelines OWASP Framework 39

50 OWASP near you

51 56 videos - 40 h 41

52 Upcoming Conferences Colorado Mar 2009 AppSecUS DC Oct 2009 Dublin Jun 2009 Italy Feb 2009 AppSecEU Poland May 2009 Gold Coast Feb

53 Belgium Chapter Meetings Local Mailing List Presentations & Groups Open forum for discussion Meet fellow InfoSec professionals & developers Create (Web)AppSec awareness Local projects?

54 Subscribe to Chapter mailing list Post your (Web)AppSec questions Keep up to date! Get OWASP news letters Contribute to discussions! 44

55 Concluding statement YOU are part of the solution

56 Q&A

57 Thanks for your attention!