Securing Apache Tomcat. AppSec DC November The OWASP Foundation

Similar documents
Securing Apache Tomcat for your environment. Mark Thomas March 2009

Introducing Apache Tomcat 7

Securing ArcGIS Services

COPYRIGHTED MATERIAL

TIBCO Cloud Integration Security Overview

Security Enhancements in Informatica 9.6.x

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Bank Infrastructure - Video - 1

Solutions Business Manager Web Application Security Assessment

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Java.. servlets and. murach's TRAINING & REFERENCE 2ND EDITION. Joel Murach Andrea Steelman. IlB MIKE MURACH & ASSOCIATES, INC.

Scan Report Executive Summary

Secure Application Development. OWASP September 28, The OWASP Foundation

Your Turn to Hack the OWASP Top 10!

Going Without CPU Patches on Oracle E-Business Suite 11i?

Let s Encrypt Apache Tomcat * * Full disclosure: Tomcat will not actually be encrypted.

Application security : going quicker

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

COMP9321 Web Application Engineering

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Web Application Whitepaper

Evaluation Criteria for Web Application Firewalls

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

epldt Web Builder Security March 2017

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

COMP9321 Web Application Engineering

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Symbolic Links 4. Deploy A Firewall 5

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

Red Hat JBoss Web Server 3

Evaluating the Security Risks of Static vs. Dynamic Websites

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Protect your apps and your customers against application layer attacks

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Scan Report Executive Summary

Securing ArcGIS Server Services An Introduction

PCI DSS Compliance. White Paper Parallels Remote Application Server

EasyCrypt passes an independent security audit

Certified Secure Web Application Engineer

Project and Portfolio Management Center

Integrigy Consulting Overview

Application Layer Security

TomcatCon London 2017 Clustering Mark Thomas

CSWAE Certified Secure Web Application Engineer

DreamFactory Security Guide

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

Host Website from Home Anonymously

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Strategic Infrastructure Security

C1: Define Security Requirements

10 FOCUS AREAS FOR BREACH PREVENTION

Combating Common Web App Authentication Threats

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Configuring User Defined Patterns

Network Security and Cryptography. 2 September Marking Scheme

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

AppSpider Enterprise. Getting Started Guide

1 About Web Security. What is application security? So what can happen? see [?]

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Certified Secure Web Application Security Test Checklist

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Information Security Policy

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Web Application Penetration Testing


Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

CIS Apache Tomcat 7 Benchmark

SDR Guide to Complete the SDR

HPE Project and Portfolio Management Center

IEEE Sec Dev Conference

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

Open XML Gateway User Guide. CORISECIO GmbH - Uhlandstr Darmstadt - Germany -

A (sample) computerized system for publishing the daily currency exchange rates

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

Development*Process*for*Secure* So2ware

InterCall Virtual Environments and Webcasting

OWASP TOP 10. By: Ilia

Web Application Vulnerabilities: OWASP Top 10 Revisited

Test Harness for Web Application Attacks

Sichere Software vom Java-Entwickler

Transcription:

Securing Apache Tomcat AppSec DC November 2009 Mark Thomas Senior Software Engineer & Consultant SpringSource mark.thomas@springsource.com +44 (0) 2380 111500 Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Introductions Apache Tomcat committer and PMC member Tomcat Security Team member Apache Software Foundation (ASF) Member ASF Security Team member SpringSource Security Team lead Also contribute to: Commons POOL, Commons DBCP, Commons Daemon, Apache Infrastructure 2

Agenda Background Threats Keeping up to date Operating system Tomcat Passwords in configuration files Web applications Policy & Process 3

Background There is no one right security configuration Security always requires trade-offs Don't assess systems in isolation Remember: Confidentiality Availability Integrity Tomcat is reasonably secure by default Tomcat can't protect against a fundamentally insecure web application 4

Threats Rarely receive reports of threats / attacks in the wild Last instance was June/July 2008 Multiple reports of 'rouge' web applications Provided shell access to server via a JSP Infection traced to weak passwords on internet facing manager application Why was the manager application publicly accessible? Why were the passwords so weak? Why were the brute-force attacks not prevented? 5

Threats (cont.) More likely to see availability issues Application bugs Performance issues Downtime for maintenance / upgrades Impact is likely to be lower than for a security breach Slow trickle of vulnerabilities reported by security researchers CVE-2008-5515 RequestDispatcher directory traversal CVE-2009-0033 mod_jk DOS via HTTP headers 6

Keeping up to date Tomcat Announcements mailing list announce-subscribe@tomcat.apache.org Very low traffic (9 messages in three months) Every release Every security vulnerability Other sources of information bugtraq, full-disclosure, ASF announcements list 7

Operating system Standard advice applies Do not run Tomcat as root Use a user with the minimum necessary permissions Listening on privileged ports JSVC from Commons Daemon Front using Apache httpd Use iptables to map ports 8

Operating system (cont.) Does the tomcat user need to be able to anything more than read files? Modify start-up scripts? Modify configuration files? Add new web applications? OS level firewall Block everything by default and then allow the bare minimum Outgoing http requests (often used by malicious software) 9

Tomcat: Deployment Host settings autodeploy deployonstartup deployxml How much do you trust your web applications? If you don t, you should be using a security manager 10

Tomcat: SecurityManager Runs all web applications in a sandbox catalina.policy file controls what each web application is permitted to do e.g.: File & network access Calling System.exit() Not widely used Not tested as thoroughly Prior to Tomcat 6.0.21 (not yet released) several EL failures with a security manager Likely to break your web application 11

Tomcat: Logging Enable the AccessLogValve If using Tomcat behind a reverse proxy (httpd, IIS, etc) enable access logging there too Useful diagnostics tool, not just for security breaches Usually configured per Host but can be configured at Engine or Context level if preferred 12

Tomcat: Manager application If you don't need it, don't deploy it If you do need it: Limit access to known IP addresses Use strong passwords Don't browse untrusted sites whilst logged in to the manager application Log off (close your browser) when you are done Use a lock-out realm (see realm slides) The same guidelines apply for any administrative application 13

Tomcat: Realms Tomcat provides a number of Realm implementations Don't use: MemoryRealm JDBCRealm Be careful with the JAASRealm That leaves: UserDatabaseRealm JNDIRealm DataSourceRealm 14

Tomcat: Realms (cont.) UserDatabaseRealm Replacement for MemoryRealm Based on tomcat-users.xml Convoluted to update user database (via JMX) Good for small numbers of fairly static users DataSourceRealm Replacement for the JDBCRealm JNDIRealm Effectively single threaded 15

Tomcat: Realms (cont.) Issues with all of the Realms Allow unlimited authentication attempts You could only have one Realm per Engine, Host or Context Unlimited authentication attempts permit brute force attacks Made attacks in June 2008 easier Introduced LockOut realm to address this Additional benefit was the creation of the CombinedRealm that allows multiple Realms to be used together 16

Tomcat: System properties org.apache.catalina. STRICT_SERVLET_COMPLIANCE Will add a character encoding header when calling getwriter() - reduces exposure to UTF-7 XSS org.apache.coyote. USE_CUSTOM_STATUS_MSG_IN_HEADER Ensure ISO-8859-1 encoding 17

Tomcat: Miscellaneous Disable shutdown port <Server port= -1 /> Do connectors have to listen on all interfaces? <Connector address= /> Pros and cons of advertising server version <Connector server= Apache-Coyote/1.1 /> 18

Tomcat: Passwords server.xml or context.xml Why is the password in plain text? Tomcat needs the plain text password to connect to the external resource Encrypting the password means Tomcat would need a decryption key back to the original problem Consider the risks Remote information disclosure Is the password usable remotely? If yes, why? Local information disclosure There are likely to be bigger issues to worry about 19

Tomcat: Passwords (cont.) There are potential solutions Enter password at Tomcat start Requires custom code Password still in memory Tomcat restart requires manual intervention Encode the password Requires custom code Encoding is not encryption May prevent some accidental disclosures 20

Webapps: Authentication BASIC & FORM Must use SSL DIGEST SSL not required CLIENT-CERT Already using SSL Session identifier (Cookie or URL parameter also needs protection) Don't switch back to HTTP from HTTPS once user has been authenticated 21

Webapps: SSL Be careful when moving from http to https When using a transport guarantee: HTTP request (inc body) sent in clear to Tomcat HTTP request headers parsed Request mapped to context Transport guarantee identified HTTP redirect (302) issued to https HTTP request resent over https HTTP response sent over https The request is sent in the clear 22

Webapps: context.xml Protect session cookies <Context usehttponly= true /> Will default to true from Tomcat 7.0.x onwards Permitting cross-context request dispatching <Context crosscontext= true /> Permitting symlinks has security side-effects <Context allowlinking= true /> Allow access to Tomcat internals <Context privileged= true /> 23

Webapps: Miscellaneous Invoker Servlet Bypasses security constraints XSS, SQL injection etc. Don't trust user input Protection needs to be in the application 24

Policy & Process Review your logs Access logs Application logs Tomcat logs System (eg firewall) logs What do you do if you find an attempted attack? What do you do if you find a successful attack? What do you do if a Tomcat vulnerability is announced? 25

Questions? markt@apache.org users@tomcat.apache.org http://people.apache.org/~markt/presentations mark.thomas@springsource.com http://www.springsource.com/webinars 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback