Real World Java Web Security, Java User Group Karlsruhe, Dominik Schadow | bridgingIT (PowerPoint PPT Presentation)



SLIDE 1

Real World Java Web Security

Dominik Schadow | bridgingIT

Java User Group Karlsruhe

SLIDE 2

Who thinks about …
… architecture while coding?
… architecture before coding?

SLIDE 3

Who thinks about …
… security while coding?
… security before coding?

SLIDE 4

OWASP TOP 10 2013

(1) Injection
(2) Broken Authentication and Session Management
(3) Cross-Site Scripting (XSS)
(4) Insecure Direct Object References
(5) Security Misconfiguration
(6) Sensitive Data Exposure
(7) Missing Function Level Access Control
(8) Cross-Site Request Forgery (CSRF)
(9) Using Components with Known Vulnerabilities
(10) Unvalidated Redirects and Forwards

SLIDE 5

Software that is secure by design

Know the web application
Know all external entities
Identify all data flows
Identify all risks

SLIDE 6

Threat model

SLIDE 7

Avoid design flaws

SLIDE 9

Fight the identified threats

SLIDE 10

Maintain all threat models

SLIDE 11

Instrument the Browser

SLIDE 12

Defense in Depth

SLIDE 13

Force HTTPS

SLIDE 14

@WebFilter(urlPatterns = {"/*"})
public class HSTS implements Filter {
    // Standard javax.servlet.Filter signature; the slide abbreviates the parameter list
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // max-age is one year in seconds: the browser will use HTTPS only for this host until then
        response.addHeader("Strict-Transport-Security", "max-age=31556926");
        chain.doFilter(req, response);
    }
    // … (remaining Filter methods not shown on the slide)
}

SLIDE 19

@WebFilter(urlPatterns = {"/*"})
public class HSTS implements Filter {
    // Standard javax.servlet.Filter signature; the slide abbreviates the parameter list
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // includeSubDomains extends the HTTPS-only rule to every subdomain of this host
        response.addHeader("Strict-Transport-Security", "max-age=31556926;includeSubDomains");
        chain.doFilter(req, response);
    }
    // … (remaining Filter methods not shown on the slide)
}

SLIDE 20

Prevent framing

SLIDE 21

response.addHeader( "X-Frame-Options", "DENY" );

SLIDE 24

// The header value is spelled SAMEORIGIN (no hyphen); browsers ignore unknown values
response.addHeader( "X-Frame-Options", "SAMEORIGIN" );

SLIDE 25

response.addHeader( "X-Frame-Options", "ALLOW-FROM http://www.safe.de" );

SLIDE 26

Prevent Cross-Site Scripting

SLIDE 27

response.addHeader( "Content-Security-Policy", "default-src 'self'" );

SLIDE 30

Content Security Policy Directives

default-src: default if a specific directive is not set
object-src: sources in object, embed or applet tags
script-src: script sources (includes XSLT)
connect-src: XMLHttpRequest, WebSocket, …
font-src: font sources
frame-src: sources embeddable as frames
img-src: image sources
media-src: video and audio sources
style-src: CSS sources (does not include XSLT)

www.w3.org/TR/CSP

SLIDE 31

response.addHeader( "Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; report-uri CSPReporting" );

SLIDE 33

Violation Report

{
  "document-uri": "http://.../reporting.jsp?name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E",
  "referrer": "http://www.sample.com/security-header/index.jsp",
  "blocked-uri": "self",
  "violated-directive": "default-src http://www.sample.com",
  "source-file": "http://.../reporting.jsp?name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E",
  "script-sample": "alert('XSS')",
  "line-number": 10
}
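The endpoint behind the report-uri CSPReporting directive from slide 31, which receives and logs violation reports like the one above. This is an added example, not code from the talk or its demo projects; it uses the JSON-P API (javax.json), and the servlet path, logger name and size limit are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed path: matches the relative "report-uri CSPReporting" of the policy on slide 31
@WebServlet("/CSPReporting")
public class CspReportingServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger("csp-violations"); // assumed logger name
    private static final int MAX_BODY = 16 * 1024; // reports are small; refuse oversized bodies

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Browsers post reports with Content-Type application/csp-report; accept nothing else
        String type = request.getContentType();
        if (type == null || !type.startsWith("application/csp-report")) {
            response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        if (request.getContentLength() > MAX_BODY) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        JsonObject report;
        try (JsonReader reader = Json.createReader(request.getInputStream())) {
            report = reader.readObject();
        } catch (JsonException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Real browsers wrap the fields in a "csp-report" object; the slide shows the inner object
        if (report.containsKey("csp-report")) {
            report = report.getJsonObject("csp-report");
        }
        // Every field is client-controlled: log it as data, never render it into a page unescaped
        LOG.warning(String.format("CSP violation: directive=%s blocked=%s document=%s line=%d sample=%s",
                report.getString("violated-directive", "?"),
                report.getString("blocked-uri", "?"),
                report.getString("document-uri", "?"),
                report.getInt("line-number", -1),
                report.getString("script-sample", "").replaceAll("[\\r\\n]", " ")));
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

A report tells you where a policy was violated, not whether the page was actually exploited; a spike in reports for one document-uri is the signal worth triaging.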

SLIDE 34

Content Security Policy Level 2

www.w3.org/TR/CSP2

child-src: replaces frame-src
form-action: form targets to send data to
plugin-types: allowed plug-ins (their MIME type)
referrer: referrer URL exposed to others
sandbox: load resource in restricted sandbox
frame-ancestors: allow resource frame embedding; obsoletes X-Frame-Options header
reflected-xss: (de-)activate user agent XSS heuristics; obsoletes X-XSS-Protection header

SLIDE 35

response.addHeader( "Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'" );

SLIDE 39

Demo

SLIDE 40

And now?

SLIDE 41

OWASP TOP 10 Proactive Controls

(1) Parameterize Queries
(2) Encode Data
(3) Validate All Inputs
(4) Implement Appropriate Access Controls
(5) Establish Identity and Authentication Controls
(6) Protect Data and Privacy
(7) Implement Logging, Error Handling and Intrusion Detection
(8) Leverage Security Features of Frameworks and Security Libraries
(9) Include Security-Specific Requirements
(10) Design and Architect Security in

Threat Modeling

SLIDE 42

Leverage Security Features of Frameworks and Security Libraries

SLIDE 43

Use it!

SLIDE 44

Spring Security (Java config) adds these headers automatically:

X-Content-Type-Options
Cache-Control
X-Frame-Options
HTTP Strict Transport Security
X-XSS-Protection

SLIDE 45

Frameworks and libraries decline

SLIDE 47

<reporting>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>1.3.1</version>
      <reportSets>
        <reportSet>
          <reports>
            <report>aggregate</report>
          </reports>
        </reportSet>
      </reportSets>
    </plugin>
  </plugins>
</reporting>

SLIDE 50

Implement Appropriate Access Controls
Establish Identity and Authentication Controls

SLIDE 51

Standardized building blocks

SLIDE 52

User usually receives a session id when visiting web application

4E01EF46D8446D1C 10CB5C08EDA69DD1

SLIDE 53

Demo

SLIDE 54

Protect Data and Privacy

SLIDE 56

Slow down brute force attacks

SLIDE 57

PBKDF2
Iterations against brute force attacks
Available in plain Java

SLIDE 58

Demo

SLIDE 59

bcrypt
Iterations against brute force attacks
Integrated in Spring Security

SLIDE 60

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public PasswordEncoder passwordEncoder() {
        // 10 is the bcrypt cost factor (log2 of the iteration count)
        return new BCryptPasswordEncoder(10);
    }
}

SLIDE 64

scrypt
Memory against brute force attacks
Best protection against dictionary attacks

SLIDE 65

Summary

SLIDE 66

Plan security with threat modeling

SLIDE 67

Think (like an attacker) during implementation

SLIDE 68

Keep 3rd party libraries up-to-date

SLIDE 69

Enjoy secure programming

SLIDE 70

dominik.schadow@bridging-it.de
www.bridging-it.de

Demo Projects: github.com/dschadow/JavaSecurity
Microsoft Threat Modeling Tool: www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx
OWASP Dependency Check: www.owasp.org/index.php/OWASP_Dependency_Check
OWASP TOP 10: www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP TOP 10 Proactive Controls: www.owasp.org/index.php/OWASP_Proactive_Controls
Recx Security Analyser: www.recx.co.uk/products/chromeplugin.php
Spring Security: projects.spring.io/spring-security
Pictures: www.dreamstime.com

Königstraße 42, 70173 Stuttgart
Blog: blog.dominikschadow.de
Twitter: @dschadow

Jobs@bridgingIT: www.bridging-it.de/java