KEMBAR78
java2days 2014: Attacking JavaEE Application Servers | PPTX
Martin Toshev, profile picture
Uploaded byMartin Toshev
PPTX, PDF2,760 views

java2days 2014: Attacking JavaEE Application Servers

The document discusses attacking Java EE application servers by exploring various attack vectors and strategies. It outlines how attacks could originate externally, from within the application server itself, or from deployed applications. It then discusses tools that can be used to exploit vulnerabilities and recommends secure coding practices like applying patches, implementing proper security configurations, and performing testing to harden applications and servers against attacks.

Downloaded 75 times
Attacking JavaEE Application Servers Martin Toshev
Bulgarian Java Users Group (BG JUG): https://groups.google.com/forum/#!forum/bg-jug http://java-bg.org/
Agenda • Attack vectors • Strategies and tools • Secure coding and deployment
Attack Vectors OS Java EE Application Server war/ear war/ear
Attack Vectors • An attack could be originating: • externally • from the application server itself • from an application
Attack Vectors OS Java EE Application Server war/ear war/ear
Attack Vectors • An external attack can: o exploit directly remote services exposed by the JavaEE application server o exploit another remotely accessible process running in the OS
Attack Vectors • An external attack can: o exploit input for applications deployed in the Java EE Server (such as input validation attacks, SQL injection, XSS …)
Attack Vectors OS Java EE Application Server war/ear war/ear
Attack Vectors • An attack can: o originate from a malicious application running in the same OS • Administrators do not always install from trusted sources or check against MD5 checksums …
Attack Vectors OS Java EE Application Server war/ear war/ear
Attack Vectors • An attack originating from the application server can: • be crafted by modifying the codebase and rebuilding the application server • be achieved more easily by targeting open-source application servers such as Glassfish and Wildfly
Attack Vectors … Administrators do not always install JavaEE application servers from trusted sources or check against MD5 checksums … … which makes this type of attacks a real scenario
Attack Vectors OS Java EE Application Server war/ear war/ear
Attack Vectors • An attack originating from an application can be performed due to: o misconfigured security during deployment o intentional malicious code inside the application
Attack Vectors (scenario 1: misconfigured security in the app) … leads to opening holes in the Java EE security model
Attack Vectors (scenario 1: misconfigured security in the app) Application server war (with missing security configuration) ear (with missing security configuration)
Attack Vectors Java EE Security Model in a nutshell: Application server war • roles • role ear mappings • users • roles • role mappings • groups • realms JDBC realm file realm
Attack Vectors Java EE Security Model in a nutshell: 1. initial request is made 2. server authenticates the client using an authentication mechanism 3. URL authorization based on info from deployment descriptors or from annotations in source code is done 4. In case an EJB method is invoked the EJB container checks the appropriate permissions based on user roles (the web container delegates information about the user and its roles to the EJB container)
Attack Vectors Example: import javax.annotation.security.DeclareRoles; import javax.annotation.security.RolesAllowed; ... @DeclareRoles({"MANAGER", "EMPLOYEE", "ADMIN"}) @Stateless public class PaymentServiceImpl implements PaymentService { // Jim: temporarily commented for testing purposes // TODO: uncomment before deployment on PROD // @RolesAllowed("MANAGER") public void increaseSalary(User employee, int ammount) { … }
Attack Vectors (scenario 2: malicious code in the app) … can be made possible due to misconfiguration of the Java SE security model of the application server
Attack Vectors (scenario 2: malicious code in the app) Application server war (with malicious code) ear (with malicious code)
Attack Vectors Java SE Security Model in a nutshell: Application server war • invokes ear restricted operation • performs permission checks • invokes restricted operation security.policy
Strategies and Tools (external) Try to exploit services exposed by the OS or the application server (such as JMX) Vulnerability databases such as SecurityFocus, osvdb and nvd and application server changelogs are valuable sources of information
Strategies and Tools Tools: o network scanners - Nmap, SATAN, Nessus, GFI LANguard, TripWire, SuperScan o remote system administration - Back Office, ProRat o vulnerability scanners - metasploit, w3af, Nexpose o MITM on the local network - Ettercap
Strategies and Tools … This Security Alert addresses the security issue CVE-2008-3257, a vulnerability in the Apache Connector component (mod_weblogic) of the Oracle Weblogic Server (formerly BEA WebLogic Server). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password …
Strategies and Tools … Unfortunately, the person(s) who published this vulnerability and associated exploit codes didn't contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers … Affected versions: 6.1, 7.0, 8.1, 9.0, 9.1, 9.2, 10.0
Strategies and Tools … Earlier community editions of JBoss allow you to use default authentication to the JMX server running on the server (shutting down the server via JMX is made possible to attackers) - CVE- 2013-4810 … Affected versions: 4x, 5x
Strategies and Tools (ear/war) • craft malicious code that bypasses code reviews and code analysis tools (and possibly open a "back-door" in the application server)
Strategies and Tools (ear/war) • make use of techniques for: o initialization of classes based on loadable services or configuration files o AOP weaving o servlet filters o annotation processors
Strategies and Tools Tools: … write your own …
Secure Coding and Deployment • The OS: • secure the environment of your application server • always patch your OS with latest updates
Secure Coding and Deployment • The application server: • check that application server comes from a trusted source (compare against true MD5 checksum) • disable unused services when installing application servers
Secure Coding and Deployment • The application server: • always enable encryption for the remote services exposed by the application server • check the documentation of your application server on the default security manager and security policy enabled by the application server
Secure Coding and Deployment • The application server: • if necessary define proper security policy and define additional access control checks for the applications being deployed • always apply security patches to your application server installation
Secure Coding and Deployment • The ear/war: • allow minimum set of permissions to roles in the application context • follow best security practices as defined by the Secure Coding Guidelines for Java SE
Secure Coding and Deployment • The ear/war: • perform static & dynamic code analysis in order to find possible bugs or resource leaks (that may lead to implicit DoS) • do not leave behind test/unused URLs
Secure Coding and Deployment • The ear/war: • perform in-container security policy tests (e.g. using Cactus or Arquillian frameworks …) • perform in-container resource consumption tests
Go ahead and try to find leaks … 9.0.0.Alpha1 4.1 12.1.3
Thank you
References Java EE 7 tutorial part X: Security https://docs.oracle.com/javaee/7/tutorial/doc/ Java Platform, Enterprise Edition (JavaEE) Specification, v7 http://download.oracle.com/otndocs/jcp/java_ee-7-fr-eval-spec/ index.html
References Back door into JavaEE application servers macaron.googlecode.com/files/en-macaron.pdf OWASP Top 10 for JavaEE https://www.owasp.org/images/8/89/OWASP_Top_10_2007 _for_JEE.pdf Attacking Jboss like a boss https://www.defcon.org/images/defcon-18/dc-18- presentations/Krpata/DEFCON-18-Krpata-Attacking- JBoss.pdf
References Oracle Security Alert for CVE-2008-3257 http://www.oracle.com/technetwork/middleware/ias/downlo ads/alert-cve2008-3257-088842.html Securing a WebLogic Server deployment https://docs.oracle.com/cd/E13222_01/wls/docs61/security/ lockdown.html Whitepaper on Jboss exploitation http://securityxploded.com/JBoss%20Whitepaper.pdf
References Java Security Overview (white paper) http://www.oracle.com/technetwork/java/js-white-paper- 149932.pdf Java SE Platform Security Architecture Spec http://docs.oracle.com/javase/7/docs/technotes/guides/sec urity/spec/security-spec.doc.html Inside Java 2 Platform Security, 2nd edition http://www.amazon.com/Inside-Java%C2%BF-Platform- Security-Implementation/dp/0201787911
References Java Security, 2nd edition, Scott Oaks http://shop.oreilly.com/product/9780596001575.do Securing Java, Gary McGraw, Ed Felden http://www.securingjava.com Secure Coding Guidelines for Java SE http://www.oracle.com/technetwork/java/seccodeguide -139067.html#0
References Java 2 Network Security http://www.amazon.com/JAVA-Network-Security-2nd- Edition/dp/0130155926 Java Security Documentation http://docs.oracle.com/javase/8/docs/technotes/guides/sec urity/index.html
References Core Java Security: Class Loaders, Security Managers and Encryption http://www.informit.com/articles/article.aspx?p=1187967 Overview of Java Security Models http://docs.oracle.com/cd/E12839_01/core.1111/e10043/intr ojps.htm#CHDCEJGH

More Related Content

PPT
Security Testing
byKiran Kumar
 
PPTX
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
Security hole #5 application security science or quality assurance
byTjylen Veselyj
 
PPTX
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
PPT
香港六合彩
bybaoyin
 
PPTX
Microsoft Fakes, Unit Testing the (almost) Untestable Code
byAleksandar Bozinovski
 
PPTX
Kali linux useful tools
bymilad mahdavi
 
PPTX
Platform Security IRL: Busting Buzzwords & Building Better
byEqual Experts
 
Security Testing
byKiran Kumar
 
Hack through Injections
byNazar Tymoshyk, CEH, Ph.D.
 
Security hole #5 application security science or quality assurance
byTjylen Veselyj
 
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
香港六合彩
bybaoyin
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
byAleksandar Bozinovski
 
Kali linux useful tools
bymilad mahdavi
 
Platform Security IRL: Busting Buzzwords & Building Better
byEqual Experts
 

What's hot

PDF
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
PDF
Secure coding-guidelines
byTrupti Shiralkar, CISSP
 
PPTX
Cloud Security vs Security in the Cloud
byTjylen Veselyj
 
PDF
Attques web
byTarek MOHAMED
 
PPTX
Web applications security conference slides
byBassam Al-Khatib
 
PDF
Testing Web Application Security
byTed Husted
 
PPTX
Owasp
bypenetration Tester
 
PPTX
Application Security-Understanding The Horizon
byLalit Kale
 
PPTX
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
byCodemotion
 
PDF
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
byNetSPI
 
PDF
Modeling and Testing Security and Privacy Requirements: A Use Case-Driven App...
byLionel Briand
 
PPTX
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
Os Command Injection Attack
byRaghav Bisht
 
PPT
Vulnerability manager v1.0
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPT
Sandboxing (Distributed computing)
bySri Prasanna
 
PDF
Secure Coding in C/C++
byDan-Claudiu Dragoș
 
PPT
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
byBraindev Kyiv
 
PPTX
Reversing & Malware Analysis Training Part 13 - Future Roadmap
bysecurityxploded
 
PPT
Whittaker How To Break Software Security - SoftTest Ireland
byDavid O'Dowd
 
PDF
Session2-Application Threat Modeling
byzakieh alizadeh
 
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
Secure coding-guidelines
byTrupti Shiralkar, CISSP
 
Cloud Security vs Security in the Cloud
byTjylen Veselyj
 
Attques web
byTarek MOHAMED
 
Web applications security conference slides
byBassam Al-Khatib
 
Testing Web Application Security
byTed Husted
 
Owasp
bypenetration Tester
 
Application Security-Understanding The Horizon
byLalit Kale
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
byCodemotion
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
byNetSPI
 
Modeling and Testing Security and Privacy Requirements: A Use Case-Driven App...
byLionel Briand
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
Os Command Injection Attack
byRaghav Bisht
 
Vulnerability manager v1.0
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Sandboxing (Distributed computing)
bySri Prasanna
 
Secure Coding in C/C++
byDan-Claudiu Dragoș
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
byBraindev Kyiv
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
bysecurityxploded
 
Whittaker How To Break Software Security - SoftTest Ireland
byDavid O'Dowd
 
Session2-Application Threat Modeling
byzakieh alizadeh
 

Similar to java2days 2014: Attacking JavaEE Application Servers

PPT
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
bySteve Poole
 
PDF
JavaOne2013: Securing Java in the Server Room - Tim Ellison
byChris Bailey
 
PDF
Securing Java in the Server Room
byTim Ellison
 
PPTX
Geecon 2017 Anatomy of Java Vulnerabilities
bySteve Poole
 
PDF
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
PPTX
Web security
byPadam Banthia
 
PDF
OWASP Top 10 2007 for JavaEE
byMagno Logan
 
PDF
Java Application Development Vulnerabilities
byNarola Infotech
 
PPTX
(java2days) The Anatomy of Java Vulnerabilities
bySteve Poole
 
PPTX
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
PPTX
J2ee seminar
bySahil Kukreja
 
PPT
Session 8 Tp8
byphanleson
 
PDF
Java EE Services
byAbdalla Mahmoud
 
PPT
7) packaging and deployment
bytechbed
 
PPTX
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
byIBM Security
 
PPTX
Advance java1.1
byPrince Soni
 
PDF
t r
byelectronicmingle01
 
PPTX
Java ee 8 + security overview
byRudy De Busscher
 
PDF
Application Security Guide for Beginners
byCheckmarx
 
PPT
Websphere on z/OS and RACF security
byMichael Erichsen
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
bySteve Poole
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
byChris Bailey
 
Securing Java in the Server Room
byTim Ellison
 
Geecon 2017 Anatomy of Java Vulnerabilities
bySteve Poole
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
byAlex Senkevitch
 
Web security
byPadam Banthia
 
OWASP Top 10 2007 for JavaEE
byMagno Logan
 
Java Application Development Vulnerabilities
byNarola Infotech
 
(java2days) The Anatomy of Java Vulnerabilities
bySteve Poole
 
Java application security the hard way - a workshop for the serious developer
bySteve Poole
 
J2ee seminar
bySahil Kukreja
 
Session 8 Tp8
byphanleson
 
Java EE Services
byAbdalla Mahmoud
 
7) packaging and deployment
bytechbed
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
byIBM Security
 
Advance java1.1
byPrince Soni
 
t r
byelectronicmingle01
 
Java ee 8 + security overview
byRudy De Busscher
 
Application Security Guide for Beginners
byCheckmarx
 
Websphere on z/OS and RACF security
byMichael Erichsen
 

More from Martin Toshev

PPTX
Building highly scalable data pipelines with Apache Spark
byMartin Toshev
 
PPTX
Big data processing with Apache Spark and Oracle Database
byMartin Toshev
 
PPT
Jdk 10 sneak peek
byMartin Toshev
 
PPT
Semantic Technology In Oracle Database 12c
byMartin Toshev
 
PPTX
Practical security In a modular world
byMartin Toshev
 
PPT
Java 9 Security Enhancements in Practice
byMartin Toshev
 
PPTX
Java 9 sneak peek
byMartin Toshev
 
PPTX
Writing Stored Procedures in Oracle RDBMS
byMartin Toshev
 
PPTX
Spring RabbitMQ
byMartin Toshev
 
PPTX
Security Architecture of the Java platform
byMartin Toshev
 
PPTX
Oracle Database 12c Attack Vectors
byMartin Toshev
 
PPTX
JVM++: The Graal VM
byMartin Toshev
 
PPTX
RxJS vs RxJava: Intro
byMartin Toshev
 
PPTX
Security Аrchitecture of Тhe Java Platform
byMartin Toshev
 
PPTX
Spring RabbitMQ
byMartin Toshev
 
PPTX
Writing Stored Procedures with Oracle Database 12c
byMartin Toshev
 
PDF
Concurrency Utilities in Java 8
byMartin Toshev
 
PPTX
The RabbitMQ Message Broker
byMartin Toshev
 
PPTX
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
byMartin Toshev
 
PPTX
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
byMartin Toshev
 
Building highly scalable data pipelines with Apache Spark
byMartin Toshev
 
Big data processing with Apache Spark and Oracle Database
byMartin Toshev
 
Jdk 10 sneak peek
byMartin Toshev
 
Semantic Technology In Oracle Database 12c
byMartin Toshev
 
Practical security In a modular world
byMartin Toshev
 
Java 9 Security Enhancements in Practice
byMartin Toshev
 
Java 9 sneak peek
byMartin Toshev
 
Writing Stored Procedures in Oracle RDBMS
byMartin Toshev
 
Spring RabbitMQ
byMartin Toshev
 
Security Architecture of the Java platform
byMartin Toshev
 
Oracle Database 12c Attack Vectors
byMartin Toshev
 
JVM++: The Graal VM
byMartin Toshev
 
RxJS vs RxJava: Intro
byMartin Toshev
 
Security Аrchitecture of Тhe Java Platform
byMartin Toshev
 
Spring RabbitMQ
byMartin Toshev
 
Writing Stored Procedures with Oracle Database 12c
byMartin Toshev
 
Concurrency Utilities in Java 8
byMartin Toshev
 
The RabbitMQ Message Broker
byMartin Toshev
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
byMartin Toshev
 
Modularity of The Java Platform Javaday (http://javaday.org.ua/)
byMartin Toshev
 

Recently uploaded

PDF
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
PPT
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
PDF
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
PPT
preliminaries, concepts of programming languages
bymjmansoori54
 
PDF
The Hidden Cost of Complicated PMO Tools - Using Gartner’s Guidance and OnePl...
byOnePlan Solutions
 
PDF
Dreamforce 2025: Welcome to the Agentic Enterprise
byDele Amefo
 
PDF
Autowiring all the things! - DrupalCon Vienna 2025 - Luca Lusso, SparkFabrik
bysparkfabrik
 
PDF
How QuickHR Helps SMEs Control Expense Claims
byParker adam
 
PDF
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
PPTX
Java Modern Puzzlers, a guide to new programming features
bySimon Ritter
 
PPTX
Financial Literacy for Software Developers
byBalanathanVirupasan
 
PPSX
Domain Centered Architecture for complex business domains
byRob Vens
 
PDF
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
PDF
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
PPT
SAP ERP Training For Senior Managers.ppt
byBalanathanVirupasan
 
PDF
Scraping Amazon Prime Watchlist Data for Viewing Patterns.pdf
byyashpatric
 
PDF
The new Volto Form Block, Plone Conference 2025
byRob Gietema
 
DOCX
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
PPTX
Moving Plone Blob Storage to S3 Object Storage - Plone Conference 2025
byAlin Voinea
 
PPTX
Standardization of open-source software ISO/IEC 5230:2020 and ISO/IEC 18974:2...
byShane Coughlan
 
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
preliminaries, concepts of programming languages
bymjmansoori54
 
The Hidden Cost of Complicated PMO Tools - Using Gartner’s Guidance and OnePl...
byOnePlan Solutions
 
Dreamforce 2025: Welcome to the Agentic Enterprise
byDele Amefo
 
Autowiring all the things! - DrupalCon Vienna 2025 - Luca Lusso, SparkFabrik
bysparkfabrik
 
How QuickHR Helps SMEs Control Expense Claims
byParker adam
 
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
Java Modern Puzzlers, a guide to new programming features
bySimon Ritter
 
Financial Literacy for Software Developers
byBalanathanVirupasan
 
Domain Centered Architecture for complex business domains
byRob Vens
 
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
SAP ERP Training For Senior Managers.ppt
byBalanathanVirupasan
 
Scraping Amazon Prime Watchlist Data for Viewing Patterns.pdf
byyashpatric
 
The new Volto Form Block, Plone Conference 2025
byRob Gietema
 
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
Moving Plone Blob Storage to S3 Object Storage - Plone Conference 2025
byAlin Voinea
 
Standardization of open-source software ISO/IEC 5230:2020 and ISO/IEC 18974:2...
byShane Coughlan
 

java2days 2014: Attacking JavaEE Application Servers

  • 1.
    Attacking JavaEE Application Servers Martin Toshev
  • 2.
    Bulgarian Java UsersGroup (BG JUG): https://groups.google.com/forum/#!forum/bg-jug http://java-bg.org/
  • 3.
    Agenda • Attackvectors • Strategies and tools • Secure coding and deployment
  • 4.
    Attack Vectors OS Java EE Application Server war/ear war/ear
  • 5.
    Attack Vectors •An attack could be originating: • externally • from the application server itself • from an application
  • 6.
    Attack Vectors OS Java EE Application Server war/ear war/ear
  • 7.
    Attack Vectors •An external attack can: o exploit directly remote services exposed by the JavaEE application server o exploit another remotely accessible process running in the OS
  • 8.
    Attack Vectors •An external attack can: o exploit input for applications deployed in the Java EE Server (such as input validation attacks, SQL injection, XSS …)
  • 9.
    Attack Vectors OS Java EE Application Server war/ear war/ear
  • 10.
    Attack Vectors •An attack can: o originate from a malicious application running in the same OS • Administrators do not always install from trusted sources or check against MD5 checksums …
  • 11.
    Attack Vectors OS Java EE Application Server war/ear war/ear
  • 12.
    Attack Vectors •An attack originating from the application server can: • be crafted by modifying the codebase and rebuilding the application server • be achieved more easily by targeting open-source application servers such as Glassfish and Wildfly
  • 13.
    Attack Vectors …Administrators do not always install JavaEE application servers from trusted sources or check against MD5 checksums … … which makes this type of attacks a real scenario
  • 14.
    Attack Vectors OS Java EE Application Server war/ear war/ear
  • 15.
    Attack Vectors •An attack originating from an application can be performed due to: o misconfigured security during deployment o intentional malicious code inside the application
  • 16.
    Attack Vectors (scenario1: misconfigured security in the app) … leads to opening holes in the Java EE security model
  • 17.
    Attack Vectors (scenario1: misconfigured security in the app) Application server war (with missing security configuration) ear (with missing security configuration)
  • 18.
    Attack Vectors JavaEE Security Model in a nutshell: Application server war • roles • role ear mappings • users • roles • role mappings • groups • realms JDBC realm file realm
  • 19.
    Attack Vectors JavaEE Security Model in a nutshell: 1. initial request is made 2. server authenticates the client using an authentication mechanism 3. URL authorization based on info from deployment descriptors or from annotations in source code is done 4. In case an EJB method is invoked the EJB container checks the appropriate permissions based on user roles (the web container delegates information about the user and its roles to the EJB container)
  • 20.
    Attack Vectors Example: import javax.annotation.security.DeclareRoles; import javax.annotation.security.RolesAllowed; ... @DeclareRoles({"MANAGER", "EMPLOYEE", "ADMIN"}) @Stateless public class PaymentServiceImpl implements PaymentService { // Jim: temporarily commented for testing purposes // TODO: uncomment before deployment on PROD // @RolesAllowed("MANAGER") public void increaseSalary(User employee, int ammount) { … }
  • 21.
    Attack Vectors (scenario2: malicious code in the app) … can be made possible due to misconfiguration of the Java SE security model of the application server
  • 22.
    Attack Vectors (scenario2: malicious code in the app) Application server war (with malicious code) ear (with malicious code)
  • 23.
    Attack Vectors JavaSE Security Model in a nutshell: Application server war • invokes ear restricted operation • performs permission checks • invokes restricted operation security.policy
  • 24.
    Strategies and Tools (external) Try to exploit services exposed by the OS or the application server (such as JMX) Vulnerability databases such as SecurityFocus, osvdb and nvd and application server changelogs are valuable sources of information
  • 25.
    Strategies and Tools Tools: o network scanners - Nmap, SATAN, Nessus, GFI LANguard, TripWire, SuperScan o remote system administration - Back Office, ProRat o vulnerability scanners - metasploit, w3af, Nexpose o MITM on the local network - Ettercap
  • 26.
    Strategies and Tools … This Security Alert addresses the security issue CVE-2008-3257, a vulnerability in the Apache Connector component (mod_weblogic) of the Oracle Weblogic Server (formerly BEA WebLogic Server). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password …
  • 27.
    Strategies and Tools … Unfortunately, the person(s) who published this vulnerability and associated exploit codes didn't contact Oracle before publicly disclosing this issue. This means that the vulnerability was made public before providing Oracle an opportunity to develop an appropriate fix for this issue and notify its customers … Affected versions: 6.1, 7.0, 8.1, 9.0, 9.1, 9.2, 10.0
  • 28.
    Strategies and Tools … Earlier community editions of JBoss allow you to use default authentication to the JMX server running on the server (shutting down the server via JMX is made possible to attackers) - CVE- 2013-4810 … Affected versions: 4x, 5x
  • 29.
    Strategies and Tools (ear/war) • craft malicious code that bypasses code reviews and code analysis tools (and possibly open a "back-door" in the application server)
  • 30.
    Strategies and Tools (ear/war) • make use of techniques for: o initialization of classes based on loadable services or configuration files o AOP weaving o servlet filters o annotation processors
  • 31.
    Strategies and Tools Tools: … write your own …
  • 32.
    Secure Coding andDeployment • The OS: • secure the environment of your application server • always patch your OS with latest updates
  • 33.
    Secure Coding andDeployment • The application server: • check that application server comes from a trusted source (compare against true MD5 checksum) • disable unused services when installing application servers
  • 34.
    Secure Coding andDeployment • The application server: • always enable encryption for the remote services exposed by the application server • check the documentation of your application server on the default security manager and security policy enabled by the application server
  • 35.
    Secure Coding andDeployment • The application server: • if necessary define proper security policy and define additional access control checks for the applications being deployed • always apply security patches to your application server installation
  • 36.
    Secure Coding andDeployment • The ear/war: • allow minimum set of permissions to roles in the application context • follow best security practices as defined by the Secure Coding Guidelines for Java SE
  • 37.
    Secure Coding andDeployment • The ear/war: • perform static & dynamic code analysis in order to find possible bugs or resource leaks (that may lead to implicit DoS) • do not leave behind test/unused URLs
  • 38.
    Secure Coding andDeployment • The ear/war: • perform in-container security policy tests (e.g. using Cactus or Arquillian frameworks …) • perform in-container resource consumption tests
  • 39.
    Go ahead andtry to find leaks … 9.0.0.Alpha1 4.1 12.1.3
  • 40.
  • 41.
    References Java EE7 tutorial part X: Security https://docs.oracle.com/javaee/7/tutorial/doc/ Java Platform, Enterprise Edition (JavaEE) Specification, v7 http://download.oracle.com/otndocs/jcp/java_ee-7-fr-eval-spec/ index.html
  • 42.
    References Back doorinto JavaEE application servers macaron.googlecode.com/files/en-macaron.pdf OWASP Top 10 for JavaEE https://www.owasp.org/images/8/89/OWASP_Top_10_2007 _for_JEE.pdf Attacking Jboss like a boss https://www.defcon.org/images/defcon-18/dc-18- presentations/Krpata/DEFCON-18-Krpata-Attacking- JBoss.pdf
  • 43.
    References Oracle SecurityAlert for CVE-2008-3257 http://www.oracle.com/technetwork/middleware/ias/downlo ads/alert-cve2008-3257-088842.html Securing a WebLogic Server deployment https://docs.oracle.com/cd/E13222_01/wls/docs61/security/ lockdown.html Whitepaper on Jboss exploitation http://securityxploded.com/JBoss%20Whitepaper.pdf
  • 44.
    References Java SecurityOverview (white paper) http://www.oracle.com/technetwork/java/js-white-paper- 149932.pdf Java SE Platform Security Architecture Spec http://docs.oracle.com/javase/7/docs/technotes/guides/sec urity/spec/security-spec.doc.html Inside Java 2 Platform Security, 2nd edition http://www.amazon.com/Inside-Java%C2%BF-Platform- Security-Implementation/dp/0201787911
  • 45.
    References Java Security,2nd edition, Scott Oaks http://shop.oreilly.com/product/9780596001575.do Securing Java, Gary McGraw, Ed Felden http://www.securingjava.com Secure Coding Guidelines for Java SE http://www.oracle.com/technetwork/java/seccodeguide -139067.html#0
  • 46.
    References Java 2Network Security http://www.amazon.com/JAVA-Network-Security-2nd- Edition/dp/0130155926 Java Security Documentation http://docs.oracle.com/javase/8/docs/technotes/guides/sec urity/index.html
  • 47.
    References Core JavaSecurity: Class Loaders, Security Managers and Encryption http://www.informit.com/articles/article.aspx?p=1187967 Overview of Java Security Models http://docs.oracle.com/cd/E12839_01/core.1111/e10043/intr ojps.htm#CHDCEJGH