KEMBAR78
PCI Security Requirements - secure coding | PPTX
Haitham Raik, profile picture
Uploaded byHaitham Raik
1,307 views

PCI Security Requirements - secure coding

This document summarizes key PCI security requirements related to common web application vulnerabilities. It discusses requirements around proper error handling, cross-site scripting, injection flaws, malicious file execution, direct object references, and other issues. For each vulnerability, it provides definitions, examples, and recommendations for implementing controls like input validation, output encoding, prepared statements, and access control to help secure applications and protect cardholder data.

PCI Security Requirements Haitham Raik
Agenda  Overview  Information leakage and improper error handling  Cross Site Scripting (XSS)  Injection Flaws  Malicious File Execution  Insecure Direct Object References  Cross Site Request Forgery (CSRF)  Failure to Restrict URL Access  Broken Authentication and Session Management
Overview  PCI DSS is a security standard that includes requirements for:  security management,  policies,  procedures,  network architecture,  software design and other critical protective measures  PCI DSS purpose: to help the organizations to protect customer account data.  This session doesn‟t cover all the security requirements.  This session covers only what has impact on our code.
Information Leakage and improper error handling  Definition: Providing too much information to the user when an error occurs.  Examples:  An error message with too much detail  Stack trace  Failed SQL statement  Functions that produce different error messages/codes based upon different inputs  Invalid username  Invalid password
Information Leakage and improper error handling Protection  Write detailed error information to secure Log.  Configure an exception handler in the web.xml for all un-handled exceptions <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/error.jsp</location> </error-page>  Always give generic error;  “The username/password is not correct”.  “Merchant Authentication Failed”
Cross Site Scripting (XSS)  XSS: Describes the act of embedding malicious HTML/JavaScript code in dynamically generated pages based on invalidated input from untrustworthy sources.
Cross Site Scripting (XSS)  XSS is the most common vulnerability  XSS impact:  Data on a page can be stolen and sent anywhere.  Your Website behavior can be altered.  Types of XSS  Reflected XSS; reflects user input (manipulate user input) out.writeln(“You input is:”+request.getParamter(“userInput”))  Stored XSS; attackers script is stored on server (e.g. blogs) out.writeln(“Comment: ”+blog.comment);
Cross Site Scripting (XSS) Protection  Input Validation; Checking each input for validity  Accept known good:  Accept valid input types.  Accept valid input lengths.  Accept valid input patterns; e.g., phone pattern.  Reject known bad  Reject input values with bad characters and patterns; for example: <script>  Sanitize  Rather than accept or reject input, change the input to an acceptable format.  Set the HTTPOnly flag on your session cookie  Cookie with this flag cannot be accessed through client script
Cross-Site Scripting (XSS) Protection  Output Escaping (Encoding): is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.  HTML Escape: <body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>  (&  &amp;) (<  &lt;) (>  &gt;) (“  &quot;) („  &#x27; ) (/  &#x2F;)  Attribute Escape: <div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>  Javascript Escape: <script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>  CSS Escape  URL Escape: <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a >
Cross-Site Scripting (XSS) Protection  Input Validation using ESAPI: boolean isValidFirstName = ESAPI.validator().isValidInput("FirstName", request.getParameter("FirstName"), "FirstNameRegex", 255, false);  Sanitize using AntiSamy import org.owasp.validator.html.*; Policy policy = Policy.getInstance(POLICY_FILE_LOCATION); AntiSamy as = new AntiSamy(); CleanResults cr = as.scan(dirtyInput, policy); MyUserDAO.storeUserProfile(cr.getCleanHTML());
Cross-Site Scripting (XSS) Protection  Set HttpOnly  Before Servlet v3: response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");  Servlet v3: <session-config> <cookie-config> <http-only>true</http-only> </cookie-config> <session-config>  Output Escaping using ESAPI: <p>Hello, <%=name%></p> //performing output encoding for the HTML context String <p>Hello, <%=ESAPI.encoder().encodeForHTML(name)%></p>
Injection Flaws  Definition: Attacker modifies a query/command that is executed by target interpreter  Injection applies to:  SQL injection  XPATH injection  LDAP injection
Injection Flaws  SQL Injection:  SQL Statement for Authentication: StringsqlString = "SELECT * FROM users WHERE fullname = '" + form.getFullName() + "' AND password = '" + form.getPassword() + "'";  User Input: Case 1: full name: Haitham, password: 123pass Result: SELECT * FROM users WHERE username = „Haitham' AND password = '123pass' Case 2: full name: Ala' Ahmad, password: 123pass Result: SELECT * FROM users WHERE username = 'Ala' Ahmad' AND password = „13pass' Case 3: full name: blah, password: ' OR '1' = '1 Result: SELECT * FROM users WHERE username = 'blah' AND password = '' OR '1' = '1'
Injection Flaws  XPATH Injection  XML file: <?xml version="1.0" encoding="utf-8"?> <employees> <employee id="AS1" firstname="John" salary=“100"/> <employee id="AS2" firstname=“Adam“ salary=“200"/> </employees>  XPATH expression: String exp = “/employees/employee[@id=„”+form.getEID()+”']” User Input: Emp_ID=„ or '1'='1 Result: /employees/employee[@id=„„ or '1'='1']
Injection Flaws Protection  SQL Injection Protection using:  Use prepared statements/parameterized queries (don‟t use concatenation while building the SQL stmt) String stmt = “select * from emp where id=?”; PreparedStatement pstmt = con.prepareStatement(stmt); pstmt.setString(1, empId);  Use stored procedures  SQL Escape using ESAPI Codec ORACLE_CODEC = new OracleCodec(); String query = "SELECT name FROM users WHERE id = "+ ESAPI.encoder().encodeForSQL(ORACLE_CODEC, userId)+ " AND date_created >= '"+ ESAPI.encoder().encodeForSQL(ORACLE_CODEC, date)+ "'"; myStmt = conn.createStatement(query);
Injection Flaws Protection  Hibernate Injection Protection  Use named parameters  Use Criteria API
Injection Flaws Protection  XPATH Injection Protection  User input must not contain any of the following characters: ( ) = ' [ ] : , * / WHITESPACE  XPATH Injection protection using ESAPI String exp = “/employees/employee[@id=„”+ ESAPI.encoder().encodeForXPath(form.getEID())+ ”']”
Malicious File Execution  Definition: occurs when attacker's files are executed or processed by the web server.  Expected Threats:  Malicious file (e.g., script) can be executed on the application server  Access to a configuration file  Override a configuration file  Fill up the filesystem  This happen when  Filename is accepted from the user without validation  File is uploaded without validation
Malicious File Execution  Example:  Code Snippet // get the absolute file path on the server's filesystem String dir = servlet.getServletContext().getRealPath("/ebanking") // get input file name String file = request.getParameter(“file”); // Create a new File instance from pathname string File f = new File((dir + "" + file).replaceAll("", "/")); User Input: ../../web.xml Result: it will allow access to web server configuration file
Malicious File Execution Protection  Filename Validation  File Type Validation  Size Validation  Don‟t allow the user to influence the final filename.  Upload files to a destination outside of the web application directory
Malicious File Execution Protection  Filename and file type validation using ESAPI ESAPI.validator().isValidFileName("upload", filename, allowedExtensions, false));  Size Validation using Commons-FileUpload: ServletFileUpload upload = new ServletFileUpload(factory); upload.setSizeMax(maxBytes);
Direct Object References (DOR)  DOR occurs when a developer exposes a reference to an internal implementation:  Object  File or Directory  Database record  Attacker can manipulate object references to access other objects without authorization.  For Example:  URL (or form parameter) to my banking account is: /accounts/viewDetail?id=3540  What will happen if I changed this to  /accounts/viewDetail?id=3541
Direct Object References (DOR) Protection  Avoid exposing direct object references  Use Indirect Object References  Verify Authorization to all referenced objects
Direct Object References (DOR) Protection  Indirect Object Reference using ESAPI //create ESAPI random access reference map AccessReferenceMap map = new RandomAccessReferenceMap(); //get indirect reference using direct reference String indirectReference = map.addDirectReference(obj.getId()); //set indirect reference for each object - requires your app object to have this method obj.setIndirectReference(indirectReference); // Store the map in the session
Direct Object References (DOR) Protection  Verify Authorization  For example:  Before: select * from accounts where accNum = ?  After: select * from accounts where accNum = ? And userId = ?
Direct Object References (DOR) Protection  Authorization vs Indirect object reference  Authorization:  May require an extra DB hit  Exposes actual ID  Indirect object reference  May not require an extra DB hit  Hides actual ID  Requires a bit of extra coding and some extra information  Not very popular
Cross Site Request Forgery (CSRF)  CSRF: forces logged-in victim to send a request to a vulnerable web application, which then performs action on behalf of the victim.  Sample CSRF Scenario:  A hacker posts to a blog containing an image tag (blog site allows XSS) <img src=“http://www.yourbank.com/transfer?to_acc=hacker_acc_ num&amount=1000”/>  User logs into yourbank.com (session is active for user)  User visits the blog (without logging from yourbank.com)  Loading the image will send request to the bank site  The bank will transfer the user‟s money to hacker‟s account
Cross Site Request Forgery (CSRF) Protection  Make sure there are no XSS vulnerabilities in your application; refer to XSS protection slides.  Do not use GET requests to perform transactional operations.  Javascript can be used to create auto submit POST forms.  Check the referrer header. Shows where the request originated  This is optional and the user can disable it.  For sensitive transactions, re-authenticate.  Add a confirmation page.
Cross Site Request Forgery (CSRF) Protection  Insert custom random tokens into every form and URL  Generate CSRF token  Store user in http session  On any form/URL add the token as a parameter/hidden field.  On the server, check the submitted token matches the token form.  On logout, the CSRF token is removed.
Cross Site Request Forgery (CSRF) Protection  Do not use GET requests public void doGet(HttpServletRequest req, HttpServletResponse resp) { throw new Exception(“Invalid operation”); }  Check the referrer header using HTTPServletRequest: String referer = request.getHeader(“Referer”); if (referer != null && referer != “our trusted link”) { session.invalidate(); throw new Exception(); }
Cross Site Request Forgery (CSRF) Protection  Implementing CSRF tokens using ESAPI // To generate CSRF token String csrfToken = ESAPI.randomizer().getRandomString(8, DefaultEncoder.CHAR_ALPHANUMERICS); // After user authentication, add token to user‟s session request.getSession().setAttribute(“csrfToken”, csrfToken); // To Validate a Token; this code can be added a filter String requestToken = request.getParameter(“csrfToken”); String sessionToken = session.getAttribute(“csrfToken”); if (!requestToken.equals(sessionToken)) { throw new Exception(“Invalid CSRF Token”); }
Cross Site Request Forgery (CSRF) Protection // At logout, delete the session which removes its content HttpSession session = request.getSession(false); if (session != null) { session.invalidate(); }  Implementing CSRF tokens using CSRFGuard project via ServletFilters  Tokens are automatically generated, managed, verified, and inserted  Copy Owasp.CsrfGuard.jar file to your application‟s classpath  Declate CsrfGuard in web.xml  Configure the Owasp.CsrfGuard.properties file as you see fit
Failure to Restrict URL Access  Attacker, who is an authorized user, simply changes the URL to a privileged page.  URL is not protected with authorization.  Just because your URL is hard to guess, doesn‟t mean it can‟t be found!  Example:  “hidden” URLs rendered only to admins /admin/adduser.do  Attacker can find unprotected URLs  Test pages deployed in production  “hidden” files such as system reports
Failure to Restrict URL Access Protection  Create Access Control Matrix for your Application: Function 1 Function 2 Function 3 PG Admin Read, write Read, Write Read, Write Acquirer Admin Read Read, Write Read, Write  Access Control Matrix shouldReadeasily configured Bank Admin be Read,  For each request, ensure that the userWrite is authorized to access that function.  Block access to all file types that your application should never serve  Put all your UI files under /WEB-INF
Broken Authentication & Session Management  Flaws in this area most frequently involve the failure to protect credentials and session tokens through their lifecycle  If this issue is not properly addressed, many issues arise:  Account hijacked  Credentials stolen  Privacy violation
Broken Authentication & Session Management Protection  Use the build-in session management  Utilize SSL / TLS Session identifier  With regards to authentication:  Use a single authentication point  Invalidate the HttpSession before login and after login to prevent session fixation  Make sure logout function invalidate the session  Add a session time-out  Do not expose any session identifiers in URLs or logs  Check the old password when the user changes to a new password
Broken Authentication & Session Management Protection  Prevent brute force attacks by limiting the number of attempts  Destroy session if Referrer is suspicious (see CSRF)  Regenerate session if remote IP changed  Regenerate session if user agent changed
Broken Authentication & Session Management Protection  Invalidate Session: request.getSession(false).invalidate();  Session Timeout:  Programmatically: session.setMaxInactiveInterval(20*60);  Using web.xml: <web-app ...> <session-config> <session-timeout>20</session-timeout> </session-config> </web-app>
Broken Authentication & Session Management Protection  Regenerate session if remote IP changed String preRemoteIP = session.getAttribute(“RemoteIP”); String remoteIP = request.getRemoteAddr(); if (!preRemoteIP.equals(remoteIP)) {//read atts session.invalidate(); } session = request.getSession(true);//write atts String preRemoteIP = session.getAttribute(“RemoteIP”); String remoteIP = request.getRemoteAddr(); if (!preRemoteIP.equals(remoteIP)) { HTTPUtilities esapiHTTPUtilities = ESAPI.httpUtilities(); esapiHTTPUtilities.setCurrentHTTP(request, response); esapiHTTPUtilities.changeSessionIdentifier(); }
Broken Authentication & Session Management Protection  Regenerate session if user agent changed String preUserAgent = session.getAttribute(“UserAgent”); String userAgent = request.getHeader("user-agent"); if (! preUserAgent.equals(userAgent)) { HTTPUtilities esapiHTTPUtilities = ESAPI.httpUtilities(); esapiHTTPUtilities.setCurrentHTTP(request, response); esapiHTTPUtilities.changeSessionIdentifier(); }
 What is Next?

More Related Content

PPTX
PCI security requirements secure coding and code review 2014
byHaitham Raik
 
PPTX
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
PDF
S8-Session Managment
byzakieh alizadeh
 
PDF
Web application security (eng)
byAnatoliy Okhotnikov
 
PDF
Owasp top 10_openwest_2019
bySean Jackson
 
PPTX
OWASP Khartoum Top 10 A3 - 6th meeting
byOWASP Khartoum
 
PPT
Owasp Top 10 And Security Flaw Root Causes
byMarco Morana
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
PCI security requirements secure coding and code review 2014
byHaitham Raik
 
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
S8-Session Managment
byzakieh alizadeh
 
Web application security (eng)
byAnatoliy Okhotnikov
 
Owasp top 10_openwest_2019
bySean Jackson
 
OWASP Khartoum Top 10 A3 - 6th meeting
byOWASP Khartoum
 
Owasp Top 10 And Security Flaw Root Causes
byMarco Morana
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 

What's hot

ODP
Top 10 Web Security Vulnerabilities
byCarol McDonald
 
PDF
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
byJayasree Veliyath
 
PDF
2013 OWASP Top 10
bybilcorry
 
PPTX
Owasp webgoat
byZakaria SMAHI
 
PPT
OWASP Serbia - A3 broken authentication and session management
byNikola Milosevic
 
PDF
Session10-PHP Misconfiguration
byzakieh alizadeh
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PPT
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PDF
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
byAlexandre Morgaut
 
PPTX
OWASP Top 10 Proactive Controls
byKaty Anton
 
PDF
S5-Authorization
byzakieh alizadeh
 
PDF
Session4-Authentication
byzakieh alizadeh
 
PPTX
OWASP top 10-2013
bytmd800
 
PPTX
Owasp top 10_-_2010 presentation
byIslam Azeddine Mennouchi
 
PDF
Web Application Firewall: Suckseed or Succeed
byPrathan Phongthiproek
 
PPT
Secure code practices
byHina Rawal
 
PDF
Attques web
byTarek MOHAMED
 
PDF
Top 10 Web Application vulnerabilities
byTerrance Medina
 
PPTX
Cross Site Scripting (XSS) Defense with Java
byJim Manico
 
Top 10 Web Security Vulnerabilities
byCarol McDonald
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
byJayasree Veliyath
 
2013 OWASP Top 10
bybilcorry
 
Owasp webgoat
byZakaria SMAHI
 
OWASP Serbia - A3 broken authentication and session management
byNikola Milosevic
 
Session10-PHP Misconfiguration
byzakieh alizadeh
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
Owasp top 10 2013
byEdouard de Lansalut
 
Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe
byAlexandre Morgaut
 
OWASP Top 10 Proactive Controls
byKaty Anton
 
S5-Authorization
byzakieh alizadeh
 
Session4-Authentication
byzakieh alizadeh
 
OWASP top 10-2013
bytmd800
 
Owasp top 10_-_2010 presentation
byIslam Azeddine Mennouchi
 
Web Application Firewall: Suckseed or Succeed
byPrathan Phongthiproek
 
Secure code practices
byHina Rawal
 
Attques web
byTarek MOHAMED
 
Top 10 Web Application vulnerabilities
byTerrance Medina
 
Cross Site Scripting (XSS) Defense with Java
byJim Manico
 

Viewers also liked

PPT
Presentation1
bygueste24727
 
PPTX
3
byMaria del Carmen Santana Pastor
 
DOC
A insolvência e o direito dos trabalhadores
byPaulo Susano
 
PDF
Írások kapásból - Orbán Viktor és a székely Berde Mózsa
byNagy Attila (Mihai)
 
PPTX
sunu
bysesildemircioglu
 
PPTX
Economia y politica alimentaria
byalejandrovalladareslopez
 
PPTX
Economia politica-alimentaria-2 Diana laura cortez quiroz
byyosehlim96
 
PDF
Повышение конкуренции на рынке труда: как остаться востребованным специалисто...
byCisco Russia
 
PPTX
my ppt IMP
bypooja sabarinathan
 
PDF
SM-Twittometro KEIKO FUJIMORI
bySoluciones & Consultoría de Marketing
 
PDF
Changing active to passive voice
byJoey Fontanilla Valdriz
 
PPTX
Bioq, da lactaçao
bycamila felix
 
Presentation1
bygueste24727
 
3
byMaria del Carmen Santana Pastor
 
A insolvência e o direito dos trabalhadores
byPaulo Susano
 
Írások kapásból - Orbán Viktor és a székely Berde Mózsa
byNagy Attila (Mihai)
 
sunu
bysesildemircioglu
 
Economia y politica alimentaria
byalejandrovalladareslopez
 
Economia politica-alimentaria-2 Diana laura cortez quiroz
byyosehlim96
 
Повышение конкуренции на рынке труда: как остаться востребованным специалисто...
byCisco Russia
 
my ppt IMP
bypooja sabarinathan
 
SM-Twittometro KEIKO FUJIMORI
bySoluciones & Consultoría de Marketing
 
Changing active to passive voice
byJoey Fontanilla Valdriz
 
Bioq, da lactaçao
bycamila felix
 

Similar to PCI Security Requirements - secure coding

DOC
Attackers Vs Programmers
byrobin_bene
 
PPTX
Owasp first5 presentation
byAshwini Paranjpe
 
PPTX
Owasp first5 presentation
byowasp-pune
 
PPTX
Top web apps security vulnerabilities
byAleksandar Bozinovski
 
PPTX
Hacking 101 (Session 2)
byNitroxis Sprl
 
PPTX
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
PDF
Owasp top 10 vulnerabilities 2013
byVishrut Sharma
 
PPT
Secure development
byAhmed Gamil
 
PPTX
Hacking 101 3
byNitroxis Sprl
 
PPTX
Secure Dot Net Programming
byAdam Getchell
 
PDF
Java EE Web Security By Example: Frank Kim
byjaxconf
 
PPTX
Owasp Top 10 2017
bySamsonMuoki
 
PDF
Problems with parameters b sides-msp
byMike Saunders
 
PDF
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
PPT
Web Apps Security
byVictor Bucutea
 
PPTX
Security For Application Development
by6502programmer
 
PDF
Security Awareness
byLucas Hendrich
 
PDF
Owasp Top 10
byGaurav Narwani
 
PDF
Xebia Knowledge Exchange - Owasp Top Ten
byPublicis Sapient Engineering
 
PDF
OWASP Top 10
byArthur Shvetsov
 
Attackers Vs Programmers
byrobin_bene
 
Owasp first5 presentation
byAshwini Paranjpe
 
Owasp first5 presentation
byowasp-pune
 
Top web apps security vulnerabilities
byAleksandar Bozinovski
 
Hacking 101 (Session 2)
byNitroxis Sprl
 
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
Owasp top 10 vulnerabilities 2013
byVishrut Sharma
 
Secure development
byAhmed Gamil
 
Hacking 101 3
byNitroxis Sprl
 
Secure Dot Net Programming
byAdam Getchell
 
Java EE Web Security By Example: Frank Kim
byjaxconf
 
Owasp Top 10 2017
bySamsonMuoki
 
Problems with parameters b sides-msp
byMike Saunders
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
Web Apps Security
byVictor Bucutea
 
Security For Application Development
by6502programmer
 
Security Awareness
byLucas Hendrich
 
Owasp Top 10
byGaurav Narwani
 
Xebia Knowledge Exchange - Owasp Top Ten
byPublicis Sapient Engineering
 
OWASP Top 10
byArthur Shvetsov
 

More from Haitham Raik

PDF
History of Software Architecture
byHaitham Raik
 
PPTX
Unified Microservices Patterns List
byHaitham Raik
 
PPTX
GIT In Detail
byHaitham Raik
 
PPTX
Advanced Hibernate V2
byHaitham Raik
 
PPTX
Red hat linux essentials
byHaitham Raik
 
PPT
Object Oriented Analysis and Design with UML2 part2
byHaitham Raik
 
PPT
Object Oriented Analysis and Design with UML2 part1
byHaitham Raik
 
DOC
IBM OOAD Part1 Summary
byHaitham Raik
 
PPT
JEE5 New Features
byHaitham Raik
 
PPT
JMX
byHaitham Raik
 
PPT
Advanced Hibernate
byHaitham Raik
 
History of Software Architecture
byHaitham Raik
 
Unified Microservices Patterns List
byHaitham Raik
 
GIT In Detail
byHaitham Raik
 
Advanced Hibernate V2
byHaitham Raik
 
Red hat linux essentials
byHaitham Raik
 
Object Oriented Analysis and Design with UML2 part2
byHaitham Raik
 
Object Oriented Analysis and Design with UML2 part1
byHaitham Raik
 
IBM OOAD Part1 Summary
byHaitham Raik
 
JEE5 New Features
byHaitham Raik
 
JMX
byHaitham Raik
 
Advanced Hibernate
byHaitham Raik
 

Recently uploaded

PPTX
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
PDF
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PPTX
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
PDF
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
PPTX
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
PDF
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
PDF
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PPTX
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
PDF
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
TrustArc Webinar - Migration to TrustArc: What Your Journey Will Look Like
byTrustArc
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 

PCI Security Requirements - secure coding

  • 1.
  • 2.
    Agenda  Overview  Information leakage and improper error handling  Cross Site Scripting (XSS)  Injection Flaws  Malicious File Execution  Insecure Direct Object References  Cross Site Request Forgery (CSRF)  Failure to Restrict URL Access  Broken Authentication and Session Management
  • 3.
    Overview  PCI DSS is a security standard that includes requirements for:  security management,  policies,  procedures,  network architecture,  software design and other critical protective measures  PCI DSS purpose: to help the organizations to protect customer account data.  This session doesn‟t cover all the security requirements.  This session covers only what has impact on our code.
  • 4.
    Information Leakage andimproper error handling  Definition: Providing too much information to the user when an error occurs.  Examples:  An error message with too much detail  Stack trace  Failed SQL statement  Functions that produce different error messages/codes based upon different inputs  Invalid username  Invalid password
  • 5.
    Information Leakage andimproper error handling Protection  Write detailed error information to secure Log.  Configure an exception handler in the web.xml for all un-handled exceptions <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/error.jsp</location> </error-page>  Always give generic error;  “The username/password is not correct”.  “Merchant Authentication Failed”
  • 6.
    Cross Site Scripting(XSS)  XSS: Describes the act of embedding malicious HTML/JavaScript code in dynamically generated pages based on invalidated input from untrustworthy sources.
  • 7.
    Cross Site Scripting(XSS)  XSS is the most common vulnerability  XSS impact:  Data on a page can be stolen and sent anywhere.  Your Website behavior can be altered.  Types of XSS  Reflected XSS; reflects user input (manipulate user input) out.writeln(“You input is:”+request.getParamter(“userInput”))  Stored XSS; attackers script is stored on server (e.g. blogs) out.writeln(“Comment: ”+blog.comment);
  • 8.
    Cross Site Scripting(XSS) Protection  Input Validation; Checking each input for validity  Accept known good:  Accept valid input types.  Accept valid input lengths.  Accept valid input patterns; e.g., phone pattern.  Reject known bad  Reject input values with bad characters and patterns; for example: <script>  Sanitize  Rather than accept or reject input, change the input to an acceptable format.  Set the HTTPOnly flag on your session cookie  Cookie with this flag cannot be accessed through client script
  • 9.
    Cross-Site Scripting (XSS)Protection  Output Escaping (Encoding): is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.  HTML Escape: <body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>  (&  &amp;) (<  &lt;) (>  &gt;) (“  &quot;) („  &#x27; ) (/  &#x2F;)  Attribute Escape: <div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>  Javascript Escape: <script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>  CSS Escape  URL Escape: <a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a >
  • 10.
    Cross-Site Scripting (XSS)Protection  Input Validation using ESAPI: boolean isValidFirstName = ESAPI.validator().isValidInput("FirstName", request.getParameter("FirstName"), "FirstNameRegex", 255, false);  Sanitize using AntiSamy import org.owasp.validator.html.*; Policy policy = Policy.getInstance(POLICY_FILE_LOCATION); AntiSamy as = new AntiSamy(); CleanResults cr = as.scan(dirtyInput, policy); MyUserDAO.storeUserProfile(cr.getCleanHTML());
  • 11.
    Cross-Site Scripting (XSS)Protection  Set HttpOnly  Before Servlet v3: response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");  Servlet v3: <session-config> <cookie-config> <http-only>true</http-only> </cookie-config> <session-config>  Output Escaping using ESAPI: <p>Hello, <%=name%></p> //performing output encoding for the HTML context String <p>Hello, <%=ESAPI.encoder().encodeForHTML(name)%></p>
  • 12.
    Injection Flaws  Definition: Attacker modifies a query/command that is executed by target interpreter  Injection applies to:  SQL injection  XPATH injection  LDAP injection
  • 13.
    Injection Flaws  SQL Injection:  SQL Statement for Authentication: StringsqlString = "SELECT * FROM users WHERE fullname = '" + form.getFullName() + "' AND password = '" + form.getPassword() + "'";  User Input: Case 1: full name: Haitham, password: 123pass Result: SELECT * FROM users WHERE username = „Haitham' AND password = '123pass' Case 2: full name: Ala' Ahmad, password: 123pass Result: SELECT * FROM users WHERE username = 'Ala' Ahmad' AND password = „13pass' Case 3: full name: blah, password: ' OR '1' = '1 Result: SELECT * FROM users WHERE username = 'blah' AND password = '' OR '1' = '1'
  • 14.
    Injection Flaws  XPATH Injection  XML file: <?xml version="1.0" encoding="utf-8"?> <employees> <employee id="AS1" firstname="John" salary=“100"/> <employee id="AS2" firstname=“Adam“ salary=“200"/> </employees>  XPATH expression: String exp = “/employees/employee[@id=„”+form.getEID()+”']” User Input: Emp_ID=„ or '1'='1 Result: /employees/employee[@id=„„ or '1'='1']
  • 15.
    Injection Flaws Protection  SQL Injection Protection using:  Use prepared statements/parameterized queries (don‟t use concatenation while building the SQL stmt) String stmt = “select * from emp where id=?”; PreparedStatement pstmt = con.prepareStatement(stmt); pstmt.setString(1, empId);  Use stored procedures  SQL Escape using ESAPI Codec ORACLE_CODEC = new OracleCodec(); String query = "SELECT name FROM users WHERE id = "+ ESAPI.encoder().encodeForSQL(ORACLE_CODEC, userId)+ " AND date_created >= '"+ ESAPI.encoder().encodeForSQL(ORACLE_CODEC, date)+ "'"; myStmt = conn.createStatement(query);
  • 16.
    Injection Flaws Protection  Hibernate Injection Protection  Use named parameters  Use Criteria API
  • 17.
    Injection Flaws Protection  XPATH Injection Protection  User input must not contain any of the following characters: ( ) = ' [ ] : , * / WHITESPACE  XPATH Injection protection using ESAPI String exp = “/employees/employee[@id=„”+ ESAPI.encoder().encodeForXPath(form.getEID())+ ”']”
  • 18.
    Malicious File Execution  Definition: occurs when attacker's files are executed or processed by the web server.  Expected Threats:  Malicious file (e.g., script) can be executed on the application server  Access to a configuration file  Override a configuration file  Fill up the filesystem  This happen when  Filename is accepted from the user without validation  File is uploaded without validation
  • 19.
    Malicious File Execution  Example:  Code Snippet // get the absolute file path on the server's filesystem String dir = servlet.getServletContext().getRealPath("/ebanking") // get input file name String file = request.getParameter(“file”); // Create a new File instance from pathname string File f = new File((dir + "" + file).replaceAll("", "/")); User Input: ../../web.xml Result: it will allow access to web server configuration file
  • 20.
    Malicious File ExecutionProtection  Filename Validation  File Type Validation  Size Validation  Don‟t allow the user to influence the final filename.  Upload files to a destination outside of the web application directory
  • 21.
    Malicious File ExecutionProtection  Filename and file type validation using ESAPI ESAPI.validator().isValidFileName("upload", filename, allowedExtensions, false));  Size Validation using Commons-FileUpload: ServletFileUpload upload = new ServletFileUpload(factory); upload.setSizeMax(maxBytes);
  • 22.
    Direct Object References(DOR)  DOR occurs when a developer exposes a reference to an internal implementation:  Object  File or Directory  Database record  Attacker can manipulate object references to access other objects without authorization.  For Example:  URL (or form parameter) to my banking account is: /accounts/viewDetail?id=3540  What will happen if I changed this to  /accounts/viewDetail?id=3541
  • 23.
    Direct Object References(DOR) Protection  Avoid exposing direct object references  Use Indirect Object References  Verify Authorization to all referenced objects
  • 24.
    Direct Object References(DOR) Protection  Indirect Object Reference using ESAPI //create ESAPI random access reference map AccessReferenceMap map = new RandomAccessReferenceMap(); //get indirect reference using direct reference String indirectReference = map.addDirectReference(obj.getId()); //set indirect reference for each object - requires your app object to have this method obj.setIndirectReference(indirectReference); // Store the map in the session
  • 25.
    Direct Object References(DOR) Protection  Verify Authorization  For example:  Before: select * from accounts where accNum = ?  After: select * from accounts where accNum = ? And userId = ?
  • 26.
    Direct Object References(DOR) Protection  Authorization vs Indirect object reference  Authorization:  May require an extra DB hit  Exposes actual ID  Indirect object reference  May not require an extra DB hit  Hides actual ID  Requires a bit of extra coding and some extra information  Not very popular
  • 27.
    Cross Site RequestForgery (CSRF)  CSRF: forces logged-in victim to send a request to a vulnerable web application, which then performs action on behalf of the victim.  Sample CSRF Scenario:  A hacker posts to a blog containing an image tag (blog site allows XSS) <img src=“http://www.yourbank.com/transfer?to_acc=hacker_acc_ num&amount=1000”/>  User logs into yourbank.com (session is active for user)  User visits the blog (without logging from yourbank.com)  Loading the image will send request to the bank site  The bank will transfer the user‟s money to hacker‟s account
  • 28.
    Cross Site RequestForgery (CSRF) Protection  Make sure there are no XSS vulnerabilities in your application; refer to XSS protection slides.  Do not use GET requests to perform transactional operations.  Javascript can be used to create auto submit POST forms.  Check the referrer header. Shows where the request originated  This is optional and the user can disable it.  For sensitive transactions, re-authenticate.  Add a confirmation page.
  • 29.
    Cross Site RequestForgery (CSRF) Protection  Insert custom random tokens into every form and URL  Generate CSRF token  Store user in http session  On any form/URL add the token as a parameter/hidden field.  On the server, check the submitted token matches the token form.  On logout, the CSRF token is removed.
  • 30.
    Cross Site RequestForgery (CSRF) Protection  Do not use GET requests public void doGet(HttpServletRequest req, HttpServletResponse resp) { throw new Exception(“Invalid operation”); }  Check the referrer header using HTTPServletRequest: String referer = request.getHeader(“Referer”); if (referer != null && referer != “our trusted link”) { session.invalidate(); throw new Exception(); }
  • 31.
    Cross Site RequestForgery (CSRF) Protection  Implementing CSRF tokens using ESAPI // To generate CSRF token String csrfToken = ESAPI.randomizer().getRandomString(8, DefaultEncoder.CHAR_ALPHANUMERICS); // After user authentication, add token to user‟s session request.getSession().setAttribute(“csrfToken”, csrfToken); // To Validate a Token; this code can be added a filter String requestToken = request.getParameter(“csrfToken”); String sessionToken = session.getAttribute(“csrfToken”); if (!requestToken.equals(sessionToken)) { throw new Exception(“Invalid CSRF Token”); }
  • 32.
    Cross Site RequestForgery (CSRF) Protection // At logout, delete the session which removes its content HttpSession session = request.getSession(false); if (session != null) { session.invalidate(); }  Implementing CSRF tokens using CSRFGuard project via ServletFilters  Tokens are automatically generated, managed, verified, and inserted  Copy Owasp.CsrfGuard.jar file to your application‟s classpath  Declate CsrfGuard in web.xml  Configure the Owasp.CsrfGuard.properties file as you see fit
  • 33.
    Failure to RestrictURL Access  Attacker, who is an authorized user, simply changes the URL to a privileged page.  URL is not protected with authorization.  Just because your URL is hard to guess, doesn‟t mean it can‟t be found!  Example:  “hidden” URLs rendered only to admins /admin/adduser.do  Attacker can find unprotected URLs  Test pages deployed in production  “hidden” files such as system reports
  • 34.
    Failure to RestrictURL Access Protection  Create Access Control Matrix for your Application: Function 1 Function 2 Function 3 PG Admin Read, write Read, Write Read, Write Acquirer Admin Read Read, Write Read, Write  Access Control Matrix shouldReadeasily configured Bank Admin be Read,  For each request, ensure that the userWrite is authorized to access that function.  Block access to all file types that your application should never serve  Put all your UI files under /WEB-INF
  • 35.
    Broken Authentication &Session Management  Flaws in this area most frequently involve the failure to protect credentials and session tokens through their lifecycle  If this issue is not properly addressed, many issues arise:  Account hijacked  Credentials stolen  Privacy violation
  • 36.
    Broken Authentication &Session Management Protection  Use the build-in session management  Utilize SSL / TLS Session identifier  With regards to authentication:  Use a single authentication point  Invalidate the HttpSession before login and after login to prevent session fixation  Make sure logout function invalidate the session  Add a session time-out  Do not expose any session identifiers in URLs or logs  Check the old password when the user changes to a new password
  • 37.
    Broken Authentication &Session Management Protection  Prevent brute force attacks by limiting the number of attempts  Destroy session if Referrer is suspicious (see CSRF)  Regenerate session if remote IP changed  Regenerate session if user agent changed
  • 38.
    Broken Authentication &Session Management Protection  Invalidate Session: request.getSession(false).invalidate();  Session Timeout:  Programmatically: session.setMaxInactiveInterval(20*60);  Using web.xml: <web-app ...> <session-config> <session-timeout>20</session-timeout> </session-config> </web-app>
  • 39.
    Broken Authentication &Session Management Protection  Regenerate session if remote IP changed String preRemoteIP = session.getAttribute(“RemoteIP”); String remoteIP = request.getRemoteAddr(); if (!preRemoteIP.equals(remoteIP)) {//read atts session.invalidate(); } session = request.getSession(true);//write atts String preRemoteIP = session.getAttribute(“RemoteIP”); String remoteIP = request.getRemoteAddr(); if (!preRemoteIP.equals(remoteIP)) { HTTPUtilities esapiHTTPUtilities = ESAPI.httpUtilities(); esapiHTTPUtilities.setCurrentHTTP(request, response); esapiHTTPUtilities.changeSessionIdentifier(); }
  • 40.
    Broken Authentication &Session Management Protection  Regenerate session if user agent changed String preUserAgent = session.getAttribute(“UserAgent”); String userAgent = request.getHeader("user-agent"); if (! preUserAgent.equals(userAgent)) { HTTPUtilities esapiHTTPUtilities = ESAPI.httpUtilities(); esapiHTTPUtilities.setCurrentHTTP(request, response); esapiHTTPUtilities.changeSessionIdentifier(); }
  • 41.
    What is Next?

Editor's Notes

  • #5 Showing the same error message with different codes is another type of leaking the information
  • #6 Secure Log means, only authorized people can see its content
  • #9 HttpOnly is not supported by safari
  • #11 ESAPI is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
  • #13 XSS and Injection flaws are similar in the concept; XSS for browsers while injection for data sources
  • #14 Case 1: no problemsCase 2: SQL ExceptionCase 3: user is authenticated
  • #15 Returns all the employees
  • #16 JDBC driver escape the dangers characters
  • #22 isValidFileName(String context, String input, List&lt;String&gt; allowedExtensions, boolean allowNull) 
  • #25 To Fetch the direct reference using the indirect reference use:map.getDirectReference()setIndirectReference can be supported by using a super class for all the entities
  • #37 Session hijacking: - Predictable session key  use Build-in Session management to generate random and v. long key - Session Fixation Regenerate session id after login - Sniffing:  use Https - Steal the session key (XSS)  refer to XSS