Secure Coding for Java - An Introduction | PDF
Secure Coding for Java (an introduction)
Java User Group Poitou-Charentes (Niort)
27 June 2013
Sébastien Gioria
Sebastien.Gioria@owasp.org
Chapter Leader OWASP France
Friday, June 28, 13
http://www.google.fr/#q=sebastien gioria
‣ OWASP France Leader & Founder & Evangelist
‣ Innovation & Technology @ Advens
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.
Twitter: @SPoint / @OWASP_France
Don't worry, this is the only slide in English; on the other hand, there will be things written all over the bottom...
Forewords
• This is a presentation made from my own experience with some companies using OWASP materials.
• Only the documents from the OWASP wiki are OWASP official (see https://www.owasp.org).
• Some extracts come from documents I wrote as OWASP leader, which is why you could find them elsewhere.
Agenda
• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Using OWASP materials to secure code
• Secure Coding principles
Introduction
Why Application Security?
[Build slide, a decision flow:]
Has your application been hacked?
  NO  -> Your application will be hacked ;)
  YES -> My application will be hacked!
Either way: let me take you on the right way -> next step
Why Application Security?
We are living in a digital environment, in a connected world:
• Most websites are vulnerable to attacks
• An important share of business is web-based (services, online stores, self-care, telcos, SCADA, ...)
Age of antivirus -> age of network security -> age of application security
Consequences of bad or no security
– Identity theft
– Hardware theft
– IT downtime
– Bad media coverage
– Financial loss
– Customer loss
– Legal/business penalties
What did Verizon (a PCI-DSS company) say?
[Charts, © Verizon 2012]
Verizon study
[Charts, © Verizon 2012]
[Chart, (c) WhiteHat Security 2013]
What your CIO said: I got a firewall!
What your business user said: I have an SSL-based web site
What your business user said: only hackers can attack my website
• Tools are simpler and simpler.
• Try a simple Google search on "SQL injection" and look at the results.
• An attack on a web server costs $100 to $200 per day on the underground market.
What your user said: a vulnerability in an internal application is not critical
• No. The web is everywhere, and CSRF, HTML5 CORS and more can make this completely destructive.
• Be aware and share this:
  • AJAX does a lot of things without you.
  • HTML5 will come with "nice" user functionality, but with a big impact on security (WebSocket, CORS, ...).
But I do security testing!
[Diagram: Security Testing vs. Coding]
Major OWASP publications you can use
All are on the wiki https://www.owasp.org
All are under GPL or friendly licenses
Major publications you can use to secure your projects/SDLC:
Ø OWASP Top 10 (it references the three guides below)
Ø Auditor/Testing Guide
Ø Code Review Guide
Ø Building Guide
Ø Application Security Verification Standard (ASVS)
Ø Secure Coding Practices
Ø Application Security Desk Reference (ASDR)
[Build slide:] Learn -> Contract -> Design -> Build -> Test -> Progress
OWASP Application Security Verification Standard
What is ASVS?
• A standard that provides a basis for the verification of web applications, independent of the application.
• A standard that is independent of the life-cycle model.
• A standard that defines requirements that can be applied across applications without special interpretation.
What questions does ASVS answer?
• How much trust can be placed in a web application?
• What features should be built into security controls?
• How do I acquire a web application that is verified to have a certain range in coverage and level of rigor?
ASVS security control requirements (number of requirements per level)

Security Area                                              1A  1B  2A  2B   3   4
V1  – Security Architecture Verification Requirements        1   1   2   2   4   5
V2  – Authentication Verification Requirements               3   2   9  13  13  14
V3  – Session Management Verification Requirements           4   1   6   7   8   9
V4  – Access Control Verification Requirements               5   1  12  13  14  15
V5  – Input Validation Verification Requirements             3   1   5   7   8   9
V6  – Output Encoding/Escaping Verification Requirements     0   1   2   8   9  10
V7  – Cryptography Verification Requirements                 0   0   2   8   9  10
V8  – Error Handling and Logging Verification Requirements   1   1   2   8   8   9
V9  – Data Protection Verification Requirements              1   1   2   3   4   4
V10 – Communication Security Verification Requirements       1   0   3   6   8   8
V11 – HTTP Security Verification Requirements                3   3   6   6   7   7
V12 – Security Configuration Verification Requirements       0   0   0   2   3   4
V13 – Malicious Code Search Verification Requirements        0   0   0   0   0   5
V14 – Internal Security Verification Requirements            0   0   0   0   1   3
Totals                                                      22  12  51  83  96 112
But ASVS stands for Verification?
• ASVS just states the functional needs for controls.
• You should use it as a Secure Coding Policy.
★ Don't be medium (ASVS Level 1/2), target excellence (ASVS Level 4).
Using ASVS as a secure coding policy
• ASVS: Verify that all password fields do not echo the user's password when it is entered.
  ➡ All password fields must be defined as HTML password fields and must not echo the user's password.
  ➡ All login forms must include the autocomplete=off attribute (note: current browsers ignore it on password fields, so treat it as a hint only).
• ASVS: Verify that all input validation is performed on the server side.
  ➡ Perform all input validation on the server. Nothing in the browser.
Positive attitude
Negative: The tester shall search for XSS holes.
Positive: Verify that the application performs input validation and output encoding on all user input.
See: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
OWASP Secure Coding Practices
OWASP Secure Coding Practices
• Small document (only 9 pages)
• Can be used as a simple checklist for your policy.
• Can be used together with ASVS or alone.
• More technical and deeper approach than ASVS.
• Written and used by Boeing :)
Secure Coding Practices contents
• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices
Now the torture room
Let's talk Secure Coding now
(extracts from OWASP Secure Coding Practices / OWASP Cheat Sheets / OWASP ASVS, ...)
Some secure principles to follow
• Defense in depth of the application is mandatory
• Following least privilege is the best solution
• Segregate duties more than the user thinks
➡ Remember that the application needs to answer user needs, not security's pleasure.
Defense in depth of a web application (example)
[Diagram: Browser -> Firewall -> Web Server -> Application Server -> Web Apps / Application -> SGBD (database), with a control at every tier:]
• User authentication; authorisation and authentication (in the application and again at the database)
• Input validation
• Secure configuration
• Good crash mechanisms
• Critical data transport protection
• Preventing session and ID theft; preventing parameter theft
• Critical data protection
• Logs/audit of transactions
Fail securely
• Don't give the user technical details of the error/crash.
• Clean the state or the used objects in the catch clause.
Don't try to make obscure things
[Screenshots: GEOPORTAIL, GOOGLE MAPS]
• Obfuscation is not the solution
• There is someone in the matrix who will send you evil data
• Be evil!
• Protecting areas with filters is the best solution
Controls
• Controls need:
  – to be simple
  – to be used correctly
  – to be functional
  – to be present in every part of the application
A badly understood control ends up unused by developers, and the application will be vulnerable.
Minimal controls to have
• You must have at least these components in your application:
  – Authentication
  – Authorization
  – Logging and audit
  – Secure storage
  – Secure transport
  – Secure input and output manipulation of data
Authentication
Implement a good password strategy
• Password length: categorize applications:
  • Important: at least 6 characters
  • Critical: at least 8 characters and perhaps multi-factor authentication
  • High critical: at least 14 characters and multi-factor authentication
• Password strength: implement password complexity according to the previous categories
  • at least: 1 upper, 1 lower, 1 digit, 1 special
  • don't allow dictionary passwords
  • don't allow sequences of consecutive characters
Implement a good password strategy
• Let the user choose it
• Force the user to change it regularly, and add a no-reuse capability.
• Don't allow too many "I forgot my password"
• Don't allow a password change without user approval; require the current password from the user, and more for high critical.
• Add a sleep strategy (slow down after failures)!
• Add a misuse detection strategy!
• Don't store passwords in clear!!!!! Use a (salted) hash!
Multi-factor authentication
• Passwords are bad
• Passwords are guessable
• Multi-factor combines:
  – something you have (token, mobile, ...)
  – something you know (details about you, password, ...)
  – sometimes, something you are (biometrics)
• Use it for high critical applications.
Implement a good global strategy
• Ask for a second authentication for critical transactions (with multi-factor auth...)
• Force authentication to be over TLS/SSL
• Regenerate the session ID after authentication
• Force the session ID to be "secure"
• Limit forgotten-password and login/password change requests
How to do it?
• Authenticate all pages except public pages (login, logout, help, ...)
• Don't allow more than one authentication mechanism
• Authenticate on the SERVER
• Simply send back "user or password mismatch" and nothing else after a failed authentication.
• Log all failed and all successful authentications
• After each authentication, give the user the last status of his authentication.
• Good regex for password complexity (8 to 30 characters, at least one digit, one lowercase, one uppercase and one special character):
(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
• Good storage of password with SALT:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Returns SHA-256(salt || password). The salt must be random and unique per user
// and is stored next to the hash; it defeats precomputed (rainbow) tables.
public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.update(salt);
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}
Session Management
Session
• Use the default Java framework generator
• Use another name than the framework's default (rename JSESSIONID...)
• Force transport of the authentication ID over SSL/TLS.
• Don't allow the session ID in the URL!
• If using a cookie:
  – Secure cookie
  – HttpOnly cookie
  – Limit path + domain
  – Max-Age and expiration
Session, the tricky parts
• Automatic expiration, categorize applications:
  • default: 1 hour
  • critical (some transactions): 20 min
  • high critical (financial or account impact): 5 min
• Renew the session ID after any privilege change
• Don't allow simultaneous logons
• Add session attack detection
• Add in-session tips: IP of the session, another random number, ...
Browser defenses
• Bind JavaScript events to close the session:
  – on window.close()
  – on window.stop()
  – on window.blur()
  – on window.home()
• Use JavaScript timers to automatically close the session in high critical applications
• Disable web browser cross-tab sessions if possible... (bad user experience....)
  – If you use cookies, this is not possible!!!!
These client-side measures only help with a cooperating browser; the server-side inactivity timeout and the session-ID controls remain the real protection.
Using Servlet 3.0? Declare the session cookie flags in web.xml:

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
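The same flags set programmatically, together with the session-ID rules from the previous slides (rename the cookie, never accept the ID in the URL, regenerate the ID at login and on privilege change, per-category inactivity timeout). This is an added example written for this page, not code from the slides; the cookie name SID, the path /shop, the session attribute names and the timeout constants are assumptions. It needs the Servlet 3.0 API (javax.servlet) and runs inside the container, which calls the listener at deployment.

```java
import java.util.EnumSet;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Session hardening for a Servlet 3.0 container, without web.xml. */
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    // Inactivity timeouts per application category, from the "Session, the tricky parts" slide
    public static final int TIMEOUT_DEFAULT_SECONDS = 60 * 60;
    public static final int TIMEOUT_CRITICAL_SECONDS = 20 * 60;
    public static final int TIMEOUT_HIGH_CRITICAL_SECONDS = 5 * 60;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setName("SID");       // anything but the framework default JSESSIONID (assumed name)
        cookie.setHttpOnly(true);    // not readable from JavaScript
        cookie.setSecure(true);      // only sent over TLS: the site must be served over HTTPS
        cookie.setPath("/shop");     // hypothetical context path: don't leak the cookie to other apps on the host
        // No setDomain(): a host-only cookie is the narrowest scope
        cookie.setMaxAge(-1);        // browser-session cookie; the server-side inactivity timeout is the real limit
        // Cookie only: the container will neither accept nor emit ;jsessionid=... in URLs
        sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /**
     * Call right after a successful login, and again after any privilege change.
     * Invalidating the pre-login session and creating a new one defeats session fixation:
     * an ID an attacker planted before authentication is never promoted to an authenticated one.
     * (On Servlet 3.1+, request.changeSessionId() rotates the ID while keeping the attributes.)
     */
    public static HttpSession onAuthenticated(HttpServletRequest request, String userId, int timeoutSeconds) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);             // new ID generated by the container
        fresh.setAttribute("userId", userId);                     // assumed attribute names
        fresh.setAttribute("clientIp", request.getRemoteAddr());  // "in-session tip" to compare on later requests
        fresh.setMaxInactiveInterval(timeoutSeconds);             // e.g. TIMEOUT_HIGH_CRITICAL_SECONDS for banking
        return fresh;
    }
}
```

A login servlet calls `SessionHardeningListener.onAuthenticated(request, user, SessionHardeningListener.TIMEOUT_CRITICAL_SECONDS)` once the password check has passed; with `setSecure(true)` the cookie is never sent over plain HTTP, so the whole application, not just the login page, must be served over TLS.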
Access Controls
Remember:
(1) Without access control, you can't control the user in your application
(2) All client inputs are EVIL
Authentication & Authorization
• Two levels of authentication and authorization are needed:
  – in the application
  – in the infrastructure
[Diagram: App Server -> SGBD: role A connects with "Table A + duty A", role B connects with "Table B + duty B"; each role only reaches its own tables and duties]
Authorization
• Have the rule in mind: nothing by default
• Centralize all authorization code on the SERVER
• If client state is mandatory, use encryption and integrity checking on the server side to catch state tampering.
• Limit the number of transactions per user in a time interval.
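The slide asks for integrity checking of any state that has to live on the client (hidden fields, a cookie, a URL parameter). The class below is an added example written for this page, not code from the slides, and shows the integrity half: the server signs the state with an HMAC key that never leaves the server and refuses any state whose tag no longer matches, using a constant-time comparison. It does not hide the state; if the contents are also confidential, encrypt them (AES-GCM gives both properties) rather than relying on the tag alone. The token format and the sample state string are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Integrity-protected client-side state.
 * Token format (assumed): base64url(state) + "." + base64url(HMAC-SHA256(state)).
 */
public final class SignedState {
    private final SecretKeySpec key;

    /** The key must be random, at least 32 bytes, and shared only between the application's servers. */
    public SignedState(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    /** Sign state before handing it to the browser. */
    public String seal(String state) {
        byte[] data = state.getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(data) + "." + enc.encodeToString(mac(data));
    }

    /** Returns the original state, or null if the token is malformed or has been tampered with. */
    public String open(String token) {
        int dot = token.lastIndexOf('.');
        if (dot <= 0) return null;
        byte[] data, tag;
        try {
            data = Base64.getUrlDecoder().decode(token.substring(0, dot));
            tag = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        // MessageDigest.isEqual is constant-time, so response timing leaks nothing about the tag
        if (!MessageDigest.isEqual(mac(data), tag)) return null;
        return new String(data, StandardCharsets.UTF_8);
    }

    private byte[] mac(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);     // HmacSHA256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SignedState signer = new SignedState(secret);

        String token = signer.seal("cartId=42&role=user");    // constructed state
        System.out.println("valid token opens to: " + signer.open(token));

        // The attacker edits the state (role=user -> role=admin) but cannot recompute the tag
        String forged = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("cartId=42&role=admin".getBytes(StandardCharsets.UTF_8))
                + token.substring(token.lastIndexOf('.'));
        System.out.println("tampered token opens to: " + signer.open(forged));
    }
}
```

Anything that the server cannot recompute from its own session should still be validated after `open()` returns it: the tag proves the state came from your server unchanged, not that it is still appropriate for this user or this moment.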
Authorization
• Enforce:
  – protection of URLs to authorized accounts only
  – protection of functions to authorized accounts only
  – protection of file access to authorized accounts only
• The application needs to terminate the session when authorization fails.
• Split administrative and user authorization
• Enforce dormant account handling:
  – loss of privileges
  – "disable account"
  – alerts
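Nothing by default, URL protection for authorized accounts only, administrative functions split from user ones, and session termination on an authorization failure, all in one central servlet filter. This is an added example written for this page, not code from the slides; the path-to-role policy, the session attribute name "role" and the redirect target are assumptions, and a real policy would come from configuration (or from web.xml security-constraints, which the container enforces the same way). The decision is a pure function so it can be tested without a container.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Deny-by-default URL authorization, mapped to /* so no page can forget to call it. */
public class AuthorizationFilter implements Filter {

    enum Decision { ALLOW, LOGIN_REQUIRED, DENY }

    // Hypothetical policy: longest matching prefix wins; "*" means public, otherwise the allowed roles
    private static final Map<String, Set<String>> POLICY = new HashMap<>();
    static {
        POLICY.put("/login", Collections.singleton("*"));
        POLICY.put("/logout", Collections.singleton("*"));
        POLICY.put("/help", Collections.singleton("*"));
        POLICY.put("/shop", Collections.singleton("USER"));
        POLICY.put("/admin", Collections.singleton("ADMIN"));   // administrative functions split from user ones
    }

    /** The central decision: a path not listed at all is denied, whatever the role. */
    static Decision decide(String path, String role) {
        String best = null;
        for (String prefix : POLICY.keySet()) {
            boolean matches = path.equals(prefix) || path.startsWith(prefix + "/");
            if (matches && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        if (best == null) return Decision.DENY;                 // nothing by default
        Set<String> allowed = POLICY.get(best);
        if (allowed.contains("*")) return Decision.ALLOW;       // public page
        if (role == null) return Decision.LOGIN_REQUIRED;       // anonymous caller on a protected page
        return allowed.contains(role) ? Decision.ALLOW : Decision.DENY;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String role = session == null ? null : (String) session.getAttribute("role");   // set at login (assumed)
        // servletPath + pathInfo is the container-decoded, normalized path inside this web application
        String path = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());

        switch (decide(path, role)) {
            case ALLOW:
                chain.doFilter(req, res);
                break;
            case LOGIN_REQUIRED:
                response.sendRedirect(request.getContextPath() + "/login");
                break;
            default:
                if (session != null) {
                    session.invalidate();                       // terminate the session on an authorization failure
                }
                response.sendError(HttpServletResponse.SC_FORBIDDEN);  // no hint about what exists behind the URL
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

`decide("/admin/users", "USER")` is DENY, `decide("/reports", "ADMIN")` is DENY because the path is not in the policy, and `decide("/shop/cart", null)` is LOGIN_REQUIRED; function-level and file-level checks inside the handlers still apply on top of this URL-level gate.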
Validation of Data
Input Validation
• Ensure all data validation is done on THE SERVER.
  – If you only do something on the client side, we can say you are doing "painting".
• Classify your data:
  – trusted data
  – untrusted data
• Establish a trusted path.
• Centralize your data validation
• Use proper parameterized queries when they exist (SQL)
Border validation
• Consider validating data at all the entry points of your application border
Input Validation
• Use the proper character set for all input
• Encode all data to the same character set before doing anything <=> canonicalize
• Reject all data that fails validation
• Validate data against:
  – expected type (convert as soon as possible to Java types)
  – expected range
  – expected length
  – expected values
  – expected "white list" if possible
Input Validation
• Be careful with "hazardous" characters (e.g. < > ' , " ! ( + ) & % .)
• Add specific validation:
  – check for null bytes (%00)
  – check for new lines (%0D, %0A, \n, \r, ...)
  – check for dot-dot-slashes (../)
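The two slides above describe one procedure: canonicalize, then validate type, range, length, values and whitelist, rejecting anything else, including null bytes, line breaks and dot-dot-slash. The class below, an added example written for this page and not taken from the slides, carries that through for a few constructed fields; the field names, the patterns and the limits are assumptions (the order-id format follows the sample value used on the JPA slides). NFKC normalization is what folds full-width letters such as ｓｃｒｉｐｔ, which the encoding slide that follows shows, back to plain ASCII before the whitelist check runs.

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

/**
 * Centralized, server-side whitelist validation. Every rule is positive (what is allowed),
 * input is canonicalized first, and whatever fails is rejected rather than "cleaned".
 */
public final class InputValidator {
    // Hypothetical positive patterns
    private static final Pattern USERNAME = Pattern.compile("^[a-z][a-z0-9_]{2,31}$");
    private static final Pattern ORDER_ID = Pattern.compile("^[0-9]{3}-[A-Z]{3}-[0-9]{3}-[A-Z]{8}$");
    private static final Pattern FILE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.(pdf|png|txt)$");

    public static final class ValidationException extends Exception {
        ValidationException(String field, String reason) { super(field + ": " + reason); }
    }

    private InputValidator() {}

    /** Step 1: one canonical form, then the checks that apply to every field. */
    static String canonicalize(String field, String raw, int maxLength) throws ValidationException {
        if (raw == null) throw new ValidationException(field, "missing");
        String value = Normalizer.normalize(raw, Normalizer.Form.NFKC).trim();
        if (value.length() > maxLength) throw new ValidationException(field, "too long");
        if (value.indexOf('\0') >= 0) throw new ValidationException(field, "null byte");
        if (value.indexOf('\n') >= 0 || value.indexOf('\r') >= 0) throw new ValidationException(field, "line break");
        if (value.contains("../") || value.contains("..\\")) throw new ValidationException(field, "path traversal");
        return value;
    }

    /** Step 2: the field-specific whitelist. */
    private static String match(String field, String raw, int maxLength, Pattern allowed) throws ValidationException {
        String value = canonicalize(field, raw, maxLength);
        if (!allowed.matcher(value).matches()) throw new ValidationException(field, "not in whitelist");
        return value;
    }

    public static String username(String raw) throws ValidationException { return match("username", raw, 32, USERNAME); }
    public static String orderId(String raw) throws ValidationException { return match("orderId", raw, 24, ORDER_ID); }
    public static String fileName(String raw) throws ValidationException { return match("fileName", raw, 70, FILE_NAME); }

    /** Type + range: convert to a Java int as early as possible, then check the business range. */
    public static int quantity(String raw) throws ValidationException {
        String value = canonicalize("quantity", raw, 4);
        int qty;
        try {
            qty = Integer.parseInt(value);
        } catch (NumberFormatException e) {
            throw new ValidationException("quantity", "not an integer");
        }
        if (qty < 1 || qty > 100) throw new ValidationException("quantity", "out of range 1..100");
        return qty;
    }

    public static void main(String[] args) {
        String[][] samples = {   // constructed inputs: field, value
            {"username", "alice_01"}, {"username", "alice<script>"},
            {"orderId", "123-ADB-567-QTWYTFDL"}, {"orderId", "1 OR 1=1"},
            {"fileName", "../../etc/passwd"}, {"fileName", "report-2013.pdf"},
            {"quantity", "７"}, {"quantity", "abc"}, {"quantity", "99999"}
        };
        for (String[] s : samples) {
            try {
                String result;
                if (s[0].equals("username")) result = username(s[1]);
                else if (s[0].equals("orderId")) result = orderId(s[1]);
                else if (s[0].equals("fileName")) result = fileName(s[1]);
                else result = String.valueOf(quantity(s[1]));
                System.out.println("ACCEPT " + s[0] + " = " + result);
            } catch (ValidationException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

The rejected value is never echoed back to the user in the error (only the field and the reason), which keeps the validator from becoming an XSS vector of its own.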
Be careful of encoding for specific validation...
The same payload <script>alert(XSS);</script> can arrive as:
URL encoded:
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e%0a
HTML entities:
&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x58;&#x53;&#x53;&#x29;&#x3b;&#x3c;&#x2f;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x0a;
%u escapes of full-width characters (labelled "UTF-8" on the slide; NFKC canonicalization folds them back to ASCII):
%u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c%uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003
One space between each character?
< s c r i p t > a l e r t ( X S S ) ; < / s c r i p t >
Validate data
SQL => bad [screenshot]
SQL => a little bit better [screenshot]
JPA/Entity

/* SQL => bad: untrusted input concatenated into JPQL and native SQL */
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();
List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();
int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();

/* SQL => better: bind parameters, the value never becomes part of the query text */

/* positional parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");
List results = jpqlQuery.setParameter(1, "123-ADB-567-QTWYTFDL").getResultList();

/* Native SQL */
Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class);
List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList();

/* named query in JPQL - Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */
Query jpqlQuery = entityManager.createNamedQuery("myCart");
List results = jpqlQuery.setParameter("itemId", "item-id-0001").getResultList();

/* named parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");
List results = jpqlQuery.setParameter("incentive", Long.valueOf(10000)).getResultList();
XML => bad [screenshot]
XML => validating via regexp/white list [screenshot]
Better, an XML schema

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="item">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="description" type="xs:string"/>
        <xs:element name="price" type="xs:decimal"/>
        <xs:element name="quantity" type="xs:integer"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

XML => XML parser validation
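What "XML parser validation" looks like in Java: the item schema from the slide compiled with javax.xml.validation, and the untrusted document parsed by a JAXP parser that refuses DOCTYPEs and external entities before the schema check runs. Schema validation alone does not stop entity expansion or external entity resolution, so the parser features are the hardening a practitioner wants even though the slide does not spell them out. This is an added example written for this page, not code from the slides; the sample documents are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Parse untrusted XML with a hardened parser, then validate it against the item schema. */
public final class ItemXmlValidator {
    private static final String ITEM_SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + " <xs:element name=\"item\"><xs:complexType><xs:sequence>"
      + "  <xs:element name=\"description\" type=\"xs:string\"/>"
      + "  <xs:element name=\"price\" type=\"xs:decimal\"/>"
      + "  <xs:element name=\"quantity\" type=\"xs:integer\"/>"
      + " </xs:sequence></xs:complexType></xs:element>"
      + "</xs:schema>";

    private final Schema schema;
    private final DocumentBuilderFactory factory;

    public ItemXmlValidator() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");      // the schema itself must not fetch anything
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        schema = sf.newSchema(new StreamSource(new StringReader(ITEM_SCHEMA)));

        factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // XXE / entity-expansion hardening: no DOCTYPE at all, so no internal or external entities
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
    }

    /** Returns the parsed document, or throws if the XML is malformed, carries a DTD, or breaks the schema. */
    public Document parseAndValidate(String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        Validator validator = schema.newValidator();
        validator.validate(new DOMSource(doc));
        return doc;
    }

    public static void main(String[] args) throws Exception {
        ItemXmlValidator v = new ItemXmlValidator();
        String[] samples = {   // constructed inputs
            "<item><description>Book</description><price>12.50</price><quantity>2</quantity></item>",
            "<item><description>Book</description><price>12.50</price><quantity>two</quantity></item>",
            "<item><description>Book</description><price>12.50</price><quantity>2</quantity><extra>1</extra></item>",
            "<!DOCTYPE item [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
              + "<item><description>&xxe;</description><price>1</price><quantity>1</quantity></item>"
        };
        for (String xml : samples) {
            try {
                v.parseAndValidate(xml);
                System.out.println("ACCEPT " + xml);
            } catch (Exception e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

Only the first document is accepted: the second fails the xs:integer type, the third has an element the schema does not allow, and the fourth is refused by the parser before the schema is even consulted.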
LDAP => bad [screenshot]
LDAP => better [screenshot]
Using OWASP ESAPI
Output Encoding
Output encoding
• It's a defense in depth mechanism
• Encode ON THE SERVER
• Centralize the encoder functions
• Sanitize all data sent to the client
  – HTMLEncode is a minimum but does not work in all cases: the encoding must match the context the data lands in (HTML body, attribute, JavaScript, URL, ...)
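Why HTMLEncode alone is not enough: the right encoding depends on where the data lands. The class below is an added example written for this page, not code from the slides, of a centralized set of context-specific encoders following the rules of the OWASP XSS Prevention Cheat Sheet (HTML body, HTML attribute, JavaScript string, URL parameter). In production, prefer a maintained library such as the OWASP Java Encoder or ESAPI, which the deck mentions; the payload in main is constructed.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/**
 * Context-aware output encoders. The attribute and JavaScript encoders escape everything that is
 * not alphanumeric, so no character can close the surrounding quote or tag.
 */
public final class Encoders {
    private Encoders() {}

    /** Rule #1: HTML element content. */
    public static String forHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/': out.append("&#x2F;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Rule #2: HTML attribute values (always put the attribute in quotes as well). */
    public static String forHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) out.append(c);
            else out.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return out.toString();
    }

    /** Rule #3: inside a quoted JavaScript string literal: \xHH below 256, \\uHHHH above. */
    public static String forJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) out.append(c);
            else if (c < 0x100) out.append(String.format("\\x%02X", (int) c));
            else out.append(String.format("\\u%04X", (int) c));
        }
        return out.toString();
    }

    /** Rule #5: a value placed in a URL query parameter. */
    public static String forUrlParameter(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);   // UTF-8 is always available
        }
    }

    private static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    public static void main(String[] args) {
        String evil = "\" onmouseover=\"alert('XSS')";   // constructed payload
        System.out.println("<p>" + forHtml(evil) + "</p>");
        System.out.println("<input value=\"" + forHtmlAttribute(evil) + "\">");
        System.out.println("<script>var name = '" + forJavaScript(evil) + "';</script>");
        System.out.println("<a href=\"/search?q=" + forUrlParameter(evil) + "\">search</a>");
    }
}
```

Note what each context needs: in the attribute the double quote becomes `&#x22;` so it cannot terminate `value="..."`, and in the script block the single quote becomes `\x27` so it cannot terminate the JavaScript string; the HTML-body encoder alone would have left the attribute case exploitable if the attribute were unquoted.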
Attempt 1 => bad [screenshot]
Attempt 2 => it's bad, but better than nothing [screenshot]
A good solution with a robust sanitizer :) [screenshot]
Error Logging
Error Handling
Your application will crash!
• Catch all exceptions without exception (remember the null pointer exception!)
  – Clean all exception code of sensitive data
  – Don't give the user any details about the crash, just say "It's a crash, try again later"
• Logs are sensitive, you MUST PROTECT THEM
• Log:
  – input validation failures
  – authentication requests, especially failures
  – access control failures
  – system exceptions
  – administrative functionality
  – crypto failures
  – invalid/expired session token access
Logging/Errors
• Split your logs into categories, for example:
  – Access
  – Error
  – Debug
  – Audit
• Use log4j for standard logging
Log4j example

// Import log4j classes.
import org.apache.log4j.BasicConfigurator;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;

public class SecLogger {
    // Define a static logger variable so that it references the
    // Logger instance named after this class.
    static Logger logger = Logger.getLogger(SecLogger.class);

    public static void main(String[] args) {
        // Set up a simple configuration that logs on the console.
        BasicConfigurator.configure();
        logger.setLevel(Level.DEBUG); // optional if a log4j.properties file is not used
        // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL
        logger.info("Entering application.");
        doIt();
        logger.info("Exiting application.");
    }

    static void doIt() {
        logger.debug("Doing it.");
    }
}
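Several of the events the previous slide asks you to log (input validation failures, authentication failures) carry attacker-chosen strings, and an embedded newline lets the attacker forge a whole extra log entry or hide a real one from whoever reads the file or parses it. The class below is an added example written for this page, not code from the slides; it uses java.util.logging so it runs without log4j, and the forged username in main is constructed.

```java
import java.util.logging.Logger;

/** Neutralize CR/LF and control characters before writing attacker-controlled data to a log. */
public final class SafeLog {
    private static final Logger LOG = Logger.getLogger(SafeLog.class.getName());
    private static final int MAX_FIELD = 200;

    private SafeLog() {}

    /** Escapes line breaks and control characters and caps the length, so one event stays one line. */
    public static String sanitize(String untrusted) {
        if (untrusted == null) return "null";
        StringBuilder out = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\n') out.append("\\n");
            else if (c == '\r') out.append("\\r");
            else if (c == '\t') out.append("\\t");
            else if (c < 0x20 || c == 0x7F) out.append(String.format("\\x%02X", (int) c));
            else out.append(c);
        }
        if (out.length() > MAX_FIELD) {
            return out.substring(0, MAX_FIELD) + "...[truncated]";
        }
        return out.toString();
    }

    /** One line per event; untrusted fields are quoted and sanitized so a log parser cannot be confused. */
    public static String authFailureLine(String username, String clientIp) {
        return "AUTH_FAILURE user=\"" + sanitize(username) + "\" ip=" + sanitize(clientIp);
    }

    public static void main(String[] args) {
        // Constructed attacker input: tries to append a fake successful admin login on a new line
        String forged = "bob\" ip=10.0.0.1\nAUTH_SUCCESS user=\"admin\" ip=127.0.0.1";
        LOG.warning(authFailureLine(forged, "203.0.113.7"));
        LOG.warning(authFailureLine("alice", "203.0.113.7"));
    }
}
```

The forged line reaches the log as a single `AUTH_FAILURE` record with a literal `\n` inside the quoted username, so the fake `AUTH_SUCCESS` never appears as an entry of its own; the same sanitizer should wrap any untrusted value before it is handed to log4j.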
Bad handling of exceptions [screenshot]
Good housecleaning

SensitiveData sensitiveData = null;   // declared outside the try so that catch and finally can reach it
PrintWriter out = null;
try {
    sensitiveData = new SensitiveData("4242424242424242");
    out = new PrintWriter(new FileWriter("OutFile.txt"));
    // Do stuff....
} catch (IOException e) {
    if (sensitiveData != null) {
        sensitiveData.set("0000000000000000");   // overwrite the card number before anything else
    }
    logger.error("IO exception: " + e.getMessage());
} catch (Exception e) {
    if (sensitiveData != null) {
        sensitiveData.set("0000000000000000");
    }
    logger.error("Error occurred: " + e.getMessage());
} finally {
    if (sensitiveData != null) {
        sensitiveData.set("0000000000000000");   // also on the normal path
    }
    if (out != null) {
        out.close(); // RELEASE RESOURCES
    }
}
Better handling of exception and error

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
</error-page>
Data Protection
Data protection
• Protect sensitive data, don't store it in clear.
• Store sensitive data in trusted systems
• Don't use GET requests for sensitive data.
• Disable client side caching
Disable Client Side caching

package com.sec.dev;   // the package named in the web.xml mapping below

import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;

public class CacheControlFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }   // required by the Filter interface

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");   // a date in the past
        resp.setHeader("Last-Modified", new Date().toString());
        resp.setHeader("Cache-Control",
                       "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
        resp.setHeader("Pragma", "no-cache");                          // for HTTP/1.0 caches
        chain.doFilter(request, response);
    }
}

web.xml :

<filter>
    <filter-name>SetCacheControl</filter-name>
    <filter-class>com.sec.dev.CacheControlFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SetCacheControl</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Access to FileSystem

Absolute Path is bad

Canonicalisation is good
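The two slides above are pictures in the deck, so here is the rule in code as an added example (not the deck's own): a user-supplied file name is resolved inside a fixed base directory and both sides are canonicalised before the containment check, so ".." segments, doubled separators and symlinks are compared on the real location rather than on the text the user typed. Class name, base directory and sample paths are my own.

```java
import java.io.File;
import java.io.IOException;

public final class SafeFileAccess {
    private final File baseDir;   // canonical form of the only directory the application may expose

    public SafeFileAccess(File baseDir) throws IOException {
        this.baseDir = baseDir.getCanonicalFile();
    }

    /** Returns the canonical file for userPath, or throws if it lies outside baseDir. */
    public File resolve(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IOException("invalid file name");   // null bytes are never legitimate here
        }
        File candidate = new File(baseDir, userPath);
        // getCanonicalFile() resolves "..", redundant separators and symbolic links,
        // so the comparison is made on where the path really points.
        File canonical = candidate.getCanonicalFile();
        String prefix = baseDir.getPath() + File.separator;
        if (!canonical.getPath().startsWith(prefix)) {
            // Generic reason only: the rejected path is user input and belongs in the log, not the reply.
            throw new IOException("access outside the allowed directory");
        }
        return canonical;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a scratch directory under the JVM temp dir plays the document root.
        File base = new File(System.getProperty("java.io.tmpdir"), "secdemo-docs");
        base.mkdirs();
        SafeFileAccess access = new SafeFileAccess(base);

        System.out.println("accepted: " + access.resolve("reports/2013/june.txt"));
        try {
            access.resolve("../../../outside.txt");   // canonical path leaves baseDir
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```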
Secure Communications

Secure Communications
• Use TLS/SSL :
– at least SSL v3.0/TLS 1.0
– minimum of 128-bit encryption
– use secure crypto : AES is good
• Don't expose critical data in the URL
• Failed SSL/TLS communications should not fall back to insecure
• Validate the certificate when used
• Protect all pages, not just the logon page !
Force TLS/SSL Response
• Use HTTP Strict Transport Security (HSTS).
– Available on some browsers (not IE)
– IETF draft : http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-04

HttpServletResponse response = ...;
response.setHeader("Strict-Transport-Security", "max-age=7776000; includeSubdomains");
Configuration
• Review all properties and configuration files
• Be careful of default passwords...
• Remove, and not just de-activate, unused functions/modules
• Use a sandbox system when available :
Be careful of Java signed code that executes with more privileges !

Now you can protect against him
NEWS
A BLOG
A PODCAST
MEMBERSHIPS
MAILING LISTS
A NEWSLETTER
APPLE APP STORE
VIDEO TUTORIALS
TRAINING SESSIONS
SOCIAL NETWORKING
We are also human beings, and we can simply go and have a drink.
Dates
• AppSec Research Europe 2013 : 20/23 August – Hamburg – Germany
• October 2013 : OSSIR PARIS
– OWASP Top10 2013; what's new ?
• OWASP Benelux : 28/29 November 2013
A tour of the JUGs is planned in France, if you know one nearby...
Supporting OWASP
• Different options :
– Individual member : 50 $
– Corporate member : 5000 $
– Free donation
• Supporting only the France chapter :
– Single Meeting supporter
• Offer us a meeting room !
• Take part with a talk or something else !
• Simple donation
– Local Chapter supporter :
• 500 $ to 2000 $
Next meetings
• September 2013
– Room : Mozilla Center Paris
– Speakers :
• Security on Firefox OS
• To be defined
• November 2013
– Room : to be defined
– Speaker : to be defined
September looks wonderful, with plenty of announcements of all kinds....
License
If you have followed everything, you know the next slide....
@SPoint
sebastien.gioria@owasp.org

Secure Coding for Java - An Introduction

  • 1.
    Secure  Coding  for  Java  (an  introduc3on) Java  User  Group  Poitou-­‐Charentes  (Niort) 27  Juin  2013 Sébas3en  Gioria Sebas0en.Gioria@owasp.org Chapter  Leader  OWASP  France Friday, June 28, 13
  • 2.
    http://www.google.fr/#q=sebastien gioria ‣OWASP FranceLeader & Founder & Evangelist ‣Innovation & Technology @ Advens Twitter :@SPoint / @OWASP_France 2 ‣Application Security group leader for the CLUSIF ‣Proud father of youngs kids trying to hack my digital life. Ne  vous  inquietez  pas  c’est  le  seul  slide  en  anglais,  par  contre  il  y  aura  des  trucs  d’écrits  partout  en  bas... Friday, June 28, 13
  • 3.
    ForeWords • This  is  a  presenta,on  made  from  my  own   experience  with  some  company  using   OWASP  materials. • Only  the  documents  from  OWASP  wiki  are   OWASP  officials  (see  hEps://www.owasp.org) • Some  extracts  come  from  document  I  wrote   as  OWASP  leader,  this  is  why  you  could  find  it   elsewhere. 5 Friday, June 28, 13
  • 4.
    • Applica,on  Security  : –where  we  are  (no  bullshit) –where  we  are  (hopefully)   going  ? • Using  OWASP  materials  to   secure  code • Secure  Coding  principles Agenda Friday, June 28, 13
  • 5.
  • 6.
    Why  Applica0on  Security  ? 6 Friday, June 28, 13
  • 7.
    Why  Applica0on  Security  ? 6 Your Application been Hacked Friday, June 28, 13
  • 8.
    Why  Applica0on  Security  ? 6 Your Application been Hacked YES Friday, June 28, 13
  • 9.
    Why  Applica0on  Security  ? 6 Your Application been Hacked NO YES Friday, June 28, 13
  • 10.
    Why  Applica0on  Security  ? 6 Your Application will be Hacked ;) Your Application been Hacked NO YES Friday, June 28, 13
  • 11.
    Why  Applica0on  Security  ? 6 Your Application will be Hacked ;) Your Application been Hacked YES NO YES Friday, June 28, 13
  • 12.
    Why  Applica0on  Security  ? 6 Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
  • 13.
    Why  Applica0on  Security  ? 6 Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
  • 14.
    Why  Applica0on  Security  ? 6 My Application will be hacked ! Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Friday, June 28, 13
  • 15.
    Why  Applica0on  Security  ? 6 My Application will be hacked ! Let Me take you on the right way Your Application will be Hacked ;) Your Application been Hacked YES NO NO YES Next Step Friday, June 28, 13
  • 16.
    We  are  living  in  a  Digital  environment,  in  a  Connected  World vMost  of  websites  vulnerable  to  aTacks vImportant   %  of  web-­‐based   Business  (Services,  Online   Store,  Self-­‐care,  Telcos,   SCADA,  ...) Why  Applica0on  Security  ?   Age  of  An0virus Age  of   Network  Security Age  of   Applica0on  Security 7 Friday, June 28, 13
  • 17.
    Consequences  of  bad  or  no  security –IdenPty  theQ –Hardware  theQ –IT  downPme   –Bad  Media  coverage –Financials  loss –Customers  loss –Legals/business  penalty   8 Friday, June 28, 13
  • 18.
    What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 19.
    What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 20.
    What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 21.
    What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 22.
    What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 23.
    What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 24.
    What  Verizon  (PCI-­‐DSS  company)   said  ? ©  Verizon  2012 9 Friday, June 28, 13
  • 25.
    ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 26.
    ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 27.
    ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 28.
    ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 29.
    ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 30.
    ©  Verizon  2012 Verizon  Study 10 Friday, June 28, 13
  • 31.
    Verizon  study   11 ©  Verizon  2012 Friday, June 28, 13
  • 32.
    Verizon  study   11 ©  Verizon  2012 Friday, June 28, 13
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
    What  you  CIO  Said  :  I  got  a  Firewall  !   27 Friday, June 28, 13
  • 38.
    What  your  business  user  said  :  I   have  SSL  based  Web  Site 28 Friday, June 28, 13
  • 39.
    What  your  business  user  said  :  only  the   hacker  can  aMack  my  website • Tools  are  more  and   more  simples. • Try  a  simple  request   on  google  website  on   SQL  InjecPon  and   look  at  it. • An  aEack  on  a  Web   Server  cost  100$/ 200$  per  day  on  the   underground  market. 29 Friday, June 28, 13
  • 40.
    What  your  user  said  :  a  vulnerability  on   internal  ApplicaPon  is  not  criPcal. • No,  The  web  is  anywhere,  and  CSRF,  HTML5  CORS   and  more  can  make  this  complete  destrucPve • Be  aware  and  share  this  :   • AJAX  doing  a  lot  of  things  without  you • Be  aware  and  share  this  :   •  HTML5  will  come  with  “nice”  user  funcPonality  ,  but  with   big  impact  on  security  (WebSocket,  CORS,  ...) 30 Friday, June 28, 13
  • 41.
    But  I  do  Security  tesPng  !   17 Security  Tes3ng Coding Friday, June 28, 13
  • 42.
    Majors OWASP publications youcan use All are on the wiki https://www.owasp.org All are under GPL or friendly licenses Majors publications you can use to secure your projects/SDLC Building Guide Code Review Guide Testing Guide Application Security Desk Reference (ASDR) Top10 reference this 3 guides Ø OWASP Top10 Ø Auditor/Testing Guide Ø Code Review Guide Ø Building Guide Ø Application Security Verification Standard (ASVS) Ø Secure Coding Practices 12 Friday, June 28, 13
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
    OWASP  Applica,on  Security  Verifica,on  Standard 20 Friday, June 28, 13
  • 57.
    What  is  ASVS  ? • A  standard  that  provides  a  basis  for  the   verificaPon  of  web  applicaPons  applicaPon-­‐ independent. • A  standard  life-­‐cycle  model  independent. • A  standard  that  define  requirements  that  can  be   applied  across  applicaPons  without  special   interpretaPon. 43 Friday, June 28, 13
  • 58.
    What  are  ASVS  responses  ? • How  much  trust  can  be  placed  in  a  web   applicaPon? • What  features  should  be  built  into  security   controls? • How  do  I  acquire  a  web  applicaPon  that  is   verified  to  have  a  certain  range  in  coverage   and  level  of  rigor? Friday, June 28, 13
  • 59.
    ASVS  secure  controls   requirements Security Area Level 1A Level 1B Level 2A Level 2B Level 3 Level 4 V1 – Security Architecture Verification Requirements 1 1 2 2 4 5 V2 – Authentication Verification Requirements 3 2 9 13 13 14 V3 – Session Management Verification Requirements 4 1 6 7 8 9 V4 – Access Control Verification Requirements 5 1 12 13 14 15 V5 – Input Validation Verification Requirements 3 1 5 7 8 9 V6 – Output Encoding/Escaping Verification Requirements 0 1 2 8 9 10 V7 – Cryptography Verification Requirements 0 0 2 8 9 10 V8 – Error Handling and Logging Verification Requirements 1 1 2 8 8 9 V9 – Data Protection Verification Requirements 1 1 2 3 4 4 V10 – Communication Security Verification Requirements 1 0 3 6 8 8 V11 – HTTP Security Verification Requirements 3 3 6 6 7 7 V12 – Security Configuration Verification Requirements 0 0 0 2 3 4 V13 – Malicious Code Search Verification Requirements 0 0 0 0 0 5 V14 – Internal Security Verification Requirements 0 0 0 0 1 3 Totals 22 12 51 83 96 112 23 Friday, June 28, 13
  • 60.
    But  ASVS  stand  for  VerificaPon  ? • ASVS  just  said  funcPonals  needs  for  controls.   • You  should  use  it  as  a  Secure  Coding  Policy. ★Don’t  be  medium(ASVS  Level1/2),  just   target  excellence  (ASVS  Level  4) 24 Friday, June 28, 13
  • 61.
    Using  ASVS  as  a  secure  coding   policy • ASVS  :  Verify  that  all  password  fields  do  not   echo  the  user’s  password  when  it  is  entered. ➡All  Password  fields  must  be  define  as  HTML   password  fields  and  must  not  echo  user  password.   ➡All  login  forms  must  include  autocomplete=off  tag   • ASVS  :  Verify  that  all  input  validaPon  is   performed  on  the  server  side.   ➡Performs  all  input  valida,on  on  the  server.   Nothing  in  the  browser 25 Friday, June 28, 13
  • 62.
    Posi,ve  aatude Nega0ve The  tester  shall  search  for  XSS  holes Posi0ve Verify  that  the  applica0on  performs  input  valida0on  and  output  encoding  on   all  user  input See:  hTp://www.owasp.org/index.php/ XSS_(Cross_Site_Scrip0ng)_Preven0on_Cheat_Sheet 56 Friday, June 28, 13
  • 63.
    OWASP  Secure  Coding  Prac3ces 27 Friday, June 28, 13
  • 64.
    OWASP  Secure  Coding  PracPces • Small  document  (only  9  pages) • Could  be  use  as  an  simple  checklist  for  your   policy. • Could  be  use  together  with  ASVS  or  alone. • More  technical  and  deeper  approach  than   ASVS  . • Wrote  and  use  by  Boeing  :) 28 Friday, June 28, 13
  • 65.
    Secure  Coding  PracPces  Contents • Input  ValidaPon • Output  Encoding • AuthenPcaPon  and   Password  Management • Session  Management • Access  Control • Cryptographic  PracPces • Error  Handling  and  Logging • Data  ProtecPon • CommunicaPon  Security • System  ConfiguraPon • Database  Security • File  Management • Memory  Management • General  Coding  PracPces 29 Friday, June 28, 13
  • 66.
    Now  the  torture  room 30 Friday, June 28, 13
  • 67.
    (extracts  from  OWASP  Secure  Coding   Prac0ces/OWASP  CheatSheets  OWASP   ASVS,  ...) Let  talk  Secure  Coding  now 31 Friday, June 28, 13
  • 68.
    Some  secures  principles  to  follow 32 •Deep  defense  of  applica,on  is  mandatory   • Following  less  privileges  is  the  best  soluPon • Segregate  duty  more  that  user  think ➡Remember  that  applica,on  need  to  answer   user  needs  and  not  security  pleasure. Friday, June 28, 13
  • 69.
    Deep  defense  of  a  Web  Applica0on  (example) 70 Fi re w all Applica0onWeb  Apps SGBDApp ServerWeb Server Browser User auth Input Validation Secure configuration Good crash mecanisms • Critical data transport protection • Preventing session and ID theft Critical data protections Logs/Audit of transactions Authorisation and authentication Authorisation and authentication Critical data protectionsPreventing parameters thefts Friday, June 28, 13
  • 70.
    Fail  securely • Don’t  give  user  technical  details  of  the  error/crash. • Clean  state  or  use  objects  in  catch  clause 34 Friday, June 28, 13
  • 71.
    Fail  securely • Don’t  give  user  technical  details  of  the  error/crash. • Clean  state  or  use  objects  in  catch  clause 34 Friday, June 28, 13
  • 72.
    Don’t  try  to  make  obscure  things 72 Friday, June 28, 13
  • 73.
    Don’t  try  to  make  obscure  things 72 GEOPORTAIL Friday, June 28, 13
  • 74.
    Don’t  try  to  make  obscure  things 72 Friday, June 28, 13
  • 75.
    Don’t  try  to  make  obscure  things 72 GOOGLE MAPS Friday, June 28, 13
  • 76.
    • ObfuscaPon  is  not  the  soluPon • There  is  someone  in  the  matrix  who  will  send  you   evil  data • Be  evil  !   • Protect  area  with  filter  is  the  best  soluPon 36 Friday, June 28, 13
  • 77.
    Controls • Controls  need  : –to  be  simple –to  be  used  correctly –funcPonal –present  in  every  part  of  the  applicaPon 74 Bad understanding of a control result of unused it by developers and application will be vulnerable. Friday, June 28, 13
  • 78.
    Minimals  controls  to  have • You  must  have  at  least  this  components  in   your  applicaPon  :   –AuthenPcaPon –AuthorizaPon –Logging  and  audit –Secure  Storage –Secure  transport –Secure  input  and  output  manipulaPon  of  data 75 Friday, June 28, 13
  • 79.
  • 80.
    Implement  good  passwd  strategy • Password  length -­‐ Categorize  applicaPons  :   • Important  :  at  least  6  characters • Cri0cal  :  at  least  8  characters  and  perhaps  mul0-­‐factors   authen0ca0on • High  Cri0cal  :  at  least  14  characters  and  mul0-­‐factors   authen0ca0on • Password  strength -­‐ Implement  passwd  complexity  with  previous  categories • at  least  :  1  upper,  1  lower,  1  digit,  1  special • don’t  allow  dic0onnary  passwd • don’t  allow  con0nuous  characters 40 Friday, June 28, 13
  • 81.
    Implement  good  passwd  strategy •Let  the  user  choose  it •Force  the  user  to  change  it  regulary,  and  add  no   reuse  capability. •Don’t  allow  too  much  “I  forgot  my  passwd” •Don’t  allow  change  of  passwd  without  user   approval;  require  actual  passwd  from  the  user  and   more  for  high  cri0cal. •Add  sleep  strategy  ! •Add  detec3on  of  misuse  strategy  ! •Don’t  store  passwd  in  clear  !!!!!  use  hash  ! 41 Friday, June 28, 13
  • 82.
    MulP-­‐Factor  authenPcaPon •Passwds  are  bad •Passwds  are  guessable •MulP-­‐factor  combine:   –something  you  have  (token,  mobile,  ...) –something  you  know  (details  about  you,  passwd,  ...) –somePme,  something  you  are  (biometrics) –Use  it  for  high  criPcal  applicaPons. 42 Friday, June 28, 13
  • 83.
    Implement  good  global  strategy • Ask  second  authenPcaPon  for  criPcal   transacPons  (with  mulP-­‐factor  auth...) • Force  authenPcaPon  to  be  in  TLS/SSL • Regenerate  Session  ID  aQer  authenPcaPon • Force  Session  ID  to  be  “secure” • LimiPng  forgoEen  passwd,change  of  login/ passwd     43 Friday, June 28, 13
  • 84.
    How  to  do  ?   • Authen0cate  all  pages  but  not  public  pages  (login,   logout,  help,  ....) • Don’t  allow  more  than  one  authen0ca0on   mecanism • Authen3cate  on  the  SERVER • Simply  send  back  “user  or  passwd  mismatch”  and     nothing  else  aker  a  failed  authen0ca0on. • Logged  all  failed  and  all  correct  authen0ca0on • Aker  each  authen0ca0on  give  the  user  the  last   status  of  his  authen0ca0on.   44 Friday, June 28, 13
  • 85.
    • Good  Regex  for  a  passwd  complexity  :   • Good  Storage  of    password  with  SALT 45 (?=^.{8,30}$)(?=.*d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$ import java.security.MessageDigest; public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8")); } Friday, June 28, 13
  • 86.
  • 87.
    Session   • Use  Default  Java  Framework  Generator • Use  other  name  than  the  default  name  of  the   Framework  (rename  JSESSIONID...) • Force  transport  of  ID  authenPcaPon  on  SSL/TLS. • Don’t  allow  Session  ID  in  URL  ! • If  using  cookie  :   – Secure  Cookie – HTTPOnly  Cookie   – LimiPng  path  +  domain – Max  Age  and  expiraPon 47 Friday, June 28, 13
  • 88.
    Session  tricky • AutomaPc  expiraPon –categorize  applicaPons  : • default  :  1  hour • cri0cal  (some  transac0on)  :  20mns • high  cri0cal  (financials  or  account  impact)  :  5mns   • Renew  Session  ID  aQer  any  privilege  change • Don’t  allow  simultaneous  logon   • Add  Session  AEack  DetecPon • add  in-­‐session  0ps  :  ip  of  session,  other  random  number,  ... 48 Friday, June 28, 13
  • 89.
    Browser  defenses • Bind  JavaScript  events  to  close  session   –on  window.close() –on  window.stop() –on  window.blur() –on  window.home() • Use  Javascripts  Pmer  to  automaPc  close  session   in  high  criPcal  applicaPons • Disable  WebBrowser  Cross-­‐tab  Session  if   possible...(bad  user  experiences....) –If  you  use  cookie,  this  is  not  possible    !!!! 49 Friday, June 28, 13
  • 90.
    50 <session-­‐config>    <cookie-­‐config>        <http-­‐only>true</http-­‐only>        <secure>true</secure>    </cookie-­‐config> </session-­‐config> Using  Servlet  3.0  ? Friday, June 28, 13
  • 91.
  • 92.
  • 93.
    Remember (1)Without  access  control,  you  can’t  control   the  user  in  your  applica,on Friday, June 28, 13
  • 94.
    Remember (1)Without  access  control,  you  can’t  control   the  user  in  your  applica,on (2)All  client  inputs  are  EVIL Friday, June 28, 13
  • 95.
    Authen0ca0on  &  Authoriza0on •Two  Levels  of  authenPcaPon  and  authorizaPon   are  needed –In  the  ApplicaPon –In  infrastructure Table  A Table  B Connexion Table A + duty A Role  A Role  B SGBDApp Server Connexion Table B + Duty B Friday, June 28, 13
  • 96.
    AuthorizaPon • Have  in  mind  the  rule  :   –Nothing    by  default • Centralize  all  authorizaPon  code  on  the  SERVER • If  client  state  are  mandatory,  use  encrypPon  and   integrity  checking  on  the  server  side  to  catch   state  tampering.   • Limit  number  of  transacPons  per  user  at  a  interval   Pme. 54 Friday, June 28, 13
  • 97.
    AuthorizaPon • Enforce  : –protec0on  of  URL  to  authorized  account  only – protec0on  of  func0on  to  authorized  account  only – protec0on  of  file  access  to  authorized  account  only • Applica0on  need  to  terminate  session  when  authoriza0on   failed. • Split  administra0ve  and  user  authoriza0on • Enforce  dormant  account  : – loss  privileges. – “disable  account” – alerts 55 Friday, June 28, 13
  • 98.
  • 99.
    Input  ValidaPon • Ensure  all  data  validaPon  are  done  on  THE  SERVER. –If  you  do  something  on  client  side  we  can  said  you  do   “painPng” • Classify  your  data  : –Trusted  Data   –Untrusted  Data • Conduct  trusted  path. • Centralize  your  data  validaPon • Use  correct  parametrize  query  when  exists  (SQL) 57 Friday, June 28, 13
  • 100.
    Border  validaPon • Consider  validaPng  data  along  all  the  entry  points   of  your  ApplicaPon  border 58 Friday, June 28, 13
  • 101.
    Input  ValidaPon • Use  proper  characters  set  for  all  input • Encode  all  data  to  the  same  character  set  before   doing  anything  <=>Canonicalize • Reject  all  not  validated  datas • Validate  data    : –expected  type  (convert  as  soon  as  possible  to  Java  Types) –expected  range –expected  length –expected  values –expected  “white  list”  if  possible 59 Friday, June 28, 13
  • 102.
    Input  ValidaPon • Be  careful  of  using  “hazardous”  characters  (ex:  <>’,”! (+)&  %.) • Add  specific  validaPon  : –check  for  null  bytes  (%00) –check  for  new  lines  (%0D,  %0A,  n,  r,  ...) –check  for  dot-­‐dot-­‐slashes  (../)   60 Friday, June 28, 13
  • 103.
    Be  careful  of  encoding  for  specific   valida0on... URL %3c%73%63%72%69%70%74%3e%61%6c %65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e %0a HTML &#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x7 2;&#x74;&#x28;&#x58;&#x53;&#x53;&#x29;&#x3b;&#x3c;&#x2f;&#x73;&#x63;&#x 72;&#x69;&#x70;&#x74;&#x3e;&#x0a; UTF-8 %u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c %uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c %u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003 One space ? < s c r i p t > a l e r t ( X S S ) ; < / s c r i p t > <script>alert(XSS);</script> Friday, June 28, 13
  • 104.
  • 105.
  • 106.
  • 107.
  • 108.
    SQL  =>  a  liEle  bit  beEer 126 Friday, June 28, 13
  • 109.
    List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 Friday, June 28, 13
  • 110.
    List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 Friday, June 28, 13
  • 111.
    List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 /*  positional  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  ?1"); List  results  =  jpqlQuery.setParameter(1,  "123-­‐ADB-­‐567-­‐QTWYTFDL").getResultList(); Friday, June 28, 13
  • 112.
    List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 /*  positional  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  ?1"); List  results  =  jpqlQuery.setParameter(1,  "123-­‐ADB-­‐567-­‐QTWYTFDL").getResultList(); /*  named  query  in  JPQL  -­‐  Query  named  "myCart"  being  "Select  c  from  Cart  c  where  c.itemId  =  :itemId"  */ Query  jpqlQuery  =  entityManager.createNamedQuery("myCart"); List  results  =  jpqlQuery.setParameter("itemId",  "item-­‐id-­‐0001").getResultList(); Friday, June 28, 13
  • 113.
    List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 /*  positional  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  ?1"); List  results  =  jpqlQuery.setParameter(1,  "123-­‐ADB-­‐567-­‐QTWYTFDL").getResultList(); /*  named  query  in  JPQL  -­‐  Query  named  "myCart"  being  "Select  c  from  Cart  c  where  c.itemId  =  :itemId"  */ Query  jpqlQuery  =  entityManager.createNamedQuery("myCart"); List  results  =  jpqlQuery.setParameter("itemId",  "item-­‐id-­‐0001").getResultList(); /*  named  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  emp  from  Employees  emp  where  emp.incentive  >  :incentive"); List  results  =  jpqlQuery.setParameter("incentive",  new  Long(10000)).getResultList(); Friday, June 28, 13
  • 114.
    List  results  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  "  +  orderId).getResultList(); List  results  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  "  +  author).getResultList(); int  resultCode  =  entityManager.createNativeQuery("Delete  from  Cart  where  itemId  =  "  +  itemId).executeUpdate(); JPA/EnPty   65 /*  positional  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  order  from  Orders  order  where  order.id  =  ?1"); List  results  =  jpqlQuery.setParameter(1,  "123-­‐ADB-­‐567-­‐QTWYTFDL").getResultList(); /*  Native  SQL  */ Query  sqlQuery  =  entityManager.createNativeQuery("Select  *  from  Books  where  author  =  ?",  Book.class); List  results  =  sqlQuery.setParameter(1,  "Charles  Dickens").getResultList(); /*  named  query  in  JPQL  -­‐  Query  named  "myCart"  being  "Select  c  from  Cart  c  where  c.itemId  =  :itemId"  */ Query  jpqlQuery  =  entityManager.createNamedQuery("myCart"); List  results  =  jpqlQuery.setParameter("itemId",  "item-­‐id-­‐0001").getResultList(); /*  named  parameter  in  JPQL  */ Query  jpqlQuery  =  entityManager.createQuery("Select  emp  from  Employees  emp  where  emp.incentive  >  :incentive"); List  results  =  jpqlQuery.setParameter("incentive",  new  Long(10000)).getResultList(); Friday, June 28, 13
  • 115.
  • 116.
  • 117.
    XML  =>  ValidaPng  via  regexp/white   list 128 Friday, June 28, 13
  • 118.
    BeEer,  a  XML  schema <xs:schema  xmlns:xs="hTp://www.w3.org/2001/XMLSchema">   <xs:element  name="item">     <xs:complexType>       <xs:sequence>         <xs:element  name="descrip0on"  type="xs:string"/>         <xs:element  name="price"  type="xs:decimal"/>         <xs:element  name="quan0ty"  type="xs:integer"/>       </xs:sequence>     </xs:complexType>  </xs:element>   </xs:schema>   Friday, June 28, 13
  • 119.
    XML  =>  XML  Parser  validaPon Friday, June 28, 13
  • 120.
  • 121.
  • 122.
  • 123.
  • 124.
  • 125.
    Output  encoding • It’s  a  Defense  in  depth  mechanism • Encode  ON  THE  SERVER • Centralize  the  encoder  funcPons • SaniPze  all  data  send  to  the  client   –HTMLEncode  is  a  minimum  but  did  not  work  on  all   cases 74 Friday, June 28, 13
  • 126.
    Essai  1  =>  bad 137 Friday, June 28, 13
  • 127.
    Essai  1  =>  bad 137 Friday, June 28, 13
  • 128.
    Essai  2  =>  it’s  bad,  but  beTer  than   nothing 138 Friday, June 28, 13
  • 129.
    Essai  2  =>  it’s  bad,  but  beTer  than   nothing 138 Friday, June 28, 13
  • 130.
    A  good  soluPon  with  a  robust   SaniPzer  :) 139 Friday, June 28, 13
  • 131.
  • 132.
    Error  Handling Your  Applica3on  will  crash  ! • Catch  all  excep0ons  without  excep0on  (remember  the  null  pointer   excep0on  !) – Clean  all  excep0on  code  of  sensi0ve  datas – Don’t  give  user  any  details  about  crash,  just  said  “It’s  a  crash,  try  again  later” • Logs  are  sensi0ve,  you  MUST  PROTECT  THEM • Log  :   – input  valida0on  failures – authen0ca0on  request;  especially  failures – access  control  failures – systems  excep0ons – administra0ve  func0onality – crypto  failures – invalid/expired  session  token  access 79 Friday, June 28, 13
  • 133.
    Logging/Errors
    • Split your logs into categories, for example:
      – Access
      – Error
      – Debug
      – Audit
    • Use log4j for standard logging
  • 134.
    Log4J Example

    package com.sec.dev;

    // Import log4j classes.
    import org.apache.log4j.Logger;
    import org.apache.log4j.Level;
    import org.apache.log4j.BasicConfigurator;

    public class SecLogger {
        // Define a static logger variable so that it references the
        // Logger instance named after this class.
        static Logger logger = Logger.getLogger(SecLogger.class);

        // Minimal collaborator so the example compiles on its own.
        static class Bar {
            void doIt() {
                logger.debug("Bar.doIt() called.");
            }
        }

        public static void main(String[] args) {
            // Set up a simple configuration that logs on the console.
            BasicConfigurator.configure();
            logger.setLevel(Level.DEBUG); // optional if log4j.properties file not used
            // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL
            logger.info("Entering application.");
            Bar bar = new Bar();
            bar.doIt();
            logger.info("Exiting application.");
        }
    }
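The two previous slides give the policy (generic message to the user, details in a protected log, logs split by category) and the log4j basics. The following class is an added example that is not from the slides, tying the two together: separate loggers for access, error and audit events, a catch-all reporter that hands the user only a generic message plus a reference id, and a small helper that keeps user-controlled values from breaking a log line. The class name and the category names are assumptions; log4j 1.x is used because it is the library the slides use.

```java
package com.sec.dev;

import java.io.IOException;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;

/*
 * Added example (not from the original slides): the "Error Handling" and
 * "Logging/Errors" policy in one class. Loggers are split by category; the
 * user gets a generic message and a reference id; the details stay in the
 * server-side log. Class and category names are assumptions.
 */
public class ErrorReporter {

    private static final Logger ACCESS = Logger.getLogger("access");
    private static final Logger ERROR  = Logger.getLogger("error");
    private static final Logger AUDIT  = Logger.getLogger("audit");

    // Log lines contain user-controlled values (URI, user name). CR and LF
    // are replaced so that one event always stays on one line.
    static String oneLine(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n]", "_");
    }

    /** Called from a servlet's catch-all: log the details, answer with a generic message. */
    public static void report(Throwable t, HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String ref = UUID.randomUUID().toString();   // lets support find the log entry later
        // The stack trace goes to the error log only, never to the client.
        ERROR.error("ref=" + ref + " uri=" + oneLine(req.getRequestURI())
                    + " user=" + oneLine(req.getRemoteUser()), t);
        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/plain");
        resp.getWriter().println("It's a crash, try again later. Reference: " + ref);
    }

    /** Authentication request that failed: an audit event. */
    public static void authenticationFailure(String user, String remoteAddr) {
        AUDIT.warn("auth-failure user=" + oneLine(user) + " from=" + oneLine(remoteAddr));
    }

    /** Access control decision that denied a resource: an audit event. */
    public static void accessDenied(String user, String resource) {
        AUDIT.warn("access-denied user=" + oneLine(user) + " resource=" + oneLine(resource));
    }

    /** One line per request for the access log. */
    public static void request(String remoteAddr, String uri, int status) {
        ACCESS.info(oneLine(remoteAddr) + " " + oneLine(uri) + " " + status);
    }
}
```

With log4j, the "access", "error" and "audit" logger names can be routed to different appenders and files from log4j.properties, which is how the category split on the slide becomes separate files with separate permissions. The reference id is the only thing the user and the log entry share, so the crash can be investigated without any detail having left the server.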
  • 135.
    Bad handling of Exception
  • 137.
    Good Housecleaning

    SensitiveData sensitiveData = null;   // declared outside the try so catch/finally can reach it
    PrintWriter out = null;
    try {
        sensitiveData = new SensitiveData("4242424242424242");
        out = new PrintWriter(new FileWriter("OutFile.txt"));
        // Do Stuff....
    } catch (IOException e) {
        if (sensitiveData != null) {
            sensitiveData.set("0000000000000000");
        }
        logger.error("IO exception: " + e.getMessage());
    } catch (Exception e) {
        if (sensitiveData != null) {
            sensitiveData.set("0000000000000000");
        }
        logger.error("Error occurred! " + e.getMessage());
    } finally {
        if (sensitiveData != null) {
            sensitiveData.set("0000000000000000"); // overwrite the secret before it goes out of scope
        }
        if (out != null) {
            out.close(); // RELEASE RESOURCES
        }
    }
  • 138.
    Better handling of exception and error

    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error.jsp</location>
    </error-page>
  • 140.
    Data protection
    • Protect sensitive data, don't store it in clear.
    • Store sensitive data in trusted systems
    • Don't use GET requests for sensitive data.
    • Disable client-side caching
  • 141.
    Disable Client Side caching

    import javax.servlet.*;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class CacheControlFilter implements Filter {

        public void init(FilterConfig config) throws ServletException {
        }

        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
            HttpServletResponse resp = (HttpServletResponse) response;
            // A date in the past, so the response is already expired.
            resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");
            // setDateHeader formats the timestamp as an HTTP date (Date.toString() does not).
            resp.setDateHeader("Last-Modified", System.currentTimeMillis());
            resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
            resp.setHeader("Pragma", "no-cache");
            chain.doFilter(request, response);
        }

        public void destroy() {
        }
    }

    web.xml

    <filter>
        <filter-name>SetCacheControl</filter-name>
        <filter-class>com.sec.dev.CacheControlFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SetCacheControl</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
  • 143.
    Absolute Path is bad
  • 148.
    Secure Communications
    • Use TLS/SSL:
      – at least SSL v3.0/TLS 1.0
      – minimum of 128-bit encryption
      – use secure crypto: AES is good
    • Don't expose critical data in the URL
    • Failed SSL/TLS communications should not fall back to insecure
    • Validate the certificate when used
    • Protect all pages, not just the logon page!
  • 149.
    Force TLS/SSL Response
    • Use HTTP Strict Transport Security (HSTS).
      – Available on some browsers (not IE)
      – IETF draft: http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-04

    HttpServletResponse response = ...;
    response.setHeader("Strict-Transport-Security", "max-age=7776000; includeSubdomains");
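The header line above is the whole of HSTS from the server's side, but two of the previous slide's rules decide where it goes: "protect all pages" and "do not fall back to insecure". The filter below is an added example, not from the slides, that applies both: a request that arrived over plain HTTP is redirected to the same URL over HTTPS, and the HSTS header is only set on responses that actually travelled over TLS, because browsers ignore the header when it arrives over HTTP. The class name and the mapping are assumptions; the max-age is the slide's value.

```java
package com.sec.dev;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (not from the original slides): enforce TLS on every page
 * and send HSTS only over TLS. Class name and mapping are assumptions; the
 * max-age (90 days) is the value used on the slide.
 */
public class ForceTlsFilter implements Filter {

    private static final String HSTS_VALUE = "max-age=7776000; includeSubdomains";

    public void init(FilterConfig cfg) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        if (!req.isSecure()) {
            // Plain HTTP: rebuild the same URL with the https scheme and stop here,
            // so no page is ever served without TLS.
            StringBuffer url = req.getRequestURL();            // scheme://host[:port]/path
            String https = "https://" + url.substring(url.indexOf("://") + 3);
            if (req.getQueryString() != null) {
                https += "?" + req.getQueryString();
            }
            resp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            resp.setHeader("Location", https);
            return;
        }

        // TLS request: the browser will honour HSTS received here.
        resp.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Map it to /* in web.xml exactly like the cache control filter earlier in the deck. The redirect keeps the host and port from the original request, so a container that listens on a non-default HTTPS port needs the port rewritten as well. Note that the query string is carried into the redirect, which is one more reason for the rule "don't expose critical data in the URL".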
  • 150.
    Configuration
    • Review all properties and configuration files
    • Be careful of default passwords...
    • Remove, and not just de-activate, unused functions/modules
    • Use a sandbox system when available:
      Be careful of Java signed code, which executes with more privileges!
  • 151.
    Now you can protect against him
  • 152.
    OWASP offers:
    • News
    • A blog
    • A podcast
    • Memberships
    • Mailing lists
    • A newsletter
    • Apple App Store
    • Video tutorials
    • Training sessions
    • Social networking
    We are human too, and can simply go for a drink.
  • 153.
    Dates
    • AppSec Research Europe 2013: 20-23 August, Hamburg, Germany
    • October 2013: OSSIR PARIS
      – OWASP Top 10 2013: what's new?
    • OWASP Benelux: 28/29 November 2013
    A tour of the JUGs in France is planned; if you know one nearby...
  • 154.
    Supporting OWASP
    • Several options:
      – Individual member: $50
      – Corporate member: $5000
      – Free donation
    • Supporting only the France chapter:
      – Single meeting supporter
        • Offer us a meeting room!
        • Take part with a talk or otherwise!
        • Simple donation
      – Local chapter supporter:
        • $500 to $2000
  • 155.
    Next meetings
    • September 2013
      – Venue: Mozilla Center Paris
      – Speakers:
        • Security on Firefox OS
        • To be defined
    • November 2013
      – Venue: to be defined
      – Speaker: to be defined
    September looks wonderful, with announcements of all kinds....
  • 156.
    License
    If you followed everything, you know the next slide....
    @SPoint
    sebastien.gioria@owasp.org