Download - Secure Coding for Java - An introduction
Secure Coding for Java (an introduc3on)Java User Group Poitou-‐Charentes (Niort)
27 Juin 2013
Sébas3en [email protected] Leader OWASP France
Friday, June 28, 13
http://www.google.fr/#q=sebastien gioria
‣OWASP France Leader & Founder & Evangelist
‣Innovation & Technology @ Advens
Twitter :@SPoint / @OWASP_France
2
‣Application Security group leader for the CLUSIF
‣Proud father of youngs kids trying to hack my digital life.
Ne vous inquietez pas c’est le seul slide en anglais, par contre il y aura des trucs d’écrits partout en bas...
Friday, June 28, 13
ForeWords
• This is a presenta,on made from my own experience with some company using OWASP materials.
• Only the documents from OWASP wiki are OWASP officials (see hEps://www.owasp.org)
• Some extracts come from document I wrote as OWASP leader, this is why you could find it elsewhere.
5
Friday, June 28, 13
• Applica,on Security :–where we are (no bullshit)–where we are (hopefully) going ?
• Using OWASP materials to secure code• Secure Coding principles
Agenda
Friday, June 28, 13
Introduc3on
5
Friday, June 28, 13
Why Applica0on Security ?
64
Friday, June 28, 13
Why Applica0on Security ?
64
Your Application
been Hacked
Friday, June 28, 13
Why Applica0on Security ?
64
Your Application
been Hacked YES
Friday, June 28, 13
Why Applica0on Security ?
64
Your Application
been Hacked
NO
YES
Friday, June 28, 13
Why Applica0on Security ?
64
Your Application
will be Hacked ;)
Your Application
been Hacked
NO
YES
Friday, June 28, 13
Why Applica0on Security ?
64
Your Application
will be Hacked ;)
Your Application
been Hacked
YES
NO
YES
Friday, June 28, 13
Why Applica0on Security ?
64
Your Application
will be Hacked ;)
Your Application
been Hacked
YES
NO
NO
YES
Friday, June 28, 13
Why Applica0on Security ?
6
Let Me take you on the right way 4
Your Application
will be Hacked ;)
Your Application
been Hacked
YES
NO
NO
YES
Friday, June 28, 13
Why Applica0on Security ?
6
My Application will be hacked !
Let Me take you on the right way 4
Your Application
will be Hacked ;)
Your Application
been Hacked
YES
NO
NO
YES
Friday, June 28, 13
Why Applica0on Security ?
6
My Application will be hacked !
Let Me take you on the right way 4
Your Application
will be Hacked ;)
Your Application
been Hacked
YES
NO
NO
YES
NextStep
Friday, June 28, 13
We are living in a Digital environment, in a Connected World
vMost of websites vulnerable to aTacks
vImportant % of web-‐based Business (Services, Online Store, Self-‐care, Telcos, SCADA, ...)
Why Applica0on Security ?
Age of An0virus Age of Network Security
Age of Applica0on Security
7
Friday, June 28, 13
Consequences of bad or no security
–IdenPty theQ–Hardware theQ–IT downPme –Bad Media coverage–Financials loss–Customers loss–Legals/business penalty
8
Friday, June 28, 13
What Verizon (PCI-‐DSS company) said ?
© Verizon 2012
9
Friday, June 28, 13
What Verizon (PCI-‐DSS company) said ?
© Verizon 2012
9
Friday, June 28, 13
What Verizon (PCI-‐DSS company) said ?
© Verizon 2012
9
Friday, June 28, 13
What Verizon (PCI-‐DSS company) said ?
© Verizon 2012
9
Friday, June 28, 13
What Verizon (PCI-‐DSS company) said ?
© Verizon 2012
9
Friday, June 28, 13
What Verizon (PCI-‐DSS company) said ?
© Verizon 2012
9
Friday, June 28, 13
What Verizon (PCI-‐DSS company) said ?
© Verizon 2012
9
Friday, June 28, 13
© Verizon 2012
Verizon Study
10
Friday, June 28, 13
© Verizon 2012
Verizon Study
10
Friday, June 28, 13
© Verizon 2012
Verizon Study
10
Friday, June 28, 13
© Verizon 2012
Verizon Study
10
Friday, June 28, 13
© Verizon 2012
Verizon Study
10
Friday, June 28, 13
© Verizon 2012
Verizon Study
10
Friday, June 28, 13
Verizon study
11© Verizon 2012
Friday, June 28, 13
Verizon study
11© Verizon 2012
Friday, June 28, 13
12(c) WhiteHatSecurity 2013
Friday, June 28, 13
12(c) WhiteHatSecurity 2013
Friday, June 28, 13
12(c) WhiteHatSecurity 2013
Friday, June 28, 13
12(c) WhiteHatSecurity 2013
Friday, June 28, 13
What you CIO Said : I got a Firewall !
27
Friday, June 28, 13
What your business user said : I have SSL based Web Site
28
Friday, June 28, 13
What your business user said : only the hacker can aMack my website
• Tools are more and more simples.
• Try a simple request on google website on SQL InjecPon and look at it.
• An aEack on a Web Server cost 100$/200$ per day on the underground market.
29
Friday, June 28, 13
What your user said : a vulnerability on internal ApplicaPon is not criPcal.
• No, The web is anywhere, and CSRF, HTML5 CORS and more can make this complete destrucPve
• Be aware and share this : • AJAX doing a lot of things without you
• Be aware and share this : • HTML5 will come with “nice” user funcPonality , but with big impact on security (WebSocket, CORS, ...)
30
Friday, June 28, 13
But I do Security tesPng !
17
Security Tes3ng
Coding
Friday, June 28, 13
Majors OWASP publications you can use
All are on the wiki https://www.owasp.orgAll are under GPL or friendly licensesMajors publications you can use to secure
your projects/SDLC
Building Guide
Code Review Guide Testing Guide
Application Security Desk Reference (ASDR)
Top10 reference this 3 guides
Ø OWASP Top10Ø Auditor/Testing GuideØ Code Review GuideØ Building GuideØ Application Security Verification
Standard (ASVS)Ø Secure Coding Practices
12
Friday, June 28, 13
Friday, June 28, 13
Learn
Friday, June 28, 13
Learn
Friday, June 28, 13
Learn Contract
Friday, June 28, 13
Learn Contract
Friday, June 28, 13
Learn Contract Design
Friday, June 28, 13
Learn Contract Design
Friday, June 28, 13
Learn Contract Design
Build
Friday, June 28, 13
Learn Contract Design
Build
Friday, June 28, 13
Learn Contract
Test
Design
Build
Friday, June 28, 13
Learn Contract
Test
Design
Build
Friday, June 28, 13
Learn Contract
Test
Design
Build Progress
Friday, June 28, 13
Learn Contract
Test
Design
Build Progress
Friday, June 28, 13
OWASP Applica,on Security Verifica,on Standard
20
Friday, June 28, 13
What is ASVS ?
• A standard that provides a basis for the verificaPon of web applicaPons applicaPon-‐independent.
• A standard life-‐cycle model independent.• A standard that define requirements that can be applied across applicaPons without special interpretaPon. 43
Friday, June 28, 13
What are ASVS responses ?
• How much trust can be placed in a web applicaPon?
•What features should be built into security controls?
• How do I acquire a web applicaPon that is verified to have a certain range in coverage and level of rigor?
Friday, June 28, 13
ASVS secure controls requirements
Security AreaLevel
1A
Level
1B
Level
2A
Level
2BLevel 3 Level 4
V1 – Security Architecture Verification Requirements 1 1 2 2 4 5
V2 – Authentication Verification Requirements 3 2 9 13 13 14
V3 – Session Management Verification Requirements 4 1 6 7 8 9
V4 – Access Control Verification Requirements 5 1 12 13 14 15
V5 – Input Validation Verification Requirements 3 1 5 7 8 9
V6 – Output Encoding/Escaping Verification Requirements 0 1 2 8 9 10
V7 – Cryptography Verification Requirements 0 0 2 8 9 10
V8 – Error Handling and Logging Verification Requirements 1 1 2 8 8 9
V9 – Data Protection Verification Requirements 1 1 2 3 4 4
V10 – Communication Security Verification Requirements 1 0 3 6 8 8
V11 – HTTP Security Verification Requirements 3 3 6 6 7 7
V12 – Security Configuration Verification Requirements 0 0 0 2 3 4
V13 – Malicious Code Search Verification Requirements 0 0 0 0 0 5
V14 – Internal Security Verification Requirements 0 0 0 0 1 3
Totals 22 12 51 83 96 112
23
Friday, June 28, 13
But ASVS stand for VerificaPon ?
• ASVS just said funcPonals needs for controls. • You should use it as a Secure Coding Policy.
★Don’t be medium(ASVS Level1/2), just target excellence (ASVS Level 4)
24
Friday, June 28, 13
Using ASVS as a secure coding policy
• ASVS : Verify that all password fields do not echo the user’s password when it is entered.➡All Password fields must be define as HTML password fields and must not echo user password.
➡All login forms must include autocomplete=off tag
• ASVS : Verify that all input validaPon is performed on the server side. ➡Performs all input valida,on on the server. Nothing in the browser
25
Friday, June 28, 13
Posi,ve aatude
Nega0ve
The tester shall search for XSS holesPosi0ve
Verify that the applica0on performs input valida0on and output encoding on all user input
See: hTp://www.owasp.org/index.php/XSS_(Cross_Site_Scrip0ng)_Preven0on_Cheat_Sheet
56
Friday, June 28, 13
OWASP Secure Coding Prac3ces
27
Friday, June 28, 13
OWASP Secure Coding PracPces
• Small document (only 9 pages)• Could be use as an simple checklist for your policy.
• Could be use together with ASVS or alone.•More technical and deeper approach than ASVS .
•Wrote and use by Boeing :)
28
Friday, June 28, 13
Secure Coding PracPces Contents
• Input ValidaPon• Output Encoding• AuthenPcaPon and Password Management
• Session Management• Access Control• Cryptographic PracPces• Error Handling and Logging
• Data ProtecPon• CommunicaPon Security• System ConfiguraPon• Database Security• File Management• Memory Management• General Coding PracPces
29
Friday, June 28, 13
Now the torture room
30
Friday, June 28, 13
(extracts from OWASP Secure Coding Prac0ces/OWASP CheatSheets OWASP
ASVS, ...)
Let talk Secure Coding now
31
Friday, June 28, 13
Some secures principles to follow
32
•Deep defense of applica,on is mandatory • Following less privileges is the best soluPon• Segregate duty more that user think➡Remember that applica,on need to answer user needs and not security pleasure.
Friday, June 28, 13
Deep defense of a Web Applica0on (example)
70
Firewall
Applica0onWeb Apps
SGBDApp ServerWebServer
Browser
User auth
Input Validation
Secure configuration
Good crash mecanisms
• Critical data transport protection
• Preventing session and ID theft
Critical data protectionsLogs/Audit of transactions
Authorisation and
authentication
Authorisation and authentication
Critical data protectionsPreventing parameters thefts
Friday, June 28, 13
Fail securely
• Don’t give user technical details of the error/crash.• Clean state or use objects in catch clause
34
Friday, June 28, 13
Fail securely
• Don’t give user technical details of the error/crash.• Clean state or use objects in catch clause
34
Friday, June 28, 13
Don’t try to make obscure things
72
Friday, June 28, 13
Don’t try to make obscure things
72
GEOPORTAIL
Friday, June 28, 13
Don’t try to make obscure things
72
Friday, June 28, 13
Don’t try to make obscure things
72
GOOGLE MAPS
Friday, June 28, 13
• ObfuscaPon is not the soluPon• There is someone in the matrix who will send you evil data
• Be evil ! • Protect area with filter is the best soluPon
36
Friday, June 28, 13
Controls
• Controls need :–to be simple–to be used correctly–funcPonal–present in every part of the applicaPon
74
Bad understanding of a control result of unused it by developers and application will be vulnerable.
Friday, June 28, 13
Minimals controls to have
• You must have at least this components in your applicaPon : –AuthenPcaPon–AuthorizaPon–Logging and audit–Secure Storage–Secure transport–Secure input and output manipulaPon of data
75
Friday, June 28, 13
Authen3ca3on
39
Friday, June 28, 13
Implement good passwd strategy
• Password length-‐ Categorize applicaPons :
• Important : at least 6 characters• Cri0cal : at least 8 characters and perhaps mul0-‐factors authen0ca0on
• High Cri0cal : at least 14 characters and mul0-‐factors authen0ca0on
• Password strength-‐ Implement passwd complexity with previous categories
• at least : 1 upper, 1 lower, 1 digit, 1 special• don’t allow dic0onnary passwd• don’t allow con0nuous characters
40
Friday, June 28, 13
Implement good passwd strategy
•Let the user choose it•Force the user to change it regulary, and add no reuse capability.
•Don’t allow too much “I forgot my passwd”•Don’t allow change of passwd without user approval; require actual passwd from the user and more for high cri0cal.
•Add sleep strategy !•Add detec3on of misuse strategy !•Don’t store passwd in clear !!!!! use hash !
41
Friday, June 28, 13
MulP-‐Factor authenPcaPon
•Passwds are bad•Passwds are guessable•MulP-‐factor combine:
–something you have (token, mobile, ...)–something you know (details about you, passwd, ...)–somePme, something you are (biometrics)–Use it for high criPcal applicaPons.
42
Friday, June 28, 13
Implement good global strategy
• Ask second authenPcaPon for criPcal transacPons (with mulP-‐factor auth...)
• Force authenPcaPon to be in TLS/SSL• Regenerate Session ID aQer authenPcaPon• Force Session ID to be “secure”• LimiPng forgoEen passwd,change of login/passwd
43
Friday, June 28, 13
How to do ?
• Authen0cate all pages but not public pages (login, logout, help, ....)
• Don’t allow more than one authen0ca0on mecanism• Authen3cate on the SERVER• Simply send back “user or passwd mismatch” and nothing else aker a failed authen0ca0on.
• Logged all failed and all correct authen0ca0on• Aker each authen0ca0on give the user the last status of his authen0ca0on.
44
Friday, June 28, 13
• Good Regex for a passwd complexity :
• Good Storage of password with SALT
45
(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$
import java.security.MessageDigest;
public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException { MessageDigest digest = MessageDigest.getInstance("SHA-256"); digest.reset(); digest.update(salt); return digest.digest(password.getBytes("UTF-8"));}
Friday, June 28, 13
Session Management
46
Friday, June 28, 13
Session
• Use Default Java Framework Generator• Use other name than the default name of the Framework (rename JSESSIONID...)
• Force transport of ID authenPcaPon on SSL/TLS.• Don’t allow Session ID in URL !• If using cookie :
– Secure Cookie– HTTPOnly Cookie – LimiPng path + domain–Max Age and expiraPon
47
Friday, June 28, 13
Session tricky
• AutomaPc expiraPon–categorize applicaPons :
• default : 1 hour• cri0cal (some transac0on) : 20mns• high cri0cal (financials or account impact) : 5mns
• Renew Session ID aQer any privilege change• Don’t allow simultaneous logon • Add Session AEack DetecPon
• add in-‐session 0ps : ip of session, other random number, ...
48
Friday, June 28, 13
Browser defenses
• Bind JavaScript events to close session –on window.close()–on window.stop()–on window.blur()–on window.home()
• Use Javascripts Pmer to automaPc close session in high criPcal applicaPons
• Disable WebBrowser Cross-‐tab Session if possible...(bad user experiences....)– If you use cookie, this is not possible !!!!
49
Friday, June 28, 13
50
<session-‐config> <cookie-‐config> <http-‐only>true</http-‐only> <secure>true</secure> </cookie-‐config></session-‐config>
Using Servlet 3.0 ?
Friday, June 28, 13
Access Controls
107
Friday, June 28, 13
Remember
Friday, June 28, 13
Remember
(1)Without access control, you can’t control the user in your applica,on
Friday, June 28, 13
Remember
(1)Without access control, you can’t control the user in your applica,on
(2)All client inputs are EVIL
Friday, June 28, 13
Authen0ca0on & Authoriza0on
• Two Levels of authenPcaPon and authorizaPon are needed–In the ApplicaPon–In infrastructure
Table A
Table B
Connexion Table A + duty ARole A
Role B
SGBDApp Server
Connexion Table B + Duty B
Friday, June 28, 13
AuthorizaPon
• Have in mind the rule : –Nothing by default
• Centralize all authorizaPon code on the SERVER• If client state are mandatory, use encrypPon and integrity checking on the server side to catch state tampering.
• Limit number of transacPons per user at a interval Pme.
54
Friday, June 28, 13
AuthorizaPon
• Enforce :– protec0on of URL to authorized account only– protec0on of func0on to authorized account only– protec0on of file access to authorized account only
• Applica0on need to terminate session when authoriza0on failed.
• Split administra0ve and user authoriza0on• Enforce dormant account :
– loss privileges.– “disable account”– alerts
55
Friday, June 28, 13
Valida3on of Data
56
Friday, June 28, 13
Input ValidaPon
• Ensure all data validaPon are done on THE SERVER.–If you do something on client side we can said you do “painPng”
• Classify your data :–Trusted Data –Untrusted Data
• Conduct trusted path.• Centralize your data validaPon• Use correct parametrize query when exists (SQL)
57
Friday, June 28, 13
Border validaPon
• Consider validaPng data along all the entry points of your ApplicaPon border
58
Friday, June 28, 13
Input ValidaPon
• Use proper characters set for all input• Encode all data to the same character set before doing anything <=>Canonicalize
• Reject all not validated datas• Validate data :
–expected type (convert as soon as possible to Java Types)–expected range–expected length–expected values–expected “white list” if possible
59
Friday, June 28, 13
Input ValidaPon
• Be careful of using “hazardous” characters (ex: <>’,”!(+)&\ %.)
• Add specific validaPon :–check for null bytes (%00)–check for new lines (%0D, %0A, \n, \r, ...)–check for dot-‐dot-‐slashes (../)
60
Friday, June 28, 13
Be careful of encoding for specific valida0on...
URL%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e%0a
HTML<script>alert(XSS);</script>

UTF-8%u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c%uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003
One space ?< s c r i p t > a l e r t ( X S S ) ; < / s c r i p t >
<script>alert(XSS);</script>
Friday, June 28, 13
Validate Datas
124
Friday, June 28, 13
SQL => bad
125
Friday, June 28, 13
SQL => bad
125
Friday, June 28, 13
SQL => bad
125
Friday, June 28, 13
SQL => a liEle bit beEer
126
Friday, June 28, 13
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();
JPA/EnPty
65
Friday, June 28, 13
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();
JPA/EnPty
65
Friday, June 28, 13
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();
JPA/EnPty
65
/* positional parameter in JPQL */Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");List results = jpqlQuery.setParameter(1, "123-‐ADB-‐567-‐QTWYTFDL").getResultList();
Friday, June 28, 13
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();
JPA/EnPty
65
/* positional parameter in JPQL */Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");List results = jpqlQuery.setParameter(1, "123-‐ADB-‐567-‐QTWYTFDL").getResultList();
/* named query in JPQL -‐ Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */Query jpqlQuery = entityManager.createNamedQuery("myCart");List results = jpqlQuery.setParameter("itemId", "item-‐id-‐0001").getResultList();
Friday, June 28, 13
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();
JPA/EnPty
65
/* positional parameter in JPQL */Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");List results = jpqlQuery.setParameter(1, "123-‐ADB-‐567-‐QTWYTFDL").getResultList();
/* named query in JPQL -‐ Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */Query jpqlQuery = entityManager.createNamedQuery("myCart");List results = jpqlQuery.setParameter("itemId", "item-‐id-‐0001").getResultList();/* named parameter in JPQL */Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");List results = jpqlQuery.setParameter("incentive", new Long(10000)).getResultList();
Friday, June 28, 13
List results = entityManager.createQuery("Select order from Orders order where order.id = " + orderId).getResultList();List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();
JPA/EnPty
65
/* positional parameter in JPQL */Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");List results = jpqlQuery.setParameter(1, "123-‐ADB-‐567-‐QTWYTFDL").getResultList();
/* Native SQL */Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class);List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList();
/* named query in JPQL -‐ Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */Query jpqlQuery = entityManager.createNamedQuery("myCart");List results = jpqlQuery.setParameter("itemId", "item-‐id-‐0001").getResultList();/* named parameter in JPQL */Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");List results = jpqlQuery.setParameter("incentive", new Long(10000)).getResultList();
Friday, June 28, 13
XML => bad
127
Friday, June 28, 13
XML => bad
127
Friday, June 28, 13
XML => ValidaPng via regexp/white list
128
Friday, June 28, 13
BeEer, a XML schema
<xs:schema xmlns:xs="hTp://www.w3.org/2001/XMLSchema">
<xs:element name="item">
<xs:complexType>
<xs:sequence>
<xs:element name="descrip0on" type="xs:string"/>
<xs:element name="price" type="xs:decimal"/>
<xs:element name="quan0ty" type="xs:integer"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Friday, June 28, 13
XML => XML Parser validaPon
Friday, June 28, 13
LDAP => bad
131
Friday, June 28, 13
LDAP => bad
131
Friday, June 28, 13
LDAP => beEer
132
Friday, June 28, 13
Using OWASP ESAPI
72
Friday, June 28, 13
Output Encoding
73
Friday, June 28, 13
Output encoding
• It’s a Defense in depth mechanism• Encode ON THE SERVER• Centralize the encoder funcPons• SaniPze all data send to the client
–HTMLEncode is a minimum but did not work on all cases
74
Friday, June 28, 13
Essai 1 => bad
137
Friday, June 28, 13
Essai 1 => bad
137
Friday, June 28, 13
Essai 2 => it’s bad, but beTer than nothing
138
Friday, June 28, 13
Essai 2 => it’s bad, but beTer than nothing
138
Friday, June 28, 13
A good soluPon with a robust SaniPzer :)
139
Friday, June 28, 13
Error Logging
78
Friday, June 28, 13
Error Handling
Your Applica3on will crash !• Catch all excep0ons without excep0on (remember the null pointer excep0on !)– Clean all excep0on code of sensi0ve datas– Don’t give user any details about crash, just said “It’s a crash, try again later”
• Logs are sensi0ve, you MUST PROTECT THEM• Log :
– input valida0on failures– authen0ca0on request; especially failures– access control failures– systems excep0ons– administra0ve func0onality– crypto failures– invalid/expired session token access
79
Friday, June 28, 13
Logging/Errors
• Split your logs with categories, examples : –Access–Error–Debug–Audit
• Use log4j for standard logging
80
Friday, June 28, 13
Log4J Example
81
import com.sec.dev;
// Import log4j classes. import org.apache.log4j.Logger; import org.apache.log4j.BasicConfigurator;
public class SecLogger {
// Define a static logger variable so that it references the // Logger instance named "MyApp". static Logger logger = Logger.getLogger(MyApp.class);
public static void main(String[] args) {
// Set up a simple configuration that logs on the console. BasicConfigurator.configure();
logger.setLevel(Level.DEBUG); // optional if log4j.properties file not used // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL
logger.info("Entering application."); Bar bar = new Bar(); bar.doIt(); logger.info("Exiting application."); } }
Friday, June 28, 13
Bad handling of ExcepPon
144
Friday, June 28, 13
Bad handling of ExcepPon
144
Friday, June 28, 13
Good Housecleaning
83
try { SensitiveData sensitiveData = new SensitiveData (“4242424242424242”); out = new PrintWriter(new FileWriter("OutFile.txt")); //Do Stuff….} catch (IOException e) { if ( sensitiveData != null ) {
sensitiveData.set(“0000000000000000”); }
logger.log ("IO exception ", e.getMessage());
} catch (Exception e) { if ( sensitiveData != null ) {
sensitiveData.set(“0000000000000000”); }logger.log ("Error occurred!”, e.getMessage());
} finally { if ( sensitiveData != null ) {
sensitiveData.set(“0000000000000000”); } if (out != null) {
out.close(); // RELEASE RESOURCES } }
Friday, June 28, 13
BeEer handling of excepPon and error
145<error-‐page> <excepPon-‐type>java.lang.Throwable</excepPon-‐type> <locaPon>/error.jsp</locaPon> </error-‐page>
Friday, June 28, 13
Data Protec3on
85
Friday, June 28, 13
Data protecPon
• Protect sensiPve datas, don’t store them in clear.• Store sensiPve datas in trusted systems• Don’t use GET request for sensiPve data.• Disable client site caching
86
Friday, June 28, 13
Disable Client Side caching
87
import javax.servlet.*;import javax.servlet.http.HttpServletResponse;import java.io.IOException;import java.util.Date;
public class CacheControlFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletResponse resp = (HttpServletResponse) response; resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT"); resp.setHeader("Last-‐Modified", new Date().toString()); resp.setHeader("Cache-‐Control", "no-‐store, no-‐cache, must-‐revalidate, max-‐age=0, post-‐check=0, pre-‐check=0"); resp.setHeader("Pragma", "no-‐cache");
chain.doFilter(request, response); }
}
<filter> <filter-‐name>SetCacheControl</filter-‐name> <filter-‐class>com.sec.dev.cacheControlFilter</filter-‐class></filter> <filter-‐mapping> <filter-‐name>SetCacheControl</filter-‐name><url-‐pattern>/*</url-‐pattern></filter-‐mapping>
web.xml
Friday, June 28, 13
Access to FileSystem
88
Friday, June 28, 13
Absolute Path is bad
151
Friday, June 28, 13
Absolute Path is bad
151
Friday, June 28, 13
Absolute Path is bad
151
Friday, June 28, 13
Canonicalisa,on is good
90
Friday, June 28, 13
Secure Communica3ons
91
Friday, June 28, 13
Secure CommunicaPons
• Use TLS/SSL :–at least SSL v3.0/TLS 1.0–minimum of 128bits encrypPon–use secure crypto : AES is good
• Don’t expose criPcal data in the URL• Failed SSL/TLS communicaPons should not fall back to insecure
• Validate cerPficate when used• Protect all page, not just logon page !
92
Friday, June 28, 13
Force TLS/SSL Response
• Use HTTP Strict Transport Security (HSTS).–Available on some browsers (not IE)–draQ IETF : hEp://tools.iew.org/html/draQ-‐iew-‐websec-‐strict-‐transport-‐sec-‐04
93
HttpServletResponse ...;response.setHeader("Strict-‐Transport-‐Security", "max-‐age=7776000; includeSubdomains");
Friday, June 28, 13
ConfiguraPon
94
• Review all properPes, configuraPon files• Be careful of default passwords...• Remove, and not just de-‐acPvate, unused funcPons/modules
• Use sandbox system when available :
Be careful of Java Signed code who execute with more privileges !
Friday, June 28, 13
Now you can protect against him
95
Friday, June 28, 13
NEWS
A BLOG
A PODCAST
MEMBERSHIPS
MAILING LISTS
A NEWSLETTER
APPLE APP STORE
VIDEO TUTORIALS
TRAINING SESSIONS
SOCIAL NETWORKING
96On est aussi des humains, et on peut boire un coup tout simplement
Friday, June 28, 13
Dates
• AppSec Research Europe 2013 : 20/23 Aout – Hambourg – Allemagne
• Octobre 2013 : OSSIR PARIS–OWASP Top10 2013; quoi de neuf ?
• OWASP Benelux : 28/29 Novembre 2013
97Un tour des JUG est prévu en France, si vous en connaissez un dans le coin...
Friday, June 28, 13
Soutenir l’OWASP
• Différentes soluPons : –Membre Individuel : 50 $–Membre Entreprise : 5000 $–DonaPon Libre
• Soutenir uniquement le chapitre France :–Single MeePng supporter
• Nous offrir une salle de mee0ng ! • Par0ciper par un talk ou autre ! • Dona0on simple
–Local Chapter supporter : • 500 $ à 2000 $
98
Friday, June 28, 13
Prochains meePngs
• Septembre 2013 –Salle : Mozilla Center Paris–Speaker :
• Security on Firefox OS• A définir
• Novembre 2013–Salle : a définir–Speaker : a définir
Septembre s’annonce merveilleux avec plein d’annonces en tout genre....
Friday, June 28, 13
License
100Si vous avez tout suivi vous connaissez le prochain slide....
@SPoint
Friday, June 28, 13