securing your grails app - beyond authentication & authorization
DESCRIPTION
Application security is not a concern that we can ignore. Vulnerabilities come from various angles, but it is important to stay aware and vigilant so we can recognize and thwart threats.
TRANSCRIPT
This talk is meant to discuss security issues in the spirit of helping those who build systems make stable, secure web applications.
Happy Path: Easiest thing possible, MVP
No unauthorized access. Hardened. Tested.
Grandma's cat photos, your blog, static content
Banking, health information
Government, big business
Payment systems
$$$ of loss potential (Office Space), loss of consumer confidence
Restore the backup, maybe a few comments lost since last backup, no animals were harmed, Grandma cries for a minute
(but verify)
Non-profit group, naming borrowed, check out their recommendations
#1 issue on the web
"SELECT * FROM accounts WHERE custID='" + params.id + "'"
http://example.com/app/accountView?id='or'1'='1
String hql = """from AccountHolder where username='$username' and password='$password'"""
def row = AccountTransaction.executeQuery(hql)
admin' AND substring(password,0,1)==char(64) AND '1'='1
http://security.stackexchange.com/questions/24265/hql-injection-example
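The HQL on the slide pastes the two parameters straight into the query text, which is what lets the "admin' AND ..." payload change what the query asks. Below is an added example (not the talk's code) showing that vulnerable form next to a parameterized one; it assumes a GORM domain class AccountHolder with username and passwordHash properties and an injected passwordEncoder bean, both of which are assumptions here. A Groovy caveat worth knowing: groovy.sql.Sql turns a GString into a prepared statement with bound parameters, but GORM's executeQuery takes a String, so the GString is coerced to plain text first and no such protection applies.

```groovy
// Added example, not the talk's own code. Assumes a GORM domain class
// AccountHolder (username, passwordHash) and a passwordEncoder bean.
class AccountLookupService {

    def passwordEncoder   // assumed bean, e.g. from the Spring Security plugin

    // VULNERABLE: the values are pasted into the query text. The GString is
    // coerced to a plain String by executeQuery(String), so the automatic
    // parameter binding that groovy.sql.Sql applies to GStrings never happens;
    // the payload from the slide (admin' AND ... AND '1'='1) rewrites the query.
    List vulnerableLookup(String username, String password) {
        String hql = """from AccountHolder where username='$username' and password='$password'"""
        return AccountHolder.executeQuery(hql)
    }

    // HARDENED: a named parameter is bound by Hibernate. Whatever the input
    // contains, it is compared as a value and cannot alter the query structure.
    // The password is never part of a query at all: it is checked against a
    // salted hash in code.
    AccountHolder findByCredentials(String username, String password) {
        AccountHolder holder = AccountHolder.find(
            'from AccountHolder where username = :username',
            [username: username])
        if (holder && passwordEncoder.matches(password, holder.passwordHash)) {
            return holder
        }
        return null
    }
}
```

With the parameterized query, the only thing the slide's payload can do is fail to match any username.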
Or, better, tested sanitization tools
Grails 1.3.7 (pre 1.3.8)
class MyDomainObject { def SpringSecurityService ... }
"cp img.png ./archive/$filename".execute()
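Groovy's String.execute() does not go through a shell, but it does split the string on whitespace, and the file name still becomes a path the command acts on, so a value like "../../etc/passwd" or "-rf" is the problem. The added example below (not the talk's code; the ArchiveService class and its validation rules are assumptions) keeps the slide's cp command but validates the name and uses the list form of execute(), which passes each element as exactly one argument.

```groovy
import java.nio.file.Path
import java.nio.file.Paths

// Added example, not the talk's code. The archive directory and the copy of
// img.png come from the slide; the validation around them is new.
class ArchiveService {

    static final Path ARCHIVE_DIR = Paths.get('./archive').toAbsolutePath().normalize()

    // Accept only a plain file name: no path separators, no leading dash
    // (cp would read "-rf" as an option), no whitespace or control characters.
    // String.execute() splits on whitespace, so a name with a space would
    // otherwise become a second argument.
    static boolean isSafeFileName(String name) {
        return name != null && name ==~ /[A-Za-z0-9][A-Za-z0-9._-]{0,254}/
    }

    // Resolve inside the archive and confirm the normalized result still starts
    // with the archive path, a second line of defence against "../".
    static Path resolveInsideArchive(String name) {
        if (!isSafeFileName(name)) {
            throw new IllegalArgumentException('rejected file name')
        }
        Path target = ARCHIVE_DIR.resolve(name).normalize()
        if (!target.startsWith(ARCHIVE_DIR)) {
            throw new IllegalArgumentException('path escapes archive directory')
        }
        return target
    }

    // The list form of execute() hands each element to the OS as one argument
    // and never involves a shell, so the file name cannot be split or expanded.
    static Process archiveImage(String fileName) {
        Path target = resolveInsideArchive(fileName)
        return ['cp', 'img.png', target.toString()].execute()
    }
}

// Constructed inputs
assert ArchiveService.isSafeFileName('cat.png')
assert !ArchiveService.isSafeFileName('../../etc/passwd')
assert !ArchiveService.isSafeFileName('-rf')
assert !ArchiveService.isSafeFileName('a b.png')
```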
log.info "user benign said ${message}"
http://example.com/thing/action?message=[ERROR] Admin password has expired!! OH CRAP HELP
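The request on the slide works because whatever arrives in the message parameter lands in the log verbatim; with a line break in front of it, the rest reads as a separate log entry. The added example below (not the talk's code; the LogSafe helper is an assumption) neutralizes line breaks and control characters, caps the length, and quotes the value so the boundary of user data is visible. The sample message is constructed from the slide's payload.

```groovy
import java.util.regex.Pattern

// Added example, not the talk's code. A helper that makes untrusted text safe
// to place in a log line.
class LogSafe {

    static final Pattern LINE_BREAKS = ~/[\r\n]+/
    // Unicode control characters plus line and paragraph separators
    static final Pattern CONTROL = ~/[\p{Cc}\p{Zl}\p{Zp}]/

    // Collapse line breaks so the input cannot start a forged second line,
    // replace remaining control characters, and cap the length so one request
    // cannot flood the log.
    static String forLog(String untrusted, int maxLen = 200) {
        if (untrusted == null) return '<null>'
        String cleaned = untrusted.replaceAll(LINE_BREAKS, ' ').replaceAll(CONTROL, '?')
        if (cleaned.length() > maxLen) {
            cleaned = cleaned.substring(0, maxLen) + '...'
        }
        // Quote it so the reader can see where user data starts and ends.
        return '"' + cleaned + '"'
    }
}

// Constructed input: the slide's payload with a CRLF in front of it, which is
// what would be needed to start a new line in the log.
String message = 'hello\r\n[ERROR] Admin password has expired!! OH CRAP HELP'
String line = "user benign said ${LogSafe.forLog(message)}"
assert !line.contains('\n')
assert line == 'user benign said "hello [ERROR] Admin password has expired!! OH CRAP HELP"'
// In the controller this would be: log.info "user benign said ${LogSafe.forLog(message)}"
```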
def transfer(Transfer tfr) {
    Deposit d = new Deposit(amount: tfr.amt)
    d.save()
    Withdrawal w = new Withdrawal(amount: tfr.amt, description: tfr.desc)
    w.save()
}
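The transfer on the slide performs two independent saves, so a failure of the second leaves the first in place and money has been created. The added example below (not the talk's code) puts both writes in one transaction and makes validation failures throw, so the transactional method rolls back. It assumes the Deposit, Withdrawal and Transfer types from the slide; the annotation shown is the one current GORM provides, while older Grails services are transactional by default via "static transactional = true".

```groovy
import grails.gorm.transactions.Transactional

// Added example, not the talk's code. Assumes GORM domain classes Deposit and
// Withdrawal and a Transfer command object with amt and desc, as on the slide.
@Transactional
class TransferService {

    void transfer(Transfer tfr) {
        if (tfr.amt == null || tfr.amt <= 0) {
            throw new IllegalArgumentException('amount must be positive')
        }
        // Debit first, then credit, both inside the same transaction.
        Withdrawal w = new Withdrawal(amount: tfr.amt, description: tfr.desc)
        // failOnError turns a validation failure into a runtime exception, which
        // makes the transactional method roll back everything it did, so a
        // half-finished transfer is never committed.
        w.save(failOnError: true)
        Deposit d = new Deposit(amount: tfr.amt)
        d.save(failOnError: true)
    }
}
```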
http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
Unencrypted transports, account signup, forgot password, password hint exposure, insecure SSO
xkcd.com/936/
reviewText = """Excellent Product</div><iframe src="myadnetwork.com/pwnage.html"/><h1>Injected DOM</h1><div class='review'>Good work"""
view.gsp (codec=none)
<div class='review'>${reviewText}</div>
Default codec = HTML now. Careful when doing your own TagLibs. AntiSamy.
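With the default codec set to HTML, ${reviewText} in a GSP is escaped for you, but inside a TagLib everything written to out is raw, which is the "careful with your own TagLibs" point. The added example below (not the talk's code; ReviewTagLib and the rev namespace are assumptions) renders the slide's review text through a tag that encodes it explicitly. Where users genuinely need rich text, an allow-list filter such as the AntiSamy the slide mentions is the tool, not encoding.

```groovy
// Added example, not the talk's code. A tag library that emits untrusted
// review text safely. In a GSP with the default codec set to HTML
// (grails.views.default.codec = "html" in Config.groovy for Grails 2.x),
// ${reviewText} is already escaped; inside a TagLib the encoding is ours.
class ReviewTagLib {
    static namespace = 'rev'

    // Usage in a GSP:  <rev:review text="${reviewText}"/>
    def review = { attrs ->
        // Encoding turns <iframe src=...> into &lt;iframe src=...&gt;, so the
        // browser shows the review as text instead of building the injected DOM.
        // Writing attrs.text to out directly would reproduce the slide's attack.
        out << "<div class='review'>"
        out << attrs.text.toString().encodeAsHTML()
        out << '</div>'
    }
}
```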
Direct execution
eval(), window.execScript(), function(), setInterval(), setTimeout(), script.src(), iframe.src()
document.write(), document.writeln(), elem.innerHTML = danger, elem.outerHTML = danger, elem.setAttribute("dangerous attribute", danger)
Cookies in some browsers, LocalStorage, reverse JavaScript shells, stacked, more...
https://example.com/account/123
https://example.com/account/999
Filters, ACL, permissions
Ownership level checking, authorization
...for example
socat -v tcp-listen:8080,fork tcp:localhost:80
Poor salting
Not showing the links doesn't mean it is protected. Assuming a user is logged in doesn't mean they should have access to everything.
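Changing 123 to 999 in the URL only works when the action trusts the id alone. The added example below (not the talk's code) is the ownership check the slide calls for: it assumes an Account domain class with an owner property and the springSecurityService bean the earlier slide shows. The controller answers 404 for both "does not exist" and "not yours", so the response does not reveal which ids are real.

```groovy
// Added example, not the talk's code. Assumes an Account domain class with an
// owner property and the springSecurityService bean from the earlier slide.
class AccountController {

    def springSecurityService

    // GET /account/123
    def show(Long id) {
        def currentUser = springSecurityService.currentUser
        Account account = Account.get(id)
        // Ownership check: the id in the URL proves nothing. Respond the same
        // way for "not yours" as for "does not exist" so the id space cannot be
        // mapped by comparing 403 and 404 answers.
        if (!account || account.owner?.id != currentUser?.id) {
            render status: 404
            return
        }
        [account: account]
    }
}
```

The same check belongs in every action that takes an id (edit, update, delete), or in a filter that runs before them; hiding the links in the navigation, as the slide says, protects nothing.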
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0"/>
URLMappings allowedMethods
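The hidden image on the slide fires a GET carrying the victim's session cookie. Two controls stop it, and the added example below (not the talk's code; TransferController and transferService are assumptions) shows both: allowedMethods refuses anything but POST, and withForm checks the synchronizer token that <g:form useToken="true"> adds, which a request forged from another site cannot supply.

```groovy
// Added example, not the talk's code. Assumes a transferService bean.
class TransferController {

    def transferService

    // State-changing actions accept POST only; a GET such as the <img> request
    // on the slide gets 405 Method Not Allowed before the action runs.
    static allowedMethods = [transferFunds: 'POST']

    def transferFunds() {
        // withForm verifies the token that <g:form useToken="true"> emitted as a
        // hidden field; a cross-site POST has no way to obtain a valid one.
        withForm {
            transferService.transfer(params.amount as BigDecimal, params.destinationAccount)
            flash.message = 'Transfer complete'
            redirect action: 'index'
        }.invalidToken {
            response.sendError(403, 'Invalid or missing form token')
        }
    }
}
```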
Apple SSL issue, OS X / iOS