Post on 14-Nov-2014
OWASP Top 10 and Java EE security in practice
Masoud Kalali, @MasoudKalali, Principal Software Engineer, Oracle
Agenda
• Introduction
• The Top 10 Most Critical Web Application Security Risks
• QA
Java EE 6 & GlassFish
glassfish.org
Motivation for this talk
• Seen a lot
• Providing a starting point
• Sharing something
• Making you aware
The Top 10 Most Critical Web Application Security Risks
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
Source: http://owasptop10.googlecode.com, aka OWASP Top-10, Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)
What is OWASP?
• Open Web Application Security Project
• Improving the security of (web) application software
– Not-for-profit organization since 2001
– Raise interest in secure development
• Documents
– Top 10
– Cheat Sheets
– Development Guides
• Solutions
– Enterprise Security API (ESAPI)
– WebScarab
– WebGoat
A1 - Injection
A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication and Session Management • A4: Insecure Direct Object References • A5: Cross Site Request Forgery (CSRF) • A6: Security Misconfiguration • A7: Failure to Restrict URL Access • A8: Insecure Cryptographic Storage • A9: Insufficient Transport Layer Protection • A10: Unvalidated Redirects and Forwards
What is it?
• Sending unintended data to applications
• Manipulating and reading data stores (e.g. DB, LDAP, file system, etc.)
• Java EE 6 affected:
– UI technology of choice
– Database access (JPA, JDBC)
– File System API
– etc.
How to spot it!
// Deliberately vulnerable: untrusted input is concatenated straight into the SQL text
String customerId = request.getParameter("customerId");
String query = "SELECT balance FROM customer_data WHERE customer_id = " + customerId;
try {
    Statement statement = connection.createStatement( … );
    ResultSet results = statement.executeQuery( query );
} catch (SQLException e) {
    // error handling not shown on the slide
}
String customerId = "x'; DROP TABLE members; --"; // user-input that turns one query into two statements
Prevent Injection
• Sanitize the input
• Escape/quote-safe the input, e.g. use ESAPI
• Use bound parameters (the PREPARED statement)
• Limit database permissions and segregate users
• Configure error reporting
• Use static code analysis, e.g. the OWASP LAPSE+ tool
Prevent Injection, Sample
String customerId = request.getParameter("customerId");
// white list validation and encoding
String escapedCustomerId = ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId );
String query = "SELECT balance FROM customer_data WHERE customer_id = " + escapedCustomerId;
...
// OR
String query = "SELECT balance FROM customer_data WHERE customer_id = ? ";
// using pstmt or stmt with encoded/validated input parameters
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, customerId );
ResultSet results = pstmt.executeQuery( );
A2 - Broken Authentication and Session Management
What is it?
• Container security vs. own solution
• Session binding / session renewal
• Passwords
– Strength (length/complexity)
– Plain text passwords (http/https)
– Recovery mechanisms
• Number of factors used for authentication
• Java EE 6 affected:
– JAAS / JASPIC
– Filter / PhaseListener
– Container and web-app configuration
How to spot it
• Authentication over http
• Custom security filter
• Not using container functionality
• No password strength requirements
• No HttpSession binding
• Way of saving passwords
• Not testing security
Best Practices
• Use container managed security!
• Go with provided standard realms and LoginModules whenever possible
• Invalidate the session and all relevant bits when the user logs out
• If you need custom ones: test them extremely carefully!
• Use transport layer encryption (TLS/SSL) for authentication and credentials transport
• Review and adopt OWASP's ASVS (Application Security Verification Standard)
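The session renewal and logout items above, worked through as an added example (not code from the talk) on plain Servlet 3.0 / Java EE 6 APIs: `request.login()` hands the credentials to the container's realm, the session id is replaced after a successful login, and logout invalidates everything server-side and expires the cookie. It assumes the servlet is deployed under a CONFIDENTIAL transport guarantee and that the container uses the default JSESSIONID cookie name.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login and logout on top of the container's realm (Servlet 3.0 / Java EE 6). */
@WebServlet({"/login", "/logout"})
public class AuthServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
        } else {
            login(req, resp);
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            // The realm configured in the container checks the credentials;
            // the application never compares passwords itself.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException failed) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The privilege level changed, so the session id must change too: an id
        // handed out before authentication is never promoted to a logged-in one.
        HttpSession fresh = renewSession(req);
        fresh.setAttribute("loginTime", Long.valueOf(System.currentTimeMillis()));
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();                         // drop the authenticated principal
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();                   // drop every server-side session attribute
        }
        // Expire the session cookie in the browser as well (assumes the
        // container default cookie name JSESSIONID).
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);
        dead.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        dead.setHttpOnly(true);
        dead.setSecure(true);
        resp.addCookie(dead);
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(req.getContextPath() + "/login.html");
    }

    /** Invalidate the current session and carry its attributes into a new one. */
    static HttpSession renewSession(HttpServletRequest req) {
        Map<String, Object> kept = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                kept.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```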
A3 - Cross-Site Scripting (XSS)
What is it?
• Inject malicious code into user interfaces
• Get access to browser information
– E.g. javascript:alert(document.cookie)
• Steal user's session, steal sensitive data
• Rewrite web page or parts
• Redirect user to phishing or malware site
• Java EE 6 affected:
– UI technology of choice (e.g. JSF, JSP)
How to spot it
• Anywhere that untrusted data is used as one of the following in the outgoing response:
– HTML element's attributes
– JavaScript variables
– CSS values
– Etc.
// Deliberately vulnerable: the CC parameter is written unencoded into an attribute value
String page = "";
page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
Prevent
• Sanitize the input, e.g. use OWASP AntiSamy or OWASP Java HTML Sanitizer, etc.
• Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL)
• Use cookie flags:
– httpOnly (keeps the cookie out of reach of injected script)
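An added example, not from the talk, that applies the two points above to the vulnerable credit-card line: the value is encoded with the ESAPI encoder for the exact context it is written into, and the session cookie flags are set once for the whole application through the Servlet 3.0 SessionCookieConfig. It assumes the ESAPI library and its ESAPI.properties are on the classpath; the class and method names are the example's own.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/**
 * Two halves of the XSS defence: output encoding chosen by HTML context,
 * and session-cookie flags set once for the web application.
 */
@WebListener
public final class XssDefences implements ServletContextListener {

    /** The slide's vulnerable line: a single quote in cc ends the attribute early. */
    static String creditCardInputUnsafe(String cc) {
        return "<input name='creditcard' type='TEXT' value='" + cc + "'>";
    }

    /** Hardened: the value is encoded for the attribute context it lands in. */
    static String creditCardInput(String cc) {
        Encoder enc = ESAPI.encoder();
        return "<input name='creditcard' type='TEXT' value='"
             + enc.encodeForHTMLAttribute(cc) + "'>";
    }

    /** The same untrusted value in three other contexts needs three other encoders. */
    static String inBody(String v) {
        return "<p>" + ESAPI.encoder().encodeForHTML(v) + "</p>";
    }

    static String inScript(String v) {
        return "<script>var cc = '" + ESAPI.encoder().encodeForJavaScript(v) + "';</script>";
    }

    static String inStyle(String v) {
        return "<div style=\"color: " + ESAPI.encoder().encodeForCSS(v) + "\">";
    }

    /**
     * Servlet 3.0 lets the application set the session cookie flags in code
     * instead of web.xml cookie-config: HttpOnly keeps JSESSIONID away from
     * document.cookie, Secure keeps it off plain http.
     */
    @Override
    public void contextInitialized(ServletContextEvent ev) {
        SessionCookieConfig cookies = ev.getServletContext().getSessionCookieConfig();
        cookies.setHttpOnly(true);
        cookies.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent ev) {
        // nothing to release
    }
}
```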
A4 – Insecure Direct Object References
What is it?
• Exposing secure objects without defense
• Accessing domain objects with their primary key, e.g. https://you.com/user/1 => https://you.com/user/21
• Opening opportunities for intruders
• Information hiding on the client
• Parameter value tampering
• Java EE 6 affected:
– All layers
– Especially data access
How to spot it
• Direct user input to object mapping
• No verification on user input (defenseless)
• Data separation for users (tenants)
• Request mode access for data (RUD)
• Query constraints
Best Practices
• Use AccessReferenceMaps
• Use data-driven security
• Validate object references
• Always perform additional data authorization on the view
Direct reference => indirect reference:
http://app?file=Report123.xls => http://app?file=1
http://app?id=9182374 => http://app?id=7d3J93
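A minimal per-session access reference map, written for this page as an added example (it is not ESAPI's RandomAccessReferenceMap and not code from the talk): the real record ids never leave the server, the client only sees random tokens, and a token that this session did not issue resolves to nothing. The attribute name "arm" and the request parameter "id" are assumptions of the example.

```java
import java.security.AccessControlException;
import java.security.SecureRandom;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

/**
 * Per-session indirection between real record ids and random tokens.
 * Only ids granted to this session at construction time (or later via
 * addDirectReference) can ever be resolved from a request.
 */
public final class AccessReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String ALPHABET =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    private final Map<Long, String> directToIndirect = new HashMap<Long, String>();
    private final Map<String, Long> indirectToDirect = new HashMap<String, Long>();

    /** Seed with the ids this user may reach, e.g. the result of
     *  "select id from report where owner = ?" run at login. */
    public AccessReferenceMap(Collection<Long> allowedIds) {
        for (Long id : allowedIds) {
            addDirectReference(id);
        }
    }

    /** Grant an id and return its token (idempotent for an already granted id). */
    public synchronized String addDirectReference(long id) {
        String existing = directToIndirect.get(id);
        if (existing != null) {
            return existing;
        }
        String token;
        do {
            token = randomToken(6);
        } while (indirectToDirect.containsKey(token));
        directToIndirect.put(id, token);
        indirectToDirect.put(token, id);
        return token;
    }

    /** Token to render into links/forms; throws if the id was never granted. */
    public synchronized String getIndirectReference(long id) {
        String token = directToIndirect.get(id);
        if (token == null) {
            throw new AccessControlException("id not granted to this session");
        }
        return token;
    }

    /** Resolve a token taken from a request; unknown or tampered tokens are refused. */
    public synchronized long getDirectReference(String token) {
        Long id = (token == null) ? null : indirectToDirect.get(token);
        if (id == null) {
            throw new AccessControlException("unknown reference: " + token);
        }
        return id;
    }

    /** Request-side use (assumes the map was stored in the session under "arm" at login). */
    static long resolveFromRequest(HttpServletRequest req) {
        AccessReferenceMap arm = (AccessReferenceMap) req.getSession().getAttribute("arm");
        if (arm == null) {
            throw new AccessControlException("no reference map for this session");
        }
        // Even after resolving, the data query should still constrain on the
        // owner ("... where id = ? and owner = ?"), per the slide's last bullet.
        return arm.getDirectReference(req.getParameter("id"));
    }

    private static String randomToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }
}
```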
A5 - Security Misconfiguration
What is it?
• Applies to
– Operating system
– Application server
– Databases
– Additional services
– Frameworks
– Developed code
– Etc.
• Includes (beside _many_ others)
– All security relevant configuration
– Missing patches
– Default accounts
Worst Practices
• Network interfaces/sockets access control
• Relaxed file system access control
• Using any defaults like:
– Passwords: admin, master password
– Network interface binding: listening on 0.0.0.0
– Certificates: self signed certificate
• Using an OS that has not been hardened!
• Not using a segregated user for the service
• Not restricting the GlassFish/server user to what the component needs, and not enabling the security manager
Policy Files location
• Global policy file: java.home/jre/lib/security/java.policy
• User policy file: user.home/.java.policy
• Domain policy file: domain.home/config/server.policy
• Application policy file: domain.home/generated/policy/<app.name>/<module.name>/granted.policy
Review the *.policy files
• Policy files precedence order
• Remove unused grants
• Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain
• Document your changes!
Running GlassFish in a Secure Environment
• Use the latest version (3.1.2.2)
• Enable secure admin (TLS/https)
• Use password aliasing
• Enable the security manager and put forth a proper security policy file design
http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
A6 - Sensitive Data Exposure
What is it?
• Sensitive data kept unprotected
• Sensitive data exposed to wrong persons
• Could be:
– Passwords
– Financial/health care data
– Credit cards
Worst Practices
• Storing sensitive data unencrypted
• Storing comparative data unhashed (passwords/security question answers…)
• Keeping clear text copies of encrypted data
• Not keeping the keys/passwords well guarded
• Caching/autocomplete on pages with sensitive data
Worst Practice
• Using basic/form authentication without SSL
• Not using HTTPS for pages with private information
• Using the default self signed certificate
• Storing unencrypted cookies
• Not setting cookies to be securely transmitted: Cookie.setSecure(true)
• Forgetting about the rest of the infrastructure
Prevention
• Identify sensitive data
• Wisely encrypt sensitive data
– On every level (application, appserver, db)
– With the right algorithm, as strong as possible but not more!
– With the right mechanism, e.g. scrypt and bcrypt
• Don't keep clear text copies
• Decrypting and viewing clear text should be restricted to authorized personnel
• Keep the keys as protected as possible
• Keep offsite encrypted backups in addition to on-site copies
Best Practice
• Use TLS on all connections with sensitive data
• Individually encrypt messages
• Sign messages before transmission
• Use standard strong algorithms
• Use proven mechanisms when sufficient
Java EE
• Group the resources in regard to transport sensitivity using web-resource-collection
• Use user-data-constraint as widely as you need for data integrity and encryption needs
• Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
• Secure cookie transmission
GlassFish
• Protect the keystore
• Protect GlassFish accounts
– Use aliasing to protect the password and keep the master password safe to protect the aliases
• Use digest authentication/hashed password storage
GlassFish
• Install the right server certificates to be used by SSL listeners
• Properly configure HTTPS listener/s (set the right keystore)
• Properly configure the ORB over SSL listeners if needed (set the right keystore)
• Enable auditing under Security and access log under HTTP Service
A7 - Missing functional access control
What is it?
• Presentation layer access control is not enough!
• Not using "Deny All" by default
• Related to A4 – Insecure Direct Object References
Worst Practice
• Using home-grown security features instead of container provided ones
• Assuming people won't know some URLs to try them
• Assuming no one would misuse the extra permission and access they have
Java EE 6
• What you do to prevent A4, plus:
– Use container security (security-constraint)
– Use programmatic login of Java EE 6 if needed
– Properly configure security realms
– Accurately map roles to principals/groups (auth-constraint / security-role-mapping)
– Only allow supported/required HTTP methods
– Accurately categorize the URL patterns and permit the relevant roles for each
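An added example (not from the talk) covering the Java EE 6 list above and the earlier transport-guarantee point: the Servlet 3.0 @ServletSecurity annotation declares roles per HTTP method, requires CONFIDENTIAL transport, and denies every method not listed, while the ownership check that the container cannot make stays in application code. Role names, the URL pattern and the ownsAccount rule are the example's own; the role-to-group mapping normally placed in glassfish-web.xml is not shown.

```java
import java.io.IOException;
import java.security.Principal;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles({"customer", "admin"})
@WebServlet("/account/*")
@ServletSecurity(
    // Default for every HTTP method not listed below (PUT, DELETE, TRACE, ...):
    // refuse outright, the "deny all by default" from the A7 slide.
    value = @HttpConstraint(value = EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET",
            rolesAllowed = {"customer", "admin"},
            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST",
            rolesAllowed = {"admin"},
            transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time this runs the container has authenticated the caller,
        // checked the role and enforced TLS. What it cannot know is which
        // account the caller owns, so that check (A4 + A7) stays here.
        String accountId = req.getPathInfo() == null ? "" : req.getPathInfo().substring(1);
        Principal caller = req.getUserPrincipal();
        if (!req.isUserInRole("admin") && !ownsAccount(caller.getName(), accountId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("balance for account " + accountId);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only reachable by "admin" over TLS, as declared above.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Hypothetical ownership rule for the example; a real application runs a
     *  query constrained on both values ("... where id = ? and owner = ?"). */
    static boolean ownsAccount(String user, String accountId) {
        return accountId.startsWith(user + "-");
    }
}
```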
Best Practices
• Any non-public URL should be protected
• Use container authentication/authorization features or extend on top of them
• If not enough, use proven frameworks/products to protect the resources
• If a user can get /getpic?id=1x118uf it does not mean you should show /getpic?id=1x22ug
A8 - Cross Site Request Forgery (CSRF)
What is it?
• Basically a capture-replay attack
• Malicious code executes functions on your behalf while you are authenticated
• Deep links make this easier
• Java EE 6 affected:
– UI technology of choice
How to spot it
• Predictable URLs (for logged-in users)
• No random secret token processing (CSRF token)
• No double check at the different stages of a multi-step operation
Best Practices
• Add unpredictability (tokens)
– Hidden field, single-use URLs
– Request or session scope
• CSRFPreventionForm (JSF 1.2 & 2): http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html
• Use OWASP ESAPI: http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/
A9 - Using Components with Known Vulnerabilities
What is it?
– Using commercial off-the-shelf components and frameworks
– Hard to track the list of vulnerabilities
– Hard to track fix versions
– Late or sometimes no news about the flaws
Worst Practices
– Using frameworks and components that are not well established, especially for security services
– Not following the release train, the list of changes, the announcement mailing lists, etc.
– Ignoring security fixes because of the expense of updating
– Staying with a dead project because of the cost of replacing or refactoring
Java EE 6
– Stay with application-server-certified components (OS, frameworks, libraries, external services, etc.) as long as possible
– If staying with the same major or dot release, make sure all patches are applied, especially security fixes
– Only use well-known and established frameworks with a proven record
A10 - Unvalidated Redirects and Forwards
What is it?
• Redirecting to another URL computed from user-provided parameters
• Forwarding to another URL computed from user-provided parameters
http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting
Worst Practices
• Not validating/verifying the target against the user's access level before doing the forward
• Not using a proper access control mechanism (e.g. container-managed security with a proper security-constraint)
• Redirecting to a user-provided parameter, e.g. to an external website
Java EE 6
• Avoid redirects and forwards as much as possible
• Accurately verify/validate the target URL before forwarding or redirecting
• Redirects are safe when container-managed authentication/authorization is used properly
• Forwards happen without authentication and therefore require triple checking to prevent unauthorized access
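An added example (not code from the talk or the Galleria project) of the "validate the target before redirecting" rule, for the A10 "What is it" case of a /external?url= link like the one on the slide: only in-application paths or http(s) URLs on an explicit host allow-list are followed, everything else lands on a fixed page. The servlet name, the /index.jsp default and the allow-listed host are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
// Validates the user-supplied "url" parameter before sendRedirect(): only paths
// inside this application, or http(s) URLs on an explicit allow-list of hosts,
// are followed; anything else lands on a fixed default page.
@WebServlet("/external")
public class ValidatedRedirectServlet extends HttpServlet {
    static final String DEFAULT_TARGET = "/index.jsp";
    // Constructed allow-list; a real deployment loads it from configuration.
    static final Set<String> ALLOWED_HOSTS =
        new HashSet<String>(Arrays.asList("www.adam-bien.com"));

    // Returns the candidate if it is safe to redirect to, otherwise DEFAULT_TARGET.
    public static String safeTarget(String candidate) {
        if (candidate == null || candidate.isEmpty()) return DEFAULT_TARGET;
        URI uri;
        try {
            uri = new URI(candidate);   // rejects backslashes, spaces, bad escapes
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.getScheme() == null && uri.getAuthority() == null) {
            // Relative reference with no host. Require a leading "/" so the target
            // stays inside the application ("//evil.example" has an authority and
            // therefore takes the branch below, where it fails the allow-list).
            String path = uri.getPath();
            return (path != null && path.startsWith("/")) ? candidate : DEFAULT_TARGET;
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        boolean webScheme = scheme.equals("http") || scheme.equals("https");
        boolean knownHost = uri.getHost() != null
            && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
        // Also reject userinfo ("user@host"), which only serves to make a link misleading.
        return (webScheme && knownHost && uri.getUserInfo() == null) ? candidate : DEFAULT_TARGET;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendRedirect(safeTarget(req.getParameter("url")));
    }
}
```

The same safeTarget() check applies to the path handed to a RequestDispatcher forward, with the extra step the slide calls for: confirm the caller's roles against the forward target, since the container does not re-authenticate a forward.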
Galleria Project
https://bitbucket.org/VineetReynolds/java-ee-6-galleria/
Security isn't all candy...
... but you will love it in the end!
CC picture reference
• http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/
• http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/
• http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/
• http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/
• http://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/
• http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/
• http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/
• http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/
• http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/
• http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/
• http://www.flickr.com/photos/zen/4494845/sizes/o/in/photostream/