Securing Java Web Applications
An introduction
Jonas Flesch
Index
• Spring Security
• Passwords
• Sql Injection
• JSTL
• Client sent content
• Stacktraces
• Test
• Legal issues
Step 1: Use Spring Security!!
Spring Security
• Authentication: form login declared in Java config on the `HttpSecurity` builder (`http`), so the login page, the URL the form posts to, the failure redirect and the parameter names are all explicit:

```java
http
    .formLogin()
        .loginPage("/login")
        .loginProcessingUrl("/authenticate")
        .failureUrl("/login?error=true")
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();
```
Spring Security
• Authorization: a role check on the whole controller class with `@Secured` (needs `@EnableGlobalMethodSecurity(securedEnabled = true)` in the config, otherwise the annotation is silently ignored):

```java
@Controller
@Secured(Roles.ROLE_ADMINISTRATOR)
@RequestMapping(UserController.BASE_URL)
public class UserController extends BaseController {
    // handler methods: every one of them now requires ROLE_ADMINISTRATOR
}
```
Spring Security
• Cross-Site Request Forgery token: CSRF protection is enabled by default in the Java config, so every state-changing form (POST/PUT/DELETE) must carry the token or the request is rejected with 403:

```html
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
```
Spring Security
• Good-practice headers: the default `headers()` configuration already sends `Cache-Control` (no-cache on secured pages), `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `X-XSS-Protection` and `Strict-Transport-Security` (on HTTPS); keep them enabled and tighten them rather than switching them off.
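The four Spring Security slides above (form login, `@Secured` authorization, CSRF, headers) fit in one configuration class. The following is an added example, not code from the deck; it uses the `WebSecurityConfigurerAdapter` style of Spring Security 4/5 that the slides' builder chain belongs to (removed in Spring Security 6). The URL patterns `/admin/**`, `/css/**`, `/js/**` and `/logout` are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
// Without securedEnabled = true, @Secured on a controller is ignored and everything is reachable.
@EnableGlobalMethodSecurity(securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Authorization: deny by default, open only what must be public.
            // Paths are assumed for this example.
            .authorizeRequests()
                .antMatchers("/login", "/css/**", "/js/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMINISTRATOR") // hasRole adds the ROLE_ prefix
                .anyRequest().authenticated()
                .and()
            // Authentication: the form login from the slide, unchanged.
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/authenticate")
                .failureUrl("/login?error=true")
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
                .and()
            // Logout must be a POST (it changes state) and therefore also needs the CSRF token.
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout=true")
                .and()
            // CSRF is on by default; calling csrf() only makes it visible in the config.
            // Never add .disable() here: forms carry ${_csrf.parameterName}/${_csrf.token} instead.
            .csrf()
                .and()
            // Headers: the defaults (nosniff, DENY, XSS filter, Cache-Control, HSTS) stay on;
            // here they are stated explicitly and HSTS is extended to subdomains for one year.
            .headers()
                .frameOptions().deny()
                .httpStrictTransportSecurity()
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true);
    }
}
```

With this in place, `@Secured(Roles.ROLE_ADMINISTRATOR)` on `UserController` is enforced by method security before any handler runs, and a POST to `/authenticate` or `/logout` without the hidden token field is answered with 403.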
Step 2: Passwords
Passwords
• Store them only as a strong salted hash
  • Bcrypt: adaptive work factor, and a fresh random salt is embedded in every hash
• Never send a password by e-mail or store it in plain text; recovery flows send a random one-time token, not the password
• Protect user creation and password recovery forms with a captcha
  • reCAPTCHA when possible
  • JCaptcha as second choice
Step 3: SQL Injection
SQL Injection
• Always use SQL parameters: the `:dsEmail` and `:idUser` placeholders below are bound by the driver, so the values are never part of the SQL text (JDBI-style SQL-object annotation):

```java
@SqlUpdate("UPDATE User ug"
         + " SET DsEmail = :dsEmail"
         + " WHERE idUser = :idUser")
```
Step 4: Use JSTL carefully
JSTL
• Wrong: `<input type="hidden" name="uuid" value="${UUID}"/>` (plain EL output is not escaped)
• Correct: `<input type="hidden" name="uuid" value="<c:out value="${UUID}"/>"/>` (or `${fn:escapeXml(UUID)}` from the JSTL functions taglib)
• Why? If the client supplied `UUID` as `"><script>alert(1)</script>`, the wrong version renders `<input type="hidden" name="uuid" value=""><script>alert(1)</script>"/>`: the attribute closes early and the script runs in the victim's browser
• `c:out` escapes the value as HTML entities by default (`escapeXml="true"`): `<` becomes `&lt;`, and likewise `>`, `&`, `"` and `'`, so the browser shows text instead of parsing markup
Step 5: Never trust content from the client
Never trust content from the client
• Never use file names from uploads (they can contain `../`, a server-side extension such as `.jsp`, or collide with another user's file)
• Use a UUID as the file name when saving to disk
• Enforce a file size limit while reading, not from the declared Content-Length
  • Endless uploads can fill the disk and crash the server
• Validations made in JavaScript must be repeated on the server; the client can skip them entirely
Step 6: Hide the stack traces!!!
Hide the stack traces
• From a raw stack trace an evil user can discover:
  • Frameworks and their versions (which narrows the search for known vulnerabilities)
  • File system paths and package names
  • Pieces of code and details of the implementation
• Solution: log the full trace on the server, show the user a generic page
  • Spring MVC: `@ControllerAdvice` with `@ExceptionHandler`
  • web.xml `<error-page>` for anything that escapes Spring (filters, the container itself)
Step 7: Test it!
Test
• OWASP ZAP
  • Automated testing: the spider and the active scanner find the easy cases without manual work
  • Every error it reports is important; triage rather than dismiss
  • Use the proxy in every functionality: route the whole functional test suite through ZAP so the passive scanner sees every request and response
  • Can be integrated into Continuous Integration, failing the build on new alerts
• Put the evil user in the scenarios: tests that submit hostile input and assert on the result
  • Automate them too!
Step 8: Legal issues
Legal issues
• Privacy policy
• Terms of use
• Age validation
• Copied images and logotypes (copyright and trademark)
• Storage of personal data (document number, birth date, etc.)
• Disclosure of classified or confidential information