2013 06-27-securecoding-en - jug pch

Date post: 10-May-2015
Upload: sebastien-gioria
Transcript
Page 1: 2013 06-27-securecoding-en - jug pch

Secure Coding for Java (an introduction)
Java User Group Poitou-Charentes (Niort)

27 June 2013

Sébastien Gioria, [email protected], Chapter Leader OWASP France

Friday, June 28, 13

Page 2

http://www.google.fr/#q=sebastien gioria

‣ OWASP France Leader & Founder & Evangelist
‣ Innovation & Technology @ Advens
‣ Application Security group leader for the CLUSIF
‣ Proud father of young kids trying to hack my digital life.

Twitter: @SPoint / @OWASP_France

Don't worry, this is the only slide in English; on the other hand, there will be notes written all over the bottom of the slides...

Page 3

Foreword

• This is a presentation made from my own experience with some companies using OWASP materials.
• Only the documents from the OWASP wiki are OWASP official (see https://www.owasp.org).
• Some extracts come from documents I wrote as OWASP leader; this is why you could find them elsewhere.

Page 4

Agenda

• Application Security:
  – where we are (no bullshit)
  – where we are (hopefully) going?
• Using OWASP materials to secure code
• Secure Coding principles

Page 5

Introduction

Page 6

Why Application Security?

Flowchart labels (the slide is built up across pages 6 to 15; the final state is kept here):
– Your Application has been Hacked: YES / NO
– Your Application will be Hacked ;) : YES / NO
– Let me take you on the right way
– My Application will be hacked!
– Next Step

Page 16

Why Application Security?

We are living in a digital environment, in a connected world:
• Most websites are vulnerable to attacks
• An important % of business is web-based (Services, Online Store, Self-care, Telcos, SCADA, ...)

Age of Antivirus → Age of Network Security → Age of Application Security

Page 17

Consequences of bad or no security

– Identity theft
– Hardware theft
– IT downtime
– Bad media coverage
– Financial loss
– Customer loss
– Legal/business penalties

Page 18

What Verizon (PCI-DSS company) said?

(Charts from the Verizon 2012 report, © Verizon 2012; built up across pages 18 to 24.)

Page 25

Verizon Study

(Charts, © Verizon 2012; built up across pages 25 to 32.)

Page 33

(Chart, (c) WhiteHatSecurity 2013; built up across pages 33 to 36.)

Page 37

What your CIO said: I got a Firewall!

Page 38

What your business user said: I have an SSL-based Web Site

Page 39

What your business user said: only the hacker can attack my website

• Tools are more and more simple.
• Try a simple Google search on SQL Injection and look at the results.
• An attack on a Web Server costs $100 to $200 per day on the underground market.

Page 40

What your user said: a vulnerability on an internal Application is not critical.

• No. The web is everywhere, and CSRF, HTML5 CORS and more can make this completely destructive.
• Be aware and share this:
  • AJAX does a lot of things without you
  • HTML5 will come with "nice" user functionality, but with a big impact on security (WebSocket, CORS, ...)

Page 41

But I do Security testing!

(Diagram: Security Testing versus Coding)

Page 42

Major OWASP publications you can use

All are on the wiki https://www.owasp.org
All are under GPL or friendly licenses

Major publications you can use to secure your projects/SDLC:
• OWASP Top10
• Auditor/Testing Guide
• Code Review Guide
• Building Guide
• Application Security Verification Standard (ASVS)
• Secure Coding Practices

(Diagram: the Top10 references these 3 guides: Building Guide, Code Review Guide, Testing Guide; plus the Application Security Desk Reference (ASDR).)

Page 43

(Diagram built up across pages 43 to 55: Learn → Contract → Design → Build → Test → Progress)

Page 56

OWASP Application Security Verification Standard

Page 57

What is ASVS?

• A standard that provides a basis for the verification of web applications, application-independent.
• A standard that is life-cycle model independent.
• A standard that defines requirements that can be applied across applications without special interpretation.

Page 58

What questions does ASVS answer?

• How much trust can be placed in a web application?
• What features should be built into security controls?
• How do I acquire a web application that is verified to have a certain range in coverage and level of rigor?

Page 59

ASVS secure controls requirements (number of requirements per verification level)

Security Area | Level 1A | Level 1B | Level 2A | Level 2B | Level 3 | Level 4
V1 – Security Architecture Verification Requirements | 1 | 1 | 2 | 2 | 4 | 5
V2 – Authentication Verification Requirements | 3 | 2 | 9 | 13 | 13 | 14
V3 – Session Management Verification Requirements | 4 | 1 | 6 | 7 | 8 | 9
V4 – Access Control Verification Requirements | 5 | 1 | 12 | 13 | 14 | 15
V5 – Input Validation Verification Requirements | 3 | 1 | 5 | 7 | 8 | 9
V6 – Output Encoding/Escaping Verification Requirements | 0 | 1 | 2 | 8 | 9 | 10
V7 – Cryptography Verification Requirements | 0 | 0 | 2 | 8 | 9 | 10
V8 – Error Handling and Logging Verification Requirements | 1 | 1 | 2 | 8 | 8 | 9
V9 – Data Protection Verification Requirements | 1 | 1 | 2 | 3 | 4 | 4
V10 – Communication Security Verification Requirements | 1 | 0 | 3 | 6 | 8 | 8
V11 – HTTP Security Verification Requirements | 3 | 3 | 6 | 6 | 7 | 7
V12 – Security Configuration Verification Requirements | 0 | 0 | 0 | 2 | 3 | 4
V13 – Malicious Code Search Verification Requirements | 0 | 0 | 0 | 0 | 0 | 5
V14 – Internal Security Verification Requirements | 0 | 0 | 0 | 0 | 1 | 3
Totals | 22 | 12 | 51 | 83 | 96 | 112

Page 60

But ASVS stands for Verification?

• ASVS just states functional needs for controls.
• You should use it as a Secure Coding Policy.

★ Don't be medium (ASVS Level 1/2), just target excellence (ASVS Level 4)

Page 61

Using ASVS as a secure coding policy

• ASVS: Verify that all password fields do not echo the user's password when it is entered.
  ➡ All password fields must be defined as HTML password fields and must not echo the user's password.
  ➡ All login forms must include the autocomplete=off attribute.
• ASVS: Verify that all input validation is performed on the server side.
  ➡ Perform all input validation on the server. Nothing in the browser.

Page 62

Positive attitude

Negative: The tester shall search for XSS holes.
Positive: Verify that the application performs input validation and output encoding on all user input.

See: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Page 63

OWASP Secure Coding Practices

Page 64

OWASP Secure Coding Practices

• Small document (only 9 pages)
• Could be used as a simple checklist for your policy.
• Could be used together with ASVS or alone.
• More technical and deeper approach than ASVS.
• Written and used by Boeing :)

Page 65

Secure Coding Practices Contents

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

Page 66

Now the torture room

Page 67

Let's talk Secure Coding now

(extracts from OWASP Secure Coding Practices, OWASP Cheat Sheets, OWASP ASVS, ...)

Page 68

Some secure principles to follow

• Defense in depth of the application is mandatory
• Following least privilege is the best solution
• Segregate duties more than the user thinks
➡ Remember that the application needs to answer user needs, not security pleasure.

Page 69

Defense in depth of a Web Application (example)

(Diagram. Layers: Browser → Firewall → Web Server → App Server → SGBD (database), with the Application / Web Apps on top. Controls placed along the path:)
– User auth
– Input Validation
– Secure configuration
– Good crash mechanisms
– Critical data transport protection
– Preventing session and ID theft
– Critical data protection
– Logs/Audit of transactions
– Authorisation and authentication
– Preventing parameter theft

Page 70

Fail securely

• Don't give the user technical details of the error/crash.
• Clean state or used objects in the catch clause

Page 72

Don't try to make obscure things

(Screenshots built up across pages 72 to 75: GEOPORTAIL, GOOGLE MAPS)

Page 76

• Obfuscation is not the solution
• There is someone in the matrix who will send you evil data
• Be evil!
• Protecting areas with filters is the best solution

Page 77

Controls

• Controls need:
  – to be simple
  – to be used correctly
  – to be functional
  – to be present in every part of the application

A badly understood control ends up unused by developers, and the application will be vulnerable.

Page 78

Minimal controls to have

• You must have at least these components in your application:
  – Authentication
  – Authorization
  – Logging and audit
  – Secure storage
  – Secure transport
  – Secure input and output manipulation of data

Page 79

Authentication

Page 80

Implement a good password strategy

• Password length: categorize applications:
  • Important: at least 6 characters
  • Critical: at least 8 characters and perhaps multi-factor authentication
  • High Critical: at least 14 characters and multi-factor authentication
• Password strength: implement password complexity with the previous categories:
  • at least: 1 upper, 1 lower, 1 digit, 1 special
  • don't allow dictionary passwords
  • don't allow continuous characters

Page 81

Implement a good password strategy

• Let the user choose it
• Force the user to change it regularly, and add a no-reuse capability.
• Don't allow too many "I forgot my password" requests
• Don't allow a password change without user approval; require the actual password from the user, and more for high critical.
• Add a sleep strategy!
• Add a misuse detection strategy!
• Don't store passwords in clear!!!!! Use a hash!

Page 82

Multi-Factor authentication

• Passwords are bad
• Passwords are guessable
• Multi-factor combines:
  – something you have (token, mobile, ...)
  – something you know (details about you, password, ...)
  – sometimes, something you are (biometrics)
  – Use it for high critical applications.

Page 83

Implement a good global strategy

• Ask for a second authentication for critical transactions (with multi-factor auth...)
• Force authentication to be over TLS/SSL
• Regenerate the Session ID after authentication
• Force the Session ID to be "secure"
• Limit forgotten-password requests and login/password changes

Page 84

How to do it?

• Authenticate all pages except public pages (login, logout, help, ...)
• Don't allow more than one authentication mechanism
• Authenticate on the SERVER
• Simply send back "user or password mismatch" and nothing else after a failed authentication.
• Log all failed and all correct authentications
• After each authentication give the user the last status of their authentication.

Page 85

• Good regex for password complexity:

(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$

• Good storage of password with SALT:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hash = SHA-256(salt || password); the salt is stored next to the hash.
public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.reset();
    digest.update(salt);
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}
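Putting the two items of this slide together, as an added example (not code from the presentation): the complexity regex as the enrolment gate, the slide's salted SHA-256 construction with a random per-user salt, and a constant-time check at login. The class, method names and sample passwords are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;

// Added example, not from the slides: policy check + salted hash + verification.
public final class PasswordStore {

    // The slide's complexity rule: 8-30 chars with a digit, a lower, an upper and a special.
    private static final Pattern COMPLEXITY = Pattern.compile(
        "(?=^.{8,30}$)(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{\"\":;'?/>.<,]).*$");

    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** What gets stored per user: salt and hash, never the clear-text password. */
    public static final class StoredPassword {
        final byte[] salt;
        final byte[] hash;
        StoredPassword(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }

        /** One database column: base64(salt) "$" base64(hash). */
        public String encode() {
            Base64.Encoder b64 = Base64.getEncoder();
            return b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
        }
    }

    public static boolean meetsPolicy(String password) {
        return password != null && COMPLEXITY.matcher(password).matches();
    }

    /**
     * The slide's construction: SHA-256(salt || password). A deliberately slow KDF
     * (PBKDF2, bcrypt, scrypt) resists offline guessing far better; the single
     * digest is kept here because it is what the slide shows.
     */
    static byte[] hash(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        digest.update(salt);
        return digest.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    /** Enrolment: enforce the policy, draw a fresh random salt, hash. */
    public static StoredPassword enroll(String password) throws NoSuchAlgorithmException {
        if (!meetsPolicy(password)) {
            throw new IllegalArgumentException("password does not meet the complexity policy");
        }
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);   // per-user salt: identical passwords hash differently
        return new StoredPassword(salt, hash(password, salt));
    }

    /** Login: recompute with the stored salt, compare without an early exit. */
    public static boolean verify(String candidate, StoredPassword stored) throws NoSuchAlgorithmException {
        byte[] recomputed = hash(candidate, stored.salt);
        return MessageDigest.isEqual(recomputed, stored.hash);   // constant-time comparison
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values.
        System.out.println("weak password accepted? " + meetsPolicy("password"));
        StoredPassword rec = enroll("Tr0ub4dor&3");
        System.out.println("stored: " + rec.encode());
        System.out.println("right password verifies? " + verify("Tr0ub4dor&3", rec));
        System.out.println("wrong password verifies? " + verify("Tr0ub4dor&4", rec));
    }
}
```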

Page 86

Session Management

Page 87

Session

• Use the default Java Framework generator
• Use another name than the framework's default (rename JSESSIONID...)
• Force transport of the authentication ID over SSL/TLS.
• Don't allow the Session ID in the URL!
• If using a cookie:
  – Secure cookie
  – HTTPOnly cookie
  – Limit path + domain
  – Max Age and expiration

Page 88

Session tricky

• Automatic expiration: categorize applications:
  • default: 1 hour
  • critical (some transactions): 20 mins
  • high critical (financial or account impact): 5 mins
• Renew the Session ID after any privilege change
• Don't allow simultaneous logon
• Add session attack detection
  • add in-session tips: IP of the session, another random number, ...

Page 89

Browser defenses

• Bind JavaScript events to close the session:
  – on window.close()
  – on window.stop()
  – on window.blur()
  – on window.home()
• Use a JavaScript timer to automatically close the session in high critical applications
• Disable web browser cross-tab sessions if possible... (bad user experience....)
  – If you use cookies, this is not possible!!!!

Page 90

Using Servlet 3.0?

<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
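As an added example (not from the slides), the same two cookie flags set programmatically with the Servlet 3.0 API, together with the session rules of the previous slides: a renamed cookie, a new session ID after authentication or privilege change, and idle timeouts per application category. It assumes the javax.servlet 3.0 API on the classpath; class, attribute and cookie names are mine.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example, not from the slides: session hardening with the Servlet 3.0 API.
@WebListener
public class SessionHardening implements ServletContextListener {

    /** Idle timeouts from the "Session tricky" slide, in seconds. */
    public enum Category {
        DEFAULT(60 * 60), CRITICAL(20 * 60), HIGH_CRITICAL(5 * 60);
        final int idleSeconds;
        Category(int s) { idleSeconds = s; }
    }

    /** Programmatic equivalent of the web.xml <cookie-config> on the slide. */
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setName("SID");        // do not advertise the framework (default is JSESSIONID)
        cookie.setHttpOnly(true);     // not readable from script in the page
        cookie.setSecure(true);       // only sent over TLS
        cookie.setPath(ctx.getContextPath().isEmpty() ? "/" : ctx.getContextPath());
        // No setMaxAge: a browser-session cookie; the idle timeout below bounds
        // the server-side lifetime instead.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /**
     * Call right after a successful login: drop the pre-authentication session
     * (and any ID the client arrived with) and start a fresh one carrying the
     * authenticated principal. Servlet 3.0 has no changeSessionId(), so this
     * invalidates and recreates.
     */
    public static HttpSession onAuthenticated(HttpServletRequest request,
                                              String principal, Category category) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();                        // new ID after authentication
        }
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("principal", principal);
        fresh.setMaxInactiveInterval(category.idleSeconds);
        // "in-session tip" from the slide: remember the client address to spot theft.
        // Expect false positives behind NAT or on mobile networks; treat as a signal.
        fresh.setAttribute("boundRemoteAddr", request.getRemoteAddr());
        return fresh;
    }

    /** Renew the ID on any privilege change too (same rule as after login). */
    public static HttpSession onPrivilegeChange(HttpServletRequest request, Category category) {
        HttpSession current = request.getSession(false);
        String principal = current == null ? null : (String) current.getAttribute("principal");
        return onAuthenticated(request, principal, category);
    }

    /** Per-request check: the session should still come from the address it was bound to. */
    public static boolean sessionLooksStolen(HttpServletRequest request) {
        HttpSession s = request.getSession(false);
        if (s == null) return false;
        Object bound = s.getAttribute("boundRemoteAddr");
        return bound != null && !bound.equals(request.getRemoteAddr());
    }
}
```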

Page 91: 2013 06-27-securecoding-en - jug pch

 Access  Controls

107

Friday, June 28, 13

Page 92

Remember

(Built up across pages 92 to 94.)

(1) Without access control, you can't control the user in your application
(2) All client inputs are EVIL

Page 95

Authentication & Authorization

• Two levels of authentication and authorization are needed:
  – In the Application
  – In the infrastructure

(Diagram: App Server → SGBD (database). Role A uses a connection restricted to Table A + duty A; Role B uses a connection restricted to Table B + duty B.)

Page 96

Authorization

• Have in mind the rule:
  – Nothing by default
• Centralize all authorization code on the SERVER
• If client state is mandatory, use encryption and integrity checking on the server side to catch state tampering.
• Limit the number of transactions per user in a time interval.

Page 97

Authorization

• Enforce:
  – protection of URLs to authorized accounts only
  – protection of functions to authorized accounts only
  – protection of file access to authorized accounts only
• The application needs to terminate the session when authorization fails.
• Split administrative and user authorization
• Enforce dormant account handling:
  – loss of privileges
  – "disable account"
  – alerts
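The "integrity checking on the server side" rule of the previous slide, as an added example (not from the slides): state that has to travel through the client is sealed with an HMAC under a server-only key and the tag is verified before anything in it is trusted. This is integrity only; encrypt as well if the state is confidential. The token layout, field names and key are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not from the slides: tamper-evident client-side state.
public final class SealedState {
    private static final String ALG = "HmacSHA256";
    private final byte[] key;   // server secret; generate with SecureRandom, never send to the client

    public SealedState(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Token = "userId:role:expiresAtEpochSeconds" + "." + base64url(HMAC over that payload). */
    public String seal(String userId, String role, long expiresAt) throws GeneralSecurityException {
        if (userId.contains(":") || role.contains(":")) {
            throw new IllegalArgumentException("field separator inside a value");
        }
        String payload = userId + ":" + role + ":" + expiresAt;
        String tag = Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
        return payload + "." + tag;
    }

    /** Returns {userId, role} when the tag and expiry check out, otherwise null ("nothing by default"). */
    public String[] open(String token, long now) throws GeneralSecurityException {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return null;
        String payload = token.substring(0, dot);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Verify the tag (constant-time) before parsing anything from the payload.
        if (!MessageDigest.isEqual(mac(payload), presented)) return null;
        String[] fields = payload.split(":", -1);
        if (fields.length != 3) return null;
        long expiresAt;
        try { expiresAt = Long.parseLong(fields[2]); } catch (NumberFormatException e) { return null; }
        if (now >= expiresAt) return null;
        return new String[] { fields[0], fields[1] };
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed key and clock value for the demonstration only.
        byte[] key = "constructed-demo-key-replace-with-32-random-bytes".getBytes(StandardCharsets.UTF_8);
        SealedState sealer = new SealedState(key);
        long now = 1_700_000_000L;
        String token = sealer.seal("alice", "user", now + 600);
        System.out.println("genuine token accepted? " + (sealer.open(token, now) != null));
        // A client that edits its own role in the payload invalidates the tag.
        String tampered = token.replace(":user:", ":admin:");
        System.out.println("tampered token accepted? " + (sealer.open(tampered, now) != null));
        System.out.println("expired token accepted? " + (sealer.open(token, now + 601) != null));
    }
}
```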

Page 98

Validation of Data

Page 99

Input Validation

• Ensure all data validation is done on THE SERVER.
  – If you do something on the client side we can say you do "painting"
• Classify your data:
  – Trusted data
  – Untrusted data
• Conduct a trusted path.
• Centralize your data validation
• Use correctly parametrized queries where they exist (SQL)

Page 100

Border validation

• Consider validating data at all the entry points of your Application border

Page 101

Input Validation

• Use the proper character set for all input
• Encode all data to the same character set before doing anything <=> Canonicalize
• Reject all non-validated data
• Validate data:
  – expected type (convert as soon as possible to Java types)
  – expected range
  – expected length
  – expected values
  – expected "white list" if possible

Page 102

Input Validation

• Be careful of "hazardous" characters (ex: <>',"!(+)&\ %.)
• Add specific validation:
  – check for null bytes (%00)
  – check for new lines (%0D, %0A, \n, \r, ...)
  – check for dot-dot-slashes (../)

Page 103

Be careful of encoding for specific validation...

The same payload, <script>alert(XSS);</script>, in several encodings:

URL: %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%58%53%53%29%3b%3c%2f%73%63%72%69%70%74%3e%0a

HTML: &#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x58;&#x53;&#x53;&#x29;&#x3b;&#x3c;&#x2f;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;&#x0a;

UTF-8 (full-width letters): %u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c%uff45%uff52%uff54%uff08%uff38%uff33%uff33%uff09%u003c%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003

One space? < s c r i p t > a l e r t ( X S S ) ; < / s c r i p t >
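An added example (not from the slides) that applies slides 101 to 103 in the order they give: canonicalize first (URL-decode until the value is stable, then Unicode NFKC so the full-width variant above collapses to plain ASCII), reject the listed hazardous sequences, whitelist, and only then convert to the Java type with a range check. Field names, limits and probe strings are constructed; URLDecoder.decode(String, Charset) needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.text.Normalizer;
import java.util.regex.Pattern;

// Added example, not from the slides: canonicalize, then reject, then whitelist, then type.
public final class InputValidation {

    private static final int MAX_DECODE_PASSES = 3;
    // Whitelist for a constructed "item id" field: letters, digits and '-' only.
    private static final Pattern ITEM_ID = Pattern.compile("^[A-Za-z0-9-]{1,32}$");

    public static final class Rejected extends RuntimeException {
        Rejected(String why) { super(why); }
    }

    /**
     * Canonicalize: URL-decode until a pass changes nothing (this is what catches
     * double encoding such as %253c), then NFKC so look-alike code points such as
     * full-width letters become the ASCII they stand for. Note URLDecoder maps '+'
     * to a space, which is right for query/form data only.
     */
    public static String canonicalize(String raw) {
        String current = raw;
        boolean stable = false;
        for (int i = 0; i < MAX_DECODE_PASSES && !stable; i++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                throw new Rejected("malformed percent-encoding");
            }
            stable = decoded.equals(current);
            current = decoded;
        }
        if (!stable) throw new Rejected("still encoded after " + MAX_DECODE_PASSES + " passes");
        return Normalizer.normalize(current, Normalizer.Form.NFKC);
    }

    /** The specific checks from slide 102: null bytes, new lines, dot-dot-slash. */
    public static void rejectHazards(String canonical) {
        for (int i = 0; i < canonical.length(); i++) {
            if (Character.isISOControl(canonical.charAt(i))) {   // covers \0, \r, \n
                throw new Rejected("control character at index " + i);
            }
        }
        if (canonical.contains("../") || canonical.contains("..\\")) {
            throw new Rejected("path traversal sequence");
        }
    }

    /** Whitelist validation of a string field. */
    public static String itemId(String raw) {
        String c = canonicalize(raw);
        rejectHazards(c);
        if (!ITEM_ID.matcher(c).matches()) throw new Rejected("item id outside whitelist");
        return c;
    }

    /** Convert to the Java type as early as possible and check the expected range. */
    public static int quantity(String raw) {
        String c = canonicalize(raw);
        rejectHazards(c);
        int q;
        try { q = Integer.parseInt(c); } catch (NumberFormatException e) { throw new Rejected("not an integer"); }
        if (q < 1 || q > 999) throw new Rejected("quantity out of range 1..999");
        return q;
    }

    public static void main(String[] args) {
        // Constructed probes: the slide's "<script>" in three encodings, a null byte, and a valid id.
        String[] probes = {
            "%3c%73%63%72%69%70%74%3e",                          // URL-encoded
            "%253c%2573%2563%2572%2569%2570%2574%253e",          // double URL-encoded
            "\uFF1C\uFF53\uFF43\uFF52\uFF49\uFF50\uFF54\uFF1E",  // full-width characters
            "item-0001%00.jpg",                                  // embedded null byte
            "item-0001"                                          // legitimate value
        };
        for (String p : probes) {
            try {
                System.out.println("accepted: " + itemId(p));
            } catch (Rejected r) {
                System.out.println("rejected (" + r.getMessage() + "), canonical form: " + canonicalize(p));
            }
        }
        System.out.println("quantity: " + quantity("%32"));   // URL-encoded "2"
    }
}
```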

Page 104

Validate Data

Page 105

SQL => bad

(Screenshots, built up across pages 105 to 107.)

Page 108

SQL => a little bit better

(Screenshot.)

Page 109

JPA/Entity

(Built up across pages 109 to 114.)

Vulnerable: the user-supplied value is concatenated into the query string, so JPQL and native SQL are both injectable.

List results = entityManager.createQuery("Select o from Orders o where o.id = " + orderId).getResultList();
List results = entityManager.createNativeQuery("Select * from Books where author = " + author).getResultList();
int resultCode = entityManager.createNativeQuery("Delete from Cart where itemId = " + itemId).executeUpdate();

Fixed: the value is bound as a query parameter and never becomes part of the query text.

/* positional parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select o from Orders o where o.id = ?1");
List results = jpqlQuery.setParameter(1, "123-ADB-567-QTWYTFDL").getResultList();

/* Native SQL */
Query sqlQuery = entityManager.createNativeQuery("Select * from Books where author = ?", Book.class);
List results = sqlQuery.setParameter(1, "Charles Dickens").getResultList();

/* named query in JPQL - Query named "myCart" being "Select c from Cart c where c.itemId = :itemId" */
Query jpqlQuery = entityManager.createNamedQuery("myCart");
List results = jpqlQuery.setParameter("itemId", "item-id-0001").getResultList();

/* named parameter in JPQL */
Query jpqlQuery = entityManager.createQuery("Select emp from Employees emp where emp.incentive > :incentive");
List results = jpqlQuery.setParameter("incentive", Long.valueOf(10000L)).getResultList();

Page 115

XML => bad

(Screenshots, built up across pages 115 and 116.)

Page 117

XML => Validating via regexp/white list

(Screenshot.)

Page 118

Better, an XML schema

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="item">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="description" type="xs:string"/>
        <xs:element name="price" type="xs:decimal"/>
        <xs:element name="quantity" type="xs:integer"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>

Page 119

XML => XML Parser validation
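An added example (not from the slides) of the parser-side validation this slide title announces: the "item" schema from the previous slide is compiled once with the JDK's javax.xml.validation API and every incoming document is checked against it before business code reads a single field. The sample documents are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

// Added example, not from the slides: schema validation of untrusted XML.
public final class ItemXmlValidator {

    // The schema from the slide, embedded so the example is self-contained.
    private static final String ITEM_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + " <xs:element name=\"item\">"
      + "  <xs:complexType><xs:sequence>"
      + "   <xs:element name=\"description\" type=\"xs:string\"/>"
      + "   <xs:element name=\"price\" type=\"xs:decimal\"/>"
      + "   <xs:element name=\"quantity\" type=\"xs:integer\"/>"
      + "  </xs:sequence></xs:complexType>"
      + " </xs:element>"
      + "</xs:schema>";

    private final Schema schema;   // thread-safe; compile once, reuse per request

    public ItemXmlValidator() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // JAXP secure processing: built-in limits on entity expansion and size,
        // and no fetching of external DTDs or schemas while compiling.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        schema = factory.newSchema(new StreamSource(new StringReader(ITEM_XSD)));
    }

    /** Returns null when the document is valid, otherwise the validator's reason. */
    public String validate(String xml) {
        Validator validator = schema.newValidator();   // not thread-safe; one per call
        try {
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(xml)));
            return null;
        } catch (SAXException e) {
            return e.getMessage();   // log server-side; do not echo parser messages to the client
        } catch (java.io.IOException e) {
            return "read error";
        }
    }

    public static void main(String[] args) throws SAXException {
        ItemXmlValidator v = new ItemXmlValidator();
        // Constructed documents: one that matches the schema, two that do not.
        String good = "<item><description>Book</description><price>12.50</price>"
                    + "<quantity>2</quantity></item>";
        String wrongType = "<item><description>Book</description><price>12.50</price>"
                    + "<quantity>two</quantity></item>";
        String extraElement = "<item><description>Book</description><price>1</price>"
                    + "<quantity>1</quantity><discount>99</discount></item>";
        System.out.println("good: " + v.validate(good));
        System.out.println("wrongType: " + v.validate(wrongType));
        System.out.println("extraElement: " + v.validate(extraElement));
    }
}
```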

Page 120

LDAP => bad

(Screenshots, built up across pages 120 and 121.)

Page 122

LDAP => better

(Screenshot.)

Page 123

Using OWASP ESAPI

Page 124: 2013 06-27-securecoding-en - jug pch

Output  Encoding

73

Friday, June 28, 13

Page 125: 2013 06-27-securecoding-en - jug pch

Output  encoding

• It's a defense-in-depth mechanism
• Encode ON THE SERVER
• Centralize the encoder functions
• Sanitize all data sent to the client

  – HTMLEncode is a minimum, but it does not work in all cases: the encoding has to match the output context (HTML body, attribute value, JavaScript string, URL...)

Attempt 1 => bad

Attempt 2 => bad, but better than nothing

A good solution with a robust sanitizer :)
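As an added example (not the deck's code, nor ESAPI's), this shows why "HTMLEncode is a minimum" is the right wording: the same value needs a different encoder in an HTML body, in a JavaScript string, and in an `href`, and for the `href` case no encoding helps at all without a scheme allow-list. The class `OutputEncoder` and the sample payloads are constructed for this illustration; in a real project use a maintained library such as the OWASP Java Encoder (`org.owasp.encoder.Encode.forHtml`, `forJavaScript`, `forUriComponent`) rather than the hand-written encoders below.

```java
import java.util.Locale;

public final class OutputEncoder {

    // HTML body and quoted attribute values: entity-encode every character that can
    // change the parsing context. The apostrophe is included for single-quoted attributes.
    public static String forHtml(String in) {
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Inside a JavaScript string literal. HTML entities are not decoded in <script>,
    // so \xHH / \uHHHH escapes are required; only ASCII letters and digits pass through.
    public static String forJavaScriptString(String in) {
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    // URL placed in an href: a "javascript:" URL contains nothing that HTML encoding
    // touches, so the scheme must be allow-listed first, then the value encoded.
    public static String safeHref(String url) {
        String lower = url.trim().toLowerCase(Locale.ROOT);
        if (lower.startsWith("https://") || lower.startsWith("http://") || lower.startsWith("/")) {
            return forHtml(url);
        }
        return "#";
    }

    public static void main(String[] args) {
        // Constructed payloads, one per output context.
        String body = "<script>alert(1)</script>";
        System.out.println("<p>" + forHtml(body) + "</p>");

        String jsBreakout = "';alert(1);//";
        System.out.println("<script>var name = '" + forJavaScriptString(jsBreakout) + "';</script>");

        String badHref = "javascript:alert(document.cookie)";
        System.out.println("<a href=\"" + forHtml(badHref) + "\">html-encoded only: still executes</a>");
        System.out.println("<a href=\"" + safeHref(badHref) + "\">allow-listed: neutralized</a>");
    }
}
```

Running it prints the `javascript:` URL unchanged after `forHtml`, which is exactly the case the slide warns about; only `safeHref` turns it into a harmless `#`.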

Error  Logging

Error Handling

Your application will crash!
• Catch all exceptions, without exception (remember the NullPointerException!)
  – Strip sensitive data from all exception-handling code (messages, stack traces, log lines)
  – Give the user no details about the crash; just say "An error occurred, try again later"

• Logs are sensitive: you MUST PROTECT THEM
• Log:
  – input validation failures
  – authentication requests, especially failures
  – access control failures
  – system exceptions
  – administrative functionality
  – crypto failures
  – invalid/expired session token access

Logging/Errors

• Split your logs into categories, for example:
  – Access
  – Error
  – Debug
  – Audit

• Use log4j for standard logging

Log4J  Example

package com.sec.dev;

// Import log4j classes.
import org.apache.log4j.BasicConfigurator;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;

public class SecLogger {

    // Define a static logger variable so that it references the
    // Logger instance named after this class ("com.sec.dev.SecLogger").
    static Logger logger = Logger.getLogger(SecLogger.class);

    // Minimal stand-in for the "Bar" collaborator of the original slide: it just logs its work.
    static class Bar {
        void doIt() {
            logger.debug("Bar.doIt() called");
        }
    }

    public static void main(String[] args) {
        // Set up a simple configuration that logs on the console.
        BasicConfigurator.configure();

        logger.setLevel(Level.DEBUG); // optional if no log4j.properties file is used
        // Possible levels: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL

        logger.info("Entering application.");
        Bar bar = new Bar();
        bar.doIt();
        logger.info("Exiting application.");
    }
}

Bad handling of exceptions

Good  Housecleaning

// SensitiveData is assumed to wrap a char[] that set() overwrites in place:
// a java.lang.String cannot be wiped, because it is immutable.
SensitiveData sensitiveData = null;
PrintWriter out = null;
try {
    sensitiveData = new SensitiveData("4242424242424242");
    out = new PrintWriter(new FileWriter("OutFile.txt"));
    // Do stuff...
} catch (IOException e) {
    logger.error("IO exception", e);        // log the exception, never the secret
} catch (Exception e) {
    logger.error("Error occurred!", e);
} finally {
    // finally runs on every exit path, so one wipe here replaces a copy in each catch block
    if (sensitiveData != null) {
        sensitiveData.set("0000000000000000");
    }
    if (out != null) {
        out.close();                         // RELEASE RESOURCES
    }
}

Better handling of exceptions and errors

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
</error-page>

Data  Protec3on

Data  protecPon

• Protect sensitive data; don't store it in clear
• Store sensitive data in trusted systems
• Don't use GET requests for sensitive data
• Disable client-side caching

Disable client-side caching

package com.sec.dev;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CacheControlFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) response;
        resp.setHeader("Expires", "Tue, 03 Jul 2001 06:00:00 GMT");     // a date in the past
        resp.setDateHeader("Last-Modified", System.currentTimeMillis()); // formatted as an HTTP date
        // post-check/pre-check are legacy Internet Explorer directives; the rest is standard HTTP/1.1
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0");
        resp.setHeader("Pragma", "no-cache");                              // for HTTP/1.0 caches

        chain.doFilter(request, response);
    }

    public void destroy() { }
}

web.xml:

<filter>
    <filter-name>SetCacheControl</filter-name>
    <filter-class>com.sec.dev.CacheControlFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SetCacheControl</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Access to the file system

Absolute path is bad

Canonicalization is good
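As an added example (not the deck's code), canonicalization applied the way the two slides above intend: the user-supplied name is joined to a fixed base directory, the joined path is canonicalized with `File.getCanonicalFile()` (which resolves `..`, `.` and symbolic links), and only then is the result checked to still lie under the base. The class `SafeFileAccess` and the sample paths are constructed for this illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public final class SafeFileAccess {

    private final File baseDir;

    public SafeFileAccess(File baseDir) throws IOException {
        // Canonical form of the base, computed once: symlinks, "." and ".." resolved.
        this.baseDir = baseDir.getCanonicalFile();
    }

    /** Maps a user-supplied relative name to a file guaranteed to live under baseDir. */
    public File resolve(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IOException("invalid file name");
        }
        if (new File(userPath).isAbsolute()) {
            throw new IOException("absolute paths are not accepted: " + userPath);
        }
        // Canonicalize the joined path, then compare. A lexical check on userPath alone
        // would miss "a/../../x" and symlinks that point outside the base.
        File candidate = new File(baseDir, userPath).getCanonicalFile();
        String allowedPrefix = baseDir.getPath() + File.separator;   // separator defeats "/base2" siblings
        if (!candidate.getPath().startsWith(allowedPrefix)) {
            throw new IOException("path escapes the base directory: " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File base = Files.createTempDirectory("safe-files").toFile();
        SafeFileAccess files = new SafeFileAccess(base);

        System.out.println("accepted: " + files.resolve("reports/2013/q2.pdf"));

        // Constructed traversal attempts.
        String[] attacks = { "../../etc/passwd", "reports/../../../etc/passwd", "/etc/passwd" };
        for (String attack : attacks) {
            try {
                System.out.println("accepted (inside base): " + files.resolve(attack));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The prefix comparison uses the canonical base plus a separator, so a sibling directory whose name merely starts with the base name (`/data/files2` next to `/data/files`) is not accepted by accident.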

Secure  Communica3ons

Secure Communications

• Use TLS/SSL:
  – at least SSL 3.0/TLS 1.0 (the 2013 baseline; SSL 3.0 and TLS 1.0/1.1 have since been deprecated, so require TLS 1.2 or later today)
  – minimum of 128-bit encryption
  – use secure crypto: AES is good

• Don't expose critical data in the URL
• Failed SSL/TLS communications must not fall back to an insecure connection

• Validate the certificate when one is used
• Protect all pages, not just the logon page!

Force  TLS/SSL  Response

• Use HTTP Strict Transport Security (HSTS).
  – Available in some browsers (not IE, as of 2013)
  – IETF draft: http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-04 (published as RFC 6797 in November 2012)

HttpServletResponse response = ...;
response.setHeader("Strict-Transport-Security", "max-age=7776000; includeSubDomains");
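As an added example (not the deck's code), a filter that ties the HSTS header to the Secure Communications bullets above: any request that arrives over plain HTTP is redirected to HTTPS instead of being served (every page, not only the logon page, and without carrying the query string along), and the `Strict-Transport-Security` header is only set on secure responses, because browsers ignore it when it is received over HTTP. The class `HstsFilter` and its optional `host` init-parameter are constructed for this illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HstsFilter implements Filter {

    // 90 days, as on the slide; includeSubDomains so that no plain-HTTP subdomain
    // can be used to plant cookies for the parent domain.
    private static final String HSTS_VALUE = "max-age=7776000; includeSubDomains";

    // Canonical host name for the redirect. Configured rather than taken from the
    // Host header, so an attacker-supplied Host cannot turn the redirect into an open one.
    private String canonicalHost;

    public void init(FilterConfig config) throws ServletException {
        canonicalHost = config.getInitParameter("host");   // assumed init-param, may be absent
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            String host = canonicalHost != null ? canonicalHost : request.getServerName();
            // The query string is deliberately dropped: it may carry data that must not travel in clear.
            String target = "https://" + host + request.getRequestURI();
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target);
            return;
        }

        // Only on a TLS response: HSTS received over HTTP is ignored by the browser (RFC 6797).
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map it to `/*` in web.xml as with the cache-control filter. Behind a reverse proxy that terminates TLS, `request.isSecure()` is false unless the container is configured to trust the proxy's forwarded-protocol header, so check that first or every request will be redirected in a loop.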

Configuration

• Review all properties and configuration files
• Be careful of default passwords...
• Remove, and not just deactivate, unused functions/modules

• Use a sandbox when one is available:

Be careful of Java signed code, which executes with more privileges!

Now  you  can  protect  against  him

• NEWS
• A BLOG
• A PODCAST
• MEMBERSHIPS
• MAILING LISTS
• A NEWSLETTER
• APPLE APP STORE
• VIDEO TUTORIALS
• TRAINING SESSIONS
• SOCIAL NETWORKING

We are also human beings, and we can simply go for a drink together

Dates

• AppSec Research Europe 2013: 20-23 August, Hamburg, Germany

• October 2013: OSSIR Paris
  – OWASP Top 10 2013: what's new?

• OWASP Benelux: 28/29 November 2013

A tour of the JUGs is planned in France; if you know of one nearby...

Supporting OWASP

• Several options:
  – Individual member: $50
  – Corporate member: $5000
  – Free donation

• Supporting only the France chapter:
  – Single Meeting supporter
    • Offer us a meeting room!
    • Take part with a talk or otherwise!
    • Simple donation
  – Local Chapter supporter:
    • $500 to $2000

Next meetings

• September 2013
  – Venue: Mozilla Center Paris
  – Speakers:
    • Security on Firefox OS
    • To be decided

• November 2013
  – Venue: to be decided
  – Speaker: to be decided

September looks wonderful, with announcements of all kinds...

License

If you followed everything, you know the next slide...

@SPoint

[email protected]
