Securing Your Grails App - Beyond Authentication & Authorization

Post on 02-Jul-2015


Category:

Software


DESCRIPTION

Application security is not a concern that we can ignore. Vulnerabilities come from various angles, but it is important to stay aware and vigilant so we can recognize and thwart threats.

Transcript

Colin Harrington, Principal Consultant

colin.harrington@objectpartners.com

@ColinHarrington

This talk is meant to discuss security issues in the spirit of helping those who build systems make stable, secure web applications.

Happy path / Easiest thing possible / MVP

No unauthorized access. Hardened. Tested.

Grandma's cat photos / Your blog / Static content

Banking / Health information

Government / Big business

Payment systems

$$$ of loss potential / Office Space / Loss of consumer confidence

Restore the backup / Maybe a few comments lost since last backup / No animals were harmed

Grandma cries for a minute

(butverify)

Non-profit group (OWASP); the category naming below is borrowed from their Top 10; check out their recommendations

#1 issue on the web: Injection

"SELECT * FROM accounts WHERE custID='" + params.id + "'"

http://example.com/app/accountView?id=' or '1'='1

String hql = """from AccountHolder where username='$username' and password='$password'"""

def row = AccountTransaction.executeQuery(hql)

admin' AND substring(password,0,1)==char(64) AND '1'='1

http://security.stackexchange.com/questions/24265/hql-injection-example
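The fix for both the SQL and the HQL case is the same: never splice caller-controlled values into the query text; hand them to the driver or to Hibernate as parameters. The following is an added example written for this page, not code from the talk. It assumes a Grails 2.x controller, domain classes `AccountHolder` (with `username` and a hashed `password`) and `AccountTransaction` (with `account` and `date`), a JDBC `dataSource` bean, and the Spring Security Core plugin's `springSecurityService` (whose `passwordEncoder` is assumed to be a Spring Security 3 `PasswordEncoder`).

```groovy
import groovy.sql.Sql

// Added example, not the talk's code. Shows the vulnerable query beside the
// parameterized form for both raw SQL and HQL.
class AccountController {

    def springSecurityService   // assumed: Spring Security Core plugin bean
    def dataSource              // assumed: the application's JDBC DataSource

    // Vulnerable: user input becomes part of the HQL string, so
    //   username = admin' AND '1'='1   changes the query's logic.
    def loginUnsafe(String username, String password) {
        String hql = """from AccountHolder where username='$username' and password='$password'"""
        def holders = AccountHolder.executeQuery(hql)
        render holders ? "welcome" : "denied"
    }

    // Safe: the value travels to Hibernate as a named parameter, separate from
    // the query text, so the same input is compared literally and matches nothing.
    // The password is never compared inside the query; the stored hash is checked
    // in code, which also keeps the password out of the query log.
    def login(String username, String password) {
        def holder = AccountHolder.find(
            "from AccountHolder where username = :username",
            [username: username])
        boolean ok = holder &&
            springSecurityService.passwordEncoder.isPasswordValid(holder.password, password, null)
        render ok ? "welcome" : "denied"
    }

    // A caller-controlled id follows the same rule: parameters, not concatenation.
    // The third argument is GORM's pagination map, so an attacker cannot pull the table.
    def transactions(Long id) {
        def rows = AccountTransaction.executeQuery(
            "from AccountTransaction t where t.account.id = :id order by t.date desc",
            [id: id], [max: 50])
        render rows.size()
    }

    // Raw SQL through groovy.sql.Sql has the same shape: a placeholder per value
    // and the values in a list. This is the parameterized form of the slide's
    // "SELECT * FROM accounts WHERE custID='" + params.id + "'".
    def accountView() {
        Sql sql = new Sql(dataSource)
        try {
            def rows = sql.rows("SELECT * FROM accounts WHERE custID = ?", [params.id])
            render rows.size()
        } finally {
            sql.close()
        }
    }
}
```

A quick check for either path: send the `' or '1'='1` id from the slide and confirm the parameterized version returns zero rows rather than the whole table.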

Or better: tested sanitization tools

Grails 1.3.7 (pre 1.3.8)

class MyDomainObject { def springSecurityService ... }

"cp img.png ./archive/$filename".execute()

log.info "user benign said ${message}"

http://example.com/thing/action?message=[ERROR] Admin password has expired!! OH CRAP HELP
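Injection is not only a database problem: the two slides above show a filename reaching a process and a request parameter reaching the log. Groovy's `String.execute()` does not go through a shell, but it splits the string on whitespace, so a filename containing spaces injects extra arguments, and a name such as `../../etc/cron.d/x` walks out of the archive directory; a log line containing a CR/LF forges a second, official-looking log entry. The block below is an added example for this page, not code from the talk; `ArchiveService`, `ReviewController`, the `./archive` directory and the `img.png` source are assumptions.

```groovy
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.Paths
import java.nio.file.StandardCopyOption
import java.util.regex.Pattern

// Added example, not the talk's code: hardened versions of the two sinks.
class ArchiveService {

    // Allowlist: one to 64 characters, no separators, no leading dot.
    private static final Pattern SAFE_NAME = ~/[A-Za-z0-9][A-Za-z0-9._-]{0,63}/
    private final Path archiveDir = Paths.get('./archive').toAbsolutePath().normalize()

    // Vulnerable (the slide's code): whitespace in filename becomes extra cp
    // arguments, and "../" escapes ./archive.
    int archiveUnsafe(String filename) {
        "cp img.png ./archive/$filename".execute().waitFor()
    }

    // Validate, resolve, then prove the result is still inside archiveDir.
    private Path safeTarget(String filename) {
        if (!filename || !SAFE_NAME.matcher(filename).matches()) {
            throw new IllegalArgumentException("bad filename")
        }
        Path target = archiveDir.resolve(filename).normalize()
        if (!target.startsWith(archiveDir)) {
            throw new IllegalArgumentException("path escapes archive directory")
        }
        return target
    }

    // Preferred: no external process at all.
    Path archive(String filename) {
        Path target = safeTarget(filename)
        Files.copy(Paths.get('img.png'), target, StandardCopyOption.REPLACE_EXISTING)
        return target
    }

    // If a process really is required, pass the argument vector as a list:
    // each element is exactly one argument whatever characters it contains.
    int archiveViaProcess(String filename) {
        Path target = safeTarget(filename)
        ['cp', 'img.png', target.toString()].execute().waitFor()
    }
}

class ReviewController {

    def post(String message) {
        // Vulnerable (the slide's code): a CR/LF inside message starts a new log line,
        // so "[ERROR] Admin password has expired" appears as a real entry.
        log.info "user benign said ${message}"

        // Safe: replace every control character (CR, LF, ESC, tab, ...) and bound the
        // length, so one request writes exactly one log line of known size.
        String clean = (message ?: '').replaceAll(/\p{Cntrl}/, '_').take(200)
        log.info "user benign said ${clean}"
        render "ok"
    }
}
```

The allowlist is deliberately narrower than "strip the dangerous characters": it is easier to be sure a name matches `[A-Za-z0-9._-]` than to enumerate everything a future shell, filesystem or log viewer might interpret.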

def transfer(Transfer tfr) {
    Deposit d = new Deposit(amount: tfr.amt)
    d.save()
    Withdrawal w = new Withdrawal(amount: tfr.amt, description: tfr.desc)
    w.save()
}
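The transfer above credits the deposit before it debits anything, never checks that the funds exist, and calls `save()` without `failOnError`, so a validation failure on the withdrawal is silently swallowed and the deposit stands. Two concurrent requests can also both read the same balance. Below is an added example, not the talk's code, of the same operation as a Grails 2.3+ service; `Account` (with `balance` and an `id`), `Deposit`, `Withdrawal` and a `Transfer` command object with `fromId`, `toId`, `amt` and `desc` are assumed.

```groovy
import grails.transaction.Transactional

// Added example, not the talk's code. Grails services are transactional by
// default; the annotation makes it explicit. Any RuntimeException thrown inside
// transfer() rolls back everything written so far.
@Transactional
class TransferService {

    Transfer transfer(Transfer tfr) {
        // Pessimistic row locks: two overlapping transfers from the same account
        // are serialized instead of both reading the pre-transfer balance.
        Account from = Account.lock(tfr.fromId)
        Account to   = Account.lock(tfr.toId)

        if (!from || !to)           throw new IllegalArgumentException("no such account")
        if (tfr.amt <= 0)           throw new IllegalArgumentException("amount must be positive")
        if (from.balance < tfr.amt) throw new IllegalStateException("insufficient funds")

        // Debit first, credit second, and fail loudly: failOnError turns a silent
        // validation failure into an exception, which rolls the transaction back.
        new Withdrawal(account: from, amount: tfr.amt, description: tfr.desc).save(failOnError: true)
        new Deposit(account: to, amount: tfr.amt).save(failOnError: true)

        from.balance -= tfr.amt
        to.balance   += tfr.amt
        from.save(failOnError: true)
        to.save(failOnError: true)
        return tfr
    }
}
```

A worthwhile test is to make the `Deposit` constraints reject the row (for example a maximum amount) and confirm that no `Withdrawal` is committed either.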

http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii

Unencrypted transports / Account signup / Forgot password / Password hint exposure / Insecure SSO

xkcd.com/936/

reviewText = """Excellent Product</div><iframe src="myadnetwork.com/pwnage.html"/><h1>Injected DOM</h1><div class='review'>Good work"""

view.gsp (codec=none)

<div class='review'>${reviewText}</div>

Default codec = HTML now / Careful when doing your own TagLibs / AntiSamy
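The three points on that slide, as an added example for this page rather than code from the talk: the config line that makes `${}` expressions HTML-encode by default, a TagLib that writes to `out` (which the GSP default codec does not cover, so it must encode explicitly), and a sanitizer for the one case where user-supplied HTML really has to be rendered. `ReviewTagLib`, the `antisamy-slashdot.xml` policy path and the Grails 2.3+ config keys are assumptions; `AntiSamy` is the OWASP library named on the slide.

```groovy
// grails-app/conf/Config.groovy (Grails 2.3+), added example:
//   grails.views.default.codec = "html"           // ${reviewText} in a GSP is HTML-escaped
//   grails.views.gsp.codecs.expression = "html"   // same setting, 2.3+ form
//
// With that in place the slide's view renders the injected markup as text:
//   <div class='review'>${reviewText}</div>          -> &lt;iframe ...&gt; shown, not executed
//   <div class='review'>${raw(reviewText)}</div>     -> explicit opt-out; only for sanitized HTML

import org.owasp.validator.html.AntiSamy
import org.owasp.validator.html.Policy

// Added example, not the talk's code.
class ReviewTagLib {

    static namespace = 'rv'

    // Assumed policy file on the classpath; the AntiSamy distribution ships several.
    private static final Policy POLICY =
        Policy.getInstance(ReviewTagLib.class.getResourceAsStream('/antisamy-slashdot.xml'))

    // Writing straight to `out` bypasses the GSP expression codec, so encode here.
    //   <rv:review text="${review.text}"/>
    def review = { attrs ->
        out << "<div class='review'>"
        out << (attrs.text ?: '').encodeAsHTML()
        out << "</div>"
    }

    // When the review may legitimately contain a subset of HTML, sanitize against a
    // policy and only then emit it unencoded. The policy, not the encoder, is now the
    // security boundary, so keep it as restrictive as the feature allows.
    //   <rv:richReview html="${review.html}"/>
    def richReview = { attrs ->
        String clean = new AntiSamy().scan(attrs.html ?: '', POLICY).cleanHTML
        out << "<div class='review'>" << clean << "</div>"
    }
}
```

Feed the slide's `reviewText` through both tags: `rv:review` should show the `<iframe>` as literal text, and `rv:richReview` under the slashdot policy should drop it entirely.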

Direct execution: eval(), window.execScript(), Function(), setInterval(), setTimeout(), script.src, iframe.src

DOM writes: document.write(), document.writeln(), elem.innerHTML = danger, elem.outerHTML = danger, elem.setAttribute("dangerous attribute", danger)

What's reachable: cookies (in some browsers), LocalStorage, reverse JavaScript shells, stacked attacks, more...

https://example.com/account/123

https://example.com/account/999

Filters / ACL / Permissions

Ownership-level checking / Authorization

...for example

socat -v tcp-listen:8080,fork tcp:localhost:80

Poor salting

Not showing the links doesn't mean it is protected. Assuming a user is logged in doesn't mean they should have access to everything.
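The `/account/123` versus `/account/999` slide is the direct object reference problem: being logged in proves who the caller is, not that account 999 is theirs. An added example, not the talk's code, of the ownership check done in a Grails 2 filter so that no action on the controller can forget it; `Account` with an `owner` property, the Spring Security Core plugin's `springSecurityService`, and the `AccountFilters` name are assumptions.

```groovy
// grails-app/conf/AccountFilters.groovy, added example.
class AccountFilters {

    def springSecurityService   // assumed: Spring Security Core plugin bean

    def filters = {
        // Runs before every action of AccountController that receives an id.
        accountOwnership(controller: 'account', action: '*') {
            before = {
                Long id = params.long('id')
                if (id == null) return true           // list/create actions carry no id

                def me = springSecurityService.currentUser
                // Scope the lookup by owner: a row that exists but is someone else's
                // is simply not found, so "missing" and "not yours" look identical
                // and ids cannot be enumerated by comparing responses.
                def account = me ? Account.findByIdAndOwner(id, me) : null
                if (!account) {
                    response.sendError(404)
                    return false                       // halts the request
                }
                request.account = account              // actions use the vetted instance
                return true
            }
        }
    }
}

// Actions then never re-fetch by params.id, which is where the check would be
// forgotten. A role annotation confirms login, not ownership; both are needed.
class AccountController {

    def show() {
        render "balance: ${request.account.balance}"
    }
}
```

Verification is the slide's own test: log in as the owner of 123, request `/account/123` (200) and `/account/999` (404), and watch the traffic with the `socat` forwarder above to be sure the 404 body leaks nothing about the other account.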

<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0"/>

URLMappings / allowedMethods
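The hidden `<img>` works because the victim's browser attaches its session cookie to any request for `example.com`, and a GET from an image tag is accepted as a transfer. `allowedMethods` closes that exact hole; it does not stop a form on the attacker's page that auto-submits a POST, which is what the per-form token is for. An added example, not the talk's code; `TransferController`, `transferService` and the `Transfer` command object are assumptions.

```groovy
// Added example, not the talk's code.
class TransferController {

    // Layer 1: the <img> trick sends GET; this makes anything but POST a 405.
    static allowedMethods = [transferFunds: 'POST']

    def transferService   // assumed service that performs the transfer

    // Layer 2: withForm checks the token that <g:form useToken="true"> put in the
    // form and in the session, and consumes it, so a request forged from another
    // origin (which cannot read the token) or replayed twice lands in invalidToken.
    //
    //   <g:form action="transferFunds" useToken="true">
    //     <g:textField name="amt"/> <g:textField name="toId"/>
    //     <g:submitButton name="go" value="Transfer"/>
    //   </g:form>
    def transferFunds(Transfer tfr) {
        withForm {
            transferService.transfer(tfr)
            redirect(action: 'show', id: tfr.fromId)
        }.invalidToken {
            response.sendError(403)
        }
    }

    def show(Long id) {
        render "account ${id}"
    }
}
```

To check it, save the slide's `<img>` tag in a page on another host and load it while logged in: the transfer must not happen, and the server log should show a 405. Then repeat with an auto-submitting POST form and confirm the 403 from `invalidToken`.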

Apple SSL issue (OS X / iOS)
