Upload File

java jwts for csrf prevention and microservices

14
JWTs for CSRF and Microservices

Upload: remy-champion

Post on 12-Jan-2017

262 views

Category:

Technology


0 download

Report

TRANSCRIPT

Page 1: Java JWTs for CSRF Prevention and Microservices

JWTsfor

CSRF and Microservices

Page 2: Java JWTs for CSRF Prevention and Microservices

Welcome! • Agenda

• Stormpath 101 (5 mins)• JWT with CSRF & Microservices (40 mins)• Q&A (15 mins)

• Claire HunsakerVP of Marketing

• Micah SilvermanJava Developer Evangelist

Page 3: Java JWTs for CSRF Prevention and Microservices

Speed to Market & Cost Reduction• Complete Identity solution out-of-the-box• Security best practices and updates by default• Clean & elegant API/SDKs• Little to code, no maintenance

Page 4: Java JWTs for CSRF Prevention and Microservices

Stormpath User Management

User Data

User Workflows Google ID

Your ApplicationsApplication SDK

Application SDK

Application SDK

ID Integrations

Facebook

Active Directory

SAML

Page 5: Java JWTs for CSRF Prevention and Microservices

Let’s talk about CSRF!

Page 6: Java JWTs for CSRF Prevention and Microservices

encodeSecret =

"4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="

computeHMACSHA256(

header + "." + payload,

base64DecodeToByteArray(encodedSecret)

)

Signature Computation Pseudo-code

Page 7: Java JWTs for CSRF Prevention and Microservices

JWTSecret Anti-Patterns

Page 8: Java JWTs for CSRF Prevention and Microservices

.signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )

Short but not Sweet

Page 9: Java JWTs for CSRF Prevention and Microservices

String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

.signWith(

SignatureAlgorithm.HS256,

b64EncodedSecret.getBytes("UTF-8")

)

You’re Doing it Wrong

Page 10: Java JWTs for CSRF Prevention and Microservices

String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

.signWith(

SignatureAlgorithm.HS512,

TextCodec.BASE64.decode(b64EncodedSecret)

)

Supersize that Secret!

Page 11: Java JWTs for CSRF Prevention and Microservices

"Microservices are awesome, but they're not free."

- Les Hazlewood, Stormpath CTO

Page 12: Java JWTs for CSRF Prevention and Microservices

Monolithic SOA

AuthenticationServiceAuthorizationServiceApplicationService

OrganizationServiceDirectoryServiceAccountServiceGroupService

DatabaseInfrastructure

Page 13: Java JWTs for CSRF Prevention and Microservices

Microservices

DatabaseInfrastructure

GroupServiceAccountService

AuthenticationService AuthorizationService

ApplicationService OrganizationService DirectoryService

Page 14: Java JWTs for CSRF Prevention and Microservices

Resources• Repos used in today’s preso:

○ github.com/jwtk/jjwt○ github.com/stormpath/roadstorm-jwt-csrf-tutorial○ github.com/stormpath/roadstorm-jwt-microservices-

tutorial• JJWT Guest Post on Baeldung - bit.ly/29ZPZAd• Stormpath Microservices Screencast -

bit.ly/29Wi6iw• JWT Inspector - jwtinspector.io• HTTPie - github.com/jkbrzt/httpie• What are Microservices?

○ martinfowler.com/articles/microservices.html• @afitnerd @goStormpath

[email protected]


REST API Security: OAuth 2.0, JWTs, and More!

Csrf change dns

JWTs and JOSE in a flash

CSRF: Yeah, it still works… CON 17/DEF CON 17 presentations/DE… · CSRF: Yeah, it still works… • A common argument from vendors / developers who don’t want to fix CSRF vulns

WEB SECURITY: XSS & CSRF - University Of Maryland · XSS & CSRF CMSC 414 FEB 22 2018. Cross-Site Request Forgery (CSRF) URLs with side-effects

Csrf protector

CSRF Bouncing

CSRF and XSS - wiki.elvis.science

Bypassing CSRF Protections...CSRF, Double-Submit Cookie, csurf, AngularJS Created Date 3/31/2017 6:15:48 PM

Dissecting CSRF Attacks & Defenses - Mike Shema - CSRF Lab.pdfDissecting CSRF Attacks & Defenses Mike Shema October 16, 2013. Cross Site Request Forgery Identifying the confused, session-riding

NEUROPSYCHOLOGICAL CHANGES FOLLOWING - CSRF

Cross-site Request Forgery (CSRF) Attacks

Building Secure User Interfaces With JWTs

Web Security: Session management and CSRF

Microservices: Aren't Microservices Just SOA?

Csrf not all defenses are created equal

TIBCO JasperReports Server Installation Guidetomcat> ThedirectorywhereApacheTomcatisinstalled ... mv./WEB-INF/csrf/Websphere.jrs.csrfguard.properties./WEB-INF/csrf ... \Jaspersoft\jasperreports-server

JAW: Studying Client-side CSRF with Hybrid Property Graphs and … · 2021. 5. 16. · Client-side CSRF is a new category of CSRF vulnerability where the adversary can trick the client-side

Microservices - NYS Forum Home cb..1.pdf · Agenda Technology What are Microservices? Characteristics of Microservices Microservices and SOA Challenges Strategy Adoption –Microservices

The three faces of CSRF - uni-passau.de fileThe three faces of CSRF DeepSec 2007 ... The targets of such requests are not restricted by the SOP ... CSRF (I)

PHP Security Crash Course - 3 - CSRF

Neat tricks to bypass CSRF-protection

Tamper Data: CSRF examined toolsmith

OWASP CSRF Protector_Minhaz

JWTs in Java for CSRF and Microservices

Building Secure User Interfaces With JWTs (JSON Web Tokens)

JWTS-10JF Table Saw Manual

Advanced CSRF and Stateless Anti-CSRF - OWASP · Advanced CSRF and Stateless Anti-CSRF. Frontend developer at Svenska Handelsbanken Researcher in application security ... RIA & …

Cross-site Request Forgery (CSRF)

CSRF is dead - stephenreescarter.net€¦ · Browser rejects CSRF cookie when visiting mysite.com CSRF Cookie defaults to SameSite=Lax and is rejected by the browser due to the cross-site

MICROSERVICES. MICROSERVICES CON WSo2. · PDF file1 Microservices. icroservices on So2 Sunqu 2016 WhitePaper MICROSERVICES. MICROSERVICES CON WSo2. por Julio Cejas - IT Advisor SUNQU

Tamper Data: CSRF examined - HolisticInfoSec

Csrf not-all-defenses-are-created-equal

Introduction to CSRF Attacks & Defense

Csrf final