JSF Security
SOURCE Seattle 2011 - Krishna Raja
TRANSCRIPT
© 2011 Security Compass inc. 1
JSF Security
Validated Input
24c;--
<script>
abcd
JSF Input Validation
<%@ taglib
uri="http://myfaces.apache.org/tomahawk"
prefix="t" %>
<h:outputLabel for="zip1" value="Zip"/>
<t:inputText value="#{order.zipCode}"
id="zip1">
<t:validateRegExpr pattern="\d{5}"
message="ZIP Code must be 5 digits"/>
</t:inputText>
MyFaces: validateRegExpr Tag
Using Apache Tomahawk tag library
<html ...
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:t="http://myfaces.apache.org/tomahawk">
<h:inputText type="text" id="val"
value="#{SimpleBean.val}" required="true">
<t:validateRegExpr pattern="[a-zA-Z]{1,100}"/>
</h:inputText>
Facelets Implementation
Demo: Facelets validation
xmlns:mj="http://mojarra.dev.java.net/mojarra_ext"
<h:inputText type="text" id="val"
value="#{SimpleBean.val}" required="true">
<mj:regexValidator
pattern="[a-zA-Z]{1,50}"/>
</h:inputText>
Mojarra Validators
There also exists: <mj:creditCardValidator/>
• Part of JSF 2.0 core tag library
• Can leverage:
– <f:validateLength …/>
– <f:validateLongRange …/>
– <f:validateDoubleRange …/>
– <f:validateRegex pattern="…"/>
JSF 2.0 Validators
Demo: JSF 2.0 Validators
• Validation in Action Controller
– Validation tied closely to biz logic
– Dependence between different fields
• Custom validation methods
– More complex validation (when a built-in JSF validator doesn't suit your need)
Other JSF Validation Techniques
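The "dependence between different fields" case above, as an added example that is not from the slides: a custom JSF 2.0 Validator that checks a confirmation field against a primary field. The validator id "confirmValidator", the attribute name "primary" and the markup in the comment are this example's own assumptions.

```java
// Added example (not from the original slides). Assumed Facelets usage:
//   <h:inputSecret id="pw" binding="#{pwInput}" value="#{user.password}" required="true"/>
//   <h:inputSecret id="pw2" value="#{user.confirm}" required="true">
//     <f:validator validatorId="confirmValidator"/>
//     <f:attribute name="primary" value="#{pwInput}"/>
//   </h:inputSecret>
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.component.UIInput;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

@FacesValidator("confirmValidator")
public class ConfirmValidator implements Validator {

    @Override
    public void validate(FacesContext ctx, UIComponent component, Object value)
            throws ValidatorException {
        // The primary field is handed over via <f:attribute>, so the
        // validator stays generic and the page decides which fields pair up.
        Object ref = component.getAttributes().get("primary");
        if (!(ref instanceof UIInput)) {
            throw new ValidatorException(new FacesMessage(
                    FacesMessage.SEVERITY_ERROR,
                    "Validator misconfigured: missing 'primary' attribute", null));
        }
        UIInput primary = (UIInput) ref;
        // Components are processed in tree order during Process Validations,
        // so the primary field has already been converted and validated.
        // If it failed, its own message is shown; do not add a second one.
        if (!primary.isValid()) {
            return;
        }
        Object expected = primary.getValue();
        if (value == null || !value.equals(expected)) {
            // Message text only; never echo the submitted value back to the page.
            throw new ValidatorException(new FacesMessage(
                    FacesMessage.SEVERITY_ERROR,
                    "Confirmation does not match", null));
        }
    }
}
```

Because the check runs in the Process Validations phase, a mismatch stops the model update the same way a failed <f:validateRegex> does, so the action method never sees inconsistent values.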
<script>alert('xss')
< > (')
Output Encoding in JSF
<h:outputText value="#{param.name}"/>
<h:outputFormat value="#{param.name}"/>
<h:outputText> & <h:outputFormat>
escape attribute is set to "true" by default
<ui:define name="body">
This will safely encode as an HTML element
in a Facelet:
<h:outputText value="#{SimpleBean.val}">
</h:outputText>
</ui:define>
Output encoding with Facelets
EL expression is automatically encoded
• <h:outputText> and <h:outputFormat> cannot be used safely within:
– HTML attribute
– JavaScript or CSS
• Similar problem with: Facelets ${bean.name}
But there’s a problem …
• Some tags can lead to XSS
• Never use user-supplied data with:
– <a4j:loadScript>
– <a4j:loadStyle>
– <rich:componentControl>
• Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth>
Problems with RichFaces
<p>
<input type="text"
value="${esapi:encodeForHTMLAttribute(dangerous)}"/>
</p>
<p>
<script language="javascript">
<%-- the encoder escapes for a JS string literal; the quotes are still needed --%>
var str='${esapi:encodeForJavaScript(dangerous)}';
</script>
</p>
Solution: OWASP ESAPI EL
Demo: ESAPI encoding
Page Level Authorization
• Interface that provides access control for
– URLs
– Business functions
– Data services & files
• Contains:
– assertAuthorizedForURL(String URL)
ESAPI AccessController
Demo: AccessController
Defending Against CSRF
Anti-CSRF tokens
• javax.faces.STATE_SAVING_METHOD
– Can save and restore state of the view between requests to server
What about JSF "view state"?
STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ???
• Recently discovered exploit against CBC-mode encryption with PKCS#5 padding
• Incorrect padding can result in javax.crypto.BadPaddingException
• Can be used to decrypt the saved view state that STATE_SAVING_METHOD sends to the client
Problem: Padding Oracle Attack
• Version 3 recently released!
• Library that injects per-session or per-request tokens into HTML
• Can use 2 strategies to inject token:
– JavaScript DOM Manipulation
– JSP Tag Library
Solution: OWASP CSRF Guard
Demo: Anti-CSRF Tokens