REST Security with JAX-RS JavaOne 2013


About

• Frank Kim – SANS Institute
• Curriculum Lead, Application Security
• Author, Secure Coding in Java

Outline

• Authentication
• Encryption
• Validation
• Wrap Up

Authentication

• Process of establishing and verifying an identity
• Can be based on three factors
  – Something you know
  – Something you have
  – Something you are

Java EE Authentication

• Configuration in web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Example</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>

  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginerror.jsp</form-error-page>
  </form-login-config>
</login-config>

JAX-RS SecurityContext

• getAuthenticationScheme()
  – Returns a String naming the authentication scheme used to protect the resource (BASIC, FORM, CLIENT_CERT)
• getUserPrincipal()
  – Returns a Principal object containing the username
• isUserInRole(String role)
  – Returns a boolean indicating whether the user has the specified logical role
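An added example, not code from the talk: a JAX-RS resource that uses the injected SecurityContext on top of the web.xml constraint shown earlier. The /photos path, the method names and the assumption that "admin" is the only role allowed to delete are mine.

```java
import java.security.Principal;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

// The container (web.xml) decides who may reach /* at all; the resource
// uses SecurityContext for the finer, per-method decisions. Paths and the
// "admin" rule are assumptions of this example.
@Path("/photos")
public class PhotoResource {

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response whoAmI(@Context SecurityContext sc) {
        // getUserPrincipal() is null when the container did not authenticate
        // the caller (e.g. the URL was left out of the security-constraint)
        Principal user = sc.getUserPrincipal();
        if (user == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Scheme is BASIC, FORM or CLIENT_CERT; worth recording in audit logs
        String scheme = sc.getAuthenticationScheme();
        return Response.ok(user.getName() + " authenticated via " + scheme).build();
    }

    @DELETE
    @Path("/{id}")
    public Response delete(@PathParam("id") String id, @Context SecurityContext sc) {
        // Both "user" and "admin" pass the web.xml auth-constraint, so the
        // destructive operation must check the logical role itself
        if (!sc.isUserInRole("admin")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // delete photo "id" from storage here (storage omitted)
        return Response.noContent().build();
    }
}
```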

Photo Sharing Site Demo

Photo Sharing Site API

http://www.sparklr.com:8080/sparklr2/photos?&format=json

{
  "photos": [
    { "id": "1", "name": "photo1.jpg" },
    { "id": "3", "name": "photo3.jpg" },
    { "id": "5", "name": "photo5.jpg" }
  ]
}

Issues

• Userid/password authentication is fine
  – If the API is used only by your site
• But what if your API needs to be used by
  – Other web apps
  – Mobile apps
  – Native apps
• Do you want these apps to
  – Have your password?
  – Have full access to your account?

OAuth

• Way to authenticate a service
  – Valet key metaphor coined by Eran Hammer-Lahav
• Authorization token with limited rights
  – You agree which rights are granted
  – You can revoke rights at any time
  – Can gracefully upgrade rights if needed

OAuth Roles

• User
  – Person using the app
  – Also known as the "resource owner"
• Client
  – Photo printing service called Tonr
• Server
  – Photo sharing service called Sparklr
  – Also known as the "resource server"

Simplified OAuth Flow

(Client: photo printing service called Tonr; Server: photo sharing service called Sparklr)

1) You log in to Tonr
2) Tonr needs pictures to print and redirects you to Sparklr's log in page
3) You log in to Sparklr directly
4) Sparklr returns an OAuth "access token"
5) Tonr stores the "access token" with your account
6) You are happy printing and viewing your pictures

Photo Printing Site Demo

Detailed OAuth Flow

1) Via browser: Tonr starts OAuth process
  – Once you click the "Authorize" button

http://www.sparklr.com:8080/sparklr2/oauth/authorize?
  client_id=tonr&
  redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos&
  response_type=code&
  scope=read write&
  state=92G53T


Detailed OAuth Flow

2) Via browser: Sparklr redirects back to Tonr

http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T

Detailed OAuth Flow

3) Via "Client": Tonr sends OAuth request to Sparklr using client id/password

Request:

POST /sparklr2/oauth/token HTTP/1.1
Authorization: Basic dG9ucjpzZWNyZXQ=

grant_type=authorization_code&code=cOuBX6&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos

Response:

{"access_token":"5881ce86-3ed0-4427-8a6b-42aef1068dfb","token_type":"bearer","expires_in":"42528","scope":"read write"}


Detailed OAuth Flow

4) Via "Client": Tonr gets pictures from Sparklr

All requests include:

Authorization: Bearer 5881ce86-3ed0-4427-8a6b-42aef1068dfb

When to Use OAuth

• Use OAuth for consuming APIs from
  – Third-party web apps
  – Mobile apps
  – Native apps
• Don't need to use OAuth
  – If API is only consumed by the user within the same web app
  – If APIs are only consumed server to server

Benefits

• No passwords shared between web apps
• No passwords stored on mobile devices
• Limits impact of security incidents
  – If Tonr gets hacked, Sparklr revokes OAuth access
  – If Sparklr gets hacked, you change your Sparklr password but don't have to do anything on Tonr
  – If you lose your mobile device, you revoke the access Sparklr gave to the Tonr mobile app

OAuth Versions

| Version | Comments |
|---|---|
| 1.0 | Has a security flaw related to session fixation; don't use it |
| 1.0a | Stable and well understood; uses a signature to exchange credentials and signs every request; signatures are more of a pain than they seem |
| 2.0 | Spec is final with good support |

OAuth 2.0 Authorization Grant Types

| Grant Type | Description |
|---|---|
| Authorization Code | Optimized for confidential clients; uses an authorization code from the Server; User doesn't see the access token |
| Implicit Grant | Optimized for script-heavy web apps; does not use an authorization code from the Server; User can see the access token |
| Resource Owner Password Credentials | Use in cases where the User trusts the Client; exposes User credentials to the Client |
| Client Credentials | Client gets an access token based on Client credentials only |

OAuth 2.0 Access Token Types

• Bearer
  – Large random token
  – Need SSL to protect it in transit
  – Server needs to store it securely hashed, like a user password
• MAC
  – Uses a nonce to prevent replay
  – Does not require SSL
  – OAuth 1.0 only supported a MAC-type token

Outline

• Authentication
• Encryption
• Validation
• Wrap Up

Session Hijacking

(Victim and attacker share a public WiFi network; mybank.com is reached across the Internet)

1) Victim goes to mybank.com via HTTP
2) Attacker sniffs the public wifi network and steals the JSESSIONID
3) Attacker uses the stolen JSESSIONID to access the victim's session

Enable SSL in web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Example</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>

  ...

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

JAX-RS SecurityContext

• isSecure()
  – Returns a boolean indicating whether the request was made via HTTPS

Secure Flag

• Ensures that the cookie is only sent via SSL
• Configure in web.xml as of Servlet 3.0

<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>

• Programmatically

Cookie cookie = new Cookie("mycookie", "test");
cookie.setSecure(true);

Strict-Transport-Security

• Tells browser to only talk to the server via HTTPS
  – First time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
  – Subsequent requests to HTTP automatically use HTTPS
• Supported browsers
  – Implemented in Firefox and Chrome
  – Defined in RFC 6797

Strict-Transport-Security: max-age=seconds [; includeSubdomains]

Outline

• Authentication
• Encryption
• Validation
• Wrap Up

Restrict Input

• Restrict to POST
  – Use @POST annotation
• Restrict the Content-Type
  – Use @Consumes({MediaType.APPLICATION_JSON})
  – Invalid Content-Type results in HTTP 415 Unsupported Media Type
• Restrict to Ajax if applicable
  – Check X-Requested-With: XMLHttpRequest header
• Restrict response types
  – Check Accept header for valid response types

Cross-Site Request Forgery (CSRF)

1) Victim signs on to mybank
2) Victim visits attacker.com
3) Page contains CSRF code
4) Browser sends the request to mybank

CSRF code on attacker.com:

<form action=https://mybank.com/transfer.jsp method=POST>
  <input name=recipient value=attacker>
  <input name=amount value=1000>
</form>
<script>document.forms[0].submit()</script>

Request sent by the victim's browser:

POST /transfer.jsp HTTP/1.1
Cookie: <mybank authentication cookie>

recipient=attacker&amount=1000

CSRF and OAuth 2.0

• How can an attacker use CSRF to take over your account?
  – Many sites allow logins from third-party identity providers like Facebook
  – Many identity providers use OAuth
  – Attacker can automatically associate your account with an attacker controlled Facebook account

OAuth CSRF Research

• Accounts at many sites could be taken over using OAuth CSRF
  – Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
• Research by Rich Lundeen
  – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
• Prior research by Stephen Sclafani
  – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability

OAuth CSRF Attack Flow

1) Create attacker controlled Facebook account
2) Victim is signed on to provider account (i.e. Stack Exchange)
3) Lure victim into visiting an evil site with OAuth CSRF code
  – CSRF code sends OAuth authorization request
4) Attacker's Facebook account now controls victim provider account

Linking Stack Exchange with an Evil Facebook Account

[Image from http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts]

CSRF Protection

• Spec defines a "state" parameter that must be included in the redirect to the Client
  – Value must be non-guessable and tied to session

Client sends "state" to Server:

http://www.sparklr.com:8080/sparklr2/oauth/authorize?
  client_id=tonr&
  redirect_uri=http://www.eviltonr.com:8080/tonr2/sparklr/photos&
  response_type=code&
  scope=read write&
  state=92G53T

Server sends "state" back to Client after authorization:

http://www.tonr.com:8080/tonr2/sparklr/photos?code=cOuBX6&state=92G53T
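An added example, not code from the talk or from the Tonr/Sparklr demo apps, covering the Client side of steps 1 to 3 of the detailed OAuth flow together with the "state" protection just described: the state is generated from a CSPRNG, bound to the session, and checked before the authorization code is accepted. It assumes the Sparklr endpoints, client id and redirect URI from the slides, the client secret "secret" decoded from the slide's Basic header, the Servlet HttpSession API, and a session attribute name of my choosing.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;

public class SparklrOAuthClient {
    static final String AUTHORIZE_URL = "http://www.sparklr.com:8080/sparklr2/oauth/authorize";
    static final String REDIRECT_URI = "http://www.tonr.com:8080/tonr2/sparklr/photos";
    static final String CLIENT_ID = "tonr";
    static final String CLIENT_SECRET = "secret"; // decoded from the slide's Basic header
    static final String STATE_ATTR = "oauth_state"; // session attribute name (assumed)
    static final SecureRandom RNG = new SecureRandom();

    // Step 1: build the authorize URL. The state is 128 random bits and is
    // stored in the user's session so the callback can be tied to this request.
    static String authorizeUrl(HttpSession session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(STATE_ATTR, state);
        return AUTHORIZE_URL + "?client_id=" + enc(CLIENT_ID)
             + "&redirect_uri=" + enc(REDIRECT_URI)
             + "&response_type=code&scope=" + enc("read write")
             + "&state=" + enc(state);
    }

    // Step 2: on the redirect back, accept the code only if the returned state equals
    // the session's. A forged callback carries no matching state, so its code is dropped.
    static boolean stateMatches(HttpSession session, String returnedState) {
        Object expected = session.getAttribute(STATE_ATTR);
        session.removeAttribute(STATE_ATTR); // single use, whatever the outcome
        if (expected == null || returnedState == null) return false;
        return MessageDigest.isEqual(expected.toString().getBytes(StandardCharsets.UTF_8),
                                     returnedState.getBytes(StandardCharsets.UTF_8));
    }

    // Step 3: the back-channel token request. Client credentials travel in the
    // Basic header and the code in the body; neither appears in a browser URL.
    static String tokenAuthorizationHeader() {
        String pair = CLIENT_ID + ":" + CLIENT_SECRET;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }
    static String tokenRequestBody(String code) {
        return "grant_type=authorization_code&code=" + enc(code) + "&redirect_uri=" + enc(REDIRECT_URI);
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
}
```

tokenAuthorizationHeader() reproduces the slide's "Basic dG9ucjpzZWNyZXQ=" value, and the body matches the slide's POST to /sparklr2/oauth/token.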

OAuth CSRF Protection Demo

OWASP 1-Liner

• Deliberately vulnerable application
  – Intended for demos and training
  – Created by John Wilander @johnwilander
• More information at
  – https://www.owasp.org/index.php/OWASP_1-Liner

JSON CSRF Demo

Normal JSON Message

{"id":0,"nickName":"John","oneLiner":"I LOVE Java!","timestamp":"2013-05-27T17:04:23"}

Forged JSON Message

{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": "20111006"}//=dummy

CSRF Attack Form

<form id="target" method="POST"
      action="https://local.1-liner.org:8444/ws/vulnerable/oneliners"
      enctype="text/plain" style="visibility:hidden">
  <input type="text"
         name='{"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": "20111006"}//'
         value="dummy" />
  <input type="submit" value="Go" />
</form>


CSRF Defense

• Must include something random in the request
  – Use an anti-CSRF token
• OWASP CSRFGuard
  – Written by Eric Sheridan @eric_sheridan
  – Can inject anti-CSRF token using
    • JSP Tag library - for manual, fine grained protection
    • JavaScript DOM manipulation - for automated protection requiring minimal effort
  – Filter that intercepts requests and validates tokens

CSRFGuard JSP Tags

• Tags for token name and value

<form name="test1" action="protect.html">
  <input type="text" name="text" value="text"/>
  <input type="submit" name="submit" value="submit"/>
  <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
</form>

• Tag for name/value pair (delimited with "=")

<a href="protect.html?<csrf:token/>">protect.html</a>

• Convenience tags for forms and links as well: <csrf:form> and <csrf:a>

Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

CSRFGuard DOM Manipulation

• Include JavaScript in every page that needs CSRF protection

<script src="/securish/JavaScriptServlet"></script>

• JavaScript used to hook the open and send methods

XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
  // store a copy of the target URL
  this.url = url;
  this._open.apply(this, arguments);
};

XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = function(data) {
  if (this.onsend != null) {
    // call custom onsend method to modify the request
    this.onsend.apply(this, arguments);
  }
  this._send.apply(this, arguments);
};

Protecting XHR Requests

• CSRFGuard sends two HTTP headers

XMLHttpRequest.prototype.onsend = function(data) {
  if (isValidUrl(this.url)) {
    this.setRequestHeader("X-Requested-With", "OWASP CSRFGuard Project");
    this.setRequestHeader("OWASP_CSRFTOKEN", "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
  }
};
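An added example, not code from the talk or from CSRFGuard itself: a JAX-RS request filter that applies the "Restrict Input" checks from earlier and verifies the two headers the onsend hook above sends, so that the text/plain attack form against the 1-Liner service is rejected. The header names come from the slides; the session attribute name, the class name and the @Provider registration are my assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
public class JsonCsrfFilter implements ContainerRequestFilter {
    static final String TOKEN_HEADER = "OWASP_CSRFTOKEN"; // header name from the slide
    static final String TOKEN_ATTR = "OWASP_CSRFTOKEN";   // session attribute name (assumed)

    @Context
    private HttpServletRequest servletRequest;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String m = ctx.getMethod();
        if ("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m)) return;
        // 1) Body must be JSON. An HTML form can only post urlencoded, multipart or
        //    text/plain, so the enctype="text/plain" form above fails here with 415,
        //    the same answer @Consumes(APPLICATION_JSON) gives on the resource.
        MediaType type = ctx.getMediaType();
        if (type == null || !MediaType.APPLICATION_JSON_TYPE.isCompatible(type)) {
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE).build());
            return;
        }
        // 2) Custom header must be present. Forms cannot set one, and a cross-origin
        //    script that sets one triggers a CORS preflight that fails unless the server opts in.
        if (ctx.getHeaderString("X-Requested-With") == null) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        // 3) Token header must equal the per-session token, compared in constant time
        HttpSession session = servletRequest.getSession(false);
        Object expected = (session == null) ? null : session.getAttribute(TOKEN_ATTR);
        String given = ctx.getHeaderString(TOKEN_HEADER);
        if (expected == null || given == null
                || !MessageDigest.isEqual(expected.toString().getBytes(StandardCharsets.UTF_8),
                                          given.getBytes(StandardCharsets.UTF_8))) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```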

JSON CSRF Protection Demo

Outline

• Authentication
• Encryption
• Validation
• Wrap Up

Summary

• Authentication
  – Can use userid/password for services consumed by your app
  – Use OAuth for third-party web apps and mobile apps
• Encryption
  – Use SSL
  – Use Secure flag
  – Use Strict-Transport-Security header
• Validation
  – Restrict input
  – Protect your apps against CSRF

Frank [email protected]

@sansappsec

Thanks!


References

• JAX-RS 2.0
  – http://jcp.org/en/jsr/detail?id=339
  – https://jax-rs-spec.java.net/nonav/2.0/apidocs
• OAuth 2.0 Specification
  – http://tools.ietf.org/html/rfc6749
  – http://oauth.net
• Spring Security OAuth
  – http://www.springsource.org/spring-security-oauth
• OAuth: The Big Picture
  – http://pages.apigee.com/oauth-big-picture-ebook.html
• OAuth CSRF issues
  – http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts
  – http://stephensclafani.com/2011/04/06/oauth-2-0-csrf-vulnerability
• OWASP 1-Liner
  – https://www.owasp.org/index.php/OWASP_1-Liner
• CSRFGuard
  – https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
  – http://ericsheridan.blogspot.com/2010/12/how-csrfguard-protects-ajax.html