tomcat webapp security jason brittain software architect, mulesoft co-author, tomcat: the definitive...
TRANSCRIPT
Tomcat Webapp SecurityJason BrittainSoftware Architect, MulesoftCo-author, Tomcat: The Definitive Guide
HTTP Request Model Vulnerabilities Request Parameters
- XSS
- CSRF
- HTML Injection
- SQL Injection Request Headers Request URI Container-Level vs. Webapp-Level Filtering
How to Write Secure Webapps
Use only HTTPS and disable small key length ciphers Distrust and sanitize allall input from the client Filter for CSRF (Enable the CsrfPreventionFilter) Filter for XSS (Enable the BadInputFilter)
http://www.sf.net/projects/catnip Generally secure Tomcat Enable the Tomcat security manager and customize
catalina.policy
Scanning Tools and Remediation
Tools Process
Scanning Tools and Remediation (cont)
Commercial scanning tools:
- IBM Rational AppScan
- HP WebInspect
- Acunetix Web Vulnerability Scanner Open Source:
- Ratproxy
Scanning Tools and Remediation (cont)
Process for removing vulnerabilities:
1. Scan
2. Investigate Reported Vulnerabilities
3. Fix vulnerability
4. Goto 1.
HTTP Caching and Security
Browser Cache Proxy Cache// Standard HTTP 1.1 cache disabling header.
httpResponse.setHeader("Cache-Control", "no-cache,must-revalidate");
// Set IE extended HTTP 1.1 no-cache headers.
httpResponse.addHeader("Cache-Control", "post-check=0,pre-check=0");
// Tell proxy caches not to cache this resource.
httpResponse.addHeader("Cache-Control", "proxy-revalidate");
// Standard HTTP 1.0 cache disabling header.
httpResponse.setHeader("Pragma", "no-cache");
// Standard HTTP 1.0 cache disabling header. Prevents caching at the proxy server.
httpResponse.setDateHeader("Expires", 0);
Use HTTPS
Configure Your Webapp to Require HTTPS Disable Insecure Key Lengths / Ciphers Use v6.0.24 and Higher sessionCacheSize and sessionTimeout
Configuring for HTTPS-onlyConfigure your HTTPS connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="450" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS”
keystoreFile="conf/keystore" keystorePass="shhhh"
proxyHost="10.1.1.1" proxyPort="443"
URIEncoding="UTF-8"
maxHttpHeaderSize="32768"/>
Configuring for HTTPS-only (cont.)Configure your HTTP connector to redirect to HTTPS:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
proxyHost="10.1.1.1" proxyPort="80"
URIEncoding="UTF-8"
maxHttpHeaderSize="32768"/>
Configuring for HTTPS-only (cont.)In your webapp's WEB-INF/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>NonSecureConnectionOk</web-resource-name>
<url-pattern>*.ico</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
Configuring HTTPS
Disable “weak” encryption:
<Connector ciphers=”SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA, ...”>
See http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites
Connector Hardening
<Server port="-1"port="-1" shutdown="SHUTDOWN"> Max Post Size Max Http Header Size Max Threads
Java Security Manager
Prevents your webapp from: Reading/writing arbitrary files Making network connections Instantiating/using arbitrary Java packages & classes Etc.
To effectively use it you must:
- Write custom permissions rules
- Debug permissions issues
- Test exhaustively
.. it's not for everyone!
Webapp File Permissions
- Tomcat needs these readable, but not writable
- Don't write files in your webapp tree
Tomcat File Permissions
CIS: Apache Tomcat Security
http://www.cisecurity.org/benchmarks.html
In general:
- Start with the whole tree read only
- conf/Catalinaconf/Catalina and conf/Catalina/localhost must be read/write
- temp/ work/ and logs/ need to be read/write
- webapps/ needs to be read/write, but not webapp dirs
Monitor for Announced Vulnerabilities
Tomcat project security vulnerabilities page:
http://tomcat.apache.org/security.html
Upgrade when there is a fix!
Additional Resources
MuleSoft Tcat Server
http://www.mulesoft.com/tcat-server-enterprise-tomcat-application-server
TLS Renegotiation Extension and Vulnerability
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
Web App Scanners Miss Half of Vulnerabilities
http://news.slashdot.org/story/10/02/06/1933211/Web-App-Scanners-Miss-Half-of-Vulnerabilities?art_pos=5
Turning XSS Into Clickjacking
http://ha.ckers.org/blog/20100614/turning-xss-into-clickjacking
Q&AThanks!