Upload File

java security mythen - berlin expert days · xss stored! xss reflected! xss browser executes ......

  • Home
  • Documents
  • Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework
33
Java Security Myths Dominik Schadow b ridgingIT Berlin Expert Days, 03.04.2014

Upload: others

Post on 25-May-2020

39 views

Category:

Documents


2 download

Report

TRANSCRIPT

Page 1: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Java Security Myths

Dominik Schadow!bridgingIT

Berlin Expert Days, 03.04.2014

Page 2: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Secure Communication!Cross-Site Scripting!Cross-Site Request Forgery

Page 3: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Secure Communication

Page 4: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

HTTPS after log-in form is enough

Page 5: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Log-in form manipulation and interception

Page 6: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

HTTP Strict Transport Security Header (HSTS)protected void doPost(HttpServletRequest request, ! HttpServletResponse response) {! response.setHeader("Strict-Transport-Security",! "max-age=2592000; includeSubDomains");

Page 7: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

HSTS policy requires browser support

Chrome Firefox Opera

Internet Explorer Safari

Page 8: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Cross-Site Scripting (XSS)

Page 9: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

XSS - what?

Page 10: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

DOM Based!XSS

Stored!XSS

Reflected!XSS

Browser executes code from attacker

Page 11: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Modern frameworks automatically provide protection

Page 12: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

<h:selectOneMenu/>

<h:outputText/>

JavaServer Faces automatically escape all output

Page 13: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

XSS in action

Page 14: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Don‘t take framework security for granted

Page 15: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Don‘t regard your code and libraries as separate units

Page 16: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Always update third party libraries

Page 17: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Verify your dependencies are up-to-date

OWASP Dependency Check

Maven

Page 18: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Input validate, output escape

Page 19: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Use escaping libraries with security focus

OWASP Java Encoder * Coverity Security Library!

OWASP HTML Sanitizer

Page 20: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Intercepting proxy to avoid validation when testing

Page 21: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Cross-Site Request Forgery (CSRF)

Page 22: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

CSRF - what?

Page 23: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

POST forms protect from CSRF

Page 24: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

1

2 3

protected void doGet(request, response)

<img src="Servlet-URL?name=ATTACK">

4

Page 25: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Replace GET with POST requests

protected void doPost(request, response)

<img src="Servlet-URL?name=ATTACK">

<form method="post" action="MyServlet">

Page 26: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Add more dynamic with XMLHttpRequest

Page 27: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

JavaScript may submit POST forms

protected void doPost(request, response)

<form method="post" action="MyServlet">

var request = new XMLHttpRequest();!request.open("POST", "Servlet-URL");!request.send("name=ATTACK");

Page 28: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Add hidden anti CSRF forgery token to each form

Page 29: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

CSRF in action

Page 30: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Intranet applications are safe

Page 31: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Superduper Firewall

CSRF attacks don‘t stop at firewalls

Page 32: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Developers make the difference

Page 33: Java Security Mythen - Berlin Expert Days · XSS Stored! XSS Reflected! XSS Browser executes ... JavaServer Faces automatically escape all output. XSS in action. Don‘t take framework

Dominik Schadow!

BridgingIT GmbH Königstraße 42 70173 Stuttgart

[email protected] www.bridging-it.de !

Blog blog.dominikschadow.deTwitter/ADN @dschadow

Demo Projects github.com/dschadow/JavaSecurityMyths!

Coverity Security Library github.com/coverity/coverity-security-library!

JSF Escaping Bugjava.net/jira/browse/JAVASERVERFACES-2747!

OWASP HTML Sanitizer www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project!

OWASP Java Encoder www.owasp.org/index.php/OWASP_Java_Encoder_Project!

OWASP Dependency Checkwww.owasp.org/index.php/OWASP_Dependency_Check!

OWASP Zed Attack Proxy www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project!

Pictures www.dreamstime.com www.istockphoto.com

mailto:[email protected]
http://www.bridging-it.de
http://blog.xml-sicherheit.de

Shibuya xss lt

Xss a fondo

XSS Documentation

Introduction to XSS attacks - ENSIMAG...Web based vulnerabilities XSS - Cross-Site scripting Reflected XSS / type 1 attack 12 12[IBM 2002] Cross-site scripting Fabien Duchene, Karim

DOM-based XSS

Seamless Linking to Your App...Custom URL schemes Let apps communicate with each other Don‘t always map to your app Don‘t work without your app installed Don‘t protect users‘

XSS Injection Vulnerabilities

Is XSS Solvable?

Why I don‘t like camping

CSP - the panacea for XSS - owasp.org another security blogger . XSS. 4 XSS ... Over 12 million email messages daily ... CSP Based IDS Magic XSS XSS XSS Test & Fix . 29

XSS ATACKS

Don‘t be such a scientist annotated

XSS Theory

Xss attacks

XSS Remediation

Encontrando Vulnerabilidades XSS

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015

XSS Without Browser

Chuyên đề XSS

XSS Vulnerabilities

Complete xss walkthrough

Stylish XSS

Don‘t threat me, it makes me cold!

XSS Lightning talk

Universal XSS via IE8s XSS Filters - Black Hat | Home

Evolution Xss

XSS Desvendado

XSS Defense

XSS Complete Guide

PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •

Combinatorial XSS Attack Grammars - SBA Research · Combinatorial XSS Attack Grammars XSS Vectors for ... SBA Research April 10, 2015 SBA Research, Vienna. Outline Introduction XSS

„Don‘t say it ‘s impossible , rather say you don‘t know how to do it yet .“

Grails vs XSS: Defending Grails against XSS attacks

XSS - brutelogic.com.brbrutelogic.com.br/docs/XSS-FTW.pdf · Agenda Fast Intro to XSS Dangers of XSS Virtual Defacement LSD - Leakage, Spying and Deceiving Account Stealing Memory

Srikar Nadipally. Outline Finding and Exploiting XSS Vulnerabilities Standard Reflected XSS Stored XSS DOM based XSS Prevention of XSS attack Reflect