Tighten your Security and Privacy
Presentation "Tighten your Security and Privacy" by Lars Krapf at CQCON2013 in Basel on 19 and 20 June 2013.
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Tighten your Security and Privacy
Lars Krapf | Security Researcher
About me
Lars Krapf <[email protected]>
MSc ETH C.S. (Information Security)
Joined Bidule in 1997
Security Researcher (AEM)
Outline
Cross-site scripting (XSS)
– Definition
– XSS in the AEM context
– Prevention
loginAdministrative & Friends
– Risks & Threats
– Identifying Security Issues
– Conclusions
Cross-Site Scripting
What is Cross-Site scripting?
Web-application security vulnerability
Often underrated
Injection problem
– Same channel used for data and logic
Abuse browser trust
– Circumvent same-origin policy
– HTTPS will not save you
Most web-applications affected
Types of Vulnerabilities
Reflected (non-persistent) XSS
– Most common
– Data from client is displayed back directly
– Typically delivered via email or a neutral site
Stored (Persistent) XSS
– Malicious content stored in DB
e.g. Forum post, Profile information, Logfile
– Usually higher impact
DOM based XSS
XSS and AEM
Most frequent security bug
– 500+ Issues in JIRA
– Pentest-report contained ~70% XSS bugs
– Large amount of scripts affected
Difficult challenge
– XSS vs SSS
– Customers want HTML paragraph
– DAM
– Can we trust our authors?
Attack Vectors
● Request parameters
● URL components
(Path, Selectors, Extension, Suffix, Hash)
● HTTP Headers
● Cookies
● Repository
– Content
– Configuration properties
– Node names / path
(Problem: JCR special characters)
● Log-files
● Filenames
Types of Attackers
Anonymous User
– Usually not able to store content
– Can forge a link and send it to other users / authors (reflected XSS)
– Almost impossible to trace
Authenticated User
– Can store content / profile information
– Largest impact → Critical
Author
– Has read-write access to /content
– Has to be trusted to certain extent
– Good traceability
XSS Risks
Manipulate content
Execute scripts
Steal cookies
Clickjacking
Phishing
Author vs. Publish
Author
– Attack WEM functionality
– Must be authenticated to access/store content
– Access to Workflows
– Security/Functionality trade-off
Publish
– Large audience
– Weak authentication (or even anonymous)
→ Critical Risk
AEM XSS Philosophy
→ Allow all input – Encode all output
→ Encode at the very end
→ Don't think too much
→ Never do it yourself
How can we prevent XSS?
Serverside: XSSAPI (AntiSamy), Taglib, JSON-Writer
Clientside: escape(), _g.XSS.getXSSValue()
Cookie Security
Additional measures (e.g. password dialog, hashing)
Browser Security
XSSAPI: Methods
```java
// Validators
public Integer getValidInteger(String integer, int defaultValue);
public String getValidDimension(String dimension, String defaultValue);
public String getValidHref(String url);

// Encoders
public String encodeForHTML(String source);
public String encodeForHTMLAttr(String source);
public String encodeForXML(String source);
public String encodeForXMLAttr(String source);
public String encodeForJSString(String source);

// Filters
public String filterHTML(String source);

// JCR based URL mapping
public XSSAPI getRequestSpecificAPI(SlingHttpServletRequest request);
public XSSAPI getResourceResolverSpecificAPI(ResourceResolver resourceResolver);
```
com.adobe.granite.xssprotection.XSSAPI
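As an added illustration (not code from the deck or from AEM itself), a Sling servlet that reflects four request parameters into four different output contexts and picks the matching XSSAPI encoder or validator for each, following the "allow all input, encode all output at the very end" rule. The servlet path, parameter names and the Felix SCR annotations are assumptions; the XSSAPI package name follows the JavaDoc link on the references slide.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import com.adobe.granite.xss.XSSAPI;

// Hypothetical servlet path and parameter names: they exist only for this example.
@SlingServlet(paths = "/bin/example/teaser")
public class TeaserServlet extends SlingSafeMethodsServlet {

    @Reference
    private XSSAPI xssAPI;

    // "Allow all input": parameters are taken as-is; only a missing one becomes "".
    private static String param(SlingHttpServletRequest request, String name) {
        String value = request.getParameter(name);
        return value == null ? "" : value;
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // Request-specific instance, so getValidHref() can also map repository paths.
        XSSAPI xss = xssAPI.getRequestSpecificAPI(request);
        String title = param(request, "title");
        String link = param(request, "link");
        String width = param(request, "width");
        String callback = param(request, "cb");

        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();

        // Reflected XSS as the deck describes it: the raw parameter lands in the HTML body.
        // out.println("<h2>" + title + "</h2>");

        // "Encode all output, at the very end": one encoder or validator per output context.
        out.println("<h2>" + xss.encodeForHTML(title) + "</h2>");                  // element text
        out.println("<a href=\"" + xss.getValidHref(link) + "\" title=\""            // URL: validated
                + xss.encodeForHTMLAttr(title) + "\">more</a>");                   // attribute value
        out.println("<img src=\"/content/dam/example.png\" width=\""
                + xss.getValidDimension(width, "100") + "\">");                    // dimension validated
        out.println("<script>render('" + xss.encodeForJSString(callback) + "');</script>"); // JS string
    }
}
```

The same title is encoded twice with different encoders because it lands in two contexts; encodeForHTML() inside the script block would not be sufficient there.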
AntiSamy configuration
XML configuration file (/libs/cq/xssprotection/config.xml)
Can be overlayed in /apps
Should be adapted to project-specific needs
References: Cross-Site Scripting
XSS Cheat Sheet https://wiki.day.com/content/wiki/Dev/Communique/Security/OwaspTopTen/wiki:attachments/xss_cheat_sheet.pdf
OWASP XSS: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
OWASP AntiSamy: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
XSSAPI JavaDoc: http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/xss/XSSAPI.html
loginAdministrative & Friends
loginAdministrative & Friends
Sling API
– SlingRepository.loginAdministrative
– ResourceResolverFactory.getAdministrativeResourceResolver
– ResourceResolverFactory.getAdministrativeResourceProvider
JCR API
– Session.impersonate
Custom API and Services
– Exposing resources, adaptables or data with admin session
Risks & Threats
● General
– Circumventing access control
– Trust boundary violation
– Privilege escalation
● Effects on Read
– Information disclosure
– Privacy violations
– SQL/XPath injections
● Effects on Write
– Content manipulation
– Changing access control
– Creating or modifying executable content
– Access to web console
– File system access
– Access to runtime
Identifying Security Issues
Request Handling
– Admin session used in servlets and scripts
– Usage of API/Services that use admin session
– Mixing different sessions
– Combination with
  ● missing path normalization
  ● missing property validation / restriction
  ● missing node type structure that would help enforcing constraints
Identifying Security Issues
Services and API
– API definition forces the use of admin session
– Implementation makes use of admin session
  ● Reading or writing data with admin
  ● Objects bound to admin session
  ● Mixing different sessions
– Caching Issues
– Admin session fields
Identifying Security Issues
Content Structure
– Data model requires use of admin session
– Data containers, e.g. for
  ● storing backup information
  ● collecting status information
  ● tracking
– Structure created by services without proper ACL setup
Conclusions
Request Handling
– Servlets and scripts consistently use the request session:
  ● a single session processes one request
  ● no admin session is used
– Understand the nature of services and API used
– Review access paths of scripts/servlets
– Security risks associated with the input parameters
  ● normalize and verify paths
  ● don't write arbitrary properties / nodes
  ● think about potential exploits
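The request-handling conclusions above, as an added example (not code from the deck): a POST servlet that writes with the request's own session only, normalizes and prefix-checks the user-supplied path before resolving it, and restricts which property names the request may set. The servlet path, content root and property whitelist are assumptions for this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ModifiableValueMap;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

// Hypothetical servlet path, content root and property whitelist, for this example only.
@SlingServlet(paths = "/bin/example/rate", methods = "POST")
public class RatingServlet extends SlingAllMethodsServlet {

    private static final String ROOT = "/content/example/ratings/";
    private static final String[] WRITABLE = { "rating", "comment" };

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // One request, one session: the request's resolver carries the caller's own
        // permissions, so the repository (not this code) decides whether the write is allowed.
        ResourceResolver resolver = request.getResourceResolver();
        // Normalize before checking: "." and ".." are collapsed and a path that climbs above
        // the root comes back as null, so the prefix check below cannot be bypassed.
        String raw = request.getParameter("path");
        String path = raw == null ? null : ResourceUtil.normalize(raw);
        Resource target = path != null && path.startsWith(ROOT) ? resolver.getResource(path) : null;
        ModifiableValueMap props = target == null ? null : target.adaptTo(ModifiableValueMap.class);
        if (props == null) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "no writable rating node");
            return;
        }
        // Only whitelisted names are written: the request cannot pick e.g. jcr:mixinTypes.
        for (String name : WRITABLE) {
            String value = request.getParameter(name);
            if (value != null) {
                props.put(name, value);
            }
        }
        try {
            resolver.commit();
        } catch (PersistenceException e) {
            // Access denied for this user: report it, never retry with an admin session.
            resolver.revert();
            response.sendError(SlingHttpServletResponse.SC_FORBIDDEN, "write not permitted");
        }
    }
}
```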
Conclusions
Services and API design
– Consider security requirements at an early stage
– Design API/Services such that implementation is possible without admin session
– Use a dedicated user with limited permissions
→ Sling Service Authentication
– Don't mix different sessions
– Don't access caches with different sessions
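The service-design conclusions above, as an added example (not code from the deck): an OSGi service that replaces getAdministrativeResourceResolver with Sling Service Authentication, using a dedicated subservice user, closing the resolver after each call rather than caching it, and returning plain values instead of objects bound to the session. The service, subservice name, bundle symbolic name and user name in the mapping comment are assumptions.

```java
import java.util.Collections;
import java.util.Map;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

// Hypothetical service for this example: reads a status node that callers must not browse directly.
@Component
@Service(StatusReader.class)
public class StatusReader {

    // Subservice name, mapped to a dedicated read-only user through the ServiceUserMapper
    // (assumed bundle and user names):
    //   PID org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended
    //   user.mapping=["com.example.status:status-reader=status-reader-user"]
    private static final String SUBSERVICE = "status-reader";

    @Reference
    private ResourceResolverFactory factory;

    public String readStatus(String statusPath) throws LoginException {
        // BEFORE: full repository access for a read-only task.
        // ResourceResolver resolver = factory.getAdministrativeResourceResolver(null);

        // AFTER: Sling Service Authentication with a user that holds only the needed permissions.
        Map<String, Object> auth = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        ResourceResolver resolver = factory.getServiceResourceResolver(auth);
        try {
            Resource status = resolver.getResource(statusPath);
            // Return a copied value only; a Resource or the resolver itself would bind the
            // caller to this session (the "objects bound to admin session" problem).
            return status == null ? null : status.getValueMap().get("status", String.class);
        } finally {
            // Never keep the service session in a field or cache; each call opens and closes its own.
            resolver.close();
        }
    }
}
```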
Conclusions
Content Modeling
– Security requirements drive the content structure, such that
  ● managing access control "feels natural"
  ● access control is enforced by the repository and not by the application
– Verify that content has proper permission setup
– Make use of node types to enforce constraints and limit the risk of 'public' write
References: loginAdministrative & Friends
Wiki
https://wiki.day.com/content/wiki/Users/anchela/loginAdministrative&Friends.html
CheckList
https://wiki.day.com/content/wiki/Users/anchela/loginAdministrative&Friends/checklist.html
Security FAQ:
https://wiki.day.com/content/wiki/Dev/Communique/Security/SecurityFAQ.html