Professional Documents
Culture Documents
Security Threats
and
Counter Measures
Sang Shin
sang.shin@sun.com
www.javapassion.com
Java Technology Evangelist
Sun Microsystems, Inc.
. 3
. 4
Source: http://www.vnunet.com/news/1152521
Source: www.owasp.org
. 5
. 7
. 8
. 9
. 10
. 11
The problem here is that the price is being grabbed directly from the request input
(req.getParameter(“price”)).
. 13
Rather than getting the price from the request, the solution is to get the price from the
database, flagging an error if it does not match what’s on the page. This is accomplished
with the call “skuManager.getPrice(sku)”
• OWASP’s WebScarab
> By submitting unexpected values in HTTP requests
and viewing the web application’s responses, you
can identify places where tainted parameters are
used
• Stinger HTTP request validation engine
(stinger.sourceforge.net)
> Developed by OWASP for J2EE environments
. 14
• Insecure ID's
• Forced browsing pass access control checking
• Path traversal
• File permissions
. 16
* Insecure Id’s – Most web sites use some form of id, key, or index as a
way to reference users, roles, content, objects, or functions. If an
attacker can guess these id’s, and the supplied values are not validated
to ensure the
Exact File are authorized for the
Name current user, the attacker can
11/11/07 Page 16
exercise the access control scheme freely to see what they can access.
Web applications should not rely on the secrecy of any id’s for
protection.
* Forced Browsing Past Access Control Checks – many sites require
users to pass certain checks before being granted access to certain
URLs that are typically ‘deeper’ down in the site. These checks must not
be bypassable by a user that simply skips over the page with the
security check.
* Path Traversal – This attack involves providing relative path
information (e.g., “../../target_dir/target_file”) as part of a request for
information. Such attacks try to access files that are normally not
directly accessible by anyone, or would otherwise be denied if requested
directly. Such attacks can be submitted in URLs as well as any other
input that ultimately accesses a file (i.e., system calls and shell
commands).
* File Permissions – Many web and application servers rely on access
control lists provided by the file system of the underlying platform. Even
if almost all data is stored on backend servers, there are always files
stored locally on the web and application server that should not be
publicly accessible, particularly configuration files, default files, and
scripts that are installed on most web and application servers. Only files
that are specifically intended to be presented to web users should be
marked as readable using the OS’s permissions mechanism, most
directories should not be readable, and very few files, if any, should be
marked executable.
* Client Side Caching – Many users access web applications from shared
computers located in libraries, schools, airports, and other public
access points. Browsers frequently cache web pages that can be
accessed by attackers to gain access to otherwise inaccessible parts of
. 17
. 19
Notice that the Cookie is stored with the plain-text userid of the
logged in user. In this example, the application that expects to
share a cookie with this system (shown on the next slide), will
find theExact File Namestored in plain text.
cookie 11/11/07 Page 20
#3: Broken Account/Session
Management (Server Example—SSO)
public void doGet(HttpServletRequest req,…) {
// Get user name
Cookie[] cookies = req.Cookies();
for (i=0; i < cookies.length; i++) {
Cookie cookie = cookies[i];
if (cookie.getName().equals(“ssoCookie”)) {
String userId = cookie.getValue();
HttpSession session = req.getSession();
session.setAttribute(“userId”,userId);
} // end if
} // end for
} // end doGet
. 21
Here, the user is set from a plain-text cookie that was passed by
the client. Obviously, that cookie could have been spoofed.
Exact File Name 11/11/07 Page 21
#3: Safe Account/Session
Management (Client Solution—SSO)
public void doGet(HttpServletRequest req,…) {
// Get user name
String userId = req.getRemoteUser();
// Encrypt the User ID before passing it
// to the client as part of a cookie.
encryptedUserId = Encrypter.encrypt(userId);
Cookie ssoCookie =
new Cookie(“userid”,encrypteduserId);
ssoCookie.setPath(“/”);
ssoCookie.setDomain(“cisco.com”);
response.addCookie(ssoCookie);
… . 22
. 23
Here, the user is first decrypted before being accepted as the user’s identity. Obviously, if
the cookie doesn’t decrypt to a valid value (checked by the “isValid” method), it won’t
allow the user’s cookie to be set properly, which is a good security check.
. 26
. 27
. 28
. 30
The flaw here is that the values are taken directly from the
request and placed into the database, with no input validation or
sanitizing.
Exact File Name 11/11/07 Page 32
#4: Cross-Site Scripting (Solution)
private static String stripEvilChars(String evilInput) {
Pattern evilChars = Pattern.compile(“[^a-zA-Z0-9]”);
return evilChars.matcher(evilInput).replaceAll(“”);
}
protected void doPost(HttpServletRequest req, HttpServletResponse res) {
// Do vigorous input validation
String title = stripEvilChars(req.getParameter(“TITLE”));
String message = stripEvilChars(req.getParameter(“MESSAGE”));
try {
connection = DatabaseUtilities.makeConnection(s);
PreparedStatement statement =
connection.prepareStatement
(“INSERT INTO messages VALUES(?,?)”);
statement.setString(1,title);
statement.setString(2,message);
statement.executeUpdate();
} catch (Exception e) {
…
} // end catch
} // end doPost
. 33
To fix this, add the “stripEvilChars” method that uses JDK 1.4’s
pattern matching with regular expressions.
Exact File Name 11/11/07 Page 33
Cross Site
Scripting Demo
J.
. 36
J.
. 40
J.
. 41
. 42
. 43
. 44
. 45
For those calls that you must still employ, such as calls to backend
databases, you must carefully validate the data provided to ensure that it
does not contain any malicious content. You can also structure many
requests in a manner that ensures that all supplied parameters are
treated as data, rather than potentially executable content. The use of
stored procedures or prepared statements will provide significant
protection, ensuring that supplied input is treated as data. These
measures will reduce, but not completely eliminate the risk involved in
these external calls. You still must always validate such input to make
sure it meets the expectations of the application in question.
. 46
. 48
J.
. 50
. 51
. 52
. 54
. 55
. 56
The flaw here is that we are showing the entire stack trace to the user, which will certainly
help them in future attacks.
To fix this, log the stack trace to the system logs, but only show a generic error message
to the user.
. 60
. 62
. 63
. 65
. 67
J.
. 70
. 71
. 72
. 73
isAdmin = true;
try {
codeWhichMayFail();
isAdmin = isUserInRole( “Administrator” );
}
catch (Exception ex) {
log.write(ex.toString());
}
. 74
. 76
. 78
. 79
. 81
Sang Shin
sang.shin@sun.com
www.javapassion.com
Java Technology Evangelist
Sun Microsystems, Inc.