Securing java web applications


Securing Java Web Applications

An introduction

Jonas Flesch

me@jonasflesch.com

Index

• Spring Security

• Passwords

• Sql Injection

• JSTL

• Client sent content

• Stacktraces

• Test

• Legal issues

Step 1: Use Spring Security!!

Spring Security

• Authentication

.formLogin()
    .loginPage("/login")
    .loginProcessingUrl("/authenticate")
    .failureUrl("/login?error=true")
    .usernameParameter("username")
    .passwordParameter("password")
    .permitAll();

Spring Security

• Authorization

@Controller
@Secured(Roles.ROLE_ADMINISTRATOR)   // every handler in this controller requires ROLE_ADMINISTRATOR
@RequestMapping(UserController.BASE_URL)
public class UserController extends BaseController {
    // ... handler methods
}

Spring Security

• Cross Site Request Forgery Token

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

Spring Security

• Good-practice security headers (sent by default)
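The three points above (form login, role-based authorization, the CSRF token) and the default headers come together in one configuration class. The following is an added example, not code from the slides; it assumes Spring Security 5.7 or later (SecurityFilterChain bean and lambda DSL), and the URLs, the class name and the role name ADMINISTRATOR are assumptions. The one thing the slide does not say out loud is that @Secured on a controller is ignored unless method security is switched on, which the annotation on the class does.

```java
// Added example (not from the slides): Spring Security configuration tying together
// form login, URL authorization, CSRF and security headers. Assumes Spring Security 5.7+.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
// Without securedEnabled = true, @Secured(Roles.ROLE_ADMINISTRATOR) on a controller does nothing.
@EnableMethodSecurity(securedEnabled = true)
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization: URL rules here, @Secured on the controller as a second line of defence.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**", "/js/**").permitAll()   // assumed public paths
                .requestMatchers("/users/**").hasRole("ADMINISTRATOR")        // same as ROLE_ADMINISTRATOR
                .anyRequest().authenticated())
            // Authentication: the form login exactly as on the slide.
            .formLogin(form -> form
                .loginPage("/login")
                .loginProcessingUrl("/authenticate")
                .failureUrl("/login?error=true")
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll())
            // CSRF protection is on by default; keeping it on means every state-changing
            // POST must carry ${_csrf.token} or Spring Security answers 403.
            .csrf(Customizer.withDefaults())
            // Default headers already include X-Content-Type-Options: nosniff,
            // X-Frame-Options: DENY, Cache-Control: no-store and HSTS over HTTPS.
            // Here a Content-Security-Policy is added on top (assumed policy).
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'")));
        return http.build();
    }
}
```

The URL rule and the @Secured annotation overlap on purpose: if a new mapping is added to the controller without a URL rule, the method-level check still applies.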

Step 2: Passwords

Passwords

• Store them using a strong salted hash

  • Bcrypt

• Never send them by e-mail or store them in plain text

• Protect user creation/password recovery forms with a captcha

  • reCAPTCHA when possible

  • JCaptcha as second choice
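The bcrypt point in practice, as an added example rather than code from the slides: Spring Security ships BCryptPasswordEncoder, which generates a fresh salt per call and embeds it in the hash, so the application persists the hash string only. The class name, the cost factor and the usage in main are assumptions.

```java
// Added example (not from the slides): hashing and checking passwords with bcrypt
// through Spring Security's BCryptPasswordEncoder. Class name and cost factor are assumed.
package com.example.security;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordStore {

    // Cost factor 12 (2^12 rounds). Raise it over time as hardware gets faster;
    // old hashes keep working because the cost is stored inside the hash string.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder(12);

    /** On registration or password reset: only the returned string is written to the database. */
    public String hashForStorage(String password) {
        // A random salt is generated for every call, so two users with the same
        // password end up with different hashes.
        return encoder.encode(password);
    }

    /** On login: compare the candidate against the stored hash; the clear text is never stored. */
    public boolean verify(String candidate, String storedHash) {
        return encoder.matches(candidate, storedHash);
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        String stored = store.hashForStorage("correct horse battery staple");
        // Looks like $2a$12$<22 char salt><31 char hash>; the salt is part of it.
        System.out.println("stored hash: " + stored);
        System.out.println("right password: " + store.verify("correct horse battery staple", stored));
        System.out.println("wrong password: " + store.verify("wrong", stored));
    }
}
```

For password recovery the same rule applies: the server can only generate a new hash, it can never "send the password" because it does not have it.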

Step 3: SQL Injection

SQL Injection

• Always use SQL parameters (JDBI named parameters shown; the method declaration is assumed, the slide only shows the annotation):

@SqlUpdate("UPDATE User ug"
         + " SET DsEmail = :dsEmail"
         + " WHERE idUser = :idUser")
int updateEmail(@Bind("dsEmail") String dsEmail, @Bind("idUser") long idUser);
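Underneath the JDBI annotation, :dsEmail and :idUser become JDBC PreparedStatement parameters. The following is an added example, not code from the slides, that writes the same UPDATE once the wrong way (string concatenation) and once with a PreparedStatement, so the difference is visible without the framework. Table and column names follow the slide; the UserRepository class is an assumption.

```java
// Added example (not from the slides): the slide's UPDATE as plain JDBC, unsafe and safe.
// Table/column names from the slide; the repository class is assumed.
package com.example.dao;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

public class UserRepository {

    private final Connection connection;

    public UserRepository(Connection connection) {
        this.connection = connection;
    }

    // WRONG: the e-mail value is pasted into the SQL text. A single quote inside the
    // input ends the string literal and whatever follows is parsed as SQL, so the
    // WHERE clause can be rewritten and every row updated.
    public int updateEmailUnsafe(long idUser, String email) throws SQLException {
        String sql = "UPDATE User SET DsEmail = '" + email + "' WHERE idUser = " + idUser;
        try (Statement st = connection.createStatement()) {
            return st.executeUpdate(sql);
        }
    }

    // CORRECT: the SQL text is constant; values are sent separately as parameters and
    // are never parsed as SQL, whatever characters they contain. This is what JDBI
    // does behind @SqlUpdate with :dsEmail / :idUser.
    public int updateEmail(long idUser, String email) throws SQLException {
        String sql = "UPDATE User SET DsEmail = ? WHERE idUser = ?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, email);
            ps.setLong(2, idUser);
            return ps.executeUpdate();
        }
    }
}
```

Parameters cover values only. Table names, column names and ORDER BY directions cannot be bound; if those come from the client they must be checked against a fixed allow-list in Java before being put into the SQL string.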

Step 4: Use JSTL carefully

JSTL

• Wrong: <input type="hidden" name="uuid" value="${UUID}"/>

• Correct: <input type="hidden" name="uuid" value="<c:out value="${UUID}"/>"/>

• Why? With an unescaped value the output can become: <input type="hidden" name="uuid" value=""><script>alert(1)</script>"/>

• c:out escapes the string with HTML entities like &lt;
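To trace the "Why?" case through, here is the escaping that c:out (escapeXml="true", the default) applies, written as a plain Java method. This is an added example, not code from the slides or from JSTL itself; it uses the same five replacements JSTL's escapeXml performs, and the class name and the hiddenInput helper are assumptions.

```java
// Added example (not from the slides): the escaping <c:out> applies, as a Java method,
// and the slide's hidden input rendered with and without it. Class name is assumed.
package com.example.web;

public final class HtmlEscaper {

    private HtmlEscaper() {}

    /** Escapes the five characters that can change HTML structure, as JSTL escapeXml does. */
    public static String escapeXml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Renders the slide's hidden input the way the "Correct" version does. */
    public static String hiddenInput(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeXml(name)
             + "\" value=\"" + escapeXml(value) + "\"/>";
    }

    public static void main(String[] args) {
        // The value from the slide's "Why?" line: a quote closes the attribute early.
        String uuid = "\"><script>alert(1)</script>";
        System.out.println("unescaped: <input type=\"hidden\" name=\"uuid\" value=\"" + uuid + "\"/>");
        System.out.println("escaped:   " + hiddenInput("uuid", uuid));
    }
}
```

Inside an attribute the escaped quote (&#034;) is what keeps the value from closing the attribute; the escaped angle brackets keep the browser from seeing a new tag. Note that this is HTML escaping only: a value placed inside a JavaScript block or a URL needs the escaping of that context instead.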

Step 5: Never trust content from the client

Never trust content from the client

• Never use file names from uploads

  • Use a UUID as the file name when saving to the hard drive

• Put a file size limit in place

  • Endless uploads can crash the server

• Validations made in JavaScript must be done again on the server
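The upload rules above in one method, as an added example that is not code from the slides: the file is written under a server-generated UUID name, the original name is only returned as metadata, and the size limit is enforced on the bytes actually read rather than on the client's Content-Length header, which is how an endless upload is cut off. The UploadStore class and its constructor arguments are assumptions.

```java
// Added example (not from the slides): store an upload under a UUID name with a
// byte limit enforced on the stream itself. Class name and limit are assumed.
package com.example.upload;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.UUID;

public class UploadStore {

    private final Path uploadDir;
    private final long maxBytes;

    public UploadStore(Path uploadDir, long maxBytes) {
        this.uploadDir = uploadDir;
        this.maxBytes = maxBytes;
    }

    /**
     * Copies the request body to disk and returns the generated file name.
     * The client-supplied name is never used for the path; keep it in the database
     * as display metadata if needed.
     */
    public String store(InputStream body) throws IOException {
        // Server-chosen name: no separators, no "..", no attacker-chosen extension.
        String storedName = UUID.randomUUID().toString();
        Path target = uploadDir.resolve(storedName);

        byte[] buf = new byte[8192];
        long total = 0;
        // CREATE_NEW fails instead of overwriting if the name somehow already exists.
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE_NEW)) {
            int n;
            while ((n = body.read(buf)) != -1) {
                total += n;
                if (total > maxBytes) {
                    // Declared length is irrelevant: we stop as soon as the real bytes exceed the limit.
                    throw new IOException("upload exceeds limit of " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            Files.deleteIfExists(target); // never leave a partial file behind
            throw e;
        }
        return storedName;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads");
        UploadStore store = new UploadStore(dir, 16); // constructed: 16-byte limit for the demo

        // Constructed input: small body is accepted, oversize body is rejected and removed.
        InputStream small = new ByteArrayInputStream("hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("stored as " + store.store(small));

        InputStream big = new ByteArrayInputStream(new byte[64]);
        try {
            store.store(big);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("files left in " + dir + ": " + Files.list(dir).count());
    }
}
```

In a Spring application the container-level limit (spring.servlet.multipart.max-file-size or the equivalent in web.xml) should also be set so the request is refused before reaching this code; the loop above is the backstop for streams that arrive by other routes.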

Step 6: Hide the stack traces!!!

Hide the stack traces

• An evil user can discover:

  • Frameworks/versions

  • Paths

  • Pieces of code/details of the implementation

• Solution:

  • Spring MVC @ControllerAdvice with @ExceptionHandler

  • web.xml <error-page>
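A @ControllerAdvice that does what the slide asks, as an added example rather than code from the slides: the full stack trace goes to the server log with a random incident id, and the user sees only a generic page carrying that id. The class name, the view name error/generic and the use of SLF4J are assumptions. The web.xml <error-page> entry is still worth configuring alongside it, because it catches errors raised outside Spring MVC (for example in filters).

```java
// Added example (not from the slides): generic error page for the user, full trace in the log.
// View name and logger are assumed.
package com.example.web;

import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.servlet.ModelAndView;

@ControllerAdvice
public class GlobalExceptionHandler {

    private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);

    @ExceptionHandler(Exception.class)
    @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
    public ModelAndView handleAnything(Exception ex) {
        // A random id links the page the user sees to the log entry, without
        // revealing anything about the failure itself.
        String incidentId = UUID.randomUUID().toString();
        log.error("Unhandled exception, incident {}", incidentId, ex); // trace lands in the log only

        ModelAndView mav = new ModelAndView("error/generic");
        mav.addObject("incidentId", incidentId);
        // Deliberately NOT added: ex, ex.getMessage(), ex.getClass(). Exception messages
        // routinely contain file paths, SQL fragments and framework class names.
        return mav;
    }
}
```

The error/generic template should print only the incident id and a contact hint; support staff can then look the id up in the log where the real trace is.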

Step 7: Test it!

Test

• OWASP ZAP

  • Automated testing

  • Every error found is important

  • Use the proxy in every functionality

  • Can be integrated into Continuous Integration

• Evil user in the scenarios

  • Automate it too!
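"Evil user in the scenarios, automate it too" can be done inside the normal test suite with Spring's MockMvc and spring-security-test, so it runs in CI next to the ZAP scan. The following is an added example, not code from the slides: it plays an ordinary user against the admin-only UserController and an administrator who forgets the CSRF token. The test class, the URL /users, the user names and the role ADMINISTRATOR are assumptions, and the last test assumes the controller answers 2xx on a successful POST.

```java
// Added example (not from the slides): automated "evil user" scenarios with MockMvc.
// Assumes Spring Boot + spring-security-test; URLs, users and roles are assumed.
package com.example.web;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class EvilUserScenarioTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousUserIsSentToLogin() throws Exception {
        // Form login: unauthenticated requests are redirected to /login, not served.
        mockMvc.perform(get("/users"))
               .andExpect(status().is3xxRedirection());
    }

    @Test
    void ordinaryUserCannotReachAdminController() throws Exception {
        // @Secured(Roles.ROLE_ADMINISTRATOR) must refuse a user holding only ROLE_USER.
        mockMvc.perform(get("/users").with(user("mallory").roles("USER")))
               .andExpect(status().isForbidden());
    }

    @Test
    void postWithoutCsrfTokenIsRejectedEvenForAdmin() throws Exception {
        // Right role, but no ${_csrf.token}: the CSRF filter answers 403 before the controller runs.
        mockMvc.perform(post("/users").param("dsEmail", "mallory@example.com")
                        .with(user("admin").roles("ADMINISTRATOR")))
               .andExpect(status().isForbidden());
    }

    @Test
    void adminWithCsrfTokenSucceeds() throws Exception {
        // The positive case, so the two refusals above are not just a broken route.
        mockMvc.perform(post("/users").param("dsEmail", "admin@example.com")
                        .with(user("admin").roles("ADMINISTRATOR"))
                        .with(csrf()))
               .andExpect(status().is2xxSuccessful());
    }
}
```

Each new controller gets the same three negative tests; if someone later removes @Secured or disables CSRF, the build fails rather than the next ZAP run being the first to notice.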

Step 8: Legal issues

Legal issues

• Privacy policy

• Terms of Use

• Age validation

• Copied images/logotypes

• Personal data storage (document number, birth date, etc.)

• Classified disclosure

Jonas Flesch me@jonasflesch.com
