Securing Java Web Applications
An introduction
Jonas Flesch
Index
• Spring Security
• Passwords
• SQL Injection
• JSTL
• Client-sent content
• Stack traces
• Test
• Legal issues
Step 1: Use Spring Security!!

Spring Security
• Authentication

    .formLogin()
        .loginPage("/login")
        .loginProcessingUrl("/authenticate")
        .failureUrl("/login?error=true")
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();
Spring Security
• Authorization

    @Controller
    @Secured(Roles.ROLE_ADMINISTRATOR)
    @RequestMapping(UserController.BASE_URL)
    public class UserController extends BaseController {
        // every handler in this controller now requires ROLE_ADMINISTRATOR
    }
Spring Security
• Cross-Site Request Forgery token

    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
Spring Security
• Good-practice headers
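As an added example, not part of the original slides, the points of Step 1 and Step 2 combined in one Spring Security 5.x Java configuration: the form login from the slide, @Secured enabled for the controllers, BCrypt as the password encoder, CSRF left on, and the good-practice response headers made explicit. The URL patterns and the BCrypt cost factor are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true) // makes @Secured on controllers effective
public class WebSecurityConfig {

    // Step 2: passwords are stored as salted BCrypt hashes (cost 12 is an assumed value)
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll() // assumed public paths
                .anyRequest().authenticated()
                .and()
            .formLogin()                                     // the slide's authentication block
                .loginPage("/login")
                .loginProcessingUrl("/authenticate")
                .failureUrl("/login?error=true")
                .usernameParameter("username")
                .passwordParameter("password")
                .permitAll()
                .and()
            .csrf()                                          // on by default; every POST form must carry ${_csrf.token}
                .and()
            .headers()                                       // good-practice headers (Spring's defaults, written out)
                .frameOptions().deny()                       // X-Frame-Options: DENY (clickjacking)
                .contentTypeOptions().and()                  // X-Content-Type-Options: nosniff
                .httpStrictTransportSecurity()               // Strict-Transport-Security on HTTPS responses
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000);
        return http.build();
    }
}
```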
Step 2: Passwords

Passwords
• Store them using a strong salted hash
  • Bcrypt
• Never send them by e-mail or store them in plain text
• Protect user creation/password recovery forms with a captcha
  • reCAPTCHA when possible
  • JCaptcha as second choice
Step 3: SQL Injection

SQL Injection
• Always use SQL parameters:

    @SqlUpdate("UPDATE User ug "
             + " SET DsEmail = :dsEmail"
             + " WHERE idUser = :idUser")
Step 4: Use JSTL carefully

JSTL
• Wrong: <input type="hidden" name="uuid" value="${UUID}"/>
• Correct: <input type="hidden" name="uuid" value="<c:out value="${UUID}"/>"/>
• Why? If UUID holds client-supplied text such as "><script>alert(1)</script>, the unescaped version renders as:
  <input type="hidden" name="uuid" value=""><script>alert(1)</script>"/>
• c:out escapes characters such as < and " as HTML entities (&lt;, &#034;), so the value stays inside the attribute
Step 5: Never trust content from the client

Never trust content from the client
• Never use file names from uploads
  • Use a UUID as the file name when saving to disk
• Put a limit on file size
  • Endless uploads can crash the server
• Validations made in JavaScript must be done again on the server
Step 6: Hide the stack traces!!!

Hide the stack traces
• An evil user can discover:
  • Frameworks/versions
  • Paths
  • Pieces of code/details of the implementation
• Solution:
  • Spring MVC @ControllerAdvice + @ExceptionHandler
  • web.xml error-page
Step 7: Test it!

Test
• OWASP ZAP
  • Automated testing
  • Every error found is important
  • Use the proxy on every functionality
  • Can be integrated into Continuous Integration
• Evil user in the scenarios
  • Automate it too!
Step 8: Legal issues

Legal issues
• Privacy policy
• Terms of Use
• Age validation
• Copied images/logotypes
• Personal data storage (document number, birth date, etc.)
• Classified disclosure
Jonas Flesch [email protected]