web application security and modern frameworks
DESCRIPTION
Presentation about Rich Internet Application security with GWT and Vaadin. Presented at 33rd Degree 2014 in Krakow.
TRANSCRIPT
Kim Leppänen & Leif Åstrand
Web Application Security and Modern Frameworks
Disclaimer: Highly technical content ahead. Participating in this lecture might change your perspective towards the security of your application. In some cases, listening to this presentation might cause symptoms such as raised awareness of security and general interest towards web application security.
<script language="javascript">
if (prompt("Enter password") == "supersecret") {
  document.location.href = "secret.html";
}
</script>
OWASP Top 10 (Open Web Application Security Project)
Rich Internet Applications
(Architecture diagrams: in GWT the UI logic runs in the client against the DOM, with business logic and the DB on the server; in Vaadin the UI logic, business logic and DB all live on the server, and the client-side DOM is handled by the framework.)
A1: Injection
Login form: Username demouser / Password ************

String sql =
    "SELECT * FROM users " +
    "WHERE " +
    "  username='" + request.getParameter("username") + "' AND " +
    "  password='" + request.getParameter("password") + "'";

// username = demouser
// password = secretpass

String sql =
    "SELECT * FROM users " +
    "WHERE " +
    "  username='demouser' AND " +
    "  password='secretpass'";

// username = demouser' --
// password = secretpass

String sql =
    "SELECT * FROM users " +
    "WHERE " +
    "  username='demouser' --' AND " +
    "  password='secretpass'";
GWT
• N/A
Vaadin
• N/A
Web frameworks can help
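The concatenation from the A1 slides placed beside its parameterized form, as an added example that is not part of the presentation. It assumes a users table with username and password columns and a JDBC Connection supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginQuery {

    // The slide's construction: user input is spliced into the SQL text.
    // With username "demouser' --" the quote closes the literal and "--"
    // comments out the rest of the WHERE clause, so the password is never checked.
    static String buildUnsafeSql(String username, String password) {
        return "SELECT * FROM users WHERE username='" + username
                + "' AND password='" + password + "'";
    }

    // Parameterized form: the SQL text is constant and the values are bound
    // separately, so quotes and comment markers in the input remain plain data.
    // Assumed schema: table "users" with columns username and password;
    // as the A6 slides say, the stored password should be a salted hash.
    static boolean authenticate(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the slides; the second pair is the bypass case.
        System.out.println(buildUnsafeSql("demouser", "secretpass"));
        System.out.println(buildUnsafeSql("demouser' --", "secretpass"));
    }
}
```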
A2: Broken Authentication and Session Management
Session ID fixation
Exposure of session ID
Exposing user credentials
GWT
• N/A
Vaadin
• Helper for changing session id
Web frameworks can help
A3: Cross-Site Scripting (XSS)
Demo: auction application
GWT
• setText
• SafeHtml
Vaadin
• setHtmlContentAllowed(false)
• Beware of tooltips (setDescription)
Web frameworks can help
Other things to keep in mind
The XSS filter evasion cheat sheet
Context is king
Consider using Markdown
A4: Insecure Direct Object References
GWT
• Not so much, since this is mostly a server-side thing
• Can be hard to realize the problem since requests are "invisible"
Vaadin
• All ids are generated values that the server uses to find the right object when needed
Web frameworks can help
A5: Security Misconfiguration
GWT
• N/A
Vaadin
• productionMode = true
Web frameworks can help
A6: Sensitive Data Exposure
Keep in mind
Avoid handling sensitive data, e.g. credit card numbers
Salt and hash passwords
Use SSL, no excuses!
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
Banking application example
Account 4059820-440198
Amount 130,00 €
http://your.bank/transfer?account=4059820-440198&amount=130,00
<img src="http://your.bank/transfer?account=4059820-440198&amount=130,00" />
You’ve got mail
Your bank
Rogue bank
Banking application example
Account 4059820-440198
Amount 130,00 €
http://your.bank/transfer?account=4059820-440198&amount=130,00&token=ab8342d8943nkg34iung3o9j
GWT
• GWT-RPC: XsrfTokenService and/or HasRpcToken
• RequestFactory: Make your own RequestTransport
Vaadin
• Secured out of the box
Web frameworks can help
A9: Using Components with Known Vulnerabilities
How do you know whether they are vulnerable?
A10: Unvalidated Redirects and Forwards
<a href="http://myapp.com?redirect=example.com/evil">Open app</a>
Very quick conclusion
Questions? [email protected]