java.sun.com/javaone/sf | 2004 JavaOne SM Conference | Session 1703 | How to Attack Java™ 2 Platform, Enterprise Edition (J2EE) Applications. Jeff Williams.

Presentation transcript:

How to Attack Java™ 2 Platform, Enterprise Edition (J2EE) Applications
Jeff Williams, CEO, Aspect Security; Chair, OWASP Foundation

Goal of Your Talk
Learn how hackers attempt to trick your code into doing bad things for them.
Bulletproof Code

Warning
Using these techniques without permission is illegal.
Knowledge is Power
By viewing this Birds of a Feather session (hereinafter “The Session”), I agree to refrain from the use of the techniques presented herein without first obtaining documented permission. I further agree to hold the presenter (hereinafter “Jeff”) harmless for any and all damage that may or may not result from the use of the knowledge in The Session. Any further use of the material presented in The Session is subject to all local laws and customs, and may be…

Agenda
─ Network Security Is Irrelevant
─ A Tool for Attacking/Testing J2EE Apps
─ Cross Site Scripting
─ SQL Injection
─ Session Hijacking
─ Denial of Service Attacks
─ Breaking Access Control
─ Error Handling and Logging
─ Weak Cryptography
─ Malicious Code

Hackers Trick Your Code
Network protection means nothing to application attackers.
[Diagram: an application attack passes straight through the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the custom developed application code and the systems behind it: Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing.]

Inside an HTTP Request
Attackers Can Manipulate Anything!

POST HTTP/1.0
Referer:
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: id.boa.com
Content-Length: 135
Cache-Control: no-cache
Cookie: BOA_Cookie=6EC CAFE337:*****1234; SERVERID= _12582_1; state=MD

reason=&Access_ID=jeff&Current_Passcode=java&acct=&pswd=&from=homepage&Customer_Type=MODEL&id=*******&rembme=Y&pc=*******&state=VA

All HTML form elements become strings in the clear!

WebScarab from OWASP (

Cross Site Scripting
Hacker tricks the user into sending a request whose search parameter contains script, e.g. alert(document.cookie).
Site reflects the script back to the user, where it executes and sends the session cookie to the hacker.

Example: Hello Trouble!
Every example program out there…

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.*;

public class HelloTrouble extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        // HTML markup reconstructed; the tags did not survive extraction of the slide
        out.println("<html>");
        out.println("<head><title>Hello Trouble!</title></head><body>");
        // The "name" parameter is written straight into the page: reflected XSS
        out.println("Hello, " + request.getParameter("name"));
        out.println("</body></html>");
    }
}
```

XSS can be used to hijack sessions or modify how web pages appear.

SQL Injection
Hacker sends SQL commands into a form field: 101' or '1'='1
Site executes the modified SQL query and returns results to the hacker.

Example: Query Disaster
Queries can be changed to disclose, modify, corrupt, or delete data.

Vulnerable version: request parameters concatenated into the SQL string. (The name of the first guestbook column and its parameter did not survive extraction; `field` stands in for both.)

```java
Class.forName("org.gjt.mm.mysql.Driver");
connection = DriverManager.getConnection(
    "jdbc:mysql:// /test?user=dba&password=java");   // credentials hard-coded in source
…
String field = req.getParameter( "Field" );          // placeholder for the lost parameter name
String company = req.getParameter( "Company" );
Statement statement = connection.createStatement();
// A ' in either parameter ends the string literal; whatever follows is executed as SQL
statement.execute( "INSERT INTO guestbook ( field, company ) values ( '"
    + field + "', '" + company + "' );" );
statement.close();
…
```

Please use PreparedStatement…

```java
Class.forName("org.gjt.mm.mysql.Driver");
// p: the slide's assumed configuration object that decrypts stored credentials
String dbuser = p.getEncryptedProperty("dbuser");
String dbpass = p.getEncryptedProperty("dbpass");
connection = DriverManager.getConnection(
    "jdbc:mysql:// /test?user=" + dbuser + "&password=" + dbpass);
…
String field = req.getParameter( "Field" );          // placeholder for the lost parameter name
String company = req.getParameter( "Company" );
PreparedStatement stmt = connection.prepareStatement(
    "INSERT INTO guestbook ( field, company ) values ( ?, ? )" );
stmt.setString( 1, field );      // bound as data, never parsed as SQL
stmt.setString( 2, company );
stmt.executeUpdate();            // an INSERT is an update, not a query
stmt.close();
```

Example: Command Injection

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.*;

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException {
    PrintWriter out = response.getWriter();
    Runtime runtime = Runtime.getRuntime();
    Process process = null;
    String user = request.getParameter("user");
    try {
        // The parameter is pasted into the command line, so whatever the
        // client sends becomes the arguments of finger
        process = runtime.exec( "finger " + user );
        out.println( "Hello, " + user );        // and is reflected unencoded
        // print output from process to out
    } catch (Exception e) {
        // The stack trace goes to the browser; ServletUtils is the slide's helper,
        // not a servlet API class
        out.println("Problem with finger: " + ServletUtils.getStackTraceAsString(e));
    }
}
```

Are You Running Your Web App as Root?
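A hardened version of the finger servlet, added here as an example (not code from the slides): the user name is accepted only if it matches a positive pattern, and it is handed to the process as one argument rather than pasted into a command string. The class name and the pattern are this example's own choices.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.util.regex.Pattern;
import javax.servlet.http.*;

// "Input -> System" boundary: validate first, then pass the value as a single
// argument. The container itself should run as an unprivileged account, not
// root, so that a mistake here cannot hand over the whole host.
public class FingerSafe extends HttpServlet {
    // 1-32 lowercase letters, digits, '_' or '-', not starting with '-' so the
    // value can never be read by finger as an option.
    private static final Pattern USER = Pattern.compile("[a-z0-9_][a-z0-9_-]{0,31}");

    // Returns the value unchanged when it is a well-formed user name, else null.
    static String validUser(String raw) {
        return raw != null && USER.matcher(raw).matches() ? raw : null;
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = response.getWriter();
        String user = validUser(request.getParameter("user"));
        if (user == null) {
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            out.println("Invalid user name");           // generic: input not echoed
            return;
        }
        // Argument array: no shell is involved and "user" is exactly one argument.
        ProcessBuilder pb = new ProcessBuilder("finger", user).redirectErrorStream(true);
        try {
            Process p = pb.start();
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(p.getInputStream()))) {
                String line;
                while ((line = in.readLine()) != null) {
                    out.println(line);
                }
            }
            p.waitFor();
        } catch (IOException | InterruptedException e) {
            // Never send the stack trace to the client; log it server-side instead
            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            out.println("Problem with finger");
            log("finger failed", e);   // GenericServlet.log(String, Throwable)
        }
    }
}
```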

Never Trust an HttpServletRequest
Trace the “taint” from all calls used to get input
─ HttpServletRequest.getParameter()
─ HttpServletRequest.getCookies()
─ HttpServletRequest.getHeader()
─ Etc…
Bad patterns
─ Input -> Output == Cross-Site Scripting (XSS)
─ Input -> Query == SQL Injection
─ Input -> System == Command Injection
The HttpServletRequest API does not do ANY validation!
Client-side validation is irrelevant.

Example: Faulty Struts!
Validation ain’t so simple

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionForm;

public class DamagedStrutsForm extends ActionForm {
    // session and logger are the slide's assumed helpers, not Struts API
    private UserSession session;
    private Logger logger;

    public void doForm(HttpServletRequest request) {
        UserBean u = session.getUserBean();
        u.setName(request.getParameter("name"));
        u.setFavoriteColor(request.getParameter("color"));   // never validated at all
    }

    public boolean validate(HttpServletRequest request) {
        try {
            // Checks "Name" while doForm reads "name": the wrong parameter is validated
            String param = request.getParameter("Name");
            // Blacklist of one spelling: a different case or any other tag passes
            if (param.indexOf("<script") != -1) {
                logger.log("Script detected");
                return false;
            }
        } catch (Exception e) {
            // A missing parameter throws NullPointerException here and is silently accepted
        }
        return true;
    }
}
```

It’s All Jon Postel’s Fault
“TCP implementations will follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others.”
-- Jon Postel, RFC 793, Sept. 1981

“Boundary Validation”
Validate at reasonable system boundaries
─ Between client and business logic
─ Between business logic and database
─ Between application and major libraries
─ Between major subsystems within an application
Do not rely on “Sender Validates”
─ Modified Postel’s Law…
─ “…be liberal in what you accept from others, then validate the hell out of it.”
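One way to put validation at the client/business-logic boundary, added here as an example for the taint-tracing, Faulty Struts and Boundary Validation slides (not code from the talk): a Filter wraps every request so that getParameter() only returns values that match a positive pattern for that exact parameter name. The class names and the three rules are this example's own assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Every servlet and ActionForm behind the filter reads parameters that have
// already been validated; none of them has to remember to do it.
public class ValidatingRequest extends HttpServletRequestWrapper {
    // Rules are keyed by the exact name the code reads, so a rule for "Name"
    // cannot be mistaken for one for "name" (the DamagedStrutsForm bug).
    private static final Map<String, Pattern> RULES = new HashMap<>();
    static {
        RULES.put("name",  Pattern.compile("[A-Za-z][A-Za-z .'-]{0,39}"));
        RULES.put("color", Pattern.compile("red|green|blue"));
        RULES.put("acct",  Pattern.compile("[0-9]{8,12}"));
    }
    public ValidatingRequest(HttpServletRequest req) { super(req); }

    // Positive validation: the whole value must match the rule for its name and
    // names without a rule are rejected. Nothing is "cleaned" and passed on.
    static boolean isValid(String name, String value) {
        Pattern p = RULES.get(name);
        return p != null && value != null && p.matcher(value).matches();
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if (value != null && !isValid(name, value)) {
            throw new IllegalArgumentException("Rejected parameter: " + name);
        }
        return value;
    }
}

// Mapped to /* in web.xml so that no request bypasses it.
class ValidationFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(new ValidatingRequest((HttpServletRequest) req), res);
        } catch (IllegalArgumentException e) {
            // Fail closed with a generic message; the rejected value is never echoed
            if (!res.isCommitted()) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid input");
            }
        }
    }
}
```

getParameterValues() and getParameterMap() need the same override, otherwise code that reads through them sees unvalidated values.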

Nikto (
> nikto.pl -h localhost -p 80 -c -verbose
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache Coyote/
server checks loaded
for GET: /servlet/org.apache.catalina.ContainerServlet/ alert(‘!')
for GET: /test/jsp/declaration/IntegerOverflow.jsp
for GET: /%22%3cscript%3ealert(%22xss%22)%3c/script%3e
for GET: /..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam
+ /admin/ Redirects to '
for GET: /../../../../../../../../../../etc/passwd
for GET: /jsp/jspsamp/jspexamples/viewsource.jsp?source=../../../../../etc/passwd
for GET: /servlet/allaire.jrun.ssi.SSIFilter
for GET: /servlet/com.unify.servletexec.UploadServlet
for GET: /servlet/ContentServer?pagename= alert('Vulnerable')
+ Got Cookie on file '/‘ value 'JSESSIONID=8CA5A9BF9E09B7EDF907944C C; Path=/admin'

Session Hijacking
A session is just as good as a username/password.
Protect like other credentials
─ Don’t send in the clear (use SSL)
─ Prevent cross site scripting
Use your environment’s JSESSIONID
─ Don’t craft your own
─ Don’t use multiple cookies
Regenerate the session identifier upon login
Don’t put the session identifier in the URL
─ They end up in bookmarks and referers
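The "regenerate the session identifier upon login" point in code, added here as an example (not code from the slides): the pre-login session is invalidated and a fresh one is created, carrying over its attributes but not its identifier. The class and method names are this example's own.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// The container discards the id the client used before authentication and
// issues a fresh JSESSIONID, so an identifier observed or planted before
// login never becomes a logged-in session. Attributes gathered before login
// (a cart, a locale) are kept.
public final class SessionRegeneration {
    private SessionRegeneration() {}

    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String n = names.nextElement();
                saved.put(n, old.getAttribute(n));
            }
            old.invalidate();                           // old id is now worthless
        }
        HttpSession fresh = request.getSession(true);   // new id, new Set-Cookie
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Called by the login servlet only after the credentials have been verified.
    public static void onLoginSuccess(HttpServletRequest request, String userId) {
        HttpSession s = regenerate(request);
        s.setAttribute("userId", userId);
        // A stolen id is only useful while the session lives: expire idle ones.
        s.setMaxInactiveInterval(15 * 60);
    }
}
```

The new cookie still travels in the clear unless the container's session cookie configuration marks it secure and the whole authenticated part of the site is served over SSL.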

Denial of Service Attacks
How much can your application take?
Flooding attacks
─ Easy for attackers
─ Don’t commit resources until necessary
─ Implement quotas and delays where possible
Lockout attacks
─ Be careful with “5 tries” policies

Breaking Access Control
Restricting users to authorized stuff only…
Testing approach
─ Walk the site as admin, then logout
─ Force browse to admin links as ordinary user
─ Also attempt to access other user resources
─ Don’t assume hackers can’t figure it out
Identifiers
─ Many sites use a global identifier (…?cart=10234)
─ Attackers will brute force if they have to
─ Use indirection with a user-specific identifier
The lack of a link is not a security mechanism.
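The "indirection with a user-specific identifier" advice worked through, added here as an example (not code from the slides): links carry a random per-session token instead of the global cart id, and a token resolves only inside the session that issued it. The class name, the attribute key and the cart example are this example's own.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;

// Pages show ...?cart=<token> rather than ...?cart=10234. Editing the value
// or trying ids in sequence cannot reach another user's cart: the map only
// knows the tokens it minted for this session, and they are not guessable.
public class IndirectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Long> tokenToId = new HashMap<>();
    private final Map<Long, String> idToToken = new HashMap<>();

    // The caller has already established that cartId belongs to this user
    // (e.g. it came from the user's own cart query); only such ids get tokens.
    public synchronized String indirect(long cartId) {
        String token = idToToken.get(cartId);
        if (token == null) {
            byte[] b = new byte[16];                  // 128 random bits
            RNG.nextBytes(b);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
            idToToken.put(cartId, token);
            tokenToId.put(token, cartId);
        }
        return token;
    }

    // Resolves a token taken from the request; null means "not yours": fail closed.
    public synchronized Long direct(String token) {
        return token == null ? null : tokenToId.get(token);
    }

    // One map per session makes the reference user-specific, not global.
    public static IndirectReferenceMap forSession(HttpSession session) {
        synchronized (session) {
            IndirectReferenceMap m = (IndirectReferenceMap) session.getAttribute("refmap");
            if (m == null) {
                m = new IndirectReferenceMap();
                session.setAttribute("refmap", m);
            }
            return m;
        }
    }
}
```

The indirection is a second line of defence; the code that loads the cart should still check that the resolved id belongs to the logged-in user.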

Error Handling and Logging
Attackers rely on error messages
─ Never printStackTrace() to the user
─ Don’t provide too much information
─ Catch all Exceptions and handle them appropriately
─ Be sure your mechanisms “fail closed”
Log message and error message are different
─ Don’t send unvalidated input back to user
─ Don’t send unvalidated input to the log
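A handler that follows both halves of this slide, added here as an example (not code from the talk): the user receives a generic message with an opaque reference id, the stack trace goes only to the server log, and the offending input is sanitized before it is logged. The class and method names are this example's own.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletResponse;

// Fail closed: the response is reset so no partial page leaks, the client
// gets nothing about the failure except a reference it can quote to support.
public final class ErrorHandling {
    private static final Logger LOG = Logger.getLogger("app");
    private ErrorHandling() {}

    // Unvalidated input must not reach the log as-is: CR/LF and other control
    // characters would let a request forge an extra, authentic-looking log
    // line, and an unbounded value would let it fill the disk.
    static String forLog(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < input.length() && sb.length() < 200; i++) {
            char c = input.charAt(i);
            sb.append(c < 0x20 || c == 0x7f ? '?' : c);
        }
        return sb.toString();
    }

    // Call from the catch block that surrounds request handling.
    public static void handle(Exception e, String offendingInput,
                              HttpServletResponse response) throws IOException {
        String ref = UUID.randomUUID().toString();
        // Full trace and sanitized input go to the server log only
        LOG.log(Level.SEVERE, "ref=" + ref + " input=" + forLog(offendingInput), e);
        if (!response.isCommitted()) {
            response.reset();
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Request failed; reference " + ref);
        }
    }
}
```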

Weak Cryptography
Keep sensitive information to a minimum
─ 1. Just don’t store it, users can re-enter
─ 2. Hash if you need to VERIFY sensitive information
─ 3. Encrypt if you must STORE sensitive information
Use the JCE carefully
─ Don’t write your own crypto
─ Protect your secrets
─ Plan for changing keys
─ Keep it simple
─ Never store plaintext passwords

Malicious Code
Who Wrote Those Libraries?
Illustrative fragments from the slide (not compilable as written):

```java
// Trojan Horse runs for admin
if ( System.getCurrentUser().getName().equals( "admin" ) )
    Runtime.exec( "sendmail < /etc/passwd" );
// Secret trigger removes all files on root partition
if( req.getParameter( "codeword" ).equals( "eagle" ) )
    Runtime.exec( "rm –rf /" );
// Randomly corrupt data one time in 100
if ( Math.random() < .01 ) bean.setValue( "corrupt" );
// Load and execute code from remote server
((A)(ClassLoader.getSystemClassLoader().defineClass(null, readBytesFromNetwork(), 0, 422).newInstance())).attack();
// Make backdoor look like inadvertent mistake
if ( input < 0 ) throw new RuntimeException( "Input error" );
```

Are you running with a SecurityManager enabled?

WebGoat from OWASP (

Summary
─ Never assume your code can’t be attacked
─ To stop a hacker, think like a hacker
─ Never trust an HttpServletRequest
─ Don’t trust libraries (run a SecurityManager)
─ Precompile JSPs
─ Check your code!

For More Information
The Open Web Application Security Project (OWASP) tools and guidelines
─ The OWASP Top Ten Most Critical Web Application Security Vulnerabilities
─ Sverre Huseby, “Innocent Code”: a security wake-up call for web programmers

Q&A
Any questions about web application security, Java or J2EE security, or OWASP?
