1 Tomcat Webapp Security
Jason Brittain
Software Architect, Mulesoft
Co-author, Tomcat: The Definitive Guide

2 HTTP Request Model Vulnerabilities
- Request Parameters
  - XSS
  - CSRF
  - HTML Injection
  - SQL Injection
- Request Headers
- Request URI
- Container-Level vs. Webapp-Level Filtering

3 How to Write Secure Webapps
- Use only HTTPS and disable all small key length ciphers
- Distrust and sanitize all input from the client
- Filter for CSRF (enable the CsrfPreventionFilter)
- Filter for XSS (enable the BadInputFilter): http://www.sf.net/projects/catnip
- Generally secure Tomcat
- Enable the Tomcat security manager and customize catalina.policy

4 Scanning Tools and Remediation
- Tools
- Process

5 Scanning Tools and Remediation (cont)
- Commercial scanning tools:
  - IBM Rational AppScan
  - HP WebInspect
  - Acunetix Web Vulnerability Scanner
- Open Source:
  - Ratproxy

6 Scanning Tools and Remediation (cont)
- Process for removing vulnerabilities:
  1. Scan
  2. Investigate reported vulnerabilities
  3. Fix the vulnerability
  4. Go to 1.

7 HTTP Caching and Security
- Browser Cache
- Proxy Cache

    // Standard HTTP 1.1 cache disabling header.
    httpResponse.setHeader("Cache-Control", "no-cache,must-revalidate");
    // Set IE extended HTTP 1.1 no-cache headers.
    httpResponse.addHeader("Cache-Control", "post-check=0,pre-check=0");
    // Tell proxy caches not to cache this resource.
    httpResponse.addHeader("Cache-Control", "proxy-revalidate");
    // Standard HTTP 1.0 cache disabling header.
    httpResponse.setHeader("Pragma", "no-cache");
    // Standard HTTP 1.0 cache disabling header. Prevents caching at the proxy server.
    httpResponse.setDateHeader("Expires", 0);

8 Use HTTPS
- Configure Your Webapp to Require HTTPS
- Disable Insecure Key Lengths / Ciphers
- Use v6.0.24 and Higher
- sessionCacheSize and sessionTimeout

9 Configuring for HTTPS-only
Configure your HTTPS connector:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="450" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore" keystorePass="shhhh"
               proxyHost="10.1.1.1" proxyPort="443"
               URIEncoding="UTF-8" maxHttpHeaderSize="32768"/>

10 Configuring for HTTPS-only (cont.)
Configure your HTTP connector to redirect to HTTPS:

    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="443"
               proxyHost="10.1.1.1" proxyPort="80"
               URIEncoding="UTF-8" maxHttpHeaderSize="32768"/>

11 Configuring for HTTPS-only (cont.)
In your webapp's WEB-INF/web.xml (the transcript dropped the XML tags; the standard security-constraint structure around the slide's values is restored here):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecureConnection</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>NonSecureConnectionOk</web-resource-name>
        <url-pattern>*.ico</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
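As an added example (not part of the slides), a small Python audit that parses a server.xml and web.xml pair and checks that the three steps above fit together: a TLS connector with scheme="https" and secure="true", every plain connector redirecting to the externally reachable TLS port (proxyPort rather than port when Tomcat sits behind a proxy, as in the slides), and a CONFIDENTIAL transport guarantee covering /*. The XML samples are constructed from the slide values; audit() and _local() are names introduced for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the two connectors from the slides, behind a proxy on 443/80.
SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" keystoreFile="conf/keystore" proxyHost="10.1.1.1" proxyPort="443"/>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" proxyHost="10.1.1.1" proxyPort="80"/>
</Service></Server>"""

# Constructed sample web.xml: everything CONFIDENTIAL, plain HTTP tolerated only for *.ico.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint><web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint>
  <security-constraint><web-resource-collection><url-pattern>*.ico</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint></security-constraint>
</web-app>"""

def _local(tag: str) -> str:
    # Strip a default-namespace prefix such as {http://java.sun.com/xml/ns/javaee} from a tag.
    return tag.rsplit("}", 1)[-1]

def audit(server_xml: str, web_xml: str) -> list[str]:
    """Return a list of findings; an empty list means every HTTPS-only check passed."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    tls = [c for c in connectors if c.get("SSLEnabled") == "true"]
    if not tls:
        findings.append('no connector has SSLEnabled="true"')
    for c in tls:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'TLS connector {c.get("port")} lacks scheme="https" secure="true"')
    # Behind a proxy the port clients reach is proxyPort, so redirectPort must match that.
    tls_ports = {c.get("proxyPort") or c.get("port") for c in tls}
    for c in connectors:
        if c not in tls and c.get("redirectPort") not in tls_ports:
            findings.append(f'plain connector {c.get("port")} does not redirect to a TLS port')
    # web.xml: some security-constraint with a CONFIDENTIAL guarantee must cover /*.
    confidential = set()
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) == "security-constraint":
            texts = {_local(e.tag): (e.text or "").strip() for e in sc.iter()}
            if texts.get("transport-guarantee") == "CONFIDENTIAL":
                confidential |= {(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"}
    if "/*" not in confidential:
        findings.append("web.xml has no CONFIDENTIAL transport-guarantee covering /*")
    return findings

if __name__ == "__main__":
    print(audit(SERVER_XML, WEB_XML) or "HTTPS-only configuration is consistent")
```

A redirectPort that names Tomcat's internal 8443 instead of the proxy's 443 is the mismatch this catches most often; a constraint downgraded to NONE on /* is the other.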

12 Configuring HTTPS
Disable “weak” encryption: see http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites

13 Connector Hardening
- port="-1"
- Max Post Size
- Max Http Header Size
- Max Threads

14 Java Security Manager
Prevents your webapp from:
- Reading/writing arbitrary files
- Making network connections
- Instantiating/using arbitrary Java packages & classes
- Etc.
To effectively use it you must:
- Write custom permissions rules
- Debug permissions issues
- Test exhaustively... it's not for everyone!

15 Webapp File Permissions
- Tomcat needs these readable, but not writable
- Don't write files in your webapp tree

16 Tomcat File Permissions
CIS: Apache Tomcat Security http://www.cisecurity.org/benchmarks.html
In general:
- Start with the whole tree read only
- conf/Catalina and conf/Catalina/localhost must be read/write
- temp/, work/ and logs/ need to be read/write
- webapps/ needs to be read/write, but not the webapp dirs

17 Monitor for Announced Vulnerabilities
- Tomcat project security vulnerabilities page: http://tomcat.apache.org/security.html
- Upgrade when there is a fix!

18 Additional Resources
- MuleSoft Tcat Server: http://www.mulesoft.com/tcat-server-enterprise-tomcat-application-server
- TLS Renegotiation Extension and Vulnerability: https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
- Web App Scanners Miss Half of Vulnerabilities: http://news.slashdot.org/story/10/02/06/1933211/Web-App-Scanners-Miss-Half-of-Vulnerabilities?art_pos=5
- Turning XSS Into Clickjacking: http://ha.ckers.org/blog/20100614/turning-xss-into-clickjacking

19 Q&A Thanks!
