Download presentation
Presentation is loading. Please wait.
Published byWilfrid Barrett Modified over 8 years ago
1
Tomcat Webapp Security Jason Brittain Software Architect, Mulesoft Co-author, Tomcat: The Definitive Guide
2
HTTP Request Model Vulnerabilities Request Parameters - XSS - CSRF - HTML Injection - SQL Injection Request Headers Request URI Container-Level vs. Webapp-Level Filtering
3
How to Write Secure Webapps Use only HTTPS and disable small key length ciphers all Distrust and sanitize all input from the client Filter for CSRF (Enable the CsrfPreventionFilter) Filter for XSS (Enable the BadInputFilter) http://www.sf.net/projects/catnip Generally secure Tomcat Enable the Tomcat security manager and customize catalina.policy
4
Scanning Tools and Remediation Tools Process
5
Scanning Tools and Remediation (cont) Commercial scanning tools: - IBM Rational AppScan - HP WebInspect - Acunetix Web Vulnerability Scanner Open Source: - Ratproxy
6
Scanning Tools and Remediation (cont) Process for removing vulnerabilities: 1. Scan 2. Investigate Reported Vulnerabilities 3. Fix vulnerability 4. Goto 1.
7
HTTP Caching and Security Browser Cache Proxy Cache // Standard HTTP 1.1 cache disabling header. httpResponse.setHeader("Cache-Control", "no-cache,must-revalidate"); // Set IE extended HTTP 1.1 no-cache headers. httpResponse.addHeader("Cache-Control", "post-check=0,pre-check=0"); // Tell proxy caches not to cache this resource. httpResponse.addHeader("Cache-Control", "proxy-revalidate"); // Standard HTTP 1.0 cache disabling header. httpResponse.setHeader("Pragma", "no-cache"); // Standard HTTP 1.0 cache disabling header. Prevents caching at the proxy server. httpResponse.setDateHeader("Expires", 0);
8
Use HTTPS Configure Your Webapp to Require HTTPS Disable Insecure Key Lengths / Ciphers Use v6.0.24 and Higher sessionCacheSize and sessionTimeout
9
Configuring for HTTPS-only Configure your HTTPS connector: <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="450" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS” keystoreFile="conf/keystore" keystorePass="shhhh" proxyHost="10.1.1.1" proxyPort="443" URIEncoding="UTF-8" maxHttpHeaderSize="32768"/>
10
Configuring for HTTPS-only (cont.) Configure your HTTP connector to redirect to HTTPS: <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" proxyHost="10.1.1.1" proxyPort="80" URIEncoding="UTF-8" maxHttpHeaderSize="32768"/>
11
Configuring for HTTPS-only (cont.) In your webapp's WEB-INF/web.xml: SecureConnection /* CONFIDENTIAL NonSecureConnectionOk *.ico NONE
12
Configuring HTTPS Disable “weak” encryption: See http://java.sun.com/javase/6/docs/technotes/guides/security/Sun Providers.html#SupportedCipherSuites
13
Connector Hardening port="-1" Max Post Size Max Http Header Size Max Threads
14
Java Security Manager Prevents your webapp from: Reading/writing arbitrary files Making network connections Instantiating/using arbitrary Java packages & classes Etc. To effectively use it you must: - Write custom permissions rules - Debug permissions issues - Test exhaustively.. it's not for everyone!
15
Webapp File Permissions - Tomcat needs these readable, but not writable - Don't write files in your webapp tree
16
Tomcat File Permissions CIS: Apache Tomcat Security http://www.cisecurity.org/benchmarks.html In general: - Start with the whole tree read only conf/Catalina - conf/Catalina and conf/Catalina/localhost must be read/write - temp/ work/ and logs/ need to be read/write - webapps/ needs to be read/write, but not webapp dirs
17
Monitor for Announced Vulnerabilities Tomcat project security vulnerabilities page: http://tomcat.apache.org/security.html Upgrade when there is a fix!
18
Additional Resources MuleSoft Tcat Server http://www.mulesoft.com/tcat-server-enterprise-tomcat-application- server TLS Renegotiation Extension and Vulnerability https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls- renegotiate.txt Web App Scanners Miss Half of Vulnerabilities http://news.slashdot.org/story/10/02/06/1933211/Web-App- Scanners-Miss-Half-of-Vulnerabilities?art_pos=5 Turning XSS Into Clickjacking http://ha.ckers.org/blog/20100614/turning-xss-into-clickjacking
19
Q&A Thanks!
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.