SlideShare a Scribd company logo

JavaFest. Nanne Baars. Web application security for developers

F
FestGroup

The document discusses key security practices for developers, emphasizing the importance of safeguarding secrets, preventing vulnerabilities like path traversal and host header injection, and implementing robust cryptographic solutions. It highlights tools and strategies for managing secrets and securing applications against common exploits, including the use of frameworks like Spring Security. Developers are encouraged to enhance their security knowledge through code reviews and the adoption of comprehensive security guidelines.

Education
1 of 55
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
SECURITY FOR DEVELOPERS Nanne Baars
About me ¨ Java developer ¨ Developer à Security consultant à Developer ¨ Project lead of WebGoat à https://github.com/WebGoat/
WebGoat is… ¨ A deliberately vulnerable web application maintained by OWASP designed to teach web application security lessons. ¨ In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application
https://webgoat.github.io/WebGoat/ Learn in 3 steps
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developers
- Examples - Background - How to prevent
https://www.pentestpartners.com/security-blog/hacking-ski-helmet-audio/
https://www.pentestpartners.com/security-blog/hacking-ski-helmet-audio/
JavaFest. Nanne Baars. Web application security for developers
Secret management
Still a problem https://darkport.co.uk/blog/ahh-shhgit!/
https://darkport.co.uk/blog/ahh-shhgit!/
JavaFest. Nanne Baars. Web application security for developers
https://blog.milessteele.com/posts/2013-07-07-hiding-djangos-secret-key.html
JavaFest. Nanne Baars. Web application security for developers
Within projects as developers… ¨ Make sure secrets do not end up in Git ¤ Encrypt your secrets (for example like Travis CI) ¤ More fancy use Vault, KeyCloak etc ¨ Use tooling to scan your repository ¨ Define a policy what should be done in case it happens ¤ Git history
As a team… ¨ Think about what to do when a team member leaves… ¤ Think about how many systems you have access to, is the access to AWS, Kubernetes, Github, Gitlab, Jira etc centrally provided? ¨ Again, have a clear policy in place
Easy to automate
Cryptography
private static final byte[] ENCRYPT_IV = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; public static String encrypt(String dataPassword, String cleartext) throws Exception { IvParameterSpec zeroIv = new IvParameterSpec(ENCRYPT_IV); SecretKeySpec key = new SecretKeySpec(dataPassword.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, key, zeroIv); … } private static final byte[] ENCRYPT_IV = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; public static String encrypt(String dataPassword, String cleartext) throws Exception { IvParameterSpec zeroIv = new IvParameterSpec(ENCRYPT_IV); SecretKeySpec key = new SecretKeySpec(dataPassword.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, key, zeroIv); … }
Cryptography vs developers
“In this post I will show you how to use RSA in Java…..” public static String encrypt(String plainText, PublicKey publicKey) { Cipher encryptCipher = Cipher.getInstance("RSA"); encryptCipher.init(Cipher.ENCRYPT_MODE, publicKey); byte[] cipherText = encryptCipher.doFinal(plainText.getBytes(UTF_8)); return Base64.getEncoder().encodeToString(cipherText); }
public static void main(String [] args) throws Exception { // generate public and private keys … // sign the message byte [] signed = encrypt(privateKey, "This is a secret message"); System.out.println(new String(signed)); // <<signed message>> // verify the message byte[] verified = decrypt(pubKey, encrypted); System.out.println(new String(verified)); // This is a secret message } public static byte[] encrypt(PrivateKey privateKey, String message) { Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.ENCRYPT_MODE, privateKey); return cipher.doFinal(message.getBytes()); } public static byte[] decrypt(PublicKey publicKey, byte [] encrypted) { Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.DECRYPT_MODE, publicKey); return cipher.doFinal(encrypted); }
JavaFest. Nanne Baars. Web application security for developers
Solution - Libsodium or Google Tink
https://github.com/google/tink
Path traversal ¨ A path(directory) traversal is a vulnerability where an attacker is able to access or store files and directories outside the location where the application is running. ¨ For example: http://example.com/file=report.pdf ¨ Change into: http://example.com/file=../../../../../etc/passwd ¨ In case of a file upload you might be able to overwrite other files
https://hackerone.com/reports/827052
https://snyk.io/research/zip-slip-vulnerability
Mitigation in file upload var multiPartFile = ... var targetFile = new File("/tmp", multiPartFile.getOriginalName()); var canonicalPath = targetFile.getCanonicalPath(); if (!canonicalPath.startWith("/tmp") { throw new IllegalArgumentException("Invalid filename"); } IOUtils.copy(multiPartFile.getBytes(), targetFile);
Input validation ¨ Check for ../ ¨ Be aware of encoding: %2e%2e/%2f ¨ Spring Security has: StrictHttpFirewall which automatically drops a request if the path variable contains ../
@Getter("/f") public void f(@RequestParam("name") String name) { //name is automatically decoded so %2E%2E%2F%2E%2E%2Ftest //will become ../../test } @Getter("/g") public void g(HttpServletRequest request) { var queryString = request.getQueryString(); // will return %2E%2E%2F%2E%2E%2Ftest } @Getter("/h") public void h(HttpServletRequest request) { var name = request.getParam("name"); //will return ../../test
Host-Header Injection ¨ In web applications, developers use the HTTP Host header available in HTTP request ¨ A remote attacker can exploit this by sending a fake header with a domain name under the attackers control.
Often found during password reset curl 'https://webgoat-cloud.net/create-password-reset-link' --data-raw 'email=test1234@webgoat-cloud.net'
Let’s do that again… curl 'http://webgoat-cloud.net/create-password-reset-link' -H'Host: attacker.com' --data-raw 'email=test1234@webgoat.org'
JavaFest. Nanne Baars. Web application security for developers
JavaFest. Nanne Baars. Web application security for developers
Example 2: Azure Authentication / Spring Boot Example.com
Easy to setup ¨ Standard Spring Boot / Azure auto configuration provided 1. Register your application with your Azure Active Directory Tenant 2. Configure application.properties spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx azure.activedirectory.active-directory-groups=group1, group2
Spring Boot configuration ¨ We enabled this setting in the application.properties: server.use-forward-headers=true
curl -i http://localhost:8080 HTTP/1.1 302 Found Location: http://localhost:8080/oauth2/authorization/azure curl -i http://localhost:8080/oauth2/authorization/azure HTTP/1.1 302 Found Location: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code https://graph.microsoft.com/user.read&state=& redirect_uri=http://localhost:8080/login/oauth2/code/azure
Now let’s try curl -i -H"X-Forwarded-Host: attacker.com" http://localhost:8080/ HTTP/1.1 302 Found Location: http://attacker.com/oauth2/authorization/azure
But wait how does the redirect_uri work? curl -i http://localhost:8080/oauth2/authorization/azure HTTP/1.1 302 Found Location: https://login.microsoftonline.com/common/oauth2/authorize?response_type=codehttps://graph. microsoft.com/user.read&state=&redirect_uri=http://localhost:8080/login/oauth2/code/azure spring.security.oauth2.client.registration.azure.redirect-uri-template={baseUrl}/login/oauth2/code/{registrationId}
curl -i -H"X-Forwarded-Host: attacker.com" http://localhost:8080/oauth2/authorization/azure HTTP/1.1 302 Found Location: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code https://graph.microsoft.com/user.read&state=& redirect_uri=http://attacker.com/login/oauth2/code/azure
(Un)fortunately this does not work J https://tools.ietf.org/html/rfc6749#section-10.6
JavaFest. Nanne Baars. Web application security for developers
Recap ¨ This is not a bug in Spring security ¨ Something which happened because we added: server.use-forward-headers=true
Solution /** * <p> * Determines which hostnames should be allowed. The default is to allow any * hostname. * </p> * * @param allowedHostnames the predicate for testing hostnames * @since 5.2 */ public void setAllowedHostnames(Predicate<String> allowedHostnames) { if (allowedHostnames == null) { throw new IllegalArgumentException("allowedHostnames cannot be null"); } this.allowedHostnames = allowedHostnames; }
@Bean public HttpFirewall firewall() { StrictHttpFirewall firewall = new StrictHttpFirewall(); firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST")); firewall.setAllowedHostnames(s -> s.equals("localhost")); curl -i -H"X-Forwarded-Host: attacker.com" http://localhost:8080/ java.lang.RuntimeException: org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the domain attacker.com is untrusted. at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:507) at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:427)
Solution ¨ As developers we are responsible to validate those headers ¨ Verify all headers you can receive from the outside. ¤ This includes: X-Forwarded-For, X-Forwarded-Host etc ¨ Do not rely on thinking reversed proxy will solve this! ¨ Check to see whether the framework has built in protection
Where to start... 1. Make developers security aware n Code review n Practice / learn / adapt 2. Adopt a security guideline in your team 3. Test your own application 4. Start using tools to find to most obvious mistakes

More Related Content

DOCX
MISE EN PLACE DE SERVICES RESEAUX ET OPTIMISATION DE LA SECURITE AU SEIN DE l...
mouliom matapit hermann cedric
 
PDF
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
Matt Raible
 
PPTX
Secure Coding for NodeJS
Thang Chung
 
PDF
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Jérémy Derussé
 
PDF
Step-by-step Development of an Application for the Java Card Connected Platform
Eric Vétillard
 
PDF
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Carlos Sanchez
 
PDF
Securing Cassandra for Compliance
DataStax
 
PDF
Hardening cassandra q2_2016
zznate
 
MISE EN PLACE DE SERVICES RESEAUX ET OPTIMISATION DE LA SECURITE AU SEIN DE l...
mouliom matapit hermann cedric
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
Matt Raible
 
Secure Coding for NodeJS
Thang Chung
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Jérémy Derussé
 
Step-by-step Development of an Application for the Java Card Connected Platform
Eric Vétillard
 
Continuous Delivery with Maven, Puppet and Tomcat - ApacheCon NA 2013
Carlos Sanchez
 
Securing Cassandra for Compliance
DataStax
 
Hardening cassandra q2_2016
zznate
 

Similar to JavaFest. Nanne Baars. Web application security for developers (20)

PDF
Service Worker - Reliability bits
jungkees
 
PPTX
Building Your Own IoT Platform using FIWARE GEis
FIWARE
 
PDF
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
QCloudMentor
 
PDF
Hta t07-did-you-read-the-news-http-request-hijacking
Комсс Файквэе
 
PDF
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
 
PDF
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
PDF
Fun With Spring Security
Burt Beckwith
 
PDF
PHP SA 2014 - Releasing Your Open Source Project
xsist10
 
PDF
I/O Extended 2019 WebTech - New capabilities for the web
HanboramRobinJang
 
PDF
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
PDF
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
Matt Raible
 
PDF
Deploying Django with Ansible
andrewmirskynet
 
PDF
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
Andrey Devyatkin
 
PPTX
Azure from scratch part 4
Girish Kalamati
 
PDF
Cloud 101: Hands-on Heroku & AWS
Amine Sadry
 
PPT
General Principles of Web Security
jemond
 
PDF
Nko workshop - node js crud & deploy
Simon Su
 
ODP
Rapid JCR Applications Development with Sling
Felix Meschberger
 
PDF
Greach 2019 - Creating Micronaut Configurations
Iván López Martín
 
PDF
Securing Prometheus exporters using HashiCorp Vault
Bram Vogelaar
 
Service Worker - Reliability bits
jungkees
 
Building Your Own IoT Platform using FIWARE GEis
FIWARE
 
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ...
QCloudMentor
 
Hta t07-did-you-read-the-news-http-request-hijacking
Комсс Файквэе
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE
 
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
Fun With Spring Security
Burt Beckwith
 
PHP SA 2014 - Releasing Your Open Source Project
xsist10
 
I/O Extended 2019 WebTech - New capabilities for the web
HanboramRobinJang
 
Burn down the silos! Helping dev and ops gel on high availability websites
Lindsay Holmwood
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
Matt Raible
 
Deploying Django with Ansible
andrewmirskynet
 
2020-02-20 - HashiCorpUserGroup Madring - Integrating HashiCorp Vault and Kub...
Andrey Devyatkin
 
Azure from scratch part 4
Girish Kalamati
 
Cloud 101: Hands-on Heroku & AWS
Amine Sadry
 
General Principles of Web Security
jemond
 
Nko workshop - node js crud & deploy
Simon Su
 
Rapid JCR Applications Development with Sling
Felix Meschberger
 
Greach 2019 - Creating Micronaut Configurations
Iván López Martín
 
Securing Prometheus exporters using HashiCorp Vault
Bram Vogelaar
 
Ad

More from FestGroup (10)

PPTX
JavaFest. Барух Садогурский. DevOps для разработчиков (или против них?!)
FestGroup
 
PDF
JavaFest. Виктор Полищук. Legacy: как победить в гонке
FestGroup
 
PDF
JavaFest. Cedrick Lunven. Build APIS with SpringBoot - REST, GRPC, GRAPHQL wh...
FestGroup
 
PDF
JavaFest. Philipp Krenn. Scale Elasticsearch for Your Java Applications
FestGroup
 
PDF
JavaFest. Grzegorz Piwowarek. Hazelcast - Hitchhiker’s Guide
FestGroup
 
PDF
JavaFest. Денис Макогон. 6 заблуждений относительно современной Java
FestGroup
 
PDF
JavaFest. Taras Boychuk. There is always a choice. Spring Data JDBC vs. Hiber...
FestGroup
 
PDF
JavaFest. Вадим Казулькин. Projects Valhalla, Loom and GraalVM
FestGroup
 
PDF
JavaFest. Антон Лемешко. Model-Driven Development in the Open Java Universe
FestGroup
 
PDF
JavaFest. Дмитрий Сергеев. Data processing with Kafka Streams and Spring Fram...
FestGroup
 
JavaFest. Барух Садогурский. DevOps для разработчиков (или против них?!)
FestGroup
 
JavaFest. Виктор Полищук. Legacy: как победить в гонке
FestGroup
 
JavaFest. Cedrick Lunven. Build APIS with SpringBoot - REST, GRPC, GRAPHQL wh...
FestGroup
 
JavaFest. Philipp Krenn. Scale Elasticsearch for Your Java Applications
FestGroup
 
JavaFest. Grzegorz Piwowarek. Hazelcast - Hitchhiker’s Guide
FestGroup
 
JavaFest. Денис Макогон. 6 заблуждений относительно современной Java
FestGroup
 
JavaFest. Taras Boychuk. There is always a choice. Spring Data JDBC vs. Hiber...
FestGroup
 
JavaFest. Вадим Казулькин. Projects Valhalla, Loom and GraalVM
FestGroup
 
JavaFest. Антон Лемешко. Model-Driven Development in the Open Java Universe
FestGroup
 
JavaFest. Дмитрий Сергеев. Data processing with Kafka Streams and Spring Fram...
FestGroup
 
Ad

Recently uploaded (20)

PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PPTX
master seminar digital applications in india
ananyaray35
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
RMMM.pdf make it easy to upload and study
sajedul2
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
Basic Mud Logging Guide for educational purpose
wdandworks
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
master seminar digital applications in india
ananyaray35
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
Classroom Observation Tools for Teachers
Nicaramirez
 

JavaFest. Nanne Baars. Web application security for developers

  • 2. About me ¨ Java developer ¨ Developer à Security consultant à Developer ¨ Project lead of WebGoat à https://github.com/WebGoat/
  • 3. WebGoat is… ¨ A deliberately vulnerable web application maintained by OWASP designed to teach web application security lessons. ¨ In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application
  • 10. - Examples - Background - How to prevent
  • 20. Within projects as developers… ¨ Make sure secrets do not end up in Git ¤ Encrypt your secrets (for example like Travis CI) ¤ More fancy use Vault, KeyCloak etc ¨ Use tooling to scan your repository ¨ Define a policy what should be done in case it happens ¤ Git history
  • 21. As a team… ¨ Think about what to do when a team member leaves… ¤ Think about how many systems you have access to, is the access to AWS, Kubernetes, Github, Gitlab, Jira etc centrally provided? ¨ Again, have a clear policy in place
  • 24. private static final byte[] ENCRYPT_IV = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; public static String encrypt(String dataPassword, String cleartext) throws Exception { IvParameterSpec zeroIv = new IvParameterSpec(ENCRYPT_IV); SecretKeySpec key = new SecretKeySpec(dataPassword.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, key, zeroIv); … } private static final byte[] ENCRYPT_IV = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; public static String encrypt(String dataPassword, String cleartext) throws Exception { IvParameterSpec zeroIv = new IvParameterSpec(ENCRYPT_IV); SecretKeySpec key = new SecretKeySpec(dataPassword.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, key, zeroIv); … }
  • 26. “In this post I will show you how to use RSA in Java…..” public static String encrypt(String plainText, PublicKey publicKey) { Cipher encryptCipher = Cipher.getInstance("RSA"); encryptCipher.init(Cipher.ENCRYPT_MODE, publicKey); byte[] cipherText = encryptCipher.doFinal(plainText.getBytes(UTF_8)); return Base64.getEncoder().encodeToString(cipherText); }
  • 27. public static void main(String [] args) throws Exception { // generate public and private keys … // sign the message byte [] signed = encrypt(privateKey, "This is a secret message"); System.out.println(new String(signed)); // <<signed message>> // verify the message byte[] verified = decrypt(pubKey, encrypted); System.out.println(new String(verified)); // This is a secret message } public static byte[] encrypt(PrivateKey privateKey, String message) { Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.ENCRYPT_MODE, privateKey); return cipher.doFinal(message.getBytes()); } public static byte[] decrypt(PublicKey publicKey, byte [] encrypted) { Cipher cipher = Cipher.getInstance("RSA"); cipher.init(Cipher.DECRYPT_MODE, publicKey); return cipher.doFinal(encrypted); }
  • 29. Solution - Libsodium or Google Tink
  • 31. Path traversal ¨ A path(directory) traversal is a vulnerability where an attacker is able to access or store files and directories outside the location where the application is running. ¨ For example: http://example.com/file=report.pdf ¨ Change into: http://example.com/file=../../../../../etc/passwd ¨ In case of a file upload you might be able to overwrite other files
  • 34. Mitigation in file upload var multiPartFile = ... var targetFile = new File("/tmp", multiPartFile.getOriginalName()); var canonicalPath = targetFile.getCanonicalPath(); if (!canonicalPath.startWith("/tmp") { throw new IllegalArgumentException("Invalid filename"); } IOUtils.copy(multiPartFile.getBytes(), targetFile);
  • 35. Input validation ¨ Check for ../ ¨ Be aware of encoding: %2e%2e/%2f ¨ Spring Security has: StrictHttpFirewall which automatically drops a request if the path variable contains ../
  • 36. @Getter("/f") public void f(@RequestParam("name") String name) { //name is automatically decoded so %2E%2E%2F%2E%2E%2Ftest //will become ../../test } @Getter("/g") public void g(HttpServletRequest request) { var queryString = request.getQueryString(); // will return %2E%2E%2F%2E%2E%2Ftest } @Getter("/h") public void h(HttpServletRequest request) { var name = request.getParam("name"); //will return ../../test
  • 37. Host-Header Injection ¨ In web applications, developers use the HTTP Host header available in HTTP request ¨ A remote attacker can exploit this by sending a fake header with a domain name under the attackers control.
  • 38. Often found during password reset curl 'https://webgoat-cloud.net/create-password-reset-link' --data-raw 'email=test1234@webgoat-cloud.net'
  • 39. Let’s do that again… curl 'http://webgoat-cloud.net/create-password-reset-link' -H'Host: attacker.com' --data-raw 'email=test1234@webgoat.org'
  • 42. Example 2: Azure Authentication / Spring Boot Example.com
  • 43. Easy to setup ¨ Standard Spring Boot / Azure auto configuration provided 1. Register your application with your Azure Active Directory Tenant 2. Configure application.properties spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx azure.activedirectory.active-directory-groups=group1, group2
  • 44. Spring Boot configuration ¨ We enabled this setting in the application.properties: server.use-forward-headers=true
  • 45. curl -i http://localhost:8080 HTTP/1.1 302 Found Location: http://localhost:8080/oauth2/authorization/azure curl -i http://localhost:8080/oauth2/authorization/azure HTTP/1.1 302 Found Location: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code https://graph.microsoft.com/user.read&state=& redirect_uri=http://localhost:8080/login/oauth2/code/azure
  • 46. Now let’s try curl -i -H"X-Forwarded-Host: attacker.com" http://localhost:8080/ HTTP/1.1 302 Found Location: http://attacker.com/oauth2/authorization/azure
  • 47. But wait how does the redirect_uri work? curl -i http://localhost:8080/oauth2/authorization/azure HTTP/1.1 302 Found Location: https://login.microsoftonline.com/common/oauth2/authorize?response_type=codehttps://graph. microsoft.com/user.read&state=&redirect_uri=http://localhost:8080/login/oauth2/code/azure spring.security.oauth2.client.registration.azure.redirect-uri-template={baseUrl}/login/oauth2/code/{registrationId}
  • 48. curl -i -H"X-Forwarded-Host: attacker.com" http://localhost:8080/oauth2/authorization/azure HTTP/1.1 302 Found Location: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code https://graph.microsoft.com/user.read&state=& redirect_uri=http://attacker.com/login/oauth2/code/azure
  • 49. (Un)fortunately this does not work J https://tools.ietf.org/html/rfc6749#section-10.6
  • 51. Recap ¨ This is not a bug in Spring security ¨ Something which happened because we added: server.use-forward-headers=true
  • 52. Solution /** * <p> * Determines which hostnames should be allowed. The default is to allow any * hostname. * </p> * * @param allowedHostnames the predicate for testing hostnames * @since 5.2 */ public void setAllowedHostnames(Predicate<String> allowedHostnames) { if (allowedHostnames == null) { throw new IllegalArgumentException("allowedHostnames cannot be null"); } this.allowedHostnames = allowedHostnames; }
  • 53. @Bean public HttpFirewall firewall() { StrictHttpFirewall firewall = new StrictHttpFirewall(); firewall.setAllowedHttpMethods(Arrays.asList("GET", "POST")); firewall.setAllowedHostnames(s -> s.equals("localhost")); curl -i -H"X-Forwarded-Host: attacker.com" http://localhost:8080/ java.lang.RuntimeException: org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the domain attacker.com is untrusted. at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:507) at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:427)
  • 54. Solution ¨ As developers we are responsible to validate those headers ¨ Verify all headers you can receive from the outside. ¤ This includes: X-Forwarded-For, X-Forwarded-Host etc ¨ Do not rely on thinking reversed proxy will solve this! ¨ Check to see whether the framework has built in protection
  • 55. Where to start... 1. Make developers security aware n Code review n Practice / learn / adapt 2. Adopt a security guideline in your team 3. Test your own application 4. Start using tools to find to most obvious mistakes