JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot
3 likes641 views
This document discusses securing applications in the cloud using Angular and Spring Boot. It covers topics like authentication, authorization, injection attacks, cross-site scripting, and securing APIs. Angular provides protection against XSS by sanitizing templates and inputs. Spring Security enables authentication, CSRF protection, and secure sessions by default. The document also discusses securing configurations and secrets in the cloud using Spring Cloud and Vault. Overall it provides an overview of application security best practices for building apps with Angular and Spring Boot that are deployed to the cloud.
![ANGULAR COMPONENT
TYPESCRIPT
@Component({
selector: 'app-root',
templateUrl: 'app.component.html',
styleUrls: ['app.component.css']
})
export class AppComponent {
untrustedHtml:string =
'<em><script>alert("hello")</script></em>';
}
4 . 7](https://image.slidesharecdn.com/sicherindiecloudangularspringboot-170510205016/85/JAX-2017-Sicher-in-die-Cloud-mit-Angular-und-Spring-Boot-15-320.jpg)
![ANGULAR TEMPLATE
HTML BINDINGS
<h2>Binding of potentially dangerous HTML-snippets</h2>
<h3>Encoded HTML snippet</h3>
<h3 class="trusted">{{untrustedHtml}}</h3>
<h3>Sanitized HTML snippet</h3>
<h3 class="trusted" [innerhtml]="untrustedHtml"></h3>
4 . 8](https://image.slidesharecdn.com/sicherindiecloudangularspringboot-170510205016/85/JAX-2017-Sicher-in-die-Cloud-mit-Angular-und-Spring-Boot-16-320.jpg)
![SPRING MVC + SPRING DATA JPA
PREVENT INJECTIONS USING BEAN VALIDATION
@Entity
public class Person extends AbstractPersistable<Long> {
@NotNull
@Pattern(regexp = "^[A-Za-z0-9- ]{1,30}$")
private String lastName;
@NotNull
@Enumerated(EnumType.STRING)
private GenderEnum gender;
...
}
5 . 3](https://image.slidesharecdn.com/sicherindiecloudangularspringboot-170510205016/85/JAX-2017-Sicher-in-die-Cloud-mit-Angular-und-Spring-Boot-21-320.jpg)
JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot
- 1. SICHER IN DIE CLOUD MIT ANGULAR UND SPRING BOOT 9. MAI 2017 1
- 4. 3 . 2
- 5. SQLInjectionCSRFXSS OWASP OAuth2 OpenID-Connect AbUser-Stories AuthenticationAuthorization Secure Coding Security-Testing SSO DoSSensitive-Data Data- Privacy Crypto Code-ReviewsThreat- ModelingArchitectureDependencies DASTSAML SAST DevSecOps 3 . 3
- 6. SQLInjectionCSRFXSS OWASP OAuth2OpenID-Connect Authentication Authorization Secure CodingSecurity- Testing 3 . 4
- 8. APP SECURITY VERIFICATION STANDARD PRO ACTIVE CONTROLS https://github.com/OWASP/ASVS https://www.owasp.org/index.php/ OWASP_Proactive_Controls 3 . 6
- 10. ANGULARJS = ANGULAR 1 ANGULAR = ANGULAR 2.X, 4.X, 5.X, ... 4 . 2
- 11. A3: CROSS-SITE SCRIPTING (XSS) 4 . 3
- 13. ANGULAR SECURITY “...The basic idea is to implement automatic, secure escaping for all values that can reach the DOM... By default, with no speci c action for developers, Angular apps must be secure...” https://github.com/angular/angular/issues/8511 4 . 5
- 14. ANGULAR XSS PROTECTION ANGULAR TEMPLATE = SAFE INPUT VALUES = UNSAFE 4 . 6
- 15. ANGULAR COMPONENT TYPESCRIPT @Component({ selector: 'app-root', templateUrl: 'app.component.html', styleUrls: ['app.component.css'] }) export class AppComponent { untrustedHtml:string = '<em><script>alert("hello")</script></em>'; } 4 . 7
- 16. ANGULAR TEMPLATE HTML BINDINGS <h2>Binding of potentially dangerous HTML-snippets</h2> <h3>Encoded HTML snippet</h3> <h3 class="trusted">{{untrustedHtml}}</h3> <h3>Sanitized HTML snippet</h3> <h3 class="trusted" [innerhtml]="untrustedHtml"></h3> 4 . 8
- 17. UNSAFE ANGULAR API'S ElementRef: Direct access to DOM! DomSanitizer: Deactivates XSS-Protection! Do NOT use! https://angular.io/docs/ts/latest 4 . 9
- 18. DEMO 4 . 10
- 19. BACKEND 5 . 1
- 20. A1: INJECTION 5 . 2
- 21. SPRING MVC + SPRING DATA JPA PREVENT INJECTIONS USING BEAN VALIDATION @Entity public class Person extends AbstractPersistable<Long> { @NotNull @Pattern(regexp = "^[A-Za-z0-9- ]{1,30}$") private String lastName; @NotNull @Enumerated(EnumType.STRING) private GenderEnum gender; ... } 5 . 3
- 22. SPRING DATA JPA PREVENT SQL-INJECTION USING PREPARED STATEMENTS @Query( "select u from User u where u.username = " + " :username and u.password = :password") User findByUsernameAndPassword( @Param("username") String username, @Param("password") String password); 5 . 4
- 23. A8: CROSS-SITE REQUEST FORGERY (CSRF) 5 . 5
- 24. DOUBLE SUBMIT CSRF TOKEN 5 . 6
- 25. SPRING SECURITY SECURE BY DEFAULT Authentication required for all HTTP endpoints Session Fixation Protection Session Cookie (HttpOnly, Secure) CSRF Protection Security Response Header 5 . 7
- 26. SPRING SECURITY CSRF CONFIGURATION ANGULAR SUPPORT @Configuration public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { … http .csrf().csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse() ); } 5 . 8
- 27. WHO AM I? A2: BROKEN AUTHENTICATION AND SESSION MANAGEMENT A10: UNDERPROTECTED APIS 5 . 9
- 28. AUTHENTICATION (STATEFUL OR STATELESS?) Session Cookie Token (Bearer, JWT) With each Request Manually as Header Potential CSRF! No CSRF possible Persisted when unloading DOM No automatic persistence One domain Cross domain (CORS) Sensitive Information (HTTPS) Sensitive Information (HTTPS) 5 . 10
- 29. OAUTH 2 5 . 11
- 30. OPENID CONNECT 5 . 12
- 31. OAUTH 2 / OPENID CONNECT RESOURCE @EnableResourceServer @Configuration public class OAuth2Configuration { @Bean public JwtAccessTokenConverterConfigurer jwtAccessTokenConverterConfigurer() { return new MyJwtConfigurer(...); } static class MyJwtConfigurer implements JwtAccessTokenConverterConfigurer { @Override public void configure( JwtAccessTokenConverter converter) {...} } } OAuth 2.0 Threat Model and Security Considerations 5 . 13
- 32. IMPLICIT GRANT Implicit Client Implementer’s Guide OAuth 2.0 Threat Model and Security Considerations 5 . 14
- 33. CLIENT CREDENTIALS GRANT 5 . 15
- 34. RESOURCE OWNER GRANT DO NOT USE! 5 . 16
- 35. WHAT CAN I ACCESS? A4: BROKEN ACCESS CONTROL A10: UNDERPROTECTED APIS 5 . 17
- 36. AUTHORIZATION OF REST API ROLE BASED public class UserBoundaryService { @PreAuthorize("hasRole('ADMIN')") public List<User> findAllUsers() {...} } 5 . 18
- 37. AUTHORIZATION OF REST API PERMISSION BASED public class TaskBoundaryService { @PreAuthorize("hasPermission(#taskId, 'TASK', 'WRITE')") public Task findTask(UUID taskId) {...} } 5 . 19
- 38. AUTHORIZATION OF REST API INTEGRATIONTEST public class AuthorizationIntegrationTest { @WithMockUser(roles = "ADMIN") @Test public void verifyFindAllUsersAuthorized() {...} @WithMockUser(roles = "USER") @Test(expected = AccessDeniedException.class) public void verifyFindAllUsersUnauthorized() {...} } 5 . 20
- 39. DEMO 5 . 21
- 40. WHAT ABOUT THE CLOUD? 6 . 1
- 41. GOOD OLD FRIENDS ...UND MORE... CSRF XSS SQL Injection Session Fixation Vulnerable Dependencies Weak Passwords Broken Authorization Sensitive Data Exposure Distributed DoS Economic DoS 6 . 2
- 42. WEAK PASSWORDS 6 . 3
- 43. SO WHAT HAS BEEN CHANGED IN THE CLOUD? 6 . 4
- 44. 6 . 5
- 45. ROTATE, REPAIR, REPAVE JUSTIN SMITH “What if every server inside my data center had a maximum lifetime of two hours? This approach would frustrate malware writers...” 6 . 6
- 46. WHAT ABOUT APPLICATION CONFIGURATION AND SENSIBLE DATA IN THE CLOUD? 6 . 7
- 47. MANAGE DISTRIBUTED CONFIGURATION AND SECRETS WITH SPRING CLOUD AND VAULT Friday 19th May, 2017 6:00pm to 6:50pm 6 . 8
- 48. ONE MORE THING... 7 . 1
- 49. A7: INSUFFICIENT ATTACK PROTECTION 7 . 2
- 50. 7 . 3