Securing JSF Applications Against the OWASP Top Ten

  • View
    2.855

  • Download
    5

Embed Size (px)

DESCRIPTION

Conference presentation on designing JSF applications to address top security concerns

Text of Securing JSF Applications Against the OWASP Top Ten

  • 1. Securing JSF Applications Against the OWASP Top Ten David ChandlerSr. Engineer, Intuitdchandler@turbomanage.comJSF OneRich Web Experience Copyright 2007 - The OWASP FoundationSep 2008Permission is granted to copy, distribute and/or modify this document under theterms of the Creative Commons Attribution-ShareAlike 2.5 License. To view thislicense, visit http://creativecommons.org/licenses/by-sa/2.5/The OWASP Foundation http://www.webappsec.org/ http://www.owasp.org/

2. JSF is a Great Framework Tool-friendlyMVCComponent-orientation makes reuse easyBut. Is it safe?JSF One / Rich Web Experience Sep 2008 3. Framework Security Continuum More secure Framework makes it impossible fordevelopers to write insecure codeDevelopers must do all the right stuff, butyou can use code scanning tools andlimited inspection to find holesPossible, but developers must do all theright stuffNot possible to create a secure app(framework is flawed)Less secureJSF One / Rich Web Experience Sep 2008 4. Security Analysis Goals Address framework / implementationvulnerabilitiesLock front door and back doorInspect application code for vulnerabilities Ideally, centralize validation and use other JSF extensions to minimize inspection points Use automated scanning tools to verify thatApplication code uses only safe components / extensionsApplication code does not access the external contextdirectly (HttpSession) or use Lifecycle in unsafe ways JSF One / Rich Web Experience Sep 2008 5. Our Mission Today Learn how to secure JSF applicationsUsing the OWASP Top Ten as a guideOWASP=Open Web Application Security ProjectFantastic resourceGo to an OWASP conference sometimeIf your security folks think that Firewalls AreThe Answer To Everything, they might enjoy anOWASP conference, tooJSF One / Rich Web Experience Sep 2008 6. What is JavaServer Faces (JSF)? What is JSF? Spec, not an implementation (JSR 127, 252) Many vendor implementations and two open source Mojarra (Sun) Apache MyFacesWhere does it fit in the frameworks universe? MVC, component-based framework servlet Builds on Struts controller, form bean concepts Builds on Tapestry components JSF One / Rich Web Experience Sep 2008 7. Whats in a Typical JSF App View templates (JSP or Facelets)Managed bean for each view registered in faces-config.xmlNavigation rules in faces-config.xml JSF One / Rich Web Experience Sep 2008 8. Major JSF Concepts ComponentsRenderersManaged beansConverters / ValidatorsController (navigation model)Event handlingRequest lifecycleJSF One / Rich Web Experience Sep 2008 9. JSF Components Separate business logic from presentationEvery view is composed of a component hierarchyComponents can be added to view programmatically orvia template (JSP by default, Facelets for superiorperformance and ease of development)Standard components divided into two groups:Faces Core , HTML wrappers , , etc.Component = class + [renderer] + tag handler (JSP) JSF One / Rich Web Experience Sep 2008 10. JSF Renderers Component renderer encodes (generates theHTML) for the componentRenderer also decodes (sets component valuesfrom URL query string and form vars)Renderers are grouped into render kitsDefault render kit is HTMLProvide device independence w/o changing thetemplating language or components themselvesMost String I/O happens in renderersJSF One / Rich Web Experience Sep 2008 11. JSF Managed Beans Link view to the model (like controller)Provide action methods which in turn call appropriatemodel code (save, new)Provide helper methods (getAvailableSelectItems)Hold references to one or more domain objectsManaged by the framework in one of severalscopesStandard: request, session, application, noneSEAM offers conversation scopeSpring Web Flow offers flashScope, flowScope,conversationScope JSF One / Rich Web Experience Sep 2008 12. JSF Value Binding Component values bind to model beansFor each request, the frameworkConverts each input value (String) into the underlyingJava type (MoneyAmount)On output, converts underlying Java type to StringYou register converters for custom typesAll security validation therefore handled centrallyand automatically by model type JSF One / Rich Web Experience Sep 2008 13. JSF Value Binding Exampleview.xhtml In logger objectJSF One / Rich Web Experience Sep 2008 14. JSF Value Binding Example view.xhtmlManaged beans are registered in faces-config.xmlJSF One / Rich Web Experience Sep 2008 15. JSF Converters / Validators Converters are bi-directional Input converter: getAsObject() Output converter: getAsString()Validators work with Objects, not just StringsJSF supplies standard converters for date / time,numbers, etc.You write custom converters for rich types orspecial behavior JSF One / Rich Web Experience Sep 2008 16. JSF Converters / Validators JSF One / Rich Web Experience Sep 2008 17. JSF Converter ExampleConverter is registered in faces-config.xml, so allValuedTypesafeEnum properties of any bean will use this converterValidators also registered in faces-config.xml, but not by class JSF One / Rich Web Experience Sep 2008 18. JSF Controller Stateful or stateless navigation modelFramework selects next view based on Previous view Outcome of the event handler Event itself (regardless of outcome) Any combination of the abovePossibilities Universal error view (triggered by error outcome) Wildcard matching permitted in outcomes, view IDsJSF One / Rich Web Experience Sep 2008 19. JSF Event Handling Generates an event when pressed save() is a method on a managed beanJSF calls ReportController.save()Can also define action listeners associated with othercomponents in the form Example: AccountSearch on any page without having to tell JSF navigation controller about each instanceCustom ActionListenerImpl runs before invoking method JSF One / Rich Web Experience Sep 2008 20. JSF Request LifecycleRestore Retrieve component treeView from client or sessionMay skip to Apply Requestrender phaseDecode componentsValues or abort request(populate w/ String values) Process Convert Strings to ObjectsValidationsValidate Objects Request RequestUpdateCall settersModel on managed beans Invoke bean method(s) Invoke Compute navigationApplication Response ResponseCall bean getters to Render populate components Response JSF One / Rich Web Experience Sep 2008 21. JSF Extension Points Custom componentsPhase listeners (before, after any phase)Custom converters / validatorsCustom renderersCustion ActionListenerImpl to handle eventDecorate or replace view handler, navigationhandler, state manager, etc. JSF One / Rich Web Experience Sep 2008 22. JSF Configuration faces-config.xmlContains navigation rules as well as anycustomizations / extensionsCan be split among directories and sub-directories as well as jarsSet javax.faces.application.CONFIG_FILES in web.xmlOr put META-INF/faces-config.xml in jars so canbundle required configuration with codeJSF One / Rich Web Experience Sep 2008 23. OWASP Top Ten* A1 Unvalidated Input A6 Injection FlawsA2 Broken Access A7 Improper Error Control HandlingA3 Broken Authentication A8 Insecure Storage and Session MgmtA9 Application Denial ofA4 Cross Site ScriptingServiceA5 Buffer Overflow A10 Insecure Configuration Mgmt* Previous Top Ten listing used for better presentation flow JSF One / Rich Web Experience Sep 2008 24. A1 Unvalidated InputParameter tampering (hidden & list boxes) Required fields Length, data type, allowed values Cross site request forgery (CSRF) Buffer overflows (see A5)JSF One / Rich Web Experience Sep 2008 25. A1 Unvalidated Input JSF Validation ProcessValidation is part of the request lifecycle When validation fails Throw ConverterException or ValidationException Add message to the message queueMessage is associated with offending componentUse or Dont forget one of these in your view! Skip directly to render response phase JSF One / Rich Web Experience Sep 2008 26. JSF Request LifecycleRetrieve component tree Restorefrom client or session May skip toViewApply Request render phase Decode components Valuesor abort request (populate w/ String values) Process Convert Strings to ObjectsValidationsValidate Objects Request RequestUpdateCall settersModel on managed beansInvoke bean method(s)InvokeCompute navigation ApplicationResponseCall bean getters to Render Response populate components ResponseJSF One / Rich Web Experience Sep 2008 27. A1 Unvalidated Input JSF Validation ProcessThing of beauty! Model values never updated with invalid data User remains on current view No action methods called Messages tagged with component ID Unless immediate=true for some component If so, managed bean can access raw component values through component tree (dont!) JSF will NEVER update model unless validation passes JSF One / Rich Web Experience Sep 2008 28. A1 Unvalidated Input Parameter TamperingHidden fields Multiple choices (radio, check box, select) Required fields JSF One / Rich Web Experience Sep 2008 29. A1 Unvalidated Input Parameter Tampering (Hidden Fields) Did you say hidden fields?YUCK!Of course, they can be tampered with! Must rely on validation as with any other field JSF One / Rich Web Experience Sep 2008 30. A1 Unvalidated Input Parameter Tampering (Select Options)List boxes, radio buttons, check boxes JSF selectOne and selectMany components validate selected items against available choices Component calls selectItems getter again and compares selected String with available Strings See java.faces.component.UISelectOne/ManyJSF One / Rich Web Experience Sep 2008 31. A1 Unvalidated Input Parameter Tampering (Reqd Fields)Required fields If required field is empty (, not null), JSF will fail validation as usual Can change default msg in properties file Or for really custom requiredness checking, write a custom converter (because validator doesnt get called for empty fields, but converter does) JSF One / Rich Web Experience Sep 2008 32. A1 Unv