WEB APPLICATION SECURITY
James RodgerSolution Consultant30/04/2014
AgendaIntroduction
Client Server vs. Web
Security Areas
Threats• Password Cracking
• Interpreter Injection
• Session Hijacking
Why Bother?Internet facing web applications
Internal web applications
Increasingly a developer role
Good tooling helps improve security
Introduction
Huge topic
Taking a developer point of view
Looking at Uniface based solutions
Example code
Client Server vs. Web
Stateless
No control over client
Network is part of the application
Overview
Security Areas
Some areas we need to consider:Authentication
Authorisation
Browser Security
Session Management
Data I/O
Configuration and Deployment
Threats
Password Cracking
Interpreter Injection• SQL Injection
• JavaScript Injection
• Parameter Manipulation
Session Hijacking
Password CrackingThese attacks include techniques like:
Brute forcing the login page (remotely)
Brute forcing the database with common passwords
Brute forcing the database with rainbow tables
Brute ForceSimply trying a lot of passwords at a login page
Basic protection include:Throttling login requests
Logging failed attempts:• Locking out accounts
• Issuing a CAPTCHA
Password policies
Cracking Hashed PasswordsAttacker has access to the user database
Plain text passwords make abuse trivial
Passwords should be properly hashed
Password Hashing Basics
DemoStoring Passwords
Unifacesleep
$webinfo(“WEBSERVERCONTEXT”)
$encode
LDAP driver
ThreatsPassword Cracking
Interpreter Injection• SQL Injection
• JavaScript Injection
• Parameter Manipulation
Session Hijacking
Interpreter InjectionThese attacks include techniques like:
SQL Injection
JavaScript Injection
Parameter Manipulation
SQL InjectionID: 1Date of Birth: 23-feb-1982Name: Robert
INSERT INTO students VALUES(1, ‘23-feb-1982', ‘Robert');
DemoSQL Injection
SQL InjectionID: 2Date of Birth: 13-Nov-1973Name: Robert'); DROP TABLE students;--
INSERT INTO students VALUES(1, ‘23-feb-1982', ‘Robert'); DROP TABLE students; --’);
JavaScript InjectionGetting a browser to execute unintended JS
Usually injected where user input is allowed
Malicious code runs for anyone visiting the page
The code appears to have come from the application
DemoJavaScript Injection
Parameter ManipulationUser has control of the browser
JavaScript based validation can be bypassed
Requests can be sent at any time to:• Any Public Web operation
• Any Public Trigger
DemoRead Only Fields
UnifaceSQL Injection
• Database drivers prevent SQL injection
JavaScript Injection• Widgets correctly escape HTML
• Any Public Web operation
• Any Public Trigger
Parameter Manipulation• Model definitions used for validation at each step
• Read-only field handling
• Public web / Public trigger
• Standard triggers
ThreatsPassword Cracking
Interpreter Injection• SQL Injection
• JavaScript Injection
• Parameter Manipulation
Session Hijacking
Session HijackingThese attacks include techniques like:
Session Fixation
Session Sidejacking
Physical Access
DemoSession Sidejacking
UnifaceTomcat session handling
• $webinfo(“SESSIONCOMMANDS”)
• $webinfo(“WEBSERVERCONTEXT”)
HTTP only cookies by default
SummarySecurity needs to be designed in
Good tooling helps improve security
What else?• Security audits
• Vericode – regular security testing
HeartbleedUniface uses OpenSSL
9.5 / 9.6 vulnerable if using SSL
Patches out now• Uniface 9.5 – E123s
• Uniface 9.6 – X402s
Tomcat version shipped with Uniface is safe• Changed Tomcat version?
• Using different servlet engine?
More information at unifaceinfo.com
QuestionsIf you have any questions, or feedback about this session, please send an email to [email protected]
Enterprise Application Development
Recommended
