Web Application Security and Modern Frameworks

  • Published on
    25-May-2015

  • View
    383

  • Download
    3

Embed Size (px)

DESCRIPTION

Presentation about Rich Internet Application security with GWT and Vaadin. Presented at 33rd Degree 2014 in Krakow.

Transcript

  • 1. Platinum Sponsor Kim Leppnen & Leif strand Web Application Security and Modern Frameworks Disclaimer: Highly technical content ahead. Participating in this lecture might change your perspective towards the security of your application. In some cases, listening to this presentation might cause symptoms such as raised awareness of security and general interest towards web application security.

2. 3. OWASP Top 10 Open Web Application Security Project 4. Rich Internet Applications 5. Client Server UI logic Business logic DB GWT DOM 6. Client Server UI logic Business logic DB Vaadin DOM Handled by the framework 7. A1: Injection 8. Username demouser Password ************ String sql = ! ! SELECT * FROM users ! ! WHERE ! ! ! username= + request.getParameter(username) + AND! ! ! password= + request.getParameter(password) + ; 9. ! ! ! String sql = ! ! SELECT * FROM users ! ! WHERE ! ! ! username=demouser AND! ! ! password=secretpass; // username = demouser! // password = secretpass 10. // username = demouser --! // password = secretpass! ! String sql = ! ! SELECT * FROM users ! ! WHERE ! ! ! username=demouser-- AND! ! ! password=secretpass; 11. GWT ! N/A Vaadin ! N/A Web frameworks can help 12. A2: Broken Authentication and Session Management 13. Session ID fixation ! Exposure of session ID ! Exposing user credentials 14. GWT ! N/A Vaadin ! Helper for changing session id Web frameworks can help 15. A3: Cross-Site Scripting (XSS) 16. Demo: auction application 17. GWT ! setText SafeHtml Vaadin ! setHtmlContent Allowed(false) Beware of tooltips (setDescription) Web frameworks can help 18. Other things to keep in mind The XSS lter evasion cheat sheet Context is king Consider using Markdown 19. A4: Insecure Direct Object References 20. GWT ! Not so much, since this is mostly a server-side thing Can be hard to realize the problem since requests are invisible Vaadin ! All ids are generated values that the server uses to nd the right object when needed Web frameworks can help 21. A5: Security Misconfiguration 22. GWT ! N/A Vaadin ! productionMode = true Web frameworks can help 23. A6: Sensitive Data Exposure 24. Keep in mind Avoid handling sensitive data, e.g. credit card numbers Salt and hash passwords Use SSL, no excuses! 25. A7: Missing Function Level Access Control 26. A8: Cross-Site Request Forgery (CSRF) 27. Banking application example Account 4059820-440198 Amount 130,00 http://your.bank/transfer? account=4059820-440198&amount=130,00 28. http://your.bank/transfer? account=4059820-440198&amount=130,00 29. Creative commons - http://www.ickr.com/photos/esparta/367002402/ 30. Youve got mail Creative Commons - http://www.ickr.com/photos/8058853@N06/2685196800/ 31. Your bank Rogue bank 32. Banking application example Account 4059820-440198 Amount 130,00 http://your.bank/transfer? account=4059820-440198&amount=130,00 &token=ab8342d8943nkg34iung3o9j 33. GWT ! GWT-RPC: XsrfTokenService and/or HasRpcToken RequestFactory: Make your own RequestTransport Vaadin ! Secured out of the box Web frameworks can help 34. A9: Using Components with Known Vulnerabilities 35. How do you know whether they are vulnerable? 36. A10: Unvalidated Redirects and Forwards 37. Open app ! 38. Very quick conclusion 39. Questions? ! ? leif@vaadin.com kim@vaadin.com

Recommended

View more >