Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks

•

1 like•1,743 views

lastrand

Presentation about Rich Internet Application security with GWT and Vaadin. Presented at 33rd Degree 2014 in Krakow.

Software Technology

Platinum Sponsor
Kim Leppänen & Leif Åstrand
Web Application
Security and Modern
Frameworks
Disclaimer: Highly technical content ahead. Participating in this
lecture might change your perspective towards the security of
your application. In some cases, listening to this presentation
might cause symptoms such as raised awareness of security and
general interest towards web application security.

<script language="javascript">!
if ( prompt("Enter password") == "supersecret" ) {!
! document.location.href = "secret.html";!
}!
</script>

OWASP Top 10
Open Web Application Security Project

Client Server
UI logic
Business
logic
DB
GWT
DOM

Client Server
UI logic
Business
logic
DB
Vaadin
DOM
Handled by the framework

Username demouser
Password ************
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘“ + request.getParameter(“username”) + “‘ AND!
! ! password=‘“ + request.getParameter(“password”) + “‘“;

!
!
!
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘demouser‘ AND!
! ! password=‘secretpass‘“;
// username = demouser!
// password = secretpass

// username = demouser’ --!
// password = secretpass!
!
String sql = !
! “SELECT * FROM users !
! WHERE !
! ! username=‘demouser’--‘ AND!
! ! password=‘secretpass‘“;

GWT
!
• N/A
Vaadin
!
• N/A
Web frameworks can help

A2: Broken
Authentication
and Session
Management

Session ID fixation
!
Exposure of session ID
!
Exposing user credentials

GWT
!
• N/A
Vaadin
!
• Helper for changing
session id
Web frameworks can help

GWT
!
• setText
• SafeHtml
Vaadin
!
• setHtmlContent
Allowed(false)
• Beware of tooltips
(setDescription)
Web frameworks can help

Other things to keep in
mind
The XSS ﬁlter evasion cheat
sheet
Context is king
Consider using Markdown

GWT
!
• Not so much, since
this is mostly a
server-side thing
• Can be hard to
realize the problem
since requests are
“invisible”
Vaadin
!
• All ids are
generated values
that the server uses
to ﬁnd the right
object when
needed
Web frameworks can help

GWT
!
• N/A
Vaadin
!
• productionMode =
true
Web frameworks can help

Keep in mind
Avoid handling sensitive data,
e.g. credit card numbers
Salt and hash passwords
Use SSL, no excuses!

A7: Missing
Function Level
Access Control

Banking application example
Account 4059820-440198
Amount 130,00 €
http://your.bank/transfer?
account=4059820-440198&amount=130,00

http://your.bank/transfer?
account=4059820-440198&amount=130,00
<img src=“
“ />

Creative commons - http://www.ﬂickr.com/photos/esparta/367002402/

You’ve got mail
Creative Commons - http://www.ﬂickr.com/photos/8058853@N06/2685196800/

Banking application example
Account 4059820-440198
Amount 130,00 €
http://your.bank/transfer?
account=4059820-440198&amount=130,00
&token=ab8342d8943nkg34iung3o9j

GWT
!
• GWT-RPC:
XsrfTokenService
and/or
HasRpcToken
• RequestFactory:
Make your own
RequestTransport
Vaadin
!
• Secured out of the
box
Web frameworks can help

A9: Using
Components
with Known
Vulnerabilities

How do you
know whether
they are
vulnerable?

<a href=”http://myapp.com?
redirect=example.com/evil"> Open app </a>!

Questions?
!
? leif@vaadin.com
kim@vaadin.com

What's hot

Securing Web Applications with Token AuthenticationStormpath

Coding Uirajivmordani

Mobile Authentication for iOS Applications - Stormpath 101Stormpath

Cross Site Scripting Defense Presentation Ikhade Maro Igbape

Cross-Site Scripting (XSS)Daniel Tumser

Rest Introduction (Chris Jimenez)PiXeL16

The Cross Site Scripting GuideDaisuke_Dan

BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBSides Delhi

Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar

XSSHrishikesh Mishra

Cross site scripting (xss)Manish Kumar

XSS-Alert-Pentration testing toolArjun Jain

XssRajendra Dangwal

Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx

How to Use Stormpath in angular jsStormpath

Cross site scripting XSSRonan Dunne, CEH, SSCP

What is xss, blind xss and xploiting google gadgetsZiv Ginsberg

You wanna crypto in AEMDamien Antipa

Cross Site Scripting(XSS)Nabin Dutta

Web Application SecurityNelsan Ellis

What's hot (20)

Securing Web Applications with Token Authentication

Coding Ui

Mobile Authentication for iOS Applications - Stormpath 101

Cross Site Scripting Defense Presentation

Cross-Site Scripting (XSS)

Rest Introduction (Chris Jimenez)

The Cross Site Scripting Guide

BsidesDelhi 2018: DomGoat - the DOM Security Playground

Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar

XSS

Cross site scripting (xss)

XSS-Alert-Pentration testing tool

Xss

Owasp Top 10 A3: Cross Site Scripting (XSS)

How to Use Stormpath in angular js

Cross site scripting XSS

What is xss, blind xss and xploiting google gadgets

You wanna crypto in AEM

Cross Site Scripting(XSS)

Web Application Security

Similar to Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks

Jan 2008 Allupllangit

Writing Secure Code – Threat Defenseamiable_indian

Application Securitynirola

Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath

phpbhuvana553

The top 10 security issues in web applicationsDevnology

Devbeat Conference - Developer First SecurityMichael Coates

Hacking Client Side Insecuritiesamiable_indian

Starwest 2008Caleb Sima

Top Ten Tips For Tenacious Defense In Asp.Netalsmola

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff

Token Authentication for Java ApplicationsStormpath

Become a Security NinjaPaul Gilzow

Web Application Security: The Land that Information Security ForgotJeremiah Grossman

Secure coding in C#Siddharth Bezalwar

Spa Secure Coding GuideGeoffrey Vandiest

Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network

Defcon9 Presentation2001Miguel Ibarra

Web Application Security - "In theory and practice"Jeremiah Grossman

Top 10 Web Security VulnerabilitiesCarol McDonald

Similar to Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks (20)

Jan 2008 Allup

Writing Secure Code – Threat Defense

Application Security

Building Secure User Interfaces With JWTs (JSON Web Tokens)

php

The top 10 security issues in web applications

Devbeat Conference - Developer First Security

Hacking Client Side Insecurities

Starwest 2008

Top Ten Tips For Tenacious Defense In Asp.Net

OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF

Token Authentication for Java Applications

Become a Security Ninja

Web Application Security: The Land that Information Security Forgot

Secure coding in C#

Spa Secure Coding Guide

Developing Secure Applications and Defending Against Common Attacks

Defcon9 Presentation2001

Web Application Security - "In theory and practice"

Top 10 Web Security Vulnerabilities

Recently uploaded

JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver

Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea

Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1

Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools

The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp

Powering Real-Time Decisions with Continuous Data StreamsSafe Software

eSoftTools IMAP Backup Software and migration toolsosttopstonverter

Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions

Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions

UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz

OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan

Salesforce Implementation Services PPT By ABSYZABSYZ Inc

Zer0con 2024 final share short version.pdfmaor17

Post Quantum Cryptography – The Impact on Identityteam-WIBU

SAM Training Session - How to use EXCEL ?Alexandre Beguel

2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin

Precise and Complete Requirements? An Elusive GoalLionel Briand

SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler

Understanding Flamingo - DeepMind's VLM Architecturerahul_net

OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan

Recently uploaded (20)

JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...

Keeping your build tool updated in a multi repository world

Amazon Bedrock in Action - presentation of the Bedrock's capabilities

Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton

The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx

Powering Real-Time Decisions with Continuous Data Streams

eSoftTools IMAP Backup Software and migration tools

Best Angular 17 Classroom & Online training - Naresh IT

Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...

UI5ers live - Custom Controls wrapping 3rd-party libs.pptx

OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording

Salesforce Implementation Services PPT By ABSYZ

Zer0con 2024 final share short version.pdf

Post Quantum Cryptography – The Impact on Identity

SAM Training Session - How to use EXCEL ?

2024 DevNexus Patterns for Resiliency: Shuffle shards

Precise and Complete Requirements? An Elusive Goal

SensoDat: Simulation-based Sensor Dataset of Self-driving Cars

Understanding Flamingo - DeepMind's VLM Architecture

OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording

Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks

1. Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks Disclaimer: Highly technical content ahead. Participating in this lecture might change your perspective towards the security of your application. In some cases, listening to this presentation might cause symptoms such as raised awareness of security and general interest towards web application security.

2. <script language="javascript">! if ( prompt("Enter password") == "supersecret" ) {! ! document.location.href = "secret.html";! }! </script>

3. OWASP Top 10 Open Web Application Security Project

4. Rich Internet Applications

7. Client Server UI logic Business logic DB GWT DOM

8. Client Server UI logic Business logic DB Vaadin DOM Handled by the framework

9. A1: Injection

10. Username demouser Password ************ String sql = ! ! “SELECT * FROM users ! ! WHERE ! ! ! username=‘“ + request.getParameter(“username”) + “‘ AND! ! ! password=‘“ + request.getParameter(“password”) + “‘“;

11. ! ! ! String sql = ! ! “SELECT * FROM users ! ! WHERE ! ! ! username=‘demouser‘ AND! ! ! password=‘secretpass‘“; // username = demouser! // password = secretpass

12. // username = demouser’ --! // password = secretpass! ! String sql = ! ! “SELECT * FROM users ! ! WHERE ! ! ! username=‘demouser’--‘ AND! ! ! password=‘secretpass‘“;

13. GWT ! • N/A Vaadin ! • N/A Web frameworks can help

14. A2: Broken Authentication and Session Management

15. Session ID fixation ! Exposure of session ID ! Exposing user credentials

16. GWT ! • N/A Vaadin ! • Helper for changing session id Web frameworks can help

17. A3: Cross-Site Scripting (XSS)

18. Demo: auction application

19. GWT ! • setText • SafeHtml Vaadin ! • setHtmlContent Allowed(false) • Beware of tooltips (setDescription) Web frameworks can help

20. Other things to keep in mind The XSS ﬁlter evasion cheat sheet Context is king Consider using Markdown

21. A4: Insecure Direct Object References

22. GWT ! • Not so much, since this is mostly a server-side thing • Can be hard to realize the problem since requests are “invisible” Vaadin ! • All ids are generated values that the server uses to ﬁnd the right object when needed Web frameworks can help

23. A5: Security Misconfiguration

24. GWT ! • N/A Vaadin ! • productionMode = true Web frameworks can help

25. A6: Sensitive Data Exposure

26. Keep in mind Avoid handling sensitive data, e.g. credit card numbers Salt and hash passwords Use SSL, no excuses!

27. A7: Missing Function Level Access Control

28. A8: Cross-Site Request Forgery (CSRF)

29. Banking application example Account 4059820-440198 Amount 130,00 € http://your.bank/transfer? account=4059820-440198&amount=130,00

30. http://your.bank/transfer? account=4059820-440198&amount=130,00 <img src=“ “ />

31. Creative commons - http://www.ﬂickr.com/photos/esparta/367002402/

32. You’ve got mail Creative Commons - http://www.ﬂickr.com/photos/8058853@N06/2685196800/

33. Your bank Rogue bank

34. Banking application example Account 4059820-440198 Amount 130,00 € http://your.bank/transfer? account=4059820-440198&amount=130,00 &token=ab8342d8943nkg34iung3o9j

35. GWT ! • GWT-RPC: XsrfTokenService and/or HasRpcToken • RequestFactory: Make your own RequestTransport Vaadin ! • Secured out of the box Web frameworks can help

36. A9: Using Components with Known Vulnerabilities

37. How do you know whether they are vulnerable?

38. A10: Unvalidated Redirects and Forwards

39. <a href=”http://myapp.com? redirect=example.com/evil"> Open app </a>!

40. Very quick conclusion

41. Questions? ! ? leif@vaadin.com kim@vaadin.com

Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks

Similar to Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks (20)

More from lastrand

More from lastrand (6)

Recently uploaded

Recently uploaded (20)

Platinum Sponsor Kim Leppänen & Leif Åstrand Web Application Security and Modern Frameworks