A product that works is not done, as there are many facets to consider - availability, scalability, security. Of those, security is probably the most costly to get wrong. This talk will build a threat model for a sample web application, showcasing a structured approach to securing your web application. Various vulnerabilities are shown and mitigated, based on current best practices. We take special care to show to eliminate entire classes of vulnerabilities, rather than tackling problems one by one. The code samples will be built on top of Apache Sling, but previous knowledge of Sling is not required. Talk delivered at BaselOne 2023

1. Secure By Default Web Applications
Robert Munteanu, Senior Computer Scientist, Adobe

2. About me
2

3. → Threat modelling
OWASP Top 10 (selection)
Sample application
Apache Sling primer
Handling security threats
Demo
3

4. Threat modelling process
Define security requirements
Create application diagram
Identify threats
Mitigate threats
Validate mitigations
4

5. Security requirements examples
99.9% availability
confidentiality of user profiles
integrity of purchase transactions
prevent unauthorized users from modifying database entries
5

6. Data flow diagram
6

7. STRIDE model
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
7

8. Threat modelling
→ OWASP Top 10 (selection)
Sample application
Apache Sling primer
Handling security threats
Demo
8

9. OWASP Top 10
9

10. A01:2021 - Broken Access Control
bypassing access control checks by modifying the URL, internal application state,
or the HTML page, or by using an attack tool modifying API requests.
viewing or editing someone else's account, by providing its unique identifier
(insecure direct object references)
API with missing access controls for POST, PUT and DELETE.
replaying or tampering with a JSON Web Token (JWT) access control token, or a
cookie or hidden field manipulated to elevate privileges or abusing JWT
invalidation.
10

11. A03:2021 - Injection
User-supplied data is not validated, filtered, or sanitized
Dynamic queries or non-parameterized calls without context-aware escaping are
used directly in the interpreter.
Hostile data is used within object-relational mapping (ORM) search parameters to
extract additional, sensitive records.
Hostile data is directly used or concatenated. The SQL or command contains the
structure and malicious data in dynamic queries, commands, or stored procedures.
11

12. A05:2021 - Security Misconfiguration
Missing appropriate security hardening across any part of the application stack
Improperly configured permissions on cloud services.
Unnecessary features are enabled or installed
Default accounts and their passwords are still enabled and unchanged.
Error handling reveals stack traces or other overly informative error messages to
users.
For upgraded systems, the latest security features are disabled or not configured
securely.
The server does not send security headers or directives, or they are not set to
secure values.
12

13. A06:2021 - Vulnerable and Outdated Components
Vulnerable, unsupported, or out of date software
OS
web/application server
database management system (DBMS)
applications
APIs
components
runtime environments
libraries.
Failure to regularly scan for vulnerabilities
Failure to timely patch security vulnerabilities 13

14. A09:2021 - Security Logging and Monitoring
Failures
Not logging auditable events
logins
failed logins
high-value transactions
Inadequate log messages for warnings and errors
Failure to monitor logs for suspicious activity
Local-only storage for logs
Missing alerting thresholds and response escalation processes
14

15. Threat modelling
OWASP Top 10 (selection)
→ Sample application
Apache Sling primer
Handling security threats
Demo
15

16. Sample application description
simple website
content authors can post articles
authenticated users can post comments
unauthenticated users can read articles and comments
16

17. Data flow
17

18. Threat catalogue
T001 - malicious content added by authors / A03:2021-Injection
T002 - malicious content added by authenticated users / A03:2021-Injection
T003 - unauthorized changes made by authenticated users / A01:2021-Broken
Access Control
T004 - unauthorized changes made by unauthenticated users / A01:2021-Broken
Access Control
T005 - comments deleted by authenticated users / A01:2021-Broken Access
Control
T006 - denial of service by bulk posting comments / A09:2021 - Security Logging
and Monitoring Failures
T007 - extraction of personally identifiable data / A01:2021 - Broken Access
Control
18

19. Threat modelling
OWASP Top 10 (selection)
Sample application
→ Apache Sling primer
Handling security threats
Demo
19

20. Web application framework
20

21. RESTful
$ curl http://localhost:8080/content/pospai/home/welcome.json
{
"jcr:primaryType": "sling:Folder",
"jcr:createdBy": "sling-package-install",
"jcr:title": "pospai Welcome",
"jcr:created": "Fri Jul 21 2023 15:05:11 GMT+0300",
"sling:resourceType": "pospai/page"
}
21

22. Resource types
{
"jcr:primaryType": "sling:Folder",
"jcr:createdBy": "sling-package-install",
"jcr:title": "pospai Welcome",
"jcr:created": "Fri Jul 21 2023 15:05:11 GMT+0300",
"sling:resourceType": "pospai/page"
}
22

23. Script resolution
23

24. Scripts
<div style="display: grid; grid-template-columns: 100px; 300px">
<div>
<img width="60px" src="/pospai/avatar.jpg/${resource.createdBy}">
</div>
<div>${resource.createdBy}</div>
<div>${resource.message}</div>
</div>
24

25. Servlets
@Component(
service = Servlet.class,
property = {
"sling.servlet.resourceTypes=pospai/avatar",
"sling.servlet.extensions=jpg",
}
)
public class AvatarServlet extends SlingSafeMethodsServlet {
@Override
protected void doGet(SlingHttpServletRequest request,
SlingHttpServletResponse response) throws ServletException,
IOException {
}
}
25

26. Content repository
26

27. Threat modelling
OWASP Top 10 (selection)
Sample application
Apache Sling primer
→ Handling security threats
Demo
27

28. Built-in access control
28

29. Built-in access control
29

30. Authentication opt-in for servlets
@Component(service = { Servlet.class },
property = { AuthConstants.AUTH_REQUIREMENTS +"=+/my/servlet"}
)
@SlingServletPaths("/my/servlet")
public class MyProtectedServlet extends SlingAllMethodsServlet {
/* implementation here */
}
30

31. XSS protection
31

32. Injection-safe APIs
// automatically loaded, ensures user has access
Resource requested = request.getResource();
// access properties
String title = requested.getValueMap().get("jcr:title", String.class);
// gather children paths
List<String> childrenPaths = new ArrayList<>();
for ( Resource child: requested.getChildren() ) {
childrenPaths.add(child.getPath());
}
// access parent resource
Resource parent = requested.getParent();
32

33. Side note: type-safe APIs
@Model(adaptables=Resource.class)
public class MyModel {
@ValueMapValue(name="jcr:title")
private String title;
public String getTitle() {
return title;
}
}
MyModel model = resource.adaptTo(MyModel.class)
model.getTitle();
33

34. Metrics
$ curl --silent http://localhost:8080/metrics | grep -E '^(sling|oak|jvm)' | wc -l
486
oak_SESSION_COUNT
oak_security_authentication_login_failed_total
oak_security_authentication_login_token_failed_total
34

35. Dashboards
35

36. Alerts
36

37. Fine-grained artifacts
37

38. Automatic updates
38

39. Threat modelling
OWASP Top 10 (selection)
Sample application
Apache Sling primer
Handling security threats
→ Demo
39

40. 40

41. Resources
Apache Sling : https://sling.apache.org/
Apache Jackrabbit Oak: https://jackrabbit.apache.org/oak/
Pospai Sample App: https://github.com/rombert/pospai
STRIDE model: https://en.wikipedia.org/wiki/STRIDE_(security)
OWASP Top 10: https://owasp.org/www-project-top-ten/
41

42. 42