CONFIG PASSWORD
ENCRYPTION GONE WRONG
DISCLAIMER
The views expressed in this talk are those of the author and do
not reflect the official policy or position of Trustwave
SpiderLabs.
BACKGROUND
Keith Lee
Senior Security Consultant
Trustwave SpiderLabs
@keith55
http://github.com/milo2012/
http://milo2012.wordpress.com/
https://www.linkedin.com/in/keithlee2012/
• Presented at THOTCON, PHDays, Zeronights, Rootcon, DEFCON (Wall of Sheep, Skytalks, Demo Labs), Blackhat Asia, HackInTheBox
OWASP GUIDE
Password Plaintext Storage

Storing a plaintext password in a configuration file allows
anyone who can read the file access to the password-protected
resource.
Developers sometimes believe that they cannot defend the
application from someone who has access to the configuration,
but this attitude makes an attacker's job easier.
Good password management guidelines require that a
password never be stored in plaintext.
[https://www.owasp.org/index.php/Password_Plaintext_Storage]
TOMCAT AND JAVA SERVLET
Apache Tomcat
Apache Tomcat (in this context) is a servlet container.
The server is responsible for managing the lifecycle of servlets, mapping a URL to a particular servlet and ensuring that the URL requester has the correct access rights.
Java Servlet
A Java servlet is a Java program that extends the capabilities of a server.
They most commonly implement applications hosted on Web servers.
WHAT IS JASYPT?
Jasypt (Java Simplified Encryption)
Jasypt is a Java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without needing deep knowledge of how cryptography works.
SOME STATISTICS
Jasypt
181,822 downloads since 2007.
48,800 results in Google
Google Search: “tomcat encrypting configuration passwords”
About 711,000 results
TOMCAT SERVER AND JAVA SERVLET 101
https://www.youtube.com/watch?v=BrvAYxN8jjM
IMPORTANT FILES FOR TOMCAT/JAVA SERVLETS
- server.xml (system specific settings - configuration relating to startup)
- web.xml (servlet definitions)
- context.xml (application specific settings) - Data source definitions (server names, database names, usernames, passwords)
- catalina.properties (class loader paths, security package lists, some tunable performance properties, custom properties)
THOUGHT PROCESS
Understand how things work
Decrypt the passwords
Find the missing pieces (keys, passwords, usernames, DB locations, etc.)
Find sensitive data in the database
Move laterally and vertically in the network using the newly found credentials
Don’t run away just because you see encrypted passwords
If you already ‘own’ the host, you should have everything you need to decrypt
HOW JASYPT WORKS
Purpose
• Encrypt clear text credentials in configuration files
• Uses a symmetric key for encrypting and decrypting passwords
Encryption steps
• Extract the properties such as server names, databases and user credentials into a separate property file
• Replace credentials in configuration files with ‘property placeholders’
• Use the Jasypt CLI utility to encrypt the password using a predetermined key
• Define the ‘property placeholders’ and the encrypted passwords in a properties file (e.g. catalina.properties)
Decryption steps
• The decryption key is passed at runtime, via an environment variable or manually
• The property file is read and the placeholders are replaced with the actual (decrypted) values
CONTEXT.XML FILE BEFORE AND AFTER JASYPT
Before encryption with JASYPT
<Context>
<Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="Password1"/>
</Context>
After encryption with JASYPT
• Passwords are replaced by property placeholders (Tomcat's ${...} syntax)
<Context>
<Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="${db.password}"/>
</Context>
IS JASYPT USED ON THE TOMCAT SERVER?
$ find . -name 'jasypt-*.jar'
/data/tomcat/service01/lib/jasypt-1.9.2.jar
$ cat /data/tomcat/service/conf/context.xml
<Context>
<Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="${db.password}"/>
</Context>
JASYPT - SYMMETRIC KEY
https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences
JASYPT - LOADING THE KEY BEFORE RUNTIME
• System environment variables (export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Moai23q6M8z)
• Web configuration (Web PBE configuration)
• A class that implements org.apache.tomcat.util.IntrospectionUtils.PropertySource. The class is invoked when ${parameters} are found in XML files when Tomcat parses them.
THINKING LIKE A SYSADMIN/DEVELOPER
So what does this mean to an attacker?
The key must be conveniently located somewhere on the system
Important considerations when using servlets and Jasypt
The servlets on the Tomcat server must be able to survive a reboot.
Servlets must start up automatically.
It is just not feasible to manually enter the encryption key for Jasypt after every reboot.
If the server goes down and doesn’t come back up immediately, it will affect my KPI
HUNTING FOR THE PUZZLE PIECES
1. Encryption Key
2. Hostnames, Usernames, Password (placeholders)
3. Encrypted passwords
HUNTING FOR THE PUZZLE PIECES
Encryption Key
Most commonly defined in an environment variable (easiest to implement)
Can be found in a number of places
- Environment variable
- Startup scripts
- Classes
CATALINA.PROPERTIES
Apache Tomcat Configuration Reference
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.orgname.tomcat.utils.EncryptedPropertySource
‣ Sample catalina.properties file
$ ls /data/tomcat/service01/lib/
/data/tomcat/service01/lib/jasypt-1.9.2.jar
/data/tomcat/service01/lib/tomcat-utils-1.0.1.jar
$ unzip tomcat-utils-1.0.1.jar
Archive: tomcat-utils-1.0.1.jar
inflating: META-INF/MANIFEST.MF
inflating: com/orgname/tomcat/utils/EncryptedPropertiesUtils.class
inflating: com/orgname/tomcat/utils/EncryptedPropertySource.class
inflating: META-INF/maven/
‣ Searching for the class file that will be invoked when ${parameter} denoted parameters are found in the XML files that Tomcat parses.
TAKING A CLOSER LOOK AT DECRYPTION CLASS FILE
$ unzip tomcat-utils-1.0.1.jar
inflating: com/orgname/tomcat/utils/EncryptedPropertySource.class
import org.jasypt.util.text.BasicTextEncryptor;

public class EncryptedPropertiesUtils {

    // Symmetric key; re-read from the environment on every decrypt() call
    private static String passPhrase;

    public static String decrypt(final String textToDecrypt) {
        loadPassPhrase();
        // BasicTextEncryptor: password-based symmetric encryption with Jasypt defaults
        final BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
        textEncryptor.setPassword(EncryptedPropertiesUtils.passPhrase);
        return textEncryptor.decrypt(textToDecrypt);
    }

    private static void loadPassPhrase() {
        // The key is whatever the startup scripts exported into the environment
        String pp = System.getenv("APP_ENCRYPTION_PASSWORD");
        EncryptedPropertiesUtils.passPhrase = pp;
    }
}
‣ Sample decompiled source code of the decryption helper (EncryptedPropertiesUtils.class) shipped in tomcat-utils-1.0.1.jar alongside EncryptedPropertySource.class
CONTEXT.XML
$ cat /data/tomcat/service01/conf/context.xml
url="jdbc:sqlserver://db01;database=accountService" username="dbAdmin" password="${db.password}" minLimit="1"
HUNTING FOR ENCRYPTION KEYS
$ cat /data/tomcat/service01/config/runtime.settings
export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
HUNTING FOR ENCRYPTED PASSWORDS
‣ Finding encrypted passwords in property files
$ find . -name '*.properties*'
/data/tomcat/app1/conf/catalina.properties
$ cat /data/tomcat/app1/conf/catalina.properties
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.orgname.tomcat.utils.EncryptedPropertySource
db.password=ENC(+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP)
‣ The PROPERTY_SOURCE line is present if encrypted parameters are used; the ENC(...) value is the encrypted password
HUNTING FOR ENCRYPTION KEYS
‣ Environment variable
export APP_ENCRYPTION_PASSWORD=secretkey
‣ Application context (context.xml)
<encryption:encryptor-config id="encryptorConfig" password-env-name="PASSWORD" algorithm="PBEWithMD5AndDES"/>
DECRYPTING PASSWORDS
‣ Using the Jasypt CLI tool
$ ./decrypt.sh input=+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP password=O8Z13Epg0Mo
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.131-b11
----ARGUMENTS-------------------
input: +2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP
password: O8Z13Epg0Mo
----OUTPUT----------------------
password
DECRYPTING THE KEYS
Configuration File
url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="${db.password}"/>
Property File
db.password=ENC(+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP)
Decryption Key (Symmetric)
environment variable (e.g.)
export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
Decrypting the Passwords
$ ./decrypt.sh input=+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP password=O8Z13Epg0Mo
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.131-b11
----ARGUMENTS-------------------
input: +2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP
password: O8Z13Epg0Mo
----OUTPUT----------------------
password
Download CLI tool from http://www.jasypt.org/download.html
QUICK WINS
$ find . -name 'jasypt-*.jar'
/data/tomcat/service01/lib/jasypt-1.9.2.jar
$ printenv | grep -i APP_ENCRYPTION_PASSWORD
APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
$ grep -ir APP_ENCRYPTION_PASSWORD .
export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
$ cat /etc/profile
export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
$ grep -ir javax.sql.DataSource .
<Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="${db.password}"/>
$ grep -ri '=ENC(' .
db.password=ENC(+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP)
$ ./decrypt.sh input=+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP password=O8Z13Epg0Mo
----OUTPUT----------------------
Password1
OTHER NOTES
$ ./encrypt.sh input=passwrod password=1
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.131-b11
----ARGUMENTS-------------------
input: passwrod
password: 1
----OUTPUT----------------------
S4siv8IPYClnMPCg8GwNYzKZotISf78U
Jasypt does not enforce the length of the secret key.
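An added example (not code from the talk, Tomcat or Jasypt) that turns the hunting steps and quick-wins commands above, together with the key-length note, into a defender-side audit: it walks a Tomcat tree, correlates the Jasypt jar, the ENC() values, the ${...} placeholders and every place the key is exported, and reports whether the plaintext is recoverable from that host alone. It assumes the talk's variable name APP_ENCRYPTION_PASSWORD and a locally chosen 16-character minimum; the sample files are constructed from the slide listings.

```python
"""Audit a Tomcat tree for the Jasypt key-beside-ciphertext pattern.

Added example, not part of the talk or of Jasypt/Tomcat. Assumptions: the
key variable is APP_ENCRYPTION_PASSWORD (the name used in the talk) and
MIN_KEY_LEN is a local policy choice, since Jasypt enforces no minimum.
"""
import os
import re
import tempfile
from pathlib import Path

ENC_RE = re.compile(r"^\s*([\w.\-]+)\s*=\s*ENC\(([^)]*)\)", re.M)
PLACEHOLDER_RE = re.compile(r'password\s*=\s*"\$\{([\w.\-]+)\}"')
KEY_EXPORT_RE = re.compile(r"\bAPP_ENCRYPTION_PASSWORD\s*=\s*['\"]?([^'\"\s]+)")
MIN_KEY_LEN = 16  # assumption: local policy threshold, not a Jasypt rule


def audit_tomcat(base, environ=None, extra_files=()):
    """Correlate the puzzle pieces under `base` (plus extra files such as
    /etc/profile). Key values are never stored, only where they were found
    and how long they are."""
    environ = os.environ if environ is None else environ
    f = {"jasypt_jars": [], "encrypted_props": [], "placeholders": [],
         "key_locations": [], "weak_keys": [], "risk": []}
    paths = [p for p in Path(base).rglob("*") if p.is_file()]
    paths += [Path(p) for p in extra_files if Path(p).is_file()]
    for path in paths:
        if path.name.startswith("jasypt-") and path.suffix == ".jar":
            f["jasypt_jars"].append(str(path))
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if path.suffix == ".properties":  # db.password=ENC(...)
            for prop, blob in ENC_RE.findall(text):
                f["encrypted_props"].append((str(path), prop, blob))
        if path.suffix == ".xml":  # password="${db.password}" in a Resource
            for prop in PLACEHOLDER_RE.findall(text):
                f["placeholders"].append((str(path), prop))
        for value in KEY_EXPORT_RE.findall(text):  # startup scripts, settings
            f["key_locations"].append((str(path), len(value)))
    if "APP_ENCRYPTION_PASSWORD" in environ:  # the running process's environment
        f["key_locations"].append(("<process environment>",
                                   len(environ["APP_ENCRYPTION_PASSWORD"])))
    f["weak_keys"] = [(w, n) for w, n in f["key_locations"] if n < MIN_KEY_LEN]
    encrypted = {prop for _, prop, _ in f["encrypted_props"]}
    for path, prop in f["placeholders"]:
        if prop not in encrypted:
            f["risk"].append(f"{path}: placeholder ${{{prop}}} has no ENC() value "
                             "and may resolve to a plaintext property")
    if f["encrypted_props"] and f["key_locations"]:
        f["risk"].append("ENC() values and the key are both readable on this host: "
                         "file read access is enough to recover the plaintext")
    for where, n in f["weak_keys"]:
        f["risk"].append(f"{where}: key is only {n} characters "
                         f"(policy minimum {MIN_KEY_LEN})")
    return f


def sample_files(encrypted=True):
    """Constructed sample tree mirroring the talk's listings (values copied
    from the slides); with encrypted=False the property is left in clear."""
    db_line = ("db.password=ENC(+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP)\n" if encrypted
               else "db.password=Password1\n")
    return {
        "lib/jasypt-1.9.2.jar": "",
        "conf/context.xml": (
            '<Context>\n<Resource name="jdbc/serviceDB" auth="Container" '
            'type="javax.sql.DataSource" url="jdbc:sqlserver://db01;'
            'database=service_prd" username="dbadmin" '
            'password="${db.password}"/>\n</Context>\n'),
        "conf/catalina.properties": (
            "org.apache.tomcat.util.digester.PROPERTY_SOURCE="
            "com.orgname.tomcat.utils.EncryptedPropertySource\n" + db_line),
        "config/runtime.settings": "export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo\n",
    }


def demo(encrypted=True):
    """Write the sample tree to a temp dir and audit it with an empty
    environment; returns the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in sample_files(encrypted).items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return audit_tomcat(tmp, environ={})


if __name__ == "__main__":
    for line in demo()["risk"]:
        print("RISK:", line)
```

Point audit_tomcat at a real CATALINA_BASE and pass startup scripts such as /etc/profile via extra_files to reproduce the quick-wins walk in one pass.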
IT’S BETTER THAN NO ENCRYPTION
[https://wiki.apache.org/tomcat/FAQ/Password]

 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 

CRESTCon Asia 2018 - Config Password Encryption Gone Wrong

  • 9. IMPORTANT FILES FOR TOMCAT/JAVA SERVLETS
 - server.xml (system specific settings)
 - web.xml (servlet definitions)
 - context.xml (application specific settings)
   - Data source definitions (server names, database names, usernames, passwords)
 - catalina.properties (class loader paths, security package lists, some tunable performance properties, custom properties)
  • 10. IMPORTANT FILES FOR TOMCAT/JAVA SERVLETS
 - server.xml (system specific settings - configuration relating to startup)
  • 11. IMPORTANT FILES FOR TOMCAT/JAVA SERVLETS
 - web.xml (servlet definitions)
  • 12. IMPORTANT FILES FOR TOMCAT/JAVA SERVLETS
 - context.xml (application specific settings)
   - Data source definitions (server names, database names, usernames, passwords)
  • 13. IMPORTANT FILES FOR TOMCAT/JAVA SERVLETS
 - catalina.properties (class loader paths, security package lists, some tunable performance properties, custom properties)
  • 14. THOUGHT PROCESS
 - Understand how things work
 - Decrypt the passwords
 - Find the missing pieces (keys, passwords, usernames, DB locations, etc.)
 - Find sensitive data in the database
 - Move laterally and vertically in the network using the newly found credentials
 - Don't run away just because you see encrypted passwords
 - If you already 'own' the host, you should have everything you need to decrypt
  • 15. HOW JASYPT WORKS
 Purpose
 • Encrypt clear text credentials in configuration files
 • Uses a symmetric key for encrypting and decrypting passwords
 Encryption steps
 • Extract the properties such as server names, databases and user credentials into a separate property file
 • Replace credentials in configuration files with 'property placeholders'
 • Use the Jasypt CLI utility to encrypt the password using a predetermined key
 • Put the definitions of the 'property placeholders' and the encrypted passwords in the properties file (e.g. catalina.properties)
 Decryption steps
 • The decryption key is passed via an environment variable or manually, at runtime
 • The property file is read and the placeholders are replaced with the actual (decrypted) values
  • 16. CONTEXT.XML FILE BEFORE AND AFTER JASYPT
 Before encryption with JASYPT
 <Context>
   <Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
             driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
             url="jdbc:sqlserver://db01;database=service_prd"
             username="dbadmin" password="Password1"/>
 </Context>
 After encryption with JASYPT
 • Passwords are replaced by property placeholders
 <Context>
   <Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
             driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
             url="jdbc:sqlserver://db01;database=service_prd"
             username="dbadmin" password="${db.password}"/>
 </Context>
  • 17. IS JASYPT USED ON THE TOMCAT SERVER?
 $ find . -name 'jasypt-*.jar'
 /data/tomcat/service01/lib/jasypt-1.9.2.jar
 $ cat /data/tomcat/service/conf/context.xml
 <Context>
   <Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource"
             driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
             url="jdbc:sqlserver://db01;database=service_prd"
             username="dbadmin" password="${db.password}"/>
 </Context>
  • 18. JASYPT - SYMMETRIC KEY https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences
  • 19. JASYPT - LOADING THE KEY BEFORE RUNTIME
 • system environment variables (export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Moai23q6M8z)
 • web configuration (Web PBE configuration)
 • a class that implements org.apache.tomcat.util.IntrospectionUtils.PropertySource. The class is invoked when ${parameters} are found in XML files as Tomcat parses them.
  • 20. THINKING LIKE A SYSADMIN/DEVELOPER
 So what does this mean to an attacker?
 The key must be conveniently located somewhere on the system.
 Important considerations when using servlets and Jasypt:
 - The servlets on the Tomcat server must be able to survive a reboot.
 - Servlets must start up automatically.
 - It is just not feasible to manually enter the encryption key for Jasypt after every reboot.
 - If the server goes down and doesn't come back up immediately, it will affect my KPI.
  • 21. HUNTING FOR THE PUZZLE PIECES
 1. Encryption key
 2. Hostnames, usernames, password (placeholders)
 3. Encrypted passwords
  • 22. HUNTING FOR THE PUZZLE PIECES
 Encryption key
 - Most commonly defined in an environment variable (easiest to implement)
 - Can be found in a number of places:
   - Environment variable
   - Startup scripts
   - Classes

  • 23. CATALINA.PROPERTIES
 Apache Tomcat Configuration Reference
 org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.orgname.tomcat.utils.EncryptedPropertySource
 ‣ Sample catalina.properties file
  • 24. CATALINA.PROPERTIES
 org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.orgname.tomcat.utils.EncryptedPropertySource
 ‣ Sample catalina.properties file
 $ ls /data/tomcat/service01/lib/
 /data/tomcat/service01/lib/jasypt-1.9.2.jar
 /data/tomcat/service01/lib/tomcat-utils-1.0.1.jar
 $ unzip tomcat-utils-1.0.1.jar
 Archive: tomcat-utils-1.0.1.jar
   inflating: META-INF/MANIFEST.MF
   inflating: com/orgname/tomcat/utils/EncryptedPropertiesUtils.class
   inflating: com/orgname/tomcat/utils/EncryptedPropertySource.class
   inflating: META-INF/maven/
 ‣ Searching for the class file that will be invoked when ${parameter} denoted parameters are found in the XML files that Tomcat parses.
  • 25. TAKING A CLOSER LOOK AT DECRYPTION CLASS FILE
 $ unzip tomcat-utils-1.0.1.jar
   inflating: com/orgname/tomcat/utils/EncryptedPropertySource.class

 import org.jasypt.util.text.BasicTextEncryptor;

 public class EncryptedPropertiesUtils {
     // Symmetric pass phrase, re-read from the environment on every decrypt call
     private static String passPhrase;

     public static String decrypt(final String textToDecrypt) {
         loadPassPhrase();
         // BasicTextEncryptor defaults to PBEWithMD5AndDES
         final BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
         textEncryptor.setPassword(EncryptedPropertiesUtils.passPhrase);
         return textEncryptor.decrypt(textToDecrypt);
     }

     private static void loadPassPhrase() {
         // The key comes from APP_ENCRYPTION_PASSWORD: whoever can read the
         // Tomcat process environment, or the script that sets it, has the key
         String pp = System.getenv("APP_ENCRYPTION_PASSWORD");
         EncryptedPropertiesUtils.passPhrase = pp;
     }
 }
 ‣ Sample decompiled source code of EncryptedPropertiesUtils.class (from tomcat-utils-1.0.1.jar)
  • 27. HUNTING FOR ENCRYPTION KEYS
 $ cat /data/tomcat/service01/config/runtime.settings
 export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
  • 28. HUNTING FOR ENCRYPTED PASSWORDS
 ‣ Finding encrypted passwords in property files
 $ find . -name '*.properties*'
 /data/tomcat/app1/conf/catalina.properties
 ‣ If encrypted parameters are used
 $ cat /data/tomcat/app1/conf/catalina.properties
 org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.orgname.tomcat.utils.EncryptedPropertySource
 db.password=ENC(+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP)
  • 29. HUNTING FOR ENCRYPTION KEYS
 ‣ Environment variable
 export APP_ENCRYPTION_PASSWORD=secretkey
 ‣ Application context (context.xml)
 <encryption:encryptor-config id="encryptorConfig" password-env-name="PASSWORD" algorithm="PBEWithMD5AndDES"/>
  • 30. DECRYPTING PASSWORDS
 ‣ Using the Jasypt CLI tool
 $ ./decrypt.sh input=+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP password=O8Z13Epg0Mo
 ----ENVIRONMENT-----------------
 Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.131-b11
 ----ARGUMENTS-------------------
 input: +2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP
 password: O8Z13Epg0Mo
 ----OUTPUT----------------------
 password
  • 31. DECRYPTING THE KEYS
 Configuration File
 url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="${db.password}"/>
 Property File
 db.password=ENC(+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP)
 Decryption Key (Symmetric)
 environment variable (e.g.) export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
 Decrypting the Passwords
 $ ./decrypt.sh input=+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP password=O8Z13Epg0Mo
 ----ENVIRONMENT-----------------
 Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.131-b11
 ----ARGUMENTS-------------------
 input: +2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP
 password: O8Z13Epg0Mo
 ----OUTPUT----------------------
 password
 Download the CLI tool from http://www.jasypt.org/download.html
  • 32. QUICK WINS
 $ find . -name 'jasypt-*.jar'
 /data/tomcat/service01/lib/jasypt-1.9.2.jar
 $ printenv | grep -i APP_ENCRYPTION_PASSWORD
 APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
 $ grep -ir APP_ENCRYPTION_PASSWORD .
 export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
 $ cat /etc/profile
 export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo
 $ grep -ir javax.sql.DataSource .
 <Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource" driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" url="jdbc:sqlserver://db01;database=service_prd" username="dbadmin" password="${db.password}"/>
 $ grep -ir '=ENC(' .
 db.password=ENC(+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP)
 $ ./decrypt.sh input=+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP password=O8Z13Epg0Mo
 ----OUTPUT----------------------
 Password1
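The flow the talk walks through on slides 15, 16 and 32 (a ${placeholder} in context.xml, an ENC() value in catalina.properties, and the key exported from a startup file on the same host) can be checked from the defender's side with a small configuration audit. This Python script is an added example, not code from the talk, Tomcat or Jasypt; the file contents, paths and values in it are constructed sample data modelled on the slides, and APP_ENCRYPTION_PASSWORD is the variable name the talk uses.

```python
import re

# Constructed sample inputs modelled on the talk's Tomcat layout (not real files)
CATALINA_PROPERTIES = """\
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.orgname.tomcat.utils.EncryptedPropertySource
db.password=ENC(+2zkKYEl0RTO+MkdsA/yU3HKb7ZDXhCP)
mq.password=Plaintext123
"""
CONTEXT_XML = """\
<Context>
  <Resource name="jdbc/serviceDB" auth="Container" type="javax.sql.DataSource" username="dbadmin" password="${db.password}"/>
  <Resource name="jms/queue" auth="Container" type="javax.jms.ConnectionFactory" username="mquser" password="${mq.password}"/>
</Context>
"""
ETC_PROFILE = "export APP_ENCRYPTION_PASSWORD=O8Z13Epg0Mo\n"  # constructed /etc/profile content

ENC_RE = re.compile(r"^ENC\((.+)\)$")          # Jasypt-wrapped value in a .properties file
PLACEHOLDER_RE = re.compile(r"\$\{([^}]+)\}")  # Tomcat ${property} placeholder
RESOURCE_RE = re.compile(r'<Resource\b[^>]*\bname="([^"]+)"[^>]*\bpassword="([^"]*)"')
KEY_EXPORT_RE = re.compile(r"^\s*export\s+APP_ENCRYPTION_PASSWORD=", re.M)

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(context_xml, catalina_props, startup_files):
    """One finding per Resource password, then one per startup file that exports the key."""
    props = parse_properties(catalina_props)
    findings = []
    for name, password in RESOURCE_RE.findall(context_xml):
        placeholder = PLACEHOLDER_RE.fullmatch(password)
        if placeholder is None:
            findings.append(f"{name}: literal password in context.xml")
        elif ENC_RE.match(props.get(placeholder.group(1), "")):
            findings.append(f"{name}: encrypted via {placeholder.group(1)}")
        else:
            findings.append(f"{name}: placeholder {placeholder.group(1)} is not ENC()-wrapped")
    # ENC() only helps if the key is not readable on the same host (the talk's core point)
    for path, body in startup_files.items():
        if KEY_EXPORT_RE.search(body):
            findings.append(f"decryption key exported in {path} (same host as ciphertext)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONTEXT_XML, CATALINA_PROPERTIES, {"/etc/profile": ETC_PROFILE})))
```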
  • 33. OTHER NOTES
 $ ./encrypt.sh input=passwrod password=1
 ----ENVIRONMENT-----------------
 Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.131-b11
 ----ARGUMENTS-------------------
 input: passwrod
 password: 1
 ----OUTPUT----------------------
 S4siv8IPYClnMPCg8GwNYzKZotISf78U
 Jasypt does not enforce the length of the secret key.
  • 34. IT'S BETTER THAN NO ENCRYPTION [https://wiki.apache.org/tomcat/FAQ/Password]