SlideShare a Scribd company logo

Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf

D
drewz lin
Technology
1 of 24
Defeating XSS and XSRF with JSF Frameworks
About Me Steve Wolf Vice President, Application Security AsTech Consulting, Inc. steve.wolf@astechconsulting.com www.astechconsulting.com OWASP Chapter Lead – Sacramento, CA steve.wolf@owasp.org www.linkedin.com/in/swolf530/ Hosted by OWASP & the NYC Chapter
JSF Based Frameworks Oracle/Java Reference Implementation Apache MyFaces Family Other Third Party Build your own Hosted by OWASP & the NYC Chapter
Cross Site Scripting Hacker Favorite Persistent XSS Non-persistent XSS Hosted by OWASP & the NYC Chapter
Preventing Cross Site Scripting Validate ALL User Input Context Appropriate Encoding Protect the Cookies Hosted by OWASP & the NYC Chapter
JSF Based Frameworks Validation Frameworks Context Appropriate Encoding Anti-Samy Input Filters Web Application Firewalls Hosted by OWASP & the NYC Chapter
JSF Validation Framework JSF 2.2 Server Side Validation Pre-defined Validation Mechanisms Custom Validators Hosted by OWASP & the NYC Chapter
Pre-defined Validators LongRange Validator <h:inputText id=“num1" value="#{myDataBean.num1}"> <f:validateLongRange minimum="10" maximum="133" /> </h:inputText> <h:message for=“num1" style="color:red" /><br/> Hosted by OWASP & the NYC Chapter
Other Pre-defined Validators LengthValidator <f:validateLength minimum="5" maximum="10" /> DoubleRangeValidator <f:validateDoubleRange minimum="10.11" maximum="1000.11”/> RegexValidator <f:validateRegex pattern="((?=.*[a-z])(?=.*[A-Z]))" /> RequiredValidator <f:validateRequired /> Date Time Validator <f:convertDateTime pattern="d-M-yyy"/> Hosted by OWASP & the NYC Chapter
Custom Validators Validator Class Public class EmailValidator implements Validator { public void validate(FacesContext context, UIComponent component, Object value) throws ValidatorException { matcher = "^[_A-Za-z0-9-]+(." + "[_A-Za-z0-9-]+)*@[A-Za-z0-9]+(.[A-Za-z0-9]+)*" + "(.[A-Za-z]{2,})$"; if(!matcher.matches()){ FacesMessage msg = new FacesMessage("E-mail validation failed.", "Invalid E-mail format."); msg.setSeverity(FacesMessage.SEVERITY_ERROR); throw new ValidatorException(msg); } } } Hosted by OWASP & the NYC Chapter
Custom Validators Info.xhtml <h:panelGrid columns="3"> Enter your email : <h:inputText id="email" value="#{user.email}" size="20" required="true" label="Email Address"> <f:validator validatorId="com.myvalidators.EmailValidator" /> </h:inputText> <h:message for="email" style="color:red" /> </h:panelGrid> Hosted by OWASP & the NYC Chapter
Output Encoding JSF 1.1 Literal text output <h:outputText value="#{user.name}" /> JSF 2.0 Literal text output using EL #{user.name} Encoding turned off <h:outputText value="#{user.name}" escape="false" /> Hosted by OWASP & the NYC Chapter
Another Technique Jboss SeamTextParser <s:formattedText value=“<b>#{user.name}</b>” /> Hosted by OWASP & the NYC Chapter
Some Early Flaws Select Items Renderer <f:selectItems value=“#{bean.selectItems}” var="obj" itemValue="#{obj}" itemLabel="#{obj.name}"/> JSF Version 1.2 before 1.2_08 Some tags were not rendering escape=true by default. Websphere JSF Widget Library before 7.0.0.10 TreeControl and ResourceServlet allowing XSS. GlassFish Admin Console 2.1 Injection via query string on some pages. Apache MyFaces Tomhawk before 1.1.6 Injections in autoscroll parameter. Hosted by OWASP & the NYC Chapter
Cross Site Request Forgery Tricks the Browser into Sending Requests Susceptible Pages are those that Alter Data Inherits Identity and Privileges of the Victim Usually Initiated through Fiche or XSS Hosted by OWASP & the NYC Chapter
Cross Site Request Forgery Full Protection in JSF 2.2 Post vs. Get Protecting the View State Some earlier JSF based Frameworks Hosted by OWASP & the NYC Chapter
Protecting a Postback Request Post is always Protected Non-Postback Require Config Hosted by OWASP & the NYC Chapter
Protecting a non-Postback Request faces-config.xml <protected-views> <url-pattern>my_protected_page.xhtml</url-pattern> </protected-views> Hosted by OWASP & the NYC Chapter
Protecting a non-Postback Request URL when Calling the Protected Page http://localhost/faces/my_protected_page.xhtml?javax .faces.Token=98791798361565472309342 Hosted by OWASP & the NYC Chapter
Using JSF 2.2 Built-in Protection web.xml <env-entry> <env-entry-name> com.sun.faces.ClientStateSavingPassword </env-entry-name> <env-entry-type>java.lang.String</env-entry-type> <env-entry-value>MY_PASSWORD</env-entry-value> </env-entry> Hosted by OWASP & the NYC Chapter
Encrypting MyFaces Viewstate web.xml <context-param> <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name> <param-value>true</param-value> </context-param> <context-param> <param-name>org.apache.myfaces.ALGORITHM</param-name> <param-value>AES</param-value> </context-param> Hosted by OWASP & the NYC Chapter
Be Informed About the Implementation Implementations Differ Doc is Not always Good Unit Test your Implementation Corporate Standards Hosted by OWASP & the NYC Chapter
Wrap-up JSF Validation Framework Output Encoding Protect the View State Hosted by OWASP & the NYC Chapter
Defeating XSS and XSRF with JSF Steve Wolf Vice President, Application Security AsTech Consulting, Inc. steve.wolf@astechconsulting.com www.astechconsulting.com OWASP Chapter Lead – Sacramento, CA steve.wolf@owasp.org www.linkedin.com/in/swolf530/ Hosted by OWASP & the NYC Chapter

Recommended

Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
nyccamp
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
Prakashchand Suthar
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
Rahul
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
Nahidul Kibria
 

Recommended

Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
nyccamp
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
OWASP Khartoum
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
Prakashchand Suthar
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
Rahul
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
Nahidul Kibria
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
GreenD0g
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationNguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
Eoin Keary
 
XSS
XSSXSS
XSS
Hrishikesh Mishra
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
Mindfire Solutions
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
Frank Kim
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
Denis Kolegov
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
Adam Caudill
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
Markus Eisele
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
Philippe De Ryck
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
Katy Slemon
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF
1N3
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
dzhengo44
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
OmprakashVerma56
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
n|u - The Open Security Community
 

More Related Content

What's hot

Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 

What's hot (20)

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web applicationNguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
XSS
XSSXSS
XSS
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Java script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers GroupJava script, security and you - Tri-Cities Javascript Developers Group
Java script, security and you - Tri-Cities Javascript Developers Group
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Java EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFishJava EE 6 Security in practice with GlassFish
Java EE 6 Security in practice with GlassFish
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
 
Securing your AngularJS Application
Securing your AngularJS ApplicationSecuring your AngularJS Application
Securing your AngularJS Application
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
 

Similar to Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf

Sichere Web-Applikationen am Beispiel von Django
Sichere Web-Applikationen am Beispiel von DjangoSichere Web-Applikationen am Beispiel von Django
Sichere Web-Applikationen am Beispiel von Django
Markus Zapke-Gründemann
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Shreeraj Shah
 
Devoxx UK 2013 Test-Driven Development with JavaEE 7, Arquillian and Embedded...
Devoxx UK 2013 Test-Driven Development with JavaEE 7, Arquillian and Embedded...Devoxx UK 2013 Test-Driven Development with JavaEE 7, Arquillian and Embedded...
Devoxx UK 2013 Test-Driven Development with JavaEE 7, Arquillian and Embedded...
Peter Pilgrim
 

Similar to Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf (20)

WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
 
Sichere Web-Applikationen am Beispiel von Django
Sichere Web-Applikationen am Beispiel von DjangoSichere Web-Applikationen am Beispiel von Django
Sichere Web-Applikationen am Beispiel von Django
 
Java ist doch schon sicher?!
Java ist doch schon sicher?!Java ist doch schon sicher?!
Java ist doch schon sicher?!
 
XSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkearyXSS Defence with @manicode and @eoinkeary
XSS Defence with @manicode and @eoinkeary
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Architecture of Professionals.az
Architecture of Professionals.azArchitecture of Professionals.az
Architecture of Professionals.az
 
Securing JSF Applications Against the OWASP Top Ten
Securing JSF Applications Against the OWASP Top TenSecuring JSF Applications Against the OWASP Top Ten
Securing JSF Applications Against the OWASP Top Ten
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
In The Brain of Cagatay Civici: Exploring JavaServer Faces 2.0 and PrimeFaces
In The Brain of Cagatay Civici: Exploring JavaServer Faces 2.0 and PrimeFaces In The Brain of Cagatay Civici: Exploring JavaServer Faces 2.0 and PrimeFaces
In The Brain of Cagatay Civici: Exploring JavaServer Faces 2.0 and PrimeFaces
 
Xss frame work
Xss frame workXss frame work
Xss frame work
 
Node.js vs Play Framework
Node.js vs Play FrameworkNode.js vs Play Framework
Node.js vs Play Framework
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
Defending against application level DoS attacks
Defending against application level DoS attacksDefending against application level DoS attacks
Defending against application level DoS attacks
 
Web application
Web applicationWeb application
Web application
 
Devoxx UK 2013 Test-Driven Development with JavaEE 7, Arquillian and Embedded...
Devoxx UK 2013 Test-Driven Development with JavaEE 7, Arquillian and Embedded...Devoxx UK 2013 Test-Driven Development with JavaEE 7, Arquillian and Embedded...
Devoxx UK 2013 Test-Driven Development with JavaEE 7, Arquillian and Embedded...
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Jsfsunum
JsfsunumJsfsunum
Jsfsunum
 

More from drewz lin

Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
drewz lin
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
drewz lin
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
drewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
drewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
drewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
drewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
drewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
drewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
drewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
drewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
drewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
drewz lin
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
drewz lin
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
drewz lin
 
天猫后端技术架构优化实践
天猫后端技术架构优化实践天猫后端技术架构优化实践
天猫后端技术架构优化实践
drewz lin
 
天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电
drewz lin
 

More from drewz lin (20)

Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
 
天猫后端技术架构优化实践
天猫后端技术架构优化实践天猫后端技术架构优化实践
天猫后端技术架构优化实践
 
天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电天猫大促性能测试实践 耿电
天猫大促性能测试实践 耿电
 

Recently uploaded

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Recently uploaded (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf

  • 1. Defeating XSS and XSRF with JSF Frameworks
  • 2. About Me Steve Wolf Vice President, Application Security AsTech Consulting, Inc. steve.wolf@astechconsulting.com www.astechconsulting.com OWASP Chapter Lead – Sacramento, CA steve.wolf@owasp.org www.linkedin.com/in/swolf530/ Hosted by OWASP & the NYC Chapter
  • 3. JSF Based Frameworks Oracle/Java Reference Implementation Apache MyFaces Family Other Third Party Build your own Hosted by OWASP & the NYC Chapter
  • 4. Cross Site Scripting Hacker Favorite Persistent XSS Non-persistent XSS Hosted by OWASP & the NYC Chapter
  • 5. Preventing Cross Site Scripting Validate ALL User Input Context Appropriate Encoding Protect the Cookies Hosted by OWASP & the NYC Chapter
  • 6. JSF Based Frameworks Validation Frameworks Context Appropriate Encoding Anti-Samy Input Filters Web Application Firewalls Hosted by OWASP & the NYC Chapter
  • 7. JSF Validation Framework JSF 2.2 Server Side Validation Pre-defined Validation Mechanisms Custom Validators Hosted by OWASP & the NYC Chapter
  • 8. Pre-defined Validators LongRange Validator <h:inputText id=“num1" value="#{myDataBean.num1}"> <f:validateLongRange minimum="10" maximum="133" /> </h:inputText> <h:message for=“num1" style="color:red" /><br/> Hosted by OWASP & the NYC Chapter
  • 9. Other Pre-defined Validators LengthValidator <f:validateLength minimum="5" maximum="10" /> DoubleRangeValidator <f:validateDoubleRange minimum="10.11" maximum="1000.11”/> RegexValidator <f:validateRegex pattern="((?=.*[a-z])(?=.*[A-Z]))" /> RequiredValidator <f:validateRequired /> Date Time Validator <f:convertDateTime pattern="d-M-yyy"/> Hosted by OWASP & the NYC Chapter
  • 10. Custom Validators Validator Class Public class EmailValidator implements Validator { public void validate(FacesContext context, UIComponent component, Object value) throws ValidatorException { matcher = "^[_A-Za-z0-9-]+(." + "[_A-Za-z0-9-]+)*@[A-Za-z0-9]+(.[A-Za-z0-9]+)*" + "(.[A-Za-z]{2,})$"; if(!matcher.matches()){ FacesMessage msg = new FacesMessage("E-mail validation failed.", "Invalid E-mail format."); msg.setSeverity(FacesMessage.SEVERITY_ERROR); throw new ValidatorException(msg); } } } Hosted by OWASP & the NYC Chapter
  • 11. Custom Validators Info.xhtml <h:panelGrid columns="3"> Enter your email : <h:inputText id="email" value="#{user.email}" size="20" required="true" label="Email Address"> <f:validator validatorId="com.myvalidators.EmailValidator" /> </h:inputText> <h:message for="email" style="color:red" /> </h:panelGrid> Hosted by OWASP & the NYC Chapter
  • 12. Output Encoding JSF 1.1 Literal text output <h:outputText value="#{user.name}" /> JSF 2.0 Literal text output using EL #{user.name} Encoding turned off <h:outputText value="#{user.name}" escape="false" /> Hosted by OWASP & the NYC Chapter
  • 13. Another Technique Jboss SeamTextParser <s:formattedText value=“<b>#{user.name}</b>” /> Hosted by OWASP & the NYC Chapter
  • 14. Some Early Flaws Select Items Renderer <f:selectItems value=“#{bean.selectItems}” var="obj" itemValue="#{obj}" itemLabel="#{obj.name}"/> JSF Version 1.2 before 1.2_08 Some tags were not rendering escape=true by default. Websphere JSF Widget Library before 7.0.0.10 TreeControl and ResourceServlet allowing XSS. GlassFish Admin Console 2.1 Injection via query string on some pages. Apache MyFaces Tomhawk before 1.1.6 Injections in autoscroll parameter. Hosted by OWASP & the NYC Chapter
  • 15. Cross Site Request Forgery Tricks the Browser into Sending Requests Susceptible Pages are those that Alter Data Inherits Identity and Privileges of the Victim Usually Initiated through Fiche or XSS Hosted by OWASP & the NYC Chapter
  • 16. Cross Site Request Forgery Full Protection in JSF 2.2 Post vs. Get Protecting the View State Some earlier JSF based Frameworks Hosted by OWASP & the NYC Chapter
  • 17. Protecting a Postback Request Post is always Protected Non-Postback Require Config Hosted by OWASP & the NYC Chapter
  • 18. Protecting a non-Postback Request faces-config.xml <protected-views> <url-pattern>my_protected_page.xhtml</url-pattern> </protected-views> Hosted by OWASP & the NYC Chapter
  • 19. Protecting a non-Postback Request URL when Calling the Protected Page http://localhost/faces/my_protected_page.xhtml?javax .faces.Token=98791798361565472309342 Hosted by OWASP & the NYC Chapter
  • 20. Using JSF 2.2 Built-in Protection web.xml <env-entry> <env-entry-name> com.sun.faces.ClientStateSavingPassword </env-entry-name> <env-entry-type>java.lang.String</env-entry-type> <env-entry-value>MY_PASSWORD</env-entry-value> </env-entry> Hosted by OWASP & the NYC Chapter
  • 22. Be Informed About the Implementation Implementations Differ Doc is Not always Good Unit Test your Implementation Corporate Standards Hosted by OWASP & the NYC Chapter
  • 23. Wrap-up JSF Validation Framework Output Encoding Protect the View State Hosted by OWASP & the NYC Chapter
  • 24. Defeating XSS and XSRF with JSF Steve Wolf Vice President, Application Security AsTech Consulting, Inc. steve.wolf@astechconsulting.com www.astechconsulting.com OWASP Chapter Lead – Sacramento, CA steve.wolf@owasp.org www.linkedin.com/in/swolf530/ Hosted by OWASP & the NYC Chapter