Java application security the hard way – a workshop for the serious developer
Speaker: Brian Vermeer @brianverm & Steve Poole
For more blog posts, see The Oracle Code One table of contents
- In 2016, cybercrime was estimated to be worth slightly more than the illicit drug trade
- Cybercrime has less risk than drugs. Rarely get caught. And if do get caught, harder to prosecute.
- Cybercrime is growing faster than drugs.
- Cybercrime estimated to quadruple between 2016 and 2019. And to triple again between 2020 and 2021.
- Illicit drug trade is linear/capped.
- Cybercrime worth about $600 for every person on the planet through tools you rely on.
- 2017 – Equifax Struts 2 – Remote Code Injection. Discovered July 29, 2017. But the exploit started months prior. The fix for the vulnerability had been out since March 5. On March 5th, attackers started probing the system for weaknesses.
- With vulnerabilities can: steal your data, change your data, crash your systems, use your compute power and use your system to get to another
- Hard to spot vulnerabilities – missing code, off by one errors
- Exploits are chained vulnerabilities
- CVEs can be vague so as not to provide instructions on how to reverse engineer an exploit
- How do you know you are connected to the wifi you expect?
- How do you know the USB charger you have is yours and not one that has been modified?
- How do you know a free power charger is just charging your phone and not attacking it?
- In some countries, hotels are designed so only one place convenient to use laptop and they have a camera angled at it.
- Fixing is easy. Everything else is not – How many people affected? How long? How bad?
- Every time you add flexibility, you add opportunity
Tools for attackers
- Google filetype:action to learn which apps are using Struts
- Browser developer tools return information, e.g. response headers including the web server (unless you change the config)
- https://www.shodan.io – search by IP. Used for IoT devices. Can also type keywords like “java”. Information comes from default response headers.
- https://exploits.shodan.io/welcome – Can search exploits (pre-written attack; just provide IP). And filter by platform.
- https://www.wappalyzer.com – plugin to learn about website
- https://www.cvedetails.com – search CVEs and see details. Just like it sounds
- Note: https://snyk.io/blog/10-java-security-best-practices/
- Demo: SQL Injection
- taking parameter in String query vs using PreparedStatement/bind variables
- SQL Injection still #1 in OWASP top 10 vulnerabilities
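The two query styles from the demo side by side, as an added example that is not the workshop's own code. It assumes an open JDBC Connection `conn` to a hypothetical table `users(name, email)`; the injected string in main() is a constructed sample.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Added example, not the workshop's demo code. `conn` is assumed to be an open
// JDBC Connection to a hypothetical table users(name, email).
public class UserLookup {

    // VULNERABLE: the value is pasted into the SQL text. A quote character in the
    // input closes the string literal, so the rest of the input becomes SQL syntax.
    static String buildQueryUnsafe(String name) {
        return "SELECT email FROM users WHERE name = '" + name + "'";
    }

    public static List<String> findUnsafe(Connection conn, String name) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildQueryUnsafe(name))) {
            while (rs.next()) {
                emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    // SAFE: the SQL text is fixed and the value travels as a bind variable. The
    // driver sends it separately from the statement, so it can only ever be
    // compared literally against the name column.
    public static List<String> findSafe(Connection conn, String name) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        }
        return emails;
    }

    public static void main(String[] args) {
        // Constructed input: the leading quote closes the literal and the rest
        // becomes a tautology, so the concatenated query matches every row.
        String injected = "x' OR '1'='1";
        System.out.println(buildQueryUnsafe(injected));
        // With findSafe, the same string is just a name nobody has, and no row matches.
    }
}
```

Running main() needs no database; it only shows the query text the unsafe version would send. The structural point is that with PreparedStatement the statement shape is fixed before any user data is seen, so no input can add clauses.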
- Demo: XXE (XML External Entity Processing)
- <!ENTITY xxe SYSTEM "file:///etc/passwd">]> and <a>&xxe;</a>
- Each XML parser has different way of turning off external general entities
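How to switch off external entities for the JDK's DOM parser, as an added example rather than the workshop's demo code. The XML payload is a constructed document of the shape shown above; the feature names are the standard ones the JDK's built-in parser accepts, and other parsers (SAX, StAX, JAXB) have their own switches.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example, not the workshop's demo code. Uses only the JDK.
public class SafeXmlParser {

    // Constructed payload of the shape shown in the demo: declares an entity that
    // points at a local file and references it from an element.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE a [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n" +
        "<a>&xxe;</a>";

    // Hardened factory for the JDK's built-in DOM parser.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest setting: refuse any DOCTYPE at all, so no entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // If a DOCTYPE must be allowed, at least disable both kinds of external entity
        // and the fetching of external DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Document parse(DocumentBuilder builder, String xml) throws Exception {
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parse(hardenedBuilder(), XXE_DOC);
            System.out.println("parsed without error (should not happen with the hardened factory)");
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the parser stops at the DOCTYPE line,
            // before the entity is ever declared, let alone resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With a default `DocumentBuilderFactory.newInstance()` the same document parses and the `<a>` element's text becomes the contents of the referenced file; the hardened factory throws at the DOCTYPE. Keep the remaining features set even when DOCTYPEs are refused, so that a later relaxation of the first line does not silently reopen the hole.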
- Demo: JSON marshalling
- Don’t trust everyone who can see the log
- Also, laws against having plain text credit card info
- Project Lombok can automatically generate a toString() that includes sensitive fields. Annotate fields to exclude them from the Lombok toString() with @ToString.Exclude
- Also Jackson writeValueAsString() writes out all fields. Easy to send to the front end by accident. Has @JsonIgnore annotation to solve this.
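The Lombok and Jackson annotations from the demo on one class, as an added example that is not the workshop's code. It assumes Lombok (with its annotation processor enabled at compile time) and Jackson Databind on the classpath; the Account class and its sample values are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.ToString;

// Added example, not the workshop's demo code. Assumes Lombok and Jackson Databind
// on the classpath; Account and its values are constructed for the example.
public class AccountSerialization {

    @Getter
    @AllArgsConstructor
    @ToString  // Lombok generates toString() over every field unless told otherwise
    public static class Account {
        private final String username;
        private final String email;

        @ToString.Exclude  // keeps it out of any "saved " + account log line
        @JsonIgnore        // keeps it out of ObjectMapper output sent to the front end
        private final String cardNumber;

        @ToString.Exclude
        @JsonIgnore
        private final String passwordHash;
    }

    public static String toJson(Account account) throws JsonProcessingException {
        return new ObjectMapper().writeValueAsString(account);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the card number is a well-known test number.
        Account account = new Account("alice", "alice@example.com",
                "4111111111111111", "$2a$12$placeholder-bcrypt-hash");
        // What a log statement such as log.info("saved {}", account) would record:
        System.out.println(account);
        // What a REST endpoint returning the object would send to the browser:
        System.out.println(toJson(account));
    }
}
```

With the two exclusion annotations removed, both printed lines carry the card number and the password hash; with them in place only username and email appear. The annotations sit on the field, and Jackson merges field annotations with the Lombok-generated getter for the same property, so no separate annotation on the getter is needed.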
- Demo: Authentication
- Don’t do yourself unless have to. Better to use an existing provider
- Use strong crypto hashes – they consume a lot of power/CPU so brute forcing is less likely. BCrypt or scrypt. Provided with Spring Security
- Password encryption should be fast, but not too fast.
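Hashing and verifying a password with the BCrypt encoder Spring Security ships, plus a timing loop to see what "fast, but not too fast" means for the work factor. This is an added example, not the workshop's code; it assumes spring-security-crypto on the classpath, and the sample password is constructed.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example, not the workshop's demo code. Assumes spring-security-crypto
// on the classpath.
public class PasswordHashing {

    // Work factor 12: cost grows as 2^strength. Raise it as hardware gets faster.
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    // A fresh random salt is generated on every call and stored inside the
    // returned string together with the work factor, so nothing else is needed
    // to verify later.
    public static String hash(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // Reads salt and work factor back out of storedHash, recomputes, compares.
    public static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    // Milliseconds for one hash at the given work factor: what a login costs
    // the server and, multiplied by the number of guesses, what a brute force costs.
    public static long millisPerHash(int strength, String sample) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
        long t0 = System.nanoTime();
        encoder.encode(sample);
        return (System.nanoTime() - t0) / 1_000_000;
    }

    public static void main(String[] args) {
        String stored = hash("correct horse battery staple");   // constructed sample
        System.out.println(stored);
        System.out.println("right password: " + verify("correct horse battery staple", stored));
        System.out.println("wrong password: " + verify("wrong", stored));
        for (int strength : new int[] {4, 10, 12, 14}) {
            System.out.println("strength " + strength + ": " + millisPerHash(strength, "sample") + " ms");
        }
    }
}
```

Each step of the work factor roughly doubles the time in the last loop; pick the largest value your login latency budget tolerates. Because the work factor is stored in the hash, existing hashes keep verifying after you raise it for new ones.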
- You write a small fraction of your app.
- Much is open source that is well known and written by Pivotal (Spring), Apache, etc. Trusted providers
- Attackers are targeting open source – one vulnerability, many victims
- Demo: Struts
- Inject code in the Content-Type header. Contains OGNL. Injects code including a /bin/bash command
- The bad header is published so effort is low for attackers
- Upload a file to replace a native JDK file by using ..\..\…
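A file-name check that stops the "..\..\" style of upload from landing outside the upload directory, as an added example that is not the workshop's code. UPLOAD_ROOT is a hypothetical directory and the names in main() are constructed test inputs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.regex.Pattern;

// Added example, not the workshop's demo code. UPLOAD_ROOT is a hypothetical
// directory; the file names in main() are constructed test inputs.
public class UploadStore {

    static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    // Plain file names only: no separators, no leading dot, bounded length.
    static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    // Turn a client-supplied name into a path that is guaranteed to sit inside
    // UPLOAD_ROOT, or throw. Two independent checks: the name must look like a
    // bare file name, and the resolved, normalised path must still start with
    // the root (normalize() collapses "." and ".." segments before the check).
    public static Path safeTarget(String clientFileName) {
        if (clientFileName == null || !SAFE_NAME.matcher(clientFileName).matches()) {
            throw new IllegalArgumentException("rejected file name: " + clientFileName);
        }
        Path target = UPLOAD_ROOT.resolve(clientFileName).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root: " + clientFileName);
        }
        return target;
    }

    // CREATE_NEW fails if the file already exists, so an upload can never
    // overwrite an existing file even if a later change weakens the name check.
    public static Path store(String clientFileName, byte[] data) throws IOException {
        Path target = safeTarget(clientFileName);
        Files.createDirectories(UPLOAD_ROOT);
        return Files.write(target, data, StandardOpenOption.CREATE_NEW);
    }

    public static void main(String[] args) {
        String[] samples = {
            "report.pdf",
            "../../../../opt/jdk/lib/libplaceholder.so",  // Unix-style traversal
            "..\\..\\..\\placeholder.dll",                 // Windows-style traversal
            "/etc/placeholder",                            // absolute path
            ".hidden"
        };
        for (String name : samples) {
            try {
                System.out.println("accepted " + name + " -> " + safeTarget(name));
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted. The whitelist alone would be enough for these inputs; the `startsWith` check is kept as a second, independent layer, and `CREATE_NEW` as a third, which is the "compartmentalize" idea applied to one code path.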
- We think like good guys. Need to think how to break out of the safe parts.
- Regex backtracking can use a lot of computing power
- Node.js app only has one thread
- If regex is using up CPU, nothing else happens
- Temporary denial of service
- Test with a long matching string and a long non-matching string
- Expensive if in cloud because pay for CPU/scaling
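The test the speakers recommend, carried out on a regex with a nested quantifier: time it against a long matching string and a long non-matching string, next to an equivalent pattern without nesting. Added example, not the workshop's code; the patterns and inputs are constructed.

```java
import java.util.regex.Pattern;

// Added example, not the workshop's demo code: time a regex with a nested
// quantifier against the two kinds of input the speakers suggest trying.
public class RegexBacktracking {

    // Nested quantifier: the a's can be split between the inner and outer
    // repetitions in exponentially many ways, and on a failed match the engine
    // tries every one of them before giving up.
    static final Pattern NESTED = Pattern.compile("^(a+)+$");

    // Same language, one quantifier: there is only one way to consume the a's,
    // so a failed match is found after a single pass.
    static final Pattern FLAT = Pattern.compile("^a+$");

    static String repeat(char c, int n) {
        StringBuilder sb = new StringBuilder(n);
        for (int i = 0; i < n; i++) {
            sb.append(c);
        }
        return sb.toString();
    }

    // Microseconds for one matches() call.
    public static long micros(Pattern p, String input) {
        long t0 = System.nanoTime();
        p.matcher(input).matches();
        return (System.nanoTime() - t0) / 1_000;
    }

    public static void main(String[] args) {
        System.out.println("  n   nested/match   nested/nomatch     flat/nomatch   (us)");
        for (int n = 14; n <= 24; n += 2) {
            String matching = repeat('a', n);
            String nonMatching = matching + "!";  // one trailing character breaks the anchor
            System.out.printf("%3d %14d %16d %16d%n", n,
                    micros(NESTED, matching),
                    micros(NESTED, nonMatching),
                    micros(FLAT, nonMatching));
        }
    }
}
```

The nested/nomatch column roughly doubles with every extra character while the other two stay flat; a few more characters than the loop tries would keep a thread busy for minutes. The defences are the ones the notes imply: avoid nested quantifiers over overlapping character sets, cap the length of input before it reaches a regex, and run this kind of two-input test on every pattern that touches user data.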
- On average, takes 2.5 years before vulnerability is found/exposed
- NPM has most packages indexed in last year (by a large margin). Maven Central is second.
- Need to look at: yourself, your code and the code you depend on
- Encrypt your laptop so a thief doesn’t get passwords/keys if it is stolen
- Don’t reuse passwords
- Two factor authentication
- Use password manager
- Randomly generate password
- You have to maintain/support it as the developer
- Open source dependencies have elevated privileges
- Solution: Team culture + process + tooling
- Use tooling to make right process unobtrusive
- It doesn’t matter what tooling, it matters that you use it
- Test dependencies for issues before commit
Types of Security Issues
- Time and state – unexpected interaction
- Errors – ex: line number in error message gives insight into library in use
- API abuse – use not as intended
- Code quality – if you can’t understand it, how do you know how it works?
- Security features – authentication, access control, confidentiality, cryptography, privilege management
- Encapsulation – lack of encapsulation for critical data
- Input validation & representation – metacharacters, alternate encodings, numeric representations. Trusting input
- Environment – everything outside source code
- Keep libraries current
- Learn about secure coding
- Compartmentalize – data, code, access controls, etc
- Design for intrusion – review levels of “helpfulness” and flexibility
- Learn more about security tools and services.
- Learn about penetration testing
- Understanding that making your development life easier makes the hacker’s job easier.
Free book/report: https://www.ibm.com/downloads/cas/G3L0EPOL
Great start to the morning. A mix of review and new (to me). Also, useful to have a “the world is a scary place” reminder. Helps motivate to do the right thing!