REST Security with JAX-RS, JavaOne 2013. Frank Kim, SANS Institute (presentation transcript)

Slide 1: REST Security with JAX-RS, JavaOne 2013

Slide 2: About
Frank Kim, SANS Institute
- Curriculum Lead, Application Security
- Author, Secure Coding in Java

Slide 3: Outline
- Authentication
- Encryption
- Validation
- Wrap Up

Slide 4: Authentication
- Process of establishing and verifying an identity
- Can be based on three factors
  - Something you know
  - Something you have
  - Something you are

Slide 5: Java EE Authentication
- Configuration in web.xml
- Example: every URL requires the user or admin role, and authentication uses a FORM login page:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>user</role-name>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
      </form-login-config>
    </login-config>

Slide 6: JAX-RS SecurityContext
- getAuthenticationScheme()
  - Returns a String naming the authentication scheme used to protect the resource: BASIC, FORM, CLIENT_CERT
- getUserPrincipal()
  - Returns a Principal object containing the username
- isUserInRole(String role)
  - Returns a boolean indicating whether the user has the specified logical role

Slide 7: Photo Sharing Site Demo

Slide 8: Photo Sharing Site API

    {
      "photos": [
        { "id": "1", "name": "photo1.jpg" },
        { "id": "3", "name": "photo3.jpg" },
        { "id": "5", "name": "photo5.jpg" }
      ]
    }

Slide 9: Issues
- Userid/password authentication is fine
  - If the API is used only by your site
- But what if your API needs to be used by
  - Other web apps
  - Mobile apps
  - Native apps
- Do you want these apps to
  - Have your password?
  - Have full access to your account?

Slide 10

Slide 11: OAuth
- Way to authenticate a service
  - Valet key metaphor coined by Eran Hammer-Lahav
- Authorization token with limited rights
  - You agree which rights are granted
  - You can revoke rights at any time
  - Can gracefully upgrade rights if needed

Slide 12: OAuth Roles
- User: the person using the app; also known as the "resource owner"
- Client: the photo printing service called Tonr
- Server: the photo sharing service called Sparklr; also known as the "resource server"

Slide 13: Simplified OAuth Flow (User, Client = Tonr photo printing service, Server = Sparklr photo sharing service)
1) You log in to Tonr
2) Tonr needs pictures to print and redirects you to Sparklr's login page
3) You log in to Sparklr directly

Slide 14: Simplified OAuth Flow (continued)
4) Sparklr returns an OAuth "access token"
5) Tonr stores the "access token" with your account
6) You are happy printing and viewing your pictures

Slide 15: Photo Printing Site Demo

Slide 16: Detailed OAuth Flow
1) Via browser: Tonr starts the OAuth process
  - Once you click the "Authorize" button, the browser sends:

    client_id=tonr&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T

Slide 18: Detailed OAuth Flow
2) Via browser: Sparklr redirects back to Tonr with

    code=cOuBX6&state=92G53T

Slide 19: Detailed OAuth Flow
3) Via "Client": Tonr sends an OAuth request to Sparklr using its client id/password (Base64-encoded in the Basic Authorization header)

Request:

    POST /sparklr2/oauth/token HTTP/1.1
    Authorization: Basic dG9ucjpzZWNyZXQ=

    grant_type=authorization_code&code=cOuBX6&redirect_uri=http://www.tonr.com:8080/tonr2/sparklr/photos

Response:

    {"access_token":"5881ce86-3ed a6b-42aef1068dfb",
     "token_type":"bearer","expires_in":"42528",
     "scope":"read write"}

Slide 23: Detailed OAuth Flow
4) Via "Client": Tonr gets pictures from Sparklr. All requests include:

    Authorization: Bearer 5881ce86-3ed a6b-42aef1068dfb

Slide 24: When to Use OAuth
- Use OAuth for consuming APIs from
  - Third-party web apps
  - Mobile apps
  - Native apps
- Don't need to use OAuth
  - If the API is only consumed by the user within the same web app
  - If APIs are only consumed server to server

Slide 25: Benefits
- No passwords shared between web apps
- No passwords stored on mobile devices
- Limits the impact of security incidents
  - If Tonr gets hacked, Sparklr revokes OAuth access
  - If Sparklr gets hacked, you change your Sparklr password but don't have to do anything on Tonr
  - If you lose your mobile device, you revoke the access Sparklr gave to the Tonr mobile app

Slide 26: OAuth Versions

    Version   Comments
    1.0       - Has a security flaw related to session fixation
              - Don't use it
    1.0a      - Stable and well understood
              - Uses a signature to exchange credentials and signs every request
              - Signatures are more of a pain than it seems
    2.0       - Spec is final with good support

Slide 27: OAuth 2.0 Authorization Grant Types

    Grant Type                           Description
    Authorization Code                   - Optimized for confidential clients
                                         - Uses an authorization code from the Server
                                         - User doesn't see the access token
    Implicit Grant                       - Optimized for script-heavy web apps
                                         - Does not use an authorization code from the Server
                                         - User can see the access token
    Resource Owner Password Credentials  - Use in cases where the User trusts the Client
                                         - Exposes User credentials to the Client
    Client Credentials                   - Client gets an access token based on Client credentials only

Slide 28: OAuth 2.0 Access Token Types
- Bearer
  - Large random token
  - Need SSL to protect it in transit
  - Server needs to store it securely hashed, like a user password
- MAC
  - Uses a nonce to prevent replay
  - Does not require SSL
  - OAuth 1.0 only supported a MAC-type token

Slide 29: Outline
- Authentication
- Encryption
- Validation
- Wrap Up

Slides 30-32: Session Hijacking (diagram: Victim and Attacker on the same public WiFi network, mybank.com across the Internet)
1) Victim goes to mybank.com via HTTP
2) Attacker sniffs the public WiFi network and steals the JSESSIONID
3) Attacker uses the stolen JSESSIONID to access the victim's session

Slide 33: Enable SSL in web.xml
- Example: a CONFIDENTIAL transport guarantee on every URL makes the container redirect plain HTTP requests to HTTPS:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Slide 34: JAX-RS SecurityContext
- isSecure()
  - Returns a boolean indicating whether the request was made via HTTPS

Slide 35: Secure Flag
- Ensures that the cookie is only sent via SSL
- Configure in web.xml as of Servlet 3.0:

    <session-config>
      <cookie-config>
        <secure>true</secure>
      </cookie-config>
    </session-config>

- Programmatically:

    Cookie cookie = new Cookie("mycookie", "test");
    cookie.setSecure(true);

Slide 36: Strict-Transport-Security
- Tells the browser to only talk to the server via HTTPS
  - The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
  - Subsequent requests to HTTP automatically use HTTPS
- Supported browsers
  - Implemented in Firefox and Chrome
  - Defined in RFC 6797

    Strict-Transport-Security: max-age=<seconds> [; includeSubDomains]
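The three transport protections in this section (reject plaintext requests with isSecure(), mark cookies Secure, send Strict-Transport-Security) can be applied in one place. The following is an added example, not code from the presentation: a pair of JAX-RS 2.0 filters plus a cookie helper. The class name, the one-year max-age and the cookie path are assumptions; the API calls are standard JAX-RS 2.0.

```java
// Added example (not from the presentation). Assumptions: the class name,
// a one-year HSTS max-age, and "/" as the cookie path.
import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching   // run before resource matching so no resource method sees a plaintext request
public class TransportSecurityFilter implements ContainerRequestFilter, ContainerResponseFilter {

    private static final long ONE_YEAR_SECONDS = 31536000L;

    /** Request side: SecurityContext.isSecure() is false for requests that did not arrive over HTTPS. */
    @Override
    public void filter(ContainerRequestContext request) throws IOException {
        if (!request.getSecurityContext().isSecure()) {
            // Abort here; returning a redirect would expose whatever the client already sent.
            request.abortWith(Response.status(Response.Status.FORBIDDEN)
                .entity("HTTPS required").build());
        }
    }

    /** Response side: add the RFC 6797 header. Browsers only honour it on HTTPS responses. */
    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response)
            throws IOException {
        if (request.getSecurityContext().isSecure()) {
            response.getHeaders().putSingle("Strict-Transport-Security",
                "max-age=" + ONE_YEAR_SECONDS + "; includeSubDomains");
        }
    }

    /** Builds a cookie the browser will send back only over HTTPS (and never expose to script). */
    public static NewCookie secureCookie(String name, String value) {
        // NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly)
        return new NewCookie(name, value, "/", null, null, NewCookie.DEFAULT_MAX_AGE, true, true);
    }
}
```

A resource adds the cookie with Response.ok(...).cookie(secureCookie("mycookie", "test")); the NewCookie form is the JAX-RS equivalent of the servlet Cookie.setSecure(true) shown on slide 35.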

Slide 37: Outline
- Authentication
- Encryption
- Validation
- Wrap Up

Slide 38: Restrict Input
- Restrict to POST
  - @POST annotation
- Restrict the Content-Type
  - @Consumes annotation
  - An invalid Content-Type results in HTTP 415 Unsupported Media Type
- Restrict to Ajax if applicable
  - Check for the X-Requested-With: XMLHttpRequest header
- Restrict response types
  - Check the Accept header for valid response types
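Here is an added example (not from the presentation) of a resource method that applies all four restrictions. JAX-RS enforces the first, second and fourth itself from the annotations (wrong method: 405, wrong Content-Type: 415, unacceptable Accept: 406); the X-Requested-With check is written by hand because it is not part of JAX-RS matching. The class name, the /oneliners path and the 140-character limit are assumptions.

```java
// Added example (not from the presentation). Assumptions: the class name,
// the /oneliners path and the 140-character limit on a one-liner.
import java.io.StringReader;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.ws.rs.Consumes;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/oneliners")
public class OneLinerResource {

    @POST                                    // GET / HEAD / PUT cannot reach this method (405)
    @Consumes(MediaType.APPLICATION_JSON)    // form posts and text/plain are rejected with 415
    @Produces(MediaType.APPLICATION_JSON)    // Accept: text/html is rejected with 406
    public Response create(@HeaderParam("X-Requested-With") String requestedWith,
                           String body) {
        // A plain HTML form cannot set custom headers, so requiring this header
        // keeps the forged form post shown in the CSRF section from reaching the handler.
        if (!"XMLHttpRequest".equals(requestedWith)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        JsonObject message;
        try {
            message = Json.createReader(new StringReader(body)).readObject();
        } catch (JsonException e) {
            return Response.status(Response.Status.BAD_REQUEST).entity("malformed JSON").build();
        }
        String oneLiner = message.getString("oneLiner", "");
        if (oneLiner.isEmpty() || oneLiner.length() > 140) {
            return Response.status(Response.Status.BAD_REQUEST).entity("invalid oneLiner").build();
        }
        // ... persist the one-liner for the authenticated user ...
        return Response.status(Response.Status.CREATED).entity(message.toString()).build();
    }
}
```

Parsing the body as a string and then with the JSON-P reader, rather than binding it automatically, also rejects the "}//=dummy" trailer that the JSON CSRF demo later relies on: the trailing characters make the document invalid JSON, so the request ends with 400 before any business logic runs.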

Slide 39: Cross-Site Request Forgery (CSRF) (diagram: Victim browser, mybank.com, attacker.com)
1) Victim signs on to mybank
2) Victim visits attacker.com
3) Page contains CSRF code: a hidden form that attacker.com submits with document.forms[0].submit()
4) Browser sends the request to mybank, with the victim's cookie attached automatically:

    POST /transfer.jsp HTTP/1.1
    Cookie: <victim's mybank session cookie>

    recipient=attacker&amount=1000

Slide 40: CSRF and OAuth 2.0
- How can an attacker use CSRF to take over your account?
  - Many sites allow logins from third-party identity providers like Facebook
  - Many identity providers use OAuth
  - The attacker can automatically associate your account with an attacker-controlled Facebook account

Slide 41: OAuth CSRF Research
- Accounts at many sites could be taken over using OAuth CSRF
  - Stack Exchange, woot.com, IMDB, Goodreads, SoundCloud, Pinterest, Groupon, Foursquare, SlideShare, Kickstarter, and others
- Research by Rich Lundeen: can-use-to-take-over-accounts
- Prior research by Stephen Sclafani

Slide 42: OAuth CSRF Attack Flow
1) Create an attacker-controlled Facebook account
2) Victim is signed on to the provider account (e.g. Stack Exchange)
3) Lure the victim into visiting an evil site with OAuth CSRF code
  - The CSRF code sends the OAuth authorization request
4) The attacker's Facebook account now controls the victim's provider account

Slide 43: Image: Linking Stack Exchange with an Evil Facebook Account

Slide 44: CSRF Protection
- The spec defines a "state" parameter that must be included in the redirect to the Client
  - The value must be non-guessable and tied to the session
- Client sends "state" to Server:

    client_id=tonr&redirect_uri=http://www.eviltonr.com:8080/tonr2/sparklr/photos&response_type=code&scope=read write&state=92G53T

- Server sends "state" back to Client after authorization:

    code=cOuBX6&state=92G53T
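The following is an added example (not from the presentation and not the Tonr sample's code) of the Client side of this check: a random state value is generated and bound to the user's session before the redirect to the Server, and the callback refuses any code whose state does not match the stored one. The servlet class names, the Sparklr authorize URL and the session attribute name are assumptions; client_id, redirect_uri and scope are the values from the slides.

```java
// Added example (not from the presentation). Assumptions: the servlet names,
// the Sparklr authorize URL and the "oauth.state" session attribute.
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SparklrAuthorizeServlet extends HttpServlet {
    private static final String AUTHORIZE_URL = "https://sparklr.example:8443/sparklr2/oauth/authorize"; // assumed
    private static final String REDIRECT_URI = "http://www.tonr.com:8080/tonr2/sparklr/photos";
    private static final String STATE_ATTR = "oauth.state";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Creates an unguessable state value (128 bits) and ties it to this user's session. */
    static String newState(HttpSession session) {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        session.setAttribute(STATE_ATTR, state);
        return state;
    }

    /** Compares the returned state with the stored one; the stored value is consumed either way. */
    static boolean stateMatches(HttpSession session, String returned) {
        Object expected = session.getAttribute(STATE_ATTR);
        session.removeAttribute(STATE_ATTR);           // one-shot: a replayed callback fails
        if (expected == null || returned == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.toString().getBytes(StandardCharsets.UTF_8),
                                     returned.getBytes(StandardCharsets.UTF_8));
    }

    /** Step 1: send the browser to Sparklr with the state included in the request. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String state = newState(req.getSession(true));
        String url = AUTHORIZE_URL
            + "?client_id=tonr"
            + "&redirect_uri=" + URLEncoder.encode(REDIRECT_URI, "UTF-8")
            + "&response_type=code"
            + "&scope=" + URLEncoder.encode("read write", "UTF-8")
            + "&state=" + state;
        resp.sendRedirect(url);
    }
}

/** Step 2: Sparklr redirects back with code and state; anything whose state does not match is refused. */
class SparklrCallbackServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        HttpSession session = req.getSession(false);
        if (session == null || !SparklrAuthorizeServlet.stateMatches(session, req.getParameter("state"))) {
            // A forged or replayed callback: do not exchange the code and do not link any account.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "OAuth state mismatch");
            return;
        }
        String code = req.getParameter("code");
        // ... exchange "code" for an access token (step 3) and store it with this user's account ...
    }
}
```

Because the state lives in the victim's own session, a link planted on an evil site cannot supply a matching value: the attacker never sees the victim's session and the value is consumed on first use.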

Slide 45: OAuth CSRF Protection Demo

Slide 46: OWASP 1-Liner
- Deliberately vulnerable application
  - Intended for demos and training
  - Created by John
- More information at https://www.owasp.org/index.php/OWASP_1-Liner

Slide 47: JSON CSRF Demo

Slide 48: Normal JSON Message

    {"id":0,"nickName":"John",
     "oneLiner":"I LOVE Java!",
     "timestamp":" T17:04:23"}

Slide 49: Forged JSON Message (the whole document is sent as a form field name, with "dummy" as its value)

    {"id": 0, "nickName": "John", "oneLiner": "I hate Java!", "timestamp": " "}//=dummy

Slides 50-51: CSRF Attack Form

Slide 53: CSRF Defense
- Must include something random in the request
  - Use an anti-CSRF token
- OWASP CSRFGuard
  - Written by Eric
  - Can inject the anti-CSRF token using
    - a JSP tag library, for manual, fine-grained protection
    - JavaScript DOM manipulation, for automated protection requiring minimal effort
  - Filter that intercepts requests and validates tokens

Slide 54: CSRFGuard JSP Tags
- Tags for token name and value:

    <input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>

- Tag for the name/value pair (delimited with "="):

    <a href="protect.html?<csrf:token/>">protect.html</a>

- Convenience tags for forms and links as well: <csrf:form> and <csrf:a>

Examples from https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection

Slide 55: CSRFGuard DOM Manipulation
- Include the JavaScript in every page that needs CSRF protection
- The JavaScript hooks the open and send methods of XMLHttpRequest:

    XMLHttpRequest.prototype._open = XMLHttpRequest.prototype.open;
    XMLHttpRequest.prototype.open = function(method, url, async, user, pass) {
        // store a copy of the target URL
        this.url = url;
        this._open.apply(this, arguments);
    };

    XMLHttpRequest.prototype._send = XMLHttpRequest.prototype.send;
    XMLHttpRequest.prototype.send = function(data) {
        if (this.onsend != null) {
            // call custom onsend method to modify the request
            this.onsend.apply(this, arguments);
        }
        this._send.apply(this, arguments);
    };

Slide 56: Protecting XHR Requests
- CSRFGuard sends two HTTP headers on every protected request:

    XMLHttpRequest.prototype.onsend = function(data) {
        // isValidUrl() comes from CSRFGuard's injected script and decides
        // whether this target URL should carry the token
        if (isValidUrl(this.url)) {
            this.setRequestHeader("X-Requested-With", "OWASP CSRFGuard Project");
            this.setRequestHeader("OWASP_CSRFTOKEN", "EDTF-U8O6-J91L-RZOW-4X09-KEXB-K9B3-4OIV");
        }
    };

Slide 57: JSON CSRF Protection Demo

Slide 58: Outline
- Authentication
- Encryption
- Validation
- Wrap Up

Slide 59: Summary
- Authentication
  - Can use userid/password for services consumed by your app
  - Use OAuth for third-party web apps and mobile apps
- Encryption
  - Use SSL
  - Use the Secure flag
  - Use the Strict-Transport-Security header
- Validation
  - Restrict input
  - Protect your apps against CSRF

Slide 60: Thanks! Frank

Slide 61

Slide 62: References
- JAX-RS 2.0: https://jax-rs-spec.java.net/nonav/2.0/apidocs
- OAuth 2.0 Specification
- Spring Security OAuth
- OAuth: The Big Picture
- OAuth CSRF issues
- OWASP 1-Liner: https://www.owasp.org/index.php/OWASP_1-Liner
- CSRFGuard: https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
