Post on 22-Jan-2018
transcript
SECURE INTO THE CLOUD WITH ANGULAR AND SPRING BOOT
9 MAY 2017

ANDREAS FALK
http://www.novatec-gmbh.de
andreas.falk@novatec-gmbh.de
@NT_AQE, @andifalk

ARCHITECTURE / THREAT MODEL
Topics: SQL Injection, CSRF, XSS, OWASP, OAuth2, OpenID Connect, Abuser Stories, Authentication, Authorization, Secure Coding, Security Testing, SSO, DoS, Sensitive Data, Data Privacy, Crypto, Code Reviews, Threat Modeling, Architecture, Dependencies, DAST, SAML, SAST, DevSecOps

Covered here: SQL Injection, CSRF, XSS, OWASP, OAuth2, OpenID Connect, Authentication, Authorization, Secure Coding, Security Testing
APPLICATION SECURITY VERIFICATION STANDARD / PROACTIVE CONTROLS
https://github.com/OWASP/ASVS
https://www.owasp.org/index.php/OWASP_Proactive_Controls
ANGULAR

AngularJS = Angular 1
Angular = Angular 2.x, 4.x, 5.x, ...
A3: CROSS-SITE SCRIPTING (XSS)

ANGULARJS SECURITY
https://angularjs.blogspot.de/2016/09/angular-16-expression-sandbox-removal.html
ANGULAR SECURITY
“...The basic idea is to implement automatic, secure escaping for all values that can reach the DOM... By default, with no specific action for developers, Angular apps must be secure...”
https://github.com/angular/angular/issues/8511
ANGULAR XSS PROTECTION
Angular template = safe
Input values = unsafe
ANGULAR COMPONENT (TYPESCRIPT)
import { Component } from '@angular/core';

@Component({
  selector: 'app-root',
  templateUrl: 'app.component.html',
  styleUrls: ['app.component.css']
})
export class AppComponent {
  // Untrusted value: HTML-encoded in an interpolation, sanitized in an [innerHTML] binding
  untrustedHtml: string = '<em><script>alert("hello")</script></em>';
}
ANGULAR TEMPLATE (HTML BINDINGS)
<h2>Binding of potentially dangerous HTML snippets</h2>
<!-- Interpolation: the value is HTML-encoded and rendered as text -->
<h3>Encoded HTML snippet</h3>
<h3 class="trusted">{{untrustedHtml}}</h3>
<!-- Property binding to innerHTML: the value is sanitized, the <script> element is stripped -->
<h3>Sanitized HTML snippet</h3>
<h3 class="trusted" [innerHTML]="untrustedHtml"></h3>
UNSAFE ANGULAR APIS
ElementRef: direct access to the DOM!
DomSanitizer: deactivates the XSS protection!
Do NOT use!
https://angular.io/docs/ts/latest

DEMO
BACKEND

A1: INJECTION
SPRING MVC + SPRING DATA JPA: PREVENT INJECTIONS USING BEAN VALIDATION
@Entity
public class Person extends AbstractPersistable<Long> {

    // Allow-list pattern: only letters, digits, hyphen and space, 1 to 30 characters
    @NotNull
    @Pattern(regexp = "^[A-Za-z0-9- ]{1,30}$")
    private String lastName;

    // Stored by enum name, so only the defined constants are accepted
    @NotNull
    @Enumerated(EnumType.STRING)
    private GenderEnum gender;
    ...
}
SPRING DATA JPA: PREVENT SQL INJECTION USING PREPARED STATEMENTS
// Named parameters are bound by the JPA provider; user input never becomes part of the query string
@Query("select u from User u where u.username = :username and u.password = :password")
User findByUsernameAndPassword(@Param("username") String username,
                               @Param("password") String password);
A8: CROSS-SITE REQUEST FORGERY (CSRF)

DOUBLE SUBMIT CSRF TOKEN
SPRING SECURITY: SECURE BY DEFAULT
Authentication required for all HTTP endpoints
Session fixation protection
Session cookie (HttpOnly, Secure)
CSRF protection
Security response headers
SPRING SECURITY CSRF CONFIGURATION: ANGULAR SUPPORT
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        …
        // Store the CSRF token in a cookie readable by JavaScript (HttpOnly=false),
        // so the Angular client can echo it back in the X-XSRF-TOKEN header
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
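The double submit check behind the configuration above, as an added example that is not part of the original slides or of Spring Security: a server-side validation in TypeScript that models what Spring Security does with the XSRF-TOKEN cookie set by CookieCsrfTokenRepository.withHttpOnlyFalse() and the X-XSRF-TOKEN header that Angular's HttpClient adds from that cookie. The request shape, cookie and token values are constructed for this example.

```typescript
import { timingSafeEqual } from "crypto";

// Default names used by Spring's CookieCsrfTokenRepository and Angular's HttpClient.
const CSRF_COOKIE = "XSRF-TOKEN";
const CSRF_HEADER = "x-xsrf-token"; // header names are handled lower-cased here

// Methods Spring Security leaves unprotected (they must not change state).
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Minimal request model, constructed for this example (header names lower-cased).
export interface Request {
  method: string;
  headers: Record<string, string>;
}

export type CsrfResult = "ok" | "missing-cookie" | "missing-header" | "mismatch";

// Parse a Cookie header ("a=1; b=2") into name/value pairs.
export function parseCookies(header: string | undefined): Map<string, string> {
  const cookies = new Map<string, string>();
  for (const part of (header ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) cookies.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return cookies;
}

// Constant-time comparison so a mismatch does not reveal how many bytes matched.
function equalTokens(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Double submit check: the browser attaches the cookie to every request, including one
// forged by another site, but only same-origin script can read the cookie (hence
// HttpOnly=false) and echo it in the header, so cookie and header must match.
export function csrfCheck(req: Request): CsrfResult {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return "ok";
  const cookieToken = parseCookies(req.headers["cookie"]).get(CSRF_COOKIE);
  if (!cookieToken) return "missing-cookie";
  const headerToken = req.headers[CSRF_HEADER];
  if (!headerToken) return "missing-header";
  return equalTokens(cookieToken, headerToken) ? "ok" : "mismatch";
}

// Constructed sample requests: the Angular client echoes the token, a forged
// cross-site form post carries only the cookie.
export const fromAngular: Request = {
  method: "POST",
  headers: { cookie: "JSESSIONID=abc123; XSRF-TOKEN=t0k3n-from-cookie", "x-xsrf-token": "t0k3n-from-cookie" },
};
export const forgedCrossSite: Request = {
  method: "POST",
  headers: { cookie: "JSESSIONID=abc123; XSRF-TOKEN=t0k3n-from-cookie" },
};
```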
WHO AM I?
A2: BROKEN AUTHENTICATION AND SESSION MANAGEMENT
A10: UNDERPROTECTED APIS
AUTHENTICATION (STATEFUL OR STATELESS?)
                     Session Cookie                    Token (Bearer, JWT)
Sent                 With each request                 Manually as header
CSRF                 Potential CSRF!                   No CSRF possible
Persistence          Persisted when unloading the DOM  No automatic persistence
Domains              One domain                        Cross domain (CORS)
Transport            Sensitive information (HTTPS)     Sensitive information (HTTPS)
OAUTH 2

OPENID CONNECT
OAUTH 2 / OPENID CONNECT RESOURCE SERVER
@EnableResourceServer
@Configuration
public class OAuth2Configuration {

    @Bean
    public JwtAccessTokenConverterConfigurer jwtAccessTokenConverterConfigurer() {
        return new MyJwtConfigurer(...);
    }

    // Customizes how the JWT access token is verified and converted
    static class MyJwtConfigurer implements JwtAccessTokenConverterConfigurer {
        @Override
        public void configure(JwtAccessTokenConverter converter) {...}
    }
}
OAuth 2.0 Threat Model and Security Considerations (RFC 6819)
IMPLICIT GRANT
Implicit Client Implementer’s Guide
OAuth 2.0 Threat Model and Security Considerations (RFC 6819)
CLIENT CREDENTIALS GRANT

RESOURCE OWNER (PASSWORD CREDENTIALS) GRANT: DO NOT USE!
WHAT CAN I ACCESS?
A4: BROKEN ACCESS CONTROL
A10: UNDERPROTECTED APIS
AUTHORIZATION OF REST API: ROLE BASED
public class UserBoundaryService {

    // Only callers holding role ADMIN may list all users
    @PreAuthorize("hasRole('ADMIN')")
    public List<User> findAllUsers() {...}
}
AUTHORIZATION OF REST API: PERMISSION BASED
public class TaskBoundaryService {

    // Delegates to a PermissionEvaluator: may the caller WRITE the TASK with this id?
    @PreAuthorize("hasPermission(#taskId, 'TASK', 'WRITE')")
    public Task findTask(UUID taskId) {...}
}
AUTHORIZATION OF REST API: INTEGRATION TEST
public class AuthorizationIntegrationTest {

    // An ADMIN may call findAllUsers()
    @WithMockUser(roles = "ADMIN")
    @Test
    public void verifyFindAllUsersAuthorized() {...}

    // A plain USER is rejected with an AccessDeniedException
    @WithMockUser(roles = "USER")
    @Test(expected = AccessDeniedException.class)
    public void verifyFindAllUsersUnauthorized() {...}
}

DEMO
WHAT ABOUT THE CLOUD?

GOOD OLD FRIENDS ... AND MORE ...
CSRF, XSS, SQL Injection, Session Fixation, Vulnerable Dependencies, Weak Passwords, Broken Authorization, Sensitive Data Exposure
Distributed DoS
Economic DoS
WEAK PASSWORDS

SO WHAT HAS BEEN CHANGED IN THE CLOUD?
ROTATE, REPAIR, REPAVE (JUSTIN SMITH)
“What if every server inside my datacenter had a maximum lifetime of two hours? This approach would frustrate malware writers...”
WHAT ABOUT APPLICATION CONFIGURATION AND SENSITIVE DATA IN THE CLOUD?
MANAGE DISTRIBUTED CONFIGURATION AND SECRETS WITH SPRING CLOUD AND VAULT
Friday 19th May, 2017, 6:00pm to 6:50pm
ONE MORE THING...

A7: INSUFFICIENT ATTACK PROTECTION
http://www.novatec-gmbh.de
http://blog.novatec-gmbh.de
andreas.falk@novatec-gmbh.de
@NT_AQE, @andifalk