Defeating XSS and XSRF with JSF
Frameworks
About Me

Steve Wolf
Vice President, Application Security
AsTech Consulting, Inc.
steve.wolf@astechconsulting.com
www.astechconsulting.com
OWASP Chapter Lead – Sacramento, CA
steve.wolf@owasp.org
www.linkedin.com/in/swolf530/

Hosted by OWASP & the NYC Chapter
JSF Based Frameworks
Oracle/Java Reference Implementation
Apache MyFaces Family
Other Third Party
Build your own

Cross Site Scripting
Hacker Favorite
Persistent XSS
Non-persistent XSS

Preventing Cross Site Scripting
Validate ALL User Input
Context Appropriate Encoding
Protect the Cookies

JSF Based Frameworks
Validation Frameworks
Context Appropriate Encoding
Anti-Samy Input Filters
Web Application Firewalls

JSF Validation Framework
JSF 2.2 Server Side Validation
Pre-defined Validation Mechanisms
Custom Validators

Pre-defined Validators
LongRange Validator
<h:inputText id="num1" value="#{myDataBean.num1}">
<f:validateLongRange minimum="10" maximum="133" />
</h:inputText>
<h:message for="num1" style="color:red" /><br/>

Other Pre-defined Validators
LengthValidator
<f:validateLength minimum="5" maximum="10" />

DoubleRangeValidator
<f:validateDoubleRange minimum="10.11" maximum="1000.11"/>

RegexValidator
<f:validateRegex pattern="((?=.*[a-z])(?=.*[A-Z]))" />

RequiredValidator
<f:validateRequired />

Date Time Converter (a converter, not a validator: input that does not parse is rejected before validation runs)
<f:convertDateTime pattern="d-M-yyyy"/>

Custom Validators
Validator Class
import java.util.regex.Pattern;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

// Registered under the id that <f:validator validatorId="..."> references in the view
@FacesValidator("com.myvalidators.EmailValidator")
public class EmailValidator implements Validator {
    // Dots must be escaped: an unescaped "." matches any character and the check is useless
    private static final Pattern EMAIL = Pattern.compile(
        "^[_A-Za-z0-9-]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$");

    public void validate(FacesContext context, UIComponent component, Object value)
            throws ValidatorException {
        // required="true" on the component already rejects empty input
        if (value == null) {
            return;
        }
        if (!EMAIL.matcher(value.toString()).matches()) {
            FacesMessage msg = new FacesMessage("E-mail validation failed.", "Invalid E-mail format.");
            msg.setSeverity(FacesMessage.SEVERITY_ERROR);
            throw new ValidatorException(msg);
        }
    }
}

Custom Validators
Info.xhtml
<h:panelGrid columns="3">
Enter your email :
<h:inputText id="email" value="#{user.email}"
size="20" required="true" label="Email Address">
<f:validator
validatorId="com.myvalidators.EmailValidator" />
</h:inputText>
<h:message for="email" style="color:red" />
</h:panelGrid>

Output Encoding
JSF 1.1 Literal text output (HTML-escaped by default, escape="true")
<h:outputText value="#{user.name}" />

JSF 2.0 Literal text output using EL (also HTML-escaped by default)
#{user.name}

Encoding turned off (the value is written verbatim; only for markup you generated yourself)
<h:outputText value="#{user.name}" escape="false" />
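As an added example (not code from the slides or from any JSF implementation), the plain-Java program below mirrors what the renderer does for `<h:outputText>` with the default escape="true" and shows why the earlier point about context appropriate encoding matters. HTML entity encoding neutralizes a script tag in element content and in a quoted attribute, but the same value placed inside a JavaScript string in an onclick attribute needs JavaScript string encoding first, because the browser decodes the HTML entities in the attribute before the script engine sees it. The two escape functions and the payload list are assumptions written for this demonstration; in production use a maintained library such as the OWASP Java Encoder for the JavaScript context.

```java
import java.util.Arrays;
import java.util.List;

public class OutputEncodingDemo {

    // Element-content encoding, equivalent to what h:outputText escape="true" applies.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // JavaScript string-literal encoding (demonstration only, not JSF API): every
    // non-alphanumeric ASCII character becomes \xHH, so the value cannot close the
    // quote, the script block, or the attribute it is embedded in.
    static String jsStringEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() * 4);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    // Constructed payloads: element-content XSS, attribute break-out, JS-string break-out.
    static final List<String> PAYLOADS = Arrays.asList(
            "<script>alert(document.cookie)</script>",
            "\" onmouseover=\"alert(1)",
            "'; alert(1); //");

    public static void main(String[] args) {
        for (String name : PAYLOADS) {
            // escape="false": written verbatim, the markup executes.
            System.out.println("escape=false : <span>" + name + "</span>");
            // escape="true": safe in element content and in a quoted HTML attribute.
            System.out.println("escape=true  : <span>" + htmlEscape(name) + "</span>");
            // Wrong context: the browser turns &#39; back into ' inside the attribute,
            // so the third payload still terminates the JavaScript string.
            System.out.println("html in js   : <a onclick=\"greet('" + htmlEscape(name) + "')\">");
            // Right context: JS-string-encode first, then HTML-encode for the attribute.
            System.out.println("js then html : <a onclick=\"greet('"
                    + htmlEscape(jsStringEscape(name)) + "')\">");
            System.out.println();
        }
    }
}
```

Compile and run with `javac OutputEncodingDemo.java && java OutputEncodingDemo`; the "html in js" line for the third payload is the one to compare against "js then html".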

Another Technique
Jboss SeamTextParser
<s:formattedText value="<b>#{user.name}</b>" />

Some Early Flaws
Select Items Renderer
<f:selectItems value="#{bean.selectItems}" var="obj"
itemValue="#{obj}" itemLabel="#{obj.name}"/>

JSF Version 1.2 before 1.2_08
Some tags were not rendering escape=true by default.

Websphere JSF Widget Library before 7.0.0.10
TreeControl and ResourceServlet allowing XSS.

GlassFish Admin Console 2.1
Injection via query string on some pages.

Apache MyFaces Tomahawk before 1.1.6
Injection via the autoscroll parameter.
Cross Site Request Forgery
Tricks the Browser into Sending Requests
Susceptible Pages are those that Alter Data
Inherits Identity and Privileges of the Victim
Usually Initiated through Phishing or XSS

Cross Site Request Forgery
Full Protection in JSF 2.2
Post vs. Get
Protecting the View State
Some earlier JSF based Frameworks

Protecting a Postback Request

Postbacks (POST with javax.faces.ViewState) are always Protected
Non-Postback Requests (GET) Require Config

Protecting a non-Postback Request
faces-config.xml
<protected-views>
<url-pattern>my_protected_page.xhtml</url-pattern>
</protected-views>

Protecting a non-Postback Request
URL when Calling the Protected Page
http://localhost/faces/my_protected_page.xhtml?javax.faces.Token=98791798361565472309342

Using JSF 2.2 Built-in Protection
web.xml
<env-entry>
<env-entry-name>
com.sun.faces.ClientStateSavingPassword
</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>MY_PASSWORD</env-entry-value>
</env-entry>

Encrypting MyFaces Viewstate
web.xml
<context-param>
<param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.ALGORITHM</param-name>
<param-value>AES</param-value>
</context-param>

Be Informed About the Implementation

Implementations Differ
Doc is Not always Good
Unit Test your Implementation
Corporate Standards
Wrap-up

JSF Validation Framework
Output Encoding
Protect the View State

Defeating XSS and XSRF with JSF
Steve Wolf
Vice President, Application Security
AsTech Consulting, Inc.
steve.wolf@astechconsulting.com
www.astechconsulting.com
OWASP Chapter Lead – Sacramento, CA
steve.wolf@owasp.org
www.linkedin.com/in/swolf530/
