Re: [WEB SECURITY] How to Create Secure Web Applications with Struts
- From: Dinis Cruz <dinis@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] How to Create Secure Web Applications with Struts
- Date: Tue, 21 Mar 2006 09:47:52 -0500
Pilon, how are you analysing the struts xml files?

I wrote a quick xslt transformation that allowed me to see them in a nice format (in html tables)

Let me know if you think that will be useful to you and I will post it online

Dinis

----------------------------------------
From: Pilon Mntry <pilonmntry@yahoo.com>
Sent: 21 March 2006 09:40
To: dinis.cruz@ddplus.net
Subject: Re: [WEB SECURITY] How to Create Secure Web Applications with Struts

Hi Dinis,

> if the presentation is on the client side (ala
> AJAX ...

Well, when I wrote "presentation layer" I meant the one at the server side (since the issue was Struts), but of course, you are right that when AJAX or alike is employed then there remains one (secure) validation.

> For example, I did an audit to a struts based Java
> App which had massive Authorization problems ...

And I'm doing one right now :). When a developer uses Struts Validator on a parameter with positive approach (let's say [a-zA-Z0-9]), then it would be hard to convince him to do another validation in his business logic for SQL injection.

-pilon

--- Dinis Cruz wrote:

> Pilon, when you say:
>
> > However, with this approach when positive validation (whitelist) is used, there probably will be
> > unnecessary double validation: one in presentation layer and the other in business layer. But I guess,
> > that's one should pay for extensibility and security sake.
>
> if the presentation is on the client side (ala AJAX), then there is only one security validation (since the one done at client side has no security relevance and doesn't count :)
>
> Also note that doing data validation far away from the business logic (i.e. the presentation layer) can introduce massive exploitable blind spots
>
> For example, I did an audit to a struts based Java App which had massive Authorization problems (and some data validation issues too)
>
> Dinis Cruz
> Owasp .Net Project
> www.owasp.net
>
> ----------------------------------------
> From: Pilon Mntry
> Sent: 21 March 2006 07:36
> To: Stephen de Vries
> Subject: Re: [WEB SECURITY] How to Create Secure Web Applications with Struts
>
> > It may not be a big issue, but I think it's important to understand how choosing the web tier as a security provider could impact the extensibility of the app down the line.
>
> Nice comment. In owasp guide it goes like this;
>
> "...the web / presentation tier should validate for web related issues, persistence layers should validate for persistence issues such as SQL / HQL injection, directory lookups should check for LDAP injection, and so on."
>
> However, with this approach when positive validation (whitelist) is used, there probably will be unnecessary double validation: one in presentation layer and the other in business layer. But I guess, that's one should pay for extensibility and security sake.
>
> And this is for data validation only. Authorization is another issue...
>
> And nice article by the way.
>
> -pilon
>
> --- Stephen de Vries wrote:
>
> > Great article!
> >
> > It did make me think of a particular architectural issue which seems to be cropping up more and more; that is, the impact that implementing security in the web tier has on the future extensibility of the app.
> >
> > For applications that were designed as web apps and will continue to only be web apps for the rest of their lives, this shouldn't impact much on the extensibility of the apps. If the validation rules or access control requirements change, these can easily be changed in the web tier (and as you've shown Struts makes it really easy, because it's all declarative). But if the application needs to be extensible, e.g. must have a fat client down the road or must expose web services, then any security implemented in the web tier would have to be re-implemented in all the other facades. To be truly extensible applications should implement security functionality in the business tier so that any changes to the presentation technology (or new technologies) don't impact the core functionality. E.g. for classic J2EE technologies this would mean implementing access control on the EJB's themselves rather than in the web tier. This is also the approach taken by the Spring framework: both access control and input validation are tied to the beans that form the middle tier, not the presentation.
> >
> > It may not be a big issue, but I think it's important to understand how choosing the web tier as a security provider could impact the extensibility of the app down the line.
> >
> > 2p
> >
> > Stephen
> >
> > On 20 Mar 2006, at 02:44, bugtraq@cgisecurity.net wrote:
> >
> > > "This article will focus on developing secure Web applications with the popular Java framework Struts. It will detail a set of best practices using the included security mechanisms. The first section will provide an overview of both Struts and Web application security as a context for discussion. Each subsequent section will focus on a specific security principle and discuss how Struts can be leveraged to address it."
> > >
> > > http://be.sys-con.com/read/192434.htm
> > >
> > > - zeno
> > > http://www.cgisecurity.com/ Application Security News, and more!
> > > http://www.cgisecurity.com/index.rss [RSS Feed]
> > >
> > > ----------------------------------------------------------------------
> > > The Web Security Mailing List
> > > http://www.webappsec.org/lists/websecurity/
> > >
> > > The Web Security Mailing List Archives
> > > http://www.webappsec.org/lists/websecurity/archive/
> >
> > --
> > Stephen de Vries
> > Corsaire Ltd
> > E-mail: stephen@corsaire.com
> > Tel: +44 1483 226014
> > Fax: +44 1483 226068
> > Web: http://www.corsaire.com
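The thread's point, that a whitelist applied by the Struts Validator in the web tier is no substitute for a defence inside the business and persistence tiers, is easiest to see in code. The Java class below is an added example written for this archive page; it is not code from any of the thread's participants, from Struts, or from the OWASP guide. The class name AccountService, the accounts table with its username column, and the 32-character length cap on the whitelist are all assumptions made for the illustration. Every facade (a Struts action, a web service, a fat client) is expected to call the same service, so the input check and the parameterised query travel with the business object rather than with the presentation technology.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/**
 * Hypothetical business-tier service (not Struts or OWASP code). Every facade
 * must go through this class, so neither the whitelist nor the SQL-injection
 * defence depends on the request having passed through the web tier.
 */
public final class AccountService {

    // Same positive (whitelist) rule a Struts Validator mask would enforce in the
    // web tier; repeated here because a web-service or fat-client facade never
    // passes through Struts. The {1,32} length cap is an assumption for this example.
    private static final Pattern USERNAME = Pattern.compile("^[a-zA-Z0-9]{1,32}$");

    private final Connection db;

    public AccountService(Connection db) {
        this.db = db;
    }

    /** Business-tier whitelist check: rejects anything a non-web caller skipped. */
    static boolean isValidUsername(String username) {
        return username != null && USERNAME.matcher(username).matches();
    }

    /**
     * Persistence-layer defence that stands on its own: the value is bound as a
     * parameter and never becomes part of the SQL text, so the query is safe
     * even if the whitelist above were relaxed to admit names like o'brien.
     * The 'accounts' table and 'username' column are assumed for this example.
     */
    public boolean accountExists(String username) throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("username fails business-tier whitelist");
        }
        String sql = "SELECT 1 FROM accounts WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /**
     * The blind spot the thread describes: string concatenation that is only
     * safe while every caller happens to be the whitelisting web tier. Kept here
     * beside the parameterised version to show what a business-tier review
     * should flag; it performs no validation of its own.
     */
    @Deprecated
    public boolean accountExistsConcatenated(String username) throws SQLException {
        String sql = "SELECT 1 FROM accounts WHERE username = '" + username + "'";
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Stand-alone check of the whitelist only (no database connection needed).
    public static void main(String[] args) {
        System.out.println("alice01 -> " + isValidUsername("alice01"));
        System.out.println("o'brien -> " + isValidUsername("o'brien"));
        System.out.println("bob;--  -> " + isValidUsername("bob;--"));
    }
}
```

The design choice mirrors Stephen's argument: because AccountService owns both the whitelist and the PreparedStatement, adding a SOAP endpoint or a desktop client later does not require re-implementing either check in the new facade, and Pilon's "double validation" becomes a cheap regex match rather than a second copy of the security logic. Note that the whitelist also rejects legitimate input such as o'brien, which is exactly why the persistence tier relies on parameter binding rather than on the character class to keep the query safe.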
Brought to you by http://www.webappsec.org