Tomcat Webapp Security Presentation


Tomcat Webapp
Security
Jason Brittain
Software Architect, Mulesoft
Co-author, Tomcat: The Definitive Guide
HTTP Request Model Vulnerabilities
• Request Parameters
- XSS
- CSRF
- HTML Injection
- SQL Injection
• Request Headers
• Request URI
• Container-Level vs. Webapp-Level Filtering
How to Write Secure Webapps
• Use only HTTPS and disable small key length ciphers
• Distrust and sanitize all input from the client
• Filter for CSRF (Enable the CsrfPreventionFilter)
• Filter for XSS (Enable the BadInputFilter)
http://www.sf.net/projects/catnip
• Generally secure Tomcat
• Enable the Tomcat security manager and customize catalina.policy
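As an added example of the CSRF point above (not a fragment from the slides), this is the WEB-INF/web.xml declaration that turns on Tomcat's bundled org.apache.catalina.filters.CsrfPreventionFilter for one webapp. The entry-point paths and the nonce cache size are assumptions for an imaginary webapp.

```xml
<!-- Added example: enable Tomcat's CSRF filter for this webapp. -->
<filter>
  <filter-name>CsrfPreventionFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <!-- Pages a user may reach without already holding a nonce (assumed paths). -->
  <init-param>
    <param-name>entryPoints</param-name>
    <param-value>/index.jsp,/login.jsp</param-value>
  </init-param>
  <!-- How many recent nonces per session stay valid (for multiple tabs). -->
  <init-param>
    <param-name>nonceCacheSize</param-name>
    <param-value>5</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CsrfPreventionFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The filter wraps the response so that every URL passed through HttpServletResponse.encodeURL() or encodeRedirectURL() (which JSTL's <c:url> does for you) carries a per-session nonce parameter, and any request to a non-entry-point URL that lacks a valid nonce is refused with a 403. It therefore only protects a webapp whose links and form actions are all built through those calls; a hand-written href="/orders/delete" bypasses it.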
Scanning Tools and Remediation
• Tools
• Process
Scanning Tools and Remediation (cont)
• Commercial scanning tools:
- IBM Rational AppScan
- HP WebInspect
- Acunetix Web Vulnerability Scanner
• Open Source:
- Ratproxy
Scanning Tools and Remediation (cont)
• Process for removing vulnerabilities:
1. Scan
2. Investigate Reported Vulnerabilities
3. Fix vulnerability
4. Goto 1.
HTTP Caching and Security
• Browser Cache
• Proxy Cache
import javax.servlet.http.HttpServletResponse;

// Call this before writing any of the response body: headers can no longer be
// changed once the response has been committed.
public static void disableCaching(HttpServletResponse httpResponse) {
    // Standard HTTP 1.1 cache disabling header. setHeader() replaces any
    // Cache-Control value set earlier; the addHeader() calls below append.
    httpResponse.setHeader("Cache-Control", "no-cache,must-revalidate");
    // Set IE extended HTTP 1.1 no-cache headers.
    httpResponse.addHeader("Cache-Control", "post-check=0,pre-check=0");
    // Tell proxy caches not to cache this resource.
    httpResponse.addHeader("Cache-Control", "proxy-revalidate");
    // Standard HTTP 1.0 cache disabling header.
    httpResponse.setHeader("Pragma", "no-cache");
    // Standard HTTP 1.0 cache disabling header; an Expires date in the past
    // also prevents caching at the proxy server.
    httpResponse.setDateHeader("Expires", 0);
}
Use HTTPS
• Configure Your Webapp to Require HTTPS
• Disable Insecure Key Lengths / Ciphers
• Use v6.0.24 and Higher
• sessionCacheSize and sessionTimeout
Configuring for HTTPS-only
Configure your HTTPS connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="450" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/keystore" keystorePass="shhhh"
proxyHost="10.1.1.1" proxyPort="443"
URIEncoding="UTF-8"
maxHttpHeaderSize="32768"/>
Configuring for HTTPS-only (cont.)
Configure your HTTP connector to redirect to HTTPS:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
proxyHost="10.1.1.1" proxyPort="80"
URIEncoding="UTF-8"
maxHttpHeaderSize="32768"/>
Configuring for HTTPS-only (cont.)
In your webapp's WEB-INF/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>NonSecureConnectionOk</web-resource-name>
<url-pattern>*.ico</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
Configuring HTTPS
Disable "weak" encryption by listing only the cipher suites you accept:
<Connector
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA, ..."/>
See
http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites
Connector Hardening
• <Server port="-1" shutdown="SHUTDOWN">
• Max Post Size
• Max Http Header Size
• Max Threads
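Pulling the four items on this slide together, here is an added server.xml skeleton (not one from the presentation) showing where each setting lives; the numeric values and the keystore attributes reused from the earlier HTTPS connector are illustrative.

```xml
<!-- Added example: the hardening knobs from this slide in one server.xml. -->
<!-- port="-1" disables the shutdown listener entirely, so nothing on the
     host can stop Tomcat by sending the shutdown string to a TCP port. -->
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/keystore" keystorePass="shhhh"
               URIEncoding="UTF-8"
               connectionTimeout="20000"
               maxThreads="450"
               maxHttpHeaderSize="8192"
               maxPostSize="2097152"/>
    <!--
      maxThreads        : upper bound on concurrent request-processing threads,
                          which caps the memory a flood of connections can cost.
      maxHttpHeaderSize : largest request header block accepted, in bytes
                          (the slides use 32768; keep it as small as your
                          longest legitimate cookie set allows).
      maxPostSize       : largest form POST body Tomcat will parse, in bytes.
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
```

With the shutdown port disabled, catalina.sh stop can no longer reach the server that way; set CATALINA_PID in setenv.sh so the scripts can find and signal the process instead.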
Java Security Manager
Prevents your webapp from:
• Reading/writing arbitrary files
• Making network connections
• Instantiating/using arbitrary Java packages & classes
• Etc.
To effectively use it you must:
- Write custom permissions rules
- Debug permissions issues
- Test exhaustively
... it's not for everyone!
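The "custom permissions rules" are grant blocks appended to conf/catalina.policy. The following is an added example (not from the slides or from Tomcat's shipped policy) of a grant that gives one webapp exactly the network and file access it needs; the webapp name "orders", the database host and port, the log file and the property prefix are assumptions.

```text
// Added example for conf/catalina.policy (names and hosts are assumptions).
// Applies only to code loaded from this webapp's directory tree.
grant codeBase "file:${catalina.base}/webapps/orders/-" {
    // Network: only the database host, only the port it listens on.
    permission java.net.SocketPermission "db.internal.example:5432", "connect,resolve";

    // Files: read its own deployed tree, write a single log file, nothing else.
    permission java.io.FilePermission "${catalina.base}/webapps/orders/-", "read";
    permission java.io.FilePermission "${catalina.base}/logs/orders.log", "read,write";

    // System properties: only its own namespace, read-only.
    permission java.util.PropertyPermission "orders.*", "read";
};
```

Start Tomcat with catalina.sh start -security so the manager is active. For the "debug permissions issues" step, add -Djava.security.debug=access,failure to CATALINA_OPTS: every denied check is then logged with the permission that was missing and the code source that asked for it, which is the information you need to extend the grant without falling back to AllPermission.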
Webapp File Permissions
- Tomcat needs these readable, but not writable
- Don't write files in your webapp tree
Tomcat File Permissions
CIS: Apache Tomcat Security
http://www.cisecurity.org/benchmarks.html
In general:
- Start with the whole tree read only
- conf/Catalina and conf/Catalina/localhost must be read/write
- temp/ work/ and logs/ need to be read/write
- webapps/ needs to be read/write, but not webapp dirs
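The four rules above translate directly into a small script. This is an added example, not a script from the slides or from the CIS benchmark; it assumes the tree is owned by an administrative account with the Tomcat service account as its group, so Tomcat gets its access through the group bits, and it changes modes only.

```sh
#!/bin/sh
# Added example (not from the presentation): apply the read-only-by-default
# layout to a Tomcat tree. Ownership (admin user, tomcat group) is assumed to
# be set already; only permission bits are changed here.

# Directories Tomcat itself must be able to write to.
TOMCAT_WRITABLE_DIRS="conf/Catalina conf/Catalina/localhost temp work logs webapps"

harden_tomcat_tree() {
  base="$1"
  if [ ! -d "$base" ]; then
    echo "harden_tomcat_tree: $base is not a directory" >&2
    return 1
  fi

  # 1. Start with the whole tree read-only for the Tomcat group and
  #    inaccessible to everyone else; the owner keeps write for upgrades.
  find "$base" -type d -exec chmod 750 {} +
  find "$base" -type f -exec chmod 640 {} +
  # The startup scripts still have to be executable by owner and group.
  if [ -d "$base/bin" ]; then
    find "$base/bin" -name '*.sh' -exec chmod 750 {} +
  fi

  # 2. Open up only the directories Tomcat writes to. webapps/ itself becomes
  #    group-writable so WARs can be expanded, but the expanded webapp
  #    directories beneath it keep the 750 from step 1.
  for d in $TOMCAT_WRITABLE_DIRS; do
    mkdir -p "$base/$d"
    chmod 770 "$base/$d"
  done
  return 0
}

# Returns 0 when the path is writable by its group, 1 otherwise (used to verify).
group_writable() {
  [ -n "$(find "$1" -maxdepth 0 -perm -020 2>/dev/null)" ]
}

# Usage: sh harden-tomcat.sh /opt/tomcat   (the path is an assumption)
if [ -n "${1:-}" ]; then
  harden_tomcat_tree "$1" && echo "hardened $1"
fi
```

Run it again after every upgrade or redeploy, since unpacking a new distribution or WAR recreates files with whatever modes the archive carried.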
Monitor for Announced Vulnerabilities
• Tomcat project security vulnerabilities page:
http://tomcat.apache.org/security.html
Upgrade when there is a fix!
Additional Resources
MuleSoft Tcat Server
http://www.mulesoft.com/tcat-server-enterprise-tomcat-applicationserver
TLS Renegotiation Extension and Vulnerability
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tlsrenegotiate.txt
Web App Scanners Miss Half of Vulnerabilities
http://news.slashdot.org/story/10/02/06/1933211/Web-AppScanners-Miss-Half-of-Vulnerabilities?art_pos=5
Turning XSS Into Clickjacking
http://ha.ckers.org/blog/20100614/turning-xss-into-clickjacking
Q&A
Thanks!