Web application security in Java and C#

Web application security in Java and C#

Översikt

Target Audience

Java and C# developers working on Web applications.

Goal

  • Understanding Web application security issues
  • Detailed analysis of the OWASP Top Ten elements
  • Going beyond the low hanging fruits
  • Explain approaches in handling security challenges in code
  • Identity security vulnerabilities and their consequences
  • Learn the best practices in how to avoid these mistakes

Pre­requi­si­tes

General Java, C# and Web development.

Content of Web application security in Java and C#

Security basics

– What is security?
– Threat and risk
– Types of threats against computer systems
– Consequences of insecure software
– Constraints and the market
– Bugs, vulnerabilities and exploits
– Categorization of bugs

  • Seven pernicious kingdoms
  • Common Weakness Enumeration (CWE)
  • CWE/SANS Top 25 Most Dangerous Software Errors
  • SEI Cert Secure Coding Guidelines
  • Vulnerabilities in the environment and the dependencies

The OWASP Top Ten

A1 – Injection

  • Injection principles
  • Injection attacks
  • SQL injection
    * SQL injection basics
      – Lab – SQL injection
    * Attack techniques
    * Content-based blind SQL injection
    * Time-based blind SQL injection
    * SQL injection best practices
      – Input validation
      – Output encoding
      – Parameterized queries
      – Other best practices
      – Lab – Using prepared statements in C#
      – Case study – Hacking Fortnite accounts
  • Code injection
    * Command injection
      – Lab – Command injection
      – Command injection best practices
      – Using Runtime.exec() in Java
      – Using ProcessBuilder in Java
      – Command injection best practices in C#
      – Lab – Command injection best practices in C#
      – Case study – Command injection
    * Script injection
    * Expression language injection
  • Injection best practices
    * Input validation
    * Output sanitization
      – Encoding and escaping the output
      – Encoding challenges

A2 – Broken Authentication

  • Authentication basics
  • Authentication weaknesses
  • Spoofing on the Web
  • Case study – PayPal two factor authentication bypass
  • User interface best practices
  • Session management
    * Session management essentials
    * Why do we protect session IDs – Session hijacking
    * Session ID best practices
    * Insufficient session expiration
    * Session fixation
    * Cross-site Request Forgery (CSRF)
      – Lab – Cross-site Request Forgery
      – CSRF best practices
      – Lab – CSRF protection with tokens
    * Cookie security
      – Cookie security best practices
      – Cookie parameters

The OWASP Top Ten

A2 – Broken Authentication

  • Password management
    * Inbound password management
      – Storing account passwords
      – Plaintext passwords at Facebook
      – Lab – Why just hashing passwords is not enough?
      – Dictionary attacks and brute forcing
      – Salting
      – Adaptive hash functions for password storage
      – Password in transit
      – Password policy
      – Weak and strong passwords
      – Using passphrases
      – Lab – Applying a password policy
      – The Ashley Madison data breach
      – The dictionary attack
      – The ultimate attack
      – Exploitation of the results and the lessons learnt
    * Outbound password management
      – Hard coded passwords
      – Lab – Hardcoded password
      – Password in configuration file
      – Protecting sensitive information in memory
      – Challenges in protecting memory
      – Storing sensitive data in memory
      – Storing sensitive data in memory in C#
      – Lab – Storing sensitive data in memory with SecureString in C#

A3 – Sensitive Data Exposure

  • Information exposure
  • Exposure through extracted data and aggregation
  • System information leakage
    * Leaking system information
    * Relying on accessibility modifiers
      – Lab – Inappropriate protection by accessibility modifier
  • Information exposure best practices

A4 – XML External Entities (XXE)

  • DTD and the entities
  • Entity expansion
  •  
  • External Entity Attack (XXE)
    * File inclusion with external entities
    * Server-side request forgery with external entities
    * Lab – External entity attack
    * Case study – XXE attack against some popular services
    * Preventing XXE in Java
    * Preventing XXE in C#

A5 – Broken Access Control

  • Access control basics
  • Missing or improper authorization
  • Failure to restrict URL access
  • Confused deputy
    * Insecure direct object reference (IDOR)
     – Lab – Insecure Direct Object Reference
    * Authorization bypass through user-controlled keys
    * Case study – Authorization bypass on Facebook
  • File upload
    * Unrestricted file upload
    * Best practices
    * Lab – Unrestricted file upload

A6 – Security Misconfiguration

  • Configuration principles
  • Server misconfiguration
  • Configuration management
  • Java related components – best practices
    * Tomcat configuration
  • NET and IIS configuration best practices
    * NET configuration
    * IIS configuration

A7 – Cross-site Scripting (XSS)

  • Cross-site scripting basics
  • Cross-site scripting types
    * Persistent cross-site scripting
    * Reflected cross-site scripting
    * Client-side (DOM-based) cross-site scripting
  • Case study – Yahoo mail stored XSS
      – Lab – Reflected and stored XSS
  • XSS protection best practices
    * Protection principles – escaping
    * Additional protection layers
    * Client-side protection principles
    * XSS protection APIs in Java
    * XSS protection APIs in C#
    * Request validation in ASP.NET
    * Further XSS protection techniques in C#
      – Lab – XSS best practices in C#

The OWASP Top Ten

A8 – Insecure Deserialization

  • Serialization and deserialization challenges
  • Deserializing untrusted streams
  • Deserializing best practices
  • Using ReadObject in Java
  • Sealed objects
  • Look ahead deserialization
  • Property Oriented Programming (POP)
    * POP best practices
      – Lab – Creating POP payload

A9 – Using Components with Known Vulnerabilities

  • Using vulnerable components
  • Assessing the environment
  • Hardening
  • Importing functionality from untrusted sources
  • Case study – The British Airways data breach
  • Vulnerability management
    * Patch management
    * Vulnerability databases and scanning tools
    * Vulnerability rating – CVSS
      – Lab – Finding vulnerabilities of used components
    * The build process and CI / CD
    * Dependency checking in Maven
    * Dependency checking in Cake
      – Lab – Detecting vulnerable components during the build

A10 – Insufficient Logging & Monitoring

  • Logging and monitoring principles
  • Logging
    * Insufficient logging
    * Logging best practices
    * Java logging best practices
  • Monitoring
    * Monitoring best practices

Web application security beyond the Top Ten

  • Client-side security
  • Same Origin Policy
    * Simple request
    * Preflight request
    * Bypassing the Same Origin Policy
    * Cross-origin resource sharing
  • Frame sandboxing
    * Clickjacking
    * Clickjacking protection best practices
      – Lab – Clickjacking
    * JavaScript hijacking

Common software security weaknesses

Input validation

  • Input validation principles
    * Blacklists and whitelists
    * Validation with regex
    * What to validate – the attack surface
    * When to validate – validation vs transformations
    * Where to validate – defense in depth
    * Server-side vs. client-side validation
  • Integer handling
    * Representing signed numbers
    * Integer visualization
    * Integer problems
      – Integer overflow
      – Lab – Integer overflow
    * Signed / unsigned confusion
      – Signed / unsigned confusion in Java
      – Lab – Signed / unsigned confusion
    * Integer truncation
    * Best practices
      – Upcasting
      – Precondition testing
      – Postcondition testing
      – Using big integer libraries
      – Integer handling in Java
      – Lab – Integer handling in Java
      – Integer handling in C#
      – Lab – Checked arithmetics in C#
    * Other numeric problems
    * Division by zero
    Working with floating-point numbers in Java
    Unsafe reflection
    * Reflection without validation
      – Lab – Unsafe reflection
  • Unsafe native code
    * Native code dependence
      – Lab – Unsafe JNI
  • Some other input validation problems

Security features

  • Java platform security
    * The Java programming language and runtime environment
    * Type safety and security
    * Security features of the JRE
      – The ClassLoader and the BytecodeVerifier
    * Application-level access control in Java
      – Permissions and the Security Manager
      – Privilege best practices
      – Lab – Working with permissions in Java
    * Role-based access control
      – Java Authentication and Authorization Services (JAAS)
    * Protecting Java code and applications
      – Code signing

Common software security weaknesses

Security features

  • .NET platform security
    * Code Access Security
      – Evidences
      – Permissions
      – The Stack Walk
      – Lab – Code Access Security
    * The transparency model
    * Best practices
    * Lab – Experimenting with the transparency model
    * Role-based security
    * Principal and identity
    * Role-based permissions
    * Impersonation
    * Lab – Role-based security
    * Protecting .NET code and applications
    * Code signing

Time and state

  • Thread management best practices
    * Thread management best practices in Java
      – Thread Pools
    * Thread management best practices in C#
  • Race conditions
    * Race condition in object data members
      – Singleton member fields
      – Lab – Singleton member fields
    * File race condition
      – Time-of-check-to-time-of-usage (TOCTTOU)
      – Lab – TOCTTOU
      – Insecure temporary file
    * Database race conditions
      – Lab – Database race conditions
    * Avoiding race conditions in Java
    * Avoiding race conditions in C#
  • Mutual exclusion and locking
    * Deadlocks
    * Mutual exclusion and locking in Java
  • Lab – Locking in Java
  • Mutual exclusion and locking in C#
    – Lab – Locking in C#
    Synchronization and thread safety
    * Synchronization and thread safety in Java
    * Synchronization and thread safety in C#

Errors

  • Error and exception handling principles
  • Error handling
    * Returning a misleading status code
    * Reachable assertion
    * Information exposure through error reporting
      – Missing custom error pages
  • Exception handling
    * In the catch block. And now what?
    * Empty catch block
    * Best practices for catch blocks
    * Overly broad throws
    * Catching NULL pointer exceptions
    * Improper completing of the finally block
    * Swallowed ThreadDeath
    * Checked exceptions escaping from finally
    * Throwing undeclared checked exceptions
    * Throwing RuntimeException, Exception, or Throwable
    – Lab – Exception handling mess
    * Exception handling in C#

Code quality

  • Data
    * Arrays and toString()
    * Initialization and cleanup
      – Uninitialized variable
      – Constructors and destructors
      – Class initialization cycles
      – Lab – Initialization cycles
    * Unreleased resource
  • Object oriented programming pitfalls
    * Accessibility modifiers
    * Overriding and accessibility modifiers in Java
    * Inheritance and overriding
    * Implementing equals()
    * Mutability
      – Readonly collections in C#
      – Lab – Mutable object
    * Cloning
    – Cloning sensitive classes – object hijacking
    – Object hijacking – best practices
    * Serialization

Wrap up

Secure coding principles

  • Principles of robust programming by Matt Bishop
  • Secure design principles of Saltzer and Schröder
  • Some more principles

And now what?

  • Further sources and readings
  • .NET and C# resources
  • Further labs and challenges to do

Ingen övrig information för tillfället
Systemutveckling

Kursöversikt

Denna produkt är för närvarande slut i lager och är inte tillgänglig.

Hittar du inget (passande) datum?

Skicka in en intresseanmälan så gör vi vad vi kan för att planera ett tillfälle som passar. 

Fö­re­tags­an­pas­sad kurs

Kursen kan anpassas från flera perspektiv:
  • Innehåll och fokusområde
  • Omfattning
  • Upplägg

I samspel med kursledaren ser vi till att kursen uppfyller era önskemåll

Skicka intresseanmälan för utbildningen