1 / 19

Tomcat Webapp Security

Tomcat Webapp Security. Jason Brittain Software Architect, Mulesoft Co-author, Tomcat: The Definitive Guide. HTTP Request Model Vulnerabilities. Request Parameters XSS CSRF HTML Injection SQL Injection Request Headers Request URI Container-Level vs. Webapp-Level Filtering.

ethan
Download Presentation

Tomcat Webapp Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tomcat Webapp Security Jason Brittain Software Architect, Mulesoft Co-author, Tomcat: The Definitive Guide

  2. HTTP Request Model Vulnerabilities • Request Parameters • XSS • CSRF • HTML Injection • SQL Injection • Request Headers • Request URI • Container-Level vs. Webapp-Level Filtering

  3. How to Write Secure Webapps • Use only HTTPS and disable small key length ciphers • Distrust and sanitize all input from the client • Filter for CSRF (Enable the CsrfPreventionFilter) • Filter for XSS (Enable the BadInputFilter) http://www.sf.net/projects/catnip • Generally secure Tomcat • Enable the Tomcat security manager and customize catalina.policy

  4. Scanning Tools and Remediation • Tools • Process

  5. Scanning Tools and Remediation (cont) • Commercial scanning tools: • IBM Rational AppScan • HP WebInspect • Acunetix Web Vulnerability Scanner • Open Source: • Ratproxy

  6. Scanning Tools and Remediation (cont) • Process for removing vulnerabilities: 1. Scan 2. Investigate Reported Vulnerabilities 3. Fix vulnerability 4. Goto 1.

  7. HTTP Caching and Security • Browser Cache • Proxy Cache // Standard HTTP 1.1 cache disabling header. httpResponse.setHeader("Cache-Control", "no-cache,must-revalidate"); // Set IE extended HTTP 1.1 no-cache headers. httpResponse.addHeader("Cache-Control", "post-check=0,pre-check=0"); // Tell proxy caches not to cache this resource. httpResponse.addHeader("Cache-Control", "proxy-revalidate"); // Standard HTTP 1.0 cache disabling header. httpResponse.setHeader("Pragma", "no-cache"); // Standard HTTP 1.0 cache disabling header. Prevents caching at the proxy server. httpResponse.setDateHeader("Expires", 0);

  8. Use HTTPS • Configure Your Webapp to Require HTTPS • Disable Insecure Key Lengths / Ciphers • Use v6.0.24 and Higher • sessionCacheSize and sessionTimeout

  9. Configuring for HTTPS-only Configure your HTTPS connector: <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="450" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS” keystoreFile="conf/keystore" keystorePass="shhhh" proxyHost="10.1.1.1" proxyPort="443" URIEncoding="UTF-8" maxHttpHeaderSize="32768"/>

  10. Configuring for HTTPS-only (cont.) Configure your HTTP connector to redirect to HTTPS: <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" proxyHost="10.1.1.1" proxyPort="80" URIEncoding="UTF-8" maxHttpHeaderSize="32768"/>

  11. Configuring for HTTPS-only (cont.) In your webapp's WEB-INF/web.xml: <security-constraint> <web-resource-collection> <web-resource-name>SecureConnection</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>NonSecureConnectionOk</web-resource-name> <url-pattern>*.ico</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint>

  12. Configuring HTTPS Disable “weak” encryption: <Connector ciphers=”SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA, ...”> See http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites

  13. Connector Hardening • <Server port="-1" shutdown="SHUTDOWN"> • Max Post Size • Max Http Header Size • Max Threads

  14. Java Security Manager Prevents your webapp from: • Reading/writing arbitrary files • Making network connections • Instantiating/using arbitrary Java packages & classes • Etc. To effectively use it you must: - Write custom permissions rules - Debug permissions issues - Test exhaustively .. it's not for everyone!

  15. Webapp File Permissions - Tomcat needs these readable, but not writable - Don't write files in your webapp tree

  16. Tomcat File Permissions CIS: Apache Tomcat Security http://www.cisecurity.org/benchmarks.html In general: - Start with the whole tree read only - conf/Catalina and conf/Catalina/localhost must be read/write - temp/work/ and logs/ need to be read/write - webapps/ needs to be read/write, but not webapp dirs

  17. Monitor for Announced Vulnerabilities • Tomcat project security vulnerabilities page: http://tomcat.apache.org/security.html Upgrade when there is a fix!

  18. Additional Resources MuleSoft Tcat Server http://www.mulesoft.com/tcat-server-enterprise-tomcat-application-server TLS Renegotiation Extension and Vulnerability https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt Web App Scanners Miss Half of Vulnerabilities http://news.slashdot.org/story/10/02/06/1933211/Web-App-Scanners-Miss-Half-of-Vulnerabilities?art_pos=5 Turning XSS Into Clickjacking http://ha.ckers.org/blog/20100614/turning-xss-into-clickjacking

  19. Q&A Thanks!

More Related