JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot

SICHER IN DIE CLOUDMIT ANGULAR UND SPRING BOOT

9. MAI 2017

1

ANDREAS FALKhttp://www.novatec-gmbh.de

andreas.falk@novatec-gmbh.de

@NT_AQE, @andifalk

2

ARCHITECTURE /THREAT MODEL

3 . 1

3 . 2

SQLInjection CSRF XSS OWASP OAuth2

OpenID-Connect AbUser-Stories

Authentication Authorization Secure Coding

Security-Testing SSO DoS Sensitive-Data Data-

Privacy Crypto Code-Reviews Threat-

Modeling Architecture Dependencies

DAST SAML SAST DevSecOps

3 . 3

SQLInjection CSRF XSS OWASP

OAuth2 OpenID-ConnectAuthentication Authorization Secure Coding Security-

Testing

3 . 4

HTTPS://GITHUB.COM/OWASP/TOP103 . 5

APP SECURITY VERIFICATION STANDARD PRO ACTIVE CONTROLS

https://github.com/OWASP/ASVS

https://www.owasp.org/index.php/OWASP_Proactive_Controls

3 . 6

ANGULAR

4 . 1

ANGULARJS = ANGULAR 1ANGULAR = ANGULAR 2.X, 4.X, 5.X, ...

4 . 2

A3: CROSS-SITE SCRIPTING (XSS)

4 . 3

ANGULAR JS SECURITY

https://angularjs.blogspot.de/2016/09/angular-16-expression-sandbox-removal.html

4 . 4

ANGULAR SECURITY“...The basic idea is to implement

automatic, secure escaping for all valuesthat can reach the DOM... By default,with no speci�c action for developers,

Angular apps must be secure...”

https://github.com/angular/angular/issues/8511

4 . 5

ANGULAR XSSPROTECTIONANGULAR TEMPLATE = SAFE

INPUT VALUES = UNSAFE

4 . 6

ANGULAR COMPONENTTYPESCRIPT

@Component({ selector: 'app-root', templateUrl: 'app.component.html', styleUrls: ['app.component.css'] }) export class AppComponent {

untrustedHtml:string = '<em><script>alert("hello")</script></em>';

}

4 . 7

ANGULAR TEMPLATEHTML BINDINGS

<h2>Binding of potentially dangerous HTML-snippets</h2>

<h3>Encoded HTML snippet</h3> <h3 class="trusted">{{untrustedHtml}}</h3>

<h3>Sanitized HTML snippet</h3> <h3 class="trusted" [innerhtml]="untrustedHtml"></h3>

4 . 8

UNSAFE ANGULAR API'S

ElementRef: Direct access to DOM!

DomSanitizer: Deactivates XSS-Protection!

Do NOT use!https://angular.io/docs/ts/latest

4 . 9

DEMO

4 . 10

BACKEND

5 . 1

A1: INJECTION

5 . 2

SPRING MVC + SPRING DATA JPAPREVENT INJECTIONS USING BEAN VALIDATION

@Entity public class Person extends AbstractPersistable<Long> {

@NotNull @Pattern(regexp = "^[A-Za-z0-9- ]{1,30}$") private String lastName;

@NotNull @Enumerated(EnumType.STRING) private GenderEnum gender; ... }

5 . 3

SPRING DATA JPAPREVENT SQL-INJECTION USING PREPARED STATEMENTS

@Query( "select u from User u where u.username = " + " :username and u.password = :password") User findByUsernameAndPassword( @Param("username") String username, @Param("password") String password);

5 . 4

A8: CROSS-SITE REQUEST FORGERY (CSRF)

5 . 5

DOUBLE SUBMIT CSRF TOKEN

5 . 6

SPRING SECURITYSECURE BY DEFAULT

Authentication required for all HTTP endpointsSession Fixation ProtectionSession Cookie (HttpOnly, Secure)CSRF ProtectionSecurity Response Header

5 . 7

SPRING SECURITY CSRF CONFIGURATIONANGULAR SUPPORT

@Configuration public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override protected void configure(HttpSecurity http) throws Exception { … http .csrf().csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse() ); }

5 . 8

WHO AM I?A2: BROKEN AUTHENTICATION AND SESSION MANAGEMENT

A10: UNDERPROTECTED APIS

5 . 9

AUTHENTICATION (STATEFUL OR STATELESS?)Session Cookie Token (Bearer, JWT)

With each Request Manually as Header

Potential CSRF! No CSRF possible

Persisted when unloadingDOM

No automaticpersistence

One domain Cross domain (CORS)

Sensitive Information(HTTPS)

Sensitive Information(HTTPS)

5 . 10

OAUTH 2

5 . 11

OPENID CONNECT

5 . 12

OAUTH 2 / OPENID CONNECT RESOURCE@EnableResourceServer @Configuration public class OAuth2Configuration { @Bean public JwtAccessTokenConverterConfigurer jwtAccessTokenConverterConfigurer() { return new MyJwtConfigurer(...); } static class MyJwtConfigurer implements JwtAccessTokenConverterConfigurer { @Override public void configure( JwtAccessTokenConverter converter) {...} }}

OAuth 2.0 Threat Model and Security Considerations

5 . 13

IMPLICIT GRANT

Implicit Client Implementer’s GuideOAuth 2.0 Threat Model and Security Considerations

5 . 14

CLIENT CREDENTIALSGRANT

5 . 15

RESOURCE OWNERGRANTDO NOT USE!

5 . 16

WHAT CAN I ACCESS?A4: BROKEN ACCESS CONTROL

A10: UNDERPROTECTED APIS

5 . 17

AUTHORIZATION OF REST APIROLE BASED

public class UserBoundaryService {

@PreAuthorize("hasRole('ADMIN')") public List<User> findAllUsers() {...}

}

5 . 18

AUTHORIZATION OF REST APIPERMISSION BASED

public class TaskBoundaryService {

@PreAuthorize("hasPermission(#taskId, 'TASK', 'WRITE')") public Task findTask(UUID taskId) {...}

}

5 . 19

AUTHORIZATION OF REST APIINTEGRATIONTEST

public class AuthorizationIntegrationTest {

@WithMockUser(roles = "ADMIN") @Test public void verifyFindAllUsersAuthorized() {...}

@WithMockUser(roles = "USER") @Test(expected = AccessDeniedException.class) public void verifyFindAllUsersUnauthorized() {...}

}

5 . 20

DEMO

5 . 21

WHAT ABOUT THECLOUD?

6 . 1

GOOD OLD FRIENDS ...UND MORE...CSRF XSS SQL Injection Session Fixation

Vulnerable Dependencies Weak Passwords Broken Authorization Sensitive Data Exposure

Distributed DoS

Economic DoS

6 . 2

WEAK PASSWORDS

6 . 3

SO WHAT HAS BEEN CHANGED

IN THE CLOUD?

6 . 4

6 . 5

ROTATE, REPAIR, REPAVEJUSTIN SMITH

“What if every server inside my datacenter had a maximum lifetime of twohours? This approach would frustrate

malware writers...”

6 . 6

WHAT ABOUT APPLICATIONCONFIGURATION AND SENSIBLE DATA IN

THE CLOUD?

6 . 7

MANAGE DISTRIBUTED CONFIGURATION AND SECRETSWITH SPRING CLOUD AND VAULT

Friday 19th May, 2017 6:00pm to 6:50pm

6 . 8

ONE MORE THING...

7 . 1

A7: INSUFFICIENT ATTACK PROTECTION

7 . 2

7 . 3

http://www.novatec-gmbh.de http://blog.novatec-gmbh.de

andreas.falk@novatec-gmbh.de

@NT_AQE, @andifalk

8