Tomcat Webapp Security
Jason Brittain
Software Architect, Mulesoft
Co-author, Tomcat: The Definitive Guide

HTTP Request Model Vulnerabilities
• Request Parameters
  • XSS
  • CSRF
  • HTML Injection
  • SQL Injection
• Request Headers
• Request URI
• Container-Level vs. Webapp-Level Filtering
How to Write Secure Webapps
• Use only HTTPS and disable weak (small key length) cipher suites
• Distrust and sanitize all input from the client: validate on the way in, encode on the way out
• Filter for CSRF: enable Tomcat's CsrfPreventionFilter (filter-class org.apache.catalina.filters.CsrfPreventionFilter in WEB-INF/web.xml)
• Filter for XSS: enable the BadInputFilter, http://www.sf.net/projects/catnip
• Generally secure Tomcat (connectors, file permissions, shutdown port; see the later slides)
• Enable the Tomcat security manager and customize catalina.policy
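The "distrust and sanitize all input" rule, applied to two of the request-parameter vulnerabilities on the agenda (SQL injection and XSS), as an added example that is not part of the original deck or of Tomcat itself. The JNDI DataSource name jdbc/appDb, the users table with username and email columns, and the q parameter are assumptions for illustration; the code targets the Servlet 2.5 API (javax.servlet) on Java 7 or later.

```java
// Added example (not from the slides): "distrust and sanitize all input" applied to
// two request-parameter issues on the agenda, SQL injection and XSS. Assumptions:
// a JNDI DataSource "jdbc/appDb", a table "users" with columns username and email,
// a request parameter "q". Servlet 2.5 API (javax.servlet) on Java 7+.
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class UserSearchServlet extends HttpServlet {

    private static final int MAX_QUERY_LENGTH = 64;
    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Assumed resource name, declared as a <Resource> in META-INF/context.xml.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDb");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/appDb is not bound", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String q = request.getParameter("q");

        // 1. Validate: reject absent or oversized input rather than trying to "clean" it.
        if (q == null || q.isEmpty() || q.length() > MAX_QUERY_LENGTH) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid q");
            return;
        }

        // VULNERABLE (shown for contrast, never executed): the parameter becomes SQL
        // text, so q = "x' OR '1'='1" matches every row.
        //   String sql = "SELECT username, email FROM users WHERE username LIKE '" + q + "%'";

        // 2. Hardened: a PreparedStatement keeps the parameter out of the SQL grammar.
        List<String[]> rows = new ArrayList<String[]>();
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "SELECT username, email FROM users WHERE username LIKE ? ESCAPE '\\'")) {
            // Binding stops injection, but LIKE still interprets % and _ inside the data;
            // escape them so a user cannot widen the search beyond their own prefix.
            ps.setString(1, escapeLike(q) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(new String[] { rs.getString("username"), rs.getString("email") });
                }
            }
        } catch (SQLException e) {
            // Never echo e.getMessage() to the client: it leaks schema and driver details.
            log("user search failed", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        // 3. Output-encode: stored values are whatever an earlier request put there,
        // so they are as untrusted in HTML as the request parameter itself.
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body><p>Results for " + escapeHtml(q) + "</p><ul>");
        for (String[] row : rows) {
            out.println("<li>" + escapeHtml(row[0]) + " &lt;" + escapeHtml(row[1]) + "&gt;</li>");
        }
        out.println("</ul></body></html>");
    }

    /** Minimal HTML entity encoding for text nodes and double-quoted attribute values. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escapes LIKE metacharacters with '\'; the query must declare ESCAPE '\'. */
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }
}
```

The three steps are deliberately separate: validation bounds what reaches the query, parameter binding removes the SQL injection, and HTML encoding at the output point removes the XSS. A filter such as the BadInputFilter is a useful container-level backstop, but it cannot know the output context of every page, so the webapp-level encoding is still required.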
Scanning Tools and Remediation
• Tools
• Process

Scanning Tools and Remediation (cont)
• Commercial scanning tools:
  • IBM Rational AppScan
  • HP WebInspect
  • Acunetix Web Vulnerability Scanner
• Open Source:
  • Ratproxy

Scanning Tools and Remediation (cont)
• Process for removing vulnerabilities:
  1. Scan
  2. Investigate reported vulnerabilities
  3. Fix the vulnerability
  4. Go to 1
HTTP Caching and Security
• Browser Cache
• Proxy Cache

    // Standard HTTP 1.1 cache disabling header.
    httpResponse.setHeader("Cache-Control", "no-cache,must-revalidate");
    // Set IE extended HTTP 1.1 no-cache headers.
    httpResponse.addHeader("Cache-Control", "post-check=0,pre-check=0");
    // Tell proxy caches not to cache this resource.
    httpResponse.addHeader("Cache-Control", "proxy-revalidate");
    // Standard HTTP 1.0 cache disabling header.
    httpResponse.setHeader("Pragma", "no-cache");
    // Standard HTTP 1.0 cache disabling header. Prevents caching at the proxy server.
    httpResponse.setDateHeader("Expires", 0);
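The same cache-disabling headers applied once, by a servlet Filter, so that no individual page can forget them. This is an added example, not code from the deck or from Tomcat; the class name NoCacheFilter is an assumption, and the code targets the Servlet 2.5 API (javax.servlet). It adds one directive the slide does not show, no-store, and says why.

```java
// Added example (not from the slides): the cache-disabling headers from the slide,
// applied by a servlet Filter so that every response under its mapping gets them.
// Servlet 2.5 API (javax.servlet); the class name is an assumption.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            applyNoCacheHeaders((HttpServletResponse) response);
        }
        // Headers go on before the chain runs: once a servlet or JSP commits the
        // response (flushes its buffer), later header changes are silently dropped.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    /** Sets the HTTP/1.1, IE-extension and HTTP/1.0 directives from the slide. */
    static void applyNoCacheHeaders(HttpServletResponse resp) {
        // HTTP/1.1 browsers and proxies. no-store (not on the slide) is added so the
        // response is never written to disk: no-cache alone permits storing it and
        // revalidating later, which is not what you want for a page carrying session data.
        // Cache-Control is a list header, so one combined value is equivalent to the
        // slide's setHeader followed by two addHeader calls.
        resp.setHeader("Cache-Control",
                "no-cache,no-store,must-revalidate,proxy-revalidate,post-check=0,pre-check=0");
        // HTTP/1.0 caches ignore Cache-Control, so send Pragma and an already-expired date.
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
    }
}
```

Register it in WEB-INF/web.xml with a filter element naming the class and a filter-mapping whose url-pattern covers the pages that serve authenticated or personalised content; mapping it to /* also turns off caching for CSS, scripts and images, which costs bandwidth without any security gain.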
Use HTTPS
• Configure Your Webapp to Require HTTPS
• Disable Insecure Key Lengths / Ciphers
• Use v6.0.24 and Higher
• sessionCacheSize and sessionTimeout
Configuring for HTTPS-only
Configure your HTTPS connector:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="450" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore" keystorePass="shhhh"
               proxyHost="10.1.1.1" proxyPort="443"
               URIEncoding="UTF-8" maxHttpHeaderSize="32768"/>

Configuring for HTTPS-only (cont.)
Configure your HTTP connector to redirect to HTTPS:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="443"
               proxyHost="10.1.1.1" proxyPort="80"
               URIEncoding="UTF-8" maxHttpHeaderSize="32768"/>

Configuring for HTTPS-only (cont.)
In your webapp's WEB-INF/web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecureConnection</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>NonSecureConnectionOk</web-resource-name>
        <url-pattern>*.ico</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
Configuring HTTPS
Disable "weak" encryption by listing only the cipher suites the connector may offer. The ciphers attribute is an allowlist: any suite not named is disabled, so the list must be complete for the clients you expect.

    <Connector ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA, ...">

See http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites for the suite names your JVM supports.

The RC4-based suites shown were still common when this talk was given, but RC4 has since been prohibited in TLS (RFC 7465); build the list from AES suites with ECDHE key exchange instead, and re-check it against the current JVM's supported list after each Java upgrade.
Connector Hardening
• <Server port="-1" shutdown="SHUTDOWN">: port="-1" disables the shutdown command listener (default 127.0.0.1:8005); if you must keep it, at least change the shutdown string from the default SHUTDOWN
• Max Post Size (maxPostSize, default 2 MB): bounds the POST body Tomcat will parse into request parameters
• Max Http Header Size (maxHttpHeaderSize, default 8 KB): bounds the request headers Tomcat will buffer per request
• Max Threads (maxThreads): caps request-processing threads so a flood of connections queues instead of exhausting the JVM
Java Security Manager
Prevents your webapp from:
• Reading/writing arbitrary files
• Making network connections
• Instantiating/using arbitrary Java packages & classes
• Etc.
To effectively use it you must:
- Write custom permissions rules
- Debug permissions issues
- Test exhaustively
.. it's not for everyone!
Webapp File Permissions
- Tomcat needs the files in your webapp readable, but not writable
- Don't write files into your webapp tree; put uploads and generated files in a directory outside it

Tomcat File Permissions
CIS: Apache Tomcat Security
http://www.cisecurity.org/benchmarks.html
In general:
- Start with the whole tree read only
- conf/Catalina and conf/Catalina/localhost must be read/write
- temp/, work/ and logs/ need to be read/write
- webapps/ needs to be read/write, but not the individual webapp dirs
Monitor for Announced Vulnerabilities
• Tomcat project security vulnerabilities page:
  http://tomcat.apache.org/security.html
Upgrade when there is a fix!

Additional Resources
• MuleSoft Tcat Server
  http://www.mulesoft.com/tcat-server-enterprise-tomcat-application-server
• TLS Renegotiation Extension and Vulnerability
  https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
• Web App Scanners Miss Half of Vulnerabilities
  http://news.slashdot.org/story/10/02/06/1933211/Web-App-Scanners-Miss-Half-of-Vulnerabilities?art_pos=5
• Turning XSS Into Clickjacking
  http://ha.ckers.org/blog/20100614/turning-xss-into-clickjacking
Q&A Thanks!