Securing Your Grails App - Beyond Authentication & Authorization
98
description
Application security is not a concern that we can ignore. Vulnerabilities come from various angles, but it is important to stay aware and vigilant so we can recognize and thwart threats.
Transcript of Securing Your Grails App - Beyond Authentication & Authorization
Thistalkismeanttodiscusssecurityissuesinthespiritofhelpingthosewhobuildsystemsmakestable,secure
webapplications.
HappyPathEasiestthingpossibleMVP
Nounauthorizedaccess.HardenedTested
Grandma'scatphotosYourblogStaticcontent
BankingHealthinformation
GovernmentBigbusiness
Paymentsystems
$$$oflosspotentialOfficeSpaceLossofconsumerconfidence
RestorethebackupMaybeafewcommentslost
sincelastbackupNoanimalswereharmed
Grandmacriesforaminute
(butverify)
Non-profitgroupNamingborrowedCheckouttheirrecommendations
#1issueontheweb
"SELECT*FROMaccountsWHEREcustID='"+params.id+"'"
http://example.com/app/accountView?id='or'1'='1
Stringhql="""fromAccountHolderwhereusername='$username'andpassword='$password'"""
defrow=AccountTransaction.executeQuery(hql)
admin'ANDsubstring(password,0,1)==char(64)AND'1'='1
http://security.stackexchange.com/questions/24265/hql-injection-example
Orbettertestedsanitizationtools
Grails1.3.7(pre1.3.8)
classMyDomainObject{defSpringSecurityService...}
“cpimg.png./archive/$filename”.execute()
log.info“userbenignsaid${message}”
http://example.com/thing/action?message=[ERROR]Adminpasswordhasexpired!!OHCRAPHELP
deftransfer(Transfertfr){Depositd=newDeposit(amount:tfr.amt)d.save()
Withdrawalw=newWithdrawal(amount:tfr.amt,description:tfr.desc)w.save()}
http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
UnencryptedtransportsAccountsignupForgotpasswordPasswordhintexposureInsecureSSO
xkcd.com/936/
reviewText="""ExcellentProduct</div><iframesrc="myadnetwork.com/pwnage.html"/><h1>InjectedDOM</h1><divclass='review'>Goodwork"""
view.gsp(codec=none)
<divclass='review'>${reviewText}</div>
Defaultcodec=HTMLnowCarefulwhendoingyourownTagLibsAntiSamy
Directexecution
eval()window.execScript()/function()/setInterval()/setTimeout()script.src(),iframe.src()
document.write(),document.writeln()elem.innerHTML=dangerelem.outerHTML=dangerelem.setAttribute(“dangerousattribute”,danger)
CookiesinsomebrowsersLocalStorageReverseJavaScriptShellsStackedMore..
https://example.com/account/123
https://example.com/account/999
FiltersACLPermissions
OwnershiplevelcheckingAuthorization
...forexample
socat-vtcp-listen:8080,forktcp:localhost:80
Poorsalting
Notshowingthelinksdoesn'tmeanitisprotectedAssumingauserisloggedindoesn'tmeantheyshouldhaveaccesstoeverything
<imgsrc="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#"width="0"height="0"/>
URLMappingsallowedMethods
AppleSSLissueOSX/iOS
