2012/11/30

OWASP BeNeLux 2012: OWASP Top 10 vs Drupal - Erwin Geirnaert

Checkmarx scan: Source Code Analysis (SCA)
  • only issues in the backend
Highest Risks:
  • PHP Injections -> input validation
  • XSS: Blind access
    • filter_xss
    • check_plain: HTML encoding
    • check_url: URL encoding
    • drupal_set_error_message: secure / uniform error messages
  • indirect references:
    • NOK for drupal
    • site can be crawled for hidden pages
  • misconfiguration
    • no ftp
    • ssh
  • insufficient Transport Layer protection
    • Drupal config: full SSL (or mixed mode?)
Other:
  • Make sure you update the modules
  • Drupal 8: different approach Symphony framework

OWASP BeNeLux 2012: Sandboxing Javascript - Lieven Desmet

'Standard' webpage composition patterns:
  • script tag: full 3rd party integration
  • iframe tag: more robust (+ sandboxed keyword)
Solutions for security:
  • use a secure subset of Javascript (e.g. ADSafe, Facebook JS, etc.)
  • browser sandboxing (e.g. WebJail)
  • Server-side transformation of scripts (Google Caja, BrowserShield, etc.)
Risk examples of 3rd party integrations: (research)
  • stale domain names -> re-register & abuse
  • typo squatting: e.g. googlesyndicatio.com (without the 'n') triggered a lot of hits
JSand presentation:
  • prototype
  • aims
    • complete JS mediation
    • backwards compatibility
    • reasonable performance
  • components:
    • policies for 3rd party scripts
    • isolate JS through Google's Secure ECMAScript library ("use strict" directive)
    • Proxy wrapper for domain access
    • AST transformations through Uglify lib
    • CORS / UMP headers
    • Server-side JS proxy
  • nice demo, very early preview.

OWASP BeNeLux 2012: Secure Web Integration Patterns in the Era of HTML5 - John Wilander

Old / classic web integration patterns to avoid same-origin restrictions: do NOT use them anymore (security / manageability issues)
  • crafted <img /> tag
  • JSONP (JSON with Padding)
    • JS wiring of 2 domains with callback
    • jQuery calls JSONP "cross-domain"
    • blind trust association
    • check the origin
  • document.domain
    • change in both script providers to same common part
New HTML5 web integration patterns:
  • CORS: Cross Origin Resource Sharing
    • Ajax + header: Access-Control-Allow-Origin: allowed.domain.com
    • explicit cookie sharing with xhr.withCredentials = true
    • special headers:
      • setRequestHeader
      • ! check "origin" header on servers (whitelist based)!
  • Sandboxed iframe
    • iframe tag + sandbox attribute
    • optional & explicit features: allow-same-origin, allow-scripts, allow-forms
    • ideal to isolate legacy web apps, even served from the same domain
  • postMessage:
    • textbased message channels between 2 domains
    • whitelist checks
    • keep a handle on windows -> communication between windows (tabs...)
    • combine postMessage + sandboxed iframes to integrate legacy webapps with new HTML5 apps: limits risks to the iframe.
Demos: OWASP One-Liners
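One way to implement the whitelist checks the notes call for, both the server-side "Origin" header check for CORS and the client-side origin check for postMessage; this is an added example, not code from the talk. The origins, the JSON message shape and the function names are assumptions, and the browser wiring is shown only in comments so the block runs under Node.

```javascript
// Added example (not from the talk): the origin checks the notes call for,
// for CORS on the server and for postMessage receivers in the browser.

// Origins are compared as whole strings (scheme + host + port), no wildcards.
// A prefix or substring check would also accept "https://allowed.domain.com.evil.example".
const ALLOWED_ORIGINS = new Set([
  "https://allowed.domain.com", // the example domain from the notes
  "https://legacy.example",     // constructed: the sandboxed legacy app
]);

function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return typeof origin === "string" && allowed.has(origin);
}

// Server side: CORS response headers for one request. Returns null when the
// Origin header is missing or not whitelisted, so the caller sends no
// Access-Control-* headers and the browser withholds the response from the page.
function corsHeadersFor(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders["origin"];
  if (!isAllowedOrigin(origin, allowed)) return null;
  return {
    "Access-Control-Allow-Origin": origin,      // echo the one matched origin, never "*"
    "Access-Control-Allow-Credentials": "true", // required for xhr.withCredentials = true
    "Vary": "Origin",                           // caches must not reuse it for another origin
  };
}

// Client side: handler for a MessageEvent-shaped object ({origin, data}).
// The whitelist check runs before the data is parsed or used.
function handleMessage(event, allowed = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(event.origin, allowed)) {
    return { accepted: false, reason: "origin not whitelisted" };
  }
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : null;
  } catch (e) {
    return { accepted: false, reason: "malformed message" };
  }
  if (!msg || typeof msg.type !== "string") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  return { accepted: true, type: msg.type, payload: msg.payload };
}

// In a browser this is wired as
//   window.addEventListener("message", (e) => handleMessage(e));
// and the sandboxed frame is addressed with an explicit target origin:
//   frame.contentWindow.postMessage(JSON.stringify({ type: "ping" }), "https://legacy.example");
```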

2012/11/16

Devoxx2012: mgwt - GWT goes mobile - Daniel Kurka

PhoneGap: hybrid web app. http://phonegap.com
  • javascript
  • uses W3C standards (including future APIs)
  • Web part / Native part
  • web part: uses local web browser (mostly webkit)
  • native part: called through special 'gap://...' urls
    • string parameters
    • asynchronous
  • temporary solution till browser capabilities are enhanced
GWT
  • compiles java to javascript
  • integrated debugging
  • deferred binding
  • optimal size
  • can be combined with PhoneGap
mgwt http://www.m-gwt.com
  • native look and feel
  • optimizing compiler
  • local / offline support (appcache)
  • use css3 (faster and more flexible). E.g. Flexible box model http://hacks.mozilla.org/2010/04/the-css-3-flexible-box-model/
  • dead code removal: compilation per device

Devoxx2012: Search, the Final Frontier - Shay Banon

Elasticsearch features
  • uses lucene internally
  • Json / rest api + java library
  • web interface
  • distributed:
    • indexes: e.g. Time based indexes: logical grouping
    • shards, replicas
    • clusters
    • auto discovery of master
    • elected master: responsible for consistent state & does bookkeeping for new nodes
    • crashed master: logged, new master is auto-elected
    • move shards
  • other (lucene features)
    • whitespace analyser
    • stop word removal
    • keyword analyser: keep as string
    • ngram / soundex

2012/11/15

Devoxx2012 - Apache TomEE, JEE6 Web Profile on Tomcat - David Blevins

TomEE
  • Tomcat + Java EE
  • Java EE 6 Certified
  • young project: 1 year old (2011)
  • focus on
    • quality: testing
    • performance
    • low footprint (t1.micro Linux image on Amazon: 613 MB max)
    • tight integration of components (no extra downloads etc.)
TomEE exists in 3 flavors
  1. basic web profile (+ JavaMail) - certified
    • half of the JEE specs
    • missing in official web profile
      • corba, JAX-RPC
      • JAX-RS, JAX-WS
      • JMS, Connectors
  2. web profile + JAX-RS (new) - certified
  3. Plus: JAX-WS, Connectors & JMS - not certified
Integrates in Eclipse
  • dynamic web project
  • eclipse run as... run on server
  • embedded Debug adapter
Modern JEE6 demos with TomEE
  • ejb:
    • @javax.ejb.Singleton:
    • @javax.ejb.EJB: inject
  • @javax.jws.WebService -> automatic WSDL / publishing.
  • @javax.ws.rs.... -> REST.
  • CDI:
    • bean.xml in WEB-INF
    • pojo + @javax.inject.Inject
Testing & certification:
  • very large TCK certification testsuite (+/- week)
  • test infrastructure on Amazon EC2 to speed up certification process
Attention points when choosing plain Tomcat instead of TomEE:
  • slower: lots of annotation scanning
  • bloated memory from duplicate classes
  • incomplete: OpenJPA, OpenWebBeans, JNDI
  • no extensive tests from JEE TCK
TomEE+Arquillian
  • arquillian
    • testing framework
    • JUnit based: @RunWith(Arquillian.class)
    • create & deploy small war with selected classes to test functionality
    • distributed testing
  • adapters included
  • integrated debugging
Maven integration:
  • tomee-maven-plugin
  • configure servers
  • start/stop servers
  • deploy / undeploy
random TomEE stuff:
  • Jelastic: cloud provider with upcoming TomEE support.
  • collects & reports multiple errors instead of stopping on the first problem
  • META-INF/resources.xml + @Resource (without spring) 
  • config:
    • tomee.xml:
      • hybrid XML + properties config for readability (cf. Apache httpd config)
      • human readable durations
    • or xml alternative: properties: conf/system.properties (can be mixed)

Devoxx2012: Bootstrapping Android Apps with Open Source - Jake Wharton

Libraries:
  • ActionBarSherlock: backport of the actionbar.
  • ViewPagerIndicator: indicates swipe action
  • NineOldAndroids: backwards compatibility of animation API
  • Otto: Guava-based event bus. E.g. async access to the location API.
  • Dagger: dependency injection - @Module @Provides
  • Retrofit: client REST access
  • Tape: save locally on unreliable network
  • Activitycompat2: activity backport
  • PonyCrossing
  • Pollexor
  • OkHttp
  • Spoon: test tool

Devoxx2012: OAuth 2 and Identity - Tim Bray & Nicolas Garnier

Google's focus:
  • OAuth2
    • framework -> no guarantee on interoperability
    • core is frozen
  • OpenID Connect
    • protocol
    • based on OAuth2
    • "OAuth2 for login"
Javascript-only flow:
  • register for client id + select APIs ("scopes")
  • redirect to google.com in popup
  • access token is returned
    • 3600s timeout -> re-logon after that
  • optionally use gapi library (apache license)
  • redirect back to original page + use access token to access the Google APIs
Server side api:
  • register to get "super-secret" client id
  • no popup needed
  • redirect to google
  • extra server-side step: get the authorization code.
  • logon not limited in time (occasional server-side refresh of the access token needed)

Mobile
  • embedded browser: no SSO -> re-logon
  • call external browser: less user friendly / extra security measures needed
  • Android specific: GoogleAuthUtil
other:
  • AccountChooser framework (javascript-based)