WebApp Sec mailing list archives
Re: [WEB SECURITY] How to Create Secure Web Applications with Struts
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Wed, 22 Mar 2006 07:21:08 -0800 (PST)
I'm having an half audit half pen test because of which they don't let me read their struts xml files or any other conf. files for that matter but I have access to their test env. with fake user credentials and some more information. :( But, hey, that would be great and I think helpful for the community, too. -pilon --- Dinis Cruz <dinis () ddplus net> wrote:
Pilon, how are you analysing the struts xml files? I wrote a quick xslt transformation that allowed me to see them in a nice format (in html tables) Let me know if you think that will be usefull to you and I will post in online Dinis ---------------------------------------- From: Pilon Mntry <pilonmntry () yahoo com> Sent: 21 March 2006 09:40 To: dinis.cruz () ddplus net Subject: Re: [WEB SECURITY] How to Create Secure Web Applications with Struts Hi Dinis,if the presentation is on the client side (ala AJAX ...Well, when I wrote "presentation layer" I meant the one at the server side (since the issue was Struts), but of course, you are right that when AJAX or alike is employed then there remains one (secure) validation.For example, I did an audit to a struts based Java App which had massive Authorization problems ...And I'm doing one right now :). When a developer uses Struts Validator on a parameter with positive approach(let's say [a-zA-Z0-9]), then it would be hard to convince him to do another validation in his business logic for SQL injection. -pilon --- Dinis Cruz wrote:Pilon, when you say:However, with this approach when positivevalidation (whitelist) is used, there probablywillbeunnecessary double validation: one inpresentationlayer and the other in business layer. But Iguess,that's one should pay for extensibility andsecurity sake. if the presentation is on the client side (ala AJAX), then there is only one security validation (since the one done at client slide has nosecurityrelevance and doesn't count :) Also note that doing data validation very awayfromthe business logic (i.e. the presentation layer)canintroduce massive exploitable blind spots For example, I did an audit to a struts based Java App which had massive Authorization problems (and some data validation issues too) Dinis Cruz Owasp .Net Project www.owasp.net ---------------------------------------- From: Pilon Mntry Sent: 21 March 2006 07:36 To: Stephen de Vries Subject: Re: [WEB SECURITY] How to Create SecureWebApplications with StrutsIt may not be a big issue, but I think it's important to understand how choosing the web tier as a security provider could impact the extensibility of the app down the line.Nice comment. In owasp guide it goes like this; "...the web / presentation tier should validateforweb related issues, persistence layers should validate for persistence issues such as SQL / HQLinjection,directory lookups should check for LDAP injection, and so on." However, with this approach when positivevalidation(whitelist) is used, there probably will be unnecessary double validation: one in presentation layer and the other in business layer. But Iguess,that's one should pay for extensibility andsecuritysake. And this is for data validation only.Authorizationis another issue... And nice article by the way. -pilon --- Stephen de Vries wrote:Great article! It did make me think of a particulararchitecturalissue which seems to be cropping up more and more; that is, theimpactthat implementing security in the web tier has on the future extensibility of the app. For applications that were designed as web appsandwill continue to only be web apps for the rest of their lives,thisshouldn't impact much on the extensibility of the apps. If the validation rules or access control requirements change, these caneasilybe changed in the web tier (and as you've shown Struts makesitreally easy, because it's all declarative). But if the application needs to be extensible,e.g.must have a fat client down the road or must expose webservices,then any security implemented in the web tier would have to be re-implemented in all the other facades. To be truly extensible applications should implement security functionality in the business tier so that any changes to the presentation technology (or new technologies) don't impact the core functionality. E.g. for classic J2EE technologies this would mean implementing access control ontheEJB's themselves rather than in the web tier. This is also the approach taken by the Spring framework: both access control and input validation are tied to the beans that form the middle tier, not the presentation. It may not be a big issue, but I think it's important to understand how choosing the web tier as a security provider could impact the extensibility of the app down the line. 2p Stephen On 20 Mar 2006, at 02:44,bugtraq () cgisecurity netwrote:"This article will focus on developing secureWebapplications withthe popular Java framework Struts. It will detail a set of best practices usingtheincluded securitymechanisms. The first section will provide an overview of both Struts and Web
=== message truncated === __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] How to Create Secure Web Applications with Struts Andre Maisonneuve (Mar 21)
- <Possible follow-ups>
- Re: [WEB SECURITY] How to Create Secure Web Applications with Struts Pilon Mntry (Mar 21)
- Re: [WEB SECURITY] How to Create Secure Web Applications with Struts Stephen de Vries (Mar 21)
- Re: [WEB SECURITY] How to Create Secure Web Applications with Struts Pilon Mntry (Mar 22)
- RE: [WEB SECURITY] How to Create Secure Web Applications with Struts PPowenski (Mar 22)