Secure By Default Web Applications
Robert Munteanu, Senior Computer Scientist, Adobe
About me
→ Threat modelling
OWASP Top 10 (selection)
Sample application
Apache Sling primer
Handling security threats
Demo
Threat modelling process
Define security requirements
Create application diagram
Identify threats
Mitigate threats
Validate mitigations
Security requirements examples
99.9% availability
confidentiality of user profiles
integrity of purchase transactions
prevent unauthorized users from modifying database entries
Data flow diagram
STRIDE model
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Threat modelling
→ OWASP Top 10 (selection)
Sample application
Apache Sling primer
Handling security threats
Demo
OWASP Top 10
A01:2021 - Broken Access Control
bypassing access control checks by modifying the URL, internal application state, or the HTML page, or by using an attack tool modifying API requests.
viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
API with missing access controls for POST, PUT and DELETE.
replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.
A03:2021 - Injection
User-supplied data is not validated, filtered, or sanitized
Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
A05:2021 - Security Misconfiguration
Missing appropriate security hardening across any part of the application stack
Improperly configured permissions on cloud services.
Unnecessary features are enabled or installed
Default accounts and their passwords are still enabled and unchanged.
Error handling reveals stack traces or other overly informative error messages to users.
For upgraded systems, the latest security features are disabled or not configured securely.
The server does not send security headers or directives, or they are not set to secure values.
A06:2021 - Vulnerable and Outdated Components
Vulnerable, unsupported, or out of date software
OS
web/application server
database management system (DBMS)
applications
APIs
components
runtime environments
libraries.
Failure to regularly scan for vulnerabilities
Failure to patch security vulnerabilities in a timely manner
A09:2021 - Security Logging and Monitoring Failures
Not logging auditable events
logins
failed logins
high-value transactions
Inadequate log messages for warnings and errors
Failure to monitor logs for suspicious activity
Local-only storage for logs
Missing alerting thresholds and response escalation processes
Threat modelling
OWASP Top 10 (selection)
→ Sample application
Apache Sling primer
Handling security threats
Demo
Sample application description
simple website
content authors can post articles
authenticated users can post comments
unauthenticated users can read articles and comments
Data flow
Threat catalogue
T001 - malicious content added by authors / A03:2021 - Injection
T002 - malicious content added by authenticated users / A03:2021 - Injection
T003 - unauthorized changes made by authenticated users / A01:2021 - Broken Access Control
T004 - unauthorized changes made by unauthenticated users / A01:2021 - Broken Access Control
T005 - comments deleted by authenticated users / A01:2021 - Broken Access Control
T006 - denial of service by bulk posting comments / A09:2021 - Security Logging and Monitoring Failures
T007 - extraction of personally identifiable data / A01:2021 - Broken Access Control
Threat modelling
OWASP Top 10 (selection)
Sample application
→ Apache Sling primer
Handling security threats
Demo
Web application framework
RESTful
$ curl http://localhost:8080/content/pospai/home/welcome.json
{
  "jcr:primaryType": "sling:Folder",
  "jcr:createdBy": "sling-package-install",
  "jcr:title": "pospai Welcome",
  "jcr:created": "Fri Jul 21 2023 15:05:11 GMT+0300",
  "sling:resourceType": "pospai/page"
}
Resource types
{
  "jcr:primaryType": "sling:Folder",
  "jcr:createdBy": "sling-package-install",
  "jcr:title": "pospai Welcome",
  "jcr:created": "Fri Jul 21 2023 15:05:11 GMT+0300",
  "sling:resourceType": "pospai/page"
}
Script resolution
Scripts
<div style="display: grid; grid-template-columns: 100px 300px">
  <div>
    <img width="60px" src="/pospai/avatar.jpg/${resource.createdBy}">
  </div>
  <div>${resource.createdBy}</div>
  <div>${resource.message}</div>
</div>
Servlets
import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

// Bound to the pospai/avatar resource type and the jpg extension, so it serves
// links such as the /pospai/avatar.jpg/... reference in the script above.
@Component(
    service = Servlet.class,
    property = {
        "sling.servlet.resourceTypes=pospai/avatar",
        "sling.servlet.extensions=jpg",
    }
)
// SlingSafeMethodsServlet only dispatches the safe methods (GET, HEAD, OPTIONS);
// modifying methods are answered with 405 without any code in this class.
public class AvatarServlet extends SlingSafeMethodsServlet {
    @Override
    protected void doGet(SlingHttpServletRequest request,
            SlingHttpServletResponse response) throws ServletException, IOException {
        // avatar rendering omitted on the slide
    }
}
Content repository
Threat modelling
OWASP Top 10 (selection)
Sample application
Apache Sling primer
→ Handling security threats
Demo
Built-in access control
Authentication opt-in for servlets
import javax.servlet.Servlet;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.auth.core.AuthConstants;
import org.apache.sling.servlets.annotations.SlingServletPaths;
import org.osgi.service.component.annotations.Component;

// The leading "+" in sling.auth.requirements requires authentication for that path.
@Component(service = { Servlet.class },
    property = { AuthConstants.AUTH_REQUIREMENTS + "=+/my/servlet" }
)
@SlingServletPaths("/my/servlet")
public class MyProtectedServlet extends SlingAllMethodsServlet {
    /* implementation here */
}
XSS protection
Injection-safe APIs
// automatically loaded, ensures user has access
Resource requested = request.getResource();
// access properties
String title = requested.getValueMap().get("jcr:title", String.class);
// gather children paths
List<String> childrenPaths = new ArrayList<>();
for ( Resource child: requested.getChildren() ) {
childrenPaths.add(child.getPath());
}
// access parent resource
Resource parent = requested.getParent();
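The three slides above (built-in access control, authentication opt-in, injection-safe APIs) come together in the following servlet for threat T005 from the catalogue. It is an added example, not code from the slides or from the pospai project: the decision whether a comment may be deleted is left to the ACLs stored in the repository and every outcome is logged as an auditable event (A09). The resource type `pospai/comment`, the class name and the DELETE binding are assumptions.

```java
import java.io.IOException;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Handles DELETE on a single comment of the sample application (threat T005).
 *
 * Assumption (not from the slides): comments carry the resource type
 * pospai/comment. Binding to that type and to DELETE only means the servlet
 * never runs for articles or pages, and never for a GET.
 */
@Component(
    service = Servlet.class,
    property = {
        "sling.servlet.resourceTypes=pospai/comment",
        "sling.servlet.methods=DELETE"
    }
)
public class CommentDeleteServlet extends SlingAllMethodsServlet {

    private static final Logger LOG = LoggerFactory.getLogger(CommentDeleteServlet.class);

    @Override
    protected void doDelete(SlingHttpServletRequest request,
            SlingHttpServletResponse response) throws ServletException, IOException {
        // Resolved by Sling through the resolver of the authenticated user, so
        // the user can already read it; no path is assembled from parameters.
        Resource comment = request.getResource();
        ResourceResolver resolver = request.getResourceResolver();
        String userId = resolver.getUserID();

        // Let the repository decide: the answer comes from the ACLs stored in
        // Oak, not from a role check re-implemented in every servlet.
        if (!canRemove(resolver, comment.getPath())) {
            // Auditable event (A09): who was refused, and on what.
            LOG.warn("Denied DELETE of {} for user {}", comment.getPath(), userId);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        try {
            resolver.delete(comment);
            resolver.commit();
            // High-value transaction (A09): record successful deletions as well.
            LOG.info("User {} deleted comment {}", userId, comment.getPath());
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (PersistenceException e) {
            // Permissions can change between the check and the commit; the
            // commit itself is the last line of defence, so fail closed here too.
            resolver.revert();
            LOG.warn("DELETE of {} for user {} failed: {}", comment.getPath(), userId, e.getMessage());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** True only if the repository grants the current user the remove action on the path. */
    private static boolean canRemove(ResourceResolver resolver, String path) {
        Session session = resolver.adaptTo(Session.class);
        if (session == null) {
            return false; // not JCR-backed: nothing to verify against, so refuse
        }
        try {
            return session.hasPermission(path, Session.ACTION_REMOVE);
        } catch (RepositoryException e) {
            LOG.warn("Permission check for {} failed: {}", path, e.getMessage());
            return false; // fail closed
        }
    }
}
```

Because reading stays open to unauthenticated users, no `sling.auth.requirements` entry is added for the comment path; an anonymous DELETE is refused by the permission check instead, and the refusal shows up in the logs alongside the `oak_security_authentication_login_failed_total` counter from the metrics slide.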
Side note: type-safe APIs
import org.apache.sling.api.resource.Resource;
import org.apache.sling.models.annotations.Model;
import org.apache.sling.models.annotations.injectorspecific.ValueMapValue;

@Model(adaptables = Resource.class)
public class MyModel {
    @ValueMapValue(name = "jcr:title")
    private String title;
    public String getTitle() {
        return title;
    }
}
// adaptTo returns null when the resource cannot be adapted to the model
MyModel model = resource.adaptTo(MyModel.class);
model.getTitle();
Metrics
$ curl --silent http://localhost:8080/metrics | grep -E '^(sling|oak|jvm)' | wc -l
486
oak_SESSION_COUNT
oak_security_authentication_login_failed_total
oak_security_authentication_login_token_failed_total
Dashboards
Alerts
Fine-grained artifacts
Automatic updates
Threat modelling
OWASP Top 10 (selection)
Sample application
Apache Sling primer
Handling security threats
→ Demo
Resources
Apache Sling: https://sling.apache.org/
Apache Jackrabbit Oak: https://jackrabbit.apache.org/oak/
Pospai Sample App: https://github.com/rombert/pospai
STRIDE model: https://en.wikipedia.org/wiki/STRIDE_(security)
OWASP Top 10: https://owasp.org/www-project-top-ten/

More Related Content

Similar to Secure by Default Web Applications (20)

Security Webinar: Harden the Heart of Your WordPress SiteSe
Security Webinar: Harden the Heart of Your WordPress SiteSeSecurity Webinar: Harden the Heart of Your WordPress SiteSe
Security Webinar: Harden the Heart of Your WordPress SiteSe
WP Engine
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilities
RIZWAN HASAN
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
Owasp 2017 oveview
Owasp 2017   oveviewOwasp 2017   oveview
Owasp 2017 oveview
Shreyas N
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 
OWASP Top 10
OWASP Top 10OWASP Top 10
OWASP Top 10
Arthur Shvetsov
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
sudip pudasaini
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Owasp
Owasp Owasp
Owasp
penetration Tester
 
Shields up - improving web application security
Shields up - improving web application securityShields up - improving web application security
Shields up - improving web application security
Konstantin Mirin
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
Nikola Milosevic
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajan
Akash Mahajan
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
Kaukau9
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
Fastly
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
Larry Ball
 
API Vulnerabilties and What to Do About Them
API Vulnerabilties and What to Do About ThemAPI Vulnerabilties and What to Do About Them
API Vulnerabilties and What to Do About Them
Eoin Woods
 
Security Webinar: Harden the Heart of Your WordPress SiteSe
Security Webinar: Harden the Heart of Your WordPress SiteSeSecurity Webinar: Harden the Heart of Your WordPress SiteSe
Security Webinar: Harden the Heart of Your WordPress SiteSe
WP Engine
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilities
RIZWAN HASAN
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Braindev Kyiv
 
Owasp 2017 oveview
Owasp 2017   oveviewOwasp 2017   oveview
Owasp 2017 oveview
Shreyas N
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
sudip pudasaini
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Shields up - improving web application security
Shields up - improving web application securityShields up - improving web application security
Shields up - improving web application security
Konstantin Mirin
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
Nikola Milosevic
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks   akash mahajanTop 10 web application security risks   akash mahajan
Top 10 web application security risks akash mahajan
Akash Mahajan
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
Kaukau9
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
Fastly
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
Larry Ball
 
API Vulnerabilties and What to Do About Them
API Vulnerabilties and What to Do About ThemAPI Vulnerabilties and What to Do About Them
API Vulnerabilties and What to Do About Them
Eoin Woods
 

More from Robert Munteanu (20)

Sling Applications - A DevOps perspective
Sling Applications - A DevOps perspectiveSling Applications - A DevOps perspective
Sling Applications - A DevOps perspective
Robert Munteanu
 
Will it blend? Java agents and OSGi
Will it blend? Java agents and OSGiWill it blend? Java agents and OSGi
Will it blend? Java agents and OSGi
Robert Munteanu
 
Escape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud ServiceEscape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud Service
Robert Munteanu
 
Crash course in Kubernetes monitoring
Crash course in Kubernetes monitoringCrash course in Kubernetes monitoring
Crash course in Kubernetes monitoring
Robert Munteanu
 
Java agents for fun and (not so much) profit
Java agents for fun and (not so much) profitJava agents for fun and (not so much) profit
Java agents for fun and (not so much) profit
Robert Munteanu
 
Will it blend? Java agents and OSGi
Will it blend? Java agents and OSGiWill it blend? Java agents and OSGi
Will it blend? Java agents and OSGi
Robert Munteanu
 
Cloud-native legacy applications
Cloud-native legacy applicationsCloud-native legacy applications
Cloud-native legacy applications
Robert Munteanu
 
Cloud-Native Sling
Cloud-Native SlingCloud-Native Sling
Cloud-Native Sling
Robert Munteanu
 
From Monolith to Modules - breaking apart a one size fits all product into mo...
From Monolith to Modules - breaking apart a one size fits all product into mo...From Monolith to Modules - breaking apart a one size fits all product into mo...
From Monolith to Modules - breaking apart a one size fits all product into mo...
Robert Munteanu
 
What's new in the Sling developer tooling?
What's new in the Sling developer tooling?What's new in the Sling developer tooling?
What's new in the Sling developer tooling?
Robert Munteanu
 
Scaling up development of a modular code base
Scaling up development of a modular code baseScaling up development of a modular code base
Scaling up development of a modular code base
Robert Munteanu
 
Scaling up development of a modular code base
Scaling up development of a modular code baseScaling up development of a modular code base
Scaling up development of a modular code base
Robert Munteanu
 
Scaling up development of a modular code base
Scaling up development of a modular code baseScaling up development of a modular code base
Scaling up development of a modular code base
Robert Munteanu
 
Zero downtime deployments for Sling application using Docker
Zero downtime deployments for Sling application using DockerZero downtime deployments for Sling application using Docker
Zero downtime deployments for Sling application using Docker
Robert Munteanu
 
Scaling up development of a modular code base
Scaling up development of a modular code baseScaling up development of a modular code base
Scaling up development of a modular code base
Robert Munteanu
 
Do you really want to go fully micro?
Do you really want to go fully micro?Do you really want to go fully micro?
Do you really want to go fully micro?
Robert Munteanu
 
Effective web application development with Apache Sling
Effective web application development with Apache SlingEffective web application development with Apache Sling
Effective web application development with Apache Sling
Robert Munteanu
 
Of microservices and microservices
Of microservices and microservicesOf microservices and microservices
Of microservices and microservices
Robert Munteanu
 
Slide IDE Tooling (adaptTo 2016)
Slide IDE Tooling (adaptTo 2016)Slide IDE Tooling (adaptTo 2016)
Slide IDE Tooling (adaptTo 2016)
Robert Munteanu
 
Secure by Default Web Applications with Apache Sling
Secure by Default Web Applications with Apache SlingSecure by Default Web Applications with Apache Sling
Secure by Default Web Applications with Apache Sling
Robert Munteanu
 
Sling Applications - A DevOps perspective
Sling Applications - A DevOps perspectiveSling Applications - A DevOps perspective
Sling Applications - A DevOps perspective
Robert Munteanu
 
Will it blend? Java agents and OSGi
Will it blend? Java agents and OSGiWill it blend? Java agents and OSGi
Will it blend? Java agents and OSGi
Robert Munteanu
 
Escape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud ServiceEscape the defaults - Configure Sling like AEM as a Cloud Service
Escape the defaults - Configure Sling like AEM as a Cloud Service
Robert Munteanu
 
Crash course in Kubernetes monitoring
Crash course in Kubernetes monitoringCrash course in Kubernetes monitoring
Crash course in Kubernetes monitoring
Robert Munteanu
 
Java agents for fun and (not so much) profit
Java agents for fun and (not so much) profitJava agents for fun and (not so much) profit
Java agents for fun and (not so much) profit
Robert Munteanu
 
Will it blend? Java agents and OSGi
Will it blend? Java agents and OSGiWill it blend? Java agents and OSGi
Will it blend? Java agents and OSGi
Robert Munteanu
 
Cloud-native legacy applications
Cloud-native legacy applicationsCloud-native legacy applications
Cloud-native legacy applications
Robert Munteanu
 
From Monolith to Modules - breaking apart a one size fits all product into mo...
From Monolith to Modules - breaking apart a one size fits all product into mo...From Monolith to Modules - breaking apart a one size fits all product into mo...
From Monolith to Modules - breaking apart a one size fits all product into mo...
Robert Munteanu
 
What's new in the Sling developer tooling?
What's new in the Sling developer tooling?What's new in the Sling developer tooling?
What's new in the Sling developer tooling?
Robert Munteanu
 
Scaling up development of a modular code base
Scaling up development of a modular code baseScaling up development of a modular code base
Scaling up development of a modular code base
Robert Munteanu
 
Scaling up development of a modular code base
Scaling up development of a modular code baseScaling up development of a modular code base
Scaling up development of a modular code base
Robert Munteanu
 
Scaling up development of a modular code base
Scaling up development of a modular code baseScaling up development of a modular code base
Scaling up development of a modular code base
Robert Munteanu
 
Zero downtime deployments for Sling application using Docker
Zero downtime deployments for Sling application using DockerZero downtime deployments for Sling application using Docker
Zero downtime deployments for Sling application using Docker
Robert Munteanu
 
Scaling up development of a modular code base
Scaling up development of a modular code baseScaling up development of a modular code base
Scaling up development of a modular code base
Robert Munteanu
 
Do you really want to go fully micro?
Do you really want to go fully micro?Do you really want to go fully micro?
Do you really want to go fully micro?
Robert Munteanu
 
Effective web application development with Apache Sling
Effective web application development with Apache SlingEffective web application development with Apache Sling
Effective web application development with Apache Sling
Robert Munteanu
 
Of microservices and microservices
Of microservices and microservicesOf microservices and microservices
Of microservices and microservices
Robert Munteanu
 
Slide IDE Tooling (adaptTo 2016)
Slide IDE Tooling (adaptTo 2016)Slide IDE Tooling (adaptTo 2016)
Slide IDE Tooling (adaptTo 2016)
Robert Munteanu
 
Secure by Default Web Applications with Apache Sling
Secure by Default Web Applications with Apache SlingSecure by Default Web Applications with Apache Sling
Secure by Default Web Applications with Apache Sling
Robert Munteanu
 
Ad

Recently uploaded (20)

zOS CommServer support for the Network Express feature on z17
zOS CommServer support for the Network Express feature on z17zOS CommServer support for the Network Express feature on z17
zOS CommServer support for the Network Express feature on z17
zOSCommserver
 
Intranet Examples That Are Changing the Way We Work
Intranet Examples That Are Changing the Way We WorkIntranet Examples That Are Changing the Way We Work
Intranet Examples That Are Changing the Way We Work
BizPortals Solutions
 
Micro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Micro-Metrics Every Performance Engineer Should Validate Before Sign-OffMicro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Micro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Tier1 app
 
GirikHire Unlocking the Future of Tech Talent with AI-Powered Hiring Solution...
GirikHire Unlocking the Future of Tech Talent with AI-Powered Hiring Solution...GirikHire Unlocking the Future of Tech Talent with AI-Powered Hiring Solution...
GirikHire Unlocking the Future of Tech Talent with AI-Powered Hiring Solution...
GirikHire
 
Content Mate Web App Triples Content Managers‘ Productivity
Content Mate Web App Triples Content Managers‘ ProductivityContent Mate Web App Triples Content Managers‘ Productivity
Content Mate Web App Triples Content Managers‘ Productivity
Alex Vladimirovich
 
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdfBoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
Ortus Solutions, Corp
 
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
Nacho Cougil
 
Secure and Simplify IT Management with ManageEngine Endpoint Central.pdf
Secure and Simplify IT Management with ManageEngine Endpoint Central.pdfSecure and Simplify IT Management with ManageEngine Endpoint Central.pdf
Secure and Simplify IT Management with ManageEngine Endpoint Central.pdf
Northwind Technologies
 
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdfHow to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
QuickBooks Training
 
Issues in AI Presentation and machine learning.pptx
Issues in AI Presentation and machine learning.pptxIssues in AI Presentation and machine learning.pptx
Issues in AI Presentation and machine learning.pptx
Jalalkhan657136
 
Rebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core FoundationRebuilding Cadabra Studio: AI as Our Core Foundation
Rebuilding Cadabra Studio: AI as Our Core Foundation
Cadabra Studio
 
ICDL FULL STANDARD 2025 Luisetto mauro - Academia domani- 55 HOURS LONG pdf
ICDL FULL STANDARD  2025 Luisetto mauro - Academia domani- 55 HOURS LONG pdfICDL FULL STANDARD  2025 Luisetto mauro - Academia domani- 55 HOURS LONG pdf
ICDL FULL STANDARD 2025 Luisetto mauro - Academia domani- 55 HOURS LONG pdf
M. Luisetto Pharm.D.Spec. Pharmacology
 
SQL-COMMANDS instructionsssssssssss.pptx
SQL-COMMANDS instructionsssssssssss.pptxSQL-COMMANDS instructionsssssssssss.pptx
SQL-COMMANDS instructionsssssssssss.pptx
Ashlei5
 
AI-ASSISTED METAMORPHIC TESTING FOR DOMAIN-SPECIFIC MODELLING AND SIMULATION
AI-ASSISTED METAMORPHIC TESTING FOR DOMAIN-SPECIFIC MODELLING AND SIMULATIONAI-ASSISTED METAMORPHIC TESTING FOR DOMAIN-SPECIFIC MODELLING AND SIMULATION
AI-ASSISTED METAMORPHIC TESTING FOR DOMAIN-SPECIFIC MODELLING AND SIMULATION
miso_uam
 
Delivering More with Less: AI Driven Resource Management with OnePlan
Delivering More with Less: AI Driven Resource Management with OnePlan Delivering More with Less: AI Driven Resource Management with OnePlan
Delivering More with Less: AI Driven Resource Management with OnePlan
OnePlan Solutions
 
Marketing And Sales Software Services.pptx
Marketing And Sales Software Services.pptxMarketing And Sales Software Services.pptx
Marketing And Sales Software Services.pptx
julia smits
 
War Story: Removing Offensive Language from Percona Toolkit
War Story: Removing Offensive Language from Percona ToolkitWar Story: Removing Offensive Language from Percona Toolkit
War Story: Removing Offensive Language from Percona Toolkit
Sveta Smirnova
 
Software Risk and Quality management.pptx
Software Risk and Quality management.pptxSoftware Risk and Quality management.pptx
Software Risk and Quality management.pptx
HassanBangash9
 
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Why Indonesia’s $12.63B Alt-Lending Boom Needs Loan Servicing Automation & Re...
Prachi Desai
 
How AI Can Improve Media Quality Testing Across Platforms (1).pptx
How AI Can Improve Media Quality Testing Across Platforms (1).pptxHow AI Can Improve Media Quality Testing Across Platforms (1).pptx
How AI Can Improve Media Quality Testing Across Platforms (1).pptx
kalichargn70th171
 
zOS CommServer support for the Network Express feature on z17
zOS CommServer support for the Network Express feature on z17zOS CommServer support for the Network Express feature on z17
zOS CommServer support for the Network Express feature on z17
zOSCommserver
 
Intranet Examples That Are Changing the Way We Work
Intranet Examples That Are Changing the Way We WorkIntranet Examples That Are Changing the Way We Work
Intranet Examples That Are Changing the Way We Work
BizPortals Solutions
 
Micro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Micro-Metrics Every Performance Engineer Should Validate Before Sign-OffMicro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Micro-Metrics Every Performance Engineer Should Validate Before Sign-Off
Tier1 app
 
GirikHire Unlocking the Future of Tech Talent with AI-Powered Hiring Solution...
GirikHire Unlocking the Future of Tech Talent with AI-Powered Hiring Solution...GirikHire Unlocking the Future of Tech Talent with AI-Powered Hiring Solution...
GirikHire Unlocking the Future of Tech Talent with AI-Powered Hiring Solution...
GirikHire
 
Content Mate Web App Triples Content Managers‘ Productivity
Content Mate Web App Triples Content Managers‘ ProductivityContent Mate Web App Triples Content Managers‘ Productivity
Content Mate Web App Triples Content Managers‘ Productivity
Alex Vladimirovich
 
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdfBoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
Ortus Solutions, Corp
 
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
How John started to like TDD (instead of hating it) (ViennaJUG, June'25)
Nacho Cougil
 
Secure and Simplify IT Management with ManageEngine Endpoint Central.pdf
Secure and Simplify IT Management with ManageEngine Endpoint Central.pdfSecure and Simplify IT Management with ManageEngine Endpoint Central.pdf
Secure and Simplify IT Management with ManageEngine Endpoint Central.pdf
Northwind Technologies
 
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdfHow to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
How to Generate Financial Statements in QuickBooks Like a Pro (1).pdf
QuickBooks Training
 
Issues in AI Presentation and machine learning.pptx
Issues in AI Presentation and machine learning.pptxIssues in AI Presentation and machine learning.pptx

Secure by Default Web Applications

  • 12. A05:2021 - Security Misconfiguration
    Missing appropriate security hardening across any part of the application stack
    Improperly configured permissions on cloud services
    Unnecessary features are enabled or installed
    Default accounts and their passwords are still enabled and unchanged
    Error handling reveals stack traces or other overly informative error messages to users
    For upgraded systems, the latest security features are disabled or not configured securely
    The server does not send security headers or directives, or they are not set to secure values
  • 13. A06:2021 - Vulnerable and Outdated Components
    Vulnerable, unsupported, or out of date software
      OS
      web/application server
      database management system (DBMS)
      applications
      APIs
      components
      runtime environments
      libraries
    Failure to regularly scan for vulnerabilities
    Failure to timely patch security vulnerabilities
  • 14. A09:2021 - Security Logging and Monitoring Failures
    Not logging auditable events
      logins
      failed logins
      high-value transactions
    Inadequate log messages for warnings and errors
    Failure to monitor logs for suspicious activity
    Local-only storage for logs
    Missing alerting thresholds and response escalation processes
  • 15. Threat modelling
    OWASP Top 10 (selection)
    → Sample application
    Apache Sling primer
    Handling security threats
    Demo
  • 16. Sample application description
    simple website
    content authors can post articles
    authenticated users can post comments
    unauthenticated users can read articles and comments
  • 18. Threat catalogue
    T001 - malicious content added by authors / A03:2021 - Injection
    T002 - malicious content added by authenticated users / A03:2021 - Injection
    T003 - unauthorized changes made by authenticated users / A01:2021 - Broken Access Control
    T004 - unauthorized changes made by unauthenticated users / A01:2021 - Broken Access Control
    T005 - comments deleted by authenticated users / A01:2021 - Broken Access Control
    T006 - denial of service by bulk posting comments / A09:2021 - Security Logging and Monitoring Failures
    T007 - extraction of personally identifiable data / A01:2021 - Broken Access Control
  • 19. Threat modelling
    OWASP Top 10 (selection)
    Sample application
    → Apache Sling primer
    Handling security threats
    Demo
  • 21. RESTful
    $ curl http://localhost:8080/content/pospai/home/welcome.json
    {
      "jcr:primaryType": "sling:Folder",
      "jcr:createdBy": "sling-package-install",
      "jcr:title": "pospai Welcome",
      "jcr:created": "Fri Jul 21 2023 15:05:11 GMT+0300",
      "sling:resourceType": "pospai/page"
    }
  • 22. Resource types
    {
      "jcr:primaryType": "sling:Folder",
      "jcr:createdBy": "sling-package-install",
      "jcr:title": "pospai Welcome",
      "jcr:created": "Fri Jul 21 2023 15:05:11 GMT+0300",
      "sling:resourceType": "pospai/page"
    }
  • 24. Scripts
    <!-- HTL script for the pospai comment resource; every ${...} is escaped for its context by HTL -->
    <div style="display: grid; grid-template-columns: 100px 300px">
      <div>
        <img width="60px" src="/pospai/avatar.jpg/${resource.createdBy}">
      </div>
      <div>${resource.createdBy}</div>
      <div>${resource.message}</div>
    </div>
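The HTL script above never concatenates `${resource.message}` into the page as raw text; the expression is encoded for the context it lands in. The following is an added example, not code from the slides or the pospai project, that writes the same markup by hand so the injection point behind T001 and T002 is visible next to its encoded form. It uses the OWASP Java Encoder (`org.owasp.encoder.Encode`), assumed to be on the classpath; the comment values in `main` are constructed.

```java
import org.owasp.encoder.Encode;

/**
 * Added example: the markup of the HTL script, rendered once without and once
 * with context-aware encoding. Not part of the pospai sample application.
 */
public final class CommentMarkup {

    private CommentMarkup() {}

    // UNSAFE: plain concatenation. A message containing a <script> element, or
    // an author name containing a quote, becomes markup instead of text.
    public static String renderUnsafe(String createdBy, String message) {
        return "<div style=\"display: grid; grid-template-columns: 100px 300px\">"
             + "<div><img width=\"60px\" src=\"/pospai/avatar.jpg/" + createdBy + "\"></div>"
             + "<div>" + createdBy + "</div>"
             + "<div>" + message + "</div>"
             + "</div>";
    }

    // SAFE: each value is encoded for the context it lands in. The author name
    // is a URL path segment inside an attribute value, so it is URI-encoded and
    // then attribute-encoded; the two text nodes get HTML text encoding.
    public static String render(String createdBy, String message) {
        String avatarSegment = Encode.forHtmlAttribute(Encode.forUriComponent(createdBy));
        return "<div style=\"display: grid; grid-template-columns: 100px 300px\">"
             + "<div><img width=\"60px\" src=\"/pospai/avatar.jpg/" + avatarSegment + "\"></div>"
             + "<div>" + Encode.forHtml(createdBy) + "</div>"
             + "<div>" + Encode.forHtml(message) + "</div>"
             + "</div>";
    }

    public static void main(String[] args) {
        // Constructed comment values of the kind T001/T002 are about.
        String author = "o'brien <admin>";
        String message = "<script>alert(1)</script>";
        System.out.println(renderUnsafe(author, message)); // script element survives
        System.out.println(render(author, message));       // rendered as visible text
    }
}
```

The point of the comparison is that encoding is per context, not per value: the same `createdBy` string needs a different encoder in the `src` attribute than it does in the text node, which is exactly the decision HTL makes for you and a hand-written script does not.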
  • 25. Servlets
    import java.io.IOException;

    import javax.servlet.Servlet;
    import javax.servlet.ServletException;

    import org.apache.sling.api.SlingHttpServletRequest;
    import org.apache.sling.api.SlingHttpServletResponse;
    import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
    import org.osgi.service.component.annotations.Component;

    // bound to the pospai/avatar resource type, only for the .jpg extension
    @Component(
        service = Servlet.class,
        property = {
            "sling.servlet.resourceTypes=pospai/avatar",
            "sling.servlet.extensions=jpg",
        }
    )
    public class AvatarServlet extends SlingSafeMethodsServlet {

        @Override
        protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
                throws ServletException, IOException {
            // body left empty on the slide
        }
    }
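The slide leaves `doGet` empty. The following is an added example, not the pospai project's own implementation, of one way to fill it in so that the user name taken from the URL suffix (`/pospai/avatar.jpg/<user>`, as used by the script slide) cannot steer the lookup elsewhere and cannot be used to tell existing users from non-existing ones. The repository layout `/home/users/<name>/avatar` and the user-name pattern are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;

import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

/**
 * Added example of a filled-in AvatarServlet. Not the pospai project's code;
 * the avatar path layout and the user-name pattern below are assumptions.
 */
@Component(
    service = Servlet.class,
    property = {
        "sling.servlet.resourceTypes=pospai/avatar",
        "sling.servlet.extensions=jpg"
    }
)
public class AvatarServlet extends SlingSafeMethodsServlet {

    // Allow-list for the user name taken from the URL suffix: rejects "..", "/"
    // and anything else that is not a single clean path segment.
    private static final Pattern USER_NAME = Pattern.compile("[a-z0-9._-]{1,64}");

    // Assumed repository layout (not from the slides).
    private static final String AVATAR_PATH_FORMAT = "/home/users/%s/avatar";

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {

        // /pospai/avatar.jpg/<user>  ->  suffix is "/<user>"
        String suffix = request.getRequestPathInfo().getSuffix();
        String userName = suffix == null ? null : suffix.replaceFirst("^/", "");
        if (userName == null || !USER_NAME.matcher(userName).matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // The request's resolver runs as the calling user, so the repository's
        // access control decides whether this avatar is visible. No elevated
        // (service) session is used for the lookup.
        Resource avatar = request.getResourceResolver()
                .getResource(String.format(AVATAR_PATH_FORMAT, userName));
        InputStream data = avatar == null ? null : avatar.adaptTo(InputStream.class);
        if (data == null) {
            // Same answer for "does not exist" and "not allowed to read", so the
            // endpoint does not confirm which user names exist (see T007).
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        response.setContentType("image/jpeg");
        // A user-uploaded binary must not be sniffed into another content type.
        response.setHeader("X-Content-Type-Options", "nosniff");
        try (InputStream in = data) {
            in.transferTo(response.getOutputStream());
        }
    }
}
```

Two design choices carry the security weight here: the suffix is validated against an allow-list before it is used to build a path, and the lookup goes through the request's own `ResourceResolver`, so the access-control rules in the repository apply without any checks re-implemented in the servlet.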
  • 27. Threat modelling
    OWASP Top 10 (selection)
    Sample application
    Apache Sling primer
    → Handling security threats
    Demo
  • 30. Authentication opt-in for servlets
    import javax.servlet.Servlet;

    import org.apache.sling.api.servlets.SlingAllMethodsServlet;
    import org.apache.sling.auth.core.AuthConstants;
    import org.apache.sling.servlets.annotations.SlingServletPaths;
    import org.osgi.service.component.annotations.Component;

    // the "+" prefix tells the Sling authenticator that /my/servlet requires a logged-in user
    @Component(
        service = { Servlet.class },
        property = { AuthConstants.AUTH_REQUIREMENTS + "=+/my/servlet" }
    )
    @SlingServletPaths("/my/servlet")
    public class MyProtectedServlet extends SlingAllMethodsServlet {
        /* implementation here */
    }
  • 32. Injection-safe APIs
    import java.util.ArrayList;
    import java.util.List;

    import org.apache.sling.api.resource.Resource;

    // inside a servlet's doGet(); request is the SlingHttpServletRequest

    // automatically loaded, ensures user has access
    Resource requested = request.getResource();

    // access properties
    String title = requested.getValueMap().get("jcr:title", String.class);

    // gather children paths
    List<String> childrenPaths = new ArrayList<>();
    for (Resource child : requested.getChildren()) {
        childrenPaths.add(child.getPath());
    }

    // access parent resource
    Resource parent = requested.getParent();
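The resource API on the slide involves no query language at all, which is why it cannot be injected into. When a query is genuinely needed, the same property holds only if the user-supplied value travels as a bind variable. The following is an added example, not code from the slides or the pospai project, showing a comment lookup by author written both ways; the comments root `/content/pospai/comments` is an assumption, and the JCR calls (`Query.bindValue`, `Row.getPath`) are standard JCR 2.0 API.

```java
import java.util.ArrayList;
import java.util.List;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.query.Query;
import javax.jcr.query.Row;
import javax.jcr.query.RowIterator;

import org.apache.sling.api.resource.ResourceResolver;

/**
 * Added example: the same lookup with and without query injection. Not part
 * of the pospai sample application; the comments root is an assumed layout.
 */
public final class CommentLookup {

    static final String COMMENTS_ROOT = "/content/pospai/comments"; // assumed

    private CommentLookup() {}

    // VULNERABLE (A03:2021, threats T001/T002): the author name is spliced into
    // the statement, so a quote inside it ends the string literal and whatever
    // follows is parsed as query syntax. Kept only as the "before" picture.
    public static List<String> findByAuthorUnsafe(ResourceResolver resolver, String author) {
        String stmt = "SELECT * FROM [nt:unstructured] AS c"
                + " WHERE ISDESCENDANTNODE(c, '" + COMMENTS_ROOT + "')"
                + " AND [jcr:createdBy] = '" + author + "'";
        List<String> paths = new ArrayList<>();
        resolver.findResources(stmt, Query.JCR_SQL2)
                .forEachRemaining(r -> paths.add(r.getPath()));
        return paths;
    }

    // SAFE: fixed statement, author passed as a bind variable, so it is only
    // ever compared as a value. The session is the caller's own, so the rows
    // returned are already limited to what that user may read; access control
    // (A01:2021) stays in the repository rather than in this method.
    public static List<String> findByAuthor(ResourceResolver resolver, String author)
            throws RepositoryException {
        Session session = resolver.adaptTo(Session.class);
        if (session == null) {
            throw new IllegalStateException("resolver is not backed by a JCR session");
        }
        String stmt = "SELECT * FROM [nt:unstructured] AS c"
                + " WHERE ISDESCENDANTNODE(c, '" + COMMENTS_ROOT + "')"
                + " AND [jcr:createdBy] = $author";
        Query query = session.getWorkspace().getQueryManager().createQuery(stmt, Query.JCR_SQL2);
        Value bound = session.getValueFactory().createValue(author);
        query.bindValue("author", bound);

        List<String> paths = new ArrayList<>();
        for (RowIterator rows = query.execute().getRows(); rows.hasNext();) {
            Row row = rows.nextRow();
            paths.add(row.getPath());
        }
        return paths;
    }
}
```

`ResourceResolver.findResources` has no bind-variable parameter, which is why the safe variant drops down to the JCR `Session` the resolver is backed by; the statement text itself contains only constants.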
  • 33. Side note: type-safe APIs
    import org.apache.sling.api.resource.Resource;
    import org.apache.sling.models.annotations.Model;
    import org.apache.sling.models.annotations.injectorspecific.ValueMapValue;

    @Model(adaptables = Resource.class)
    public class MyModel {

        @ValueMapValue(name = "jcr:title")
        private String title;

        public String getTitle() {
            return title;
        }
    }

    // usage: adapt a resource to the model and read the typed property
    MyModel model = resource.adaptTo(MyModel.class);
    model.getTitle();
  • 34. Metrics
    $ curl --silent http://localhost:8080/metrics | grep -E '^(sling|oak|jvm)' | wc -l
    486

    examples of exported metric names:
    oak_SESSION_COUNT
    oak_security_authentication_login_failed_total
    oak_security_authentication_login_token_failed_total
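The metrics endpoint on this slide is the raw material for the alerting threshold that slide 14 (A09:2021) lists as missing in many deployments. The following is an added example, not code from the slides or the pospai project, that compares two scrapes of the endpoint and raises an alert when `oak_security_authentication_login_failed_total` grew by more than a threshold between them. The two scrape bodies are constructed text in Prometheus exposition format, not real server output; only the metric names come from the slide.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: a minimal failed-login threshold check over two scrapes of
 * the /metrics endpoint. Not part of the pospai sample application.
 */
public final class LoginFailureAlert {

    public static final String METRIC = "oak_security_authentication_login_failed_total";

    // Constructed scrape at time t0 (not real output).
    static final String SCRAPE_T0 = String.join("\n",
        "# TYPE oak_SESSION_COUNT gauge",
        "oak_SESSION_COUNT 7.0",
        "# TYPE " + METRIC + " counter",
        METRIC + " 12.0",
        "oak_security_authentication_login_token_failed_total 3.0");

    // Constructed scrape one minute later: 175 more failed logins.
    static final String SCRAPE_T1 = String.join("\n",
        "# TYPE oak_SESSION_COUNT gauge",
        "oak_SESSION_COUNT 9.0",
        "# TYPE " + METRIC + " counter",
        METRIC + " 187.0",
        "oak_security_authentication_login_token_failed_total 3.0");

    private LoginFailureAlert() {}

    /** Parses "name[{labels}] value [timestamp]" lines; comments and blanks are skipped. */
    public static Map<String, Double> parse(String scrape) {
        Map<String, Double> values = new HashMap<>();
        for (String raw : scrape.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            int labels = line.indexOf('{');
            int split = labels >= 0 ? line.indexOf('}', labels) + 1 : line.indexOf(' ');
            if (split <= 0 || split >= line.length()) {
                continue; // malformed line: ignore it rather than abort the check
            }
            String name = line.substring(0, split).trim();   // keeps labels, if any
            String[] rest = line.substring(split).trim().split("\\s+");
            try {
                values.put(name, Double.parseDouble(rest[0])); // rest[1] would be a timestamp
            } catch (NumberFormatException e) {
                // non-numeric sample value: skip
            }
        }
        return values;
    }

    /** Increase of a counter between two scrapes, tolerating a reset (server restart). */
    public static double increase(Map<String, Double> before, Map<String, Double> after, String name) {
        double b = before.getOrDefault(name, 0.0);
        double a = after.getOrDefault(name, 0.0);
        return a >= b ? a - b : a; // after a reset the counter started again from zero
    }

    /** True when the failed-login counter grew by more than the threshold. */
    public static boolean shouldAlert(Map<String, Double> before, Map<String, Double> after, double threshold) {
        return increase(before, after, METRIC) > threshold;
    }

    public static void main(String[] args) {
        Map<String, Double> t0 = parse(SCRAPE_T0);
        Map<String, Double> t1 = parse(SCRAPE_T1);
        System.out.printf("failed logins since last scrape: %.0f%n", increase(t0, t1, METRIC));
        if (shouldAlert(t0, t1, 50)) {
            // Hypothetical hook: a real deployment would notify the on-call channel
            // named in the escalation process instead of printing.
            System.out.println("ALERT: failed-login threshold exceeded");
        }
    }
}
```

The counter-reset branch in `increase` matters in practice: after a restart the counter starts again from zero, and a naive `after - before` would go negative and silently suppress the alert for that interval.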
  • 39. Threat modelling
    OWASP Top 10 (selection)
    Sample application
    Apache Sling primer
    Handling security threats
    → Demo
  • 41. Resources
    Apache Sling: https://sling.apache.org/
    Apache Jackrabbit Oak: https://jackrabbit.apache.org/oak/
    Pospai Sample App: https://github.com/rombert/pospai
    STRIDE model: https://en.wikipedia.org/wiki/STRIDE_(security)
    OWASP Top 10: https://owasp.org/www-project-top-ten/