jax 2017 - sicher in die cloud mit angular und spring boot
TRANSCRIPT
![Page 1: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/1.jpg)
SICHER IN DIE CLOUD MIT ANGULAR UND SPRING BOOT
9 MAY 2017
1
![Page 3: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/3.jpg)
ARCHITECTURE / THREAT MODEL
3 . 1
![Page 4: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/4.jpg)
3 . 2
![Page 5: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/5.jpg)
SQL Injection, CSRF, XSS, OWASP, OAuth2, OpenID Connect, Abuser Stories, Authentication, Authorization, Secure Coding, Security Testing, SSO, DoS, Sensitive Data, Data Privacy, Crypto, Code Reviews, Threat Modeling, Architecture, Dependencies, DAST, SAML, SAST, DevSecOps
3 . 3
![Page 6: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/6.jpg)
SQL Injection, CSRF, XSS, OWASP, OAuth2, OpenID Connect, Authentication, Authorization, Secure Coding, Security Testing
3 . 4
![Page 8: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/8.jpg)
APPLICATION SECURITY VERIFICATION STANDARD / PROACTIVE CONTROLS
https://github.com/OWASP/ASVS
https://www.owasp.org/index.php/OWASP_Proactive_Controls
3 . 6
![Page 9: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/9.jpg)
ANGULAR
4 . 1
![Page 10: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/10.jpg)
ANGULARJS = ANGULAR 1
ANGULAR = ANGULAR 2.X, 4.X, 5.X, ...
4 . 2
![Page 11: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/11.jpg)
A3: CROSS-SITE SCRIPTING (XSS)
4 . 3
![Page 12: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/12.jpg)
ANGULARJS SECURITY
https://angularjs.blogspot.de/2016/09/angular-16-expression-sandbox-removal.html
4 . 4
![Page 13: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/13.jpg)
ANGULAR SECURITY
“...The basic idea is to implement automatic, secure escaping for all values that can reach the DOM... By default, with no specific action for developers, Angular apps must be secure...”
https://github.com/angular/angular/issues/8511
4 . 5
![Page 14: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/14.jpg)
ANGULAR XSS PROTECTION
ANGULAR TEMPLATE = SAFE
INPUT VALUES = UNSAFE
4 . 6
![Page 15: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/15.jpg)
ANGULAR COMPONENT (TYPESCRIPT)

```typescript
import { Component } from '@angular/core';

@Component({
  selector: 'app-root',
  templateUrl: 'app.component.html',
  styleUrls: ['app.component.css']
})
export class AppComponent {
  // Attacker-controlled value; must never reach the DOM unescaped or unsanitized.
  untrustedHtml: string = '<em><script>alert("hello")</script></em>';
}
```
4 . 7
![Page 16: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/16.jpg)
ANGULAR TEMPLATE (HTML BINDINGS)

```html
<h2>Binding of potentially dangerous HTML snippets</h2>

<!-- Interpolation: the value is HTML-encoded, the markup is shown as text -->
<h3>Encoded HTML snippet</h3>
<h3 class="trusted">{{untrustedHtml}}</h3>

<!-- Property binding to innerHTML: the value is passed through Angular's sanitizer, which drops the script element -->
<h3>Sanitized HTML snippet</h3>
<h3 class="trusted" [innerHTML]="untrustedHtml"></h3>
```
4 . 8
![Page 17: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/17.jpg)
UNSAFE ANGULAR APIS
ElementRef: direct access to the DOM!
DomSanitizer: deactivates XSS protection!
Do NOT use!
https://angular.io/docs/ts/latest
4 . 9
![Page 18: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/18.jpg)
DEMO
4 . 10
![Page 19: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/19.jpg)
BACKEND
5 . 1
![Page 20: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/20.jpg)
A1: INJECTION
5 . 2
![Page 21: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/21.jpg)
SPRING MVC + SPRING DATA JPA
PREVENT INJECTIONS USING BEAN VALIDATION

```java
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import org.springframework.data.jpa.domain.AbstractPersistable;

@Entity
public class Person extends AbstractPersistable<Long> {

    // Allow-list the accepted characters and length instead of trying to block bad input
    @NotNull
    @Pattern(regexp = "^[A-Za-z0-9- ]{1,30}$")
    private String lastName;

    // An enum restricts the value to a fixed set; stored by name, not ordinal
    @NotNull
    @Enumerated(EnumType.STRING)
    private GenderEnum gender;

    // ...
}
```
5 . 3
![Page 22: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/22.jpg)
SPRING DATA JPA
PREVENT SQL INJECTION USING PREPARED STATEMENTS

```java
// Named parameters are bound by the JPA provider, never concatenated into the query
@Query("select u from User u where u.username = :username"
     + " and u.password = :password")
User findByUsernameAndPassword(@Param("username") String username,
                               @Param("password") String password);
```
5 . 4
![Page 23: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/23.jpg)
A8: CROSS-SITE REQUEST FORGERY (CSRF)
5 . 5
![Page 24: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/24.jpg)
DOUBLE SUBMIT CSRF TOKEN
5 . 6
![Page 25: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/25.jpg)
SPRING SECURITY
SECURE BY DEFAULT
Authentication required for all HTTP endpoints
Session Fixation Protection
Session Cookie (HttpOnly, Secure)
CSRF Protection
Security Response Headers
5 . 7
![Page 26: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/26.jpg)
SPRING SECURITY CSRF CONFIGURATION
ANGULAR SUPPORT

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // …
        // Store the CSRF token in a cookie that is NOT HttpOnly, so the Angular
        // client can read it and send it back as the X-XSRF-TOKEN header
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```
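The double-submit exchange behind this configuration, as an added example (not code from the slides): the server issues the token as a readable cookie, the app's own HTTP client copies it into a header, and the server accepts a state-changing request only when cookie and header match. The request model, the `sameOrigin` switch and the skipped safe methods are simplifications chosen here; Angular's HTTP client and Spring Security's CsrfFilter are only mirrored, not called.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Constructed model of one HTTP request as the server sees it.
interface HttpRequest {
  method: string;
  cookies: Record<string, string>;
  headers: Record<string, string>;
}

const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// Server side: like CookieCsrfTokenRepository.withHttpOnlyFalse(), the token is
// handed to the browser as a readable (non-HttpOnly) cookie named XSRF-TOKEN.
function issueCsrfToken(): string {
  return randomBytes(32).toString("hex");
}

// Browser side. The app's own JavaScript (sameOrigin = true) can read the cookie and
// copy it into the X-XSRF-TOKEN header, as Angular's HTTP client XSRF support does.
// A cross-site page cannot read the cookie: the browser still attaches the cookies to
// the forged request, but the matching header is never present.
function buildRequest(method: string, cookies: Record<string, string>, sameOrigin: boolean): HttpRequest {
  const headers: Record<string, string> = {};
  const token = cookies["XSRF-TOKEN"];
  if (sameOrigin && token && !SAFE_METHODS.includes(method)) {
    headers["X-XSRF-TOKEN"] = token;
  }
  return { method, cookies, headers };
}

// Server-side double-submit check: safe methods pass; every other request must carry
// a header equal to the cookie value. Constant-time comparison is my choice here.
function csrfCheck(req: HttpRequest): boolean {
  if (SAFE_METHODS.includes(req.method)) return true;
  const expected = req.cookies["XSRF-TOKEN"];
  const actual = req.headers["X-XSRF-TOKEN"];
  if (!expected || !actual || expected.length !== actual.length) return false;
  return timingSafeEqual(Buffer.from(expected), Buffer.from(actual));
}

// Constructed scenario: one logged-in browser (session cookie + XSRF-TOKEN cookie)
// sends a POST from the app, and the same POST is triggered by a cross-site page.
function scenario(): { appAccepted: boolean; forgedAccepted: boolean } {
  const cookies = { JSESSIONID: "constructed-session-id", "XSRF-TOKEN": issueCsrfToken() };
  const appAccepted = csrfCheck(buildRequest("POST", cookies, true));
  const forgedAccepted = csrfCheck(buildRequest("POST", cookies, false));
  return { appAccepted, forgedAccepted };
}

console.log(scenario()); // { appAccepted: true, forgedAccepted: false }
```

The check only holds while the cookie stays unreadable to other origins, which is why the XSS protections from the Angular section matter for this configuration too.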
5 . 8
![Page 27: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/27.jpg)
WHO AM I?
A2: BROKEN AUTHENTICATION AND SESSION MANAGEMENT
A10: UNDERPROTECTED APIS
5 . 9
![Page 28: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/28.jpg)
AUTHENTICATION (STATEFUL OR STATELESS?)

| Session Cookie | Token (Bearer, JWT) |
|---|---|
| Sent with each request | Sent manually as a header |
| Potential CSRF! | No CSRF possible |
| Persisted when unloading the DOM | No automatic persistence |
| One domain | Cross domain (CORS) |
| Sensitive information (HTTPS) | Sensitive information (HTTPS) |
5 . 10
![Page 29: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/29.jpg)
OAUTH 2
5 . 11
![Page 30: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/30.jpg)
OPENID CONNECT
5 . 12
![Page 31: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/31.jpg)
OAUTH 2 / OPENID CONNECT RESOURCE

```java
@EnableResourceServer
@Configuration
public class OAuth2Configuration {

    @Bean
    public JwtAccessTokenConverterConfigurer jwtAccessTokenConverterConfigurer() {
        return new MyJwtConfigurer(/* ... */);
    }

    static class MyJwtConfigurer implements JwtAccessTokenConverterConfigurer {
        @Override
        public void configure(JwtAccessTokenConverter converter) { /* ... */ }
    }
}
```
OAuth 2.0 Threat Model and Security Considerations
5 . 13
![Page 32: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/32.jpg)
IMPLICIT GRANT
Implicit Client Implementer’s Guide
OAuth 2.0 Threat Model and Security Considerations
5 . 14
![Page 33: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/33.jpg)
CLIENT CREDENTIALS GRANT
5 . 15
![Page 34: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/34.jpg)
RESOURCE OWNER GRANT
DO NOT USE!
5 . 16
![Page 35: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/35.jpg)
WHAT CAN I ACCESS?
A4: BROKEN ACCESS CONTROL
A10: UNDERPROTECTED APIS
5 . 17
![Page 36: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/36.jpg)
AUTHORIZATION OF REST API
ROLE BASED

```java
public class UserBoundaryService {

    // Only callers holding ROLE_ADMIN reach the method body
    @PreAuthorize("hasRole('ADMIN')")
    public List<User> findAllUsers() { /* ... */ }
}
```
5 . 18
![Page 37: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/37.jpg)
AUTHORIZATION OF REST API
PERMISSION BASED

```java
public class TaskBoundaryService {

    // Object-level check: the caller needs WRITE permission on this specific TASK
    @PreAuthorize("hasPermission(#taskId, 'TASK', 'WRITE')")
    public Task findTask(UUID taskId) { /* ... */ }
}
```
5 . 19
![Page 38: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/38.jpg)
AUTHORIZATION OF REST API
INTEGRATION TEST

```java
public class AuthorizationIntegrationTest {

    // Positive case: an ADMIN may list all users
    @WithMockUser(roles = "ADMIN")
    @Test
    public void verifyFindAllUsersAuthorized() { /* ... */ }

    // Negative case: a plain USER is rejected before the method body runs
    @WithMockUser(roles = "USER")
    @Test(expected = AccessDeniedException.class)
    public void verifyFindAllUsersUnauthorized() { /* ... */ }
}
```
5 . 20
![Page 39: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/39.jpg)
DEMO
5 . 21
![Page 40: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/40.jpg)
WHAT ABOUT THE CLOUD?
6 . 1
![Page 41: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/41.jpg)
GOOD OLD FRIENDS ... AND MORE ...
CSRF, XSS, SQL Injection, Session Fixation, Vulnerable Dependencies, Weak Passwords, Broken Authorization, Sensitive Data Exposure
Distributed DoS
Economic DoS
6 . 2
![Page 42: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/42.jpg)
WEAK PASSWORDS
6 . 3
![Page 43: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/43.jpg)
SO WHAT HAS CHANGED IN THE CLOUD?
6 . 4
![Page 44: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/44.jpg)
6 . 5
![Page 45: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/45.jpg)
ROTATE, REPAIR, REPAVE
Justin Smith
“What if every server inside my datacenter had a maximum lifetime of two hours? This approach would frustrate malware writers...”
6 . 6
![Page 46: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/46.jpg)
WHAT ABOUT APPLICATION CONFIGURATION AND SENSITIVE DATA IN THE CLOUD?
6 . 7
![Page 47: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/47.jpg)
MANAGE DISTRIBUTED CONFIGURATION AND SECRETS WITH SPRING CLOUD AND VAULT
Friday 19th May, 2017 6:00pm to 6:50pm
6 . 8
![Page 48: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/48.jpg)
ONE MORE THING...
7 . 1
![Page 49: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/49.jpg)
A7: INSUFFICIENT ATTACK PROTECTION
7 . 2
![Page 50: JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot](https://reader033.vdocuments.pub/reader033/viewer/2022051710/5a65ed587f8b9aaf638b602f/html5/thumbnails/50.jpg)
7 . 3