Tomcat Webapp Security Jason Brittain Software Architect Mulesoft

Tomcat Webapp Security Jason Brittain Software Architect, Mulesoft Co-author, Tomcat: The Definitive Guide

HTTP Request Model Vulnerabilities Request Parameters - XSS - CSRF - HTML Injection - SQL Injection Request Headers Request URI Container-Level vs. Webapp-Level Filtering

How to Write Secure Webapps Use only HTTPS and disable small key length ciphers Distrust and sanitize all input from the client Filter for CSRF (Enable the Csrf. Prevention. Filter) Filter for XSS (Enable the Bad. Input. Filter) http: //www. sf. net/projects/catnip Generally secure Tomcat Enable the Tomcat security manager and customize catalina. policy

Scanning Tools and Remediation Tools Process

Scanning Tools and Remediation (cont) Commercial scanning tools: - IBM Rational App. Scan - HP Web. Inspect - Acunetix Web Vulnerability Scanner Open Source: - Ratproxy

Scanning Tools and Remediation (cont) Process for removing vulnerabilities: 1. Scan 2. Investigate Reported Vulnerabilities 3. Fix vulnerability 4. Goto 1.

HTTP Caching and Security Browser Cache Proxy Cache // Standard HTTP 1. 1 cache disabling header. http. Response. set. Header("Cache-Control", "no-cache, must-revalidate"); // Set IE extended HTTP 1. 1 no-cache headers. http. Response. add. Header("Cache-Control", "post-check=0, pre-check=0"); // Tell proxy caches not to cache this resource. http. Response. add. Header("Cache-Control", "proxy-revalidate"); // Standard HTTP 1. 0 cache disabling header. http. Response. set. Header("Pragma", "no-cache"); // Standard HTTP 1. 0 cache disabling header. Prevents caching at the proxy server. http. Response. set. Date. Header("Expires", 0);

Use HTTPS Configure Your Webapp to Require HTTPS Disable Insecure Key Lengths / Ciphers Use v 6. 0. 24 and Higher session. Cache. Size and session. Timeout

Configuring for HTTPS-only Configure your HTTPS connector: <Connector port="8443" protocol="HTTP/1. 1" SSLEnabled="true" max. Threads="450" scheme="https" secure="true" client. Auth="false" ssl. Protocol="TLS” keystore. File="conf/keystore" keystore. Pass="shhhh" proxy. Host="10. 1. 1. 1" proxy. Port="443" URIEncoding="UTF-8" max. Http. Header. Size="32768"/>

Configuring for HTTPS-only (cont. ) Configure your HTTP connector to redirect to HTTPS: <Connector port="8080" protocol="HTTP/1. 1" connection. Timeout="20000" redirect. Port="443" proxy. Host="10. 1. 1. 1" proxy. Port="80" URIEncoding="UTF-8" max. Http. Header. Size="32768"/>

Configuring for HTTPS-only (cont. ) In your webapp's WEB-INF/web. xml: <security-constraint> <web-resource-collection> <web-resource-name>Secure. Connection</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <web-resource-collection> <web-resource-name>Non. Secure. Connection. Ok</web-resource-name> <url-pattern>*. ico</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint>

Configuring HTTPS Disable “weak” encryption: <Connector ciphers=”SSL_RSA_WITH_RC 4_128_MD 5, SSL_RSA_WITH_ RC 4_128_SHA, . . . ”> See http: //java. sun. com/javase/6/docs/technotes/guides/security/Sun Providers. html#Supported. Cipher. Suites

Connector Hardening <Server port="-1" shutdown="SHUTDOWN"> Max Post Size Max Http Header Size Max Threads

Java Security Manager Prevents your webapp from: Reading/writing arbitrary files Making network connections Instantiating/using arbitrary Java packages & classes Etc. To effectively use it you must: - Write custom permissions rules - Debug permissions issues - Test exhaustively. . it's not for everyone!

Webapp File Permissions - Tomcat needs these readable, but not writable - Don't write files in your webapp tree

Tomcat File Permissions CIS: Apache Tomcat Security http: //www. cisecurity. org/benchmarks. html In general: - Start with the whole tree read only - conf/Catalina and conf/Catalina/localhost must be read/write - temp/ work/ and logs/ need to be read/write - webapps/ needs to be read/write, but not webapp dirs

Monitor for Announced Vulnerabilities Tomcat project security vulnerabilities page: http: //tomcat. apache. org/security. html Upgrade when there is a fix!

Additional Resources Mule. Soft Tcat Server http: //www. mulesoft. com/tcat-server-enterprise-tomcat-applicationserver TLS Renegotiation Extension and Vulnerability https: //svn. resiprocate. org/rep/ietf-drafts/ekr/draft-rescorla-tlsrenegotiate. txt Web App Scanners Miss Half of Vulnerabilities http: //news. slashdot. org/story/10/02/06/1933211/Web-App. Scanners-Miss-Half-of-Vulnerabilities? art_pos=5 Turning XSS Into Clickjacking http: //ha. ckers. org/blog/20100614/turning-xss-into-clickjacking

Q&A Thanks!