Archive for 'security'

Web security workshop @ confess 2012

Yesterday was the workshop day of CONFESS 2012. My workshop was called “How to exploit and fix typical web application vulnerabilities” and that was what we did. I provided two JSF web applications, some PHP scripts and some C files, which all were vulnerable. At the workshop, we tried to break them in as many different ways, as possible.

At the beginning we did a lot of SQL injection exploits, at first manually and later using sqlmap. Then we looked into XSS, XSRF and poor session management. And last but not least we took a look at buffer overflows, using metasploit as shellcode generator. Unfortunately, we did not have time to check out the jsf-security web application, which would have shown some vulnerabilities of (old versions of) JSF 2.

The workshop HOW-TO and all the source files used at the workshop are available at github: https://github.com/jakobk/confess-2012

Web security session @ confess 2012

Today I spoke at the conference for enterprise software solutions (CONFESS) in Leogang, Austria. My session was called “Introduction to web security” and it explained attacks like SQL injection, XSS, XSRF or buffer overflows. It was quite well-attended and I got lots of positive feedback, which I was really happy about.

As promised at the session, here are the slides as PDF: Web_Security_jakobk.pdf

I really enjoyed speaking at CONFESS, and now I am looking forward to my workshop (again about web security) on Wednesday.

Edit 2012-05-15: The slides are now also available on slideshare:

JSF value expression injection vulnerability

A few days ago this issue was reported to Mojarra: http://java.net/jira/browse/JAVASERVERFACES-2247.

It basically states that it is possible in JSF 2 to perform ValueExpression injection when includeViewParams is set to true on a navigation case.

To illustrate this in a better way, I created an example project at apache-extras, which shows the vulnerability: http://code.google.com/a/apache-extras.org/p/jsf-includeviewparams-security-hole-example/

Use the following steps to run the example:

1. svn checkout http://svn.codespot.com/a/apache-extras.org/jsf-includeviewparams-security-hole-example/trunk/
2. mvn clean jetty:run-exploded -PjettyConfig
3. go to http://localhost:8080/include-view-params-security and follow the instructions

This vulnerability exists, because JSF treats the value of a view parameter as a ValueExpression when performing a navigation case with includeViewParams=true. For further details, see the issues at Mojarra and MyFaces: http://java.net/jira/browse/JAVASERVERFACES-2247 and https://issues.apache.org/jira/browse/MYFACES-3405

Until this is fixed you should avoid using includeViewParams=true!

search

Search for:

blogroll

• Adam Bien
• Ali Ok
• Gerhard Petracek
• Hanspeter Dünnenberger
• Leonardo Uribe
• Mark Struberg
• Matthias Wessendorf
• Michael Kurz
• Werner Punz

archive

• Juli 2012
• Mai 2012
• März 2012
• November 2011
• Mai 2011
• April 2011
• Dezember 2010
• Oktober 2010
• September 2010
• August 2010
• Juni 2010
• April 2010

meta

• RSS
• Kommentare als RSS