CanSecWest: Security Masters Dojo Vancouver
Java/JEE security Dojo: Attack and Defense Strategies
Instructor:
Marc Schoenefeld
Register for this course.
Description
JEE is known as a framework to build java business applications. Vulnerabilities in these applications are on the one hand introduced by the software, and on the other and more likely created by the application developers. For a complete JEE security audit it is therefore more important to build up the skill to „feel“ the attack surface than just applying pre-build exploits that only expose framework bugs.
This class starts with describing the important parameters that define the attack surface, such as dangerous code patterns, configuration settings and reasonable secure defaults. Examples of real-life vulnerabilities are used introduce the participants to the experience that simple bugs are able to create holes, we cover both perspectives, the bug and the fix. The curriculum goes on with presenting and train the use of the tool set, necessary to spot vulnerable code parts. We presented techniques such as code skim reading, binary scanning, reverse engineering and interpreting the hidden security message of harmless looking heap, thread and stack dumps.
PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.
The trainer has been involved with the deeper details of java security for about seven years and showed the success of the presented method by finding a large range of CVE relevant vulnerabilities. This class does not require prior knowledge of the java bytecode set but a deeper understanding how JVMs work mixed with creativity is very helpful to transfer the presented techniques into personal success.
The examples and exercises shown in this class cover apache tomcat, apache geronimo, jboss and sun glassfish.
Topics
The topics presented are:
- The Java architecture, JVMs and bytecode
- The java security model
- Secure programming in a nutshell
- Java vulnerabilities, how they differ from C-type bugs
- The JEE architecture
- Open holes in JEE, how to spot them
- How to harden a JEE server
- Tools and toys to prepare and conduct JEE pentests
- Writing self-assessment clients
- Short excursion to web security, xss and xsrf, how to spot and prevent in JEE
- Examples, examples...
Prerequisites
- Working knowledge of distributed java concepts
- No specific OS knowledge required
- Be able to work easily with java developer tools (command line, eclipse/netbeans IDE)
- Understanding of Java (secure) programming and JEE concepts would be a bonus (boosts your mileage).
Prerequisite material
- Each student must bring his own laptop.
- A working network adapter (along with a IPv4 TCP/IP) stack is recommended.
