00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013,
00:13
A5 Security Misconfiguration: Mitigations, Countermeasures and Defenses.
00:20
So, our defenses overview. We're going to talk about
00:24
how to make a more secure configuration
00:28
in either our web server configuration settings or programmatic settings. I'm going to talk about each in detail.
00:36
Basically, for the web server configuration settings, these can be done at two different levels. You can have the disabling, for example, of directory indexing or directory browsing
00:50
at the actual web server configuration files themselves, along with actual secure settings in your web application configuration files. And these might be web.xml or, in the case of IBM WebSphere, what's known as the IBM web
01:08
extension XML file, ibm-web-ext.xml.
01:11
Now, programmatically, we can also do
01:15
some similar settings where we can ensure that we're using
01:21
parser settings that disallow entity injection,
01:27
and we're going to look at some sample code for these. But basically we don't want to have the parsers support DTDs.
01:36
We want to disallow external entities, we want to disallow external parameter entities,
01:42
we want to disallow XInclude-aware, and we also want to disallow expand entity references, so we'll look at these in detail in our code sample. So first, let's talk about the web server configurations. As I mentioned, these can be done at two different levels.
02:02
We can actually set these within our web server itself,
02:07
whether you're running IIS, Apache or some other web server.
02:12
There's usually a main configuration file where you can specify, at a complete server level,
02:21
the viewing of directories, and you definitely want to do this.
02:24
So for Apache, for example,
02:30
the name of the configuration file is httpd.conf, and there's a Directory tag where you would add Options with -Indexes. This is going to
02:45
turn off any viewing of the directories across the entire web server, to basically prevent the directory traversal attacks that we spoke of.
02:58
Now, at the next level, where there's more of a programmer influence, we have secure settings in the web application configuration file.
03:07
Normally, this is web.xml or ibm-web-ext.xml.
03:14
So for Apache Tomcat, what you would do is look for the init parameter that's entitled listings. Now, this is going to be web application wide.
03:25
If you want to specify it
03:28
only for a particular instance of a web app, then you would need to do that separately, in a separate configuration.
03:38
But basically you want to set this listings value to false so that the directories are not viewable.
03:45
So in IBM WebSphere the setting would be the enable directory browsing value, and you would just set that to false.
03:53
So these are just a couple of examples of how it could be done.
03:57
Now, programmatic settings.
03:59
There are actually two different vulnerability areas that need to be addressed, particularly when it comes to XML parsers.
04:10
So first we're going to look at the secure XML parser settings, and how we basically don't want to allow anything from the outside or anything locally to be accessing our web service.
04:27
That's the reason for a lot of these disallows.
04:30
The second area, and we saw this as well in some of the demos and you'll see it in the lab,
04:38
is where there's a lack of access control. We may need to actually also put authorization in place.
04:46
Now, this could be done a number of different ways. Probably the most common way is using role-based access control. And so whatever the action is, you basically ensure that a particular role
05:01
is authorized to perform that action.
05:05
Another way that it could be done, another implementation option, would be using the AccessController.doPrivileged method wrapped around it. And so let's take a look at some of that sample code.
05:17
So first we are looking at the secure parser sample code.
05:23
Now, the example provided here is in Java,
05:27
but the same thing could apply to other languages. If you
05:32
take a look at the textbook that accompanies this course,
05:38
um, you should be able to find your language available there. And so in our try block, as we build our parser through the DocumentBuilderFactory, in this particular example we need to make sure that we set validation to true,
05:57
that we do not allow DTDs, that we certainly don't allow external entities or parameter entities,
06:04
that we set the secure processing feature on,
06:11
and also that we include some other, uh,
06:16
some other settings for the prevention of XML schema attacks, which includes the XInclude-aware and expand entity references settings.
06:28
Now, if we move on to the access control
06:31
or authorization check area here, we have the parse method for an XML file using the DocumentBuilder.
06:42
However, we have the action actually wrapped around
06:46
an AccessController.doPrivileged method.
06:50
And so this basically is going to reach out to, in this case, the Java security policy, but could be done in .NET as well,
07:01
and validates that particular entity is allowed
07:09
to actually perform this action.
07:12
It could also be used, the policy could be used, to
07:16
ensure that the entity is only accessing
07:20
the web service or the web XML file from a particular directory.
07:26
And so there's a lot of granularity that can be added
07:30
to those policy files,
07:32
and can basically be enforced using the AccessController class.
07:39
So there are other web application secure settings that can be done.
07:45
You can disable any debug information, particularly as you go into the production environment. You can see the example done here for a .NET application in C#.
07:58
Make sure you don't have excessive timeout settings.
08:01
Have the HttpOnly flag set on your cookies.
08:07
The session cookie should be sent over TLS.
08:11
If you're using MQ Series, make sure that the anonymous transport client is disabled.
08:18
Have a message credential and message security enabled for MQ,
08:24
and have service authorizations specified. Of course, this goes back to the access controls that we've already talked about.
08:31
And finally, make sure that you've got certificate revocation checking enabled. This is just a sampling of some of the many
08:41
secure settings that might be available for your web application, so please consult your documentation.
08:50
So now we'll move on to the lab portion of our module.