[Lift] Re: Security Explained

2009-10-23 Thread aw

Thank you for this, and so quickly!  I was able to leverage this for
what I needed.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Lift group.
To post to this group, send email to liftweb@googlegroups.com
To unsubscribe from this group, send email to 
liftweb+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/liftweb?hl=en
-~--~~~~--~~--~--~---



[Lift] Re: Security Explained

2009-10-22 Thread David Pollak
On Thu, Oct 22, 2009 at 10:49 AM, aw anth...@whitford.com wrote:


 My company is looking for an explanation of how Lift is secure.

 I recall reading a comment saying that Lift deals well with most of
 the Top 10 OWASP vulnerabilities (http://www.owasp.org/index.php/
 Top_10_2007 http://www.owasp.org/index.php/%0ATop_10_2007), but how?
  Most, not all?  Are there strategies that are
 recommended to deal with the weaknesses?


Quickly:

   1. Lift is resistant to XSS attacks.  By default pages are composed in
   XML rather than Strings.  It takes the developer extra work to insert XSS
   strings into output rather than having to make sure each String is properly
   escaped before being cat'ed to the output.
   2. Lift is resistant to SQL Injection attacks because mapper and JPA do
   not compose Strings into SQL statements, but rather bind well typed
   parameters into prepared statements.  So, if you go the normal path, you get
   SQL injection resistance.  If you want to manually craft a String to send as
   a query, in mapper you have to sign the string with the time, date and a
   certification that you've reviewed the String for SQL Injection problems.
   3. Lift never shells out.  You can't cause a file to be executed from a
   Lift app unless your app manually uses Java's Runtime.execute() call.
   4. By default, Lift creates opaque GUIDs to refer to components on the
   server side (whether that's a function to execute when a form field is
   submitted, what to do on an Ajax call, etc.)  By default, it's easier to use
   this callback mechanism than advertise a primary key or other sensitive
   piece of information.  Lift also has the KeyObfuscator which will create a
   session-specific mapping of primary keys to opaque ids.  Using
   KeyObfuscator, you can send JSON objects to the client with stable primary
   keys that are obfuscated and not usable outside the current session.
   5. By default Lift's form fields contain GUIDs that are cryptographically
   impossible to predict.  It's not possible to do CSRF because one does not
   know the name of form fields (they are not stable)
   6. Lift has different production vs. development mode error messages.
   There's little information that leaks about underlying configurations, even
   exceptions, in production mode.
   7. Lift uses the container's session management (usually JSESSIONID) for
   session management.  As far as I know, Jetty, Tomcat, Glassfish are secure
   in terms of the way they deal with sessions.  Of course, anything that's not
   over SSL is vulnerable to a cookie stealing attack.
   8. Crypto key storage is a container-level issue.  See #7
   9. See #7
   10. Lift's sitemap is the best and most secure integration of UI and
   page-level access.  You can look at the sitemap to determine the access
   control rules for a given page (it's declarative) and it's enforced long
   before your page gets accessed.

Hope this helps.



 I am very interested in a Wiki post that explains how Lift addresses
 the top 10 vulnerabilities.  (No pressure, but I needed this
 yesterday.)  Please point me to any existing resource/documentation
 that explains this.

 Very often, I see points that mention how secure Lift is, and I
 certainly appreciate the fact that Lift promotes security as a core
 initiative.  I can also see how secure it is compared to other
 strategies (yeah, you heard me ColdFusion!).  Keep up the good work.


 Does anybody have experience submitting Lift Apps to third party
 security assessment or vulnerability analysis?  Any tips from that
 experience?

 



-- 
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Surf the harmonics

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Lift group.
To post to this group, send email to liftweb@googlegroups.com
To unsubscribe from this group, send email to 
liftweb+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/liftweb?hl=en
-~--~~~~--~~--~--~---



[Lift] Re: Security Explained

2009-10-22 Thread Randinn

I've been pondering this for some time, could an actor be used as a
cookie, if so would that render the stealing attack mote?

    7. Lift uses the container's session management (usually JSESSIONID) for
    session management.  As far as I know, Jetty, Tomcat, Glassfish are secure
    in terms of the way they deal with sessions.  Of course, anything that's 
 not
    over SSL is vulnerable to a cookie stealing attack.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Lift group.
To post to this group, send email to liftweb@googlegroups.com
To unsubscribe from this group, send email to 
liftweb+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/liftweb?hl=en
-~--~~~~--~~--~--~---



[Lift] Re: Security Explained

2009-10-22 Thread David Pollak
On Thu, Oct 22, 2009 at 4:54 PM, Randinn rand...@gmail.com wrote:


 I've been pondering this for some time, could an actor be used as a
 cookie,


No


 if so would that render the stealing attack mote?

 7. Lift uses the container's session management (usually JSESSIONID)
 for
 session management.  As far as I know, Jetty, Tomcat, Glassfish are
 secure
 in terms of the way they deal with sessions.  Of course, anything
 that's not
 over SSL is vulnerable to a cookie stealing attack.

 



-- 
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Surf the harmonics

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Lift group.
To post to this group, send email to liftweb@googlegroups.com
To unsubscribe from this group, send email to 
liftweb+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/liftweb?hl=en
-~--~~~~--~~--~--~---