 

playframework owasp top 10

I'm thinking about using Play for a large-scale project, so, has anyone battle-tested Play framework for OWASP Top 10? Are there any security problems you know of in Play framework?

sirmak asked Jun 17 '11 07:06



2 Answers

On the OWASP Top 10 and Play (some info here):

  • A1: Injection

    Uses JPA and escapes strings by default

  • A2: Cross-Site Scripting (XSS)

    Since version 1.0.1, Play’s template engine automatically escapes strings

  • A3: Broken Authentication and Session Management

    Play is stateless, no session involved. Cookies are protected with cryptography. Storing data safely on the database (passwords) via hashing depends on the user, not the framework

  • A4: Insecure Direct Object References

    Again, this depends on the developer verifying access to allowed resources, not so much on the framework

  • A5: Cross-Site Request Forgery (CSRF)

    POST requests allow for authenticity tokens to prevent this. Of course this depends on the developer using GET/POST properly

  • A6: Security Misconfiguration

    The default error reporting process seems safe on production (no stack trace leaks). The only concern would be the "catch all" entry in routes, but this should be commented out in production mode

  • A7: Insecure Cryptographic Storage

    The developer is responsible for encrypting sensitive information in the database

  • A8: Failure to Restrict URL Access

    Developer must implement a security restriction (via @Before, like in the tutorial) to disallow access to forbidden pages.

  • A9: Insufficient Transport Layer Protection

    Play supports SSL

  • A10: Unvalidated Redirects and Forwards

    Play redirect is via 302, not hardcoded strings, which should prevent this.

TL;DR: In the parts that the framework can do all the work, Play does it. In the parts that developer needs to do all the work, well, developer needs to do all the work. Parts that need 50% of each, Play gives its 50%.

Let's put it this way: there is no reason why you should consider Play less safe than any other Java framework. In many cases you can consider it more safe. And with Play being an easy-to-develop, stateless, REST framework you get fewer chances to mess it up.

Pere Villega answered Sep 26 '22 10:09

About A3, you need to be careful. Play has two types of session variables. One is session(), which is digitally signed, and the other is flash(), which is not signed. Also, both of them are stored in cookies client side, which may raise privacy concerns if you decide to store sensitive data there.

Also, as for A7 (cryptography), note that Play offers a convenient Crypto library, but its encryption uses ECB mode, which again opens up a whole new group of potential issues.

kravietz answered Sep 23 '22 10:09
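Both caveats above, worked through in plain JDK code as an added example for this page (not Play's own Crypto class): first why ECB is a problem, then what the signed-versus-unsigned cookie distinction buys you. On the JDK, `Cipher.getInstance("AES")` resolves to `AES/ECB/PKCS5Padding`, which is the mode the answer is warning about; the block encrypts a record containing two identical 16-byte fields under ECB and under AES-GCM and counts repeated ciphertext blocks. The second half signs a cookie value with HMAC-SHA1 in the `hexsignature-value` shape and verifies it with a constant-time comparison. The 16-byte key, the record contents and the class name `PlayCryptoCaveats` are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Example for this page, not Play code. Constructed 128-bit key; in Play the key is
// derived from application.secret, and in production it is never a literal in source.
public class PlayCryptoCaveats {

    static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    // What Cipher.getInstance("AES") gives you on the JDK: ECB with PKCS#5 padding.
    // Each 16-byte plaintext block is encrypted independently under the same key,
    // so equal plaintext blocks always produce equal ciphertext blocks.
    static byte[] encryptEcb(byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // Authenticated alternative: AES-GCM with a fresh random 96-bit nonce per message.
    // Output layout is nonce || ciphertext || 128-bit tag.
    static byte[] encryptGcm(byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"),
                new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Number of 16-byte blocks in ct that are identical to an earlier block.
    static int repeatedBlocks(byte[] ct) {
        int repeats = 0;
        for (int i = 16; i + 16 <= ct.length; i += 16) {
            for (int j = 0; j < i; j += 16) {
                if (Arrays.equals(Arrays.copyOfRange(ct, i, i + 16),
                                  Arrays.copyOfRange(ct, j, j + 16))) {
                    repeats++;
                    break;
                }
            }
        }
        return repeats;
    }

    // Signed value in the shape of a signed session cookie: hex(HMAC-SHA1(value)) + "-" + value.
    // An unsigned flash-style cookie would be just "value", which any client can rewrite.
    static String sign(String value) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(KEY, "HmacSHA1"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(value.getBytes(StandardCharsets.UTF_8))) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString() + "-" + value;
    }

    // Returns the value if the signature is valid, null otherwise. The whole signed
    // string is recomputed and compared in constant time, so timing does not reveal
    // how many leading bytes of a forged tag were right.
    static String verify(String cookie) throws GeneralSecurityException {
        int dash = cookie.indexOf('-');
        if (dash < 0) return null;
        String value = cookie.substring(dash + 1);
        byte[] expected = sign(value).getBytes(StandardCharsets.UTF_8);
        byte[] actual = cookie.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual) ? value : null;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed record: three 16-byte fields, the second and third identical.
        byte[] record = ("user=alice;;;;;;" + "role=ADMIN;;;;;;" + "role=ADMIN;;;;;;")
                .getBytes(StandardCharsets.US_ASCII);
        System.out.println("ECB repeated blocks: " + repeatedBlocks(encryptEcb(record)));
        System.out.println("GCM repeated blocks: " + repeatedBlocks(encryptGcm(record)));

        String signed = sign("user=alice");
        System.out.println("intact:   " + verify(signed));
        System.out.println("tampered: " + verify(signed.replace("alice", "admin")));
    }
}
```

Compile and run with `javac PlayCryptoCaveats.java && java PlayCryptoCaveats`. Under ECB the two identical plaintext blocks come out as two identical ciphertext blocks, so anyone holding the ciphertext learns that the two fields are equal without the key; under GCM every block is masked by a different keystream position and the tag also detects modification, which ECB cannot do at all. The second half shows the difference the answer draws between session() and flash(): only the signed form can tell a client-edited value from a genuine one.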