
Difference between revisions of "Scala Frameworks"

From OWASP
(Sensitive information in Configuration Files)
(Configuration Keystore)
Line 36: Line 36:
 
===Configuration Keystore  ===
 
===Configuration Keystore  ===
 
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required.
 
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required.
The Playframework provides some examples of implementing this
+
The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this]
https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore unfortunately, there is no further information on how to create this information secure. The developer must also keep in mind that the default configuration is quite insecure
+
unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure.
  
 
'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you
 
'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you
  
Security issue: Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised
+
''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised
  
 
'''play.server.https.keyStore.password''' - The password, defaults to a blank password
 
'''play.server.https.keyStore.password''' - The password, defaults to a blank password
  
lank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' password, but make sure you use an environment variable for this purpose
+
''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file
  
 
'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm
 
'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm
  
Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
+
''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
  
 
==Vulnerable Framework Components==
 
==Vulnerable Framework Components==
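Review bot: the revised password line (the added text after '''play.server.https.keyStore.password''') introduces a grammatical slip, "do not create a 'clear-text' passwords"; suggest "do not create 'clear-text' passwords". The '''keyStore.path''' security note is carried over unchanged with "Keys must be secure guarded", which should read "securely guarded" and could state that relying on the generated keystore is the risk being described.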

Revision as of 06:12, 7 November 2017

Scala, just like Java, offers different security frameworks you can work with. Depending on the task, we offer here some general guidelines on their proper use. The following table lists the most popular ones and the security features they provide, in terms of modules and implementation.

Security Frameworks

Framework Authentication Authorization CSRF XSS SQLInjection
Play - - -
Deadbolt 2 - - -
Play-pac4j - - - -
Scala-oauth2-provider - - - -
SecureSocial - - - -
Silhouette - Play Framework Library - - - -
Lift
Akka (Akka-http) - - -
Spray - - -

Sensitive information in Configuration Files

Every Scala project will contain configuration files that can contain sensitive information such as:

  • Passwords in clear text
  • Path to Keystores
  • Passwords from Keystores

Programmers should avoid configuring clear-text passwords in application.conf files; for that purpose, encryption is necessary.

Configuration Keystore

At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of a keystore is required. The Play Framework provides some examples of implementing this (https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore); unfortunately, there is no further information on how to create this configuration securely. The developer must also keep in mind that the default configuration is quite insecure.

play.server.https.keyStore.path - The path to the keystore containing the private key and certificate; if not provided, Play generates a keystore for you.

Security issue: Keys must be securely guarded; relying on the 'generated' keystore can allow an attacker to obtain the key material if the code is compromised.

play.server.https.keyStore.password - The keystore password; defaults to a blank password.

Security issue: Blank passwords are a 'no-go', so it is essential to change this setting. Again, do not use 'clear-text' passwords; use an environment variable for this purpose, or encrypt the password properly if you place one in the configuration file.

play.server.https.keyStore.algorithm - The key store algorithm; defaults to the platform's default algorithm.

Security issue: Developers should check which 'defaults' are being used and make sure the algorithm in question is secure, as recommended by NIST guidelines.
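The three settings above can be checked at startup rather than trusted to defaults. The following is an added example, not code from this page or from the Play project: a Scala guard built on the Typesafe Config API that Play's application.conf uses, which rejects a missing keystore path, a blank or unresolved password, and an unreviewed default algorithm. The two config samples, the object name and the KEYSTORE_PASSWORD environment variable are constructed for illustration.

```scala
import com.typesafe.config.{Config, ConfigFactory}
import javax.net.ssl.KeyManagerFactory

object KeystoreConfigCheck {
  // Weak configuration (constructed sample): no explicit path, so Play would
  // generate a keystore at runtime, and the blank password Play defaults to.
  val weakConf: String =
    """
      |play.server.https.keyStore.password = ""
      |""".stripMargin

  // Hardened configuration (constructed sample): an explicit keystore path and
  // a password pulled from the environment via HOCON's ${?VAR} substitution,
  // so no secret is written into the file. KEYSTORE_PASSWORD is an assumed name.
  // The algorithm is set explicitly so the platform default is not used
  // silently; the chosen value still has to be reviewed by the developer.
  val hardenedConf: String =
    """
      |play.server.https.keyStore.path = "conf/server-keystore.p12"
      |play.server.https.keyStore.password = ${?KEYSTORE_PASSWORD}
      |play.server.https.keyStore.algorithm = "PKIX"
      |""".stripMargin

  /** Returns the findings for a resolved config; an empty list means it passes. */
  def findings(conf: Config): List[String] = {
    val base = "play.server.https.keyStore"
    val issues = List.newBuilder[String]

    if (!conf.hasPath(s"$base.path"))
      issues += "keyStore.path not set: Play would generate a keystore at runtime"

    // hasPath is false both when the key is absent and when ${?VAR} was unset,
    // so an unexported KEYSTORE_PASSWORD is caught here as well.
    val pw = if (conf.hasPath(s"$base.password")) conf.getString(s"$base.password") else ""
    if (pw.trim.isEmpty)
      issues += "keyStore.password is blank or unresolved"

    // No explicit algorithm means the JVM's default key-manager algorithm is
    // used; surface it so the developer can review it against current guidance.
    if (!conf.hasPath(s"$base.algorithm"))
      issues += s"keyStore.algorithm not set: platform default is ${KeyManagerFactory.getDefaultAlgorithm}"

    issues.result()
  }

  def main(args: Array[String]): Unit = {
    val weak = ConfigFactory.parseString(weakConf).resolve()
    val hardened = ConfigFactory.parseString(hardenedConf).resolve()
    println(s"weak: ${findings(weak)}")
    println(s"hardened: ${findings(hardened)}") // empty once KEYSTORE_PASSWORD is exported
  }
}
```

Wire a call to findings into application startup and fail the boot when the list is non-empty, so the blank-password default can never reach production unnoticed.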

Vulnerable Framework Components

It is essential that developers implement regular dependency checks of their components, since most Scala projects will make use of the above-mentioned frameworks.

Reference https://www.47deg.com/blog/security-frameworks-for-scala/