Programming Flaws and How to Fix Them



Similar documents
REVIEWS FOR 24 DEADLY SINS OF SOFTWARE SECURITY

IJMIE Volume 2, Issue 9 ISSN:

Web Application Security

Last update: February 23, 2004

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

What is Web Security? Motivation

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Top Ten Web Attacks. Saumil Shah Net-Square. BlackHat Asia 2002, Singapore

Chapter 1 Web Application (In)security 1

Management. Oracle Fusion Middleware. 11 g Architecture and. Oracle Press ORACLE. Stephen Lee Gangadhar Konduri. Mc Grauu Hill.

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Sample Report. Security Test Plan. Prepared by Security Innovation

90% of data breaches are caused by software vulnerabilities.

Thick Client Application Security

D. Best Practices D.1. Assurance The 5 th A

WebLogic Server 11g Administration Handbook

Lecture 11 Web Application Security (part 1)

(WAPT) Web Application Penetration Testing

Understanding the Pros and Cons of Combination Networks 7. Acknowledgments Introduction. Establishing the Numbers of Clients and Servers 4

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Web Application Security

Computer Security. Introduction to. Michael T. Goodrich Department of Computer Science University of California, Irvine. Roberto Tamassia PEARSON

SAST, DAST and Vulnerability Assessments, = 4

Designing and Coding Secure Systems

Web Application Report

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Security Goals Services

Web Application Guidelines

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Check list for web developers

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Payment Card Industry (PCI) Data Security Standard

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Course Modules for Software Security

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Application Code Development Standards

Web Application Security Considerations

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

What in the heck am I getting myself into! Capitalware's MQ Technical Conference v

Where every interaction matters.

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Web Application Vulnerability Testing with Nessus

2,000 Websites Later Which Web Programming Languages are Most Secure?

Lecture 2. Internet: who talks with whom?

MANAGED SECURITY TESTING

ASSOCIATE IN ARTS DEGREE-60 UNITS

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

ICAWEB424A Evaluate and select a web hosting service

Application Security Testing. Generic Test Strategy

Using Nessus In Web Application Vulnerability Assessments

MySQL Security: Best Practices

Quick Reference Guide: Shared Hosting

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Web Application Security Assessment and Vulnerability Mitigation Tests

What Every (Software) Engineer Needs To Know About Security. -- and -- Where To Learn It

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Network Test Labs (NTL) Software Testing Services for igaming

JAVA 2 Network Security

elearning for Secure Application Development

An Introduction to Application Security in J2EE Environments

CS5008: Internet Computing

Attack Vector Detail Report Atlassian

Contents. Assessing Social Media Security. Chapter! The Social Media Security Process 3

Introduction to Computer Security

WPAD TECHNOLOGY WEAKNESSES. Sergey Rublev Expert in information security, "Positive Technologies"

JVA-122. Secure Java Web Development

Introduction to Web Security

ICANWK414A Create a common gateway interface script

Chapter 7 Transport-Level Security

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

CONTENTS AT A GMi#p. Chapter I Ethical Hacking Basics I Chapter 2 Cryptography. Chapter 3 Reconnaissance: Information Gathering for the Ethical Hacker

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Web Security Testing Cookbook*

Criteria for web application security check. Version

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Secure Programming and Source-Code Reviews - In the UNIX Environment. Thomas Biege <thomas@suse.de>

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Web application security

IIS 6: The Complete Reference

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Columbia University Web Security Standards and Practices. Objective and Scope

Introduction. Two levels of security vulnerabilities:

Security First Umbrella

Web application testing

Systematization of Knowledge Lessons Learned From SSL/TLS Attacks

Transcription:

19 ö Programming Flaws and How to Fix Them MICHAEL HOWARD DAVID LEBLANC JOHN VIEGA McGraw-Hill /Osborne New York Chicago San Francisco Lisbon London Madrid Mexico City- Milan New Delhi San Juan Seoul Singapore Sydney Toronto

CONTENTS Foreword Acknowledgments Introduction xv xvii xix 1 Buffer Overruns 1 Overview of the Sin 2 Affected Languages 2 The Sin Explained 3 SinfulC/C++ 6 Related Sins 8 Spotting the Sin Pattern 9 Spotting the Sin During Code Review 9 Testing Techniques to Find the Sin 9 Example Sins 10 CVE-1999-0042 10 CVE-2000-0389-CVE-2000-0392 11 CVE-2002-0842, CVE-2003-0095, CAN-2003-0096 11 CAN-2003-0352 12 Redemption Steps 12 Replace Dangerous String Handling Functions 12 Audit Allocations 13 Check Loops and Array Accesses 13 Replace C String Buffers with C++ Strings 13 Replace Static Arrays with STL Containers 13 Use Analysis Tools 13 Extra Defensive Measures 14 Stack Protection 14 Non-executable Stack and Heap 14 Other Resources 15 Summary 16 2 Format String Problems 17 Overview of the Sin 18 Affected Languages 18 The Sin Explained 18 SinfulC/C++ 21 Related Sins 21 Spotting the Sin Pattern 21 Spotting the Sin During Code Review 22 V

19 Deadly Sins of Software Security Testing Techniques to Find the Sin 22 ExampleSins 22 CVE-2000-0573 23 CVE-2000-0844 23 Redemption Steps 23 C/C++Redemption 23 Extra Defensive Measures 24 Other Resources 24 Summary 24 3 Integer Overflows 25 Overview of the Sin 26 Affected Languages 26 The Sin Explained 26 Sinful C and C++ 26 Sinful C# 31 Sinful Visual Basic and Visual Basic.NET 33 Sinful Java 34 Sinful Perl 34 Spotting the Sin Pattern 35 Spotting the Sin During Code Review 36 C/C++ 36 C# 38 Java 38 Visual Basic and Visual Basic.NET 38 Perl 39 Testing Techniques to Find the Sin 39 Example Sins 39 Flaw in Windows Script Engine Could Allow Code Execution 39 Integer Overflow in the SOAPParameter Object Constructor 39 Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise 40 Redemption Steps 40 Extra Defensive Measures 42 Other Resources 42 Summary 43 4 SQLInjection 45 Overview of the Sin 46 Affected Languages 46 The Sin Explained 46 Sinful C# 47 Sinful PHP 48 Sinful Perl/CGI 48 Sinful Java and JDBC 49 Sinful SQL 50 Related Sins 51

Contents Spotting the Sin Pattern 52 Spotting the Sin During Code Review 52 Testing Techniques to Find the Sin 53 Example Sins 54 CAN-2004-0348 54 CAN-2002-0554 55 Redemption Steps 55 Validate All Input 55 Never Use String Concatenation to Build SQL Statements 55 PHP 5.0 and MySQL 4.1 or Later Redemption 56 Perl/CGI Redemption 57 Java Using JDBC Redemption 58 ColdFusion Redemption 59 SQL Redemption 59 Extra Defensive Measures 59 Other Resources 59 Summary 60 5 Command Injection 63 Overview of the Sin 64 Affected Languages 64 The Sin Explained 64 Related Sins 66 Spotting the Sin Pattern 66 Spotting the Sin During Code Review 66 Testing Techniques to Find the Sin 68 Example Sins 68 CAN-2001-1187 68 CAN-2002-0652 69 Redemption Steps 69 Data Validation 69 When a Check Fails 71 Extra Defensive Measures 72 Other Resources 72 Summary 72 6 Failing to Handle Errors 73 Overview of the Sin 74 Affected Languages 74 The Sin Explained 74 Yielding Too Much Information 74 Ignoring Errors 74 Misinterpreting Errors 75 Using Useless Error Values 75 Handling the Wrong Exceptions 75 Handling All Exceptions 76 SinfulC/C++ 76 Sinful C/C++on Windows 77 SinfulC++ 78

19 Deadly Sins of Software Security Sinful C#, VB.NET, and Java 78 Related Sins 79 Spotting the Sin Pattern 79 Spotting the Sin During Code Review 79 Testing Techniques to Find the Sin 80 Example Sin 80 CAN-2004-0077 Linux Kernel do_mremap 80 Redemption Steps 80 C/C++Redemption 80 C#, VB.NET, and Java Redemption 81 Other Resources 82 Summary 82 7 Cross-Site Scripting 83 Overview of the Sin 84 Affected Languages 84 The Sin Explained 84 Sinful C/ C++ IS API Application or Filter 85 Sinful ASP 85 Sinful ASP.NET Forms 86 Sinful JSP 86 Sinful PHP 86 Sinful CGI Using Perl 86 Sinful mod_perl 87 Spotting the Sin Pattern 87 Spotting the Sin During Code Review 87 Testing Techniques to Find the Sin 88 Example Sins 89 IBM Lotus Domino Cross-Site Scripting and HTML Injection Vulnerabilities 89 Oracle HTTP Server "isqlplus" Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks 90 CVE-2002-0840 90 Redemption Steps 90 ISAPIC/C++Redemption 90 ASP Redemption 91 ASP.NET Forms Redemption 91 JSP Redemption 92 PHP Redemption 94 CGI Redemption 95 mod_perl Redemption 95 A Note on HTML Encode 96 Extra Defensive Measures 96 Other Resources 97 Summary 98 8 Failing to Protect Network Traffic 99 Overview of the Sin 100 Affected Languages 100 The Sin Explained 100

Contents Related Sins 102 Spotting the Sin Pattern 103 Spotting the Sin During Code Review 103 Testing Techniques to Find the Sin 106 Example Sins 106 TCP/IP 107 E-mail Protocols 107 ETrade 107 Redemption Steps 108 Low-Level Recommendations 108 Extra Defensive Measures 111 Other Resources 111 Summary 111 9 Use of Magic URLs and Hidden Form Fields 113 Overview of the Sin 114 Affected Languages 114 The Sin Explained 114 Magic URLs 114 Hidden Form Fields 115 Related Sins 115 Spotting the Sin Pattern 115 Spotting the Sin During Code Review 116 Testing Techniques to Find the Sin 117 Example Sins 118 CAN-2000-1001 118 MaxWebPortal Hidden Form Field Modification 118 Redemption Steps 118 Attacker Views the Data 119 Attacker Replays the Data 119 Attacker Predicts the Data 121 Attacker Changes the Data 122 Extra Defensive Measures 123 Other Resources 123 Summary 123 10 Improper Use of SSL and TLS 125 Overview of the Sin 126 Affected Languages 126 The Sin Explained 126 Related Sins 129 Spotting the Sin Pattern 130 Spotting the Sin During Code Review 130 Testing Techniques to Find the Sin 132 Example Sins 132 E-mail Clients 132 Safari Web Browser 133 The Stunnel SSL Proxy 133 Redemption Steps 134 Choosing a Protocol Version 134

19 Deadly Sins of Software Security Choosing a Cipher Suite 135 Ensuring Certificate Validity 136 Validating the Hostname 137 Checking Certificate Revocation 138 Extra Defensive Measures 140 Other Resources 140 Summary 140 11 Use of Weak Password-Based Systems 143 Overview of the Sin 144 Affected Languages 144 The Sin Explained 144 Related Sins 146 Spotting the Sin Pattern 146 Spotting the Sin During Code Review 146 Password Content Policy 147 Password Changes and Resets 147 Password Protocols 148 Password Handling and Storage 148 Testing Techniques to Find the Sin 149 Example Sins 149 CVE-2005-1505 150 CVE-2005-0432 150 TheTENEXBug 150 The Paris Hilton Hijacking 151 Redemption Steps 151 Multifactor Authentication 152 Storing and Checking Passwords 152 Guidelines for Choosing Protocols 156 Guidelines for Password Resets 156 Guidelines for Password Choice 157 Other Guidelines 158 Extra Defensive Measures 158 Other Resources 159 Summary 159 12 Failing to Store and Protect Data Securely 161 Overview of the Sin 162 Affected Languages 162 The Sin Explained 162 Weak Access Controls to "Protect" Secret Data 162 Sinful Access Controls 164 Embedding Secret Data in Code 166 Related Sins 166 Spotting the Sin Pattern 166 Spotting the Sin During Code Review 167 Testing Techniques to Find the Sin 168 Example Sins 170 CVE-2000-0100 171 CAN-2002-1590 171

Contents CVE-1999-0886 171 CAN-2004-0311 171 CAN-2004-0391 171 Redemption Steps 172 Use the Operating System's Security Technologies 172 C/C++ Windows 2000 and Later Redemption 173 ASP.NET 1.1 and Later Redemption 175 C#.NET Framework 2.0 Redemption 175 C/C++Mac OS Xvl0.2 and Later Redemption 175 Redemption with No Operating System Help (or Keeping Secrets Out of Harm's Way) 176 A Note on Java and the Java KeyStore 178 Extra Defensive Measures 180 Other Resources 180 Summary 181 13 Information Leakage 183 Overview of the Sin 184 Affected Languages 184 The Sin Explained 184 Side Channels 185 TMI: Too Much Information! 186 A Model for Information Flow Security 188 Sinful C# (and Any Other Language) 190 Related Sins 190 Spotting the Sin Pattern 190 Spotting the Sin During Code Review 191 Testing Techniques to Find the Sin 192 The Stolen Laptop Scenario 192 Example Sins 192 Dan Bernstein's AES Timing Attack 192 CAN-2005-1411 193 CAN-2005-1133 193 Redemption Steps 194 C# (and Other Languages) Redemption 194 Network Locality Redemption 195 Extra Defensive Measures 195 Other Resources 195 Summary 196 14 Improper File Access 197 Overview of the Sin 198 Affected Languages 198 The Sin Explained 198 Sinful C/C++on Windows 199 Sinful C/C++ 199 Sinful Perl 200 Sinful Python 200 Related Sins 200

19 Deadly Sins of Software Security Spotting the Sin Pattern 201 Spotting the Sin During Code Review 201 Testing Techniques to Find the Sin 202 Example Sins 202 CAN-2005-0004 202 CAN-2005-0799 202 CAN-2004-0452 and CAN-2004-0448 203 CVE-2004-0115 Microsoft Virtual PC for the Macintosh 203 Redemption Steps 203 Perl Redemption 204 C/C++ Redemption on *nix 204 C/C++ Redemption on Windows 204 Getting the Location of the User's Temporary Directory 205.NET Code Redemption 205 Extra Defensive Measures 205 Other Resources 206 Summary 206 15 Trusting Network Name Resolution 207 Overview of the Sin 208 Affected Languages 208 The Sin Explained 208 Sinful Applications 210 Related Sins 211 Spotting the Sin Pattern 211 Spotting the Sin During Code Review 212 Testing Techniques to Find the Sin 212 Example Sins 212 CVE-2002-0676 213 CVE-1999-0024 213 Redemption Steps 213 Other Resources 214 Summary 215 16 Race Conditions 217 Overview of the Sin 218 Affected Languages 218 The Sin Explained 218 Sinful Code 220 Related Sins 220 Spotting the Sin Pattern 221 Spotting the Sin During Code Review 221 Testing Techniques to Find the Sin 222 Example Sins 222 CVE-2001-1349 222 CAN-2003-1073 223 CVE-2000-0849 223 Redemption Steps 223 Extra Defensive Measures 225

Contents Other Resources 225 Summary 226 17 Unauthenticated Key Exchange 227 Overview of the Sin 228 Affected Languages 228 The Sin Explained 228 Related Sins 229 Spotting the Sin Pattern 230 Spotting the Sin During Code Review 230 Testing Techniques to Find the Sin 231 Example Sins 231 Novell Netware MITM Attack 231 CAN-2004-0155 231 Redemption Steps 232 Extra Defensive Measures 232 Other Resources 233 Summary 233 18 Cryptographically Strong Random Numbers 235 Overview of the Sin 236 Affected Languages 236 The Sin Explained 236 Sinful NonCryptographic Generators 237 Sinful Cryptographic Generators 237 Sinful True Random Number Generators 238 Related Sins 239 Spotting the Sin Pattern 239 Spotting the Sin During Code Review 239 When Random Numbers Should Have Been Used 239 Finding Places that Use PRNGs 240 Determining Whether a CRNG Is Seeded Properly 241 Testing Techniques to Find the Sin 241 Example Sins 242 The Netscape Browser 242 OpenSSL Problems 242 Redemption Steps 243 Windows 243.NET Code 243 Unix 244 Java 245 Replaying Number Streams 245 Extra Defensive Measures 246 Other Resources 246 Summary 246 19 Poor Usability 247 Overview of the Sin 248 Affected Languages 248

19 Deadly Sins of Software Security The Sin Explained 248 Who Are Your Users? 249 The Minefield: Presenting Security Information to Your Users 249 Related Sins 250 Spotting the Sin Pattern 250 Spotting the Sin During Code Review 250 Testing Techniques to Find the Sin 251 Example Sins 251 SSL/TLS Certificate Authentication 251 Internet Explorer 4.0 Root Certificate Installation 252 Redemption Steps 253 When Users Are Involved, Make the UI Simple and Clear 253 Make Security Decisions for Users 253 Make Selective Relaxation of Security Policy Easy 255 Clearly Indicate Consequences 255 Make It Actionable 258 Provide Central Management 259 Other Resources 259 Summary 259 A Mapping the 19 Deadly Sins to the OWASP "Top Ten" 261 B Summary of Do's and Don'ts 263 Sin 1: Buffer Overruns Summary 264 Sin 2: Format String Problems Summary 264 Sin 3: Integer Overflows Summary 264 Sin 4: SQL Injection Summary 265 Sin 5: Command Injection Summary 266 Sin 6: Failing to Handle Errors Summary 266 Sin 7: Cross-Site Scripting Summary 266 Sin 8: Failing to Protect Network Traffic Summary 266 Sin 9: Use of Magic URLs and Hidden Form Fields Summary 267 Sin 10: Improper Use of SSL and TLS Summary 267 Sin 11: Use of Weak Password-Based Systems Summary 268 Sin 12: Failing to Store and Protect Data Securely Summary 269 Sin 13: Information Leakage Summary 270 Sin 14: Improper File Access Summary 270 Sin 15: Trusting Network Name Resolution Summary 270 Sin 16: Race Conditions Summary 271 Sin 17: Unauthenticated Key Exchange Summary 271 Sin 18: Cryptographically Strong Random Numbers Summary 271 Sin 19: Poor Usability Summary 271 Index 273

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information