Secure Software Programming and Vulnerability Analysis

Similar documents
Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Magento Security and Vulnerabilities. Roman Stepanov

CTF Web Security Training. Engin Kirda

Lecture 11 Web Application Security (part 1)

Web application security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Implementation of Web Application Firewall

CS 356 Lecture 23 and 24 Software Security. Spring 2013

What is Web Security? Motivation

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Barracuda Syslog Barracuda Web Site Firewall

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Criteria for web application security check. Version

LabVIEW Internet Toolkit User Guide

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Check list for web developers

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Common Security Vulnerabilities in Online Payment Systems

Gateway Apps - Security Summary SECURITY SUMMARY

Certified Secure Web Application Secure Development Checklist

Web Application Report

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Web Application Vulnerability Testing with Nessus

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Web Application Security

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

End User Guide The guide for /ftp account owner

Introduction to Computer Security

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Cross-Site Scripting

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Last update: February 23, 2004

Columbia University Web Security Standards and Practices. Objective and Scope

Ruby on Rails Secure Coding Recommendations

Where every interaction matters.

Homeland Security Red Teaming

Binonymizer A Two-Way Web-Browsing Anonymizer

Using Foundstone CookieDigger to Analyze Web Session Management

Application Security: Web service and

Figure 9-1: General Application Security Issues. Application Security: Electronic Commerce and . Chapter 9

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Application Security Testing. Generic Test Strategy

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Network Technologies

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

How To Fix A Web Application Security Vulnerability

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

CGI An Example. CGI Model (Pieces)

Stopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet?

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Thick Client Application Security

Web Application Security

Web Application Security Assessment and Vulnerability Mitigation Tests

CLC Server Command Line Tools USER MANUAL

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

OPENID AUTHENTICATION SECURITY

Cross Site Scripting Prevention

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Using CertAgent to Obtain Domain Controller and Smart Card Logon Certificates for Active Directory Authentication

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Java Web Application Security

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

Session Management in Web Applications

Hack Proof Your Webapps

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Application Security Policy

Columbia University Web Application Security Standards and Practices. Objective and Scope

Web Application Guidelines

Web Plus Security Features and Recommendations

Chapter 17. Transport-Level Security

CMP3002 Advanced Web Technology

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Cross-site site Scripting Attacks on Android WebView

7 Why Use Perl for CGI?

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

Cosign Multi-Factor Specification 20 March 2006 Draft 6 Wesley Craig & Johanna Craig cosign@umich.edu

Intrusion detection for web applications

CS390S, Week 9:Meta-Character Vulnerabilities

Web Application Firewall on SonicWALL SSL VPN

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Web Application Security

elearning for Secure Application Development

FF/EDM Intro Industry Goals/ Purpose Related GISB Standards (Common Codes, IETF) Definitions d 4 d 13 Principles p 6 p 13 p 14 Standards s 16 s 25

Workday Mobile Security FAQ

Webapps Vulnerability Report

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Web Application Security

How To Protect A Web Application From Attack From A Trusted Environment

Transcription:

Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Input Validation Secure Software Programming 2

Overview Systems receive data from variety of sources from software's users to remote systems on a network Often, these sources are untrusted potentially hostile Every piece of data needs to be checked data has to be as anticipated (conform to specification)! Input Validation Secure Software Programming 3 Input Validation Task determine legal input clean input data from illegal parts (filtering) Filtering use principle of fail-safe defaults reject anything that is not explicitly considered legal, don t specify filters for bad input bad input is only useful to test filter check for data content and data length (minimum and maximum length) Secure Software Programming 4

Input Validation Drop privileges while parsing input especially when using unsafe languages (e.g., C / C++) and complex parsers such as lex and yacc Use trustworthy channels especially for authentication and pre-validated input Deputy problem checking program and program that uses data make slightly different assumptions standards are helpful, but often specific extensions Secure Software Programming 5 Input Validation Common sources of untrusted input Input that a program operates on (local or remote) strings files web-based transactions (HTML, URLs, session management) Input that controls program behavior command line arguments environment variables configuration files locale settings signals Secure Software Programming 6

Strings Optimally, specified as regular expression Problem control and metacharacters Metacharacters characters that are not interpreted as data used as delimiters or command characters Examples command line shell SQL interpreter terminals WWW Security FAQ [Stein 1999] & ; ` ' \ " *? ~ < > ^ ( ) [ ] { } $ \n \r Secure Software Programming 7 Strings Metacharacters shell is used for several important library calls popen, system metacharacters need to be escaped Line ending encoding Platform Apple UNIX DOS / Windows OS/390 Line Encoding [CR] [LF] [CR][LF] [NEL] ASCII 0x0d 0x0a 0x0d 0x0a 0x85 HTTP specification ISS evasion attack Secure Software Programming 8

Character Encoding Strings are represented as characters Traditionally, 8-bit ASCII characters were used only 256 characters possible unsuitable for many languages except English ISO 10646 Universal Multiple-Octet Coded Character Set (UCS) unique 31 bit values for each character first 65536 characters termed16-bit BSM (basic multi-lingual plane) merged with Unicode forum efforts Problem with existing programs that expect a character to be a byte! UTF-8 encoding Secure Software Programming 9 Character Encoding UTF-8 encoding variable length encoding (character is 1 to 7 bytes long) classical US ASCII characters (0 to 0x7f) encode as themselves UCS characters beyond 0x7f are encoded as a multi-byte sequence consisting only of bytes in the range 0x80 to 0xfd especially, no null character permitted lexicographic sorting order of UCS-4 strings is preserved Problem good for search algorithms same value can be encoded in different ways standard now requires smallest possible form thus some sequences are not permitted opens problems for misinterpretation 00 could be encoded (illegally) as C0 80 Secure Software Programming 10

Files File names avoid globbing (i.e., expanding metacharacters such as *) avoid directory delimiter / and control characters.. problematic characters \0 end of filename - misinterpreted as program argument filename -la ls * gets expanded to ls -la <other files> control characters spaces separation of arguments Secure Software Programming 11 Files File descriptors invoking program chooses file descriptors used for redirection Problem standard file descriptors (stdin, stdout, stderr) can be closed next open operation opens smallest file descriptor for example, when open reopens stdout then all regular print statements are also sent to this file File contents must be protected properly (permission settings) Secure Software Programming 12

Command Line Arguments Obviously complete control of attacker execve system call Important program name can be tampered with argv[0] cannot be trusted Secure Software Programming 13 Environment Variables Inherited from calling process also complete control of attacker should be cleared (or at least sanitized) add safe default values PATH, IFS, TZ (time zone) Dangerous environment variables IFS (internal field separator) used to determine argument separator can be set to / system( /bin/bash ) calls bin program in local directory Secure Software Programming 14

Environment Variables Dangerous environment variables storage format array of pointers to strings strings have name=value format possible to have set up multiple entries of same name checked and used variable might be different User control over environment via configuration files (e.g., user login file,.ssh/environment) using protocol support (telnet environment option) should be avoided LD_PRELOAD attack against nologin program Secure Software Programming 15 Locale Settings Combination of language and cultural factors internationalization (support for multiple locales) localization (usage of a particular locale) Selection for local programs via environment variables for web applications via browser request line Support using the catgets or gettext interface catgets uses integer indexes into string tables gettext uses a mapping from English text to the locale heavily dependent on environment variable settings Secure Software Programming 16

Web Issues Web traffic is ubiquitous few popular web servers but many (custom made) web applications Many security concerns complex specifications URL encoding HTML stateless protocol session tracking needed URL rewriting hidden fields cookies Secure Software Programming 17 CGI Programs Common Gateway Interface programs run on trusted server receive input from remote clients via stdin and environment variables Often, script languages are used shell code Perl PHP Unchecked input is the biggest issue according to OWASP Top 10 list Secure Software Programming 18

CGI Programs Perl supports tainting mechanism unsafe input is tainted tainted input cannot be used in unsafe operations unless explicitly checked check works by using regular expressions run-time check PHP can be configured with unsafe global register behavior all query variables are immediately copied into global variables allows easy access to query variables in scripts can unexpectedly overwrite any variable that is not initialized Forbid HTTP GET for non-queries to transmit data, POST should be used GET transmits data via URL attacker can create malicious URLs that can be clicked or auto-loaded and perform undesired actions Secure Software Programming 19 URL Encoding Values in URLs can be URL-encoded must be decoded properly Hex encoding (RFC compliant) %XX, where XX is hexadecimal ASCII value of character A = %41 Double hex encoding (Microsoft IIS) %25XX, where XX is hexadecimal ASCII value of character (%25 = %) A = %25XX Double nibble hex encoding (Microsoft IIS) each hexadecimal nibble is separately encoded A = %25%34%31 Secure Software Programming 20

HTML Filtering Problem HTML input data that is sent to other users Cross-site malicious content attacker embeds malicious content in page that is displayed at victim s site can be used to steal cookies, launch denial of service attacks (spawn windows, tamper with fonts, ), or display bogus forms Solution Filter HTML tags make sure to remove < and > Encode HTML tags using &val; Secure Software Programming 21 HTML Filtering When HTML data must be accepted use validation of HTML data list of safe HTML tags nesting must be balanced check attributes (some may contain scripts) Validating links (URIs/URLs) URI = scheme://authority[path][?query][#fragment] authority = [username[:password]@]host[:portnumber] scheme should be restricted to http / https most other options should be immediately removed (user / passwd) Secure Software Programming 22

HTTP Sessions Sessions are needed for applications that require state all applications that require authentication Session ID can be encoded in URL (caching, stored in referrer logs of other sites) hidden fields (not all requests are POSTs) cookies (preferable, but cookies can be disabled) Cookie token that is stored on client machine set by server uses a single domain attribute cookies are only sent back to servers whose domain attribute match Secure Software Programming 23 HTTP Sessions Non-persistent cookies are only stored im memory during browser session good for sessions Secure cookies cookies that are only sent over encrypted (SSL) connections Only encrypting the cookie over insecure connection is useless attackers can simply replay a stolen, encrypted cookie Cookies that include the IP address makes cookie stealing harder breaks session if IP address of client changes during that session Secure Software Programming 24

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information