SE604: Software Testing and QA Secure SW Development for QA Lecture#3

Slides by Ahmed Ibrahim, http://www.acadox.com/class/48453

Agenda
1. Prevention Techniques
2. Practical Demo with Vulnerability Scanners
3. Assignment #4

Secure code review identifies and fixes potentially risky security vulnerabilities in the late stages of the development process. The reviewer must be aware of software vulnerabilities, and the developer must write secure code and avoid software vulnerabilities.

Common 10 Software Vulnerabilities
There are many software vulnerabilities; we will discuss the common 10 software vulnerabilities from the CWE* list:
1. SQL Injection
2. Cross-site Scripting
3. OS Command Injection
4. Classic Buffer Overflow
5. Integer Overflow
6. Unrestricted Upload of File with Dangerous Type
7. Reliance on Untrusted Inputs in a Security Decision
8. Use of Hard-coded Credentials
9. Missing Authentication for Critical Function
10. Missing Encryption of Sensitive Data
* CWE™ is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

Prevention Techniques

Prevention Techniques
Definition of prevention: the action of stopping something from happening or arising. Organizations apply prevention techniques to avoid software vulnerabilities, which saves time, cost and resources and ensures data integrity, availability and confidentiality.

Prevention Techniques: SQL Injection, Cross-site Scripting and OS Command Injection
Recall that SQLI, XSS and OS Command Injection attacks are types of code injection: user input is mistakenly interpreted as (malicious) program code. To prevent these types of code injection, secure input handling is needed. For a web developer, there are two fundamentally different ways of performing secure input handling: Encoding (Escaping) and Validation.

Prevention Techniques
Encoding (Escaping): escapes the user input so that we can interpret it only as data, not as code.
Validation: filters the user input so that we can interpret it as code without malicious commands.

Prevention Techniques
Encoding is the act of escaping user input so we can see it only as data, not as code. Examples:
SQLI: ' becomes ''
XSS: < becomes &lt;

Encoding Example: SQLI
    ...
    string userName = ctx.getAuthenticatedUserName();
    string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
    sda = new SqlDataAdapter(query, conn);
    DataTable dt = new DataTable();
    sda.Fill(dt);

Encoding Example: SQLI
The query that this code intends to execute follows:
    SELECT * FROM items WHERE owner = <userName> AND itemname = <itemName>;
However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string
    name' OR 'a'='a
for itemName, then the query becomes the following:
    SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name' OR 'a'='a';
which is equivalent to:
    SELECT * FROM items;

Encoding Example: SQLI
Use escape routines to handle special input characters:
    // Doubles every single quote so that it is parsed as a literal character, not a string delimiter.
    private string SafeSqlLiteral(string inputSQL)
    {
        return inputSQL.Replace("'", "''");
    }
    string userName = ctx.getAuthenticatedUserName();
    string query = "SELECT * FROM items WHERE owner = '" + SafeSqlLiteral(userName) + "' AND itemname = '" + SafeSqlLiteral(ItemName.Text) + "'";
    sda = new SqlDataAdapter(query, conn);
    DataTable dt = new DataTable();
    sda.Fill(dt);
    ...

Encoding Example: SQLI
If an attacker with the user name wiley enters the string
    name' OR 'a'='a
for itemName, the escaped value is
    name'' OR ''a''=''a
and the query becomes the following:
    SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name'' OR ''a''=''a';
=> Invalid query: the quotes are now part of the data, so the injection fails.

Encoding Example: SQLI
Is converting ' to '' enough? Study the next query:
    SELECT * FROM Products WHERE ProductID = <product_id>;
If an attacker enters the string
    5 ;Drop Table Admin
then the query becomes the following (the value is not quoted, so there is no quote to escape):
    SELECT * FROM Products WHERE ProductID = 5 ; Drop Table Admin
Happy holidays!
Solution? More encoding (;), validation and sanitization.
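The two SQLI slides above side by side, as an added example that is not part of the original slides: quote-doubling (the slides' SafeSqlLiteral) stops the quoted itemname injection but not the unquoted ProductID one, while a parameterized query stops both. The in-memory tables and their rows are constructed here for the demo; executescript stands in for a driver that executes multi-statement batches.

```python
import sqlite3

# Constructed in-memory stand-in for the slides' items / Products / Admin tables.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE items (owner TEXT, itemname TEXT);
    INSERT INTO items VALUES ('wiley', 'name'), ('wiley', 'other'), ('admin', 'secret');
    CREATE TABLE Products (ProductID INTEGER, name TEXT);
    INSERT INTO Products VALUES (5, 'widget'), (6, 'gadget');
    CREATE TABLE Admin (id INTEGER);
""")

def safe_sql_literal(s):
    # Same idea as the slides' SafeSqlLiteral: double every single quote.
    return s.replace("'", "''")

def admin_table_exists():
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Admin'").fetchone()
    return row is not None

def items_concat(user, item):
    # Vulnerable: plain concatenation, as in the first C# snippet on the slides.
    q = f"SELECT itemname FROM items WHERE owner = '{user}' AND itemname = '{item}'"
    return sorted(r[0] for r in conn.execute(q))

def items_escaped(user, item):
    # Escaping works here because both values sit inside single quotes.
    q = (f"SELECT itemname FROM items WHERE owner = '{safe_sql_literal(user)}'"
         f" AND itemname = '{safe_sql_literal(item)}'")
    return sorted(r[0] for r in conn.execute(q))

def product_escaped(product_id):
    # Unquoted numeric context: "5 ;DROP TABLE Admin" contains no quote, so escaping
    # leaves it untouched and the second statement runs.
    conn.executescript(
        f"SELECT name FROM Products WHERE ProductID = {safe_sql_literal(product_id)};")
    return admin_table_exists()   # False afterwards: the injected DROP executed

def product_param(product_id):
    # Parameterized query: the value is bound as data and never parsed as SQL.
    rows = conn.execute(
        "SELECT name FROM Products WHERE ProductID = ?", (product_id,)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print(items_concat("wiley", "name' OR 'a'='a"))    # every row leaks
    print(items_escaped("wiley", "name' OR 'a'='a"))   # [] : quotes are now data
    print(product_param("5 ;DROP TABLE Admin"))         # [] and Admin survives
    print(product_escaped("5 ;DROP TABLE Admin"))       # False: Admin is gone
```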

Encoding Example: XSS
The most recognizable type of encoding in web development is HTML escaping, which converts characters like < and > into &lt; and &gt;, respectively. The following pseudocode is an example of how user input could be encoded using HTML escaping and then inserted into a page by a server-side script:
    Print "<html>"
    Print "Latest comment: "
    Print encodeHtml( userInput )
    Print "</html>"

Encoding Example: XSS
If the user input were the string <script>...</script>, the resulting HTML would be as follows:
    <html>Latest comment: &lt;script&gt;...&lt;/script&gt;</html>
Because all characters with special meaning have been escaped, the browser will not parse any part of the user input as HTML or execute script.
Escaping functions in other languages mentioned on the slide:
    document.write(escape(userInput));   => JS
    escapeshellcmd($input)               => PHP
Note that JavaScript's escape() produces URL-style percent-encoding and PHP's escapeshellcmd() escapes shell metacharacters; neither is an HTML encoder, so each is only correct for its own output context.

Prevention Techniques
Validation is the act of filtering user input so that all malicious parts of it are removed, without necessarily removing all code in it. There are two main characteristics of validation:
Classification strategy: user input can be classified using either blacklisting or whitelisting.
Validation outcome: user input identified as malicious can either be rejected or sanitized.

Validation classification strategy
Blacklisting: instinctively, it seems reasonable to perform validation by defining a forbidden pattern that should not appear in user input. If a string matches this pattern, it is then marked as invalid.

Validation classification strategy
Whitelisting: whitelisting is essentially the opposite of blacklisting. Instead of defining a forbidden pattern, a whitelist approach defines an allowed pattern and marks input as invalid if it does not match this pattern.

Validation outcome
When input has been marked as invalid, one of two actions can be taken:
Rejection: the input is simply rejected, preventing it from being used elsewhere in the website.
Sanitization: all invalid parts of the input are removed, and the remaining input is used normally by the website.

Validation outcome
Of these two, rejection is the simplest approach to implement. That being said, sanitization can be more useful since it allows a broader range of input from the user. For example, if a user submits a credit card number, a sanitization routine that removes all non-digit characters prevents code injection while still allowing the user to enter the number either with or without hyphens.

Validation Example: SQLI
Study the next query:
    SELECT * FROM Products WHERE ProductID = <product_id>;
If an attacker enters the string
    5 ;Drop Table Admin
Blacklist: [( ' ), ( ; ), ( = ), ( LIKE ), ( % ), ( TABLE ), ( DROP ), ( . )]
Applying sanitization removes (;), (Drop) and (Table), and the query becomes the following:
    SELECT * FROM Products WHERE ProductID = 5 Admin
=> Invalid query, which prevents SQLI.

Validation Example: SQLI
Study the next query:
    SELECT * FROM Cards WHERE CardID = <card_id>;
If the user enters the string
    1234.5678.9101.1123
Blacklist: [( ' ), ( ; ), ( = ), ( LIKE ), ( % ), ( TABLE ), ( DROP ), ( . )]
Applying sanitization removes (.), and the query becomes the following:
    SELECT * FROM Cards WHERE CardID = 1234567891011123;
=> Valid query.
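The two classification strategies and two validation outcomes from the slides, run over the slides' own ProductID and CardID inputs, as an added example that is not part of the original slides. The blacklist is the one listed on the slides; the digits-only whitelist, the validator names and the "Dropbox Tablet" input are this example's own additions, the last one included to show the false positives a token blacklist produces on harmless text.

```python
import re

# Blacklist from the slides' "Validation Example: SQLI" (matched case-insensitively).
BLACKLIST = ["'", ";", "=", "LIKE", "%", "TABLE", "DROP", "."]
DIGITS_ONLY = re.compile(r"[0-9]+")

def blacklist_sanitize(user_input):
    # Sanitization outcome: strip every blacklisted token and use whatever remains.
    out = user_input
    for token in BLACKLIST:
        out = re.sub(re.escape(token), "", out, flags=re.IGNORECASE)
    return out

def blacklist_reject(user_input):
    # Rejection outcome: a single blacklisted token invalidates the whole input.
    return not any(re.search(re.escape(t), user_input, re.IGNORECASE) for t in BLACKLIST)

def whitelist_reject(user_input):
    # Whitelist for a numeric id: accept only an all-digit string, reject anything else.
    return DIGITS_ONLY.fullmatch(user_input) is not None

def whitelist_sanitize(user_input):
    # Whitelist-based sanitization for the card number: keep only the digits, so
    # 1234.5678.9101.1123 and 1234-5678-9101-1123 both become 1234567891011123.
    return re.sub(r"[^0-9]", "", user_input)

def product_query(user_input, validator):
    # Build the slides' query only when the chosen validator accepts the input;
    # None means the request was rejected before any SQL was assembled.
    if not validator(user_input):
        return None
    return f"SELECT * FROM Products WHERE ProductID = {user_input};"

if __name__ == "__main__":
    print(repr(blacklist_sanitize("5 ;Drop Table Admin")))   # '5   Admin' (slide result)
    print(blacklist_sanitize("1234.5678.9101.1123"))          # 1234567891011123
    print(repr(blacklist_sanitize("Dropbox Tablet")))         # 'box t': blacklist false positive
    print(product_query("5 ;Drop Table Admin", whitelist_reject))  # None: rejected
    print(product_query("5", whitelist_reject))
```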

Validation Example: XSS
One of the most recognizable types of validation in web development is allowing some HTML elements (such as <em> and <strong>) but disallowing others (such as <script> and onclick).
    String unsafe = "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
    String safe = clean(unsafe, Whitelist.basic());
    // now: <p><a href="http://example.com/">Link</a></p>
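A whitelist HTML sanitizer in the spirit of the jsoup call on the slide, as an added example that is not the slides' or jsoup's code: allowed tags and the href attribute are kept, <script> and its content and event-handler attributes such as onclick are dropped, and every text node goes through the HTML escaping from the "Encoding Example: XSS" slides. The tag, attribute and URL-scheme lists are this example's own choices, not jsoup's Whitelist.basic().

```python
from html import escape
from html.parser import HTMLParser

# Example whitelist (assumed, not jsoup's): formatting tags only, href on <a> only.
ALLOWED_TAGS = {"p", "a", "em", "strong", "b", "i", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip_depth += 1   # drop the element's content, not just the tag
            return                     # any other unknown tag is dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue               # onclick and every other attribute go here
            if name == "href" and not value.lower().startswith(ALLOWED_SCHEMES):
                continue               # only plain web/mail links survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # encodeHtml() from the slides

def clean(unsafe_html):
    # Returns the sanitized HTML; text is re-escaped, so the output is safe to print as-is.
    parser = WhitelistSanitizer()
    parser.feed(unsafe_html)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print(clean("<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>"))
    print(clean("Latest comment: <strong>Hi</strong><script>...</script>"))
```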

Validation Example: OS Command Injection
The following PHP code snippet is vulnerable to a command injection attack:
    <?php
    $file = $_GET['filename'];
    system("rm $file");
    ?>
Example request: http://127.0.0.1/delete.php?filename=bob.txt;rm -rf /
Sanitizing input: replace or ban ";". Other shell escapes are available, for example && and | ...
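A defensive counterpart to the PHP snippet above, as an added example that is not part of the original slides: the file name is whitelist-validated (so ";", "&&", "|" and path separators are rejected rather than individually banned) and the command is built as an argument vector that never passes through a shell. The SAFE_NAME pattern and the helper names are this example's own; shell_command_count only tokenizes a command line to show how many commands /bin/sh would see, it runs nothing.

```python
import re
import shlex
import subprocess

# Assumed whitelist for a file name: alphanumerics, dot, underscore, hyphen; no slashes.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")

def validate_filename(name):
    # Whitelist validation with rejection: anything outside the allowed pattern, or
    # a ".." component, is refused instead of being cleaned up.
    if SAFE_NAME.fullmatch(name) is None or ".." in name:
        raise ValueError(f"rejected filename: {name!r}")
    return name

def delete_argv(name):
    # One argv entry per argument and no shell, so the name can never start a
    # second command. "--" stops rm from reading a name as an option.
    return ["rm", "--", validate_filename(name)]

def delete_file(name):
    # The safe replacement for system("rm $file"): shell=False is the default.
    subprocess.run(delete_argv(name), check=True)

def shell_command_count(command_line):
    # How many commands would /bin/sh execute for this line? Counts the separators
    # the slide warns about (";", "&&", "||", "|") using shlex's punctuation mode.
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in (";", "&&", "||", "|"))

if __name__ == "__main__":
    print(shell_command_count("rm bob.txt"))             # 1
    print(shell_command_count("rm bob.txt;rm -rf /"))    # 2: the slide's request
    print(delete_argv("bob.txt"))                        # ['rm', '--', 'bob.txt']
    try:
        delete_argv("bob.txt;rm -rf /")
    except ValueError as err:
        print(err)                                       # rejected before any command runs
```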

Sanitization Examples
Google Search: "ahmed ' ibrahim . Mohamed" => ahmed Ibrahim Mohamed
Facebook:
    https://www.facebook.com/profile.php?id=100009773593971
    https://www.facebook.com/profile.php?id=100009.77'35*93971

Vulnerability Scanners: w3af
w3af is a Web Application Attack and Audit Framework. "The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities." The framework is developed in Python so that it is easy to use and extend.

Vulnerability Scanners Demo

References
https://www.mikesdotnetting.com/article/113/preventing-sql-injection-in-asp-net
https://msdn.microsoft.com/en-us/library/ff648339.aspx
https://excess-xss.com/
https://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
http://resources.infosecinstitute.com/14-popular-web-application-vulnerability-scanners/
http://w3af.org/