Published by Ἰούλιος Κωνσταντόπουλος. Modified over 5 years ago.
1
Professional Recommendations from CWE/SANS
Secure Software
Professional Recommendations from CWE/SANS
Describes many of the CWE/SANS Problems
2
References
Material is from:
2009 CWE/SANS Top 25 Most Dangerous Programming Errors, Version 1.4, Oct 29, 2009.
CISA® Certified Information Systems Auditor All-in-One Exam Guide, Peter H Gregory, McGraw-Hill.
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Contributors: Megan Reid, Todd Burri
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant : Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
3
Problem: Incorrect Input
Car Sale
  Model: Chevrolet XR2
  Price $:
  VIN: 12K4FG436DDE842
  Status: New
  Sale to: Rubber Ducky, 2222 Atlantic Ocean, Antarctica, NY, 00000
  Phone:
  VISA: RUAFOOL444
Bad checks get passed signed by 'Rubber Ducky', so it is not improbable that silly input such as this may be entered.
On some slides you will see 1, 2, or 3 mice indicating the severity of the problem. Here, the 3 mice at top right-hand side signify a currently popular problem.
4
Problem: Buffer overflow
Memory layout shown on the slide:
  Name Zzzzzzzzzz
  Count 49, 425,222
  State: 84
  Return address 0x246625
  Frame pointer
Enter Name: Zzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzz
Here, when the zzzzz was entered, the variables following the Name field were overlaid. This can happen at the assembly language level or at the high-level language level. The value entered into the 'name' field was too long for the program to process, so the excess overwrote the fields stored after it. A skilled cracker can use this flaw to gain control of a program or an OS.
5
Fix: Input Validation
Assume all input is malicious!
Validate:
  Length
  Type
  Syntax
  Context: Business Rules
Or use special input checkers: Struts or OWASP ESAPI Validation API
Whitelist: List of acceptable input
Blacklist: Reject suspect input
Validate First!!!
Validation should be fully checked on the server side; the code that gets executed on the client's browser can be viewed and altered by the client. (next two slides)
6
Problem: Insecure Interaction Between Components
[Diagram: real -> network -> Program B; fake -> Program B*]
Attack: Code is reverse engineered and modified to act differently.
Problem: Server assumes validation occurred in client
  Does not recheck
7
Fix: Server-Side Authentication
[Diagram: real -> network]
Perform authentication and input validation on both client and server sides
Use encryption & hash between client & server
  Hash = integrity check
Most invalid input will be the result of user error, not cracking attempts, and doing client-side validation can save processing time and bandwidth for your servers. However, the server still needs to double-check input.
8
Problem: SQL Injection
Java Original:
    "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
Inserted Password: Aa' OR ''='
Java Result:
    SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR '' = '';
Inserted Password: foo';DELETE FROM users_table WHERE username LIKE '%
Java Result:
    SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'
[Login form: Login, Password, "Welcome to My System"]
Attackers insert SQL commands where they don't belong to try to get information from (or about) the database, or to change it.
9
Fix: Input Sanitization
Avoid dynamically-constructed query strings
Disallow meta-characters
Persistence software:
  Oracle DBMS_ASSERT
  MySQL mysql_real_escape_string() for C, PHP
  Hibernate or Enterprise Java Beans, if used properly
Layers shown on the slide: GUI (validation), Business Logic, Persistence Layer, Database
Persistence software is a software package that helps in sanitizing input.
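The login query from the previous slide, run both ways against an in-memory SQLite database. This is an added example, not code from the original slides; the sample rows and function names are constructed, and SQLite stands in for whatever DBMS the application uses.

```python
import sqlite3

# The inserted password shown on the "Problem: SQL Injection" slide.
PAYLOAD = "Aa' OR ''='"


def make_db():
    """Build a throwaway users_table with constructed sample rows.

    Passwords are stored in plaintext only to mirror the slide's query.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users_table VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],
    )
    return db


def login_concatenated(db, username, password):
    """Vulnerable form from the slide: input becomes part of the SQL text."""
    query = (
        "SELECT * FROM users_table WHERE username='" + username +
        "' AND password = '" + password + "'"
    )
    return db.execute(query).fetchall()


def login_parameterized(db, username, password):
    """Fixed form: the SQL text is constant and values are bound separately."""
    query = "SELECT * FROM users_table WHERE username=? AND password = ?"
    return db.execute(query, (username, password)).fetchall()


def demo():
    """Return how many rows each variant matches for each input."""
    db = make_db()
    return {
        "concat_wrong_password": len(login_concatenated(db, "alice", "nope")),
        # AND binds tighter than OR, so the trailing ''='' matches every row.
        "concat_payload": len(login_concatenated(db, "anyname", PAYLOAD)),
        "param_payload": len(login_parameterized(db, "anyname", PAYLOAD)),
        "param_good_login": len(
            login_parameterized(db, "alice", "correct-horse")),
    }


if __name__ == "__main__":
    print(demo())
```

With bound parameters the payload is compared as a literal password string, so no meta-character filtering is needed for this query.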
10
Problem: OS Command Injection
Problem: Command Injection into SQL
Inserts '|shell("cmd /c echo " & char(124) & "format c:")|'
Data and control can traverse same path
[Login form: Login, Password, "Welcome to My System"]
With this problem, attackers use an SQL feature to exit SQL and to access the operating system command line.
11
Fix: Avoid OS Command Injection
Separate control information from data information.
  E.g. where data -> database, control defines application
Use library calls instead of external processes
Avoid external control of command input
Run code in "jail" or other sandbox environment (discussed in further detail on next slide)
Provide lowest possible permissions for executable
Data can be separated from control using two TCP ports, for example, or different message types.
  Data: "Terry, Brian, Jerry, Ann, Louis, …"
  Control: Start WPI session, parms -lmk
12
Web Form & Web Service Attacks
Attack Name: Attack Description
Directory Traversal: A URL is coded to access unexpected files or commands on the web server, such as … Characters may be encoded to hide contents: %2e%2e%2f.
WSDL Enumeration: Discovery of web services via UDDI or a search for WSDL files for attack purposes.
Replay: Transmitted packets may be copied and resent. Packets may also be modified before transmission.
URL Jumping: Avoids authentication by referencing web accesses out-of-order.
XPath Injection: Modifies XML format or contents to create unintended data. Similar to SQL Injection except that XML is attacked.
XML Overflow: DOS attack constructs invalid or repeated XML structures, in an attempt to confuse the server or overflow memory.
13
Define Jail & Sandbox
Jail: OS imposes resource limits on programs. It may include:
  I/O bandwidth caps
  disk quotas
  network access restrictions
  restricted file system namespace
Sandbox: Quarantines an untrusted program as it runs
  Can execute untested/untrusted programs from untrusted third parties, suppliers, and users.
14
Problem: Reliance on Untrusted Inputs
User-side data can be modified:
  Cookies
  Configuration files
  Profiles
  Hidden form fields
  Environmental variables
  Registry keys
[Diagram: web request, web form, form returned with fake data]
15
Fix: Control Critical State Data
Understand all locations that are accessible to attackers
Do not keep state info on client without using encryption and integrity checking (e.g. HMAC)
Store state info on server side only: ASP.NET View State, OWASP ESAPI Session Mgmt
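A sketch of the integrity-checking half of this advice: state handed to the client (for example in a hidden form field) carries an HMAC tag and an expiry, and the server rejects anything altered or stale. This is an added example, not part of the original slides; the key, the field contents and the function names are constructed, and the state is signed but not encrypted, so it must not contain secrets.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder key for the demo; a real server loads it from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def seal_state(state, ttl_seconds, now=None, key=SERVER_KEY):
    """Serialize state with an expiry and append an HMAC-SHA256 tag."""
    now = int(time.time() if now is None else now)
    body = json.dumps({"state": state, "exp": now + ttl_seconds},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def open_state(token, now=None, key=SERVER_KEY):
    """Return the state if the tag verifies and it has not expired."""
    now = int(time.time() if now is None else now)
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or invalid base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    payload = json.loads(body)  # parsed only after the tag has verified
    if payload["exp"] < now:
        return None
    return payload["state"]


def demo():
    """Check an untouched, a forged, an expired and a malformed token."""
    # Constructed hidden-field contents: the price the server quoted.
    quoted = {"item": "Chevrolet XR2", "price": 21000}
    token = seal_state(quoted, ttl_seconds=300, now=1000)
    # The client edits the price and re-encodes the body, but cannot
    # recompute the tag without the server key.
    forged_body = json.dumps(
        {"state": {"item": "Chevrolet XR2", "price": 1}, "exp": 1300},
        sort_keys=True).encode()
    forged = (base64.urlsafe_b64encode(forged_body).decode() + "." +
              token.split(".")[1])
    return {
        "untouched": open_state(token, now=1100),
        "forged": open_state(forged, now=1100),
        "expired": open_state(token, now=1301),
        "malformed": open_state("not-a-token", now=1100),
    }


if __name__ == "__main__":
    print(demo())
```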
16
Problem: Incorrect Authorization
Web servers are memoryless
  Do not remember sending a form to a client: what type, info
Client side can remove checks, insert other code, return unexpected data, etc.
[Diagram: web access; web form with JavaScript; client modifies JavaScript to avoid error checks; revised form with data and JavaScript]
17
Problem: Cross-Site Scripting
A reputable site has links to a disreputable site
Disreputable site generates a script, which is inserted into the reputable company's HTML response
The result looks like a valid web page from the reputable company. E.g.: Error: Page not found
Database, Document Object Model, client input may be bad
[Diagram: create link or data; web access to product link reference; what should be a form instead requests payment; web form with JavaScript attack]
Another example: I get emails from ISACA that contain links to areas of their website. An attacker sends me a bogus email that looks like ISACA's, with a link to a copy of an ISACA page that the attacker has modified to contain malicious code or links to black-hat websites. Because the modifications are all executed on the client's computer, nothing unusual happens on ISACA's server.
18
More on: Cross-Site Scripting (XSS)
Local XSS: Modifies webpage code by modifying JavaScript in the Document Object Model (DOM)
Stored XSS: The attacker uses form input to modify a database. The input includes infected links or files.
Reflective XSS: Victim server returns infected client data, submitted as part of the client input.
19
Fix: Preserve Web Page Structure
Same-origin policy: All parts of a webpage must use the same protocol and port number and be derived from the same host
Specify strong character encoding such as UTF-8 or ISO-8859.
  Use on output
  Check on input
Or use other encoders: MS Anti-XSS library, OWASP ESAPI Encoding, Apache Wicket
Validate input data and all parts of HTTP input.
20
Problem: Forgery (Cross-Site Request Forgery)
Server provides authentication token to user A
  User uses token for other purpose
  Attacker copies and uses token
Problem: authentication token is pre-approved
Fix: Complete mediation: every request to server is verified for authorization
[Diagram: web access with authentication; web form with credential; attacker listens; fake form with data and copied credential; other fake form with data and copied credential]
Here the attacker is pretending to be someone else, sending in fake data. He may try to bypass authentication and proceed straight to the middle of someone else's session.
Also known as Cross-Site Request Forgery
21
Problem: Missing Authorization
[Diagram: web access, login form, web URL with authentication, web requests, cache, web form for actual data]
In this case, the server may be programmed correctly to respond only to authenticated users, but the web page is cached and available to anyone.
22
Problem: Missing Authentication
[Diagram: web access, web form needing authentication, reply with authentication sent to cache, web request, web form for actual data]
In this case, the server may be programmed correctly to respond only to authenticated users, but the web page is cached and available to anyone.
23
Fix: Authentication & Permissions
Use Role-Based Access Control
  At least permissions: anonymous, normal, privileged, administrative
Verify authentication at server side for every input
Sensitive pages are never cached and must have active authorization token
Only provide higher-level access when you need it; always run with the minimum possible authorization level
Check that files read have the required access level permissions; administrators may not set them properly.
Use a good random number generator when generating random session keys. If the keys are not random, attackers will figure out the next key in the sequence.
24
Problem: Incorrect Access Permissions
Answers on future page. What permissions to use for these forms???
25
Fix: Prevent Forgery
Sample form:
  Name: Ann Winkler
  Address: Pratt Ave Racine WI
  Phone:
  Interests: Horses, Movies, Travel
  Security Code: Johnson Rivers
  Submit
Use a nonce for each form (a number or CAPTCHA generated for a specific use, such as session authentication)
  Verifier not predictable
If dangerous operation, send a separate confirmation request
Nonce = Active authorization ticket: security code, or permission tag which indicates the maximum time the user has to respond.
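One way a server can issue and check a per-form nonce with the properties listed above (unpredictable, tied to one session and form, single use, time-limited). This is an added example, not part of the original slides; the class name, session IDs and form name are hypothetical, and the in-memory dictionary stands in for the server's session store.

```python
import hmac
import secrets
import time


class FormNonceStore:
    """Server-side record of the nonces sent out with forms."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._issued = {}  # (session_id, form_name) -> (nonce, expires_at)

    def issue(self, session_id, form_name, now=None):
        """Create the nonce to embed in the form sent to this session."""
        now = time.time() if now is None else now
        # secrets draws from the OS CSPRNG, so the next value cannot be
        # predicted from earlier ones (unlike random.random()).
        nonce = secrets.token_urlsafe(32)
        self._issued[(session_id, form_name)] = (nonce, now + self.ttl)
        return nonce

    def redeem(self, session_id, form_name, presented, now=None):
        """Accept a submitted nonce at most once, and only before expiry."""
        now = time.time() if now is None else now
        # pop() makes the nonce single use: any attempt, right or wrong,
        # consumes it and the user must be sent a fresh form.
        record = self._issued.pop((session_id, form_name), None)
        if record is None:
            return False
        nonce, expires_at = record
        if now > expires_at:
            return False
        return hmac.compare_digest(nonce.encode(), presented.encode())


def demo():
    """Exercise the accept, replay, guess, expiry and wrong-session cases."""
    store = FormNonceStore(ttl_seconds=300)
    results = {}
    nonce = store.issue("sess-1", "car-sale", now=1000)
    results["first_use"] = store.redeem("sess-1", "car-sale", nonce, now=1010)
    results["replay"] = store.redeem("sess-1", "car-sale", nonce, now=1020)
    store.issue("sess-1", "car-sale", now=1000)
    results["guessed"] = store.redeem("sess-1", "car-sale", "guess", now=1010)
    nonce = store.issue("sess-1", "car-sale", now=1000)
    results["expired"] = store.redeem("sess-1", "car-sale", nonce, now=1301)
    nonce = store.issue("sess-1", "car-sale", now=1000)
    results["other_session"] = store.redeem(
        "sess-2", "car-sale", nonce, now=1010)
    return results


if __name__ == "__main__":
    print(demo())
```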
26
Problem: Cleartext Transmit of Sensitive Info
Login: Ginger
Password: Snap
Fix: Encrypt data with standard, reliable encryption before transmission
The dog is 'sniffing'. That is what hackers (or admins) do when they listen to traffic on a communications medium.
One mouse means not a significant problem (but still a problem).
27
Problem: Race Condition
Thread P1         Thread P2         Comment
cin >> input;                       // read in "hello" into global
                  cin >> input;     // read in "good-bye" into global
out = input;      out = input;      // do a string copy (...use strcpy())
cout << out;                        // print out "good-bye"
                  cout << out;      // print out "good-bye"
Fix:
  Use synchronization primitives around critical code
  Minimize use of shared resources
  Test using artificial delays in race window
  Identify and trigger error conditions
Result: Data Corruption & Denial of Service
A race condition occurs when multiple threads or processes need the same resources to complete their tasks. If not synchronized properly, one or more may become 'starved' and unable to finish, or unpredictable errors may occur. A race condition was cited as the original cause of the 2003 (electricity) blackout in the northeastern U.S. Another nearly scuttled the Mars rover Spirit's mission.
28
Problem: Chatty Error Messages
"Cannot find file: C:/users/Lincke/validation.txt"
"Invalid password for login ID"
"Lab.cs.uwp.edu error: divide by zero error"
Fix:
  Error messages should avoid file, network configuration, and PII information
  Must be helpful to user
  Remove debug info before release
29
Problem: Path Traversal
If you download an external file or navigate to a URL, and execute
If you provide access to a file on your system
Attacker can insert ../../ and access files outside privilege.
Fix:
  Allow only certain files or directories to be visible
  Run as low-privilege user
  Provide fixed input values
  Run code in 'jail': Unix chroot jail and AppArmor
If attackers take advantage of your flexibility, it is best to provide them only minimal permissions, by restricting their access.
[Form: Submit File, Enter pathname, Browse]
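A server-side check for the first and third fixes above: the requested name is decoded (so %2e%2e%2f is seen as ../), resolved, and accepted only if it stays inside one visible directory, optionally limited to a fixed list of names. This is an added example, not part of the original slides; the function name, the sample requests and the temporary directory are constructed.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sample requests, including the encoded form from the slides.
REQUESTS = [
    "report.txt",
    "../../etc/passwd",
    "%2e%2e%2f%2e%2e%2fetc/passwd",
    "/etc/passwd",
    "docs/../report.txt",
]


def resolve_inside(base_dir, requested, allowed_names=None):
    """Return the absolute path for a request, or None if it must be refused.

    allowed_names, when given, is the fixed set of acceptable values.
    """
    # Decode once, then validate the decoded form; code further down the
    # stack must use the returned path and never decode the input again.
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    if allowed_names is not None and decoded not in allowed_names:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ../ and follows symlinks; an absolute request makes
    # join() discard base, which the containment test below then rejects.
    candidate = os.path.realpath(os.path.join(base, decoded))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. paths on different drives
        inside = False
    return candidate if inside else None


def demo():
    """Return accept/refuse decisions without and with a fixed-name list."""
    with tempfile.TemporaryDirectory() as base:
        open_dir = [resolve_inside(base, r) is not None for r in REQUESTS]
        fixed = [resolve_inside(base, r, {"report.txt"}) is not None
                 for r in REQUESTS]
    return open_dir, fixed


if __name__ == "__main__":
    print(demo())
```

The check decides which path is acceptable; running the process as a low-privilege user or in a chroot jail limits the damage if a check like this is ever missed.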
30
Problem: Adopting Untrusted Software
Fix: Use monitoring tools that examine a process as it interacts with the OS
  Truss (Solaris)
  Strace (Linux)
  FileMon, RegMon, Process Monitor, Sysinternals (Windows)
  Sniffers, protocol analyzers
[Diagram: Download File, Free Software … Is it Safe?]
31
Problem: Other Security Errors
Find the errors:
    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File;
        if (security.open(spath) > 0) {
            contents = security.read();
            environment = security.read();
        } else {
            print("Error: Security.dat not found");
        }
    }
Some errors are 3 stars, others are 1 star
32
Problem: Other Security Errors
Find the errors:
    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File;
        if (security.open(spath) > 0) {
            contents = security.read();
            environment = security.read();
        } else {
            print("Error: Security.dat not found");
        }
    }
1. Variables contents & environment not initialized
   Can cause problems if executed in certain ways
   Attacker can initialize or read variables from previous session
2. "security.dat" is not full pathname
   File can be replaced if run from another location
3. File 'security' not closed
   Leaves file open to attack
   Keeps unnecessary resources busy
4. Error message indicates file name
   Can give attacker important info
For 2: create own easy security.dat and run executable from the new location.
33
Problem: More Security Errors
Find the errors:
    purchaseProduct() {
        encryptKey = "N23m**2d3";
        count = form.quantity; // input
        total = count * product.cost();
        Message m = new Message(name, product, total);
        m.myEncrypt(encryptKey);
        server.send(m);
    }
Some errors are 3 stars, others are 1 star
34
Problem: More Security Errors
Find the errors:
    purchaseProduct() {
        encryptKey = "N23m**2d3";
        count = form.quantity;
        total = count * product.cost();
        Message m = new Message(name, product, total);
        m.myEncrypt(encryptKey);
        server.send(m);
    }
Errors:
  EncryptKey is hardcoded
    Attacker can break into every system before software is changed on all computers
  Total may overflow, producing very small number
  Input is not checked (could be zero or invalid)
  Encryption should be standard algorithm
    Home-written variety can be broken into easily
  Message m should have nonce
  Race condition can occur: total, count, encryptKey
Some errors are 3 stars, others are 1 star
35
Fix: Test All Software!!!
Dynamic tools: use large test suites such as fuzz testing, robustness testing, and fault injection.
  Software may slow down but should not crash or generate incorrect results
Use automated static analysis tools, e.g., warnings on program analysis tools
Use manual tests such as penetration testing, threat modeling, and interactive tools to reach beyond auto testing tools
Run the program under low memory conditions or with insufficient privileges, interrupt a transaction, or disable connectivity before a transaction has completed.
Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions.
Automated static analysis tools provide compile-time warnings that indicate where problems could occur.
36
Other software problems
Use of hard-coded credentials
Missing encryption of sensitive data
Unrestricted upload of file with dangerous type (image vs executable)
Execution with unnecessary privileges
Use of poor encryption algorithm
Download of code without integrity check
Inclusion of Functionality from Untrusted Control Sphere (e.g., Client libraries)
37
Web Service Vocabulary
Service-Oriented Architecture (SOA): Distributed architecture with discoverable, contract-based interfaces
  uses platform-neutral HTTP or XML interface
  interoperable, modular, reusable components
Universal Discover Description and Integration Server (UDDI): Server Yellow Pages
Web Services Description Language (WSDL): Interface description language
  describes calling and return parameters
38
Web Service Attacks
Attack Name: Attack Description
Directory Traversal: A URL is coded to access unexpected files or commands: … Characters may be encoded to hide contents: %2e%2e%2f.
WSDL Enumeration: The discovery of web services via UDDI or a search for WSDL files for attack purposes.
Replay: Transmitted packets are copied, potentially modified and resent.
URL Jumping: Web references are accessed out-of-order to avoid authentication.
XPath Injection: Modifies XML format or contents to create unintended data (similar to SQL Injection).
XML Overflow: DOS attack constructs invalid or repeated XML structures to confuse server or overflow memory.
39
Definition Matching
Terms: Whitelist, Blacklist, Nonce, Jail, Sandbox Environment
Definitions:
  A set of resource limits imposed on programs by the operating system kernel (e.g. I/O bandwidth caps & disk quotas).
  Uses a time-sensitive mark to prevent packet replay (e.g. CAPTCHA)
  List of acceptable input
  A security mechanism for quarantining untrusted running programs.
  Reject suspect input
41
Question
A third party inserts attack data into another organization's HTML response. This is known as:
1. Cross-Site Scripting
2. Blacklist
3. Race Condition
4. Cleartext
Answer: 1
42
Question
What technique would NOT be appropriate in avoiding OS Command Injection?
1. Separate control information from data information
2. Use library calls instead of external processes
3. Run code in "jail" or other sandbox environment
4. Use a hard-coded password to enable access
Answer: 4
43
Question
Which of the following is true concerning web servers?
1. Servers cannot retain web session state, and thus the client must do it
2. The single best place to do input validation and authentication is at the client-side
3. Using client as storage is safe if encryption, nonce and hashes are used
4. The server can trust web input if it validates the data in the web form
Notes:
1- there are tools to save session state
2- Input validation and authentication should be done at both client and server
3- True
4- The entire web form should be validated, more than the data can be invalid.
44
Question
The BEST way to ensure input validity at the client is:
1. Nonce
2. Whitelist
3. Blacklist
4. Integrity Checking
2: a whitelist is a list of all allowable inputs; anything else is rejected. This avoids leaving a system vulnerable to new hacker innovations and/or stuff the administrator (programmer?) just forgot about.
45
Question
The BEST implementation of Access Control would be:
1. Do not provide caches for sensitive data
2. Always use minimal possible permissions in code, for as short of a time as possible
3. Avoid using cookies and hidden fields
4. Never provide an authorization above 'guest' to web users
Which questions refer to access control? 1 does not clearly relate to access control. 3 and 4 are not realistic.
46
Question
SQL Injection is BEST protected against by using:
1. Cleartext
2. Encryption and Integrity Checking
3. Sanitization
4. Clearly defined code such as UTF-8
Sanitization = input cleanup, and is most important. It is helpful in sanitization if a clearly defined code is used.
47
Question
The main way to avoid replay between a client and server is:
1. Integrity checking
2. Whitelist
3. Blacklist
4. Nonce
Nonce = active authorization ticket
48
Question
An attack that could cause the MOST problems includes:
1. Hard-coded password
2. Race condition
3. Denial of Service
4. Chatty error message
Hard-coded passwords mean that once the password is known, everyone can attack until the potentially distributed code is physically changed. A really bad idea!!!
49
Question
The BEST way to ensure no message modification occurs is:
1. Hashing
2. Whitelist
3. Blacklist
4. Encryption
Integrity checking involves hashing
50
Question
All of the following EXCEPT which answer can result in invalid data AND break-in?
1. Non-random random number generator
2. Buffer overflow
3. Uninitialized variables resulting in error messages
4. Race conditions
Race conditions may result in invalid data, but are not likely to result in break-in. The others can lead to break-in.
51
Vocabulary
Buffer overflow, SQL injection, OS command injection, cross-site scripting, cleartext, race condition, chatty error message
Sanitization, whitelist, blacklist, nonce, character encoding (UTF-8), jail or sandbox environment