Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Software Professional Recommendations from CWE/SANS.

Published byClarissa Grant Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Software Professional Recommendations from CWE/SANS."— Presentation transcript:

1 Secure Software Professional Recommendations from CWE/SANS

2 References Material is from:: 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, Version 1.4, Oct 29, 2009. CISA ® Certified Information Systems Auditor All-in-One Exam Guide, Peter H Gregory, McGraw-Hill Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Contributors: Megan Reid, Todd Burri Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

3 Objectives Define attacks: Buffer overflow, SQL injection, OS command injection, cross-site scripting, cleartext, race condition, chatty error message Define solutions: Sanitization, whitelist, blacklist, nonce, character encoding (UTF-8), jail or sandbox environment Recognize major coding errors. Modify a Requirements Document to include Security Requirements

4 Problem: Incorrect Input Car Sale Model: Chevrolet XR2Price $: 25.45 VIN: 12K4FG436DDE842Status: New Sale to:Rubber Ducky 2222 Atlantic Ocean Antarctica, NY, 00000 Phone: 911VISA: RUAFOOL444

5 Problem: Buffer overflow NameZzzzzzzzzz Count49, 425,222 State:84 Return address 0x246625 Frame pointer 0x246625 Enter Name: Zzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzz

6 Fix: Input Validation Assume all input is malicious! Validate: Length Type Syntax Context: Business Rules Or Use Special input checkers  Struts or OWASP ESAPI Validation API Whitelist: List of acceptable input Blacklist: Reject suspect input network Validate First!!!

7 Problem: Insecure Interaction Between Components network real -> fake -> Problem: Server assumes validation occurred in client Does not recheck Attack: Code is reverse engineered and modified to act differently. Program B Program B*

8 Fix: Server-Side Authentication Perform authentication and input validation on both client and server sides Use encryption & hash between client & server network real ->

9 Problem: SQL Injection Java Original: “SELECT * FROM users_table WHERE username=” + “’” + username + “’” + “ AND password = “ + “’” + password + “’”; Inserted Password: Aa’ OR ‘’=’ Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘Aa’ OR ‘ ‘ = ‘ ‘; Inserted Password: foo’;DELETE FROM users_table WHERE username LIKE ‘% Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘foo’; DELETE FROM users_table WHERE username LIKE ‘%’ Login: Password: Welcome to My System

10 Fix: Input Sanitization Avoid dynamically- constructed query strings Disallow Meta-characters Persistence Software: Oracle DBMS_ASSERT MySQL mysql_real_escape_strin g() for C, PHP Hibernate or Enterprise Java Beans if used properly Persistence Layer Database Business Logic GUI - Validation

11 Problem: OS Command Injection Problem: Command Injection into SQL Inserts ‘|shell(“cmd /c echo “ & char(124) & “format c:”)|’  Data and control can traverse same path Login: Password: Welcome to My System

12 Fix: Avoid OS Command Injection Separate control information from data information.  E.g. where data-> database, control defines application Use library calls instead of external processes Avoid external control of command input Run code in “jail” or other sandbox environment (discussed in further detail on next slide) Provide lowest possible permissions for executable Control: Start WPI session, parms -lmk Data: “Terry, Brian, Jerry, Ann, Louis, …”

13 Define Jail & Sandbox Jail OS imposes resource limits on programs. It may include: I/O bandwidth caps disk quotas network access restrictions restricted file system namespace Sandbox Quarantines an untrusted program as it runs Can execute untested/ untrusted programs from untrusted third-parties, suppliers, and users.

14 Problem: External Control of Critical State Data User-side data can be modified: Cookies Configuration files Profiles Hidden form fields Environmental variables Registry keys Web request Web Form Form with fake data

15 Fix: Control Critical State Data Understand all locations that are accessible to attackers Do not keep state info on client without using encryption and integrity checking (e.g. HMAC) Store state info on server side only: ASP.NET View State, OWASP ESAPI Session Mgmt

16 Problem: Insecure Interaction Between Components Web servers are memoryless Do not remember sending a form to a client – what type, info Client side can remove checks, insert other code, return unexpected data, etc. Web access Web Form with javascript Revised form With data and java script Modifies javascript to avoid error checks

17 Problem: Cross-Site Scripting A reputable site has links to an unknowingly disreputable site The disreputable site generates a Javascript or VB script, which gets inserted into the reputable company’s html response. The result looks like a valid web page from the reputable company. E.g.: Error: Page not found Web access to product link Web Form with javascript attack reference Should be error (Not Found) Instead: fake form

18 Fix: Preserve Web Page Structure Specify strong character encoding such as UTF-8 or ISO-8859.  Use on output  Check on input  Or use other encoders: MS Anti-XSS library, OWASP ESAPI Encoding, Apache Wicket Validate not only input data, but all parts of the HTTP input.

19 Problem: Forgery Web access Web Form with javascript Fake form With data and java script Real form Also known as Cross-Site Request Forgery

20 Problem: Improper Access Control Web access Web Form need authentication Reply to www.abc.com/123www.abc.com/123 Web Request for www.abc.com/345 Web Form for actual data for www.abc.com/345www.abc.com/345 Web Reply w. authent. To www.abc.com/123www.abc.com/123 cache Web Form for actual data for www.abc.com/345www.abc.com/345

21 Fix: Access Permissions Use Role-Based Access  At least permissions: anonymous, normal, privileged, administrative Verify access control at server side Sensitive pages are never cached and must have active authorization token Only provide higher level access when you need it; always run with the minimum possible authorization level Check that files read have the required access level permissions; administrators may not set them properly. Use a good random number generator when generating random session keys – if not random, attackers will figure out next key sequence

22 Problem: Incorrect Access Permissions Database Program Sales Sell on Web Sell to Distributor Accounting Adjust Price Manufac- turing Add Inventory Ship Order What permissions to use for these forms???

23 Fix: Prevent Forgery Use a nonce for each form (a number or CAPTCHA generated for a specific use, such as session authentication) Verifier not predictable If dangerous operation, send a separate confirmation request Name: Ann Winkler Address: 2526 Pratt Ave Racine WI Phone: 262-595-2111 Interests: Horses, Movies, Travel Security Code: Johnson Rivers Submit Security Code: Johnson Rivers

24 Problem: Cleartext Transmit of Sensitive Info Fix: Encrypt data with standard, reliable encryption before transmission Login: Ginger Password: Snap

25 Problem: Race Condition Thread P1 Thread P2Comment cin >> input;..// read in "hello" into global.. cin >> input;// read in "good-bye" into global out = input; out = input;// do a string copy (...use strcpy()) cout << out;..// print out "good-bye".. cout << out;// print out "good-bye“ Fix: Use Synchronization Primitives around critical code Minimize use of shared resources Test using artificial delays in race window Identify and trigger error conditions Result: Data Corruption & Denial of Service

26 Problem: Chatty Error Messages “Cannot find file: C:/users/Lincke/valida tion.txt” “Invalid password for login ID” “Lab.cs.uwp.edu error: divide by zero error” Fix: Error messages should avoid file, network configuration, and PII information. Must be helpful to user Remove debug info before release

27 Problem: External Control of Path If you download an external file or navigate to a URL – and execute If you provide access to a file on your system  Attacker can insert../../ and access files outside privilege. Fix: Run as low-privilege user Provide fixed input values Run code in ‘jail’: Unix chroot jail and AppArmor Submit File: Enter pathname: Browse Browse

28 Problem: Adopting Untrusted Software Fix: Use monitoring tools that examine processes as it interacts with the OS  Truss (Solaris)  Strace (Linux)  FileMon, RegMon, Process Monitor, Sysinternals (Windows)  Sniffers, Protocol analyzers Download File Free Software … Is it Safe?

29 Problem: Other Security Errors Find the errors: Security() { String contents, environment; String spath = “security.dat” File security = new File(); if (security.open(spath) >0) contents = security.read(); environment = security.read(); else print(“Error: Security.dat not found”); }

30 Problem: Other Security Errors Find the errors: Security() { String contents, environment; String spath = “security.dat” File security = new File(); if (security.open(spath) >0) contents = security.read(); environment = security.read(); else print(“Error: Security.dat not found”); } 1. Variables contents & environment not initialized Can cause problems if executed in certain ways Attacker can initialize or read variables from previous session 2. “security.dat” is not full pathname. File can be replaced if run from another location 3. File ‘security’ not closed  Leaves file open to attack  Keeps unnecessary resources busy 4. Error message indicates file name Can give attacker important info

31 Problem: More Security Errors Find the errors: purchaseProduct() { password = “N23m**2d3”; count = form.quantity; // input total = count * product.cost(); Message m = new Message( name,product,total); m.myEncrypt(); server.send(m); }

32 Problem: More Security Errors Find the errors: purchaseProduct() { password = “N23m**2d3”; count = form.quantity; total = count * product.cost(); Message m = new Message( name,password,product,total); m.myEncrypt(); server.send(m); } Errors: 1. Password is hardcoded  If attacker finds it, every system can be broken into before software is changed on all computers  Passwords may only be stored in encrypted file 2. Total may overflow, producing very small number  Input is not checked (could be zero or invalid) 3. Encryption should be standard algorithm  Home-written variety can be broken into easily

33 Fix: Test All Software!!! Dynamic Tools: use large test suites such as fuzz testing, robustness testing, and fault injection. Software may slow down but should not crash or generate incorrect results Use automated static analysis tools, e.g., warnings on program analysis tools Use manual tests such as penetration testing, threat modeling, and interactive tools to reach beyond auto testing tools Run program under low memory conditions, insufficient privileges, interrupt a transaction or disable connectivity before transaction completed.

34 Definition Matching Whitelist Blacklist Nonce Jail Sandbox Environment 1. A set of resource limits imposed on programs by the operating system kernel (e.g. I/O bandwidth caps & disk quotas). 2. Uses a time-sensitive mark to prevent packet replay (e.g. CAPTCHA) 3. List of acceptable input 4. A security mechanism for quarantining untrusted running programs. 5. Reject suspect input

35 Definition Matching Whitelist Blacklist Nonce Jail Sandbox Environment 1. A set of resource limits imposed on programs by the operating system kernel (e.g. I/O bandwidth caps & disk quotas). 2. Uses a time-sensitive mark to prevent packet replay (e.g. CAPTCHA) 3. List of acceptable input 4. A security mechanism for quarantining untrusted running programs. 5. Reject suspect input

36 Question A third party inserts attack data into another organization’s html response. This is known as: 1. Cross-Site Scripting 2. Blacklist 3. Race Condition 4. Cleartext

37 Question What technique would NOT be appropriate in avoiding OS Command Injection? 1. Separate control information from data information 2. Use library calls instead of external processes 3. Run code in “jail” or other sandbox environment 4. Use a hard-coded password to enable access

38 Question Which of the following is true concerning web servers? 1. Servers cannot retain web session state, and thus the client must do it 2. The single best place to do input validation and authentication is at the client-side 3. Using client as storage is safe if encryption and integrity checking are used 4. The server can trust web input if it validates the data in the web form

39 Question The BEST way to ensure input validity at the client is: 1. Nonce 2. Whitelist 3. Blacklist 4. Integrity Checking

40 Question The BEST implementation of Access Control would be: 1. Do not provide caches for sensitive data 2. Always use minimal possible permissions in code, for as short of a time as possible 3. Avoid using cookies and hidden fields 4. Never provide an authorization above ‘guest’ to web users

41 Question SQL Injection is BEST protected against by using: 1. Cleartext 2. Encryption and Integrity Checking 3. Sanitization 4. Clearly defined code such as UTF-8

42 Question The main way to avoid replay between a client and server is: 1. Integrity checking 2. Whitelist 3. Blacklist 4. Nonce

43 Question An attack that could cause the MOST problems includes: 1. Hard-coded password 2. Race condition 3. Denial of Service 4. Chatty error message

44 Question The BEST way to ensure no message modification occurs is: 1. Hashing 2. Whitelist 3. Blacklist 4. Encryption

45 Question All of the following EXCEPT which answer can result in invalid data AND break-in? 1. Non-random random number generator 2. Buffer overflow 3. Uninitialized variables resulting in error messages 4. Race conditions

Download ppt "Secure Software Professional Recommendations from CWE/SANS."

Similar presentations

OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-732 Incorrect Permission Assignment for Critical Resource
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Similar presentations

Ads by Google