Secure Coding: Web Application Security Vulnerabilities and Best Practices
What is Secure Coding?
Is it this?
...or this?
...maybe even this?
Security Principles
• Minimise Attack Surface Area
• Establish Secure Defaults
• Principle of Least Privilege
• Principle of Defence in Depth
• Fail Securely
• Separation of Duties
• Avoid Security by Obscurity
• Keep Security Simple
• Fix Security Issues Correctly
Minimise Attack Surface
• Every feature, interface or technology added to a system is a potential entry point, and therefore a risk.
• Secure development is about reducing that risk by minimising the attack surface: fewer entry points, fewer things that can go wrong.
Thanks Boromir.
Establish Secure Defaults
• By default a system should be secure out-of-the-box.
• It should be up to the user to reduce their security if allowed.
Trust Morpheus!
Principle of Least Privilege
• Use the least possible privilege to perform the required business task.
Don’t be the luser!
Principle of Defence in Depth
• Design every layer as if the layers above it have already been compromised; no single control (firewall, framework, input validation) should be the only thing standing between an attacker and the data.
This is how we do it.
Fail Securely
• Code fails regularly; the state a failure leaves behind is a design decision, so errors must default to the secure outcome.
• The snippet below fails open: isAdmin starts as true, and if codeWhichMayFail() throws, the role lookup never runs and the caller keeps administrator rights.

    isAdmin = true;
    try {
        codeWhichMayFail();
        isAdmin = isUserInRole("Administrator");
    } catch (Exception ex) {
        log.write(ex.toString());
    }
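The fail-open pattern next to its fail-closed counterpart, as an added example that is not from the deck; loadRoles() stands in for the slide's codeWhichMayFail() and is assumed for illustration, and the user records are constructed:

```javascript
"use strict";

// loadRoles() is an assumed helper playing the part of codeWhichMayFail():
// it throws when the user record is malformed, which is exactly the path an
// attacker will go looking for.
function loadRoles(user) {
  if (!user || !Array.isArray(user.roles)) {
    throw new TypeError("role data missing for " + (user && user.name));
  }
  return user.roles;
}

function isUserInRole(user, role) {
  return loadRoles(user).includes(role);
}

// Fails open (the slide's pattern): the default is "allowed", and an
// exception skips the assignment that would have revoked it.
function isAdminFailOpen(user, log = console.error) {
  let isAdmin = true;
  try {
    isAdmin = isUserInRole(user, "Administrator");
  } catch (err) {
    log(String(err));
  }
  return isAdmin;
}

// Fails closed: deny by default, and an exception leaves the denial in place.
function isAdminFailClosed(user, log = console.error) {
  let isAdmin = false;
  try {
    isAdmin = isUserInRole(user, "Administrator");
  } catch (err) {
    log(String(err));
    isAdmin = false; // explicit, so a later edit cannot quietly flip the default
  }
  return isAdmin;
}

// Constructed users: one ordinary user, one whose record is broken.
const alice = { name: "alice", roles: ["user"] };
const broken = { name: "mallory" }; // no roles array: the lookup throws

console.log("fail open, broken record :", isAdminFailOpen(broken));   // true
console.log("fail closed, broken record:", isAdminFailClosed(broken)); // false
```

The broken record is the interesting input: the fail-open version grants administrator rights precisely when the role data cannot be read, while the fail-closed version only grants them when the lookup succeeds and says so.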
Separation of Duties
• Some roles carry more trust than ordinary users; keep those roles separate so that no single account can both perform a sensitive action and approve or audit it.
Hell yeah!?!
Avoid Security By Obscurity
• Security by obscurity is a weak security control.
• It depends on the attacker not knowing how the system works; once the secret (an algorithm, a hidden URL, an unusual port) leaks, nothing is left. Use it only as a supplement to real controls, never as the sole one.
Don’t be like Dawson!
Keep Security Simple
• Simplicity leads to better understanding the system and its constraints.
Please!
Fix Security Issues Correctly
• Understand the root cause of the problem, not just the symptom that was reported.
• Identify the pattern of the problem.
• Some issues are wide-spread across the code base: fix every instance of the pattern, not only the one that was found.
• Develop a fix.
• Develop tests that exercise the fix, including the new branches it introduces.
Fix Security Issues Correctly: PHP Hash Collision DoS (CVE-2011-4885)
• Problem: PHP was found vulnerable to denial of service. A request carrying a large number of specially crafted variable names whose hashes collide forces every insertion into the request's hashtable to walk the same bucket, so parsing the request takes quadratic time and exhausts CPU.
• Solution: max_input_vars was introduced to limit the number of variables that a single request may register.
Fix Security Issues Correctly: PHP Remote Code Execution (CVE-2012-0830)

    if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
        php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
    }

    ... code removed ...

    PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC)
    {
        ... code removed ...
        if (is_array) {
            ... code removed ...
            if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
                if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
                    php_error_docref(NULL TSRMLS_CC, E_WARNING,
                        "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.",
                        PG(max_input_vars));
                }
                MAKE_STD_ZVAL(gpc_element);
                array_init(gpc_element);
                zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element,
                                     sizeof(zval *), (void **) &gpc_element_p);
            }
            ... code removed ...
            symtable1 = Z_ARRVAL_PP(gpc_element_p);
            ... code removed ...
        }
    }
Fix Security Issues Correctly: PHP Remote Code Execution (CVE-2012-0830)
• The vulnerability occurs when max_input_vars is exceeded and the variable is an array: the new limit check skips the creation of the nested element, but the code after the check still runs as if the element existed.
• Code execution occurs when Z_ARRVAL_PP(gpc_element_p) is called to obtain the hashtable of the element that was never created.
• If the number of variables is greater than max_input_vars, gpc_element_p still holds whatever the previous iteration or call left there, i.e. uninitialised memory, so the request now writes into memory PHP does not control.
• The fix for CVE-2011-4885 introduced the branch; the code that depended on the branch having run was never adjusted, and no test covered the over-the-limit nested-array case.
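A toy model of the control flow around that max_input_vars check, added here as an example and not PHP's code: plain objects stand in for zend hashtables, the limit is an assumed small value, and the request is constructed, so the stale gpc_element_p shows up as a write into the wrong variable rather than as a write through an uninitialised pointer. The corrected shape and the scenario function double as the regression test the deck's last two bullets ask for.

```javascript
"use strict";

const MAX_INPUT_VARS = 2; // assumed limit for the demo; php.ini defaults to 1000

// "a[b][c]" -> ["a", "b", "c"]. Constructed helper; ignores PHP's escaping rules.
function splitKeys(name) {
  return name.replace(/\]/g, "").split("[");
}

// Buggy shape (the CVE-2012-0830 code path). `elementRef` plays the role of
// gpc_element_p: it is only assigned when an element is found or created.
function registerBuggy(root, name, value, maxVars = MAX_INPUT_VARS) {
  const keys = splitKeys(name);
  let table = root;      // symtable1
  let elementRef;        // gpc_element_p
  for (const key of keys.slice(0, -1)) {
    if (typeof table[key] === "object") {
      elementRef = table[key];          // existing sub-array: reuse it
    } else if (Object.keys(table).length <= maxVars) {
      // PHP logs "Input variables exceeded" when length === maxVars; omitted here
      elementRef = {};
      table[key] = elementRef;          // zend_symtable_update(..., &gpc_element_p)
    }
    // BUG: if both branches were skipped, elementRef still holds whatever the
    // previous iteration left there (or is undefined), yet it is used anyway.
    table = elementRef;                 // symtable1 = Z_ARRVAL_PP(gpc_element_p)
  }
  table[keys[keys.length - 1]] = value;
  return true;
}

// Corrected shape: the limit check decides the fate of the whole variable
// before anything is created, so later code never runs on a missing element.
function registerFixed(root, name, value, maxVars = MAX_INPUT_VARS) {
  const keys = splitKeys(name);
  let table = root;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (table[key] === undefined && Object.keys(table).length > maxVars) {
      return false;                     // limit reached: reject, do not descend
    }
    if (i === keys.length - 1) {
      table[key] = value;
      return true;
    }
    if (typeof table[key] !== "object") table[key] = {};
    table = table[key];
  }
  return false;
}

// Constructed request: fill a[] past the limit, then send a nested a[x][y].
function scenario(register) {
  const vars = {};
  register(vars, "a[k1]", "1");
  register(vars, "a[k2]", "2");
  register(vars, "a[k3]", "3");        // third element: allowed, only a warning in PHP
  register(vars, "a[x][y]", "pwned");  // a[] is now over the limit
  return vars;
}

console.log("buggy:", JSON.stringify(scenario(registerBuggy))); // a.y === "pwned": landed in the parent
console.log("fixed:", JSON.stringify(scenario(registerFixed))); // a[x][y] rejected, nothing written
```

In the buggy version the fourth variable is silently stored as a[y] instead of a[x][y], because the loop descended into the stale reference to a[]; in C the same stale pointer is garbage on the stack, which is what turned a resource limit into memory corruption.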
Security in Languages
Rails/Grails/MVC
• The Model/View/Controller and scaffolding paradigm is often abused: scaffolding generates complete create/read/update/delete controllers and views as a starting point, and code that was meant to be trimmed often ships as-is, exposing actions nobody reviewed.
Python
• Python's arithmetic depends on the operand types: in Python 2, dividing two integers with / truncates to an integer, so a value that should be 0.8 silently becomes 0.
Python Number Rounding
    round(4000/5000)     # Python 2: 4000/5000 is integer division -> 0, so this is 0.0
    # vs
    round(4000.0/5000)   # 4000.0/5000 == 0.8, so this is 1.0
• Python 3 made / true division (both lines give 1); use // when integer division is what you mean.
JavaScript Type Problems
• JavaScript coerces operands implicitly: the result of + or - depends on the operand types, and whether {} is an object literal or an empty block depends on where it appears in a statement.
JavaScript Types Differences
    {} + {}   // NaN   ({} at the start of a statement is an empty block, so this is +{})
    {} + []   // 0     (same: this is +[])
    [] + {}   // "[object Object]"
    [] + []   // ""
    {} - 1    // -1
    [] - 1    // -1
    -1 + {}   // "-1[object Object]"
    -1 + []   // "-1"
• Written as expressions, for example ({}) + {}, the first two lines instead give "[object Object][object Object]" and "[object Object]".
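The same coercion rules turn a loose comparison into an authorization bypass. The following is an added example, not from the deck; the request values are constructed (a real query-string parser such as the one behind Express's req.query yields an array for ?role[]=admin), and eval is used only to parse text as a statement so the block-versus-literal difference behind the table can be observed:

```javascript
"use strict";

// Loose: == coerces ["admin"] via toString() to "admin", so an array passes.
function isAdminLoose(role) {
  return role == "admin";
}

// Strict: check the type first, then compare with ===.
function isAdminStrict(role) {
  return typeof role === "string" && role === "admin";
}

// Loose numeric check: "1e3", [1000] and "  1000 " all coerce to 1000,
// so a string or an array from the request satisfies a check meant for a number.
function isPremiumTierLoose(tier) {
  return tier == 1000;
}

function isPremiumTierStrict(tier) {
  return Number.isInteger(tier) && tier === 1000;
}

// Why the table above reads "{} + [] = 0" but "[] + {} = [object Object]":
// at the start of a statement "{}" is an empty block, so the line parses as
// the unary expression +[] (which is 0); wrapped in parentheses it is an
// object literal and string concatenation takes over.
function blockVersusLiteral() {
  return {
    asStatement: eval("{} + []"),    // 0
    asExpression: eval("({}) + []"), // "[object Object]"
  };
}

// Constructed request values: what a permissive parser can hand to the checks.
const requestSamples = [["admin"], "admin", "1e3", [1000], "  1000 ", 1000];
for (const v of requestSamples) {
  console.log(JSON.stringify(v),
    "adminLoose:", isAdminLoose(v), "adminStrict:", isAdminStrict(v),
    "tierLoose:", isPremiumTierLoose(v), "tierStrict:", isPremiumTierStrict(v));
}
```

The defensive habit is the same everywhere in the language: decide which type a request value must have, reject anything else, and only then compare with ===.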
JavaScript Obfuscation
• The script below contains no letters or digits at all, yet it is equivalent to alert(1); obfuscation hides intent from reviewers and pattern-matching filters, but it changes nothing about what executes.

    $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.__$+"\\"+$.$__+$.___+")"+"\"")())();

    // equal to
    alert(1);
C
• C's type system is weak: casts are unchecked and a pointer can be made to address any memory, so type safety and memory safety are entirely the programmer's responsibility.
Ruby
• The Ruby language supports running system commands (Kernel.system, backticks, exec).
• Passing Kernel.system a single string built from user input hands that string to a shell, so shell metacharacters in the input inject additional commands; pass the command and each argument as separate parameters instead, so no shell is involved.
Struts
• Struts 2 allows dynamic method invocation (DMI): appending !methodName to an action URL invokes that method on the action class, so a caller can reach methods that were never mapped as actions.
• http://host/struts2_security_vulnerability/changepassword!changePassword.action?newPassword=my_new_password&username=bruce
• Disable it unless it is explicitly needed:
    <init-param>
        <param-name>struts.enable.DynamicMethodInvocation</param-name>
        <param-value>false</param-value>
    </init-param>
Thanks!