websecurify
Secure Coding
Web Application Security Vulnerabilities and Best Practices
What is Secure Coding?
Is it this?
...or this?
...maybe even this?
Security Principles
• Minimise Attack Surface Area
• Establish Secure Defaults
• Principle of Least Privilege
• Principle of Defence in Depth
• Fail Securely
• Separation of Duties
• Avoid Security by Obscurity
• Keep Security Simple
• Fix Security Issues Correctly
Minimise Attack Surface
• Every feature or technology is a risk.
• Secure development is all about reducing the risk by minimising the attack surface.
Thanks Boromir.
Establish Secure Defaults
• By default, a system should be secure out of the box.
• It should be up to the user to reduce their own security, where that is allowed at all.
Trust Morpheus!
Principle of Least Privilege
• Use the least possible privilege to perform the required business task.
Don’t be the luser!
Principle of Defence in Depth
• Always consider that upper layers are already compromised.
This is how we do it.
Fail Securely
• Code fails regularly.
Fail Securely
isAdmin = true;
try {
    codeWhichMayFail();
    isAdmin = isUserInRole("Administrator");
} catch (Exception ex) {
    // If codeWhichMayFail() throws, isAdmin is never reassigned and stays true:
    // the check fails open and the caller keeps administrator rights.
    log.write(ex.toString());
}
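The slide's fail-open pattern beside a fail-closed rewrite, as an added example in Ruby (not code from the deck); ROLES, user_in_role? and RoleLookupError are constructed stand-ins for a real role lookup, and passing roles: nil simulates the lookup failing:

```ruby
class RoleLookupError < StandardError; end

# Constructed role store: user => roles. Passing nil instead simulates an outage.
ROLES = { "alice" => ["Administrator"], "bob" => ["User"] }.freeze

def user_in_role?(user, role, roles: ROLES)
  raise RoleLookupError, "role store unavailable" if roles.nil?
  roles.fetch(user, []).include?(role)
end

# Fail-open (mirrors the slide): the flag is pre-set to true, so an exception
# in the lookup is logged and the caller walks away with admin rights.
def admin_fail_open(user, roles: ROLES)
  is_admin = true
  begin
    is_admin = user_in_role?(user, "Administrator", roles: roles)
  rescue RoleLookupError => e
    warn "lookup failed: #{e.message}"
  end
  is_admin
end

# Fail-closed: the default is the least privilege, and any error keeps it that
# way; only a successful lookup can grant the role.
def admin_fail_closed(user, roles: ROLES)
  is_admin = false
  begin
    is_admin = user_in_role?(user, "Administrator", roles: roles)
  rescue RoleLookupError => e
    warn "lookup failed: #{e.message}"
  end
  is_admin
end
```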
Separation of Duties
• Some roles carry a different level of trust from that of normal users.
Hell yeah!?!
Avoid Security By Obscurity
• Security by obscurity is a weak security control.
• Security by obscurity relies solely on the attacker not knowing something.
Don’t be like Dawson!
Keep Security Simple
• Simplicity leads to a better understanding of the system and its constraints.
Please!
Fix Security Issues Correctly
• Understand the root cause of the problem.
• Identify the pattern of the problem.
• Some issues are widespread across the code base.
• Develop a fix.
• Develop tests.
Fix Security Issues Correctly: PHP Hash Collision DoS (CVE-2011-4885)
• Problem: PHP was found vulnerable to a denial of service triggered by submitting a large number of specially crafted variables.
• Solution: max_input_vars was introduced to limit the number of variables that can be used in a request.
Fix Security Issues Correctly: PHP Remote Code Execution (CVE-2012-0830)
if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
    php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
}
... code removed ...
PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC)
{
... code removed ...
    if (is_array) {
... code removed ...
        /* The new element is only created while the count is within the limit. */
        if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
            if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
            }
            MAKE_STD_ZVAL(gpc_element);
            array_init(gpc_element);
            zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
        }
... code removed ...
        /* Reached even when the block above was skipped, so gpc_element_p
           still refers to whatever the previous iteration left behind. */
        symtable1 = Z_ARRVAL_PP(gpc_element_p);
... code removed ...
}
Fix Security Issues Correctly: PHP Remote Code Execution (CVE-2012-0830)
• The vulnerability occurs when max_input_vars is exceeded and the variable is an array.
• Code execution occurs when Z_ARRVAL_PP is called to obtain a reference to the updated hashtable.
• If the number of variables is greater than max_input_vars, gpc_element will point to the previous variable's value, which is uninitialised memory.
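An added example (not PHP's code) of the defensive pattern behind max_input_vars: a small GPC-style parser in Ruby that builds nested arrays from a[b]=... keys and, unlike the patched path on the slide, rejects the whole request once the limit is reached instead of continuing with a half-updated structure. parse_input_vars and TooManyInputVars are assumed names, and counting one variable per key=value pair is a simplification of PHP's per-level count.

```ruby
require "cgi"

class TooManyInputVars < StandardError; end

# Parse "a=1&b[x]=2&c[d][e]=3" into nested Hashes, enforcing a hard cap on the
# number of input variables. On overflow the request is rejected as a whole, so
# no caller ever sees a partially registered variable.
def parse_input_vars(query, max_input_vars: 1000)
  vars = {}
  seen = 0
  query.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_val = pair.split("=", 2)
    next if raw_key.nil? || raw_key.empty?
    key = CGI.unescape(raw_key)
    val = CGI.unescape(raw_val.to_s)

    seen += 1
    if seen > max_input_vars
      raise TooManyInputVars, "more than #{max_input_vars} input variables"
    end

    # "c[d][e]" -> ["c", "d", "e"]; a plain "a" -> ["a"]
    base, rest = key.split("[", 2)
    path = [base]
    path.concat(rest.chomp("]").split("][")) if rest

    # Walk or create the intermediate Hashes; a scalar already stored at an
    # intermediate level is replaced by a fresh container.
    node = vars
    path[0...-1].each do |seg|
      node[seg] = {} unless node[seg].is_a?(Hash)
      node = node[seg]
    end
    node[path.last] = val
  end
  vars
end
```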
Security in Languages
Rails/Grails/MVC
• The Model/View/Controller and scaffolding paradigm is often abused.
Python
• Python has a funny way of dealing with different data types.
Python Number Rounding
round(4000/5000)    # Python 2: 4000/5000 is integer division and yields 0, so this is 0.0
# vs
round(4000.0/5000)  # 4000.0/5000 is 0.8, so this is 1.0
(In Python 3, / always divides as floats, so both expressions give 1.)
JavaScript Type Problems
• JavaScript has loose semantics on its types.
JavaScript Types Differences
{} + {} = NaN
{} + [] = 0
[] + {} = "[object Object]"
[] + [] = ""
{} - 1 = -1
[] - 1 = -1
-1 + {} = "-1[object Object]"
-1 + [] = "-1"
(As typed at a console: a leading {} parses as an empty block, which is why {} + {} and {} + [] differ from the [] + {} case.)
JavaScript Obfuscation
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.__$+"\\"+$.$__+$.___+")"+"\"")())();
// equal to
alert(1);
C
• In C the type system offers almost no protection: you can do whatever you like with pointers.
Ruby
• The Ruby language supports running system commands.
• When untrusted input reaches Kernel.system, it provides a means of injecting commands into the application and bypassing security measures.
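The injection the slide warns about beside the argv form of Kernel.system that avoids it, as an added Ruby example (not from the deck); UNTRUSTED_NAME is a constructed input and the function names are assumptions:

```ruby
require "shellwords"

# Constructed hostile input: a "file name" that smuggles in a second command.
UNTRUSTED_NAME = "report.txt; id".freeze

# Vulnerable: one interpolated string. Kernel.system hands a single string to
# /bin/sh, which treats ";" as a command separator, so "id" runs as well.
def unsafe_command(name)
  "ls -l #{name}"
end

def list_unsafe(name)
  system(unsafe_command(name))
end

# Safe: argv form. Kernel.system with several arguments executes ls directly,
# with no shell, so the whole name is passed as one argument. "--" stops ls
# from reading a name that begins with "-" as an option.
def safe_argv(name)
  ["ls", "-l", "--", name]
end

def list_safe(name)
  system(*safe_argv(name))
end

# Fallback when a shell string is unavoidable: Shellwords.escape backslashes
# every metacharacter. Weaker than argv form, so prefer the version above.
def escaped_command(name)
  "ls -l #{Shellwords.escape(name)}"
end

# Defence in depth: allow-list the input before it gets anywhere near a command.
def safe_file_name?(name)
  name.match?(/\A[A-Za-z0-9._-]+\z/) && !name.start_with?("-")
end
```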
Struts
• Struts allows you to do dynamic method invocation.
• http://host/struts2_security_vulnerability/changepassword!changePassword.action?newPassword=my_new_password&username=bruce
• Disable it:
<init-param>
    <param-name>struts.enable.DynamicMethodInvocation</param-name>
    <param-value>false</param-value>
</init-param>
Thanks!