Secure CodingWeb Application Security Vulnerabilities and Best Practices

What is Secure Coding?

Is it this?

...or this?

...maybe even this?

Security Principles• Minimise Attack Surface Area

• Establish Secure Defaults

• Principle of Least Privilege

• Principle of Defence in Depth

• Fail Securely

• Separation of Duties

• Avoid Security by Obscurity

• Keep Security Simple

• Fix Security Issues Correctly

Minimise Attack Surface

• Every feature or technology is a risk.

• Secure development is all about reducing the risk by minimising the attack surface.

Thanks Boromir.

Establish Secure Defaults

• By default a system should be secure out-of-the-box.

• It should be up to the user to reduce their security if allowed.

Trust Morpheus!

Principle of Least Privilege

• Use the least possible privilege to perform the required business task.

Don’t be the luser!

Principle of Defence in Depth

• Always consider that upper layers are already compromised.

This is how we do it.

Fail Securely

• Code fails regularly.

Fail SecurelyisAdmin = true;!try { codeWhichMayFail(); isAdmin = isUserInRole("Administrator");} catch (Exception ex) { log.write(ex.toString());}

Separation of Duties

• Some roles have different levels of trust than normal users.

Hell yeah!?!

Avoid Security By Obscurity

• Security By Obscurity is a weak security control.

• Security By Obscurity depends on knowledge.

Don’t be like Dawson!

Keep Security Simple

• Simplicity leads to better understanding the system and its constraints.

Please!

Fix Security Issues Correctly

• Understand the root cause of the problem.

• Identify the the pattern of the problem.

• Some issues are wide-spread across the code base.

• Develop a Fix

• Develop Tests

Fix Security Issues Correctly PHP Hash Collision DOS(CVE-2011-4885)

• Problem: PHP was found vulnerable to a denial of service by submitting a large amount of specially crafted variables

• Solution: max_input_vars was introduced to limit the number of variables that can be used in a request

Fix Security Issues Correctly PHP Remote Code Execution(CVE-2012-0830)

if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) { php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);}!... code removed ...!PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC){!... code removed ...!if (is_array) {!... code removed ...! if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); }! ... code removed ...! symtable1 = Z_ARRVAL_PP(gpc_element_p);!... code removed ...!}

Fix Security Issues Correctly PHP Remote Code Execution(CVE-2012-0830)

• Vulnerability occurs when max_input_vars is exceeded and the variable is an array.

• Code execution occurs when Z_ARRVAL_PP is called to obtain reference of an updated hashtable.

• If number of variables is greater than max_input_vars, gpc_element will point to the previous variable value, which is not initialised memory.

Security in Languages

Rails/Grails/MVC

• Model/View/Controller and scaffolding paradigm is often abused.

Python

• Python has a funny way of dealing with different data types.

Python Number Rounding

round(4000/5000)# vsround(4000.0/5000)

JavaScript Type Problems

• JavaScript has loose semantics on its types.

JavaScript Types Differences

{} + {} = NaN{} + [] = 0[] + {} = "[object Object]"[] + [] = ""{} - 1 = -1[] - 1 = -1-1 + {} = "-1[object Object]"-1 + [] = "-1"

JavaScript Obfuscation

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.__$+"\\"+$.$__+$.___+")"+"\"")())();!// equal to!alert(1);

C

• In C the type system is completely arbitrary. You can do whatever you like with pointers.

Ruby

• The Ruby language supports the use of system commands.

• Kernel.system provides means of injecting malicious input into the application to bypass security measures.

Struts

• Struts allows you to do dynamic method invocation

• http://host/struts2_security_vulnerability/changepassword!changePassword.action?newPassword=my_new_password&username=bruce

• <init-param><param-name>struts.enable.DynamicMethodInvocation</param-name><param-value>false</param-value></init-param>

Thanks!