Secure Programming And Common Errors[Michele Orru Dec 2008]
0 likes1,846 views
This document provides a summary of common secure programming errors and vulnerabilities in web applications. It discusses input validation (CWE-20), output encoding (CWE-116), error message leaks (CWE-209), SQL injection (CWE-89), and cross-site scripting (CWE-79). Specific examples are provided and mitigation strategies are described, such as using a validation framework, stored procedures, and output encoding. The document is intended to educate developers on these risks and how to avoid them.
![h$p://www.integra1ngweb.com
h$p://an1snatchor.com
CWE-116:
Example
Credits: antisnatchor [http://antisnatchor.com/
2008/12/18/eclipse-birt-reflected-xss]
Java Exception stack trace was not HTML-
encoded, so we can inject an iframe
CWE-116: Example
GET
/birt-viewer/run?__report='"><iframe
%20src=javascript:alert(666)>&r=-703171660
HTTP/1.1
Host: localhost:8780
Our code was executed correctly in the
application output
14 of 44](https://image.slidesharecdn.com/secureprogrammingandcommonerrorsmicheleorru-dec2008-091202142845-phpapp02/85/Secure-Programming-And-Common-Errors-Michele-Orru-Dec-2008-14-320.jpg)
![h$p://www.integra1ngweb.com
h$p://an1snatchor.com
CWE-209: Examples!
1. www.dm.unibo.it
CWE-209: www.dm.unibo.it
Credits: antisnatchor
MySQL error when forging a malicious request
altering the anno parameter
GET /seminari/archivio.php?anno=2008%27 HTTP/1.1
Host: www.dm.unibo.it
[...]
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: dm=[...]
17 of 44](https://image.slidesharecdn.com/secureprogrammingandcommonerrorsmicheleorru-dec2008-091202142845-phpapp02/85/Secure-Programming-And-Common-Errors-Michele-Orru-Dec-2008-17-320.jpg)
![CWE-352: XSRF Who has been vulnerable?
h$p://www.integra1ngweb.com
h$p://an1snatchor.com
CWE-352: XSRF!
Who has been vulnerable?
ING direct [We discovered CSRF vulnerabilities in
ING's site that allowed an attacker to open
additional accounts on behalf of a user and transfer
funds from a user's account to the attacker's
account.]
Youtube
New York Times
Gmail [http://directwebremoting.org/blog/joe/
2007/01/01/
csrf_attacks_or_how_to_avoid_exposing_your_gm
ail_contacts.html]
38 of 44](https://image.slidesharecdn.com/secureprogrammingandcommonerrorsmicheleorru-dec2008-091202142845-phpapp02/85/Secure-Programming-And-Common-Errors-Michele-Orru-Dec-2008-38-320.jpg)
Secure Programming And Common Errors[Michele Orru Dec 2008]
- 1. Secure Programming and! Common Errors! PART I brought to you by Michele “AntiSnatchOr” Orrù and Integrating Web LTD Computer System Security course lead by Prof. Ozalp Babaoglu 3 December 2009 1
- 2. h$p://www.integra1ngweb.com h$p://an1snatchor.com Who am I? irector and CSO of Integrating Web LTD D achelor Degree in Internet Sciences B ndependent Security Researcher I wner of http://antisnatchor.com security O advisory blog EE developer J Outline 2 of 44
- 3. h$p://www.integra1ngweb.com h$p://an1snatchor.com Seminar outline (part I) iscuss the most relevant SANS top 25 D errors that concern Web Applications Seminar outline (part I) ractical demonstrations of some P vulnerable Real World web applications (my totally independent security research) nderstand the impact of these threats U on the most valuable web-app assets 3 of 44
- 4. h$p://www.integra1ngweb.com h$p://an1snatchor.com What we will discuss: CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output What we will discuss CWE-209: Error Message Information Leak CWE-89: Failure to Preserve SQL Query Structure (SQL injection) CWE-79: Failure to Preserve Web Page Structure (XSS) CWE-352: Cross-Site Request Forgery (XSRF) 4 of 44
- 5. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-20: Improper ! CWE-20: Improper Input Validation Input Validation The biggest issue on today’s Internet Applications (not just WebApps) Improper Input Validation can lead to security vulnerabilities when attackers can modify input in unexpected ways for the application The only way to protect our applications is by understanding that all input can be malicious 5 of 44
- 6. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-20: Example 8e6 R3000 Internet Filter (commercial HTTP(S) Proxy filter solution) CWE-20: Example 6 of 44
- 7. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-20: Example Credits: nnposter DNS based website blacklist can be bypassed by providing a forged request with custom HTTP header CWE-20: Example Http request: GET / HTTP/1.1 X-DecoyHost: www.milw0rm.org Host: www.blocked.org 7 of 44
- 8. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-20: Mitigation Understand every potential attack areas: parameters, arguments, cookies, headers, files, databases... CWE-20: Mitigation Whitelist approach instead of blacklist (you are certainly going to miss some character encoding variants) WebApp case: use a WebApp Firewall (ModSecurity/F5) or an Input Validation Framework for your language. 8 of 44
- 9. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-20: Mitigation! CWE-20: Mitigation with ModSecurity ModSecurity 9 of 44
- 10. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-20:MITIGATION CWE-20:MITIGATION OWASP ESAPI OWASP ESAPI A common set of interfaces for security controls such as: Authentication Access Control Input Validation Output Encoding Cryptography Error handling/logging 10 of 44
- 11. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-20: MITIGATION PHPIDS CWE-20: MITIGATION PHPIDS Input validation framework for PHP based applications Developed by skilled hackers (Mario Heiderich - .mario on sla.ckers.org) Try their demo with your nasty attack vectors here: http://demo.php-ids.org Integrated as a module in Drupal, works with the powerful Zend Framework (http://forum.php- ids.org/comments.php?DiscussionID=113) 11 of 44
- 12. CWE-116: Improper EncodingEscaping ! h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-116: Improper ! Encoding/Escaping ! of Output Insufficient output encoding is the often-ignored sibling to poor input validation Even if input has been filtered, application output could not be safe: it need to be encoded too Common examples: HTML/JavaScript injection of Output on web based applications 12 of 44
- 13. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-116: Example Eclipse BIRT (reporting system that integrates with Java/JEE applications) CWE-116: Example 13 of 44
- 14. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-116: Example Credits: antisnatchor [http://antisnatchor.com/ 2008/12/18/eclipse-birt-reflected-xss] Java Exception stack trace was not HTML- encoded, so we can inject an iframe CWE-116: Example GET /birt-viewer/run?__report='"><iframe %20src=javascript:alert(666)>&r=-703171660 HTTP/1.1 Host: localhost:8780 Our code was executed correctly in the application output 14 of 44
- 15. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-116: Mitigation Always encode Java stack traces (better to don’t show them to prevent Information Leakage) CWE-116: Mitigation Always encode application output, especially if it contains previously user-supplied input WebApp firewall and ESAPI/PHPIDS (you lazy developers :-)) 15 of 44
- 16. CWE-209: Error Message Information Leak h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-209: Error Message Information Leak Chatty or debug error messages could disclose important important information to attackers This information is used in the Penetration Testing phase called “Reconnaissance” Even these little secrets can greatly simplify a more concerted attack that yields much bigger rewards 16 of 44
- 17. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-209: Examples! 1. www.dm.unibo.it CWE-209: www.dm.unibo.it Credits: antisnatchor MySQL error when forging a malicious request altering the anno parameter GET /seminari/archivio.php?anno=2008%27 HTTP/1.1 Host: www.dm.unibo.it [...] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Proxy-Connection: keep-alive Cookie: dm=[...] 17 of 44
- 18. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-209: Examples! 1. www.dm.unibo.it CWE-209: www.dm.unibo.it Application response: Causing an SQL syntax error we discovered that the DB backend is MySQL We can now run more targeted attacks 18 of 44
- 19. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-209: Examples! 2. uniwex.unibo.it Credits: antisnatchor CWE-209: unibo.unibo.it Session Management was (IS actually) broken and can be manipulated If we are the hacker riding the victim’s session, and the victim then logout from Uniwex, his session (and ours, because is the same) is invalidated. If we invalidate a session and then we try to submit the previously “invalid” session token... MAGICALLY ... 19 of 44
- 20. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-209: Examples! 2. uniwex.unibo.it CWE-209: unibo.unibo.it 20 of 44
- 21. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-209: Examples! 2. uniwex.unibo.it The JSP page /unique/UniqueNewException.jsp CWE-209: unibo.unibo.it is clearly leaved there for debug purposes It shouldn’t be there in production!!! This revealed us that Tomcat is used as Application Server, and we’ve also obtained the specific version of a few frameworks on which the application was built: /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/struts-1.1.jar /home/unimatica/uniwex/uniwexng-4.4.0/WEB-INF/lib/myfaces- api-1.1.4.jar 21 of 44
- 22. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-89: ! SQL Injection These days most software is all about the data and how it can be served to maximize user and CWE-89: SQL Injection business needs The most common storage solution is a Relational Database(Oracle, MySQL, Postgres, MS-SQL, Sybase) If attackers can influence the SQL that you use to communicate with your database, then they can do nasty things for fun and profit 22 of 44
- 23. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-89: ! SQL Injection Discovering which web application parameters/ cookie/headers are querying the DB, we can test CWE-89: SQL Injection if input is properly escaped or not The previous example on www.dm.unibo.it demonstrates that input is not being escaped at all After we discovered the SQL injection we can fire-up our favorite injection tool to retrieve useful informations 23 of 44
- 24. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-89:Example! 1. www.dm.unibo.it Credits: antisnatchor CWE-89: www.dm.unibo.it Confirmed unescaped numeric injection on GET parameter “anno” We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0 For demonstration we retrieved the exact name of the database name to which the web app is bounded: dipartimento 24 of 44
- 25. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-89:Example! 2. www.virtus.it Credits: antisnatchor Confirmed unescaped numeric injection on GET CWE-89: www.virtus.it parameter “ID” (SPNewsDettaglio.asp) We were able to obtain details about the application stack: Microsoft IIS 6, ASP and SQL Server 2000 We retrieved the exact name of the database name to which the web app is bounded: ServizioNews (and a few tables too) 25 of 44
- 26. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-89: ! Mitigation Implement a validation framework (previously discussed) to protect your application Use stored procedures CWE-89: Mitigation Hibernate on JEE, NHibernate on .NET DB specific: Oracle DBMS_ASSERT directive, MySQL real_escape_string() function Use a whitelist approach, permitting only “known good input” 26 of 44
- 27. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-89: ! Dangers As you can see SQL injection can be devastating for the integrity of your data Data loss is probably the most negative CWE-89: Dangers consequence for an Enterprise If the web application (most of them, if not all) is storing web page content inside the DB, we can deface the site too 27 of 44
- 28. CWE-79: The Plague of Cross Site Scripting h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-79: The Plague of! Cross Site Scripting We can inject JavaScript, HTML, VBscript or other browser-executable content into pages generated by the application The page is then accessed by other users, whose browsers execute that malicious script as if it came from the legitimate user (the victim) 28 of 44
- 29. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-79: Examples! 1. www.cia.gov CWE-79: www.cia.gov 29 of 44
- 30. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-79: portal.hotspotsvankpn.com CWE-79: Examples! 2. portal.hotspotsvankpn.com 30 of 44
- 31. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-79: Mitigation A real world case example: Apache OFBiz implementation of ESAPI toolkit. After my JIRA issue they started to take really CWE-79: Mitigation care of security (I’m glad to) See http://fisheye6.atlassian.com/changelog/ ofbiz?cs=746409 and http://antisnatchor.com/ 2008/12/11/apache-ofbiz-multiple-security- vulnerabilities 31 of 44
- 32. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-79: Mitigation The changes of StringUtil.java class: CWE-79: Mitigation 32 of 44
- 33. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-79: Mitigation The changes of ModelScreenWidget.java class: CWE-79: Mitigation 33 of 44
- 34. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-79: Mitigation Validate every parameter/cookie/header/input that can be manipulated by a potential attacker and then displayed on the page CWE-79: Mitigation Do not create your own filters: you’ll probably miss some attack vectors or encodings Use well known Encoding/Validation frameworks such as ESAPI,PHPIDS,Microsoft Anti-XSS (yes, Microsoft, don’t laugh please :-)) 34 of 44
- 35. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: Cross Site Request Forgery CWE-352: Cross Site ! Request Forgery It exploits the trust that a website has for the currently authenticated user and executes unwanted actions on a web application on his behalf Once the request gets to the application, it looks as if it came from the user, not the attacker If the victim has admin privileges on the application: GAME OVER 35 of 44
- 36. CWE-352: XSRF Concrete Consequences h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: XSRF ! Concrete Consequences Performing illegal actions such as using victim's shopping cart, executing stock trades Changing DNS settings of home routers (thanks pdp & GNUCITIZEN) Performing a Denial Of Service attack on the application Combining it with XSS to build WORMS 36 of 44
- 37. CWE-352: XSRF Concrete Consequences h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: XSRF ! Concrete Consequences 1. Find a page with a lost-password form inside and find out which fields would be updated 2. Trick the administrator to load a hacker page with a malicious request on it that submits a new email 3. Administrator's e-mail is now changed to the email submitted by hacker 4. A hacker performs a lost-password request and receives a new password 37 of 44
- 38. CWE-352: XSRF Who has been vulnerable? h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: XSRF! Who has been vulnerable? ING direct [We discovered CSRF vulnerabilities in ING's site that allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user's account to the attacker's account.] Youtube New York Times Gmail [http://directwebremoting.org/blog/joe/ 2007/01/01/ csrf_attacks_or_how_to_avoid_exposing_your_gm ail_contacts.html] 38 of 44
- 39. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: XSRF! Example A simple practical attack: CWE-352: XSRF Example http://x.x.x.x/account/doTransfer?from=666&to=667 where 666 is a potential victim account and 667 the attacker one. Tricking the victim to load that URL will transfer money from one account to another one. 39 of 44
- 40. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: XSRF! 1. Apache OFBiz Read my advisory here: https:// CWE-352: Apache OFBiz issues.apache.org/jira/browse/OFBIZ-1959 We can create a malicious form that will add a product (eventually with some JS inside) to the Catalog If the victim is already authenticated she will not even realize what she did 40 of 44
- 41. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: XSRF! 1. Apache OFBiz CWE-352: Apache OFBiz <form method="POST" id="xsrf" name="xsrf" action="https://127.0.0.1:8443/catalog/control/createProduct"> <input type=hidden name="isCreate" value="true"> <input type=hidden name="productId" value="hack02"> <input type=hidden name="productTypeId" value="DIGITAL_GOOD"> <input type=hidden name="internalName" value="hack02<script>alert(document.cookie)</script>"> </form> <script>document.xsrf.submit(); </script> 41 of 44
- 42. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: XSRF! Mitigation CWE-352: XSRF Mitigation • Add a unique randomly-generated token to each request (maybe as an hidden form value): this n bit token is changed for every request and is verified by the application • <input id="fkey" name="fkey" type="hidden" value="df8652852f139" /> 42 of 44
- 43. h$p://www.integra1ngweb.com h$p://an1snatchor.com CWE-352: XSRF! Mitigation CWE-352: XSRF Mitigation • Use a secure framework such as ESAPI to add random token to your requests • Implement AJAX functionalities with secure libraries such as DWR-2.0 (Direct Web Remoting) that automatically prevents XSRF 43 of 44
- 44. h$p://www.integra1ngweb.com h$p://an1snatchor.com Thanks for your ! attention! Questions? 44 of 44