SECURE CODING

PART 1

ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER

MAGDA LILIA CHELLY

AGENDA

1. Introduction: What is security? How much security is necessary?

2. Security Framework

3. Design Principles - Least Privilege, Security vs. Obscurity

4. Good programming practices (OWASP TOP 10, CWE SANS TOP 25)

5. Practical Tools

6. Design (authentication, authorization, integrity)

7. C/C++ (buffer overflows, safe practices)

8. PHP (session handling, database)

9. OWASP TOP 10 Example SQL Injection

INTRODUCTION

Goal: Have a Guide for Secure Coding

When you are in charge of software development, ensure that you consider security:

• From the initial project requirements

• Throughout development

• Through deployment

• After deployment / During maintenance

SECURITY FRAMEWORK

I found the SD3 framework useful to get an overview of your secure coding approach.

SECURE BY DESIGN

• Secure architecture and code

• Threat analysis

• Vulnerability reduction

SECURE BY DEFAULT

• Attack surface area reduced

• Unused features turned off by default

• Minimum privileges used

SECURE IN DEPLOYMENT

• Protection: detection, defence, recovery, management

• Process: architecture guides

• People: training

LEAST PRIVILEGE, SECURITY VS. OBSCURITY

Take into consideration:

OWASP TOP 10

"The Open Web Application Security Project (OWASP) is a 501(c) worldwide not-for-profit charitable organization focused on improving the security of software."

CWE SANS TOP 25

The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most critical programming errors that can lead to critical software vulnerabilities.

GOOD PROGRAMMING PRACTICES

Ensure that you:

▪ Raise the security awareness of the design team with ongoing training

▪ Get security right during the design phase

▪ Define security goals

▪ Integrate security into all requirements

▪ Use threat modelling

Be Aware of the Insecure Interaction Between Components

Source: https://www.slideshare.net/blueinfy/advanced-applicationsarchitecturethreats

PRACTICAL TOOLS

Below are a few of the tools that I have been using, which have also received positive feedback from the industry's professionals:

• Burp Suite https://portswigger.net/burp

"Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Security."

• Veracode Static Analysis https://www.veracode.com/products/static-analysis-sast/static-code-analysis

"Static code analysis, also commonly called 'white-box' testing, is one of veracode's code review tools that looks at applications in non-runtime environment."

DESIGN (AUTHENTICATION, AUTHORIZATION, INTEGRITY)

He is "Yuri".

He has access to the web admin page.

▪ Identification is the first step when a user connects: the user is identified without yet being authenticated. This means that the user needs to be identified with a unique ID, and each value should be unique, for accountability.

▪ Authentication relies on three general factors for authenticating a user:

• Something a person knows, e.g. passwords

• Something a person has, e.g. an access card

• Something a person is, e.g. biometrics

▪ Authorization needs to be based on least privilege: access should be granted on a least-privilege basis.

▪ Integrity is an important aspect. Below are some of the important points to take into consideration:

• Secure database access

• Log all activity

• Define a unique identifier for each database admin

C/C++ (BUFFER OVERFLOWS, SAFE PRACTICES)

Example: int arr[5]

▪ In the above example, 'arr' defines an array of 5 integers.

▪ Assuming that the size of an integer is 4 bytes, the total buffer size of 'arr' is 5*4 = 20 bytes.

▪ arr[0] is the left boundary and arr[4] is the right boundary.

Buffer overflow example:

    char buff[5];      /* valid indices are 0..4 */
    buff[5] = 'a';     /* writes one byte past the end of the buffer */

▪ A buffer overflow is mainly due to a lack of verification of the amount of data written into the buffer.

▪ The attacker can therefore write more data into the buffer than it can hold.

▪ The problem is related to the fact that strcpy(), strcat() and sprintf() have no range checking.

▪ Stack buffer overflows are the most common.

Prevention can be achieved through some of the practices below:

▪ Mark the stack (and heap) as non-executable. Note that even with a non-executable heap and stack, exploits are still possible using return-oriented programming.

▪ Randomize the stack location with address space layout randomization (ASLR). It may still be possible to inject self-contained code that uses only relative memory references.

▪ Make sure that memory auditing is properly done (configure minimum and maximum memory).

▪ Use fgets() instead of gets().

fgets(), with the prototype char *fgets(char *str, int n, FILE *stream), reads input and saves it to the buffer until:

1) The buffer is 1 shy of being full (n-1 characters have been stored), or

2) '\n' is encountered, or

3) The stream reaches an end-of-file condition, or

4) An input error occurs.
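As an added example (not code from the deck), this C program exercises the fgets() stopping conditions above on the slide's 5-byte buffer, reports when a line was longer than the buffer instead of silently splitting it across two reads, and pairs it with a bounded replacement for the unchecked strcpy(); the names read_line, copy_bounded and run_demo are chosen here, and the input text is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Reads one line into buf (capacity cap, at least 1) with fgets(), which
 * stops one byte shy of a full buffer, at '\n', at end-of-file or on error.
 * Returns 1 for a complete line (newline stripped), 0 if nothing was read,
 * -1 if the line was longer than the buffer: cap-1 bytes are kept and the
 * rest of the line is drained so the next call starts on a fresh line. */
int read_line(char *buf, size_t cap, FILE *stream) {
    if (fgets(buf, (int)cap, stream) == NULL) { buf[0] = '\0'; return 0; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 1; }
    if (feof(stream)) return 1;            /* last line had no trailing '\n' */
    int c = fgetc(stream);                 /* buffer full: did the line end here? */
    if (c == '\n' || c == EOF) return 1;   /* exact fit, nothing was lost */
    while ((c = fgetc(stream)) != EOF && c != '\n') { /* drain the rest */ }
    return -1;
}

/* Bounded replacement for strcpy(): never writes past cap bytes and always
 * NUL-terminates. Returns 1 if src fit, 0 if it had to be truncated. */
int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n >= cap) { memcpy(dst, src, cap - 1); dst[cap - 1] = '\0'; return 0; }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Runs the scenario on the slide's 5-byte buffer and returns how many of
 * the 7 expected outcomes held (7 means every case behaved as documented). */
int run_demo(void) {
    char buff[5];
    int ok = 0;
    FILE *in = tmpfile();                  /* constructed stand-in for stdin */
    if (in == NULL) return -1;
    fputs("ab\nabcd\nlongline\nx", in);
    rewind(in);
    ok += read_line(buff, sizeof buff, in) == 1 && strcmp(buff, "ab") == 0;
    ok += read_line(buff, sizeof buff, in) == 1 && strcmp(buff, "abcd") == 0;  /* exact fit */
    ok += read_line(buff, sizeof buff, in) == -1 && strcmp(buff, "long") == 0; /* too long */
    ok += read_line(buff, sizeof buff, in) == 1 && strcmp(buff, "x") == 0;     /* EOF, no '\n' */
    ok += read_line(buff, sizeof buff, in) == 0;                                /* nothing left */
    fclose(in);
    ok += copy_bounded(buff, sizeof buff, "abcd") == 1 && strcmp(buff, "abcd") == 0;
    ok += copy_bounded(buff, sizeof buff, "overflow!") == 0 && strcmp(buff, "over") == 0;
    return ok;
}

int main(void) { printf("%d of 7 checks held\n", run_demo()); return 0; }
```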

▪ I owe a proper explanation of buffer overflow, as in the last course I just mentioned an issue with the memory.

▪ I can't forget the funny story about buffalos related to buffer overflow. Comment if you want to know what it is about ;)

PHP (SESSION HANDLING, DATABASE)

Sessions keep track of the user with a unique ID.

Session handling security practices rely on the actions below:

▪ Store session data in different locations

▪ Use built-in frameworks

▪ Encrypt session data

▪ "Secure" cookie attribute (send the cookie only over HTTPS)

▪ "HttpOnly" cookie attribute (the cookie is not accessible to client-side scripts)

▪ Session ID renewal after a privilege change

Database security practices rely on the actions below:

▪ Limit admin access to declared IP addresses

▪ Always use the .php extension for related files (includes, configuration) so that the server executes them instead of serving their contents as readable text

▪ Ensure that you do not save these .php files within the public folder

▪ Ensure that you create a separate user for each application database

OWASP TOP 10 SQL INJECTION

▪ SQL injection is a popular attack and a simple technique.

▪ It is based on code injection that affects your database. It can, for example, result in transactions being voided or balances being changed.

▪ It places a malicious SQL query into the application through an insecure web page input.

▪ It is very common with PHP and ASP applications.

A SQL injection attack is carried out in two phases:

▪ Research: the attacker submits different unexpected values, analyses how the application responds, and defines an attack (identify injectable parameters, identify the database type and version, discover the database schema, etc.).

▪ Attack: the attacker injects a predefined, chosen value into the SQL query, and it is executed as part of a SQL command by the database (denial of service by locking or deleting tables, bypassing authentication, privilege escalation, etc.).

SELECT accountnumber, balance FROM accounts WHERE accountowner_id = 24

This is a query to return the account balance for the user with the id 24.

If the attacker changes the user id to 0 OR 1=1, as below:

SELECT accountnumber, balance FROM accounts WHERE accountowner_id = 0 OR 1=1

the result will return all the account numbers and their respective balances, because 1=1 is true for every row.

I found an educational web application at http://www.techpanda.org/ that is vulnerable to SQL injection attacks, for demonstration purposes only.

You can exploit the password field. By entering xxx') OR 1 = 1 -- ] in the password field, you get the result and the details of the database.

OWASP Mutillidae II Web Pen-Test Practice Application is another tool that you can use to practice.

"OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA."

Over time, several hacks have been carried out with a simple SQL injection. One example is the attack on Sony Pictures. In 2011, the PlayStation Network was also attacked with a SQL injection.

The most common defences are:

▪ Neutralizing all special characters: escaping single quotes alone isn't enough to neutralize a SQL string.

▪ Input validation: ensure that your input is valid. If you're expecting letters, it shouldn't contain numbers or special characters, nor should a date of birth be allowed to be a sentence.

▪ Whitelisting technique: accept only values that match an explicit list or pattern of allowed input.
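As an added example (not code from the deck), this C program applies the input-validation and whitelisting defences above to the accountowner_id value from the earlier balance query: the id must be a positive decimal integer, so the numeric payload 0 OR 1=1 and the password-field payload quoted from the demo site are both rejected before any SQL text is built, and has_single_quote makes the point that quote escaping would never have touched the numeric payload. The names parse_account_id, has_single_quote and build_balance_query are chosen here; in production the validated id should still be bound through a parameterized query rather than formatted into the string.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allow-list validation for the accountowner_id value in the slide's query:
 * the only acceptable form is a positive decimal integer, so spaces, letters,
 * quotes and operators are rejected before any SQL is built.
 * Returns the id, or -1 if the input is rejected. */
long parse_account_id(const char *input) {
    if (input == NULL || *input == '\0' || strlen(input) > 10) return -1;
    for (const char *p = input; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;   /* digits only */
    errno = 0;
    char *end;
    long v = strtol(input, &end, 10);
    if (errno != 0 || *end != '\0' || v <= 0) return -1;
    return v;
}

/* Would escaping single quotes touch this input at all? The slide's numeric
 * payload contains none, which is why quote escaping alone does not stop it. */
int has_single_quote(const char *s) { return strchr(s, '\'') != NULL; }

/* Builds the slide's query only from a validated id and returns NULL for
 * anything the allow-list rejects. Static buffer: demo only, not reentrant.
 * In real code the validated id should still go through a parameterized query. */
const char *build_balance_query(const char *input) {
    static char query[128];
    long id = parse_account_id(input);
    if (id < 0) return NULL;
    snprintf(query, sizeof query,
             "SELECT accountnumber, balance FROM accounts WHERE accountowner_id = %ld", id);
    return query;
}

int main(void) {
    /* Constructed inputs: the legitimate id and the two payloads quoted on the slides. */
    const char *inputs[] = { "24", "0 OR 1=1", "xxx') OR 1 = 1 --" };
    for (size_t i = 0; i < 3; i++) {
        const char *q = build_balance_query(inputs[i]);
        printf("%-20s quote-escaping would change it: %-3s -> %s\n", inputs[i],
               has_single_quote(inputs[i]) ? "yes" : "no", q ? q : "REJECTED");
    }
    return 0;
}
```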

THANK YOU !

PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS
