Secure Coding - Web Application Security Vulnerabilities and Best Practices
TRANSCRIPT
Secure Coding: Web Application Security Vulnerabilities and Best Practices
What is Secure Coding?
Is it this?
...or this?
...maybe even this?
Security Principles
• Minimise Attack Surface Area
• Establish Secure Defaults
• Principle of Least Privilege
• Principle of Defence in Depth
• Fail Securely
• Separation of Duties
• Avoid Security by Obscurity
• Keep Security Simple
• Fix Security Issues Correctly
Minimise Attack Surface
• Every feature or technology is a risk.
• Secure development is all about reducing the risk by minimising the attack surface.
Thanks Boromir.
Establish Secure Defaults
• By default a system should be secure out-of-the-box.
• It should be up to the user to reduce their security, and only if the system allows that at all.
Trust Morpheus!
Principle of Least Privilege
• Use the least possible privilege to perform the required business task.
Don’t be the luser!
Principle of Defence in Depth
• Always assume the layers above you are already compromised, and have every layer enforce its own controls rather than trusting the one in front of it.
This is how we do it.
Fail Securely
• Code fails regularly. Decide before it happens what state a failure leaves behind: the safe default is to deny.
Fail Securely
```java
// Fails open: isAdmin starts as true, and if codeWhichMayFail() throws, the
// assignment from isUserInRole() is never reached, so the caller sees an administrator.
isAdmin = true;
try {
    codeWhichMayFail();
    isAdmin = isUserInRole("Administrator");
} catch (Exception ex) {
    log.write(ex.toString());
}
```
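The fail-open pattern from the slide next to a fail-closed version, as an added example in JavaScript; it is not code from the slides. rolesFor() is an assumed stand-in for a directory or database lookup that can fail, and the users alice, bob and carol are constructed test data (bob is the one whose lookup fails).

```javascript
// Stand-in for a role lookup that can fail (directory timeout, database down). The users are
// constructed: alice is an administrator, carol a plain user, and looking up bob always throws.
function rolesFor(user) {
  if (user === "bob") throw new Error("directory lookup timed out"); // simulated failure
  return user === "alice" ? ["Administrator"] : ["User"];
}

// Fail-open (the pattern on the slide): isAdmin starts true, and an exception in the try block
// leaves it true. Any failure the attacker can trigger grants administrator rights.
function isAdminFailOpen(user) {
  let isAdmin = true;
  try {
    isAdmin = rolesFor(user).includes("Administrator");
  } catch (ex) {
    console.error(ex.message);
  }
  return isAdmin;
}

// Fail-closed: the default is the least privilege, and a failure is treated as "not authorised",
// never as a pass. The explicit return in the catch makes the intent visible to the next reader.
function isAdminFailClosed(user) {
  let isAdmin = false;
  try {
    isAdmin = rolesFor(user).includes("Administrator");
  } catch (ex) {
    console.error(ex.message);
    return false;
  }
  return isAdmin;
}

// Better still: do not hide the outage inside a boolean. Deny and tell the caller why, so the
// request can fail with an error status instead of silently running as a lesser user.
function authoriseAdmin(user) {
  try {
    return { allowed: rolesFor(user).includes("Administrator"), reason: "roles-checked" };
  } catch (ex) {
    return { allowed: false, reason: "lookup-failed: " + ex.message };
  }
}
```

The difference between the second and third functions matters operationally: a boolean false during an outage looks identical to a legitimate denial in the logs, while the reason field lets the caller return a 5xx and lets detection tell "directory down" apart from "someone probing admin functions".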
Separation of Duties
• Some roles have different levels of trust than normal users.
Hell yeah!?!
Avoid Security By Obscurity
• Security by obscurity is a weak security control.
• Security by obscurity depends on the attacker not knowing how the system works, and that knowledge leaks: through source, through errors, through reverse engineering.
Don’t be like Dawson!
Keep Security Simple
• Simplicity leads to a better understanding of the system and its constraints, and what you understand you can review and test.
Please!
Fix Security Issues Correctly
• Understand the root cause of the problem.
• Identify the pattern of the problem.
• Some issues are wide-spread across the code base: one report often means many instances.
• Develop a fix.
• Develop tests.
Fix Security Issues Correctly: PHP Hash Collision DoS (CVE-2011-4885)
• Problem: PHP was found vulnerable to denial of service: a single request carrying a large number of parameters whose names were crafted to collide in PHP's hash table made inserting them take quadratic time.
• Solution: max_input_vars was introduced to limit the number of input variables a request may register.
Fix Security Issues Correctly: PHP Remote Code Execution (CVE-2012-0830)
```c
/* Request parameters are handed to php_register_variable_safe(), which ends up in
   php_register_variable_ex() below. */
if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
    php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
}
/* ... code removed ... */
PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC)
{
/* ... code removed ... */
    if (is_array) {
/* ... code removed ... */
        /* The max_input_vars check added for CVE-2011-4885: a new array element is created
           only while the count is at or below the limit. */
        if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
            if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING,
                    "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.",
                    PG(max_input_vars));
            }
            MAKE_STD_ZVAL(gpc_element);
            array_init(gpc_element);
            zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element,
                                 sizeof(zval *), (void **) &gpc_element_p);
        }
        /* Nothing assigns gpc_element_p when the limit is exceeded, yet it is dereferenced below. */
/* ... code removed ... */
        symtable1 = Z_ARRVAL_PP(gpc_element_p);
/* ... code removed ... */
}
```
Fix Security Issues Correctly: PHP Remote Code Execution (CVE-2012-0830)
• The vulnerability is in the max_input_vars check that was added to fix CVE-2011-4885: when the limit is exceeded and the variable being registered is an array, the block that creates the new element is skipped entirely.
• gpc_element_p is therefore never assigned in that iteration; it still holds whatever it held before, a stale pointer from a previously registered variable or uninitialised memory.
• Code execution occurs when Z_ARRVAL_PP(gpc_element_p) is called to obtain the hashtable of the nested array: it dereferences that stale pointer, and an attacker who shapes the request can control what it points at.
• The lesson for fixing correctly: the DoS fix bolted a limit check onto one branch without handling the case where the check fails. Once the limit is hit the function has to stop registering the variable and return, not fall through to code that assumes the element exists.
Security in Languages
Rails/Grails/MVC
• The Model/View/Controller and scaffolding paradigm is often abused: generated scaffolds expose full create/read/update/delete actions for a model, and they tend to go into production as generated rather than trimmed to what the application actually needs.
Python
• Python has a funny way of dealing with different data types: the same operator can mean different things depending on whether its operands are integers or floats.
Python Number Rounding
```python
round(4000/5000)
# vs
round(4000.0/5000)
# In Python 2, 4000/5000 is integer division and yields 0, so the first round() returns 0.0;
# making one operand a float gives 0.8, which rounds to 1.0. A limit or quota computed the
# first way is silently zero. In Python 3, / always divides as floats (both calls return 1)
# and // is the integer-division operator.
```
JavaScript Type Problems
• JavaScript's type semantics are loose: operators coerce their operands, and the result depends on the operand types and even on how the expression is parsed.
JavaScript Types Differences
```javascript
// Typed at a console (statement position) a leading {} is parsed as an empty block, not an
// object literal, so what is actually evaluated is the part after it.
{} + {}      // NaN                 (block, then +{} -> +"[object Object]" -> NaN)
{} + []      // 0                   (block, then +[] -> +"" -> 0)
[] + {}      // "[object Object]"   ("" + "[object Object]")
[] + []      // ""
{} - 1       // -1                  (block, then -1)
[] - 1       // -1                  ([] -> "" -> 0, then 0 - 1)
-1 + {}      // "-1[object Object]"
-1 + []      // "-1"
// In expression position (x = {} + {}) the first two give "[object Object][object Object]"
// and "[object Object]", and {} - 1 gives NaN.
```
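The table shows arithmetic coercion; the same loose semantics bite harder in comparisons. Below is an added example, not code from the slides, showing how values shaped like what a query-string or JSON body parser produces (strings, arrays, objects, booleans) satisfy loose checks written for a number or a string, and the strict checks that reject them. The input values are constructed for the demonstration.

```javascript
// Loose equality coerces both sides, so several attacker-shaped values satisfy "== 0".
function isGuestLoose(userId) {
  return userId == 0;
}

// Strict version: only the number 0 (not "", "0", [], [0], false or "0x0") is the guest id.
function isGuestStrict(userId) {
  return Number.isInteger(userId) && userId === 0;
}

// A one-element array coerces to that element's string form: ["admin"] == "admin" is true.
// Query-string parsers commonly produce arrays for repeated keys (?role=a&role=b).
function hasRoleLoose(role, wanted) {
  return role == wanted;
}

function hasRoleStrict(role, wanted) {
  return typeof role === "string" && role === wanted;
}

// Reject anything that is not a primitive string before it reaches a comparison or a query.
function requireString(value, name) {
  if (typeof value !== "string") {
    const kind = Array.isArray(value) ? "array" : value === null ? "null" : typeof value;
    throw new TypeError(`${name} must be a string, got ${kind}`);
  }
  return value;
}

// Runs the loose checks over constructed inputs and counts how many of them pass.
function looseMatches() {
  const guestInputs = ["", "0", [], [0], false, null, undefined, "0x0"];
  const adminInputs = [["admin"], "admin", { toString: () => "admin" }];
  return {
    guestCount: guestInputs.filter(isGuestLoose).length,          // 6 of 8 pass
    adminCount: adminInputs.filter((r) => hasRoleLoose(r, "admin")).length, // all 3 pass
  };
}
```

The practical rule: validate the type of every request value at the boundary (requireString and friends), then compare with === only. The loose forms are what you will find in code that was written against a test client that only ever sent strings.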
JavaScript Obfuscation
```javascript
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.__$+"\\"+$.$__+$.___+")"+"\"")())();
// equal to
alert(1);
```
C
• In C the type system is barely enforced: a cast lets you treat any pointer as a pointer to anything else, and nothing checks bounds, lifetimes or alignment at run time. You can do whatever you like with pointers, and so can the attacker who controls the data they point at.
Ruby
• The Ruby language supports running system commands (Kernel#system, backticks, exec, IO.popen).
• When Kernel#system is given a single string containing shell metacharacters, Ruby hands it to /bin/sh, so any user input interpolated into that string can inject additional commands and bypass whatever security measures the application enforces. Passing the program and its arguments separately avoids the shell.
Struts
• Struts 2 supports Dynamic Method Invocation (DMI): a `!method` suffix on the action name in the URL selects which method of the action class to call.
• With it enabled, the URL below invokes changePassword() on the changepassword action directly, with newPassword and username bound from the query string, skipping whatever flow was meant to lead there:
• http://host/struts2_security_vulnerability/changepassword!changePassword.action?newPassword=my_new_password&username=bruce
• Disable it unless you actually rely on it:
```xml
<init-param>
  <param-name>struts.enable.DynamicMethodInvocation</param-name>
  <param-value>false</param-value>
</init-param>
```
Thanks!