SOFTWARE SECURITY BASICS
By CY L. https://github.com/cyl337
Photo Credit: Yuri Samoilov CC BY 2.0

OBJECTIVES OF THIS SHARING
To provide a brief introduction to software security and web attacks
To raise security awareness in program design and implementation

AGENDA
1. Overview on Software Security
2. Common Web Attacks
3. Secure Programming Practice

PART 1: OVERVIEW ON SOFTWARE SECURITY

WHAT IS SOFTWARE SECURITY?
Functionality concerns correctness
e.g. a search function should return results based on the user's input
Security concerns preventing undesired behaviour
e.g. a search function should NOT reveal the admin password

UNDESIRED BEHAVIOURS
Stealing information: breach of confidentiality
Modifying information or functionality: breach of integrity
Denying access: breach of availability

SESSION'S FOCUS
In this session we will focus on
Reducing vulnerabilities caused by defects in design and implementation
Avoiding web attacks in particular
Other areas not covered
Low-level attacks (e.g. buffer overflows)
Static analysis and symbolic execution
Defensive measures such as anti-virus and firewalls
Usable security, e.g. authentication and secure browsing

PART 2: COMMON WEB ATTACKS

COMMON WEB ATTACKS
Cross-Site Scripting (XSS)
SQL Injection
Cross-Site Request Forgery (CSRF)

COMMON WEB ATTACKS: Cross-Site Scripting (XSS)

CROSS-SITE SCRIPTING (XSS)
Subverts the Same-Origin Policy
Tricks the user's browser into believing the malicious script originated from the trusted server
The malicious script then runs with the privileges the browser grants that trusted origin (its DOM, its cookies, the user's authenticated session)

CROSS-SITE SCRIPTING (XSS)
[Diagram: Browser, Attacker.com, Trusted.com]
1. Inject malicious script
4. Execute malicious script as though the trusted server meant us to run it

CROSS-SITE SCRIPTING (XSS)
Counter-measures
Validate user input before publishing it, and encode it for the context it is rendered into (HTML body, attribute, JavaScript, URL) so the browser treats it as data, not code
Sanitizing
Filter out all scripts (e.g. <script> tags, javascript: URLs)
... but there are ways to circumvent a blacklist: event-handler attributes (onerror, onload), case variations, or nested tags that re-form after one pass of stripping
White list
Instead of full markup language support, accept only a simple restricted subset, e.g. markdown
... and note that many markdown renderers pass raw HTML through unchanged, so the rendered output still needs an allow-list HTML sanitizer
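
The two countermeasures above, side by side, as an added example that is not part of the original slides (Python is used here instead of the deck's Java because it needs no web stack to run). It strips <script> tags the way a naive filter would, encodes the same input for the HTML-body context instead, and runs both over constructed payloads; `contains_markup` is a demo-only check for a surviving tag, not a real XSS detector.

```python
"""Added example (not from the slides): a <script>-tag blacklist beside
context-aware output encoding, run over constructed payloads.

Assumption: the untrusted string is being placed between HTML tags (the
"HTML body" context). Attribute, JavaScript and URL contexts each need
their own encoder; this block shows only the body context."""
import html
import re

# The slide's "filter out all scripts" idea: strip <script ...> and </script>.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def blacklist_filter(untrusted: str) -> str:
    """Remove <script> tags and nothing else. The filter only knows one of
    the many ways a browser can be made to run JavaScript."""
    return _SCRIPT_TAG.sub("", untrusted)


def encode_for_html_body(untrusted: str) -> str:
    """Output encoding for text placed between tags: < > & " ' become
    entities, so whatever the input contains is rendered as text."""
    return html.escape(untrusted, quote=True)


def contains_markup(rendered: str) -> bool:
    """Demo check: does the string still contain a literal tag start
    (`<` followed by a letter or `/`) that a browser would parse as markup?"""
    return re.search(r"<[A-Za-z/]", rendered) is not None


# Constructed payloads. Only the first is caught by the blacklist.
PAYLOADS = {
    "plain_script": "<script>alert(document.cookie)</script>",
    "event_handler": '<img src=x onerror="alert(document.cookie)">',
    "attribute_breakout": '"><svg onload=alert(1)>',
    # one pass of stripping the inner <script> re-forms the outer one
    "nested_tag": "<scr<script>ipt>alert(1)</script>",
}


def compare_defences() -> dict:
    """For each payload, report whether executable markup survives the
    blacklist and whether it survives output encoding."""
    return {
        name: {
            "blacklist_bypassed": contains_markup(blacklist_filter(payload)),
            "encoding_bypassed": contains_markup(encode_for_html_body(payload)),
        }
        for name, payload in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, result in compare_defences().items():
        print(f"{name:18} blacklist bypassed: {result['blacklist_bypassed']!s:5} "
              f"encoding bypassed: {result['encoding_bypassed']}")
```

The nested payload is the instructive one: the filter removes the inner `<script>` and leaves behind exactly the tag it was meant to remove, which is why a filter must be applied until a fixed point or, better, replaced by encoding at output time.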

COMMON WEB ATTACKS: SQL Injection

SQL INJECTION
Inject SQL statements into the parameters of the original query statement
The program confuses input data with code and executes the malicious SQL statements

SQL INJECTION
http://xkcd.com/327/ (xkcd 327, "Exploits of a Mom")

SQL INJECTION
// Vulnerable: the user-controlled username and password are concatenated into the SQL text
String sql =
    "select * from user where username='" + username + "' and password='" + password + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sql);

SQL INJECTION
With username = anyone' or 1=1; -- and password = whocares, the query becomes:
select * from user where username='anyone' or 1=1; -- ' and password='whocares'
The -- comments out the password check and "or 1=1" matches every row, so the login succeeds as the first user returned.
With username = anyone' or 1=1; DROP TABLE user; -- the query becomes:
select * from user where username='anyone' or 1=1; DROP TABLE user; -- ' and password='whocares'
Whether the stacked DROP TABLE actually runs depends on the driver: many execute only one statement per call (MySQL Connector/J, for instance, needs allowMultiQueries=true), but the injection itself is present either way.

SQL INJECTION
Counter-measures
Validate user input
Whitelist: accept only the characters or formats the field legitimately needs (e.g. a numeric id, a username pattern)
Blacklist: remove or reject special SQL characters (e.g. ' ; -- \)
... fragile, because the set of dangerous characters depends on the database and on the character encoding
Escaping
Escape special SQL characters so they are read as literal data
... also easy to get wrong by hand; prefer parameterized queries

SQL INJECTION
Counter-measures
Prepared Statement (Parameterized Queries)
// The SQL text is fixed; the value is bound separately and can never change the query's structure
String sql = "SELECT * FROM User WHERE userId = ?";
PreparedStatement prepStmt = conn.prepareStatement(sql);
prepStmt.setString(1, userId);
ResultSet rs = prepStmt.executeQuery();

SQL INJECTION
Counter-measures
Limit privileges
Connect with a database account that has only the rights each operation needs, limited per table (e.g. SELECT on user for the login path, no DROP or other DDL), so that a successful injection does less damage
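
The login query from the slides, the two injected usernames and the prepared-statement fix, run end to end as an added example that is not part of the original slides. It is written in Python with the standard-library sqlite3 module so it runs offline; the `user` table, its two rows and the inputs are constructed for the demo, and passwords are stored in clear only to mirror the slide (real code stores a salted hash).

```python
"""Added example (not from the slides): the slide's concatenated login query
run against an in-memory SQLite table named `user`, with the `' or 1=1; --`
bypass, the stacked `DROP TABLE` attempt, and the parameterized fix.

Everything here is constructed for the demo: the table, the two rows and
the inputs. Passwords are stored in clear only to mirror the slide; real
code stores a salted hash and compares against that."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Mirrors the slide: input is pasted into the SQL text, so the database
    cannot tell a quote typed by the user from the quotes the developer wrote."""
    sql = ("select * from user where username='" + username
           + "' and password='" + password + "'")
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.Error):
        # Python's sqlite3 refuses to run more than one statement per
        # execute(), so the stacked DROP is rejected here. Drivers that allow
        # multiple statements per call would run it.
        return []


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so a quote in the input is just a character in a value."""
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


# The two usernames from the slide (password is "whocares" in both cases).
BYPASS = "anyone' or 1=1; --"
DROP = "anyone' or 1=1; DROP TABLE user; --"


def demo() -> dict:
    conn = make_db()
    return {
        # every row matches "or 1=1", and "--" comments out the password check
        "vulnerable_bypass_rows": len(login_vulnerable(conn, BYPASS, "whocares")),
        # the same string is looked up literally as a username: no match
        "safe_bypass_rows": len(login_safe(conn, BYPASS, "whocares")),
        "safe_real_login_rows": len(login_safe(conn, "bob", "hunter2")),
        "drop_attempt_rows": len(login_vulnerable(conn, DROP, "whocares")),
        "table_survived": table_exists(conn, "user"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The vulnerable login returns both rows for the bypass payload; the parameterized one returns none, because the whole string is compared as a username. The stacked DROP is refused by this particular driver, which is the point of the caveat on the previous slides: the privilege limit is what protects the table when the driver does allow stacked statements.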

COMMON WEB ATTACKS: Cross-Site Request Forgery (CSRF)

CROSS-SITE REQUEST FORGERY (CSRF)
URLs with side effects
http://bank.com/transfer?amount=99999&to=attacker
The user is tricked into visiting the crafted link (or a page that loads it, e.g. from an <img> tag) while logged in
The browser attaches the user's session cookie automatically, so bank.com carries out a request the user never intended

CROSS-SITE REQUEST FORGERY (CSRF)
[Diagram: Browser, Attacker.com, bank.com. User logged on to bank.com. $$$]

CROSS-SITE REQUEST FORGERY (CSRF)
Counter-measures
Avoid URLs with side effects: state-changing actions go in POST requests, never GET
Check the HTTP Referer header (and, in newer browsers, Origin) against your own site; the header may be stripped by privacy settings or proxies, so treat this as a supporting check
Secretized link
Include an unguessable per-session token as a parameter; prefer a hidden form field to the query string, since URLs leak through logs, browser history and the Referer header
In addition, the SameSite attribute on the session cookie stops modern browsers from attaching it to cross-site requests
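
The token and Referer/Origin countermeasures above, applied to the slide's /transfer action, as an added example that is not part of the original slides. It is Python rather than the deck's Java so it runs without a servlet container; the session store, request objects and the bank's origin are constructed for the demo, and the handler returns status strings instead of real HTTP responses.

```python
"""Added example (not from the slides): a synchronizer (anti-CSRF) token and
an Origin/Referer check guarding the slide's /transfer action. Session store,
request objects and the bank's origin are constructed for the demo."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.com"  # assumed origin of the protected site


@dataclass
class Session:
    user: str
    # unguessable token bound to this session, created at login
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    session: Session  # looked up from the cookie the browser attached automatically


def render_transfer_form(session: Session) -> str:
    """The token goes in a hidden field of a POST form rather than the query
    string, so it does not leak via logs, history or the Referer header."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="amount"><input name="to"><button>Send</button></form>')


def origin_matches(headers: dict) -> bool:
    """Supporting check: if Origin (or, failing that, Referer) is present it
    must name our own site. Both may be absent for legitimate reasons, so
    absence is not rejected here; the token below is the primary defence."""
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return True
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_transfer(req: Request) -> str:
    if req.method != "POST":  # no side effects on GET
        return "405 method not allowed"
    if not origin_matches(req.headers):
        return "403 cross-site request"
    submitted = req.form.get("csrf_token", "")
    # constant-time comparison against the token bound to this session
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return "403 missing or bad CSRF token"
    return f"200 {req.session.user} sent {req.form['amount']} to {req.form['to']}"


def demo() -> dict:
    session = Session(user="alice")
    legit = Request("POST", "/transfer", {"Origin": SITE_ORIGIN},
                    {"csrf_token": session.csrf_token, "amount": "10", "to": "bob"}, session)
    # attacker.com auto-submits a form: the browser sends alice's cookie, but the
    # attacker can neither read her token nor forge the Origin header
    forged = Request("POST", "/transfer", {"Origin": "https://attacker.com"},
                     {"amount": "99999", "to": "attacker"}, session)
    # the slide's URL with side effects, loaded e.g. from an <img> tag
    via_get = Request("GET", "/transfer?amount=99999&to=attacker", {}, {}, session)
    # headers stripped and a guessed token: the token check still fails
    guessed = Request("POST", "/transfer", {},
                      {"csrf_token": "guess", "amount": "99999", "to": "attacker"}, session)
    return {"legit": handle_transfer(legit), "forged": handle_transfer(forged),
            "via_get": handle_transfer(via_get), "guessed": handle_transfer(guessed),
            "form_has_token": session.csrf_token in render_transfer_form(session)}
```

Only the request that carries the token issued to alice's own session gets through; the attacker's page can make her browser send her cookie, but it cannot read the token out of bank.com's page because of the same-origin policy, which is exactly the boundary XSS would break.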

CROSS-SITE REQUEST FORGERY (CSRF)
More information on other common attacks:
https://www.owasp.org/index.php/Top_10_2013-Top_10

PART 3: SECURE PROGRAMMING PRACTICE

SECURE PROGRAMMING PRACTICE
A very common source of vulnerability is a program confusing data with instructions

SECURE PROGRAMMING PRACTICE
Trust with reluctance
Always validate external input
Eliminate input data that could be confused with instructions

SECURE PROGRAMMING PRACTICE
Client-side validation
Early feedback on the user's mistakes
Better user experience
But it can be circumvented, ALWAYS (the attacker controls the client and can send any request directly)
Server-side validation
Gatekeeper
Should guard against any invalid input
It can NEVER be replaced by client-side validation, NOT even partly

VARIOUS TYPES OF EXTERNAL INPUT
Form field
Query string
Hidden form field (as editable by the user as a visible one)
Cookie
Header
AJAX request body

PRACTICE ON FORM PROCESSING
[Diagram: External input -> Servlet / controller / Managed Bean -> External input -> Backend Handler / Session Bean]

PRACTICE ON FORM PROCESSING
Problem
Backend expects untainted, trusted, valid input
[Diagram: @tainted External input -> Servlet / controller / Managed Bean -> @tainted External input -> Backend Handler / Session Bean]

PRACTICE ON FORM PROCESSING
Better approach
Validate external input and only pass validated data to the backend
[Diagram: @tainted External input -> Servlet / controller / Managed Bean with validation -> @untainted Validated input -> Backend Handler / Session Bean]

PRACTICE ON FORM PROCESSING
Form VO: untrusted
Backend DTO: trusted
public String doSubmit() {
    // formVo holds the raw (tainted) form values; backendDto is built only from values that passed validation
    if (validate(formVo, request) == PASS) {
        backendDto = composeDto(formVo, request);
        BackendHandler.process(backendDto);
        return "success";   // navigation outcome (assumed)
    } else {
        // Reject input
        return "failure";   // navigation outcome (assumed)
    }
}
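
The validate-then-compose pattern of doSubmit(), carried through for a concrete transfer form as an added example that is not part of the original slides. It is Python rather than the deck's Java; the field names, the allow-list rules, the `TransferDto` type and the backend handler are all constructed for the demo. The design point is that the backend accepts only the trusted type, and that type is only ever built by the validator.

```python
"""Added example (not from the slides): the doSubmit() validate-then-compose
pattern in Python. The raw form is the untrusted VO; TransferDto is the
trusted DTO the backend accepts. Field names, rules and the backend handler
are constructed for the demo."""
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Mapping

# Allow-list rules: say what is valid, not what is forbidden.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
MIN_AMOUNT, MAX_AMOUNT = Decimal("0.01"), Decimal("10000.00")
MEMO_MAX_LEN = 140


class ValidationError(ValueError):
    pass


@dataclass(frozen=True)
class TransferDto:
    """Trusted DTO handed to the backend. Frozen so it cannot be altered
    after validation; only compose_dto() is meant to construct it."""
    payee: str
    amount: Decimal
    memo: str


def compose_dto(form: Mapping[str, str]) -> TransferDto:
    """Validate the tainted form and build the untainted DTO. Every field is
    checked against what the backend actually expects, and all problems are
    collected so the user sees them at once."""
    errors = []

    payee = form.get("payee", "").strip()
    if not USERNAME_RE.fullmatch(payee):
        errors.append("payee: 3-32 characters from a-z, 0-9, _")

    amount = None
    try:
        amount = Decimal(form.get("amount", "").strip())
    except InvalidOperation:
        errors.append("amount: not a number")
    else:
        if (not amount.is_finite()
                or not MIN_AMOUNT <= amount <= MAX_AMOUNT
                or amount.as_tuple().exponent < -2):
            errors.append("amount: must be 0.01 to 10000.00 with at most 2 decimals")

    # Memo is free text: length and control characters are checked here;
    # HTML-encoding it is the job of whatever renders it later.
    memo = form.get("memo", "")
    if len(memo) > MEMO_MAX_LEN or any(ord(c) < 32 for c in memo):
        errors.append(f"memo: at most {MEMO_MAX_LEN} printable characters")

    if errors:
        raise ValidationError("; ".join(errors))
    return TransferDto(payee=payee, amount=amount, memo=memo)


def backend_process(dto: TransferDto) -> str:
    """The backend handler assumes valid input; it gets that guarantee from
    the type it accepts, not from re-checking raw strings."""
    return f"transfer {dto.amount} to {dto.payee}"


def do_submit(form: Mapping[str, str]) -> str:
    """The controller step from the slide: validate, then pass only
    validated data to the backend, otherwise reject."""
    try:
        dto = compose_dto(form)
    except ValidationError as exc:
        return f"rejected: {exc}"
    return backend_process(dto)
```

Note that the username rule rejects the SQL-injection payload from the earlier slides as a side effect of saying what a username looks like, not by searching for quotes; that is the difference between an allow-list and a blacklist.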

SUMMARY
Software security is concerned with preventing breaches of
Confidentiality
Integrity
Availability
Some common web attacks and countermeasures
XSS
SQL Injection
CSRF
Principle: trust with reluctance
Always validate external input

REFERENCE
2013 Top 10 security risks | Open Web Application Security Project (OWASP)
https://www.owasp.org/index.php/Top_10_2013-Top_10
Software Security online course on Coursera
https://www.coursera.org/course/softwaresec
Badstore - ISO image for demonstrating web application vulnerabilities
https://www.vulnhub.com/entry/badstore-123,41/