Classes of Security Defects
Table of Contents:
Course Overview and Objectives
SQL Injection
Defining SQL Injection
Defending against SQL Injection
Command Injection
Defining Command Injection
Defending against Command Injection
Defining Unprotected Network Traffic
Defending against Unprotected Network Traffic
Defining Lack of Server-side Authorization
Defending against Lack of Server-side Authorization
Spoofing
Defining Spoofing
Spot the Bug!
Defending against Spoofing
Information Leakage
Defining Information Leakage
Defending against Information Leakage
Locating Additional Resources
Defining Improper Error Handling
Defending against Improper Error Handling
Weak Authentication
Defining Weak Authentication
Defending against Weak Authentication
Defining Weak Data Protection
Defending against Weak Data Protection
Buffer Overflows
Defining Buffer Overflows
Defending against Buffer Overflows
Defining Format String Problems
Defending against Format String Problems
Integer Overflows
Defining Integer Overflows
Defending against Integer Overflows
Defining Improper File Access
Defending against Improper File Access
Defining Improper Use of SSL and TLS
Stop and Think!
Defending against Improper Use of SSL and TLS
Defining Unauthenticated Key Exchange
Defending against Unauthenticated Key Exchange
Locating Additional Resources
Defining Weak Random Number Generation
Defending against Weak Random Number Generation
Locating Additional Resources
Race Conditions
Defining Race Conditions
Defending against Race Conditions
Poor Usability
Defining Poor Usability
Spot the Bug!
https://teamprofessor.absorbtraining.com/courses/clients/378/Courses/SI%20Library/tst201_c_csd_130616_v4/CourseFiles/print.htm
1/74
9/29/2016
Defending against Poor Usability
Locating Additional Resources
Course Summary
Locating Additional Resources (1 of 3)
Locating Additional Resources (2 of 3)
TEAM Mentor eKnowledge
Understanding the Roots of Security Defects

The Causes of Software Defects

Software development is a human activity. Therefore, defects (or bugs) are an unavoidable part of the software development process. Achieving correctness during a given phase of the development process does not guarantee that defects will not be introduced at a later stage of a system's lifecycle.

As a matter of fact, software defects can be introduced at any stage of the development lifecycle, due to:

- Incorrect requirements: Gathering erroneous or incomplete requirements will certainly lead to software defects.
- Improper design: A bad application design may:
  - Be based on mistaken assumptions.
  - Make subtle decisions that have a disproportionate effect on overall robustness.
  - Neglect certain areas of the application.
  - Be insufficiently clear and concise for developers to follow.
- Errors in implementation: Coding defects can be introduced as a result of many factors, including:
  - Individual programming skill.
  - Bad coding practices.
  - Lack of understanding of the design documents.
- Improper verification: An inefficient testing process that fails to verify general program correctness will cause defects to remain unnoticed and therefore unresolved.
- Deployment and configuration errors: Insufficient guidance on how to deploy and configure a system can cause it to work improperly.
- Lack of maintenance: Inadequate maintenance of released software prevents users from taking the proper measures to mitigate potential errors contained in the software.
Narration: A program's intended behavior is usually based on a set of functional requirements that are derived from real business needs.

The software's actual behavior, however, almost never perfectly coincides with its intended behavior.

Functional defects represent the part of the intended software behavior that is either missing or improperly implemented.

Security defects, however, result in extra functionality that the application exposes to malicious attackers, who can use it to compromise the system.
Defending against Common Security Defects

Cross Site Scripting
Applicability

Cross site scripting exploits attempt to run malicious scripts (JavaScript or VBScript) inside the victims' browsers. Therefore, cross site scripting vulnerabilities affect Web applications in general, regardless of the language they are written in. Any application that exhibits the following behavior is at risk of cross site scripting:
- The Web application takes input from the user (data part of the HTTP request).
- The Web application does not check for the validity of user input.
- The Web application echoes user input into a browser.

Explanation

Potential Impact

Successful cross site scripting attacks can have many different outcomes as they result in the attacker controlling the victim's browser. Classical attack scenarios usually involve the attacker stealing the victim's session cookie and gaining access to the victim's account on the application. This typically opens the door to other malicious actions that depend on the vulnerable application's functionality. More advanced exploitation techniques aim at bypassing the victim's network security and performing network level attacks, such as port scanning or the exploitation of unpatched systems.
Narration: The following shows part of the ASP.NET source code for a "forgotten password" feature, along with the corresponding Web user interface. This feature allows users who have forgotten their password to retrieve it by providing their email address.

Use the drop-down menu below to submit different strings to the application and observe the resulting behaviors.

The email address that was submitted to the application was not found. Note that the email address that was submitted is included by the application in the error message.

The string submitted altered the HTML of the resulting page. This usually indicates the existence of a more important type of security issue.

The string submitted triggered a script injection bug, otherwise known as a cross site scripting vulnerability. This bug can be exploited to execute arbitrary scripts in a victim user's browser.
Avoiding Cross Site Scripting

Cross site scripting vulnerabilities usually arise from the following false assumptions:
- Input will not contain executable content such as HTML, JavaScript, VBScript or XML.
- Input will only contain data.
- Input will only contain the assumed HTML tags.

These assumptions result in the following insecure coding behaviors:
- Accepting data from Web users without properly sanitizing it.
- Outputting dynamic data to Web pages without checking for dangerous characters/content.

In order to avoid cross site scripting vulnerabilities, the following best practices should be applied:
- Perform input validation.
  - Detect illegal characters in user input.
  - Use the Microsoft Anti-XSS Library.
  - Use allow lists to reject dangerous characters such as <, >, ", '.
- Perform output validation.
  - Be aware of the context in which input data will be output into Web pages, such as HTML elements, attributes, JavaScript.
  - Encode all output using the HtmlEncode and UrlEncode methods of the Microsoft Anti-XSS library.
- Generate secure error messages.
  - Helpful error messages that don't reveal information to an attacker.
  - Do not echo the user input that triggered the error.
Code Reviewing for Cross Site Scripting

Testing for Cross Site Scripting

The above code constructs should be checked for XSS when code reviewing. Alternatively, follow the below guidelines to detect Cross site Scripting during testing:

Testing a Web application for Cross site Scripting bugs is fairly simple. The goal is to make the application output HTML/executable script when it is not supposed to. To do this, set all input parameters of the application to a known value containing HTML-specific characters or executable content such as <SCRIPT>alert('TEST')</SCRIPT>. Then attempt to make the application output the data that was submitted. If the test data is output to a Web page unchanged, then you have identified a Cross site Scripting bug. Such tests can be performed by manually inputting data through the browser, by using semi-automated tools such as proxies, or by using fully automated Web scanners.

The following tools can assist you in testing for Cross site Scripting vulnerabilities:
- Web proxies:
  - Burp Proxy: A simple, lightweight but efficient Web proxy tool.
  - Paros: A more comprehensive HTTP/S proxy.
- Web vulnerability scanners:
  - Acunetix Web Vulnerability Scanner.
  - IBM Watchfire AppScan.
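The "forgotten password" error message from the narration above, first rendered the vulnerable way and then with the context-aware output encoding and non-echoing message the best practices call for, plus the reflection check that the testing paragraph describes. This is an added Python example, not the course's ASP.NET code: html.escape and urllib.parse.quote stand in for the Anti-XSS library's HtmlEncode and UrlEncode, and the function names and sample inputs are constructed.

```python
import html
from urllib.parse import quote

# Constructed sample inputs: a normal address and the course's own probe string.
BENIGN_EMAIL = "alice@example.com"
PROBE = "<SCRIPT>alert('TEST')</SCRIPT>"


def not_found_message_unsafe(email: str) -> str:
    """Vulnerable variant: echoes the submitted address verbatim into HTML."""
    return f"<p>The email address {email} was not found.</p>"


def not_found_message_safe(email: str) -> str:
    """Hardened variant: encode the echoed value for each output context.

    The value lands in two places: element text, and a URL inside an href
    attribute.  Each needs the encoding appropriate to that context.
    """
    # Element content: html.escape(quote=True) encodes <, >, &, " and ',
    # i.e. the dangerous characters the course lists.
    text = html.escape(email, quote=True)
    # URL context: percent-encode so the value cannot break out of the query
    # string, then HTML-encode again because the URL sits in an attribute.
    href = "/forgot?email=" + quote(email, safe="")
    return (
        f'<p>The email address "{text}" was not found. '
        f'<a href="{html.escape(href, quote=True)}">Try again</a></p>'
    )


def not_found_message_best(email: str) -> str:
    """Best: do not echo the input that triggered the error at all."""
    return "<p>No account matches the address you submitted.</p>"


def reflects_unencoded(response_html: str, marker: str) -> bool:
    """The course's test: is the submitted probe output unchanged?"""
    return marker in response_html


def demo() -> dict:
    """Run the reflection check against all three renderings of the probe."""
    return {
        "unsafe": reflects_unencoded(not_found_message_unsafe(PROBE), PROBE),
        "safe": reflects_unencoded(not_found_message_safe(PROBE), PROBE),
        "best": reflects_unencoded(not_found_message_best(PROBE), PROBE),
    }


if __name__ == "__main__":
    print(demo())
```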
Mitigating Cross Site Scripting

<system.web>
  <pages buffer="true" validateRequest="true" />
</system.web>
<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object sender, EventArgs e)
{
    // Create an HttpOnly cookie: script in the page cannot read it,
    // so a cross site scripting bug cannot steal it.
    HttpCookie cookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
    cookie.HttpOnly = true;
    cookie.Name = "DateCookieExample";
    Response.AppendCookie(cookie);
}
</script>
SQL Injection

Defining SQL Injection

SQL injection occurs when user input is used to build SQL queries dynamically without properly sanitizing that input for SQL-specific characters. As a result, an attacker might be able to submit specially crafted data to the application which modifies the behavior of the SQL query submitted to the backend database.

Damages caused by SQL injection are not limited to disclosing or tampering with information stored in the database. In many cases, an attacker can also execute arbitrary SQL commands against the backend database.
Applicability

Although Web applications are most commonly affected by this type of vulnerability, any application that queries a backend database based on user input can potentially be vulnerable to SQL injection.

Explanation

Potential Impact

As SQL injection allows attackers to modify the behavior of SQL queries, an attacker could potentially disclose or tamper with the information stored in a database. This information includes user data and also system data such as data contained in user tables. Additionally, if special options, such as xp_cmdshell, are enabled on the server, it might be possible for attackers to elevate their privilege and run arbitrary commands on the database host.
Narration: The following shows part of the ASP.NET source code for a forgotten password feature, along with the corresponding Web user interface. This feature allows users who have forgotten their password to retrieve it by providing their email address. As the provided code shows, the application takes input from the email field to craft an SQL statement which is then executed against the backend database. Use the drop-down menu to submit different inputs and observe the application's resulting behavior.

An email containing the user's password is being sent to the provided email address.

The string that you have submitted has modified the behavior of the SQL query used by the application to retrieve the user's password. The email was in fact sent to the address stored in the first record of the users database table.

The string that you have submitted modifies the behavior of the application's SQL query in such a way that credit card numbers stored in the credit cards database table can be disclosed.

The string that you have entered modifies the behavior of the application's SQL query. By using the extended stored procedure xp_cmdshell, arbitrary commands can be executed on the database server. In this case, the command that you have entered shuts down the machine that hosts the database server.
Avoiding SQL Injection

SQL injection vulnerabilities usually arise as a result of the following false assumptions:
- User-generated input will not contain executable SQL statements nor escape characters.
- Input will only contain data.

These assumptions lead to the following insecure coding behaviors:
- Omission of input validation and sanitization code.
- Using string concatenation and string replacement to construct dynamic SQL statements.

The following best practices will prevent developers from writing code vulnerable to SQL injection:
- Constrain input. Input used to build SQL statements should NEVER be trusted; proper input validation should be performed, on the server side, to detect illegal characters. The allow list approach is preferred to block lists, which can cause false negatives. Rather than escaping (SQL encoding) metacharacters, they should just be excluded from the allow list.
- Use stored procedures. The correct use of stored procedures will protect your application from SQL injection vulnerabilities. Never enclose user input inside single quotes. Ensure that user-generated data is passed as a parameter to the SQL statement.
- Use parameterized queries. Parameterized queries provide a way for programmers to create a dynamic query by specifying which part of the query will be made of user input. This effectively avoids SQL injection vulnerabilities because the user's input is not directly inserted into the query string. Instead, the user's input is treated as an argument and cannot be mistaken for SQL code.
- Do not echo database errors. Exceptions should be caught on the server, and error messages should not reveal any useful information to attackers. Echoing detailed SQL error messages often reveals the structure of queries that failed and informs malicious users that the application is vulnerable to SQL injection. Echoing detailed error messages could also give the attacker insight about how to modify the injected string so the query is executed successfully.
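The forgotten password lookup from the narration, written the concatenating way and then following the best practices above (allow-list input, parameterized query, generic error message). This is an added Python example using an in-memory SQLite database, not the course's ASP.NET code; the accounts, the regular expression and the tautology probe are constructed, and the probe is in the spirit of the course's test strings rather than copied from them.

```python
import re
import sqlite3

# Constructed sample accounts; the first row is what the course's demo app
# ends up acting on when the WHERE clause is made to match every row.
USERS = [
    ("admin@example.com", "hunter2"),
    ("alice@example.com", "correct-horse"),
]

# Allow list for the one field this feature accepts: an email address.
# Quotes, semicolons and comment markers are simply not on the list.
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: the submitted address is concatenated into the SQL text,
    so quotes in the input become part of the statement."""
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, email):
    """Parameterized: the address is bound as data and cannot become SQL."""
    return conn.execute(
        "SELECT email, password FROM users WHERE email = ?", (email,)
    ).fetchone()


def forgot_password(conn, email) -> str:
    """Hardened feature: constrain input, parameterize, never echo DB errors."""
    if not _EMAIL.match(email):
        return "Please enter a valid email address."
    try:
        row = lookup_safe(conn, email)
    except sqlite3.Error:
        # Generic message to the user; the exception belongs in the server log.
        return "A temporary error occurred. Please try again later."
    if row is None:
        return "No account matches the address you submitted."
    return "A password reminder has been sent to the address on file."


# Constructed probe: a tautology that makes the concatenated WHERE clause
# true for every row.
PROBE = "' OR '1'='1"


def course_string_triggers_error() -> bool:
    """The course's first test string leaves an unbalanced quote behind in
    the concatenated statement, which the database reports as a syntax
    error; echoing that error is what the last best practice warns against."""
    try:
        lookup_unsafe(make_db(), "1' or 1=1")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    conn = make_db()
    return {
        "unsafe": lookup_unsafe(conn, PROBE),
        "safe": lookup_safe(conn, PROBE),
        "hardened": forgot_password(conn, PROBE),
        "legit": forgot_password(conn, "alice@example.com"),
        "unknown": forgot_password(conn, "bob@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```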
Code Reviewing for SQL Injection

Testing for SQL Injection

During a code review, look for code that queries the database. Listed above are specific strings to check for, depending on what language the code is written in.

Testing an application for SQL injection is not an overly complex task. The following steps will allow testers to uncover SQL injection vulnerabilities present in your application:
- Submit SQL reserved symbols and keywords to the identified input vectors. The following strings can be used:
  - 1' or 1=1
  - 1' or 1'=1
  - admin'
- Check the response to see if the supplied input was treated as data or as part of the SQL statement itself.

The following are tools that can assist you when looking for SQL vulnerabilities:
- Acunetix Web Vulnerability Scanner.
- IBM Watchfire AppScan.

Mitigating SQL Injection
Command Injection
Applicability

Command injection vulnerabilities may be present in applications that rely on third-party functionality, such as scripting engines or command interpreters. Applications using any of the following may be vulnerable to command injection attacks:
- An OS command shell
- A browser
- A SQL database server
- Any type of scripting engine (PHP, Perl, Python or Ruby)

Explanation

Potential Impact

Examples

The impact of command injection vulnerabilities depends on the capabilities of the underlying scripting engine and the privileges of the user running the command. Potentially, these issues allow an attacker to run arbitrary commands on the vulnerable system, opening the door to a wide range of malicious actions.
Narration: The following ASP.NET application is a Web-based network management tool. This application, through a Web interface, allows users to perform multiple network maintenance related tasks, including modifying the network name of the server running the application. Use the provided drop-down menu to submit different strings to the application and observe the resulting behaviors.

The string that you have selected is a valid machine name. As a result, the computer name has been successfully modified.

The string that you have selected is not a valid machine name, therefore the computer name has not been set.
The string that you have selected was a command injection attack and successfully executed on the server. The ampersand is a metacharacter; in other words, it is a character that has a special meaning to the Windows command line interpreter. The ampersand is used to append commands in the Windows command shell. As the application did not properly validate user input, a shutdown command was appended to the original command, and the server was successfully turned off.
Avoiding Command Injection

Command injection vulnerabilities usually arise as a result of the following false assumptions:
- Input will only contain valid data.
- User-generated input will not contain metacharacters, such as semicolons, single quotation marks, or ampersands.

Such assumptions lead to the following insecure behaviors:
- Placing commands and user-generated data inline next to each other.
- Omission of input validation and sanitization code.

The following best practices will avoid command injection vulnerabilities:
- Constrain input. User-generated input passed to command interpreters or scripting engines should never be trusted. Proper input validation should be performed to detect illegal characters. The allow list approach is preferred to block lists, which can cause false negatives. Rather than escaping metacharacters, they should just not be added to the list of allowed characters.
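The "constrain input" practice applied to the machine-name feature from the narration: an allow list of hostname characters, checked before the name is handed to a command, which is then invoked as an argument vector with no shell in between. This is an added Python example, not the course's ASP.NET code; the rename tool "netcfg" and its flag are hypothetical placeholders, and the sample names are constructed.

```python
import re
import subprocess

# Allow list for a hostname label (RFC 952/1123 style): letters, digits and
# hyphens, 1 to 63 characters, no leading or trailing hyphen.  The "&" the
# narration's attack relies on is simply not on the list, so nothing needs
# escaping.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_machine_name(name: str) -> bool:
    return bool(_LABEL.match(name))


def build_rename_argv(name: str) -> list:
    """Argument vector for the (hypothetical) rename tool.

    Validation runs first, and the result is a list rather than a command
    string: subprocess passes each element as one argument, so no command
    interpreter ever parses the user's data.
    """
    if not is_valid_machine_name(name):
        raise ValueError("invalid machine name")
    return ["netcfg", "--set-hostname", name]  # placeholder tool and flag


def rename_machine(name: str, runner=None) -> str:
    """Validate, then invoke the tool without a shell.

    `runner` lets callers (and tests) substitute a fake executor; the default
    never uses shell=True, so metacharacters have no special meaning.
    """
    argv = build_rename_argv(name)
    if runner is None:
        def runner(a):
            subprocess.run(a, shell=False, check=True)
    runner(argv)
    return "Computer name set to " + name


def rename_request(name: str, runner=None) -> str:
    """Web-handler style wrapper yielding the two legitimate outcomes the
    narration describes; the injection case never reaches the tool."""
    try:
        return rename_machine(name, runner)
    except ValueError:
        return "Not a valid machine name; the computer name has not been set."


# Constructed inputs with the expected verdict of the allow list.
SAMPLES = {
    "web01": True,
    "web 01": False,
    "web01 & shutdown /s": False,  # the narration's attack shape
    "-bad": False,
}


def classify(samples=SAMPLES) -> dict:
    return {s: is_valid_machine_name(s) for s in samples}


if __name__ == "__main__":
    print(classify())
```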
Code Reviewing for Command Injection

The above table shows the constructs to check in order to detect command injection during code review.

Testing for Command Injection

The following tools automate this kind of testing for Web-based applications:
- IBM Watchfire AppScan.
- HP WebInspect.

Mitigating Command Injection
Unprotected Network Traffic

Defining Unprotected Network Traffic

Network traffic is said to be unprotected when sensitive or other system-critical data is transmitted in clear text over insecure network channels. Many network protocols, nowadays, protect communications by encrypting network traffic using strong cryptographic methods. Although these secure alternatives exist, some applications are still using protocols such as SMTP, IMAP, POP, HTTP, FTP, IRC, TELNET and many more that operate by sending data unencrypted. As a result, data transferred using these methods can easily be intercepted, viewed and modified by an attacker placed between two communicating parties.
Applicability

All applications sending data over the network, regardless of the programming language used, might potentially be affected by unprotected network traffic issues.

Explanation

Potential Impact

Examples

By transmitting data over the network in clear text, applications allow attackers to view and modify information transmitted between communicating parties. Additionally, attackers can potentially impersonate entities taking part in a communication and perform Man-in-the-Middle attacks.

Narration: When two parties communicate over an untrusted channel, it is their responsibility to secure the data they transmit.

If this is not done, attackers can easily intercept data exchanged on these insecure networks using widely available network monitoring tools.

Wired and wireless networks are equally at risk when it comes to eavesdropping and man-in-the-middle attacks.
Avoiding Unprotected Network Traffic

Unprotected network traffic vulnerabilities arise as a result of the following false assumptions:
- Attackers cannot intercept (or tamper with) data sent across the network.
- Attackers cannot spoof the identity of one of the two parties.
- Attackers cannot take existing data from a data stream and replay it.
- Attackers cannot hijack an established connection.

Such assumptions turn into the following insecure behaviors:
- Using weak or no encryption to protect data sent over the network.
- Using weak authentication mechanisms.

In order to avoid unprotected network traffic vulnerabilities, the following best practices should be applied:
- Use established cryptographic solutions to ensure the confidentiality and the integrity of data sent across the network. Applications should use industry-standard cryptographic solutions to ensure that attackers cannot read data transferred from one party to another. Using a signing mechanism is one method to ascertain whether the transferred data has been altered or not. Windows provides a set of cryptographic APIs (CryptoAPI) that allows applications to exchange data in a secure environment over insecure channels such as the Internet.
- Use strong authentication mechanisms. The application should ensure that the two parties communicating are what or who they claim to be. Industry-standard authentication protocols, such as Kerberos, should be used when possible to ensure proper authentication.
- Practice secure key management. Use the Windows Data Protection API to ensure that cryptographic keys are securely stored.
- Use industry-recognized block ciphers. Symmetric cryptography is usually preferred over asymmetric cryptography for its better performance. There are two types of symmetric ciphers: block ciphers and stream ciphers. Stream ciphers should not be used as they are known to have weaknesses.

Code Reviewing for Unprotected Network Traffic

When code reviewing for unprotected network traffic, you should:
- Identify all network-based entry points of the application.
- Ensure that all communications are encrypted from and to these entry points.
- Ask yourself the following questions:
  - Is the application sending unencrypted data on the network?
  - Is the application using industry-recognized solutions to encrypt data or is it using a custom solution?
  - Which underlying cryptographic cipher is the application using?
  - Is the application using a block cipher? If yes, find out what mode of operation is being used.

Testing for Unprotected Network Traffic

In order to detect unprotected network traffic during testing, you should determine whether the application is encrypting data before sending it on the network. You can use the following tool to determine if the data is SSL-encrypted:
- ssldump: an SSLv3/TLS network protocol analyzer.

Mitigating Unprotected Network Traffic
Lack of Server-Side Authorization

Defining Lack of Server-side Authorization

Authorization is the process of allowing or disallowing actors of a system, such as users or processes, access to resources of the same system. Authorization is a crucial component of an application's security since it enables the concept of separate user accounts and private data. Implementing authorization on a client-server architecture can be very difficult as the system is divided in two separate entities, one of them, namely the client, being untrusted. In order to ensure that access to resources respects permissions specified on the server, authorization must be done server-side. Lack of server-side authorization, as the term suggests, happens when an application does not properly enforce permissions on the server. This type of vulnerability can potentially allow attackers to illegally access protected resources of the system.

Applicability

Explanation

All client-server applications, regardless of the programming language used, might potentially lack server-side authorization.

Lack of server-side authorization falls under the following categories:
- Client-side authorization. Applications are sometimes designed based on the assumption that data sent by a software client cannot be tampered with before it reaches the server. As a result, access controls are implemented on the client instead of being enforced server-side. However, tampering with a client is a very common practice and attackers often develop tools such as proxies or modified clients in order to bypass these client-side restrictions. Client-side authorization can take different forms, including:
  - Permissions enforced on the client.
  - Disabled functionalities on the client.
- Missing authorization. When authorization is not present, the security of the application usually relies upon its obscurity and the fact that malicious users do not know the required information to send to the server in order to access sensitive resources. The problem is that this information can be determined by numerous means, such as reverse engineering the application or by simply guessing the appropriate data to send. Several bad practices contribute to the problem of missing authorization, including the use of:
  - Magic URLs. The practice of relying on URL parameters to pass program data is referred to as using Magic URLs. Passing identifying information or any session variables through the URL opens an avenue for malicious users to tamper with data which they should not be able to modify.
  - Hidden form fields. As with magic URLs, using hidden fields to pass program data related to the user's session allows attackers to modify the information before sending it to the server.
  - Forceful browsing. Forceful browsing is possible when systems assume that only certain users will know essential pieces of information required to access sensitive resources and functionalities. These essential pieces of information often include data such as file names, directories, and URL parameters. Unfortunately, this information is often predictable or easily obtainable through information disclosure vulnerabilities. Therefore, it is frequently possible for an unauthorized user to illegally access privileged resources by simply learning the necessary parameters.

Potential Impact

Examples

When client-server applications do not enforce authorization on the server side, a malicious user may access and modify information that should not be accessible in the first place. Attackers can take advantage of lack of server-side authorization to exercise functionalities requiring elevated privileges, such as administrative tasks.
Avoiding Lack of Server-side Authorization

Lack of server-side authorization usually arises as a result of the following false assumptions:
- The client cannot be modified.
- The data sent by the client cannot be modified.
- The appropriate data required to perform privileged actions is unpredictable.

Such assumptions result in the following insecure behaviors:
- Relying on client-side authorization.
- Storing session-related variables on the client.
- Trusting data originated from the client.
- Relying on obscurity to protect the application's resources.

In order to avoid lack of server-side authorization, apply the following best practices:
- Do not trust data coming from the client. Any data originated from the client should be validated on the server. Malicious users can easily intercept and modify traffic sent from the client browser. Therefore, developers should never embed critical application data in client-side variables such as GET or POST parameters or HTTP headers. Instead, only pass session identifiers to the client and keep all other session-related data on the server.
- Use built-in ASP.NET authorization features. The ASP.NET role provider (in conjunction with the ASP.NET membership provider) is a feature that enables ASP.NET developers to create Web sites that allow users to create an account with a site and to be assigned roles for authorization purposes. For more information read "How to: Use the ASP.NET Role Provider with a Service".
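The first best practice above, shown on a privileged request handler: a vulnerable version that reads the caller's role from a hidden form field or URL parameter, beside a version that hands the client only an opaque session id and looks the role up on the server. This is an added Python example, not the course's ASP.NET code or its role provider; the accounts, request shapes and handler names are constructed.

```python
import secrets

# Constructed accounts: username -> server-side record holding the role.
USERS = {"alice": {"role": "user"}, "root": {"role": "admin"}}

# Server-side session store.  The client only ever holds the opaque id,
# never the role or any other session variable.
SESSIONS = {}


def login(username: str) -> str:
    """Create a session and return the id that becomes the client's cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


def role_from_session(sid):
    """Resolve the role on the server; unknown or missing ids have no role."""
    session = SESSIONS.get(sid)
    return None if session is None else USERS[session["user"]]["role"]


def delete_user_client_trusting(request: dict) -> tuple:
    """Vulnerable: the decision rests on a 'role' value the client sent,
    which a proxy or modified client can set to anything."""
    params = request.get("params", {})
    if params.get("role") != "admin":
        return 403, "forbidden"
    return 200, "deleted " + params.get("user", "")


def delete_user_server_side(request: dict) -> tuple:
    """Hardened: the only client-supplied fact used is the session id; the
    role comes from the server, so a forged role parameter changes nothing
    and an unauthenticated (forceful browsing) request has no role at all."""
    sid = request.get("cookies", {}).get("session")
    if role_from_session(sid) != "admin":
        return 403, "forbidden"
    target = request.get("params", {}).get("user")
    if target not in USERS:
        return 404, "no such user"
    return 200, "deleted " + target


def demo() -> dict:
    alice = login("alice")
    root = login("root")
    # Alice's client has been tampered with to claim the admin role.
    forged = {"cookies": {"session": alice},
              "params": {"user": "root", "role": "admin"}}
    # A real administrator session.
    legit = {"cookies": {"session": root}, "params": {"user": "alice"}}
    # No session at all: someone who merely learned the URL and parameters.
    anon = {"params": {"user": "alice", "role": "admin"}}
    return {
        "forged_vs_client_check": delete_user_client_trusting(forged),
        "forged_vs_server_check": delete_user_server_side(forged),
        "admin_vs_server_check": delete_user_server_side(legit),
        "anon_vs_server_check": delete_user_server_side(anon),
    }


if __name__ == "__main__":
    print(demo())
```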
Code Reviewing for Lack of Server-side Authorization

Testing for Lack of Server-side Authorization

When performing a code review, look for code that uses magic URLs and other places where the client might be granted too much trust. Look for constructs as listed in the above table.

To detect the lack of server-side authorization during testing:
- Check ALL features of the application to ensure that ONLY authenticated users can access protected material.
- Check ALL features for forceful browsing issues: determine the appropriate parameters required to access protected resources and replay those parameters in the context of a less privileged or unauthenticated session. If those resources can be accessed, there is most likely a lack of server-side authorization problem.
- Check that the application does not rely on client-side validation: use a Web proxy to intercept and modify HTTP requests to bypass client-side restrictions.

Use the following Web proxies to facilitate your testing:
- Burp Proxy: a simple and lightweight proxy tool.
- Paros: a more comprehensive HTTP/S proxy.

Test all Web input, including forms, with malicious input. Inspect the content of all forms and fields of the Web application. Look for hidden fields: check the content of any HTML sent back to the client for the text HIDDEN within an HTML input element.

The following tools can assist you in finding and modifying form fields before submitting them:
- TamperIE: Enables HTML form tampering.
- Paessler Site Inspector: Cross-browser Web developer tools.

Mitigating Lack of Server-side Authorization

- URL authorization. URL authorization rules can be specified per URL in the Web.config file of ASP.NET applications. The following configuration allows authenticated users and denies anonymous users access:

<authorization>
  <!-- Rules are evaluated top-down and the first match wins, so the
       anonymous deny must come before the catch-all allow. -->
  <deny users="?" />
  <allow users="*" />
</authorization>

For more information, see the ASP.NET Authorization documentation.

- Sandboxing the application. Sandboxing the application limits the damages that can be done if the application is vulnerable.
  Running the application in a restricted security environment will prevent an attacker from accessing resources on the host system that are outside the scope of the application.
Spoofing

Defining Spoofing

In the context of computer security, spoofing describes the ability of one entity to successfully assume the identity of another entity. This attack is commonly used by malicious individuals to gain extra privileges in systems where they have limited privileges or no privileges at all.

Applicability

Explanation

As the success of spoofing attacks relies on poor authentication or authorization between two entities, such attacks can be observed in any system involving multiple entities, regardless of the language it was written in. These entities could be either users, applications, or network hosts.

Spoofing can be of the following types:
- Network spoofing. Network spoofing occurs when an attacker transmits rogue packets that pretend to be coming from a different, spoofed, host by, for example, forging the source IP address of the network packet. Most connectionless transport protocols such as User Datagram Protocol have no built-in mechanism for fighting against spoofing. On the other hand, connection-based protocols, such as Transmission Control Protocol, make spoofing much harder to achieve but not impossible.
- Application spoofing. Application spoofing occurs when an attacker creates an application with the sole intent of posing as another trustworthy application. This is done by deceiving users into trusting the attacker's application as much as they trust the spoofed application.
- User spoofing. User spoofing occurs when an attacker assumes the identity of another person or system, with the intent of abusing the victim's trust in the system, and/or the system's trust in the victim, for other malicious purposes.

Potential Impact

Examples

Spoofing vulnerabilities allow malicious individuals or systems to pose as legitimate ones. Depending on the level of trust granted by the victim system to its users (whether human or software), the consequences of these vulnerabilities can be disastrous.
Narration: Spoofing occurs when an entity masquerades itself as another entity in an attempt to perform other malicious and unauthorized actions. Spoofing is possible because applications fail to properly authenticate parties they communicate with. The following scenario will demonstrate how spoofing of a Web site can be achieved.

Use the browser controls to visit www.microsoft.com.

The home page of Microsoft.com is shown in the browser window.

Using the network monitoring tool, observe the contents of the DNS response that maps www.microsoft.com to its IP address.

The name www.microsoft.com corresponds to the IP address 207.46.19.254.

Use the DNS spoofing tool to alter the DNS response.

Use the browser again to visit www.microsoft.com.

As we can see here, the legitimate server was spoofed by tampering with the DNS response packets. Although the browser's address bar points to the correct URL, the returned page does not belong to the intended application.
Avoiding Spoofing
There are several false assumptions that may lead to spoofing:
All hosts on the same subnet are trusted.
The host name or IP address of a remote host can be trusted.
An entity's name is sufficient to verify its identity.
These assumptions may result in the following negative outcome:
Entities are trusted without proper authentication.
The following are best practices to avoid spoofing:
Perform strong authentication of remote hosts. Use established solutions such as SSL/TLS or IPSec to certify the identity of remote parties.
Perform strong authentication of applications. Use industry-recognized cryptographic solutions to prove:
  The identity of your applications to end users or other systems.
  The identity of third-party components that your applications rely on.
Enforce user authentication and authorization. Ensure that user authentication best practices are followed when authenticating users. For more information, go to Defending against Weak Authentication.
Code Reviewing for Spoofing
When code reviewing for network spoofing:
Identify code that:
  Initiates connections to remote hosts.
  Accepts connections from remote hosts.
Assess the sensitivity of the feature being reviewed:
  Is it a public feature or is it restricted to specific entities?
For protected functionality, verify that connections are established only after the remote host has been properly authenticated:
  Is authentication performed at all?
  What evidence is the application checking for authentication?
    A certificate?
    A user name and a password?
    An IP address?
    A host name?
For code that is executed after authentication, verify that the remote system is not granted too much trust:
  How is the host identified by the application (after authentication)?
    Using a security token?
    Using the host's IP address?
    Using the host's name?
When code reviewing for application spoofing:
Identify code that loads or starts third-party binaries such as EXEs, DLLs, or COM/ActiveX objects.
Determine how the application verifies those binaries' identities:
  By name?
  By location?
  By hash?
  By digital signature?
Testing for Spoofing
Use the following approaches when testing for potential spoofing vulnerabilities:
When spoofing network hosts, create a bogus client and a bogus server in an attempt to proxy the communication between the real client and the real server.
When spoofing executable content, create a bogus component and ask the application to execute it.
When spoofing users, log in to the system and attempt to pose as other users in the system.
When testing for network spoofing:
  Check whether the application uses a strong cryptographic solution, such as certificates, to authenticate network hosts.
  Attempt to impersonate a legitimate host after it has been authenticated and see whether the application agrees to communicate with it.
When testing for application spoofing:
  Replace binaries that the application expects by spoofed ones and determine what evidence it is checking for authentication.
  Once you have determined the evidence, attempt to forge it.
  If the application uses hashes, locate where the application stores them and replace them with forged ones.
When testing for user spoofing:
  Please go to Defending against Weak Authentication for detailed steps for testing user authentication features.
Mitigating Spoofing
Spoofing vulnerabilities can be mitigated through approaches such as:
Using firewalls to limit network connectivity. Create appropriate firewall rules to limit access to network-enabled software.
Setting appropriate ACLs on executable content such as libraries or EXE files. Ensure that only administrators are able to overwrite files that are executable.
Information Leakage
Applicability
Information leakage is a problem that can occur with any language or platform. Some languages, however, provide more verbose error messages than others. This can exacerbate the effect of such issues if these messages reveal information about application internals. Any application that stores or processes sensitive information of any type may be susceptible to information disclosure issues.
Explanation
There are countless ways information can be disclosed to an attacker. Some of the more notable ones include:
Side channels. Side channels are components of a system that disclose information that they were not designed to reveal. For example, consider a login form that takes longer to respond to an incorrect password when the initial character is incorrect. The response time of the form can be measured by an attacker, which means the login form can act as a side channel revealing information about users' passwords.
Potential Impact
Successful information leakage attacks can have many different impacts. The primary risk, however, is the disclosure of information that should not be revealed. This might include customers' Personally Identifiable Information (PII), intellectual property, trade secrets, and confidential conversations. Revealing sensitive information to an attacker is bad enough, but in addition this information often includes passwords or session IDs, which enable an attacker to escalate his or her privileges on an application or system.
Avoiding Information Leakage
Information leakage vulnerabilities usually arise as a result of the following false assumptions:
It is best to provide as many detailed error messages as possible.
Attackers will not think to look in a specific file, directory, or memory location.
A certain piece of data is not useful to an attacker.
The application's security defenses cannot be breached.
These assumptions lead to the following insecure coding behaviors:
Outputting overly detailed error messages.
Relying on security through obscurity.
Leaving sensitive data unprotected in easy-to-find locations.
Storing nonessential sensitive information.
In order to avoid information leakage issues, you should follow the best practices below:
Issue helpful error messages that do not disclose unnecessary information. Avoid outputting:
  File names.
  Path names.
  Version numbers.
  Stack traces.
Minimize the number of locations where sensitive data is used and stored. Assume an attacker has full knowledge of the system or application.
Store sensitive information using appropriate security mechanisms that help prevent unauthorized access. Use access control mechanisms and encryption as appropriate.
Code Reviewing for Information Leakage
The above constructs should be checked when code reviewing to uncover information leakage bugs.
Testing for Information Leakage
In order to detect information leakage issues during testing:
Force as many error conditions as possible to determine what information the application might reveal. Inspect:
  Program memory
  Files (temporary files, log files)
  Registry keys
  Error messages
Use NTSD, FileMon, and RegMon to inspect the program's internals.
Explore the application with non-privileged accounts and see what the application divulges. Examine whatever data you have available, such as HTML source code.
Another worthwhile test is to simulate a stolen laptop scenario. Allow the application to be run on a computer for a few weeks, and then attempt to view the data on the computer in the way that a laptop thief would have to do so. Try dual-booting or booting a different OS in order to access data in different ways.
Mitigating Information Leakage
Improper Error Handling
Defining Improper Error Handling
Error handling is the mechanism that deals with the occurrence of conditions that change the application's normal execution flow. Error handling code is often overlooked and suffers from a lack of attention when it comes to designing and implementing it. Improper error handling occurs when code fails to adequately handle an error condition encountered by the application. As a result of improper error handling, an application may enter a vulnerable state and crash. Insecurely designed error messages that reveal valuable information to potential attackers are also considered improper error handling.
Applicability
All computer programs are required to handle error conditions in order to operate properly. In this sense, all types of applications can potentially be affected by improper error handling vulnerabilities.
Potential Impact
An overly detailed error message may disclose sensitive security information. A malicious user may then use the data contained in such error messages to better target his or her attacks on the application. Failing to properly handle errors may also cause the application to terminate, thereby causing a denial of service.
Examples
Narration: The following ASP.NET application is a Web bulletin board system that allows users to read and post messages. Use the provided drop-down menu to submit different inputs to the application and observe the resulting behaviors.
The value of the URL parameter that you have selected is a valid message ID.
The value of the URL parameter that you have selected is not a valid message ID.
The single quote character submitted to the application caused it to output a detailed SQL error, informing potential attackers about the existence of an SQL injection flaw, but also revealing the structure of the SQL statement used by the application to query the database. This is very valuable information to an attacker, and it can be used to drive very damaging attacks, such as the one shown here.
Avoiding Improper Error Handling
Improper error handling usually arises from the following bad assumptions:
Error handling code is of secondary importance.
Error handling code can be added after the corresponding functionality is implemented.
Error handling code can be written after testing exposes errors.
Error messages need to be as detailed as possible for reporting and debugging purposes.
Such assumptions turn into the following insecure behaviors:
Yielding too much information. Applications that return error messages containing information that is revealing to an attacker expose themselves to further and more educated attacks. While revealing detailed information on what part of the application failed may be good from a usability perspective, malicious users may use this information to better target their attacks.
Ignoring errors. Error return values indicate a failure condition; therefore, every time it is appropriate, the application should check function return values. For instance, consider a call to fopen() that fails, either because access is denied or because the file does not exist. If the error is not handled, all following calls to functions such as fwrite() or fread() will fail too. As a result of reading data and dereferencing the data, the application will most likely crash.
Misinterpreting errors. Although some functions may return bizarre error values, the application needs to detect precisely which error has occurred prior to being able to handle it. For instance, if an application misinterprets a trivial, recoverable error as a critical, non-recoverable one, it might be possible for an attacker to launch a Denial of Service attack against it.
Employing useless error values. Some functions may simply return no error values. For example, consider the C standard runtime strncpy function, which only returns a pointer to the destination buffer. If a buffer overflow occurred, the function would only return a pointer to the overflowed buffer.
Handling the wrong exceptions. Developers sometimes write code to catch a given type of exception, while in fact another type of exception will be thrown. As a result, these exceptions will not be caught and will cause the program to enter a vulnerable state, which can in turn be exploited by an attacker.
Handling all exceptions. Providing a generic exception handler that handles all exceptions results in masking errors present in the code. Pretending that an exception never happened is dangerous, as it might cause errors to be left unaddressed or might cascade through the application with disastrous effects.
The following best practices will prevent improper error handling:
Handle the appropriate exceptions in your code.
Ensure that you check return values when appropriate.
Ensure that information that may be revealing to the attacker is not disclosed.
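The fopen()/fread() case above, worked through as an added C example (not from the course): a loader that ignores the fopen() result beside one that checks every return value, maps ENOENT to a recoverable "use defaults" outcome and anything else to a fatal one, and detects a file that would otherwise be silently truncated. The /tmp path, the 32-byte scratch buffer and the sample file contents are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome of loading a configuration file. Telling a recoverable condition
 * (optional file absent) apart from a fatal one (unreadable or oversized
 * file) is the "misinterpreting errors" point above. */
enum cfg_status { CFG_OK = 0, CFG_USE_DEFAULTS = 1, CFG_FATAL = 2 };

/* Scratch buffer for the demo and test calls (constructed, deliberately small). */
static char cfg_buf[32];

/* Before: the fopen() return value is never checked. When the file is
 * missing or access is denied, f is NULL and fread() dereferences it, so the
 * process crashes. Kept only to show the defect; the tests never call it. */
size_t load_config_unchecked(const char *path, char *out, size_t outsz)
{
    FILE *f = fopen(path, "r");
    size_t n = fread(out, 1, outsz - 1, f);   /* f may be NULL here */
    out[n] = '\0';
    fclose(f);
    return n;
}

/* After: every return value is checked, errno is interpreted rather than
 * treated as a single "failure", and a file that does not fit the buffer is
 * reported instead of being silently cut off (fread() alone says nothing
 * about the bytes it did not read). */
enum cfg_status load_config(const char *path, char *out, size_t outsz)
{
    if (out == NULL || outsz == 0)
        return CFG_FATAL;
    out[0] = '\0';

    FILE *f = fopen(path, "r");
    if (f == NULL) {
        /* A missing optional file is recoverable: fall back to defaults.
         * Permission or I/O problems are not: refuse to continue. */
        return (errno == ENOENT) ? CFG_USE_DEFAULTS : CFG_FATAL;
    }

    size_t n = fread(out, 1, outsz - 1, f);
    int truncated  = (fgetc(f) != EOF);   /* more data than the buffer holds? */
    int read_error = ferror(f);
    out[n] = '\0';

    if (fclose(f) != 0 || read_error || truncated) {
        out[0] = '\0';                    /* never hand back partial data */
        return CFG_FATAL;
    }
    return CFG_OK;
}

/* Writes a constructed sample file so the loader can be exercised. */
int write_sample_config(const char *path, const char *contents)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(contents, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    const char *path = "/tmp/csd_sample.cfg";            /* constructed path */
    if (write_sample_config(path, "listen_port=8080\n") != 0)
        return 1;
    enum cfg_status st = load_config(path, cfg_buf, sizeof cfg_buf);
    printf("existing file -> status=%d contents=%s", (int)st, cfg_buf);
    st = load_config("/nonexistent_constructed_dir/app.cfg", cfg_buf, sizeof cfg_buf);
    printf("missing file  -> status=%d (1 = use defaults)\n", (int)st);
    return 0;
}
```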
Code Reviewing for Improper Error Handling
When code reviewing for improper error handling vulnerabilities, check for the constructs listed in the above table.
Use automated static code analysis tools to help you find vulnerabilities in your code. While static analysis tools cannot replace a manual review, they are a good complement and can be used to find a large number of vulnerabilities at once. These tools can also be used to build a comprehensive model of the code, including data flow and control flow. Use these results not only to fix the discovered vulnerabilities but also to point out 'hot spots' in your code that would benefit from an additional, deeper manual review.
Testing for Improper Error Handling
To test for improper error handling defects, testers should look for the application functionality that takes input. Whenever there is a way to input data into the application, it represents an interface that can be probed for more information through its error messages or, conversely, its lack of error messages. The following procedure will help testers in detecting improper error handling:
Probe input fields by submitting malformed data. Pay attention to the following properties of the data submitted:
  Input length. Try long strings.
  Input type. Try input that is of a different type than what the application expects.
  Boundary values. Identify the upper and lower limits of expected data values and test by exceeding their limits.
  Context. Try inputting values such as machine names, user names, and domain names. The application may behave differently when a valid name is entered, allowing an attacker to infer sensitive information.
Testers should look for signs of information disclosure and poorly handled error conditions, such as:
Poorly handled error cases.
  Look for test cases that cause the application to crash.
  Look for test cases that put the application in an insecure state.
Revealing error messages. Look for error messages revealing any of the following:
  Machine names.
  File locations.
  Details regarding the internal configuration.
  Data such as the structure of SQL queries, internal IP addresses, and valid user names.
Mitigating Improper Error Handling
Weak Authentication
Applicability
Weak authentication vulnerabilities are programming-language independent. The key factor in determining whether an application can be affected by these issues is the presence of an authentication feature of some sort, such as a login form. All applications that support the separation between a public realm and a private realm, or that have multiple users, can potentially be affected by weak authentication issues.
Explanation
Systems that suffer from weak authentication can be categorized into the following classes:
Weak password-based systems
Some systems authenticate their users by requesting them to provide a password. However, the password policy enforced by these systems is not strict enough to provide an acceptable level of security. These passwords are too short, too predictable, not renewed often enough, or not transmitted or stored securely.
Weak session-token-based systems
Some protocols such as HTTP are stateless and anonymous. To overcome this limitation, session tokens are included in every request a user makes after the user is authenticated by the server. However, if these session tokens are predictable, it is possible for an attacker to hijack live user sessions.
Information-leaking authentication features
Some authentication features, although they protect their application from unauthorized access, reveal useful information to potential attackers. For example, they display different error messages or response times based on whether a valid or an invalid user name is provided. These systems are considered to be weak because they provide information that could be used by attackers to brute-force passwords.
Systems that identify rather than authenticate users
Some systems rely on identification data in order to authenticate untrusted parties. These systems are prone to spoofing attacks.
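The response-time side channel described under Information Leakage and the information-leaking login behavior described above, shown as an added C example that is not part of the course material: an early-exit comparison beside a constant-time one, and a login check that returns a single result code and performs the same comparison work whether the user is unknown or the password is wrong. The account table and the 16-byte verifiers are constructed; a real system compares the output of a password hash, which is assumed here to be computed elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of a stored password verifier. Assumed to be the fixed-size output
 * of a real password-hashing function computed elsewhere; shortened to 16
 * bytes here so the constructed sample values stay readable. */
#define VERIFIER_LEN 16

/* Constructed sample verifiers (made-up bytes, not real hash output). */
static const uint8_t ALICE_VERIFIER[VERIFIER_LEN] = {
    0x3a, 0x7f, 0x11, 0xc4, 0x59, 0xe2, 0x08, 0x9d,
    0x66, 0xb1, 0x2c, 0xf0, 0x47, 0x85, 0xda, 0x13 };
static const uint8_t BOB_VERIFIER[VERIFIER_LEN] = {
    0x91, 0x04, 0xe7, 0x2b, 0xcc, 0x58, 0x3f, 0xa6,
    0x1d, 0x70, 0xb9, 0x24, 0x8e, 0x5a, 0x03, 0xf7 };

/* Compared when the user name is unknown, so an unknown user costs the same
 * work as a wrong password and the two cannot be told apart by timing. */
static const uint8_t DUMMY_VERIFIER[VERIFIER_LEN] = { 0 };

struct account { const char *user; const uint8_t *verifier; };

/* Constructed account store. */
static const struct account ACCOUNTS[] = {
    { "alice", ALICE_VERIFIER },
    { "bob",   BOB_VERIFIER   },
};

/* The side channel: returns at the first differing byte, so the time taken
 * grows with the number of leading bytes that match. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Constant-time comparison: touches every byte and accumulates the
 * differences, so the time does not depend on where the inputs differ. */
int constant_time_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

enum login_result { LOGIN_OK = 0, LOGIN_FAILED = 1 };

/* Uniform failure path: one result code for "no such user" and "wrong
 * password", the same comparison work in both cases, and the account table
 * is always scanned to the end. (User names are not secret, so the strcmp()
 * on them is not the concern here.) */
enum login_result check_login(const char *user, const uint8_t *candidate)
{
    const uint8_t *stored = DUMMY_VERIFIER;
    int known = 0;
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++) {
        if (strcmp(ACCOUNTS[i].user, user) == 0) {
            stored = ACCOUNTS[i].verifier;
            known = 1;
        }
    }
    int match = constant_time_equal(candidate, stored, VERIFIER_LEN);
    return (known & match) ? LOGIN_OK : LOGIN_FAILED;   /* '&': no short-circuit */
}

int main(void)
{
    printf("alice/correct: %d\n", (int)check_login("alice", ALICE_VERIFIER));
    printf("alice/wrong:   %d\n", (int)check_login("alice", BOB_VERIFIER));
    printf("mallory/any:   %d\n", (int)check_login("mallory", ALICE_VERIFIER));
    return 0;
}
```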
Potential Impact
As weak authentication can allow an attacker to illegally access an application's functionality, the potential impact of such issues is very dependent on the vulnerable program's features. By accessing accounts of victim parties (individuals or systems), malicious users can, in most cases, elevate their privileges, view or modify sensitive information, and, of course, impersonate other parties.
Examples
Server Controller in IBM Lotus Domino asks user for password file (March 2011): The remote console in the Server Controller in IBM Lotus Domino 7.x and 8.x verifies credentials against a file located at a UNC share pathname specified by the client, which allows remote attackers to bypass authentication, and consequently execute arbitrary code.
ASP.NET subsystem allows access to another user's data (December 2011): The Forms Authentication feature in
Avoiding Weak Authentication
Weak authentication vulnerabilities usually arise as a result of the following false assumptions:
The strength of a password is up to users to decide.
Only the application can access its password store.
Random numbers cannot be predicted.
Identification data can be used to authenticate a party.
Certificates can be signed by anybody.
These assumptions result in the following insecure behaviors:
Failure to enforce a strong password policy.
Storage of unprotected passwords.
Generation of weak session tokens.
Authentication of parties based on identification data.
Acceptance of certificates that are signed by untrusted parties.
Best practices to avoid weak authentication include:
Enforcing a strong password policy. For a sample, please see this password policy template.
Encrypting or hashing passwords for storage.
Using built-in session handling mechanisms such as those of ASP.NET.
Relying on real authentication data, such as passwords, certificates signed by a trusted CA, and security tokens, to verify a user's or system's identity.
Code Reviewing for Weak Authentication
When performing a code review for weak authentication issues, you should ensure that:
No passwords are hard-coded.
Identification, such as IP addresses, email addresses, or social security numbers, is not used to authenticate users.
Code that creates passwords does this according to the password policy.
Failed login attempts are handled in a uniform manner (with the same response time and the same method of error handling).
Failed login attempts are logged.
There is logic for enforcing periodic password renewal.
New passwords cannot be the same as previously chosen ones.
Passwords are transmitted through a secure channel.
The password reset mechanism is secure. For example, it should not be possible to reset all users' passwords in an automated way.
The system forces users to change the default authentication credentials.
Passwords are rendered unreadable using a strong cryptographic mechanism such as encryption or hashing.
Code that checks certificates verifies that signatures are of a trusted authority.
Testing for Weak Authentication
When testing for weak authentication issues:
Verify that the system forces the user to change default user credentials upon first execution.
Attempt to log in using different combinations of user names and passwords (both valid and invalid) and inspect error messages as well as response times in an attempt to determine whether the application leaks information about the validity of credentials.
Monitor network traffic at login time in an attempt to uncover credentials passed in clear text (using NetMon or Wireshark).
Verify that it is not possible to automate the action of resetting passwords.
Verify that passwords are reset in a secure manner.
Locate the application's password stores and inspect relevant access control settings.
Attempt to decode passwords stored on disk to uncover weak encryption or encoding.
If the application uses certificates, attempt to authenticate by providing self-signed certificates.
Mitigating Weak Authentication
The following are among the various additional defensive measures that can be taken to defend against weak authentication:
Use multi-factor authentication:
  Security tokens
  Biometrics
  One-time passwords
Use well-tested technologies:
  Windows Authentication
  Forms Authentication
  Database encryption
  Encrypted File Systems
Use industry-approved protocols:
  Kerberos
  SSL/TLS
  TACACS
  RADIUS
Weak Data Protection
Applicability
All applications can potentially be affected by weak data protection issues, regardless of the language they are written in. In one way or another, software applications deal with sensitive data such as confidential data and critical application data (for example, the user names and passwords of a system).
Explanation
Weak data protection vulnerabilities arise from:
Improper access control
Access rights govern access to resources within a system. It is imperative that proper access controls are utilized in order to grant access to sensitive data only to authorized parties.
Weak data encryption
While cryptography is essential to protect secrets, it is not foolproof, and a weak cryptographic system might lull users into a false sense of security.
  Algorithms: Weak encryption algorithms, insecure implementation of strong cryptographic algorithms, and custom algorithms will most certainly degrade overall system security, as an attacker might be able to crack the encryption and retrieve sensitive data.
  Key size: Even if a strong cryptographic algorithm is chosen, an inappropriately small key size might render the cryptosystem insecure. Specifically, systems utilizing a small key size are vulnerable to brute-force and dictionary attacks.
Insecure management of cryptographic secrets
Cryptography relies on keys. If the keys are not stored and exchanged securely, an attacker might be able to retrieve the key and compromise the security of the cryptographic system.
Potential Impact
Weak data protection allows attackers to access information that they should normally be denied access to. By accessing that information, attackers might be able to expose and tamper with sensitive data. If the application bases its security decisions on this information, then by modifying it an attacker might be able to bypass security controls and elevate his or her access level.
Avoiding Weak Data Protection
Weak data protection usually arises as a result of the following false assumptions:
Once data is stored on disk, only legitimate users will know its location and attempt to access it.
The application files will be accessed only by the intended users.
The application cannot be reverse-engineered.
Such assumptions lead to the following insecure practices:
Insecure use of cryptography.
Improper use of Access Control Lists (ACLs).
Insecure management of cryptographic secrets.
The following list outlines some of the more common strategies for avoiding weak data protection:
Employ existing data protection technologies. Some operating systems, such as Windows, provide solutions for data protection. Known as the Data Protection API (DPAPI), this functionality in Windows allows applications to rely on Windows for storing and handling sensitive, cryptographic, or other important data both on disk and in memory.
Avoid handling data that requires extra protection. Unless dictated by application requirements and design, avoid storing or handling information that requires extra protection. Applications should handle only the data which they are obliged to handle.
Do not hard-code secrets into the application's code base. Secrets that are hard-coded into an application may be revealed through the use of reverse engineering. Therefore, any determined attacker will be able to gain access to these secrets.
Use established cryptographic solutions. Windows provides a set of cryptographic APIs that applications can use to avoid the pitfalls of implementing cryptographic algorithms. Known as CryptoAPI, this library contains all industry-recognized encryption and hashing functions.
Use access controls that are enforced by the operating system. Use Access Control Lists (ACLs) to ensure that only authorized parties have access to protected resources. Apply the principle of least privilege when creating the appropriate ACL for each protected resource. Using this principle, grant read and/or write access only to the parties that require it.
Code Reviewing for Weak Data Protection
In order to detect weak data protection, a code review should check for the existence of code that enforces proper access controls. Code that creates files or other objects and does not set access control should be looked at. Additionally, code that configures ACLs should be inspected to determine whether the ACLs are set according to the sensitivity of the data they protect.
Testing for Weak Data Protection
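The "code that creates files and does not set access control" point, as an added example in C on POSIX (not the course's Windows ACL/DPAPI material): the same secret written with fopen(), which inherits umask-derived and typically world-readable permissions, beside a creation that grants owner-only access at creation time. The /tmp paths and the secret value are constructed; the course recommends Windows ACLs, and the POSIX mode bits used here are the nearest portable analogue.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: fopen(path, "w") creates the file with mode 0666 masked only by the
 * process umask. With the common umask of 022 the secret is readable by
 * every account on the machine. */
int store_secret_weak(const char *path, const char *secret)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(secret, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Hardened: least privilege on the object at creation time. The file is
 * created owner-read/write only, O_EXCL refuses to reuse (or follow) a
 * pre-existing path, and fchmod() pins the mode regardless of umask. */
int store_secret_owner_only(const char *path, const char *secret)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;                         /* exists already, or cannot create */
    int ok = fchmod(fd, S_IRUSR | S_IWUSR) == 0;
    if (ok) {
        size_t len = strlen(secret);
        ssize_t n = write(fd, secret, len);
        ok = n >= 0 && (size_t)n == len;
    }
    if (close(fd) != 0)
        ok = 0;
    if (!ok)
        unlink(path);                      /* we created it: remove the partial file */
    return ok ? 0 : -1;
}

/* Review/test helper: 1 if any group or other permission bit is set,
 * 0 if the file is owner-only, -1 if it cannot be examined. */
int file_exposed_to_others(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Predicts what the weak version produces under the current umask. */
int umask_leaves_others_access(void)
{
    mode_t m = umask(0);
    umask(m);                              /* restore immediately */
    return ((0666 & ~m) & (S_IRWXG | S_IRWXO)) != 0;
}

/* Runs both versions on constructed paths under /tmp and checks the
 * resulting modes. Returns 1 when the hardened file is owner-only, the weak
 * file matches the umask prediction, and O_EXCL blocks a second create. */
int run_data_protection_demo(void)
{
    const char *weak   = "/tmp/csd_secret_weak.txt";    /* constructed */
    const char *strong = "/tmp/csd_secret_strong.txt";  /* constructed */
    unlink(weak);
    unlink(strong);

    int ok = 1;
    ok &= store_secret_weak(weak, "constructed-secret") == 0;
    ok &= file_exposed_to_others(weak) == umask_leaves_others_access();
    ok &= store_secret_owner_only(strong, "constructed-secret") == 0;
    ok &= file_exposed_to_others(strong) == 0;
    ok &= store_secret_owner_only(strong, "second write") == -1;  /* O_EXCL */
    ok &= file_exposed_to_others(strong) == 0;  /* the refused attempt left it intact */

    unlink(weak);
    unlink(strong);
    return ok;
}

int main(void)
{
    printf("data protection demo passed: %d\n", run_data_protection_demo());
    return 0;
}
```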
Follow the steps below to detect weak data protection during testing:
Identify what needs to be protected.
  Remember that even a small piece of unprotected sensitive data can compromise the security of the application.
Verify that proper encryption is utilized and not some kind of security through obscurity.
Verify that a proper cryptographic algorithm with an appropriate key size is selected.
  Custom encryption algorithms are not as thoroughly tested as public ones are, so they tend to be insecure.
  Examine all cryptographic key sizes that are used within the application.
  Ensure that the length of all keys is appropriate.
Verify that the implementation of the selected algorithm is free from implementation errors.
Even if correct cryptography is in place, validate that data does not stay decrypted longer than it needs to be and that no decrypted temporary copies are left in the file system or in swap space.
Verify that logging and other error reporting mechanisms do not reveal parts of sensitive data.
Verify that proper ACLs are in place for the resources that need to be protected.
Look for hard-coded secrets. The Strings tool can be used for retrieving all ANSI and UNICODE strings from a binary image.
Examine file system locations such as the application folder and temporary directory for any data that needs to be protected. Repeat the procedure for any related registry keys.
Examine the output of the logs for any sensitive information leakage.
Using system and network monitoring tools, verify that no sensitive information is copied or transmitted in an insecure manner.
Mitigating Weak Data Protection
Use these approaches to mitigate weak data protection:
Buffer Overflows
Applicability
Buffer overflows are inherent to programming languages that allow developers to perform their own memory management, such as C, C++, and assembly. These languages are considered to have better performance, and therefore they are very popular. It is not surprising that buffer overflows are one of the most frequently encountered software bugs. Languages that use garbage collection and that do not allow for direct memory management, such as C# and Java, are not vulnerable to buffer overflow attacks. However, as they can interoperate with native code, these languages can still produce applications that are prone to buffer overflows.
Potential Impact
A successful buffer overflow attack can force a program into executing arbitrary code. In this situation, code runs with the level of privilege granted to the exploited program. As a result, the potential impact of this type of vulnerability is in direct relation to the capabilities of the exploited host.
Examples
TCP port 5631 permits a fixed-length buffer overflow during the authentication process.
Cisco WebEx Player is found to have a buffer overflow (October 2011): Cisco's popular WebEx conferencing product contains vulnerabilities which allow a remote user to supply a specially crafted '.wrf' file that will trigger a buffer overflow and execute arbitrary code on the target system with the privileges of the victim user.
Microsoft OS products are vulnerable to buffer overflows (October 2008): The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization.
Narration: The stack is a Last In, First Out data structure used for memory management. It is segmented into frames, which each correspond to a program function call. Each frame also contains information such as parameters and local variables of the function, a pointer to the previous frame, and the saved return address. When the amount of data written in a local buffer exceeds the amount of memory allocated for this buffer, critical portions of the stack can be overwritten, which could cause a program crash. By submitting carefully crafted data to the application, an attacker can overwrite the return address of the vulnerable function and cause the execution flow of the program to be redirected to an arbitrary memory location. If this location is controlled by the attacker, the application can potentially be forced to execute arbitrary code, thereby compromising the system.
Please specify the string that you would like to copy into the destination buffer.
The amount of data submitted was not large enough to overflow the buffer. Therefore, the program continues normally.
The character string submitted to the application was longer than 16 characters, therefore overflowing the buffer. However, the return address was not overwritten with a valid memory address, and this caused a memory access violation.
Congratulations, the buffer was successfully overflowed and the execution flow was redirected to the buffer. Well done!
Avoiding Buffer Overflows
Buffer overflow vulnerabilities are a result of the following false assumptions:
Parameters will never exceed the maximum size of their destination buffer.
There is no security concern with using this function.
These assumptions result in the following insecure coding behaviors:
Processing input without proper bounds checking.
Using vulnerable functions when safer alternatives exist.
Best practices:
Replace unsafe C functions with safe ones. The SDL requirements contain a comprehensive list of banned API calls, along with safer alternatives.
Verify that loops are properly terminated and array indexes are within bounds.
Watch out for off-by-one errors, as they can be very subtle and difficult to detect, yet can still trigger a buffer overflow.
Replace C buffers with their C++ equivalents or corresponding STL containers, as appropriate. This is not a step to be undertaken lightly, as the changes required to an existing code base can be very extensive.
Proper security awareness must exist within your product team. Ideally, everyone will be familiar with at least the impact of a buffer overflow.
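The demo's 16-character buffer and the off-by-one point above, as an added C example that is not part of the course: the unchecked strcpy() beside a bounded copy whose length test uses '>=' so the terminator still fits, and a parser for a constructed length-prefixed record that checks the declared length against both the destination buffer and the bytes actually received. The record format and the sample messages are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* the 16-character destination buffer from the demo */

/* Scratch destination for the demo and test calls (constructed). */
static char name_buf[NAME_LEN];

/* Before (the demo's defect): strcpy() stops only at the source's NUL, so
 * anything longer than 15 characters runs past the end of a 16-byte stack
 * buffer and into the saved frame pointer and return address. Kept to show
 * the defect; never called with long input here. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* After: bounded length check first. The comparison is '>=' because a
 * 16-byte buffer holds at most 15 characters plus the terminator; writing
 * '>' here is the classic off-by-one that still overflows by one byte. */
int copy_name_checked(char dst[NAME_LEN], const char *src)
{
    size_t len = strnlen(src, NAME_LEN);   /* never scans past NAME_LEN */
    if (len >= NAME_LEN)
        return -1;                         /* reject; do not truncate silently */
    memcpy(dst, src, len + 1);             /* includes the NUL */
    return 0;
}

/* Length-prefixed record: [len][len bytes of name]. The declared length is
 * under the sender's control, so it is checked against both the destination
 * buffer and the number of bytes actually present in the message. */
int parse_name_record(const uint8_t *msg, size_t msg_len, char dst[NAME_LEN])
{
    if (msg == NULL || msg_len < 1)
        return -1;
    size_t declared = msg[0];
    if (declared >= NAME_LEN)              /* would not fit together with the NUL */
        return -1;
    if (declared > msg_len - 1)            /* claims more bytes than were sent */
        return -1;
    memcpy(dst, msg + 1, declared);
    dst[declared] = '\0';
    return 0;
}

/* Constructed sample messages for the demo/test. */
static const uint8_t REC_OK[]  = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t REC_MAX[] = { 15, 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o' };
static const uint8_t REC_OFF_BY_ONE[] = { 16, 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p' };
static const uint8_t REC_SHORT[] = { 9, 'b', 'o', 'b' };   /* claims 9 bytes, sends 3 */

int main(void)
{
    if (parse_name_record(REC_OK, sizeof REC_OK, name_buf) == 0)
        printf("parsed name: %s\n", name_buf);
    printf("16-byte record rejected: %d\n",
           parse_name_record(REC_OFF_BY_ONE, sizeof REC_OFF_BY_ONE, name_buf) == -1);
    printf("short record rejected:   %d\n",
           parse_name_record(REC_SHORT, sizeof REC_SHORT, name_buf) == -1);
    return 0;
}
```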
Code Reviewing for Buffer Overflows
In order to detect buffer overflows during code review:
Use static analysis tools to scan the application's source code. A number of these tools exist for C and C++. While these automated tools are not guaranteed to catch every error, they can be of tremendous use in catching the easy-to-spot errors. Use PREfix and PREfast to analyze your source code.
Testing for Buffer Overflows
When performing black-box testing on an application for buffer overflows:
Perform fuzz testing. Investigate potential crashes to determine the presence of buffer overflow bugs.
Use AppVerifier. This tool is a runtime verification tool for unmanaged code. It assists developers in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing.
Mitigating Buffer Overflows
Even properly tested systems designed and implemented with security in mind can contain exploitable buffer overflows. Therefore, proper countermeasures should be put in place in order to mitigate potential buffer overflows:
Use Data Execution Prevention. The first step towards mitigating buffer overflows is making the stack and the heap non-executable. On Windows, this feature is called Data Execution Prevention (DEP). Similar solutions exist for other operating systems as well. This technology thwarts the majority of attacks.
It should be noted that the above techniques, while useful, can be bypassed (as has happened with exploits found in the wild). Therefore, detection and prevention still remain key in a successful buffer overflow defense.
Format String Problems
Applicability
Format string bugs can be encountered in any type of application. While they carry their most critical impact when encountered in applications written in C/C++, they can produce undesired side effects in languages such as C#, Java, PHP, or Python.
Potential Impact
The impact of format string attacks varies:
Information Leakage: Using carefully crafted format strings, information can be read from the stack. This can lead to disclosure of sensitive information that can be used to escalate an attack.
Denial of Service: Improper handling of format strings may lead to a program crash. If the program in question accepts the input from an anonymous client from the network, the effects can be devastating.
Elevation of Privilege: Program crashes can lead to execution of arbitrary code, compromising the security of the program. If the vulnerable program is running with administrative privileges, a complete operating system compromise may occur.
Examples
Explanation

Narration: Format string attacks, as their name suggests, target functions that take format strings as arguments, such as the C language printf family of functions.

Format specifiers embedded within these format strings describe how to process subsequent parameters of the function. If these parameters are not properly validated, it is possible to force the application to deviate from its intended behavior.

By providing access to values stored on the stack, these attacks can have many different effects, ranging from erroneous program behavior and program crashes to information disclosure and execution of arbitrary code.

Examples

Please select the format string that you would like to pass to the printf function.

The format string passed was the expected one; the program continues normally.

The format string passed to the printf function allowed the password to be read from memory, thus enabling information disclosure.

The format string passed to the printf function allowed an attacker to overwrite an arbitrary memory location, which could potentially allow the attacker to execute malicious code.
Avoiding Format String Problems

Format string vulnerabilities arise as a result of the following false assumptions:

The input will always be of the expected format.
There are no security concerns with format strings.

These assumptions result in the following insecure coding behaviors:

Processing input without properly validating it.
Using insecure format string constructs.

Best Practice:

Never pass user input directly to a formatting function.
Replace unsafe constructs with more secure equivalents.
Use managed code wherever possible as it tends to be less vulnerable to format string issues.
Code Reviewing for Format String Problems

During a code review it is relatively simple to detect format string problems. Scan for the usage of functions known to be vulnerable to format string attacks. In particular, look for constructs such as:

printf(user_input)
fprintf(stdout, user_input)

and verify whether they could allow specially crafted input to:

Reveal information whose address is stored on the stack.
Write to unexpected memory locations.
Overflow a buffer.

Depending on the development environment, compiler flags can also help with the discovery of format string flaws.
Testing for Format String Problems

In order to detect format string vulnerabilities during testing, look for any situation where format control specifiers (in the appropriate language) can be included as part of the user input. Include strings such as %x and %s wherever possible. Input may include unexpected sources of user input such as file names, environment variables, and localization files. If the application returns unexpected hexadecimal characters with any of these test strings, then there is a format string problem to be investigated.
Mitigating Format String Problems

Avoid the printf family of functions whenever possible. For example, if you are using C++ then use stream operators instead. If you must use printf, or a related function, then be sure to use a format control string to reference any user-supplied data. For C code, this solution can be implemented by simply replacing printf(user_controlled_string) with printf("%s", user_controlled_string). Similar measures can be implemented in other languages susceptible to format string issues.

When dealing with localization files, you can mitigate format string issues by limiting the locales to valid values. For more information on such localization issues, see "Write It Secure: Format Strings and Locale Filtering".
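The two mitigations above in working C, as an added example that is not part of the course material: log_user_string shows the hardened printf("%s", ...) pattern, and directives_match shows one way to vet a string that genuinely must be a format string (a line loaded from a localization file) before it is handed to the printf family. The function names and the 16-directive limit are assumptions made for this example; positional arguments (%1$s) are not handled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum number of %-directives recorded per string (assumed limit). */
#define MAX_DIRECTIVES 16

/* Record the conversion character ('s', 'd', 'x', ...) of every %-directive in
 * s, skipping flags, width, precision and length modifiers. "%%" is a literal
 * percent sign and is not recorded. Returns the number of directives found, or
 * -1 if a directive is truncated, too many are present, or the %n directive
 * (which writes to memory) appears. */
static int extract_directives(const char *s, char *out, size_t out_len)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%": escaped percent sign */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL)
            p++;                            /* flags, width, precision, length */
        if (*p == '\0' || *p == 'n')
            return -1;                      /* truncated directive or %n */
        if ((size_t)count >= out_len)
            return -1;
        out[count++] = *p;
    }
    return count;
}

/* Return true when `translated` (for example a string loaded from a
 * localization file) uses exactly the same directives, in the same order, as
 * the developer's `template`. Only a string that passes this check may be
 * used as the format argument with the arguments intended for the template. */
bool directives_match(const char *template, const char *translated)
{
    char a[MAX_DIRECTIVES], b[MAX_DIRECTIVES];
    int na = extract_directives(template, a, sizeof a);
    int nb = extract_directives(translated, b, sizeof b);
    if (na < 0 || nb < 0 || na != nb)
        return false;
    return memcmp(a, b, (size_t)na) == 0;
}

/* The hardened pattern from the text: untrusted data is passed as an
 * argument to a fixed "%s" directive and is never the format string itself,
 * so "%x%x%n" in the input is copied literally. Returns the snprintf result. */
int log_user_string(char *out, size_t out_len, const char *user_input)
{
    return snprintf(out, out_len, "user said: %s", user_input);
}
```

A reviewer applying the checklist above would flag any call where the first argument to printf, fprintf, syslog or snprintf is a variable; the only variable format strings that should survive review are ones that passed a check like directives_match against a developer-owned template.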
Integer Overflows

Defining Integer Overflows

Computers use fixed-width groups of bits to represent numeric types. Representing numbers in this fashion implies that any number of a given numeric type must have a value that is between the type's minimum and maximum values.

If a number's value exceeds the minimum or maximum values for the number's type, the number's value will be wrapped around. This behavior is known as integer overflow.
Applicability

Owing to the nature of computers and how they represent numbers, integer overflows plague almost all programming languages. Highly vulnerable languages include C and C++, but the problem can appear with varying impact in languages such as C#, Visual Basic, Java and Perl.

Explanation

Due to the fixed-width nature of data types, numbers are treated as though distributed around a wheel rather than along a line.
Potential Impact

Integer overflows may result in many different outcomes ranging from miscalculations and denial of service to buffer overflows and remote code execution. For instance, if the calculation of a memory pointer is affected by an integer overflow, an attacker may exploit this weakness to either read sensitive information or overwrite critical data.

Narration: We normally think of integers as lying on a number line that extends indefinitely in both directions. Computers however must store numbers in a limited amount of space. Therefore, when representing an integer, there is a maximum and minimum value that computers are able to represent. When an integer variable is incremented beyond the largest possible value, the value of that variable wraps around and becomes the smallest possible value.
Avoiding Integer Overflows

In order to avoid integer overflow vulnerabilities in your software:

Code Reviewing for Integer Overflows

The above table shows the constructs to check in order to detect integer overflows during code review.

Testing for Integer Overflows

Testing for integer overflows can be performed in several ways:

Fuzz testing. Fuzz testing has an excellent history of uncovering difficult-to-find overflow errors. This is because fuzzing naturally forces unexpected integer values that the programmer might not have originally considered. Carefully examine fuzz testing results for any overflow conditions. Trace the flow of data back from the point of error and identify what input caused the integer overflow condition.

Mitigating Integer Overflows

There are several ways to mitigate integer overflows, including:

Fail securely. Handle any exceptions that result from an integer overflow in a secure manner. Ignoring or simply not catching such exceptions may aid an attacker in compromising the target application.
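The wheel behaviour and the "fail securely" mitigation in working C, as an added example that is not part of the course material. wrap_add_u32 shows the wrap-around itself; the checked_* functions test the operands before the arithmetic so the overflow never happens; safe_alloc_array shows the count-times-size case that turns an integer overflow into a buffer overflow, returning NULL instead of an undersized buffer. All function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Wrap-around on the "wheel": unsigned arithmetic in C is defined to reduce
 * modulo 2^32, so UINT32_MAX + 1 silently becomes 0. */
uint32_t wrap_add_u32(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Checked addition: returns false (and leaves *out untouched) if a + b would
 * wrap. The test is done before the addition, so no overflow ever occurs. */
bool checked_add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > UINT32_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* Checked multiplication on size_t, the type that feeds memory allocators.
 * A count * elem_size that wraps is the classic path from integer overflow to
 * buffer overflow: the allocation is far too small for the data written. */
bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Allocate an array of `count` elements of `elem_size` bytes, or return NULL
 * when the byte count cannot be represented: fail securely rather than hand
 * back an undersized buffer. */
void *safe_alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_mul_size(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Signed case: the C standard leaves signed overflow undefined, so the check
 * must compare against the limits rather than inspect a wrapped result. */
bool checked_add_i32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return false;
    *out = a + b;
    return true;
}
```

During code review, every allocation sized from attacker-influenced counts and every index or length computation is a candidate for one of these checked forms.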
Improper File Access

Defining Improper File Access

Improper file access defects include all those vulnerabilities that stem from careless interaction with the file system, such as race conditions in non-atomic file operations, improper validation of untrusted input used in generation of file names and paths, and false assumptions about the nature of file system objects accessed by the application.
Applicability

All languages that provide file system object access primitives and all applications that access the file system are potentially vulnerable to this category of defects.

Explanation

Time of check/Time of use (TOCTOU): Improper file access vulnerabilities can stem from file operations that appear atomic, when in reality they are not. These race conditions allow an attacker to violate the program's expectations between two file operations in close proximity. For example, an application that logs sensitive data might first check whether the log file already exists, deciding to proceed only if it does not exist by creating it with restrictive ACLs. In this situation, an attacker could create the file with less restrictive ACLs during the time window between the check operation and the log creation, allowing its contents to be accessible to anyone.

Untrusted input: Applications constructing file names and paths based on untrusted input can be vulnerable to path modification attacks such as directory traversals (that is, the addition of an arbitrary number of path modifiers that break off an anticipated directory) and network file redirection (that is, the insertion of a \\computername\ Universal Naming Convention (UNC) prefix to redirect a file request to an arbitrary network location).

Unexpected file system objects: Most file system APIs can be used to operate on objects that are not necessarily files, such as junction points and symbolic links (types of file shortcuts directly supported by the file system), MS-DOS device names (such as COM1 and LPT1), and interprocess communication and synchronization objects (such as named pipes and events).
Potential Impact

Improper file access vulnerabilities can allow attackers to access, modify, and delete protected files, and to crash an application that accesses a file system object of a type different than expected.
Avoiding Improper File Access

Time of check/Time of use best practices:

Lock files before performing sequences of non-atomic file operations.
Never use the same file name with more than one file operation; obtain a file handle instead and operate on the handle.

Path modification best practices:

Never trust file names and paths not under direct control of the application.
When obtaining and/or creating a file name or path from untrusted sources, resolve the name or path first to its canonical form, and then validate it.

Unexpected file system objects best practices:

Before operating on a file system object, always validate its actual type against the expected type by means of the GetFileType() API.
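The path modification best practice ("resolve to canonical form, then validate") in working C, as an added example that is not part of the course material. It assumes a POSIX system, where realpath() plays the canonicalization role; the Windows-specific concerns above (UNC prefixes, MS-DOS device names) are not handled here. The function names are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Resolve base_dir + "/" + untrusted_name to its canonical absolute form and
 * check that it still lies inside base_dir. Returns true and fills `resolved`
 * on success. Symbolic links and ".." components are followed by realpath(),
 * so the comparison is made on the object the kernel would actually open. */
bool resolve_inside_base(const char *base_dir, const char *untrusted_name,
                         char *resolved, size_t resolved_len)
{
    char base_real[PATH_MAX], candidate[PATH_MAX], candidate_real[PATH_MAX];

    if (realpath(base_dir, base_real) == NULL)
        return false;
    if (snprintf(candidate, sizeof candidate, "%s/%s", base_dir, untrusted_name)
            >= (int)sizeof candidate)
        return false;                       /* would be truncated: reject */
    if (realpath(candidate, candidate_real) == NULL)
        return false;                       /* nonexistent or unresolvable */

    size_t base_len = strlen(base_real);
    if (strncmp(candidate_real, base_real, base_len) != 0)
        return false;
    /* The prefix must end at a path separator so that "/srv/data" does not
     * accept "/srv/data2/secret" (base "/" is the one case with no separator). */
    if (base_len > 1 && candidate_real[base_len] != '/')
        return false;
    if (strlen(candidate_real) >= resolved_len)
        return false;
    strcpy(resolved, candidate_real);
    return true;
}

/* Open a file named by untrusted input for reading, only if it resolves to a
 * location under base_dir. Returns a descriptor or -1. O_NOFOLLOW is a last
 * line of defense against a symlink swapped in after the check. */
int open_under_base(const char *base_dir, const char *untrusted_name)
{
    char path[PATH_MAX];
    if (!resolve_inside_base(base_dir, untrusted_name, path, sizeof path))
        return -1;
    return open(path, O_RDONLY | O_NOFOLLOW);
}
```

The check happens after canonicalization, so "../" sequences and symlinks that point outside the base are rejected on what they resolve to, not on how they were spelled.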
Code Reviewing for Improper File Access

Is the file name originating from an untrusted source, or can it be manipulated by an untrusted party?
Is the file name going to be used with more than one file operation?
Can the file be accessed or modified by unauthorized users?

Testing for Improper File Access

MS-DOS device names such as AUX, CON, LPT1, C:, and variants such as PRN.txt and ..\..\AUX.
Path modifiers such as ..\ and alternative stream names such as file.txt::$DATA.
UNC prefixes and suffixes such as \\<computername> and computername\ipc$.

Mitigating Improper File Access

Most of the causes of improper file access issues can be controlled by preventing unauthorized users from tampering with the files accessed by the application. A convenient way to achieve this goal is to confine critical file operations to a protected folder such as the user folder (\Documents and Settings\<username>), which by default only allows access to the current user and to members of the Administrators group.
Improper Use of SSL and TLS

Defining Improper Use of SSL and TLS

SSL, and its successor TLS, are industry-accepted client-server cryptographic protocols, designed to allow secure transmission of data by replacing standard TCP sockets. These technologies encrypt data traffic, perform integrity checking, and offer the capability for each of the two communicating parties to authenticate the other. However, if used improperly, these technologies can become ineffective and, furthermore, can offer a false sense of security to their users.
Applicability

As SSL/TLS is used to secure network communications, improper use of SSL/TLS usually affects client-server applications. However, HTTPS, which relies on SSL/TLS to secure Web traffic, mandates a stricter set of security rules and is not prone to such problems. Improper use of SSL/TLS does not apply to applications that do not rely on network connectivity to operate.

Explanation

SSL/TLS is a protocol that is used to prevent attackers from reading or modifying communication between a client and a server. In addition, it provides a means for both communicating parties to authenticate each other. As is the case with most of the existing protocols, SSL/TLS includes optional recommendations such as the use of server-side authentication. When server-side authentication is not enabled, it is possible for an attacker to impersonate the server and perform a man-in-the-middle attack. When this type of attack succeeds, an attacker can view and modify data transferred between the client and the server. While SSL/TLS can be considered a cryptographically secure protocol, improper use of it can nullify its security.
Potential Impact

Improper use of SSL/TLS allows an attacker to impersonate communicating parties, get access to sensitive information and tamper with data while it is being transmitted.
Avoiding Improper Use of SSL and TLS

A solution integrating SSL/TLS might contain one or more flaws such as:

Use of weak cryptography.
Improper validation of certificates.
Weak authentication.

In order to avoid the above issues, an application must make sure that:

The cipher suite used is secure.
Certificates are signed by a trusted Certificate Authority.
The host name contained in the server certificate matches the server's host name.
The certificate has not expired and has not been revoked.
Individual data fields within the security certificate validate correctly.
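Two of the checks in the list above (host name match and validity period) in working C, as an added example that is not part of the course material. Most TLS libraries perform these checks for you when asked, and that is what production code should use; this block shows what a correct host name comparison has to get right, which is where hand-rolled checks most often go wrong. The wildcard rules applied are a conservative subset of common practice, chosen for this example, and the function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <time.h>

/* Case-insensitive comparison of two DNS strings of equal length. */
static bool labels_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Does the name presented in the certificate match the host the client meant
 * to reach? Rules: exact case-insensitive match; or a wildcard that is the
 * entire left-most label, matches exactly one label, and is followed by at
 * least two more labels (so "*.com" never matches anything). Partial
 * wildcards such as "*ample.com" are rejected. */
bool hostname_matches(const char *presented, const char *host)
{
    size_t plen = strlen(presented), hlen = strlen(host);
    if (plen == 0 || hlen == 0)
        return false;
    if (plen == hlen)
        return labels_equal(presented, host, plen);

    /* Wildcard form: must start with "*." and contain no other '*'. */
    if (plen < 2 || presented[0] != '*' || presented[1] != '.')
        return false;
    if (strchr(presented + 1, '*') != NULL)
        return false;
    const char *suffix = presented + 1;          /* e.g. ".example.com" */
    size_t slen = plen - 1;

    int dots = 0;                                /* need >= 2 labels in suffix */
    for (const char *p = suffix; *p != '\0'; p++)
        if (*p == '.')
            dots++;
    if (dots < 2)
        return false;

    /* host must be exactly one non-empty label followed by the suffix. */
    if (hlen <= slen)
        return false;
    size_t label_len = hlen - slen;
    if (memchr(host, '.', label_len) != NULL)
        return false;                            /* wildcard would span labels */
    return labels_equal(host + label_len, suffix, slen);
}

/* Validity period check: `now` must lie within [not_before, not_after]. */
bool cert_time_valid(time_t not_before, time_t not_after, time_t now)
{
    return now >= not_before && now <= not_after;
}
```

A reviewer should expect the host name passed in to be the name the user or configuration asked for, never a name read back from the connection or the certificate itself.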
Code Reviewing for Improper Use of SSL and TLS

In order to detect improper use of SSL/TLS during code review, examine all network input points that use SSL/TLS. For each of these points:

Verify the use of a strong cryptographic suite. This can often be accomplished by searching for the strings SSL and TLS in a case-insensitive manner.
Verify that a commercial PKI is used. If a proper PKI is not used and certificates are managed in an ad hoc way, then verify that certificates are checked against a well-defined allow list.
Verify that the code checks if certificates are within the validity time period.
Verify that the code checks if data contained within subfields is both syntactically correct and semantically valid.

Testing for Improper Use of SSL and TLS

When trying to detect improper use of SSL and TLS during testing, there are several tools that can help automate a man-in-the-middle attack against HTTPS, including dsniff, Ettercap, and Wireshark.

To test for the use of a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP), monitor all traffic from an application for an extended period of time. Check destination protocols and addresses against a list of known values. If OCSP is enabled, check for one OCSP request per authentication. Note that CRL checks can be made quite infrequently (once a week is not uncommon) with the results being cached. Therefore, do not expect to see much traffic when looking for CRL use.
Mitigating Improper Use of SSL and TLS

The following extra defensive steps can be taken in order to mitigate improper use of SSL/TLS:

Monitor network traffic for suspicious activity.
Periodically audit your application to ensure that SSL is being used properly.
Unauthenticated Key Exchange

Defining Unauthenticated Key Exchange

Software developers are often advised by security experts never to build their own cryptographic algorithms. To a great extent, development teams have no trouble adhering to this advice, as it is usually less effort to find and use a suitable third-party solution. However, even when using a well-written solution, there are still many issues to be aware of. One of the most common mistakes is to incorrectly initialize new sessions for secure communications. In particular, it is common for developers to establish a session key in an insecure manner, leaving the session initialization vulnerable to, for example, man-in-the-middle attacks.
Applicability

Unauthenticated key exchange can happen with any programming language and any system. The only requirement is that the application establishes a secure communication channel with some third party using a shared key. When such a channel is not set up in a secure fashion, any data transmitted through this channel may become compromised.

Potential Impact

Unauthenticated key exchange problems allow man-in-the-middle attacks, in which attackers are able to observe supposedly secure communications between two parties. This is typically done by spoofing the identity of both parties so that both incorrectly think they are speaking to the other party. This allows the attacker to observe confidential information sent between the two parties, with the option to tamper with the data while in transit.

Examples

Remote Desktop Protocol Server Private Key Disclosure Vulnerability (May 2005): In Microsoft Remote Desktop Server a vulnerability presents itself because a private key that is used to sign the Terminal Server public key is hard-coded in a DLL. This can allow the attacker to disclose the key and calculate a valid signature to carry out man-in-the-middle attacks. An attacker could therefore cause the client to connect to a server under their control and send the client a public key to which they possess the private key.

SSH Tectia Server Insecure Private Key Permissions (July 2005): SSH Tectia Server 4.3.1 and earlier, and SSH Secure Shell for Windows Servers, uses insecure permissions when generating the Secure Shell host identification key, which allows local users to access the key and spoof the server.

Explanation

Narration: Let's say that Alice has never communicated previously with Bob. One of the two parties needs to generate a shared symmetric key to send to the other. Alice generates the secret key and sends it to Bob over an insecure channel. Unfortunately, Eve captures the key and makes a copy of it. All communications between Alice and Bob are now compromised because Eve can decrypt each message, modify it, and then re-encrypt it without the two parties knowing.
Avoiding Unauthenticated Key Exchange

Unauthenticated key exchange vulnerabilities usually arise as a result of the following false assumptions:

Using third-party cryptography solutions ensures security.
Authentication can occur after session initialization.

These assumptions lead to the following insecure coding behaviors:

Allowing session initialization without proper authentication.
Allowing authentication to occur after session initialization.

Best practices:

Use off-the-shelf cryptography solutions.
Authenticate prior to session initialization and key exchange.
Use a professional cryptographer when building custom cryptographic solutions.

Code Reviewing for Unauthenticated Key Exchange

Use the following steps to detect unauthenticated key exchange during code review:

Identify network communication points where protection is a requirement, or should be a requirement.
For each of these points, determine what authentication protocol is used during session initialization, if any.
Verify the authentication protocol results in a session key by looking at the protocol outputs. If not, verify that the protocol is authenticating the data from the key exchange and that the other party is uniquely identified. As this is very difficult to do, rely on a professional cryptographer.
Assuming there is a key exchange, check that it is used for ongoing protection of the communication.
Ensure that the authentication messages cannot be spoofed. For example, if public key digital signatures are used, then verify the other party's identity by using a PKI solution or by checking against a static list of known trusted keys.
If authentication can be attacked, check whether only the first successful connection is vulnerable, or whether all future connections are vulnerable. The latter situation is clearly more problematic than the former.

Testing for Unauthenticated Key Exchange

Testing is not the recommended place for detecting problems with unauthenticated key exchange. It is much easier to spot such issues using code review.

Mitigating Unauthenticated Key Exchange

There are no specific mitigations that can be used to help address unauthenticated key exchange issues.
Weak Random Number Generation

Defining Weak Random Number Generation

A Random Number Generator (RNG) is a device that can produce a series of numbers that lack any pattern. A weak RNG is one that may appear to produce a series of random numbers, but in actuality produces a series that contains subtle patterns or relations. Since RNGs are a key component in many security systems like encryption algorithms, it is important for RNGs to be strong and not have predictable values.

Computers often use Pseudorandom Number Generators (PRNGs) to simulate an RNG. PRNGs use a seed value as a starting point for generating a very long sequence of seemingly random numbers. PRNGs can be either weak or strong, depending on how easy it is for an attacker to predict numbers generated by the PRNG.
Applicability

Applications of all types rely on RNGs for the security of their cryptosystems. Any application that does one of the following is at risk of misusing RNGs:

The application uses an RNG as part of a cryptosystem.
The application uses an RNG to seed the value for a PRNG.
The application generates session IDs, user IDs, or tokens that are meant to be unpredictable.

Explanation

Random number generators are used to generate many kinds of security-related data including cryptographic keys and session identifiers. An attacker who can predict numbers generated by an RNG, even with only slight probability of success, can often leverage this information to breach the security of systems. Even worse is when an RNG is not even used, which makes attacking such systems significantly easier. This is often the case when hard-coded or sequential values are used rather than values generated by a strong RNG.

Potential Impact

Successful attacks against weak RNGs can have many different outcomes, depending on how the random numbers were being used in the first place. When an RNG is used for session or user IDs, then a successful attack allows the attacker to gain access to the victim user's account. When an RNG is relied on for the encryption of confidential data, a successful attack against the RNG can reveal the hidden information and even allow the attacker to alter the information. When an RNG is used in conjunction with digital certificates, a successful attack against the RNG allows the victim's identity to be spoofed.

Examples

Qnap Storage Devices use weak key generation methods (September 2009): Some Qnap Storage Devices use the rand library function to generate a certain recovery key, which makes it easier for local users to determine this key via a brute force attack leading to unauthorized decryption of the hard disk by attackers.

Linux distros prone to weak random number generation weakness (September 2009): The get_random_int function in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to return the same value over and over again for long stretches of time.
Avoiding Weak Random Number Generation

RNG-related vulnerabilities arise as a result of the following false assumptions:

A given value, such as a session ID, will not change after it is set.
Building a secure RNG is easy.
Building a custom RNG is more secure.
If you generate a few values with an RNG and they appear to be evenly distributed, then there's probably nothing to worry about.
The built-in function for random numbers for a given language must be secure.
A fixed value can be used to seed an RNG, as long as it is kept secret.

These assumptions often lead to the following insecure code behaviors:

Using predictable values for session IDs.
Having false confidence in a home-grown RNG.
Relying on weak RNGs built into the language.
Hard-coding seed values.

Best practices:

Never trust input from the user, including values such as session IDs.
Never write your own cryptographic functions, including an RNG.
Never use built-in RNGs in any particular language unless you are sure they are strong.
Use cryptographic RNGs.
Use a True RNG source to seed values for strong PRNGs.

SDL requirement: When using an RNG for cryptographic purposes, use either RtlGenRandom, CryptGenRandom, rand_s, or RNGCryptoServiceProvider (for managed code).

SDL requirement: When generating data from passwords, use a standard key derivation function (KDF): CryptDeriveKey.
Code Reviewing for Weak Random Number Generation

When detecting weak PRNGs during code review, check the above constructs. While code reviewing, check for any uses of the built-in RNGs listed in the chart. Also check the values used to seed cryptographic RNGs. A True RNG source should be used to seed a cryptographic RNG.

Testing for Weak Random Number Generation

Testing a Web application for weak RNGs requires special attention. Look for identifiers such as session IDs, user IDs, and tokens that are sequential or have other noticeable patterns. Automated tools can be used to generate a large number of such identifiers that can then be analyzed independently. For Web applications, be sure to look at hidden parameters, session cookies and names assigned to file uploads.

The following tool can assist you when testing for weak RNGs:

WebScarab: A basic proxy tool that can replay requests and provide basic analysis of response parameters.
Mitigating Weak Random Number Generation

#include <windows.h>
#include <wincrypt.h>

void GetRandomBytes(BYTE *pdBuffer, DWORD dwLen)
{
    HCRYPTPROV hProvider;
    /* Acquire a cryptographic provider context; CRYPT_VERIFYCONTEXT requests
       a context that does not need a persistent key container. */
    if (!CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        ExitProcess((UINT)1);
    /* Fill the caller's buffer with dwLen cryptographically random bytes. */
    if (!CryptGenRandom(hProvider, dwLen, pdBuffer))
        ExitProcess((UINT)1);
    ...
}

With .NET code, you should use code similar to the following C# example.
try
{
    byte[] b = new byte[32];
    new RNGCryptoServiceProvider().GetBytes(b);
    // b contains 32 bytes of random data
}
catch (CryptographicException e)
{
    // Error
}
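The POSIX counterpart of the Win32 and .NET snippets above, as an added example that is not part of the course material. It assumes a system exposing /dev/urandom as the operating system's cryptographic RNG (on Linux the getrandom(2) system call is the preferred equivalent), fails securely on any shortfall instead of falling back to a weak source, and keeps the rand()-seeded-with-the-clock pattern the text warns against only as a contrast. The function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Fill buf with len bytes from the operating system's cryptographic RNG.
 * Returns 0 on success, -1 on failure: the caller must treat -1 as fatal for
 * the operation rather than substitute a weaker generator. Assumption: a
 * POSIX system with /dev/urandom. */
int get_random_bytes(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Produce a lowercase hex session token from nbytes random bytes into out,
 * which must hold 2*nbytes + 1 characters. Returns 0 on success, -1 if the
 * output buffer is too small or the RNG fails. */
int make_session_token(char *out, size_t out_len, size_t nbytes)
{
    unsigned char raw[64];
    if (nbytes > sizeof raw || out_len < 2 * nbytes + 1)
        return -1;
    if (get_random_bytes(raw, nbytes) != 0)
        return -1;
    for (size_t i = 0; i < nbytes; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* The weak pattern the text warns against, kept only for contrast: rand()
 * seeded with the clock is predictable to anyone who can guess the second at
 * which the token was issued, and rand() itself is not a cryptographic RNG.
 * Never use this for session IDs, keys or other security values. */
void make_weak_token(char *out, size_t out_len)
{
    srand((unsigned)time(NULL));
    snprintf(out, out_len, "%08x", (unsigned)rand());
}

/* Two strong tokens of the same length must differ: a cheap sanity check that
 * catches a generator returning constant or repeated output. */
int tokens_differ(size_t nbytes)
{
    char a[129], b[129];
    if (make_session_token(a, sizeof a, nbytes) != 0 ||
        make_session_token(b, sizeof b, nbytes) != 0)
        return 0;
    return strcmp(a, b) != 0;
}
```

During code review, grep for rand(), srand(), random() and language-level equivalents near anything called token, session, nonce, salt or key; each hit should be replaced by a call to the platform's cryptographic generator as in get_random_bytes.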
Race Conditions

Defining Race Conditions

A race condition occurs when two different execution contexts are able to modify a resource at the same time, thereby interfering with one another. Developers often assume that a short sequence of instructions or API calls will be performed atomically, while in reality another process or thread is likely to get a time slice before the sequence completes. In application security, a specific kind of race condition occurs when an attacker is able to access a resource between the time this resource is checked and the time it is used. This type of issue is referred to as time of check to time of use, or TOCTOU.
Applicability

It is possible to create race conditions in any language. Although high-level languages that do not support threads or forked processes will not be vulnerable to some race condition problems, malicious users may still be able to perform other types of TOCTOU attacks.

Explanation

The following are different types of situations that will inevitably lead to race condition problems:

Programming with side effects. Side-effect programming occurs when a function or an expression modifies a shared resource before returning. For example, a function may modify a global or a static variable in addition to returning a value. Problems arise when two threads are in the function at once. Let us consider a function that pops the front element of a list after having checked that the list is not empty. One thread may pass the check, while another may pop the last element of the list. Therefore, when the first thread attempts to pop an element from the list, because the list is empty, the routine will fail, potentially putting the application in a vulnerable state. This is particularly concerning for real-time or critical applications which, when malfunctioning, may endanger human life and have serious consequences.

Potential Impact

Race conditions might cause multiple threads or processes to fight for the same resource or wait for a lock while the application is in a deadlock state. Such issues will usually result in a denial of service.

If an attacker succeeds in getting between the time of check and the time of use of a critical system resource and reads or modifies this resource, this often allows the attacker to bypass a security restriction and elevate his or her privileges on the vulnerable system.
Avoiding Race Condition Problems

Race condition issues usually arise as a result of the following false assumptions:

A sequence of instructions will be performed atomically.
An attacker will not be able to get between the time a resource is checked and the time the resource is used.
Only one thread at a time will execute a function's code.

These assumptions lead to the following insecure coding behaviors:

Programming with side effects.
Implementing non-reentrant code.
Omitting to secure critical objects between time of check and time of use.

The following best practices should be applied to avoid race condition problems:

Achieve thread safety through the use of reentrant code: Code should be able to be executed by multiple threads and processes simultaneously. Thread synchronization can be achieved through the use of the interlocked family of functions, mutexes, semaphores, or critical sections.

Guard against the lack of or the improper locking of shared resources: If an unhandled exception is thrown while holding a lock on an object, any other code that requires access to this object will enter a deadlock condition. The responsibility of acquiring or releasing a lock may be given to an object so that when the stack unwinds, the destructor of this object will release the lock. Multiple locks should be released in the opposite order in which they were acquired. Minimize the tasks to be done while holding a lock so that other threads may gain access to the resource. Since system calls may take millions of instructions to complete, do not depend on them to complete execution before another application is allowed to execute.

Supply the access controls at creation time: In Windows, a security descriptor can be attached to a file at creation time. Supplying the access controls at creation time eliminates race conditions that may have occurred between creation and applying the access control.

Use the CREATE_NEW flag when creating a new file: Calling the CreateFile API with the CREATE_NEW flag will fail if the file already exists and will therefore avoid race conditions between checking whether an object exists and creating a new one.

Check GetLastError(): If an application needs to create a directory that an attacker has already created, the GetLastError() API function will return ERROR_ALREADY_EXISTS.
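The atomic-create and operate-on-the-handle practices, as an added example that is not part of the course material. It serves both the log-file TOCTOU scenario in the Improper File Access section (check whether the log exists, then create it with restrictive permissions) and the CREATE_NEW / GetLastError guidance just above, translated to POSIX: O_CREAT|O_EXCL is the counterpart of CREATE_NEW, errno EEXIST of ERROR_ALREADY_EXISTS, and the 0600 mode is the access control supplied at creation time. fstat on the open descriptor stands in for the GetFileType() check. The function names are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private log file atomically. O_CREAT|O_EXCL makes the kernel do
 * the "does it exist?" check and the creation as one operation, so there is
 * no window in which another party can pre-create the name with looser
 * permissions. Mode 0600 is applied at creation time. Returns the
 * descriptor, or -1 with errno == EEXIST when the name already exists. */
int create_private_log(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Every further check is made on the descriptor, never on the path name: an
 * object swapped in under the same name after open() cannot affect a
 * descriptor that is already open. Mirrors the "validate the actual type"
 * rule: refuse anything that is not a regular file. */
bool is_regular_file_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return false;
    return S_ISREG(st.st_mode);
}

/* The check-then-create sequence the text describes as unsafe, kept for
 * contrast only: between access() and open() another process can create the
 * file, and open() without O_EXCL will reuse it, permissions and all. */
int create_log_unsafe(const char *path)
{
    if (access(path, F_OK) == 0)
        return -1;                                /* appears to exist: refuse */
    return open(path, O_WRONLY | O_CREAT, 0666);  /* TOCTOU window above */
}
```

A reviewer reading the second function should recognize the pattern from the checklist that follows: an existence check by name followed by a separate operation on the same name. The fix is always the first form, with the descriptor (or handle) carried through the rest of the code.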
Code Reviewing for Race Condition Problems

In order to detect race condition problems, code reviews should pay particular attention to the following:

When more than one thread or process accesses the same resource:
Investigate the resource locking and unlocking mechanism.
Verify that proper exception handling is in place.

When temporary files are created in common areas:
Verify that the O_EXCL option is used whenever the C open() function is called.
Verify that the CREATE_NEW flag is used whenever CreateFile is called.
Verify that file names are unpredictable.
Verify that access control lists are specified at creation time.

Identify places where non-reentrant code is used in multithreaded applications.

The following static analysis tools may also help you in uncovering race conditions:

Coverity Prevent: Static code analysis tool that finds concurrency defects (race conditions, deadlocks, and thread blocks) in multithreaded applications developed in C, C++ and Java.

Fortify Static Code Analysis (SCA): Static code analysis tool that identifies software vulnerabilities such as race conditions in C/C++, C#, Java, ASP.NET, VB.NET, JSP, JavaScript and XML.

Testing for Race Condition Problems

Race conditions can be difficult to find through testing. As a general rule, testers should find threads and processes that compete for the same resources and determine ways to modify:

The established order in which they access these resources.
The resources themselves.
Mitigating Race Condition Problems

In order to mitigate against race condition problems:

Create temporary files in places to which non-privileged users do not have access: Users should not be able to access nor tamper with temporary files used by the application.

Prevent files from being tampered with: The Windows integrity mechanism can be used to restrict access permissions of less trustworthy applications by assigning integrity levels to application processes and securable objects.
Poor Usability
Applicability

Poor usability can be found in applications built in any language and for any environment. Any application that allows one to make security decisions, either explicitly or implicitly, is at risk of letting its users leave their system insecure because of poor usability.

Explanation

Poor usability is usually the result of a lack of understanding of the application's users. These users can generally be classified into two groups: administrators and regular users. Administrators want to make sure they can manage their systems effectively and securely. They also want access to critical data to help them make good security decisions and should be trusted to do so. Regular users, however, want to be safe but they usually do not have the necessary skills to make good security decisions, even when provided with helpful data.

Adequately presenting security-related information to your users can be surprisingly difficult. Applications frequently:

Provide too little information. This makes it especially difficult for administrators to make appropriate security decisions for their organization.

Provide too much information. This makes it especially difficult for regular users to make decisions as the information is overwhelming and does not allow them to reach their simple security objectives.

Present too many messages. Both administrators and users grow tired of alerts and warning messages and will eventually just start automatically clicking "Yes" or "OK" without taking into account the content of the message.

Present inaccurate or generic information. This is very annoying, and very dangerous, because users are then forced to make an uninformed decision. Error codes can be helpful to administrators, but without any explanatory text, end users are likely to become confused and frustrated.
Potential Impact
Every time users lower security settings to make an application more usable,
they expose themselves to potential attacks. Poor usability can therefore be
thought of as a precursor to just about any type of vulnerability and opens the
door to many attacks. For example, disabling cumbersome authentication
mechanisms can lead to identity spoofing and repudiation problems. Ignoring
confusing dialog boxes which contain certificate information can lead to data
tampering and information disclosure.
SSL Certificate Prompt Example
SSL Certificate Installation Example
Narration: Poor usability often leads to users making poor security decisions. The following program is an
instant messaging client called CorpIM. Use the provided controls to interact with the application
and observe its behavior while it attempts to perform a file transfer.
The file transfer is terminated. This is a safe decision since it is not possible to identify the sender of
the file or the type of file to be transferred.
Although the file transfer succeeded, you chose not to open the file. This is a safe decision because
the application did not allow you to determine what type of file was to be transferred to the local
machine.
The transferred file is in fact a malicious program and has compromised your system. Accepting
the transfer and opening the file is what most users would have done as the application does not
provide the user with the information necessary to make educated security decisions. This
information includes the identity of the sender of the file, the type of file to be transferred, and
security warnings about the potential risks of downloading and opening an arbitrary file on the local
machine.
Avoiding Poor Usability
Poor usability issues usually arise as a result of the following false assumptions:
Users will interact with the system in the same way developers do.
Security is more important than usability.
Regular users make security their priority.
These assumptions lead to the following insecure coding and design behaviors:
Generating error messages that are tailored for a developer, not a user.
Giving precedence to security concerns over usability concerns.
Providing insecure settings by default.
Best practices:
Think like a user by considering what information an administrator would want
presented and what information an end user would want presented.
Create dialog boxes, warnings, and error messages that provide the right
amount of information for administrators and end users. Clearly indicate the
consequences of the users' security decisions.
Provide secure settings by default.
Code Reviewing for Poor Usability
Code reviewing is very effective at identifying many types of vulnerabilities;
however, it is not as useful as testing when it comes to usability issues. Developers
that rely on their own intuition for how security and usability should interact will
generally get it wrong. However, code reviewing can still help in some areas. In
particular, while code reviewing, do the following:
When examining User Interface (UI) code, focus on the security options. Note
what the default settings are. Also look for simple ways to disable or bypass
security settings, for example, by using other users' settings.
When reviewing code that authenticates other parties or systems, examine what
happens when the other party cannot be properly authenticated. Is it still possible
to continue without the authentication? What options are presented to users in
such a scenario?
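The CorpIM walkthrough and the review questions above come down to the same check: what does the user see when the sender's identity or the file type is unknown, and which choice is pre-selected? The following Python sketch is an added example, not code from the course or from CorpIM. The class and function names, the signature table (a constructed subset of real leading-byte signatures) and the extension mapping are the example's own assumptions; it shows one way to surface exactly the three things the narration says were missing (sender identity, file type, a warning) while keeping the safe choice as the default.

```python
import os
from dataclasses import dataclass

# Leading-byte signatures for a few common formats (constructed subset, not a
# complete table; the byte sequences are the real ones for these formats).
SIGNATURES = [
    (b"MZ", "Windows executable (PE)"),
    (b"\x7fELF", "Linux executable (ELF)"),
    (b"%PDF", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP archive"),
]
EXECUTABLE_TYPES = {"Windows executable (PE)", "Linux executable (ELF)"}
# Extension a user would expect for a sniffed type (constructed mapping).
EXPECTED_EXT = {"PDF document": ".pdf", "PNG image": ".png", "ZIP archive": ".zip"}


def sniff_type(header: bytes) -> str:
    """Classify a file by its leading bytes instead of trusting its name."""
    for magic, label in SIGNATURES:
        if header.startswith(magic):
            return label
    return "unknown"


@dataclass
class TransferPrompt:
    sender: str            # who is sending, as shown to the user
    sender_verified: bool  # whether that identity was authenticated
    file_name: str
    file_type: str         # derived from content, not from the name
    risk: str              # "high" or "moderate"
    consequence: str       # plain-language outcome of accepting
    options: list          # choices offered to the user
    default: str           # the pre-selected choice (always the safe one)


def build_transfer_prompt(sender: str, sender_verified: bool,
                          file_name: str, header: bytes) -> TransferPrompt:
    """Assemble the information a user needs before accepting a transfer."""
    file_type = sniff_type(header)
    ext = os.path.splitext(file_name)[1].lower()
    mismatch = file_type in EXPECTED_EXT and EXPECTED_EXT[file_type] != ext
    dangerous = (file_type in EXECUTABLE_TYPES or file_type == "unknown"
                 or mismatch or not sender_verified)
    risk = "high" if dangerous else "moderate"

    # Spell out the consequence instead of showing a bare error code.
    reasons = []
    if not sender_verified:
        reasons.append("the sender's identity could not be verified")
    if file_type in EXECUTABLE_TYPES:
        reasons.append("the file is a program and will run with your privileges if opened")
    elif file_type == "unknown":
        reasons.append("the file's type could not be determined")
    if mismatch:
        reasons.append(f"the name ends in '{ext}' but the content is a {file_type}")
    if reasons:
        consequence = "Accepting this file is risky because " + "; ".join(reasons) + "."
    else:
        consequence = "Opening this file will hand its contents to the associated application."

    # Secure default: Decline is pre-selected; Open is offered only when the
    # sender is verified and the content is a recognised, non-executable type.
    options = ["Decline", "Save without opening"]
    if not dangerous:
        options.append("Open")
    return TransferPrompt(sender, sender_verified, file_name, file_type,
                          risk, consequence, options, "Decline")


def legacy_prompt(file_name: str) -> TransferPrompt:
    """The pattern the CorpIM walkthrough criticises (constructed contrast
    case): no sender identity, no type, no warning, and Accept pre-selected."""
    return TransferPrompt("", False, file_name, "unknown", "unknown", "",
                          ["Accept", "Decline"], "Accept")
```

In a review, compare the two shapes: legacy_prompt answers the question "is it still possible to continue without the authentication?" with yes, by default; build_transfer_prompt keeps continuing possible but never as the pre-selected path, and states why in words an end user can act on.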
Testing for Poor Usability
Testing is the best time to detect poor usability issues. However, the process for
testing for poor usability issues is usually different from normal testing activities.
When testing for usability, observe actual users of the application, working in pairs,
as they go through the system, especially for the first time. Be sure the users
encounter the security functionality that you are interested in testing. This is often
accomplished by providing users with a set of tasks to complete, but not providing
them with specific details on how to do so. This allows you to get feedback on how
users interact with security features and messages in a realistic manner.
Depending on your audience, it is sometimes useful to release alpha and beta
versions of the application prior to its final release. Users benefit by gaining early
access to your application while you can benefit by gaining feedback on usability,
amongst other things.
Many of the basic principles of usability testing apply when testing security aspects
as well. A good reference for usability in general is the book Usability Engineering
by Jakob Nielsen (ISBN: 0125184069).
Mitigating Poor Usability
Poor usability can cause users to lower security. This, in turn, makes the user more
susceptible to certain attacks, depending on which security settings were lowered.
Without knowing the specifics of what threat may be an issue, the best mitigation is
simply to build an otherwise secure application.
Though not a mitigation per se, another technique that can significantly help
address poor usability issues is to include a simple way to update the application
to the most recent version. This is often accomplished by including the ability to
automatically check for, and possibly install, new updates. Then, when usability
issues are uncovered, it is a relatively straightforward process to provide updates
that address the issues.
Course Summary
Outline the Common Classes of Security Defects
There are many different classes of security defects, and it is important for developers to
understand them all in order to create software which is of the highest security quality. Each
section of this course covers one of the common classes of security defects. The complete
course provides you with a comprehensive overview of all of these common classes.
Recognize the Potential Impact of Common Security Defects
Each class of security defect can have a different impact on your applications, and thus on
your customers. This course provides you with the information needed to understand the
potential impact of every common class of security defect.
Map Common Security Defects with Specific Technologies
Many security defects are tied to specific technologies. For example, SQL injection
vulnerabilities are unique to database-driven applications. It is important to understand
which vulnerabilities may present themselves in the technologies you are using in order to
avoid them. This course provides information on mapping common security defects with
specific technologies so that you can protect against them when working with those
technologies.
Identify the Programming Errors Responsible for Common Security Defects
Many of the common security defects can be traced to specific programming errors made by
developers during implementation. Understanding these programming errors and the impact
they can have on security is essential to developing quality software. This course gives an
overview of these programming errors so that developers can avoid making these mistakes
in the future.
Apply Coding Best Practices to Avoid Common Security Vulnerabilities
In an effort to improve the overall security quality of software, a set of coding best practices
has been created within the industry. Employing these best practices when developing
software can help you to avoid most common security vulnerabilities. This course outlines
these coding best practices and relates them to the common security vulnerabilities which
they help avoid.
Find Common Security Defects in an Application's Source Code
Reviewing source code is an important task in creating quality software. While these reviews
focus on general software defects, they should cover common security defects as well. This
course provides guidance on how to find these common security defects in an application's
source code.
Test Software in Order to Detect Common Security Bugs
Testing is the last quality check in the development of software. It is important that testing
activities include cases which will detect the presence of any common security defects. This
course provides you with guidance on how to test software in order to detect these common
security bugs.
Hacking: The Art of Exploitation
Author: Jon Erickson
Rather than merely showing how to run existing exploits, author Jon Erickson explains how
arcane hacking techniques actually work. To share the art and science of hacking in a way
that is accessible to everyone, this book introduces the fundamentals of C programming from
a hacker's perspective. The included LiveCD provides a complete Linux programming and
debugging environment, all without modifying your current operating system. Use it to
follow along with the book's examples as you fill gaps in your knowledge and explore
hacking techniques on your own. Get your hands dirty debugging code, overflowing buffers,
hijacking network communications, bypassing protections, exploiting cryptographic
weaknesses, and perhaps even inventing new exploits.
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Authors: Mark Dowd, John McDonald, and Justin Schuh
This book covers the full spectrum of software vulnerabilities in both UNIX/Linux and
Windows environments. It demonstrates how to audit security in applications of all sizes and
functions, including network and Web software. Moreover, it teaches using extensive
examples of real code drawn from past flaws in many of the industry's highest-profile
applications. This book is an unprecedented resource for everyone who must deliver secure
software or assure the safety of existing software: consultants, security specialists,
developers, QA staff, testers, and administrators alike.
Security Engineering: A Guide to Building Dependable Distributed Systems
Author: Ross J. Anderson
This book is comprehensive and carefully researched. It makes it clear just how difficult it is
to protect information systems from corruption, eavesdropping, unauthorized use, and
general malice. Better, Ross Anderson offers a lot of thoughts on how information can be
made more secure (though probably not absolutely secure, at least not forever) with the help
of both technologies and management strategies. His work makes fascinating reading and
will no doubt inspire considerable doubt in anyone with information to gather, protect, or
make decisions about.
Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World
Authors: Michael Howard and David LeBlanc
This book describes how to harden your applications throughout the entire development
process, from designing secure applications to writing robust code that can withstand
repeated attacks to testing applications for security flaws. Easily digested chapters reveal
proven principles, strategies, and coding techniques. The authors, two battle-scarred
veterans who have solved some of the industry's toughest security problems, provide
sample code in several languages.
Narration: Various books are available that define and explain the field of application security. These books show testers and
developers how they can develop secure code and prevent security vulnerabilities.
Click each tab to learn more about details of available books.
19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
Authors: Michael Howard, David LeBlanc, and John Viega
This essential book for all software developers, regardless of platform, language, or type of
application, outlines the 19 deadly sins of software security and shows how to fix each one.
Best-selling authors Michael Howard and David LeBlanc, who teach Microsoft employees
how to write secure code, have partnered with John Viega, the man who uncovered the 19
deadly programming sins, to write this much-needed book.
The Security Development Lifecycle
Authors: Michael Howard and Steve Lipner
The software industry has been struggling with how to create and release software that is
more security-enhanced and reliable; the Security Development Lifecycle (SDL) provides a
methodology that works. Adapted from Microsoft's standard development process, SDL is a
critical way to help reduce the number of security defects in code at every stage of the
development process, from design to release. In addition to a brief history of the methodology,
this book details each stage of the SDL methodology and discusses its implementation
across a range of Microsoft software, including Microsoft Windows Server 2003, Microsoft
SQL Server 2000 Service Pack 3, and Microsoft Exchange Server 2003 Service Pack 1, to
help measurably improve security features.
Coauthored by Michael Howard and Steve Lipner, you get direct access to insights from
Microsoft's security team and lessons that are repeatable and applicable to software
development processes worldwide, whether on a small scale or large scale. This book
includes a CD featuring videos of developer training classes.
How to Break Software Security
Authors: James A. Whittaker and Herbert H. Thompson
This book is for software testers and developers. It presents testing techniques that expose
security holes caused by software dependencies, data-dependent weaknesses in software,
application design flaws, and implementation-related vulnerabilities. The book is an industry
best-seller and required reading for security testers in many large software development
houses. Over 40 universities refer to this book for developing courses on software security
and testing.
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services
Authors: Mike Andrews and James A. Whittaker
Since its early days as an information exchange tool limited to academe, researchers, and the
military, the Web has grown into a commerce engine that is now omnipresent in all facets of
our lives. More Web sites are created daily and more applications are developed to allow
users to learn, research, and purchase online. As a result, Web development is often rushed,
which increases the risk of attacks from hackers. Furthermore, the need for secure
applications has to be balanced with the need for usability, performance, and reliability.
In this book, Whittaker and Andrews demonstrate how rigorous web testing can help prevent
and prepare for such attacks. They point out that methodical testing must include identifying
threats and attack vectors to establish and then implement the appropriate testing techniques,
manual or automated.
Narration: Additional resources continued from the previous page.
Click each tab to learn more about details of available books.