9/29/2016

Classes of Security Defects

Table of Contents:
Course Overview and Objectives

Understanding the Roots of Security Defects

The Causes of Software Defects
Functional versus Security Bugs

Defending against Common Security Defects

Cross-Site Scripting
Defining Cross-Site Scripting
Defending against Cross-Site Scripting

SQL Injection
Defining SQL Injection
Defending against SQL Injection

Command Injection
Defining Command Injection
Defending against Command Injection

Unprotected Network Traffic
Defining Unprotected Network Traffic
Defending against Unprotected Network Traffic

Lack of Server-Side Authorization
Defining Lack of Server-Side Authorization
Defending against Lack of Server-Side Authorization

Spoofing
Defining Spoofing
Spot the Bug!
Defending against Spoofing

Information Leakage
Defining Information Leakage
Defending against Information Leakage
Locating Additional Resources

Improper Error Handling
Defining Improper Error Handling
Defending against Improper Error Handling

Weak Authentication
Defining Weak Authentication
Defending against Weak Authentication

Weak Data Protection
Defining Weak Data Protection
Defending against Weak Data Protection

Buffer Overflows
Defining Buffer Overflows
Defending against Buffer Overflows

Format String Problems
Defining Format String Problems
Defending against Format String Problems

Integer Overflows
Defining Integer Overflows
Defending against Integer Overflows

Improper File Access
Defining Improper File Access
Defending against Improper File Access

Improper Use of SSL and TLS
Defining Improper Use of SSL and TLS
Stop and Think!
Defending against Improper Use of SSL and TLS

Unauthenticated Key Exchange
Defining Unauthenticated Key Exchange
Defending against Unauthenticated Key Exchange
Locating Additional Resources

Weak Random Number Generation
Defining Weak Random Number Generation
Defending against Weak Random Number Generation
Locating Additional Resources

Race Conditions
Defining Race Conditions
Defending against Race Conditions

Poor Usability
Defining Poor Usability
Spot the Bug!
Defending against Poor Usability
Locating Additional Resources
Course Summary
Locating Additional Resources (1 of 3)
Locating Additional Resources (2 of 3)
TEAM Mentor eKnowledge

Course Overview and Objectives


This course provides all the information required to assist students in defending against common security defects. Students taking this course will be provided with background knowledge on why and how security defects are introduced into software. Common classes of security defects are then presented to the students, each class being closely defined and described. Along with examples of real-life security bugs, various techniques are outlined in order to help students spot common security issues in source code as well as during testing. Additional mitigation techniques and technologies are described for each class of security defect.

Course Prerequisites
This course requires that you meet the following prerequisites:
Basic knowledge of client-server applications.
Basic knowledge of Web applications.
Basic knowledge of the Software Development Life Cycle.
Basic knowledge of cryptography.
Basic knowledge of the STRIDE model.

Course Objectives
Upon completion of this course, you will be able to:
Outline the common classes of security defects.
Recognize the potential impact of common security defects.
Map common security defects to specific technologies.
Identify the programming errors that are responsible for common security defects.
Apply coding best practices in order to avoid common security vulnerabilities.
Find common security defects in an application's source code.
Test software in order to detect common security bugs.

Narration: This course will provide all the information necessary to help you create a robust defense against common security defects. You will be provided with background knowledge on why and how security defects are introduced into software, and you will be familiarized with common classes of vulnerabilities, which will be discussed in depth. You will be presented with real-life security bugs and will be provided with techniques and best practices that will enable you and your team to address these.
This course assumes that you possess basic knowledge of client-server and Web applications, that you are familiar with the Software Development Life Cycle and the STRIDE model, and that you understand the basics of cryptography.
Upon completion of this course, you will be able to outline the common classes of security defects and their potential impact on your application. You will also be able to identify specific types of security vulnerabilities associated with different technologies. Finally, you will be able to apply the steps necessary to avoid, detect, and mitigate common types of security defects in your applications.

Understanding the Roots of Security Defects
The Causes of Software Defects
Software development is a human activity. Therefore, defects (or bugs) are an unavoidable part of the software development process. Achieving correctness during a given phase of the development process does not guarantee that defects will not be introduced at a later stage of a system's life cycle.
As a matter of fact, software defects can be introduced at any stage of the development life cycle, due to:
Incorrect requirements: Gathering erroneous or incomplete requirements will certainly lead to software defects.
Improper design: A bad application design may:
  Be based on mistaken assumptions.
  Make subtle decisions that have a disproportionate effect on overall robustness.
  Neglect certain areas of the application.
  Be insufficiently clear and concise for developers to follow.
Errors in implementation: Coding defects can be introduced as a result of many factors, including:
  Individual programming skill.
  Bad coding practices.
  Lack of understanding of the design documents.
Improper verification: An inefficient testing process that fails to verify general program correctness will cause defects to remain unnoticed and therefore unresolved.
Deployment and configuration errors: Insufficient guidance on how to deploy and configure a system can cause it to work improperly.
Lack of maintenance: Inadequate maintenance of released software prevents users from taking the proper measures to mitigate potential errors contained in the software.

Functional versus Security Bugs


As with any other human activity, writing software is naturally prone to error. Therefore, introducing bugs is an inherent part of the software development process. Functional and security defects both originate from errors that have been introduced during one of the steps of the software development life cycle. However, security defects materialize in a different way than functional defects and often have a much greater impact on a product's and an organization's life. While traditional software bugs usually represent a lack of functionality or a deviation from the application's functional requirements, security bugs correspond to extra and unwanted capabilities that enable attackers to compromise the security of the users of the application.

Narration: A program's intended behavior is usually based on a set of functional requirements that are derived from real business needs.
The software's actual behavior, however, almost never perfectly coincides with its intended behavior.
Functional defects represent the part of the intended software behavior that is either missing or improperly implemented.
Security defects, however, result in extra functionality that the application exposes to malicious attackers who can use it to compromise the system.

Defending against Common Security Defects
Cross-Site Scripting

Defining Cross-Site Scripting

The most prevalent Web vulnerability is known as cross-site scripting, or XSS. Cross-site scripting vulnerabilities arise when Web applications take input from users and dynamically include it in a Web page without first properly validating the data. Also known as script injection or HTML injection, XSS vulnerabilities allow an attacker to execute arbitrary script code, such as JavaScript, and display arbitrary content in a victim's browser. A successful XSS attack leads to an attacker controlling the victim's browser or account on the vulnerable Web application. There are two different types of XSS issues, reflective and persistent.

Applicability

Cross-site scripting exploits attempt to run malicious scripts (JavaScript or VBScript) inside the victims' browsers. Therefore, cross-site scripting vulnerabilities affect Web applications in general, regardless of the language they are written in. Any application that exhibits the following behavior is at risk of cross-site scripting:
The Web application takes input from the user (data that is part of the HTTP request).
The Web application does not check the validity of user input.
The Web application echoes user input into a browser.

Potential Impact

Successful cross-site scripting attacks can have many different outcomes, as they result in the attacker controlling the victim's browser. Classical attack scenarios usually involve the attacker stealing the victim's session cookie and gaining access to the victim's account on the application. This typically opens the door to other malicious actions that depend on the vulnerable application's functionality. More advanced exploitation techniques aim at bypassing the victim's network security and performing network-level attacks, such as port scanning or the exploitation of unpatched systems.

Narration: The following shows part of the ASP.NET source code for a "forgotten password" feature, along with the corresponding Web user interface. This feature allows users who have forgotten their password to retrieve it by providing their email address.
Use the drop-down menu below to submit different strings to the application and observe the resulting behaviors:
The email address that was submitted to the application was not found. Note that the email address that was submitted is included by the application in the error message.
The string submitted altered the HTML of the resulting page. This usually indicates the existence of a more important type of security issue.
The string submitted triggered a script injection bug, otherwise known as a cross-site scripting vulnerability. This bug can be exploited to execute arbitrary scripts in a victim user's browser.

Defending against Cross-Site Scripting


According to statistics compiled in 2011 by Veracode, 68% of Web applications tested across various industries were found to be vulnerable to cross-site scripting bugs (source: http://info.veracode.com/rs/veracode/images/VERACODESOSSV4.PDF). As they are the most common type of Web vulnerability found in the wild and can potentially have a very high impact, it is crucial to understand the roots of such vulnerabilities and to be familiar with techniques and tools to defend against them.

Avoiding Cross-Site Scripting

Cross-site scripting vulnerabilities usually arise from the following false assumptions:
Input will not contain executable content such as HTML, JavaScript, VBScript or XML.
Input will only contain data.
Input will only contain the assumed HTML tags.
These assumptions result in the following insecure coding behaviors:
Accepting data from Web users without properly sanitizing it.
Outputting dynamic data to Web pages without checking for dangerous characters/content.
In order to avoid cross-site scripting vulnerabilities, the following best practices should be applied:
Perform input validation.
  Detect illegal characters in user input.
  Use the Microsoft Anti-XSS Library.
  Use allow lists to reject dangerous characters such as <, >, ", '.
Perform output validation.
  Be aware of the context in which input data will be output into Web pages, such as HTML elements, attributes, or JavaScript.
  Encode all output using the HtmlEncode and UrlEncode methods of the Microsoft Anti-XSS Library.
Generate secure error messages.
  Write helpful error messages that don't reveal information to an attacker.
  Do not echo the user input that triggered the error.

Code Reviewing for Cross-Site Scripting

The above code constructs should be checked for XSS when code reviewing.

Testing for Cross-Site Scripting

Alternatively, follow the guidelines below to detect cross-site scripting during testing:
Testing a Web application for cross-site scripting bugs is fairly simple. The goal is to make the application output HTML/executable script when it is not supposed to. To do this, set all input parameters of the application to a known value containing HTML-specific characters or executable content, such as <SCRIPT>alert('TEST')</SCRIPT>. Then attempt to make the application output the data that was submitted. If the test data is output to a Web page unchanged, then you have identified a cross-site scripting bug. Such tests can be performed by manually inputting data through the browser, by using semi-automated tools such as proxies, or by using fully automated Web scanners.
The following tools can assist you in testing for cross-site scripting vulnerabilities:
Web proxies:
  Burp Proxy: a simple, lightweight but efficient Web proxy tool.
  Paros: a more comprehensive HTTP/S proxy.
Web vulnerability scanners:
  Acunetix Web Vulnerability Scanner.
  IBM Watchfire AppScan.
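The avoidance rules above (validate against an allow list, encode for the output context, do not echo the input that triggered the error) and the testing rule (a probe that comes back unchanged means a bug) can be exercised together on the "forgotten password" error message described in the narration. The Python script below is an added example, not part of the course, whose own code is ASP.NET. The allow-list pattern, the function names and the sample inputs are constructed for the demonstration; the probe string is the one quoted in the testing guidance.

```python
import html
import re
from urllib.parse import quote

# Constructed sample inputs: a normal address and the probe string quoted in
# the testing guidance above.
SAMPLE_INPUTS = [
    "alice@example.com",
    "<SCRIPT>alert('TEST')</SCRIPT>",
]

# Allow list for the email field (hypothetical policy): only these characters
# may appear, so <, >, " and ' are rejected rather than escaped.
EMAIL_ALLOWED = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")


def is_valid_email(value: str) -> bool:
    """Input validation: the whole value must match the allow list."""
    return EMAIL_ALLOWED.fullmatch(value) is not None


def render_error_vulnerable(email: str) -> str:
    """'Before': the submitted address is echoed into the page unchanged,
    which is the behavior the narration above demonstrates."""
    return f"<p>The email address {email} was not found.</p>"


def render_error_hardened(email: str) -> str:
    """'After': validate first; then encode once per output context."""
    if not is_valid_email(email):
        # Secure error message: helpful, but does not echo the input.
        return "<p>The email address you entered is not valid.</p>"
    in_text = html.escape(email, quote=True)   # HTML element context
    in_url = quote(email, safe="")             # URL (query string) context
    return (f"<p>The email address {in_text} was not found.</p>"
            f'<a href="/forgot?email={in_url}">Try again</a>')


def reflected_unchanged(page: str, probe: str) -> bool:
    """Testing check: the probe appearing verbatim in the response means the
    application output it without encoding."""
    return probe in page


def run_probe(render, probe: str) -> bool:
    """Submit one probe to a rendering function and report whether it was
    reflected unchanged."""
    return reflected_unchanged(render(probe), probe)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_error_vulnerable),
                         ("hardened", render_error_hardened)):
        print(f"{name}: reflected={run_probe(render, SAMPLE_INPUTS[1])}")
```

Note that the two encodings are not interchangeable: html.escape is right for text inside an element, and percent-encoding is right for a value placed in a URL, which is the context awareness the second best practice asks for.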

Mitigating Cross-Site Scripting

Check that ASP.NET request validation is enabled. Although request validation is enabled by default, you should verify that request validation is currently enabled in your server's Machine.config file and that your application does not override this setting in its web.config file. Check that the validateRequest attribute is set to true, as shown in the following example:

<system.web>
  <pages buffer="true" validateRequest="true"/>
</system.web>
Use HttpOnly cookies. In order to help mitigate the risk of cross-site scripting, a feature was introduced in Microsoft Internet Explorer 6 SP1 and is now supported by all mainstream browsers and web application frameworks. This feature is an attribute for cookies which prevents them from being accessed through client-side scripts. A cookie with this attribute is called an HttpOnly cookie. The use of HttpOnly cookies helps to defend against XSS exploits that are aimed at stealing session cookies. The following code snippet demonstrates the use of HttpOnly cookies:

<%@ Page Language="C#" %>
<script runat="server">
void Page_Load(object sender, EventArgs e)
{
    // Create an HttpOnly cookie.
    HttpCookie cookie =
        new HttpCookie("LastVisit",
            DateTime.Now.ToString());
    cookie.HttpOnly = true;
    cookie.Name = "DateCookieExample";
    Response.AppendCookie(cookie);
}
</script>

SQL Injection
Defining SQL Injection
SQL injection occurs when user input is used to build SQL queries dynamically without properly sanitizing that input for SQL-specific characters. As a result, an attacker might be able to submit specially crafted data to the application which modifies the behavior of the SQL query submitted to the backend database.
Damages caused by SQL injection are not limited to disclosing or tampering with information stored in the database. In many cases, an attacker can also execute arbitrary SQL commands against the backend database.

Applicability

Although Web applications are most commonly affected by this type of vulnerability, any application that queries a backend database based on user input can potentially be vulnerable to SQL injection.

Potential Impact

As SQL injection allows attackers to modify the behavior of SQL queries, an attacker could potentially disclose or tamper with the information stored in a database. This information includes user data and also system data such as data contained in user tables. Additionally, if special options, such as xp_cmdshell, are enabled on the server, it might be possible for attackers to elevate their privilege and run arbitrary commands on the database host.

Narration: The following shows part of the ASP.NET source code for a forgotten password feature, along with the corresponding Web user interface. This feature allows users who have forgotten their password to retrieve it by providing their email address. As the provided code shows, the application takes input from the email field to craft an SQL statement which is then executed against the backend database. Use the drop-down menu to submit different inputs and observe the application's resulting behavior:
An email containing the user's password is being sent to the provided email address.
The string that you have submitted has modified the behavior of the SQL query used by the application to retrieve the user's password. The email was in fact sent to the address stored in the first record of the users database table.
The string that you have submitted modifies the behavior of the application's SQL query in such a way that credit card numbers stored in the credit cards database table can be disclosed.
The string that you have entered modifies the behavior of the application's SQL query. By using the extended stored procedure xp_cmdshell, arbitrary commands can be executed on the database server. In this case, the command that you have entered shuts down the machine that hosts the database server.

Defending against SQL Injection

The OWASP Top 10 ranking for 2010 lists SQL injection, along with other injection attacks, as the highest security risk to web applications (https://www.owasp.org/index.php/Top_10_2010-Main).

Avoiding SQL Injection

SQL injection vulnerabilities usually arise as a result of the following false assumptions:
User-generated input will not contain executable SQL statements or escape characters.
Input will only contain data.
These assumptions lead to the following insecure coding behaviors:
Omission of input validation and sanitization code.
Using string concatenation and string replacement to construct dynamic SQL statements.
The following best practices will prevent developers from writing code vulnerable to SQL injection:

Constrain input. Input used to build SQL statements should NEVER be trusted; proper input validation should be performed, on the server side, to detect illegal characters. The allow-list approach is preferred to block lists, which can cause false negatives. Rather than escaping (SQL-encoding) metacharacters, they should simply be excluded from the allow list.
Use stored procedures. The correct use of stored procedures will protect your application from SQL injection vulnerabilities. Never enclose user input inside single quotes. Ensure that user-generated data is passed as a parameter to the SQL statement.
Use parameterized queries. Parameterized queries provide a way for programmers to create a dynamic query by specifying which part of the query will be made of user input. This effectively avoids SQL injection vulnerabilities because the user's input is not directly inserted into the query string. Instead, the user's input is treated as an argument and cannot be mistaken for SQL code.
Do not echo database errors. Exceptions should be caught on the server, and error messages should not reveal any useful information to attackers. Echoing detailed SQL error messages often reveals the structure of queries that failed and informs malicious users that the application is vulnerable to SQL injection. Echoing detailed error messages could also give the attacker insight about how to modify the injected string so the query is executed successfully.

Code Reviewing for SQL Injection

During a code review, look for code that queries the database. Listed above are specific strings to check for, depending on what language the code is written in.

Testing for SQL Injection

Testing an application for SQL injection is not an overly complex task. The following steps will allow testers to uncover SQL injection vulnerabilities present in your application:

Identify all relevant input vectors. All the entry points to the application that involve user-generated data to create SQL queries should be identified.
Submit SQL reserved symbols and keywords to the identified input vectors. The following strings can be used:
  1' or 1=1
  1' or 1'=1
  admin'
Check the response to see if the supplied input was treated as data or as part of the SQL statement itself.

The following are tools that can assist you when looking for SQL vulnerabilities:
Acunetix Web Vulnerability Scanner.
IBM Watchfire AppScan.
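The "use parameterized queries" practice above and the three testing steps (identify the input vector, submit reserved symbols, check whether the input was treated as data or as SQL) are shown below against a small SQLite database. This Python script is an added example, not the course's ASP.NET code: the table layout, the sample rows and the function names are constructed for the demonstration, and the probes are generic single-quote probes of the same kind as the strings listed above.

```python
import sqlite3

# Constructed sample data for the course's "forgotten password" lookup.
SAMPLE_USERS = [
    ("alice@example.com", "alice-secret"),
    ("bob@example.com", "bob-secret"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, email: str) -> list:
    """'Before': user input spliced into the SQL text. A quote in the input
    closes the string literal, and whatever follows is parsed as SQL."""
    sql = ("SELECT email FROM users WHERE email = '" + email + "' "
           "ORDER BY email")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """'After': placeholder plus parameter. The driver hands the whole input
    to the engine as one string value, never as query text."""
    sql = "SELECT email FROM users WHERE email = ? ORDER BY email"
    return [row[0] for row in conn.execute(sql, (email,))]


def input_treated_as_sql(lookup, probe: str) -> bool:
    """Testing step from the course: a probe that is not a real address
    should match nothing. Rows coming back, or a SQL syntax error, both mean
    the input reached the parser as part of the statement."""
    conn = make_db()
    try:
        return lookup(conn, probe) != []
    except sqlite3.Error:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("x' OR '1'='1", "admin'"):
        print(repr(probe),
              "concatenated:", input_treated_as_sql(lookup_concatenated, probe),
              "parameterized:", input_treated_as_sql(lookup_parameterized, probe))
```

The concatenated version returns every row for the first probe and raises a syntax error for the second; the parameterized version returns an empty result for both, because the probe is compared as a literal string against the email column.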

Mitigating SQL Injection

Lock down the application database accounts. The principle of least privilege states that a process or a user must be granted no more than the minimum privileges necessary to function properly. In the event of compromise, this will limit the damage that can be performed by an attacker. Indeed, when exploiting an SQL injection, the attacker is limited to the level of privileges of the database account used by the application to execute the vulnerable SQL statement. Therefore you should never connect to the database using a highly privileged account such as the sa and root accounts. Remove access to all user-defined tables in the database and only grant access through stored procedures.

Store database connection information in a secure place. The database connection information should be stored in a location outside of the application, such as a protected configuration file (in the <connectionStrings> section of a .NET application's Web.config file) or the Windows registry. If the Windows registry is used, make proper use of Access Control Lists (ACLs) to secure registry keys.
You should NEVER embed the database login user names and passwords in the application or connection string.
Use integrated Windows authentication instead of the built-in SQL authentication.
Although database connection strings should NOT contain user names or passwords, it is good practice to encrypt connection strings to avoid the possibility of disclosing server names and database names.

Command Injection

Defining Command Injection


It is very common for applications to accept user-generated input and act on this input. In an attempt to reduce development time, some applications leverage the functionality of third-party components such as OS interpreters or scripting engines. Such applications build commands based on user-generated data and submit them to third-party components to be executed. Command injection vulnerabilities arise when these applications fail to properly validate user-generated input and allow attackers to modify the intended behavior of interpreted commands.

Applicability

Command injection vulnerabilities may be present in applications that rely on third-party functionality, such as scripting engines or command interpreters. Applications using any of the following may be vulnerable to command injection attacks:
An OS command shell
A browser
An SQL database server
Any type of scripting engine (PHP, Perl, Python or Ruby)

Potential Impact

The impact of command injection vulnerabilities depends on the capabilities of the underlying scripting engine and the privileges of the user running the command. Potentially, these issues allow an attacker to run arbitrary commands on the vulnerable system, opening the door to a wide range of malicious actions.

Examples

STARTTLS plaintext command injection (October 2011): STARTTLS is an extension to plaintext communication protocols that offers a way to upgrade a plaintext connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication. Some implementations of STARTTLS contain a vulnerability that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.
VMware Tools (December 2010): A vulnerability in the input validation of VMware Tools allows for injection of commands. The issue could allow a user on the host to execute commands on the guest operating system with root privileges.
Cisco Nexus OS (October 2011): Cisco Nexus OS is prone to multiple local command injection vulnerabilities. A local attacker can exploit these issues to execute arbitrary commands with administrative privileges.
Mac OS X Java Command Injection (October 2010): A vulnerability was reported in Java on Mac OS X. A local user can create a per-user Java shared archive that, when loaded by the target user, will exploit a command injection flaw in updateSharingD to execute arbitrary commands on the target system with the privileges of the target user.

Narration: The following ASP.NET application is a Web-based network management tool. This application, through a Web interface, allows users to perform multiple network maintenance related tasks, including modifying the network name of the server running the application. Use the provided drop-down menu to submit different strings to the application and observe the resulting behaviors:
The string that you have selected is a valid machine name. As a result, the computer name has been successfully modified.
The string that you have selected is not a valid machine name, therefore the computer name has not been set.
The string that you have selected was a command injection attack and successfully executed on the server. The ampersand is a metacharacter; in other words, it is a character that has a special meaning to the Windows command-line interpreter. The ampersand is used to append commands in the Windows command shell. As the application did not properly validate user input, a shutdown command was appended to the original command, and the server was successfully turned off.

Defending against Command Injection

Command injection vulnerabilities allow attackers to execute arbitrary commands on the victim host. In order to defend against such critical issues, it is essential to understand how to avoid, detect, and mitigate command injection vulnerabilities.

Avoiding Command Injection

Command injection vulnerabilities usually arise as a result of the following false assumptions:
Input will only contain valid data.
User-generated input will not contain metacharacters, such as semicolons, single quotation marks, or ampersands.
Such assumptions lead to the following insecure behaviors:
Placing commands and user-generated data inline next to each other.
Omission of input validation and sanitization code.
The following best practices will avoid command injection vulnerabilities:

Constrain input. User-generated input passed to command interpreters or scripting engines should never be trusted. Proper input validation should be performed to detect illegal characters. The allow-list approach is preferred to block lists, which can cause false negatives. Rather than escaping metacharacters, they should simply not be added to the list of allowed characters.

Take appropriate action when the data is invalid. There are different approaches to dealing with checks that fail. The following are not mutually exclusive:
  Signal the error. Be careful not to give the attacker too much information regarding the nature of the error.
  Log the error. Be careful that the logging process is not itself vulnerable.
  Modify the data so it is valid.
Output validation. Output validation is performed by encoding unsafe output. For example, ASP.NET applications should use the HtmlEncode method to write text output to a Web page. This principle should be followed whether the data is coming from the user interface, a database, or a local file. HttpUtility.UrlEncode should be used to encode URL strings that are constructed based on untrusted input.

Code Reviewing for Command Injection

The above table shows the constructs to check in order to detect command injection during code review.

Testing for Command Injection

Command injection vulnerabilities can also be uncovered during testing. All the entry points to the application should first be identified. Testers should then find out what kind of command interpreter the supplied input gets passed off to. Each metacharacter for that command interpreter should then be tested. The input should be chosen in such a way that, if it works, something measurable will happen. For instance, if the user input is passed to the Windows command line, then one ampersand followed by another command, such as a ping, can be added to the input. A network monitoring tool will tell you whether the ping command executed successfully. If the application is running on a machine behind a firewall that blocks the ping, a command such as shutdown can be used instead.

The following tools automate this kind of testing for Web-based applications:
IBM Watchfire AppScan.
HP WebInspect.
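The two avoidance practices above (constrain input to an allow list; signal invalid data without echoing it) and the root cause named in the narration (command text and user data placed inline in a string handed to a command interpreter) are shown below for the machine-name feature. This Python script is an added example and not the course's ASP.NET tool: /bin/sh stands in for the Windows command interpreter and echo stands in for the rename command so that the demonstration is harmless and measurable, the host-name allow list is a hypothetical policy, and the probe string is constructed (it uses the semicolon, one of the metacharacters listed above).

```python
import re
import subprocess

# Allow list for a machine name (hypothetical policy modelled on host-name
# labels): letters, digits and hyphens, 1-63 characters, no leading or
# trailing hyphen. Metacharacters such as ; & | ' are simply not on the list.
HOSTNAME_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name: str) -> bool:
    """Input validation: the whole value must match the allow list."""
    return HOSTNAME_LABEL.fullmatch(name) is not None


def set_name_vulnerable(name: str) -> str:
    """'Before': the value is concatenated into a shell command line, so a
    metacharacter in it ends the intended command and starts another."""
    result = subprocess.run("echo " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_without_shell(name: str) -> str:
    """Defense in depth: passed as its own argv element, the value is never
    parsed by a shell, so metacharacters are just characters."""
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


def set_name_hardened(name: str):
    """'After': validate first and signal the error without echoing the
    input (None means "not a valid machine name"), then run the command
    without a shell."""
    if not is_valid_hostname(name):
        return None
    return run_without_shell(name)


if __name__ == "__main__":
    probe = "srv01; echo INJECTED"   # constructed probe with a ';' metacharacter
    print("vulnerable:", repr(set_name_vulnerable(probe)))
    print("no shell:  ", repr(run_without_shell(probe)))
    print("hardened:  ", repr(set_name_hardened(probe)))
```

The vulnerable version prints two lines, the second produced by the injected command; the argv version prints the probe back as a single literal argument; the hardened version rejects it before any command runs. The allow list is the primary control, and the shell-free invocation is the layer that still holds if validation is ever bypassed.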

Mitigating Command Injection

Apply the principle of least privilege. The principle of least privilege should be applied to ensure that only the minimum necessary privileges are given to the application and to any third-party components it is using. In the event of a successful command injection, this ensures that only commands allowed by the level of privilege enjoyed by the application will execute properly. Following the principle of least privilege effectively limits the extent of a successful command injection attack.

Use Access Control Lists (ACLs). Properly configuring ACLs will also prevent resources that the application does not need from being accessed in the event of a successful attack.

Unprotected Network Traffic
Defining Unprotected Network Traffic
Network traffic is said to be unprotected when sensitive or other system-critical data is transmitted in cleartext over insecure network channels. Many network protocols nowadays protect communications by encrypting network traffic using strong cryptographic methods. Although these secure alternatives exist, some applications are still using protocols such as SMTP, IMAP, POP, HTTP, FTP, IRC, TELNET and many more that operate by sending data unencrypted. As a result, data transferred using these methods can easily be intercepted, viewed and modified by an attacker placed between two communicating parties.

Applicability

All applications sending data over the network, regardless of the programming language used, might potentially be affected by unprotected network traffic issues.

Potential Impact

By transmitting data over the network in cleartext, applications allow attackers to view and modify information transmitted between communicating parties. Additionally, attackers can potentially impersonate entities taking part in a communication and perform man-in-the-middle attacks.

Examples

Cisco Unified Communications Manager sends passwords in cleartext (March 2009): A vulnerability was reported in Cisco Unified Communications Manager because of which a remote user monitoring the network could obtain critical passwords. The IP Phone Personal Address Book (PAB) Synchronizer feature sent certain passwords over the network in cleartext. A remote user monitoring the network could obtain the passwords and then use the passwords to gain complete administrative access to the target Cisco Unified Communications Manager system.
Apple WebKit sends authentication information in cleartext (February 2011): In certain circumstances, Apple WebKit may send NTLM credentials in plaintext. This could allow a man-in-the-middle attacker to view the NTLM credentials. The exact conditions which led to this vulnerability were not disclosed in order to protect users of WebKit.

Narration: When two parties communicate over an untrusted channel, it is their responsibility to secure the data they transmit.
If this is not done, attackers can easily intercept data exchanged on these insecure networks using widely available network monitoring tools.
Wired and wireless networks are equally at risk when it comes to eavesdropping and man-in-the-middle attacks.

Defending against Unprotected Network Traffic

As the importance of computers in human life is increasing constantly, more and more network-enabled applications are relied upon to handle sensitive data. Developers are often not aware of how easy it is to eavesdrop on and modify traffic on a network. In order to defend against these abuses, it is crucial to properly secure data that is transmitted on the wire, as well as to detect and mitigate any instances of unprotected network traffic in existing code.

Avoiding
Unprotected
Network
Traffic

Unprotected network traffic vulnerabilities arise as a result of the following false assumptions:
Attackers cannot intercept (or tamper with) data sent across the network.
Attackers cannot spoof the identity of one of the two parties.
Attackers cannot take existing data from a data stream and replay it.
Attackers cannot hijack an established connection.
Such assumptions turn into the following insecure behaviors:
Using weak or no encryption to protect data sent over the network.
Using weak authentication mechanisms.
In order to avoid unprotected network traffic vulnerabilities, the following best practices should be applied:
Use established cryptographic solutions to ensure the confidentiality and the integrity of data sent across the network. Applications should use industry-standard cryptographic solutions to ensure that attackers cannot read data transferred from one party to another. Using a signing mechanism is one method to ascertain whether the transferred data has been altered or not. Windows provides a set of cryptographic APIs (CryptoAPI) that allows applications to exchange data securely over insecure channels such as the Internet.
Use strong authentication mechanisms. The application should ensure that the two parties communicating are what or who they claim to be. Industry-standard authentication protocols, such as Kerberos, should be used when possible to ensure proper authentication.
Practice secure key management. Use the Windows Data Protection API to ensure that cryptographic keys are securely stored.
Use industry-recognized block ciphers. Symmetric cryptography is usually preferred over asymmetric cryptography for its better performance. There are two types of symmetric ciphers: block ciphers and stream ciphers. Stream ciphers should not be used as they are known to have weaknesses.
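The following is an added example, not part of the course material, showing in Python how a message-integrity check addresses two of the false assumptions listed above: that data in transit cannot be tampered with, and that captured data cannot be replayed. Each frame carries a sequence number and an HMAC-SHA256 tag computed over the sequence number and the payload with a shared key; the receiver verifies the tag in constant time and rejects any sequence number it has already accepted. The key, the frame layout and the messages are constructed for the example. This provides integrity and replay detection only; confidentiality still requires encryption, for which an established protocol such as TLS is the right tool.

```python
import hashlib
import hmac
import struct

# Shared secret, constructed for this example. In a real deployment the key
# would come from a key-management facility (the course names DPAPI for
# storing keys on Windows) rather than a literal in the source.
KEY = b"example-shared-secret-key-not-for-production"

TAG_LEN = 32  # bytes of HMAC-SHA256 output


def seal(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build a frame: 8-byte big-endian sequence number || payload || tag.
    The tag covers both the sequence number and the payload, so neither can
    be altered in transit without invalidating the tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies each frame's tag and accepts only strictly increasing
    sequence numbers, so a captured frame cannot be replayed."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def open(self, frame: bytes):
        """Return (payload, None) on success or (None, reason) on rejection."""
        if len(frame) < 8 + TAG_LEN:
            return None, "frame too short"
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: a plain == would stop at the first
        # differing byte and leak, through timing, how much of a forged
        # tag was correct.
        if not hmac.compare_digest(tag, expected):
            return None, "integrity check failed"
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return None, "replay detected"
        self.last_seq = seq
        return payload, None


def demo():
    """Constructed exchange: a good frame, a tampered frame, a second good
    frame, and a replay of that second frame."""
    r = Receiver()
    ok = r.open(seal(1, b"transfer 10"))
    # Flip the amount in an otherwise valid frame: "transfer 10" -> "transfer 90".
    tampered_frame = bytearray(seal(2, b"transfer 10"))
    tampered_frame[8 + len(b"transfer ")] = ord("9")
    tampered = r.open(bytes(tampered_frame))
    good2 = r.open(seal(2, b"transfer 10"))
    replay = r.open(seal(2, b"transfer 10"))
    return ok, tampered, good2, replay


if __name__ == "__main__":
    for label, result in zip(("ok", "tampered", "good2", "replay"), demo()):
        print(label, result)
```

The same construction answers the code-review question about what evidence the receiver checks: here it is the tag and the sequence number, never the sender's address.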

Code Reviewing for Unprotected Network Traffic

When code reviewing for unprotected network traffic, you should:
Identify all network-based entry points of the application.
Ensure that all communications are encrypted from and to these entry points.
Ask yourself the following questions:
Is the application sending unencrypted data on the network?
Is the application using industry-recognized solutions to encrypt data or is it using a custom solution?
Which underlying cryptographic cipher is the application using?
Is the application using a block cipher? If yes, find out what mode of operation is being used.

Testing for Unprotected Network Traffic

In order to detect unprotected network traffic during testing, you should determine whether the application is encrypting data before sending it on the network. You can use the following tool to determine if the data is SSL encrypted:
ssldump: an SSLv3/TLS network protocol analyzer.

Mitigating Unprotected Network Traffic

Use Virtual Private Network (VPN) to protect network traffic. By piping network traffic into a secure channel, the need for an application to secure traffic on its own is reduced. VPNs use cryptographic tunneling protocols to ensure the confidentiality and the integrity of the data sent across separate networks.
Use SSL tunneling. Data sent through SSL tunnels is encrypted using a strong cryptographic protocol that ensures the confidentiality and the integrity of the data. As a result, forcing the application to send data over a client-to-server encrypted SSL tunnel mitigates unprotected network traffic issues.

Lack of Server-Side Authorization
Defining Lack of Server-side Authorization
Authorization is the process of allowing or disallowing actors of a system, such as users or processes, access to resources of the same system. Authorization is a crucial component of an application's security since it enables the concept of separate user accounts and private data. Implementing authorization on a client-server architecture can be very difficult as the system is divided in two separate entities, one of them, namely the client, being untrusted. In order to ensure that access to resources respects permissions specified on the server, authorization must be done server-side. Lack of server-side authorization, as the term suggests, happens when an application does not properly enforce permissions on the server. This type of vulnerability can potentially allow attackers to illegally access protected resources of the system.

Applicability

All client-server applications, regardless of the programming language used, might potentially lack server-side authorization.

Explanation

Lack of server-side authorization falls under the following categories:
Client-side authorization. Applications are sometimes designed based on the assumption that data sent by a software client cannot be tampered with before it reaches the server. As a result, access controls are implemented on the client instead of being enforced server-side. However, tampering with a client is a very common practice and attackers often develop tools such as proxies or modified clients in order to bypass these client-side restrictions. Client-side authorization can take different forms, including:
Permissions enforced on the client.
Disabled functionalities on the client.
Missing authorization. When authorization is not present, the security of the application usually relies upon its obscurity and the fact that malicious users do not know the required information to send to the server in order to access sensitive resources. The problem is that this information can be determined by numerous means, such as reverse engineering the application or by simply guessing the appropriate data to send. Several bad practices contribute to the problem of missing authorization, including the use of:
Magic URLs. The practice of relying on URL parameters to pass program data is referred to as using Magic URLs. Passing identifying information or any session variables through the URL opens an avenue for malicious users to tamper with data which they should not be able to modify.
Hidden form fields. As with magic URLs, using hidden fields to pass program data related to the user's session allows attackers to modify the information before sending it to the server.
Forceful browsing. Forceful browsing is possible when systems assume that only certain users will know essential pieces of information required to access sensitive resources and functionalities. These essential pieces of information often include data such as file names, directories, and URL parameters. Unfortunately, this information is often predictable or easily obtainable through information disclosure vulnerabilities. Therefore, it is frequently possible for an unauthorized user to illegally access privileged resources by simply learning the necessary parameters.

Potential Impact

When client-server applications do not enforce authorization on the server side, a malicious user may access and modify information that should not be accessible in the first place. Attackers can take advantage of lack of server-side authorization to exercise functionalities requiring elevated privileges, such as administrative tasks.

Examples

IBM Proventia Network Mail Security System (September 2010): Lack of server-side authorization in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5 allows remote authenticated users to read arbitrary files via a simple directory traversal. Example of accessing a configuration file on the server: domain.com/sla/index.php?l=/../../../../../../../../etc/php.ini.
Insecure web server on HP LaserJet P3015 Printer (January 2012): The HP ChaiSOE/1.0 embedded web server on certain HP JetDirect printers does not perform adequate server-side authorization checks, which allows a potential attacker to gain read-only access to directories and files outside of the web root, such as configuration files and cached documents. Information obtained from an affected host may facilitate further attacks against the host. Exploitation of this flaw is trivial using common web server directory traversal techniques.

Defending against Lack of Server-side Authorization


Lack of server-side authorization can have a very high impact on an application's security since it allows attackers to access protected resources and potentially elevate their privileges. It is crucial to understand the need for proper server-side authorization and to know the techniques that will allow you to avoid, detect and mitigate these vulnerabilities.

Avoiding Lack of Server-side Authorization

Lack of server-side authorization usually arises as a result of the following false assumptions:
The client cannot be modified.
The data sent by the client cannot be modified.
The appropriate data required to perform privileged actions is unpredictable.
Such assumptions result in the following insecure behaviors:
Relying on client-side authorization.
Storing session-related variables on the client.
Trusting data originating from the client.
Relying on obscurity to protect the application's resources.
In order to avoid lack of server-side authorization, apply the following best practices:
Do not trust data coming from the client. Any data originating from the client should be validated on the server. Malicious users can easily intercept and modify traffic sent from the client browser. Therefore, developers should never embed critical application data in client-side variables such as GET or POST parameters or HTTP headers. Instead, only pass session identifiers to the client and keep all other session-related data on the server.
Use built-in ASP.NET authorization features. The ASP.NET role provider (in conjunction with the ASP.NET membership provider) is a feature that enables ASP.NET developers to create Web sites that allow users to create an account with a site and to be assigned roles for authorization purposes. For more information, read "How to: Use the ASP.NET Role Provider with a Service".
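To make the two best practices concrete, here is an added Python example (not code from the course): a handler that trusts a user name carried in the request parameters, beside one that derives the identity from a server-side session table and checks ownership of the requested resource on the server. The documents, users and session store are constructed for the example; a real application would use its framework's session and role facilities, such as the ASP.NET providers named above.

```python
import secrets

# Constructed sample data: document id -> owner and contents.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's notes"},
    102: {"owner": "bob", "body": "bob's notes"},
}

# Server-side session store: opaque session id -> authenticated user.
# Only the session id is ever handed to the client.
SESSIONS = {}


def login(user: str) -> str:
    """Issue an unguessable session identifier for an authenticated user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def get_document_insecure(params: dict) -> tuple[int, str]:
    """Client-side authorization: the 'user' parameter arrives from the
    client (a magic URL or hidden form field) and is believed as-is, so a
    tampered request reads any document."""
    doc = DOCUMENTS.get(int(params["id"]))
    if doc is None:
        return 404, "not found"
    if doc["owner"] != params["user"]:
        return 403, "forbidden"
    return 200, doc["body"]


def get_document_secure(session_id: str, params: dict) -> tuple[int, str]:
    """Server-side authorization: identity comes from the server's session
    table and ownership is checked on the server for every request."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "authentication required"
    try:
        doc_id = int(params["id"])
    except (KeyError, ValueError):
        return 400, "bad request"
    doc = DOCUMENTS.get(doc_id)
    # One answer for "does not exist" and "not yours": forceful browsing
    # then cannot even enumerate which ids are valid.
    if doc is None or doc["owner"] != user:
        return 404, "not found"
    return 200, doc["body"]


def demo():
    """Bob logs in; his client then claims to be alice when asking for
    alice's document (constructed tampered request)."""
    sid = login("bob")
    insecure = get_document_insecure({"id": "101", "user": "alice"})
    secure = get_document_secure(sid, {"id": "101"})
    own = get_document_secure(sid, {"id": "102"})
    anon = get_document_secure("forged-session-id", {"id": "102"})
    return insecure, secure, own, anon


if __name__ == "__main__":
    for label, result in zip(("insecure", "secure", "own", "anon"), demo()):
        print(label, result)
```

The contrast is the source of the identity: the insecure handler reads it from the request, the secure one reads it from state the server created at login, which is the same separation the role and membership providers give an ASP.NET site.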

Code Reviewing for Lack of Server-side Authorization

When performing a code review, look for code that uses magic URLs and other places where the client might be granted too much trust. Look for constructs as listed in the above table.

Testing for Lack of Server-side Authorization

To detect the lack of server-side authorization during testing:
Check ALL features of the application to ensure that ONLY authenticated users can access protected material.
Check ALL features for forceful browsing issues: determine the appropriate parameters required to access protected resources and replay those parameters in the context of a less privileged or unauthenticated session. If those resources can be accessed, there is most likely a lack of server-side authorization problem.
Check that the application does not rely on client-side validation: use a Web proxy to intercept and modify HTTP requests to bypass client-side restrictions.
Use the following Web proxies to facilitate your testing:
Burp Proxy: a simple and lightweight proxy tool.
Paros: a more comprehensive HTTP/S proxy.
Test all Web input, including forms, with malicious input. Inspect the content of all forms and fields of the Web application. Look for hidden fields: check the content of any HTML sent back to the client for the text HIDDEN within an HTML input element.
The following tools can assist you in finding and modifying form fields before submitting them:
TamperIE: Enables HTML form tampering.
Paessler Site Inspector: Cross-browser Web developer tools.

Mitigating Lack of Server-side Authorization

URL authorization. URL authorization rules can be specified per URL in the Web.config file of ASP.NET applications. ASP.NET evaluates the rules in order and applies the first one that matches, and "*" matches anonymous users as well, so the deny rule for anonymous users ("?") must come before the allow rule. The following configuration allows authenticated users and denies anonymous users access:

<authorization>
  <!-- rules are evaluated top to bottom, first match wins -->
  <deny users="?" />
  <allow users="*" />
</authorization>

For more information, see the ASP.NET Authorization documentation.
Sandboxing the application. Sandboxing the application limits the damage that can be done if the application is vulnerable. Running the application in a restricted security environment will prevent an attacker from accessing resources on the host system that are outside the scope of the application.

Spoofing
Defining Spoofing
In the context of computer security, spoofing describes the ability of one entity to successfully assume the identity of another entity. This attack is commonly used by malicious individuals to gain extra privileges in systems where they have limited privileges or no privileges at all.

Applicability

As the success of spoofing attacks relies on poor authentication or authorization between two entities, such attacks can be observed in any system involving multiple entities, regardless of the language it was written in. These entities could be either users, applications, or network hosts.

Explanation

Spoofing can be of the following types:
Network spoofing. Network spoofing occurs when an attacker transmits rogue packets that pretend to be coming from a different, spoofed, host by, for example, forging the source IP address of the network packet. Most connectionless transport protocols such as User Datagram Protocol have no built-in mechanism for fighting against spoofing. On the other hand, connection-based protocols, such as Transmission Control Protocol, make spoofing much harder to achieve but not impossible.
Application spoofing. Application spoofing occurs when an attacker creates an application with the sole intent of posing as another trustworthy application. This is done by deceiving users into trusting the attacker's application as much as they trust the spoofed application.
User spoofing. User spoofing occurs when an attacker assumes the identity of another person or system, with the intent of abusing the victim's trust in the system, and/or the system's trust in the victim, for other malicious purposes.

Potential Impact

Spoofing vulnerabilities allow malicious individuals or systems to pose as legitimate ones. Depending on the level of trust granted by the victim system to its users (whether human or software), the consequences of these vulnerabilities can be disastrous.

Examples

Weak UI elements enable spoofing via KDE SSL Wrapper: The KDE SSL Wrapper API does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
Microsoft Windows allows IPv4 restriction bypass via spoofing: Some versions of Microsoft Windows allow remote attackers to bypass intended IPv4 source address restrictions via a mismatched IPv6 source address in a tunneled ISATAP packet, aka "ISATAP IPv6 Source Address Spoofing Vulnerability".

Spot the Bug!


Narration: Spoofing occurs when an entity masquerades as another entity in an attempt to perform other malicious and unauthorized actions. Spoofing is possible because applications fail to properly authenticate the parties they communicate with. The following scenario will demonstrate how spoofing of a Web site can be achieved.
Use the browser controls to visit www.microsoft.com.
The home page of Microsoft.com is shown in the browser window.
Using the network monitoring tool, observe the contents of the DNS response that maps www.microsoft.com to its IP address.
The name www.microsoft.com corresponds to the IP address 207.46.19.254.
Use the DNS spoofing tool to alter the DNS response.
Use the browser again to visit www.microsoft.com.
As we can see here, the legitimate server was spoofed by tampering with the DNS response packets. Although the browser's address bar points to the correct URL, the returned page does not belong to the intended application.

Defending against Spoofing




Spoofing vulnerabilities can allow malicious entities to pose as legitimate ones; it is therefore important that an application properly authenticates network hosts, applications, and users prior to engaging in any type of trusted communications. As these vulnerabilities can expose an application's data and functionality to unauthorized individuals, understanding how to detect, avoid, and mitigate spoofing issues is crucial to an application's security.

Avoiding Spoofing

There are several false assumptions that may lead to spoofing:
All hosts on the same subnet are trusted.
The host name or IP address of a remote host can be trusted.
An entity's name is sufficient to verify its identity.
These assumptions may result in the following negative outcome:
Entities are trusted without proper authentication.

The following are best practices to avoid spoofing:
Perform strong authentication of remote hosts. Use established solutions such as SSL/TLS or IPSec to certify the identity of remote parties.
Perform strong authentication of applications. Use industry-recognized cryptographic solutions to prove:
The identity of your applications to end users or other systems.
The identity of third-party components that your applications rely on.
Enforce user authentication and authorization. Ensure that user authentication best practices are followed when authenticating users. For more information, go to Defending against Weak Authentication.

Code Reviewing for Spoofing

When code reviewing for network spoofing:
Identify code that:
Initiates connections to remote hosts.
Accepts connections from remote hosts.

Assess the sensitivity of the feature being reviewed:
Is it a public feature or is it restricted to specific entities?

For protected functionality, verify that connections are established only after the remote host has been properly authenticated:
Is authentication performed at all?
What evidence is the application checking for authentication?
A certificate?
A username and a password?
An IP address?
A host name?

For code that is executed after authentication, verify that the remote system is not granted too much trust:
How is the host identified by the application (after authentication)?
Using a security token?
Using the host's IP address?
Using the host's name?

When code reviewing for application spoofing:
Identify code that loads or starts third-party binaries such as EXEs, DLLs, COM/ActiveX objects.
Determine how the application verifies those binaries' identities:
By name?
By location?
By hash?
By digital signature?
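The following added Python example (not from the course) illustrates the "by hash" answer to the last question: a component is accepted only if its SHA-256 digest matches a value pinned at build time, so a file with the expected name in the expected location but different contents is rejected, as is a component the allowlist does not know. The plug-in file and the allowlist are constructed for the example; in production a digital signature check gives the same assurance without re-pinning digests on every legitimate update, and ACLs on the component files (see Mitigating Spoofing) keep them from being replaced in the first place.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a DLL or plug-in the application loads.
TRUSTED_COMPONENT = b"print('genuine plug-in v1')\n"

# Digests pinned at build time, keyed by component name (constructed).
ALLOWLIST = {
    "reporting_plugin.py": hashlib.sha256(TRUSTED_COMPONENT).hexdigest(),
}


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need not be read
    into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_component(path: str) -> bool:
    """Accept the component only if its digest matches the pinned value for
    its name. Name and location are used only to select the expected digest,
    never as evidence of identity on their own."""
    expected = ALLOWLIST.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Genuine file, then the same path overwritten with other contents, then
    an unknown component name with genuine contents."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "reporting_plugin.py")
        with open(path, "wb") as f:
            f.write(TRUSTED_COMPONENT)
        genuine_ok = verify_component(path)

        # Same name, same directory, different contents: a spoofed component.
        with open(path, "wb") as f:
            f.write(b"print('replaced component')\n")
        replaced_ok = verify_component(path)

        unknown = os.path.join(d, "other_plugin.py")
        with open(unknown, "wb") as f:
            f.write(TRUSTED_COMPONENT)
        unknown_ok = verify_component(unknown)
    return genuine_ok, replaced_ok, unknown_ok


if __name__ == "__main__":
    print(demo())  # genuine accepted, replaced rejected, unknown rejected
```

The check must run on the bytes that are actually loaded, immediately before loading them; verifying one copy and then executing another is the kind of gap the testing steps for application spoofing are designed to find.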

Testing for Spoofing

Use the following approaches when testing for potential spoofing vulnerabilities:
When spoofing network hosts, create a bogus client and a bogus server in an attempt to proxy the communication between the real client and the real server.
When spoofing executable content, create a bogus component and ask the application to execute it.
When spoofing users, log in to the system and attempt to pose as other users in the system.
When testing for network spoofing:
Check whether the application uses a strong cryptographic solution, such as certificates, to authenticate network hosts.
Attempt to impersonate a legitimate host after it has been authenticated and see whether the application agrees to communicate with it.
When testing for application spoofing:
Replace binaries that the application expects with spoofed ones and determine what evidence it is checking for authentication.
Once you have determined the evidence, attempt to forge it.
If the application uses hashes, locate where the application stores them and replace them with forged ones.
When testing for user spoofing:
Please go to Defending against Weak Authentication for detailed steps for testing user authentication features.

Mitigating Spoofing

Spoofing vulnerabilities can be mitigated through approaches such as:
Using firewalls to limit network connectivity. Create appropriate firewall rules to limit access to network-enabled software.
Setting appropriate ACLs on executable content such as libraries or EXE files. Ensure that only administrators are able to overwrite files that are executable.

Information Leakage

Defining Information Leakage



Information leakage vulnerabilities are those security defects that cause a disclosure of data leading to a breach of security policy. This data can be either the end goal of an attacker, such as sensitive customer data, or internal information about the application which could assist the attacker in compromising the system. Information leakage can happen in two ways:
Accidentally: The data is considered valuable, but it is revealed anyway by a logical or functional defect in the application. This type of scenario often occurs when there is a lack of understanding of attacker techniques and approaches.
Intentionally: There is a mismatch between how end users and designers of the application consider the revealed data. This scenario often involves privacy issues.

Applicability

Information leakage is a problem that can occur with any language or platform. Some languages, however, provide more verbose error messages than others. This can exacerbate the effect of such issues if these messages reveal information about application internals. Any application that stores or processes sensitive information of any type may be susceptible to information disclosure issues.

Explanation

There are countless ways information can be disclosed to an attacker. Some of the more notable ones include:
Side channels. Side channels are components of a system that disclose information that they were not designed to reveal. For example, consider a login form that takes longer to respond to an incorrect password when the initial character is incorrect. The response time of the form can be measured by an attacker, which means the login form can act as a side channel revealing information about users' passwords.
Overly verbose error messages. Error messages that reveal too much information to an attacker are problematic. This does not mean that error messages must be generic or unhelpful, but rather that they should be beneficial to normal users, while not disclosing information that could be helpful to an attacker.
False assumptions about what is viewable or accessible to clients. Viewable locations may include HTML source code, cookie values, or hidden files or directories on a server and in memory on a client machine.
Improperly configured appliances. Many improperly configured routers or proxy servers inadvertently reveal information about users on a local network. This information may include MAC addresses, machine names, and IP addresses.
References to paths and process stack layout. Knowledge about file paths, file locations, and stack information can all be used by an attacker to carry out other attacks that are related to or depend on this information. For example, an application might be using a vulnerable library, and this information could be discovered by an attacker who forces certain error conditions.
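As an added example (not from the course), the following Python code shows the side channel described under "Side channels" in the form it most often takes, a login whose response reveals whether the account exists, and a routine that closes it: the leaky version returns a distinct message for an unknown user and skips the password check entirely, so the answer is both different and faster; the uniform version performs the same password-hashing work against a dummy record when the user is unknown, compares digests in constant time and returns one message for every failure. The user store and passwords are constructed for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256. Deliberately slow, which is exactly what makes
    skipping it for unknown users measurable over the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store for the example: username -> (salt, password hash).
_alice_salt = secrets.token_bytes(16)
USERS = {"alice": (_alice_salt, hash_password("correct horse", _alice_salt))}

# Dummy record used when the username is unknown, so the same hashing work
# is done whether or not the account exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Side channel: an unknown user is answered at once and with its own
    message, so valid account names can be enumerated."""
    if username not in USERS:
        return False, "unknown user"
    salt, stored = USERS[username]
    if hash_password(password, salt) == stored:
        return True, "ok"
    return False, "wrong password"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Same work and same message on every failure path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest takes time independent of where the digests differ.
    matched = hmac.compare_digest(candidate, stored)
    if matched and username in USERS:
        return True, "ok"
    return False, "invalid username or password"


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("alice", "correct horse"),
              fn("mallory", "guess"), fn("alice", "guess"))
```

The uniform message is the same discipline the Asterisk example in this section was missing: the SIP server's different responses to valid and invalid usernames turned the login path into a directory of accounts.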

Potential Impact

Successful information leakage attacks can have many different impacts. The primary risk, however, is the disclosure of information that should not be revealed. This might include customers' Personally Identifiable Information (PII), intellectual property, trade secrets, and confidential conversations. Revealing sensitive information to an attacker is bad enough, but in addition this information often includes passwords or session IDs which enable an attacker to escalate his or her privileges on an application or system.

Examples

Skype Discloses IP Addresses to Remote Users (December 2011): An information leakage vulnerability was discovered in the Windows client for Skype which allowed a remote user to initiate a Skype call to a target user and determine the target user's IP address. The problem was further exacerbated by the fact that the remote user did not need to be on the target user's contact list and could also terminate the call before the target user's Skype application had the chance of indicating an incoming call. This vulnerability could be used to geolocate Skype users without their knowledge.
Asterisk Discloses Username Validity to Remote Users (June 2011): Asterisk, an open source telecommunications platform, had an information disclosure vulnerability caused by the fact that the system responded differently to an invalid SIP username than it responded to a valid SIP username. This allowed remote users to determine valid SIP usernames on the system, which could be used to launch account lockout and brute-forcing attacks.
Norton Mobile Security Discloses Potentially Sensitive Information (November 2010): A vulnerability was reported in Norton Mobile Security Beta for Android which allowed other applications on the device to access potentially sensitive information from the Norton Mobile Security log files. This information could also include the user's wipe/lock credentials.

Defending against Information Leakage



To effectively defend against information leakage issues, you need to understand what type of data is of interest to attackers and how an application will reveal it. Armed with this knowledge, you will be able to properly avoid, detect, and mitigate these common vulnerabilities.

Avoiding Information Leakage

Information leakage vulnerabilities usually arise as a result of the following false assumptions:
It is best to provide as many detailed error messages as possible.
Attackers will not think to look in a specific file, directory, or memory location.
A certain piece of data is not useful to an attacker.
The application's security defenses cannot be breached.
These assumptions lead to the following insecure coding behaviors:
Outputting overly detailed error messages.
Relying on security through obscurity.
Leaving sensitive data unprotected in easy-to-find locations.
Storing non-essential sensitive information.
In order to avoid information leakage issues, you should follow the best practices below:
Issue helpful error messages that do not disclose unnecessary information. Avoid outputting:
File names.
Path names.
Version numbers.
Stack traces.
Minimize the number of locations where sensitive data is used and stored. Assume an attacker has full knowledge of the system or application.
Store sensitive information using appropriate security mechanisms that help prevent unauthorized access. Use access control mechanisms and encryption as appropriate.

Code Reviewing for Information Leakage

The above constructs should be checked when code reviewing to uncover information leakage bugs.

Testing for Information Leakage

In order to detect information leakage issues during testing:
Force as many error conditions as possible to determine what information they might reveal. Inspect:
Program memory
Files (temporary files, log files)
Registry keys
Error messages
Use NTSD, FileMon, and RegMon to inspect the program's internals.
Explore the application with non-privileged accounts and see what the application divulges. Examine whatever data you have available, such as HTML source code.
Another worthwhile test is to simulate a stolen laptop scenario. Allow the application to be run on a computer for a few weeks, and then attempt to view the data on the computer in the way that a laptop thief would have to do so. Try dual-booting or booting a different OS in order to access data in different ways.

Mitigating Information Leakage

Design error messages to be helpful to users but not attackers. Ensure that error messages do not directly or indirectly disclose information that attackers might find useful.
Avoid collecting sensitive data when unnecessary. Only collect the minimum amount of data needed to meet your business objectives. Do not store this data longer than is required.
Minimize the use of sensitive data. Avoid using sensitive data in places where it is not needed.
Limit access to your application. Restrict unauthenticated access to your application to the strict minimum.

Locating Additional Resources



Information Leakage: A high-level overview of information leakage.
Best Practices with Custom Error Pages: A short piece about creating secure custom error pages.
Writing Error Messages for Security Features by Everett McKay: Tips for writing helpful error messages that do not disclose too much information.
19 Deadly Sins of Software Security by Michael Howard et al. (ISBN: 0072260858).

Improper Error Handling
Defining Improper Error Handling
Error handling is the mechanism that deals with the occurrence of conditions that change the application's normal execution flow. Error handling code is often overlooked and suffers from a lack of attention when it comes to designing and implementing it. Improper error handling occurs when code fails to adequately handle an error condition encountered by the application. As a result of improper error handling, an application may enter a vulnerable state and crash. Insecurely designed error messages that reveal valuable information to potential attackers are also considered improper error handling.

Applicability

All computer programs are required to handle error conditions in order to operate properly. In this sense, all types of applications can potentially be affected by improper error handling vulnerabilities.

Explanation

Potential Impact

An overly detailed error message may disclose sensitive security information. A malicious user may then use the data contained in such error messages to better target his or her attacks on the application. Failing to properly handle errors may also cause the application to terminate, thereby causing a denial of service.

Examples

Improper error handling in libvirt (May 2011): The daemon in libvirt, a virtualization API, before version 0.9.0 did not use thread-safe error reporting, which allowed remote attackers to cause a denial of service by causing multiple threads to report errors at the same time.
Error inside error handler in HP OpenView Network Node Manager (June 2010): A buffer overflow in the error handling functionality in HP's OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code.
Microsoft Fixes ASP.NET Zero-Day Flaw (September 2010): Due to improper error handling during encryption padding verification in ASP.NET, an attacker could read data, such as the view state, which was encrypted by the server. This vulnerability could also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server.

Narration: The following ASP.NET application is a Web bulletin board system that allows users to read and post messages. Use the provided dropdown menu to submit different inputs to the application and observe the resulting behaviors.
The value of the URL parameter that you have selected is a valid message ID.
The value of the URL parameter that you have selected is not a valid message ID.
The single quote character submitted to the application caused it to output a detailed SQL error, informing potential attackers about the existence of an SQL injection flaw, but also revealing the structure of the SQL statement used by the application to query the database. This is very valuable information to an attacker, and it can be used to drive very damaging attacks, such as the one shown here.

Defending against Improper Error Handling



Since improper error handling may have dire consequences, it is essential to understand the different variants of this type of vulnerability and to know which practices may be used to defend against them.

Avoiding Improper Error Handling

Impropererrorhandlingusuallyarisesfromthefollowingbadassumptions:
Errorhandlingcodeisofsecondaryimportance.
Errorhandlingcodecanbeaddedafterthecorrespondingfunctionalityisimplemented.
Errorhandlingcodecanbewrittenaftertestingexposeserrors.
Errormessagesneedtobeasdetailedaspossibleforreportinganddebuggingpurposes.
Suchassumptionsturnintothefollowinginsecurebehaviors:
Yielding too much information.Applicationsthatreturnerrormessagescontaininginformationthatisrevealingtoanattackerexpose
themselvestofurtherandmoreeducatedattacks.Whilerevealingdetailedinformationonwhatpartoftheapplicationfailedmaybegood
fromausabilityperspective,malicioususersmayusethisinformationtobettertargettheirattacks.
Ignoring errors.Errorreturnvaluesindicateafailureconditiontherefore,everytimeitisappropriate,theapplicationshouldcheck
functionreturnvalues.Forinstance,consideracalltofopen()thatfails,eitherbecauseaccessisdeniedorbecausethefiledoesnotexist.
Iftheerrorisnothandled,allfollowingcallstofunctionssuchasfwrite()orfread()willfailtoo.Asaresultofreadingdataanddereferencing
thedata,theapplicationwillmostlikelycrash.
Misinterpreting errors.Althoughsomefunctionsmayreturnbizarreerrorvalues,theapplicationneedstodetectpreciselywhicherror
hasoccurredpriortobeingabletohandleit.Forinstance,ifanapplicationmisinterpretsatrivial,recoverableerrorasacritical,non
recoverableone,itmightbepossibleforanattackertolaunchaDenialofServiceattackagainstit.
Employing useless error values.Somefunctionsmaysimplyreturnnoerrorvalues.Forexample,considertheCstandardruntime
strncpyfunctionthatonlyreturnsapointertothedestinationbuffer.Ifabufferoverflowoccurred,thefunctionwouldonlyreturnapointerto
theoverflowedbuffer.
Handling the wrong exceptions.Developerssometimeswritecodetocatchagiventypeofexception,whileinfact,anothertypeof
exceptionwillbethrown.Asaresult,theseexceptionswillnotbecaughtandwillcausetheprogramtoenteravulnerablestatewhichcan
inturnbeexploitedbyanattacker.
Handling all exceptions.Providingagenericexceptionhandlerthathandlesallexceptionsresultsinmaskingerrorspresentinthe
code.Pretendingthatanexceptionneverhappenedisdangerousasitmightcauseerrorstobeleftunaddressedormightcascadethrough
theapplicationwithdisastrouseffects.
Thefollowingbestpracticeswillpreventimpropererrorhandling:
Handletheappropriateexceptionsinyourcode.
Ensurethatyoucheckreturnvalueswhenappropriate.
Ensurethatinformationthatmayberevealingtotheattackerisnotdisclosed.
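The fopen()/fread() case above, carried through in C as an added example (not code from the course): every return value is checked, errno is mapped to a small set of coarse status codes so the caller can tell a recoverable "not found" from a fatal failure, and the detailed diagnostics (path, strerror text) go only to an internal log sink while the client sees one generic message that is identical for "does not exist" and "access denied". The file names, the status codes and the sample configuration file written by the helper are assumptions constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Coarse result codes handed to the caller (and, ultimately, the user).
   They carry enough to react to, but not the path or the errno text. */
enum read_status {
    READ_OK = 0,
    READ_NOT_FOUND,   /* recoverable: fall back to defaults */
    READ_DENIED,      /* recoverable: report, do not crash */
    READ_TOO_LARGE,   /* recoverable: input exceeded the buffer */
    READ_FAILED       /* anything else */
};

/* Reads at most cap-1 bytes of the file at path into out, always leaving out
   NUL-terminated, and stores the byte count in *len. Every library return
   value is checked; detailed diagnostics go only to the log sink (may be NULL). */
enum read_status read_config_file(const char *path, char *out, size_t cap,
                                  size_t *len, FILE *log)
{
    *len = 0;
    if (cap == 0) return READ_FAILED;
    out[0] = '\0';

    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        int err = errno;                 /* save before any other call clobbers it */
        if (log) fprintf(log, "fopen(%s): %s\n", path, strerror(err));
        switch (err) {                   /* distinguish recoverable from fatal */
            case ENOENT: return READ_NOT_FOUND;
            case EACCES: return READ_DENIED;
            default:     return READ_FAILED;
        }
    }

    size_t n = fread(out, 1, cap - 1, f);
    if (ferror(f)) {
        if (log) fprintf(log, "fread(%s) failed\n", path);
        fclose(f);
        out[0] = '\0';
        return READ_FAILED;
    }
    /* Buffer full with data left over is a distinct, recoverable condition. */
    int truncated = (n == cap - 1) && (fgetc(f) != EOF);
    if (fclose(f) != 0 && log) fprintf(log, "fclose(%s) failed\n", path);

    out[n] = '\0';
    *len = n;
    return truncated ? READ_TOO_LARGE : READ_OK;
}

/* The only text that reaches the client: generic, and identical wording for
   the "does not exist" and "access denied" cases so neither fact leaks. */
const char *user_message(enum read_status s)
{
    switch (s) {
        case READ_OK:        return "OK";
        case READ_TOO_LARGE: return "The configuration is larger than supported.";
        default:             return "The request could not be completed. Please try again later.";
    }
}

/* Helper used only to create a constructed sample file for the demo. */
int write_sample_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    size_t want = strlen(content);
    size_t got = fwrite(content, 1, want, f);
    if (fclose(f) != 0 || got != want) return -1;
    return 0;
}

int main(void)
{
    char buf[64];
    size_t len;
    /* Assumed path that does not exist: exercises the ENOENT branch. */
    enum read_status s = read_config_file("no_such_dir_here/app.cfg", buf, sizeof buf, &len, stderr);
    printf("status %d: %s\n", (int)s, user_message(s));
    return 0;
}
```

The switch on errno is where "misinterpreting errors" is avoided: ENOENT and EACCES are recoverable and get their own codes, everything else is treated as a failure, and no path dereferences the NULL FILE pointer.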

Code Reviewing for Improper Error Handling

When code reviewing for improper error handling vulnerabilities, check for the insecure constructs listed above (unchecked return values, misinterpreted errors, swallowed or wrongly typed exceptions, and revealing messages).
Use automated static code analysis tools to help you find vulnerabilities in your code. While static analysis tools cannot replace a manual review, they are a good complement and can be used to find a large number of vulnerabilities at once. These tools can also be used to build a comprehensive model of the code, including data flow and control flow. Use these results not only to fix the discovered vulnerabilities but also to point out 'hot spots' in your code that would benefit from an additional, deeper manual review.

Testing for Improper Error Handling

To test for improper error handling defects, testers should look for the application functionality that takes input. Wherever there is a way to input data into the application, it represents an interface that can be probed for more information through its error messages or, conversely, its lack of error messages. The following procedure will help testers in detecting improper error handling:
Probe input fields by submitting malformed data. Pay attention to the following properties of the data submitted:
Input length. Try long strings.
Input type. Try input that is of a different type than what the application expects.
Boundary values. Identify the upper and lower limits of expected data values and test by exceeding their limits.
Context. Try inputting values such as machine names, user names, and domain names. The application may behave differently when a valid name is entered, allowing an attacker to infer sensitive information.

Testers should look for signs of information disclosure and poorly handled error conditions, such as:
Poorly handled error cases.
Look for test cases that cause the application to crash.
Look for test cases that put the application in an insecure state.
Revealing error messages. Look for error messages revealing any of the following:
Machine names.
File locations.
Details regarding the internal configuration.
Data such as the structure of SQL queries, internal IP addresses, and valid user names.
https://teamprofessor.absorbtraining.com/courses/clients/378/Courses/SI%20Library/tst201_c_csd_130616_v4/CourseFiles/print.htm

31/74

9/29/2016

Classes of Security Defects

Mitigating Improper Error Handling

Use global exception handlers. Global exception handlers catch exceptions that are not handled in your code. They are a last line of defense, not a substitute for handling expected errors where they occur: the handler records the full exception for later analysis and returns only a generic message to the client. ASP.NET applications can use an application-level global error handler in Global.asax to catch all errors that are not handled in your code. Following such practice will ensure that detailed error information is not returned to the client. All exceptions should be recorded in the event log for later analysis. Code similar to the following can be used:

<%@ Application Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script language="C#" runat="server">
void Application_Error(object sender, EventArgs e)
{
    // Retrieve the unhandled exception and record its full details server-side.
    // The event source name is illustrative; it must be registered on the server.
    Exception ex = Server.GetLastError();
    EventLog.WriteEntry("MyApplication", ex.ToString(), EventLogEntryType.Error);
    // Return only a generic message to the client, never the exception text
    Response.Write("We are sorry, but we cannot complete your request. Please try again later!");
    Server.ClearError();
}
</script>

Use the customErrors element in ASP.NET applications. Error pages are used when the application needs a global exception handler or when it is expected that failures may happen. Use the customErrors element in your application's web.config to configure custom HTTP error pages. Set mode to "On", or to "RemoteOnly" to show detailed errors only to a browser running on the server itself; never ship with mode "Off", which sends stack traces to every client.

<customErrors mode="On" defaultRedirect="ErrDefault.aspx">
    <error statusCode="401" redirect="ErrUnauthorized.aspx" />
    <error statusCode="404" redirect="ErrPageNotFound.aspx" />
    <error statusCode="500" redirect="ErrServer.htm" />
</customErrors>

Weak Authentication

Defining Weak Authentication




Authentication is the process of verifying that someone or something is in fact who they claim to be. As such, authentication is the first line of defense in protecting an application against malicious individuals attempting to access protected resources.
When an application performs weak (easily bypassed) authentication, it can be possible for unauthorized users to access protected data and perform a wide range of malicious actions.

Applicability

Weak authentication vulnerabilities are programming-language independent. The key factor in determining whether an application can be affected by these issues is the presence of an authentication feature of some sort, such as a login form. All applications that support the separation between a public realm and a private realm, or that have multiple users, can potentially be affected by weak authentication issues.

Explanation

Systems that suffer from weak authentication can be categorized into the following classes:
Weak password-based systems
Some systems authenticate their users by requesting them to provide a password. However, the password policy enforced by these systems is not strict enough to provide an acceptable level of security: the passwords are too short, too predictable, not renewed often enough, or not transmitted or stored securely.
Weak session-token-based systems
Some protocols, such as HTTP, are stateless and anonymous. To overcome this limitation, session tokens are included in every request a user makes after the user is authenticated by the server. However, if these session tokens are predictable, it is possible for an attacker to hijack live user sessions.
Information-leaking authentication features
Some authentication features, although they protect their application from unauthorized access, reveal useful information to potential attackers. For example, they display different error messages or response times depending on whether a valid or an invalid user name is provided. These systems are considered weak because they let attackers enumerate valid user names and then concentrate password brute-forcing on those accounts.
Systems that identify rather than authenticate users
Some systems rely on identification data (such as an IP address or an e-mail address) in order to authenticate untrusted parties. These systems are prone to spoofing attacks.

Potential Impact

As weak authentication can allow an attacker to illegally access an application's functionality, the potential impact of such issues is very dependent on the vulnerable program's features. By accessing accounts of victim parties (individuals or systems), malicious users can, in most cases, elevate their privileges, view or modify sensitive information, and, of course, impersonate other parties.

Examples

Server Controller in IBM Lotus Domino asks user for password file (March 2011): The remote console in the Server Controller in IBM Lotus Domino 7.x and 8.x verifies credentials against a file located at a UNC share pathname specified by the client, which allows remote attackers to bypass authentication and, consequently, execute arbitrary code.
ASP.NET subsystem allows access to another user's data (December 2011): The Forms Authentication feature in the ASP.NET subsystem in all versions of the Microsoft .NET Framework allows remote authenticated users to obtain access to arbitrary user accounts via maliciously modified valid user names.
IBM (November 2011): IBM's TS3100 and TS3200 Tape Library Express products do not handle invalid authentication attempts securely. By repeatedly sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to gain unauthorized access to the Web management console, thereby bypassing authentication.

Defending against Weak Authentication




As authentication is the first line of defense that an application has against outsiders, it is crucial that it ensures that only the authorized users have access to protected features. In this sense, understanding how to avoid, detect, and mitigate weak authentication issues is key to an application's security.

Avoiding Weak Authentication

Weak authentication vulnerabilities usually arise as a result of the following false assumptions:
The strength of a password is up to users to decide.
Only the application can access its password store.
Random numbers cannot be predicted.
Identification data can be used to authenticate a party.
Certificates can be signed by anybody.

These assumptions result in the following insecure behaviors:
Failure to enforce a strong password policy.
Storage of unprotected passwords.
Generation of weak session tokens.
Authentication of parties based on identification data.
Acceptance of certificates that are signed by untrusted parties.
Best practices to avoid weak authentication include:
Enforcing a strong password policy. For a sample, see a password policy template.
Hashing (or, where reversibility is genuinely required, encrypting) passwords for storage.
Using built-in session handling mechanisms, such as those of ASP.NET, rather than inventing your own session tokens.
Relying on real authentication data, such as passwords, certificates signed by a trusted CA, and security tokens, to verify a user's or system's identity.

Code Reviewing for Weak Authentication

When performing a code review for weak authentication issues, you should ensure that:
No passwords are hard-coded.
Identification data, such as IP addresses, e-mail addresses, or social security numbers, is not used to authenticate users.
Code that creates passwords does so according to the password policy.
Failed login attempts are handled in a uniform manner (with the same response time and the same method of error handling, whether the user name or the password was wrong).
Failed login attempts are logged.
There is logic for enforcing periodic password renewal.
New passwords cannot be the same as previously chosen ones.
Passwords are transmitted through a secure channel.
The password reset mechanism is secure. For example, it should not be possible to reset all users' passwords in an automated way.
The system forces users to change the default authentication credentials.
Passwords are rendered unreadable using a strong cryptographic mechanism, preferably a salted password hash rather than reversible encryption.
Code that checks certificates verifies that signatures are from a trusted authority.

Testing for Weak Authentication

When testing for weak authentication issues:
Verify that the system forces the user to change default user credentials upon first execution.
Attempt to log in using different combinations of user names and passwords (both valid and invalid) and inspect error messages as well as response times in an attempt to determine whether the application leaks information about the validity of credentials.
Monitor network traffic at login time in an attempt to uncover credentials passed in clear text (using NetMon or Wireshark).
Verify that it is not possible to automate the action of resetting passwords.
Verify that passwords are reset in a secure manner.
Locate the application's password stores and inspect the relevant access control settings.
Attempt to decode passwords stored on disk to uncover weak encryption or encoding.
If the application uses certificates, attempt to authenticate by providing self-signed certificates.

Mitigating Weak Authentication

The following are among the various additional defensive measures that can be taken to defend against weak authentication:
Use multi-factor authentication:
Security tokens
Biometrics
One-time passwords
Use well-tested technologies:
Windows Authentication
Forms Authentication
Database encryption
Encrypted file systems
Use industry-approved protocols:
Kerberos
SSL/TLS
TACACS
RADIUS
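An added example in C, not code from the course, of the uniform failure handling that the Explanation under Defining Weak Authentication and the code-review checklist above both call for: one failure code and one message whether the user name is unknown or the password is wrong, a decoy record so the unknown-user path does the same amount of work as the wrong-password path, and a constant-time comparison of the stored verifier. The FNV-1a "verifier", the two-user store and the passwords are constructed stand-ins so the demo runs offline; a real deployment stores the output of a slow, salted password hash such as PBKDF2, bcrypt, scrypt or Argon2.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in verifier: FNV-1a over salt||password. Constructed for this example
   only; it is NOT a password hash. Replace with PBKDF2/bcrypt/scrypt/Argon2. */
static uint64_t demo_verifier(const char *salt, const char *password)
{
    uint64_t h = 1469598103934665603ULL;
    for (const char *p = salt; *p; ++p)     { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = password; *p; ++p) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    return h;
}

/* Constant-time equality: touches every byte whether or not an early byte
   differs, so the time taken does not reveal how much of the value matched. */
int ct_equal(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; ++i) diff |= (unsigned char)(x[i] ^ y[i]);
    return diff == 0;
}

struct account { const char *user; const char *salt; uint64_t verifier; };

/* Constructed sample store (two users) plus a decoy record whose verifier is
   derived from a password nobody holds. Unknown users are checked against the
   decoy so that path costs the same as a wrong password for a real user. */
static struct account store[2] = {
    { "alice", "s1-7f3a", 0 },
    { "bob",   "s2-c91e", 0 },
};
static struct account decoy = { "", "decoy-salt", 0 };
static int store_ready = 0;

static void init_store(void)
{
    if (store_ready) return;
    store[0].verifier = demo_verifier(store[0].salt, "correct horse battery");
    store[1].verifier = demo_verifier(store[1].salt, "hunter2-but-longer");
    decoy.verifier    = demo_verifier(decoy.salt,    "decoy password, never accepted");
    store_ready = 1;
}

/* One failure code and one failure message for every reason, so neither the
   response body nor its timing tells the caller whether the user name exists. */
enum login_result { LOGIN_OK = 0, LOGIN_FAILED = 1 };

const char *login_message(enum login_result r)
{
    return r == LOGIN_OK ? "Welcome." : "Invalid user name or password.";
}

enum login_result check_login(const char *user, const char *password)
{
    init_store();
    const struct account *acct = &decoy;
    for (size_t i = 0; i < sizeof store / sizeof store[0]; ++i)
        if (strcmp(store[i].user, user) == 0) acct = &store[i];

    /* Same work on every path: derive the verifier and compare all of it. */
    uint64_t candidate = demo_verifier(acct->salt, password);
    int match = ct_equal(&candidate, &acct->verifier, sizeof candidate);
    int known = (acct != &decoy);
    return (match & known) ? LOGIN_OK : LOGIN_FAILED;   /* '&', not '&&': no short-circuit */
}
```

A tester following the checklist above would time check_login("mallory", ...) against check_login("alice", wrong) and expect no measurable difference, and would see the same message for both; the explicit known flag keeps a lucky match against the decoy from ever logging anyone in.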


Weak Data Protection

Defining Weak Data Protection




While it is common practice to encrypt sensitive data transmitted over a network, developers often overlook encryption of local data storage. On average, data spends more time being processed and stored locally than being transmitted over a network. Therefore, it is important to ensure the confidentiality and integrity of data stored in locations such as system memory, hard drives, the Windows registry, or a database. Weak data protection allows attackers to compromise the stored data and possibly the security of the whole application.

Applicability

All applications can potentially be affected by weak data protection issues, regardless of the language they are written in. In one way or another, software applications deal with sensitive data such as confidential data and critical application data (for example, the user names and passwords of a system).

Explanation

Weak data protection vulnerabilities arise from:
Improper access control
Access rights govern access to resources within a system. It is imperative that proper access controls are utilized in order to grant access to sensitive data only to authorized parties.
Weak data encryption
While cryptography is essential to protect secrets, it is not foolproof, and a weak cryptographic system might lull users into a false sense of security.
Algorithms: Weak encryption algorithms, insecure implementations of strong cryptographic algorithms, and custom algorithms will almost certainly degrade overall system security, as an attacker might be able to break the encryption and retrieve sensitive data.
Key size: Even if a strong cryptographic algorithm is chosen, an inappropriately small key size might render the cryptosystem insecure. Specifically, systems using a small key size are vulnerable to brute-force attacks, and keys derived from passwords are additionally exposed to dictionary attacks.
Insecure management of cryptographic secrets
Cryptography relies on keys. If the keys are not stored and exchanged securely, an attacker might be able to retrieve the key and compromise the security of the cryptographic system.

Potential Impact

Weak data protection allows attackers to access information that they should normally be denied access to. By accessing that information, attackers might be able to expose and tamper with sensitive data. If the application bases its security decisions on this information, an attacker might be able to bypass security controls and elevate his or her access level by modifying it.

Examples

SCADA Systems hacked by Stuxnet worm (July 2010): Siemens Simatic WinCC and PCS 7 SCADA systems use a hard-coded password, which allows local users to access a back-end database and gain privileges, as demonstrated in the wild in July 2010 by the Stuxnet worm.
Folder Lock uses weak encryption for passwords (August 2008): Folder Lock is prone to an information disclosure vulnerability because it stores passwords in the Registry and uses weak encryption (ROT25) for protection. This allows local administrators to decrypt the passwords of other users.

https://teamprofessor.absorbtraining.com/courses/clients/378/Courses/SI%20Library/tst201_c_csd_130616_v4/CourseFiles/print.htm

39/74

9/29/2016

ClassesofSecurityDefects

Defending against Weak Data Protection




Weak data protection vulnerabilities can potentially allow attackers to access both confidential and critical application data. Such events will inevitably cause a breach of security policy. In order to prevent this type of situation, it is crucial to recognize the proper steps for avoiding, detecting, and mitigating weak data protection issues.

Avoiding Weak Data Protection

Weak data protection usually arises as a result of the following false assumptions:
Once data is stored on disk, only legitimate users will know its location and attempt to access it.
The application files will be accessed only by the intended users.
The application cannot be reverse engineered.
Such assumptions lead to the following insecure practices:
Insecure use of cryptography.
Improper use of Access Control Lists (ACLs).
Insecure management of cryptographic secrets.
The following list outlines some of the more common strategies for avoiding weak data protection:
Employ existing data protection technologies. Some operating systems, such as Windows, provide solutions for data protection. Known as the Data Protection API (DPAPI), this functionality in Windows allows applications to rely on Windows for storing and handling sensitive, cryptographic, or other important data both on disk and in memory.
Avoid handling data that requires extra protection. Unless dictated by application requirements and design, avoid storing or handling information that requires extra protection. Applications should handle only the data which they are obliged to handle.
Do not hard-code secrets into the application's code base. Secrets that are hard-coded into an application may be revealed through the use of reverse engineering. Therefore, any determined attacker will be able to gain access to these secrets.
Use established cryptographic solutions. Windows provides a set of cryptographic APIs that applications can use to avoid the pitfalls of implementing cryptographic algorithms. Known as CryptoAPI (and, in newer versions of Windows, Cryptography API: Next Generation, CNG), this library contains the industry-recognized encryption and hashing functions.
Use access controls that are enforced by the operating system. Use Access Control Lists (ACLs) to ensure that only authorized parties have access to protected resources. Apply the principle of least privilege when creating the appropriate ACL for each protected resource. Using this principle, grant read and/or write access only to the parties that require it.

Code Reviewing for Weak Data Protection

In order to detect weak data protection, a code review should check for the existence of code that enforces proper access controls. Code that creates files or other objects and does not set access control should be looked at. Additionally, code that configures ACLs should be inspected to determine whether the ACLs are set according to the sensitivity of the data they protect.

Testing for Weak Data Protection

Follow the steps below to detect weak data protection during testing:
Identify what needs to be protected.
Remember that even a small piece of unprotected sensitive data can compromise the security of the application.
Verify that proper encryption is utilized and not some kind of security through obscurity.
Verify that a proper cryptographic algorithm with an appropriate key size is selected.
Custom encryption algorithms are not as thoroughly tested as public ones are, so they tend to be insecure.
Examine all cryptographic key sizes that are used within the application.
Ensure that the length of all keys is appropriate.
Verify that the implementation of the selected algorithm is free from implementation errors.
Even if correct cryptography is in place, validate that data does not stay decrypted longer than it needs to be and that no decrypted temporary copies are left in the file system or in swap space.
Verify that logging and other error reporting mechanisms do not reveal parts of sensitive data.
Verify that proper ACLs are in place for the resources that need to be protected.
Look for hard-coded secrets. The Strings tool can be used for retrieving all ANSI and Unicode strings from a binary image.
Examine file system locations such as the application folder and the temporary directory for any data that needs to be protected. Repeat the procedure for any related registry keys.
Examine the output of the logs for any sensitive information leakage.
Using system and network monitoring tools, verify that no sensitive information is copied or transmitted in an insecure manner.

Mitigating Weak Data Protection

Use these approaches to mitigate weak data protection:
Encrypt the storage medium. Deploy disk encryption software for media where protected data is to be stored. For instance, encrypt the operating system partition where important application files are saved.
Use Windows integrity levels. Windows (since Vista) provides a built-in mechanism to ensure that processes of lower integrity cannot modify resources of higher integrity. While this solution is aimed at protecting operating system files, an application can utilize this mechanism to prevent unauthorized access to sensitive data.
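The code-review and testing items above (objects created without access control; decrypted data or keys lingering in memory) as an added POSIX C example, not code from this Windows-centric course: the file is created with owner-only permissions in the same call that creates it, so there is never a window in which it is group- or world-readable (the Windows analogue is passing a DACL in SECURITY_ATTRIBUTES to CreateFile), and the in-memory key is wiped through a volatile pointer as soon as it has been written, because a plain memset on a buffer that is never read again may be removed as dead code. The file name and the 16-byte "key" are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Creates path with owner-only permissions in the same call that creates it.
   O_EXCL refuses to reuse a pre-existing file or symlink planted by another
   local user, and the 0600 mode means the file is never readable by others,
   not even briefly (creating it and then tightening permissions would leave a
   window). The process umask can only restrict this further. Returns an open
   descriptor, or -1. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Reports whether the file behind fd grants any group or other permission. */
int is_owner_only(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Wipes a secret in a way the optimiser is not allowed to drop, so key
   material does not survive in the process image, core dumps or swap. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Writes key material to a newly created private file, then wipes the copy
   in memory as soon as it is no longer needed. Returns 0 on success. */
int store_key(const char *path, unsigned char *key, size_t key_len)
{
    int fd = create_private_file(path);
    if (fd < 0) return -1;
    int rc = 0;
    if (!is_owner_only(fd)) rc = -1;                    /* belt and braces: verify the ACL */
    if (rc == 0 && write(fd, key, key_len) != (ssize_t)key_len) rc = -1;
    if (close(fd) != 0) rc = -1;
    secure_zero(key, key_len);                           /* decrypted no longer than needed */
    if (rc != 0) unlink(path);                           /* never leave a partial secret behind */
    return rc;
}

/* Used to confirm the wipe actually happened. */
int is_all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; ++i) acc |= p[i];
    return acc == 0;
}

int main(void)
{
    unsigned char key[16] = "constructed-key";   /* sample secret, not real key material */
    const char *path = "ex_private_demo.key";
    int rc = store_key(path, key, sizeof key);
    printf("store_key: %d, key wiped: %d\n", rc, is_all_zero(key, sizeof key));
    unlink(path);
    return rc;
}
```

Running it twice without deleting the file in between makes create_private_file fail on the second run: that is O_EXCL doing its job, and the caller should treat it as an error rather than open the existing file.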

https://teamprofessor.absorbtraining.com/courses/clients/378/Courses/SI%20Library/tst201_c_csd_130616_v4/CourseFiles/print.htm

42/74

9/29/2016

ClassesofSecurityDefects

Buffer Overflows

Defining Buffer Overflows




A buffer overflow is an anomalous condition that arises when a program attempts to write more data than there is memory allocated for a buffer. Buffer overflows usually result in critical memory locations being overwritten, causing the program to crash. In addition, as some of these memory locations control the flow of execution of the program, buffer overflows can allow attackers to force the application into executing arbitrary code.

Applicability

Buffer overflows are inherent to programming languages that allow developers to perform their own memory management, such as C, C++, and assembly. These languages are considered to have better performance; therefore they are very popular. It is not surprising that buffer overflows are one of the most frequently encountered software bugs. Languages that use garbage collection and that do not allow direct memory management, such as C# and Java, bounds-check array accesses and are therefore not themselves vulnerable to buffer overflow attacks. However, as they can interoperate with native code (through P/Invoke, JNI, or C# unsafe blocks), these languages can still produce applications that are prone to buffer overflows.

Potential Impact

A successful buffer overflow attack can force a program into executing arbitrary code. In this situation, the code runs with the level of privilege granted to the exploited program. As a result, the potential impact of this type of vulnerability is in direct relation to the privileges of the exploited program and the capabilities of the exploited host.

Examples

Symantec pcAnywhere allows anyone to execute code on your PC (January 2012): Symantec's pcAnywhere product allows users to remotely connect to their computer and contains a severe buffer overflow vulnerability which allows unauthenticated remote users to execute arbitrary code on the target machine. This is made possible because a service on TCP port 5631 permits a fixed-length buffer overflow during the authentication process.
Cisco WebEx Player is found to have a buffer overflow (October 2011): Cisco's popular WebEx conferencing product contains vulnerabilities which allow a remote user to supply a specially crafted '.wrf' file that will trigger a buffer overflow and execute arbitrary code on the target system with the privileges of the victim user.
Microsoft OS products are vulnerable to buffer overflows (October 2008): The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization.

Narration: The stack is a Last-In, First-Out data structure used for memory management. It is segmented into frames, each of which corresponds to a program function call. Each frame also contains information such as the parameters and local variables of the function, a pointer to the previous frame, and the saved return address. When the amount of data written into a local buffer exceeds the amount of memory allocated for this buffer, critical portions of the stack can be overwritten, which could cause a program crash. By submitting carefully crafted data to the application, an attacker can overwrite the return address of the vulnerable function and cause the execution flow of the program to be redirected to an arbitrary memory location. If this location is controlled by the attacker, the application can potentially be forced to execute arbitrary code, thereby compromising the system.
The interactive demo on the original page asked for a string to copy into a 16-character destination buffer and showed three outcomes: an input that fits, so the program continues normally; an input longer than 16 characters that overflows the buffer but overwrites the return address with an invalid memory address, causing a memory access violation; and a crafted input that overflows the buffer and redirects the execution flow into the buffer itself.
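The 16-character buffer from the narration, as an added C example that is not part of the course: the unchecked strcpy() pattern a reviewer flags, beside a bounded copy that measures the input without reading past the buffer size, decides before writing anything, rejects input that does not fit instead of silently truncating, and gets the boundary right (the off-by-one that lets a 16-character string through is noted in the comment). The function names and the NAME_CAP constant are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* the 16-character buffer from the demo above */

/* Vulnerable form: no length check at all. strcpy() copies until it finds the
   terminator in input, so any input of NAME_CAP characters or more writes past
   name[] into the saved frame pointer and return address. Kept here only to
   show the pattern a reviewer looks for; never call it with untrusted input. */
void greet_unsafe(const char *input)
{
    char name[NAME_CAP];
    strcpy(name, input);                 /* banned API: no bound on the copy */
    printf("Hello, %s\n", name);
}

/* Length of src, scanning at most cap bytes, so an unterminated src cannot
   make the length check itself read out of bounds. */
static size_t bounded_length(const char *src, size_t cap)
{
    size_t n = 0;
    while (n < cap && src[n] != '\0') ++n;
    return n;
}

/* Hardened copy: decides before writing anything, refuses input that does not
   fit (rather than silently truncating, which strncpy would do while possibly
   leaving dst unterminated), and always leaves dst a valid C string.
   Returns 0 on success, -1 if src needs cap bytes or more. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    if (dst == NULL || cap == 0) return -1;
    size_t len = bounded_length(src, cap);
    /* Off-by-one trap: 'len > cap' or 'len > cap - 1' would let a cap-length
       string through and put its terminator one byte past the buffer. */
    if (len >= cap) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);           /* len data bytes plus the terminator */
    return 0;
}

/* Same behaviour as greet_unsafe for inputs that fit; rejects the rest. */
int greet_safe(const char *input)
{
    char name[NAME_CAP];
    if (copy_bounded(name, sizeof name, input) != 0) return -1;
    printf("Hello, %s\n", name);
    return 0;
}

int main(void)
{
    greet_safe("Alice");                                   /* fits: prints greeting */
    if (greet_safe("AAAAAAAAAAAAAAAAAAAAAAAAAAAA") != 0)   /* 28 bytes: rejected */
        puts("rejected over-long name");
    return 0;
}
```

With NAME_CAP 16 the longest accepted name is 15 characters: the sixteenth byte is reserved for the terminator, which is exactly the byte the off-by-one variants would push onto the stack frame.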

Defending against Buffer Overflows




Buffer overflow vulnerabilities pose a critical threat to a system's security, and, when exploited, they can be very damaging. It is therefore imperative to properly defend against buffer overflows by following a comprehensive strategy for avoiding, detecting, and mitigating these issues in your software.

Avoiding Buffer Overflows

Buffer overflow vulnerabilities are a result of the following false assumptions:
Parameters will never exceed the maximum size of their destination buffer.
There is no security concern with using this function.
These assumptions result in the following insecure coding behaviors:
Processing input without proper bounds checking.
Using vulnerable functions when safer alternatives exist.
Best practices:
Replace unsafe C functions with safe ones. The SDL requirements contain a comprehensive list of banned API calls, along with safer alternatives.
Verify that loops are properly terminated and that array indexes are within bounds.
Watch out for off-by-one errors, as they can be very subtle and difficult to detect, yet can still trigger a buffer overflow.
Replace C buffers with their C++ equivalents or corresponding STL containers, as appropriate. This is not a step to be undertaken lightly, as the changes required to an existing code base can be very extensive.
Proper security awareness must exist within your product team. Ideally, everyone will be familiar with at least the impact of a buffer overflow.

Code Reviewing for Buffer Overflows

In order to detect buffer overflows during code review:
Use static analysis tools to scan the application's source code. A number of these tools exist for C and C++. While these automated tools are not guaranteed to catch every error, they can be of tremendous use in catching the easy-to-spot errors. Use PREfix and PREfast to analyze your source code.
In addition to using static analysis tools, all source code should be subjected to code review by developers familiar with security issues. This will help eliminate subtle defects that might not have been caught by analysis software. The focus should be on functions and types of operations that are commonly found to be vulnerable, including:
Array initializations. Look for declarations such as int x[20], int y[64][5].
Format strings. Look for functions and strings such as printf(), fprintf(), %x, %s.
Vulnerable functions. Look for functions such as strcpy(), strcat(), and sprintf().

Testing for Buffer Overflows

When performing black-box testing on an application for buffer overflows:
Perform fuzz testing. Investigate potential crashes to determine the presence of buffer overflow bugs.
Use AppVerifier. AppVerifier is a runtime verification tool for unmanaged code. It assists developers in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing.
Disassemble the binary. Try to locate dangerous code constructs and dangerous API calls in the disassembled program.
Debug the application. Step through the program with a debugger while looking for dangerous code paths.

Mitigating Buffer Overflows

Even properly tested systems designed and implemented with security in mind can contain exploitable buffer overflows. Therefore, proper countermeasures should be put in place in order to mitigate potential buffer overflows:
Use Data Execution Prevention. The first step towards mitigating buffer overflows is making the stack and the heap non-executable. On Windows, this feature is called Data Execution Prevention (DEP). Similar solutions exist for other operating systems as well. This technology stops the classic attack of jumping into injected shellcode, which defeats the majority of attacks of that kind; it does not by itself stop attacks that reuse code already present in the process.
Use Address Space Layout Randomization. Another mitigation technology is Address Space Layout Randomization (ASLR). This technique randomizes the base addresses of the executable image, the stack, and the heap, making it very difficult for an attacker to predict the execution environment of his exploit.
Turn on the /GS security check. Visual Studio implements stack protection through the use of the /GS switch. This switch places a canary (security cookie) between local variables and the return address. If the canary has been overwritten when the function returns, the program is simply terminated.
It should be noted that the above techniques, while useful, can be bypassed (as has happened with exploits found in the wild). Therefore, detection and prevention still remain key in a successful buffer overflow defense.


Format String Problems

Defining Format String Problems




Format string vulnerabilities result from improper use of functions that expect to be passed control data (format strings), such as the C language functions of the printf family. Format string vulnerabilities can have varying impact, ranging from information disclosure to complete program compromise. The first recorded instance of format strings being utilized as an attack vector was in 1999. While format string attacks are relatively easy to detect, they are still encountered, albeit not as frequently as buffer overflow vulnerabilities.

Applicability

Format string bugs can be encountered in any type of application. While they carry their most critical impact when encountered in applications written in C/C++, they can produce undesired side effects in languages such as C#, Java, PHP, or Python.

Potential Impact

The impact of format string attacks varies:
Information Leakage: Using carefully crafted format strings, information can be read from the stack. This can lead to disclosure of sensitive information that can be used to escalate an attack.
Denial of Service: Improper handling of format strings may lead to a program crash. If the program in question accepts the input from an anonymous client over the network, the effects can be devastating.
Elevation of Privilege: The %n conversion writes to memory, so a crafted format string can overwrite control data and lead to execution of arbitrary code, compromising the security of the program. If the vulnerable program is running with administrative privileges, a complete operating system compromise may occur.

Examples

Sudo vulnerable to format string vulnerability (January 2012): A vulnerability was reported in Sudo which allows a local user to supply a specially crafted command line argument to trigger a format string flaw and execute arbitrary commands on the target system with root privileges. The fact that this vulnerability could be exploited by local users regardless of whether they were listed in the sudoers file further exacerbated the issue.
Mac OS X Format String Flaw in PackageKit (January 2011): A remote user with the ability to conduct a man-in-the-middle attack can trigger a format string flaw in Mac OS X PackageKit's handling of distribution scripts to execute arbitrary code when Software Update checks for new updates.
VMware Remote Console (April 2010): A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a format string flaw in the VMware Remote Console (VMrc) and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Narration: Format string attacks, as their name suggests, target functions that take format strings as arguments, such as the C language printf family of functions.
Format specifiers embedded within these format strings describe how to process subsequent parameters of the function. If these parameters are not properly validated, it is possible to force the application to deviate from its intended behavior.
By providing access to values stored on the stack, these attacks can have many different effects, ranging from erroneous program behavior and program crashes to information disclosure and execution of arbitrary code.
The interactive demo on the original page asked the reader to select the format string passed to printf and showed three outcomes: the expected format string, with which the program continues normally; a format string that allowed the password to be read from memory, enabling information disclosure; and a format string that allowed an attacker to overwrite an arbitrary memory location, which could potentially allow the attacker to execute malicious code.

Defending against Format String Problems



Format string bugs are relatively easy to detect. Nevertheless, they often appear in otherwise well-constructed and robust software, and can have a severe impact, sometimes causing complete security compromise. In order to defend successfully against format string bugs, special care must be taken to avoid introducing them, as well as to detect already existing ones and to place proper mitigations should some remain in the final product.

Avoiding Format String Problems

Format string vulnerabilities arise as a result of the following false assumptions:
- The input will always be of the expected format.
- There are no security concerns with format strings.
These assumptions result in the following insecure coding behaviors:
- Processing input without properly validating it.
- Using insecure format string constructs.
Best Practice:
- Never pass user input directly to a formatting function.
- Replace unsafe constructs with more secure equivalents.
- Use managed code wherever possible, as it tends to be less vulnerable to format string issues.

Code Reviewing for Format String Problems

During a code review it is relatively simple to detect format string problems. Scan for the usage of functions known to be vulnerable to format string attacks. In particular, look for constructs such as:
printf(user_input)
fprintf(stdout, user_input)
and verify whether they could allow specially crafted input to:
- Reveal information whose address is stored on the stack.
- Write to unexpected memory locations.
- Overflow a buffer.
Depending on the development environment, compiler flags can also help with the discovery of format string flaws.

Testing for Format String Problems

In order to detect format string vulnerabilities during testing, look for any situation where format control specifiers (in the appropriate language) can be included as part of the user input. Include strings such as %x and %s wherever possible. Input may include unexpected sources of user input such as file names, environment variables, and localization files. If the application returns unexpected hexadecimal characters with any of these test strings, then there is a format string problem to be investigated.

Mitigating Format String Problems

Avoid the printf family of functions whenever possible. For example, if you are using C++ then use stream operators instead. If you must use printf, or a related function, then be sure to use a format control string to reference any user-supplied data. For C code, this solution can be implemented by simply replacing printf(user_controlled_string) with printf("%s", user_controlled_string). Similar measures can be implemented in other languages susceptible to format string issues.
When dealing with localization files, you can mitigate format string issues by limiting the locales to valid values. For more information on such localization issues, see "Write It Secure: Format Strings and Locale Filtering".
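The following C code is an added example, not part of the course material: it shows the printf("%s", ...) mitigation as a reusable wrapper, a directive counter a tester can run over suspect input, and a hypothetical locale-name allowlist for the localization-file case (all three function names are assumptions).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the course): helpers around the printf-family
 * mitigation described above.
 *   count_format_directives() tells a tester or a log scanner how many
 *   conversion directives a string would carry if it were ever used as a
 *   format argument ("%%" is a literal percent sign and is not counted).
 *   log_user_string() is the corrected pattern: user data is always passed
 *   as an argument to a fixed "%s" format, never used as the format itself.
 *   is_acceptable_locale_name() is a hypothetical allowlist filter for the
 *   localization-file case (limit locale names to known-safe characters). */

/* Count '%' conversion directives in s, skipping the escaped form "%%". */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" prints a literal '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Write user-controlled text into out (capacity out_len) through a fixed
 * format. Returns what snprintf returns, so callers can detect truncation.
 * Because the user string is an ARGUMENT, "%x" or "%n" inside it is inert. */
int log_user_string(char *out, size_t out_len, const char *user_controlled)
{
    return snprintf(out, out_len, "user said: %s", user_controlled);
}

/* Accept only short locale names made of letters, digits, '_', '-' and '.',
 * so a name such as "%n%n" or "../x" can never reach a formatting call. */
int is_acceptable_locale_name(const char *name)
{
    if (name[0] == '\0' || strlen(name) > 32)
        return 0;
    for (const char *p = name; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-' && *p != '.')
            return 0;
    return 1;
}

int main(void)
{
    char buf[64];
    const char *probe = "%x %x %n";   /* constructed tester input */
    printf("directives in probe: %d\n", count_format_directives(probe));
    log_user_string(buf, sizeof buf, probe);
    printf("%s\n", buf);              /* prints the probe text literally */
    printf("en-US acceptable: %d\n", is_acceptable_locale_name("en-US"));
    printf("%%n%%n acceptable: %d\n", is_acceptable_locale_name("%n%n"));
    return 0;
}
```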

Integer Overflows
Defining Integer Overflows
Computers use fixed-width groups of bits to represent numeric types. Representing numbers in this fashion implies that any number of a given numeric type must have a value that is between the type's minimum and maximum values.
If a number's value exceeds the minimum or maximum values for the number's type, the number's value will be wrapped around. This behavior is known as integer overflow.

Applicability

Owing to the nature of computers and how they represent numbers, integer overflows plague almost all programming languages. Highly vulnerable languages include C and C++, but the problem can appear with varying impact in languages such as C#, Visual Basic, Java and Perl.

Explanation

Due to the fixed-width nature of data types, numbers are treated as though distributed around a wheel rather than along a line.

Potential Impact

Integer overflows may result in many different outcomes ranging from miscalculations and denial of service to buffer overflows and remote code execution. For instance, if the calculation of a memory pointer is affected by an integer overflow, an attacker may exploit this weakness to either read sensitive information or overwrite critical data.

Examples

Ariane 5 (June 4, 1996): An integer overflow bug in the Ariane 5 space rocket on-board system caused the vehicle to steer off course and self-destruct 39 seconds after launch, costing more than U.S. $500 million (R&D costs for this particular mission reached up to U.S. $10 billion). For more information on this incident, read the full report from the Inquiry Board established for this accident by the European Space Agency.
MS05-026 HTML Help (June 14, 2005): An integer overflow vulnerability within HTML Help allowed for remote exploitation. For more information on this vulnerability, read the MS05-026 security bulletin.
MS06-026 Windows Graphics Rendering Engine (June 13, 2006): An integer overflow vulnerability within the Windows Graphics Rendering Engine, specifically the handling of Windows Media Files, allowed for remote exploitation. For more information on this vulnerability, read the MS06-026 security bulletin.
MS07-043 OLE Automation (August 14, 2007): An integer overflow within OLE Automation allowed for remote exploitation. For more information on this vulnerability, read the MS07-043 security bulletin.

Narration: We normally think of integers as lying on a number line that extends indefinitely in both directions. Computers, however, must store numbers in a limited amount of space.
Therefore, when representing an integer, there is a maximum and minimum value that computers are able to represent.
When an integer variable is incremented beyond the largest possible value, the value of that variable wraps around and becomes the smallest possible value.

Defending against Integer Overflows


Integer overflows are some of the subtlest bugs to spot. Nevertheless, their impact can be quite severe, often allowing for complete security compromise. Use the following strategies to defend your team's product against such vulnerabilities.

Avoiding Integer Overflows

In order to avoid integer overflow vulnerabilities in your software:

Use the SafeInt class (C++ Language). Developed to eliminate many of the complexities associated with integer arithmetic, SafeInt works by overloading most common operators and is designed so that it is very easy to incorporate into already existing code.

Use the IntSafe library (C Language). The IntSafe library consists of a collection of C functions to perform safe integer arithmetic. IntSafe includes two categories of functions: those that perform mathematical operations, and those that perform casting operations. All arithmetic is performed on unsigned values. When working with signed values, one must first convert them to unsigned values before using any IntSafe functions.

Code Reviewing for Integer Overflows

The above table shows the constructs to check in order to detect integer overflows during code review.

Testing for Integer Overflows

Testing for integer overflows can be performed in several ways:

Varying input sizes. It is not uncommon that the wrong numeric data type is used to represent the length of an input string. Try feeding the application input of sizes that can cause errors. For instance, strings of size 127, 128, 255, 32K, 32K+1, 64K, and 64K+1 can often cause problems.

Fuzz testing. Fuzz testing has an excellent history of uncovering difficult-to-find overflow errors. This is because fuzzing naturally forces unexpected integer values that the programmer might not have originally considered. Carefully examine fuzz testing results for any overflow conditions. Trace the flow of data back from the point of error and identify what input caused the integer overflow condition.

Mitigating Integer Overflows

There are several ways to mitigate integer overflows, including:

Use the checked keyword in C#. The checked keyword will allow the .NET CLR to raise an exception if an integer overflow occurs. However, extra care must be taken when handling such exceptions.

Validate input. Validate input for length, data type, and contents. Verify that all input is validated according to its use.

Fail securely. Handle any exceptions that result from an integer overflow in a secure manner. Ignoring or simply not catching such exceptions may aid an attacker in compromising the target application.
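The following C code is an added example and is not the IntSafe library nor code from the course: it shows hypothetical checked-arithmetic helpers written in the IntSafe style (unsigned operands, a success flag instead of a wrapped result) applied to the record-count times record-size buffer calculation that this section warns about, next to the unchecked version that silently wraps.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the course and not the IntSafe library itself:
 * hypothetical checked-arithmetic helpers in the IntSafe style (unsigned
 * operands, a success flag instead of a wrapped result), applied to the
 * classic "element count times element size" buffer-length calculation. */

/* Return 1 and store a + b in *out, or return 0 if the sum would wrap. */
int checked_add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > UINT32_MAX - a)
        return 0;
    *out = a + b;
    return 1;
}

/* Return 1 and store a * b in *out, or return 0 if the product would wrap. */
int checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Return 1 and store the narrowed value in *out, or 0 if it does not fit
 * (the "casting" category of operation). */
int checked_u32_to_u16(uint32_t v, uint16_t *out)
{
    if (v > UINT16_MAX)
        return 0;
    *out = (uint16_t)v;
    return 1;
}

/* Compute the byte size of a header plus count records of record_size bytes.
 * Returns 1 on success. On failure the caller must treat the request as
 * invalid rather than allocate a (wrapped, far too small) buffer. */
int compute_buffer_size(uint32_t header, uint32_t count, uint32_t record_size,
                        uint32_t *total)
{
    uint32_t records;
    return checked_mul_u32(count, record_size, &records) &&
           checked_add_u32(header, records, total);
}

/* The unchecked version, for comparison: this is the defect the course
 * describes, where the wrapped result silently undersizes the buffer. */
uint32_t unchecked_buffer_size(uint32_t header, uint32_t count,
                               uint32_t record_size)
{
    return header + count * record_size;
}

int main(void)
{
    uint32_t total;
    /* Constructed input: 0x10000 records of 0x10000 bytes wraps to 0. */
    if (!compute_buffer_size(16, 0x10000u, 0x10000u, &total))
        printf("rejected: size calculation would overflow\n");
    printf("unchecked result: %u (looks like a tiny buffer)\n",
           unchecked_buffer_size(16, 0x10000u, 0x10000u));
    if (compute_buffer_size(16, 100, 64, &total))
        printf("accepted: %u bytes\n", total);
    return 0;
}
```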

Improper File Access
Defining Improper File Access
Improper file access defects include all those vulnerabilities that stem from careless interaction with the file system, such as race conditions in non-atomic file operations, improper validation of untrusted input used in generation of file names and paths, and false assumptions about the nature of file system objects accessed by the application.

Applicability

All languages that provide file system object access primitives and all applications that access the file system are potentially vulnerable to this category of defects.

Explanation

Time-of-check/Time-of-use (TOCTOU): Improper file access vulnerabilities can stem from file operations that appear atomic, when in reality they are not. These race conditions allow an attacker to violate the program's expectations between two file operations in close proximity. For example, an application that logs sensitive data might first check whether the log file already exists, deciding to proceed only if it does not exist by creating it with restrictive ACLs. In this situation, an attacker could create the file with less restrictive ACLs during the time window between the check operation and the log creation, allowing its contents to be accessible to anyone.
Untrusted input: Applications constructing file names and paths based on untrusted input can be vulnerable to path modification attacks such as directory traversals (that is, the addition of an arbitrary number of path modifiers that break out of an anticipated directory) and network file redirection (that is, the insertion of a \\computername\ Universal Naming Convention (UNC) prefix to redirect a file request to an arbitrary network location).
Unexpected file system objects: Most file system APIs can be used to operate on objects that are not necessarily files, such as junction points and symbolic links (types of file shortcuts directly supported by the file system), MS-DOS device names (such as COM1 and LPT1), and interprocess communication and synchronization objects (such as named pipes and events).

Potential Impact

Improper file access vulnerabilities can allow attackers to access, modify, and delete protected files, and to crash an application that accesses a file system object of a type different than expected.

Examples

Linux logrotate file name vulnerability (April 2011): The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log file name.
RealPlayer Predictable Temporary Filename Lets Remote Users Execute Arbitrary Code (February 2011): A remote user can create specially crafted HTML that, when loaded by the target user, will exploit the predictable temporary file names used to store references to RealMedia files and use the OpenURLInPlayerBrowser() function to execute arbitrary code on the target system. The code will run with the privileges of the target user.

Defending against Improper File Access



A number of techniques, which have been perfected over time since the inception of the first file system access related vulnerabilities, can be used to defend against improper file access vulnerabilities.

Avoiding Improper File Access

Time-of-check/Time-of-use best practices:
- Lock files before performing sequences of non-atomic file operations.
- Never use the same file name with more than one file operation; obtain a file handle instead and operate on the handle.
Path modification best practices:
- Never trust file names and paths not under direct control of the application.
- When obtaining and/or creating a file name or path from untrusted sources, resolve the name or path first to its canonical form, and then validate it.
Unexpected file system objects best practices:
- Before operating on a file system object, always validate its actual type against the expected type by means of the GetFileType() API.

Code Reviewing for Improper File Access

When code reviewing to detect improper file access issues, ask yourself the following questions for each I/O function call, particularly those supplying a file name as argument:
- Is the file name originating from an untrusted source, or can it be manipulated by an untrusted party?
- Is the file name going to be used with more than one file operation?
- Can the file be accessed or modified by unauthorized users?

Testing for Improper File Access

When testing for improper file access issues, try to trigger directory traversal or unexpected file type access in the application by specifying the following for each input that influences a file name or path handled by the application:
- MS-DOS device names such as AUX, CON, LPT1, C:, and variants such as PRN.txt and ..\..\AUX.
- Path modifiers such as ..\ and alternative stream names such as file.txt::$DATA.
- UNC prefixes and suffixes such as \\<computername> and computername\ipc$.

Mitigating Improper File Access

Most of the causes of improper file access issues can be controlled by preventing unauthorized users from tampering with the files accessed by the application. A convenient way to achieve this goal is to confine critical file operations to a protected folder such as the user folder (\Documents and Settings\<username>), which by default only allows access to the current user and to members of the Administrators group.
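The following C code is an added example, not part of the course: a hypothetical validator, check_untrusted_filename(), that applies the "canonicalize, then validate" best practice to exactly the inputs listed for testing above (device names and their PRN.txt and ..\..\AUX variants, ..\ modifiers, ::$DATA streams, UNC prefixes and ipc$ suffixes), returning a reason code so the refusing rule can be logged. Windows naming rules and a name already in canonical form are assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the course: a hypothetical validator for a file
 * name that came from untrusted input, covering the test inputs listed above
 * (MS-DOS device names and their PRN.txt and ..\..\AUX variants, ..\ path
 * modifiers, ::$DATA stream names, \\computername UNC prefixes and ipc$
 * share suffixes). Windows naming rules are assumed. It is meant to run on
 * the canonical form of the name and returns a reason code so the caller can
 * log exactly which rule refused the name. */

enum name_verdict {
    NAME_OK = 0,
    NAME_EMPTY,
    NAME_UNC_PREFIX,     /* \\computername\share or //server/share */
    NAME_COLON,          /* drive letters (C:) and streams (file.txt::$DATA) */
    NAME_PATH_MODIFIER,  /* "." or ".." as a path component */
    NAME_DEVICE_NAME,    /* CON, PRN, AUX, NUL, COM1-9, LPT1-9, also PRN.txt */
    NAME_ADMIN_SHARE,    /* a component ending in '$', such as ipc$ */
    NAME_BAD_CHAR        /* control characters and the reserved <>"|?* */
};

static int is_separator(char c) { return c == '\\' || c == '/'; }

/* Does the component comp[0..len) match a reserved MS-DOS device name?
 * The comparison ignores case and anything from the first '.' onwards,
 * because Windows treats "PRN.txt" as the PRN device. */
static int is_device_component(const char *comp, size_t len)
{
    static const char *const devices[] = {
        "CON", "PRN", "AUX", "NUL",
        "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
    };
    size_t base = 0;
    while (base < len && comp[base] != '.')
        base++;
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++) {
        size_t dl = strlen(devices[i]);
        size_t k = 0;
        if (dl != base)
            continue;
        while (k < dl && toupper((unsigned char)comp[k]) == devices[i][k])
            k++;
        if (k == dl)
            return 1;
    }
    return 0;
}

enum name_verdict check_untrusted_filename(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return NAME_EMPTY;
    if (is_separator(name[0]) && is_separator(name[1]))
        return NAME_UNC_PREFIX;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == ':')
            return NAME_COLON;
        if (c < 0x20 || strchr("<>\"|?*", c) != NULL)
            return NAME_BAD_CHAR;
    }
    /* Walk each path component between separators. */
    const char *start = name;
    for (;;) {
        const char *end = start;
        while (*end != '\0' && !is_separator(*end))
            end++;
        size_t len = (size_t)(end - start);
        if (len > 0) {
            if ((len == 1 && start[0] == '.') ||
                (len == 2 && start[0] == '.' && start[1] == '.'))
                return NAME_PATH_MODIFIER;
            if (is_device_component(start, len))
                return NAME_DEVICE_NAME;
            if (start[len - 1] == '$')
                return NAME_ADMIN_SHARE;
        }
        if (*end == '\0')
            break;
        start = end + 1;
    }
    return NAME_OK;
}

int main(void)
{
    /* Constructed inputs taken from the test list above. */
    const char *samples[] = { "report.txt", "AUX", "PRN.txt", "..\\..\\AUX",
                              "file.txt::$DATA", "\\\\server\\ipc$", "C:" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> verdict %d\n", samples[i],
               (int)check_untrusted_filename(samples[i]));
    return 0;
}
```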

Improper Use of SSL and TLS
Defining Improper Use of SSL and TLS
SSL, and its successor TLS, are industry-accepted client-server cryptographic protocols, designed to allow secure transmission of data by replacing standard TCP sockets. These technologies encrypt data traffic, perform integrity checking, and offer the capability for each of the two communicating parties to authenticate the other. However, if used improperly, these technologies can become ineffective and, furthermore, can offer a false sense of security to their users.

Applicability

As SSL/TLS is used to secure network communications, improper use of SSL/TLS usually affects client-server applications. However, HTTPS, which relies on SSL/TLS to secure Web traffic, mandates a stricter set of security rules and is not prone to such problems. Improper use of SSL/TLS does not apply to applications that do not rely on network connectivity to operate.

Explanation

SSL/TLS is a protocol that is used to prevent attackers from reading or modifying communication between a client and a server. In addition, it provides a means for both communicating parties to authenticate each other. As is the case with most of the existing protocols, SSL/TLS includes optional recommendations such as the use of server-side authentication. When server-side authentication is not enabled, it is possible for an attacker to impersonate the server and perform a man-in-the-middle attack.

When this type of attack succeeds, an attacker can view and modify data transferred between the client and the server. While SSL/TLS can be considered a cryptographically secure protocol, improper use of it can nullify its security.

Potential Impact

Improper use of SSL/TLS allows an attacker to impersonate communicating parties, get access to sensitive information and tamper with data while it is being transmitted.


Stop and Think!



Consider an application that uses a security mechanism such as:
- A strong authentication infrastructure.
- An antivirus system.
- An encrypted storage.
- A secure communication protocol.
Now, consider the users' behavior induced by the security of such a mechanism:
- Users deploy the system on the Internet.
- Users open arbitrary e-mail attachments carelessly.
- Users store confidential information.
- Users exchange critical information on the wire.
Finally, imagine that the security mechanism is defective. What malicious actions do you think an attacker could perform to abuse the application and its users?

Defending against Improper Use of SSL and TLS


Using SSL/TLS correctly within an application is a multi-step process. Owing to the fact that SSL/TLS as a standard has many optional parameters, these might be ignored during design and development, lulling the team into a false sense of security. Therefore, it is imperative to avoid, detect, and mitigate improper use of SSL/TLS.

Avoiding Improper Use of SSL and TLS

A solution integrating SSL/TLS might contain one or more flaws such as:
- Use of weak cryptography.
- Improper validation of certificates.
- Weak authentication.
In order to avoid the above issues, an application must make sure that:
- The cipher suite used is secure.
- Certificates are signed by a trusted Certificate Authority.
- The host name contained in the server certificate matches the server's host name.
- The certificate has not expired and has not been revoked.
- Individual data fields within the security certificate validate correctly.

Code Reviewing for Improper Use of SSL and TLS

In order to detect improper use of SSL/TLS during code review, examine all network input points that use SSL/TLS. For each of these points:
- Verify the use of a strong cryptographic suite. This can often be accomplished by searching for the strings SSL and TLS in a case-insensitive manner.
- Verify that a commercial PKI is used. If a proper PKI is not used and certificates are managed in an ad hoc way, then verify that certificates are checked against a well-defined allow list.
- Verify that the code checks if certificates are within the validity time period.
- Verify that the code checks if data contained within subfields is both syntactically correct and semantically valid.

Testing for Improper Use of SSL and TLS

When trying to detect improper use of SSL and TLS during testing, there are several tools that can help automate a man-in-the-middle attack against HTTPS, including dsniff, Ettercap, and Wireshark.
To test for the use of a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP), monitor all traffic from an application for an extended period of time. Check destination protocols and addresses against a list of known values. If OCSP is enabled, check for one OCSP request per authentication. Note that CRL checks can be made quite infrequently (once a week is not uncommon) with the results being cached. Therefore, do not expect to see much traffic when looking for CRL use.

Mitigating Improper Use of SSL and TLS

The following extra defensive steps can be taken in order to mitigate improper use of SSL/TLS:
- Monitor network traffic for suspicious activity.
- Periodically audit your application to ensure that SSL is being used properly.
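The following C code is an added example, not part of the course: it writes out two of the certificate checks listed under "Avoiding" (host name matching, including the wildcard rules a reviewer should expect, and the validity period), so a code reviewer knows what to look for at each SSL/TLS input point. The certificate fields are assumed to have been parsed already by the TLS library in use; the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not from the course: two of the certificate checks listed
 * under "Avoiding", written out so a reviewer can see what "matches the
 * server's host name" and "has not expired" actually require. The inputs
 * are already-parsed certificate fields (a DNS name from the certificate
 * and its notBefore/notAfter times), not raw certificates; parsing is
 * assumed to be done by the TLS library in use. */

/* Case-insensitive comparison of two byte runs of equal length. */
static int label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if the certificate name (optionally "*.example.com") matches host.
 * Rules applied here: the comparison is case-insensitive; a wildcard is
 * accepted only as the whole leftmost label and matches exactly one label,
 * so "*.example.com" covers "www.example.com" but neither "example.com" nor
 * "a.b.example.com"; "*.com" is refused so a wildcard can never cover a
 * whole top-level domain; a partial wildcard such as "w*.example.com" is
 * refused. */
int cert_hostname_matches(const char *cert_name, const char *host)
{
    size_t cl = strlen(cert_name), hl = strlen(host);
    if (cl == 0 || hl == 0)
        return 0;
    if (cl >= 2 && cert_name[0] == '*' && cert_name[1] == '.') {
        const char *suffix = cert_name + 1;          /* ".example.com" */
        size_t sl = cl - 1;
        if (strchr(suffix + 1, '.') == NULL)          /* needs two labels */
            return 0;
        const char *dot = strchr(host, '.');          /* end of first label */
        if (dot == NULL || dot == host)
            return 0;
        return strlen(dot) == sl && label_eq(dot, suffix, sl);
    }
    if (strchr(cert_name, '*') != NULL)
        return 0;
    return cl == hl && label_eq(cert_name, host, cl);
}

/* Return 1 if now lies inside [not_before, not_after]. */
int cert_time_valid(time_t not_before, time_t not_after, time_t now)
{
    return now >= not_before && now <= not_after;
}

/* Combined verdict for a hypothetical connect path: 0 = ok, bit 1 = name
 * mismatch, bit 2 = outside validity period. Both checks always run so a
 * log line can report every failure, not just the first one found. */
int verify_server_cert(const char *cert_name, time_t not_before,
                       time_t not_after, const char *host, time_t now)
{
    int rc = 0;
    if (!cert_hostname_matches(cert_name, host))
        rc |= 1;
    if (!cert_time_valid(not_before, not_after, now))
        rc |= 2;
    return rc;
}

int main(void)
{
    /* Constructed sample: a wildcard certificate valid from t=1000 to t=2000. */
    printf("www.example.com at t=1500: %d\n",
           verify_server_cert("*.example.com", 1000, 2000, "www.example.com", 1500));
    printf("evil.example.net at t=2500: %d\n",
           verify_server_cert("*.example.com", 1000, 2000, "evil.example.net", 2500));
    return 0;
}
```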

Unauthenticated Key Exchange
Defining Unauthenticated Key Exchange
Software developers are often advised by security experts never to build their own cryptographic algorithms. To a great extent, development teams have no trouble adhering to this advice, as it is usually less effort to find and use a suitable third-party solution. However, even when using a well-written solution, there are still many issues to be aware of. One of the most common mistakes is to incorrectly initialize new sessions for secure communications. In particular, it is common for developers to establish a session key in an insecure manner, leaving the session initialization vulnerable to, for example, man-in-the-middle attacks.

Applicability

Unauthenticated key exchange can happen with any programming language and any system. The only requirement is that the application establishes a secure communication channel with some third party using a shared key. When such a channel is not set up in a secure fashion, any data transmitted through this channel may become compromised.

Explanation

Unauthenticated key exchange problems allow man-in-the-middle attacks, in which attackers are able to observe supposedly secure communications between two parties. This is typically done by spoofing the identity of both parties so that both incorrectly think they are speaking to the other party. This allows the attacker to observe confidential information sent between the two parties, with the option to tamper with the data while in transit.

Examples

Remote Desktop Protocol Server Private Key Disclosure Vulnerability (May 2005): In Microsoft Remote Desktop Server a vulnerability presents itself because a private key that is used to sign the Terminal Server public key is hard-coded in a DLL. This can allow the attacker to disclose the key and calculate a valid signature to carry out man-in-the-middle attacks. An attacker could therefore cause the client to connect to a server under their control and send the client a public key to which they possess the private key.
SSH Tectia Server Insecure Private Key Permissions (July 2005): SSH Tectia Server 4.3.1 and earlier, and SSH Secure Shell for Windows Servers, uses insecure permissions when generating the Secure Shell host identification key, which allows local users to access the key and spoof the server.

Narration: Let's say that Alice has never communicated previously with Bob.
One of the two parties needs to generate a shared symmetric key to send to the other. Alice generates the secret key and sends it to Bob over an insecure channel.
Unfortunately, Eve captures the key and makes a copy of it. All communications between Alice and Bob are now compromised because Eve can decrypt each message, modify it, and then re-encrypt it without the two parties knowing.

Defending against Unauthenticated Key Exchange



There are several approaches to defend against unauthenticated key exchange:
Enforcing authentication prior to key exchange. The application's requirements and design documentation establish a mechanism for authenticating the remote parties before key exchange can happen.
Detecting unauthenticated key exchange. Code reviews can help in ensuring that the application does not rely on unauthenticated key exchange. Points where session initialization is performed should be examined to ensure that keys are not exchanged before authentication and that the unique identities of participants in the communication are not possible to forge.

Avoiding Unauthenticated Key Exchange

Unauthenticated key exchange vulnerabilities usually arise as a result of the following false assumptions:
- Using third-party cryptography solutions ensures security.
- Authentication can occur after session initialization.
These assumptions lead to the following insecure coding behaviors:
- Allowing session initialization without proper authentication.
- Allowing authentication to occur after session initialization.
Best practices:
- Use off-the-shelf cryptography solutions.
- Authenticate prior to session initialization and key exchange.
- Use a professional cryptographer when building custom cryptographic solutions.

Code Reviewing for Unauthenticated Key Exchange

Use the following steps to detect unauthenticated key exchange during code review:
- Identify network communication points where protection is a requirement, or should be a requirement.
- For each of these points, determine what authentication protocol is used during session initialization, if any.
- Verify that the authentication protocol results in a session key by looking at the protocol outputs. If not, verify that the protocol is authenticating the data from the key exchange and that the other party is uniquely identified. As this is very difficult to do, rely on a professional cryptographer.
- Assuming there is a key exchange, check that it is used for ongoing protection of the communication.
- Ensure that the authentication messages cannot be spoofed. For example, if public key digital signatures are used, then verify the other party's identity by using a PKI solution or by checking against a static list of known trusted keys.
- If authentication can be attacked, check whether only the first successful connection is vulnerable, or whether all future connections are vulnerable. The latter situation is clearly more problematic than the former.

Testing for Unauthenticated Key Exchange

Testing is not the recommended place for detecting problems with unauthenticated key exchange. It is much easier to spot such issues using code review.

Mitigating Unauthenticated Key Exchange

There are no specific mitigations that can be used to help address unauthenticated key exchange issues.

Locating Additional Resources

Cryptography API: Next Generation. Detailed descriptions of the Microsoft cryptographic functions, interfaces, objects, and other programming elements.
System.Security.Cryptography Namespace. Documentation of the namespace that provides cryptographic services.
19 Deadly Sins of Software Security by Michael Howard et al. (ISBN: 0072260858).

Weak Random Number Generation
Defining Weak Random Number Generation
A Random Number Generator (RNG) is a device that can produce a series of numbers that lack any pattern. A weak RNG is one that may appear to produce a series of random numbers, but in actuality produces a series that contains subtle patterns or relations. Since RNGs are a key component in many security systems like encryption algorithms, it is important for RNGs to be strong and not have predictable values.
Computers often use Pseudorandom Number Generators (PRNGs) to simulate an RNG. PRNGs use a seed value as a starting point for generating a very long sequence of seemingly random numbers. PRNGs can be either weak or strong, depending on how easy it is for an attacker to predict numbers generated by the PRNG.

Applicability

Applications of all types rely on RNGs for the security of their cryptosystems. Any application that does one of the following is at risk of misusing RNGs:
- The application uses an RNG as part of a cryptosystem.
- The application uses an RNG to seed the value for a PRNG.
- The application generates session IDs, user IDs, or tokens that are meant to be unpredictable.

Explanation

Random number generators are used to generate many kinds of security-related data including cryptographic keys and session identifiers. An attacker who can predict numbers generated by an RNG, even with only a slight probability of success, can often leverage this information to breach the security of systems. Even worse is when an RNG is not even used, which makes attacking such systems significantly easier. This is often the case when hard-coded or sequential values are used rather than values generated by a strong RNG.

Potential Impact

Successful attacks against weak RNGs can have many different outcomes, depending on how the random numbers were being used in the first place. When an RNG is used for session or user IDs, then a successful attack allows the attacker to gain access to the victim user's account. When an RNG is relied on for the encryption of confidential data, a successful attack against the RNG can reveal the hidden information and even allow the attacker to alter the information. When an RNG is used in conjunction with digital certificates, a successful attack against the RNG allows the victim's identity to be spoofed.

Examples

Qnap Storage Devices use weak key generation methods (September 2009): Some Qnap Storage Devices use the rand library function to generate a certain recovery key, which makes it easier for local users to determine this key via a brute-force attack, leading to unauthorized decryption of the hard disk by attackers.
Linux distros prone to weak random number generation weakness (September 2009): The get_random_int function in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to return the same value over and over again for long stretches of time.

Defending against Weak Random Number Generation



The key to avoiding weak RNGs is to recognize situations that require strong random numbers in the first place. These include situations where you are generating session IDs, user IDs, and seed values for cryptographic functions. Having identified the proper situations, you must next ensure that the RNG used is in fact strong. For cryptographic applications, use a specially designed PRNG known as a Cryptographic Random Number Generator or CRNG.

Avoiding Weak Random Number Generation

RNG-related vulnerabilities arise as a result of the following false assumptions:
- A given value, such as a session ID, will not change after it is set.
- Building a secure RNG is easy.
- Building a custom RNG is more secure.
- If you generate a few values with an RNG and they appear to be evenly distributed, then there's probably nothing to worry about.
- The built-in function for random numbers for a given language must be secure.
- A fixed value can be used to seed an RNG, as long as it is kept secret.
These assumptions often lead to the following insecure code behaviors:
- Using predictable values for session IDs.
- Having false confidence in a home-grown RNG.
- Relying on weak RNGs built into the language.
- Hard-coding seed values.
Best practices:
- Never trust input from the user, including values such as session IDs.
- Never write your own cryptographic functions, including an RNG.
- Never use built-in RNGs in any particular language unless you are sure they are strong.
- Use cryptographic RNGs.
- Use a True RNG source to seed values for strong PRNGs.
SDL requirement: When using an RNG for cryptographic purposes, use either RtlGenRandom, CryptGenRandom, rand_s, or RNGCryptoServiceProvider (for managed code).
SDL requirement: When generating data from passwords, use a standard key derivation function (KDF): CryptDeriveKey.

Code Reviewing for Weak Random Number Generation

When detecting weak PRNGs during code review, check the above constructs. While code reviewing, check for any uses of the built-in RNGs listed in the chart. Also check the values used to seed cryptographic RNGs. A True RNG source should be used to seed a cryptographic RNG.

Testing for Weak Random Number Generation

Testing a Web application for weak RNGs requires special attention. Look for identifiers such as session IDs, user IDs, and tokens that are sequential or have other noticeable patterns. Automated tools can be used to generate a large number of such identifiers that can then be analyzed independently. For Web applications, be sure to look at hidden parameters, session cookies and names assigned to file uploads.
The following tool can assist you when testing for weak RNGs:
WebScarab: A basic proxy tool that can replay requests and provide basic analysis of response parameters.
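The following C code is an added example, not part of the course or of WebScarab: it shows the kind of first-pass analysis a tester would run over a batch of collected identifiers, flagging the two patterns named above (a constant step between consecutive IDs, and a hex-digit distribution dominated by one symbol). The sample ID batches are constructed and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the course: two checks of the kind an automated
 * tester would run over a batch of collected session IDs, flagging the
 * patterns the text mentions (sequential values and a visibly skewed symbol
 * distribution). It is a first-pass screen, not a substitute for a full
 * statistical suite such as the NIST tests cited in the resources below. */

/* Parse a hexadecimal identifier of at most 16 digits. Returns 1 on success. */
int parse_hex_id(const char *s, unsigned long long *out)
{
    char *end;
    size_t len = strlen(s);
    if (len == 0 || len > 16 || strspn(s, "0123456789abcdefABCDEF") != len)
        return 0;
    *out = strtoull(s, &end, 16);
    return *end == '\0';
}

/* Return 1 if every consecutive pair of IDs differs by the same non-zero
 * step: the classic "counter handed out as a token" defect. Needs at least
 * three IDs so that a single coincidence does not count as a pattern. */
int ids_are_sequential(const char *const ids[], size_t n)
{
    unsigned long long prev, cur, step;
    if (n < 3 || !parse_hex_id(ids[0], &prev) || !parse_hex_id(ids[1], &cur))
        return 0;
    step = cur - prev;
    if (step == 0)
        return 0;
    prev = cur;
    for (size_t i = 2; i < n; i++) {
        if (!parse_hex_id(ids[i], &cur) || cur - prev != step)
            return 0;
        prev = cur;
    }
    return 1;
}

/* Fraction of all hex digits taken by the single most frequent digit.
 * Uniformly random hex digits give a value near 1/16; a batch such as
 * "0010a0", "0010a1", ... is dominated by '0' and scores far higher. */
double max_symbol_fraction(const char *const ids[], size_t n)
{
    unsigned long counts[256] = {0}, total = 0, top = 0;
    for (size_t i = 0; i < n; i++)
        for (const char *p = ids[i]; *p != '\0'; p++) {
            counts[(unsigned char)*p]++;
            total++;
        }
    for (int c = 0; c < 256; c++)
        if (counts[c] > top)
            top = counts[c];
    return total == 0 ? 0.0 : (double)top / (double)total;
}

int main(void)
{
    /* Constructed samples: one counter-like batch, one varied batch. */
    const char *weak[] = { "0010a0", "0010a1", "0010a2", "0010a3" };
    const char *ok[]   = { "9f3c1e7a", "02b8d4f1", "e7a1c059", "4d6f28b3" };
    printf("weak: sequential=%d max_symbol_fraction=%.3f\n",
           ids_are_sequential(weak, 4), max_symbol_fraction(weak, 4));
    printf("ok:   sequential=%d max_symbol_fraction=%.3f\n",
           ids_are_sequential(ok, 4), max_symbol_fraction(ok, 4));
    return 0;
}
```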

Mitigating Weak Random Number Generation

Use Cryptographic Random Number Generators. The Windows CryptoAPI provides the routine CryptGenRandom(), which can be implemented by any cryptographic provider. CryptGenRandom() is a CRNG that periodically reseeds using a TRNG source provided by the operating system.

#include <windows.h>
#include <wincrypt.h>

/* Fill pdBuffer with dwLen bytes from the CryptoAPI CRNG. */
void GetRandomBytes(BYTE *pdBuffer, DWORD dwLen)
{
    HCRYPTPROV hProvider;
    if (!CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        ExitProcess((UINT)1);
    if (!CryptGenRandom(hProvider, dwLen, pdBuffer))
        ExitProcess((UINT)1);
    /* ... */
    CryptReleaseContext(hProvider, 0);   /* release the provider handle */
}

With .NET code, you should use code similar to the following C# example.
using System.Security.Cryptography;

try
{
    byte[] b = new byte[32];
    new RNGCryptoServiceProvider().GetBytes(b);
    // b contains 32 bytes of random data
}
catch (CryptographicException e)
{
    // Error
}

Locating Additional Resources

For the NIST FIPS 140 standard with guidance for testing the quality of random numbers, see Security Requirements for Cryptographic Modules.
Randomness Recommendations for Security. Provides recommendations for secure random number generation.
Pseudo-random numbers: mostly a line of code at a time, by Nelson Beebe. A mathematical introduction to PRNGs.
CryptGenRandom Function. The API reference for the CryptGenRandom function.
RNGCryptoServiceProvider Class. A cryptographic RNG for .NET.
19 Deadly Sins of Software Security by Michael Howard et al. (ISBN: 0072260858).

Race Conditions
Defining Race Conditions
A race condition occurs when two different execution contexts are able to modify a resource at the same time, thereby interfering with one another. Developers often assume that a short sequence of instructions or API calls will be performed atomically, while in reality another process or thread is likely to get a time slice before the sequence completes. In application security, a specific kind of race condition occurs when an attacker is able to access a resource between the time this resource is checked and the time it is used. This type of issue is referred to as time-of-check to time-of-use, or TOCTOU.

Applicability

It is possible to create race conditions in any language. Although high-level languages that do not support threads or forked processes will not be vulnerable to some race condition problems, malicious users may still be able to perform other types of TOCTOU attacks.

Explanation

The following are different types of situations that will inevitably lead to race condition problems:
Programming with side effects. Side-effect programming occurs when a function or an expression modifies a shared resource before returning. For example, a function may modify a global or a static variable in addition to returning a value. Problems arise when two threads are in the function at once. Let us consider a function that pops the front element of a list after having checked that the list is not empty. One thread may pass the check, while another may pop the last element of the list. Therefore, when the first thread attempts to pop an element from the list, because the list is empty, the routine will fail, potentially putting the application in a vulnerable state. This is particularly concerning for real-time or critical applications which, when malfunctioning, may endanger human life and have serious consequences.

Interaction between files and objects. Some applications rely on critical objects, such as files, to operate. As these objects are essential for the application, they are often checked for a security property (for example, integrity) before they are used by the application. If this security property can be altered between the time the application checks the resource and the time it is used, an attacker might be able to modify the outcome of a critical operation.

Potential Impact

Race conditions might cause multiple threads or processes to fight for the same resource or wait for a lock while the application is in a deadlock state. Such issues will usually result in a denial of service.
If an attacker succeeds in getting between the time of check and the time of use of a critical system resource and reads or modifies this resource, this often allows the attacker to bypass a security restriction and elevate his or her privileges on the vulnerable system.

Examples

Multiple race conditions discovered in OpenSSL (November 2010): Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multithreading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow.
Race condition in Google Chrome (February 2011): Race condition in Google Chrome before 9.0.597.84 allows remote attackers to execute arbitrary code via vectors related to audio.

Defending against Race Conditions


As race conditions may have dramatic consequences, it is critical to understand how to defend against such problems. Proper techniques should be applied to avoid, detect, and mitigate these issues.

Avoiding Race Condition Problems

Race condition issues usually arise as a result of the following false assumptions:
  A sequence of instructions will be performed atomically.
  An attacker will not be able to get between the time a resource is checked and the time the resource is used.
  Only one thread at a time will execute a function's code.
These assumptions lead to the following insecure coding behavior:
  Programming with side effects.
  Implementing non-reentrant code.
  Omitting to secure critical objects between time of check and time of use.
The following best practices should be applied to avoid race condition problems:
  Achieve thread safety through the use of reentrant code: Code should be able to be executed by multiple threads and processes simultaneously. Thread synchronization can be achieved through the use of the interlocked family of functions, mutexes, semaphores, or critical sections.
  Guard against the lack of or the improper locking of shared resources: If an unhandled exception is thrown while holding a lock on an object, any other code that requires access to this object will enter a deadlock condition. The responsibility of acquiring or releasing a lock may be given to an object so that when the stack unwinds, the destructor of this object will release the lock. Multiple locks should be released in the opposite order in which they were acquired. Minimize the tasks to be done while holding a lock so that other threads may gain access to the resource. Since system calls may take millions of instructions to complete, do not depend on them to complete execution before another application is allowed to execute.
  Supply the access controls at creation time: In Windows, a security descriptor can be attached to a file at creation time. Supplying the access controls at creation time eliminates race conditions that may have occurred between creation and applying the access control.
  Use the CREATE_NEW flag when creating a new file: Calling the CreateFile API with the CREATE_NEW flag will fail if the file already exists and will therefore avoid race conditions between checking whether an object exists and creating a new one.
  Check GetLastError(): If an application needs to create a directory that an attacker has already created, the GetLastError() API function will return ERROR_ALREADY_EXISTS.
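The following POSIX C program is an added example and not part of the course material; it carries the CREATE_NEW, creation-time access control and GetLastError() practices above over to Linux, where the equivalents are O_CREAT | O_EXCL, the mode argument of open(), and errno == EEXIST. It places a check-then-create routine with a TOCTOU window next to the atomic version; the function names and the scratch directory under /tmp are assumptions of the example.

```c
#define _XOPEN_SOURCE 700   /* declares mkdtemp(), symlink() and friends */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes reported by both creation routines (names are this example's own). */
enum create_result { CREATED = 0, ALREADY_EXISTS = 1, CREATE_FAILED = 2 };

/* Race-prone pattern: existence check, then creation. Another process can
 * create the path between stat() (time of check) and open() (time of use);
 * if what it plants is a symbolic link, O_CREAT without O_EXCL follows the
 * link and creates or truncates whatever the link points at. */
int create_private_file_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0)                       /* time of check */
        return ALREADY_EXISTS;
    int fd = open(path, O_WRONLY | O_CREAT, 0600);  /* time of use */
    if (fd < 0)
        return CREATE_FAILED;
    close(fd);
    return CREATED;
}

/* Hardened pattern: O_CREAT | O_EXCL makes the existence check and the
 * creation one atomic kernel operation (the POSIX analogue of CreateFile
 * with CREATE_NEW), and the 0600 mode is applied at creation time instead
 * of with a later chmod(). A pre-existing path, including a symbolic link,
 * makes open() fail with errno == EEXIST, the analogue of GetLastError()
 * returning ERROR_ALREADY_EXISTS. */
int create_private_file_atomic(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno == EEXIST ? ALREADY_EXISTS : CREATE_FAILED;
    close(fd);
    return CREATED;
}

/* Exercises both routines in a fresh 0700 directory under /tmp and returns
 * a bitmask of observations; 31 means every property below held. */
int demo_create_new(void)
{
    char dir[] = "/tmp/toctou_demo_XXXXXX";       /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;
    char state[128], link[128], target[128];
    snprintf(state, sizeof state, "%s/state.dat", dir);
    snprintf(link, sizeof link, "%s/planted.dat", dir);
    snprintf(target, sizeof target, "%s/protected.dat", dir);

    int seen = 0;
    struct stat st;
    /* Bit 0: the atomic routine creates a fresh file. */
    if (create_private_file_atomic(state) == CREATED)
        seen |= 1;
    /* Bit 1: the file carries exactly the 0600 mode requested at creation. */
    if (stat(state, &st) == 0 && (st.st_mode & 0777) == 0600)
        seen |= 2;
    /* Bit 2: a second attempt on the same path reports ALREADY_EXISTS. */
    if (create_private_file_atomic(state) == ALREADY_EXISTS)
        seen |= 4;

    /* Model the state after a lost race: a dangling link to a not-yet-existing
     * "protected" file is already sitting where the program will create its file. */
    if (symlink(target, link) == 0) {
        /* Bit 3: the racy routine passes its check (stat() on a dangling link
         * fails) and then follows the link, creating the target. */
        if (create_private_file_racy(link) == CREATED && access(target, F_OK) == 0)
            seen |= 8;
        unlink(target);
        /* Bit 4: the atomic routine refuses the link with ALREADY_EXISTS and
         * never touches the target. */
        if (create_private_file_atomic(link) == ALREADY_EXISTS
            && access(target, F_OK) != 0)
            seen |= 16;
    }

    unlink(link);
    unlink(state);
    rmdir(dir);
    return seen;
}

int main(void)
{
    int seen = demo_create_new();
    printf("observations bitmask: %d (expect 31)\n", seen);
    return seen == 31 ? 0 : 1;
}
```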

Code Reviewing for Race Condition Problems

In order to detect race condition problems, code reviews should pay particular attention to the following:
  When more than one thread or process accesses the same resource:
    Investigate the resource locking and unlocking mechanism.
    Verify that proper exception handling is in place.
  When temporary files are created in common areas:
    Verify that the O_EXCL option is used whenever the C open() function is called.
    Verify that the CREATE_NEW flag is used whenever CreateFile is called.
    Verify that file names are unpredictable.
    Verify that access control lists are specified at creation time.
  Identify places where non-reentrant code is used in multithreaded applications.
The following static analysis tools may also help you in uncovering race conditions:
  Coverity Prevent: Static code analysis tool that finds concurrency defects (race conditions, deadlocks, and thread blocks) in multithreaded applications developed in C, C++ and Java.
  Fortify Static Code Analysis (SCA): Static code analysis tool that identifies software vulnerabilities such as race conditions in C/C++, C#, Java, ASP.NET, VB.NET, JSP, JavaScript and XML.

Testing for Race Condition Problems

Race conditions can be difficult to find through testing. As a general rule, testers should find threads and processes that compete for the same resources and determine ways to modify:
  The established order in which they access these resources.
  The resources themselves.


  Attack thread and process synchronization:
    Run stress loads to probe the application's internal synchronization logic.
    Determine whether the application uses named synchronization objects.
    Create a rogue application that signals these objects.
    Look for deadlocks or security mechanisms that become disabled.
  Test for temporary file races:
    Monitor the application's access to files.
    Look closely at file creation activity.
      Are predictable file names being used?
      Are these files being created in world-writable or shared directories?
    Verify that the application checks whether a file exists before creating it.
      How does the application behave if the file already exists?
    Check whether proper access control is set on these files.
      Are ACLs configured properly on these files?
      When are these ACLs configured? Are they set at file creation time or later?
    Determine whether there is a window of opportunity for tampering with these files.
      Is it possible to write to these files and change some critical information?
      Is it possible to replace these files with links to other (possibly protected) files?

Mitigating Race Condition Problems

In order to mitigate race condition problems:
  Create temporary files in places to which non-privileged users do not have access: Users should not be able to access or tamper with temporary files used by the application.
  Prevent files from being tampered with: The Windows integrity mechanism can be used to restrict the access permissions of less trustworthy applications by assigning integrity levels to application processes and securable objects.


Poor Usability

Defining Poor Usability




At first glance, usability appears to be a simple thing to get right since software developers are also users of the application and intrinsically know what works for them. Unfortunately, software developers often make incorrect assumptions about what other users will find usable. This is even more likely to occur with security-related design. It is easy for developers to implement poor usability when trying to meet difficult security requirements. This leads to users being presented with security mechanisms that are confusing or intrusive. As a result, poor usability will often lead to users making poor security decisions.

Applicability

Poor usability can be found in applications built in any language and for any environment. Any application that allows one to make security decisions, either explicitly or implicitly, is at risk of letting its users leave their system insecure because of poor usability.

Explanation

Poor usability is usually the result of a lack of understanding of the application's users. These users can generally be classified into two groups: administrators and regular users. Administrators want to make sure they can manage their systems effectively and securely. They also want access to critical data to help them make good security decisions and should be trusted to do so. Regular users, however, want to be safe but they usually do not have the necessary skills to make good security decisions, even when provided with helpful data.
Adequately presenting security-related information to your users can be surprisingly difficult. Applications frequently:
  Provide too little information. This makes it especially difficult for administrators to make appropriate security decisions for their organization.
  Provide too much information. This makes it especially difficult for regular users to make decisions as the information is overwhelming and does not allow them to reach their simple security objectives.
  Present too many messages. Both administrators and users grow tired of alerts and warning messages and will eventually just start automatically clicking "Yes" or "OK" without taking into account the content of the message.
  Present inaccurate or generic information. This is both annoying and dangerous because users are then forced to make an uninformed decision. Error codes can be helpful to administrators, but without any explanatory text, end users are likely to become confused and frustrated.

Potential Impact

Every time users lower security settings to make an application more usable, they expose themselves to potential attacks. Poor usability can therefore be thought of as a precursor to just about any type of vulnerability and opens the door to many attacks. For example, disabling cumbersome authentication mechanisms can lead to identity spoofing and repudiation problems. Ignoring confusing dialog boxes which contain certificate information can lead to data tampering and information disclosure.

SSL Certificate Prompt Example

Internet Explorer SSL/TLS certificate authentication: This dialog box was presented by older versions of Internet Explorer when there was a problem authenticating an SSL-enabled Web site. The problem with this dialog box is that the information it gives is confusing, and very few users will know how to accurately determine whether a serious risk is being presented or not.


SSL Certificate Installation Example

Internet Explorer 4.0 root certificate installation: Root certificates are used by Web browsers to verify the authenticity of all other certificates. Internet Explorer, like most browsers, includes a store of trusted root certificates from the primary CAs. Version 4.0 of IE would provide the following dialog box when a user attempted to import a new root certificate. To a regular user, the cryptography information means nothing and is very intimidating, while to an administrator no information is provided on how to confirm the CA's authenticity. Fortunately, from version 5.0 onwards, a much more appropriate dialog box is provided.

Spot the Bug!

Narration: Poor usability often leads to users making poor security decisions. The following program is an instant messaging client called CorpIM. Use the provided controls to interact with the application and observe its behavior while it attempts to perform a file transfer.
The file transfer is terminated. This is a safe decision since it is not possible to identify the sender of the file or the type of file to be transferred.
Although the file transfer succeeded, you chose not to open the file. This is a safe decision because the application did not allow you to determine what type of file was to be transferred to the local machine.
The transferred file is in fact a malicious program and has compromised your system. Accepting the transfer and opening the file is what most users would have done, as the application does not provide the user with the information necessary to make educated security decisions. This information includes the identity of the sender of the file, the type of file to be transferred, and security warnings about the potential risks of downloading and opening an arbitrary file on the local machine.

Defending against Poor Usability




The basic cause of poor usability is a failure to grasp how normal users will interact with your application's security features. This is a common problem, and the negative effects can be difficult to anticipate. It is important to devote time and resources to understanding how end users will interact with the security features.

Avoiding Poor Usability

Poor usability issues usually arise as a result of the following false assumptions:
  Users will interact with the system in the same way developers do.
  Security is more important than usability.
  Regular users make security their priority.
These assumptions lead to the following insecure coding and design behaviors:
  Generating error messages that are tailored for a developer, not a user.
  Giving precedence to security concerns over usability concerns.
  Providing insecure settings by default.
Best practices:
  Think like a user by considering what information an administrator would want presented and what information an end user would want presented.
  Create dialog boxes, warnings, and error messages that provide the right amount of information for administrators and end users. Clearly indicate the consequences of the user's security decisions.
  Provide secure settings by default.

Code Reviewing for Poor Usability

Code reviewing is very effective at identifying many types of vulnerabilities; however, it is not as useful as testing when it comes to usability issues. Developers that rely on their own intuition for how security and usability should interact will generally get it wrong. However, code reviewing can still help in some areas. In particular, while code reviewing, do the following:
  When examining User Interface (UI) code, focus on the security options. Note what the default settings are. Also look for simple ways to disable or bypass security settings, for example, by using other users' settings.
  When reviewing code that authenticates other parties or systems, examine what happens when the other party cannot be properly authenticated. Is it still possible to continue without the authentication? What options are presented to users in such a scenario?

Testing for Poor Usability

Testing is the best time to detect poor usability issues. However, the process for testing for poor usability issues is usually different from normal testing activities. When testing for usability, observe actual users of the application, working in pairs, as they go through the system, especially for the first time. Be sure the users encounter the security functionality that you are interested in testing. This is often accomplished by providing users with a set of tasks to complete, but not providing them with specific details on how to do so. This allows you to get feedback on how users interact with security features and messages in a realistic manner.
Depending on your audience, it is sometimes useful to release alpha and beta versions of the application prior to its final release. Users benefit by gaining early access to your application while you can benefit by gaining feedback on usability, amongst other things.
Many of the basic principles of usability testing apply when testing security aspects as well. A good reference for usability in general is the book Usability Engineering by Jakob Nielsen (ISBN: 0125184069).

Mitigating Poor Usability

Poor usability can cause users to lower security. This, in turn, makes the user more susceptible to certain attacks, depending on which security settings were lowered. Without knowing the specifics of what threat may be an issue, the best mitigation is simply to build an otherwise secure application.
Though not a mitigation per se, another technique that can significantly help address poor usability issues is to include a simple way to update the application to the most recent version. This is often accomplished by including the ability to automatically check for, and possibly install, new updates. Then, when usability issues are uncovered, it is a relatively straightforward process to provide updates that address the issues.

Locating Additional Resources

Security Management, the Fundamental Tradeoffs by Jesper M. Johansson: Article about the tradeoffs between security, usability, and cost, from a system and network administration perspective.
Writing Error Messages for Security Features by Everett McKay: Information about writing, presenting, and testing security-related messages.
Usability of Security: A Case Study by Alma Whitten and J. D. Tygar: A discussion of why user interface design for security merits special considerations, using PGP 5.0 as an example.
Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 by Alma Whitten and J. D. Tygar: A discussion of why user interface design for security merits special considerations, using PGP 5.0 as an example.
Useit.com: Usability engineering Web site by Jakob Nielsen.
19 Deadly Sins of Software Security by Michael Howard et al. (ISBN: 0072260858).

Course Summary
Outline the Common Classes of Security Defects

There are many different classes of security defects, and it is important for developers to understand them all in order to create software which is of the highest security quality. Each section of this course covers one of the common classes of security defects. The complete course provides you with a comprehensive overview of all of these common classes.

Recognize the Potential Impact of Common Security Defects

Each class of security defect can have a different impact on your applications, and thus on your customers. This course provides you with the information needed to understand the potential impact of every common class of security defect.

Map Common Security Defects with Specific Technologies

Many security defects are tied to specific technologies. For example, SQL injection vulnerabilities are unique to database-driven applications. It is important to understand which vulnerabilities may present themselves in the technologies you are using in order to avoid them. This course provides information on mapping common security defects with specific technologies so that you can protect against them when working with those technologies.

Identify the Programming Errors Responsible for Common Security Defects

Many of the common security defects can be traced to specific programming errors made by developers during implementation. Understanding these programming errors and the impact they can have on security is essential to developing quality software. This course gives an overview of these programming errors so that developers can avoid making these mistakes in the future.
Apply Coding Best Practices to Avoid Common Security Vulnerabilities

In an effort to improve the overall security quality of software, a set of coding best practices has been created within the industry. Employing these best practices when developing software can help you to avoid most common security vulnerabilities. This course outlines these coding best practices and relates them to the common security vulnerabilities which they help avoid.

Find Common Security Defects in an Application's Source Code

Reviewing source code is an important task in creating quality software. While these reviews focus on general software defects, they should cover common security defects as well. This course provides guidance on how to find these common security defects in an application's source code.

Test Software in Order to Detect Common Security Bugs

Testing is the last quality check in the development of software. It is important that testing activities include cases which will detect the presence of any common security defects. This course provides you with guidance on how to test software in order to detect these common security bugs.


Locating Additional Resources (1 of 3)


Various books are available that define and explain the field of application security. These books show testers and developers how they can develop secure code and prevent security vulnerabilities.

Hacking: The Art of Exploitation
Author: Jon Erickson
Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, this book introduces the fundamentals of C programming from a hacker's perspective. The included LiveCD provides a complete Linux programming and debugging environment, all without modifying your current operating system. Use it to follow along with the book's examples as you fill gaps in your knowledge and explore hacking techniques on your own. Get your hands dirty debugging code, overflowing buffers, hijacking network communications, bypassing protections, exploiting cryptographic weaknesses, and perhaps even inventing new exploits.

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Authors: Mark Dowd, John McDonald, and Justin Schuh
This book covers the full spectrum of software vulnerabilities in both UNIX/Linux and Windows environments. It demonstrates how to audit security in applications of all sizes and functions, including network and Web software. Moreover, it teaches using extensive examples of real code drawn from past flaws in many of the industry's highest-profile applications. This book is an unprecedented resource for everyone who must deliver secure software or assure the safety of existing software: consultants, security specialists, developers, QA staff, testers, and administrators alike.

Security Engineering: A Guide to Building Dependable Distributed Systems
Author: Ross J. Anderson
This book is comprehensive and carefully researched. It makes it clear just how difficult it is to protect information systems from corruption, eavesdropping, unauthorized use, and general malice. Better, Ross Anderson offers a lot of thoughts on how information can be made more secure (though probably not absolutely secure, at least not forever) with the help of both technologies and management strategies. His work makes fascinating reading and will no doubt inspire considerable doubt in anyone with information to gather, protect, or make decisions about.

Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World
Authors: Michael Howard and David LeBlanc
This book describes how to harden your applications throughout the entire development process, from designing secure applications to writing robust code that can withstand repeated attacks to testing applications for security flaws. Easily digested chapters reveal proven principles, strategies, and coding techniques. The authors, two battle-scarred veterans who have solved some of the industry's toughest security problems, provide sample code in several languages.


Locating Additional Resources (2 of 3)


Additional resources continued from the previous page.
Click each tab to learn more about details of available books.

19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

Authors: Michael Howard, David LeBlanc, and John Viega

The Security Development Lifecycle

Authors: Michael Howard and Steve Lipner

This essential book for all software developers, regardless of platform, language, or type of application, outlines the 19 deadly sins of software security and shows how to fix each one. Bestselling authors Michael Howard and David LeBlanc, who teach Microsoft employees how to write secure code, have partnered with John Viega, the man who uncovered the 19 deadly programming sins, to write this much-needed book.

The software industry has been struggling with how to create and release software that is more security-enhanced and reliable; the Security Development Lifecycle (SDL) provides a methodology that works. Adapted from Microsoft's standard development process, SDL is a critical way to help reduce the number of security defects in code at every stage of the development process, from design to release. In addition to a brief history of the methodology, this book details each stage of the SDL methodology and discusses its implementation across a range of Microsoft software, including Microsoft Windows Server 2003, Microsoft SQL Server 2000 Service Pack 3, and Microsoft Exchange Server 2003 Service Pack 1, to help measurably improve security features.
Coauthored by Michael Howard and Steve Lipner, the book gives you direct access to insights from Microsoft's security team and lessons that are repeatable and applicable to software development processes worldwide, whether on a small scale or large scale. This book includes a CD featuring videos of developer training classes.

How to Break Software Security

Authors: James A. Whittaker and Herbert H. Thompson

How to Break Web Software: Functional and Security Testing of Web Applications and Web Services

Authors: Mike Andrews and James A. Whittaker

This book is for software testers and developers. It presents testing techniques that expose security holes caused by software dependencies, data-dependent weaknesses in software, application design flaws, and implementation-related vulnerabilities. The book is an industry bestseller and required reading for security testers in many large software development houses. Over 40 universities refer to this book for developing courses on software security and testing.

Since its early days as an information exchange tool limited to academe, researchers, and the military, the Web has grown into a commerce engine that is now omnipresent in all facets of our lives. More Web sites are created daily and more applications are developed to allow users to learn, research, and purchase online. As a result, Web development is often rushed, which increases the risk of attacks from hackers. Furthermore, the need for secure applications has to be balanced with the need for usability, performance, and reliability.
In this book, Whittaker and Andrews demonstrate how rigorous web testing can help prevent and prepare for such attacks. They point out that methodical testing must include identifying threats and attack vectors to establish and then implement the appropriate testing techniques, manual or automated.

Narration: Additional resources continued from the previous page.
Click each tab to learn more about details of available books.

TEAM Mentor eKnowledge


Provides faster and better remediation guidance within the developer's environment.
TEAM Mentor is an interactive Application Security eKnowledge base with thousands of articles on how to prevent vulnerabilities during application development. Use TEAM Mentor to find guidance for implementing the application security controls that are relevant to your particular application in your development language. With optional plugins to the most popular Static and Dynamic code analysis tools, TEAM Mentor provides users with quick and easy access to comprehensive security guidance that is accurate and relevant to specific code security questions. Integrating security scanning and guidance into a development workflow ultimately results in quicker production of more secure and stable applications.
