Secure Coding - Web Application Security Vulnerabilities and Best Practices
6 likes5,075 views
The document discusses secure coding principles and vulnerabilities in different programming languages. It provides examples of vulnerabilities in PHP, JavaScript, Ruby, Struts, and C. Key secure coding principles discussed include minimizing the attack surface, establishing secure defaults, least privilege, defense in depth, and failing securely. Specific vulnerabilities addressed include PHP hash collisions, PHP remote code execution, JavaScript type issues, Ruby system commands, and Struts dynamic method invocation.
![JavaScript
Types Differences
{} + {} = NaN
{} + [] = 0
[] + {} = "[object Object]"
[] + [] = ""
{} - 1 = -1
[] - 1 = -1
-1 + {} = "-1[object Object]"
-1 + [] = "-1"](https://image.slidesharecdn.com/sc3-140725125400-phpapp02/85/Secure-Coding-Web-Application-Security-Vulnerabilities-and-Best-Practices-32-320.jpg)
![JavaScript
Obfuscation
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")
[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$
$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$
$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.
$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=
$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+
$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+
$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.
$_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__
+"("+$.__$+""+$.$__+$.___+")"+""")())();
!
// equal to
!
alert(1);](https://image.slidesharecdn.com/sc3-140725125400-phpapp02/85/Secure-Coding-Web-Application-Security-Vulnerabilities-and-Best-Practices-33-320.jpg)
Secure Coding - Web Application Security Vulnerabilities and Best Practices
- 1. Secure Coding Web Application SecurityVulnerabilities and Best Practices
- 3. Is it this?
- 4. ...or this?
- 6. Security Principles • Minimise Attack Surface Area • Establish Secure Defaults • Principle of Least Privilege • Principle of Defence in Depth • Fail Securely • Separation of Duties • Avoid Security by Obscurity • Keep Security Simple • Fix Security Issues Correctly
- 7. Minimise Attack Surface • Every feature or technology is a risk. • Secure development is all about reducing the risk by minimising the attack surface.
- 9. Establish Secure Defaults • By default a system should be secure out- of-the-box. • It should be up to the user to reduce their security if allowed.
- 10. Trust Morpheus!
- 11. Principle of Least Privilege • Use the least possible privilege to perform the required business task.
- 12. Don’t be the luser!
- 13. Principle of Defence in Depth • Always consider that upper layers are already compromised.
- 14. This is how we do it.
- 15. Fail Securely • Code fails regularly.
- 16. Fail Securely isAdmin = true; ! try { codeWhichMayFail(); isAdmin = isUserInRole("Administrator"); } catch (Exception ex) { log.write(ex.toString()); }
- 17. Separation of Duties • Some roles have different levels of trust than normal users.
- 18. Hell yeah!?!
- 19. Avoid Security By Obscurity • Security By Obscurity is a weak security control. • Security By Obscurity depends on knowledge.
- 20. Don’t be like Dawson!
- 21. Keep Security Simple • Simplicity leads to better understanding the system and its constraints.
- 22. Please!
- 23. Fix Security Issues Correctly • Understand the root cause of the problem. • Identify the the pattern of the problem. • Some issues are wide-spread across the code base. • Develop a Fix • Develop Tests
- 24. Fix Security Issues Correctly PHP Hash Collision DOS(CVE-2011-4885) • Problem: PHP was found vulnerable to a denial of service by submitting a large amount of specially crafted variables • Solution: max_input_vars was introduced to limit the number of variables that can be used in a request
- 25. Fix Security Issues Correctly PHP Remote Code Execution(CVE-2012-0830) if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) { php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC); } ! ... code removed ... ! PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC) { ! ... code removed ... ! if (is_array) { ! ... code removed ... ! if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } ! ... code removed ... ! symtable1 = Z_ARRVAL_PP(gpc_element_p); ! ... code removed ... ! }
- 26. Fix Security Issues Correctly PHP Remote Code Execution(CVE-2012-0830) • Vulnerability occurs when max_input_vars is exceeded and the variable is an array. • Code execution occurs when Z_ARRVAL_PP is called to obtain reference of an updated hashtable. • If number of variables is greater than max_input_vars, gpc_element will point to the previous variable value, which is not initialised memory.
- 28. Rails/Grails/MVC • Model/View/Controller and scaffolding paradigm is often abused.
- 29. Python • Python has a funny way of dealing with different data types.
- 31. JavaScript Type Problems • JavaScript has loose semantics on its types.
- 32. JavaScript Types Differences {} + {} = NaN {} + [] = 0 [] + {} = "[object Object]" [] + [] = "" {} - 1 = -1 [] - 1 = -1 -1 + {} = "-1[object Object]" -1 + [] = "-1"
- 34. C • In C the type system is completely arbitrary. You can do whatever you like with pointers.
- 35. Ruby • The Ruby language supports the use of system commands. • Kernel.system provides means of injecting malicious input into the application to bypass security measures.
- 36. Struts • Struts allows you to do dynamic method invocation • http://host/struts2_security_vulnerability/ changepassword!changePassword.action? newPassword=my_new_password&username=bruce • <init-param> <param- name>struts.enable.DynamicMethodInvocation</ param-name><param-value>false</param- value></init-param>
- 37. Thanks!