
The need for Secure Coding in an Enterprise

We live in a global village of interconnected systems that share data and other services. Such an environment calls for heightened awareness around application security. Enterprises should establish a strong application security program and integrate security into the entire software development lifecycle including the design, development, verification, and maintenance processes.

The following is an excellent infographic from Veracode on application security and where the vulnerabilities lie.

Secure Coding and Software Security

Infographic by Veracode Application Security

Resolve Facebook security warnings when a user enables https

Facebook has recently enabled sitewide https secure login for its users. If you haven't done so yet, you may want to enable secure login on your Facebook account. When a user who has https enabled lands on your page or Facebook app, your page may be generating security warnings about the web page content that was delivered.

The message is: "Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage."

Facebook Security Warning message for Applications

The reasons for these security warning messages:

  • Cross-domain content is being pulled together, which raises SSL warnings
  • If an FB app does not have the Secure Canvas URL set, the error message is shown
  • Content comes from FB, from the host of the third-party app and from the host where the content lives

Past

  • Facebook tabs were built with FBML (Facebook Markup Language), derived from HTML and using FB-approved JS and AJAX commands
  • A custom app sat inside a standard FBML tab and requested external data. Tech limitations – proxied through FB, broke JS, tracking pixels etc.

Now

  • Support for HTML Iframes (inline frames) as the display tech for page tabs
  • Support for XFBML and the JS dev kit – works in FB Iframes and in independent web pages
  • Can use any JS library, Flash, Silverlight
  • Apps such as all those silly games people play on Facebook often use Iframes rather than FBML so they can take advantage of Web technologies such as Flash
  • Accessing Facebook over a secure connection using HTTPS was a knee-jerk reaction. What most needs encryption is the session credentials.

Security risks

  • A FB tab can include JS that performs browser redirection to a malicious website
  • If exposing apps as FB tabs using Iframes, watch out for form submissions and other interactions that bypass proxies, for example the case where FB is blocked at work
  • The whole thing was started by Firesheep: hijack a user session and take over the account, because the session data was transmitted unencrypted and was sniffable over wifi
  • Rogue Apps – http://www.readwriteweb.com/archives/how_safe_are_facebook_applications.php

Recommendations

  • Do not try to run everything over SSL; it is expensive from a cost and performance perspective
  • Install an SSL cert on the web server hosting the app files. Get the SSL cert or the Progressive signed cert that is valid for the domain
  • Do not use a self-signed certificate
  • Remove http references to content.
  • Add https references where the content is known to be served over https. Example: loading jQuery from the googleapis.com ajax library
  • The same applies to any FB Connect code loaded over http
  • The best way is to use protocol-relative URLs. Start the URL with // to ensure the content is loaded over the same protocol as the parent page. That way, when someone visits your content via http://, the embedded content doesn't unnecessarily get encrypted.
  • Populate the Secure Tab URL field or Secure Canvas URL field in the app
  • You don't need SSL certs for every client: if you get a valid SSL cert for your domain and host all the content there, you can host multiple clients' iframe content
  • https://apps.facebook.com/contactajit/
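As an added example that is not part of the original post, here is a small Python checker that finds the http:// sub-resource references that trigger the warning above and rewrites them as protocol-relative // URLs, as recommended; the sample tab markup, hostnames and jQuery version are constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource or post a form;
# href is counted only on <link>, since on <a> it is navigation, not embedding.
URL_ATTRS = {"src", "action", "data"}


class InsecureRefFinder(HTMLParser):
    """Collects (tag, attribute, url) triples that point at plain http://."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            embeds = name in URL_ATTRS or (tag == "link" and name == "href")
            if embeds and value and value.lower().startswith("http://"):
                self.found.append((tag, name, value))


def find_insecure_refs(html):
    """Return every http:// reference that would trip the mixed-content warning."""
    parser = InsecureRefFinder()
    parser.feed(html)
    return parser.found


def rewrite_protocol_relative(html):
    """Rewrite each offending URL to its // form so it follows the parent page's scheme."""
    for _tag, _attr, url in find_insecure_refs(html):
        html = html.replace(url, "//" + url[len("http://"):])
    return html


# Constructed sample tab markup (hostnames and the jQuery version are made up):
# an http stylesheet and CDN script, an https image, an http form target, a plain link.
SAMPLE_TAB = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/tab.css">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js"></script>
</head><body>
<img src="https://static.example.com/logo.png">
<form action="http://app.example.com/submit"><input name="q"></form>
<a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_refs(SAMPLE_TAB):
        print(f"insecure {tag}@{attr}: {url}")
    print("after rewrite:", find_insecure_refs(rewrite_protocol_relative(SAMPLE_TAB)))
```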

 


SQL Injection Attacks explained for the Developer

SQL injection attacks have become the most widely exploited security attacks on the Internet, as they can usually bypass layers of security such as firewalls and other network detection sensors. They are used most often to attack databases and extract confidential information such as Social Security Numbers and credit card information.

According to the Verizon security report, in 2008 SQL injection ranked first among the attacks used to compromise databases: a staggering 79% of the 285 million records stolen.

SQL Injection attacks metrics

What is a SQL Injection Attack?

SQL injection happens when an application takes content from the user and uses that data to construct a SQL statement without validating or sanitizing it.

For example, take a sample SQL query:

    SELECT * FROM customers WHERE PolicyNum = '12345';

Now, if the input to this query is not properly sanitized, a malicious attacker can use it to execute arbitrary SQL statements such as

    SELECT * FROM customers WHERE PolicyNum = '12345'; DROP TABLE customers --'

In the above statement, the ' (quotation mark) character terminates the string literal in the SQL statement. The ; (semicolon) marks the end of the current statement. The -- (double dash) tells SQL to ignore the rest of the line. Here it comments out the trailing ' character, which would otherwise cause a SQL parser error.

How to write Secure Code to prevent SQL Injection attacks?

Applications invoke interpreters such as SQL or LDAP. These interpreters take commands and data and execute the instructions. Injection happens when user input crosses the line between code and data: an attacker sends malicious data or commands into the application, tricking it into behaving differently. Attackers could modify queries to gain access to unauthorized information or corrupt the data store.

  • Validate input to verify user data cannot modify the meaning of commands and database queries.
  • The account used to access the database must have the minimum amount of privileges required by the application. Do not use an administrator account. Enforce least privilege when connecting to databases and other backend systems.
  • Use stored procedures and parameterized queries to bind all supplied variables in the SQL query. The results of the query must match what was expected.
  • A secured file system is a good alternative for storing database credentials.

Parameterized Queries: Validate all parameters carefully to ensure they cannot modify the query. Treat all input variables as data only (i.e. bind all variables).

  • String concatenation must not be used to build SQL queries.
  • Treat embedded quotes etc. as plain characters rather than SQL, and the input parameter value as mere data.
  • Use strongly typed parameterized queries, such as SqlCommand with SqlParameter, or an Object Relational Mapping (ORM) technique like Hibernate (NHibernate on .NET).

Stored Procedures: Applications pass parameters to stored procedures. Stored procedures return result sets and/or output parameters. By using stored procedures, SQL expertise is moved to the database and developers no longer have to generate dynamic SQL in their code.

  • .NET: Use SqlCommand with CommandType.StoredProcedure
  • ASP: Use Server.CreateObject with command type: adCmdStoredProc

Connection Strings: A connection string or URL contains the attributes required for an application to access a database. Anyone with access to the code or configuration files where connection strings are usually stored, and with network access to the database (insider threat), can use those credentials to attack the database or steal information.

  • Encrypt connection strings and store them in the registry on the Windows platform using aspnet_setreg.exe.
  • Use the DPAPI (Data Protection API) in the .NET framework to encrypt/decrypt connection strings in the web.config file.
  • Limited database account: The account used to access the database must have the minimum amount of privileges required by the application. Only grant execute permissions on specific stored procedures in the database and provide no direct table access. This limits the damage an attacker can do if an attack successfully reaches the database.

Direct object references: Do not expose internal object references (ids) to users, whether as hidden fields or as other form parameters in the URL. A malicious attacker can manipulate these references and possibly access records outside their authorization scope on the next request. Database references commonly exposed include primary/foreign keys, column names and table names.

  • Use restrictions in the "where" clause to enforce access control. Such restrictions ensure 'expected' relationships remain true, such as the current user being the owner of the referenced account.

Example: A Quote table with a quoteID primary key and a userID foreign key

    SELECT * FROM quote WHERE quoteID = {current quote id}

is dangerous, whereas

    SELECT * FROM quote WHERE quoteID = {current quote id} AND userID = {current user id}

limits the query to the current user, where {current user id} comes from the session.

The results of the query must match what was expected. If a single record was expected, ensure that only one record was obtained. Validate the results returned from the database to see if they match, check for error codes, and handle any exceptions.
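The following is an added example, not the article's own code: it puts the dangerous and the restricted Quote queries above side by side against a constructed in-memory SQLite table, with sqlite3's ? placeholders standing in for SqlParameter binding and the hardened function also applying the single-record check.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Quote table: quoteID primary key,
    userID foreign key to the owning user (the sample rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE quote (quoteID INTEGER PRIMARY KEY, userID INTEGER, amount REAL);
        INSERT INTO quote VALUES (1, 100, 250.0), (2, 100, 410.5), (3, 200, 99.0);
    """)
    return conn


def quote_by_concat(conn, quote_id):
    """Dangerous form: the id is concatenated into the SQL text, so input that
    contains SQL (e.g. a tautology) changes the meaning of the WHERE clause,
    and no ownership check is applied at all."""
    sql = f"SELECT quoteID, userID FROM quote WHERE quoteID = {quote_id}"
    return conn.execute(sql).fetchall()


def quote_for_user(conn, quote_id, session_user_id):
    """Restricted form: bound parameters keep the input as data only, and the
    userID taken from the session enforces that the caller owns the quote.
    Exactly one row is expected; anything else is treated as a failed lookup."""
    rows = conn.execute(
        "SELECT quoteID, userID FROM quote WHERE quoteID = ? AND userID = ?",
        (quote_id, session_user_id),
    ).fetchall()
    if len(rows) != 1:  # result did not match what was expected
        return None
    return rows[0]


if __name__ == "__main__":
    db = make_db()
    print(quote_by_concat(db, 2))               # [(2, 100)]
    print(quote_by_concat(db, "1 OR 1=1"))      # all three rows: the tautology widened the query
    print(quote_for_user(db, 2, 100))           # (2, 100): user 100 owns quote 2
    print(quote_for_user(db, 3, 100))           # None: quote 3 belongs to user 200
    print(quote_for_user(db, "1 OR 1=1", 100))  # None: bound as a literal, matches nothing
```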

Using SHODAN to find insecure Servers, Routers and gain ROOT access

SHODAN lets you find servers, routers, etc. by using the simple search bar. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well.

Let's say you want to find servers running the 'Apache' web daemon. A simple attempt would be to use:

    apache

How about finding only Apache servers running version 2.2.3?

    apache 2.2.3

You can also narrow down the results using the following search parameters:

    country: 2-letter country code
    hostname: full or partial host name
    net: IP range using CIDR notation (ex: 18.7.7.0/24)
    port: 21, 22, 23 or 80

For example, to get all web (port:80) hosts running 'apache' in Switzerland (country:CH) that also have '.ch' in any of their domain names:

    apache country:CH port:80 hostname:.ch

SHODAN is the brainchild of John Matherly aka @achillean.

How about something really bad. Hopefully the webmasters below are taking steps to upgrade from IIS 4.

Get all web (port:80) hosts running 'IIS 4.0' in the United States (country:US):

    IIS 4.0 country:US port:80

Gain root shell access exploiting the built-in shell (ash)

The query below is not confirmed but shows the power of SHODAN. Thanks to HD Moore.

    http://shodan.surtri.com/?q=port:23+"list+of+built-in+commands"