The message is “Do you want to view only the webpage content that was delivered securely?

This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage”

The reason for these security warning messages:

• Cross domain content being pulled together to raise SSL warnings
• If an FB app does not have the Secure Canvas URL set, the error message will be shown
• Content coming from FB, host of the third party app and from the host where the content is

Past

• Use Facebook tabs using FBML (Facebook Markup Language), derived from HTML and using FB approvied JS and AJAX commands
• Custom app inside standard FBML tab. External data requested by app. Tech limitations – proxied through FB, broke JS, tracking pixels etc

Now

• Support for HTML Iframes (inline frames) as display tech for page tabs
• Supporting this XFBML and JS dev kit – works in FB Iframes and independent web pages
• Can use any JS library, Flash, Silverlight
• Apps such as all those silly games people play on Facebook often use IFrames rather than HTML so they can take advantage of Web technologies such as Flash
• Access Facebook over a secure connection using HTTPS – knee jerk reaction. The highest priority that needs encryption are the session credentials.

Security risks

• A FB tab can include JS that performs browser redirection to a malicious website
• If exposing apps as FB tabs using Iframes, need to watch out for any form submissions and other interactions that bypass proxies for example – FB blocking at work case
• Whole thing started by FireSheep – hijack a user session and take over the account because the session data was being transmitted unecrypted and was sniffable over wifi
• Rogue Apps – http://www.readwriteweb.com/archives/how_safe_are_facebook_applications.php

Recommendations

• Do not want to run everything over SSL. Expensive from cost and performance perspective
• Install an SSL cert on the webserver hosting the app files.  Get the SSL cert or the Progressive signed cert – valid for the domain
• Do not use a self signed certificate
• Remove http references to content.
• Add https references when its known https code. Example: using the jquery from googleapis.com ajax library
• Same for any FB connect code over http
• Actually best way is to use protocol relative URL. Start it with // – ensure content is loaded from the same protocol as the parent page. That way when someone does visit your content via http:// the content you are embedding doesn’t unnecessarily get encrypted.
• Populate the Secure Tab URL field or Secure Canvas URL field in the app
• Don’t need SSL certs for every client, but if you get a valid SSL for your domain and host all the content on them, can host multiple client’s iframe(s) content
• https://apps.facebook.com/contactajit/

According to the Verizon Security report, in 2008 SQL Injection attacks ranked first when using to compromise databases – a staggering 79% of the 285 million records stolen.



What is a SQL Injection Attack?

SQL Injections happen when some application takes in content from the user and uses that data to construct a SQL statement without validating or sanitizing that content.

For example, let us take a sample SQL query

SELECT * FROM customers WHERE PolicyNum = ’12345′;

Now, if this query is not properly sanitized, then a malicious attacker can use it to execute arbitrary SQL statements such as

SELECT * FROM customers WHERE PolicyNum = ’12345′; DROP TABLE customers –’

In the above statement, the ‘(quotation mark) character terminates the string literal in the SQL statement. The ;(semicolon) indicates it is the end of the current statement. The –(double hash) tells SQL to ignore the rest of the text. In this case, the ‘ character is ignored, which if not would cause a SQL parser error.

How to write Secure Code to prevent SQL Injection attacks?

Applications invoke interpreters, including SQL or LDAP. These interpreters take commands and data and execute the instructions. Injection happens when user input crosses the line between code and data where an attacker sends malicious data or commands into the application, tricking it into behaving differently. Attackers could modify queries to gain access to unauthorized information or corrupt the data store.

• Validate input to verify user data cannot modify the meaning of commands and database queries.
• The account used to access the database must have the minimum amount of privileges required by the application. Do not use an administrator account. Enforce least privilege when connecting to databases and other backend systems.
• Use stored procedures and parameterized queries to bind all supplied variables in the SQL query. The results of the query must match what was expected.
• A secured file system is a good alternative to store database credentials.

Parameterized Queries: Validate all parameters carefully to ensure they cannot modify the query. Treat all input variables as data only (i.e. bind all variables).

• String concatenation must not be used to build SQL queries.
• Treat embedded quotes etc as simple characters and not SQL and the input parameter value as mere data.
• Use strongly typed parameterized queries, such as SqlCommand with SqlParameter or an Object Relational Mapping (ORM) technique like Hibernate in .NET.

Stored Procedures: Applications pass parameters to stored procedures. Stored procedures return result sets and/or output parameters. By using stored procedures, SQL expertise is moved to the database and developers no longer have to generate dynamic SQL in their code.

• .NET: Use SqlCommand with CommandType.StoredProcedure
• ASP: Use Server.CreateObject with command type: adCmdStoredProc

Connection Strings: A connection string or URL contains the attributes required for an application to access a database. Anyone with access to code or configuration files where connection strings are usually stored, and network access to the database(insider threat) can use credentials to attack the database or steal information.

• Encrypt connection strings and store them in the registry on Windows platform using aspnet_setreg.exe.
• Use the DPAPI (Data Protection API) in the .NET framework to encrypt/decrypt connection strings from web.config file.
• Limited database account: The account used to access the database must have the minimum amount of privilege required by the application. Only grant execute permissions to specific stored procedures in the database and provide no direct table access. This limits the damage that an attacker can do if an attack successfully reaches the database.

Direct object references: Do not expose internal object references (ids) to users. This could be in the form of hidden fields or other form parameters in the URL. A malicious attacker can manipulate these references and possibly access records outside of their authorization scope for the next request. Database references commonly exposed include Primary/foreign keys, column names, and table names.

• Use restrictions in “where” clause to enforce access control. Such restrictions ensure ‘expected’ relationships remain true such as the current user is owner of referenced account.

Example: A Quote table with quoteID primary key and userID foreign key

SELECT * FROM quote WHERE quoteID = {current quote id} is dangerous
SELECT * FROM quote WHERE quoteID = {current quote id} AND userID ={current user id} limits queries to current user where {current user id} is coming from the session.

The results of the query must match what was expected. If a single record was expected, then ensure that only one record was obtained. Validate results returned from database to see if they match, check for error codes, and handle any exceptions.

SHODAN lets you find servers/ routers/ etc. by using the simple search bar up above. Most of the data in the index covers web servers at the moment, but there is some data on FTP, Telnet and SSH services as well. SHODAN is the brainchild of John Matherly aka @achillean

Lets say you want to find servers running the ‘Apache’ web daemon. A simple attempt would be to use:

apache

You can also narrow down the results using the following search parameters:

country:2-letter country code

hostname:full or partial host name

net:IP range using CIDR notation (ex: 18.7.7.0/24 )

port:21, 22, 23 or 80

How about something really bad. Hopefully, the webmasters below are taking steps to upgrade from IIS 4

Get all web (port:80) hosts running ‘IIS 4.0′ in United States (country:US)

IIS 4.0 country:US port:80

Gain root shell access exploiting built in shell (ash)

The query below is not confirmed but shows the power of SHODAN. Thanks to HDMoore

http://shodan.surtri.com/?q=port:23+”list+of+built-in+commands”

• jCryption encrypts on the client with Javascript and decrypts on the server with PHP.
• A keypair is automatically generated on every request to send data by the user. This adds an extra layer of security.
• jCryption was build on top of the Multiple-Precision library and uses Barrett Modular Reduction library as well.
• It is completely free and has been dual licensed under the MIT and GPL licenses.
• Has been tested and works with all modern browsers such as Firefox 3, Chrome, Opera 9+ and legacy browsers such as IE6.

Caution when considering jCryption

• jCryption must not be used as a replacement for SSL as it currently does not provide authentication and no protection against MITM (Man-in-the-middle) attacks.
• Because the encryption is performed on the client side, if the client has disabled javascript and that maybe the case in some corporate environments, the form data will be sent unencrypted.
• File uploads are also not encrypted because of performance reasons as there is no fast way of accessing and applying encryption to data inside a file.

jCryption is hosted on Google Code and is available for download.

Still not convinced? Check out the jCryption demo.

Click here to view the embedded video.

Instead, if you’re a developer, fill out the form at https://services.google.com/fb/forms/wavesignupfordev/

Or, if you’re not a developer, fill out the form at https://services.google.com/fb/forms/wavesignup/

These are the only ways to get a Google Wave account.

PS, the Wave blog has the latest on roughly when to expect accounts:

* For developers –

http://googlewavedev.blogspot.com/2009/07/google-wave-sandbox-update.html

* For non-developers –

http://googlewavedev.blogspot.com/2009/07/google-wave-updates-from-todays.html