software security basics

Post on 13-Apr-2017

TRANSCRIPT

OBJECTIVES OF THIS SHARING

To provide a brief introduction on software security and web attacks

To raise security awareness in program design and implementation

By CY L. https://github.com/cyl337 2

AGENDA

1. Overview on Software Security

2. Common Web Attacks

3. Secure Programming Practice


WHAT IS SOFTWARE SECURITY?

Functionality concerns Correctness, e.g. a search function should return results based on the user's input.

Security concerns Preventing Undesired Behaviour, e.g. a search function should NOT reveal the Admin password.

UNDESIRED BEHAVIOURS

Stealing Information: Breach of Confidentiality

Modifying Information or functionality: Breach of Integrity

Denying Access: Breach of Availability

SESSION'S FOCUS

In this session we will focus on:

Reducing vulnerabilities caused by defects in design and implementation

Avoiding web attacks in particular

Other areas not covered:

Low-level attacks (buffer overflow)

Static analysis and symbolic execution

Defensive measures like anti-virus and firewalls

Usability security like authentication and secure browsing


COMMON WEB ATTACKS

Cross-Site Scripting (XSS)

SQL Injection

Cross-Site Request Forgery (CSRF)

COMMON WEB ATTACKS: Cross-Site Scripting (XSS)

CROSS-SITE SCRIPTING (XSS)

Subverts the Same Origin Policy

Tricks the user's browser into believing that the origin of the malicious script is the trusted server

The malicious script is executed with the access privilege granted to the trusted server

CROSS-SITE SCRIPTING (XSS)

[Diagram with three parties: Browser, Attacker.com, Trusted.com. Step 1: inject malicious script. Step 4: execute malicious script as though the trusted server meant us to run it.]

CROSS-SITE SCRIPTING (XSS)

Counter-measures

Validate user input before publishing it

Sanitizing: filter out all scripts (e.g. <script>, <javascript>) ... but there are ways to circumvent this

White List: instead of full markup language support, use a simple restricted subset, e.g. markdown
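The two counter-measures above, as an added Python example that is not part of the slides: output encoding with `html.escape` for the case where no markup needs to be published at all, and an allowlist sanitizer built on the standard library's `html.parser` for the "restricted subset" case. The set of permitted tags (`ALLOWED_TAGS`) and the sample comment are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Assumption: the restricted subset of markup the application is willing to publish.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}


def escape_for_html(untrusted: str) -> str:
    """Output encoding: the user's text is rendered as text, never as markup.

    This is the default choice when the page does not need to publish any
    markup: <, >, &, " and ' become character references.
    """
    return html.escape(untrusted, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only ALLOWED_TAGS, with every attribute dropped.

    Tags outside the allowlist (including <script>) are discarded; their text
    content is kept but HTML-escaped, so nothing the user typed can become an
    element or an attribute (event handlers, URLs) in the published page.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")  # attributes are intentionally dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always escaped, even inside an allowed element.
        self.parts.append(html.escape(data, quote=True))

    def result(self) -> str:
        return "".join(self.parts)


def sanitize_allowlist(untrusted: str) -> str:
    """Whitelist approach from the slide: keep a tiny subset, drop everything else."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comment, as a user might submit it.
    sample = '<b onclick="x()">hello</b><script>alert(1)</script>'
    print(escape_for_html(sample))     # whole string rendered as visible text
    print(sanitize_allowlist(sample))  # <b>hello</b>alert(1)
```

The design point is the direction of the filter: the blacklist on the slide has to enumerate everything dangerous and is circumvented by whatever it forgot, whereas the allowlist only has to enumerate the handful of tags the application actually needs. A real deployment would use a maintained sanitizer library rather than this forty-line parser, but the shape of the check is the same.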

COMMON WEB ATTACKS: SQL Injection

SQL INJECTION

Inject SQL statements into the parameters of the original query statement

The program confuses input data with code and executes the malicious SQL statements

SQL INJECTION

http://xkcd.com/327/

SQL INJECTION

// Vulnerable: user-supplied username and password are concatenated into the query text
String sql = "select * from user where username='" + username + "' and password='" + password + "'";
stmt = conn.createStatement();
rs = stmt.executeQuery(sql);

SQL INJECTION

The query the program actually runs after injection:

select * from user where username='anyone' or 1=1;
-- ' and password='whocares';

select * from user where username='anyone' or 1=1;
DROP TABLE Users;
-- ' and password='whocares';

SQL INJECTION

Counter-measures

Validate user input

Whitelist

Blacklist: remove special SQL characters (e.g. ' ; - \)

Escaping: escape special SQL characters

SQL INJECTION

Counter-measures

Prepared Statement (Parameterized Queries)

String sql = "SELECT * FROM User WHERE userId = ?";
PreparedStatement prepStmt = conn.prepareStatement(sql); // the statement text never contains user input
prepStmt.setString(1, userId);                           // the value is bound as data, not parsed as SQL
ResultSet rs = prepStmt.executeQuery();
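The concatenated query from the earlier slide next to its parameterized form, as an added Python example using the standard library's `sqlite3` module (not code from the slides). The in-memory table and its two rows are constructed for this example, and the plaintext password column only mirrors the slide's query; a real system stores password hashes.

```python
import sqlite3

# Constructed sample data (not from the slides).
SAMPLE_USERS = [("alice", "s3cret"), ("admin", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: the same string-building pattern as the slide's Java snippet.

    The quote in the username closes the string literal, so the rest of the
    input is parsed as SQL syntax.
    """
    sql = ("select * from user where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the statement text is fixed and the values travel
    separately, so a quote in the input is compared as data, never parsed."""
    sql = "select * from user where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "anyone' or 1=1; -- "  # the username from the slide
    print("concat   :", login_concat(db, payload, "whocares"))  # every row: login bypassed
    print("parameter:", login_param(db, payload, "whocares"))   # no row: payload is just a string
    print("normal   :", login_param(db, "alice", "s3cret"))     # one row: legitimate login
```

`sqlite3`'s `execute()` runs a single statement at a time and raises `ProgrammingError` if a second one follows, so the slide's stacked `DROP TABLE` variant fails in this particular driver; drivers or APIs that accept multiple statements per call would run it. The fix is the same in either case: the parameterized form does not depend on the driver's stacking behaviour because the input never reaches the SQL parser.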

SQL INJECTION

Counter-measures

Limit privileges: limit the database user's access rights per DB table

COMMON WEB ATTACKS: Cross-Site Request Forgery (CSRF)

CROSS-SITE REQUEST FORGERY (CSRF)

URLs with side effects, e.g. http://bank.com/transfer?amount=99999&to=attacker

Users get tricked into visiting the crafted link while logged in, and so make an unintended request

CROSS-SITE REQUEST FORGERY (CSRF)

[Diagram with three parties: Browser, Attacker.com, bank.com. The user is logged on to bank.com; the forged request moves money ($$$).]

CROSS-SITE REQUEST FORGERY (CSRF)

Counter-measures

Avoid URLs with side effects

Check the HTTP Referer header

Secretized link: include a token as a parameter in the query string
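The three counter-measures above applied to a transfer request, as an added Python example that is not part of the slides. The request is modelled as a plain dict standing in for a framework's request object; the site origin `SITE_ORIGIN`, the server secret, the session id and the dict layout are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for this example: the protected site's origin, and a server-side
# secret that is never sent to the browser.
SITE_ORIGIN = "https://bank.com"
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Secretized link/form: a token the attacker's page cannot know or guess.

    The token is an HMAC over the session id and a random nonce, so it cannot
    be produced without SERVER_SECRET and is useless for another session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str) -> bool:
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def check_transfer_request(req: dict, session_id: str) -> tuple:
    """Returns (accepted, reason) for a request shaped like
    {"method": ..., "headers": {...}, "form": {...}}."""
    # 1. No side effects via GET: following a link must never move money.
    if req.get("method") != "POST":
        return False, "state-changing request must use POST"
    # 2. Referer check: the form must have been served by this site. Browsers
    #    and proxies may strip the header, so the absent case fails closed.
    referer = req.get("headers", {}).get("Referer")
    if referer is None:
        return False, "missing Referer"
    parts = urlsplit(referer)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-origin Referer"
    # 3. Token check: the request must carry the token issued to this session.
    if not verify_csrf_token(req.get("form", {}).get("csrf_token", ""), session_id):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    session = "sess-42"  # constructed session id
    token = issue_csrf_token(session)
    legit = {"method": "POST", "headers": {"Referer": f"{SITE_ORIGIN}/transfer"},
             "form": {"amount": "10", "to": "bob", "csrf_token": token}}
    forged = {"method": "GET", "headers": {"Referer": "https://attacker.com/"},
              "form": {"amount": "99999", "to": "attacker"}}
    print(check_transfer_request(legit, session))   # (True, 'ok')
    print(check_transfer_request(forged, session))  # (False, 'state-changing request must use POST')
```

The token is the check that actually decides the outcome: the other two narrow the attack surface, but the Referer header is under the browser's control rather than the server's, and a form that posts instead of linking still needs the token to prove it came from a page the server rendered for this session.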

CROSS-SITE REQUEST FORGERY (CSRF)

More information on other common attacks: https://www.owasp.org/index.php/Top_10_2013-Top_10


SECURE PROGRAMMING PRACTICE

A very common source of vulnerability is that the program confuses data with instructions

SECURE PROGRAMMING PRACTICE

Trust with Reluctance

Always validate external input

Eliminate input data which may be confused with instructions

SECURE PROGRAMMING PRACTICE

Client-side validation: early feedback on the user's mistakes and a better user experience. But it can be circumvented, ALWAYS!

Server-side validation: the gate keeper, which should guard against any invalid input. It can NEVER be replaced by client-side validation, NOT even partly.

VARIOUS TYPES OF EXTERNAL INPUT

Form field

Query string

Hidden form field

Cookie

Header

AJAX

PRACTICE ON FORM PROCESSING

[Diagram: External input -> Servlet / controller / Managed Bean -> External input -> Backend Handler / Session Bean]

PRACTICE ON FORM PROCESSING

Problem: the backend expects untainted, trusted, valid input

[Diagram: @tainted External input -> Servlet / controller / Managed Bean -> @tainted External input -> Backend Handler / Session Bean]

PRACTICE ON FORM PROCESSING

Better approach: validate external input and only pass validated data to the backend

[Diagram: @tainted External input -> Servlet / controller / Managed Bean with validation -> @untainted Validated input -> Backend Handler / Session Bean]

PRACTICE ON FORM PROCESSING

Form VO: Untrusted. Backend DTO: Trusted.

public String doSubmit() {
    if (validate(formVo, request) == PASS) {
        // Only validated values are copied into the trusted DTO
        backendDto = composeDto(formVo, request);
        BackendHandler.process(backendDto);
        return "success"; // navigation outcome (assumed)
    } else {
        // Reject input
        return "failure"; // navigation outcome (assumed)
    }
}
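The validate-then-compose pattern above, together with the earlier points that server-side validation is the gate keeper and that hidden fields, cookies and headers are external input too, as an added Python example that is not part of the slides. The transfer form, its business limits (`MAX_AMOUNT`, `RECIPIENT_RE`), the `TransferDto` fields and the dict shapes of `form_vo` and `request` are assumptions made for this example.

```python
import re
from dataclasses import dataclass

PASS = "PASS"
REJECT = "REJECT"

# Assumptions for this example: business limits for a transfer form.
MAX_AMOUNT = 10_000
RECIPIENT_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # allowlist of characters, not a blacklist


@dataclass(frozen=True)
class TransferDto:
    """Backend DTO: trusted and typed, built only from validated values."""
    amount: int
    recipient: str
    account_owner: str


def validate(form_vo: dict, request: dict) -> tuple:
    """Server-side gate keeper. Every value in form_vo is a raw string from the
    client (visible fields, hidden fields, query string, cookies, headers),
    whatever client-side JavaScript may already have checked."""
    errors = []
    amount = form_vo.get("amount", "")
    if not amount.isdigit() or not (0 < int(amount) <= MAX_AMOUNT):
        errors.append(f"amount must be a whole number between 1 and {MAX_AMOUNT}")
    if not RECIPIENT_RE.fullmatch(form_vo.get("to", "")):
        errors.append("recipient contains characters outside the allowed set")
    # A hidden field such as form_vo["account_owner"] is as editable as a
    # visible one, so it is ignored: the owner comes from the server session.
    if not request.get("session_user"):
        errors.append("not authenticated")
    return (PASS, []) if not errors else (REJECT, errors)


def compose_dto(form_vo: dict, request: dict) -> TransferDto:
    """Called only after validate() returned PASS; converts to typed values."""
    return TransferDto(amount=int(form_vo["amount"]),
                       recipient=form_vo["to"],
                       account_owner=request["session_user"])


def do_submit(form_vo: dict, request: dict) -> tuple:
    """Mirror of the slide's doSubmit(): returns ("accepted", dto) or ("rejected", errors)."""
    status, errors = validate(form_vo, request)
    if status == PASS:
        return "accepted", compose_dto(form_vo, request)
    return "rejected", errors


if __name__ == "__main__":
    # Constructed submissions: the second tampers with a hidden field and the
    # amount, the third puts SQL syntax in the recipient.
    session = {"session_user": "alice"}
    print(do_submit({"amount": "250", "to": "bob", "account_owner": "alice"}, session))
    print(do_submit({"amount": "99999", "to": "bob", "account_owner": "admin"}, session))
    print(do_submit({"amount": "250", "to": "bob' or 1=1; --"}, session))
```

The backend handler receives a `TransferDto` and nothing else, so it never has to reason about strings, hidden fields or sessions; the controller is the single place where tainted input becomes trusted data, which is exactly the boundary the diagram draws.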

SUMMARY

Software security concerns preventing breaches of Confidentiality, Integrity and Availability

Some common web attacks and their countermeasures: XSS, SQL Injection, CSRF

Principle: Trust with reluctance. Always validate external input

REFERENCE

2013 Top 10 security risks | Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/Top_10_2013-Top_10

Software Security online course on Coursera: https://www.coursera.org/course/softwaresec

Badstore - ISO image for demonstrating web application vulnerabilities: https://www.vulnhub.com/entry/badstore-123,41/
