club-hack-magazine-43.pdf
TRANSCRIPT
8/12/2019 club-hack-magazine-43.pdf
www.chmag.in Aug2013| Page- 1
Oracle Hardening - Part 2
Introduction
While Oracle is designed to be "secure by default", this article explores a number of those defaults and the administrative settings that help to minimise exposure. Please remember that the strategies discussed here are presented as options to consider rather than definitive rules to apply. In the previous article (June 2013 issue) I went through OS-level permissions for securing Oracle databases; this part takes you a step closer towards Oracle hardening, making it harder for an attacker to break into the system. The focus is on the initialisation parameters you need to consider, with an explanation of what each parameter does, why it should be changed, and how to change it. Oracle security parameters will be covered in this part.
Abstract
The following template will be used for each parameter:
WHAT: What the parameter is used for and where it can be found;
WHY: The reason you should consider changing (or not changing) it;
VERSION: The Oracle versions it applies to;
COMMAND: The command to make the change (wherever applicable);
Thumb-rule: The information security cliché that applies (wherever applicable);
Recommended settings: A table of recommended settings, mostly combined for multiple parameters of a similar type (wherever applicable).
Solution
As mentioned above, let's start with the important security-related initialisation parameters of the Oracle database:
O7_DICTIONARY_ACCESSIBILITY
WHAT: Controls whether the "ANY" system privileges (SELECT ANY TABLE, EXECUTE ANY PROCEDURE and so on) reach objects in the SYS schema, i.e. the data dictionary. If the parameter is set to TRUE, access to objects in the SYS schema is allowed through those privileges. The default setting is FALSE.
P.S.: With the default FALSE, system privileges that allow access to objects in "any schema" do not allow access to objects in the SYS schema; dictionary base tables are reached only through explicit grants such as SELECT ANY DICTIONARY.
WHY: Unauthorized or inadvertent access to, and changes of, the data dictionary. With TRUE, every holder of SELECT ANY TABLE can read SYS.USER$ (password hashes) and similar tables.
Thumb-rule: Least privilege
VERSION: ALL
Command: Log in as SYSDBA and execute the ALTER SYSTEM command as:
ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE=SPFILE;
This is a static parameter, so the change takes effect after the instance is restarted.
_TRACE_FILES_PUBLIC
WHAT: Some errors in Oracle lead to the generation of trace files, and they can also be generated on demand by enabling the SQL_TRACE parameter. Trace files are written to the directory given by USER_DUMP_DEST or BACKGROUND_DUMP_DEST (in 11g and later both are derived from DIAGNOSTIC_DEST, under diag/rdbms/<db>/<instance>/trace).
By default trace files are created with read and write permission for the Oracle software owner and read-only permission for the Oracle installation group; other users have no read permission. On a pre-11g layout they can be found at, for example, /opt/oracle/ora11g/admin/orcl/udump. Oracle applies these permissions according to the hidden parameter _TRACE_FILES_PUBLIC: while it is FALSE, trace files are not readable by other users or public.
P.S.: The default value of _TRACE_FILES_PUBLIC is FALSE. It is not recommended to change it.
WHY: Trace files may contain important information about database security or sensitive details of data (SQL text, bind values, file paths, internal errors).
Thumb-rule: Need-to-know
VERSION: ALL
Command: Hidden parameters must be double-quoted in ALTER SYSTEM. If someone has set the parameter to TRUE, log in as SYSDBA and restore the default with:
ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE=SPFILE;
P.S.: While _TRACE_FILES_PUBLIC is TRUE, every newly generated trace file is created with read permission for other users and public. Files written in the meantime keep their permissions and have to be cleaned up by hand.
USER_DUMP_DEST
WHAT: Specifies the directory where the server writes debugging trace files on behalf of a user process. The value should never be set to *, and the directory should be owned by the Oracle software owner and not be writable by other users. From 11g the parameter is deprecated and ignored in favour of DIAGNOSTIC_DEST, which holds the same kind of files.
WHY: Trace files may contain important information about database security or sensitive details of data.
VERSION: ALL (DIAGNOSTIC_DEST from 11g)
Commands: The parameter can be set in the initialisation file as
user_dump_dest = 'directory'
e.g. user_dump_dest = 'R:\Oracle\Admin\NT92001\udump'
It can also be set at system level:
ALTER SYSTEM SET user_dump_dest = 'Q:\Udump';
UTL_FILE_DIR
WHAT: Specifies one or more directories (comma separated) that Oracle may use for PL/SQL file I/O through the UTL_FILE package. The value should never be set to *.
WHY: Every database user who can execute UTL_FILE (EXECUTE on it is granted to PUBLIC by default) can read or write every file in the listed directories, with the OS privileges of the Oracle software owner. A value of * therefore means that UTL_FILE can be used to read or write any directory on the system where the oracle OS user has permissions, including the data files, the password file and the trace directories. GREAT!! (for the attacker). Prefer DIRECTORY objects (CREATE DIRECTORY plus GRANT READ/WRITE per user) over this parameter: they can be granted selectively, need no restart, and later releases deprecate UTL_FILE_DIR in their favour.
VERSION: ALL
Commands: The parameter is static and can be set in the initialisation file as utl_file_dir = 'directory' (or in the spfile with SCOPE=SPFILE, followed by a restart).
P.S.: Quite often databases have utl_file_dir set to the same directory as user_dump_dest. If this is the case, any user can read, via UTL_FILE, trace files they would not ordinarily have access to. UTL_FILE_DIR and USER_DUMP_DEST should never be the same directory.
RESOURCE_LIMIT
WHAT: Specifies whether the resource limits defined in database profiles (SESSIONS_PER_USER, CONNECT_TIME, IDLE_TIME, CPU_PER_SESSION and so on) are enforced. The value should be set to TRUE.
WHY: With FALSE, the resource limits specified in profiles are silently not applied to users. The password limits in the same profiles (FAILED_LOGIN_ATTEMPTS, PASSWORD_LIFE_TIME, ...) are enforced regardless of this parameter, so this is mostly an availability issue rather than a security issue; but IDLE_TIME and SESSIONS_PER_USER are also what stops abandoned sessions and connection flooding, so a hardened configuration needs it.
VERSION: ALL
Commands: This parameter is dynamic and can be set at system level.
E.g. ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
TRANSACTION_AUDITING
WHAT: When TRANSACTION_AUDITING is TRUE, Oracle generates a special redo record at the start of each transaction that contains the user logon name, the user name, the session ID, some operating system information and client information. For each successive transaction of the session Oracle generates a record that contains only the session ID; these subsequent records link back to the first record, which also contains the session ID.
WHY: If set to FALSE these records are not written (the redo log itself is still generated), so redo-log analysis tools such as LogMiner cannot attribute changes to a user and session. Keep it TRUE if you rely on such tools for forensics.
VERSION: Visible as a normal parameter in older releases; in later releases it became a hidden parameter (_TRANSACTION_AUDITING), so check its current value rather than assuming it.
Commands: This parameter can be set at system level.
E.g. ALTER SYSTEM SET TRANSACTION_AUDITING = TRUE;
REMOTE_OS_AUTHENT
WHAT: REMOTE_OS_AUTHENT specifies whether remote clients (connections arriving over SQL*Net rather than local OS connections) are authenticated by the OS user name they present, prefixed with the value of OS_AUTHENT_PREFIX and matched against a database user created as IDENTIFIED EXTERNALLY. The default is FALSE.
WHY: With TRUE, the database trusts the client machine's claim about who is logged on. Anyone who can create a local account of the right name on any machine that can reach the listener logs in as the externally identified database user without a password. Allowing a remote OS to control authentication without intervention is very risky.
VERSION: ALL
Commands: This parameter is static and can be set at system level.
E.g. ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE=SPFILE;
P.S.: The remote_os_authent parameter has been deprec ated in Oracle 11g and is kept only for backward compatibility; strong external authentication (Kerberos, certificates) should be used instead for remote users.
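As an added example (not part of the original article), here is the whole baseline above folded into one audit script. It consumes the rows of SELECT name, value FROM v$parameter, plus the hidden _trace_files_public row that only SYS can read from x$ksppi/x$ksppcv, and returns a finding with the remediating ALTER SYSTEM statement for each deviation, including the cross-check that UTL_FILE_DIR does not contain USER_DUMP_DEST. The two sample instances, their paths and the function names are constructed for this example; the version caveats (DIAGNOSTIC_DEST on 11g, TRANSACTION_AUDITING hidden on newer releases) are handled by skipping parameters that are absent from the input.

```python
"""Audit Oracle initialisation parameters against the hardening baseline of this
article. Added example, not from the original article. Input rows come from
    SELECT name, value FROM v$parameter;
plus the hidden parameter, visible to SYS only:
    SELECT a.ksppinm, b.ksppstvl FROM x$ksppi a, x$ksppcv b
    WHERE a.indx = b.indx AND a.ksppinm = '_trace_files_public';
The rows embedded below are constructed so the script runs offline."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    name: str      # parameter name
    current: str   # value found ("" when unset)
    reason: str    # why the value is a problem
    fix: str       # remediation statement


# Static parameters only change in the spfile and need an instance restart.
STATIC = {"o7_dictionary_accessibility", "_trace_files_public",
          "utl_file_dir", "remote_os_authent"}

# Boolean parameters: expected value and what goes wrong otherwise.
EXPECT = {
    "o7_dictionary_accessibility": ("FALSE", "ANY-schema privileges reach the SYS data dictionary"),
    "_trace_files_public":         ("FALSE", "new trace files are created world-readable"),
    "remote_os_authent":           ("FALSE", "remote clients may assert their own OS user name"),
    "resource_limit":              ("TRUE",  "profile resource limits (IDLE_TIME, SESSIONS_PER_USER) are ignored"),
    "transaction_auditing":        ("TRUE",  "logon records are not written to redo; LogMiner cannot attribute changes"),
}


def alter_system(name: str, value: str) -> str:
    """Build the ALTER SYSTEM statement: hidden (underscore) parameters must be
    double-quoted, static ones need SCOPE=SPFILE (and a restart)."""
    ident = f'"{name}"' if name.startswith("_") else name.upper()
    scope = " SCOPE=SPFILE" if name in STATIC else ""
    return f"ALTER SYSTEM SET {ident} = {value}{scope};"


def _dirs(value: str) -> set:
    """UTL_FILE_DIR may hold several comma-separated directories."""
    return {d.strip().rstrip("/\\") for d in value.split(",") if d.strip()}


def audit_oracle_params(rows: Iterable[Tuple[str, Optional[str]]]) -> List[Finding]:
    """Return one Finding per deviation from the baseline; [] means it is met."""
    params = {n.lower(): ("" if v is None else str(v).strip()) for n, v in rows}
    findings: List[Finding] = []

    for name, (want, reason) in EXPECT.items():
        if name not in params:
            continue  # e.g. TRANSACTION_AUDITING is hidden on newer releases
        if params[name].upper() != want:
            findings.append(Finding(name, params[name], reason, alter_system(name, want)))

    udump = params.get("user_dump_dest", "").rstrip("/\\")
    if udump in ("", "*"):
        findings.append(Finding("user_dump_dest", udump, "trace directory unset or wildcard",
                                "-- point USER_DUMP_DEST (DIAGNOSTIC_DEST on 11g+) at a directory owned by the Oracle OS user"))

    ufd = _dirs(params.get("utl_file_dir", ""))
    reset = "ALTER SYSTEM RESET UTL_FILE_DIR SCOPE=SPFILE SID='*'; -- then grant DIRECTORY objects per user"
    if "*" in ufd:
        findings.append(Finding("utl_file_dir", params["utl_file_dir"],
                                "UTL_FILE may read/write every directory the Oracle OS user can", reset))
    if udump and udump in ufd:
        findings.append(Finding("utl_file_dir", params["utl_file_dir"],
                                "UTL_FILE_DIR contains USER_DUMP_DEST: trace files readable by every user", reset))
    return findings


# Constructed samples: a typical weak instance and a hardened one.
WEAK_SAMPLE = [
    ("o7_dictionary_accessibility", "TRUE"),
    ("_trace_files_public", "TRUE"),
    ("user_dump_dest", "/u01/app/oracle/admin/orcl/udump"),
    ("utl_file_dir", "/u01/app/oracle/admin/orcl/udump/, *"),
    ("resource_limit", "FALSE"),
    ("transaction_auditing", "FALSE"),
    ("remote_os_authent", "TRUE"),
]
HARDENED_SAMPLE = [
    ("o7_dictionary_accessibility", "FALSE"),
    ("_trace_files_public", "FALSE"),
    ("user_dump_dest", "/u01/app/oracle/diag/rdbms/orcl/orcl/trace"),
    ("utl_file_dir", None),
    ("resource_limit", "TRUE"),
    ("remote_os_authent", "FALSE"),
]

if __name__ == "__main__":
    for f in audit_oracle_params(WEAK_SAMPLE):
        print(f"{f.name}={f.current!r}: {f.reason}\n    {f.fix}")
```

Feed it the output of the two queries from a real instance as (name, value) pairs. Static parameters take effect only after a restart of the instance, and the DIRECTORY objects that replace UTL_FILE_DIR must be created and granted before the reset, or existing PL/SQL file I/O stops working.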
These are some of the important initialisation parameters; we will focus on permissions on Oracle tables and packages in the next article.
About the Author
Ajinkya Patil
http://avsecurity.in
Ajinkya is an Information Security professional with experience in conducting web application security, IT governance reviews, network security, database and OS reviews. He holds a CISA (Associate of ISACA) certification and an Information Security Management certification. He is also listed in the Hall of Fame of BlackBerry (RIM).
DSCI Security Framework for ISO 27001 Implementers
DSCI (Data Security Council of India), a NASSCOM body, has been set up as an independent self-regulatory organization to promote data protection, develop security and privacy best practices and standards, and encourage Indian industry to implement them [1].
DSCI has developed best practices for data protection in the form of two frameworks:
1. The Privacy Framework;
2. The Security Framework.
We will discuss the DSCI Security Framework (DSF from here onwards) for now (the Privacy Framework will be discussed in subsequent articles) and its relevance for ISO 27001 implementers.
The DSF has been developed in the form of 16 disciplines, each divided into 4 layers, that need to be implemented and established in order to help organizations implement information security. The discipline-centric approach helps in aligning an organization's thought process to the market and supports a maturity-based approach for both implementation and assessment.
[1] http://www.dsci.in/about-us
The 16 disciplines are as follows:
1. Security Strategy and Policy (SSP)
2. Security Organizations (SEO)
3. Asset Management (ASM)
4. Governance, Risk and Compliance (GRC)
5. Infrastructure Security (INS)
6. Application Security (APS)
7. Secure Content Management (SCM)
8. Threat and Vulnerability Management (TVM)
9. User Access and Privilege Management (UAP)
10. Business Continuity and Disaster Recovery Management (BDM)
11. Security Audit and Testing (SAT)
12. Security Monitoring and Incident Management (MIM)
13. Physical and Environmental Security (PEN)
14. Third Party Security Management (TSM)
15. Personnel Security (PES)
16. Data Security (DSC)
The four layers into which each discipline has been divided are:
1) Approach: An attempt has been made to describe the discipline and to set the expectations and the rationale behind its inclusion;
2) Strategy: Policy statements pertaining to implementation of the discipline are provided in this section to help management (senior / middle) set an appropriate direction towards successful implementation of the discipline;
3) Best Practices: This section details some of the best practices that have been observed over a period of time across industries pertaining to this discipline;
4) Maturity: This section identifies and articulates some characteristics of the discipline that showcase its evolution in an organization.
Benefits of the DSCI Privacy and Security Frameworks:
1. The discipline-based approach helps align an organization to market realities;
2. The layered approach helps in implementation and in client assurance. In light of recent regulations, security and privacy programmes have been implemented in many organizations across the country, both as due diligence and to provide appropriate assurance to clients regarding the security and privacy of their data.
Improvements wishlist:
1. A maturity model would be a welcome move (e.g., similar to ISM3 and SSE-CMM);
2. Awareness of the eco-system needs to be strengthened (expect more traction in the coming days as the system is new).
DSF and ISO 27001
For ISMS implementers, the framework provides important guidance towards implementation; in other words, the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping table of DSF disciplines vis-à-vis ISO 27001 accompanies the original article (NB: it is not an exhaustive list and is provided as an illustration only).
Image Credits
1) DSF (DSCI Security Framework) book image: http://images.nasscom.org/sites/default/files/imagecache/product_full/researchreports/images/DSF.jpg
2) http://www.dsci.in/sites/default/files/Security_homepage_0.jpg
Information Sources
1) http://www.dsci.in
2) http://www.ism3.com
3) http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/SSAIRBSP/SSECMMv2Final.pdf
Disclaimer
The opinions and viewpoints expressed here
are personal.
About the Author
M.S. Sripati, CISA
Sripati is an information security process consultant and software developer with overall experience of 8+ years in ISO 27001 and HIPAA compliant ISMS implementation, risk assessment and risk management. He is a self-driven professional who continuously keeps himself abreast of the latest happenings and regulations by being part of and participating in various information security forums. Check out his site.
Viproy - VoIP Penetration Testing and Exploitation Kit
Introduction
Viproy is developed to improve the quality of SIP penetration tests. It is a collection of Metasploit Framework modules focused on SIP tests, and it can be used with the Metasploit Framework GitHub edition or with Metasploit Pro. It has 10 different modules to test target SIP servers, with authentication and fuzzing support. Viproy also has a SIP library that extends the Metasploit Framework Rex library.
Description of Modules:
1) OPTIONS
The Options module can be used to discover target SIP services and devices.
2) REGISTER
The Register module can also be used to discover target SIP services and devices. In addition, it can register a client or a service, or test whether an account is valid.
3) INVITE
The Invite module is prepared to test the call features of target SIP services. Invite spoofing, billing or CDR bypass using custom proxy headers, Invite-based DoS attacks and sample call tests can be performed with it.
4) ENUMERATOR
The Enumerator module is prepared to enumerate users and internal numbers of target SIP servers. The enumeration step of a SIP pen-test can be performed with a user list file or a numeric user range.
5) BRUTE FORCE
The Brute Force module is prepared to perform advanced password attacks against SIP services. Password attacks can be initiated using user list files, numeric ranges and a passwords file. Password attack operations can be customized easily; for example, it can run a passwords file against a single target user, or a few specific passwords against a numeric range or a user list.
6) MESSAGE
The Message module is prepared to test the message features of SIP services. Message support is required to test value-added services and service operations of SIP operators. It supports message spoofing, simple fuzzing features and message-based DoS attacks.
7) PORT SCANNER
The Port Scanner module tests the registration features of SIP proxies. It can perform SIP bounce attacks to discover third-party SIP servers through the target SIP services.
8) DDOS AMPLIFICATION
The DDoS testing module is prepared to demonstrate DDoS attacks based on SIP error messages. SIP servers may send error messages 10+ times (retransmissions over UDP) in response to a single bogus request. The DDoS module can send IP-spoofed SIP requests to target SIP services, so that the amplified error traffic is directed at a third-party victim.
9) PROXY
The Proxy module is prepared to test SIP clients and SIP services with MITM proxy features. It supports basic search and replace functions to test SIP services. It can also be used to add new features to SIP clients, such as Invite spoofing, proxy headers and fuzzing.
10) TRUST ANALYZER
The Trust Analyzer module is prepared to test the trust relationships of SIP trunks. SIP trunks trust each other in UDP-based communications, and UDP source addresses are trivially spoofed. This module can send IP-spoofed Invite or Message requests to targets to determine trusted SIP trunks. When a trusted SIP trunk is detected, it can send spoofed calls and messages to target SIP clients. It also has simple fuzzing support to test target SIP clients through the trust relationship.
About the Author
Fatih Ozavci
[email protected]
Fatih Ozavci is a Senior Security Consultant at Sense of Security, Australia. He is the author of the Viproy VoIP Penetration Testing and Exploitation Kit, and he has published a paper on hacking SIP trust relationships. He has discovered many previously unknown security vulnerabilities, design and protocol flaws in VoIP environments for his customers. He also analyses VoIP design and implementation flaws and helps to improve VoIP infrastructures as a service. While Fatih's primary expertise is in VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed in network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. He is one of the speakers at Defcon 21, Black Hat 2013, Cluecon 2013 and Athcon 2013.
Network Security Basics Part-2
This section will demonstrate common information security problems mapped to the seven OSI layers and evaluate solutions to secure the organisation's information resources.
Layer 1 - Physical Layer
- The physical layer is responsible for the physical communication between end devices.
- The logical first step in securing our information is to ensure that the physical resources are not compromised.
- Quite often, technologists fail to recognize the importance of simple measures, like properly locking storage units, server cabinets, equipment rooms and office spaces.
- Gaining access to resources is the first step in compromising them. Where is the information stored and who might have physical access to it?
- Typically, efforts to physically secure information are a shared responsibility between technologists and those who manage the facility in which the information resides.
- In some organizations, you must have a card key, hardware key or biometric access to enter areas where sensitive information can be accessed.
- Even with the resources physically locked, they are at risk. Social engineering is a form of infiltration that takes advantage of common social interaction to gain physical access.
- Environmental factors should also be considered. In extreme circumstances, a good disaster recovery plan is essential in the event that information resources are compromised.
- Off-site data storage, asset inventories and vendor contacts are critical to knowing what to replace, where to get replacements and how to restore access.
Physical Layer Vulnerabilities
- Loss of power
- Loss of environmental control
- Physical theft of data and hardware
- Physical damage or destruction of data and hardware
- Unauthorized changes to the functional environment (data connections, removable media, adding/removing resources)
- Disconnection of physical data links
- Undetectable interception of data
- Keystroke and other input logging
Physical Layer Controls
- Locked perimeters and enclosures
- Electronic lock mechanisms for logging and detailed authorization
- Video and audio surveillance
- PIN and password secured locks
- Biometric authentication systems
- Training users against social engineering
- Physical locks, both on equipment and on the facilities housing the equipment, are imperative to keep intruders out: in order to use information one must have access to it.
- Building up a good disaster recovery plan
Layer 2 - Data Link Layer
- The data link layer is responsible for placing frames on the network medium and ensuring that delivery is error free. This is where the MAC (hardware) address of communication devices is used and checksums for delivery errors are applied.
- A device running in promiscuous mode together with a packet filter can be helpful to analysts and to attackers alike, for flow analysis, problem determination and code debugging.
- An attacker prefers using software to spoof a MAC address, capturing traffic destined for a specific machine. In either event, the traffic could contain important data or even usernames and passwords giving access to even more sensitive information.
Data Link Layer Vulnerability Examples
- MAC address spoofing (a station claims the identity of another)
- VLAN circumvention (a station may force direct communication with other stations, bypassing logical controls such as subnets and firewalls)
- ARP poisoning attacks (forged ARP replies redirect a victim's traffic through the attacker's station)
- Spanning Tree errors may be accidentally or purposefully introduced, causing the layer two environment to transmit packets in infinite loops
- In wireless media situations, layer two protocols may allow free connection to the network by unauthorized entities, or weak authentication and encryption may give a false sense of security
- Switches may be forced to flood traffic to all VLAN ports (MAC flooding exhausts the switch's address table) rather than selectively forwarding to the appropriate ports, allowing interception of data by any device connected to the VLAN
Data Link Layer Controls
- MAC address filtering: identifying stations by address and cross-referencing the physical port or logical access
- Layer 2 switches provide the ability to create logically separate LANs on the same physical device, called VLANs. Using traffic and protocol access control lists or filters provides some protection at this layer.
- Quality-of-Service marking and prioritization control protocols give us the ability to control and better utilize existing bandwidth. This is typically accomplished using appropriate class-of-service or differentiated services code point (DSCP) values.
- Disabling unused or untrusted Layer 2 ports reduces traffic to and from hosts.
- Do not use the default VLAN 1 for user traffic [5]. As you tighten up your defences at Layer 2, you will need to leave a port open for management purposes, preferably out-of-band.
- Do not rely on VLANs alone to enforce secure designs. Layers of trust should be physically isolated from one another, with policy engines such as firewalls between them.
- Wireless applications must be carefully evaluated for unauthorized access exposure. Built-in encryption, authentication and MAC filtering may be applied to secure networks.
- Telnet capabilities should be completely filtered if not required.
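As an added example (not from the original article), the ARP poisoning and MAC spoofing entries above turned into detection logic: the script parses tcpdump's ARP reply lines, remembers the first MAC announced for every IP and alerts on a change (critical when it is the gateway), on one MAC answering for more addresses than a host should, and, when a MAC allow-list is supplied (the MAC filtering control), on any unlisted station. The capture lines, addresses and thresholds are constructed for the example.

```python
"""ARP poisoning / MAC spoofing detector over tcpdump output ('ARP, Reply <ip> is-at <mac>').
Added example, not from the original article. The capture below is constructed."""
import re
from collections import defaultdict
from typing import Iterable, List, Optional, Set, Tuple

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

Alert = Tuple[str, str, str, str, str]   # (timestamp, kind, severity, ip(s), mac)


def parse_arp_replies(lines: Iterable[str]):
    """Yield (ts, ip, mac) for ARP replies; requests and non-ARP lines are ignored."""
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_poisoning(lines: Iterable[str], gateway_ip: str,
                         allowed_macs: Optional[Set[str]] = None,
                         max_ips_per_mac: int = 2) -> List[Alert]:
    table = {}                        # ip -> MAC first announced for it
    ips_by_mac = defaultdict(set)     # mac -> every ip it has claimed
    alerts: List[Alert] = []
    for ts, ip, mac in parse_arp_replies(lines):
        if allowed_macs is not None and mac not in allowed_macs:
            alerts.append((ts, "unknown-mac", "WARNING", ip, mac))
        previous = table.setdefault(ip, mac)
        if previous != mac:
            # A re-announcement with a different MAC is the signature of poisoning; if the
            # gateway's IP is taken over, all off-segment traffic flows through the attacker.
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append((ts, "binding-change", severity, ip, f"{previous} -> {mac}"))
            table[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:   # alert once, when the limit is crossed
            alerts.append((ts, "multi-ip", "WARNING", ",".join(sorted(ips_by_mac[mac])), mac))
    return alerts


# Constructed capture: gateway .1 and host .20 are legitimate; cc:..:99 then poisons both
# and also answers for .30, which is what a MITM of the whole segment looks like.
SAMPLE_CAPTURE = """\
10:00:01.000001 ARP, Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28
10:00:01.000002 ARP, Reply 192.168.1.20 is-at bb:bb:bb:bb:bb:20, length 28
10:00:02.000003 ARP, Request who-has 192.168.1.30 tell 192.168.1.20, length 28
10:00:05.000004 ARP, Reply 192.168.1.1 is-at cc:cc:cc:cc:cc:99, length 28
10:00:05.000005 ARP, Reply 192.168.1.20 is-at cc:cc:cc:cc:cc:99, length 28
10:00:06.000006 ARP, Reply 192.168.1.30 is-at cc:cc:cc:cc:cc:99, length 28
""".splitlines()

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_CAPTURE, "192.168.1.1"):
        print(" ".join(alert))
```

Legitimate events also change bindings (a DHCP lease moving to another host, a NIC replacement, a VRRP/HSRP failover of the gateway MAC), so correlate a binding-change alert with DHCP and switch logs before acting on it; arpwatch performs this kind of monitoring continuously in production.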
Layer 3 - Network Layer
- The network layer is used to determine the best path from the source to the destination host on a network.
- IP addresses are assigned and used at this layer for unique identification. For communication with the Internet a public IP address must be assigned. This address allows a system to contact the outside world and allows the outside world to contact the host, so it is logical to consider this border to our system as vulnerable.
Network Layer Vulnerabilities
- Route spoofing: propagation of false network topology
- IP address spoofing: false source addressing on malicious packets
- Identity and resource ID vulnerability: reliance on addressing to identify resources and peers can be brittle and vulnerable
Network Layer Controls
- Route policy controls: use strict anti-spoofing and route filters at network edges
- Firewalls with strong filter and anti-spoof policy
- ARP/broadcast monitoring software
- Implementations that minimize the ability to abuse protocol features such as broadcast
- Network Address Translation (NAT) is a service that temporarily maps a private IP address to a public IP address. In this sense, for a time, there is a one-to-one relationship between a private and a public address. It is necessary to lease a pool of public IP addresses for NAT to work.
- Port Address Translation (PAT), on the other hand, allows a single public IP address to be bound to multiple virtual ports. In this way, multiple networked hosts can share a single public identity on the Internet, providing a more cost-effective solution that also hides internal addressing. In either event, the
- Overloading of transport-layer mechanisms such as port numbers limits the ability to effectively filter and qualify traffic.
- Transmission mechanisms can be subject to spoofing and attack based on crafted packets and educated guessing of flow and transmission values (such as TCP sequence numbers), allowing the disruption or seizure of control of communications.
Transport Layer Controls
- Strict firewall rules limiting access to specific transmission protocols and sub-protocol information such as TCP/UDP port number or ICMP type
- Stateful inspection at the firewall layer, preventing out-of-state packets, illegal flag combinations and other phony packet profiles from entering the perimeter
- Stronger transmission and session-layer identification mechanisms to prevent the attack and takeover of communications
- Prioritization based on application allows us to better control and utilize our bandwidth; better control measures offer a more secure level of service.
- Further securing of this layer can take place by using a secure form of TCP:
  Extended Three-way Handshake extends traditional TCP handshaking to deliver negotiation data and key exchange data.
  State Transition is a secure TCP method that utilizes host state to differentiate authorized transmissions.
- Data integrity can be achieved through a MAC (Message Authentication Code), which lets the receiver detect whether an attacker has modified the data.
- Data confidentiality can be achieved through encryption and must be addressed at the same time as data integrity.
Layer 5 - Session Layer
- The session layer is used to facilitate communication with a receiving device by establishing, maintaining, synchronizing, controlling and terminating connections. In short, it deals with session handling between systems. During this process of communication, verification of entities can take place.
- Secure Sockets Layer (SSL), later standardised as Transport Layer Security (TLS), is a technology designed to confirm the identity of hosts and servers. Although called Transport Layer Security, this function lies just above the transport layer and, in the OSI mapping used here, is treated as session-layer based.
- SSL is often the protocol used for secure credit card transactions on the Internet. Using server authentication, the client verifies the server's identity through a certificate issued by a Certificate Authority (CA), using public key cryptography. The same can be applied in the other direction using client-side authentication.
- SSL uses different ciphers (cryptographic algorithms) to provide encrypted session services. Cipher suites provide a wide range of encryption settings.
- The SSL Handshake Protocol enables the client and server to negotiate which cipher suite will be used and, together with certificate-based authentication, to agree on session keys. This reduces susceptibility to a man-in-the-middle attack: even if the session is intercepted, the data is protected by encryption, and an interceptor without the server's private key cannot complete the handshake as that server.
Session Layer Vulnerabilities
- Weak or non-existent authentication mechanisms
- Passing of session credentials such as user ID and password in the clear, allowing interception and unauthorized use
- Session identification may be subject to spoofing and hijacking
- Leakage of information based on failed authentication attempts
- Unlimited failed sessions allow brute-force attacks on access credentials
Session Layer Controls
- Encrypted password exchange and hashed (salted, iterated) password storage
- Accounts have specific expirations for credentials and authorization
- Protect session identification information via random/cryptographic means
- Limit failed session attempts via a timing mechanism (increasing delay), not account lockout, which an attacker can turn into a denial of service against legitimate users
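The session-layer controls above, together with the MAC integrity control from the transport layer section, as an added example (not from the original article): session identifiers drawn from the OS CSPRNG, an HMAC tag so a tampered identifier is rejected in constant time, salted and iterated password hashes, an equal-cost path for unknown accounts so failed attempts do not reveal which user names exist, and a throttle that delays instead of locking out. The server key, the user table and the timings are constructed for the example.

```python
"""Session-layer controls: random session ids, HMAC-protected tokens, hashed
passwords and delay-based (not lockout) throttling of failed logins.
Added example, not from the original article; key and users are constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)      # constructed per-process key; load from a secret store in practice
PBKDF2_ROUNDS = 50_000
DUMMY_SALT = b"constructed-dummy-salt"  # used for unknown accounts so timing does not reveal them


def new_session_id() -> str:
    """256 bits from the OS CSPRNG; never a counter, timestamp or user-derived value."""
    return secrets.token_urlsafe(32)


def sign_session(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Bind the identifier to this server with an HMAC (the MAC integrity control)."""
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_session(token: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the session id if the tag is valid, else None; compare_digest is constant-time."""
    session_id, _, tag = token.rpartition(".")
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if session_id and hmac.compare_digest(tag, expected) else None


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_users(plain: Dict[str, str]) -> Dict[str, dict]:
    """Constructed user store: per-user random salt and PBKDF2 hash, never the password itself."""
    users = {}
    for account, pw in plain.items():
        salt = secrets.token_bytes(16)
        users[account] = {"salt": salt, "hash": password_hash(pw, salt)}
    return users


class LoginThrottle:
    """Delay instead of lockout: each failure doubles the wait before the account may
    try again (capped). Brute force slows to a crawl, yet nobody can lock a victim
    out by deliberately failing logins against their account."""

    def __init__(self, base: float = 1.0, cap: float = 60.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self.state: Dict[str, Tuple[int, float]] = {}   # account -> (failures, not_before)

    def wait_time(self, account: str) -> float:
        """Seconds the account must still wait; 0.0 means an attempt is allowed now."""
        _, not_before = self.state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record(self, account: str, success: bool) -> None:
        if success:
            self.state.pop(account, None)
            return
        failures = self.state.get(account, (0, 0.0))[0] + 1
        delay = min(self.cap, self.base * 2 ** (failures - 1))
        self.state[account] = (failures, self.clock() + delay)


def authenticate(account: str, password: str, users: Dict[str, dict],
                 throttle: LoginThrottle) -> Tuple[str, Optional[object]]:
    """Returns ("wait", seconds), ("denied", None) or ("ok", signed session token)."""
    wait = throttle.wait_time(account)
    if wait > 0:
        return "wait", wait
    rec = users.get(account)
    if rec is None:
        password_hash(password, DUMMY_SALT)          # same cost as a real check for unknown accounts
        ok = False
    else:
        ok = hmac.compare_digest(rec["hash"], password_hash(password, rec["salt"]))
    throttle.record(account, ok)
    return ("ok", sign_session(new_session_id())) if ok else ("denied", None)
```

The throttle state lives in memory here; a real deployment keys it in a shared store so an attacker cannot evade it by spreading attempts across servers, and it should be combined with a per-source-address limit, since the per-account delay alone does not slow an attacker who tries one password against many accounts.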
Layer 6 - Presentation Layer
- The presentation layer deals with the form the data takes when it is received, which includes encryption. Encryption techniques allow us to scramble the packet contents, requiring a secret key to reveal them.
- The stronger the encryption algorithm and key, the harder it is to gain access to the data.
- Proper planning is necessary to calculate security needs and balance them with resource limitations.
Presentation Layer Vulnerabilities
- Poor handling of unexpected input can lead to application crashes or surrender of control to execute arbitrary instructions.
- Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage.
- Cryptographic flaws may be exploited to circumvent privacy protections.
Presentation Layer Controls
- Careful specification and checking of received input coming into applications or library functions
- Separation of user input and program control functions: input should be sanitized and sanity-checked before being passed into functions that use it to control operation
- Careful and continuous review of cryptography solutions to ensure current security versus known and emerging threats
Layer 7 - Application Layer
- The application layer is the layer where services support user applications, and where authentication takes place.
- The most common form of authentication is username and password, where each user should have a unique ID and a confidential password. Therefore, it is essential to have an effective account policy.
- Encryption of these two credentials, username and password, is also feasible at this level. Application layer encryption adds yet another element of protection.
Application Layer Vulnerabilities
- Open design issues allow free use of application resources by unintended parties
- Backdoors and application design flaws bypass standard security controls
- Inadequate security controls force an all-or-nothing approach, resulting in either excessive or insufficient access
- Overly complex application security controls tend to be bypassed or poorly understood and implemented
- Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behaviour
Application Layer Controls
- Application-level access controls to define and enforce access to application resources
- Controls must be detailed and flexible, but also straightforward, to prevent complexity issues from masking policy and implementation weakness
- Standards, testing and review of application code and functionality: a baseline is used to measure application implementation and recommend improvements
- IDS systems to monitor application inquiries and activity
- Some host-based firewall systems can regulate traffic by application, preventing unauthorized or covert use of the network
About the Author
Anagha Devale-Vartak
http://avsecurity.in
Anagha is an Information Security professional with experience in Vulnerability Assessment, Web Application Audit, Database Audit, Antivirus Review and Compliance Audit. She holds CCNA and CEH certifications.