SOFTWARE SECURITY BASICS
By CY L. https://github.com/cyl337
Photo credit: Yuri Samoilov, CC BY 2.0
OBJECTIVES OF THIS SHARING
- To provide a brief introduction to software security and web attacks
- To raise security awareness in program design and implementation
AGENDA
1. Overview on Software Security
2. Common Web Attacks
3. Secure Programming Practice
WHAT IS SOFTWARE SECURITY?
- Functionality concerns correctness, e.g. a search function should return results based on the user's input
- Security concerns preventing undesired behaviour, e.g. a search function should NOT reveal the admin password
UNDESIRED BEHAVIOURS
- Stealing information: breach of Confidentiality
- Modifying information or functionality: breach of Integrity
- Denying access: breach of Availability
SESSION'S FOCUS
In this session we will focus on:
- Reducing vulnerabilities caused by defects in design and implementation
- Avoiding web attacks in particular
Other areas not covered:
- Low-level attacks (buffer overflow)
- Static analysis and symbolic execution
- Defensive measures like anti-virus and firewalls
- Usable security, e.g. authentication and secure browsing
COMMON WEB ATTACKS
- Cross-Site Scripting (XSS)
- SQL Injection
- Cross-Site Request Forgery (CSRF)
COMMON WEB ATTACKS: CROSS-SITE SCRIPTING (XSS)
CROSS-SITE SCRIPTING (XSS)
- Subverts the Same Origin Policy
- Tricks the user's browser into believing that the origin of a malicious script is the trusted server
- The malicious script is executed with the access privileges granted to the trusted server
CROSS-SITE SCRIPTING (XSS)
[Figure: attack flow between the user's Browser, Attacker.com and Trusted.com. Labelled steps: 1. Inject malicious script; 4. Execute malicious script as though the trusted server meant us to run it.]
CROSS-SITE SCRIPTING (XSS)
Counter-measures
- Validate user input before publishing it
- Sanitizing: filter out all scripts (e.g. <script>, <javascript>)
  ... but there are ways to circumvent this
- White list: instead of full markup language support, use a simple restricted subset, e.g. markdown
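An added example (not from the slides) that puts the three counter-measures side by side on one constructed user comment: the script-tag filter, output encoding, and a whitelist renderer that supports only a tiny markdown-like subset. The comment text and the `*word*` emphasis syntax are assumptions for the demo.

```python
import html
import re

# Constructed sample comment (not from the slides): contains a script tag,
# a plain HTML tag, an ampersand and the *emphasis* we do want to support.
SAMPLE_COMMENT = 'Great post! <script>alert("xss")</script> I *love* it & <i>so on</i>'


def blacklist_filter(text: str) -> str:
    """The slide's 'filter out <script>' approach: drops script elements but
    leaves every other tag live in the page, so it is not a complete fix."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", text, flags=re.I | re.S)


def escape_output(text: str) -> str:
    """Sanitising by encoding: <, >, &, " and ' become entities, so the browser
    shows the text verbatim and never parses it as markup. This is for an HTML
    text or attribute context; JavaScript or URL contexts need their own encoder."""
    return html.escape(text, quote=True)


_EMPHASIS = re.compile(r"\*([^*<>]+)\*")


def render_restricted(text: str) -> str:
    """Whitelist approach from the slide: escape everything first, then
    re-introduce only a tiny markdown-like subset (*word* -> <b>word</b>).
    Raw HTML from the user cannot survive, because it was encoded in step one."""
    return _EMPHASIS.sub(r"<b>\1</b>", escape_output(text))
```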
COMMON WEB ATTACKS: SQL INJECTION
SQL INJECTION
- Inject SQL statements into the parameters of the original query statement
- The program confuses input data with code and executes the malicious SQL statements
SQL INJECTION
[Comic: http://xkcd.com/327/]
SQL INJECTION
Vulnerable login query: the user-supplied username and password are concatenated straight into the SQL text.
    String sql = "select * from user where username='" + username
               + "' and password='" + password + "'";
    Statement stmt = conn.createStatement();
    ResultSet rs = stmt.executeQuery(sql);
SQL INJECTION
With the username anyone' or 1=1; -- and the password whocares, the query built on the previous slide becomes:
    select * from user where
    username='anyone' or 1=1;
    -- ' and password='whocares';
The remainder of the original condition, including the password check, is commented out. A second payload appends a further statement:
    select * from user where
    username= 'anyone' or 1=1;
    DROP TABLE Users;
    -- ' and password='whocares';
SQL INJECTION
Counter-measures
- Validate user input
  - Whitelist
  - Blacklist: remove special SQL characters (e.g. ' ; - \)
- Escaping: escape special SQL characters
SQL INJECTION
Counter-measures
- Prepared Statement (Parameterized Queries): the SQL text is fixed and the input is bound as a value, never parsed as SQL
    String sql = "SELECT * FROM User WHERE userId = ?";
    PreparedStatement prepStmt = conn.prepareStatement(sql);
    prepStmt.setString(1, userId);
    ResultSet rs = prepStmt.executeQuery();
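An added example (not from the slides) that runs the concatenated query from the earlier slide and its parameterized counterpart side by side against an in-memory SQLite database, using the slide's own anyone' or 1=1 -- input. The table, rows and names are constructed; passwords are stored in plaintext only to keep the demo short.

```python
import sqlite3

# Constructed demo table (not from the slides). Plaintext passwords only to
# keep the example short; a real system stores salted password hashes.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.executemany("insert into user values (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Same construction as the slide's Java snippet: the input becomes part of
    the SQL text, so a quote character in it changes the query's structure."""
    sql = ("select username from user where username='" + username
           + "' and password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username: str, password: str) -> list:
    """Prepared statement: the SQL text is fixed and the inputs are bound as
    values, so the same payload is compared literally against the column."""
    sql = "select username from user where username=? and password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "anyone' or 1=1 --"     # the slide's injected username
    print(login_vulnerable(db, payload, "whocares"))      # every user matches
    print(login_parameterized(db, payload, "whocares"))   # no user matches
```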
SQL INJECTION
Counter-measures
- Limit privileges: limit the application user's access rights per DB table
COMMON WEB ATTACKS: CROSS-SITE REQUEST FORGERY (CSRF)
CROSS-SITE REQUEST FORGERY (CSRF)
- URLs with side effects, e.g. http://bank.com/transfer?amount=99999&to=attacker
- Users get tricked into visiting the crafted link while logged in
- ... and so make an unintended request
CROSS-SITE REQUEST FORGERY (CSRF)
[Figure: Browser, Attacker.com and bank.com, with the user logged on to bank.com; $$$ marks the money transfer.]
CROSS-SITE REQUEST FORGERY (CSRF)
Counter-measures
- Avoid URLs with side effects
- Check the HTTP Referer header
- Secretized link: include a secret token as a parameter in the query string
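An added example (not from the slides) of the last two counter-measures: a per-session secret token embedded in the transfer link and checked on the server, plus a Referer check. The Session class, the host bank.example and the URL layout are constructed stand-ins for the slide's bank.com scenario.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

SITE_HOST = "bank.example"   # constructed stand-in for the slide's bank.com


class Session:
    """Server-side session (stand-in for a servlet HttpSession). The anti-CSRF
    token is random per session and known only to the server and its pages."""
    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def transfer_link(session: Session, amount: int, to: str) -> str:
    """'Secretized link': the server renders the URL with the session's token."""
    return (f"https://{SITE_HOST}/transfer?amount={amount}&to={to}"
            f"&token={session.csrf_token}")


def handle_transfer(session: Session, url: str, referer=None):
    """Returns (accepted, reason). A link forged on another site carries no
    valid token (the attacker cannot read it), and a Referer from outside the
    site is rejected when the browser sends one. A GET with side effects is
    kept here only to mirror the slide; state changes belong in a POST."""
    if referer is not None and urlparse(referer).netloc != SITE_HOST:
        return False, "foreign referer"
    params = parse_qs(urlparse(url).query)
    supplied = params.get("token", [""])[0]
    if not hmac.compare_digest(supplied, session.csrf_token):  # constant time
        return False, "missing or invalid token"
    return True, f"transfer {params['amount'][0]} to {params['to'][0]}"
```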
CROSS-SITE REQUEST FORGERY (CSRF)
More information on other common attacks: https://www.owasp.org/index.php/Top_10_2013-Top_10
SECURE PROGRAMMING PRACTICE
A very common source of vulnerabilities is that the program confuses data with instructions.
SECURE PROGRAMMING PRACTICE
Trust with reluctance
- Always validate external input
- Eliminate input data which may be confused with an instruction
SECURE PROGRAMMING PRACTICE
Client-side validation
- Early feedback on the user's mistakes
- Better user experience
- But it can be circumvented, ALWAYS!
Server-side validation
- Gate keeper
- Should guard against any invalid input
- It can NEVER be replaced by client-side validation, NOT even partly
VARIOUS TYPES OF EXTERNAL INPUT
- Form field
- Query string
- Hidden form field
- Cookie
- Header
- AJAX
PRACTICE ON FORM PROCESSING
[Figure: the Servlet / controller / Managed Bean receives external input and passes it on to the Backend Handler / Session Bean; both arrows are labelled "External input".]
PRACTICE ON FORM PROCESSING
Problem: the backend expects untainted, trusted, valid input.
[Figure: the same Servlet / controller / Managed Bean to Backend Handler / Session Bean pipeline, with both inputs annotated "@tainted External input".]
PRACTICE ON FORM PROCESSING
Better approach: validate external input and only pass validated data to the backend.
[Figure: the Servlet / controller / Managed Bean now performs validation; input arrives as "@tainted External input" and only "@untainted Validated input" reaches the Backend Handler / Session Bean.]
PRACTICE ON FORM PROCESSING
Form VO: untrusted. Backend DTO: trusted.
    public String doSubmit() {
        if (validate(formVo, request) == PASS) {
            // Only validated data crosses into the trusted backend
            backendDto = composeDto(formVo, request);
            BackendHandler.process(backendDto);
            return "success";
        } else {
            // Reject input
            return "error";
        }
    }
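An added example (not from the slides) of the form-processing pattern above: an untrusted form VO with raw request strings, allowlist validation of every field, and a typed DTO that is only built after validation passes. The transfer form, its fields and the list standing in for BackendHandler.process are constructed for the demo.

```python
import re
from dataclasses import dataclass

PASS, FAIL = "PASS", "FAIL"


@dataclass
class TransferFormVo:
    """Form VO: untrusted, every field is the raw string from the request."""
    account: str
    amount: str
    memo: str


@dataclass(frozen=True)
class TransferDto:
    """Backend DTO: trusted, typed and range-checked; built only after PASS."""
    account: str
    amount_cents: int
    memo: str


ACCOUNT_RE = re.compile(r"\d{8,12}")             # allowlist: digits only
AMOUNT_RE = re.compile(r"\d{1,7}(\.\d{2})?")     # allowlist: 0 or 2 decimals
MEMO_RE = re.compile(r"[A-Za-z0-9 .,-]{0,40}")   # allowlist: no markup/quotes


def validate(form: TransferFormVo):
    """Allowlist validation of each external field; returns (PASS, []) or
    (FAIL, [reasons]). Anything not explicitly allowed is rejected."""
    errors = []
    if not ACCOUNT_RE.fullmatch(form.account):
        errors.append("account: must be 8-12 digits")
    if not AMOUNT_RE.fullmatch(form.amount) or float(form.amount) <= 0:
        errors.append("amount: positive number with at most two decimals")
    if not MEMO_RE.fullmatch(form.memo):
        errors.append("memo: only letters, digits, space and . , -")
    return (FAIL, errors) if errors else (PASS, errors)


def compose_dto(form: TransferFormVo) -> TransferDto:
    whole, _, frac = form.amount.partition(".")
    return TransferDto(form.account, int(whole) * 100 + int((frac + "00")[:2]),
                       form.memo.strip())


def do_submit(form: TransferFormVo, backend: list) -> str:
    """Mirror of the slide's doSubmit: only validated data crosses to the
    backend (a constructed list standing in for BackendHandler.process)."""
    status, errors = validate(form)
    if status == PASS:
        backend.append(compose_dto(form))
        return "OK"
    return "REJECTED: " + "; ".join(errors)
```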
SUMMARY
Software security is concerned with preventing breaches of:
- Confidentiality
- Integrity
- Availability
Some common web attacks and their countermeasures:
- XSS
- SQL Injection
- CSRF
Principle: trust with reluctance
- Always validate external input
REFERENCE
- 2013 Top 10 security risks, Open Web Application Security Project (OWASP): https://www.owasp.org/index.php/Top_10_2013-Top_10
- Software Security online course on Coursera: https://www.coursera.org/course/softwaresec
- Badstore, ISO image for demonstrating web application vulnerabilities: https://www.vulnhub.com/entry/badstore-123,41/