Friday, February 13, 2009

Notes on first 9 CWE/Sans errors.

Note from Fred: Please forgive the formatting on this post...I copied and pasted from a Word doc to share with a friend of mine and the formatting didn't translate very well. I don't want to delete the post and too lazy to reformat everything so I'm leaving as-is.


1) CWE20- Improper input validation.
a. Summary
i. Prevalence – High
ii. Remedy Cost – Low
iii. Frequency - often
b. The number 1 killer of healthy software
c. SSL does not protect you from some injection attacks
d. Validate your input. Use an “accept known good” strategy – reject all input that doesn’t conform and assume all input is malicious
e. For example:
i. if you have a numeric identifier and you shouldn’t allow alphanumeric
ii. Entering a negative number instead positives and a bank balance is credited instead of deducted
iii. Passing in a size into a method that creates an array. If the size = 0, an array of length 0 would be created and if any items are attempted to be added to the array, an exception would occur.
f. Input can arrive via Form fields or input parameters on web service clients
g. Many common vulnerabilities can be thwarted using proper validations
h. Applicable to all computer languages
i. Likelihood of occurrence – High
j. XSS (CWE-79) or SQL Injection (CWE-89) are 2 consequences in a failed input mechanism.
k. Solution? Validation framework (Spring) combined with client side UI validation frameworks such as you get from a JS library like Dojo or GWT or Flex.
i. Apache Commons Validator (http://commons.apache.org/validator/) – which is what I think Struts used
ii. Try to check client side as much as possible to reduce server processing
iii. Ajax libraries – should look at these calls also and provide server side checks since these can open an application up to DOM based XSS attacks. A lot of times, Ajax libraries gather data and replace a DIV tag with data. If an attacker can inject some javascript in there or similar code, then XSS will be a problem.
l. Validate entries as separate entities and then validate combined. Sometimes individual entities pass but when combined it can transform into something else that doesn’t pass.
m. Code examples:
i. Check on client via regular expression, javascript, Flex properties, JSTL
ii. Check on server side via validation frameworks like Spring, PHP framework
iii. You have a form field that is SSN: make sure it has 3 digits, 2 digits and 3 digits: \d{3}-\d{2}-\d{4}
iv. Only allow alphanumeric characters with 40 characters in length.
n. Ff
o. Ff
p.
2) CWE-116 - http://cwe.mitre.org/top25/#CWE-116 – Improper encoding or escaping of output
a. Summary
i. Prevalence – high
ii. Remedy Cost – low
iii. Frequency – often
b. Likelihood of exploit – Very high
c. Root of most injection attacks. This is due to the fact that the nature of injection involves the violation of structured messages.
d. Attack: Attacker modifies commands sent to other components inserting malicious commands
e. Solution: When program generates output to other components in the form of messages such as queries or requests, it needs to separate control information from metadata.
f. Caution: be care in Web applications of this type of attacks where encoding can come into play for a variety of inputs: URIs, CSS attributes or HTML body.
g. Examples:
i. Getting a variable from the request and display on a webpage without properly escaping. String email = request.getParamter(‘email’); Email = email;
ii. Replacing characters with %7c (looking for and ; characters can help prevent chain-of-command attacks since OS’s can separate commands by these characters.)
iii. Replacing < or looking for these types of characters in inputs.
iv. Wikis can be especially vulnerable since they allow a subset of HTML characters as input for formatting. Use strict whitelists for this type of checking.
v. Input validation is not always sufficient. In the case of SQL injection, the last name O’Reilly would pass initial validation since it is a common last name. However, the “’” character would be stripped since it is a common SQL injection character but if this is done, the last name is altered and that may not be sufficient.
h. ??? – Look at Java encoding and escaping. For example, when inserting text into XML or HTML code, the HTML must be preserved so you would put in < instead of < href="http://cwe.mitre.org/top25/#CWE-89">http://cwe.mitre.org/top25/#CWE-89 – SQL Injection
a. Summary
i. Prevalence – high
ii. Remedy Cost - low
iii. Frequency – often
b. Likelihood of exploit – Very high
c. Targets data rich applications that store and retrieve data from a database.
d. This attack results in the 3 classic security characteristics:
i. Confidentiality – if an attacker can read your sensitive DB information
ii. Authentication – an attacker can use these attacks to assume the role of a user, even more devastating if user has admin privs
iii. Integrity – If attacker can modify data as well as read, then the data can be changed resulting in low integrity.
e. Solutions: ORMs such as Hibernate that build SQL based upon the HQL that you build.
f. Solution: use parameterized queries
g. Solution: use stored procs.
h. Solution: replace ‘ with “
i. Solution:reduce dynamic generations of SQL query strings. If you do make sure to scrub parameters supplied to DAO classes to reduce injection attacks. Since the DAOs execute on the server side, you don’t have to worry about CWE 602
j. Proper output encoding is best defense for SQL injection
k. Examples:
i. Take for example the following SQL: SELECT * FROM ITEMS WHERE OWNER= ? AND ITEMNAME = ?
ii. If the user enters: name’ or ‘a’=’a for itemname then the query becomes: SELECT * FROM ITEMS WHERE OWNER=’wiley’ AND ITEMNAME = ‘name’ or ‘a’=’a’
l. Java’s security traps have SQL injection at the top of the list. Researchers are using the Findbugs Eclipse plug in to scan for vulnerabilities

Think java is not SQL injection resistant?

rs = stmt.executeQuery(“select * from users where uname = ‘” + uName+ “’”);

4) CWE-79 - http://cwe.mitre.org/top25/#CWE-79 – Failure to preserve web page structure (XSS)
a. Summary
i. Prevalence – high
ii. Remedy Cost - low
iii. Frequency - often
b. Duplicating of client side validations on the server side seems to be a common remedy.
c. Most prevalent and dangerous vulnerabilities
d. Software developer discipline is very important to thwart XSS attacks
e. Attackers can inject JS and other code directly into the webpages that you generate
f. CWE116 – using proper output encoding can aid in XSS attacks. Most effective solution
g. Solution: set UTF-8 for your browser encoding so the browser doesn’t have to guess which encoding to use and allow yourself open to XSS
h. Solution/Example: (stored XSS) we have a web app that contains text areas that take free-form comments, etc. I can enter the following text: “
” and save. Once I bring up that record again, it brings the text into the web page and an alert box will pop up that says “Hello”.
i. Solution: (Reflected XSS) – attacker emails or posts a link to a site that contains malicious commands in the URL. When the user visits the link, the offending code can cause cookie or other private information to transfer to the attacker.
j. Solution: Practice the least privileges for users. If a superuser is subjected to a stored XSS attack, the dynamic content could provide very sensitive data from the superuser to the attacker.
k. Solution: scrub HTTP request parameters against white lists to detect common XSS exploits coming in from a URL. For example, if a web page accepts a user id from request parameters, if it contains standard text, that’s OK. However, if an attacker adds in source code or Javascript, the web page will not display the text, but execute the script.
l. Research: this blog: http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss details research on Java frameworks to see how they do in preventing XSS attacks.
i. Solution: instead of using JSP EL (expression language) use JSTL such as c:out. Also see: note: still if a developer scrubs outkput for HTML, javascript, this can be prevented. http://www.owasp.org/index.php/J2EE_Bad_Practices:_JSP_Expressions
ii. Problems reported with Spring MVC (form:input / form:error) appears to be fixed
try { firstname = request.getParameter("firstname"); }
catch (Exception e) { e.printStackTrace(); }
userName = firstname;
...
pw.print(" Thanks for your feedback, " + userName + "! ");
This code allows an attacker to spit back code to the browser. For example:

5) CWE 78 - http://cwe.mitre.org/top25/#CWE-78 Failure to preserve OS command structure (OS Command injection)
a. Summary
i. Prevalence – Medium
ii. Remedy Cost – Medium
iii. Frequency - often
b. Allows attackers to execute unexpected, dangerous commands directly to the OS.
c. Leads to vulnerabilities in which the attacker does not direct access to the OS
d. Exacerbated if rule of least privilege is not followed
e. Proper encoding that supports OS commands can lessen damages
f. Java example: use the runtime.exec command to run OS commands:
initCmd = System.getProperty(“init_cmd”);
runtime.exec(initCmd);
6) CWE 319 - http://cwe.mitre.org/top25/#CWE-319 Cleartext transmission of sensitive information
a. Summary
i. Prevalence – Medium
ii. Remedy Cost – Medium
iii. Frequency - Sometimes
b. Susceptible to sniffers when you send sensitive information across a network
c. Solution: encrypt
d. Solution: Use SSL from beginning to end, not just the initial login page
e. More info: Security Now podcasts on cryptography
f. Tools – TrueCrypt
g. From OWASP:
i. Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. Encryption (usually SSL) must be used for all authenticated connections, especially Internet-accessible web pages, but backend connections as well. Otherwise, the application will expose an authentication or session token. In addition, encryption should be used whenever sensitive data, such as credit card or health information is transmitted. Applications that fall back or can be forced out of an encrypting mode can be abused by attackers.
ii. Common errors include the use of weak or deprecated SSL ciphers which can be broken and subject to man in the middle attacks. Most web servers, by default, allow insecure SSL ciphers such as SSLv2
h.
7) CWE 352 - http://cwe.mitre.org/data/definitions/352.html Cross - site Request Forgery
a. Summary
i. Prevalence – High
ii. Remedy Cost – High
iii. Frequency - Often
b. Attacker tricks a user into activating a request that goes to another site. It looks like the user is the one who initiated the request when in reality it was the attacker. If there is no way to authenticate a request was intentionally sent by a user, it will be possible for an attacker to trick the client into submitting a request to the web server.
c. May not seem like a big deal but the attacker can assume all authority on a particular site that the user has
d. Especially handy if the user has admin privs – Employ rule of least privilege
e. XSS worms that stampede through very large websites in minutes is CSRF combined with XSS
f. CSRF – can be done with image loads, via a URL, or XMLHttpRequest
g. Results? – data disclosures, unintentional code execution.
h. Solution: ensure your defenses are up to date to thwart XSS attacks CWE79
i. Example: Fusion News (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1703) example allows attackers to add user accounts. If an admin is logged in, a comment in an img tag calls index.php tag that creates a new account each time the admin goes to the page with the img tag
j. Solution: Do not use GET requests for any request that changes state
8) CWE 362 – Race Conditions http://cwe.mitre.org/data/definitions/362.html
a. Summary
i. Prevalence – Medium
ii. Remedy Cost – Med to High
iii. Frequency - Sometimes
b. Occurs in multi threaded applications
c. Denial of service and data corruption are normal attacks
d. Use thread safe capabilities
e. Avoid shared resources across threads
f. Solution: avoid threading for other multitasking solutions like queues.
9) CWE 209 – Error message information leak - http://cwe.mitre.org/data/definitions/209.html
a. Summary
i. Prevalence – High
ii. Remedy Cost – Low
iii. Frequency - Often
b. Using chatty error messages could disclose secrets to attackers
c. Solution: ensure error messages only contain the minimal amount of information
d. Solution: log more detailed information in log files. Be careful that log files cannot be read by attackers. Don’t log passwords in log files
e. Avoid messaging that may tip off attackers such as “password is invalid”. That could tip the attacker that the userid is valid and give them more information.
f. A SQL injection attack may not succeed but error information displayed as a result could give the attacker more information to launch a more focused attack
g. Example: Java – try catch blocks that System.out.println the actual message that goes back to the screen in an error message. Handle exceptions internally
Risky Resource Management.
10) Failure to constrain operations with the bounds of a memory buffer - http://cwe.mitre.org/top25/index.html#CWE-119
a. Summary
i. Prevalence – High
ii. Remedy Cost – Low
iii. Frequency – Often
b. Buffer overflows
c. Java is supposedly note susceptible to BO but applets and other attached technologies like Java Web start and more importantly the Java runtime environment are.
i. Java simply does not provide any way to store data into memory that has not been properly allocated.
d. Problems when software written in C/C++ are more susceptible
11) CWE-642 – External control of critical state data http://cwe.mitre.org/top25/#CWE-642
a. Summary
i. Prevalence – High
ii. Remedy Cost – Medium
iii. Frequency – Often
b. Revolves around the persisting of data not saved into a database but in other stores:
i. Cookies
ii. Hidden form fields
iii. Profiles
iv. Configuration files
v. Registry keys
vi. Input parameters on the URL
c. Apache Tomcat servers if not configured correctly can suffer from this attack.
i. Disable shutdown port
ii. Remove example applications that ship with Tomcat installation
iii. Force Tomcat to not cache content requiring authentication
d. Stateless protocol such as HTTP, if you want to persistent stateful information across pages, the data must be stored somewhere. Therefore, it exposes it to a malicious attacker.
e. Solution: do not store information on the client without encryption and integrity checking.
f. Solution: store state information only on the server side
g. Solution: use a framework that maintains state information for you
h. Potential attacks:
i. Shopping cart is affected when price modification occurs to a hidden form field
i. Solution implementation: Use Spring Web Flow / MVC coupled with Acegi Security to implement remember-me authentication
12) CWE 73 – External Control of File Name or Path http://cwe.mitre.org/top25/#CWE-73
a. Summary
i. Prevalence – High
ii. Remedy Cost – Medium
iii. Frequency – Often
b. When using outside or user supplied input to construct file names, an attacker can use combinations of “../” to make the system navigate outside of the intended directory.
c. If you let a user specify an external URL from which your application will download code, this sets up for worms and Trojans.
d. Solution: run only as lowest level privileged user.
e. Use whitelists to that limit characters such as “../”
f. Example:
g. Af
h.
13) CWE 426 – Untrusted search path http://cwe.mitre.org/top25/#CWE-426
a. Summary
i. Prevalence – Low
ii. Remedy Cost – Medium
iii. Frequency – Rarely
b. When locating critical system resources when running applications, for example properties files or code libraries, an attacker tries to modify the path to point to their versions. This could lead to malicious activities.
c. Solution: when running another program or accessing a file, use a fully qualified path name.
d. Solution: be careful to avoid system PATH variables when executing external programs or config files
e. Sanitize directory or folder paths when doing these activities
f. Example: if you run a program to access $PATH/file/program.sh and the attacker modifies PATH, then they could point to their application and run it with raised privileges.
14) CWE 94 – Failure to control generation of code (code injection) –
a. Summary
i. Prevalence – Medium
ii. Remedy Cost – High
iii. Frequency – Sometimes
b. If you have any code that dynamically generates code, an attacker can inject their own to alter the intended control flow of the software.
c. If you have an application that accepts as input actual source code, then you set yourself up for this attack.
d. Important to note that all injections differs from buffer overflows since buffer overflows require some other further issue to gain execution.
e. Example – by using encoding characters, an attacker could inject code where a programmer would only expect a string.
15) CWE 494 – Download of code without integrity check http://cwe.mitre.org/top25/#CWE-494
a. Summary
i. Prevalence – Medium
ii. Remedy Cost – Medium to High
iii. Frequency – Rarely
b. When downloading code to execute from a remote location, make sure to verify the origin and integrity of code
c. Attacker can use DNS spoofing, compromise the host server, or modify the code in transit.
d. Solution: use encrypted channels when accessing remote code, for example thru the Java URL objects.
e. If your software provides a solution to download code, make sure to digitally sign your code. I think even in Vista, you can do this to prevent the nasty Unauthorized message that makes people not trust your software.
f. Could this become more important of have higher rates of frequency for SaaS or Mobile computing?
16) CWE 404 – Improper resource release or shutdown http://cwe.mitre.org/top25/#CWE-404
a. Summary
i. Prevalence – Medium
ii. Remedy Cost – Medium
iii. Frequency – Rarely
b. Likelihood of exploit – Low to medium
c. Solution: use technologies that automatically garbage collect.
d. Solution: be sure to clean up unneeded cookie data. Is it possible to delete cookies?
e. Solution: be sure to clean up yourself by deleting unneeded records in databases, freeing unneeded resources, setting objects to null.
i. In Java, in DAO’s, make sure to use Spring JDBC to clean up for you or make sure to free DB connections from the pools. Otherwise, users can be denied access due to exhausted connections.
f. This is a common problem in general system performance but an attacker could get a resource leak to intentionally happen, then they could launch a DoS attack.
g. Apache Tomcat is vulnerable here – If you don’t configure your tomcat logging appropriately via logging.properties, then you could fill up catalina.out and degregade performance.
17) CWE 665 – Improper Initialization - http://cwe.mitre.org/top25/#CWE-665
a. Summary
i. Prevalence – Medium
ii. Remedy Cost – Low
iii. Frequency – Sometimes
b. Likelihood of exploit – medium
c. Problem: software the fails to properly initialize variables that lead to garbage or unintended values in variables when first using them.
d. Solution: use languages that must provide initializers like Java.
e. Solution: Use Eclipse IDE or similar when coding. The code assist tools contained within these modern IDEs alert programmers to conditions such as these. The compiler will not allow you to move forward until variables are properly initialized.
f. Solution: follow good programming practices about declaring and initializing variables just before first use. Don’t declare all variables at the top of the code block.
18) CWE 682 – Incorrect calculations
a. Summary
i. Prevalence – High
ii. Remedy Cost – Low
iii. Frequency – Often
b. Likelihood of exploit – high
c.
19)
20)
21) Action items:
a. Maybe talk about last 3 as a group
b. Mike to come up with examples for the last 3
c. Code snippets
d. Config files files examples
e. Cookie setting examples
f. Send me some branding stamps for OWASP. Powerpoint branding

No comments:

Post a Comment