Sunday, August 17, 2014

Unhandled exceptions and secure coding

We all want our programs to run under explicit control, doing exactly what the user or other processes need. But as we know, that does not always happen. This has caused the rise of several large components of software development: Quality Assurance (QA) testing, Test Driven Design (TDD), etc. These processes try to identify all the reasons why a program may fail. Nevertheless, even with these processes, programs fail for many reasons.

This weekend I went to one of my favorite web sites (www.movies.com) to look for a movie to watch. I clicked on one of the controls and received an exception. This is a major Internet site. I hope nothing bad comes of this for movies.com, but this is not a good thing for a major web site. movies.com gets about 15,000 users a month visiting their site and is ranked 3,152 among top sites by daily users and page views. To see the exception that prompted this blog post, scroll to the bottom of this post.

One of the principles of secure programming is to fail securely. Many programmers simply do not look at exception handling as part of secure coding. One of my favorite sayings is “An error message to a cyber criminal is like a bone to a dog: something good to chew.”

Exceptions throw out a lot of very useful information: file paths, database names, database table names, server names, program names, module names, line numbers, etc. All of this information is very helpful to developers at 3:00 a.m. trying to debug a production issue. The same information is also helpful to a cyber criminal. Many forms of attack require knowing or guessing the locations of files; with exception information out in the open, you are reducing the time and guesswork the bad guy needs to find a vulnerability to enter your application. It also raises a red flag to the bad guys that something is amiss here, and that this may be a good place to start for something bad to happen at your organization.

All exceptions need to be caught and sanitized before propagating them to upstream callers and/or displaying them.

A few suggestions on handling exceptions in a more secure way:

  1. Log your exceptions, but remember to sanitize what you log. Never log passwords or other highly sensitive information. Look closely at user input to make sure you really need to log that information.
  2. Display an error message that lets the user know something is wrong with the application. The programmer who needs the error information at 3 a.m. should be trained to know where to look for additional error information in a log.
  3. Clean up state if the application is going to fail. Cleanup often involves reclaiming resources, rolling back transactions, or some combination of these two, among others. Some of this can be automated. Make sure the entire cleanup mechanism is also tested in QA.
  4. Fail-secure should be part of the application design and included in the functional specification, not left to individual implementers.
  5. Make sure programmers are not using the anti-pattern of “exception swallowing” (catching an exception and silently discarding it).


Summary:

How your application will fail securely should be part of the design document and reviewed early in the lifecycle. Use the programming framework to detect an exception, and then augment the framework's exception handling with activities that are performed after the system has detected the exception.

Carefully consider the content of error messages displayed to the user, to ensure that those messages cannot be used to launch a more serious attack.

Finally, a process should be in place that ensures that all errors and exceptions are logged and that the logs are audited periodically, both to detect (and potentially prevent) malicious activity that appears in the audit trail and to confirm that no confidential information is being logged.


References:
https://www.owasp.org/index.php/Secure_Coding_Principles#Fail_securely
http://msdn.microsoft.com/en-us/magazine/cc188938.aspx
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
http://en.wikipedia.org/wiki/Error_hiding



Exception: www.movies.com
Server Error in '/' Application.
1. In GetTheaterShowTimes()

2. Passed movieId: 

3. Passed zipCode: 74012

6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012

7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012

10. forceRetrieve = True

11. resultsDoc == null? False

12. Trying to get results from file system!


Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace:    at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
  at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)
  at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)
  at System.Xml.XmlTextReaderImpl.ParseElementContent()
  at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)
  at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
  at System.Xml.XmlDocument.Load(XmlReader reader)
  at System.Xml.XmlDocument.Load(String filename)
  at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254
  at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.


Exception Details: System.ApplicationException:
1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False
12. Trying to get results from file system!
Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace:    at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)   at System.Xml.XmlTextReaderImpl.ParseElementContent()   at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)   at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)   at System.Xml.XmlDocument.Load(XmlReader reader)   at System.Xml.XmlDocument.Load(String filename)   at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254   at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372


Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace: [ApplicationException:

1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7. and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False
12. Trying to get results from file system!

Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace: at System.Xml.XmlTextReaderImpl.Throw(String res, String arg) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type) at System.Xml.XmlTextReaderImpl.ParseElementContent() at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace) at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc) at System.Xml.XmlDocument.Load(XmlReader reader) at System.Xml.XmlDocument.Load(String filename) at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254 at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372] Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:649 Mdc.Movie.Presentation.TheaterSelectionPage.OnLoad(EventArgs e) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.Presentation\TheaterSelectionPage.aspx.cs:529 System.Web.UI.Control.LoadRecursive() +71 System.Web.UI.Page.ProcessRequestMain(Boolean 
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3178


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446

Thursday, June 12, 2014

Privacy

Here is a good definition of privacy...

An individuals’ ability to determine how much, to whom, and when / for how long Information about themselves is revealed.

Here is another definition...
The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.

I think the first definition cuts to the heart of the matter a little quicker with a more simple and accessible definition.  


Tuesday, June 10, 2014

Privacy and the internet

A lot has been in the media recently about encrypting emails using Gmail. But email isn't the only thing being looked at concerning your privacy. I decided for this blog post to show two infographics. I have already talked about this subject in several blog posts, but showing the same information again on an important subject can't hurt.


[Infographic: Internet Privacy Tips Statistics 2014. This infographic was published on AnsonAlex.com.]

Here is the last infographic on privacy I have for this blog post.

Sunday, May 11, 2014

Tulsa School of Dev



Don't forget May 16: free training at the OUS downtown campus, an all-day event. For more information go to http://tulsaschoolofdev.com

Client Side Coding - JavaScript

JavaScript has several known security vulnerabilities. With HTML5 and JavaScript becoming more prevalent in web sites today, and with more web sites moving to responsive web design and its dependence on JavaScript, the developer needs to understand what vulnerabilities to look for.

The most significant vulnerabilities in JavaScript are cross-site scripting (XSS) and Document Object Model (DOM)-based XSS.

Detection of DOM-based XSS can be challenging, for the following reasons:

• JavaScript is often obfuscated to protect intellectual property.
• JavaScript is often compressed out of concern for bandwidth.

In both of these cases it is strongly recommended that the code reviewer and QA be able to review the JavaScript before it has been obfuscated and/or compressed.

Another aspect that makes code review of JavaScript challenging is its reliance on large frameworks such as Microsoft .NET and JavaServer Faces, and the use of JavaScript frameworks such as jQuery, Knockout, Angular and Backbone. These frameworks aggravate the problem because the code can only be fully analyzed given the source code of the framework itself, and the frameworks are usually several orders of magnitude larger than the code the reviewer needs to review. Because of time and money, most companies simply accept that these frameworks are secure, or that the risks are low and acceptable to the organization.

Because of these challenges we recommend a hybrid analysis for JavaScript: manual source-to-sink validation when necessary, static analysis, black-box testing and taint testing.

First, use static analysis. Developers, code reviewers and the organization need to understand that, because of event-driven behaviors, complex dependencies between the HTML DOM and JavaScript code, and asynchronous communication with the server side, static analysis will always fall short and may produce both false-positive and false-negative findings.

Traditional black-box detection of reflected or stored XSS needs to be performed. However, this approach will not work for DOM-based XSS vulnerabilities.

Taint analysis needs to be incorporated into the static analysis engine. Taint analysis attempts to identify variables that have been ‘tainted’ with user-controllable input and traces them to possibly vulnerable functions, also known as ‘sinks’. If the tainted variable gets passed to a sink without first being sanitized, it is flagged as a vulnerability.

Second, the developers and QA need to be certain the code was tested with JavaScript turned off, to make sure all client-side data validation is also validated on the server side.

Code examples of JavaScript vulnerabilities:

<html>
<script type="text/javascript">
// document.URL is attacker-influenced; writing part of it into the page
// unencoded makes document.write a DOM-based XSS sink.
var pos=document.URL.indexOf("name=")+5;
document.write(
document.URL.substring(pos,document.URL.length));
</script>
</html>

Explanation: An attacker can send a link such as "http://hostname/welcome.html#name=<script>bad code here</script>" to the victim, resulting in the victim's browser executing the injected client-side code. Because the fragment after # is never sent to the server, server-side filtering does not see it; only the client-side code handles it.

Another example:

  1. var url = document.location.href;
  2. var loginIdx = url.indexOf('login');
  3. var loginSuffix = url.substring(loginIdx);
  4. url = 'http://mySite/html/sso/' + loginSuffix;
  5. document.location.href = url;
Line 5 may be a false positive and prove to be safe code, or it may be open to an open redirect attack; with taint analysis, the static analysis should be able to correctly identify whether this vulnerability exists.

If the static analysis relies only on a black-box component, this code will be flagged as vulnerable, requiring the code reviewer to do a complete source-to-sink review.
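
The taint analysis described above, reduced to a toy source-to-sink tracker that runs over the post's two snippets (an added example, my code, not the post's or OWASP's): it propagates taint from `document.URL` and `document.location.href` through assignments into the `document.write` and `document.location.href` sinks, and shows that a hardened variant of the second snippet, which routes the suffix through a hypothetical `sanitizeSuffix` allowlist function, yields no finding. The source, sink and sanitizer lists and the statement grammar are assumptions; the snippets use `document.location.href` for the location source.

```javascript
// Added example (my code, not the post's or OWASP's): a toy "source to sink"
// taint tracker for straight-line JavaScript, the idea behind the taint analysis
// described above. SOURCES, SINKS, SANITIZER and the statement grammar are
// assumptions; a real engine works on an AST and models the DOM and its events.
const SOURCES = ["document.URL", "document.location.href", "location.hash", "location.search"];
const SINKS = ["document.write", "eval", "innerHTML", "document.location.href", "location.assign"];
// A right-hand side that is a single call to a vetted cleaner counts as clean.
// (sanitizeSuffix is a hypothetical allowlist function; it does not exist in the post.)
const SANITIZER = /^(encodeURIComponent|sanitizeSuffix)\(/;

function analyze(code) {
  const tainted = new Map(); // variable name -> the statement that tainted it
  const findings = [];
  const isTainted = (expr) =>
    !SANITIZER.test(expr) &&
    (SOURCES.some((src) => expr.includes(src)) ||
      [...tainted.keys()].some((v) => new RegExp(`\\b${v.replace(/\./g, "\\.")}\\b`).test(expr)));
  for (const stmt of code.split(";").map((s) => s.trim()).filter(Boolean)) {
    const assign = stmt.match(/^(?:var|let|const)?\s*([\w.]+)\s*=\s*([\s\S]+)$/);
    if (assign) {
      const [, lhs, rhs] = assign;
      if (SINKS.some((s) => lhs.endsWith(s))) { // write into a sink property
        if (isTainted(rhs)) findings.push({ sink: lhs, statement: stmt });
      } else if (isTainted(rhs)) {
        tainted.set(lhs, stmt); // taint propagates through assignment and concatenation
      } else {
        tainted.delete(lhs); // overwritten with clean data
      }
      continue;
    }
    const call = stmt.match(/^([\w.]+)\(([\s\S]*)\)$/); // sink called with a tainted argument
    if (call && SINKS.some((s) => call[1].endsWith(s)) && isTainted(call[2])) {
      findings.push({ sink: call[1], statement: stmt });
    }
  }
  return findings;
}

// Constructed inputs: the post's two snippets (with document.location.href) and a
// hardened variant of the second that routes the suffix through the allowlist check.
const DOM_XSS_SNIPPET = `var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));`;
const OPEN_REDIRECT_SNIPPET = `var url = document.location.href;
var loginIdx = url.indexOf('login');
var loginSuffix = url.substring(loginIdx);
url = 'http://mySite/html/sso/' + loginSuffix;
document.location.href = url;`;
const OPEN_REDIRECT_HARDENED = OPEN_REDIRECT_SNIPPET.replace(
  "url.substring(loginIdx)", "sanitizeSuffix(url.substring(loginIdx))");

console.log(analyze(DOM_XSS_SNIPPET));        // document.write fed from document.URL
console.log(analyze(OPEN_REDIRECT_SNIPPET));  // document.location.href fed from itself
console.log(analyze(OPEN_REDIRECT_HARDENED)); // [] : the sanitizer breaks the flow
```

The tracker over-approximates (for instance it treats the result of `indexOf` as tainted), which is the false-positive side of the trade-off described above.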

References:

  • http://docstore.mik.ua/orelly/web/jscript/ch20_04.html
  • https://www.owasp.org/index.php/CRV2_SourceSinkRev
  • https://www.owasp.org/index.php/CRV2_CanStaticAnalyzersDoAll
  • https://www.owasp.org/index.php/Static_Code_Analysis
  • http://www.cs.tau.ac.il/~omertrip/fse11/paper.pdf
  • http://www.jshint.com/about/
  • https://github.com/mozilla/doctorjs

Saturday, March 8, 2014

OWASP Wins SC Magazine 2014 Editor's Choice Award


On Tuesday, February 25th, OWASP was awarded the 2014 SC Magazine Editor’s Choice award. This was the final award of the evening and was presented directly by Illena Armstrong, VP, editorial, SC Magazine.

For its ongoing support of the development and maintenance of secure web applications, we are calling out the achievements of the OWASP (Open Web Application Security Project). Its efforts in offering tools and education materials to developers and other security professionals have greatly aided in furthering the advancement of web application security. The nonprofit group does not endorse or recommend commercial products or services. This enables its open network to remain vendor neutral and synergize the collaborative efforts of the leading lights in software security worldwide. It’s all about trust, and information security professionals have come to rely on the group’s annual Top 10 project, ongoing since 2003, which delineates the most common flaws present in web apps, thus increasing awareness in the security community of some of the most critical risks facing organizations. As well, the “Bug Bash,” held for three nights in November during the AppSec Conference, is considered one of the biggest application security bug searches in recent time. The event, sponsored by OWASP, gathered security researchers from 30 countries who collaborated to discern security gaps in software that runs the internet and some of the planet’s most commonly used applications. For its advocacy, outreach and teaching, we are delighted to recognize OWASP with this year’s Editor’s Choice Award.
As a volunteer-driven, non-profit organization, our contributors donate their time and expertise for the betterment of all. It is exciting and rewarding for the entire community to be recognized for our continued efforts to increase application security!



http://owasp.blogspot.com/2014/03/owasp-wins-sc-magazine-2014-editors.html

Wednesday, January 15, 2014

RSA, NSA, OWASP Continued


Bruce Schneier, a well-respected security expert, has written an essay that takes an opposing view of the NSA and explains why the NSA surveillance program is not good security. I don't always agree with Mr. Schneier, but he does make some good points, and as he is a very respected security expert I think it's good to read his essay. I am not reprinting it here, but here is the link.

http://www.theatlantic.com/technology/archive/2014/01/how-the-nsa-threatens-national-security/282822/

You can subscribe to Mr. Schneier's security newsletter on the web at http://www.schneier.com/crypto-gram.html.


On another subject, here is a podcast where I was interviewed about the project I am leading with OWASP concerning the Code Review Guide book.

http://trustedsoftwarealliance.com/2014/01/13/appsec-usa-2013-larry-conklin-and-the-code-review-book-project/