Web Application Checklist

Uploaded by tukwilagleeful under Internet and Web Applications, 31 Oct 2013

Prepared by Krishni Naidu


References:

- Web application and database security, Darrel E. Landrum, April 2001
- Java's evolving security model: beyond the sandbox for better assurance or a murkier brew?, Matthew J. Herholtz, March 2001
- Basics of CGI security: Common Gateway Interface, CGI, at a glance, Jeffrey McKay, April 2001
- CERT: Understanding malicious content mitigation for web developers
- Secure a web application, Java style, Michael Cymerman
- CERT: Malicious HTML tags embedded in client web requests
- Best practices for web development, Razvan Peteanu
- Security Code Guidelines (http://java.sun.com/security/seccodeguide.html)
- Web application security considerations (http://www.4.ibm.com/software/webservers/appserver/doc/v35)
- Perl Security (http://www.perl.com/pub/doc/manual/html/pod/perlsec.html)
- Extensible Security Architecture for Java, Dan Wallach, Dirk Balfanz, Drew Dean, Edward Felten


Introduction:

This checklist is to be used to audit a web application.

It is essential that the web application not be evaluated on its own in an e-commerce implementation. The other elements like the operating system, IIS/Apache, the database, router configuration and firewall configuration need to be evaluated to ensure that appropriate steps have been taken to address the risks posed by the numerous vulnerabilities that may be present.

The procedural elements must also not be forgotten, e.g. physical security and the enforcement of security policy elements such as development standards.

Prior to using this checklist the following should be considered:

- Privacy: It is not possible to highlight all the considerations to be taken into account for privacy regulations in the application, due to the numerous country laws that would have to be considered. It is thus the responsibility of the auditor to identify the relevant law that is applicable in the specific country where the review is occurring and ensure that the application takes this into account.

- Web application as part of an ERP package: In some instances the web application may be an add-on module of an ERP, e.g. SAP, Navision, etc. In such instances it may be important to ascertain the security implications of the modification with the requisite vendor as well as with the in-house development team. The web application authentication may be a part of the ERP, thus it is important to perform the review together with the security review of the ERP. In such instances it is also important to ensure that no web user has ERP administrator access, e.g. SAP_ALL access in a SAP environment. ERP security reviews are a comprehensive subject on their own and thus no attempt has been made in this checklist to audit the web application part of an ERP. This checklist, with some modification, can be used in conjunction with a security review of the ERP.

- Database and other elements security: This checklist does not include database security or security considerations for any of the other elements like the operating system, as these are exhaustive topics that need their own checklists.

- Programming languages: It is beyond the scope of this paper to provide a comprehensive listing of all security considerations for all languages used to create web applications. A listing of security considerations for languages that are commonly used is however provided, namely Java, Perl and CGI. Other languages and technologies not catered for are XML, ActiveX, etc.

- Securing the program/web application: This checklist does not address securing the program files at the operating system folder/directory level. This is an important element to ensure that only the authorised developer has access to this directory in the development environment. When the program is moved to the production environment, there should be adequate controls such as movement by a change control group, and the program files must again be secured such that they may not be modified by unauthorised persons.

Prior to reviewing the security of the application it is important to ascertain what the application will be doing, e.g. will the application be used to provide clients access to account information, or will the application be used to sell consumer goods via the Internet.

Checklist:

No.  Control Item

1.  Requirements phase

Ensure that the user requirements specifications include the following items:

- Whether the assets have been identified
- How the application will be used
- Identifying the users, their roles and rights (authorization and authentication)
- Legal and business issues (support for non-repudiation, audit trail, digital signatures, strong encryption)
2.  Java

Ensure that the Java application is sandboxed.

Ensure that the java.security, java.security.acl and java.security.interfaces packages are used.

Run the application with the following:

java -Djava.security.debug=all ...

This will output the results of checkPermission calls, the loading and granting of policies, dumps of the relevant protection domains and other information (java -Djava.security.debug=help lists the individual debug options). Review the output to ensure that it is appropriate in terms of security.

Ensure that the SecureRandom class is used to create random numbers.

Ascertain if form based authentication or basic authentication is being used. If it is form based authentication, ensure that sensitive forms are protected via userids and passwords.

Since userids and passwords are passed in the clear, ensure that SSL is used.

Ensure that the code includes a check that does not permit access if the authentication fails and returns the user to the login form again, e.g.:

// if the user is not authenticated
if ( !isAuthenticated.booleanValue() ) {
    // process the unauthenticated request
    unauthenticatedUser(response, requestedPage);
}

Ensure that code exists to store the user authentication information inside a session variable, e.g.:

// create a session (or fetch the existing one)
HttpSession session = request.getSession(true);

// wrap the primitive boolean in a Boolean object
Boolean booleanIsAuthenticated = Boolean.valueOf(isAuthenticated);

// store the Boolean value in the session
// (setAttribute replaces the deprecated putValue)
session.setAttribute(Constants.AUTHENTICATION, booleanIsAuthenticated);
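The authentication check and the session storage above, combined into a servlet filter as an added example that is not part of the original checklist. It assumes the Servlet API (javax.servlet, i.e. Servlet 4.0 or earlier; Servlet 5+ uses the jakarta.servlet package) is on the classpath, a login page mapped at /login, and a login servlet that calls markAuthenticated() after a successful credential check; AUTH_ATTR, LOGIN_PATH and the class name are assumptions. The flag lives only in the server-side session, so the client cannot set it, and the session is renewed on login so an id fixed before login is not carried over.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the checklist. Names below are assumptions.
public final class AuthenticationFilter implements Filter {

    static final String AUTH_ATTR = "authenticated";   // session attribute set by the login servlet
    private static final String LOGIN_PATH = "/login"; // assumed mapping of the login page

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Always let the login form itself through, otherwise nobody can log in.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (LOGIN_PATH.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        if (!isAuthenticated(request)) {
            // Deny and send the user back to the login form (the checklist's
            // "unauthenticatedUser" step). Nothing else is served.
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return;
        }
        chain.doFilter(req, res);
    }

    // Read the authentication flag from the server-side session only, never
    // from a cookie or hidden field the client could set. getSession(false)
    // avoids creating an empty session for anonymous hits.
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) return false;
        Object flag = session.getAttribute(AUTH_ATTR);
        return Boolean.TRUE.equals(flag);
    }

    // Called by the login servlet after the credential check succeeds. The old
    // session is discarded so a session id fixed before login is not reused.
    static void markAuthenticated(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute(AUTH_ATTR, Boolean.TRUE);
    }
}
```

Map the filter to /* (a filter-mapping in web.xml, or @WebFilter("/*") from Servlet 3.0 onwards) so every request passes through isAuthenticated() before it reaches a page; a check that lives in individual pages is easy to forget on the next page that is added.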

Ensure that the classes available to the virtual machine are limited. Review the classpath to ensure that unnecessary entries are removed.

Ensure that the code does not have access to third party tools or extraneous code.

Review the various sensitive beans to ensure that the EJB's deployment descriptor has the following access control entries (WebLogic descriptor syntax):

(accessControlEntries
    DEFAULT               [administrators basicUsers]
    TheRestrictedMethod   [administrators]
); end accessControlEntries

This ensures that only the administrators have access to the restricted method.

Review the weblogic.properties file to ensure that only authorised administrators are listed in the administrators group.

Ensure that the java.security.acl package is used to grant permissions and add new users.

Review all user permissions using the following:

boolean isReadFileAuthorized = accessList.checkPermission(user, readFile);

Ensure that user permissions are appropriate, e.g. only the designer has access to the owner object.

Ensure that the security manager has been enabled.

Ensure that non-final public static variables are not used, since there is no way to check whether the code that changes such variables has the appropriate permissions.

Ensure that the scope of methods and fields is reduced as much as possible.

Ensure that developers have refrained from using public methods/fields where a narrower scope will do.

Ensure that any public method that has access to and/or modifies sensitive state includes a security check.

Ensure that adequate steps have been taken to prevent package insertion, e.g.:

- Add the following line to the java.security properties file:
  package.definition=Package#1 [,Package#2,...,Package#n]
- Place the package's classes in a sealed JAR file.

Ensure that the following line has been added to the java.security properties file to protect package accesses:

package.access=Package#1 [,Package#2,...,Package#n]

Ensure that objects are made immutable.

Ensure that there is no return of a reference to an internal array that contains sensitive data.

Ensure that a user-given array of objects is not stored directly.
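The three points above (immutability, not returning internal arrays, not storing caller-supplied arrays) in one class, as an added example rather than code from the checklist; the Leaky/Guarded names and the sample secret are assumptions. Leaky shows the aliasing the checklist warns about: the caller and the object share one array, so either can rewrite the other's state. Guarded copies on both sides, is declared final so a subclass cannot reopen the hole, and keeps the secret in a char[] that can be wiped after use.

```java
import java.util.Arrays;

// Added example, not from the checklist. Class names are assumptions.
public final class DefensiveCopies {

    // VULNERABLE: stores the caller's array directly and returns a reference
    // to the internal array, so state can be changed from outside the class.
    static class Leaky {
        private char[] secret;
        Leaky(char[] s) { secret = s; }                 // aliases the caller's array
        char[] getSecret() { return secret; }           // hands out the internal reference
    }

    // HARDENED: final class, copy on construction and on return, and the
    // secret stays in a mutable char[] so it can be cleared (as the checklist
    // recommends for credentials) instead of lingering in an immutable String.
    static final class Guarded {
        private final char[] secret;
        Guarded(char[] s) { secret = s.clone(); }       // copy, do not alias
        char[] getSecret() { return secret.clone(); }   // copy, do not expose
        void clear() { Arrays.fill(secret, '\0'); }     // erase once no longer needed
    }

    public static void main(String[] args) {
        char[] pw = "s3cret".toCharArray();             // constructed sample secret

        Leaky leaky = new Leaky(pw);
        leaky.getSecret()[0] = 'X';        // caller rewrites the object's state via the returned reference
        pw[1] = 'Y';                       // and the original array is still shared with the object
        System.out.println("Leaky  : " + new String(leaky.getSecret()));   // both edits are visible

        char[] pw2 = "s3cret".toCharArray();
        Guarded guarded = new Guarded(pw2);
        guarded.getSecret()[0] = 'X';      // mutates a copy only
        pw2[1] = 'Y';                      // original array is not shared either
        System.out.println("Guarded: " + new String(guarded.getSecret()));  // unchanged

        guarded.clear();
        System.out.println("Wiped  : " + Arrays.equals(guarded.getSecret(), new char[6]));
    }
}
```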

If serialisation is used, ensure the following precautions are taken:

- Ensure that the transient keyword is used for fields that contain direct handles to system resources and for fields that contain information relative to an address space.
- Ensure that a class defines its own deserialising method and that the ObjectInputValidation interface is used to validate invariants.
- If a class defines its own serialising method, ensure that it does not pass an internal array to a DataInput/DataOutput method that takes an array.
- Ensure that byte streams are encrypted.
- If untrusted code has a restriction on creating an object, ensure that the untrusted code has the same restriction when it deserialises the object.

Ensure that native methods are examined for the following:

- What they return
- What they take as parameters
- Whether they bypass security checks
- Whether they are public or private
- Whether they contain method calls which bypass package boundaries, thus bypassing package protection

Ensure that sensitive information such as credentials is kept in mutable data types (e.g. a char[] rather than a String), so that it can be cleared from memory after use.

Ensure that message digests or digital signatures are used to protect the integrity of sensitive data.


3.  Privileged code

Ensure that privileged code is as short as possible. Code run inside a privileged block is granted the permissions of its own protection domain regardless of its callers, so it can reach resources that the calling code does not itself have permission to access.

Ensure that tainted variables (data supplied by the caller) are not used within the privileged code when it is reachable from public methods. Ensure that the privileged block is placed in private methods that cannot be called from outside the class.

Ensure code is wrapped in a privileged block when the code performs tasks that would not normally be allowed for an applet or untrusted code.
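The privileged-block rules above as an added Java example (not from the checklist). It assumes a policy that grants this class, but not its callers, permission to read the system property app.config.path; the class, method and property names are assumptions. The privileged block is a single statement, sits in a private method, and contains no caller-controlled data; the vulnerable variant is shown for contrast. Note that SecurityManager and AccessController.doPrivileged have been deprecated for removal since Java 17, so this pattern applies to applications still running under a security manager.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added example, not from the checklist. Names are assumptions.
public final class ConfigReader {

    // Fixed, trusted property name. The privileged block must never take a
    // name supplied by the (possibly untrusted) caller, otherwise it becomes
    // an oracle for any property the policy lets this class read.
    private static final String PROPERTY = "app.config.path";

    // Public entry point: no caller-controlled data enters the privileged block.
    public static String configPath() {
        return readTrustedProperty();
    }

    // Private, so it cannot be invoked from outside the class, and the
    // privileged section is exactly one statement long.
    private static String readTrustedProperty() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(PROPERTY, "/etc/app/config"));
    }

    // VULNERABLE pattern for contrast: a caller-supplied ("tainted") name is
    // used inside the privileged block, so untrusted code that can reach this
    // public method reads any property this class is allowed to read.
    public static String readAnyProperty(String taintedName) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(taintedName));
    }

    public static void main(String[] args) {
        System.out.println(configPath());
        // readAnyProperty("user.home") would succeed for any caller: do not ship it.
    }
}
```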




4.  Perl

Ensure that the script is run in taint mode. This is done by using the -T command line flag.

Run the following to check whether a variable contains tainted data (under -T, kill with a tainted argument dies, so the eval fails and the sub returns true):

sub is_tainted {
    return ! eval {
        join('', @_), kill 0;
        1;
    };
}

Any presence of tainted data anywhere within an expression renders the whole expression tainted.

If data has to be untainted, ensure that the /.+/ pattern is not used, as this pattern lets everything through.

Ensure that for "Insecure $ENV{PATH}" messages, $ENV{'PATH'} is set to a known value. Each directory in the path must be writable only by the owner and the group.

Ensure that the variables IFS, CDPATH, ENV and BASH_ENV are deleted, since they are passed through to any shell the script invokes. The script is as follows:

delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # Make %ENV safer

Ensure that file tests for taintedness are performed for user supplied filenames.

Ensure that a child has been forked using the open syntax that connects the parent and the child via a pipe. The child drops its privileges before running the external program and is thus safer to use. It is thus safer to open or pipe a file this way from a setuid/setgid script.

Since backticks are also vulnerable to calling the shell, ensure that the shell is never called. The script to run an external command safely, without a shell, is as follows:

use English;

my $pid;
die "Can't fork: $!" unless defined($pid = open(KID, "-|"));

if ($pid) {                          # parent
    while (<KID>) {
        # do something
    }
    close KID;
} else {
    my @temp = ($EUID, $EGID);
    $EUID = $UID;
    $EGID = $GID;                    # initgroups() also called
    # Make sure privs are really gone
    ($EUID, $EGID) = @temp;
    die "Can't drop privileges"
        unless $UID == $EUID && $GID eq $EGID;
    $ENV{PATH} = "/bin:/usr/bin";
    exec 'myprog', 'arg1', 'arg2'
        or die "can't exec myprog: $!";
}

Ensure that a similar strategy as above is used for glob.
=

=
=
5.  CGI

Ascertain how often CGI hacking tools are run to determine vulnerabilities and whether there is a process to fix the vulnerabilities identified by the hacking tools. Tools such as Whisker (Rain Forest Puppy) or wCGIchk can be used to ascertain vulnerabilities.

Ensure that there is a process to keep up to date with new vulnerabilities/patches and updates, and to fix them as appropriate.

If the CGI programs are used to create or open files, ensure that the following is observed:

- Error handling code is included to warn if the file isn't actually a file, cannot be created or opened, already exists, requires different permissions, etc.
- Ensure that files are not written to world writeable or world readable directories.
- Ensure that the umask for created files is explicitly set.
- Ensure that the file permissions are set as restrictively as possible.
- Ensure that the file's name does not have metacharacters in it. If the file is created on the fly, ensure that there is a screening process to filter out metacharacters.
- Ensure that scripts not in use are deleted.
- Ensure that CGIWrap is utilised to allow general users access to CGI scripts and HTML forms without compromising the security of the web server.
- Ensure that scripts are run using the permissions of the user who owns the script and not the userid of the httpd process.

If CGI scripts are downloaded from the web, ensure that the following checks are made:

- Complexity of the script: more complex scripts have more problems.
- Whether it reads or writes files on the host system. Programs that read files may violate access restrictions or pass sensitive information to hackers. Programs that write files may modify or damage documents or introduce Trojans.
- Interactions with other programs on the system, e.g. with sendmail. Is the interaction secure?
- Whether it runs with suid privileges. This should not be permitted.
- Whether the author validates user input from forms. This is an indication that security is being considered.
- Whether explicit path names are used when invoking external programs. The PATH environment variable is insecure if used to resolve partial path names.

If coding in C, ensure that the developer has taken buffer overflows into account.

Ensure that unchecked remote user input is not passed to a shell command.

Risky C calls are popen() and exec(), and in Perl the system(), exec(), piped open and eval() functions.

Ensure that backtick quotes are avoided.



6.  Malicious HTML tags embedded in client web requests

Ensure that there is a process whereby web developers ensure that dynamically generated pages do not contain undesired tags.

Ensure there is a process for developers to restrict variables to those characters that are explicitly allowed, and to check those variables during the generation of the output page.

Ensure that the developers follow the two processes above.




7.  Malicious content mitigation

Ensure that the character set encoding for each page generated by the web server is explicitly set.

Ensure that the developers have a defined process to identify special characters and filter them out. The list of special characters is as follows:

- <
- >
- &
- " (double quote)
- ' (single quote)
- space and tab
- new line
- %
- semicolon, parentheses, curly braces
- !

Ensure that dynamic output elements are encoded.

Ensure that dynamic content filtering is implemented on the output side.

Ensure that there is a process to carefully examine cookies that are accepted, and that filtering techniques are used to verify that they are not storing malicious content.

Ensure that encoding is also applied to URLs and HTML pages.
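Output-side encoding for the special characters listed above, as an added example that is not part of the original checklist (the class name and the input string are constructed). encodeHtml() is for data placed in HTML body text or quoted attribute values: the five characters with markup meaning become named entities and every other non-alphanumeric character becomes a numeric character reference, so nothing on the list reaches the browser as markup. encodeUrlParam() covers the URL case in the last point, using java.net.URLEncoder (the StandardCharsets overload needs Java 10 or later).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example, not from the checklist.
public final class OutputEncoder {

    // HTML body / quoted-attribute context. Allow-list: ASCII letters, digits,
    // space and a few punctuation characters; everything else (tab, newline,
    // %, ;, (, ), {, }, !, =, / ...) is emitted as &#NN; so it cannot be
    // interpreted as markup. Space is allowed because the caller places the
    // value inside body text or a quoted attribute, never an unquoted one.
    public static String encodeHtml(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:
                    boolean asciiAlnum = c < 128 && Character.isLetterOrDigit(c);
                    if (asciiAlnum || c == ' ' || c == '.' || c == ',' || c == '-' || c == '_') {
                        out.append(c);
                    } else {
                        out.append("&#").append((int) c).append(';');
                    }
            }
        }
        return out.toString();
    }

    // URL query-string context: application/x-www-form-urlencoded escaping,
    // so the same data cannot break out of a parameter value in a link.
    public static String encodeUrlParam(String input) {
        return URLEncoder.encode(input, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed attacker-supplied "name" field, as it might arrive in a form post.
        String tainted = "<script>alert('x')</script>\" onmouseover=\"evil()";
        System.out.println("<td>" + encodeHtml(tainted) + "</td>");
        System.out.println("<a href=\"/profile?name=" + encodeUrlParam(tainted) + "\">link</a>");
    }
}
```

Pair this with the first point of the item: send an explicit charset with the page (for a servlet, response.setContentType("text/html; charset=UTF-8") before writing), otherwise the browser may guess an encoding in which a different byte sequence decodes to one of the listed characters.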


8.  Testing of application

Ensure that the application is tested using application scanners like AppScan from Sanctum, Retina from eEye, and WebInspect from SPI Dynamics.

9.  Privacy

Ensure that the application deals with the handling of private data as defined by the country's specific laws and regulations.
10.  Ensure that there is a process whereby application developers keep abreast of new vulnerabilities, e.g. by subscribing to mailing lists like CERT.

11.  Documentation

Ensure that the system is adequately documented. The documentation should include:

- server and application settings
- resource permissions
- what the sensitive resources are
- how to perform operations or changes the right way

12.  Anonymous access

Ensure that all pieces of functionality use proper authentication rather than anonymous access.

13.  Testing

Ensure that at the testing stage there is adequate testing of the authentication and ACLs.

14.  Application logins

Ensure that the code is not run using the suid root/administrator account. Also, the application must not be run using the database administrator account, e.g. the SQL Server sa account.

15.  GET, POST and encryption

Ensure that GET is not used to send sensitive data, as the query string is logged in clear text (by web servers, proxies and browser history) even if SSL is used. SSL only encrypts data in transit, not at the destination point. If POST is used the HTTP body is not logged. However the POST method still sends the data in clear text, thus encryption is vital.

Ensure that encryption is used for sensitive data at the application level.

16.  Incoming data

Ensure that the developer has fully considered the implications of incoming data in terms of the URL, method, cookie, HTTP headers and data fields. Ensure such scenarios have been appropriately tested in terms of the following:

- If the URL is changed, can the client access another user's session?

Ensure that the application has been tested to ensure that incoming data fields cannot overflow buffers or append to an SQL statement (execute code on the SQL server).

17.  Client keeping important data

Ensure that the application does not rely on the client keeping information such as:

- Hidden form fields
- Parameters

Ensure that any information which is capable of being changed by the client is stored on the server side.

18.  Logs

Ensure that logs are created and that the information provided by the logs is useful, i.e. provides sufficient detail.

19.  ASP/JSP

Ensure that sensitive credential information, such as username/password combinations for accessing the following:

- membership directories
- database connection strings

is not hardcoded in the page.

20.  Extensions

Ensure that included files cannot be requested by their own extension on the server side. If the hacker asks for the included file directly, instead of the page that includes it, it will be served and may reveal sensitive information.

21.  HTML comments left in production code

Ensure that no sensitive information is included in the HTML comments which are embedded in the HTML or client script, e.g.:

- A connection string that was once part of a server side script and was commented out. Through editing this can reach the client script and thus be transmitted to the browser.

22.  Error messages

Ensure that error messages do not reveal sensitive information which can be used to facilitate an attack against the organisation, e.g.:

- physical paths
- platform architecture

Review the error related configuration of the server and how errors are handled by the application. Under IIS, ensure that the generic error option is chosen instead of "send detailed ASP error messages to client" (the default).

23.  Relationship with QA and code reviews

Ensure that there is a close, continuous working relationship between QA and the development team, such that any security related issues discovered by QA are forwarded promptly to the development team to fix.

Ensure that code reviews are performed and that issues raised during the code review are adequately fixed.

24.  Wizard generated or sample code

Ensure that there is a process to review wizard generated or sample code to ascertain whether it includes hardcoded credentials to access resources, e.g. databases.

Alternatively, review wizard generated or sample code to ensure that there are no hardcoded credentials.

25.  C/C++

Since C/C++ does not deal with buffer overflows, the programmer is left to implement bounds checking. Another problem is format string attacks. Ensure that there are proper code reviews to identify insecure practices and that the issues raised have been fixed.

Test for unsafe constructs using tools like L0pht's SLINT.

Ensure that all input arguments are checked for validity.

Ensure that the system() call, shell(), popen() and the exec*p() family are not used.

Ensure that scanf() is not used to read anything, as its behaviour when given input that does not match the expected format is hard to control, and %s without a field width writes past the end of the buffer.

Ensure that environment variables are actively checked for validity.

Ensure that all functions are checked for valid returns.

Ensure that binaries are stripped.

26.  SSL

Ensure SSL is used to provide encryption for in-transit elements.