|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
May the source be with you, but remember the KISS principle ;-)
Bigger doesn't imply better. Bigger often is a sign of obesity, of lost control, of overcomplexity, of cancerous cells
|News||Recommended Links||Cross Site Scripting||CGI and CGI Security||Helping webmasters with hacked sites|
|Browser Security||Chrome Security||Humor||Etc|
There are specific coding practices that needs to be explicitly avoided in order to avoid compromises. For Perl this is mainly connected with the CGI security. The top issues probably include:
For Java this is connected with both applet and server side security.
We tried to evaluate the security of older version of World Account application and hired Sun professional services a year or two ago. They did not do a good job, but still it was better then nothing and I learned a lot. I still have some materials from then and can send them to you if you wish.
From the Open Web Application Security Project
The Open Web Application Security Project (OWASP) has chosen the top ten most critical Web application security vulnerabilities. Unvalidated parameters, broken access control, and broken account and session management were the top three on the list of selections chosen by the open source community project.
The top ten selections by OWASP are:
S5 Hacking and
Securing Web-Based Applications NEW
David Rhoades, Maven Security Consulting
USENIX - LISA '02 - TUTORIALS
S5 Hacking and
Securing Web-Based Applications NEW
David Rhoades, Maven Security Consulting
Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application.
Although numerous commercial and freeware tools assist in locating network-level security vulnerabilities, these tools are incapable of locating application-level issues. This course will demonstrate how to identify security weaknesses for Web-enabled services that could be exploited by remote users.
With numerous real-world examples, this informative and entertaining course is based on fact and experience, not theory. The course material is presented in a step-by-step approach, and will apply to Web portals, e-commerce, online banking, shopping, subscription-based services, and any Web-enabled application.
|Assessing Internet Security Risk, Part Five: Custom Web Applications Continued
by Charl van der Walt
last updated October 8, 2002
This article is the fifth and final in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In the second article, we started to discuss the methodology that we follow in performing this kind of assessment. The third part discussed methodology in more detail, focussing on visibility and vulnerability scanning. The fourth installment discussed a relatively unexplored aspect of Internet security, custom Web applications. This article will conclude the discussion of security risks of Web applications.
A detailed discussion of all the possible vulnerabilities associated with custom Web applications would be somewhat beyond the scope of this paper. What I've done instead is to list and describe all the categories. I'll then single out some specific instances and describe them in more detail as examples.
Here then a list of mistakes that are commonly made, even by experienced programmers. Having answered all the other questions from the previous list, we will carefully search for the following common vulnerability categories:
1. Server Application Vulnerabilities:
As with any network service, Web servers are applications that are often exploitable via the known vulnerabilities we discussed in the "Vulnerability Scanning" section in the third installment in this series. Specialized "CGI" scanners like Whisker, Nikto and the appropriately named CGI-Scanner are especially designed to find vulnerabilities in Web servers. We've discussed this concept at length already, so I won't spend much time on it again.
2. Sample Scripts:
Many Web servers and Web development platforms ship with sample applications built in to serve as examples of what can be achieved. These applications are designed to serve as examples only and have not been built with security in mind. Indeed, sample scripts are often blatantly insecure. Once again, most of these scripts are commonly known and can quickly be identified with a CGI scanner.
3. Hidden directories:
Directories that are accessible to the Web server but are considered "hidden" because there are no references or HTTP links to them. Once more, scanners like Nikto and Whisker make short work of discovering such directories through brute force.
4. Administrative Back-ends:
Complex Web sites are often developed by specialists at a high price. To facilitate cost-effective management and updates of such sites the developers often provide an administrative back-end through which the site owner can easily add or modify content without having to understand the HTML and other underlying technologies. Discovering such a back-end (again via brute force) presents an easy vector for Web site defacement and other attacks.
5. Directory Traversal:
A directory traversal attack involves stepping through multiple levels of the file system structure using "..\". This feature is often used by attackers to trick an application into accessing a part of the file system it was never meant to.
6. Input sanitation:
These wise words from my colleague Haroon Meer sum up the problem with input sanitation: "People have been screaming about poor (non) validation of user input for as long as I can remember, so I don't even think that any of the normal excuses apply anymore. By now developers should simply have learned that all user input should be inherently distrusted and therefore sanitized. Unfortunately, most of the sites you come across seem to ignore sanitization of user input completely or do it selectively (often forgetting hidden fields)."
A common mistake in developing Web applications is to make assumptions about the inputs that user will provide, whether it is done manually or via some automated process. Manual inputs include the data entered by users into fields and forms. Automated inputs are submitted without the user being directly involved and include things like cookies, URLs and hidden HTTP fields. Nothing that is provided by the user should ever be trusted and an application that does so is opening itself up to abuse. Possibly the most significant category of attack that stems from inappropriate input sanitation is SQL Injection.
7. State Tracking:
An enormous problem facing any Web application developer is the question of how to keep track of a single user as he or she makes their way through the various areas of the Web site. This is difficult for many reasons. The primary obstacle is the fact that each page of an HTML application and each object on an HTML page is fetched using a new HTTP session. Unlike "stateful" applications like Telnet or FTP, HTTP is stateless and there is no standard way for the application to keep track of a user who has logged in. Mechanisms used for this include cookies, session keys and hidden fields. Mistakes made in the way state is tracked can allow an attacker to "highjack" a session and gain access to applications and data without being properly authenticated.
8. Cross-Site Scripting:
Cross-site scripting (also called XSS) is somewhat different to the other attacks discussed thus far. Rather than attack the server or the application XSS attacks are aimed at the end-user's browser. XSS is not a problem of input sanitation, but rather a problem of output sanitation. It is typically used against sites that redisplay values that are input by the user. If the information presented by the user is not properly sanitized before it is displayed then an attacker may be able to use HTML tags to influence the way it is displayed by the site. This becomes particularly dangerous when the attacker inserts the <SCRIPT> tag, thereby forcing other users' browsers to execute the code the attacker specifies. An easy way to test for this is to insert HTML like this:
If the Web site does not clean this up before displaying it will cause a pop-up message to be displayed by the visitor's browser. Obviously an attacker could do much worse than cause pop-ops, particularly when the site is trusted by other users.
Web Security Assessment Tools
Having looked at a number of different threat categories at a very high level,
Allright, so if you've decided to assess the security of your Web applications and you just can't bear the thought of paying someone like me to do it, what do you need in your tool box? Here's a good start:
This concludes our basic overview of Internet security risk assessments. Certainly, this procedure is a valuable process for anyone who is charged with maintaining the security of a network that is connected to the Internet. While this series should not be taken as a comprehensive, in-depth guide to assessing Internet security risks, we hope that it has given readers an idea of what needs to be taken into account when conducting assessment of the security risks that their Internet-connected network may face.
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: September 12, 2017