Sunday, May 22, 2016

Saving SEC (Security Exchange Commission) one Google search at a time.

Saving SEC (Security Exchange Commission) one Google search at a time.

Can't really say this was a Google dork since I wasn't querying Google with a special search string. What happened was I was searching Google with my eyes wide open. I noticed in my search results that one of the items returned did not look like it belonged. Out of curiosity, I click on it. It took me a little while to realize what I was looking at.  An SEC document that a business had submitted that includes among other data  the business's bank name, the ABA (account routing number) and the account number and names of officials at the business. Enough information to make an attempt at hacking the bank account either thru a software or social engineering vulnerability that any good hacker could try.

The vulnerability was easy enough to prevent. Using OWASP Top Ten 2013 this vulnerability is A5 Security Misconfiguration, folders where the  documents were stored had public access when the permissions should have been restricted. 

But here is the point. Easy vulnerabilities are not easy to keep in front of developers and system admins. Organizations need to keep security in front of their IT staff. One easy way to do this is support organizations like OWASP and promote them to your staff. OWASP has lots of training, chapters meeting, etc that can help keep security in front of IT folks.

How do you or who do you notify that an organization has a cyber vulnerability? In my case, this wasn't easy. The SEC has the contact webmaster link. This wasn't really a website issue. The SEC website does have contact list but nothing on that page refers you to cyber vulnerabilities issues. I finally decided to use the SEC Tips, Complaints, and referrals website. I have checked and the vulnerability has been fixed. I have not received any correspondence from the SEC thanking me or telling me the vulnerability is fix.

Questions, 
* Should organizations include a link if a visitor to the site sees something wrong with a website instead of the webmaster? 
* What about alerting an organization to any security vulnerability? 
* Should the US government and or commercial businesses have one common website to alert to for cyber issues? 

We have the CVE but it isn't designed to alert organizations of a vulnerability while keeping the information private while the vulnerability is being fix. 

* Is this something that open source project can help with?

Here is one of the documents I found. I have XXXX out information on the company, people names, and bank account information, and other IRS identifying information. I do undestand that some of the information in this document is public knowledge of a public traded company of the exchange. ABA and account number and bank names are should not be public information.

-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 2001,MIC-CLEAR
Originator-Name: webmaster@www.sec.gov
Originator-Key-Asymmetric:
 MFgwCgYEVQgBAQICAf8DSgAwRwJAW2sNKK9AVtBzYZmr6aGjlWyK3XmZv3dTINen
 TWSM7vrzLADbmYQaionwg5sDW3P6oaM5D3tdezXMm7z1T+B+twIDAQAB
MIC-Info: RSA-MD5,RSA,
 MmS+lC5NujlDHwNjUELz3rLoMclvZ1nv4FS4aXJun+eNFZUZDpGo2eb7jUUMOpEs
 +b8xOtqa7/rPIkNQdE7oGA==

<SEC-DOCUMENT>0001131312-07-000011.txt : 20070201
<SEC-HEADER>0001131312-07-000011.hdr.sgml : 20070201
<ACCEPTANCE-DATETIME>20070201154033
ACCESSION NUMBER: 0001131312-07-000011
CONFORMED SUBMISSION TYPE: 424B3
PUBLIC DOCUMENT COUNT: 2
FILED AS OF DATE: 20070201
DATE AS OF CHANGE: 20070201

FILER:

COMPANY DATA:
COMPANY CONFORMED NAME: XXXXX OIL & GAS
CENTRAL INDEX KEY: 0009999999
STANDARD INDUSTRIAL CLASSIFICATION: OIL AND GAS FIELD EXPLORATION SERVICES [1382]
IRS NUMBER: 200069999
STATE OF INCORPORATION: DE
FISCAL YEAR END: 1231

FILING VALUES:
FORM TYPE: 424B3
SEC ACT: 1933 Act
SEC FILE NUMBER: 333-999999
FILM NUMBER: 075999999

BUSINESS ADDRESS:
STREET 1: xxxxxxxxxxx
STREET 2: xxxxxxxxxxx
CITY: DALLAS
STATE: TX
ZIP: 9999999
BUSINESS PHONE: xxxxxxxxx

MAIL ADDRESS:
STREET 1: xxxxxxxxxx
STREET 2: xxxxxxxxxx
CITY: DALLAS
STATE: TX
ZIP: 999999
</SEC-HEADER>
<DOCUMENT>
<TYPE>424B3
<SEQUENCE>1
<FILENAME>prossup4.htm
<DESCRIPTION>SUPPLEMENT # 4
<TEXT>
<HTML>
<HEAD>
<META CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="Microsoft Word 11.0">
<TITLE>PROSSUP4</TITLE>
</HEAD>
<BODY>
<CENTER><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=1 WIDTH=1300>
<TR><TD WIDTH="43%" VALIGN="TOP">
<P ALIGN="LEFT">Prospectus Supplement No. 4</TD>
<TD WIDTH="14% "VALIGN="TOP"></TD>
<TD WIDTH="43%" VALIGN="TOP">Filed pursuant to Rule 424(b)(3)</TD>
</TR>
<TR><TD WIDTH="43%" VALIGN="TOP">
<P ALIGN="LEFT">To Prospectus dated September 26, 2006</TD>
<TD WIDTH="14% "VALIGN="TOP"></TD>
<TD WIDTH="43%" VALIGN="TOP">File No. 333-131275</TD>
</TR>
</TABLE>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">&nbsp;</P>
<P ALIGN="LEFT">&nbsp;</P>
<B><P ALIGN="CENTER">xxxxxxxxxx, INC.</P>
</B><P ALIGN="CENTER"></P>
<P ALIGN="JUSTIFY">This document supplements the prospectus dated September 26, 2006, as supplemented on November 21, 2006, December 14, 2006 and January 9, 2007, relating to the offer and sale of a minimum of 350,000 up to a maximum of 2,000,000 shares of our common stock.  This prospectus supplement is incorporated by reference into the prospectus.  This prospectus supplement is not complete without, and may not be delivered or utilized except in connection with, the prospectus, including any amendments or supplements to the prospectus.</P>
<P ALIGN="JUSTIFY"></P>
<B><U><P ALIGN="JUSTIFY">Second Closing, Continuing Offering and Subsequent Closings</P>
</B></U><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">Following the receipt and acceptance on January 26, 2007 of subscriptions in a total amount of $2,008,111 for 286,873 shares of our common stock pursuant to the terms of our offering subject of the prospectus, xxxxxx scheduled a second closing of the offering. All subscriptions subject to the accepted agreements were for cash.</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">The second closing took place on January 29, 2007. At the second closing xxxxxx issued 286,873 shares of its common stock in accordance with the instructions of the subscribers and issued instructions to the escrow agent to disburse proceeds of the subscriptions in the amount of $1,750,153 to the company. The remaining $227,578 of funds in the escrow account were distributed at the second closing to Network 1 Financial Services, Inc., the underwriter of the offering, in accordance with the terms of underwriting agreement as described at pages 16-17 of the prospectus ("PLAN OF DISTRIBUTION - Underwriting Agreement"), as follows: $111,719 in commissions, $55,859 of expense reimbursement and $60,000 in financial advisory and investment banking fees. At the second closing, xxxxxx also issued to the underwriters in accordance with the terms of the underwriting agreement, an Underwriter's Warrant to purchase 6,593 shares of xxxxx common stock at a price of $8.75 per share to be exercisable for a peri
od beginning six months after the final closing of the offering and expiring on December 28, 2009.</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">The offering with respect to the remaining 1,276,220 shares of xxxxx's common stock being offered pursuant to the prospectus will continue in accordance with the "PLAN OF DISTRIBUTION" as described at pages 16-18 of the prospectus until the receipt and acceptance of the maximum offering of 2,000,000 shares or March 26 (which date may be extended by us for up to an additional 60 days) whichever occurs first - unless earlier terminated. One or more interim closings may take place between the second and final closing. We have scheduled another closing for February 28, 2007 and have set February 16, 2007 as the date by which subscriptions must be received in order to be included in such closing, provided documentation is in order and funds received by the closing. Subscriptions received after the cutoff date which are not able to be closed on by the scheduled closing date will continue to be deposited in the xxxxx escrow account at Sterling Trust Company pending their acceptance and disbursement
 in the context of subsequent closings. Terms of the continuing offering will be the same as the terms prior to the second closing, with a per share price of $7.00 and a 100 share minimum.</P>
<P ALIGN="JUSTIFY"></P>
<B><U><P ALIGN="JUSTIFY">Market for Common Stock</P>
</B></U><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">Shares of our common stock commenced trading on the American Stock Exchange on January 3, 2007 under the ticker symbol <B>ZN</B>. Since then and through the January 29, 2007 the highest sales price was $14.05 and the lowest sales price was $7.05. See Supplement No. 2 at page 2 ("American Stock Exchange Listing and Commencement of Trading").</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">Following the second closing there are approximately 2,800 holders of record of our common stock.</P>
<P ALIGN="JUSTIFY"></P>
<B><U><P ALIGN="JUSTIFY">Use of Proceeds</P>
</B></U><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">As described above, upon our instructions at the initial closing, the escrow agent released the $2,008,111 of funds in the escrow account as follows: $227,578 to the underwriter in payment of $111,719 of commissions, $55,859 of expenses and a $60,000 financial advisory investment banking fee due underwriter in accordance with the terms of the underwriting agreement. The remaining $1,750,153 were released to the company for use by the company for the purposes and in the amounts described at pages 7-9 of the prospectus ("USE OF PROCEEDS"). These funds have been deposited in interest bearing accounts in our depository banks in the United States and xxxxx pending their use in furtherance of our plan of operations as described in the prospectus at pages 11-13 ("PLAN OF OPERATIONS AND MANAGEMENT'S DISCUSSION" "-- Basic Plan" and "-- Milestones for the Plan of Operations") and in accordance with the "USE OF PROCEEDS" section at pages 7-9 of the prospectus. </P>
<P ALIGN="JUSTIFY"></P>
<B><U><P ALIGN="JUSTIFY">Submission of Application for Asher-Menasseh Exploration License</P>
</B></U><P ALIGN="JUSTIFY"></P>
<P ALIGN="LEFT">On January 31, 2007, xxxxxx filed an application with the xxxxx Petroleum Commission for a petroleum exploration license, tentatively denominated the xxxxxxxx License, on approximately 81,000 acres north of xxxxxxx's 99,000 acre xxxxxx License. The acreage subject to application includes primarily acreage which was subject to xxxxx's xxxxxxxxxx Permit as reduced in accordance with the provisions of the xxxxxx Petroleum Law, together with a small addition of acreage abutting to the north of the lands subject to the Asher Permit. </P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">The application was submitted in accordance with the terms of xxxx's xxxx Permit, together with xxxxx's Final Report and Prospect Identification, upon the termination of the xxxxx Permit on January 31. In the context of the<FONT SIZE=3> </FONT>application, xxxxx proposed a work program to include the acquisition of 20 kilometers of new seismic lines in the xxxxxxx (xxxxx Heights) region and the drilling of a test well, tentatively designated the xxxxxxx #1, to the Triassic formation.</P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">xxxxx's application is subject to the review and approval of the xxxxx Petroleum Commissioner, in consultation with the statutory Petroleum Council. xxxx does not know when the Commissioner and Council will consider the application or what the results of such consideration will be.</P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">See  the  prospectus  at  pages  43-44  ("BUSINESS AND PROPERTIES -- Properties") and at page 45 ("--xxxxxx's Petroleum Law -- Preliminary Permit" and "-- License").</P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">A map of the lands subject to the license application overlaid on the boundaries of the xxxxx Permit and the company's xxxxxx License follows:</P>
<P ALIGN="LEFT"></P>
<P ALIGN="CENTER"><img src="image26.jpg" WIDTH=443 HEIGHT=539></P>
<P ALIGN="LEFT"></P>
<B><U><P ALIGN="JUSTIFY">Related Party Transactions</P>
</B></U><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">On January 17, 2007, following the initial closing and in accordance with its terms, we repaid Ms. xxxxxxxxx, one of our shareholders, the $75,000 outstanding principal balance outstanding under the credit facility extended by Ms. xxxxxxx to the company, together with accrued interest thereon. See prospectus at page 30 ("CERTAIN RELATIONSHIPS AND RELATED PARTY TRANSACTIONS").</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">On January 18, 2007, following approval by the Audit Committee, we repaid xxxxxxx Resources, Inc., a company owned by xxxxxxx, our Chief Executive Officer, the remaining $32,000 principal balance outstanding under a loan facility extended by xxxxx to xxxxx, together with accrued interest thereon.. See prospectus at page 28 ("CERTAIN RELATIONSHIPS AND RELATED PARTY TRANSACTIONS").</P>
<P ALIGN="JUSTIFY"></P>
<B><U><P ALIGN="JUSTIFY">Amendment to Bylaws</P>
</B></U><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">On January 24, 2007, our board of directors amended our bylaws by adding a provision clarifying that shares in xxxxxx did not have to be represented by physical certificates, but could be represented by book entries in our stock register only. Since the initial closing on December 29, 2006, our stock register is being maintained by our registrar and stock transfer agent, Registrar and Transfer Company Cranford, New Jersey.    See    prospectus at    page 38    ("DESCRIPTION OF SECURITIES    --  Amendments"    "-- Transfer Agent and Registrar").</P>
<P ALIGN="JUSTIFY"></P>
<B><U><P ALIGN="JUSTIFY">Modification of the Subscription Agreement</P>
<P ALIGN="JUSTIFY"></P>
</B></U><P ALIGN="JUSTIFY">The subscription agreement has been amended to read as shown on the two pages following this one.</P>
<P ALIGN="JUSTIFY"></P>
<B><P ALIGN="JUSTIFY">Investing in our common stock is very risky.  See "Risk Factors" commencing at page 2 of the prospectus to read about the risks that you should consider before buying shares of our stock.</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">Neither the U.S. Securities and Exchange Commission nor any state securities commission has approved or disapproved of these securities or determined if the prospectus or any prospectus supplement is truthful or complete.  Any representation to the contrary is a criminal offense.</P>
<P ALIGN="LEFT"></P>
</B><P ALIGN="CENTER">The date of this prospectus supplement is February 1, 2007.</P>
<P ALIGN="LEFT"></P>
<HR>
<B><I><FONT FACE="Wide Latin" SIZE=4><P ALIGN="CENTER">xxxx&amp; Gas, Inc.</P>
</I></FONT><FONT SIZE=3><P ALIGN="CENTER">REVISED SUBSCRIPTION AGREEMENT (and Substitute IRS Form W-9)</P>
<P ALIGN="CENTER">&nbsp;</P>
</FONT><U><FONT SIZE=1><P ALIGN="JUSTIFY">INVESTOR PROFILE:  (Please completely fill all items below)</P></B></U></FONT>
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=680>
<TR><TD VALIGN="TOP">
<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">TITLE OF ACCOUNT__________________________________________________________________________________________</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">MAIL ADDRESS (Street, City, State, Zip)__________________________________________________________________________</P>
<P ALIGN="RIGHT">                                                                                                                                                              </P>
<P ALIGN="JUSTIFY">NAME OF BENEFICIAL OWNER/PURCHASER___________________________________________________________________</P>
<P ALIGN="JUSTIFY">                                                                                                                                                                                           How many years at home address?____</P>

<P ALIGN="JUSTIFY">HOME (BENEFICIAL) ADDRESS                                                                                                                              </P>
<P ALIGN="JUSTIFY">(If different from mail address)____________________________________________________________________________________</P>
<P ALIGN="JUSTIFY"></P>
</B><P ALIGN="JUSTIFY">Under Federal Law, we are now required to obtain photo identification of investors.  Please indicate below and attach to this subscription form the identification you are providing (by filling in the ID number).  Your photo information will remain strictly confidential and will not be used for any purpose other than your purchase of Shares.  </P>
<B><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">PASSPORT #______________ or DRIVER'S LICENSE #_________________ STATE____ or  OTHER:_________#___________</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="LEFT">DATE OF BIRTH ______________ SS# or TAX ID#_______________ MARITAL STATUS________ # OF DEPENDENTS____</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="LEFT">PHONE: (W)__________________________(H) _________________________________ (M) _______________________________   </P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">EMAIL:______________________________________________________________________________________________________</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="LEFT">EMPLOYER  _____________________________________ BUSINESS________________ POSITION _______________#YRS___</P>
</B><P ALIGN="LEFT"></P>
<B><P ALIGN="LEFT">ANNUAL INCOME ______________ NET WORTH _____________ LIQUID NET WORTH _____________TAX RATE____%</P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">PRINCIPAL BANK NAME ______________________________________INVESTMENT EXPERIENCE (# OF YEARS) ______</P>
</B><P ALIGN="LEFT">(All the financial information above is required by the Patriot Act and new rules of the National Association of Securities Dealers.)</FONT></TD>
</TR>
</TABLE>

<FONT SIZE=1><P ALIGN="JUSTIFY"></P>
<B><U><P ALIGN="JUSTIFY">JOINT INVESTOR: (Fill out if applicable)</P></B></U></FONT>
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=679>
<TR><TD VALIGN="TOP">
<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">PASSPORT #______________ or DRIVER'S LICENSE #_________________ STATE____ or  OTHER:_________#__________</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="LEFT">DATE OF BIRTH ______________ SS# or TAX ID#__________________ EMAIL_______________________________________</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="LEFT">EMPLOYER  _____________________________________ BUSINESS________________ POSITION _______________#YRS___</B></FONT></TD>
</TR>
</TABLE>

<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">INVESTMENT:&#9;&#9;&#9;&#9;&#9;&#9;&#9;WIRE TRANSFER (Instructions on reverse side)</P></B></FONT>
<P ALIGN="CENTER"><CENTER><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=675>
<TR><TD WIDTH="54%" VALIGN="TOP">
<FONT SIZE=1><P ALIGN="LEFT"></P>
<P ALIGN="LEFT">Shares Purchased ____________ Dollar Amount $___________</P>
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="LEFT"></P>
<P ALIGN="LEFT">5</FONT><FONT SIZE=1> Initial Purchase  </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> 2nd  </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> 3rd  </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> 4th   </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> 5th  </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> __th</P>
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="LEFT"></P>
<P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> CHECK ENCLOSED            CHECK NUMBER ________</FONT></TD>
<TD WIDTH="46%" VALIGN="TOP">
<FONT SIZE=1><P ALIGN="LEFT"></P>
<P ALIGN="LEFT">SENDING BANK ___________________________</P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">City_______________ST___Phone_____________</P>
<P ALIGN="LEFT"></P>
<P ALIGN="JUSTIFY">WIRE #_________________DATE SENT _______</FONT></TD>
</TR>
</TABLE>
</CENTER></P>

<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P>
<U><P ALIGN="JUSTIFY">CERTIFICATE DELIVERY ELECTION </B>(Please choose one of the three following options)<B>:</P>
</B></U></FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><B><FONT SIZE=1> PHYSICAL DELIVERY:  </B>Please<B> </B>deliver the physical certificate representing my Shares to the mailing address above.</P>
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><B><FONT SIZE=1> NETWORK 1 ACCOUNT: </B>Please send me documents to open a Network 1 account and electronically deposit my Shares with the transfer agent so they can be transferred into such an account after being issued. </P>
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><B><FONT SIZE=1> OTHER BROKER ACCOUNT: </B>Please send my Shares to my brokerage account:</P>
<P ALIGN="JUSTIFY">  </P>
<P ALIGN="JUSTIFY">  FIRM NAME_________________________________Address__________________________City_______________ST____Zip______</P>
<P ALIGN="JUSTIFY">  NAME ON MY ACCOUNT_________________________________________________________ACCT#_____________</P>
<B><U><P ALIGN="LEFT"></P>
<HR>
<P ALIGN="LEFT">xxxxxx OIL &amp; GAS, INC. Subscription Agreement...Page 2</P>
<P ALIGN="JUSTIFY"></P>
<P ALIGN="JUSTIFY">ACCOUNT CLASSIFICATION</U>:  </P>
</B></FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> INDIVIDUAL&#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> JTWROS &#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> ESTATE  </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> IRA/KEOGH&#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> TEN COM&#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> CORP (Supply corp resolution)</P>
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> CUST/UGMA (STATE:_______)   </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> TRUST (Supply trust agreement)&#9;</FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> PARTNERSHIP (Supply partnership agreement)</P>
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> OTHER:______________________________ (e.g. Investment Club, Sole Proprietor, Non-profit, Pension Plan, Profit Sharing Plan)</P>
</FONT><FONT FACE="Wingdings 2" SIZE=1><P ALIGN="JUSTIFY">5</FONT><FONT SIZE=1> IF FIDUCIARY, STATE NAMES OF PRINCIPAL OFFICERS:_______________________________________________________</P>
<B><U><P ALIGN="LEFT">&nbsp;</P>
<P ALIGN="JUSTIFY">ARE YOU A U.S. CITIZEN?  </B></U></FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1>YES     </FONT><FONT FACE="Wingdings 2" SIZE=1>5</FONT><FONT SIZE=1> NO                IF NO, PLEASE INDICATE COUNTRY:<B><U> </B></U>___________________________</P>
<P ALIGN="JUSTIFY"></P>
<B><P ALIGN="JUSTIFY">BROKER-DEALER/REGISTERED REPRESENTATIVE DATA </B>(broker-dealer use only)<B>: </P></B></FONT>
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=696>
<TR><TD VALIGN="TOP">
<FONT SIZE=1><P ALIGN="LEFT"></P>
<P ALIGN="LEFT">Broker-Dealer NASD Firm Name: ________________________ Registered  Representative:_____________________________________</P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">Address: _______________________________________ Phone:______________Email:________________________________________</FONT></TD>
</TR>
</TABLE>

<B><FONT SIZE=1><P ALIGN="LEFT"></P>
</FONT><FONT FACE="Times" SIZE=1><P ALIGN="LEFT">IRS FORM W-9 CERTIFICATION: &#9;&#9;&#9;</P></B></FONT>
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=696>
<TR><TD VALIGN="TOP">
<FONT SIZE=1><P ALIGN="LEFT">Under penalties of perjury, I certify that:</P>
<OL>

<P ALIGN="LEFT"><LI>The Internal Revenue Service does not require your consent to any provision of this document other than the certifications required to avoid backup withholding;</LI></P>
<P ALIGN="LEFT"><LI>The number shown on this form is my correct taxpayer identification number, and I am not subject to backup withholding because: (a) I am exempt from backup withholding; (b) I have not been notified by the Internal Revenue Service (<B>IRS</B>) that I am subject to backup withholding as a result of a failure to report; or (c) the (<B>IRS</B>) has notified me that I am no longer subject to backup withholding; and</LI></P>
<P ALIGN="LEFT"><LI>I am a U.S. person (including a U.S. resident alien).</LI></P></OL>

<B><P ALIGN="LEFT">The Internal Revenue Service does not require your consent to any provision of this document other than the certifications required to avoid backup withholding</B>.  If exempt, indicate type of entity:______________</FONT></TD>
</TR>
</TABLE>

<B><FONT SIZE=1><P ALIGN="JUSTIFY"></P>
<U><P ALIGN="LEFT">PURCHASE AGREEMENT:</P>
</B></U><P ALIGN="JUSTIFY">The Investor named above, by payment of <U>a wire transfer or check payable to</U> <B>xxxxxx &amp; GAS ESCROW ACCOUNT</B>, hereby subscribes for shares of common stock, $.01 par value ("the Shares") indicated above (minimum purchase of 100 shares at a purchase price of $7.00 per Share) of xxxxxxx &amp; Gas, Inc. If the dollar amount and number of Shares do not match, the dollar amount shall govern.  No fractional Shares shall be purchased and any excess funds representing fractional Shares shall be returned to the Investor. By such payment, the named Investor acknowledges receipt of the Prospectus and any supplements, the terms of which govern the investment in the Shares.   <B>The date of this agreement is:</B> ______________.</P>
<P ALIGN="JUSTIFY"></P>
<B><U><P ALIGN="JUSTIFY">SIGNATURES</B>:</U> By signing below, I/we represent that I/we have relied on the information set forth in the Prospectus, as and if amended or supplemented and free writing prospectuses on file with the Securities and Exchange Commission, and on no other statement whatever, whether written or oral.   The information set forth above (including the IRS Form W-9 Certification and SS# or Tax ID#) is true and correct.</P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">Signatures - Registered Owner: ________________-____________&#9;Co-Owner: _________________________________</P>
<P ALIGN="LEFT">&nbsp;</P>
<P ALIGN="LEFT">PRINTED NAME(S):____________________________________&#9;&#9;    __________________________________</P>
<B><U><P ALIGN="LEFT"></P>
<P ALIGN="LEFT">ACCEPTANCE--xxxxxxx &amp; GAS, INC. </U>  &#9;</B>Signature:_________________________________________________ </P>
<P ALIGN="LEFT"></P>
<P ALIGN="LEFT">&#9;&#9;&#9;&#9;&#9;&#9;&#9; Name:________________________Title_____________Date_______</P>
<B><U><P ALIGN="LEFT"></P>
<P ALIGN="LEFT">SUBMITTAL INSTRUCTIONS:</P></B></U></FONT>
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=7 WIDTH=686>
<TR><TD WIDTH="48%" VALIGN="TOP">
<B><FONT SIZE=1><P ALIGN="LEFT">Subscription Agreements and Checks (payable to xxxxxxx &amp; Gas Escrow Account).....Send to:</P>
</B><P ALIGN="LEFT">     xxxxxxxxxxxxx, Inc.,  </P>
<P ALIGN="LEFT">     Corporate Securities Department</P>
<P ALIGN="LEFT">     xxxxxxxxxxxxxxx, </P>
<P ALIGN="LEFT">     xxxxxxxxxxxxxxx</P>
<P ALIGN="LEFT">     Phone xxxxxxxxxxxx  Fax xxxxxxxxxxxxx  </FONT></TD>
<TD WIDTH="52%" VALIGN="TOP">
<B><FONT SIZE=1><P ALIGN="LEFT">Wire Transfers:</P>
<P ALIGN="LEFT"></P>
</B><P ALIGN="LEFT">     xxxxxxxx, xxxxxx, xx</P>
<P ALIGN="LEFT">     ABA Routing No. xxxxxxxxxx</P>
<P ALIGN="LEFT">     Account No. xxxxxxxxx </P>
<P ALIGN="LEFT">     Acct: xxxxxxxxxxx. </P>
<P ALIGN="LEFT">               FBO: xxxxxxxxxxxx Escrow Acct</FONT></TD>
</TR>
</TABLE>

<P ALIGN="LEFT"></P>
<P ALIGN="LEFT"></P></BODY>
</HTML>
</TEXT>
</DOCUMENT>
<DOCUMENT>
<TYPE>GRAPHIC
<SEQUENCE>2
<FILENAME>image26.jpg
<DESCRIPTION>GRAPHIC FOR SUPPLEMENT # 4
</DOCUMENT>
</SEC-DOCUMENT>
-----END PRIVACY-ENHANCED MESSAGE-----




Tuesday, December 1, 2015

Privacy, Breadcrumbs and Personally identifiable information (PII)



I am reading “Programming Windows Store Apps with HTML and CSS by Kraig Brockschmidt. It’s a good book and better still you can get the ebook/pdf version for free (http://blogs.msdn.com/b/microsoft_press/archive/2012/10/29/free-ebook-programming-windows-8-apps-with-html-css-and-javascript.aspx).

The author Kraig Brockschmidt has a section about adding code to a demo app (Here my AM!) to share a photo and a geo location.  I came onto the following text (“And if you still think I’ve given you coordinates to my house, the ones shown here will send you some miles down the road where you’ll make a fine acquaintance with the Tahoe National Forest.”). His newer version of the book he has his house coordinates blurred out so we can’t see them.

Let’s look at his remark and see how true it is from a privacy perspective. First is what do we actual know.

* His name Kraig Brockschmidt.
* A good guess is he works for Microsoft Software.
* We know he lives close to Tahoe National Forest.
* A quick look up in Google/Bing we see that the main address for Tahoe National Forest  is Lake Tahoe, CA 96140.
* We now know that another good guess is he lives in the state of California.

Now lets go back to our favorite search tool and see how difficult it is to learn what Kraig’s physical address is since he won’t give us his geo coordinates to his house. Maybe we want to borrow a cup of sugar and share some Microsoft love,

First we can just search for his name and state to see what we get.  Our first entry in our results list is a web site (http://www.kraigbrockschmidt.com) a quick look around and we know its Kraig’s web site. We can see references to California and his books.  On his about-page we see a reference to that he and his wife moved to Nevada City, CA in 2011. So now we know his state, and city.

Using his own web site, LinkedIn and O’Reilly we see that his current employer is Microsoft Software as a program manager.

So now we have his city, state and employer. We just need to get his physical house address. Not to worry a quick web search and we will be at his house in a few minutes to borrow that cup of sugar.

We can use http://www.zabasearch.com (zaba search can be totally free if you sign in using Facebook) or if we want we can use a paid service like http://www.intelius.com/. Now we have his physical house address and phone number.

I am not going to post his actual home address or his phone number in this blog post. I just look and I have enough sugar so I don’t need to borrow a cup.
Unfortunately what works to find Kraig’s home address also works to find my home address, I also check on a few friends living in Owasso, Depew Ok and I was quickly able to get their home addresses and phone numbers.

The issue here is a hard one to solve. We want to be connected to people. Easiest way is using the Internet.  We want and need the Internet to help with our own personal branding. We need and want to show our professional work. Some of us want to discuss our spiritual paths, political views, etc. with friends and others. That causes us grief since one web site may not give a view of who we are but we leave enough breadcrumbs for sites like ZABA Search and state and federal government web sites to collect data on us. Remember we don't want our physical address known to everyone on the Internet but we do want police, fire services to be able to quickly find us.

We find ourselves in an uncomfortable position of wanting to control what we can’t.

Not just our physical addresses are hard to keep private but other personal information is under attack as well. Researchers using Facebook found with remarkable accuracy( 93% to 95% ), based on what we mark as likes on Facebook that a wide variety of our personal attributes, from sexual orientation, race, age, political affiliation to intelligence can be predicted.

See (http://www.pnas.org/content/110/15/5802.full.pdf) and you can also go to (http://applymagicsauce.com/test.html) to become part of the study.

These new predictive algorithms are only going to improve in the future. Not just Facebook but also Google, Bing, Yahoo, Amazon and others are paying for predictive algorithm research so businesses can sell us more products and services.

So what is the solution? I don’t know. We want our information out there and businesses are finding more and more ways to get it and to use it. We ourselves give away information for perceived and real benefits like being able to search without paying for Bing or Google or getting good deal on products and services. By leaving breadcrumbs on the Internet and with public data we that we have already provided the ability for someone to build an accurate profile on us is real. 

My recommendation is to pay attention to what you are doing. One example is by default our likes on Facebook is public knowledge. You can in Facebook settings is make this information private. This makes you in charge of your own information. I am not going to kid you; this is not an easy task. You are on a slippery slope and no matter what you do some information on you is always going to be publicly available.

Additional information...
* http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
* https://www.cs.utexas.edu/~shmat/shmat_cacm10.pdf
* http://itlaw.wikia.com/wiki/Personally_identifiable_information

Sunday, August 17, 2014

UnHandled exceptions and secure coding

We all want our programs to run with explicit control doing exactly what the user or other processes needs. But as we know that does not always happen. This has cause the rise of several large components of software development, Quality Assurance (QA) testing, Test Driven Design (TDD), etc. These processes try to identify all the reasons why a program may fail. Never less even with these processes programs fail for many reasons.

This weekend I went to one of my favorite web sites (www.movies.com) to look for a movie to watch. I click on one of the controls and I received an exception. This is a major Internet site. I hope nothing bad comes of this for movies.com but this is not a good thing for a major web site. movies.com gets about 15,000 users a month to visit their site and is rank as 3,152 for top sites by daily users and page views. To see the exception that prompted this blog post scroll to the bottom of this post.

One of the principals of secure programming is to fail securely. Many programmers simple do not look at exception handling as part of secure coding. One of my favorite sayings is “An error message to a cyber criminal, is like a bone to a dog; something good to chew.”

Exceptions throw out a lot of very useful information; file paths, database names, database table names, server names, program names, module names, line numbers, etc. All of this information is very helpful to developers at 3:00am in the morning trying to debug a production issue. The same information is also helpful to a cyber criminal. Many forms of attack require knowing or guessing locations of files, with exception information being out in the open you are reducing the time and guessing the bad guy needs to find a vulnerability to enter your application it also provides a red flag to the bad guys that something is amiss here and maybe this is a good place to start for something bad to happen at your organization.

All exceptions need to be caught and sanitized before propagating them to upstream callers and or displaying them.

A few suggestions on exception handling in a more secure way.

  1. Log your exceptions; remember to sanitize what you log. Never log passwords, or other highly sensitive information. Look closely at user input to make sure you really need to log that information.
  2. Display an error message to the user to know something is wrong with the application. The programmer needing the error information at 3am in the morning should be trained to know where to look for additional error information in a log.
  3. Cleanup state if the application is going to fail. Cleanup often involves reclaiming of resources, rolling back of transactions or some combination of these two among others. Some of this can be automated. Make sure the entire cleanup mechanism is also tested in QA.
  4. Fail-secure should be part of the application design and included as part of the functional specification and not left to individual implementers.
  5. Make sure programmers are not using the anti-pattern of “exception swallowing”


Summary:

How your application will fail-secure should be part of the design document and reviewed early in the lifecycle. Use the programming framework to detect an exception and then augmented the frameworks exception handling with activities that are performed after the system has detected the exception.

Carefully consider the content of error messages displayed to the user. This is to ensure that those messages cannot be used to launch a more serious attack.

Finally, a process should be in place that ensures that all errors and exceptions are logged and audited periodically to detect and potentially prevent any malicious activity that appears in the audit trail and no confidential information is being logged.


References:
https://www.owasp.org/index.php/Secure_Coding_Principles#Fail_securely
http://msdn.microsoft.com/en-us/magazine/cc188938.aspx
http://www.oracle.com/technetwork/java/seccodeguide–139067.html
http://en.wikipedia.org/wiki/Error_hiding



Exception: www.movies.com
Server Error in ‘/’ Application.
1. In GetTheaterShowTimes()

2. Passed movieId: 

3. Passed zipCode: 74012

6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012

7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012

10. forceRetrieve = True

11. resultsDoc == null? False

12. Trying to get results from file system!


Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace:    at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
  at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)
  at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)
  at System.Xml.XmlTextReaderImpl.ParseElementContent()
  at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)
  at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
  at System.Xml.XmlDocument.Load(XmlReader reader)
  at System.Xml.XmlDocument.Load(String filename)
  at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254
  at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372 Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.


Exception Details: System.ApplicationException:
1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False 1
2. Trying to get results from file system!
Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace:    at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)   at System.Xml.XmlTextReaderImpl.ParseElementContent()   at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)   at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)   at System.Xml.XmlDocument.Load(XmlReader reader)   at System.Xml.XmlDocument.Load(String filename)   at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254   at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372


Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace: [ApplicationException:

1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7. and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False 12. Trying to get results from file system!

Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace: at System.Xml.XmlTextReaderImpl.Throw(String res, String arg) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type) at System.Xml.XmlTextReaderImpl.ParseElementContent() at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace) at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc) at System.Xml.XmlDocument.Load(XmlReader reader) at System.Xml.XmlDocument.Load(String filename) at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254 at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372] Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:649 Mdc.Movie.Presentation.TheaterSelectionPage.OnLoad(EventArgs e) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.Presentation\TheaterSelectionPage.aspx.cs:529 System.Web.UI.Control.LoadRecursive() +71 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3178


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446

Thursday, June 12, 2014

Privacy

Here is a good definition of privacy...

An individuals’ ability to determine how much, to whom, and when / for how long Information about themselves is revealed.

Here is another definition...
The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.

I think the first definition cuts to the heart of the matter a little quicker with a more simple and accessible definition.  


Tuesday, June 10, 2014

Privacy and the internet

A lot has been in the media recently about encrypting emails using gmail. But email isn't the only thing being looked at concerning your privacy. I decided for this blog post two show two inforgraphics. I have already talked about this subject in several blog post but showing the same information again on an important subject can't hurt.


Internet Privacy Tips Statistics 2014This Infographic was published on AnsonAlex.com

Here is the last Inforgraphic on Privacy I have for this blog post.

Sunday, May 11, 2014

Tulsa School of Dev



Don't forget May 16. OUS downtown campus free training. An all day event. For more information go to ...http://tulsaschoolofdev.com

Client Side Coding - JavaScript

JavaScript has several known security vulnerabilities. Now with HTML5 and JavaScript becoming more prevalent in web sites today and with more web sites moving to responsive web design with its dependence on JavaScript the developer needs to understand what vulnerabilities to look for.

The most significant vulnerabilities in JavaScript is cross-site scripting (XSS) and Document Object Model, DOM-based XSS.

Detection of DOM-based XSS can be challenging. This is cause by the following reasons.

• JavaScript is often obfuscated to protect intellectual property.
• JavaScript is often compressed out of concerned for bandwidth.

In both of these cases it is strongly recommended the code reviewer, and QA be able to review the JavaScript before it has been obfuscated and or compressed.

Another aspect that makes code review of JavaScript challenging is its reliance of large frameworks such as Microsoft .Net and Java Server Faces and the use of JavaScript frameworks, such as JQuery, Knockout, Angular, Backbone. These frameworks aggravate the problem because the code can only be fully analyzed given the source code of the framework itself. These frameworks are usually several orders of magnitude larger then the code the code reviewer needs to review. Because of time and money most companies simple accept that these frameworks are secure or the risks are low and acceptable to the organization.

Because of these challenges we recommend a hybrid analysis for JavaScript. Manual source to sink validation when necessary, static analysis with black-box testing and taint testing.

First use a static analysis. Developers, Code Reviewers and the organization needs to understand that because of event-driven behaviors, complex dependencies between HTML DOM and JavaScript code, and asynchronous communication with the server side static analysis will always fall short and may show both positive, false, false–positive, and positive-false findings.

Black-box traditional methods detection of reflected or stored XSS needs to be preformed. However this approach will not work for DOM-based XSS vulnerabilities.

Taint analysis needs to be incorporated into static analysis engine. Taint Analysis attempts to identify variables that have been ‘tainted’ with user controllable input and traces them to possible vulnerable functions also known as a ‘sink’. If the tainted variable gets passed to a sink without first being sanitized it is flagged as vulnerability.

Second the developers, QA needs to be certain the code was tested with JavaScript was turned off to make sure all client sided data validation was also validated on the server side.

Code examples of JavaScript vulnerabilities.

<html>
<script type=”text/javascript”>
var pos=document.URL.indexOf(“name=”)+5;
document.write(
document.URL.substring(pos,document.URL.length));
</script>
<html>

Explanation: An attacker can send a link such as “http://hostname/welcome.html#name=<script>bad code here</script>" to the victim resulting in the victim’s browser executing the injected client-side code.

Another example:

  1. var url = document.location.url;
  2. var loginIdx = url.indexOf(‘login’);
  3. var loginSuffix = url.substring(loginIdx);
  4. url = ‘http://mySite/html/sso/’ + loginSuffix;
  5. document.location.url = url;
Line 5 may be a false-positive and prove to be safe code or it may be open to “Open redirect attack” with taint analysis the static analysis should be able to correctly identified if this vulnerability exists.

If static analysis relies only on black-box component this code will have flagged as vulnerable requiring the code reviewer to do a complete source to sink review.

References:



  • http://docstore.mik.ua/orelly/web/jscript/ch20_04.html 
  • https://www.owasp.org/index.php/CRV2_SourceSinkRev
  • https://www.owasp.org/index.php/CRV2_CanStaticAnalyzersDoAll
  • https://www.owasp.org/index.php/Static_Code_Analysis
  • http://www.cs.tau.ac.il/~omertrip/fse11/paper.pdf
  • http://www.jshint.com/about/ https://github.com/mozilla/doctorjs