Sunday, August 17, 2014

Unhandled exceptions and secure coding

We all want our programs to run under explicit control, doing exactly what the user or other processes need. But as we know, that does not always happen. This has caused the rise of several large components of software development: Quality Assurance (QA) testing, Test Driven Design (TDD), etc. These processes try to identify all the reasons why a program may fail. Nevertheless, even with these processes, programs fail for many reasons.

This weekend I went to one of my favorite web sites (www.movies.com) to look for a movie to watch. I clicked on one of the controls and I received an exception. This is a major Internet site. I hope nothing bad comes of this for movies.com, but this is not a good thing for a major web site. movies.com gets about 15,000 users a month visiting its site and is ranked 3,152 among top sites by daily users and page views. To see the exception that prompted this blog post, scroll to the bottom of this post.

One of the principles of secure programming is to fail securely. Many programmers simply do not look at exception handling as part of secure coding. One of my favorite sayings is “An error message to a cyber criminal is like a bone to a dog; something good to chew.”

Exceptions throw out a lot of very useful information: file paths, database names, database table names, server names, program names, module names, line numbers, etc. All of this information is very helpful to developers at 3:00am trying to debug a production issue. The same information is also helpful to a cyber criminal. Many forms of attack require knowing or guessing the locations of files; with exception information out in the open you are reducing the time and guesswork the bad guy needs to find a vulnerability to enter your application. It also provides a red flag to the bad guys that something is amiss here, and that this may be a good place to start for something bad to happen at your organization.

All exceptions need to be caught and sanitized before propagating them to upstream callers and/or displaying them.

A few suggestions on handling exceptions in a more secure way:

  1. Log your exceptions, but remember to sanitize what you log. Never log passwords or other highly sensitive information. Look closely at user input to make sure you really need to log that information.
  2. Display an error message to the user so they know something is wrong with the application. The programmer needing the error information at 3am should be trained to know where to look for additional error information in a log.
  3. Clean up state if the application is going to fail. Cleanup often involves reclaiming resources, rolling back transactions, or some combination of these two among others. Some of this can be automated. Make sure the entire cleanup mechanism is also tested in QA.
  4. Fail-secure should be part of the application design and included as part of the functional specification, not left to individual implementers.
  5. Make sure programmers are not using the anti-pattern of “exception swallowing”.


Summary:

How your application will fail-secure should be part of the design document and reviewed early in the lifecycle. Use the programming framework to detect an exception, and then augment the framework's exception handling with activities that are performed after the system has detected the exception.

Carefully consider the content of error messages displayed to the user. This is to ensure that those messages cannot be used to launch a more serious attack.

Finally, a process should be in place that ensures that all errors and exceptions are logged and audited periodically, to detect and potentially prevent any malicious activity that appears in the audit trail and to ensure no confidential information is being logged.


References:
https://www.owasp.org/index.php/Secure_Coding_Principles#Fail_securely
http://msdn.microsoft.com/en-us/magazine/cc188938.aspx
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
http://en.wikipedia.org/wiki/Error_hiding



Exception: www.movies.com
Server Error in ‘/’ Application.
1. In GetTheaterShowTimes()

2. Passed movieId: 

3. Passed zipCode: 74012

6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012

7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012

10. forceRetrieve = True

11. resultsDoc == null? False

12. Trying to get results from file system!


Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace:    at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
  at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)
  at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)
  at System.Xml.XmlTextReaderImpl.ParseElementContent()
  at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)
  at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
  at System.Xml.XmlDocument.Load(XmlReader reader)
  at System.Xml.XmlDocument.Load(String filename)
  at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254
  at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372 Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.


Exception Details: System.ApplicationException:
1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False
12. Trying to get results from file system!
Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace:    at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)   at System.Xml.XmlTextReaderImpl.ParseElementContent()   at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)   at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)   at System.Xml.XmlDocument.Load(XmlReader reader)   at System.Xml.XmlDocument.Load(String filename)   at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254   at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372


Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


Stack Trace: [ApplicationException:

1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7. and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False
12. Trying to get results from file system!

Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.Error Source: System.XmlError StackTrace: at System.Xml.XmlTextReaderImpl.Throw(String res, String arg) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos) at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type) at System.Xml.XmlTextReaderImpl.ParseElementContent() at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace) at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc) at System.Xml.XmlDocument.Load(XmlReader reader) at System.Xml.XmlDocument.Load(String filename) at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254 at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372] Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:649 Mdc.Movie.Presentation.TheaterSelectionPage.OnLoad(EventArgs e) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.Presentation\TheaterSelectionPage.aspx.cs:529 System.Web.UI.Control.LoadRecursive() +71 System.Web.UI.Page.ProcessRequestMain(Boolean 
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3178


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446

Thursday, June 12, 2014

Privacy

Here is a good definition of privacy...

An individual's ability to determine how much, to whom, and when / for how long information about themselves is revealed.

Here is another definition...
The right to privacy is our right to keep a domain around us, which includes all those things that are part of us, such as our body, home, property, thoughts, feelings, secrets and identity. The right to privacy gives us the ability to choose which parts in this domain can be accessed by others, and to control the extent, manner and timing of the use of those parts we choose to disclose.

I think the first definition cuts to the heart of the matter a little quicker, with a simpler and more accessible definition.


Tuesday, June 10, 2014

Privacy and the internet

A lot has been in the media recently about encrypting emails using Gmail. But email isn't the only thing being looked at concerning your privacy. I decided for this blog post to show two infographics. I have already talked about this subject in several blog posts, but showing the same information again on an important subject can't hurt.


[Infographic: Internet Privacy Tips Statistics 2014, published on AnsonAlex.com]

Here is the last infographic on privacy I have for this blog post.

Sunday, May 11, 2014

Tulsa School of Dev



Don't forget May 16: OUS downtown campus, free training, an all-day event. For more information go to http://tulsaschoolofdev.com

Client Side Coding - JavaScript

JavaScript has several known security vulnerabilities. With HTML5 and JavaScript becoming more prevalent in web sites today, and with more web sites moving to responsive web design with its dependence on JavaScript, the developer needs to understand what vulnerabilities to look for.

The most significant vulnerabilities in JavaScript are cross-site scripting (XSS) and Document Object Model (DOM)-based XSS.

Detection of DOM-based XSS can be challenging, for the following reasons:

• JavaScript is often obfuscated to protect intellectual property.
• JavaScript is often compressed out of concern for bandwidth.

In both of these cases it is strongly recommended that the code reviewer and QA be able to review the JavaScript before it has been obfuscated and/or compressed.

Another aspect that makes code review of JavaScript challenging is its reliance on large frameworks such as Microsoft .NET and Java Server Faces, and the use of JavaScript frameworks such as jQuery, Knockout, Angular and Backbone. These frameworks aggravate the problem because the code can only be fully analyzed given the source code of the framework itself. These frameworks are usually several orders of magnitude larger than the code the reviewer needs to review. Because of time and money, most companies simply accept that these frameworks are secure, or that the risks are low and acceptable to the organization.

Because of these challenges we recommend a hybrid analysis for JavaScript: manual source-to-sink validation when necessary, static analysis combined with black-box testing, and taint testing.

First, use static analysis. Developers, code reviewers and the organization need to understand that because of event-driven behaviors, complex dependencies between the HTML DOM and JavaScript code, and asynchronous communication with the server side, static analysis will always fall short, and its findings will be a mix of true positives, false positives and false negatives.

Traditional black-box detection methods for reflected or stored XSS need to be performed. However, this approach will not work for DOM-based XSS vulnerabilities.

Taint analysis needs to be incorporated into the static analysis engine. Taint analysis attempts to identify variables that have been ‘tainted’ with user-controllable input and traces them to possibly vulnerable functions, also known as ‘sinks’. If a tainted variable gets passed to a sink without first being sanitized, it is flagged as a vulnerability.

Second, the developers and QA need to be certain the code was tested with JavaScript turned off, to make sure all client-side data validation is also performed on the server side.

Code examples of JavaScript vulnerabilities.

<html>
<!-- Vulnerable: whatever follows "name=" in the URL is written into the page as HTML. -->
<script type="text/javascript">
var pos = document.URL.indexOf("name=") + 5;
document.write(
  document.URL.substring(pos, document.URL.length));
</script>
</html>

Explanation: An attacker can send a link such as "http://hostname/welcome.html#name=<script>bad code here</script>" to the victim, resulting in the victim's browser executing the injected client-side code.

Another example:

  1. var url = document.location.href;            // source: URL the user (or attacker) controls
  2. var loginIdx = url.indexOf('login');
  3. var loginSuffix = url.substring(loginIdx);
  4. url = 'http://mySite/html/sso/' + loginSuffix;
  5. document.location.href = url;                 // sink: redirect
Line 5 may be a false positive and prove to be safe code, or it may be open to an “open redirect” attack; with taint analysis, the static analyzer should be able to correctly identify whether this vulnerability exists.

If the static analysis relies only on a black-box component, this code will be flagged as vulnerable, requiring the code reviewer to do a complete source-to-sink review.
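Both snippets above with their sinks hardened, as an added example that is not part of the original post: the fragment value is parsed with the URL API and HTML-escaped before it reaches the page, and the redirect suffix is resolved against the fixed SSO base and refused unless it stays on that origin and under that path. It assumes Node.js (the URL API only, no DOM, so it runs stand-alone); SSO_BASE is the base from the second snippet, and the function names are mine.

```javascript
// Added example, not from the original post: hardened versions of the two
// vulnerable snippets. Pure functions so they run under Node; in a page you
// would assign the results to element.textContent and location.href.

// Source: read a named value from the URL fragment ("#name=...") with the URL
// API instead of indexOf/substring arithmetic. Returns null when absent.
function getFragmentParam(urlString, name) {
  const url = new URL(urlString);
  return new URLSearchParams(url.hash.slice(1)).get(name); // hash includes '#'
}

// Escape for an HTML text context so a tainted value cannot break out of the
// text node it is rendered into (replaces document.write of the raw value).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// First snippet, sink made safe: the output is escaped text, never markup.
function renderWelcome(urlString) {
  const name = getFragmentParam(urlString, 'name');
  return name === null ? 'Welcome!' : `Welcome, ${escapeHtml(name)}!`;
}

// Second snippet, redirect target constrained. The suffix taken from the URL
// is resolved against the fixed base; anything that ends up on another origin
// (e.g. a "login:" scheme) or outside the SSO path (e.g. "login/../../x") is
// refused rather than followed.
const SSO_BASE = 'http://mySite/html/sso/'; // the base used in the original snippet

function safeSsoRedirect(currentUrl) {
  const idx = currentUrl.indexOf('login');
  if (idx === -1) return null;
  const suffix = currentUrl.substring(idx);
  let target;
  try {
    target = new URL(suffix, SSO_BASE);
  } catch (e) {
    return null; // unparsable: no redirect at all
  }
  const base = new URL(SSO_BASE);
  if (target.origin !== base.origin || !target.pathname.startsWith(base.pathname)) {
    return null;
  }
  return target.href;
}
```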

References:

  • http://docstore.mik.ua/orelly/web/jscript/ch20_04.html
  • https://www.owasp.org/index.php/CRV2_SourceSinkRev
  • https://www.owasp.org/index.php/CRV2_CanStaticAnalyzersDoAll
  • https://www.owasp.org/index.php/Static_Code_Analysis
  • http://www.cs.tau.ac.il/~omertrip/fse11/paper.pdf
  • http://www.jshint.com/about/
  • https://github.com/mozilla/doctorjs

Saturday, March 8, 2014

OWASP Wins SC Magazine 2014 Editor's Choice Award


On Tuesday, February 25th, OWASP was awarded the 2014 SC Magazine Editor’s Choice award. This was the final award of the evening and was presented directly by Illena Armstrong, VP, editorial, SC Magazine.

For its ongoing support of the development and maintenance of secure web applications, we are calling out the achievements of the OWASP (Open Web Application Security Project). Its efforts in offering tools and education materials to developers and other security professionals have greatly aided in furthering the advancement of web application security. The nonprofit group does not endorse or recommend commercial products or services. This enables its open network to remain vendor neutral and synergize the collaborative efforts of the leading lights in software security worldwide. It’s all about trust, and information security professionals have come to rely on the group’s annual Top 10 project, ongoing since 2003, which delineates the most common flaws present in web apps, thus increasing awareness in the security community of some of the most critical risks facing organizations. As well, the “Bug Bash,” held for three nights in November during the AppSec Conference, is considered one of the biggest application security bug searches in recent times. The event, sponsored by OWASP, gathered security researchers from 30 countries who collaborated to discern security gaps in software that runs the internet and some of the planet’s most commonly used applications. For its advocacy, outreach and teaching, we are delighted to recognize OWASP with this year’s Editor’s Choice Award.

As a volunteer-driven, non-profit organization, our contributors donate their time and expertise for the betterment of all. It is exciting and rewarding for the entire community to be recognized for our continued efforts to increase application security!



http://owasp.blogspot.com/2014/03/owasp-wins-sc-magazine-2014-editors.html

Wednesday, January 15, 2014

RSA, NSA, OWASP Continued


Bruce Schneier, a well-respected security expert, has written an essay that takes an opposing view of the NSA and why the NSA surveillance program is not good security. I don't always agree with Mr. Schneier, but he does make some good points, and as he is a very respected security expert I think it's good to read his essay. I am not re-printing it here, but here is the link.

http://www.theatlantic.com/technology/archive/2014/01/how-the-nsa-threatens-national-security/282822/

You can subscribe to Mr. Schneier's security newsletter on the web at <http://www.schneier.com/crypto-gram.html>.


On another subject, here is a podcast where I was interviewed about the project I am leading with OWASP concerning the Code Review Guide book.

http://trustedsoftwarealliance.com/2014/01/13/appsec-usa-2013-larry-conklin-and-the-code-review-book-project/



Tuesday, January 14, 2014

RSA, NSA, OWASP

Last week OWASP had a vigorous debate on whether OWASP should cancel planned secure code training at the RSA conference. I was (and still am) in favor of not canceling the secure code training. The debate surrounded the issue of RSA and its relationship with the NSA. More specifically, did RSA, at the request of the NSA, weaken its cryptology products to allow the NSA better access to decrypt data encrypted with RSA products? These allegations came about because of documents leaked by Eric Snowden. At the present time I know of no organization or individual who has confirmed whether the allegations are true, partially true, false, or a government mandate that RSA had to fulfill.

I do know that OWASP’s main core value is to present unfettered security information to everyone.

What I don’t know is, if OWASP had not cancelled its training, would that have put a mark against OWASP as being able to continue its main core value of delivering unfettered security information to everyone and still be vendor impartial, with no ramifications to its brand name from co-marketing with RSA? I would have hoped the individuals attending the course could easily have made the distinction for themselves that OWASP and RSA are very different organizations, each having its own values.

I think it’s sad that OWASP caved in to media hype about the RSA and NSA relationship. I am also disappointed by RSA for not dealing with the speaker cancellations in a positive way and for not being more open than they have been about their relationship with the NSA. I do support OWASP and the speakers who cancelled their speaking engagements.

I think there is a larger discussion that was not raised completely. That discussion centers on our individual need for privacy and the real need of law enforcement and governments to be able to gather information to make us secure and safe. This discussion is made harder by the fact that what is or is not privacy differs between individuals, cultures (American, European, Middle Eastern, and Asian), and governments.

The current surveillance program being conducted by the NSA is a direct response to the terrorist attack of 9/11 in New York, in which 2,977 innocent people lost their lives. The mindset that surveillance is needed was further embedded in the American consciousness by the Boston Marathon attack, where three spectators were killed and more than 200 people (men, women and children) were injured.

So this discussion needs to be kept in the scope of what the NSA is trying to do: prevent more deaths among our civilian population and reduce the fear of terrorism. Because of the secret nature of the NSA we will never really know the results of these efforts to any large degree. That prevents us from having absolute confidence in the good and bad of organizations like the NSA and its partners, governmental and others. This lack of confidence is not uncommon. Unfortunately we have a long history of individuals or groups within organizations abusing their power, and just as long a history of uncovering the abuse. The difference here is that our government needs to keep part of its activities secret, while at the same time giving us the confidence that it has the oversight in place and abuse is not happening. Not a simple task.

One last thing, encryption: does encryption equal privacy? I have written a blog post talking about this very issue. American courts have upheld law enforcement requests for suspects to give up encryption keys, etc. I want law enforcement and my government to be able to decrypt files belonging to terrorists, pedophiles, and other bad guys/governments; however, I also realize this can be a very slippery slope.

Recap:
Unknowns…
  • The benefits or fallout of OWASP doing or not doing secure code training at the RSA conference are unknown.
  • The RSA and NSA relationship is largely unknown. We don’t know if RSA weakened its cryptology products per NSA request.

Facts… Secure coding training is very much needed. OWASP is a premier leader in making unfettered security information open and available to anyone. With the Target data breach reaching over 70 million accounts, the need for secure coding training needs to be at the forefront of all development teams.

Hopes…
  • I think OWASP, if it has the bandwidth, should offer free secure coding training to any organization that has had a large data breach. The organization with the data breach would pay for the trainers’ expenses and travel costs and provide the venue for the training. That would be a win-win solution for everyone: OWASP, consumers, businesses.

  • I would also like to see OWASP bring together politicians, law enforcement, legal experts (defense, prosecuting, judicial) and legal scholars on all levels (community, state and federal) for open panel discussions on privacy issues. OWASP has the opportunity to lead in the privacy arena, giving everyone accurate information on privacy for individuals and communities, and discussing the issues of NSA surveillance, both positive and negative. This could be done here in America and in other countries. That would be very cool! Also, it would be a win-win solution for everyone.

Resources: