Sunday, August 17, 2014

Unhandled exceptions and secure coding

We all want our programs to run under explicit control, doing exactly what the user or other processes need. As we know, that does not always happen. This has caused the rise of several large components of software development, Quality Assurance (QA) testing, Test-Driven Development (TDD), etc., processes that try to identify all the reasons why a program may fail. Nevertheless, even with these processes, programs fail for many reasons.

This weekend I went to one of my favorite web sites (www.movies.com) to look for a movie to watch. I clicked on one of the controls and received an exception. This is a major Internet site. I hope nothing bad comes of this for movies.com, but this is not a good thing for a major web site. movies.com gets about 15,000 users a month visiting the site and is ranked 3,152 among top sites by daily users and page views. To see the exception that prompted this blog post, scroll to the bottom of this post.

One of the principles of secure programming is to fail securely. Many programmers simply do not look at exception handling as part of secure coding. One of my favorite sayings is "An error message to a cyber criminal is like a bone to a dog: something good to chew."

Exceptions throw out a lot of very useful information: file paths, database names, database table names, server names, program names, module names, line numbers, etc. All of this is very helpful to a developer at 3:00am trying to debug a production issue. The same information is just as helpful to a cyber criminal. Many forms of attack require knowing or guessing the locations of files; with exception information out in the open you reduce the time and guesswork the bad guy needs to find a way into your application. It also raises a red flag that something is amiss here, and that this may be a good place to start looking for something worse. The dump at the bottom of this post illustrates the point: it reveals the build server (Jenkins) and its workspace layout, the release number, internal namespace and class names, source file names and line numbers, the cache key naming scheme, and the exact .NET and ASP.NET versions.

All exceptions need to be caught and sanitized before they are propagated to upstream callers or displayed.
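Here is an added example (mine, not code from this post or from movies.com) of the catch-and-sanitize boundary just described. It is written in Python rather than C# because the principle is language-independent. It reproduces the same failure class as the dump at the bottom of this post, a cache file cut off inside a CDATA section, using a constructed XML string; the cache layer then treats the corrupt file as a miss, the outermost handler logs the full detail (with secrets redacted) under a reference ID, and the user sees only that reference ID. All names, the sample XML, and the secret pattern are assumptions for illustration.

```python
import logging
import re
import uuid
import xml.etree.ElementTree as ET

log = logging.getLogger("showtimes")


class _ListHandler(logging.Handler):
    """Keeps formatted log lines in memory so the example can show what the
    developer sees versus what the user sees (a real app writes to a file)."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


captured = _ListHandler()
captured.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(captured)
log.setLevel(logging.DEBUG)

# Constructed sample inputs. The first is a cache file cut off inside a CDATA
# section, the same failure class as the movies.com dump.
TRUNCATED_CACHE_FILE = "<theaters><theater id='1'><![CDATA[Cinema 8"
VALID_CACHE_FILE = "<theaters><theater id='1'><![CDATA[Cinema 8]]></theater></theaters>"

# Never log secrets. Constructed pattern; extend it for your own config keys.
_SECRET_PAIR = re.compile(r"(?i)\b(password|pwd|token|apikey|secret)=[^;&\s]+")


def redact(text: str) -> str:
    """Replace the value of any secret-bearing key=value pair."""
    return _SECRET_PAIR.sub(r"\1=[REDACTED]", text)


def get_from_disk(raw: str):
    """Cache layer: a corrupt cache file is logged in full detail and treated
    as a cache miss (return None) instead of becoming the page's error text."""
    try:
        return ET.fromstring(raw)
    except ET.ParseError as exc:
        log.warning("cache file unreadable, treating as miss: %s", exc)
        return None


class ShowtimesUnavailable(Exception):
    """Domain error the presentation layer can act on without seeing internals."""


def get_theater_showtimes(zip_code: str, cache_raw: str):
    """Application layer. Returns theater names, or raises a domain error."""
    doc = get_from_disk(cache_raw)
    if doc is None:
        # A real implementation would re-fetch from the upstream feed here;
        # this offline example has no upstream, so it reports unavailability.
        raise ShowtimesUnavailable(f"no usable theater cache for zip {zip_code}")
    return [t.text for t in doc.iter("theater")]


def render_showtimes_page(zip_code: str, cache_raw: str, diagnostic_context: str = "") -> dict:
    """Outermost boundary: every exception is caught here. The log gets the
    full detail under a reference ID; the user gets only the reference ID.
    The returned dict stands in for an HTTP response."""
    ref = uuid.uuid4().hex[:12]
    try:
        return {"status": 200, "theaters": get_theater_showtimes(zip_code, cache_raw)}
    except Exception as exc:  # deliberately broad: this is the last line of defence
        # Developer-facing: context (redacted) plus the traceback.
        log.error("ref=%s zip=%s ctx=%s error=%r", ref, zip_code,
                  redact(diagnostic_context), exc, exc_info=True)
        # User-facing: no type, message, path or stack frame from the exception.
        return {"status": 500, "message": f"Something went wrong. Reference: {ref}"}


if __name__ == "__main__":
    print(render_showtimes_page("74012", VALID_CACHE_FILE))
    print(render_showtimes_page("74012", TRUNCATED_CACHE_FILE, "Server=db1;Password=hunter2"))
    print("\n".join(captured.lines))
```

The reference ID is what lets the developer at 3am find the full entry in the log from a user's screenshot, without the page having to carry any of the detail itself.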

A few suggestions on handling exceptions more securely:

  1. Log your exceptions, but sanitize what you log. Never log passwords or other highly sensitive information, and look closely at any user input before logging it to be sure you really need it.
  2. Display a generic error message so the user knows something is wrong with the application. The programmer who needs the details at 3am should be trained to know where to find them in the log; a reference ID shown to the user and written into the log entry ties the two together.
  3. Clean up state if the application is going to fail. Cleanup usually involves reclaiming resources, rolling back transactions, or some combination of these among others. Some of this can be automated. Make sure the entire cleanup mechanism is also tested in QA.
  4. Fail-secure should be part of the application design and included in the functional specification, not left to individual implementers.
  5. Make sure programmers are not using the "exception swallowing" anti-pattern: catching an exception and doing nothing with it, so the failure leaves no trace and the program carries on in an unknown state.
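The following added example (mine, not from the original post) works through suggestions 3 to 5 in Python with the standard library's sqlite3 module: a reservation that writes two tables as one transaction and rolls back cleanly when the second write fails, and an authorization check written twice, once with the exception-swallowing anti-pattern that silently fails open during an outage, and once fail-secure. The tables, the role lookup and the simulated outage are constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("booking")


class ReservationFailed(Exception):
    """Domain error raised only after the transaction has been rolled back."""


class PermissionStoreDown(Exception):
    """Constructed stand-in for a timeout or outage in a permission service."""


def new_store() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seats (show_id TEXT, seat TEXT, holder TEXT,"
                 " PRIMARY KEY (show_id, seat))")
    conn.execute("CREATE TABLE payments (holder TEXT, amount INTEGER)")
    return conn


def reserve_and_charge(conn, show_id, seats, holder, amount):
    """Suggestion 3: the seat rows and the payment row are one unit of work.
    `with conn:` commits on success and rolls back on any exception, so a
    failure half-way through leaves no orphaned seats or payment. The failure
    is then logged and re-raised as a domain error; it is never swallowed."""
    try:
        with conn:
            for seat in seats:
                conn.execute("INSERT INTO seats VALUES (?, ?, ?)", (show_id, seat, holder))
            conn.execute("INSERT INTO payments VALUES (?, ?)", (holder, amount))
    except sqlite3.IntegrityError as exc:
        log.warning("reservation by %s for %s rolled back: %s", holder, show_id, exc)
        raise ReservationFailed(f"seats for {show_id} not available") from exc


def seat_holders(conn, show_id) -> dict:
    """Inspect state after a reservation attempt: {seat: holder}."""
    rows = conn.execute("SELECT seat, holder FROM seats WHERE show_id = ?", (show_id,))
    return dict(rows.fetchall())


def payments_for(conn, holder) -> list:
    """Amounts charged to a holder, in insertion order."""
    rows = conn.execute("SELECT amount FROM payments WHERE holder = ?", (holder,))
    return [amount for (amount,) in rows]


def lookup_role(user, roles):
    """Constructed permission lookup; roles=None simulates the service being down."""
    if roles is None:
        raise PermissionStoreDown("role service timeout")
    return roles.get(user)


def can_refund_fail_open(user, roles) -> bool:
    """Anti-pattern (suggestion 5): the exception is swallowed and `allowed`
    keeps its optimistic initial value, so an outage grants the permission."""
    allowed = True
    try:
        allowed = lookup_role(user, roles) == "manager"
    except PermissionStoreDown:
        pass
    return allowed


def can_refund(user, roles) -> bool:
    """Suggestion 4, fail-secure: deny is the only answer when the check
    itself cannot be completed, and the failure is logged so it is visible."""
    try:
        return lookup_role(user, roles) == "manager"
    except PermissionStoreDown as exc:
        log.error("authorization check for %s failed, denying: %s", user, exc)
        return False


if __name__ == "__main__":
    store = new_store()
    reserve_and_charge(store, "show-1", ["A1", "A2"], "alice", 2000)
    try:
        reserve_and_charge(store, "show-1", ["A3", "A2"], "bob", 2000)
    except ReservationFailed as err:
        print("second booking rejected:", err)
    print(seat_holders(store, "show-1"), payments_for(store, "bob"))
    print(can_refund("bob", None), can_refund_fail_open("bob", None))
```

The seat conflict is the realistic case: the first seat inserts fine and the second hits the primary key, so without the transaction the store would hold a seat with no payment. The two authorization functions differ by one line, which is why this has to be a design rule checked in review rather than something left to each implementer.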


Summary:

How your application will fail secure should be part of the design document and reviewed early in the lifecycle. Use the programming framework to detect an exception, then augment the framework's exception handling with the activities that must be performed after the system has detected it.

Carefully consider the content of error messages displayed to the user, to ensure that those messages cannot be used to launch a more serious attack. On ASP.NET, the page reproduced below is the framework's own detailed error page; it reaches remote browsers only when customErrors in web.config is set to Off, so leaving it at the RemoteOnly default (or On with a defaultRedirect) is the first thing to check.

Finally, a process should be in place that ensures all errors and exceptions are logged and that the logs are audited periodically, both to detect (and potentially prevent) malicious activity that shows up in the audit trail and to confirm that no confidential information is being logged.


References:
https://www.owasp.org/index.php/Secure_Coding_Principles#Fail_securely
http://msdn.microsoft.com/en-us/magazine/cc188938.aspx
http://www.oracle.com/technetwork/java/seccodeguide-139067.html
http://en.wikipedia.org/wiki/Error_hiding



Exception: www.movies.com
Server Error in '/' Application.

Exception Details: System.ApplicationException:
1. In GetTheaterShowTimes()
2. Passed movieId:
3. Passed zipCode: 74012
6. So far, we have: movieIDMapCacheKeyBuilder = MovieIdMapByZip_74012
7.             and: theaterSearchCacheKeyBuilder = TspTheatersByZip_74012
10. forceRetrieve = True
11. resultsDoc == null? False
12. Trying to get results from file system!
Error Message: Unexpected end of file while parsing CDATA has occurred. Line 4595, position 312.
Error Source: System.Xml
Error StackTrace:
   at System.Xml.XmlTextReaderImpl.Throw(String res, String arg)
   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type, Int32& outStartPos, Int32& outEndPos)
   at System.Xml.XmlTextReaderImpl.ParseCDataOrComment(XmlNodeType type)
   at System.Xml.XmlTextReaderImpl.ParseElementContent()
   at System.Xml.XmlLoader.LoadNode(Boolean skipOverWhitespace)
   at System.Xml.XmlLoader.LoadDocSequence(XmlDocument parentDoc)
   at System.Xml.XmlDocument.Load(XmlReader reader)
   at System.Xml.XmlDocument.Load(String filename)
   at Mdc.Cache.MdcCache.GetFromDisk(String key, CacheFileTypes cacheFileType, String cacheDirectory) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Cache\MdcCache.cs:line 254
   at Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:line 372

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[ApplicationException: message and inner stack trace as shown under Exception Details above]
   Mdc.Movie.App.MovieManager.GetTheaterShowTimes(String movieId, DateTime date, String zipCode, String city, String state, String country, String theaterid, TheaterCollection& theaters, Hashtable& performances, TheaterSearchStatus& searchStatus, Movie& movie, Hashtable& byMovies, MovieIDMapCollection& moviesMap) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.App\MovieManager.cs:649
   Mdc.Movie.Presentation.TheaterSelectionPage.OnLoad(EventArgs e) in c:\jenkins\jobs\MDC Website\workspace\Release 2.6.1\Movies.com 2.0\Mdc.Movie.Presentation\TheaterSelectionPage.aspx.cs:529
   System.Web.UI.Control.LoadRecursive() +71
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3178

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18446