Chapter 7 Application Security
EXAMALERT
Referencing baselines for established patterns of use help to spot variations that can identify unauthorized access attempts.
Three basic areas of hardening
* Application * Host * Data
Rules for preventing XSS in your applications
* Never insert untrusted data except in allowed locations * Use HTML escape before inserting untrusted data into HTML element content * Use attribute escape before inserting untrusted data into HTML common attributes * Implement Javascript escape before inserting untrusted data into HTML JavaScript data values * Use CSS escape before inserting untrusted data into HTML style properties * Apply URL escape before inserting untrusted data into HTML URL parameters * Use an HTML policy engine to validate or clean user-driven HTML in an outbound way * Prevent DOM-based XSS.
Objective
*Explain the importance of application security controls and techniques
Cram Saver 4: Explain what steps cab be taken to harden a web-based application.
Access control may be accomplished at the operating system or application level by including a requirement for regular update of Secure Sockets Layer (SSL) certifications for secured communications. Regular log review is critical for web servers to ensure that submitted URL values are not used to exploit unpatched buffer overruns or to initiate other forms of common exploits.
Web Services
Access restrictions to Internet and Intranet web services might be required to ensure proper authentication for nonpublic sites, whereas anonymous access might be required for other pages.
Application fuzzing
Attack vectors are within its I/O, such as the user interface, the command-line options, URLs, forms, user generated content, and Remote Procedure Call (RPC) requests.
EXAMALERT
Cross -site request forgery (XSRF) is an attack in which the end user executes unwanted actions on web applications which she is currently authenticated.
EXAMALERT
Default application administration accounts, standard passwords, and common service installed by default should also be reviewed and changed or disabled as required.
FTP Services
File Transfer Protocol (FTP) servers are used to provide file upload and download to users, whether through anonymous or authenticated connection. Because of limitations in the protocol, unless an encapsulation scheme is used between the client and host systems, the login and password details are passed in clear text and might be subject to interception by packet sniffing.
Protocol fuzzing
Forged packets are sent to the tested application, which can act as a proxy and modify requests on-the-fly and then relay them.
Cross-site Scripting (XSS)
Is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
File-format fuzzing
Multiple malformed samples are generated and then opened sequentially. When the program crashes, debug information is kept for further investigation.
NNTP Services
Network News Transfer Protocol (NNTP) servers providing user access to newsgroup posts raise many of the same security considerations risks as email servers.
Server side validation
Occurs on the server where the application resides. Helps protect against malicious attempts by a user to bypass validation or submit unsafe input information to the server.
NOTE
Security monitoring during baselining is important because an ongoing attack during the baselining process could be registered as the normal level of activity.
Application
Security of applications and services such as Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), web servers, and user client-side applications and integration status.
EXAMALERT
Software exploitation is a method of searching for specific problems, weaknesses, or security holes in software code. It takes advantage of a program's flawed code.
EXAMALERT
The most common result if improper input validation is buffer overflow exploitation. Additional types of input validation errors result in format string and denial-of-service (DOS) exploits.
NOTE
To help mitigate the effect of an XSS flaw on your website, it is also good practice to set the HTTPOnly flag on the session cookie as well as any custom cookies that are not accessed by your own JavaScript.
XSRF
An XSRF attack tricks the victim into loading a page that contains a malicious request, usually through sending a link via email or chat. The attacker uses the identity and privileges of the user to execute an undesired function.
DNS Services
Domain Name Service (DNS) servers responsible for name resolution may be subject to many forms of attack, including attempts at DoS attacks intended to prevent proper name resolution for key corporate holdings.Planning to harden DNS server solutions should include redundant hardware and software solutions and regular backups to protect against loss of name registrations.
Fuzzing
Enables an attacker to inject random looking data into a program to see whether it can cause the program to crash.
Cram Saver 1: Explain what fuzzing is and how it is used in application security.
Fuzzing is a process by which semi-random data is injected into a program or protocol stack for detecting bugs. The idea behind fuzzing is based on the assumption that there are bugs within every program. A systematic discovery approach should find them sooner or later. The data generation part consists of generators. Generators usually use combinations of static fuzzing vectors or totally random data. The vulnerability identification relies on debugging tools.
Cram Quiz 1: Which of the following is a process by which semi-random data is injected into a program or protocol stack for detecting bugs? A. Cross-site scripting B. Fuzzing C. Input validation D. Cross-site request forgery
Fuzzing. Fuzzing is the process by which semi-random data is injected into a program or protocol stack for detecting bugs. The idea behind fuzzing is based on the assumption that there are bugs within every program.
Software assurance
Is a term used to describe vendor efforts to reduce vulnerabilities, improve resistance to attack, and protect the integrity of their products.
Client side validation
Occurs when the data entered into a form is validated through a web-page script via the user's browser before the form is pasted back to the originating server. Often used for convenience because it allows for immediate feedback to the user if incorrect data is input.
Cram Quiz 4: Which of the following are steps to mitigate XSS attacks? (Choose two correct answers.) A. Set the HTTPOnly flag in the session cookie B. Always include a default value and character limitations C. Never insert untrusted data except in allowed locations D. Hardcode the authentication credentials into the application
Set the HTTPOnly flag in the session cookie. Never insert untrusted data except in allowed locations.
File and Print Services
User file-storage solutions often come under attack when unauthenticated access attempts provide avenues for manipulation. Files can be corrupted, modified, deleted, or manipulated in many other ways. Access control through proper restriction of file and share permissions, access auditing, and user authentication schemes to ensure proper accesses are necessary. Print servers also pose several risks, including possible security breaches in the event that unauthorized parties access cached print jobs. DoS attacks might be used to disrupt normal methods of business, and network-connected printers require authentication of access to prevent attackers from generating printed memos, invoices, or any other manner of printed materials.
Cram Quiz 3: Which of the following are steps to mitigate XSRF attacks? A. Hardcode the authentication credentials into the application B. Always include a default value and character limitations C. Set the HTTPOnly flag on the session cookie D. Add a token for every POST and GET request that is initiated from the browser to the server
Add a token for every POST and GET request that is initiated from the browser to the server. To mitigate XSRF attacks, the most common solution is to add a token for every POST and GET request that is initiated from the browser to the server.
Cram Quiz 2: Joe tricks Jane into submitting a request via link in an HTML email. Jane is authenticated with the application when she clicks the link. As a result, money is transferred to Joe's account. Which of the following attack has occurred? A. Buffer overflow B. Cross-site scripting C. Cross-site request forgery D. Input validation error
Cross-site request forgery. XSRF is an attack in which the end user executes unwanted actions on a web application while she is currently authenticated.
Data Repositories
Data repositories of any type might require specialized security considerations based on the bandwidth and processing resources required to prevent DoS attacks, removal of default password and administration accounts such as the SQL default sa account, and security of replication traffic to prevent exposure of access credentials to packet sniffing. Hardening efforts may also address security of the storage and backup of storage-area networks (SAN), network access server (NAS) configurations, and directory services such as Microsoft Active Directory and Novell eDirectory.
Patch Management
Describes the method for keeping computers up-to-date with new software releases that are developed after an original software product is installed.
DHCP Services
Dynamic Host Configuration Protocol (DHCP) servers share many of the same security problems associated with other network services, such as DNS servers. DHCP servers might be overwhelmed by lease requests if bandwidth and processing resources are insufficient.
Cram Quiz 6: Which of the following are steps that can be taken to harden NoSQL databases? (Choose two correct answers.) A. Binding the interface to multiple IP addresses B. Encrypting data in the application prior to database writes C. Changing the default database ports D. Setting the default encryption to SSL
Encrypting data in the application prior to database writes. Changing the default database ports. Best practices for protecting NoSQL databases include changing the default ports, binding the interface to only one IP, and encrypting data in the application prior to writing it to the database.
Common gateway interference (CGI) scripting
Exploits and buffer overflow used to run undesirable code on the server.
EXAMALERT
Fuzzing is a black box software testing process by which semi-random data is injected into a program or protocol stack for detecting bugs. The idea behind fuzzing is based on the assumptions that there are bugs within every program.
Cram Saver 2: Explain what steps can be taken to mitigate cross-site scripting (XSS) attacks.
Never insert untrusted data except in allowed locations. Use HTML escape before inserting untrusted data into HTML element content, use attribute escape before inserting untrusted data into HTMl common attributes, implement JavaScript escape before inserting untrusted data into HTML JavaScript data values, use CSS escape before inserting untrusted data into HTML style property, apply URL escape before inserting untrusted data into HTML URL parameter, use an HTML policy engine to validate or clean user-driven HTML in an outbound way, and prevent DOM-based XSS.To help mitigate the effect of an XSS flaw on your website, it is also good practice to set the HTTPOnly flag on the session cookie and on any custom cookies that are not assessed by your own JavaScript.
Cram Saver 5: Explain what steps can be taken for proper application patch management.
Proactive patch management is necessary to keep your technology environment secure and reliable. As part of maintaining a secure environment, organizations should have a process for identifying security vulnerabilities and responding quickly. This involves having a comprehensive plan for applying software updates, configuration changes, and countermeasures to remove vulnerabilities from the environment and lessen the risk of computers being attacked. It might include using automated tools that make administrators aware of critical updates and allow them to manage and control installation.
Data
Security of data and mitigation risks on laptops, PCs, removable media, mobile devices, and static environments.
Host
Security of the operating system through hardware and soft ware implementations such as firewalls and anti-malware programs, along with logical security involving access control over resources and virtualization.
Application baselining
Similar to operating system baselining in that it provides a reference point for normal and abnormal activity. As with operating system hardening, default configurations and passwords must be changed in applications such as database and web-based applications.
Cram Quiz 5: Which of the following are steps that can be taken to harden DNS services? (Choose two correct answers) A. Anonymous access to share files of questionable or undesirable content should be limited B. Regular review of networks for unauthorized or rogue servers C. Technologies that allow dynamic updates must also include access control and authentication D. Unauthorized zone transfers should also be restricted
Technologies that allow dynamic updates must also include access control and authentication. Unauthorized zone transfers should also be restricted. Planning to harden DNS server solutions should include redundant hardware and software solutions and regular backups to protect against loss of name registrations. Technologies that allow dynamic updates must also include access control and authentication to ensure that registrations are valid. Unauthorized zone transfers should also be restricted to prevent DNS poisoning attacks.
Cram Saver 3: Explain what steps can be taken to mitigate cross-site request forgery (XSRF) attacks.
To mitigate this type of attack, the most common solution is to add a token for every POST or GET request that is initiated from the browser to the server. When a user visits a site, the site generates a cryptographically strong, pseudorandom value and sets it as a cookie on the user's machine. The site requires every form submission to include this pseudorandom value as a form value and also as a cookie value. When a POST request is sent to the site, the request is considered valid only if the form value and the cookie value are the same. Another solution is to use the unique identifiers that are provided as part of the session management. One extra check can be added to the validation subroutines and the requests modified to include the necessary information.
Cross-site Scripting (XSS) prevention
Vulnerabilities can be used to hijack the user's session or to cause the user accessing malware tainted site A to unknowingly attack site Bon behalf of the attacker who planted code on site A.
Race condition
When a window of time exists between a security operation and the general function it applies to, a window of opportunity is created that might allow security measures to be circumvented.
EXAMALERT
When pressed with a question that relates to mitigating the danger of buffer overflows or XSS attacks, look for answers that relate to input validation. By restricting the data that can be input, application designers can reduce the threat posed by maliciously crafted URL references and redirected web content.
Software Assurance Forum for Excellence in Code (SAFECode)
Works to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services.
EXAMALERT
You can use role-based access control (RBAC) to improve security, and eliminating unneeded connection libraries are character sets might help to alleviate common exploits.
EXAMALERT
You should implement secure programming practices that reduce the frequency and severity of errors. You should also perform source code review using a combination of manual analysis and automated analysis tools.