A Guide to Building Secure Web Applications 126
some-guy writes "The Open Web Application Security Project has released
A Guide to Building Secure Web Applications, Version 1.1
"While this document doesn't provide a silver bullet to cure all the ills, we hope it goes a
long way in taking the first step towards helping people understand the inherent problems
in web applications and build more secure web applications and Web Services in the
future...""
Secure Web Applications (Score:5, Insightful)
Re:Secure Web Applications (Score:1)
Re:Secure Web Applications (Score:3, Insightful)
I know security can suffer heavily if a project starts to get into a time crunch, but in how many projects was security even a consideration in the first place?
If anyone starts working on a network-based project on a base install of any operating system (Windows, Linux, even OpenBSD), then there are problems well before the project's deadline approaches.
Re:Secure Web Applications (Score:2)
The first few chapters of that document described how you should see security in your entire company. Be realistic: if loosing creditcard-information is not going to harm your stock, why should you put effort in securing it? On the other hand, if it means your credibility as a trustworthy company diminishes, you (as a developer) will be more likely to have budget to set things up in a secure way.
Bottomline: explain to your boss how much $$$ is involved with certain choices, let him do the math in Excel (they are really good at that). If they understand that they will loose money when a webapp is compromised, they will be very likely to give you the opportunity to write decent software.
Re:Secure Web Applications (Score:3, Informative)
Or a direct link: http://members.rogers.com/razvan.peteanu/best_pra
TOC (Score:3, Funny)
Chapter 2 - Installing linux
Chapter 3 - Updating OpenSSL libraries
What else do you need? Oh, yeah...
Chapter 4 - Unplugging your network connection
(That should lock it down from outside pretty well.)
Chapter 5 - Removing your harddrive and pounding it with a big ass sledgehammer.
(Now it's secure from the INSIDE, too.)
See? Good network security really isn't so hard.
You forgot some (Score:1)
>Chapter 2 - Installing linux
>Chapter 3 - Updating OpenSSL libraries
>Chapter 4 - Unplugging your network connection
>Chapter 5 - Removing your harddrive and pounding it with a big ass sledgehammer.
Chapter 6 - ???
Chapter 7 - Profit!
Re:TOC (Score:1)
Re:TOC (Score:1)
My $1.50 (Score:1)
Re:My $1.50 (Score:2)
That sounds suspiciously like security through obscurity, which we all know *DOES NOT WORK*. /etc/password (/etc/shadow) or to a database of some sort. Sure I could make it very obscure, but if instead of validating that username and password everytime a page loads and instead passing a variable saying LOGGED_IN="TRUE", I defeat my own security by making it vary easy to bypass my login.
I've done some web apps that require a login, either to the standard
As the article says, validating input, and failing securely are two of the most important things you can do. If you're expecting a phone number, don't accept anything except numbers (and possibly -) as input. And make sure that if the system fails, it doesn't leave you wide open, it actually shuts down.
Re:My $1.50 (Score:1)
Re:My $1.50 (Score:1)
Re:My $1.50 (Score:1)
Make it too obscure and you might intrigue the hacker with the challenge...Unless it is some young script kiddie.
Re:My $1.50 (Score:1)
Re:My $1.50 (Score:2)
A big-ass deadbolt in a solid metal frame is secure without being obscure.
Bringing a gun to a knife fight is more secure - especially when everyone else sees your piece
The US's fighting stance vis Iraq is certainly not "security through obscurity"
I could go on, but you get the idea.
Now - on-topic - There wasn't much at the site that wasn't covered better elsewhere IMHO.
Regards, Tom
Re:My $1.50 (Score:1)
Your point is good; the other guy was way off base, but giving the impression of the inability to spell a word like 'ignorant' doesn't generally lend credibility to your argument.
Sorry to be pedantic. I had a roommate that insisted on pronouncing the word incorrectly while using it as a synonym for 'stupid', and it made my teeth curl every time he did it. i guess seeing it in print rubbed me the wrong way.
Re:My $1.50 (Score:1)
Re:i've got a guide (Score:1)
Re:Easy, use Java Web Application Servers (Score:1)
Re:Easy, use Java Web Application Servers (Score:1)
Re:Easy, use Java Web Application Servers (Score:1)
ASP managed code *I believe* is just the ASP app not the buggy IIS server it runs on.
Re:Easy, use Java Web Application Servers (Score:1)
Choosing the right programming language is clearly an important decision, but it is still possible to create reasonably secure software in c/c++/perl/etc. It just takes some knowledge of what potential problems could come up and good programming practices.
And of course testing (!!!!), code review, and good design with security built in from the beginning.
**security** (Score:3, Insightful)
My experience is there is much less out there than the hype may lead you to believe..
And there is no such thing as security when a talented hacker wants your network bad.
So..Just don't make yourself an easy target. If the average networked business provides itself with enough security to make a hacker actually have to WORK!! at it to get in, then you will filter out most attacks; unless the hacker has a specific interest in your company's network.
Re: **security** (Score:1)
But also this: If a hacker's probe reveals an interesting security method, wouldn't that just make that hacker more interseted in defeating it; for the challenge, and fame?
Re: **security** (Score:4, Insightful)
As far as your "there is no such thing as security" argument, I think it's pretty silly. Yes, if a hacker is ultra hardcore and is going to spend an inordinate amount of time breaking into your ISP's domain server to conduct man in the middle attacks or use advanced 0-day techniques, it is difficult to defend against. But a well designed, programmed, administered and protected (think Snort) system is an incredibly difficult thing to break into. A good IDS will stop unknown buffer overflows. A good administrator will not leave backup files out on the webserver. There is a lot that can be done to improve security to the point where you can be reasonably certain that you are secure. What would you have people do, say "Oh, a really great hacker can get into my system anyway, so I'm not going to bother with security anyway."
Re: **security** con't (Score:1)
My point was that a dedicated and talented hacker still can do it in most cases. In this sense, true 100% security is hard if not impossible.
But good security implementation is still a must.
Like this:An experienced car-thief might be able to break into my car and drive it away in under a minute. But that doesn't mean I should leave the keys in the door or joe average smo can take it.
But you are right in everything you say about security. I don't think we were really disagreeing.
Re: **security** con't (Score:2)
So once you've made it hard for the hacker to get into the system, also make it pointless. If the data that resides on the system is also strongly encrypted, than obtaining valuable information is not only hard it is a collossal pain, and beyond the capability of anyone except maybe NIST. BTW SSL as implemented by Web servers and browsers can't maintain encryption of data through to the back end, you need a third party product for that ( Yes they exist [entrust.com]).
Re: **security** con't (Score:2)
Encryption is not a magic wand. Does the web browser need to be able to decrypt traffic from the server? If so, when the web server becomes "owned", than the decryption capabilities get owned as well. What is the benefit, at best a layer of extra knowledge to find the decryption routines (security by obscurity).
Designing a cryptographic system that will help against "owned" servers (or insider fraud, say you can't trust the system administrators) is much harder. You almost always have to go with data oriented encryption, as opposed to channel oriented techniques (such as IPSEC or SSL). Hardware crypto devices are also very useful - the physical layer obviously is primarily designed to counter insider fraud in a server installation. But even more important is the ability of hardware crypto devices to control the type of operations they can perform.
Think of the "PIN" in a banking system. The hardware device does not have the ability to "decrypt a PIN" (at least in most banks, but that's a different story). Compare that with the situation where say a PIN Translate function is put on a software server and that server gets owned. It would be relatively easy to break down the PIN translate function (which consists of a decrypt followed by an encrypt) and examine the internal results to find the clear PIN.
In summary, most uses of channel encryption (clearly that was what was described in the quoted section) will provide little protection against compromised servers. Many types of database encryption have the same problems, if there is some means of the server accessing the clear data.
Re: **security** (Score:1)
That being said.. do you run apache? Were you running it during the 'year of the worms'? Did you ever see the logs? Suffice it to say.. it is a bigger problem then you give it credit for.
As for the 'no such thing as security'... I have to say.. I find it quite esoteric and not rooted in reality. Sure.. in theory.. you may very well be correct. Of course if your target is a well audited OS with software carefully chosen (by you) with services handpicked and configured then the 'no security' argument falls flat. Oh yea.. anything can be cracked (as in.. not hacked.. cracked) given time... but alas.. so often that time is after a programs primetime.
People who think there is no security and any cracker can own you if they try needs to rethink computer security. This isn't windows afterall
(cracker... not hacker..
Version 1.2 (Score:5, Funny)
Re:Version 1.2 (Score:2)
Re:Version 1.2 (Score:2, Informative)
Re:Version 1.2 (Score:2)
Examples are a must (Score:4, Interesting)
Does anyone really think that telling a developer that "they must validate input", for example, is really going to do any good? If the developer is lazy or even better (since laziness is no excuse) a newbie , perhaps they would be better served with some example code. A few brief snippets in popular languages covering common circumstances would go a long way to help reduce widespread security holes.
For example, a Perl snippet showing how to check for the validity of an email address. A VBScript snippet providing an example of comentizing for the sake of seperating out privelages. PHP snippets demonstrating resuse of trusted components.
Just a thought.
Re:Examples are a must (Score:1)
For clarity, "comentizing" is "componentizing".
examples often become crutches (Score:2, Insightful)
later,
Jess
Re:Examples are a must (Score:1)
I recommend anyone shooting their mouth off here to read it before they do.
But on topic with the parent post, it says "adopt the idea that examples are actually templates" (or something along those words). What he means is that writting an example that doesn't check for error return codes (or memory overrun issues) will most probably end up in insecure code being written.
Seriously though, anyone talking about security should read such a book before they do.
Re:Examples are a must (Score:1)
For instance, retrieving and parsing a URL is basic task that should have one and only one low-level function. It should check for valid information, throw away invalid information, and deliver a clean set of data that the programmer can use. If programmer does not use this function, that is negligence. If the function was never developed, then the project manager should be sacked.
This goes for everything. Requests to databases should have a standard layer to validate that the data is as expected. The functions to calculate hashes should be in one place.
The ludicrous fact is that these things do not exist because people people feel they need to create an optimized version for each application. Well, then why do we buy multi gigahertz machines if not to make our lives easier? If a web server or compiler results in a slow web page, then replace the technology instead of sacrificing security.
Ignores the wiki (Score:2)
security....a web application should protect front-end and back-enddata and system resources by implementing access control restrictions
Yea, whatever. [wikipedia.com]
This document does seem to be pretty good, but documents like this really need to be peer reviewed. Personally, I think a document like this would be better as a wiki than a pdf.
Re:Ignores the wiki (Score:1)
For those of you using PHP in particular... (Score:5, Informative)
---
Jedimom.com [jedimom.com], choo choo choosing you...
Re:For those of you using PHP in particular... (Score:1, Informative)
Sometimes the simplest solutions are the best, and doing more is just overkill. For example, suppose your 1000 php file project depends on register_globals being on. Instead of 'fixing' all the code so that it uses $_POST, or $_GET, or $_SESSION or $_COOKIE (and you will ALWAYS have to test all of them if input can come from either), you can just stick a couple of loops in a top level include file that iterate through those globals and register the named variables themselves (with a couple of small checks, of course, hehehe).
"click through" (Score:5, Informative)
This is one of my favorites. Most browsers fail SSL connections with a warning that allows the user to just "click through" if the certificate is expired, does not match the DNS name of the site, or is issued by an untrusted authority. Only the last of these should be a warning (since you may want to trust it anyway. The other two should be connection failures. I am glad they included this.
Re:"click through" (Score:1)
I've never seen people so clueless about security as those who run web-shops. You sometimes can't think of a suitable answer to a webeditor who thinks their thwarte certificate will be a shiny new complete security solution to all possible ills.
Re:"click through" (Score:2)
I agree with that in general, but you always have to take denial-of-service into account too. Can I disable all user accounts just by entering three bad passwords into the system?
Re:"click through" (Score:2)
A denial of service attack is obviously different to an intrusion.
It's very good topical (Score:1)
Sloppy samples (Score:5, Insightful)
As a result of this, my initial coding was functional, but crap. Over 3 months I picked up a better coding style, and on looking back at my initial code I was surprised at how badly it had been written. While there are many good resources for starting to code in a particular language, many of these use shortcut-code to get the message across.
For instance, PHP code that relies on "register_globals" is a bad example. For one thing, it doesn't work on all systems. For another, it can lead to programmers leaving holes or vulnerabilities in their sites. While it may be a pain to use $HTTP_POST_VARS["something"] every time, it's also nice to set an example of the most compatible method for coding.
Crap code is like a virus. If you make crap samples, and then somebody else makes crap samples based on the knowledge gained from your samples... pretty soon you have crap^2. A good thread might be for everyone to list the best known sites for PHP/Perl/etc sample, as well as known coding baddies/goodies.
"AND password=$password", not a good idea - phorm
Re:Sloppy samples (Score:2, Informative)
Re:Sloppy samples (Score:2)
Oh, and kudos for this work. I was at one time working on a simple PHP manual, but ran out of time before it even really got started. I'd be happy to start it up again, and get assistance from the slashdot crowd. It can be found at: phpmanual.phormix.com
Time for my server to get slashdotted? - phorm
Re:Sloppy samples (Score:3, Insightful)
bad password checking (Re:Sloppy samples) (Score:1)
WHERE USERNAME='$uname' PASSWORD='$pword'
This is common and quite foolish. I prefer to use:
SELECT COUNT(username) as SuccessCount FROM users WHERE username='" . $username . "' AND password=PASSWORD('" . $password . "')"
Where $username and $password have already been checked for funky input, and the PASSWORD function could be substituted for MD5 easily enough.
SELECT * FROM idiots WHERE username='admin' AND password='admin' - phorm
Quick useful SQL string (Re:Sloppy samples) (Score:2)
UPDATE users SET password=PASSWORD('$somerandomvalue') WHERE password=PASSWORD(username)
Substitute as needed:
password (possibly for MD5)
fields: password, username
table: users
Oh, and don't forget to set $somerandomvalue beforehand, otherwise the users get no password - which is even worse!
$somerandomvalue=iamadumbasswithaneasypassword - phorm
Re:Security... (Score:1)
Re:Security... (Score:1)
The inability to conduct a proper audit of the code is a security problem.
An Open-Source system.
Thankyou... (Score:2)
Re:Security... (Score:1)
Re:Security... (Score:1)
Re:Thanks... (Score:1)
I'm one of the people responsible for the Guide (editor, author, whatever you want to call it). This being the case, I'd like to clarify what we're saying there.
Those of us that do security for a living must understand that there is no such thing as "secure". There is only "secure against some class of attackers for some period of time". That's the best anyone (DOD included) can ever assure about a system. Take the example of a bank vault. Bank vaults are not un-assailable, nor are they designed to be. Instead, they are designed to withstand some form of attack for some period of time. There will always be some form of attack that will work against said vault, espically if what it's in the vault is valuable enough.
So what's a defender to do? First, those designing systems must realize that there will always be holes, and that designing those systems in ways that that minimize the impact of penetration of any layer is the only sane thing to do. Secondly, one must understand that it's not about making something "secure", it's about managing the risk involved in whatever enterprise you're about. There will always be risk, and the constant patch-and-pray cycle we see in computing is just validation of this principle. Instead of insisting that something be "secure", it's better that the risk/cost ratio for protecting that asset be favourable.
So can we commit to providing a silver bullet? It would be irresponsible of the authors of the Guide to do any such thing. Instead, we are attempting to present some strategies for understanding, quantifying, and managing risk.
HTH
What bugs me (Score:3, Interesting)
Yes, it's all good and dandy in theory and makes you look very clever indeed, but count how many unknowns you have to know before you can attack a site in this way, do some basic probability math and your chance of success is so low you might as well phone the web master and ask them what the password is.
Re:What bugs me (Score:3, Insightful)
These people make it out like it is easy to attack a site like this.
I don't think it is.
Re:What bugs me (Score:2, Informative)
IIS by default will throw the SQL error into the response (making it easier for developers to debug). If a developer doesn't trap/handle this and a user sees the error come up, they can find out a lot about the system. Then the user adds some quotation marks in with there inputs, and they could pass SQL instructions direct to the database.
This is a very real problem that occurs. Of course, the user would probably not be able to do meaningful damage without knowing the backend of the system, but they could still screw up your data tables.
Re:What bugs me (Score:2, Informative)
Security vulnerabilities aren't a person going "mirror, mirror, oh randomness mirror, give me a random string to hack this site".
it's all tied in together. For example securely failing is part of it. I personally will almost always check if a website can handle single quotes in HTML fields. Some of them do, some of them don't. Others don't and give away some such glarringly compromising error message that you can actually see the SQL statement.
here's a very simple one, take it home, think of it...
my user name is :
"Adam' \n go \n sp_addlogin 'myhaxx' , 'yourpass' \n go \n select '' = '" This statement might not even fail if the orginal statement is:
EXISTS( SELECT * FROM myUsers WHERE UserName = $UserName )
It's not as hard as you think it is, and just because you can't think of something, don't go thinking nobody else can.
Security is about being humble really.
random attacks? what for? (Score:2, Insightful)
it's irritating to write as much code as it takes to be secure, but i'm glad i did it with my project -- it doesn't allow anonymous stuff at all, but there are still risks involved
and there's no reason not to make sure your SQL is secure. (although not using the most-used server also helps -- i use firebird/interbase
Re:What bugs me (Score:1)
Which, with SQL server admins, might actually work!
Re:What bugs me (Score:1)
User: sa
Pass: blank
That's the way it comes off the CD, that's the way it will stay until the coming of the four horsemen (and I don't mean Rick Flair and crew.)
Re:What bugs me (Score:1)
SQL injection is only one problem, but the results of it's success (given the poor defensive posture of most web apps) are usually catastrophic. It's not the root cause of most problems, but it's something that we can't just ignore. Like it or not, it's dangerous. The authors of the Guide (myself included) would be remiss in not including it.
More generally, canonicalization of input and sanity checking external inputs is the root cause of most security problems (not just in web apps) today. Calling it "clever indeed" ignores the severity of the situation and the truly atrocious state of security (which directly is related to code quality) of most deployed apps.
We're not trying to be clever. We're trying to be practical.
Re:What bugs me (Score:1)
You can tell pretty quickly if the machine is going to be vulnerable (e.g. if you can execute arbitrary SQL commands), and, if it is, it is rather easy to determine if there are quick exploits available.
If you consider only "query injection", where you need to know something about the data, then *some* work is required (so you *may* have a point).
If, however, you look at "procedure injection", you can do some particularly nasty things if you can get to, say, xp_cmdshell
Or, if you know that an input field will be placed into the HTML stream without proper supervision, just put in a nifty SSI or a scripted nasty.
These things may not always work, but it is pretty quick work to determine whether or not they will
Cheers,
JAKD
Remember Me? (Score:2, Interesting)
Personally, I have left this "feature" out of my web-apps, but users are really demanding it, so how should it be handled?
Obviously storing a username and password, or a user id number in a cookie is a problem. I am already generating session GUIDs, so it would be possible to store the GUID in a cookie, and then do a look up when they return to match the user account (which is already done on every page for state managment). This almost has the same problem as storing the username/password, as a malicous user would just need to find someone else's GUID and stuff it in their own cookie.
So, was is the most secure method for remembering a user assuming you are already doing form-based authentication with SSL?
Here's all this OWASP document has to say:
Re:Remember Me? (Score:1)
another resource (Score:3, Informative)
T
Mirror (Score:2, Informative)
If you're interested in helping out with the project, check out our SourceForge project page [sourceforge.net] and drop me a line [mailto] if you'd like to contribute or have suggestions or patches. The whole thing is now in DocBook format, so diff's are always appreciated.
Re:Mirror (Score:1)
Book that covers similar topics (Score:3, Informative)
DOWNLOAD SITE FIXED (Score:1, Informative)
Mirror (Score:1)
URL modification and multiple SQL statements. (Score:4, Interesting)
Rain Forest Puppy (Score:1)
See also "Secure Programming for Linux and Unix" (Score:2)
Re:Security - Why there is ignorance MONEY! (Score:3, Informative)
Project Manager: Make it work as quick as possiable, this just a demonstration.
Devloper: It works, but it isn't secure.
Project Manager: Next project, we do not have more features to add. Put security on the puch list of things to do if it goes production.
Devloper(Next week after site goes into production without speaking to the devloper): You know that site that was just supposed to be a demonstration, it has security problems.
Project Manager: Is it working?
Devloper: Yes.
Project Manager: Is the flaw easy to find?
Programmer: Not by your average user, but by someone looking yes.
Project Manager: I do not see a reason to spend the money to secure this application at this time. It seems to be in production just fine, you are a better devloper than what I thought.
Six Months down the road, the devloper gets strung up when someone accesses all of the inforamtion at the site. I have seen this happen far to many times in the real world.
Re:Security - Why there is ignorance MONEY! (Score:2)
Always CYA.
Re:Security - Why there is ignorance MONEY! (Score:2)
Project Manager: Is the flaw easy to find?
Programmer: Not by your average user, but by someone looking yes.
Respond with a different answer. Multiple choice time.
Question: Is the flaw easy to find?
Answer 1: Yes.
Answer 2: For a hacker, yes.
Answer 3: For anyone who intends to harm our systems, yes.
Answer 4: For someone who uses this with malicious intent, yes.
Answer 5: Anyone who wants to harm our systems will find this.
If the project managers pushes for details about the average user, then you can patiently explain that average users isn't the issue to begin with. It's malicious users who are the problem because they are trying to find flaws, and this flaw will soon be obvious to them.
If you don't want the project manager to pick the cheapest and easiest way out, don't start out by giving them a cheap and easy way out.
Your project manager is probably getting their quarterly bonus based on how fast and how cheap they can get this project out the door. If you have a significant concern about security, don't automatically give them a justification for saving time and money in the short-run by ignoring it.
In the example you provide, you do this by immediately making it seem like the the probability of bad things happening is really low. Remember, when the shit hits the fan and the developer got strung up for bad security, it's because the developer made it easy for the PM to ignore security. Make a big fuss about it -- even if it gets ignored, you've at least covered your ass by voicing your concerns loudly.
Re:Security (Score:1)
Who put all that confusion in there?
Businesses aren't prioritizing thier IT budgets anymore. So the only way IT people can keep thier jobs nowadays is by jumping on the "terrorist" paranoia bandwagon.
It's called employment through FUD. Isn't it amazing how quickly we've degenerated into this? Do you security bigots remember the kinds of projects you were working on 3 years ago? Does it make you cry when you think about it?