SE604: Software Testing and QA Secure SW Development for QA Lecture#3


1 SE604: Software Testing and QA Secure SW Development for QA Lecture#3
Slides by Ahmed Ibrahim

2 Agenda Prevention Techniques
Practical Demo with Vulnerability Scanners Assignment #4

3 The reviewer must be aware of software vulnerabilities.
Secure code review aims to identify and fix potentially risky security vulnerabilities in the late stages of the development process. The reviewer must be aware of software vulnerabilities. The developer must write secure code and avoid software vulnerabilities.

4 Common 10 Software Vulnerabilities
There are many software vulnerabilities; we will discuss the common 10 software vulnerabilities from the CWE* list:
1. SQL Injection
2. Cross-site Scripting
3. OS Command Injection
4. Classic Buffer Overflow
5. Integer Overflow
6. Unrestricted Upload of File with Dangerous Type
7. Reliance on Untrusted Inputs in a Security Decision
8. Use of Hard-coded Credentials
9. Missing Authentication for Critical Function
10. Missing Encryption of Sensitive Data
* CWE™ is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

6 Agenda Prevention Techniques
Practical Demo with Vulnerability Scanners Assignment #4

7 Prevention Techniques

8 Prevention Techniques
Definition of prevention: the action of stopping something from happening or arising. Organizations apply prevention techniques to avoid software vulnerabilities, saving time, cost and resources and ensuring data integrity, availability and confidentiality.

9 Prevention Techniques
SQL Injection, Cross-site Scripting and OS Command Injection. Recall that SQLI, XSS and OS Command Injection attacks are types of code injection: user input is mistakenly interpreted as program code. In order to prevent these types of code injection, secure input handling is needed. For a web developer, there are two fundamentally different ways of performing secure input handling: encoding (escaping) and validation.

10 Prevention Techniques
Encoding (Escaping), which escapes the user input so that we can interpret it only as data, not as code. Validation, which filters the user input so that we can interpret it as code without malicious commands.

11 Prevention Techniques
Encoding is the act of escaping user input so we can see it only as data, not as code. Examples:
SQLI: ' to ''
XSS: < to &lt;

12 Encoding Example: SQLI
    ...
    string userName = ctx.getAuthenticatedUserName();
    string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
    sda = new SqlDataAdapter(query, conn);
    DataTable dt = new DataTable();
    sda.Fill(dt);

13 Encoding Example: SQLI
The query that this code intends to execute follows:
    SELECT * FROM items WHERE owner = <userName> AND itemname = <itemName>;
However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string:
    name' OR 'a'='a
for itemName, then the query becomes the following:
    SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name' OR 'a'='a';
Since 'a'='a' is always true, this is equivalent to:
    SELECT * FROM items;

14 Encoding Example: SQLI
Use Escape Routines to Handle Special Input Characters
    // Double every single quote so the value stays inside one SQL string literal
    private string SafeSqlLiteral(string inputSQL)
    {
        return inputSQL.Replace("'", "''");
    }

    string userName = ctx.getAuthenticatedUserName();
    string query = "SELECT * FROM items WHERE owner = '" + SafeSqlLiteral(userName) + "' AND itemname = '" + SafeSqlLiteral(ItemName.Text) + "'";
    sda = new SqlDataAdapter(query, conn);
    DataTable dt = new DataTable();
    sda.Fill(dt);
    ...

15 Encoding Example: SQLI
If an attacker with the user name wiley enters the string:
    name' OR 'a'='a
for itemName, SafeSqlLiteral turns it into:
    name'' OR ''a''=''a
and the query becomes the following:
    SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name'' OR ''a''=''a';
=> Invalid query as an attack: the doubled quotes keep the whole input inside one string literal, so the OR is never executed as SQL.

16 Encoding Example: SQLI
Is converting ' to '' enough? Study the next query:
    SELECT * FROM Products WHERE ProductID = <product_id>;
If an attacker enters the string:
    5 ;Drop Table Admin
then the query becomes the following (there is no quote to escape, so SafeSqlLiteral changes nothing):
    SELECT * FROM Products WHERE ProductID = 5 ; Drop Table Admin
Season's greetings!
Solution? More encoding (;), validation and sanitization.
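As an added example that is not part of the slides, the SafeSqlLiteral idea carried through in Python against an in-memory SQLite table. It shows the three things the slides walk through: raw concatenation leaks every row for the wiley payload, quote-doubling keeps that payload inside a string literal, and quote-doubling does nothing for the unquoted ProductID case. The parameterized query is an assumption added here as the standard fix (the slides do not show it); the table contents are constructed sample data.

```python
import sqlite3


def safe_sql_literal(value: str) -> str:
    """Escape routine from the slides: double every single quote so the
    value can only ever sit inside a quoted SQL string literal."""
    return value.replace("'", "''")


def items_query_concat(user_name: str, item_name: str) -> str:
    """Vulnerable: raw concatenation, as in slide 12."""
    return ("SELECT * FROM items WHERE owner = '" + user_name
            + "' AND itemname = '" + item_name + "'")


def items_query_escaped(user_name: str, item_name: str) -> str:
    """Escaped concatenation, as in slide 14."""
    return ("SELECT * FROM items WHERE owner = '" + safe_sql_literal(user_name)
            + "' AND itemname = '" + safe_sql_literal(item_name) + "'")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two items owned by wiley, one owned by alice."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items(owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("wiley", "book"), ("wiley", "name"), ("alice", "secret")])
    return conn


def row_count(conn: sqlite3.Connection, query: str, params=()) -> int:
    return len(conn.execute(query, params).fetchall())


def compare_item_lookups(item_name: str) -> tuple:
    """Run the same lookup for user wiley three ways and return the row counts
    as (concatenated, escaped, parameterized)."""
    conn = setup_db()
    concat = row_count(conn, items_query_concat("wiley", item_name))
    escaped = row_count(conn, items_query_escaped("wiley", item_name))
    # Parameterized query (assumed fix): the value travels separately from the
    # SQL text, so no character in it can change the statement structure.
    param = row_count(conn, "SELECT * FROM items WHERE owner = ? AND itemname = ?",
                      ("wiley", item_name))
    conn.close()
    return concat, escaped, param


def product_query_escaped(product_id: str) -> str:
    """Slide 16: the value is not quoted, so quote-doubling cannot help."""
    return "SELECT * FROM Products WHERE ProductID = " + safe_sql_literal(product_id)


if __name__ == "__main__":
    print(compare_item_lookups("name"))             # honest lookup: (1, 1, 1)
    print(compare_item_lookups("name' OR 'a'='a"))  # slide-13 payload: (3, 0, 0)
    print(product_query_escaped("5 ;Drop Table Admin"))  # unchanged by escaping
```

The escaped and parameterized lookups both return zero rows for the payload because they search for the literal item name "name' OR 'a'='a", which does not exist; the concatenated version returns all three rows, including alice's. The last call shows why slide 16 asks whether escaping is enough: for a numeric column the attacker never needs a quote.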

17 Encoding Example: XSS
The most recognizable type of encoding in web development is HTML escaping, which converts characters like < and > into &lt; and &gt;, respectively. The following pseudocode is an example of how user input could be encoded using HTML escaping and then inserted into a page by a server-side script:
    Print "<html>"
    Print "Latest comment: "
    Print encodeHtml( userInput )
    Print "</html>"

18 Encoding Example: XSS
If the user input were the string <script>...</script>, the resulting HTML would be as follows:
    <html>Latest comment: &lt;script&gt;...&lt;/script&gt;</html>
Because all characters with special meaning have been escaped, the browser will not parse any part of the user input as HTML or execute script.
Escaping functions in other languages:
    document.write(escape(userInput));  => JS
    escapeshellcmd($input)              => PHP
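An added example, not from the slides, of the encodeHtml() pseudocode as working Python: a hand-written encoder covering the five characters with special meaning in HTML, checked against the standard library's html.escape, and the comment page rendered with and without it. The sample comment string is constructed.

```python
import html

# The five characters that can change meaning inside HTML text or a quoted
# attribute value, and the entities that render them as plain data.
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_html(user_input: str) -> str:
    """Python version of the slide's encodeHtml(): replace each special
    character with its entity, leaving everything else untouched."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in user_input)


def render_comment_vulnerable(user_input: str) -> str:
    """Server-side script without encoding: the input is parsed as markup."""
    return "<html>" + "Latest comment: " + user_input + "</html>"


def render_comment_encoded(user_input: str) -> str:
    """Server-side script from slide 17: the input is inserted as data only."""
    return "<html>" + "Latest comment: " + encode_html(user_input) + "</html>"


def matches_stdlib(user_input: str) -> bool:
    """Cross-check: the hand-written encoder agrees with html.escape(), which
    uses the same entities (including &#x27; for the single quote)."""
    return encode_html(user_input) == html.escape(user_input, quote=True)


if __name__ == "__main__":
    comment = "<script>alert(1)</script>"  # constructed sample input
    print(render_comment_vulnerable(comment))
    print(render_comment_encoded(comment))
```

One caveat worth keeping in mind when reading slide 18's list of library calls: encoding is context-specific. The entity table above is the right one for HTML text and quoted attribute values, whereas JavaScript's escape() percent-encodes for URLs and PHP's escapeshellcmd() escapes for the shell; neither makes a string safe to place in an HTML page.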

19 Prevention Techniques
Validation is the act of filtering user input so that all malicious parts of it are removed, without necessarily removing all code in it. There are two main characteristics of validation: Classification strategy: User input can be classified using either blacklisting or whitelisting. Validation outcome: User input identified as malicious can either be rejected or sanitized.

20 Validation classification strategy
Blacklisting: Instinctively, it seems reasonable to perform validation by defining a forbidden pattern that should not appear in user input. If a string matches this pattern, it is then marked as invalid.

21 Validation classification strategy
Whitelisting: Whitelisting is essentially the opposite of blacklisting: instead of defining a forbidden pattern, a whitelist approach defines an allowed pattern and marks input as invalid if it does not match this pattern.

22 Validation outcome
When input has been marked as invalid, one of two actions can be taken:
Rejection: the input is simply rejected, preventing it from being used elsewhere in the website.
Sanitization: all invalid parts of the input are removed, and the remaining input is used normally by the website.

23 Validation outcome Of these two, rejection is the simplest approach to implement. That being said, sanitization can be more useful since it allows a broader range of input from the user. For example, if a user submits a credit card number, a sanitization routine that removes all non-digit characters would prevent code injection as well as allowing the user to enter the number either with or without hyphens.

24 Validation Example: SQLI
Study the next query:
    SELECT * FROM Products WHERE ProductID = <product_id>;
If an attacker enters the string:
    5 ;Drop Table Admin
Blacklisting: [( ' ), ( ; ), ( = ), ( LIKE ), ( % ), ( TABLE ), ( DROP ), ( . )]
Applying sanitization will remove (;), (Drop) and (Table); then the query becomes the following:
    SELECT * FROM Products WHERE ProductID = 5 Admin
=> Invalid query, and prevents SQLI

25 Validation Example: SQLI
Study the next query:
    SELECT * FROM Cards WHERE CardID= <card_id>;
If the user enters the string:
Blacklisting: [( ' ), ( ; ), ( = ), ( LIKE ), ( % ), ( TABLE ), ( DROP ), ( . )]
Applying sanitization will remove (.); then the query becomes the following:
    SELECT * FROM Cards WHERE CardID= ;
=> Valid query
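An added example (not from the slides) that implements the two classification strategies and the two validation outcomes from slides 19 to 25 in Python: the slide-24 blacklist applied as a sanitizer, a digits-only whitelist applied as a rejecter for ProductID, and the slide-23 credit-card sanitizer followed by a whitelist check. The Luhn checksum is an assumption added here as the usual format check for card numbers; the card number used is the well-known test value 4111 1111 1111 1111.

```python
import re

# Blacklist from slide 24: tokens that must not appear in the input
BLACKLIST = ["'", ";", "=", "LIKE", "%", "TABLE", "DROP", "."]


def blacklist_sanitize(raw: str) -> str:
    """Sanitization with a blacklist: strip every forbidden token
    (case-insensitive) and use whatever is left, with whitespace collapsed."""
    cleaned = raw
    for token in BLACKLIST:
        cleaned = re.sub(re.escape(token), "", cleaned, flags=re.IGNORECASE)
    return " ".join(cleaned.split())


def whitelist_product_id(raw: str):
    """Rejection with a whitelist: a ProductID is 1 to 9 ASCII digits and
    nothing else. Returns the integer, or None when the input is rejected."""
    if re.fullmatch(r"[0-9]{1,9}", raw) is None:
        return None
    return int(raw)


def sanitize_card_number(raw: str) -> str:
    """Slide-23 sanitizer: drop every non-digit, so a number typed with or
    without hyphens or spaces becomes the same digit string."""
    return re.sub(r"[^0-9]", "", raw)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumed format check): double every second digit from
    the right, subtract 9 from results above 9, and require a sum divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_card_number(raw: str):
    """Sanitize first, then whitelist-check the result: 13 to 19 digits that
    pass Luhn. Returns the digit string, or None when rejected."""
    digits = sanitize_card_number(raw)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return None
    return digits


if __name__ == "__main__":
    print(blacklist_sanitize("5 ;Drop Table Admin"))   # '5 Admin' (slide 24)
    print(blacklist_sanitize("."))                     # '' (slide 25: legitimate dot lost)
    print(whitelist_product_id("5 ;Drop Table Admin")) # None: rejected
    print(validate_card_number("4111-1111-1111-1111")) # '4111111111111111'
```

The blacklist calls reproduce both slides: the attack string is reduced to "5 Admin", which is no longer valid SQL, but a lone "." is reduced to nothing, which is the slide-25 problem. The whitelist functions never need to know which tokens are dangerous; they only describe what a valid value looks like, which is why they are the safer default for fields with a known format.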

26 Validation Example: XSS
One of the most recognizable types of validation in web development is allowing some HTML elements (such as <em> and <strong>) but disallowing others (such as <script> and onclick). Example using jsoup's cleaner:
    String unsafe = "<p><a href=' onclick='stealCookies()'>Link</a></p>";
    String safe = Jsoup.clean(unsafe, Whitelist.basic());
    // now: <p><a href=" >Link</a></p>
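An added example, not from the slides or from jsoup, of the same allowlist idea written in Python on top of the standard library's html.parser: tags outside the allowlist are dropped (script and style contents are dropped with them), attributes outside the per-tag allowlist such as onclick are dropped, href values are only kept for http, https and mailto, and all text is re-escaped on output. The allowed-tag set is an assumption chosen for this example, and the href URL in the sample input is constructed because the slide does not show one.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for this example, in the spirit of Whitelist.basic())
ALLOWED_TAGS = {"p", "a", "em", "strong", "b", "i", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # the element and everything inside it go
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # depth inside script/style elements

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # onclick and every other event handler land here
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # javascript:, data: and friends are dropped
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if not self.dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            # convert_charrefs=True gives decoded text; re-escape it on the way out
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    unsafe = "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>"
    print(sanitize_html(unsafe))
    print(sanitize_html("<script>alert(1)</script><em>hi</em>"))
```

Sanitizing by rebuilding the output, rather than by deleting matched substrings from the input, is what makes this validation rather than a blacklist: anything the allowlist does not name never reaches the output, however it was spelled or nested.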

27 Validation Example: OS Command Injection
The following PHP code snippet is vulnerable to a command injection attack:
    <?php
    $file = $_GET['filename'];
    system("rm $file");
    ?>
Example attacker input for filename: -rf /
Sanitizing input: replace or ban ";". Other shell escapes are available, for example: && | ...
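As an added example (not from the slides, and in Python rather than PHP), the two defences that close this hole: a whitelist on the filename, which rejects the "-rf /" input and anything containing ";", "&&", "|", whitespace or path separators, and invoking the command as an argument list with no shell, so that shell metacharacters would have no meaning even if one slipped through. The upload directory handling and the name pattern are assumptions for this example; the demo deletes a constructed file in a temporary directory.

```python
import os
import re
import subprocess
import tempfile

# Assumed naming rule for uploads: starts with a letter or digit, then up to 63
# letters, digits, '.', '_' or '-'. No '/', no whitespace, no shell metacharacters,
# and no leading '-', so a name can never be read by rm as an option.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_filename(name: str) -> bool:
    """Whitelist validation with rejection: True only for names matching SAFE_NAME."""
    return SAFE_NAME.fullmatch(name) is not None


def build_rm_argv(name: str, base_dir: str) -> list:
    """Validate the name and build the argument vector for rm. The command is a
    list, so ';', '&&' and '|' in the input would reach rm as literal characters,
    not as shell command separators; '--' ends option parsing as a second guard."""
    if not is_safe_filename(name):
        raise ValueError("rejected filename: %r" % name)
    return ["rm", "--", os.path.join(base_dir, name)]


def delete_upload(name: str, base_dir: str) -> None:
    """Safe counterpart of system("rm $file"): no shell, validated argument."""
    subprocess.run(build_rm_argv(name, base_dir), check=True)


def delete_upload_demo() -> bool:
    """Create a constructed file in a temporary directory, delete it the safe
    way, and report whether it is gone."""
    with tempfile.TemporaryDirectory() as base_dir:
        path = os.path.join(base_dir, "report.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample upload\n")
        delete_upload("report.txt", base_dir)
        return not os.path.exists(path)


if __name__ == "__main__":
    for candidate in ["report.txt", "-rf /", "a; rm -rf /", "../etc/passwd"]:
        print("%-16r accepted=%s" % (candidate, is_safe_filename(candidate)))
    print("demo deleted file:", delete_upload_demo())
```

The validation step is the one that matters for the slide's "-rf /" input: with a shell-free call that string would be passed to rm as a single literal filename, which fails harmlessly, but the whitelist rejects it before any process is started and gives the application a clean error to report.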

28 Sanitization Examples
Google Search: "ahmed ' ibrahim . Mohamed" => ahmed Ibrahim Mohamed
Facebook

29 Agenda Prevention Techniques
Practical Demo with Vulnerability Scanners Assignment #4

30 Vulnerability Scanners
w3af w3af is a Web Application Attack and Audit Framework. “The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities”. The framework is developed using Python to be easy to use and extend.

31 Vulnerability Scanners Demo

32 Agenda Prevention Techniques
Practical Demo with Vulnerability Scanners Assignment #4

33 References injection-in-asp-net vulnerability-scanners/

