1. Secure Coding
Web Application SecurityVulnerabilities and Best Practices

2. What is Secure
Coding?

3. Is it this?

4. ...or this?

5. ...maybe even this?

6. Security Principles
• Minimise Attack Surface Area
• Establish Secure Defaults
• Principle of Least Privilege
• Principle of Defence in Depth
• Fail Securely
• Separation of Duties
• Avoid Security by Obscurity
• Keep Security Simple
• Fix Security Issues Correctly

7. Minimise Attack Surface
• Every feature or technology is a risk.
• Secure development is all about reducing
the risk by minimising the attack surface.

8. Thanks Boromir.

9. Establish Secure
Defaults
• By default a system should be secure out-
of-the-box.
• It should be up to the user to reduce their
security if allowed.

10. Trust Morpheus!

11. Principle of Least
Privilege
• Use the least possible privilege to perform
the required business task.

12. Don’t be the luser!

13. Principle of Defence in
Depth
• Always consider that upper layers are
already compromised.

14. This is how we do it.

15. Fail Securely
• Code fails regularly.

16. Fail Securely
isAdmin = true;
!
try {
codeWhichMayFail();
isAdmin = isUserInRole("Administrator");
} catch (Exception ex) {
log.write(ex.toString());
}

17. Separation of Duties
• Some roles have different levels of trust
than normal users.

18. Hell yeah!?!

19. Avoid Security By
Obscurity
• Security By Obscurity is a weak security
control.
• Security By Obscurity depends on
knowledge.

20. Don’t be like Dawson!

21. Keep Security Simple
• Simplicity leads to better understanding the
system and its constraints.

22. Please!

23. Fix Security Issues
Correctly
• Understand the root cause of the problem.
• Identify the the pattern of the problem.
• Some issues are wide-spread across the
code base.
• Develop a Fix
• Develop Tests

24. Fix Security Issues Correctly
PHP Hash Collision DOS(CVE-2011-4885)
• Problem: PHP was found vulnerable to a
denial of service by submitting a large
amount of specially crafted variables
• Solution: max_input_vars was introduced
to limit the number of variables that can be
used in a request

25. Fix Security Issues Correctly
PHP Remote Code Execution(CVE-2012-0830)
if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
}
!
... code removed ...
!
PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC)
{
!
... code removed ...
!
if (is_array) {
!
... code removed ...
!
if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
}
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
!
... code removed ...
!
symtable1 = Z_ARRVAL_PP(gpc_element_p);
!
... code removed ...
!
}

26. Fix Security Issues Correctly
PHP Remote Code Execution(CVE-2012-0830)
• Vulnerability occurs when max_input_vars is
exceeded and the variable is an array.
• Code execution occurs when Z_ARRVAL_PP is
called to obtain reference of an updated
hashtable.
• If number of variables is greater than
max_input_vars, gpc_element will point to the
previous variable value, which is not initialised
memory.

27. Security in Languages

28. Rails/Grails/MVC
• Model/View/Controller and scaffolding
paradigm is often abused.

29. Python
• Python has a funny way of dealing with
different data types.

30. Python
Number Rounding
round(4000/5000)
# vs
round(4000.0/5000)

31. JavaScript Type
Problems
• JavaScript has loose semantics on its types.

32. JavaScript
Types Differences
{} + {} = NaN
{} + [] = 0
[] + {} = "[object Object]"
[] + [] = ""
{} - 1 = -1
[] - 1 = -1
-1 + {} = "-1[object Object]"
-1 + [] = "-1"

33. JavaScript
Obfuscation
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")
[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$
$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$
$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.
$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=
$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+
$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+
$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.
$_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__
+"("+$.__$+""+$.$__+$.___+")"+""")())();
!
// equal to
!
alert(1);

34. C
• In C the type system is completely
arbitrary. You can do whatever you like
with pointers.

35. Ruby
• The Ruby language supports the use of
system commands.
• Kernel.system provides means of injecting
malicious input into the application to
bypass security measures.

36. Struts
• Struts allows you to do dynamic method invocation
• http://host/struts2_security_vulnerability/
changepassword!changePassword.action?
newPassword=my_new_password&username=bruce
• <init-param>
<param-
name>struts.enable.DynamicMethodInvocation</
param-name><param-value>false</param-
value></init-param>

37. Thanks!