hackapps book hack proofing your web applications part 10 ppsx

Hack Proofing Your Web Applications Fast Track • Appendix 539
www.syngress.com    137_hackapps_appFT    6/19/01 3:46 PM

Chapter 2 Continued

• Be aware of vulnerabilities you might be introducing and do all you can to mitigate their risks. You can't always get rid of every potential vulnerability, but you can do a lot towards preventing exploit.

• Use the least amount of privilege you can get away with. Don't let your program run as system or under Administrative rights on a Windows machine or with SUID permissions on a Unix system unless you absolutely have to. If you can't think of another way, ask others for insight.

❖ Chapter 3: Understanding the Risks Associated with Mobile Code

Recognizing the Impact of Mobile Code Attacks

• Browser attacks can occur by visiting Web pages. As soon as an HTML Web page appears, the mobile code will automatically begin executing on the client system.

• Mail client attacks occur when a piece of e-mail is sent using HTML-formatted messages. Once the message is opened or viewed in the preview window, it will begin executing.

• Documents can contain small pieces of code called macros that may execute when a document is opened. This code has the power to be damaging, since it has access to many system resources.

Identifying Common Forms of Mobile Code

• VBScript and Microsoft JScript allow interaction with ActiveX controls, which can cause security problems if the ActiveX control allows access to restricted system resources.

• The ActiveX security mechanism contains unsafe code by asking users whether they wish to allow the ActiveX control to be installed.

• Java applets are the safest type of mobile code. To date, there have been no serious security breaches due to Java applets.

• The greatest threat from e-mail attachments is Trojan programs that claim they do one thing, when in fact, they do something malicious.
Protecting Your System from Mobile Code Attacks

• There are two approaches to protecting against security threats. One is to use knowledge and technical skill to manually protect user systems. The second is to use security applications designed specifically to automatically deter security threats.

• Different types of security applications include virus scanners, Back Orifice detectors, firewall software, Web-based tools, and client security updates.

❖ Chapter 4: Vulnerable CGI Scripts

What Is a CGI Script, and What Does It Do?

• CGI is used by Web servers to connect to external applications. It provides a way for data to be passed back and forth between the visitor to a site and a program residing on the Web server. CGI isn't the program itself, but the medium used to exchange information between the Web server and the Internet application or script.

• CGI uses server-side scripting and programs. Code is executed on the server, so it doesn't matter what type of browser the user is using when visiting your site.

• Uses for CGI are found at sites such as eBay and e-commerce sites that may use more complex CGI scripts and programs for making transactions; guest books, chatrooms, and comment or feedback forms are another common use for CGI programs.

• CGI should be used when you want to provide a dynamic, interactive Web page, and need to take advantage of the Web server's functions and abilities. CGI programs are an excellent means of searching and storing information in a database, processing forms, or using information that is available on the server and cannot be accessed through other methods. However, you should consider using CGI programs when interaction with the user will be limited.
• Many ISPs don't provide CGI support, as poorly written scripts and programs are a security risk, and may jeopardize the security of that site and others hosted on their Web server.

Break-Ins Resulting from Weak CGI Scripts

• One of the most common methods of hacking a Web site is to find and use poorly written CGI scripts. Using a CGI script, you may be able to acquire information about a site, access directories and files you wouldn't normally be able to see or download, and perform various other unwanted and unexpected actions.

• It is important that you ensure that the form used to collect data from users is compatible with the CGI script.

• Your code should analyze the data it is receiving, and provide error-handling code to deal with problems. Error handling deals with improper or unexpected data that's passed to the CGI script. It allows you to return messages informing the user that certain fields haven't been filled out, or to ignore certain data.

• Wrapper programs and scripts can be used to enhance security when using CGI scripts. They can provide security checks, control ownership of a CGI process, and allow users to run the scripts without compromising your Web server's security.

Languages for Writing CGI Scripts

• A compiled CGI program would be written in a language like C, C++, or Visual Basic. With this type of program, the source code must first be run through a compiler program. The compiler converts the source code into machine language that the computer on which the program is run can understand. Once compiled, the program then has the ability to be executed.

• An interpreted language combines compilation and execution. When a user requests a script's functionality, it is run through a program called an interpreter, which compiles it and executes it.
  For example, when you run a Perl script, it is compiled every time the program is executed.

• One issue with Unix shell programs is that you are more limited in controlling user input and other security issues than in other languages.

• Perl has become a common method of creating CGI scripts. While a good choice for new programmers, it should not be mistaken as being a poor choice for complex programs. One problem with Perl is that, because it is interpreted, it is compiled and executed as one step each time the program is called. For this reason, there is greater possibility that bad data submitted by a user will be included as part of the code.

• C or C++ are another option. A common problem that occurs when Internet programs are created with C or C++ is buffer overflows. A way to avoid this problem is to use the MAXSIZE attribute for any fields used on a form. This will limit the amount of data a user can enter through normal means.

Advantages of Using CGI Scripts

• CGI is beneficial because all code is run on the server. JavaScript, ActiveX components, Java applets, and other client-side scripts and programs all run on the user's computer. This makes it possible for adept hackers to make use of this information and attack your site.

• With CGI, you can protect yourself by controlling permissions to various directories, hiding code within compiled programs, and other methods.

Rules for Writing Secure CGI Scripts

• Limit user interaction.
• Don't trust input from users.
• Don't use GET to send sensitive data.
• Never include sensitive information in a script.
• Never give more access than is absolutely necessary.
• Program on a computer other than the Web server, and ensure that temporary files and backup files of your scripts are removed from the server before your site goes live.
• Double-check the source code of any third-party CGI programs.
• Test your CGI script or program.

❖ Chapter 5: Hacking Techniques and Tools

A Hacker's Goals

• Intruders will utilize numerous tactics and tools to evade detection when they scan your networks and systems. They may use stealth scans or fragmented TCP packets.

• Skilled intruders will carefully plan their attack for when you least expect it. Based on their early reconnaissance of your systems, they will already have assembled the tools to take control of your system after it has been successfully penetrated.

• Rootkits are compilations of tools that contain Trojan versions of common system-monitoring utilities and modified kernel patches and shared library objects that will allow the intruder to remain on your system undetected.

• Some intruders may immediately alert you to their presence by defacing your Web site, whereas others will be as quiet as they can so that they can watch what you're doing. Others may ultimately utilize your system as a launching site by which they may attack other networks with impunity.

• The same tools that intruders use to gauge your network's vulnerabilities can be used to your benefit. By staying as current on vulnerability reports and intrusion utilities as the attackers do, you can better defend your systems.

The Five Phases of Hacking

• Creating an attack map: Intruders utilize many publicly available information resources to gather information on your site without even visiting it. Tools such as Name Server Lookup (nslookup) and ARIN provide a wealth of information by which an intruder can start to assemble a picture of your network.
• Building an execution plan: The intruder has three crucial elements in mind when forming the attack execution plan: a vulnerable service, the OS of the target system, and the appropriate remote and local exploit code necessary to carry off a successful intrusion.

• Establishing a point of entry: The latest vulnerability is often the least defended. The intruder knows this and will make his first attempts on your networks based on this principle. The intruder will also perform a scan of your systems to determine what hosts are online and what other potentially vulnerable services they offer.

• Continued and further access: After an intruder has initially determined the method of attack, he will carefully test the potential vulnerability for signs that it will respond to his attack with a successful intrusion. He will likely attempt these tests from multiple IP ranges so as not to raise any alarms.

• The attack: The intrusion itself will happen relatively quickly. The intruder will gain a foothold through a vulnerable service, but the heart of the attack will lie in how well he covers his tracks following the initial penetration.

Social Engineering

• Rather than exploit weaknesses in software design to get into your site, an intruder may exploit human trust relationships to acquire sensitive data. The attacker may simply acquire seemingly inconsequential data that will ultimately afford him a clearer view of how he can electronically exploit your site.

• It is exceedingly easy for the attacker to impersonate authorized personnel via written communications such as e-mail, postal mail, and instant messaging. Whether through outright impersonation or digital sleight-of-hand, users can be tricked into divulging data (such as login IDs and passwords) that can be used to breach your systems.
• Through impersonation of authorized personnel (or even the opposite sex) via the telephone, the attacker can gather information from unsuspecting employees. Careless disposal of internal documents can also afford the attacker a wealth of useful data when he digs through your company's trash.

• By use of false ID badges or simply by acting as if he belongs where he is, an intruder can gain physical access to the plant where your systems are used by authorized personnel. By accessing your physical systems, he can perform extensive reconnaissance that he can use for further social engineering attacks—by which he can gain still greater amounts of information that he can later use to attack your site.

The Intentional "Back Door" Attack

• The vast majority of computer-related security incidents are due to malicious insiders. Disgruntled employees are almost exclusively the cause of these incidents.

• Back door attacks entail situations in which a developer introduces a nonapproved, hidden login or authentication method by which he can—through unorthodox means—access the system and its data.

• Back door attacks can be readily discovered and tracked down when the code base is maintained through a revision control system, is thoroughly documented, and is maintained by a robust and current software process diagram.

Exploiting Inherent Weaknesses in Code or Programming Environments

• The ambitious intruder isn't just interested in breaching your system through common exploits. If he's after your software, he'll also want to evaluate that for weaknesses and vulnerabilities.

• The intruder will likely download all of the information related to your project that he can find. He won't analyze it on your system because that would likely give away his presence.
• Through the use of hex editors, debuggers, and disassemblers, the attacker will be able to assess the sorts of vulnerabilities and weaknesses your software holds, even if he can only acquire copies of the binary executables.

The Tools of the Trade

• Through the use of hex editors, the attacker can view and edit any executable or binary file, seeking hidden commands, execution flags, and/or possible back doors that may have been inserted by developers.

• A debugger is used to analyze how a program behaves when it's executed. Through use of this tool, an attacker can track multiple facets of a program, including—but not limited to—any function and the names and values assigned to function arguments, as well as local variables. These can assist the intruder in determining runtime weaknesses in the program.

• Disassemblers allow the attacker to convert a binary program down to its assembly (machine code) origin. Disassemblers also allow the attacker to radically alter the program's functions by inserting or removing jumps and calls as well as importing selected functions.

❖ Chapter 6: Code Auditing and Reverse Engineering

How to Efficiently Trace through a Program

• Tracing a program's execution from start to finish is too time-intensive.
• You can save time by instead going directly to problem areas.
• This approach allows you to skip benign application processing/calculation logic.

Auditing and Reviewing Selected Programming Languages

• Use of popular and mature programming languages can help you audit the code.
• Certain programming languages may have features that aid you in efficiently reviewing the code.

Looking for Vulnerabilities

• Review how user data is collected.
• Check for buffer overflows.
• Analyze program output.
• Review file system interaction.
• Audit external component use.
• Examine database queries and connections.
• Track use of network communications.

Pulling It All Together

• Use tools such as Unix grep, GNU less, the DOS find command, UltraEdit, the free ITS4 Unix program, or Numega to look for the functions previously listed.

❖ Chapter 7: Securing Your Java Code

Overview of the Java Security Architecture

• The five tenets of security are: containment, authentication, authorization, encryption, and auditing.

• Security systems that are implemented at the JVM level are far less likely to contain holes than security implemented at the application level. When possible, try to use the security mechanisms provided in Java.

• The new sandbox mechanism with Java 2 allows fine-grained access to system resources.

Further excerpts from the preview (fragments; where the source cuts a passage off, the gap is marked "...")

Excerpt from page 557 (section heading cut off): ... to Secure Web Applications

• As a reply to attacks on Web sites and applications, increased emphasis is placed on system and application security.
• Public Key Infrastructure and Public Key Cryptography were designed expressly for the Web to authenticate system access and encrypt data between systems.
Chapter 10 Continued (page 556)

... must be in a CFLOCK.

• Session and application variables exist until they time out or the server is cycled.

❖ Chapter 11: Developing Security-Enabled Applications

The Benefits of Using Security-Enabled Applications

• A decent hacker can exploit weaknesses in any application, ...

Chapter 8 Continued (page 551)

... expose your XSL in much the same way that HTML is exposed to the client.

Securing XML

• Use existing methods of security to protect your XML. HTTPS works with your XML in the same way it does with HTML.
• Try to keep everything on the server. Perform your XSL transformation ...

Chapter 9 Continued (page 553)

... dynamically manage ActiveX controls.

Methodology for Writing Safe ActiveX Controls

• Thoroughly document your control. You should also design your control with the minimum functionality required to accomplish its task.
• If your control violates any of the following, it should ...

Chapter 10 Continued (page 555)

... not be allowed.

• Use the Web server in addition to any ColdFusion security you may write.
• ColdFusion is only as secure as the machine it is on. If the machine has security holes, then ColdFusion (and any other application) is vulnerable.
• Attack your own machine from ...

Creating Web Applications Using XML (excerpt; the preceding sentence is cut off at "... Internet.")

• XML and XSL should be used in conjunction with HTML when creating your Web applications. With these tools, your Web applications will be easier to maintain and can support a wider variety of browsers.
• XML should not only be used in communicating with different entities over the Internet, but should be used as a means of communication within your application ...

Excerpt from page 559 (Chapter 12)

... development effort, but also aid in the security of your application.

• Having coding standards in place and published within your organization not only helps to keep code consistent from one developer to another, but also ensures portability of development work.

Chapter 11 Continued (page 559)

... defined an appropriate back-out strategy.

• Testing methods should involve performance testing, functionality testing, and security testing.

❖ Chapter 12: Cradle to Grave: Working with a Security Plan

Examining Your Code

• Two types of code reviews are used during the development ...
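The Chapter 4 rules (keep the form and the script in step, don't trust user input, report fields that haven't been filled out, don't rely on a form field's size attribute, and don't send form data with GET) combined into one server-side validator. This is an added example in Python, not code from the book or its authors; the field names and limits in FORM_SCHEMA are constructed for illustration.

```python
"""Server-side validation for a CGI form handler (added example, not from the book).
FORM_SCHEMA's field names and limits are constructed for illustration."""
from urllib.parse import parse_qs

# Constructed schema: field name -> (required?, maximum length the server accepts).
# The MAXSIZE/MAXLENGTH attribute on the form only restrains a well-behaved browser,
# so the same limit has to be enforced here.
FORM_SCHEMA = {
    "name":    (True, 40),
    "email":   (True, 80),
    "comment": (False, 500),
}


def validate_form(body, schema=FORM_SCHEMA):
    """Check an application/x-www-form-urlencoded body against schema.
    Returns (clean_fields, errors); clean_fields is empty whenever errors is not."""
    try:
        # keep_blank_values: an empty required field must be reported, not dropped;
        # strict_parsing: a pair without '=' is an error, not silently ignored.
        raw = parse_qs(body, keep_blank_values=True, strict_parsing=True) if body else {}
    except ValueError as exc:
        return {}, [f"malformed form data: {exc}"]
    errors = []
    # Fields the form was never designed to send mean the form and script are out
    # of step, or the request was hand-built; refuse them rather than pass them on.
    for unexpected in sorted(set(raw) - set(schema)):
        errors.append(f"unexpected field: {unexpected}")
    clean = {}
    for field, (required, max_len) in schema.items():
        values = raw.get(field, [])
        if len(values) > 1:
            errors.append(f"{field}: submitted more than once")
            continue
        value = values[0].strip() if values else ""
        if not value:
            if required:
                errors.append(f"{field}: required field has not been filled out")
            continue
        if len(value) > max_len:  # the server-side counterpart of the form's size limit
            errors.append(f"{field}: exceeds {max_len} characters")
            continue
        # Control characters (newlines included) are how untrusted data gets spliced
        # into commands or response headers when an interpreted script reuses it.
        if any(ord(ch) < 32 for ch in value):
            errors.append(f"{field}: control characters are not allowed")
            continue
        clean[field] = value
    return ({}, errors) if errors else (clean, [])


def handle_cgi_request(method, body):
    """Minimal CGI-style dispatch returning (http_status, error_messages, clean_fields).
    Only POST is accepted: form data sent with GET ends up in URLs, referrers and logs."""
    if method != "POST":
        return 405, ["this form must be submitted with POST"], {}
    clean, errors = validate_form(body)
    if errors:
        return 400, errors, {}
    return 200, [], clean
```

The same schema-driven check works for a query string on a GET endpoint that carries nothing sensitive; the point is that every limit the form expresses is re-checked by the script that receives the data.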

Posted: 14/08/2014, 04:21
