book

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

by Michael Howard, David LeBlanc, John Viega

September 2009

Intermediate to advanced

464 pages

9h 58m

English

McGraw-Hill

Read now

Unlock full access

Cover Page
24 Deadly Sins Of Software Security
Copyright Page
Contents
Foreword
Acknowledgments
Introduction
Part I Web Application Sins
1 SQL Injection
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedA Note about LinqSinful C#Sinful PHPSinful Perl/CGISinful PythonSinful Ruby on RailsSinful Java and JDBCSinful C/C++Sinful SQLRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2006-4953CVE-2006-4592Redemption StepsValidate All InputUse Prepared Statements to Build SQL StatementsC# RedemptionPHP 5.0 and MySQL 4.1 or Later RedemptionPerl/CGI RedemptionPython RedemptionRuby on Rails RedemptionJava Using JDBC RedemptionColdFusion RedemptionSQL RedemptionExtra Defensive MeasuresEncrypt Sensitive, PII, or Confidential DataUse URLScanOther ResourcesSummary
2 Web Server–Related Vulnerabilities (XSS, XSRF, and Response Splitting)
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedDOM-Based XSS or Type 0Reflected XSS, Nonpersistent XSS, or Type 1Stored XSS, Persistent XSS, or Type 2HTTP Response SplittingCross-Site Request ForgerySinful Ruby on Rails (XSS)Sinful Ruby on Rails (Response Splitting)Sinful CGI Application in Python (XSS)Sinful CGI Application in Python (Response Splitting)Sinful ColdFusion (XSS)Sinful ColdFusion (XSS)Sinful C/C++ ISAPI (XSS)Sinful C/C++ ISAPI (Response Splitting)Sinful ASP (XSS)Sinful ASP (Response Splitting)Sinful ASP.NET Forms (XSS)Sinful ASP.NET (Response Splitting)Sinful JSP (XSS)Sinful JSP (Response Splitting)Sinful PHP (XSS)Sinful PHP (Response Splitting)Sinful CGI Using Perl (XSS)Sinful mod_perl (XSS)Sinful mod_perl (Response Splitting)Sinful HTTP Requests (XSRF)Spotting the Sin PatternSpotting the XSS Sin During Code ReviewSpotting the XSRF Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2003-0712 Microsoft Exchange 5.5 Outlook Web Access XSSCVE-2004-0203 Microsoft Exchange 5.5 Outlook Web Access Response SplittingCVE-2005-1674 Help Center Live (XSS and XSRF)Redemption Steps (XSS and Response Splitting)Ruby on Rails Redemption (XSS)ISAPI C/C++ Redemption (XSS)Python Redemption(XSS)ASP Redemption (XSS)ASP.NET Web Forms Redemption (XSS)ASP.NET Web Forms Redemption (RS)JSP Redemption (XSS)PHP Redemption (XSS)CGI Redemption (XSS)mod_perl Redemption (XSS)Redemption Steps (XSRF)A Note about TimeoutsA Note about XSRF and POST vs. GETRuby on Rails Redemption (XSRF)ASP.NET Web Forms Redemption (XSRF)Non-Draconian Use of HTML EncodeExtra Defensive MeasuresUse HttpOnly CookiesWrap Tag Properties with Double QuotesConsider Using ASP.NET ViewStateUserKeyConsider Using ASP.NET ValidateRequestUse the ASP.NET Security Runtime Engine SecurityConsider Using OWASP CSRFGuardUse Apache::TaintRequestUse UrlScanSet a Default Character SetOther ResourcesSummary

3 Web Client–Related Vulnerabilities (XSS)
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedPrivacy Implications of Sinful GadgetsSinful JavaScript and HTMLSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsMicrosoft ISA Server XSS CVE-2003-0526Windows Vista Sidebar CVE-2007-3033 and CVE-2007-3032Yahoo! Instant Messenger ActiveX Control CVE-2007-4515Redemption StepsDon’t Trust InputReplace Insecure Constructs with More Secure ConstructsExtra Defensive MeasuresOther ResourcesSummary
4 Use of Magic URLs, Predictable Cookies, and Hidden Form Fields
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedMagic URLsPredictable CookiesHidden Form FieldsRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2005-1784Redemption StepsAttacker Views the DataAttacker Replays the DataAttacker Predicts the DataAttacker Changes the DataExtra Defensive MeasuresOther ResourcesSummary
Part II Implementation Sins
5 Buffer Overruns
Overview of the SinCWE ReferencesAffected LanguagesThe Sin Explained64-bit ImplicationsSinful C/C++Related SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-1999-0042CVE-2000-0389–CVE-2000-0392CVE-2002-0842, CVE-2003-0095, CAN-2003-0096CAN-2003-0352Redemption StepsReplace Dangerous String Handling FunctionsAudit AllocationsCheck Loops and Array AccessesReplace C String Buffers with C++ StringsReplace Static Arrays with STL ContainersUse Analysis ToolsExtra Defensive MeasuresStack ProtectionNonexecutable Stack and HeapOther ResourcesSummary
6 Format String Problems
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful C/C++Related SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2000-0573CVE-2000-0844Redemption StepsC/C++ RedemptionExtra Defensive MeasuresOther ResourcesSummary
7 Integer Overflows
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful C and C++Sinful C#Sinful Visual Basic and Visual Basic .NETSinful JavaSinful PerlSpotting the Sin PatternSpotting the Sin During Code ReviewC/C++C#JavaVisual Basic and Visual Basic .NETPerlTesting Techniques to Find the SinExample SinsMultiple Integer Overflows in the SearchKit API in Apple Mac OS XInteger Overflow in Google Android SDKFlaw in Windows Script Engine Could Allow Code ExecutionHeap Overrun in HTR Chunked Encoding Could Enable Web Server CompromiseRedemption StepsDo the MathDon’t Use TricksWrite Out CastsUse SafeIntExtra Defensive MeasuresOther ResourcesSummary
8 C++ Catastrophes
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful Calls to DeleteSinful Copy ConstructorsSinful ConstructorsSinful Lack of ReinitializationSinful Ignorance of STLSinful Pointer InitializationSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2008-1754Redemption StepsMismatched new and delete RedemptionCopy Constructor RedemptionConstructor Initialization RedemptionReinitialization RedemptionSTL RedemptionUninitialized Pointer RedemptionExtra Defensive MeasuresOther ResourcesSummary
9 Catching Exceptions
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful C++ ExceptionsSinful Structured Exception Handling (SEH)Sinful Signal HandlingSinful C#, VB.NET, and JavaSinful RubySpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2007-0038Redemption StepsC++ RedemptionSEH RedemptionSignal Handler RedemptionOther ResourcesSummary
10 Command Injection
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCAN-2001-1187CAN-2002-0652Redemption StepsData ValidationWhen a Check FailsExtra Defensive MeasuresOther ResourcesSummary
11 Failure to Handle Errors Correctly
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedYielding Too Much InformationIgnoring ErrorsMisinterpreting ErrorsUsing Useless Return ValuesUsing Non-Error Return ValuesSinful C/C++Sinful C/C++ on WindowsRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinCVE-2007-3798 tcpdump print-bgp.c Buffer Overflow VulnerabilityCVE-2004-0077 Linux Kernel do_mremapRedemption StepsC/C++ RedemptionOther ResourcesSummary
12 Information Leakage
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSide ChannelsTMI: Too Much Information!A Model for Information Flow SecuritySinful C# (and Any Other Language)Related SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinThe Stolen Laptop ScenarioExample SinsCVE-2008-4638CVE-2005-1133Redemption StepsC# (and Other Languages) RedemptionNetwork Locality RedemptionExtra Defensive MeasuresOther ResourcesSummary
13 Race Conditions
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful CodeRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2008-0379CVE-2008-2958CVE-2001-1349CAN-2003-1073CVE-2000-0849Redemption StepsExtra Defensive MeasuresOther ResourcesSummary
14 Poor Usability
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedWho Are Your Users?The Minefield: Presenting Security Information to Your UsersRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsSSL/TLS Certificate AuthenticationInternet Explorer 4.0 Root Certificate InstallationRedemption StepsWhen Users Are Involved, Make the UI Simple and ClearMake Security Decisions for UsersMake Selective Relaxation of Security Policy EasyClearly Indicate ConsequencesMake It ActionableProvide Central ManagementOther ResourcesSummary
15 Not Updating Easily
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful Installation of Additional SoftwareSinful Access ControlsSinful Prompt FatigueSinful IgnoranceSinfully Updating Without NotifyingSinfully Updating One System at a TimeSinfully Forcing a RebootSinfully Difficult PatchingSinful Lack of a Recovery PlanSinfully Trusting DNSSinfully Trusting the Patch ServerSinful Update SigningSinful Update UnpackingSinful User Application UpdatingSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsApple QuickTime UpdateMicrosoft SQL Server 2000 PatchesGoogle’s Chrome BrowserRedemption StepsInstallation of Additional Software RedemptionAccess Control RedemptionPrompt Fatigue RedemptionUser Ignorance RedemptionUpdating Without Notifying RedemptionUpdating One System at a Time RedemptionForcing a Reboot RedemptionDifficult Patching RedemptionLack of a Recovery Plan RedemptionTrusting DNS RedemptionTrusting the Patch Server RedemptionUpdate Signing RedemptionUpdate Unpacking RedemptionUser Application Updating RedemptionExtra Defensive MeasuresOther ResourcesSummary
16 Executing Code with Too Much Privilege
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsRedemption StepsWindows, C, and C++Linux, BSD, and Mac OS X.NET CodeExtra Defensive MeasuresOther ResourcesSummary
17 Failure to Protect Stored Data
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedWeak Access Controls on Stored DataSinful Access ControlsWeak Encryption of Stored DataRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2000-0100CVE-2005-1411CVE-2004-0907Redemption StepsC++ Redemption on WindowsC# Redemption on WindowsC/C++ Redemption (GNOME)Extra Defensive MeasuresOther ResourcesSummary
18 The Sins of Mobile Code
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful Mobile CodeSinful Mobile Code ContainersRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2006-2198CVE-2008-1472CVE-2008-5697Redemption StepsMobile Code Container Redemption StepsMobile Code RedemptionsExtra Defensive MeasuresOther ResourcesSummary
Part III Cryptographic Sins
19 Use of Weak Password-Based Systems
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedPassword CompromiseAllowing Weak PasswordsPassword IterationNot Requiring Password ChangesDefault PasswordsReplay AttacksStoring Passwords Instead of Password VerifiersBrute-Force Attacks Against Password VerifiersRevealing Whether a Failure Is Due to an Incorrect User or PasswordOnline AttacksReturning a Forgotten PasswordRelated SinsSpotting the Sin PatternPassword CompromiseAllowing Weak PasswordsIterated PasswordsNever Changing a PasswordDefault PasswordsReplay AttacksBrute Force Attacks Against Password VerifiersStoring Passwords Instead of Password VerifiersOnline AttacksReturning a Forgotten PasswordSpotting the Sin During Code ReviewTesting Techniques to Find the SinPassword CompromiseReplay AttacksBrute-Force AttacksExample SinsZombies Ahead!Microsoft Office Password to ModifyAdobe Acrobat EncryptionWU-ftpd Core DumpCVE-2005-1505CVE-2005-0432The TENEX BugSarah Palin Yahoo E-Mail CompromiseRedemption StepsPassword Compromise RedemptionWeak Password RedemptionIterated Password RedemptionPassword Change RedemptionDefault Password RedemptionReplay Attack RedemptionPassword Verifier RedemptionOnline Brute-Force Attack RedemptionLogon Information Leak RedemptionForgotten Password RedemptionExtra Defensive MeasuresOther ResourcesSummary
20 Weak Random Numbers
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful Non-cryptographic GeneratorsSinful Cryptographic GeneratorsSinful True Random Number GeneratorsRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewWhen Random Numbers Should Have Been UsedFinding Places That Use PRNGsDetermining Whether a CRNG Is Seeded ProperlyTesting Techniques to Find the SinExample SinsTCP/IP Sequence NumbersODF Document Encryption StandardCVE-2008-0166 Debian “Random” Key GenerationThe Netscape BrowserRedemption StepsWindows, C, and C++Windows with Trusted Platform Module (TPM) Support.NET CodeUnixJavaReplaying Number StreamsExtra Defensive MeasuresOther ResourcesSummary
21 Using Cryptography Incorrectly
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedUsing Home-Grown CryptographyCreating a Protocol from Low-Level Algorithms When a High-Level Protocol Will DoUsing a Weak Cryptographic PrimitiveUsing a Cryptographic Primitive IncorrectlyUsing the Wrong Cryptographic PrimitiveUsing the Wrong Communication ProtocolFailing to Use SaltFailing to Use a Random IVUsing a Weak Key Derivation FunctionFailure to Provide an Integrity CheckFailure to Use Agile EncryptionRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewUsing Home-Grown Cryptography (VB.NET and C++)Creating a Protocol from Low-Level Algorithms When a High-Level Protocol Will DoUsing a Weak Cryptographic Primitive (C# and C++)Using a Cryptographic Primitive Incorrectly (Ruby, C#, and C++)Using the Wrong Cryptographic PrimitiveUsing the Wrong Communication ProtocolTesting Techniques to Find the SinExample SinsMicrosoft Office XOR ObfuscationAdobe Acrobat and Microsoft Office Weak KDFRedemption StepsUsing Home-Grown Cryptography RedemptionCreating a Protocol from Low-Level Algorithms When a High-Level Protocol Will Do RedemptionUsing a Weak Cryptographic Primitive RedemptionUsing a Cryptographic Primitive Incorrectly RedemptionUsing the Wrong Cryptographic Primitive RedemptionFailing to Use Salt RedemptionFailing to Use a Random IV RedemptionUsing a Weak Key Derivation Function RedemptionFailure to Provide an Integrity Check RedemptionFailure to Use Agile Encryption RedemptionUsing the Wrong Communication Protocol RedemptionExtra Defensive MeasuresOther ResourcesSummary
Part IV Networking Sins
22 Failing to Protect Network Traffic
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsTCP/IPE-Mail ProtocolsE*TRADERedemption StepsExtra Defensive MeasuresOther ResourcesSummary
23 Improper Use of PKI, Especially SSL
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2007-4680CVE-2008-2420Redemption StepsEnsuring Certificate ValidityExtra Defensive MeasuresOther ResourcesSummary
24 Trusting Network Name Resolution
Overview of the SinCWE ReferencesAffected LanguagesThe Sin ExplainedSinful ApplicationsRelated SinsSpotting the Sin PatternSpotting the Sin During Code ReviewTesting Techniques to Find the SinExample SinsCVE-2002-0676CVE-1999-0024Redemption StepsOther ResourcesSummary
Index

Content preview from 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

SIN 6FORMAT STRING PROBLEMS

OVERVIEW OF THE SIN

Format string problems are one of the few truly new attacks to surface in recent years. One of the first mentions of format string bugs was on June 23, 2000, in a post by Lamagra Argamal (www.securityfocus.com/archive/1/66842); Pascal Bouchareine more clearly explained them almost a month later (www.securityfocus.com/archive/1/70552). An earlier post by Mark Slemko (www.securityfocus.com/archive/1/10383) noted the basics of the problem but missed the ability of format string bugs to write memory.

As with many security problems, the root cause of format string bugs is trusting user-supplied input without validation. In C/C++, format string bugs can be used to write to arbitrary memory locations, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Take Control of iOS & iPadOS Privacy and Security, 2nd Edition

Publisher Resources

ISBN: 9780071626750

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills