Code review for secure web applications

  1. Code Review for Secure Web Applications (with Java samples)
  2. Bibliography
     • OWASP – Open Web Application Security Project
     • OWASP Code Review Guide
  3. Introduction
     • Code review styles:
       – Ad hoc reviews
       – Pair programming
       – Walkthrough
       – Team review
       – Inspection
     • Purpose of this review: security
  4. Code review strategies
     • Automatic
     • Manual, using checklists based on:
       – Risk
       – The most common programming mistakes
       – Mitigation of the vulnerabilities most exploited in the wild
       – Security best practices
  5. Checklist based on best practices
     • Authentication
     • Authorization
     • Session management
     • Input validation and output sanitization
  6. Checklist based on best practices (to be presented at the next meeting)
     • Prevent Cross-Site Request Forgery
     • Cryptographic controls
     • Error handling
     • Logging
     • Prevent race conditions
  7. Authentication
     • Check that the user is not allowed to choose weak passwords
       Bad (only rejects a missing parameter; any non-null string is accepted):

         String password = request.getParameter("Password");
         if (password == null) {
             throw new InvalidPasswordException();
         }

  8. Authentication
     • Check that the user is not allowed to choose weak passwords
       OK (requires a lower-case letter, an upper-case letter, a digit, a special character and 8 to 30 characters):

         import java.util.regex.Pattern;

         public boolean isStrongPassword(String password) {
             return password.length() >= 8 && password.length() <= 30
                 && Pattern.compile("[a-z]").matcher(password).find()
                 && Pattern.compile("[A-Z]").matcher(password).find()
                 && Pattern.compile("[0-9]").matcher(password).find()
                 && Pattern.compile("[!\"£$%^&*()]").matcher(password).find();
         }

  9. Authentication
     • Password storage strategy: hashing using a one-way hash algorithm + salting
       OK hashing:

         import java.nio.charset.StandardCharsets;
         import java.security.MessageDigest;
         import java.security.NoSuchAlgorithmException;

         public byte[] getHash(String password) throws NoSuchAlgorithmException {
             MessageDigest digest = MessageDigest.getInstance("SHA-1");
             digest.reset();
             return digest.digest(password.getBytes(StandardCharsets.UTF_8));
         }

  10. Authentication
     • Password storage strategy: hashing using a one-way hash algorithm + salting
       OK salting:

         import java.nio.charset.StandardCharsets;
         import java.security.MessageDigest;
         import java.security.NoSuchAlgorithmException;

         public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
             MessageDigest digest = MessageDigest.getInstance("SHA-256");
             digest.reset();
             digest.update(salt);   // the salt is mixed in before the password
             return digest.digest(password.getBytes(StandardCharsets.UTF_8));
         }
  11. Authorization
     • Check the access roles matrix and make sure it is created respecting the need-to-know and least-privilege principles
     • Check the business logic for errors
       Bad (the else branch grants the highest permissions to every user that is not "NormalUser"):

         if (user.equals("NormalUser")) {
             grantUser(Normal_Permissions);
         } else {
             // user must be admin/super
             grantUser(Super_Permissions);
         }

  12. Authorization
     • Check if security by obscurity is used
     • Check if authorization is verified for every request
       Good:

         String action = request.getParameter("action");
         if (action.equals("doStuff")) {
             // session.authTable is the slide's placeholder for the access matrix lookup
             boolean permit = session.authTable.isAuthorised(action);
             if (permit) {
                 doStuff();
             } else {
                 // invalidate before throwing, otherwise the invalidation is never reached
                 session.invalidate();
                 throw new InvalidRequestException("Unauthorised request");
             }
         }

  13. Session Management
     • Check that only the framework's session manager is used
     • Check the cryptographic strength, the length of the session ids and the character pool
     • Check that session ids coming from clients are validated
     • Check that a timeout is implemented for idle sessions
     • Check that the session is destroyed on logout
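Slides 11 to 13 are checklist items. The following added example (not from the slides) puts them into one servlet filter: the access matrix is an explicit role-to-action allow-list with deny as the default (no "else the user must be admin" branch), the check runs on every request, the framework's session manager is used with `getSession(false)` so unknown client session ids simply yield no session, an idle timeout is set, and logout destroys the session. The role names, the actions, the `role` session attribute and the `/login` path are assumptions of this example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the slides): per-request authorization from an
// explicit allow-list, default deny. Roles, actions and the "role" session
// attribute are assumptions.
public class AuthorizationFilter implements Filter {
    // Access matrix: role -> actions it may perform. Anything not listed is denied.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("NormalUser", Set.of("viewReport"));
        ALLOWED.put("Admin", Set.of("viewReport", "doStuff"));
    }
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    /** Deny unless the role is known and the action is explicitly granted to it. */
    static boolean isAuthorised(String role, String action) {
        if (role == null || action == null) {
            return false;
        }
        return ALLOWED.getOrDefault(role, Collections.emptySet()).contains(action);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // false: never create a session for an anonymous request; a client-supplied id
        // that the container does not recognise also ends up here as null.
        HttpSession session = request.getSession(false);
        if (session == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);   // idle sessions expire server-side
        String role = (String) session.getAttribute("role");
        String action = request.getParameter("action");
        if ("logout".equals(action)) {
            session.invalidate();                                // destroy the session on logout
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        if (!isAuthorised(role, action)) {
            // Same reaction as slide 12: drop the session and refuse the request.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorised request");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The point to check in review is the shape of `isAuthorised`: the only way to be granted something is to appear in the matrix, so a new role or a typo in a role name fails closed.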
  14. Input validation and output sanitization
     • Ensure 2 separate validations occur: first a security validation, then a business validation
     • Ensure that in the security validation the data are canonicalized first

         import java.io.File;
         import java.io.IOException;

         public static void main(String[] args) throws IOException {
             File x = new File("/cmd/" + args[0]);          // first command-line argument
             String absPath = x.getAbsolutePath();          // may still contain "." and ".." segments
             String canonicalPath = x.getCanonicalPath();   // "." , ".." and symbolic links resolved: validate this form
         }

  15. Input validation and output sanitization
     • Check that all input that traversed untrusted zones is validated, not only user input
     • Check that validators or sanitizers are adapted to the module that receives/uses the data (encode, escape, etc.)
     • Check that validators are applied on a safe side (on the server, never only on the client side)
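Slide 14 stops at obtaining the canonical path; the following added example (not from the slides) shows the security validation that canonicalization is for: resolve the user-supplied name inside the intended directory, then check that the canonical result is still under that directory. The base directory `/srv/app/cmd` and the sample inputs are constructed for this example.

```java
import java.io.File;
import java.io.IOException;

// Added example (not from the slides): canonicalize, then validate containment.
// BASE is an assumption of this example.
public final class SafePath {
    private static final File BASE = new File("/srv/app/cmd");

    /** Returns the canonical file for a user-supplied name, or null if it escapes BASE. */
    public static File resolve(String userSupplied) throws IOException {
        if (userSupplied == null || userSupplied.isEmpty()) {
            return null;
        }
        File candidate = new File(BASE, userSupplied);
        // getCanonicalPath resolves ".", ".." and symbolic links; a check on the raw
        // string or on getAbsolutePath would not see where the path really ends up.
        String canonical = candidate.getCanonicalPath();
        String base = BASE.getCanonicalPath();
        if (!canonical.startsWith(base + File.separator)) {
            return null;   // outside the allowed directory (or the directory itself)
        }
        return new File(canonical);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one inside BASE, one that climbs out of it.
        String[] samples = { "report.txt", "../../etc/passwd" };
        for (String s : samples) {
            File f = resolve(s);
            System.out.println(s + " -> " + (f == null ? "rejected" : f.getPath()));
        }
    }
}
```

The separator is appended to the base before `startsWith` so that a sibling directory whose name merely begins with the base name (`/srv/app/cmd2`) is not accepted.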
  16. Input validation and output sanitization (untrusted input reaching a command line)

         public class DoStuff {
             public String executeCommand(String userName) {
                 try {
                     // userName is passed to cmd.exe without validation, so the shell
                     // interprets any metacharacters it contains
                     String myUid = userName;
                     Runtime rt = Runtime.getRuntime();
                     rt.exec("cmd.exe /C doStuff.exe " + "-" + myUid);
                 } catch (Exception e) {
                     e.printStackTrace();
                 }
                 return null;
             }
         }

  17. Input validation and output sanitization (untrusted input concatenated into SQL)

         // The "order" parameter becomes part of the SQL text, so the prepared
         // statement protects only the name value, not the appended sort order
         String myQuery = "select food from foods where name=?";
         String sortOrder = request.getParameter("order");
         myQuery += sortOrder;
         PreparedStatement preparedStatement = connection.prepareStatement(myQuery);
         preparedStatement.setString(1, "Shaorma");
         ResultSet resultSet = preparedStatement.executeQuery();
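Slides 16 and 17 show untrusted values reaching an interpreter (the Windows shell, the SQL parser). As an added example that is not part of the slides, here are both sinks written the way the checklist asks for: the value is validated against an allow-list adapted to where it is used, the command is started as an argument list with no shell in between, and the part of the SQL statement that cannot be a bound parameter (the ORDER BY text) is chosen from a fixed map instead of being copied from the request. The user-name pattern, the sort keys and the `price` column are assumptions of this example; `doStuff.exe` and the `foods` query come from the slides.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example (not from the slides): allow-list validation in front of an OS
// command and a SQL statement. USERNAME pattern and ORDER_BY keys are assumptions.
public final class SafeSinks {
    // Letters, digits, dot, dash and underscore only, 1-32 characters: no shell metacharacters.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,32}");

    // Request value -> SQL fragment we wrote ourselves. Anything else is not a sort key.
    private static final Map<String, String> ORDER_BY = Map.of(
            "name", "name ASC",
            "name_desc", "name DESC",
            "price", "price ASC");

    public static Process executeCommand(String userName) throws IOException {
        if (userName == null || !USERNAME.matcher(userName).matches()) {
            throw new IllegalArgumentException("invalid user name");
        }
        // An argument list handed straight to the program: cmd.exe is not involved,
        // so there is no command-line parsing for the value to influence.
        List<String> cmd = Arrays.asList("doStuff.exe", "-" + userName);
        return new ProcessBuilder(cmd).start();
    }

    public static ResultSet findFood(Connection connection, String name, String order)
            throws SQLException {
        String orderClause = ORDER_BY.get(order);
        if (orderClause == null) {
            orderClause = ORDER_BY.get("name");   // unknown sort key: default, never echo the input
        }
        // The data value stays a bound parameter; the ORDER BY text comes from our own map.
        String sql = "select food from foods where name = ? order by " + orderClause;
        PreparedStatement ps = connection.prepareStatement(sql);
        ps.setString(1, name);
        return ps.executeQuery();
    }
}
```

In review, the question for any string that ends up in a query or command is "which of these two paths does it take": bound parameter, or allow-list lookup. A value that takes neither is the finding.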
  18. Input validation and output sanitization (output encoding)

         import java.io.*;
         import javax.servlet.http.*;
         import javax.servlet.*;

         public class HelloServlet extends HttpServlet {
             public void doGet(HttpServletRequest req, HttpServletResponse res)
                     throws ServletException, IOException {
                 String input = req.getHeader("USERINPUT");
                 PrintWriter out = res.getWriter();
                 // Server.HTMLEncode is the slide's placeholder for an HTML output encoder
                 out.println(Server.HTMLEncode(input));
                 out.close();
             }
         }
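Slide 18 calls a `Server.HTMLEncode` that the deck does not define. The following added example (not from the slides) is one such encoder for the HTML text and quoted-attribute contexts: it replaces the six characters that can end or alter markup with entity references and leaves everything else alone. The class name, the sample input and the choice to encode `/` are assumptions of this example; a production application would normally use a maintained encoding library rather than a hand-written one, and a different encoder for JavaScript, URL or CSS contexts.

```java
// Added example (not from the slides): HTML entity encoding for text and
// quoted attribute contexts. Class name and sample input are constructed.
public final class HtmlEncoder {
    /** Encodes the characters that can change the meaning of HTML text or a quoted attribute. */
    public static String encode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;   // must be first in thought: it starts every entity
                case '<':  sb.append("&lt;");   break;   // opens a tag
                case '>':  sb.append("&gt;");   break;   // closes a tag
                case '"':  sb.append("&quot;"); break;   // ends a double-quoted attribute
                case '\'': sb.append("&#x27;"); break;   // ends a single-quoted attribute
                case '/':  sb.append("&#x2F;"); break;   // closes a tag name; encoded for good measure
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample header value mixing the characters above with ordinary text
        String untrusted = "Tom & \"Jerry\" <3 Bob's pizza";
        System.out.println(encode(untrusted));
    }
}
```

Note that the encoder is applied at output time, in the servlet, and not when the header is read: the same value might later be written into a SQL parameter or a log line, where HTML entities would be the wrong transformation.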
  19. Thank you for your interest. Questions?
  20. Prevent Cross-Site Request Forgery
  21. Cryptographic controls
  22. Error handling
  23. Logging
  24. Prevent race conditions