Dr. Dobb's Journal - October 2008 - (Page 28)

Core Technology

SAFE CODING PRACTICES

continued from page 26

therefore, is an attack pattern that focuses on enabling scripts from one site (the attacker’s site) to access content from another site (for instance, the user’s bank account site). To do this, users must typically visit either a malicious or naive website, although many experiments in social engineering have shown that users can be funneled toward even the most outlandish of sites quite readily.

The most common form of this type of vulnerability is a simple reflection flaw, and focuses on unfiltered HTML parameters (form parameters, typically) being reflected back to the user from a server request. The canonical form of this attack vector was first shown by search engine result pages, which typically reflected the user’s query term in the title of the page. Without filtering, this reflected query term could easily contain HTML tags that were not correctly encoded and would therefore be interpreted as valid HTML by the receiving browser. In essence, any reflection of unfiltered incoming data is a problem, as the number and variety of exploits resulting from XSS grows every day; see Example 4.

Just as the manifestation of XSS reflection is simple to describe, the mitigation is also incredibly simple—encode anything that is read from the incoming request before sending it back to the browser. While we’re using Java here to show examples, all the prevalent page stacks include HTML encoding mechanisms that are easily employed to avoid this vulnerability. For example, this ASP statement is exploitable:

    Response.Write Request.Form("username")

In contrast, the following statement is not:

    Response.Write Server.HTMLEncode(Request.Form("username"))

Likewise, the same kind of transformation can be used in Java to prevent this exploit, although there’s (still) no built-in object to perform a standard transformation.
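The following is an added example, not code from the article or from Klocwork: a small Java String transformer of the kind the text describes, together with a safe rendering of the search-page title that Example 4 writes back unfiltered. The names HtmlEncoder and renderTitle are hypothetical, chosen for this illustration; the sample input in main is constructed.

```java
// Added example (not from the article): a minimal HTML encoder and a safe
// way to build the page title from an incoming search term.
// HtmlEncoder and renderTitle are hypothetical names for this illustration.
public final class HtmlEncoder {

    private HtmlEncoder() {}

    // Replace the five characters that can open a tag, close an attribute or
    // start an entity reference; everything else is copied through unchanged.
    public static String encode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build the title fragment from the incoming search term. In a servlet
    // this is what would be written to the response instead of the raw
    // parameter, e.g.:
    //   res.getWriter().write(renderTitle(req.getParameter("searchTerm")));
    public static String renderTitle(String searchTerm) {
        return "<title>Results for: " + encode(searchTerm) + "</title>";
    }

    public static void main(String[] args) {
        // Constructed input: a query term that carries markup of its own.
        String term = "</title><b>not bold</b>";
        System.out.println(renderTitle(term));
    }
}
```

The encoder is correct for text between tags and for values inside double-quoted attributes; a value placed inside a script block, a style block, or a URL needs that context’s own encoding, which this helper does not attempt. If you follow the article’s advice and encode before storage, do not encode the same value a second time on output, or every & in the stored text will come out as &amp;amp;.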
That said, it’s simple to write such a String transformer. For those in search of an “off the shelf” package, the JTidy project (jtidy.sourceforge.net) is a good place to start.

Other, more complex, manifestations of XSS revolve around the persistent storage of unfiltered user input that is later used to provide response content. This is a more difficult type of XSS to diagnose, as the attack pattern depends not only on a user’s unfiltered input being stored, but on that stored data being made available to other users from that point onward. Naive forum software packages were particularly susceptible to this attack pattern in the early days of the Web. But even today, any application that stores incoming unfiltered data in a database (or file) and then sends that stored data to the user at a later date is vulnerable to this persistent form of XSS. Once again, the mitigation is simple, requiring the program either to encode information before it is stored or, at worst, to encode it before sending it from the persistent store to the user. In general, it is always safer to encode data before storage, as in this way every possible future usage of that data is already guarded against XSS.

Finding the Flaws

Obviously, while the mitigations described here are simple to implement, the biggest challenge facing developers or development organizations trying to come to grips with security within an existing code base, or within code being newly created, is finding the areas of vulnerability. Manual code inspection can obviously be leveraged, but sitting around a table looking at reams of code, trying to find what might be extensively obfuscated vulnerabilities isn’t anybody’s idea of a fun time, I’m sure.
Static source-code analysis offers a potential solution to this problem, focusing on the potential vulnerabilities or weaknesses that are present in the code, rather than attempting to find existing exploits or attack vectors as a traditional application security or pen test dynamic tool might. Using an SCA tool can significantly shorten the time and effort involved in finding these issues and preparing them for mitigation. There are many of these tools available with varying capabilities, both open source and commercial. Klocwork (the company I work for) provides one such commercial static source-code analysis product suite, focusing on C, C++, and Java, and providing developers fast, accurate analysis of operational defects and security vulnerabilities, integrated within your IDE of choice.

DDJ

    // Requires java.sql.Connection, PreparedStatement, ResultSet and SQLException
    public void validateUser(String user, String pwd, Connection db)
            throws InvalidUserException {
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try {
            // Prepare the statement, rather than concatenating it
            String sql = "select id from users where user=? and pwd=?";
            stmt = db.prepareStatement(sql);
            // Substitute our incoming parameters into the query
            stmt.setString(1, user);
            stmt.setString(2, pwd);
            // Execute the query and process the results as before
            rs = stmt.executeQuery();
            if( rs == null || !rs.next() )
                throw new InvalidUserException();
        } catch( SQLException e ) {
            throw new InvalidUserException();
        } finally {
            try { if( rs != null ) rs.close(); } catch( Exception e ) { }
            try { if( stmt != null ) stmt.close(); } catch( Exception e ) { }
        }
    }

Example 3: A safe version of Example 2.

    // Requires java.io.IOException and the javax.servlet.http classes
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String title = req.getParameter("searchTerm");
        // The search term is written straight back to the browser with no encoding
        res.getOutputStream().write(title.getBytes("UTF-8"));
    }

Example 4: Unfiltered incoming data is a problem.