MSDN Magazine - November 2008 - (Page 48) Reviewing code is a slow, tedious, and mind-numbing task. ry string, the application will choose the malicious script input for the value of the lastLogin variable. If you answered XSS, give yourself one point. HttpContext.Application object is not shared across servers. If this application was deployed in a server farm, it could lead to session ID collisions. If you caught this bug, give yourself one point. Another serious problem is that the session IDs generated by this class are easily guessed sequential integers. If a user looks at his session token and notices that he has session ID 100, he could use a simple browser utility to change the session ID to 99 or 98 or any other lower value to hijack those users’ sessions. A much better option for the developer in this case would be to use a GUID or other large, random, string-combining letters and numbers. If you realized that sequential integers are poor choices for session ID tokens, you score a point. Bug #7 (C#) private decimal? lookupPrice(XmlDocument doc) { XmlNode node = doc.SelectSingleNode( @"//products/product[id/text()='" + Request["itemId"] + "']/price"); if (node == null) return null; else return (Convert.ToDecimal(node.InnerText)); } Answer If you said XPath injection, give yourself one point. XPath injection works on exactly the same principle as its much more (in)famous cousin SQL injection. By creating a query that combines XPath code with unvalidated and unescaped user input, this code is vulnerable to injection attacks. Any application that manipulates text that is then used to perform some form of operation is subject to injection vulnerabilities. Bug #9 (C#) bool login(string username, string password, SqlConnection connection, out string errorMessage) { SqlCommand selectUserAndPassword = new SqlCommand( "SELECT Password FROM UserAccount WHERE Username = @username", connection); selectUserAndPassword.Parameters.Add( new SqlParameter("@username", username)); string validPassword = (string)selectUserAndPassword.ExecuteScalar(); if (validPassword == null) { // the user doesn't exist in the database errorMessage = "Invalid user name"; return false; } else if (validPassword != password) { // the given password doesn't match errorMessage = "Incorrect password"; return false; } else { // success errorMessage = String.Empty; return true; } } Bug #8 (C#) public class CustomSessionIDManager : System.Web.Session State.SessionIDManager { private static object lockObject = new object(); public override string CreateSessionID(HttpContext context) { lock (lockObject) { Int32? lastSessionId = (int?)context.Application ["LastSessionId"]; if (lastSessionId == null) lastSessionId = 1; else lastSessionId++; context.Application["LastSessionId"] = lastSessionId; return lastSessionId.ToString(); } } } Answer Answer There are two main problems here. While the code cor- rectly applies a lock around the app logic to ensure that two threads don’t create the same session ID at the same time, it’s still not safe to deploy in a server farm. Application state as referenced by the Learn to review code for security bugs. It’s a dying skill. 48 msdn magazine The biggest problem here is that the application is returning too much information to the user in the case of a failed login. While it’s definitely helpful for a user to know whether he just mistyped his password or whether he completely forgot his user name, this information is also useful to an attacker attempting a brute force attack against the application. Although it sounds counterintuitive, in this situation it’s better to be unhelpful. Failed logins should display messages such as “Invalid username or password,” not “Invalid username” and “Invalid password.” If you caught this, you get a point. And give yourself a bonus point if you also remembered that the application shouldn’t be storing passwords in plaintext in the database; instead, it should be storing and comparing salted hashes of the passwords. Security Quiz
Table of Contents Feed for the Digital Edition of MSDN Magazine - November 2008 Contents MSDN Magazine - November 2008 Toolbox CLR Inside Out Data Points Cutting Edge Security Briefs Test Your Security IQ Agile SDL Access Control Utility Spotlight RIA Test Run Wicked Code Foundations Team System End Bracket MSDN Magazine - November 2008 MSDN Magazine - November 2008 - (Page Intro) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page Cover1) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page Cover2) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 1) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 2) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 3) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 4) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 5) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 6) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 7) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 8) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 9) MSDN Magazine - November 2008 - MSDN Magazine - November 2008 (Page 10) MSDN Magazine - November 2008 - Toolbox (Page 11) MSDN Magazine - November 2008 - Toolbox (Page 12) MSDN Magazine - November 2008 - Toolbox (Page 13) MSDN Magazine - November 2008 - Toolbox (Page 14) MSDN Magazine - November 2008 - Toolbox (Page 15) MSDN Magazine - November 2008 - Toolbox (Page 16) MSDN Magazine - November 2008 - CLR Inside Out (Page 17) MSDN Magazine - November 2008 - CLR Inside Out (Page 18) MSDN Magazine - November 2008 - CLR Inside Out (Page 19) MSDN Magazine - November 2008 - CLR Inside Out (Page 20) MSDN Magazine - November 2008 - CLR Inside Out (Page 21) MSDN Magazine - November 2008 - CLR Inside Out (Page 22) MSDN Magazine - November 2008 - Data Points (Page 23) MSDN Magazine - November 2008 - Data Points (Page 24) MSDN Magazine - November 2008 - Data Points (Page 25) MSDN Magazine - November 2008 - Data Points (Page 26) MSDN Magazine - November 2008 - Data Points (Page 27) MSDN Magazine - November 2008 - Data Points (Page 28) MSDN Magazine - November 2008 - Data Points (Page 29) MSDN Magazine - November 2008 - Data Points (Page 30) MSDN Magazine - November 2008 - Cutting Edge (Page 31) MSDN Magazine - November 2008 - Cutting Edge (Page 32) MSDN Magazine - November 2008 - Cutting Edge (Page 33) MSDN Magazine - November 2008 - Cutting Edge (Page 34) MSDN Magazine - November 2008 - Cutting Edge (Page 35) MSDN Magazine - November 2008 - Cutting Edge (Page 36) MSDN Magazine - November 2008 - Cutting Edge (Page 37) MSDN Magazine - November 2008 - Cutting Edge (Page 38) MSDN Magazine - November 2008 - Cutting Edge (Page 39) MSDN Magazine - November 2008 - Cutting Edge (Page 40) MSDN Magazine - November 2008 - Security Briefs (Page 41) MSDN Magazine - November 2008 - Security Briefs (Page 42) MSDN Magazine - November 2008 - Security Briefs (Page 43) MSDN Magazine - November 2008 - Security Briefs (Page 44) MSDN Magazine - November 2008 - Security Briefs (Page 45) MSDN Magazine - November 2008 - Test Your Security IQ (Page 46) MSDN Magazine - November 2008 - Test Your Security IQ (Page 47) MSDN Magazine - November 2008 - Test Your Security IQ (Page 48) MSDN Magazine - November 2008 - Test Your Security IQ (Page 49) MSDN Magazine - November 2008 - Test Your Security IQ (Page 50) MSDN Magazine - November 2008 - Test Your Security IQ (Page 51) MSDN Magazine - November 2008 - Agile SDL (Page 52) MSDN Magazine - November 2008 - Agile SDL (Page 53) MSDN Magazine - November 2008 - Agile SDL (Page 54) MSDN Magazine - November 2008 - Agile SDL (Page 55) MSDN Magazine - November 2008 - Agile SDL (Page 56) MSDN Magazine - November 2008 - Agile SDL (Page 57) MSDN Magazine - November 2008 - Agile SDL (Page 58) MSDN Magazine - November 2008 - Access Control (Page 59) MSDN Magazine - November 2008 - Access Control (Page 60) MSDN Magazine - November 2008 - Access Control (Page 61) MSDN Magazine - November 2008 - Access Control (Page 62) MSDN Magazine - November 2008 - Access Control (Page 63) MSDN Magazine - November 2008 - Access Control (Page 64) MSDN Magazine - November 2008 - Access Control (Page 65) MSDN Magazine - November 2008 - Access Control (Page 66) MSDN Magazine - November 2008 - Access Control (Page 67) MSDN Magazine - November 2008 - Access Control (Page 68) MSDN Magazine - November 2008 - Access Control (Page 69) MSDN Magazine - November 2008 - Access Control (Page 70) MSDN Magazine - November 2008 - Access Control (Page 71) MSDN Magazine - November 2008 - Utility Spotlight (Page 72) MSDN Magazine - November 2008 - Utility Spotlight (Page 73) MSDN Magazine - November 2008 - Utility Spotlight (Page 74) MSDN Magazine - November 2008 - Utility Spotlight (Page 75) MSDN Magazine - November 2008 - Utility Spotlight (Page 76) MSDN Magazine - November 2008 - Utility Spotlight (Page 77) MSDN Magazine - November 2008 - Utility Spotlight (Page 78) MSDN Magazine - November 2008 - Utility Spotlight (Page 79) MSDN Magazine - November 2008 - Utility Spotlight (Page 80) MSDN Magazine - November 2008 - RIA (Page 81) MSDN Magazine - November 2008 - RIA (Page 82) MSDN Magazine - November 2008 - RIA (Page 83) MSDN Magazine - November 2008 - RIA (Page 84) MSDN Magazine - November 2008 - RIA (Page 85) MSDN Magazine - November 2008 - RIA (Page 86) MSDN Magazine - November 2008 - RIA (Page 87) MSDN Magazine - November 2008 - RIA (Page 88) MSDN Magazine - November 2008 - RIA (Page 89) MSDN Magazine - November 2008 - RIA (Page 90) MSDN Magazine - November 2008 - Test Run (Page 91) MSDN Magazine - November 2008 - Test Run (Page 92) MSDN Magazine - November 2008 - Test Run (Page 93) MSDN Magazine - November 2008 - Test Run (Page 94) MSDN Magazine - November 2008 - Test Run (Page 95) MSDN Magazine - November 2008 - Test Run (Page 96) MSDN Magazine - November 2008 - Test Run (Page 97) MSDN Magazine - November 2008 - Test Run (Page 98) MSDN Magazine - November 2008 - Wicked Code (Page 99) MSDN Magazine - November 2008 - Wicked Code (Page 100) MSDN Magazine - November 2008 - Wicked Code (Page 101) MSDN Magazine - November 2008 - Wicked Code (Page 102) MSDN Magazine - November 2008 - Wicked Code (Page 103) MSDN Magazine - November 2008 - Wicked Code (Page 104) MSDN Magazine - November 2008 - Wicked Code (Page 105) MSDN Magazine - November 2008 - Wicked Code (Page 106) MSDN Magazine - November 2008 - Foundations (Page 107) MSDN Magazine - November 2008 - Foundations (Page 108) MSDN Magazine - November 2008 - Foundations (Page 109) MSDN Magazine - November 2008 - Foundations (Page 110) MSDN Magazine - November 2008 - Foundations (Page 111) MSDN Magazine - November 2008 - Foundations (Page 112) MSDN Magazine - November 2008 - Team System (Page 113) MSDN Magazine - November 2008 - Team System (Page 114) MSDN Magazine - November 2008 - Team System (Page 115) MSDN Magazine - November 2008 - Team System (Page 116) MSDN Magazine - November 2008 - Team System (Page 117) MSDN Magazine - November 2008 - Team System (Page 118) MSDN Magazine - November 2008 - Team System (Page 119) MSDN Magazine - November 2008 - End Bracket (Page 120) MSDN Magazine - November 2008 - End Bracket (Page Cover3) MSDN Magazine - November 2008 - End Bracket (Page Cover4)
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.