How To Break Web Software – Reviewed

How to Break Web Software
Functional and Security Testing of Web Applications and Web Services, by Mike Andrews and James A. Whittaker, published 2006.


Contains recipes for 24 different hacks. Most of them are supposed to be common knowledge in the field by now; they are actually pretty common defects. Frameworks are getting better at weeding out a lot of these, but these concepts are still ‘required reading’ in my mind. I have reviewed several systems by startups that suffer from one or more of these holes. Junior programmers sometimes look at me like I’m nuts when I bring this stuff up.

The book covers basic types of hacks that everybody should know:

  • SQL Injection: back-end code converts parameters supplied from outside (like form values) directly into SQL, so hackers can run arbitrary SQL. Read more on the kid named Bobby Tables here: http://bobby-tables.com/
  • Cross Site Scripting (XSS): the site redisplays data blindly to other users, so arbitrary JavaScript can be executed on other users’ machines. This one’s my personal favorite:
    <IMG SRC="javascript:alert('XSS')">
  • Buffer Overflows: overflowing memory by passing too much data to a method – this could destabilize the server or cause unexpected behavior. I think this one is less common in most web applications; checking fields against a maximum length is one solution. Network devices are more prone to this one.
  • Weak cryptography: relying on an in-house hash, or on a common hash that can easily be broken. Security through obscurity is stupid.
  Other more interesting hacks are:
  • URL jumping (e.g., switch to /admin/delete_all/ directly)
  • Cookie poisoning (e.g., inject loggedin=true into a cookie)
  • Session hijacking (steal a URL that has ?sessionID={somehash})
  • WSDL attacks (attacking exposed SOA interfaces: injecting XML designed to send the server into an infinite loop, command-based XML, etc.)

The basic solution is do not trust ANYTHING that comes in from outside. Validate, validate, validate everything that comes in for length, data type, corrupt characters, encoding,

Always escape quotes and slashes on incoming data, and make sure your framework does it for you. Write a unit test that attempts SQL injection attacks in version 0.1 of your software!
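The unit test recommended above, as an added example that is not from the book or from this review: a login lookup built by string concatenation sits beside one that hands the values to the driver as bound parameters (the framework-level escaping the review tells you to rely on), and a test function feeds the same tautology payload to both. The table, the credentials and the payload are constructed for the example.

```python
"""Added example: unit test that tries a SQL injection payload against a
concatenated query and a parameterized query (sqlite3, in-memory)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; the credentials are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable version: user input is pasted straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened version: the driver binds the values; they never become SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Textbook tautology payload, constructed for the test: the concatenated query
# becomes ... AND password = '' OR '1'='1', which is always true.
INJECTION = "' OR '1'='1"


def injection_test_results() -> dict:
    """The unit test the review recommends: does a login succeed without the
    real password when the payload is supplied as the password field?"""
    conn = make_db()
    return {
        "concat_bypassed": login_concat(conn, "alice", INJECTION),
        "param_bypassed": login_param(conn, "alice", INJECTION),
        "param_real_password": login_param(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    results = injection_test_results()
    for check, outcome in results.items():
        print(f"{check}: {outcome}")
    assert not results["param_bypassed"], "parameterized query must not be bypassable"
```

Keep a test like this in the suite from the first version onward; if someone later rewrites the data layer with string formatting, `concat_bypassed`-style failures show up in CI rather than in production.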

PHP magic quotes does this automatically, and that is the underpinning of security for thousands of PHP websites that use the ball of mud design pattern (http://www.laputan.org/mud/). With PHP 6 magic quotes is gone, and when hosting providers upgrade, there will be a myriad of newly opened security holes on the internet.

I prefer to validate all incoming data at the UI (JavaScript), the web action layer (PHP, Java, etc.), the business layer (add throws InvalidArgumentException to all methods, with unit tests for the bad cases), and the database layer (if using stored procedures).

In terms of web services, validation with XSD is common, and the same rules as above apply to the subsequent chain of objects processing the data.

For protecting users:

  • Use HTTPS; it is ubiquitous now.
  • Re-filter content for nasty data when displaying it (do not assume the data store is clean).
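
An added example (not from the book or this review) of the two layers just described: a check at the entry point that rejects markup, and an output-side filter that HTML-encodes every value on display regardless of where it came from. The stored comments are constructed; the second one is the IMG payload quoted earlier in the review, placed in the store to show that display-time encoding still renders it as inert text.

```python
"""Added example: input-side rejection plus output-side HTML encoding, so data
already sitting in the store is never trusted when it is redisplayed."""
import html
import re

# Constructed 'stored' comments; the second is the payload quoted in the review.
STORED_COMMENTS = [
    "Great article, thanks!",
    "<IMG SRC=\"javascript:alert('XSS')\">",
]

# Entry-point check (the UI / action layer in the review's terms): refuse
# anything containing angle brackets or a javascript: URL scheme.
_MARKUP = re.compile(r"[<>]|javascript:", re.IGNORECASE)


def accept_on_input(text: str) -> bool:
    """True when the value passes the entry-point validation."""
    return _MARKUP.search(text) is None


def render_comment(text: str) -> str:
    """Display-time filter: encode &, <, >, \" and ' on every render, even if
    the value was validated when it came in (the store may not be clean)."""
    return "<li>" + html.escape(text, quote=True) + "</li>"


def render_all(comments) -> str:
    """Render a list of stored comments into an HTML fragment."""
    return "<ul>" + "".join(render_comment(c) for c in comments) + "</ul>"


if __name__ == "__main__":
    for comment in STORED_COMMENTS:
        print(accept_on_input(comment), render_comment(comment))
```

The entry-point check is deliberately coarse (it would also reject an innocent "a < b"); its job is to keep obvious markup out, while the output encoding is the control that actually prevents the browser from interpreting stored data as HTML.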

For protecting the server:

  • Shut off directory indexing; when enabled it reveals all files on the server.
  • Disable the server signature. Knowing what version the server is running means a hack is only a Google search away if the server is not patched.
  • Code all data access methods with a buffer – e.g., use LIMIT and OFFSET. If you ask for all records and there are millions of them, the database will gladly return them all at once and crash the server.
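
The LIMIT/OFFSET point in code, as an added example that is not from the book or this review: a data-access method that validates its paging arguments, clamps the page size to a ceiling, and always passes both bounds to the database, so a caller asking for ten million rows gets at most one page. The table and the ceiling of 100 are constructed for the example.

```python
"""Added example: bounded data access with LIMIT/OFFSET and a clamped page size
(sqlite3, in-memory table of constructed records)."""
import sqlite3

MAX_PAGE_SIZE = 100   # hard ceiling chosen for this example


def make_db(rows: int = 1000) -> sqlite3.Connection:
    """Constructed table with `rows` sample records (ids start at 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO records (body) VALUES (?)",
                     ((f"record {i}",) for i in range(rows)))
    conn.commit()
    return conn


def clamp_page(page: int, page_size: int) -> tuple:
    """Validate paging inputs: page >= 0, page_size >= 1, then cap page_size."""
    if page < 0:
        raise ValueError("page must be >= 0")
    if page_size < 1:
        raise ValueError("page_size must be >= 1")
    return page, min(page_size, MAX_PAGE_SIZE)


def fetch_records(conn: sqlite3.Connection, page: int = 0, page_size: int = 50) -> list:
    """Every read goes through this method, so no query is ever unbounded."""
    page, page_size = clamp_page(page, page_size)
    sql = "SELECT id, body FROM records ORDER BY id LIMIT ? OFFSET ?"
    return conn.execute(sql, (page_size, page * page_size)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(len(fetch_records(db, page_size=10_000_000)))   # capped at MAX_PAGE_SIZE
    print(fetch_records(db, page=2, page_size=5)[0])        # first row of the third page
```

The ORDER BY matters: without a stable ordering, OFFSET-based paging can skip or repeat rows between requests.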

Granted, this is an idealistic view, and must be applied where security requirements are high.

Audiences who will find this book useful:

  • Web developers
  • QA engineers working on a web site
  • QA Managers
  • Software Development Managers
  • Junior Programmers
  • Network / Security professionals
  • SOA developers and architects. As more and more infrastructure is exposed by services, and in particular web services, many of these principles apply.


Posted in Book Reviews

Building Spring 2 Enterprise Applications

Building Spring 2 Enterprise Applications
Interface21, Bram Smeets, Seth Ladd (2007)


This book is an excellent nuts and bolts introduction to the Spring 2.0 framework. It covers the core (DI/IoC) container, aspect oriented programming, data access, transactions, and Spring MVC. At work I introduced this as part of our bi-monthly book club topic. If you don’t know what DI/IoC is, buy this book used for $1 on Amazon and read it.

Chapters 1 and 2 introduce the concepts of Dependency Injection (DI) and Inversion of Control (IoC). Through a series of easy-to-follow examples, the book explains the shortcomings of the ‘new()’ keyword in Java. You’ll never need to use ‘new()’ again if you use a DI container such as Spring. It is a neat idea and makes unit testing and refactoring a breeze, provided your XML configuration files are well organized.

Chapters 3 and 4 cover Aspect Oriented Programming and Spring’s implementation Spring AOP. I found this to be a clearly written example of how AOP works and what Spring AOP does for you. In a nutshell, AOP allows wrappers (called advice) to be placed around object methods, such that the wrapper code runs before, after, or before and after a method on an existing object is called. These wrappers address cross-cutting concerns, such that objects may become more focused and less intertwined in an architecture. Whether it is a new object model or the maintenance of an existing domain model, AOP can come in very handy in terms of adding logging, auditing, security, or monitoring.

To use Spring AOP, the target object must be instantiated by the Spring factory. At that point what the caller is handed at runtime is a proxy object that wraps the target object, based on the AOP configuration. Wrapping is also called method interception. This technique can be used to manage life cycles of external resources (like database connections or network sockets), handle transaction logic, impose security, logging, etc. It can also be used to filter or convert exceptions that are thrown by the wrapped method. Some very clean code can come from this methodology, perhaps at the expense of some overhead.
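
To make the proxy idea concrete, here is an added illustration that is not Spring code and not from the book: a small Python proxy that hands the caller intercepted versions of the target's methods, runs "before" and "after" advice around each call, and converts the target's low-level exceptions into an application-level one. The `AccountService`, `LoggingProxy` and `ServiceError` names are invented for the example, and the log it writes stands in for the auditing advice the review mentions.

```python
"""Added example: method interception (before/after advice and exception
translation) with a hand-written proxy, illustrating the AOP wrapper idea."""
import functools


class ServiceError(Exception):
    """Application-level exception the advice translates into."""


class AccountService:
    """Target object; the caller never holds it directly, only the proxy."""
    def __init__(self):
        self.balances = {"alice": 100}   # constructed sample data

    def withdraw(self, who: str, amount: int) -> int:
        if self.balances[who] < amount:          # KeyError if `who` is unknown
            raise RuntimeError("insufficient funds")
        self.balances[who] -= amount
        return self.balances[who]


class LoggingProxy:
    """Wraps every callable attribute of the target with advice."""
    def __init__(self, target):
        self._target = target
        self.log = []   # audit trail written by the advice

    def __getattr__(self, name):
        attr = getattr(self._target, name)
        if not callable(attr):
            return attr

        @functools.wraps(attr)
        def intercepted(*args, **kwargs):
            self.log.append(f"before {name}{args}")              # before advice
            try:
                result = attr(*args, **kwargs)
            except KeyError as exc:                              # exception translation
                self.log.append(f"error {name}: {exc!r}")
                raise ServiceError(f"unknown account {exc}") from exc
            except RuntimeError as exc:
                self.log.append(f"error {name}: {exc!r}")
                raise ServiceError(str(exc)) from exc
            self.log.append(f"after {name} -> {result}")          # after advice
            return result
        return intercepted


def demo() -> list:
    """One successful call and one failing call; returns the audit log."""
    svc = LoggingProxy(AccountService())
    svc.withdraw("alice", 30)
    try:
        svc.withdraw("alice", 500)
    except ServiceError:
        pass
    return svc.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The cross-cutting concern (logging, exception policy) lives entirely in the proxy, and `AccountService` stays focused on its own logic; Spring's factory produces the equivalent proxy from configuration rather than by hand.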

The book concludes with a chapter on testing, and it was a little thin. The first half covers unit testing with JUnit. The integration testing section of the testing chapter introduces using mock objects (EasyMock) to facilitate unit testing how objects interact. I would have liked to see some more real world examples of how to wire up these powerful tools together in a larger unit test suite. With Spring, more and more critical details about the software are ending up in XML configuration files. This makes me a little nervous because there is no compiler to check for accuracy. Unless a full scale unit test suite is created, the likelihood of runtime errors increases with the use of Spring.

Update 1/3/2009 – with Spring 3.0 now available, this book is dated. If you are new to Spring or DI/IoC, chapters 1-4 are a great overview of the basics. Spring 3.0 adds some auto-magic features like @Autowired. It pays to understand what is going on under the hood. This book shows how everything was done by hand in version 2.0 – the old days of 2007.


Posted in Book Reviews

Here Comes CentOS

Take the song “Here Comes Santa Claus”, and instead sing “Here comes Cent-OS”.

Here comes CentOS! Here comes CentOS! 
Right down CentOS Lane!
Linus and Stallman and all their c-code, making up the brains,
Files are loading, packets pinging,
All is secure and tight
Make your backups, read the Tao,
'Cause CentOS boots tonight!

Here comes CentOS! Here comes CentOS!
Right down CentOS Lane!
He's got a keg that's filled with beer for the IT people again
See the console boot up so fast, what a beautiful sight
Your Kung Fu's strong, bring Yoda along,
'Cause CentOS boots tonight!

Here comes CentOS! Here comes CentOS!
Right down CentOS Lane!
Nobody cares if you're rich or poor for
it costs you just the same
Open source code is good for all, Gnu makes everything free
Fill your drives with open source love,
'Cause CentOS boots tonight

Here Comes CentOS! Here comes CentOS!
Right down CentOS lane.
He'll still be up when the users ring out, the network crashed again.
The secret of his magic be shown to all, just read man page or source.
Let's give thanks to the open source Gods,
'Cause CentOS boots, CentOS boots, CentOS boots tonight.

You SSH in, you code with vi,
He writes standard out, he's telling you 'hi'
CentOS is RedHat for free

He's makin' a list and parsin' it twice,
Software for all, at a low price
CentOS is loadin' on down

He sees you when you're surfing
He knows when you're off-line.
He even knows if you're patched or not,
So update for goodness sake!

You SSH in, you code with vi,
He writes standard out, he's tellin' you 'hi'
CentOS is RedHat for free!

He sees you when you're gaming
He knows when you're up late
He even knows if you leveled or not,
So play WoW for goodness sake!

You SSH in, you code with vi,
He writes standard out, he's tellin' you 'hi'
CentOS is RedHat for free!

He's makin' a list and parsin' it twice,
Software for all, at a low price
CentOS is loadin' on down

You SSH in, you code with vi,
He writes standard out, he's tellin' you 'hi'
CentOS is RedHat for free
CentOS is loadin', CentOS is bootin', CentOS is live tonight!!!


Update: 2011 – since I wrote this in 2007, Ubuntu has become my favorite Linux flavor. I have also used RedHatES due to my organization’s site license. I’m happy with it. I probably won’t write another song about Linux though, at least, I don’t plan to.

Posted in Fun Nerdy

The Number e in Calculus

One of my closest math tutors once told me he had a student who asked the question: “Was math discovered or invented?”

I think the answer is probably ‘both’. Some math I find beautiful. Thinking about it can really clear my mind. Especially the number ‘e’, which must have been discovered, since it has more to do with nature than with man.

Some Calculus Background:

In school, math can get overly complicated. Maybe it is with good reason, to challenge learners. For the most part I think it scares people away. At this website calculus is not scary, but it is simplified. To tell you about the number ‘e’ and calculus, first I should explain that calculus is based on two concepts:

  1. The first is finding the slope of a line tangent to a function. This is called a derivative. Think of acceleration, which is the rate of change. As a rocket speeds up, it accelerates.
  2. The second concept in calculus is finding the area under a function. This is called an integral. Think of total distance traveled, or total fuel burned by a rocket.

These two concepts make up the fundamental theorem of calculus. Intuitively, the acceleration of the rocket, the speed of the rocket, and the fuel it burns are related. Mathematically we use calculus to model the relationship. It turns out it is possible to solve for each of the functions and tell the acceleration of the rocket and the total fuel burned – at any point in its trajectory! The other amazing thing is, derivatives and integrals are inverse operations. This is sort of like multiplying and dividing. It goes a little further though, because we are dealing with rates of change. Instead of cutting apples into pieces, or multiplying rabbits, calculus allows us to look at relationships between units of measure as their rates change.

Consider a letter that is also a number: e = 2.718281828459045235…

When graphed [f(x) = e^x], it looks like this:

[Figure: graph of e^x]

The number ‘e’ is important because it is tied to compounding growth. If a bank compounded interest daily instead of monthly, then hourly, then every minute, then every second, then every millisecond, and so on, mathematicians have found that the result approaches ‘e’. It represents the maximum performance level of any compounding activity. This applies to interest in the bank, reproducing bacteria, or the growing number of Napster shares in 2000.

Where calculus fits in: the function e^x is its own derivative and integral.

[Figure: graph of e^x]

This tells us, at all points along the curve f(x) = e^x, the slope is equal to e^x, the area under the curve is equal to e^x, and the y value (height) is equal to e^x. Using the rocket example traveling at rate e^x, ‘speed’, ‘acceleration’, and ‘distance’ are equal at all times.

Key point: The number e is somehow like the number one, in that it is an identity for the inverse operations of calculus. For multiplication and division, 1 is the identity value: 1 * 1 = 1 and 1/1 = 1. In calculus, e^x is that identity.

Illustrated graphically:

[Figure: graph of e^x]
How is it, that a property of nature, and calculus can be related?


This one is also interesting:

e^(pi*sqrt(-1)) = -1

Try typing it into your calculator. I’m amazed at how the universe is set up.
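
The three claims above (e as the limit of compounding, e^x as its own slope and area, and e^(pi*sqrt(-1)) = -1) written out as a short derivation; this is an added worked example, not part of the original post, using the post's own symbols and the standard definition of e through the limit (e^h - 1)/h -> 1 as h -> 0:

```latex
% Compounding: one unit of principal at 100% interest, compounded n times,
% approaches e as the compounding becomes continuous.
e = \lim_{n \to \infty} \left(1 + \frac{1}{n}\right)^{n} = 2.71828\ldots

% Slope: the derivative of e^x from the limit definition of the derivative.
\frac{d}{dx} e^{x}
  = \lim_{h \to 0} \frac{e^{x+h} - e^{x}}{h}
  = e^{x} \lim_{h \to 0} \frac{e^{h} - 1}{h}
  = e^{x} \cdot 1
  = e^{x}

% Area: the area under the curve up to x is the same function.
\int_{-\infty}^{x} e^{t}\,dt = e^{x} - \lim_{a \to -\infty} e^{a} = e^{x} - 0 = e^{x}

% So at every x the height, the slope and the accumulated area all equal e^x.

% The identity on the calculator: Euler's formula at theta = pi.
e^{i\theta} = \cos\theta + i\sin\theta
\quad\Longrightarrow\quad
e^{i\pi} = \cos\pi + i\sin\pi = -1 + 0 = -1
```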

pi and e are letters that stand for concepts. The digits 2.71… and 3.14… are arbitrary in the sense that they are tied to the numbering system we use (base 10); in hex, binary, or anything else the digits would differ but the numbers would still have the same meaning.

Posted in Science and Math