Secure Development Lifecycle for Open Source Usage

Preface How do we adjust the SDL (Security Development Lifecycle) process for the growing use of open source in internal/external systems we develop and maintain? This is a question I hear a lot lately from our customers in some recent SDL projects we (AppSec Labs) carried out for our customers. After we did some research, […]

XXE Injection

Description

Different client technologies such as Web, Mobile Cloud and more – sends messages to business applications using XML. In order for the application to work with these self-descriptive XML messages, it has to parse them and check that the format is correct.

XML External Entity (XXE) attacks occurs when the attacker declares an external entity inside an XML message that is sent to the server, and uses it in the body of the XML message. When the XML parser receives the XML message, it notices the reference to the entity and looks for the value of the entity to replace the entity’s reference with the actual value.

External entity meant to be declared in an XML document, to reference external source to be fetched and be used as the content of the entity – this behavior leads to scenarios where the attacker can inject “SYSTEM” identifier which tells the XML parser that the value of the entity is actually a file path on the local server.

The result will allow the attacker to read files located on the application server such as “/etc/passwd” or “c:\windows\win.ini”
Same goes for Internal URLs in an organization – the attacker will be able to extract the content of these URLs using XXE attack assuming he has additional info about internal servers.

See how to fix it!

Read more

Fingerprint Web Application Framework

Description

If a framework version number is being disclosed by the application in the response header, an attacker can use this information to find and exploit known vulnerabilities, specific to the used framework(s). This increases the likelihood of anattack and also allows an attacker to launch a more focused attack on the application.

Such headers might include: Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version and others.

For example:

excessive_headers

See how to fix it!

Read more

Directory Listing

Description

Directory listing is a web server function that displays a list of all the files when there is no index file, such as index.php and default.asp in a specific website directory.

Some web administrators do not properly configure web servers to disable the Directory Listing or sometimes do not do it at all.

For instance, administrators may make complex configuration settings, such as to allow directory listing for particular directories or subdirectories. The improper configuration of this task might result in the unexpected and unintended enabling of listing of directories which contain sensitive information.

See how to fix it!

Read more

Cookie Secure Flag

Description

When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL channels. This is an important security protection for session cookies.

The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.

See how to fix it!

Read more

Cookie – HttpOnly Flag

Description

When a cookie is set with the HTTPOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

If the HttpOnly flag (optional) is set, the cookie cannot be accessed through client-side script (again, if the browser supports this flag). As a result, even if a Cross-Site Scripting (XSS) flaw exists and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

See how to configure it!

Read more

Clickjacking

Description

Clickjacking, also known as a UI Redress Attack, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on what they can see, which is the the top level page.

This is a malicious technique of tricking web users into clicking on something different from what they believe they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

This is a browser security issue that is a vulnerability throughout a variety of browsers and platforms.

See how to fix it!

Read more

Web Page Caching

Description

Caching improves the user browsing experience by reducing the latency time, allowing for better bandwidth usage and reduction of the web server load.
Web pages with web cache enabled can be cached in the client browser as well as in the server proxies and gateways that are part of the web traffic between the client and the web server.
When a web page is not available, a web server and/or a web proxy can serve the browser with a cached web page.
Since cache information can contain sensitive data, it has to be protected from unauthorized access. In the case of web applications, it needs to avoid caching confidential information on the user’s browser.

See how to fix it!

Read more

Session Timeout

Description

Session timeouts are a protection mechanism for users who leave their computer unattended, or who walk away from a shared computer without logging out of an application.
After the timeout period, the user has to log in again. This is somewhat like a password-protected screen saver which starts after a number of minutes of inactivity on a computer.
A session timeout is an important security control for any application. It specifies the length of time that an application will allow an idle user to remain logged in before forcing the user to re-authenticate.

See how to fix it!

Read more

SQL Injection

Description

SQL injection (SQLi) attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

See how to fix it!

Read more