Achieving protocol security: Gunter Ollmann, X-Force Security Assessment Services. (Internet Focus).

Having assessed the security of several dozen commercial web applications personally, and overseen the assessment of many more, it is always surprising to see the number of high-risk security flaws that developers have left behind. Most worryingly, a major proportion of vulnerabilities are due to a basic misunderstanding of the Internet protocols and system software used to host or use the web application. As organisations have improved their perimeter defence systems and are in the process of rigorously applying the latest security fixes from their operating system providers, attackers have been forced to focus their destructive attention on the security flaws lying within the organisation's custom-developed web applications.

Many developers fail to understand the nuances of the HTTP protocol and assume that it is too difficult, or not worth the trouble, for an attacker to launch an attack at their custom application. Developers must assume that every packet of data not coming from the organisation's own hosts and servers can be modified. Relying upon the REFERER field (a field present in almost all browser requests, e.g. Referer: http://www.w3.org/DataSources/Overview.html) in the header of a client's page request or data submission as proof that the request came from a legitimate link on the site is extremely dangerous, as it can be easily circumvented. Similarly, relying upon the HOST field in submissions from the application server in intra-server communications is equally dangerous.

Infrequently, "security aware" sites manage to correctly implement input validation rules for client data. Unfortunately, all client-side checking and data validation processes can be bypassed by an attacker using commonly available tools and methodologies. The only safe solution is to validate all client content at the server side before processing it further within the application. Too often the input of unexpected characters (e.g. single quote, plus, etc.), numbers or data lengths to submission fields results in errors that reveal the inner workings of the application. Using this information an attacker can craft data payloads, tailored to the custom application, that can compromise the integrity of the organisation's data or hosts. Most developers tend to assume that the data supplied to their application by the hosting software will be correct and safe.
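The following is an added example, not code from the article, of what server-side validation along these lines looks like: the Referer and Host headers play no part in any trust decision, every field is checked against an allowlist pattern and length limit, and a failed check produces a generic response rather than an error that exposes the application's internals. The form, its field names and the validation rules are constructed for illustration.

```python
import re

# Constructed allowlist rules for a hypothetical order form (the field names
# are assumptions): a compiled pattern and a maximum length for each field.
FIELD_RULES = {
    "account_id": (re.compile(r"[0-9]{1,10}"), 10),
    "postcode":   (re.compile(r"[A-Za-z0-9 ]{3,10}"), 10),
    "comment":    (re.compile(r"[A-Za-z0-9 .,!?-]*"), 200),
}


class ValidationError(Exception):
    pass


def validate_submission(headers, fields):
    """Validate a client submission on the server side.

    headers["Referer"] and headers["Host"] are deliberately never consulted:
    any client can set them to whatever it likes, so they prove nothing about
    where the request came from.  Every expected field must be present, within
    its length limit and match its allowlist pattern; unexpected fields are
    refused outright rather than passed on to the application.
    """
    unexpected = set(fields) - set(FIELD_RULES)
    if unexpected:
        raise ValidationError("unexpected field(s): %s" % sorted(unexpected))
    clean = {}
    for name, (pattern, max_len) in FIELD_RULES.items():
        value = fields.get(name)
        if value is None or len(value) > max_len or not pattern.fullmatch(value):
            raise ValidationError("bad value for field %r" % name)
        clean[name] = value
    return clean


def handle_request(headers, fields):
    """Return an (HTTP status, body) pair for a submission.

    The detailed reason stays server-side (it would be logged in a real
    deployment); the client only ever sees a generic message, so malformed
    input cannot be used to probe the application's inner workings.
    """
    try:
        validate_submission(headers, fields)
    except ValidationError:
        return 400, "Invalid input"
    except Exception:
        return 500, "Internal error"
    return 200, "Accepted"
```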
Many server compromises have been achieved when the hosting software has failed to identify and correctly restrict client URLs to directory paths related to the web application's data paths. Custom applications largely assume that the directory information provided by the hosting software is correct, but the remote attacker often gains access to restricted files (such as password files and database volumes) using the administrator-level permissions of the application. A lethal habit amongst too many developers is the use of whatever permissions they need to get the application running correctly, no matter what they are. Unfortunately, very little forethought goes into ensuring that the minimum level of system permissions is used, and there is no onus to invest time or resources in figuring out the minimum suite of permissions the application really does need.

Having said all this, it must be pointed out that it is not only the developers of an organisation's custom application that fail to understand the Internet protocols correctly. Commercial developers of popular operating systems and hosting software have failed to grasp a lot of the nuances themselves. Many of the disclosed vulnerabilities relating to alternative character representations (e.g. escape and Unicode encoding) could have been averted by following existing HTTP guidelines and the multitude of RFCs on handling client data, particularly the recommendation to ensure that data is only ever decoded once.

Authentication processes have always been a pivotal point in securing critical applications. Organisations constantly fail to grasp the many different methods clients can use to access their web application, and the scope of functionality their browsers may possess. Fundamental security best practices are often not observed. Authentication failure messages such as "This user does not exist" or "The password is incorrect", while helpful to site clients, also help attackers compromise the authentication process through automated means. Many organisations have found themselves under press scrutiny for not understanding the significance of browsers caching page content or the consequences of clients using their application from shared and untrusted hosts (e.g. Internet cafés). Had the application developers better understood the communication protocols and popular browser functionality, simple amendments to the application's code could most often have averted disaster.

Unfortunately, the knowledge required to ensure a web application has been developed securely is currently confined to only a small proportion of developers and security professionals. Although there are a multitude of books and electronic documents detailing the specific risks of known security flaws, and advice on good programming techniques, information on developing secure web-based applications is difficult to find.
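As an added example (not from the article), the decode-once rule applied to the directory-path problem described above: the client's URL path is percent-decoded exactly once, anything that would only become meaningful under a second decode is refused, and the result is confined to the document root before any file is touched. The document root is an assumed value and the resolver is a hypothetical stand-in for the hosting software's path mapping.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the hypothetical application (constructed value).
WEB_ROOT = "/var/www/app/public"


class PathRejected(Exception):
    pass


def resolve_client_path(raw_path):
    """Map the path component of a client URL to a file under WEB_ROOT.

    Client data is percent-decoded exactly once.  A '%' surviving that step
    means the client supplied a second layer of encoding: a later component
    that decoded again would act on a different string from the one checked
    here, so the request is rejected instead of ever being decoded twice.
    """
    decoded = unquote(raw_path)            # the single decode step
    if "%" in decoded:
        raise PathRejected("multiply encoded path")
    if "\ufffd" in decoded:                # byte sequences that are not valid UTF-8
        raise PathRejected("malformed encoding")
    if "\x00" in decoded or "\\" in decoded:
        raise PathRejected("forbidden character")
    if ".." in decoded.split("/"):
        raise PathRejected("parent directory reference")
    # Collapse "." and repeated slashes, then confine the result to WEB_ROOT.
    normalised = posixpath.normpath("/" + decoded.lstrip("/"))
    full = posixpath.join(WEB_ROOT, normalised.lstrip("/"))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        raise PathRejected("outside document root")   # defence in depth
    return full


def path_allowed(raw_path):
    """True if resolve_client_path accepts raw_path, False if it rejects it."""
    try:
        resolve_client_path(raw_path)
        return True
    except PathRejected:
        return False
```

Because the check and the file access both see the same once-decoded string, an encoded form that only turns into a traversal after a second decode can never reach the file system.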
While there are many courses on how to program in C, or develop ASP applications, courses providing instruction specifically tuned to system developers on the necessary security fundamentals are not currently available.

www.iss.net