Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval sys-
tem, without the prior written permission of the publisher.
ISBN: 978-0-07-162676-7
MHID: 0-07-162676-X
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162675-0, MHID: 0-07-162675-1
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trade-
mark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate
training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one
copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon,
transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use
the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may
be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not
warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or
error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless
of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information
accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special,
punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised
of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause
arises in contract, tort or otherwise.
To Jennifer, who has put up with many days of my working
on a book, and to Michael for improving
my writing skills on our
fifth book together.
—David
To my family for simply putting up with me,
and to David as he continues
to find bugs in my code!
—Michael
This page intentionally left blank
ABOUT THE AUTHORS
Michael Howard is a principal security program manager on the Trustworthy Com-
puting (TwC) Group’s Security Engineering team at Microsoft, where he is responsible
for managing secure design, programming, and testing techniques across the company.
Howard is an architect of the Security Development Lifecycle (SDL), a process for
improving the security of Microsoft’s software.
Howard began his career with Microsoft in 1992 at the company’s New Zealand
office, working for the first two years with Windows and compilers on the Product Support
Services team, and then with Microsoft Consulting Services, where he provided security
infrastructure support to customers and assisted in the design of custom solutions and
development of software. In 1997, Howard moved to the United States to work for the
Windows division on Internet Information Services, Microsoft’s web server, before moving
to his current role in 2000.
Howard is an editor of IEEE Security & Privacy, is a frequent speaker at security-re-
lated conferences, and regularly publishes articles on secure coding and design. Howard
is the co-author of six security books, including the award-winning Writing Secure Code
(Second Edition, Microsoft Press, 2003), 19 Deadly Sins of Software Security (McGraw-Hill
Professional, 2005), The Security Development Lifecycle (Microsoft Press, 2006), and his
most recent release, Writing Secure Code for Windows Vista (Microsoft Press, 2007).
David LeBlanc, Ph.D., is a principal software development engineer for the Microsoft
Office Trustworthy Computing group and in this capacity is responsible for designing
and implementing security technology used in Microsoft Office. He also helps advise
other developers on secure programming techniques. Since joining Microsoft in 1999, he
has been responsible for operational network security and was a founding member of the
Trustworthy Computing Initiative.
David is the co-author of the award-winning Writing Secure Code (Second Edition,
Microsoft Press, 2003), 19 Deadly Sins of Software Security (McGraw-Hill Professional,
2005), Writing Secure Code for Windows Vista (Microsoft Press, 2007), and numerous articles.
John Viega, CTO of the SaaS Business Unit at McAfee, is the original author of the 19
deadly programming flaws that received press and media attention, and the first edition
of this book is based on his discoveries. John is also the author of many other security
books, including Building Secure Software (Addison-Wesley, 2001), Network Security with
OpenSSL (O’Reilly, 2002), and the Myths of Security (O’Reilly, 2009). He is responsible for
numerous software security tools and is the original author of Mailman, the GNU mail-
ing list manager. He has done extensive standards work in the IEEE and IETF and co-in-
vented GCM, a cryptographic algorithm that NIST has standardized. John is also an
active advisor to several security companies, including Fortify and Bit9. He holds an MS
and a BA from the University of Virginia.
vii
About the Technical Editor
Alan Krassowski is the Chief Architect of Consumer Applications at McAfee, Inc., where
he heads up the design of the next generation of award-winning security protection
products. Prior to this role, Alan led Symantec Corporation’s Product Security Team,
helping product teams deliver more secure security and storage products. Over the past
25 years, Alan has worked on a wide variety of commercial software projects. He has
been a development director, software engineer, and consultant at many industry-leading
companies, including Microsoft, IBM, Tektronix, Step Technologies, Screenplay Systems,
Quark, and Continental Insurance. Alan holds a BS degree in Computer Engineering
from the Rochester Institute of Technology in New York. He currently resides in Port-
land, Oregon.
viii
24 Deadly Sins of Software Security
ix
AT A GLANCE
Part I Web Application Sins
1
SQL Injection . . . . . . . . . . . . . . . . . . . 3
2
Web Server–Related Vulnerabilities
(XSS, XSRF, and Response Splitting) . . . . 29
3
Web Client–Related Vulnerabilities (XSS) . . . 63
4
Use of Magic URLs, Predictable Cookies, and
Hidden Form Fields . . . . . . . . . . . . . . 75
Part II Implementation Sins
5
Buffer Overruns . . . . . . . . . . . . . . . . . 89
6
Format String Problems . . . . . . . . . . . . . 109
7
Integer Overflows . . . . . . . . . . . . . . . . 119
8
C++ Catastrophes . . . . . . . . . . . . . . . . 143
9
Catching Exceptions . . . . . . . . . . . . . . . 157
10
Command Injection . . . . . . . . . . . . . . . 171
x
24 Deadly Sins of Software Security
11
Failure to Handle Errors Correctly . . . . . . . 183
12
Information Leakage . . . . . . . . . . . . . . 191
13
Race Conditions . . . . . . . . . . . . . . . . . 205
14
Poor Usability . . . . . . . . . . . . . . . . . . 217
15
Not Updating Easily . . . . . . . . . . . . . . . 231
16
Executing Code with Too Much Privilege . . 243
17
Failure to Protect Stored Data . . . . . . . . . 253
18
The Sins of Mobile Code . . . . . . . . . . . . 267
Part III Cryptographic Sins
19
Use of Weak Password-Based Systems . . . . 279
20
Weak Random Numbers . . . . . . . . . . . . 299
21
Using Cryptography Incorrectly . . . . . . . . 315
Part IV Networking Sins
22
Failing to Protect Network Traffic . . . . . . . 337
23
Improper Use of PKI, Especially SSL . . . . . 347
24
Trusting Network Name Resolution . . . . . . 361
Index . . . . . . . . . . . . . . . . . . . . . . . . 371
CONTENTS
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv
Part I
Web Application Sins
1
SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
A Note about LINQ . . . . . . . . . . . . . . . . . . . . . . . 6
Sinful C# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Sinful PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Sinful Perl/CGI . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Sinful Python . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Sinful Ruby on Rails . . . . . . . . . . . . . . . . . . . . . . . 9
Sinful Java and JDBC . . . . . . . . . . . . . . . . . . . . . . . 9
Sinful C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Sinful SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
xi
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 13
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 13
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 14
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
CVE-2006-4953 . . . . . . . . . . . . . . . . . . . . . . . . . . 18
CVE-2006-4592 . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Validate All Input . . . . . . . . . . . . . . . . . . . . . . . . . 19
Use Prepared Statements to Build SQL Statements . . . . . . 19
C# Redemption . . . . . . . . . . . . . . . . . . . . . . . . . . 19
PHP 5.0 and MySQL 4.1 or Later Redemption . . . . . . . . 20
Perl/CGI Redemption . . . . . . . . . . . . . . . . . . . . . . 20
Python Redemption . . . . . . . . . . . . . . . . . . . . . . . 21
Ruby on Rails Redemption . . . . . . . . . . . . . . . . . . . 22
Java Using JDBC Redemption . . . . . . . . . . . . . . . . . . 22
ColdFusion Redemption . . . . . . . . . . . . . . . . . . . . . 23
SQL Redemption . . . . . . . . . . . . . . . . . . . . . . . . . 23
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 24
Encrypt Sensitive, PII, or Confidential Data . . . . . . . . . . 25
Use URLScan . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2
Web Server–Related Vulnerabilities (XSS, XSRF, and Response Splitting) . . . 29
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
DOM-Based XSS or Type 0 . . . . . . . . . . . . . . . . . . . 31
Reflected XSS, Nonpersistent XSS, or Type 1 . . . . . . . . . 32
Stored XSS, Persistent XSS, or Type 2 . . . . . . . . . . . . . 34
HTTP Response Splitting . . . . . . . . . . . . . . . . . . . . 34
Cross-Site Request Forgery . . . . . . . . . . . . . . . . . . . 37
Sinful Ruby on Rails (XSS) . . . . . . . . . . . . . . . . . . . . 38
Sinful Ruby on Rails (Response Splitting) . . . . . . . . . . . 38
Sinful CGI Application in Python (XSS) . . . . . . . . . . . . 38
Sinful CGI Application in Python (Response Splitting) . . . 38
Sinful ColdFusion (XSS) . . . . . . . . . . . . . . . . . . . . . 39
Sinful ColdFusion (XSS) . . . . . . . . . . . . . . . . . . . . . 39
Sinful C/C++ ISAPI (XSS) . . . . . . . . . . . . . . . . . . . . 39
Sinful C/C++ ISAPI (Response Splitting) . . . . . . . . . . . 39
Sinful ASP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . 40
Sinful ASP (Response Splitting) . . . . . . . . . . . . . . . . . 40
xii
24 Deadly Sins of Software Security
Sinful ASP.NET Forms (XSS) . . . . . . . . . . . . . . . . . . 40
Sinful ASP.NET (Response Splitting) . . . . . . . . . . . . . . 40
Sinful JSP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Sinful JSP (Response Splitting) . . . . . . . . . . . . . . . . . 41
Sinful PHP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . 41
Sinful PHP (Response Splitting) . . . . . . . . . . . . . . . . 41
Sinful CGI Using Perl (XSS) . . . . . . . . . . . . . . . . . . . 42
Sinful mod_perl (XSS) . . . . . . . . . . . . . . . . . . . . . . 42
Sinful mod_perl (Response Splitting) . . . . . . . . . . . . . 42
Sinful HTTP Requests (XSRF) . . . . . . . . . . . . . . . . . . 42
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 43
Spotting the XSS Sin During Code Review . . . . . . . . . . . . . . 43
Spotting the XSRF Sin During Code Review . . . . . . . . . 44
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 44
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
CVE-2003-0712 Microsoft Exchange 5.5 Outlook Web
Access XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
CVE-2004-0203 Microsoft Exchange 5.5 Outlook Web
Access Response Splitting . . . . . . . . . . . . . . . . . . 46
CVE-2005-1674 Help Center Live (XSS and XSRF) . . . . . . 47
Redemption Steps (XSS and Response Splitting) . . . . . . . . . . 47
Ruby on Rails Redemption (XSS) . . . . . . . . . . . . . . . . 47
ISAPI C/C++ Redemption (XSS) . . . . . . . . . . . . . . . . 48
Python Redemption(XSS) . . . . . . . . . . . . . . . . . . . . 49
ASP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 49
ASP.NET Web Forms Redemption (XSS) . . . . . . . . . . . 50
ASP.NET Web Forms Redemption (RS) . . . . . . . . . . . . 50
JSP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 51
PHP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . 53
CGI Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 53
mod_perl Redemption (XSS) . . . . . . . . . . . . . . . . . . 54
Redemption Steps (XSRF) . . . . . . . . . . . . . . . . . . . . . . . 55
A Note about Timeouts . . . . . . . . . . . . . . . . . . . . . 55
A Note about XSRF and POST vs. GET . . . . . . . . . . . . 55
Ruby on Rails Redemption (XSRF) . . . . . . . . . . . . . . . 56
ASP.NET Web Forms Redemption (XSRF) . . . . . . . . . . 56
Non-Draconian Use of HTML Encode . . . . . . . . . . . . . 57
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 57
Use HttpOnly Cookies . . . . . . . . . . . . . . . . . . . . . . 57
Wrap Tag Properties with Double Quotes . . . . . . . . . . . 58
Consider Using ASP.NET ViewStateUserKey . . . . . . . . . 58
Consider Using ASP.NET ValidateRequest . . . . . . . . . . 59
Use the ASP.NET Security Runtime Engine Security . . . . . 59
Contents
xiii
Không có nhận xét nào:
Đăng nhận xét