One of the costly Arthimatic overflow bug resulting in a loss of more than US$370 million

One of the costly Arithmetic overflow bug resulting in a loss of more than US$370 million.

Ariane 5 Flight spacecraft crash in June 1996.

"Because of the different flight path, a data conversion from a 64-bit floating point to 16-bit signed integer value caused a hardware exception (more specifically, an arithmetic overflow, as the floating point number had a value too large to be represented by a 16-bit signed integer). Efficiency considerations had led to the disabling of the software handler (in Ada code) for this error trap, although other conversions of comparable variables in the code remained protected. This led to a cascade of problems, culminating in destruction of the entire flight. "

Source Wikipedia

Common security issues in XML,XSLT,XSD files

Here is some of the issues related XML,XLST,XSD. I know It is very rough list.

· Do validate all user inputs for XML/HTML/Script Tags-XML Injection

· Before creating an XML, data should be properly encoded to avoid XML injection. (Hacker can inject malicious script in the CDATA section)

· XML data should be validated using a native .Net class to ensure that it does not contain any malicious data.

· Serving XML/XSLT/XSD files over HTTP

· Clear text secrets in XML files

· XML Output Escaping Turned off

· XML files in the web root

· SQL injection using invalidated user inputs.

Interesting Example!!! Security ROI: Fact or Fiction?

Interesting Example!!!

Security ROI: Fact or Fiction?

Airport security. Assume that all the new airport security measures increase the waiting time at airports by—and I'm making this up—30 minutes per passenger. There were 760 million passenger boarding in the United States in 2007. This means that the extra waiting time at airports has cost us a collective 43,000 years of extra waiting time. Assume a 70-year life expectancy, and the increased waiting time has "killed" 620 people per year—930 if you calculate the numbers based on 16 hours of awake time per day. So the question is: If we did away with increased airport security, would the result be more people dead from terrorism or fewer?

From CSOnline.

ACE TEAM@ACE CONFERENCE-REDMOND WA

Here is the Team Snap after ACE Conference@Redmond. Entier 4 days are full of security sessions ,presentations, Hands on different tools.

10-15th August : ACE Conference

Attending ACE Security Conference in Redmond, WA,USA. 11th- 15th August 2008. attending more than 100+ Security Professionals from all over the world. Once of its kind of footstep of BLACKHAT.

Key Configuration areas to look during Security Reviews.

I categorize them in 3 buckets
1) Web server Configurations
2) Database Configurations
3) Application Level Configurations

Database Configurations

• Installation Considerations for Production Servers
• Patches and Updates
• Protocols Accounts
• Shares
• Ports
• Auditing and Logging
• Files and Directories
• Services
• Registry
• SQL Server Database Objects
• SQL Server Security
• SQL Server Users
• SQL Server Logins
• SQL Server Roles

Web Server Configurations

• IIS Lockdown
• Patches and Updates
• Services
• Accounts
• Protocols
• Files and Directories
• Ports
• Shares
• Registry
• Sites and Virtual Directories
• Auditing and Logging
• Script Mappings
• IIS Metabase
• ISAPI Filters
• Server Certificates
• Code Access Security
• Machine.config
• Other Check Points

Application Level Configurations

• Web Server
• IIS Specific
• SQL Server Specific
• Source Code
• Auditing and Logging
• ASP.Net 2.0 Specific Issues

I joined Microsoft India this month

i happy to share that this month i joined Microsoft india. it is like dream come true.

PCI Standards and Application Security.

From my experience i am tried to identified the Controls/Requirement which come under Application Security bucket. This are the major controls, apart from that there are other controls which comes under different bucket's like Infrastructure Security, Process , Physical Security etc.

Requirement 6.3.7, 6.5, 6.6 , 11.3.2 talks about Application Security

PCI DSS Requirements - Application security

•6.3.7 Review custom code prior to release to production or customers, to identify potential coding vulnerabilities.

•6.5 Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project.

Review custom application code to identify coding vulnerabilities

•6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

–Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security

–Installing an application layer firewall in front of web-facing applications.

PCI DSS Requirement -Integrating Security in Software Develpoment Life cycle

•6 Develop and maintain secure systems and applications

PCI DSS Requirement -Application Penetration Testing

•11.3 Perform application-layer penetration tests at least yearly

–11.3.2 Application-layer penetration tests.

Common Top 10 web Vulnerabilities – PCI Equivalence

Major Vulnerabilities mention in PCI DSS Requirement 6.5

§6.5.1 Unvalidated input

§6.5.2 Broken access control

§6.5.3 Broken authentication and session management

§6.5.4 Cross-site scripting (XSS) attacks

§6.5.5 Buffer overflows

§6.5.6 Injection flaws (for example, Xpath injection ,SQL injection)

§6.5.7 Improper error handling

§6.5.8 Insecure storage

§6.5.9 Denial of service

§6.5.10 Insecure configuration management

Reference https://www.pcisecuritystandards.org/pdfs/navigating_pci_dss_v1-1.pdf

http://www.owasp.org/index.php/Top_10_2004

History before PCI- DSS- Compliance

PCI DSS stands for Payment Card Industry Data Security Standards.

The Payment Card Industry Security Standards Council was formed, and on the 15 December 2004 by Following Five major compaines.

Initially this compaines have there own security program.

1. Visa Card Information Security Program
2. MasterCard Site Data Protection
3. American Express Data Security Operating Policy
4. Discover Information and Compliance
5. JCB Data Security Program

PCI- Compliance - What it means to Organization

What is PCI- DSS?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide standard mandated by Visa and MasterCard for the protection and Security of cardholder information.

To whom it applies

"Any organization that processes credit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data "

• Standards and requirements for data security
• Non-legislative, but enforceable through Fines

PCI DSS-“Digital Dozen”
Build and Maintain a Secure Network
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an Information Security Policy
12: Maintain a policy that addresses information security

To Become a PCI Compliance we need Classify them in different buckets

No “single technology” makes company PCI compliant. Above figure shows the broad classification of all 12 Requirement controls.

Continue in part -2

SAP Security

SAP Security Assessment V3 English

From: fseineldin, 6 months ago

| View | Upload your own

SAP Security Assessment framework


SlideShare Link

COMMONLY FOUND SECURITY ISSUESS IN WEB SERVICES . NET CODE

COMMONLY FOUND WEB SERVICES ISSUES IN .NET CODE.

Check the following areas in web services form security point of view
· Input validation
· Authentication
· Authorization
· Information Disclosure
· Auditing & Logging
· Unnecessary protocol
· Communication Channels



1. Inadequate Input Validation in IBUYSPY webservices
--------------------------------------------------------
NONE of the inputs accepted by the ANY of the web methods are validated before being sent to the business methods.
Although there is currently no well known vulnerability that can be exploited, input validation is required as per policy.

Example:--
IBUYSPY \App_Code\OrderCancel.cs(58):
[WebMethod]
public IBUYSPY.Utility ProcessCancel(string orderId, string[] itemId, string itemStatusReasonCode)
{
const string LOGSOURCE = " IBUYSPY.Utility.ProcessCancel";
IBUYSPY.Utility omResult = new Utility.Result();
CancelOrder order = new CancelOrder();
try
{
int retVal = order.ProcessCancel(orderId, itemId, itemStatusReasonCode);

IBUYSPY.Utility \App_Code\PaymentWebService.cs(41):
public IBUYSPY.Utility ProcessCharge(string serviceRequestNumber)
{
try
{
IBUYSPY.PaymentService PaymentService = new Payment.PaymentService();
IBUYSPY.Result Result = PaymentService.ProcessCharge("",serviceRequestNumber);

==================
Recommendations
==================
Perform input validations for all user inputs.


2. Hard-coded default namespace http://www.tempuri.org should not be used
-------------------------------------------------------------------------------

Hard-coded default namespace http://www.tempuri.org should not be used. The logic in this code allows for the possibility that this default namespace could be returned in two places.


==================
Recommendations
==================

Each XML Web Service needs a unique namespace in order for client applications to distinguish it from other services on the Web. By default, ASP.Net Web Services use http://tempuri.org/ for this purpose. While this suitable for XML Web Services under development, published services should use a unique, permanent namespace.

Your XML Web Service should be identified by a namespace that you control. For example, you can use your company's Internet domain name as part of the namespace. Although many namespaces look like URLs, they need not point to actual resources on the Web.


3. WebServices configured to communicate over cleartext http channel
--------------------------------------------------------------------------------------------
IBUYSPY.asmx configured to communicate over cleartext http channel which leads to data integrity and confidentiality issues (data is HBI).

File >>app.comfig, web.config, master.config

==================
Recommendations
==================
Configure IBUYSPY.asmx to communicate only over https.


4. Consuming Web Services using Basic Authentication
-------------------------------------------------------------------------------------------------------------
Consuming Web Services using Basic Authentication. This application consumes webservices using basic authentication for which a domain account is hardcoded in code. Also, since the web service is not under SSL, this is subject to network eavesdropping.

Code Excerpts:
--------------------------
service.Credentials = new System.Net.NetworkCredential (UserName, Password, Domain);
Files:- IBUYSPY\Callout\GetSystemUserInfo.cs
===============
Recommendation:
===============
-- Use Digest or NTLM.



5. Information disclosure through web-service files
------------------------------------------------------------------------------------------------------------------

The web service is configured to allow execution of the Documentation protocol, which when enabled provides the WSDL documentation with all the necessary information to communicate with the web service.
WSDL documentation reveals descriptive information about web services. Descriptive information such as that produced by appending? WSDL to a web services file (.asmx) may be considered an information leakage security risk when the web service is intended for private consumption only.

==================
Recommendations
==================

- Authorize access to WSDL files using NTFS permissions.
- Remove WSDL files from Web server.
- Disable the documentation protocols to prevent the dynamic generation of WSDL

Disable non required protocols, such as Documentation in the appropriate ASP.NET configuration file to prevent attackers from easily obtaining required syntax for interacting with the target web service. Ensure fix is implemented in production.
The following example shows the web Services configuration element added to a Web.config file to disable the automatic generation of browser-friendly documentation:







6. Unsafe methods exposed as WebMethod / web-services :
---------------------------------------------------------------------------------------------------------------------------------------
The web-methods allow the callers elevated privileges as the web-services uses a fixed identity without any impersonation and the identity is also a part of the power users group on the server.

Using these methods any user can download any file to which he does not have access to, and can execute any SP query and get access to data.

The following methods are unsafe:
GetFile (allows users unauthorized access to any file which can be accessed by the service account which belongs to power user group)
GetListContent, GetPromoListContent, GetListItemCount, ModifiyListItem,DeleteListItem, Eventlog

==================
Recommendations
==================

Remove the vulnerable methods
Restrict them with proper authorization and input validation controls


7. Configuration Error Brock - Default IUSR account used for web services
------------------------------------------------------------------------------
Brock - Default IUSR account used for web services
Rename default IUSR account or use other account for local web service. IUSR_BROCK account

8. Design Recommendation
----------------------------------------

Bicep.asmx and BV.asmx should not be hosted in the trusted domain, and must be hosted in the throw away domain. These two web services are at the core of the functionality, they interact with the back end system and when give page data return the translated pages. A malicious user can send requests to the SOAP APIs and cause the translation to occur in the domain. Although the translation needs to occur and the pages needs to be loaded using the process by Translate.js. However, it is possible to start a translation and then request the page ID from the SOAP API.

There is no known way to create SOAP requests from an external domain. However, as we have mentioned to segregate the trusted and untrusted data handlers, it is recommended to move these Web Services to the throw away domain as well.
NOTE: It is also recommended to put the physical path as a static server side parameter, instead of evaluating at run time, as there might be some future exploits against using HTTPContext Object.

Global.ascx
Line 12:

Statics.PhysicalServerPath = Context.Request.PhysicalApplicationPath;

==================
Recommendations
==================

This is used to dynamically load the binaries using kernel32.dll's LoadLibrary Native function.

9. Web service configured to use multiple communication protocols (ie. HttpGet, and HttpPost)
---------------------------------------------------------------------------------------------------
The web service permits HTTP-GET, HTTP-POST, and SOAP requests. If the web service uses SOAP messages, disable HTTP-GETs and HTTP-POSTs at a machine level(machine.config). To minimize the attack surface of the web service, disable those request methods not used by the web service.

==================
Recommendations
==================
Disable HTTP-GET and HTTP-POST if not required by the web service.

This can be achieved by disabling in machine.config.

In machine.config, the following is present by default:







So to disable HttpGet and HttpPost in machine.config, comment out the HttpPost and HttpGet lines







NOTE: If either of these communication protocols need to be enabled for other web services it is possible to add them back per web service in each web service's web.config file by creating a and adding support for these protocols with the and elements.



10. Web services send sensitive error messages to client
------------------------------------------------------------

This is a pervasive issue with the application. The web services do not send generic messages the thick client. This fix requires code level changes within the server component.



The recommended solution to preserve both data confidentiality and troubleshooting capabilities is to store detail application exceptions locally on the server while providing the user with a generalized error message.


11. Verbose Error Messages in: IBUYSPY webservices
-------------------------------------------------
The following web services will be called by different clients for charging/ refund etc.
In ALL the web methods exception handling is implemented this way:-
[WebMethod]
public IBUYSPY.Result ProcessChargeTransaction(string orderId, string serviceRequestNumber)
{
try
{
IBUYSPY.PaymentService PaymentService = new IBUYSPY.PaymentService();
IBUYSPY.Result omResult = PaymentService.ProcessCharge(orderId, serviceRequestNumber);

return Result;
}
catch (SoapException ex)
{
throw ex;
}
catch (Exception ex)
{
throw ex;
}

This will result in verbose error messages being returned to the end user in case of an exception.

==================
Recommendations
==================

Unless required by business, throw exceptions that include generic error messages.


12. Insufficient logging controls in IBUYSPY webservices
-------------------------------------------------------
The following web services will be called by different clients for charging/ refund etc.
From a logging perspective it is important to know exactly which client asked for the transaction for an order.


==================
Recommendations
==================
Authenticate the caller. Authorize to make sure the caller is allowed to call the service.
Once action is taken, log the caller's identity against the action taken. This is important for scenarios where the caller may later repudiate calling the service and taking the action.

b) Multi-tiered applications MUST track and push, from beginning to end, all information necessary to audit transactions. This MUST occur from the original connection to the system, through authentication and/or impersonation, to the end of the interaction.

Verified. The serial number of the client certificate used to authorize the caller has been logged as part of the call.

You can add me in Linked in contacts

http://www.linkedin.com/pub/4/611/739

One more Security Blog which i started long back in 2004

This blog is related to .NET Security

http://dotnetsecurity.blogspot.com/

My other Database security blogs

Database realated security blog

http://sqlsecurity.blogspot.com/