How Do You Build a Secure Web Application?

Securing Your Application

To build secure Web applications, a holistic approach to application security is required and security must be applied at all layers.


If you were to review and analyze the top security issues across many Web applications, you would see a pattern of problems. By organizing these problems into categories, you can systematically tackle them. These problem areas are your application’s vulnerability categories.

Application Vulnerability Categories

What better way to measure the security of a system than to evaluate its potential weak points? To measure the security resilience of your application, you can evaluate the application vulnerability categories. When you do this, you can create application security profiles, and then use these profiles to determine the security strength of an application.

These categories are used as a framework throughout this guide. Because the categories represent the areas where security mistakes are most frequently made, they are used to illustrate guidance for application developers and architects. The categories are also used as a framework when evaluating the security of a Web application. With these categories, you can focus consistently on the key design and implementation choices that most affect your application’s security. Application vulnerability categories are described in Table 1.0.

Table 1.0: Application Vulnerability Categories

Category: Description
Input Validation: How do you know that the input that your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing.
Authentication: “Who are you?” Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
Authorization: “What can you do?” Authorization is how your application provides access controls for resources and operations.
Configuration Management: Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Sensitive Data: Sensitive data refers to how your application handles any data that must be protected either in memory, over the wire, or in persistent stores.
Session Management: A session refers to a series of related interactions between a user and your Web application. Session management refers to how your application handles and protects these interactions.
Cryptography: How are you keeping secrets secret (confidentiality)? How are you tamperproofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
Parameter Manipulation: Form fields, query string arguments, and cookie values are frequently used as parameters for your application. Parameter manipulation refers to both how your application safeguards these values against tampering and how your application processes input parameters.
Exception Management: When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Auditing and Logging: Who did what and when? Auditing and logging refer to how your application records security-related events.

Security Principles

Recommendations used throughout this guide are based on security principles that have proven themselves over time. Security, like many aspects of software engineering, lends itself to a principle-based approach, where core principles can be applied regardless of implementation technology or application scenario. The major security principles used throughout this guide are summarized in Table 2.0.

Table 2.0: Summary of Core Security Principles

Principle: Concepts
Compartmentalize: Reduce the surface area of attack. Ask yourself how you will contain a problem. If an attacker takes over your application, what resources can he or she access? Can an attacker access network resources? How are you restricting potential damage? Firewalls, least privileged accounts, and least privileged code are examples of compartmentalizing.
Use least privilege: By running processes using accounts with minimal privileges and access rights, you significantly reduce the capabilities of an attacker if the attacker manages to compromise security and run code.
Apply defense in depth: Use multiple gatekeepers to keep attackers at bay. Defense in depth means you do not rely on a single layer of security, or you consider that one of your layers may be bypassed or compromised.
Do not trust user input: Your application’s user input is the attacker’s primary weapon when targeting your application. Assume all input is malicious until proven otherwise, and apply a defense in depth strategy to input validation, taking particular precautions to make sure that input is validated whenever a trust boundary in your application is crossed.
Check at the gate: Authenticate and authorize callers early — at the first gate.
Fail securely: If an application fails, do not leave sensitive data accessible. Return friendly errors to end users that do not expose internal system details. Do not include details that may help an attacker exploit vulnerabilities in your application.
Secure the weakest link: Is there a vulnerability at the network layer that an attacker can exploit? What about the host? Is your application secure? Any weak link in the chain is an opportunity for breached security.
Create secure defaults: Is the default account set up with least privilege? Is the default account disabled by default and then explicitly enabled when required? Does the configuration use a password in plaintext? When an error occurs, does sensitive information leak back to the client to be used potentially against the system?
Reduce your attack surface: If you do not use it, remove it or disable it. Reduce the surface area of attack by disabling or removing unused services, protocols, and functionality. Does your server need all those services and ports? Does your application need all those features?

Summary

An ever-increasing number of attacks target your application. They pass straight through your environment’s front door using HTTP. The conventional fortress model and the reliance on firewall and host defenses are not sufficient when used in isolation. Securing your application involves applying security at three layers: the network layer, host layer, and the application layer. A secure network and host platform infrastructure is a must. Additionally, your applications must be designed and built using secure design and development guidelines following timeworn security principles.


5 Duties of a Cybersecurity Czar

Responsibilities of White House Official Defined
Eric Chabrow, Managing Editor
May 1, 2009

Legislation creating a White House director of cyberspace would give that official five distinct authorities and functions if enacted. Here’s the job description for the director of the National Office for Cyberspace, as outlined in the United States Information and Communications Enhancement Act of 2009, or U.S. ICE, which was introduced by Sen. Tom Carper, D.-Del., this week.

1. Develop and implement a comprehensive cyberspace strategy in coordination with a public-private partnership to ensure a trusted and resilient communications and information infrastructure, by:

Enhancing economic prosperity and facilitating market leadership for the U.S. information and communications industry;
Defending, preventing and repairing disruptions and damage to America’s information and communications infrastructure;
Ensuring U.S. capabilities to operate in cyberspace in support of national goals; and
Protecting privacy rights and preserving civil liberties of Americans.

2. Oversee federal government IT and communications systems, by:

Recommending to agencies how to mitigate vulnerabilities, attacks and exploitations discovered through activities required by this legislation;
Directing IT security policies, standards and guidelines to ensure agencies comply with standards created by the National Institute of Standards and Technology;
Requiring agencies to report unauthorized access, use, disclosure, disruption, modification or destruction of data or systems; and
Reviewing annually, and either approving or disapproving, agencies’ information security programs.

3. Oversee the effective implementation of governmentwide operational evaluations by:

Monitoring, detecting, analyzing, protecting and responding against known vulnerabilities, attacks and exploitations;
Reporting to and collaborating with appropriate security operation centers and law enforcement agencies; and
Mitigating the risk posed by successful exploitations of systems in a timely fashion to prevent future vulnerabilities and attacks.

4. Report to Congress by March 1 of each year the overall IT security posture of the United States’ communications and information infrastructure, including detailed assessments of the:

Overall resiliency and effectiveness of the communications and information infrastructure of the United States and its government, including the ability to monitor, detect, mitigate and respond to an incident;
Information security effectiveness of each agency, including the ability to monitor, detect, mitigate and respond to an incident; and
Significant deficiencies in IT security and reporting practices of federal government agencies.

The director also would submit a remedial action plan to address agency deficiencies, including an associated budget and recommendations for relevant actions by the executive branch and Congress.

5. Develop and implement policy, guidance and regulations – in coordination with the Office of Management and Budget, NIST and the General Services Administration – that cost effectively enhance federal government IT security by:

Standardizing security requirements – known as lock-down configurations – of commercial off-the-shelf products and services, including cloud computing products and services purchased by federal agencies;
Pre-certifying products and services with known levels of security standards and configurations, when practicable; and
Reducing vulnerabilities and costs associated with custom products and services by providing incentives to get agencies to purchase standard products and services through the GSA.

These policies, guidance and regulations should allow purchasing decisions to reasonably account for significant supply chain risks associated with any specific product or service.

The cyberspace director also must annually inform Congress of the cost savings and security enhancements achieved by using the federal government’s purchasing power, along with recommendations to achieve further cost savings.

White House Set To Reel-In Cybersecurity Role?

By Marc Handelman on April 24th, 2009

In news from the RSA Conference 2009 comes an apparent ‘put on notice’ speech by the acting cybersecurity director from the White House. According to Hathaway, cybersecurity initiatives promulgated by the federal government are the subject of a 60-day review. Reading between the lines, coupled with other recent news, this points to an effort to reel in cybersecurity command and control to the Executive Mansion… More information, including a short snippet of the original CNET Networks, Inc. (NasdaqGS: CNET) post, appears after the jump.

From the original CNET post by Declan McCullagh: “White House may relieve DHS of cybersecurity role”
SAN FRANCISCO — The federal official overseeing a 60-day review of the U.S. government’s cybersecurity efforts indicated Wednesday that the final report recommends shifting more responsibilities to the White House. “It provides the president with recommendations for a White House organizational structure that can effectively address cyberspace-related issues,” Melissa Hathaway, acting cyberspace director for the White House’s National Security and Homeland Security councils, said at the RSA computer security conference here.

10 ways small business can improve security during a recession

by David Kelleher – GFI – Friday, 24 April 2009

Although many companies are understandably cutting back due to the current financial climate, IT security is one area companies cannot afford to cut. Protecting a company’s network and data assets is a key part of doing business today. Security is a cost of doing business and not an item on a checklist that can be added or removed as needed.

The challenge for many SMBs is finding a balance between security and expenditure. How can an IT administrator justify the investment in a security tool when the whole business is in cost-cutting mode?

Human error is still probably the most critical security vulnerability facing storage environments in small and medium sized enterprises. With cyber crime and identity theft expected to increase in 2009, SMBs will need to be even more vigilant in their defenses against phishing and social engineering attacks that exploit human gullibility.

SMBs cannot afford to ignore security. Even if budgets are tight, the overall cost of a security breach, loss of data and downtime far exceeds the amount an SMB needs to spend to secure its data and network. Short-term gains could translate into long-term losses if the security of the business becomes another victim of the recession.

Implementing adequate security can be achieved using a mix of technology and security best practices and the following 10 steps can help SMBs go a long way towards addressing security threats in a tough financial climate.

1. Determine Vulnerability

Conduct an extensive audit of all security measures in place – all hardware, software and other devices – and the privileges and file permissions given to all employees in the organization. Actively test the security of the storage environment and check the logs of the network and storage security controls, such as firewalls, IDSs and access logs, to see if anything was discovered and highlighted as a possible security event. Event logs are an important, but often neglected, source of security information.

2. Monitor Activity

Monitor users’ activity 24 x 7 x 365. For a single administrator, monitoring event logs and carrying out regular audits is a massive undertaking. However, it might be realistic to monitor the logs within the storage environment rather than the entire network. Logs have proven to be a source of great value if a security breach occurs and an investigation ensues. Log analysis goes beyond this: it is not only a post-event tool, but it also allows you to better understand the way your resources are being used and allows for improved management of them.

3. Control Access

Access to data should be given only to those who need it, even if that person happens to be your cousin or the boss’s son.

4. Safeguard Information

Safeguard all business information. The use of uncontrolled portable storage devices, such as flash drives and DVDs, puts considerable volumes of data at risk. These devices are easy to lose and they can be stolen quite easily if left lying around. In many cases, the data that is on portable storage devices is often not protected using encryption.

5. “Need-to-know and need-to-use”

Enact technological barriers that permit device use according to a clear and defined policy. Recent studies show that data leakage by employees increases when people lose their jobs. Portable devices such as USB sticks or PDAs can hold large volumes of data. Monitoring and controlling their use on the network is key to reducing the risk of data leakage or malicious activity by disgruntled employees. Use of devices should be restricted to those who really need to be mobile.

6. Data Handling Policies

Implement stringent security policies with regard to how data is accessed, handled and transferred. Technology alone will not protect a company’s data. Strong and enforceable security policies as well as employee and management’s awareness of security issues will go a long way towards improving the level of storage security within an organization.

7. Simple Employee Communication

Explain, in clear and simple language, the meaning of each policy and how each one is implemented throughout the organization.

8. Employee Education

Employees need to be reminded that they should not leave their passwords written on a sticky note on their monitor. They need to understand that sharing passwords is equivalent to sharing the key to their home. They need to be told not to divulge any information to third parties without authenticating the request. They need to have a basic understanding of security and the most common threats, e.g. email phishing and social engineering. Additionally, they should be reminded that their actions are being monitored and that they are accountable to the company.

9. Backup Everything

Back up all communications and data to, from and within the business. Check your backups regularly to ensure that if the company’s network is down, you can get everything online in a short time-frame. You don’t want to be in a position where your backups are corrupt.

10. People Management

Storage security is more than protecting the data using technology or placing it under lock and key; it is also an exercise in people management. The people using and creating the data are the greatest threat and the weakest security link.

Even with spending overall on security expected to rise, “doing more with less” will remain the mantra for much of 2009. By following these basic tips, SMBs can get through the challenging economic climate without compromising their IT security.

RSA: Ramifications of converging physical and IT security

Angela Moscaritolo – April 23 2009

Companies should consider merging physical and information security into a converged program — it might be challenging but it will be worth it, Ronald Woerner, security compliance manager at online brokerage TD Ameritrade, said Thursday at the RSA Conference.

“If you differentiate physical and information security, you silo yourself,” Woerner said.

A convergence effort might be met with challenges in dealing with educational differences between physical and information security employees, company politics and the notion of one part of the business stepping on the other’s “turf,” Woerner said. But he claimed a successful convergence effort can provide many benefits, including an alignment of goals, information sharing and a single focal point for security within the business.

In merging its physical and information security parts of the business, TD Ameritrade ran into a few hurdles along the way. The effort took more than a year, and one of the most difficult aspects was figuring out salary adjustments for employees, Woerner said. The company tapped into physical security employees to do some elements of information security, and vice versa, so it was necessary to work with human resources to alter pay based on new responsibilities that employees took on.

One of the problems with convergence is that physical security employees are generally not comfortable with the idea of merging with information security, but this is something that seems to be changing, Doug Wheaton, manager of marketing communications at HID, a company that provides physical and information security convergence products, told SCMagazineUS.com Thursday. He added that there is a “strong recognition” that physical security employees who don’t accept IT will be left behind.

Woerner challenged companies to “break out of your silo” and start thinking about convergence and the benefits it can bring. As a start, take your counterpart in physical security out to lunch and begin the conversation, he suggested. He added that companies should create a risk model that includes both physical and information security threats.

First, determine your company’s assets, and then determine the risks to those assets, Woerner said.

RSA Conference 2009 – Day 1

Opening day of RSA Conference 2009

Welcome to day one of the RSA Conference 2009. For the second consecutive year, The Tech Herald will be bringing you daily coverage of the latest security trends and news, live from the conference floor.

11:00 PST
Great set of morning meetings. Randy from ESET spoke to us about a wide range of topics including a new study I can tell you more about tomorrow morning. We also spoke about ESET’s newest release, as well as the initial feedback from the product. According to him, most who’ve seen the new features loved them (we covered them in an earlier news article, which you can read here).

After the meeting with Randy, I sat down with Gary Palgon of NuBridges. If you haven’t heard of the company, the likely reason is that it’s only eight years old. Yet, despite the lack of household association, it certainly has some well-known customers.

For example, Amazon, Walmart, Wachovia and Bank of America all use the ‘at rest’ and ‘in motion’ data protections offered by NuBridges. I spoke with Palgon about some new developments from the company, the details of which will be covered in a later update (much like the ESET meeting, I’ve agreed to keep the data under embargo conditions).

Finally, I met with Daniel and Jarrod of Netronome. While the subject of the meeting is too detailed for this brief update, I can say they are in possession of something I have never seen before.

Specifically, Netronome offers the ability to patch the oft-forgotten hole in UTM, IPS, or IDS-based security configurations: SSL monitoring. Often the various layers in network security and monitoring ignore SSL traffic as it is viewed as a trusted stream of data. If SSL is checked, it is only the expected ports that are watched. Both examples can lead to issues, and Netronome solves them. I’ll cover the outfit and its related services in more detail once RSA 2009 has concluded.

Now it’s time for something completely different. As promised, here are some images from the opening day of this year’s RSA.

And some images from my walk around the city this morning.

07:00 PST
Much as with last year, the first day of the RSA Conference is proving to be a bit slow. There are various classes in session but, other than that, most of the expo attendees are just starting to arrive. While slow, that doesn’t mean there’s nothing of interest to be seen and heard here.

The great thing about an event such as the RSA Conference is that there are people from all walks of IT in attendance. For example, early this morning I met a man at Starbucks who’s attending for the first time. What made his story interesting, as we waited for the black gold to be brewed and served, is that he is a Helpdesk employee; not the typical executive or freelance-security guru that you’d expect to meet at an event such as this.

While requesting that his name and company remain anonymous, my coffee partner told me that he was here to learn about cloud computing and desktop-related protections. His bosses are looking to layer security across a network of 200 seats, and they want the most for their money. Since he has sales experience, he was picked as the man to talk to vendors on the RSA floor and sort fact from hype.

Working the Helpdesk for a company that supports 200 seats is actually a good way to understand the types of defenses needed on the network. It’s interesting to learn that he was picked for the vetting role because of his sales experience.

Last night, while outside the hotel enjoying the evening, I met a developer in town to take classes on risk assessment and secure development. His company sent him here to gather information, but the other side to this particular story is that his company dispatched him because it is currently merging business and IT. It’s taken a while, and there’s still a long way to go, but businesses are finally starting to learn that security has to be a part of the business model and not an afterthought.

The Tech Herald has quite a few meetings lined up for the opening day of RSA 2009. Luckily for me, the first one is with Randy and Jeff of ESET — lucky because it’s at Starbucks and this geek needs his caffeine fix.


RSA Conference 2009: Day 2

Welcome to day two of the RSA Conference 2009. For the second consecutive year, The Tech Herald will be bringing you daily coverage of the latest security trends and news, live from the conference floor.

13:30 PST
Held a meeting with ISC(2) this morning. It has launched a new teaching and awareness training initiative aimed at kids. This is going to be huge, not least because the goals of the initiative are to teach children — middle school and slightly younger — about responsible use of information and technology. They will be covering topics such as cyber bullying, sexting, social networking and information disclosure.

While the initial results of the trial program in the U.S. are strong, the program has already proven itself to be a huge success in the U.K.

12:45 PST
The keynote from Lieutenant General Alexander, Director of the NSA, had some interesting moments. Overall the address mostly explained what the NSA is and set the record straight on the matter of national cybersecurity.

“We do not want to run the security for the U.S.,” said Alexander, pointing out that the NSA would take a more technical support role in the future, once the issue of cybersecurity has been addressed.

The idea is that there’s one team, not one or the other, when it comes to managing national security. At one point he said that if the NSA or DHS managed national cybersecurity alone, everyone would lose. That’s a pointed statement, and one that almost comes off as wishful thinking when you consider where the public sector and politics come into play.

Augmenting the support role, Alexander also said he would want to harness the collective brain power at the NSA to help address issues and develop policy and methods used in security.

As an idea of what’s out there now, with regard to threats that would need to be protected against or completely removed, he pointed to data that said there are 210 billion e-mails per day, or two million per second.

By 2015, the number of Internet hosts is expected to exceed human population (approx. six billion). And, of those hosts, 4,000 will be terroristic in nature. Militants have already started using the Internet to communicate, so according to the keynote slides this is expected to continue and grow. Another interesting figure revealed by the slides showed there are 32,000 suspected cyber attacks each day.

While the keynote was not what most expected, it did shed light on the NSA’s present stance. Melissa Hathaway, who will speak at RSA tomorrow, was praised by the Lieutenant General when he said she has done a phenomenal job in her role so far.

08:23 PST
The crowd is starting to pick up, including a protest on firewalls (marketing from Palo Alto, one of the vendors here at the show) taking place outside the conference.

Enrique Salem, Symantec’s CEO, held an interesting keynote this morning. Unlike his predecessor, John Thompson, Salem came straight to the point when talking about the changes in the security industry and what it was that businesses and security managers needed to do to adapt and address these changes.

“The current security model isn’t working,” Salem said.

He proposed a new way for working with security that’s risk-based, information centric, responsive, and work-flow driven. We’ll cover this in more detail after the conference, but Salem’s point is that we need to better define the risks that we face on a case-by-case basis. As no two threat models are the same, we must define the information within the business and know what it is, where it is, and what risk it poses or could pose. We must then plan the response to any risk or threats to the business (malicious attacks, data loss, etc.), and develop a workflow of automated processes that streamlines the response and makes it faster.

Twitter’s Security Vulnerabilities

Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users’ followers and modify profile pages.

Michael Mooney, a 17-year-old living in Brooklyn, N.Y., said that he wrote the worms because he was bored and wanted to bring Twitter’s attention to the security holes.

Mooney released a fifth worm on the microblogging site.

The latest worm exploits a cross-site scripting vulnerability and posts messages from infected accounts that reference celebrities and references to Mooney getting hired by exqSoft, according to a blog post by Graham Cluley, a senior technology consultant with security firm Sophos.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities. Often during an attack “everything looks fine” to the end-user, who may be subject to unauthorized access, theft of sensitive data, and financial loss.

Background
The term “cross-site scripting” originated from the fact that a malicious web site could load another web site into another frame or window, then use Javascript to read/write data on the other web site. Over time the definition changed to mean the injection of HTML/Javascript into a web page, which may be confusing because the name is no longer an accurate description of the current definition.

In recent years XSS surpassed buffer overflows to become the most common of all publicly reported security vulnerabilities. Likely at least 68% of websites are open to XSS attacks on their users. In general, cross-site scripting holes can be seen as vulnerabilities present in web pages which allow attackers to bypass security mechanisms. By finding clever ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other objects. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued due to confusion with the same abbreviation for Cascading Style Sheets.

XSS attacks are written in a client-side scripting language, most often a dialect of ECMAScript (e.g. JavaScript, JScript), sometimes including some markup language such as HTML or XHTML as well. XSS sometimes reaches other technologies including Sun Microsystems’s Java, Microsoft’s ActiveX and VBScript, Adobe’s Flash and ActionScript, and RSS and Atom feeds.

XSS vulnerabilities have been reported and in some cases exploited since the 1990s. Some of the prominent sites affected were the search engine Google, the email services of Google and Yahoo!, the social networking sites Facebook, MySpace and Orkut. The developers of MediaWiki have fixed at least 20 XSS holes in order to protect Wikipedia and other wiki users.

Browser vendors began in 2008 to stop their users from accessing blacklisted web resources. Opera, as of version 9.5, blocks on a page-by-page basis based on Haute Secure, Netcraft, and PhishTank data. At the time of Opera’s release, both Microsoft’s Internet Explorer (IE) and Mozilla Firefox public betas had related features. Firefox blocks are site-by-site and based on Google and StopBadware.org data.

Types
Three distinct types of XSS vulnerabilities exist: non-persistent, persistent and DOM-based (which can be either persistent or non-persistent).

DOM-based

The DOM-based XSS vulnerability, also referred to as local cross-site scripting, is based on the standard object model for representing HTML or XML called the Document Object Model or DOM for short. With DOM-based cross-site scripting vulnerabilities, the problem exists within a page’s client-side script itself. For instance, if a piece of JavaScript accesses a URL request parameter and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS hole will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side scripts.

In practice, exploiting such a hole would be very similar to the exploit of non-persistent type vulnerabilities (see below), except in one very important situation. Because of the way older versions of Microsoft Internet Explorer treat client-side script in objects located in the “local zone” (for instance, on the client’s local hard drive), an XSS hole of this kind in a local page can result in remote execution vulnerabilities. For example, if an attacker hosts a malicious website, which contains a link to a vulnerable page on a client’s local system, a script could be injected and would run with privileges of that user’s browser on their system. (Local HTML pages are commonly installed with standard software packages, including Internet Explorer.) This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits. The Local Machine Zone Lockdown in IE6 on Windows XP Service Pack 2 was implemented to prevent attackers from executing scripts in the local file zone but did not protect Internet Explorer users from similar vulnerabilities.

Non-Persistent

The non-persistent cross-site scripting hole is also referred to as a reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data are included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If any occurrence of the search terms is not HTML entity encoded, an XSS hole will result.

At first blush, this does not appear to be a serious problem since users can only inject code into their own pages. However, with a small amount of social engineering, an attacker could convince a user to follow a malicious URL which injects code into the results page, giving the attacker full access to that page’s content. Due to the general requirement of the use of some social engineering in this case (and normally in Type 0 vulnerabilities as well), many programmers have disregarded these holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one type of XSS) and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities.

Persistent

The persistent XSS vulnerability is also referred to as a stored or second-order vulnerability, and it allows the most powerful kinds of attacks. A type 2 XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities. A classic example of this is with online message boards, where users are allowed to post HTML formatted messages for other users to read.

Persistent XSS can be more significant than other types because an attacker’s malicious script is rendered more than once. Potentially, such an attack could affect a large number of users with little need for social engineering, and the application could be infected by a cross-site scripting virus or worm.

The methods of injection can vary a great deal, and an attacker may not need to use the web application itself to exploit such a hole. Any data received by the web application (via email, system logs, etc.) that can be controlled by an attacker must be encoded prior to re-display in a dynamic page; otherwise an XSS vulnerability of this type could result.
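The three sections above (DOM-based, non-persistent and persistent) all come down to the same defect: untrusted text is written into a page without HTML entity encoding, so the browser re-interprets it as markup. The following is an added example, not code from the original article, showing the encoder and the vulnerable versus hardened rendering for each case. All function names (`escapeHtml`, `renderSearchVulnerable`, `renderSearchSafe`, `renderMessagesSafe`, `greetingMarkupFromUrl`, `containsRawScriptTag`) and the sample inputs are constructed for this illustration; the search-results page mirrors the reflected example in the text, the message list mirrors the message-board example, and the URL-parameter greeting mirrors the DOM-based example.

```javascript
// Added example (not from the original article): HTML entity encoding as the
// common fix for reflected, stored and DOM-based XSS. Names are hypothetical.

// Encode the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected (non-persistent) XSS: the search term is echoed back both in
// the page body and in the search box. Vulnerable form: raw concatenation.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>` +
         `<input type="text" name="q" value="${query}">`;
}

// Hardened form: every occurrence of the term is entity-encoded before it
// is placed in the markup, including the attribute value.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: ${q}</p>` +
         `<input type="text" name="q" value="${q}">`;
}

// Stored (persistent) XSS: messages read back from storage (a constructed
// array stands in for the database) are encoded on output, regardless of
// whether they arrived via a web form, email or a log file.
function renderMessagesSafe(messages) {
  const items = messages.map(
    (m) => `<li><b>${escapeHtml(m.author)}</b>: ${escapeHtml(m.body)}</li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// DOM-based XSS: client-side script pulls a parameter out of the URL and
// builds markup from it. The same encoding applies; in a real browser,
// assigning the raw value to element.textContent rather than innerHTML
// would avoid the re-parse altogether.
function greetingMarkupFromUrl(href) {
  const name = new URL(href).searchParams.get("name") || "guest";
  return `<h1>Hello, ${escapeHtml(name)}</h1>`;
}

// Simple output check: does the rendered page still contain a script
// element that the encoder should have neutralised?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: closes the attribute, then opens a script tag.
const SAMPLE_QUERY = '"><script>alert(1)</script>';
const SAMPLE_MESSAGES = [
  { author: "alice", body: "Hello <b>world</b>" },
  { author: "mallory<script>", body: "<script>alert(1)</script>" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderSearchVulnerable(SAMPLE_QUERY)); // script tag survives
  console.log(renderSearchSafe(SAMPLE_QUERY));       // rendered as text only
  console.log(renderMessagesSafe(SAMPLE_MESSAGES));
  console.log(greetingMarkupFromUrl("https://example.test/hi?name=%3Cscript%3E"));
}
```

The encoder runs at output time, not at input time, which is what the paragraph above requires: data that reached the application through email or logs never passed an input filter, so the only place the encoding is guaranteed to happen is where the page is generated.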

Exploit scenarios
Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the cast of characters commonly used in computer security.

Simple persistent attack

1. Mallory posts a message to a social network.
2. When Bob reads the message, Mallory’s XSS steals Bob’s cookie.
3. Mallory can hijack Bob’s session and impersonate Bob.

DOM-based attack

1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
2. Alice clicks on the link.
3. The malicious web page’s JavaScript opens a vulnerable HTML page installed locally on Alice’s computer.
4. The vulnerable HTML page contains JavaScript which executes in Alice’s computer’s local zone.
5. Mallory’s malicious script now may run commands with the privileges Alice holds on her own computer.

Non-Persistent

1. Alice often visits a particular website, which is hosted by Bob. Bob’s website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
2. Mallory observes that Bob’s website contains a reflected XSS vulnerability.
3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL.
4. Alice visits the URL provided by Mallory while logged into Bob’s website.
5. The malicious script embedded in the URL executes in Alice’s browser, as if it came directly from Bob’s server. The script can be used to email Alice’s session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice’s knowledge.

Persistent

1. Bob hosts a web site which allows users to post messages and other content to the site for later viewing by other members.
2. Mallory notices that Bob’s website is vulnerable to a type 2 XSS attack.
3. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.
4. Upon merely viewing the posted message, site users’ session cookies or other credentials could be taken and sent to Mallory’s webserver without their knowledge.
5. Later, Mallory logs in as other site users and posts messages on their behalf.

Identity Attack

1. Bob hosts a site that allows users to post messages and that keeps a stored list of user names as recommendations.
2. Alice is a regular visitor to the recommendation-based site; she uses an alias to protect her identity.
3. Mallory knows one or more of Alice’s email addresses but not her identity alias.
4. Mallory uses social engineering to send a disguised recommendation link or the link to a carefully constructed redirect page which recommends a staged posting to Bob’s site.
5. Alice clicks on the link. Her session cookie, or a login she willingly performs, triggers the recommendation.
6. Mallory reads the recommendation list and discovers Alice’s online identity.

Please note, the preceding examples are merely a representation of common methods of exploit and are not meant to encompass all vectors of attack.

Feds want hackers to secure the nation’s networks

Sam Symons

Hackers can cause governments a large amount of trouble from day to day, from stealing valuable info to changing websites, and they’re getting a bit fed up about it. A job posting has been listed on ResumeWare.net, asking for an applicant who will “understand hacker methodologies, tools, and tactics. Additionally, the candidate will have an understanding of common operating system and domain structures, servers, services, and associated vulnerabilities.”

This report comes from Fox News, who say the job posting is on behalf of the Homeland Security Department, and that the applicant would receive payment to secure the nation’s networks. It seems everybody is getting on the cyber security bandwagon; the Pentagon is increasing the number of security experts it has from 80 to 250 by 2011. David Powner, who is the director of technology issues for the Government Accountability Office, said that, “We’re clearly not as prepared as we should be.” The U.S. has not kept up with the technology innovations needed to protect the country from cyber attacks, of which there are a vast number each day. The Pentagon has reportedly spent over $100 million in the last 6 months on repairing damage from these attacks and responding to them.

It’s good to see security against cyber attacks being stepped up, and it will be a vital step in many respects. The U.S. is ill-prepared for a cyber attack, as Fox News states, and this job posting will fill a position in the government that is greatly needed.

Conference on terrorism and cyber security to be held in Madrid

The Conference will provide the 150 participants with an in-depth overview of available methods of improving the application of existing policies and standards in these fields.

The Conference will bring together, on 16 and 17 April in San Lorenzo de El Escorial (near Madrid), national and international experts who will share their experience of combating the use of Internet for terrorist purposes and protecting Internet and critical infrastructures from attacks via Internet by terrorists.

The discussions will be devoted to the following subjects:

· Session I: The use of the Internet for terrorist purposes
- Internet as a tool for supporting terrorism (apologie du terrorisme), recruiting terrorists and financing terrorist activities
- Countering the use of the Internet by terrorists (monitoring, investigation and prosecution)

· Session II: The Internet and critical infrastructures as targets of cyber-attacks by terrorists
- The risk of cyber-attacks by terrorists
- Protecting critical infrastructures and developing a capacity for defence and response in the event of cyber-attacks by terrorists.

The conference will be opened by the Secretary General of the Council of Europe, Terry Davis, the Secretary of State for Security of Spain, Antonio Camacho (tbc), the Deputy Attorney General for Judicial and International Affairs of the Mexican Government, Juan Miguel Alcántara Soria, and the Executive Director of the United Nations Counter-Terrorism Committee, Mike Smith.

The Conference will be preceded on 15 and 16 April (ending at 1 pm) by a meeting of the Council of Europe Committee of Experts on Terrorism (CODEXTER).

A press conference is scheduled for Thursday 16 April at 4.30 pm.