====== Secure programming ======

  * 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http://www.math.uaa.alaska.edu/~afkjm/cs470/handouts/SecuritySins.pdf
  * Mozilla secure coding guidelines: https://developer.mozilla.org/en-US/docs/Secure_Development_Guidelines

===== Security programming courses =====

  * Very nice course, reading materials, slides: http://www.cs.washington.edu/education/courses/cse504/10sp/
  * StackGuard paper: http://www.cs.cornell.edu/courses/cs513/2007fa/paper.stackguard.pdf
  * Aleph One, Smashing The Stack For Fun And Profit: http://www-inst.cs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf

===== Buffer overflow =====

  * Complete teaching material explaining buffer overflows (BO), interactive examples written as Java applets (smasher, stackguard, stack demo...), nice, but older (2002): http://nsfsecurity.pr.erau.edu/bom/
  * BO demo with a simple login procedure: the overflow overwrites the stored password, so the attacker can log in; no system stack involved. C/C++ source code: http://www.cse.msu.edu/~enbody/overflow.htm
  * [Lecture 1 candidate] BO demo in a real Linux environment, nice tutorial (2008): http://www.tenouk.com/Bufferoverflowc/bufferoverflowvulexploitdemo.html, http://www.tenouk.com/Bufferoverflowc/bufferoverflowvulexploitdemo3.html, http://www.tenouk.com/Bufferoverflowc/bufferoverflowvulexploitdemo32.html
  * Slides only, but with examples of encoded shellcode: http://www.slideshare.net/null0x00/buffer-overflow-demo-by-saurabh
  * Slides only: stack overflow, heap overflow, extended examples of encoded shellcode: http://www.slideshare.net/KevinCSmallwood/software-exploits-3591553
  * Secure Coding in C and C++ (Seacord, book) slides: http://www.cert.org/secure-coding/content/t4-seacord-secure-codingv4pdf.pdf
  * Large number of security-related video tutorials: http://www.securitytube.net
  * [Lecture 1 candidate] Buffer overflow primer (video tutorial, 9 parts, 2011): http://www.securitytube.net/groups?operation=view&groupId=4
  * Buffer overflow, example with overwriting part of the username: http://www.sans.org/reading_room/whitepapers/securecode/buffer-overflow-attack-mechanism-method-prevention_386
  * Tutorial, example code, shellcode: http://www.securiteam.com/securityreviews/5OP0B006UQ.html
  * Great software security protection and exploit-writing tutorials: https://www.corelan.be/
    * https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/
    * https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

===== Format string vulnerabilities =====

  * [Lecture 1 candidate] Format string vulnerabilities primer (video tutorial, 4 parts, 2011): http://www.securitytube.net/groups?operation=view&groupId=3

===== Cryptography =====

  * Java applets demonstrating the DES cipher and linear & differential cryptanalysis: http://nsfsecurity.pr.erau.edu/crypto/index.html

===== Compiler security flags =====

  * MSDN, Compiler Security Checks In Depth (Visual C++ /GS stack protection): http://msdn.microsoft.com/en-us/library/aa290051%28v=vs.71%29.aspx

===== Static analysis tools =====

  * Splint C checker (Windows & Linux): http://www.splint.org/manual/manual.html
  * Microsoft PREfast driver code checker (available in the DDK/WDK): http://msdn.microsoft.com/en-us/library/windows/hardware/gg487345.aspx
  * Coverity Scan, free checker for open source projects: https://scan.coverity.com/

==== RATS analyzer ====

  * Compilation:
    * download and install the expat XML parser: http://expat.sourceforge.net/
    * download the sources at http://code.google.com/p/rough-auditing-tool-for-security/source/checkout
    * for Linux, read: https://security.web.cern.ch/security/recommendations/en/codetools/rats.shtml
    * for Windows:
      * open the RATS Visual Studio project
      * set the include path and library path to the expat directories
      * if required (linker error: unresolved external symbol _rubylex_column), comment out Ruby support (tokens.h: the Ruby language entry; engine.c: setup_ruby())
      * copy expat.dll into the working directory and run

===== CWE vulnerabilities =====

  * CWE-2000: Comprehensive CWE Dictionary: http://cwe.mitre.org/data/slices/2000.html
  * 2011 CWE/SANS Top 25 Most Dangerous Programming Errors: https://www.securecoding.cert.org/confluence/display/java/2011+CWE+SANS+Top+25+Most+Dangerous+Programming+Errors
  * CWE-78 (OS command injection) mitigation in Java, IDS07-J: https://www.securecoding.cert.org/confluence/display/java/IDS07-J.+Do+not+pass+untrusted%2C+unsanitized+data+to+the+Runtime.exec%28%29+method
  * The CERT Oracle Secure Coding Standard for Java: https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java

===== Taint analysis =====

  * C
    * tanalysis (STAC), Static Taint Analysis for C: https://code.google.com/p/tanalysis/
    * Cqual (2004): http://www.cs.umd.edu/~jfoster/cqual/
  * C#
    * Wrapper class for C# objects (the approach is usable elsewhere too): http://www.codeproject.com/Articles/169504/A-Simple-Taint-Checking-Solution-for-C
  * Java
    * Jlint, static analyzer for Java bytecode: http://sourceforge.net/projects/jlint/
    * LAPSE+: https://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
      * security scanner for Java EE, Eclipse plugin
      * detected problems: Parameter Tampering, URL Tampering, Header Manipulation, Cookie Poisoning, SQL Injection, Cross-site Scripting, HTTP Response Splitting, Command Injection, Path Traversal, XPath Injection, XML Injection
  * List of source code security analyzers (NIST SAMATE): http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

===== Fuzzing =====

  * Peach fuzzer: http://peachfuzzer.com/
    * A matching combination of OS, Peach and debugging tools MUST be used (either all x86 or all x64), otherwise the debugger monitor fails to start
    * Problem: Could not start monitor "WindowsDebugger". Error: Cannot use the 32bit version of Peach 3 on a 64bit operating system.
    * 32bit version:
      * http://sourceforge.net/projects/peachfuzz/files/Peach/3.0/
      * MS Debugging Tools for Windows, x86: http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.8.4.0.msi
    * 64bit version:
      * http://sourceforge.net/projects/peachfuzz/files/Peach/3.0/
      * download the WDK: http://msdn.microsoft.com/en-us/library/windows/hardware/ff551063%28v=vs.85%29.aspx
      * the debugging tools are then available in c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\
    * Run cmd with Administrator privileges
    * Run a fuzzing session from a pit file: //peach configuration.xml//
    * Run Peach in agent mode: //peach -a tcp//
    * ERROR: Error, could not load platform assembly 'Peach.Core.OS.Windows.dll'. The assembly is part of the Internet Security Zone and loading has been blocked.
      * Solution: https://forums.peachfuzzer.com/showthread.php?198-Could-not-load-platform-assembly-Peach-Core-OS-Windows-dll (the downloaded archive carries the Internet zone marker; unblock it before extracting, e.g. in the file's Properties dialog or with PowerShell Unblock-File)
    * ERROR: Could not start monitor "WindowsDebugger". Could not find a part of the path 'C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll'.
      * set the proper path to WinDbg (e.g., c:\Program Files (x86)\Debugging Tools for Windows\) in the Peach pit file

===== Notes =====

  * Example output for new students:
    * use the format of https://is.muni.cz/auth/th/396518/fi_b/bp.pdf as an example
    * high-level metrics: platform...
    * iterative process, highlight to students
  * Platform supported
  * Properties from Andrii
  * IDE integration vs. standalone / server-based tool
  * Coverity experience
  * 3 bachelor theses
    * use OWASP tools, test them against vulnerable apps, evaluate
    * implement personalized testing scenarios inside a given framework (The Web Application Hacker's Handbook scenarios)
    * multiple scenarios, every week a demonstration of progress
    * vulnerability scanners: Nessus, Metasploit...
  * Metrics (OWASP Top 10, 2013 edition):
    * A1 Injection
    * A2 Broken Authentication and Session Management
    * A3 Cross-Site Scripting (XSS)
    * A4 Insecure Direct Object References
    * A5 Security Misconfiguration
    * A6 Sensitive Data Exposure
    * A7 Missing Function Level Access Control
    * A8 Cross-Site Request Forgery (CSRF)
    * A9 Using Components with Known Vulnerabilities
    * A10 Unvalidated Redirects and Forwards

==== OWASP tools ====

  * List of OWASP tools: https://www.owasp.org/index.php/Category:OWASP_Tools_Project
  * https://www.owasp.org/index.php/Category:OWASP_Tool

==== Web security testing tools ====

  * w3af, framework for manipulating HTTP (fuzzers, crawlers...): http://w3af.org/features
    * free, open source
  * Contrast scanner (free/commercial): http://www1.contrastsecurity.com/pricing
    * Cross-Site Scripting detection in the free edition
    * OWASP Top 10 / PCI DSS compliance in the paid edition ($399)
    * on-premises option (1st app $999/month)
  * [2014] OWASP Access Control Rules Tester Project: https://www.owasp.org/index.php/Category:OWASP_Access_Control_Rules_Tester_Project
    * insufficient access control
    * TRY
  * [2014] OWASP Mantra security testing web browser (built on Firefox): http://www.getmantra.com/owasp-mantra.html
    * TRY
    * Firefox-based browser with a large number of security plugins: http://www.getmantra.com/tools.html
  * [2014] ByWaf: https://www.owasp.org/index.php/OWASP_Bywaf_Project
    * web application penetration testing framework, command-line interpreter and a set of plugins
  * [2011, 2014?] OWASP LAPSE Project: https://www.owasp.org/index.php/OWASP_LAPSE_Project
    * security scanner for Java EE applications
    * Eclipse plugin
    * TRY
  * [2014] OWASP OWTF, the Offensive (Web) Testing Framework: https://www.owasp.org/index.php/OWASP_OWTF
  * [2014] OWASP Xenotix XSS Exploit Framework, XSS detection toolkit: https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
    * TRY
  * [2014] OWASP Zed Attack Proxy (ZAP) Project: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    * TRY
  * [2014] O-Saft: https://www.owasp.org/index.php/O-Saft
    * SSL testing and auditing tool
    * shows information about the SSL certificate and tests the SSL connection against a given list of ciphers and various SSL configurations
    * TRY

==== Vulnerable app / distro / hackme challenges ====

  * [2014] OWASP Insecure Web App Project: https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project
    * InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling
  * [2012] Mutillidae: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
    * Mutillidae contains all of the vulnerabilities from the OWASP Top 10
    * TRY
    * http://sourceforge.net/projects/mutillidae/files/mutillidae-project/
  * [2013] OWASP Broken Web Applications Project: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
    * virtual machine with vulnerable applications
    * TRY
  * Damn Vulnerable iOS Application: https://www.owasp.org/index.php/OWASP_DVIA
    * covers all the common vulnerabilities found in iOS applications (following the OWASP Top 10 Mobile Risks) and contains several challenges that the user can try
  * [2011] Hackademic Challenges: https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
    * vulnerable app, challenges: https://github.com/Hackademic/hackademic/
    * TRY
  * [2013] OWASP Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
    * TRY: https://github.com/OWASP/SecurityShepherd
    * security teaching application, CTF
  * [2015] Samurai Web Testing Framework: http://samurai.inguardians.com/
    * live distro with Mutillidae preinstalled,

==== Security-supporting libraries ====

  * [2009] AntiSamy: https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET
    * API for ensuring that user-supplied HTML/CSS complies with an application's rules
  * OWASP Enterprise Security API (ESAPI): https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads
    * Java, .NET, ASP, PHP, Python, JavaScript...
    * TRY
  * [2014] OWASP Java HTML Sanitizer: https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
    * fast and easy to configure HTML sanitizer written in Java which lets you include HTML authored by third parties in your web application while protecting against XSS
  * [2014] OWASP JSON Sanitizer Project: https://www.owasp.org/index.php/OWASP_JSON_Sanitizer
    * given JSON-like content, converts it to valid JSON; Java library
  * [2015] Several Java web applications and command line applications covering different security topics: https://github.com/dschadow/JavaSecurity

==== Security processes and awareness ====

  * XSS (Cross Site Scripting) Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
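The core rule of the XSS prevention cheat sheet linked above (and the reason the sanitizer libraries listed earlier exist as separate projects) is one encoder per output context. The following JavaScript is an added example, not code from the cheat sheet, OWASP or any tool on this page: it implements encoders for the HTML body, HTML attribute, JavaScript string and URL parameter contexts, renders a constructed attacker-controlled profile through them, and shows why an event-handler attribute needs JavaScript escaping first and attribute encoding second. The names renderProfile, greet, decodeAttributeValue and handlerSourceWith, and the profile input, are assumptions made for the example.

```javascript
// Added example (not from the OWASP XSS prevention cheat sheet or any project above):
// context-aware output encoding. Helper names and the sample input are constructed.

// HTML element content: entity-encode the characters that matter to the HTML parser.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute value: &#xHH; everything but [A-Za-z0-9], so even an unquoted
// attribute cannot be broken out of.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string literal: \xHH / \uHHHH-escape everything but [A-Za-z0-9], so quotes,
// backslashes, newlines and "</script>" cannot terminate the literal or the script element.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).toUpperCase().padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
    return '\\u{' + cp.toString(16).toUpperCase() + '}';
  });
}

// URL query parameter: percent-encoding. A whole URL is a different sink: its scheme is
// allowlisted, because "javascript:" survives every encoder above unchanged.
function encodeForUrlParam(s) { return encodeURIComponent(String(s)); }
function safeHref(url) { return /^https?:\/\//i.test(String(url)) ? String(url) : '#'; }

// Renders untrusted profile fields into several contexts with the matching encoder.
// Nested contexts are encoded inner-first, outer-last: the search link is a URL parameter
// inside an attribute, the onclick handler is a JS string literal inside an attribute.
function renderProfile(p) {
  return [
    '<div class="profile">',
    '  <h2>' + encodeForHtml(p.name) + '</h2>',
    '  <a href="' + encodeForHtmlAttribute(safeHref(p.homepage)) + '">homepage</a>',
    '  <a href="/search?q=' + encodeForHtmlAttribute(encodeForUrlParam(p.name)) + '">search</a>',
    '  <button onclick="greet(\'' + encodeForHtmlAttribute(encodeForJsString(p.name)) + '\')">hi</button>',
    '  <script>var displayName = "' + encodeForJsString(p.name) + '";</script>',
    '</div>',
  ].join('\n');
}

// Minimal model of what a browser does to an attribute value before the JS engine sees an
// event handler: character references are decoded. Enough to show the wrong-encoder bug.
function decodeAttributeValue(v) {
  return v
    .replace(/&#x([0-9A-Fa-f]+);/g, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Source the JS engine receives for onclick="greet('<value>')" with the given encoder applied.
// With encodeForHtml alone the browser undoes the encoding and the payload breaks out of the
// string literal; JS-escape then attribute-encode keeps it inside the literal.
function handlerSourceWith(encoder, name) {
  return "greet('" + decodeAttributeValue(encoder(name)) + "')";
}

// Constructed attacker input: closes the <h2>, closes a script element, breaks out of a
// single-quoted JS string, and supplies a javascript: URL.
const attackerProfile = {
  name: "</script><img src=x onerror=alert(1)>');alert(2);//",
  homepage: 'javascript:alert(document.cookie)',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderProfile(attackerProfile));
  console.log('wrong encoder in onclick:', handlerSourceWith(encodeForHtml, attackerProfile.name));
  console.log('right encoder in onclick:',
    handlerSourceWith((s) => encodeForHtmlAttribute(encodeForJsString(s)), attackerProfile.name));
}
```

Running the block prints the rendered fragment, in which every copy of the payload is inert in its own context, followed by the two onclick variants: the HTML-encoded one decodes back to `greet('...');alert(2);//')` in the handler, the JS-escaped-then-attribute-encoded one stays a single string literal. The same inner-first rule applies to any library encoder (ESAPI, the Java HTML Sanitizer) used in a nested context.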