Secure programming
- 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http://www.math.uaa.alaska.edu/~afkjm/cs470/handouts/SecuritySins.pdf
- Mozilla secure coding guidelines: https://developer.mozilla.org/en-US/docs/Secure_Development_Guidelines
Security programming courses
- Very nice course, materials for reading, slides: http://www.cs.washington.edu/education/courses/cse504/10sp/
Buffer overflow
- Complete teaching material for BO explanation, interactive examples written as Java applet (smasher, stackguard, stack demo…), nice, but older (2002): http://nsfsecurity.pr.erau.edu/bom/
- BO demo with simple login procedure (BO leads to overwriting of stored passwords, allowing attacker to login) (without involvement of system stack), C/C++ source code: http://www.cse.msu.edu/~enbody/overflow.htm
- [Lecture 1 candidate] BO demo with real Linux environment, nice tutorial (2008): http://www.tenouk.com/Bufferoverflowc/bufferoverflowvulexploitdemo.html, http://www.tenouk.com/Bufferoverflowc/bufferoverflowvulexploitdemo3.html, http://www.tenouk.com/Bufferoverflowc/bufferoverflowvulexploitdemo32.html
- Slides only, but examples of encoded shellcode: http://www.slideshare.net/null0x00/buffer-overflow-demo-by-saurabh
- Slides only, stack overflow, heap overflow, extended examples of encoded shellcode: http://www.slideshare.net/KevinCSmallwood/software-exploits-3591553
- Secure coding in C/C++ (book) slides: http://www.cert.org/secure-coding/content/t4-seacord-secure-codingv4pdf.pdf
- Large number of security-related video tutorials: http://www.securitytube.net
- [Lecture 1 candidate] Buffer overflow primer (video tutorial, 9 parts, 2011): http://www.securitytube.net/groups?operation=view&groupId=4
- Buffer overflow, example with overwriting part of username: http://www.sans.org/reading_room/whitepapers/securecode/buffer-overflow-attack-mechanism-method-prevention_386
- Tutorial, example codes, shell codes: http://www.securiteam.com/securityreviews/5OP0B006UQ.html
- Great software security and exploit-mitigation tutorials: https://www.corelan.be/
Format string vulnerabilities
- [Lecture 1 candidate] Format string vulnerabilities primer (video tutorial, 4 parts, 2011): http://www.securitytube.net/groups?operation=view&groupId=3
Cryptography
- Java applets demonstrating the DES cipher, linear and differential cryptanalysis: http://nsfsecurity.pr.erau.edu/crypto/index.html
Compiler security flags
Static analysis tools
- Splint C checker (Win&Linux): http://www.splint.org/manual/manual.html
- Microsoft PREfast driver code checker (available in DDK/WDK): http://msdn.microsoft.com/en-us/library/windows/hardware/gg487345.aspx
- Coverity free checker for open source projects https://scan.coverity.com/
RATS analyzer
- Compilation:
  - download and install the expat XML parser: http://expat.sourceforge.net/
  - download the sources at http://code.google.com/p/rough-auditing-tool-for-security/source/checkout
  - for Windows:
    - open the RATS Visual Studio project
    - set the include path and library path to the expat directories
    - if required (missing external symbol _rubylex_column), comment out Ruby support (tokens.h - ruby language) and (engine.c - setup_ruby())
    - copy expat.dll into the working directory and run
CWE vulnerabilities
- CWE-2000: Comprehensive CWE Dictionary http://cwe.mitre.org/data/slices/2000.html
- 2011 CWE SANS Top 25 Most Dangerous Programming Errors https://www.securecoding.cert.org/confluence/display/java/2011+CWE+SANS+Top+25+Most+Dangerous+Programming+Errors
- The CERT Oracle Secure Coding Standard for Java https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
Taint analysis
- C
- tanalysis STAC - Static Taint Analysis for C https://code.google.com/p/tanalysis/
- Cqual (2004) http://www.cs.umd.edu/~jfoster/cqual/
- C#
- Wrapper class for C# objects (usable also elsewhere) http://www.codeproject.com/Articles/169504/A-Simple-Taint-Checking-Solution-for-C
- Java
- Static analyzer for Java bytecode http://sourceforge.net/projects/jlint/
-
- Security Scanner for Java EE, plugin for eclipse
- Detected problems: Parameter Tampering, URL Tampering, Header Manipulation, Cookie Poisoning, SQL Injection, Cross-site Scripting, HTTP Response Splitting, Command Injection, Path Traversal, XPath Injection, XML Injection
- List of security code analyzers: http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
Fuzzing
- PEACH fuzzer http://peachfuzzer.com/
- The OS, Peach and the debugging tools MUST all be the same architecture (either all x86 or all x64)
- Problem: Could not start monitor “WindowsDebugger”. Error: Cannot use the 32bit version of Peach 3 on a 64bit operating system.
- 32bit version: http://sourceforge.net/projects/peachfuzz/files/Peach/3.0/
- MS Debugging tools x32 http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.8.4.0.msi
- 64bit version:
-
- tools available in c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\
- Run cmd with Administrator privileges
- peach configuration.xml
- Run Peach in agent mode: peach -a tcp
- ERROR: Error, could not load platform assembly 'Peach.Core.OS.Windows.dll'. The assembly is part of the Internet Security Zone and loading has been blocked.
- ERROR: Could not start monitor “WindowsDebugger”. Could not find a part of the path 'C:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll'.
  - set the proper path to WinDbg (e.g., c:\Program Files (x86)\Debugging Tools for Windows\) in the Peach pit file
  - <Param name="WinDbgPath" value="c:\Program Files (x86)\Debugging Tools for Windows\" />
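Where that WinDbgPath parameter belongs in a Peach 3 pit file, as an added example that is not from the original notes: it sits inside the WindowsDebugger monitor of an Agent block. The Monitor class and CommandLine parameter are assumed from Peach 3's WindowsDebugger monitor, and the target path is a placeholder.

```xml
<!-- Added example (not from the page): Agent/Monitor block of a Peach 3 pit.
     Assumes the WindowsDebugger monitor and its CommandLine parameter;
     C:\path\to\target.exe is a placeholder for the program under test. -->
<Agent name="LocalAgent">
  <Monitor class="WindowsDebugger">
    <!-- Program under test (placeholder path) -->
    <Param name="CommandLine" value="C:\path\to\target.exe" />
    <!-- Debugger path must match the architecture of Peach and the OS:
         x86 here; for x64 use the Debuggers\x64 directory of the Windows Kit -->
    <Param name="WinDbgPath" value="c:\Program Files (x86)\Debugging Tools for Windows\" />
  </Monitor>
</Agent>
<!-- The Test element then references this agent with <Agent ref="LocalAgent" /> -->
```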
Notes
- Example output for new students:
- Use format of https://is.muni.cz/auth/th/396518/fi_b/bp.pdf as an example
- High-level metrics: platform…
- Iterative process, highlight to students
- Platform supported
- Properties from Andrii
- IDE integration vs. standalone / server-based tool
- Coverity experience
- 3 bc theses
- Use owasp tools, test against vulnerable apps, evaluate
- Implement personalized testing scenarios inside a given framework (The Web Application Hacker's Handbook scenarios)
- multiple scenarios, every week demonstration of progress
- Vulnerability scanners - Nessus, Metasploit…
- Metrics (owasp top 10)
  - A1 Injection
  - A2 Broken Authentication and Session Management
  - A3 Cross-Site Scripting (XSS)
  - A4 Insecure Direct Object References
  - A5 Security Misconfiguration
  - A6 Sensitive Data Exposure
  - A7 Missing Function Level Access Control
  - A8 Cross-Site Request Forgery (CSRF)
  - A9 Using Components with Known Vulnerabilities
  - A10 Unvalidated Redirects and Forwards
OWASP tools
- List of owasp tools https://www.owasp.org/index.php/Category:OWASP_Tools_Project
Web security testing tool
- w3af framework for manipulating HTTP (fuzzers, crawlers…) http://w3af.org/features
- free, open source
- Contrast scanner (free/commercial) http://www1.contrastsecurity.com/pricing
- Cross-Site Scripting in free edition
- OWASP Top 10 / PCI DSS compliance in the paid edition ($399)
- on-premises option (1st app $999/month)
- [2014] OWASP Access Control Rules Tester Project https://www.owasp.org/index.php/Category:OWASP_Access_Control_Rules_Tester_Project
- Insufficient Access Control
- TRY
- [2014] OWASP Mantra security testing web browser (built on Firefox) http://www.getmantra.com/owasp-mantra.html
- TRY
- Firefox-based browser with a large number of security plugins http://www.getmantra.com/tools.html
- [2014] ByWaf https://www.owasp.org/index.php/OWASP_Bywaf_Project
- web application penetration testing framework, command-line interpreter and a set of plugins
- [2011, 2014?] OWASP LAPSE Project https://www.owasp.org/index.php/OWASP_LAPSE_Project
- Security Scanner for Java EE Applications
- eclipse plugin
- TRY
- [2014] OWASP OWTF, the Offensive (Web) Testing Framework https://www.owasp.org/index.php/OWASP_OWTF
- [2014] XSS detection toolkit https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
- TRY
- [2014] OWASP ZED Attack Proxy Project https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- TRY
- [2014] OSAFT https://www.owasp.org/index.php/O-Saft
- SSL testing and auditing tool
- tool that shows information about the SSL certificate and tests the SSL connection against a given list of ciphers and various SSL configurations
- try
Vulnerable app / distro / hackme challenges
- [2014] OWASP Insecure Web App Project https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project
- InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling
- [2012] Mutillidae http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
- Mutillidae contains all of the vulnerabilities from the OWASP Top 10
- TRY
- [2013] OWASP Broken Web Applications Project https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
- application with vulnerabilities, virtual machine
- TRY
- Damn Vulnerable iOS Application https://www.owasp.org/index.php/OWASP_DVIA
- covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try
- [2011] Hackademic Challenges https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project
- vulnerable app, challenges: https://github.com/Hackademic/hackademic/
- TRY
- [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd
- security teaching application, CTF
- [2015] Samurai Web Testing Framework http://samurai.inguardians.com/
- preinstalled Mutillidae
Security-supporting library
-
- API for ensuring user-supplied HTML/CSS is in compliance within an application's rules
- OWASP Enterprise Security API https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Downloads
- Java, .NET, ASP, PHP, Python, JavaScript…
- TRY
- [2014] java-html-sanitizer https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
- fast and easy-to-configure HTML sanitizer written in Java which lets you include HTML authored by third parties in your web application while protecting against XSS
- [2014] JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer
- Given JSON-like content, convert it to valid JSON. Java library
- [2015] Several Java web applications and command line applications covering different security topics: https://github.com/dschadow/JavaSecurity