Security Vulnerabilities in Your Web Application

Do you know if your web site is secure? You may be surprised to find that the answer is “No”. Developers’ coding practices can lead to many pitfalls when it come to security, and naturally so. We as programmers often think in terms of how an application “should” work, instead of how it “could” work. Especially when you have to code for last-minute requirements, or meet an upcoming deadline, security tends to be at the bottom of our priority list. First, I’ll go over the top two of the Open Web Application Security Project (OWASP) top ten vulnerabilities, and then discuss what you can do to protect against them.

The OWASP Top Ten Project can be found at their website: http://www.owasp.org/index.php/OWASP_Top_Ten_Project

The number one security vulnerability as of writing this article, is Cross-site Scripting (XSS). Cross-site scripting occurs when an attacker inserts malicious coding into a page element appears to be from a trustworthy source. When a user interacts with the element, (i.e. clicks a link or even views an image) the embedded programming is submitted as part of the browser’s request and can execute on the user's computer. For example, many forum and guestbook sites allow users to submit posts with embedded HTML and JavaScript. If someone views a post that contains malicious JavaScript, then the user can be subjected to information theft or session hijacking.

Additional common vulnerabilities are Injection Flaws. A site that accepts user input and executes commands based on some or all of that user-supplied data, is vulnerable to injection attacks. The most common form of injection is SQL injection. One form of SQL injection is when text provided by a user is inserted directly into a SQL command, which can result in elevated privileges, information theft, and information tampering. Lets imagine that an insecure website that contains a username and password login form.



The website then takes the username and password supplied by the user, and builds the SQL query string below.

SELECT * FROM Users WHERE username = ‘“ + txtUserName.Text + “’ AND password = ‘” + txtPassword.Text + ”’;

This approach does work, but what it also does is allow a malicious user to inject his own SQL into the command, and possibly gain unauthorized access. What would happen if a user entered the following into the login form?



When the form is submitted, the SQL query that gets executed would look something like this:

SELECT * FROM Users WHERE username = ‘’ OR 1=1 --’ AND password = ‘randomtext’;

This is a valid SQL query that will execute and always return true, allowing the user to gain access to the system. The “--“ command acts as a comment, which tells the SQL engine to ignore anything after it. So “’ AND password = ‘randomtext’;” is ignored.

Surprisingly, both XSS and injection flaws are easily avoidable. The easiest and most important way to protect against these types of attacks is one of my golden rules.

ALWAYS VALIDATE USER INPUT!

As a web developer, it is a mistake to trust any data coming from the browser. Data should be validated and revalidated to ensure that it cannot be used in an unsafe manner. There are two types of validation - positive validation and negative validation. Most developers would approach fixing a vulnerability by restricting the use of certain characters. In the SQL injection example, one could just eliminate the use of the apostrophe, equals sign, and hyphens. The same applies for the XSS example. One can restrict the special characters used in JavaScript. These are examples of negative validation, also known as black listing. But one problem with negative validation, is that there is still room for other special characters to make their way into the application if the developer chooses to use negative validation alone. On the other hand, one could also only allow A through Z characters into a textbox, and disallow all others, which is an example of positive validation, also known as white listing. By using positive validation, the developer specifies which characters are allowed while disallowing all others. Overall, you should always use positive validation when validating user input, or even better, use both positive and negative validation.

Another method in protecting against security vulnerabilities, particularly SQL injection attacks, is to use parameterized queries or stored procedures. In ASP .NET, Visual Studio allows developers to quickly and easily create parameterized queries for database operations. For more information on using parameterized queries, check out http://aspnet101.com/aspnet101/tutorials.aspx?id=1.

Encoding data that is displayed in the browser is also important. If special characters do make it into a field, and your application reflects that data back to the screen, it could render as code. So make sure to HTML encode your output before sending it to the screen by calling Server.HTMLEncode(String). This way, malicious code is rendered as harmless text.

It doesn’t take much to prevent many security flaws from creeping into your application. Just remember to always validate user input, HTML encode your output, and use parameterized queries or stored procedures.

Related Post: Define Your Development Team's .NET Coding Standards
on No comments:
Labels: ,

Define Your .NET Coding Standards

These days, software development is accomplished by several developers. Many team members work on code during development, but in most cases, it is unlikely that the code is maintained by those same developers long after it is installed into production. For this and many other reasons, a good set of standards and best practices should be defined for your organization. The following standards are used by my development team and I, but feel free to adopt and change these standards and practices to best fit the needs of your organization. Also, look into what other organizations in your industry are using. Note: All code examples are in VB .NET but most can apply to C# .NET as well.

Environment

It is extremely important, when coding in .NET, to enable Option Explicit and Option strict for all projects. This forces developers to explicitly declare and type variables before they are used. The compiler will generate more efficient machine code and significantly increase application performance.

Formatting

Formatting makes the logical organization of the code obvious. Taking the time to ensure that the source code is formatted in a consistent, logical manner is helpful to you and to other developers who must decipher the source code.

  1. Align blocks of code using indentation.








  1. Keep maximum line length for comments and code to a reasonable length to avoid having to scroll the source code editor. This strategy also provides cleaner hard copy presentation.

  1. Use line breaks between logical blocks of code. Doing so creates "paragraphs" of code, which aid the reader in comprehending the logical segmenting of the software.












  1. Place the concatenation operator (“_”) at the end of each line instead of at the beginning.






  1. Do not use an underscore (“_”) in function names except for event handlers.












  1. Develop and use structured error-handling routines where applicable. This includes file IO, database operations, and network operations.








  1. Explicitly release object references.



  1. Do not use abbreviations or contractions as parts of identifier names. For example, use GetWindow instead of GetWin.
  2. Do not use acronyms that are not generally accepted in the computing field.
  3. Where appropriate, use well-known acronyms to replace lengthy phrase names. For example, use UI for User Interface and OLAP for On-line Analytical Processing.
  4. When using acronyms, use Pascal case or camel case for acronyms more than two characters long. For example, use HtmlButton or htmlButton. However, you should capitalize acronyms that consist of only two characters, such as System.IO instead of System.Io.
  5. When writing SQL statements, use all uppercase for keywords and mixed case for database elements, such as tables, columns, and views.
  6. Put each major SQL clause on a separate line so that statements are easier to read and edit.

Variables

Good variable naming standards and practices is vital in creating code that is easily understood and maintained. In most situations, the developer working with code is not the developer who originally wrote it. There are three naming standards that you should be aware of:

Pascal case

The first letter in the identifier and the first letter of each subsequent concatenated word are capitalized. You can use Pascal case for identifiers of three or more characters. For example:



Camel case

The first letter of an identifier is lowercase and the first letter of each subsequent concatenated word is capitalized. For example:



Uppercase

All letters in the identifier are capitalized. Use this convention only for identifiers that consist of two or fewer letters. For example:



Refer to these capitalization styles for the variable naming standards below.

  1. Keep the scope of variables as small as possible to avoid confusion and to ensure maintainability.
  2. Use Camel case for local variables and parameters








  1. Use Pascal case for namespaces, properties, enumerated values, classes, events, methods and functions.
  2. Use the prefixes below for visual objects used on your forms. This lets you and other developers know what object type you are working with, and aids in readability and understanding of your code. For client-side objects, declared variables, and visual objects that are not used such as static labels, no prefix is necessary.

LBL - Label
GRD or GRID - GridView
TXT - Textbox
DL - DataList
CMD or BUT - Button
DTL - DetailsList
CMD or BUT - LinkButton
FMV - FormView
CMD or BUT - ImageButton
REP - Repeater
LNK - HyperLink
DS - SqlDataSource
CMB or DDL - DropDownList
DS - AccessDataSource
LST - ListBox
DS - ObjectDataSource
CHK - Checkbox
DS - XmlDataSource
CHK - CheckboxList
DS - SiteMapDataSource
OPT - RadioButton
RTV - ReportViewer
OPT - RadioButtonList
IMG - Image
IMG - ImageMap
TBL - Table
UOL - BulletedList
HID - HiddenField
LIT - Literal
CAL - Calendar
AD - AdRotator
FUL - FileUpload
WIZ - Wizard
XML - XML
MLV - MultiView
PNL - Panel
PLH - PlaceHolder
VIEW - View
SUB - Substitution
LOC - Localize

SQL

Using a naming standard and good practices for the SQL statements in your project will make your queries easier to read and understand, which will make the underlying dataset and relevant code easier to understand as well.

  1. Capitalize keywords.




  1. Never use “SELECT *”
  2. Do not use prefixes for database objects. For example, use Employee instead of tblEmployee.
  3. Database object names should be singular. For example, name a table “Order” instead of “Orders”.
  4. When creating a SQL query in your code, put each statement on a separate line.






  1. Avoid using reserved keywords for database object or field names. You can use the SQL Reserved Words Checker located at http://www.petefreitag.com/tools/sql_reserved_words_checker to make sure.
on No comments:
Labels:

Getting Out of Debt on Your Own

I’m no financial expert, but if you’re one of many people who have credit card debt, you could be heading down the wrong financial path. In my opinion, no one should ever have to use a credit card. Simply put, if you can’t afford it, don’t buy it! For larger purchases, it is better to save up for what you want than to finance it. The first important step in the right financial direction is always to pay off all credit card debt.

So what’s the first step? Stop paying interest! Not all the money you pay on your credit card goes towards the amount you owe. In fact, interest is paid before one cent is applied to your principal balance. So the first step in getting out of credit card debt is to transfer your balance to a zero interest credit card. There are many credit card companies that offer 0% APR on balance transfers for 12 months, and that is exactly the deal you need to take advantage of. A great resource for learning your best options for transferring your credit card balance is http://www.smartbalancetransfers.com/. This site has an abundance of information to help you decide which company and plan is right for you. Even with a 3% balance transfer fee, the money you’ll save in interest is more than enough to cover the balance transfer fee.

Once you’re balance is transferred, you can start to make some real progress towards being debt-free. Forget about minimum payments. Make a budget of your income and expenses, and figure out a monthly payment that you can afford. It should be more than your minimum monthly payment. A good financial planning website is http://www.mint.com. Once you register, you can add your checking and credit card accounts to your Mint.com account. Mint will automatically download your transaction history and show you where money is coming in, and most importantly, where it is being spent.

Transferring your balance to a zero interest APR, sticking to your budget, and making regular monthly payments on your credit card that you can afford, will get you heading on your way down the right financial path to a brighter financial future.

on 1 comment:
Labels: ,

Add Google Maps To Your Site Using ASP .NET

Embedding Google Maps into your website or blog has never been easier. If you’re unfamiliar with Google Maps, check out http://maps.google.com. With Google’s Map API, you can provide geographic data visualization using a more interactive and robust interface, all for free!

Used alone, Google’s API is utilized entirely by JavaScript, which, in my opinion, can be difficult to manage, and can quickly clutter up your code. Therefore, I searched for an alternative solution using ASP .NET. The solution I found is a Google Maps ASP .NET user control developed and maintained by http://en.googlemaps.subgurim.net. This user control acts as a wrapper around the Google Maps API, providing easy access to many of the features in the Google Maps API, as well as some additional features that take advantage of the ASP .NET data source objects. All of this is contained in one user control, and best of all, not a single line of JavaScript is needed!

To get started using the Google Maps API along with the GoogleMaps.Subgurim.NET user control, you first have to visit the Google Maps API site at http://code.google.com/apis/maps, and sign up to receive a Google Maps API key. When signing up, keep the following in mind:

  • The key is only valid for the web address you specify, and you must abide by Google’s terms and conditions.

Once you have obtained your key, visit the home of the GoogleMaps.Subgurim.NET user control at http://en.googlemaps.subgurim.net. Downloading the control is free and no registration is necessary. The best thing about this control is the supporting documentation and forums available to assist developers of all experience levels. Once you download the .zip file, do the following:

  • Copy the GMaps.dll file into your application’s “bin” directory.

  • Add the control to the toolbox by right-clicking the toolbox; Choose Items; .NET Framework Components; Browse. Locate the GMaps.dll and select it. Click OK.
Now you have a fully functional Google Maps user control that you can utilize entirely with ASP .NET!
on No comments:
Labels:

Shred Your Unneeded Documents


In today's information driven world, you can never be too careful when discarding documents you no longer need. Identity theft is more common than ever, and even the most basic information can be useful to a malicious person if he is determined. When you're ready to dispose of unneeded documents, you should definitely shred them! Now you're probably asking - What documents should I shred?

The easy answer: Anything that has a signature, account number, social security number, or medical or legal information (plus credit offers).

The complete answer:
  • Address labels from junk mail and magazines
  • ATM receipts
  • Bank statements
  • Birth certificate copies
  • Canceled and voided checks
  • Credit and charge card bills, carbon copies, summaries and receipts
  • Credit reports and histories
  • Documents containing maiden name (used by credit card companies for security reasons)
  • Documents containing names, addresses, phone numbers or e-mail addresses
  • Documents relating to investments
  • Documents containing passwords or PIN numbers
  • Driver's licenses or items with a driver's license number
  • Employee pay stubs
  • Employment records
  • Expired passports and visas
  • Unlaminated identification cards (college IDs, state IDs, employee ID badges, military IDs)
  • Legal documents
  • Investment, stock and property transactions
  • Items with a signature (leases, contracts, letters)
  • Luggage tags
  • Medical and dental records
  • Papers with a Social Security number
  • Pre-approved credit card applications
  • Receipts with checking account numbers
  • Report cards
  • Resumés or curriculum vitae
  • Tax forms
  • Transcripts
  • Travel itineraries
  • Used airline tickets
  • Utility bills (telephone, gas, electric, water, cable TV, internet)
on No comments:
Labels:

The Effects of Technology on Human Evolution

Isn’t technology great? I’m not just talking about computers and cell phones, but the modern amenities that make the quality our lives much better. Things like indoor plumbing, modern medicine, frozen dinners, soap, electrical appliances, etc. The list goes on. When I refer to technology, I am referring to anything that makes human life easier, including but not limited to the stuff I just mentioned. I enjoy the benefits of technology just as everyone else does. And I also believe that modern medicine (drugs, surgery, therapy, immunizations, etc.) should be administered to everyone in need. But what effect does this technology have on us as a species?

In order to sustain life, a species needs to be able to adapt to a changing environment. This is made possible by evolution. Evolution can be summarized as a series of genetic mutations inherited from the next generation. There are several reasons why genetic mutations occur. Sexual reproduction, environmental changes, agents such as radiation, and errors that occur during DNA replication, are all examples of mutagens (events that trigger genetic mutations). Evolution aids in the continuing struggle for survival of life on Earth. However, evolution is very slow, and a species will more likely become extinct before it can evolve in order to adapt to a rapid dramatic change in the environment. Evolution also requires large amounts of ideal DNA samples to be passed on through sexual reproduction. Who or what determines the source of ideal DNA? The answer is natural selection, commonly referred to as “survival of the fittest”. In order to ensure that only optimal DNA is passed on to the next generation, a species is constantly subject to natural selection. Without it, evolution decreases in both speed and magnitude, as if it wasn’t slow enough already! Natural selection is designed to prevent the old, weak, sick, and inferior specimens from passing their genetic material to the next generation. This way, only the best DNA samples are incorporated into the next generation, strengthening the species. Evolution is an important element of survival on earth.

So what does all this evolution and natural selection have to do with technology? Let’s start with modern medicine. I want you to understand that I am not opposed to modern medicine, but take a minute to think of the effect it has on our species. Modern medicine protects the very specimens that natural selection is designed to eliminate, allowing for more inferior genetic material to be passed to the next generation, thus decreasing the effectiveness of our evolution. It may even allow damaged and negatively mutated DNA, i.e. a mutation caused by an agent such as radiation, to be passed to the next generation, essentially weakening our species, and possibly introducing new diseases into our world. This may be the cause of cancer. Who knows? Without modern medicine, a diseased, weak or injured specimen would be eliminated via natural selection, unable to contribute its genetic makeup to future generations.

Besides modern medicine, the development and utilization of weapons contributes to the failure of natural selection, allowing more specimens to survive and reproduce. Weapons were first used by early humans to defend themselves from predators. Not long after, they used weapons to acquire sources of food that were once difficult to obtain. As our species and technology continued to evolve, we eventually climbed to the top of the food chain, effectively eliminating the threat of predators, and disrupting the fragile equilibrium of the ecosystem. Now, the only hazards to humans are other humans, as well as the environment, disease, and the very technology we have created.



Assuming that there are no catastrophic disasters, i.e. sudden extreme climate change, meteor strike, nuclear war, etc., we will inevitably reach a point at which the need for evolution approaches zero. The planet and its environment will continue to change, while the evolution of our species has slowed to a halt. Once that point is reached, the survival of our species will depend on the utilization of technology, as well as the development of new technology, in order to sustain our life on earth. The dependency of technology by humans has already begun, and is continuously increasing, as well as the weakening of our species, decreasing the long-term probability of the survival of the human race.
on 2 comments:
Labels:
Subscribe to: Posts (Atom)