Tuesday, April 24, 2007

Defense against Hackers: A Crash Course in Defensive Programming


There are a number of reasons why a hacker would spend time attempting to compromise a system: political motives, financial exploitation via blackmail, a disgruntled employee seeking revenge, recognition among fellow hackers, and/or boredom. Whatever the reason, we as programmers should do our due diligence to make the hacker's job as difficult as possible, and provide a means of tracking down a system that has been compromised. This blog posting details some common methods used to gain unauthorized access to company resources. These resources could be personnel data, customer information, and/or any type of sensitive material that a company would not want disclosed to the public. It is beyond the scope of this document to list all means of hacker defense, but I can show you how to write applications that are not as vulnerable to attack. Hackers typically use the following means to attack websites: Cross Site Scripting (XSS) and SQL Injection.


Cross Site Scripting

An XSS attack can occur when unfiltered control characters are passed via a
web browser to a web server.

  • Type 0 – An HTML request references an HTML page on a user's system and injects a script that runs with full user privileges.
  • Type 1 – HTML request parameter data is unfiltered and used directly to display data on the resulting page.
  • Type 2 – HTML request parameter data is unfiltered and persisted to storage. The unfiltered data is later viewed by other users. Examples: message board chats and blog posts.

Risks

  • Loss of data
  • Data corruption
  • Unintended data exposure

Defense

  1. Use a web tier validation mechanism such as Struts Validator or a Servlet Filter to validate all user data. No data should be trusted as being valid.
  2. Use the java.util.regex.Pattern and java.util.regex.Matcher classes to validate data.
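
The two defenses above combined in one place, as an added example that is not code from the original post: a hypothetical Servlet Filter (the class name and the whitelist pattern are my assumptions) that runs every request parameter through a java.util.regex.Pattern before the request reaches any servlet.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class InputValidationFilter implements Filter
{
    // Whitelist (an assumption for this example): letters, digits, space and a few
    // punctuation marks, 1 to 200 characters. Markup characters (< > " ' &) and
    // control characters never match, so they never reach the application.
    private static final Pattern SAFE_TEXT = Pattern.compile("[\\p{Alnum} .,_@-]{1,200}");

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException
    {
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements())
        {
            String name = (String) names.nextElement();
            String[] values = request.getParameterValues(name);
            for (int i = 0; i < values.length; i++)
            {
                if (!isSafe(values[i]))
                {
                    // Reject without echoing the name or value back: reflecting
                    // attacker-supplied text into an error page is itself a Type 1 XSS.
                    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(request, response);   // every parameter passed the whitelist
    }

    // matches() anchors the pattern to the whole value, so a script fragment appended
    // to otherwise valid text is still rejected (find() would let it through).
    static boolean isSafe(String value)
    {
        return value != null && SAFE_TEXT.matcher(value).matches();
    }
}
```

Whitelisting stops the control characters this post is concerned with, but a field that must legitimately accept them (a message board post, for example) still needs its output HTML-encoded before it is written into a page.
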
SQL Injection/Insertion Attack

Definition

A SQL Injection/Insertion attack can occur when unfiltered control characters are passed to a SQL statement. The UI tier of an application is supposed to filter data before it goes to the business and persistence tiers; however, these attacks can also occur if a web service is improperly written. Web services are exposed to a potentially unlimited number and type of clients.

Risks

  • Loss of data
    • Data could be deleted from a given table
    • Table could be dropped
  • Data corruption
    • Unwanted data could be put into the database
    • Data referential integrity could be corrupted.
  • Unintended data exposure

Sample Vulnerable Code

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;

// Deliberately vulnerable: accountNumber is concatenated straight into the SQL text,
// so a value containing a quote character changes the meaning of the statement.
public Accounts[] someVulnerableMethod(String accountNumber)
{
    Statement vulnerableStatement;
    String sqlStatement = "SELECT * FROM MASTER_ACCOUNTS WHERE account_number = '"
            + accountNumber + "';";
    try
    {
        vulnerableStatement = conn.createStatement();
        ResultSet rs = vulnerableStatement.executeQuery(sqlStatement);
        // ... map the rows of rs to Accounts objects ...
    }
    catch (Exception ex)
    {
        // Swallowing the exception also hides the evidence of an attack attempt.
    }
    return new Accounts[0];
}

Defense

  1. Use the java.util.regex.Pattern and java.util.regex.Matcher classes to validate data.
  2. Use PreparedStatement instead of Statement.
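The hardened counterpart of the vulnerable method above, as an added example rather than code from the original post: a whitelist check with Pattern/Matcher followed by a PreparedStatement. The DAO class name, the digits-only account number format and the owner_name column are assumptions standing in for the real MASTER_ACCOUNTS layout.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class AccountDao
{
    // Assumption: an account number is 6 to 12 digits. Anything else is rejected
    // before it gets anywhere near the database.
    private static final Pattern ACCOUNT_NUMBER = Pattern.compile("\\d{6,12}");

    private final Connection conn;

    public AccountDao(Connection conn) { this.conn = conn; }

    // Same lookup as someVulnerableMethod, with both defenses from the list above.
    // The owner_name column is an assumption for this example.
    public List<String> findOwners(String accountNumber) throws SQLException
    {
        // Defense 1: whitelist validation with Pattern/Matcher.
        if (accountNumber == null || !ACCOUNT_NUMBER.matcher(accountNumber).matches())
        {
            throw new IllegalArgumentException("malformed account number");
        }
        // Defense 2: PreparedStatement. The ? is bound as a value by the driver, so a
        // quote or semicolon inside accountNumber can never terminate the SQL string.
        String sql = "SELECT owner_name FROM MASTER_ACCOUNTS WHERE account_number = ?";
        PreparedStatement stmt = conn.prepareStatement(sql);
        try
        {
            stmt.setString(1, accountNumber);
            ResultSet rs = stmt.executeQuery();
            List<String> owners = new ArrayList<String>();
            while (rs.next())
            {
                owners.add(rs.getString("owner_name"));
            }
            return owners;
        }
        finally
        {
            stmt.close();   // release the statement even when the query throws
        }
    }
}
```

Validation catches bad input early, but the PreparedStatement is the defense that still holds when a field must legitimately contain a quote, such as a surname like O'Brien.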

Conclusion

The techniques discussed in this posting will keep the less experienced hackers
from damaging your website. Make sure that you keep a watchful eye out for OS and
application server vulnerabilities. Keep track of your software versions--this
includes third party libraries and database drivers.

Sunday, December 24, 2006

XML for the Java Programmer: XMLBeans

There are a number of ways to manipulate XML using Java. One could use DOM, SAX, a custom API, and/or XMLBeans. However, XMLBeans provides an easy way to create Java objects that represent XML documents. Not only does one not have to write XML-specific code, but all code related to manipulating the XML documents is generated automatically.

XMLBeans is an open source framework for accessing XML documents via bound Java objects. The elegance of this framework lies in the fact that one only needs to create an XSD in order to generate the Java objects. The generated Java objects allow complete access to the XML document that is described by the given XSD.

BEA donated the XMLBeans project to Apache, where it is hosted as a top level project. XMLBeans is used by a number of vendors; BEA has incorporated it into Weblogic Workshop. To create XMLBeans in Workshop you do the following: create a project if one does not already exist, and place a copy of your XSDs inside the default "Schemas" folder. If the "Schemas" folder does not exist, right click on your project and create a new schema project. After you have copied the XSD files into your schema folder, all of the classes for manipulating your XML document are created automatically. Each time an XSD file changes, the corresponding Java objects are updated.

For example, suppose that we have to manage a collection of employee records that are written in XML. Each record has the following information: first name, last name, middle name, title, and date of birth. The resulting XML may look as follows:

<EmployeeData xmlns="http://temp.openuri.org/EmployeeSample/Employee.xsd">
  <employee>
    <title>Programmer</title>
    <firstName>John</firstName>
    <lastName>Doe</lastName>
    <middleName>Wayne</middleName>
    <dob>2006-12-26-05:00</dob>
  </employee>
  <employee>
    <title>Agent</title>
    <firstName>John</firstName>
    <lastName>Tucker</lastName>
    <middleName>Smith</middleName>
    <dob>2006-12-26-05:00</dob>
  </employee>
</EmployeeData>

The following is the XSD file that is used to write a compliant Employee XML file:
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:tns="http://temp.openuri.org/EmployeeSample/Employee.xsd"
           targetNamespace="http://temp.openuri.org/EmployeeSample/Employee.xsd"
           elementFormDefault="qualified" attributeFormDefault="unqualified">
  <!-- Root element; its type is anonymous, so XMLBeans generates it as a nested class -->
  <xs:element name="EmployeeData">
    <xs:complexType>
      <xs:sequence>
        <!-- Element name matches the <employee> elements in the sample document -->
        <xs:element name="employee" type="tns:employee" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Named types must be direct children of xs:schema -->
  <xs:complexType name="employee">
    <xs:sequence>
      <xs:element name="title" type="xs:string"/>
      <xs:element name="firstName" type="xs:string"/>
      <xs:element name="lastName" type="xs:string"/>
      <xs:element name="middleName" type="xs:string"/>
      <xs:element name="dob" type="xs:date"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>

If you place the given XSD in a schema folder, the following classes will be generated for you automatically: Employee, EmployeeDataDocument, and EmployeeData. The document class has a number of parse methods for loading compliant XML files, and various save methods to persist the XML file. The Employee and EmployeeData objects have the usual getter and setter methods for data manipulation.
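
A round trip through the generated classes, as an added example that is not from the original post or the XMLBeans project: build an EmployeeData document, validate it against the schema, serialize it, and parse it back. It assumes the schema's element is named employee (as in the sample document), that XMLBeans derived the package name org.openuri.temp.employeeSample.employee from the target namespace, and that the accessor names follow XMLBeans' convention of deriving them from element names.

```java
import java.util.Calendar;
import org.apache.xmlbeans.XmlException;
// Assumption: the package XMLBeans derived from the target namespace. Check the
// generated source tree for the real name.
import org.openuri.temp.employeeSample.employee.Employee;
import org.openuri.temp.employeeSample.employee.EmployeeDataDocument;

public class EmployeeRoundTrip
{
    // Returns the number of employees read back after the round trip.
    public static int roundTrip() throws XmlException
    {
        EmployeeDataDocument doc = EmployeeDataDocument.Factory.newInstance();
        // EmployeeData has an anonymous type in the XSD, so it is a nested class.
        EmployeeDataDocument.EmployeeData data = doc.addNewEmployeeData();

        // addNewEmployee() is generated from the <employee> element (assumed name).
        Employee john = data.addNewEmployee();
        john.setTitle("Programmer");
        john.setFirstName("John");
        john.setMiddleName("Wayne");
        john.setLastName("Doe");
        Calendar dob = Calendar.getInstance();   // xs:date is bound to java.util.Calendar
        dob.set(2006, Calendar.DECEMBER, 26);
        john.setDob(dob);

        // validate() checks the whole tree against Employee.xsd: a missing <lastName>
        // or a <dob> that is not a date makes it return false.
        if (!doc.validate())
        {
            throw new IllegalStateException("document does not conform to Employee.xsd");
        }

        String xml = doc.xmlText();   // same shape as the sample document above
        EmployeeDataDocument parsed = EmployeeDataDocument.Factory.parse(xml);
        return parsed.getEmployeeData().getEmployeeArray().length;
    }
}
```

Parsing with the Factory does not validate by itself; call validate() on untrusted input too, so that malformed records are rejected before they are persisted.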

With XMLBeans, one can generate Java objects that allow you to read, write, and manipulate XML. The Apache XMLBeans project gives developers a means not only to write code that persists to XML documents, but also to write less code, thus saving time and money.

Further Readings
  1. W3C XML Schema Primer
  2. Apache XMLBeans Project
  3. Weblogic Workshop


Tuesday, December 12, 2006

Making Software More Cost Effective

As a software developer and user I am constantly faced with shrinking deadlines, scope changes, and global competitors (outsourcing). When developing software one has the fixed costs of hardware, development tools, and any third-party software that one uses to develop the given piece of software. Then there are the variable costs, which include the number of man hours spent developing code, software documentation, and defect management. Many companies control costs by using one or more of the following methods: Open Source software, high level development tools, and/or packaged software.

Open Source software can be a good way to control your fixed costs. However, one has to ensure that the given Open Source solution does not cause your variable costs to increase. For instance, let's assume that a company has a choice between an open source solution and a proprietary solution, and that the proprietary solution's software license costs 1000 dollars. Let's also assume that the company has to customize each solution, that customizing the open source solution costs 60 dollars per man hour, and that customizing the proprietary solution costs 30 dollars per man hour. The difference in cost per man hour could be due to more advanced development tools, development staff being more familiar with the proprietary solution, and/or the proprietary solution having better APIs. In any case, if the variable cost of the proprietary solution is less than that of the open source solution, the company should examine not only how many development hours it takes to implement the open source solution, but also how long the given solution will persist in the enterprise before life cycle retirement. In the aforementioned scenario, the Open Source solution costs as much as the proprietary solution after only 33.33 development hours. If more than 33.33 development hours are spent, the proprietary solution is more cost effective. The following graph illustrates the cost of each solution.


High level development tools, languages and APIs are among the most effective ways of controlling costs. For instance, many web developers are comfortable writing software using tools such as vi and Notepad. However, many of the newer development tools offer time saving features such as code completion, code generation, and/or a visual development environment.

Architects and analysts should never ignore variable costs when implementing solutions and selecting products. Although it could be tempting to deliver a solution that has cheap fixed costs, in the long term you may be delivering a more expensive solution.
