Defense against Hackers: A Crash Course in Defensive Programming
There are a number of reasons why a hacker would spend time attempting to compromise a system: political motives, financial exploitation via blackmail, a disgruntled employee seeking revenge, recognition among fellow hackers, and/or boredom. Whatever the reason, we as programmers should do our due diligence to make the hacker's job as difficult as possible and to provide a means of tracking down a system that has been compromised. This blog posting details some common methods used to gain unauthorized access to company resources. These resources could be personnel data, customer information, and/or any type of sensitive material that a company would not want disclosed to the public. It is beyond the scope of this document to list all means of hacker defense, but I can show you how to write applications that are not as vulnerable to attack. Hackers typically use the following means to attack websites: Cross Site Scripting (XSS) and SQL Injection.
Cross Site Scripting
An XSS attack can occur when unfiltered control characters are passed via a web browser to a web server.
- Type 0 – An HTML request references an HTML page on a user's system and injects a script that runs with full user privileges.
- Type 1 – HTML request parameter data is unfiltered and used directly to display data on the resulting page.
- Type 2 – HTML request parameter data is unfiltered and persisted to storage; the unfiltered data is later viewed by other users. Examples: message board chats and blog posts.
Risks
- Loss of data
- Data corruption
- Unintended data exposure
- Use a web-tier validation mechanism such as the Struts Validator or a Servlet Filter to validate all user data. No data should be trusted as valid.
- Use the java.util.regex.Pattern and java.util.regex.Matcher classes to validate data.
SQL Injection
Definition
An SQL Injection (Insertion) attack can occur when unfiltered control characters are passed into a SQL statement. The UI tier of an application is supposed to filter data before it reaches the business and persistence tiers; however, these attacks can also occur when a web service is improperly written, because web services are exposed to a potentially unlimited number and variety of clients.
Risks
- Loss of data
  - Data could be deleted from a given table
  - A table could be dropped
- Data corruption
  - Unwanted data could be put into the database
  - Referential integrity of the data could be corrupted
- Unintended data exposure
Sample Vulnerable Code
// Requires java.sql.Statement, java.sql.ResultSet, java.sql.SQLException and a Connection field named conn.
// Vulnerable: the caller-supplied accountNumber is spliced straight into the SQL text.
// A single quote in the input closes the string literal, and whatever follows it is
// executed as SQL; nothing here filters or escapes the value.
public Accounts[] someVulnerableMethod(String accountNumber)
{
    String sqlStatement = "SELECT * FROM MASTER_ACCOUNTS WHERE account_number = '" + accountNumber + "';";
    Statement vulnerableStatement = null;
    try
    {
        vulnerableStatement = conn.createStatement();
        ResultSet rs = vulnerableStatement.executeQuery(sqlStatement);
        return mapRows(rs); // assumed helper that turns ResultSet rows into Accounts objects (not shown in the post)
    }
    catch (SQLException ex)
    {
        // The original swallowed every exception with an empty catch block; at minimum log or rethrow it.
        throw new RuntimeException("account lookup failed", ex);
    }
}
- Use the java.util.regex.Pattern and java.util.regex.Matcher classes to validate data.
- Use PreparedStatement instead of Statement.
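A hardened counterpart to the vulnerable method above, added here as an example and not code from the original post: it combines the regex allow-list validation with Pattern/Matcher recommended for both XSS and SQL injection with a PreparedStatement lookup. It assumes a MASTER_ACCOUNTS table with account_number and owner columns, an Accounts record for result rows (the post's Accounts type is not shown), and that account numbers are 8 to 12 digits.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AccountLookup {
    // Assumed result type: one row of MASTER_ACCOUNTS (the post does not show its Accounts class).
    public record Accounts(String accountNumber, String owner) {}
    // Allow-list: assumption that account numbers are 8 to 12 digits. Because matches()
    // requires the whole string to match, quotes, semicolons, comment markers and tags are rejected.
    private static final Pattern ACCOUNT_NUMBER = Pattern.compile("[0-9]{8,12}");
    private final Connection conn;

    public AccountLookup(Connection conn) { this.conn = conn; }

    // Web-tier style validation with java.util.regex, as the post recommends.
    public static boolean isValidAccountNumber(String accountNumber) {
        if (accountNumber == null) {
            return false;
        }
        Matcher m = ACCOUNT_NUMBER.matcher(accountNumber);
        return m.matches();   // whole-string match, unlike find()
    }

    // Same lookup as the vulnerable method, using PreparedStatement instead of Statement.
    public Accounts[] findAccounts(String accountNumber) throws SQLException {
        if (!isValidAccountNumber(accountNumber)) {
            throw new IllegalArgumentException("account number failed validation");
        }
        // The SQL text is fixed before the value is bound; the driver sends '?' as data,
        // so the input cannot change the statement's structure even if validation is bypassed.
        String sql = "SELECT account_number, owner FROM MASTER_ACCOUNTS WHERE account_number = ?";
        List<Accounts> found = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, accountNumber);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    found.add(new Accounts(rs.getString("account_number"), rs.getString("owner")));
                }
            }
        }
        return found.toArray(new Accounts[0]);
    }
}
```

Validation alone is not a complete defense (a digits-only rule cannot be applied to free-text fields such as names), which is why the parameterised query is still used after it.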
Conclusion
The techniques discussed in this posting will keep the less experienced hackers from damaging your website. Make sure that you keep a watchful eye for OS and application server vulnerabilities. Keep track of your software versions; this includes third-party libraries and database drivers.