OWASP Code Review Guide V1.1 2008

OWASP CODE REVIEW GUIDE 2008 V1.1

© 2002-2008 OWASP Foundation

This document is licensed under the Creative Commons Attribution Share Alike 3.0 license. You must attribute your version to the OWASP Code Review Guide or the OWASP Foundation.

Table of Contents

Foreword by Jeff Williams, OWASP Chair ... 4
Welcome to the OWASP Code Review Guide 1.1 ... 6
About The Open Web Application Security Project ... 8
Code Review Guide History ... 10
Introduction ... 11
Preparation ... 13
Security Code Review in the SDLC ... 16
Security Code Review Coverage ... 18
Application Threat Modeling ... 22
Code Review Metrics ... 45
Crawling code ... 49
Searching for code in J2EE/Java ... 56
Searching for code in Classic ASP ... 60
Javascript / Web 2.0 keywords and pointers ... 63
Code review and PCI DSS ... 64
Reviewing by technical control: Authentication ... 66
Reviewing by technical control: Authorization ... 73
Reviewing by technical control: Session Management ... 78
Reviewing by technical control: Input Validation ... 81
Reviewing by technical control: Error Handling ... 83
Reviewing by technical control: Secure application deployment ... 95
Reviewing by technical control: Cryptographic controls ... 99
Reviewing Code for Buffer Overruns and Overflows ... 112
Reviewing Code for OS Injection ... 117
Reviewing Code for SQL Injection ... 121
Reviewing Code for Data Validation ... 127
Reviewing Code for Cross-site scripting ... 141
Reviewing code for Cross-Site Request Forgery issues ... 148
Reviewing Code for Logging Issues ... 153
Reviewing Code for Session Integrity issues ... 158
Reviewing Code for Race Conditions ... 161
Additional security considerations ... 163
Java gotchas ... 164
Java leading security practice ... 170
Classic ASP Design Mistakes ... 173
PHP Security Leading Practice ... 177
Strings and Integers ... 180
Reviewing MySQL Security ... 184
Reviewing Flash Applications ... 187
Reviewing Web services ... 190
How to write an application code review finding ... 192
Automated Code Review ... 195
Tool Deployment Model ... 196
The OWASP Orizon Framework ... 197
The OWASP Code Review Top 9 ... 208
Guide References ... 216

FOREWORD BY JEFF WILLIAMS, OWASP CHAIR

Many organizations have realized that their code is not as secure as they may have thought. Now they're starting the difficult work of verifying the security of their applications.

There are four basic techniques for analyzing the security of a software application - automated scanning, manual penetration testing, static analysis, and manual code review. This OWASP Guide is focused on the last of these techniques. Of course, all of these techniques have their strengths, weaknesses, sweet spots, and blind spots. Arguments about which technique is the best are like arguing whether a hammer or saw is more valuable when building a house. If you try to build a house with just a hammer, you'll do a terrible job. More important than the tool is probably the person holding the hammer anyway.

The OWASP guides are intended to teach you how to use these techniques. But the fact that they are separate shouldn't be an indicator that they should be used alone. The Development Guide shows your project how to architect and build a secure application,