November 3, 2015

Handling Software Vulnerabilities, Part III

This is the third and final part of this three-part blog series on how to handle different software vulnerabilities. In the first part, I explained one of the most important and widespread attacks, injection attacks, and some workarounds to mitigate them. In the second part, I explained cross-site scripting (XSS) attacks and cross-site request forgery (CSRF) attacks. In this part, we look into unvalidated redirects and security misconfigurations.

#4 Unvalidated redirects and forwards

During the development of a web application, you’re often required to redirect users from one page to another or to use internal forwards. An Unvalidated URL Redirect attack occurs when the application takes the URL to which it redirects the user from GET or POST parameters or from another untrusted source. Sometimes the target URL is specified in unvalidated parameters or in the query string itself. If there is no check on the validity of the redirect target, then the user may be sent to an attacker-controlled site or page. The primary goal of this attack is then to execute a phishing attack or to trick the user into downloading malicious software. As an example, consider the URL If the web application fails to check the value of the URL parameter, then the user will be transferred to the attacker-controlled site, www. Since the URL looks authentic (it points to and the user trusts the domain, they may be tempted to trust the redirection. Consider the following code snippet demonstrating a piece of vulnerable code:

    protected void btnUnsafe_Click(object sender, EventArgs e)

This lets an attacker redirect a user to the attacker’s site. That site might be designed to look like yours so as to steal the user’s credentials or other confidential information.

What are the risks?

These attacks may result in a user visiting the attacker’s site, which might result in the installation of malware on the user’s system or in the disclosure of the user’s password or other sensitive information to the attacker.

How do we fix this?

You can use redirects safely by following either of these methods:

  1. Don’t involve user-supplied values in calculating the destination URL
  2. If user-supplied values can’t be avoided in calculating the destination URL, encode the user input and validate the values before using them

The following code snippet demonstrates how to safely encode the user-supplied values before using them for a redirect:

    protected void btnSafe_Click(object sender, EventArgs e)

What advantage will it give?
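The post shows only the signature of the safe handler, so here is an added example (not code from the original post) of the second method above: the redirect target taken from the request is validated against a fixed rule before `Response.Redirect` is ever called. `RedirectValidator`, the allow-listed hosts and the `returnUrl` parameter name are assumptions made for this example. The class is written as a stand-alone console program so it can be run without a web server; the WebForms handler that would use it is shown as a comment at the end because it needs `System.Web`.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the original post. Validates a user-supplied
// redirect target instead of trusting it; names here are hypothetical.
public static class RedirectValidator
{
    // External hosts this application is willing to send users to (constructed sample).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "www.example.com",
            "login.example.com",
        };

    // True only if 'target' stays on this site or goes to an allow-listed host.
    public static bool IsSafeRedirectTarget(string target)
    {
        if (string.IsNullOrWhiteSpace(target))
            return false;

        target = target.Trim();

        // App-relative ("~/orders") is treated like site-relative ("/orders").
        if (target.StartsWith("~/", StringComparison.Ordinal))
            target = target.Substring(1);

        if (target.StartsWith("/", StringComparison.Ordinal))
        {
            // Browsers read "//host/..." and "/\host/..." as protocol-relative URLs
            // to another host, so a local path may begin with only a single slash.
            bool protocolRelative = target.StartsWith("//", StringComparison.Ordinal)
                                 || target.StartsWith("/\\", StringComparison.Ordinal);
            return !protocolRelative;
        }

        // Anything else must parse as an absolute http(s) URL to an allowed host.
        Uri uri;
        if (!Uri.TryCreate(target, UriKind.Absolute, out uri))
            return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;
        return AllowedHosts.Contains(uri.Host);
    }

    // The URL to actually redirect to: the validated target, or a fixed safe default.
    public static string SafeDestination(string requestedTarget, string fallback = "/")
    {
        return IsSafeRedirectTarget(requestedTarget) ? requestedTarget : fallback;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values, as they might arrive in a ?returnUrl= parameter.
        string[] samples =
        {
            "/account/home",
            "~/orders",
            "//attacker.invalid/login",
            "/\\attacker.invalid",
            "https://www.example.com/help",
            "https://attacker.invalid/",
            "javascript:alert(1)",
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-32} -> {1}", s, RedirectValidator.SafeDestination(s));
    }
}

// In the page's code-behind the safe handler would then look like this
// (hypothetical parameter name "returnUrl"):
//
// protected void btnSafe_Click(object sender, EventArgs e)
// {
//     string requested = Request.QueryString["returnUrl"];
//     Response.Redirect(RedirectValidator.SafeDestination(requested));
// }
```

Running the program prints each sample next to the destination the handler would actually use: site-relative paths and allow-listed hosts pass through, everything else falls back to `/`. Encoding the value, as the post suggests, stops it from breaking the URL or the page, but it is the validation step that keeps the user on a host you trust, which is why the check rejects protocol-relative paths and non-http schemes as well as unknown hosts.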

#5 Security misconfigurations

Improper server or web application configuration leads to various flaws, which could result in your application becoming vulnerable to various attacks. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Vulnerabilities in the Security Misconfiguration category allow attackers to take advantage of various server or application features intended for debugging or for test environments to launch an attack. Such flaws include, but are not limited to:

  1. Debugging enabled
  2. Incorrect folder permissions
  3. Using default credentials
  4. Being able to remotely access setup or server management pages

What are the risks?

The system could be completely compromised before you realize it. All of your data could be stolen or modified slowly over time. Your application is vulnerable to attacks if any of these is true for you:

  1. Is any of your software out of date? This includes the OS, Web/App Server, DBMS, applications, and all code libraries
  2. Are any unnecessary features enabled or installed (e.g. ports, services, pages, accounts, privileges)?
  3. Are default accounts and their passwords still enabled and unchanged?
  4. Does your error handling reveal stack traces or other overly informative error messages to users?
  5. Are the security settings in your development frameworks and libraries not set to secure values?

How do we fix this?

You can prevent such issues by ensuring that your servers are configured securely. Below are some suggestions:

  • The principle of least privilege should be followed
  • Many servers these days come with debugging and management features turned off by default. Pay extra care while enabling any such feature
  • Disable default credentials and keep directory listing disabled
  • A process of deploying all new software updates and patches in a timely manner should be followed, because Microsoft keeps releasing security patches for potential vulnerabilities almost every month
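Several of the items above (debugging enabled, stack traces shown to users, directory listing) correspond to specific settings in an ASP.NET `web.config`, so they can be checked mechanically. The following is an added example, not code from the original post: `WebConfigAudit` and the two sample configurations are constructed for this example. It scans a config file for the weak values and reports them, and the `Main` method runs it over an unhardened development config and over the same file with production values.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Added example, not code from the original post. Flags the ASP.NET web.config
// settings behind common security misconfigurations; names are hypothetical.
public static class WebConfigAudit
{
    public static List<string> FindIssues(string webConfigXml)
    {
        var issues = new List<string>();
        XDocument doc = XDocument.Parse(webConfigXml);

        // <compilation debug="true"> deploys debug builds with longer request timeouts.
        foreach (XElement e in doc.Descendants("compilation"))
            if (AttrIs(e, "debug", "true"))
                issues.Add("system.web/compilation debug=\"true\": set debug=\"false\" for production");

        // <customErrors mode="Off"> sends the full ASP.NET error page (stack trace,
        // source paths, version) to every client. "RemoteOnly" keeps it for localhost.
        foreach (XElement e in doc.Descendants("customErrors"))
            if (AttrIs(e, "mode", "Off"))
                issues.Add("system.web/customErrors mode=\"Off\": use mode=\"RemoteOnly\" or \"On\"");

        // <trace enabled="true" localOnly="false"> exposes trace.axd, with request
        // details and server variables, to remote users. localOnly defaults to true.
        foreach (XElement e in doc.Descendants("trace"))
            if (AttrIs(e, "enabled", "true") && AttrIs(e, "localOnly", "false"))
                issues.Add("system.web/trace is enabled for remote clients: disable it or set localOnly=\"true\"");

        // <directoryBrowse enabled="true"> lists folder contents where no default page exists.
        foreach (XElement e in doc.Descendants("directoryBrowse"))
            if (AttrIs(e, "enabled", "true"))
                issues.Add("system.webServer/directoryBrowse enabled=\"true\": set enabled=\"false\"");

        return issues;
    }

    // Case-insensitive attribute comparison; a missing attribute never matches.
    private static bool AttrIs(XElement e, string name, string expected)
    {
        string value = (string)e.Attribute(name);
        return string.Equals(value, expected, StringComparison.OrdinalIgnoreCase);
    }
}

public static class Program
{
    // Constructed sample: a development web.config that was never hardened.
    public const string Insecure = @"<?xml version=""1.0""?>
<configuration>
  <system.web>
    <compilation debug=""true"" targetFramework=""4.5"" />
    <customErrors mode=""Off"" />
    <trace enabled=""true"" localOnly=""false"" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled=""true"" />
  </system.webServer>
</configuration>";

    // Constructed sample: the same file with production values.
    public const string Hardened = @"<?xml version=""1.0""?>
<configuration>
  <system.web>
    <compilation debug=""false"" targetFramework=""4.5"" />
    <customErrors mode=""RemoteOnly"" defaultRedirect=""~/Error.aspx"" />
    <trace enabled=""false"" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled=""false"" />
  </system.webServer>
</configuration>";

    public static void Main()
    {
        var configs = new[] { Tuple.Create("insecure", Insecure), Tuple.Create("hardened", Hardened) };
        foreach (var named in configs)
        {
            List<string> issues = WebConfigAudit.FindIssues(named.Item2);
            Console.WriteLine("{0}: {1} issue(s)", named.Item1, issues.Count);
            foreach (string issue in issues)
                Console.WriteLine("  - " + issue);
        }
    }
}
```

The check is deliberately narrow: it reads attribute values only and does not try to model inheritance from `machine.config` or `<location>` overrides, so treat an empty result as "nothing obviously wrong in this file" rather than as proof the server is hardened. A check like this fits naturally into a build or deployment step, which is where the post's advice that developers and administrators work together on configuration becomes concrete.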

Besides these countermeasures, tools like “AppScan Standard” can be used to identify common security configuration issues. Software security is a broad topic to explain, and even a three-part blog can’t cover everything regarding common vulnerabilities. I tried to squeeze the most common and critical categories of vulnerabilities into this blog. Every developer should be aware of these security issues and their countermeasures while working on a web-based application; otherwise your application is prone to various attacks. This not only affects the ability of your application to function, but also compromises data confidentiality and the goodwill of you and your clients. Thanks for reading this. Happy coding!