Search
Calendar
May 2025
S M T W T F S
« Apr    
 123
45678910
11121314151617
18192021222324
25262728293031
Tags
Android BEA CTO DBunit Devoxx Eclipse EJB ESB Groovy GWT Hibernate IntelliJ IDEA Java JDBC Jetty JMS Jonathan Lalou JSF JSF2 JUnit long tweet Maven Maven 2 Maven 3 MS-DOS Mule Mule ESB Oracle Oracle Coherence PyData2024 Python recommendation Sonar Spring SQL Tangosol Tibco TibcoRV Tomcat tutorial Unix Weblogic Weblogic 10 XML XSD
Last posts
Archives

PostHeaderIcon 5 Classic Software Security Holes Every Developer Should Know

Author: Jonathan Lalou

As software developers, we’re the first line of defense against malicious actors trying to exploit our systems. Understanding common security vulnerabilities is crucial for writing secure and resilient code. Here are 5 classic security holes that every developer should be aware of:

1. SQL Injection

How it works: Attackers inject malicious SQL code into user inputs, such as login forms or search fields, to manipulate database queries. This can allow them to bypass authentication, retrieve sensitive data, or even modify or delete database records.

Example:

Vulnerable Code (PHP):


$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($connection, $query);

Exploit:

An attacker could enter a username like ' OR '1'='1 and a password like ' OR '1'='1. This would modify the query to SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1', which will always evaluate to true, granting them access without the correct credentials.

Prevention/Fix:

  • Use parameterized queries or prepared statements: These techniques separate the SQL code from the user-supplied data, preventing the data from being interpreted as code.

Secure Code (PHP):


$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username = ? AND password = ?";
$stmt = mysqli_prepare($connection, $query);
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
  • Principle of Least Privilege: Ensure that the database user has only the minimum necessary permissions.
  • Input validation: Sanitize and validate all user inputs to ensure they conform to the expected format and do not contain malicious characters.

2. Cross-Site Scripting (XSS)

How it works: Attackers inject malicious scripts, typically JavaScript, into websites viewed by other users. These scripts can then steal session cookies, hijack user accounts, or deface the website.

Example:

Vulnerable Code (PHP):


echo "<div>" . $_GET['comment'] . "</div>";

Exploit:

An attacker could submit a comment containing <script>alert('You have been hacked!');</script>. When other users view the comment, the script will execute in their browsers, displaying an alert. A more sophisticated attack could steal the user’s session cookie and send it to the attacker’s server.

Prevention/Fix:

  • Output encoding: Encode all user-generated content before displaying it on the page. This ensures that any HTML tags or JavaScript code is treated as text, not code.

Secure Code (PHP):


echo "<div>" . htmlspecialchars($_GET['comment'], ENT_QUOTES, 'UTF-8') . "</div>";
  • Input validation: Sanitize user input to remove any potentially malicious code.
  • Content Security Policy (CSP): Implement a CSP to control which resources (scripts, styles, etc.) the browser is allowed to load.

3. Buffer Overflow

How it works: A buffer overflow occurs when a program writes more data to a buffer than it can hold, overwriting adjacent memory locations. This can lead to program crashes, data corruption, or, in the worst case, arbitrary code execution.

Example:

Vulnerable Code (C):


#include <string.h>
void vulnerable_function(char *input) {
  char buffer[10];
  strcpy(buffer, input); // Vulnerable function
}
int main() {
  char user_input[20] = "This is too long!";
  vulnerable_function(user_input);
  return 0;
}

Exploit:

In this example, strcpy doesn’t check the size of input. If input is longer than 10 bytes, it will write beyond the bounds of buffer, potentially corrupting the stack and allowing an attacker to overwrite the return address to execute malicious code.

Prevention/Fix:

  • Use safe string handling functions: Use functions like strncpy() or snprintf() that take a maximum length argument and prevent writing past the end of the buffer.

Secure Code (C):


#include <string.h>
void secure_function(char *input) {
  char buffer[10];
  strncpy(buffer, input, sizeof(buffer) - 1); // Safe function
  buffer[sizeof(buffer) - 1] = '\0'; // Ensure null termination
}
int main() {
  char user_input[20] = "This is too long!";
  secure_function(user_input);
  return 0;
}
  • Bounds checking: Always check the size of the input data before writing it to a buffer.
  • Use a memory-safe language: Languages like Java and C# perform automatic bounds checking and memory management, making buffer overflows much less common.

4. Insecure Deserialization

How it works: Deserialization is the process of converting serialized data (e.g., JSON, XML) back into an object. Insecure deserialization vulnerabilities occur when an application deserializes untrusted data without proper validation. This can allow attackers to manipulate the deserialized object and execute arbitrary code.

Example:

Vulnerable Code (Python):


import pickle
import base64
from flask import Flask, request

app = Flask(__name__)

@app.route('/unserialize', methods=['POST'])
def unserialize_data():
    pickled_data = base64.b64decode(request.data)
    data = pickle.loads(pickled_data) # Vulnerable
    return f"Deserialized data: {data}"

if __name__ == '__main__':
    app.run(debug=True)

Exploit:

An attacker could craft a malicious pickle payload that, when deserialized, executes arbitrary code. For example, using os.system to run a command.

Prevention/Fix:

  • Never deserialize data from untrusted sources: If possible, avoid deserializing data from external sources altogether.
  • Use secure serialization formats: Use formats like JSON that have a simpler structure and are less prone to code execution vulnerabilities.
  • Validate serialized data: If you must deserialize untrusted data, validate its integrity and structure before deserializing it. Use digital signatures or message authentication codes.
  • Principle of Least Privilege: Run deserialization code with the lowest privileges possible.

Secure Code (Python):


import json
from flask import Flask, request

app = Flask(__name__)

@app.route('/unserialize', methods=['POST'])
def unserialize_data():
    data = json.loads(request.data) # Use json
    return f"Deserialized data: {data}"

if __name__ == '__main__':
    app.run(debug=True)

5. Broken Authentication and Session Management

How it works: These vulnerabilities relate to how applications handle user authentication and session management. If these processes are not implemented securely, attackers can steal credentials, hijack user sessions, and gain unauthorized access to sensitive data.

Example:

Broken Authentication (PHP):


$username = $_POST['username'];
$password = $_POST['password'];
// Vulnerable:  No password hashing
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($connection, $query);
if (mysqli_num_rows($result) > 0) {
  // Login successful
  session_start();
  $_SESSION['username'] = $username;
}

Exploit:

An attacker could steal the password from the database if it’s stored in plaintext.

Broken Session Management (PHP):


session_start();
$session_id = rand(); // Predictable session ID
setcookie('session_id', $session_id);
$_SESSION['user_id'] = 123;

Exploit:

An attacker could predict the session ID and hijack another user’s session.

Prevention/Fix:

  • Use strong password hashing algorithms: Use algorithms like bcrypt or Argon2 to hash passwords. Avoid storing passwords in plaintext.

Secure Code (PHP):


$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($connection, $query);
$user = mysqli_fetch_assoc($result);
if (password_verify($password, $user['password'])) { // Use password_verify
  // Login successful
  session_start();
  $_SESSION['username'] = $username;
}
  • Implement secure session management:

Generate session IDs using a cryptographically secure random number generator.

Secure Code (PHP):


session_start();
$session_id = session_create_id();
setcookie('session_id', $session_id, ['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
$_SESSION['user_id'] = 123;
  • Protect session IDs from disclosure (e.g., by using HTTPS).
  • Implement session timeouts to limit the duration of a session.
  • Implement mechanisms to prevent session fixation and session hijacking.
  • Multi-factor authentication (MFA): Implement MFA to add an extra layer of security to the authentication process.

By understanding these common vulnerabilities and implementing the recommended prevention techniques, developers can significantly improve the security of their software and protect their users from harm. #security #softwaresecurity #vulnerability #coding #programming

Posted in en-US | Tags:

Leave a Reply

(c) 2008 Jonathan Lalou's blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.