Avoiding the CWE/SANS Top 25 Most Dangerous Programming Errors

Links from the class materials and other supplemental information, grouped by chapter:

Chapter 1: Introduction

Chapter 2: Secure Software Engineering

Links from the text:

• Software Vulnerability Disclosure: The Chilling Effect by Scott Berinato
• T.J. Maxx Security Breach Costs Soar To 10 Times Earlier Estimate by Sharon Gaudin
• In Legal First, Data-Breach Suit Targets Auditor by Kim Zetter
• Sarbases-Oxley
• HIPAA
• PCI-DSS standards
• Family Educational Rights and Privacy Act (FERPA)
• Gramm-Leach-Bliley
• Federal Information Security Management Act of 2002
• Federal Reserve Information Security Standards
• Symantec Internet Security Threat Report, volume XIII
• XSSed archive
• Common Vulnerabilities and Exposures (CVE)
• Common Weakness Enumeration (CWE)
• 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (CWE side)
• CWE/SANS TOP 25 Most Dangerous Programming Errors (SANS side)
• Common Attack Pattern Enumeration and Classification (CAPEC)
• Open Web Application Security Project (OWASP)
• OWASP Top Ten Project

Chapter 3: Security and the software development life cycle

Links from the text:

• NIST SP 800-64
• Standards for Security Categorization of Federal Information and Information Systems is FIPS 199
• Secure Software Development Life Cycle Processes by Noopur Davis
• The emperor's old clothes by Charles Antony Richard Hoare
• Misuse and Abuse Cases: Getting Past the Positive by Paco Hope and Gary McGraw
• WEP insecurity
• The TI transponder cracking
• Info about the TCP design issues and security
• ``The Code Red Worm'' by Hal Berghel, Communications of the ACM, vol 44, no 12, December, 2001
• CERT Vulnerability Note VU#684820
• Lecture notes for Introduction to Security---Fall '05 by Steve Bellovin
• CERT Secure Coding Standards
• Validating C and C++ for Safety and Security: A structured approach to manual code review
• Nimda information from ``All public hospitals in Gothenburg Sweden crippled by Nimda'' by Peter Hakanson, Forum on Risks to the Public in Computers and Related Systems, ACM Committee on Computers and Public Policy, vol 21, no 67, October, 2001
• Morris worm information
• Inside the Slammer worm by Moore et al.
• Misplaced Trust: Kerberos 4 Session Keys in Proceedings of the 1997 Symposium on Network and Distributed System Security
• CERT Vulnerability Note VU#623217
• ``A Trend Analysis of Exploitations'' by Hilary K. Browne, John McHugh, William A. Arbaugh, and William L. Fithen, University of Maryland CS department technical report CS-TR-4200 and UMIACS-TR-2000-76
• ``Windows of Vulnerability: A Case Study Analysis'' by William A. Arbaugh, William L. Fithen, and John McHugh, in IEEE Computer Volume: 33, Number: 12, Pages: 52--59

Chapter 4: Input validation

Links from the text:

• CWE-20: Improper Input Validation
• Client Side Data Validation: A False Sense of Security by Tarak Modi
• SecurityFocus bug description for 3D3.Com ShopFactory Shopping Cart Cookie Price Manipulation Vulnerability
• An original BugTraq posting about this error
• Greasemonkey Firefox Add-on
• Javascript form validation---doing it right by Stephen Poley
• A definition of ``paranoid programming''
• Cleaning Up, Mucking Out and Paranoid Programming
• a humorous view of paranoid programming
• OWASP Enterprise Security API (ESAPI)
• Apache Struts
• Apache Commons Validator
• The OS.Path structure
• NTFS alternate data streams
• Java java.io.File getCanonicalPath Method
• OpenTop
• Boost C++ class library
• Canonicalize path names originating from untrusted sources
• More information about Nimda
• The corresponding CERT vulnerability note for IIS
• Another related CERT page
• The Nimda cost
• The Atlanta Business Chronicle's Nimda cost
• Code Red plus Nimda cost $3 billion
• In ``Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks,'' Xu, Bhatkar, \& Sekar review current taint-related research and present a C-to-C translator for implementing fine-grained taint tracking.
• Robustness Testing of Software-Intensive Systems: Explanation and Guide by Julie Cohen, Dan Plakosh, and Kristi Keeler. CMU/SEI-2005-TN-015
• OPEN Process framework (OPF) Robustness Testing

Additional links, not from the course text, or, software needed for the chapter:

FCserver.class
FCserver.java Java version
FCserver.cpp C++ version

Chapter 5: Avoiding SQL injection

Links from the text:

• A tutorial about SQL injection
• Blind SQL injection
• SQL injection from CAPEC
• The xkcd cartoon
• The Mini license plate image
• The Chris Rimmer threat
• java.sql
• CWE-89: Failure to Preserve SQL Query Structure ('SQL Injection')
• SQLAPI++
• The Microsoft Source Code Analyzer for SQL Injection vulnerabilities in ASP code
• Tamper Data for Firefox
• Web Developer toolbar for Firefox
• TamperIE
• Burp suite of tools
• Paros proxy
• WebScarab
• Absinthe
• sqlmap
• sqlninja
• Pangolin
• WITOOL
• SQL injection tools
• SQL Injection Cheat Sheet

Additional links, not from the course text, or, software needed for the chapter:

bblookup.java Java program for lab
postgresql-8.3-605.jdbc4.jar (Java) This class archive might be needed to use the database.

bblookup.cpp C++ program for lab using libpg
To compile:

c++ -lpq -o bblookup bblookup.cpp

bblookup-libpqxx.cpp C++ program for lab using libpqxx
To compile:

c++ -lpq -lpqxx -o bblookup-libpqxx bblookup-libpqxx.cpp

Chapter 6: Avoiding OS command injection

Links from the text:

• MSC33-J. Prevent OS Command Injection
• Command Injection Impossible in Java and .NET?
• Command Injection In Java on Windows: 100\% Proven that it is 100\% Possible (in Certain Cases) by Dan Cornell
• CWE-78: Failure to Preserve OS Command Structure ('OS Command Injection')
• CWE-426: Untrusted Search Path
• CWE-73: External Control of File Name or Path
• Failure to Change Working Directory in chroot Jail
• Argument injection issues
• CAPEC 38, Leveraging/Manipulating Configuration File Search Paths
• The Open Source Vulnerability Database
• Securityfocus.com
• Secunia Advisory and Vulnerability Database search page
• IBM's ISS X-force database

Additional links, not from the course text, or, software needed for the chapter:

c++cmdinject.c
cmdinject.java

Chapter 7: Producing clean output

Links from the text:

• An example set of IRC server commands
• Enterprise Security Application Programming Interface (ESAPI)

Additional links, not from the course text, or, software needed for the chapter:

logbox.jar Run by

java -jar logbox.jar

logbox.zip Source for logbox (from Eclipse).

syslogger.cpp Compile by:

g++ -o syslogger syslogger.cpp

Chapter 8: Cross-site scripting

Links from the text:

• The Cross Site Scripting (XSS) FAQ
• Wikipedia entry on cross-site scripting
• CERT Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests
• Safari Archive JavaScript Same Origin Policy Violation Vulnerability
• Mozilla Firefox Unspecified Javascript Remote Code Execution Vulnerability
• Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability
• Sun Java Runtime Environment Java Plug-in JavaScript Security Restriction Bypass Vulnerability
• Adobe Acrobat JavaScript Parsing Engine Arbitrary Code Execution Vulnerability
• MS Outlook Express 5 Javascript Email Access Vulnerability
• Example ways of session hijacking via XSS
• This link is a simple XSS example
• example of how to DoS the browser
• XSS---Stealing Cookies 101
• Example denial of service XSS attack
• Posting a bogus news message via XSS
• Another, well-written paper that includes posting a bogus story at a news site
• demo JavaScript port scanner
• The XSS worm on MySpace
• A description of the worm from its author
• More from Samy
• The Cross-site Scripting Virus
• XSS (Cross Site Scripting) Cheat Sheet Esp: for filter evasion
• Stored and Reflected XSS attacks at OWASP
• information about using Flash for XSS attacks
• ``How To: Prevent Cross-Site Scripting in ASP.NET''
• Anti-Cross Scripting Library for ASP.NET
• Adding Cross-Site Scripting Protection to ASP.NET 1.0
• Apache Wicket
• HTTPOnly
• XSS (Cross Site Scripting) prevention cheat sheet
• RFC 2396
• OWASP Testing for Cross site scripting
• Acunetix Web Vulnerability Scanner
• XSSPloit
• Pixy
• XSS Rays
• Chorizo
• web-based XSS scanner
• ExploreNM.com
• information about the bogus login screen
• TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks by Amir Herzberg and Ahmad Gbara

Chapter 9: Cross-site request forgery (CSRF)

Links from the text:

• CSRF Vulnerability: A 'Sleeping Giant'
• Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)
• Gmail contact list hijacking (January 2007)
• Gmail filter hijack (September 2007)
• Gmail password change CSRF (March 2009)
• Foiling Cross-Site Attacks
• Jeremiah Grossman's blog
• The Wikipedia entry on CAPTCHA
• The CAPTCHA Project
• Origin header presentation from Stanford
• OWASP CSRFTester
• CAPEC 62
• WebGoat CSRF solution video
• SOMA Firefox add-on
• Content Security Policy

Chapter 10: Logging and error messages

Links from the text:

• CWE-209: Error Message Information Leak
• Information Leakage
• Apache Struts
• tikiwiki 1.9.5 mysql password disclosure \& xss
• Open Source Vulnerability Database (OSVDB)
• Google Hacking Database

Chapter 11: Cryptography Fundamentals

Links from the text:

• Handbook of Applied Cryptography
• An excellent overview of cryptography
• The standards for the SHA series of hashes
• Vlastimil Klima's page on MD5 collisions:
• NIST and approved hash functions
• The American Bar Association Section of Science and Technology Information Security Committee Digital Signature Guidelines Tutorial
• Digital Signature Standard (DSS, also called DSA)
• using RSA for digital signatures
• the TI RFID transponder cracking
• OpenSSL timing attacks
• An alternate version of information about OpenSSL timing attacks
• Why Cryptography Is Harder Than It Looks by Bruce Schneier
• Security Pitfalls in Cryptography by Bruce Schneier
• SHA-1
• SHA-256
• AES
• Block TEA
• RSA

Chapter 12: Using cryptography to enhance security

Links from the text:

• OWASP's Guide to Cryptography
• NIST Special Publications (800 Series)
• FIPS Home Page
• The TI RFID transponder cracking
• WEP insecurity
• Halderman et al., ``Lest We Remember: Cold Boot Attacks on Encryption Keys''
• HP JetDirect password vulnerability
• AccessData
• CERT Advisory CA-1993-15
• Word 98 Insecurity
• Microsoft Security Bulletin (MS98-005) Unwanted Data Issue with Office 98 for the Macintosh
• Microsoft Office Security, part two by Khushbu Jithra
• Guidelines for Extended Validation Certificates
• Security certificate warnings don't work, researchers say by Robert McMillan
• Microsoft Security Bulletin MS01-017
• Microsoft, VeriSign, and Certificate Revocation by Gregory L. Guerin
• Crying Wolf: An Empirical Study of SSL Warning Effectiveness by Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor
• Wikipedia entry on EFF DES cracker
• SHA-1 hash function under pressure
• Schneier on Security, August 17, 2005
• OpenSSL timing attacks
• An alternate version of information about OpenSSL timing attacks
• Smart Card Technology and Security
• Smart Card Security (Section 3)
• The Internet Archive copy of Visual Studio Enables the Programmable Web
• Mark O'Neill's Web Services Security
• Why applying standards to Web services is not enough by Viega, J. and Epstein, J.
• Battered, but not broken: understanding the WPA crack by Glenn Fleishman
• Tutorial: How to Crack WPA/WPA2
• Analysis of the SSL 3.0 protocol by David Wagner and Bruce Schneier
• Nessus
• OpenSSL
• Stunnel
• SSL Digger
• Open Source Vulnerability Database (OSVDB)

Chapter 13: Authentication

Links from the text:

• James L. Wayman, ``Biometric Authentication Technologies: Hype Meets the Test Results''
• MythBusters Fingerprints Busted
• the OWASP Guide to Authentication
• CAPTCHA Security: A Case Study by Jeff Yan and Ahmad Salah El Ahmad
• CWE-259: Hard-Coded Password
• The story behind the Palin e-mail hacking by Michelle Malkin
• Wikipedia entry on Aspect-oriented programming
• A Guide to Building Secure Web Applications and Web Services 2.0 Black Hat Edition by OWASP
• the fake secure login page

Chapter 14: Least privilege

Links from the text:

• Saltzer, J.H. and Schroeder, M.D., The Protection of information in computer systems
• Least Privilege by Sean Barnum and Michael Gegick
• Build Security In Home
• Wikipedia entry on least privilege
• Applying the Principle of Least Privilege to User Accounts on Windows XP
• Least-Privilege Technology Still Swimming Upstream, But Making Progress by Tim Wilson
• The evolution of Java security by Larry Koved, Anthony Nadalin, Don Neal, and Tim Lawson
• Preventing Privilege Escalation by Niels Provos, Markus Friedl and Peter Honeyman, 12th USENIX Security Symposium, Washington, DC, August 2003.
• Information about Gentoo portage and privilege separation
• Postfix information
• Postfix security discussion
• How to design secure network applications based on privilege separation by Denis Ducamp
• picture of OpenSSH privilege separation
• OpenBSD NTP daemon in OpenBSD 3.6 (and later)

Chapter 15: Authorization and Access Control

Links from the text:

• OWASP Guide to Authorization
• Wikipedia page on COBIT
• Wikipedia entry on Discretionary Access Control
• Wikipedia entry on Access Control Lists
• Wikipedia entry on Mandatory Access Control
• The Wikipedia entry on Mandatory Integrity Control in Windows
• Cracking Windows Access Control by Andrey Kolishchak
• Introduction to Windows Integrity Control by Tony Bradley
• The MSDN info on MAC in Windows Vista
• NSA page on SELinux
• SELinux Project Wiki
• NIST Role Based Access Control (RBAC) and Role Based Security
• Wikipedia entry on Role-Based Access Control
• Your Free MacWorld Expo Platinum Pass (valued at $1,695) by Kurt Grutzmacher
• Clickjacking Details
• Introduction to JAAS and Using JAAS
• Java Authentication and Authorization Service (JAAS) Reference Guide
• The JAAS Book
• Java Authorization Contract for Containers
• Authorization concepts and solutions for J2EE applications
• ASP.NET Authorization
• Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
• Open Source Vulnerability Database (OSVDB)
• SecurityFocus

Chapter 16: State and the web

Links from the text:

• gmail bug
• Schneier on Security for November 24, 2005
• The bug report for the Payflow Link vulnerability
• Cart32 vulnerability information
• Other, similar hidden field vulnerabilities
• SecurityFocus.com's search page
• An example of using Java to secure client-side state with hidden forms
• The LinPHA vulnerability
• Perl session cookies
• ASP session cookies
• Java session cookies
• More Java session cookies information
• WHID 2005-61: Gmail session management bug
• FTD.com hole leaks personal information
• Microsoft vulnerability with session identifiers
• An example of exploiting the Hotmail vulnerability
• Microsoft Passport Account Hijack Attack by Obscure
• Huge Hotmail security flaw reported by ZDNN Staff
• A good article with information about how ASP.NET sessions operate
• The Open Source Vulnerability Database
• Securityfocus.com
• National Vulnerability Database
• Add N Edit Cookies

Chapter 17: Stack overflows for C/C++

Chapter 18: Other buffer overflows for C/C++

Chapter 19: Buffer overflows and interpreted languages

Chapter 20: Race conditions

Links from the text:

• Craig Lowery, ``A Tour of TOCTTOUs''
• [8lgm] SunOS passwd advisory
• iDefense MacOS X advisory
• ISS Advisory ``Multiple scripts temporary file overwrite'' (Sep 30, 2004)
• Borisov et al., ``Fixing Races for Fun and Profit,'' 14th USENIX Security Symposium (2005)
• IE5 cross-site scripting exploit using temp file races
• RaceGuard, a Linux kernel modification that can detect race condition attacks on files/tmp
• ISS Security advisory ``Sendmail Remote Signal Handling Vulnerability''
• ``Linux kernel local root vulnerability (ia64 and amd64 ia32 compat.)''

Chapter 21: Resource access

Chapter 22: Resource management

Chapter 23: Coding errors

SkillBridge Training

Examples from the class notes (or, all as one file).

Selected Solutions from the class notes (no looking until you have solved the problems!). Note that all solutions are in an appendix of your course book. All solutions in a compressed tar file.

Evaluation form (if needed)