2. Bibliography
• OWASP – Open Web Application Security Project – www.owasp.org
• OWASP Code review guide
3. Introduction
• Code reviews:
– Ad hoc reviews
– Pair programming
– Walkthrough
– Team review
– Inspection
• Purpose – security
4. Code review strategies
• Automatic
• Manual – use checklists
– Risk based
– Most encountered programming mistakes
– Mitigation of the most encountered vulnerabilities exploited in the world
– Security best practices
5. Checklist based on best practices
• Authentication
• Authorization
• Session management
• Input validation and output sanitization
6. Checklist based on best practices
To be presented next meeting
• Prevent Cross Site Request Forgery
• Cryptographic controls
• Error handling
• Logging
• Prevent Race conditions
7. Authentication
• Check user is not allowed to choose weak passwords
Bad:
String password = request.getParameter("Password");
// Only rejects a missing value; any non-empty string, however weak, is accepted
if (password == null) {
    throw new InvalidPasswordException();
}
8. Authentication
• Check user is not allowed to choose weak passwords
OK:
// Require 8-30 characters containing a lower-case letter, an upper-case letter,
// a digit and one of the listed punctuation characters
boolean isStrongPassword(String password) {
    if (password.length() < 8 || password.length() > 30) {
        return false;
    }
    return password.matches(".*[a-z].*")
        && password.matches(".*[A-Z].*")
        && password.matches(".*[0-9].*")
        && password.matches(".*[!\"£$%^&*()].*");
}
9. Authentication
• Password storage strategy: hashing using a one-way hash algorithm + salting
OK hashing:
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
// Unsalted one-way hash of the password. SHA-1 is a fast hash and no longer
// recommended; the salted SHA-256 variant on the next slide is the stronger form.
public byte[] getHash(String password) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-1");
    digest.reset();
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}
10. Authentication
• Password storage strategy: hashing using a one-way hash algorithm + salting
OK salting:
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
// Salted one-way hash: the per-user salt is fed in before the password so that
// equal passwords do not produce equal hashes and precomputed tables do not apply
public byte[] getHash(String password, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.reset();
    digest.update(salt);
    return digest.digest(password.getBytes(StandardCharsets.UTF_8));
}
11. Authorization
• Check the access roles matrix and make sure it is created respecting the need-to-know and least-privilege principle
• Check the business logic for errors
Bad:
if (user.equals("NormalUser")) {
    grantUser(Normal_Permissions);
} else { // user must be admin/super
    // Any user name that is not exactly "NormalUser" falls through to the highest privilege
    grantUser(Super_Permissions);
}
12. Authorization
• Check if security by obscurity is used
• Check if authorization is verified for every request
Good:
String action = request.getParameter("action");
if (action.equals("doStuff")) {
    // Look the action up in the session's authorization table before executing it
    boolean permit = session.authTable.isAuthorised(action);
    if (permit) {
        doStuff();
    } else {
        session.invalidate();
        throw new InvalidRequestException("Unauthorised request");
    }
}
13. Session Management
• Check if only the framework’s session manager is used
• Check the cryptographic strength of session IDs: their length and character pool
• Check that session IDs coming from clients are validated
• Check there is a timeout implemented for idle sessions
• Check the session is destroyed on logout
14. Input validation and output sanitization
• Ensure 2 separate validations occur: first a security validation, then a business validation
• Ensure in the security validation, data are canonicalized first
import java.io.File;
import java.io.IOException;
public static void main(String[] args) throws IOException {
    File x = new File("/cmd/" + args[0]);
    // getAbsolutePath keeps "." and ".." segments and symbolic links exactly as supplied
    String absPath = x.getAbsolutePath();
    // getCanonicalPath resolves them, so the security validation must run on this form
    String canonicalPath = x.getCanonicalPath();
}
15. Input validation and output sanitization
• Check that all input that traversed untrusted zones is validated, not only user input
• Check that validators or sanitizers are adapted to the modules that receive/use the data – encode, escape, etc
• Check that validators are applied on a trusted side (the server, never the client)
16. Input validation and output sanitization
public class DoStuff {
    public void executeCommand(String userName) {
        try {
            // userName arrives from the caller with no validation or canonicalization
            String myUid = userName;
            Runtime rt = Runtime.getRuntime();
            // The unvalidated value is concatenated straight into a command line
            rt.exec("cmd.exe /C doStuff.exe " + "-" + myUid);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
17. Input validation and output sanitization
String myQuery = "select food from foods where name=?";
String sortOrder = request.getParameter("order");
// The request parameter is appended to the SQL text itself, so the prepared
// statement's "?" placeholder gives no protection for this part of the query
myQuery += sortOrder;
PreparedStatement preparedStatement = connection.prepareStatement(myQuery);
preparedStatement.setString(1, "Shaorma");
ResultSet resultSet = preparedStatement.executeQuery();
18. Input validation and output sanitization
import java.io.*;
import javax.servlet.http.*;
import javax.servlet.*;
public class HelloServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // A request header is untrusted input, just like a query parameter
        String input = req.getHeader("USERINPUT");
        PrintWriter out = res.getWriter();
        // Output is HTML-encoded before it is written into the page
        out.println(Server.HTMLEncode(input));
        out.close();
    }
}