Thursday, April 3, 2014

Validations and Error Handling – Security Controls

Input Validations

Almost 90% of vulnerabilities arise out of having poor or no input validations at the entry point of the application. There are countless different vulnerabilities of input validation type out there and applications are exploited by attackers. Essentially when developers are not treating each input as evil then it gets consumed directly into the application and exposing business logic with severe payload. These injections can force application to go into vulnerable state. Here are possible set of vulnerabilities arising out of poor input validation in the code.
1.) Various injection vectors (SQL, LDAP, XPATH etc.)
2.) Cross Site Scripting (XSS)
3.) Cross Site Request Forgery (CSRF)
4.) Buffer overflows
5.) Integer and logical boundary overrun
6.) Canonicalization issues
7.) Validation bypass (Client side)
8.) Serialization attacks
9.) Information leakage
Input validation is very easy to detect since application usually breaks and send abnormal response back to client. This response contains some signature which helps in detecting type of vulnerability. Attacker or tester usually does fuzzing to determine state of validation. This is one of the most important domains for application security.

Data Validations

Application needs place to store and access data from the system. Application may be using various data sources like database, file system, third part application, cross domain calls/APIs, browser memory etc. All these sources can be manipulated by attacker and it can help in stealing information or manipulating behavior of the application. In era of Web 2.0 applications are not running in isolation with single domain, applications are interlinked and share information seamlessly in-between. Application data is no longer restricted to database and dataset, we are seeing data get exchanged in XML, RSS feed, JSON etc. Application need to validate this data before consuming. Here is a list of weak area in the application which can lead to possible vulnerabilities,
1.) Proxy injections from third party stream
2.) XSS injection with RSS feeds
3.) Client side logic bypass
4.) Upload/download stream injections
5.) Remote command/code injection and execution
6.) Callback manipulation in JavaScript
Data validation is becoming equally important like input validation, it is imperative to validate any stream before consuming either on server or client side. We are seeing new ways of hacking and attacking in this area once code is not developed securely.

Error Handling

Error and exception handling is very important aspect of the development process. Many applications are written without having strong and central error handling routine in place. If error is not handled properly then it can lead to information leakage, Denial of Services (DoS) etc. Here is the list of possible security vulnerabilities arising due to poor error handling,
1.) Information leakage
2.) Logic bypass
3.) Internal logic and routine disclosure
4.) Denial of Services (DoS)
5.) Stack trace enumeration
There are several best practices need to be followed in source code for error and exception handling and some of the popular attack vectors to exploit error handling routines are as follows.
1.) Fuzzing and fault code injections
2.) Denial of Services injections
Automated scanners and engines detect vulnerabilities based on error signatures and this information proves very useful for them. Error handling is responsible for over 90% of information leakage.