


   ISSUE 19

19 February 2013

Article of the Month

Few tips for Secure Web Development

Developing websites, whether for information sharing or commercial use, should be done in a safe and secure manner, so that the people who actually benefit from those sites do not lose their confidential information or get infected by malware.

Input Validation

Presently many websites offer Sign up and Sign in options, whether to subscribe to the site, to shop online, or even for online banking. For this the website needs user input, but that input can be benign or malicious, because the user is not restricted in what they submit. It is therefore very important to treat all user input as potentially malicious and validate it. Input validation can be handled in several ways.

a. Whitelisting (Accept known good)

In this method only a set of known safe inputs is allowed and all other inputs are blocked by default. It is the best technique and should be used to validate all input whenever possible.

A whitelist is basically a list which says "A, B and C are good (and everything else is bad)".

b. Blacklisting (Reject known bad)

This method blocks certain known malicious inputs from being submitted. It is the least secure way of validating input, because the set of possible bad inputs is potentially infinite.

A blacklist is basically a list which says "A, B and C are bad (and everything else is good)".

c. Sanitization

This method filters out dangerous characters while still allowing legitimate input. It should be used when a large range of inputs has to be accepted for correct functionality.

Input should not be validated only at the point of entry, because client-side validation can easily be bypassed with a local proxy. Data must therefore be validated at the backend too.
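The three techniques side by side, as an added Python example that is not part of the original article. The username pattern, the blacklist entries, the sanitiser rules and the sample inputs are all constructed for this illustration. The point to notice is that the blacklist lets through an input it simply did not foresee, while the whitelist rejects the same input without ever having heard of it, and that the check runs on the server regardless of what the browser did:

```python
import re

# Whitelist: the exact shape a valid username may take. The policy (3-16 letters,
# digits or underscores) is a constructed example, not a rule from the article.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")

def whitelist_username(value: str) -> bool:
    """Accept known good: anything that does not match the pattern is rejected."""
    return USERNAME_RE.fullmatch(value) is not None

# Blacklist: a handful of fragments somebody once saw in an attack. Anything the
# list does not mention sails through, which is why the article calls it least secure.
BAD_FRAGMENTS = ("<script", "' or ", "--")

def blacklist_ok(value: str) -> bool:
    """Reject known bad: returns True for everything not on the list."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BAD_FRAGMENTS)

def sanitize_comment(value: str, max_len: int = 280) -> str:
    """Sanitise free text: keep printable characters, drop control characters, clamp length."""
    kept = "".join(ch for ch in value
                   if ch in "\n\t" or (ord(ch) >= 32 and ord(ch) != 127))
    return kept[:max_len].strip()

def validate_signup(form: dict) -> dict:
    """Constructed backend check: whitelist the username, sanitise the free-text bio.
    This runs on the server no matter what checks the browser already performed."""
    errors = []
    username = form.get("username", "")
    if not whitelist_username(username):
        errors.append("username: 3-16 letters, digits or underscores only")
    return {"ok": not errors, "errors": errors,
            "username": username if not errors else None,
            "bio": sanitize_comment(form.get("bio", ""))}
```

Whitelisting is the right tool for fields with a known shape (usernames, postcodes, numeric IDs); sanitising is for fields that must accept free text, where the goal is to remove what can never be legitimate rather than to guess what is dangerous.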

Injection Flaws

Even though injection flaws are very simple to avoid, many applications are still susceptible to these attacks. An injection tricks an application into including unintended commands in the data it sends to an interpreter. The interpreter can be SQL, an OS shell, LDAP, etc. The impact of an injection is usually severe: an entire database can be read or modified, and it may also give full access to a database schema or even to an account.

How to avoid injection flaws in web applications?

1. Avoid the interpreter entirely
2. Use an interface that supports bind variables (e.g. prepared statements or stored procedures)
3. Encode / escape all user input before passing it to the interpreter

Enforce Proper Error Handling

Web applications frequently generate error conditions during normal operation. Sites should never return system-generated error messages or debug information to the user. Proper exception handling should be used to trap errors and display customised, non-informative error messages to users.

Good error handling should cope with any practical set of inputs while enforcing appropriate security. Simple error messages should be generated and logged so that their cause, whether a fault in the site or a hacking attempt, can be evaluated. Errors should be handled not only for user input but also for anything internal components such as system calls and database queries can produce. To determine whether a web application is vulnerable, simple testing can be done by checking how the site responds to various input errors; more comprehensive testing should deliberately cause internal errors and observe how the application behaves.

How to protect a site?

1. Return simple error messages to the user and log a more detailed error message to the server.
2. Provide the user with data validation errors, but do not provide developer level debug information.
3. Enable detailed logging so that the logs can be reviewed for anomalies, which also makes it easier to track cyber criminals.
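A request handler that follows the three rules above, written as an added Python example (not code from the article). The order form, the "widget-42" item that stands in for a failing database call, and the reference-id format are constructed for the illustration. Validation errors are returned to the user in full because they describe the input, not the system; anything else goes to the server log under a reference id and the user sees only that id:

```python
import logging
import uuid

log = logging.getLogger("webapp")      # detailed errors go here, never to the browser
logging.basicConfig(level=logging.INFO)

class ValidationError(ValueError):
    """Bad user input. Its message is written for the user and is safe to show."""

def parse_quantity(raw: str) -> int:
    qty = int(raw)                      # raises ValueError on non-numeric input
    if not 1 <= qty <= 100:
        raise ValidationError("quantity must be between 1 and 100")
    return qty

def place_order(form: dict) -> dict:
    """Constructed handler: returns the status and body the user would receive."""
    try:
        qty = parse_quantity(form.get("quantity", ""))
        if form.get("item") == "widget-42":          # stand-in for a backend failure
            raise ConnectionError("db01.internal:5432 connection refused")
        return {"status": 200, "body": f"ordered {qty}"}
    except ValidationError as exc:
        return {"status": 400, "body": str(exc)}     # rule 2: validation errors are fine to show
    except ValueError:
        return {"status": 400, "body": "quantity must be a whole number"}
    except Exception:
        # Rules 1 and 3: full detail, including the stack trace, to the server log under
        # a reference id; the user gets the id and nothing that describes the internals.
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s item=%r", ref, form.get("item"), exc_info=True)
        return {"status": 500, "body": f"Something went wrong. Reference: {ref}"}
```

The reference id is what support staff search the log for; the log line carries only the fields needed to reproduce the fault, so that credentials or card numbers from the form do not end up in log files either.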

Cross-Site Scripting (XSS)

XSS impacts users in various ways. The most typical are stealing a user's session, stealing sensitive data, rewriting the web page, or even redirecting the user to a phishing site. More severely, it can install an XSS proxy, which allows an attacker to observe and direct all of the user's behaviour on the vulnerable site and force the user to other sites.

It is very difficult to identify and remove XSS flaws in a web application. The main thing to do is to carry out a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output.

The best method to protect a site from cross-site scripting is to ensure that the web application validates all cookies, query strings and form fields against a precise specification of what should be permitted.
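Two of the places the paragraph names, handled in an added Python example (not code from the article): a display name that reaches the HTML output is encoded with the standard library's html.escape, and a `next` query-string parameter used for redirects is checked against the only form the site wants to permit, a site-relative path. Encoding the output is a step the article does not spell out; it is included here as the usual complement to validation, because it protects the HTML output even when a field's specification has to allow quotes or angle brackets. The template strings and the parameter name are constructed for the example:

```python
import html
from urllib.parse import urlparse

def render_greeting_unsafe(display_name: str) -> str:
    """The flaw under review: request input is written straight into the HTML."""
    return "<p>Welcome back, " + display_name + "</p>"

def render_greeting(display_name: str) -> str:
    """Encode for the HTML context so the browser shows the name instead of parsing it."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"

def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Validate the 'next' query-string value against the one shape that is allowed:
    a path on this site. Anything with a scheme or a host falls back to the default."""
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:
        return default
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    return next_param

def login_response(display_name: str, next_param: str) -> dict:
    """Constructed handler combining both checks into the response the user gets."""
    return {"location": safe_redirect_target(next_param),
            "body": render_greeting(display_name)}
```

Escaping is context specific: html.escape is right for text between tags and inside quoted attributes, while values placed into a URL, a script block or a CSS rule need the encoding of that context.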

Enforce Proper Authentication and Session Management

Authentication and session management are an important part of web applications. It is vital to authenticate users and to manage active sessions in order to keep a site safe. Even solid authentication methods can be bypassed through flawed credential management functions such as password change, "forgot my password" or "remember my password".

A typical website's user authentication involves a user ID and a password. Failure to manage sessions and account authentication properly makes a website vulnerable to attackers, so robust session management and authentication methods should be used to protect users' credentials and thereby the web site from potential threats.

Session management can be done using cookies, session IDs embedded in query strings, or hidden fields. Whichever method is used, if session tokens are not properly protected an attacker can hijack an active session and assume the identity of a user. Session tokens should therefore be generated with sufficient randomness, complexity and length.

Code review and penetration testing can be done to determine and analyze whether a specific web application is vulnerable in authentication and session management.

Having a log out option and automatic session expiration would help to protect a web application. Other than that developers could also implement various features that are mentioned below.

Session ID: A user's entire session should be protected through SSL, so it cannot be hijacked on the network.
Password strength: Minimum size, complexity (alphanumeric/special characters).
Password use: Restrict the user to a defined number of login attempts; users should change their password occasionally; users should not be able to use old passwords again.
Password storage: Passwords should be stored in either hashed or encrypted form.
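The items in that list put together in an added Python example (not code from the article): session tokens drawn from the operating system's random generator through the secrets module, a store that expires idle sessions and supports log out, the Secure and HttpOnly cookie flags that keep the token on SSL and out of reach of page scripts, a login-attempt limit, a password-strength rule, a ban on reusing old passwords, and salted PBKDF2 hashing for storage (a salted slow hash is the form of "hashed" to use, so that equal passwords do not produce equal records and guessing is expensive). The time-to-live, attempt limit, history length and strength rule are constructed policies, and the store keeps everything in memory:

```python
import hashlib
import os
import re
import secrets

SESSION_TTL = 15 * 60      # idle seconds before a session expires (constructed policy)
MAX_ATTEMPTS = 5           # failed logins before the account locks (constructed policy)
HISTORY_LEN = 5            # old passwords a user may not reuse (constructed policy)
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash; stored as hex(salt)$hex(digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)   # constant-time comparison

def password_strong(password: str) -> bool:
    """Minimum size plus complexity: letters, digits and a special character."""
    return all([len(password) >= 10,
                re.search(r"[A-Za-z]", password),
                re.search(r"\d", password),
                re.search(r"[^A-Za-z0-9]", password)])

class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.history = [hash_password(password)]   # most recent last; only hashes are kept
        self.failed = 0
        self.locked = False

    def set_password(self, new: str) -> bool:
        """Refuses weak passwords and any password still in the history."""
        if not password_strong(new):
            return False
        if any(verify_password(new, old) for old in self.history):
            return False
        self.history = (self.history + [hash_password(new)])[-HISTORY_LEN:]
        return True

class SessionStore:
    def __init__(self):
        self._sessions = {}    # token -> (username, last activity timestamp)

    def login(self, account: Account, password: str, now: float):
        """Returns a fresh session token, or None on failure or a locked account."""
        if account.locked or not verify_password(password, account.history[-1]):
            account.failed += 1
            if account.failed >= MAX_ATTEMPTS:
                account.locked = True
            return None
        account.failed = 0
        token = secrets.token_urlsafe(32)     # 256 random bits: length and randomness
        self._sessions[token] = (account.username, now)
        return token

    def user_for(self, token: str, now: float):
        """Resolves a token, expiring it after SESSION_TTL seconds of inactivity."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if now - last_seen > SESSION_TTL:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, now)
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

def session_cookie(token: str) -> str:
    """Set-Cookie value: Secure keeps it on SSL, HttpOnly keeps it away from page scripts."""
    return f"sid={token}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The token itself carries no user information; the server-side store maps it to the user, so a stolen token is useless once it is logged out or expires, and nothing in it can be decoded or guessed from another token.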

Insecure Storage

Information is one of the most important things in a web application, especially the sensitive information a user holds or shares with a site (passwords, credit card numbers and account records). Such information is normally stored in encrypted form so that an attacker cannot access it. The problem with sensitive data is that web developers fail to identify all of it, and sometimes even fail to recognise all the places where it is stored.

The impact of insecure storage is that attackers are able to access or modify confidential and private user data. This can lead to company embarrassment, customer dissatisfaction and loss of trust. In some countries the company might be sued or fined for non-compliance with regulatory requirements such as PCI DSS.

Identifying all the sensitive data, all the places that it is stored and then applying suitable protecting mechanisms of file encryption, database encryption and data element encryption will protect you from unwanted attacks.

Denial of Service

Web sites are particularly vulnerable to denial of service attacks because an application cannot easily differentiate between an attack and normal traffic. A denial of service attack consumes so many resources that even genuine users cannot use the system. Other impacts: an attacker might target a specific user by sending invalid credentials until the system locks out that user's account, or might request a new password for a user and gain access to their account.

It is hard to detect and protect against denial of service attacks. It is best to use test tools to generate web traffic and see how a web application behaves under heavy load. Limiting the resources allocated to a specific user can also help to some extent.
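Limiting the resources a single client may consume, as an added Python example (not from the article): a sliding-window limiter keyed by client, applied per source address to the login endpoint, so that a flood from one address is refused before any credential check or database work is spent while users elsewhere are unaffected. Limiting per source rather than only locking the targeted account also blunts the second impact the paragraph names, where an attacker locks a victim out by repeatedly sending wrong credentials. The limit, window and addresses are constructed:

```python
import time
from collections import deque

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = {}     # client key -> deque of request timestamps inside the window

    def allow(self, client: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(client, deque())
        while hits and now - hits[0] >= self.window:   # forget requests that aged out
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

# Login endpoint guarded per source address (constructed policy: 5 attempts per minute).
login_limiter = RateLimiter(limit=5, window=60.0)

def handle_login(source_ip: str, username: str, now: float) -> dict:
    """Constructed handler: refuse early, before the expensive part of the request."""
    if not login_limiter.allow(source_ip, now):
        return {"status": 429, "body": "Too many attempts, try again later"}
    # Credential verification would follow here; the example stops at the gate.
    return {"status": 200, "body": f"login attempt accepted for {username}"}
```

A deque per client grows to at most `limit` entries, so memory is bounded by the number of distinct clients; in a real deployment the hit counts live in a shared store such as a cache so that every web server applies the same limit.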

The types mentioned above are not the only ways a web application can be attacked, nor are they the only types of vulnerability found in websites. The number of web servers and applications is growing rapidly day by day, so developers must always assume that their sites are at risk and vulnerable. Beyond the damage a vulnerable site does to its owner, it also poses a threat to a great many internet users, because unsecured sites are commonly used for phishing and malware attacks.

One of the best ways to secure a site and keep it away from unwanted attacks is to install patches for the different components of the system as soon as they are available, and to have regular audits done by professional security firms, especially if your site holds credit card information, passwords or other sensitive data. You might think you can spot all of your own mistakes, but trust me, it is always good to get another pair of eyes looking for vulnerabilities.

Dharaka Ellawala

Dharaka is an undergraduate of the Informatics Institute of Technology, currently following a B.Eng (Hons) in Software Engineering. He is working as an Intern - Information Security Engineer at Sri Lanka CERT|CC.

Around the World

The world's most dangerous search engine
By Dave Maass | Wednesday, Feb 06, 2013

'....Simply put, Shodan is a search engine. While Google crawls the Internet looking for websites, Shodan is scanning for devices connected to the Internet and recording information about the software running on those devices. What has the press and security professionals worried is that Shodan has revealed wide-scale holes in Internet safety, from somewhat embarrassing privacy oversights to keep-you-up-at-night vulnerabilities in critical infrastructure......'

China threatened by overseas hackers
  Updated: 2013-02-07 21:32

'....Recently foreign media have been hyping up "cyber attack from China" and the talk of a "Chinese hacking threat" is in the air. But it turns out that China is actually the real victim of cyber attacks, Xinhua reported, citing statistics from the National Computer Network Emergency Response Coordination Center of China (CNCERT/CC).

The number of Internet users on the Chinese mainland keeps rising sharply, but Chinese users don't take net safety protection as seriously as do most western users. Hence China has become the biggest victim of Internet hacking......'

Anonymous posts over 4000 U.S. bank executive
  By Violet Blue for Zero Day | February 4, 2013 -- 07:28 GMT (23:28 PST)

'....Anonymous appears to have published login and private information from over 4000 American bank executive credentials its Operation Last Resort, demanding US computer crime law reform......'

Month in Brief

Facebook Incidents Reported to Sri Lanka CERT|CC in January 2013 (chart; category label: Fake + Harassment)

Statistics - Sri Lanka CERT|CC (chart)



Traveling Overseas with Mobile Phones, Laptops, PDAs, and Other Electronic Devices

Office of the National Counterintelligence Executive

Adobe Flash Zero-Day Attack Uses Advanced Exploitation Technique

By Haifei Li | Monday, February 11, 2013 at 3:31pm

'....On February 7, Adobe issued a security bulletin warning of zero-day attacks that leverage two Flash vulnerabilities.

While digging in depth into the original sample, we found that the exploit uses highly sophisticated exploitation techniques to attack various Flash Player versions. It also includes "user-friendly" tricks that give no signs or symptoms to its victims.

The ingenious exploit uses a previously unknown technique to craft the heap memory on Flash Player. With the aid of a regular expression-handling vulnerability that is related to a heap-based buffer overflow, the attack can create a highly reliable memory information leak that allows the exploit to bypass the usually effective exploitation mitigations of address space layout randomization (ASLR) and data execution prevention (DEP) on Windows 7 and other versions......'

Every single Internet Explorer at risk of drive-by hacks until Patch Tuesday
  Tuesday, February 12, 2013 | Updated: Wednesday, February 13, 2013 | Version: 1.2

'....Microsoft has lined up a bumper Patch Tuesday this month to snap shut a backbreaking 57 security vulnerabilities in its products.

Five of the 12 software updates addressing the gaping holes will tackle critical flaws that allow miscreants to execute code remotely on vulnerable systems.

In all, the soon-to-be-patched vulnerabilities exist in the Windows operating system, Internet Explorer web browser, Microsoft Server Software, Microsoft Office and the .NET framework......'

Notice Board
Training and Awareness Programmes - February 2013

Date | Event | Venue
18 | Launch of “e-Thaksalawa” National Educational Learning Content Portal, developed by the ICT Branch, by H.E. the President | Ministry of Education, “Isurupaya”
18-22 | ICT Training for newly recruited SLEAS officers | National Institute of Education, Maharagama
18-22 | Awareness Programme for teachers of ICT centres selected for National Vocational Qualification (NVQ) training | UNIVOTEC, Rathmalana


