Security Leak: Session Fixation vulnerability
Jul16


Welcome to CodeSpread!

What is a Session?

HTTP is a stateless protocol. Each request to the server is independent and carries no information about the user: who requested which page, or any state of the client machine. ASP.NET session state can be used to store values that persist across page requests; ASP.NET identifies requests coming from the same browser as one session. A session lasts for a limited time, after which it expires and a new one is started. When a session starts, a cookie named ASP.NET_SessionId is created. It holds only the session identifier; the session values themselves live on the server and are retrieved by key (for example Session["UserId"]). By default, if a user is inactive for 20 minutes, the session expires and all items stored in it are discarded.

There are methods to end or empty the session programmatically:

Session.Abandon() ends the current session; its items are discarded when the request completes.
Session.Clear() and Session.RemoveAll() remove all items from the session but leave the session, and its identifier, alive.

None of these methods deletes the ASP.NET_SessionId cookie. The browser keeps sending the old identifier, and ASP.NET reuses that identifier for the next session unless the cookie is cleared explicitly.

What is Session Fixation?

Because the cookie lives on the client machine, it can be stolen, which reveals the session identifier. A less likely, but equally naive, exposure is the query string: if the site runs in cookieless mode the identifier is appended to every URL, where it can be read from browser history, proxy logs or the Referer header. Whoever holds a valid authenticated session ID (SID) can impersonate the user.

Session fixation is the variant in which the attacker does not steal the SID but supplies it. The basic flow:

1. The attacker obtains a valid SID, say 'abcdefg', simply by visiting the site.
2. The attacker gets the victim's browser to use that SID (see the phishing variant below).
3. The victim logs in with valid credentials and performs some transactions. The site does not change the SID on login, so 'abcdefg' is now an authenticated session.
4. The attacker presents 'abcdefg' and continues as the user.
5. The attacker can keep impersonating the victim until the SID expires.

The easiest way to plant the SID is a URL with the identifier appended as a query parameter. A phishing mail carries a link with a SID known only to the attacker; once the user follows the link and logs in, the attacker uses that SID, now associated with an authenticated session, to impersonate the user. So please avoid clicking links in spam mails.

How can it be fixed?

There are many countermeasures available.

First, assign a new session identifier on login (abandon the pre-login session and clear its cookie), and remove the session identifier once the user logs out.
Second, regenerate the session identifier on each request, although this is not always practical.
Third, as a precautionary measure that is applicable even to small sites, enable HTTPS and mark the session cookie Secure and HttpOnly, so it cannot be read off the wire or by script.
Fourth, a logout function after which the session accepts no further requests. On its own this is not a very secure option, because it only protects users who remember to log out.
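The first and fourth countermeasures above, as an added example that is not code from the original post. It assumes an ASP.NET (.NET Framework) application with cookie-based session state and forms authentication. The class names SessionGuard and SessionGuardModule and the SessionAuthToken cookie/session key are this example's own; ASP.NET_SessionId is the default session cookie name. Besides forcing a fresh identifier on login, it binds the authenticated session to a random token that only the victim's browser holds, so a session ID that was fixed or captured is refused on its own.

```csharp
// Added example (not from the original post). Names other than ASP.NET_SessionId
// and the System.Web APIs used are this example's own.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class SessionGuard
{
    private const string SessionIdCookie = "ASP.NET_SessionId"; // ASP.NET default name
    private const string AuthTokenCookie = "SessionAuthToken";  // example's own name
    private const string AuthTokenKey    = "SessionAuthToken";  // key inside Session

    // Countermeasure 1: call once the credentials have been verified.
    // Session.Abandon() alone does NOT change the identifier: the browser keeps the
    // ASP.NET_SessionId cookie and ASP.NET reuses that value for the next session,
    // which is exactly what a fixation attack relies on. Expiring the cookie as well
    // forces a fresh identifier on the request that follows the redirect.
    public static void Login(HttpContext ctx, string userName)
    {
        if (ctx.Session != null) ctx.Session.Abandon();
        ExpireCookie(ctx, SessionIdCookie);
        ExpireCookie(ctx, AuthTokenCookie);           // token from any earlier login
        FormsAuthentication.SetAuthCookie(userName, false);
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false), true);
    }

    // Defence in depth: bind the authenticated session to a random secret stored in
    // a separate cookie. A request carrying the session ID without the matching
    // token is treated as fixed or stolen. Runs on every request with session state.
    public static void Validate(HttpContext ctx)
    {
        if (ctx.Session == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;                                   // anonymous: nothing to bind yet

        string expected = ctx.Session[AuthTokenKey] as string;
        if (expected == null)
        {
            // First authenticated request on this fresh session: mint the token.
            expected = NewToken();
            ctx.Session[AuthTokenKey] = expected;
            ctx.Response.Cookies.Add(new HttpCookie(AuthTokenCookie, expected)
            {
                HttpOnly = true,                      // not readable by script
                Secure   = ctx.Request.IsSecureConnection,
                Path     = "/"
            });
            return;
        }

        HttpCookie presented = ctx.Request.Cookies[AuthTokenCookie];
        if (presented == null || !FixedTimeEquals(presented.Value, expected))
        {
            Logout(ctx);                              // kill the suspicious session
            ctx.Response.StatusCode = 403;
            ctx.Response.End();
        }
    }

    // Countermeasure 4: a logout that really ends the session. Abandon discards the
    // server-side items; expiring both cookies stops the browser from presenting the
    // old identifier again; SignOut removes the forms-authentication ticket.
    public static void Logout(HttpContext ctx)
    {
        if (ctx.Session != null)
        {
            ctx.Session.Clear();
            ctx.Session.Abandon();
        }
        FormsAuthentication.SignOut();
        ExpireCookie(ctx, SessionIdCookie);
        ExpireCookie(ctx, AuthTokenCookie);
    }

    private static void ExpireCookie(HttpContext ctx, string name)
    {
        ctx.Response.Cookies.Add(new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            Path = "/"
        });
    }

    private static string NewToken()
    {
        var bytes = new byte[32];                     // 256 bits from the CSPRNG
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Constant-time comparison (the .NET Framework has no FixedTimeEquals helper).
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Hooks Validate into the pipeline once session state has been loaded.
public sealed class SessionGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAcquireRequestState += (sender, e) =>
            SessionGuard.Validate(((HttpApplication)sender).Context);
    }

    public void Dispose() { }
}
```

Register SessionGuardModule under system.webServer/modules in web.config, call SessionGuard.Login from the login page after the credential check and SessionGuard.Logout from the logout action. Pair it with the configuration side of the third countermeasure: httpCookies with httpOnlyCookies="true" and requireSSL="true", and, if cookieless session state is ever enabled, sessionState with regenerateExpiredSessionId="true" so an expired identifier carried in a URL is never resurrected.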

Read More
New SDLC: Security Development Life Cycle
Jan16


When I heard "Security Development Life Cycle", my first reaction was: is it really possible? But, as always, Microsoft surprised me with the introduction of the SDL. I just went through a paper published by Microsoft, and I have included most of its points 'as-is' in this article.

What is SDLC, or the Security Development Life Cycle?

Microsoft's own name for it is the SDL (Security Development Lifecycle). It is a simple framework for the pragmatic inclusion of security practices in the software development process. It outlines a series of discrete, non-proprietary security development activities that, when joined with effective process automation and solid policy guidance, represent the steps necessary for an organization to objectively claim compliance with the Microsoft SDL as defined by the "Advanced" level in the SDL Optimization Model.

Let us stress a few keywords in the above definition, 'security practices', 'series', 'organization' and 'compliance', and relate them in a generic manner.

First, 'security practices': the SDL is not a handwritten document of rules; it is a set of practices that originated from the experience of individuals and teams.
Second, 'series' implies a chain of steps or guidelines which are followed in an organized manner to achieve the goal.
Third, 'organization': the most important keyword. It stresses that the life cycle is dynamic and depends on an organization's needs; it places a due share of the responsibility for applying the SDLC on the organization itself.
Fourth and last, 'compliance': set your standards and I will follow. This is a basic need of the industry and is widely accepted as a criterion in every organization.

What are the activities expected?

To achieve security, secure development concepts must be integrated into an existing development process. Here we take the stages of the familiar SDLC [Software Development Life Cycle] and combine them with security concepts to arrive at our new SDLC [Security Development Life Cycle].
We will see which security concepts can be accumulated at each stage of the SDLC.

Pre-SDL Requirements: Security Training

SDL Practice 1: Training Requirements

All members of a software development team (developers, testers, and program managers) must receive appropriate training to stay informed about security basics and recent trends in security and privacy. Basic software security training should cover foundational concepts such as:

Secure design, including the following topics:
• Attack surface reduction
• Defense in depth
• Principle of least privilege
• Secure defaults

Threat modeling, including the following topics:
• Overview of threat modeling
• Design implications of a threat model
• Coding constraints based on a threat model

Secure coding, including the following topics:
• Buffer overruns (for applications using C and C++)
• Integer arithmetic...

Read More