Solved

Failed security audit (XSS and SQL Injection are possible).

Posted on 2010-08-20
9
621 Views
Last Modified: 2013-11-16
Are there protections from Code Injection that can be put in place? They were able to inject <script> that ran a marquee across the screen... and said they could grab people's usernames and passwords by injecting in the same way...

From Security:
Dangerous characters which should be filtered:
• " ' % ; ) ( & + -
• These should be checked for and filtered out in all requests, input forms, the URI, headers, and cookies.


Does APEX have anything that can be turned on to avoid having to check all inputs???

Also, they used FireFox "Inspector" to open a text item from max 9 characters to 50 characters so they could inject code...

Any help appreciated..
0
Question by:bcarlis
9 Comments
 
LVL 2

Assisted Solution

by:CodeC6
CodeC6 earned 50 total points
ID: 33488845
Generally, in order to keep from having these types of issues you'd need to filter through your code and resolve the vulnerable issues; there's coding and then there's secure coding.
If you don't feel qualified to filter input from your site, you could try something like mod_security (http://www.modsecurity.org) if you are running Linux, or dotDefender (http://www.applicure.com) for Windows, which is an application firewall that will filter malicious input before sending it to your application.
If it detects malicious input it will not send it to your application, thus protecting it.
Your other option is to have a developer look at your code and help you fix it, or research more secure ways of coding the areas of your site that are vulnerable to SQL Injection and XSS.

You should refer to the OWASP top 10 and ensure your app/site is developed with those key elements in mind.

The PCI requirement is to either scan your code periodically and fix any vulnerabilities found, or run an Application firewall.
0
 
LVL 2

Author Comment

by:bcarlis
ID: 33491594
Hi, Thank you for your response.

I am using Oracle APEX 3.2 and from reading the Security
• < > " ' % ; ) ( & + -
• These should be checked for and filtered out in all requests, input forms, the URI, headers, and cookies.

I would think that Oracle is doing this, but I guess not...
Sounds like I need to check every URL parameter for these characters... ??

I can look up a regEx to search/replace these characters as well as others for the "Username" but again, they have made a general statement that "ALL" requests...
Is there a spot that I can check the whole URL at the very beginning of the process... I need to look up the UTIL that gets the URL post coming in... ???

What do you think?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 150 total points
ID: 33498325
Typically, to defend against web exploits, two layers to check out are

a) Web application firewall - First layer, defends at network level to identify and block web exploit attempts.
- Check out http://www.owasp.org/index.php/Web_Application_Firewall, there is quite a good list of s/w
- Below are also some good s/w & refs to check out as well
> WebCastellum  @ http://pentestit.com/2010/03/14/webcastellum-open-source-waf/
> ModSecurity @ http://pentestit.com/2009/11/27/modsecurity-web-application-security-firewall/
> ESAPI toolkit @ http://pentestit.com/2009/09/27/esapi-enterprise-security-api/
> Article knowing the attack on XSS Filters @ http://pentestit.com/2010/03/04/pentestit-post-day-favorite-xss-filters-attack/


b) Web site/app code inspection - esp. on input validation to be enforced, as inputs are the entry point for attackers. Pentesting is not avoidable, hence some tools to check out include
> Samurai Web Testing Framework @ http://pentestit.com/2009/08/06/tool-update-samurai-web-testing-framework/
> Static code analysers for offline checks @ http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
> Microsoft Web Protection Library such as Anti-XSS & Security Runtime Engine (SRE) @ http://wpl.codeplex.com/
> Armorize CodeSecure & SmartWAF @ http://www.armorize.com/


You can check out Sentrigo vPatch - more of memory patching against the web threats
@ http://www.sentrigo.com/products/hedgehog-vpatch
0
 
LVL 61

Assisted Solution

by:btan
btan earned 150 total points
ID: 33498381
I believe you are referring to the paper below on APEX best practices (See security section).
They shared some packages and guidelines for the development; see it as the first layer, and you should consider the holistic aspects with a WAF and further web code analysis as well.

 @ http://www.oracle.com/technetwork/testcontent/apex-best-practices-134310.pdf
0
 
LVL 10

Accepted Solution

by:pand0ra_usa
pand0ra_usa earned 150 total points
ID: 33506253
So what you actually need to do is, any place that you take in input, validate that data. I personally would not always exclude the characters you listed (< > " ' % ; ) ( & + -) because that input may, for some reason, require one or more of those characters. So when you have an input like a username, only allow upper and lower case characters and numbers (for example, and that can change depending on what you use for usernames). But you will have to go through and do this to all of your inputs. You should probably do this as well to your outputs, as in the coming years people will be testing for these as well. And no, Oracle does not do input validation. Now OWASP (owasp.org) has an API that can help you out in doing input validation and web application security in general, which I suggest you take a look at.

"I would think that Oracle is doing this, but I guess not...
Sounds like I need to check every URL parameter for these characters... ??"

Yes. See my comment above.

"I can look up a regEx to search/replace these characters as well as others for the "Username" but again, they have made a general statement that "ALL" requests...
Is there a spot that I can check the whole URL at the very beginning of the process... I need to look up the UTIL that gets the URL post coming in... ???"

You can do that but that will become unmanageable pretty quickly. I suggest you either use the tools OWASP provides or create a table in your DB and create a regex expression for each of the types of input you have. Then if it ever changes in the future then you change it in 1 place instead of 300 (or more).


0
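The accepted answer describes three things at once: a single allowlist rule per kind of input (the "one table, one regex per type" idea), a server-side check that does not trust what the browser submitted (the max-length change made with the Firefox Inspector in the question), and encoding on output as well as on input. The following is an added example written for this page, not code from the thread or from Oracle APEX; it uses Python with an in-memory SQLite table as a stand-in for the APEX/PL-SQL environment, and the field names, patterns and sample rows are constructed for the demonstration.

```python
import html
import re
import sqlite3

# Constructed allowlist table, one entry per kind of input the application
# accepts: (pattern the whole value must match, maximum length). Keeping the
# rules in one place means a change is made once, not in every page.
# The patterns are assumptions chosen for this example, not the poster's rules.
INPUT_RULES = {
    "username": (re.compile(r"[A-Za-z0-9]+"), 9),   # letters and digits only
    "city":     (re.compile(r"[A-Za-z' ]+"), 50),   # letters, apostrophe, space
    "item_id":  (re.compile(r"[0-9]+"), 10),        # digits only
}


class ValidationError(ValueError):
    pass


def validate(kind, value):
    """Return `value` if it satisfies the allowlist for `kind`, else raise.

    The length limit is enforced here, on the server, because an HTML
    maxlength attribute can be edited in the browser before submission.
    fullmatch() is used so the entire string, not just a prefix, must match.
    """
    if kind not in INPUT_RULES:
        raise ValidationError("unknown input kind: %s" % kind)
    pattern, max_len = INPUT_RULES[kind]
    if not isinstance(value, str) or len(value) > max_len:
        raise ValidationError("%s exceeds %d characters" % (kind, max_len))
    if pattern.fullmatch(value) is None:
        raise ValidationError("%s contains characters outside the allowlist" % kind)
    return value


def is_valid(kind, value):
    """Boolean wrapper around validate() for callers that only need yes/no."""
    try:
        validate(kind, value)
        return True
    except ValidationError:
        return False


def build_db():
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, city TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "O'Fallon"), ("bob", "Austin")])
    return conn


def find_city(conn, username):
    """Look up a user with a bind variable: the value is passed as data and is
    never concatenated into the SQL text, so it cannot change the statement."""
    row = conn.execute("SELECT city FROM users WHERE username = ?",
                       (validate("username", username),)).fetchone()
    return row[0] if row else None


def render_city(city):
    """Encode on output: a stored value such as O'Fallon (the apostrophe is on
    the 'dangerous characters' list but is legitimate here) is shown as text
    rather than interpreted as markup by the browser."""
    return "<td>%s</td>" % html.escape(city, quote=True)


if __name__ == "__main__":
    conn = build_db()
    for name in ("alice", "carol", "a" * 10, "<script>"):
        try:
            print(name, "->", find_city(conn, name))
        except ValidationError as err:
            print(name, "-> rejected:", err)
    print(render_city("O'Fallon"))
```

The validate step rejects anything outside the allowlist before a query is built, the bind variable protects the statement even if a rule is later loosened, and the output encoding protects the page regardless of what is stored; each layer covers a case the others do not.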
 
LVL 2

Author Comment

by:bcarlis
ID: 33546826
What is the best way to check for different characters?

What is an example of using regex to remove the characters from an input string?

I saw a "chars_in_bag" example somewhere..

Thank you so much!
0
 
LVL 10

Assisted Solution

by:pand0ra_usa
pand0ra_usa earned 150 total points
ID: 33546852
It depends on what you are looking to filter.

Here is something for a name, maybe for a city, person, etc.

^[a-zA-Z'\s]+$
0
 
LVL 61

Assisted Solution

by:btan
btan earned 150 total points
ID: 33548480
Can also check out this Oracle pdf that includes a basic section "Using Regular Expressions In Oracle" that introduces the functions that provide Oracle Regular Expressions support and shows some simple usage scenarios.
@ http://www.oracle.com/technetwork/database/features/application-development/twp-regular-expressions-133133.pdf

There are more specific expressions below
@ http://www.nikhedonia.com/notebook/entry/input-validation-using-regular-expressions/
@ http://www.15seconds.com/issue/010301.htm

E.g. Email -- ^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$

But do note that a regex which is not used properly may also create gaps inadvertently
@ http://www.deadliestwebattacks.com/2010/06/regex-based-security-filters-sink.html
0
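The last link above warns that regex filters fail in ways that are easy to miss. As an added example (not from the thread or the linked articles), the block below takes the two expressions quoted in this thread verbatim and runs them through three checks that are easy to confuse: an unanchored search, a match that relies on the pattern's own `^`/`$` anchors, and a full-string match. In Python's `re` module `$` also matches just before a single trailing newline, and `\s` admits tab and newline, so two of the quoted patterns' gaps show up directly; `NAME_RE_STRICT` is an assumed tightening added for the comparison, and the sample inputs are constructed.

```python
import re

# The two expressions quoted in this thread, copied verbatim.
NAME_RE = r"^[a-zA-Z'\s]+$"
EMAIL_RE = (r"^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z][\w\.-]*[a-zA-Z0-9]"
            r"\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$")
# Assumed tightening for this example: a literal space instead of \s, so that
# tab, newline and other whitespace characters are no longer accepted in a name.
NAME_RE_STRICT = r"^[a-zA-Z' ]+$"


def accepts_anywhere(pattern, value):
    """Unanchored search: the pattern with its ^ and $ removed. A filter written
    this way passes any string that merely contains a valid-looking substring."""
    return re.search(pattern.strip("^$"), value) is not None


def accepts_match(pattern, value):
    """re.match honouring the pattern's own anchors. In Python, $ also matches
    just before one trailing newline, so 'value\\n' can pass this check."""
    return re.match(pattern, value) is not None


def accepts_fullmatch(pattern, value):
    """re.fullmatch: the entire string must be consumed, trailing newline included."""
    return re.fullmatch(pattern, value) is not None


def audit(pattern, samples):
    """Return (sample, anywhere, match, fullmatch) per sample so the three
    checks can be compared side by side."""
    return [(s, accepts_anywhere(pattern, s), accepts_match(pattern, s),
             accepts_fullmatch(pattern, s)) for s in samples]


# Constructed sample inputs for the demonstration.
NAME_SAMPLES = ["O'Brien", "Mary Ann", "<script>", "Smith\n", "Smith\tJones"]
EMAIL_SAMPLES = ["j.doe@example.com", "j.doe@example.com\n",
                 "j.doe@example.com<script>"]

if __name__ == "__main__":
    for pat, samples in ((NAME_RE, NAME_SAMPLES), (NAME_RE_STRICT, NAME_SAMPLES),
                         (EMAIL_RE, EMAIL_SAMPLES)):
        print(pat)
        for row in audit(pat, samples):
            print("  %-30r anywhere=%-5s match=%-5s fullmatch=%s" % row)
```

Two things the table makes visible: the name pattern's `\s` accepts a newline or a tab even under `fullmatch`, and the email pattern accepts a trailing newline under `match` but not under `fullmatch`. Whether `$` behaves this way depends on the regex engine and its flags, so the same audit is worth repeating against the engine actually used (for Oracle, the REGEXP_LIKE function described in the linked Oracle paper) before relying on an anchor.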
 
LVL 2

Author Closing Comment

by:bcarlis
ID: 33549915
Great! Thank you for the help!
0
