Solved

Failed security audit (XSS and SQL Injection are possible).

Posted on 2010-08-20
Last Modified: 2013-11-16
Are there protections from code injection that can be put in place? They were able to inject <script> that ran a marquee across the screen... and said they could grab people's usernames and passwords by injecting in the same way...

From Security:
Dangerous characters which should be filtered:
• " ' % ; ) ( & + -
• These should be checked for and filtered out in all requests, input forms, the URI, headers, and cookies.


Does APEX have anything that can be turned on to avoid having to check all inputs???

Also, they used the Firefox "Inspector" to widen a text item from a maximum of 9 characters to 50 characters so they could inject code...

Any help appreciated..
Question by:bcarlis
Assisted Solution
by:CodeC6
ID: 33488845
Generally, in order to keep from having these types of issues, you'd need to go through your code and resolve the vulnerable spots; there's coding and then there's secure coding.
If you don't feel qualified to filter input on your site, you could try something like mod_security (http://www.modsecurity.org) if you are running Linux, or dotDefender (http://www.applicure.com) for Windows; these are application firewalls that filter malicious input before sending it to your application.
If one detects malicious input it will not send it to your application, thus protecting it.
Your other option is to have a developer look at your code and help you fix it, or research more secure ways of coding the areas of your site that are vulnerable to SQL Injection and XSS.

You should refer to the OWASP top 10 and ensure your app/site is developed with those key elements in mind.

The PCI requirement is to either scan your code periodically and fix any vulnerabilities found, or run an Application firewall.
 
Author Comment
by:bcarlis
ID: 33491594
Hi, Thank you for your response.

I am using Oracle APEX 3.2 and from reading the Security:
• < > " ' % ; ) ( & + -
• These should be checked for and filtered out in all requests, input forms, the URI, headers, and cookies.

I would think that Oracle is doing this, but I guess not...
Sounds like I need to check every URL parameter for these characters... ??

I can look up a regex to search/replace these characters as well as others for the "Username", but again, they have made a general statement that "ALL" requests...
Is there a spot where I can check the whole URL at the very beginning of the process... I need to look up the UTIL that gets the URL post coming in... ???

What do you think?
 
Assisted Solution
by:btan
ID: 33498325
Typically, to defend against web exploits, two layers to check out are

a) Web application firewall - first layer, defending at the network level to identify and block web exploit attempts.
- Check out http://www.owasp.org/index.php/Web_Application_Firewall; there is quite a good list of s/w
- Below are also some good s/w & refs to check out as well
> WebCastellum  @ http://pentestit.com/2010/03/14/webcastellum-open-source-waf/
> ModSecurity @ http://pentestit.com/2009/11/27/modsecurity-web-application-security-firewall/
> ESAPI toolkit @ http://pentestit.com/2009/09/27/esapi-enterprise-security-api/
> Article knowing the attack on XSS Filters @ http://pentestit.com/2010/03/04/pentestit-post-day-favorite-xss-filters-attack/


b) Web site/app code inspection - esp. on input validation, which must be enforced as inputs are the entry point for attackers. Pentesting is not avoidable, hence some tools to check out include
> Samurai Web Testing Framework @ http://pentestit.com/2009/08/06/tool-update-samurai-web-testing-framework/
> Static code analyser for offline checks @ http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
> Microsoft Web Protection Library such as Anti-XSS & Security Runtime Engine (SRE) @ http://wpl.codeplex.com/
> Armorize CodeSecure & SmartWAF @ http://www.armorize.com/


You can also check out Sentrigo vPatch - more of a memory-patching approach against web threats
@ http://www.sentrigo.com/products/hedgehog-vpatch

Assisted Solution
by:btan
ID: 33498381
I believe you are referring to the paper below on APEX best practices (see the security section).
They share some packages and guidelines for development; see that as the first layer, and you should consider the holistic aspects with a WAF and further web code analysis as well.

 @ http://www.oracle.com/technetwork/testcontent/apex-best-practices-134310.pdf

Accepted Solution
by:pand0ra_usa
ID: 33506253
So what you actually need to do is, any place that you take in input, validate that data. I personally would not always exclude the characters you listed (< > " ' % ; ) ( & + -) because that input may, for some reason, require one or more of those characters. So when you have an input like a username, only allow upper and lower case characters and numbers (for example, and that can change depending on what you use for usernames). But you will have to go through and do this for all of your inputs. You should probably do this for your outputs as well, as in the coming years people will be testing for these too. And no, Oracle does not do input validation. Now OWASP (owasp.org) has an API that can help you out in doing input validation and web application security in general, which I suggest you take a look at.

"I would think that Oracle is doing this, but I guess not...
Sounds  like I need to check every URL parameter for these characters... ??"

Yes. See my comment above.

"I can look up a regEx to search/replace these characters as well as others for the "Username" but again, they have made a general statement that "ALL" requests...
Is there a spot that I can check the whole URL at the very beginning of the process... I need to look up the UTIL that gets the URL post coming in... ???"

You can do that but that will become unmanageable pretty quickly. I suggest you either use the tools OWASP provides or create a table in your DB and create a regex expression for each of the types of input you have. Then if it ever changes in the future then you change it in 1 place instead of 300 (or more).


 
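pand0ra_usa's approach above (a per-input-type allow-list kept in one place, validated on the way in, encoded on the way out) as an added example in Python. This is not code from the thread, from OWASP or from Oracle APEX: the patterns and length limits in RULES are assumptions, and an in-memory SQLite table stands in for the Oracle table behind the page. The 9-character username limit mirrors the max-9 text item the auditors widened with the Firefox Inspector, and is enforced here on the server where the browser cannot change it. The example also pairs validation with a bind variable for the query and HTML escaping on output, because a quote character that an allow-list legitimately permits (a city like O'Fallon) must still never reach the SQL parser or the page unencoded.

```python
import html
import re
import sqlite3

# Allow-list rules per input type, held in one place (pand0ra_usa suggests a
# DB table; a dict stands in for it here). The patterns and limits are
# assumptions for this example. fullmatch() is used so nothing before or after
# the allowed characters slips through, and the maximum length is enforced
# server-side regardless of the maxlength the browser form claimed.
RULES = {
    "username": (re.compile(r"[A-Za-z0-9]+"), 9),
    "city":     (re.compile(r"[A-Za-z' ]+"), 50),
    "zip":      (re.compile(r"[0-9]{5}"), 5),
}


class InvalidInput(ValueError):
    pass


def validate(kind, value):
    """Return value unchanged if it satisfies the rule for kind, else raise."""
    pattern, max_len = RULES[kind]
    if not isinstance(value, str) or len(value) > max_len:
        raise InvalidInput(f"{kind}: length > {max_len}")
    if pattern.fullmatch(value) is None:
        raise InvalidInput(f"{kind}: characters outside allow-list")
    return value


def is_valid(kind, value):
    """Boolean form of validate(), convenient for tests and form handlers."""
    try:
        validate(kind, value)
        return True
    except InvalidInput:
        return False


def setup_db():
    """Constructed sample data: an in-memory SQLite table standing in for the
    Oracle table behind the APEX page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def find_user_unsafe(conn, username):
    """The vulnerable pattern: the SQL text is built by concatenation, so the
    value is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened: validate against the allow-list, then pass the value as a bind
    variable so it can only ever be data."""
    username = validate("username", username)
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(name):
    """Output encoding: whatever survived validation is still HTML-escaped
    before it is placed in the page, so a stored payload cannot run as script."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR ''='"                      # constructed 9-char injection string
    print(find_user_unsafe(conn, payload))     # every user comes back
    print(is_valid("username", payload))       # False: rejected before any SQL runs
    print(is_valid("username", "a" * 10))      # False: over the server-side limit
    print(find_user_safe(conn, "alice"))
    print(render_greeting("<script>alert(1)</script>"))
```

The payload is deliberately 9 characters long so that it passes the length check and is rejected purely on characters; a longer one would be stopped by the length limit first. Note that neither check replaces the bind variable or the escaping: validation narrows what gets in, the other two make sure that what gets in cannot change meaning on the way out.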
Author Comment
by:bcarlis
ID: 33546826
What is the best way to check for different characters?

What example uses regex to remove the characters from an input string?

I saw somewhere a "chars_in_bag" example..

Thank you so much!
 
Assisted Solution
by:pand0ra_usa
ID: 33546852
It depends on what you are looking to filter.

Here is something for a name, maybe for a city, person, etc.

^[a-zA-Z'\s]+$    

 
Assisted Solution
by:btan
ID: 33548480
You can also check out this Oracle PDF, which includes a basic section, "Using Regular Expressions in Oracle", that introduces the functions that provide Oracle regular expression support and shows some simple usage scenarios.
@ http://www.oracle.com/technetwork/database/features/application-development/twp-regular-expressions-133133.pdf

There are more specific expressions below
@ http://www.nikhedonia.com/notebook/entry/input-validation-using-regular-expressions/
@ http://www.15seconds.com/issue/010301.htm

E.g. Email -- ^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$

But do note that a regex, if not used properly, may also create gaps inadvertently
@ http://www.deadliestwebattacks.com/2010/06/regex-based-security-filters-sink.html
 
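btan's closing caveat, that a regex filter used carelessly opens gaps of its own, as an added example that is not from the thread or from the linked article. It uses the name pattern posted earlier in the thread and a constructed deny-list filter that strips the `<script>` tag, and shows three things a practitioner should check: a strip-once deny-list is defeated by nesting the token inside itself or by using a tag it never looked for; in Python's `re`, `^...$` still matches a value that ends in a newline, so `fullmatch()` is the safer anchor; and an allow-list with `fullmatch()` rejects the payloads outright. The semantics shown are Python's; whether `$` behaves the same in Oracle's REGEXP functions should be confirmed in the Oracle regular-expressions paper linked above rather than assumed.

```python
import re

# The allow-list character class posted in the thread for a name/city field,
# and a constructed deny-list that removes the <script> tag. The payloads
# below are constructed for the example.
NAME_PATTERN = r"[a-zA-Z'\s]+"
SCRIPT_TAG = re.compile(r"<script>", re.IGNORECASE)


def denylist_sanitize(value):
    """Deny-list style: one pass that strips a known-bad token and passes the
    rest through. re.sub does not re-scan its own output."""
    return SCRIPT_TAG.sub("", value)


def digits_match_dollar(value):
    """Allow-list written with ^...$ as in the thread. In Python, $ also matches
    just before a trailing newline, so "123\\n" is accepted."""
    return re.match(r"^[0-9]+$", value) is not None


def digits_fullmatch(value):
    """Same allow-list with fullmatch(): the entire value must match, with no
    trailing-newline exception."""
    return re.fullmatch(r"[0-9]+", value) is not None


def name_fullmatch(value):
    """The thread's name pattern, anchored with fullmatch()."""
    return re.fullmatch(NAME_PATTERN, value) is not None


if __name__ == "__main__":
    # Nesting the token inside itself: stripping the inner <script> once
    # leaves a working outer one behind.
    print(repr(denylist_sanitize("<scr<script>ipt>alert(1)</script>")))
    # A payload that never uses the token the deny-list looks for.
    print(repr(denylist_sanitize("<img src=x onerror=alert(1)>")))
    # Anchor choice: ^...$ accepts a trailing newline, fullmatch() does not.
    print(digits_match_dollar("123\n"), digits_fullmatch("123\n"))
    # The allow-list accepts what it was written for and nothing else; the
    # apostrophe it permits is why bind variables and output encoding are
    # still required downstream.
    print(name_fullmatch("O'Brien"), name_fullmatch("<img src=x onerror=alert(1)>"))
```

The practical reading: a deny-list has to anticipate every bypass, an allow-list only has to describe the legitimate value, and either one is only as strong as its anchoring.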
Author Closing Comment
by:bcarlis
ID: 33549915
Great! Thank you for the help!