Solved

Is Cross Site Request Forgery (CSRF) & XSS applicable to RPG coding?

Posted on 2016-08-13
Last Modified: 2016-08-19
http://www.fieldexit.com/forum/display?threadid=227

I refer to above url

a) is the above url's sample codes RPG codes?

b) are CSRF & XSS secure coding applicable to RPG coding?
0
Question by:sunhux
10 Comments
 

Author Comment

by:sunhux
ID: 41754775
RPG is the coding used in AS400 or OS400
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 41754810
The site shows the RPG coding for the mentioned CGI program, which takes in the CSRF token.
D CSRFToken       S            256                          
D CSRFTokenCookie...                                        
D                 S            256                          

...

CSRFToken = #getData('CSRFToken');          
CSRFTokenCookie = #getCookie('CSRFToken');
You can check out the IBM site on RPG programming code; note the syntax.

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/We13116a562db_467e_bcd4_882013aec57a/page/Coding%20in%20RPG%20IV%20-%20Chapter%202%20General%20info%20about%20RPG

Secure coding against the web vulnerabilities mentioned applies in concept; it is not only web-based. For example, general SQL secure practices also apply to DB2 on the iSeries (injection protection and such), which includes embedded SQL in RPG programs.

See secure coding for business-oriented languages like COBOL and RPG, which are application-driven and fronted mostly by web-based services. Applications tend to interface with the DB tier, hence the below shows gaps specific to SQL injection coding:

RPG language is used today in IBM platforms, on mainframe and mid-range systems (iSeries, AS/400 or whatever brand IBM currently uses). “Attack surface” is similar to COBOL, with security concerns in RPG code not well-known, as with COBOL.

Regarding technical flaws, RPG uses EXEC SQL for embedded code, which is safe unless dynamic SQL is used.
https://www.kiuwan.com/blog/security-business-oriented-languages-cobol-rpg/
0
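The RPG fragment above reads a CSRFToken form field and a CSRFToken cookie and compares them, which is the double-submit-cookie pattern. The following is an added example, not code from the fieldexit thread or from IBM: a Python CGI-style handler doing the same check with the parts the fragment leaves implicit (token generation, a constant-time compare, and the failure cases). The request dict shape, issue_token() and verify_request() are assumptions made for the demo.

```python
"""Double-submit-cookie CSRF check, modelled on the RPG CGI fragment above.

Added example (not code from the fieldexit thread or from IBM): the RPG
program reads a CSRFToken form field and a CSRFToken cookie and compares them.
This Python version does the same with the pieces the fragment leaves implicit:
token generation, a constant-time compare, and the failure cases.
The request dict shape and the function names are assumptions.
"""
import hmac
import secrets
from typing import Dict, Tuple

TOKEN_BYTES = 32           # 256 bits of randomness per token
COOKIE_NAME = "CSRFToken"  # same name the RPG fragment reads with #getCookie
FIELD_NAME = "CSRFToken"   # same name it reads from form data with #getData


def issue_token() -> str:
    """Token the GET handler sets as a cookie and embeds in the form."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def render_form(token: str) -> str:
    """Embed the token in the form as a hidden field (the 'double submit' half)."""
    return (
        '<form method="POST" action="/cgi-bin/transfer">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def verify_request(cookies: Dict[str, str], form: Dict[str, str]) -> bool:
    """Mirror of the RPG check: reject unless cookie and form token both exist and match."""
    cookie_token = cookies.get(COOKIE_NAME, "")
    form_token = form.get(FIELD_NAME, "")
    if not cookie_token or not form_token:
        return False
    # constant-time compare so a mismatch does not leak how many chars matched
    return hmac.compare_digest(cookie_token, form_token)


def handle_post(cookies: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing handler: refuse to act unless the CSRF check passes."""
    if not verify_request(cookies, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount', '0')}"


if __name__ == "__main__":
    tok = issue_token()
    print(render_form(tok))
    # legitimate submission: the browser sends the cookie and the hidden field
    print(handle_post({COOKIE_NAME: tok}, {FIELD_NAME: tok, "amount": "10"}))
    # forged cross-site POST: the attacker's page cannot read the cookie,
    # so it cannot put the matching value in the form
    print(handle_post({COOKIE_NAME: tok}, {"amount": "10"}))
    print(handle_post({COOKIE_NAME: tok}, {FIELD_NAME: "guess", "amount": "10"}))
```

The check only holds if an attacker cannot set cookies for the site (beware of sibling subdomains) and if the token is not echoed into a page the attacker can read; the RPG program needs the same two properties for its comparison to mean anything.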
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 41755053
RPG is the coding used in AS400 or OS400
That's a relief! I was trying to work out how CSRF could be used as an exploit in Role Playing Games!
0
 
LVL 34

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 41756222
1a) Yes, CGI example shown is RPG.

1b) Yes. RPG applications can be vulnerable to CSRF & XSS if proper precautions are not taken - same as any programming language.
0
 
LVL 32

Assisted Solution

by:shalomc
shalomc earned 125 total points
ID: 41757928
CSRF and XSS vulnerabilities exist because of how http web servers and web clients interface and operate, regardless of the platform the server runs on. It could be php, or java, or node.js, or RPG.

Sometimes you as a programmer use a framework that attempts to mitigate those risks, but they are always there, and must be dealt with. To deal with CSRF, XSS and other application-level attacks like content injection, you must first understand what they do and how they can be invoked. I strongly suggest looking at the OWASP Top 10.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

You will notice that although some server side examples are presented in php or java, they are applicable in all programming languages and frameworks, even in RPG.

PS
Especially in RPG, since IBM i developers who turned to the web tend to be too arrogant in their false presumption that they have the best and most secure platform in the world.
0
 

Author Comment

by:sunhux
ID: 41759852
Thanks Gary, Shalom.

I'm facing resistance from my colleagues in the apps teams doing COBOL & RPG coding, who categorically claim that XSS, CSRF & X-Frame-Options (=SAMEORIGIN, to deal with clickjacking) are irrelevant & inapplicable to RPG & COBOL.

If you could indicate short COBOL & RPG code that alludes to XSS & clickjacking vulnerabilities, or provide more links that explicitly indicate so, it would help to convince them.


One side question:
an external consultant for secure coding told me that open-source source code scanners (e.g. Yasca) usually detect only about 20% of poor/insecure code, while paid scanners (specifically, he says, Fortify & AppScan) usually detect about 3 times more for the same piece of code: any truth to that?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 41760559
You should also include SQLi; this is also one of the top web vulnerabilities (also in the OWASP Top 10)
- sample for COBOL and RPG (as in my last post) - https://www.kiuwan.com/blog/security-business-oriented-languages-cobol-rpg/

To further this, AppScan (a scan tool) also advocates flaw checks in COBOL source code. Instead, you should have the code scanned using the scanner rather than getting other code to reflect on for assurance:
How do you learn about COBOL scan rules in IBM Security AppScan Source for Security - and what are some of the potential vulnerabilities in COBOL source code?

Answer

 COBOL files (.cbl) can be directly imported into AppScan Source for security scanning.

 From a security perspective, COBOL applications have similar considerations to any other kind of application. AppScan Source can help you identify high risk locations within your COBOL application - and assist you in their remediation.

http://www-01.ibm.com/support/docview.wss?uid=swg21502622
0
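The SQL injection gap the kiuwan article describes for embedded SQL is the difference between a fixed statement with host variables (EXEC SQL ... WHERE ID = :custId) and a statement string the program concatenates and runs with EXECUTE IMMEDIATE or PREPARE. The following is an added example, not code from the article, from IBM or from the thread: Python with sqlite3 standing in for DB2 on i, showing the two patterns side by side on a constructed accounts table.

```python
"""Static vs dynamic SQL, the gap the kiuwan article describes for embedded SQL.

Added example, not code from the article or from IBM. In RPG,
'exec sql ... where id = :custId' binds the host variable as a parameter;
'exec sql execute immediate :stmt' runs whatever string the program built.
sqlite3 stands in for DB2 on i here; the table, rows and the account lookup
are constructed sample data.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("A100", "alice", 500), ("B200", "bob", 1200), ("C300", "carol", 75)],
    )
    return conn


def lookup_dynamic(conn: sqlite3.Connection, account_id: str) -> List[Tuple]:
    """The EXECUTE IMMEDIATE pattern: the SQL text itself is built from user input."""
    stmt = "SELECT id, owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(stmt).fetchall()


def lookup_static(conn: sqlite3.Connection, account_id: str) -> List[Tuple]:
    """The host-variable pattern: SQL text is fixed, the value is bound as data."""
    stmt = "SELECT id, owner, balance FROM accounts WHERE id = ?"
    return conn.execute(stmt, (account_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    honest = "A100"
    hostile = "x' OR '1'='1"       # closes the literal and appends a tautology
    print(lookup_dynamic(db, honest))
    print(lookup_dynamic(db, hostile))   # every row comes back
    print(lookup_static(db, hostile))    # no row has that literal id
```

With the dynamic form the hostile value turns the WHERE clause into `id = 'x' OR '1'='1'` and the whole table is returned; with the bound parameter the same string is just an id that matches nothing. An RPG program that must build SQL at run time should still use PREPARE with parameter markers and EXECUTE USING host variables rather than concatenating values into the text.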
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 41760570
Yasca coverage depends more on the plugins it supports; some of the external plugins distributed with Yasca are listed below. But note that a plugin is file-extension specific when invoking a scan. For instance, a plugin that scans Java source code can be configured to only scan files with the .java extension.
 Grep Plugin. Uses external GREP files to scan target files for simple patterns.
 PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues.
 JLint Plugin. Uses J-Lint to scan Java .class files for issues.
 antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues.
 FindBugs Plugin. Uses FindBugs to scan Java class and Jar files for issues.
 Lint4J Plugin. Uses Lint4J to scan Java .class files for issues.

The grep plugin is useful for extending coverage, as long as you can supply a valid PCRE-style regular expression for the flaw, including OWASP ones. For more info, see this http://www.scovetta.com/yasca/yasca-manual.pdf
0
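To make concrete what a grep-plugin style scan of RPG source can and cannot find, here is an added example, not Yasca's code and not one of its rule files: a few PCRE-style patterns applied line by line to constructed free-form RPG IV source, gated on file extension the way a Yasca plugin is configured. The sample program, the #writeThis output routine and the rule set are all constructed for the demo; Python's re module is close enough to PCRE for these patterns.

```python
"""Grep-plugin style scan of RPG source, in the spirit of Yasca's Grep plugin.

Added example, not Yasca's code and not its rule files: a few PCRE-style
patterns applied line by line to RPG IV free-form source, gated on file
extension the way a Yasca plugin is configured. The sample source, the
#writeThis output routine and the rule set are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

RPG_EXTENSIONS = (".rpgle", ".sqlrpgle", ".rpg")

# (rule id, regex, what it flags)
RULES: List[Tuple[str, re.Pattern, str]] = [
    ("dynamic-sql",
     re.compile(r"\bexec\s+sql\s+(execute\s+immediate|prepare)\b", re.I),
     "dynamic SQL: statement text is a host string, not a fixed statement"),
    ("sql-string-concat",
     re.compile(r"'[^']*\b(select|insert|update|delete)\b[^']*'\s*\+\s*\w+", re.I),
     "SQL text built by concatenating a variable"),
    ("unencoded-output",
     re.compile(r"#writeThis\s*\(\s*'[^']*'\s*\+\s*\w+", re.I),
     "variable written into HTML without encoding (XSS)"),
]

Finding = Tuple[int, str, str]  # (line number, rule id, source line)


def scan_source(text: str) -> List[Finding]:
    """Line-oriented match, exactly like grep: one line at a time, no parsing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, _ in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, line.strip()))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Only files with an RPG extension are scanned, as a Yasca plugin would be configured."""
    return {name: scan_source(text) for name, text in files.items()
            if name.lower().endswith(RPG_EXTENSIONS)}


# constructed sample, free-form RPG IV (not from the thread); #writeThis is assumed
SAMPLE_RPG = """\
       // constructed sample, free-form RPG IV (not from the thread)
       dcl-s custId char(10);
       dcl-s stmt varchar(500);
       custId = #getData('custid');
       exec sql select name into :custName from customer where id = :custId;
       stmt = 'select * from customer where id = ' + custId;
       exec sql execute immediate :stmt;
       exec sql prepare s1 from :stmt;
       #writeThis('<p>Hello ' + custId + '</p>');
       stmt = 'delete from customer where id = '
            + custId;
"""

if __name__ == "__main__":
    files = {"ORDER.sqlrpgle": SAMPLE_RPG, "notes.txt": SAMPLE_RPG}
    for name, hits in scan_files(files).items():
        for lineno, rule_id, line in hits:
            print(f"{name}:{lineno}: [{rule_id}] {line}")
```

The scan flags the concatenated SELECT, both dynamic-SQL statements and the unencoded write, and correctly leaves the static `exec sql select ... :custId` alone. It misses the DELETE built across two lines, which is the limit of line-based grep rules and the reason a language-aware scanner (or a dynamic scan of the running application) is still needed.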
 
LVL 32

Assisted Solution

by:shalomc
shalomc earned 125 total points
ID: 41760910
Hi sunhux,

Obviously your colleagues are clueless about the nature of CSRF and XSS.
Please read the OWASP examples and show them that XSS and CSRF are platform-agnostic, and are as applicable to COBOL web apps as to PHP code.

You can also tell them that the author of this book told you personally that using COBOL does not make a web application immune to these attacks.

COBOL and RPG, although poor choices for web development, are capable of dealing with web-based attacks ONLY IF you make them so, not by any inherent nature.

The only way for COBOL and RPG to be irrelevant is if all of the web interface is managed by an external platform, and COBOL/RPG are used as a data backend to that. But then SQL injection must still be ruled out.
0
 
LVL 34

Accepted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 41761558
Who knows, maybe your colleagues are using a framework that includes good input validation, or have built and maintain good input validation routines that make their sites invulnerable to these attacks. I'd need to see your production code to comment.

Maybe all the UI layer is managed by another software layer, and all the RPG programs see is nice validated input.

Maybe they are living in AS/400 security dreamland: a place where nothing bad can ever happen to you because you run a magical operating system that even protects them against programmer errors and ignorance.

But there is nothing in RPG (I'm an IBM i / iSeries AS400 RPG programmer with almost 3 decades of experience) that provides automatic protection from these attacks.  It has nothing to do with the inherent security of the operating system - this is all about understanding web application security, and how to prevent common attacks through input validation.

For RPG, good luck with source vulnerability scanners.  They need to understand the programming language, and most don't - not even IBM's AppScan Source product (which really is a great product- I've used it in the past):

http://www-01.ibm.com/support/docview.wss?uid=swg21628056

There are two approaches to web application security (we prefer using both for web-facing mission critical applications):

Application scanning applications - which typically simulate an attack to determine if a vulnerability exists.

Source scanning applications - which search application source code for high-risk code patterns (or missing validation code patterns).

For applications that depend on less-widely used web programming languages like RPG, I suggest you look at application scanning tools, as opposed to source scanning tools.
1
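The author asked for short code that shows XSS and clickjacking exposure, and the accepted answer contrasts source scanning with application scanning that simulates an attack. The following is an added example, not code from the thread, from IBM or from any scanner: two versions of a CGI-style "hello" handler, one that echoes a query parameter straight into the HTML (what an RPG CGI program does when it writes a #getData value into its output) and one that HTML-encodes it and sets the anti-framing headers, plus a probe() that does what a minimal dynamic scan does, sending a canary and checking whether it comes back unencoded and whether X-Frame-Options is set. The handler shape (params -> (status, headers, body)) and all names are assumptions.

```python
"""Reflected XSS and clickjacking in a CGI-style handler, plus a black-box probe.

Added example, not code from the thread: a vulnerable handler that echoes a
parameter into HTML, a hardened one that encodes it and sends anti-framing
headers, and probe(), the kind of check an application scanner makes.
Handler shape (params -> (status, headers, body)) and all names are assumptions.
"""
import html
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]
Handler = Callable[[Dict[str, str]], Response]


def page(body_html: str, headers: Dict[str, str]) -> Response:
    """Wrap a body fragment in a minimal document with the given extra headers."""
    base = {"Content-Type": "text/html; charset=utf-8"}
    base.update(headers)
    return 200, base, f"<html><body>{body_html}</body></html>"


def hello_vulnerable(params: Dict[str, str]) -> Response:
    """Writes the parameter into the page as-is: reflected XSS, framable by anyone."""
    name = params.get("name", "")
    return page(f"<p>Hello {name}</p>", {})


def hello_hardened(params: Dict[str, str]) -> Response:
    """HTML-encodes the parameter and forbids framing from other origins."""
    name = html.escape(params.get("name", ""), quote=True)
    return page(f"<p>Hello {name}</p>", {
        "X-Frame-Options": "SAMEORIGIN",                       # legacy anti-clickjacking header
        "Content-Security-Policy": "frame-ancestors 'self'",  # modern equivalent
    })


CANARY = "<zz9'\"x>"   # unusual enough not to appear on the page by accident


def probe(handler: Handler) -> List[str]:
    """Return the weaknesses a simple dynamic scan would report for this handler."""
    issues = []
    status, headers, body = handler({"name": CANARY})
    if CANARY in body:
        issues.append("reflected-xss: input echoed without encoding")
    csp = headers.get("Content-Security-Policy", "")
    if "X-Frame-Options" not in headers and "frame-ancestors" not in csp:
        issues.append("clickjacking: no X-Frame-Options / frame-ancestors")
    return issues


if __name__ == "__main__":
    print(probe(hello_vulnerable))
    print(probe(hello_hardened))
    print(hello_hardened({"name": "<script>alert(1)</script>"})[2])
```

The probe needs no knowledge of RPG, COBOL or Python; it only sees HTTP, which is why a dynamic scanner is the practical choice for a language most source scanners do not parse. The same canary-and-reflect check works against a real IBM i CGI endpoint with any HTTP client.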