Web Security Errors
I normally wouldn't blog this much, but so many of us here do web development that it's good for all of us to review these. Yes, I know we all know better, but I'd virtually guarantee that we all have done at least one of these in the last 24 months:
- Unvalidated parameters: Information from Web requests isn't validated before being used by a Web application. Attackers can use these flaws to attack backside components through a Web application.
- Broken access control: Restrictions on what authenticated users are allowed to do aren't properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
- Broken account and session management: Account credentials and session tokens aren't properly protected. Attackers who can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
- Cross-site scripting flaws: The Web application can be used as a mechanism to transport an attack to a user's browser. A successful attack can disclose the user's session token, attack the local machine, or spoof content to fool the user.
- Buffer overflows: Web application components in some languages that don't properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.
- Command injection flaws: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application.
- Error-handling problems: Error conditions that occur during normal operation aren't handled properly. If an attacker can cause errors that the Web application doesn't handle, he or she can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
- Insecure use of cryptography: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
- Remote administration flaws: Many Web applications let administrators access a site using a Web interface. If these administrative functions aren't very carefully protected, an attacker can gain full access to all aspects of a site.
- Web and application server misconfiguration: Having a strong server configuration standard is critical to a secure Web application. These servers have many configuration options that affect security and aren't secure out of the box.
The full report is here. Nice job guys. Thank you.
And Just One More
Oh, and I'd also kick in one other security glitch that's related to these but not specifically mentioned: installing Open Source applications on the quick. You know the drill -- you grab some code, install it, and then poof! The client is running it and is happy, so you kinda ignore it. And you don't realize that the default installation leaves the password in the clear! Think I'm kidding? For example, a lot of PHP applications use .inc as the extension for their include files, and since the web server doesn't hand .inc files to PHP, config.inc (database password and all) is served as plain text to anyone who knows it exists.
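One way to audit a document root for exactly this exposure, as an added example that is not from the post or from any application it mentions: the credential pattern, the .htaccess rule parsing and the sample tree below are assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Credential-looking PHP assignments, e.g. $db_pass = 'secret';
CRED_RE = re.compile(r"\$\w*(pass|pwd|secret)\w*\s*=", re.I)
# Apache .htaccess rule denying direct requests for .inc files, e.g.
# <FilesMatch "\.inc$"> Deny from all </FilesMatch> (or Require all denied)
DENY_RE = re.compile(r"<Files(Match)?\s+\"?[^>]*inc[^>]*>[^<]*"
                     r"(deny\s+from\s+all|require\s+all\s+denied)", re.I | re.S)

def protected_by_htaccess(dirpath, docroot):
    """True if dirpath or any parent up to docroot carries a deny rule."""
    d = dirpath
    while True:
        ht = os.path.join(d, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, errors="replace") as f:
                if DENY_RE.search(f.read()):
                    return True
        parent = os.path.dirname(d)
        if os.path.samefile(d, docroot) or parent == d:
            return False
        d = parent

def find_exposed_includes(docroot):
    """Return .inc files holding credentials that no deny rule protects."""
    exposed = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if not name.endswith(".inc"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as f:
                has_cred = any(CRED_RE.search(line) for line in f)
            if has_cred and not protected_by_htaccess(dirpath, docroot):
                exposed.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_docroot():
    """Constructed sample tree: app1 unprotected, app2 behind a deny rule."""
    root = tempfile.mkdtemp()
    for app in ("app1", "app2"):
        os.makedirs(os.path.join(root, app))
        with open(os.path.join(root, app, "config.inc"), "w") as f:
            f.write("<?php\n$db_user = 'web';\n$db_pass = 'hunter2';\n")
    with open(os.path.join(root, "app2", ".htaccess"), "w") as f:
        f.write('<FilesMatch "\\.inc$">\n    Deny from all\n</FilesMatch>\n')
    return root
```

Where AllowOverride is off the same FilesMatch rule belongs in the main server config, and keeping includes outside the document root (or naming them .inc.php so PHP executes rather than serves them) removes the exposure entirely.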
A Chance for Open Source Revenues
Although I have no actual metrics on this, I suspect it is quite common. Now this makes me think that a possible revenue opportunity for Open Source authors is something like a "Security Check": for $99 or $X (per server), I'll check over your installation and make sure you don't have any holes. Given that a lot of Open Source applications are rolled into hosting / consulting, it would be relatively easy to pass this type of cost on to the ultimate customer.
5:23:24 PM
Sobig Anyone?
Sigh. Another stupid virus but apparently spreading fairly well:
Sobig is a worm that uses e-mail and shared network folders to infect machines running Microsoft's Windows operating system, according to information posted on the Web site of Helsinki antivirus company F-Secure.
The worm arrives in e-mail messages from a single sender, big@boss.com, and is stored in attached executable files with names such as Sample.pif, Untitled1.pif, and Movie_0074.mpeg.pif, according to F-Secure.
5:10:10 PM
Boston Blog Meetup - Tomorrow !!!
Anyone out there interested in the Boston Blog Meetup tomorrow night? It's at the Someday Cafe in Somerville. There are only 6 people signed up, which makes going marginal at best. If anyone here is going, I thought it would probably be worth it. Leave me a comment / drop me a note.
Note: If you are NOT in Boston, blog meetups happen all over the place, so check it out: 3rd Wednesday of every month.
I will also probably be going to the Boston Ryze mixer on Thursday.
4:43:54 PM
Happy Birthday to You! Happy Birthday to You! Ok. Now I'll Blog
This is a very 21st century birthday present. Dewayne's fiancée has started blogging as one of the presents to him (well, 1/2 of it is a present). Happy Birthday Dewayne! And welcome aboard Michelle!
1:12:17 PM
Read Keith Today
I was going to blog a bunch of pointers to stuff on Keith's site when I realized -- it's faster and easier if you just read all of today's entries: PHP and Quickies. If you read this blog then I suspect, with the possible exception of the Hannigan / Denisof news, you'll be interested in most of the Quickies. And I agree with Keith on blocking Crawler 918.
10:44:57 AM
Blogging Flow Metrics or How Many Clicks on that Link in the Window?
No one really seems to say how many hits a link in a blog gives them, so I thought it might be interesting for folks to know these numbers. Last week I linked to Kalsey's article on small business web sites (great article, btw). A little while later he IM'd me with these stats and an interesting point:
- "Your links are always good for a few dozen visitors a day for a week or so"
- "Interestingly, the shorter your writeup, the more people seem to click through"
10:25:29 AM
Very, Very Cool
Bizarre. I actually met the author of these on the train one time back in 1999. Now he has a web site. Go figure. I particularly liked #2 of Batch 31.
Note: These will almost certainly make you smile so I'm not going to describe them further. Click through and see.
Found via Rhys.
10:20:57 AM
Hi. I'm Scott and I'll Be Your Internet Agent for Right Now
I've never seen anyone make this analogy for blogging yet so I'll give it a go:
Are Blogs Nothing More than Agents for the Internet?
A few years back, circa 1995 or so, the term "agent" or "intelligent agent" was all the rage. We were all going to have different agents that knew our tastes and collected content on our behalf, alerting us to interesting things. Needless to say, despite tens of millions of dollars in venture funding and even manufacturing dollars (anyone remember General Magic and Sony's Magic Cap?), that failed utterly.
Now we have blogs, and it actually feels strikingly similar. Think about my blog, for example. Right now, if you read it, then you are getting an agent that covers:
- Technology
- Blogging
- Open Source
- PHP
- Marketing
- Microsoft
- ...
If you read Mark Pilgrim's blog then you are getting coverage of:
- CSS
- XHTML
- Browser Issues
- ...
And if you read Inluminent you are getting:
- Online Marketing
- Mac / OS X
- Pretty Girls
So if you read 10 or 20 different blogs regularly, then you are actually getting the results of 10 or 20 different agents that are busily scouring the net for you. And, even better, those agents are sometimes even creating content for you. Now that makes them intelligent agents indeed.
Thoughts?
10:14:52 AM
Cool Mail Server Feature
While I can't imagine purchasing a mail server these days, with the plethora of good Open Source ones, I have to admit that this is a cool feature for a mail server:
Workload Spreading (CRM)
Using the round-robin distribution method, each message can be delivered to only one subscriber. For example, a sales mailing list could spread initial sales enquiries evenly between sales team members. This is an ideal Customer Relationship Management feature, which helps to ensure timely responses by allowing a group of users to handle mail for a single address (e.g. sales@yourcompany.com).
I'm not sure if this is in another mail server or not, but I haven't seen it described in this way at least. Good job on positioning -- always smart to tap into the CRM buzzword these days.
10:06:14 AM
Squirrel Mail Alternative Anyone?
Help! I need an alternative to SquirrelMail, since its use of Courier IMAP's authentication daemon (or the daemon itself) is flaky. Make that very flaky. PHP please. Any thoughts?
I'm installing PHPGroupware now but it feels *L A R G E* when all I need is webmail.
Note: I'm not saying that SquirrelMail isn't good, but it is blowing up on my main box right now and I don't want to update a mail daemon in the middle of a work day (cautious me? yes).
8:04:05 AM