A Programmer explores the IT Security field, offering packets of useful information he picks up along the way.

Archive for December, 2008

Clickjacking

December 30, 2008 By: Ron Category: Internet security, Web App Security

It’s been a while since I last posted, and I do apologize; things have been hectic. I hope to make it up to you with a post on a new web vulnerability called Clickjacking. There has been a lot of buzz in the security community around Clickjacking ever since Robert Hansen and Jeremiah Grossman cancelled the talk on a new exploit they were going to introduce at the OWASP conference, which I attended back in September. Adobe got wind of their talk and asked them to postpone “airing the issues” to give them time to put a fix out to their users. It turns out that it’s really a browser flaw rather than Adobe’s problem, though; we’ll get into that.

So what is Clickjacking? Clickjacking is an interesting exploit because it is not a bug or defect in the browser software but a design flaw, which will become clearer as we go on. Clickjacking, as its name suggests, is about getting a user to click on something they didn’t intend to click on, without their even being aware that they are clicking on it. This is accomplished by loading a web page that has a hidden page, or several hidden pages, layered behind the page you actually see. A “click here” button is placed that looks perfectly fine, but “underneath” the button a malicious site positions whatever harmful element it wants you to activate. There is a great demo here on the topic of clickjacking where you can watch the hidden page appear behind the one with the “click here” buttons. They say a picture is worth a thousand words: it’s one thing for me to explain it and another to actually see the hidden page appear.

One of Robert and Jeremiah’s examples to demonstrate Clickjacking used Adobe Flash Player. They showed how easy it was to have a user click on something benign that turned on the computer’s video camera (if it had one). It is a really scary thing for a malicious site to be able to turn on your video camera without your knowledge! Robert and Jeremiah postponed their talk, and Adobe has since taken responsibility and fixed the issue, but only for the case where Flash Player is the avenue of a Clickjacking attack. Clickjacking is an issue for all browsers, with or without JavaScript enabled, since it can be accomplished with CSS and DHTML alone. This exploit, however, must be viewed within the larger picture. It isn’t a flaw or a browser software bug but a complex vulnerability that became real because of the way the Internet has evolved. Our browsers have become more and more complex, which creates an environment where sophisticated exploits can breed, grow and become a reality. It turns out that the concept behind this exploit was documented as far back as 2002. Back then, however, the Internet was a much simpler place and the idea of clickjacking wasn’t much of a threat. We live in a very different 2.0 Internet world now.

Firefox users who have the “NoScript” plugin can get an update that will protect them from Clickjacking. Users of all other browsers will need to wait. In the meantime, as usual, please be careful where you go on the net.
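Users can only wait for their browser, but a site owner can stop its own pages from being loaded inside someone else’s frame. The following is an added example, not code from this post: it audits a site’s HTTP responses for the two server-side anti-framing controls, the X-Frame-Options header and the later Content-Security-Policy frame-ancestors directive, both of which browsers adopted after this post was written. The sample responses are constructed, and the function names are this example’s own.

```python
"""Audit HTTP response headers for the two server-side anti-framing controls.

Added example for this post, not code from the original. It assumes the
defender is checking responses from their own site. X-Frame-Options and the
Content-Security-Policy frame-ancestors directive are real standardised
headers that browsers added after this post was written; the sample
responses at the bottom are constructed.
"""
from typing import Dict, List, Tuple


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources]} (lower-cased)."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def frame_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify one response as ('blocked' | 'restricted' | 'frameable', reason).

    Header names are matched case-insensitively. When both controls are
    present, browsers honour frame-ancestors and ignore X-Frame-Options,
    so it is evaluated first.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    ancestors = parse_csp(lower.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "blocked", "CSP frame-ancestors 'none'"
        if ancestors == ["'self'"]:
            return "restricted", "CSP frame-ancestors 'self'"
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return "frameable", "CSP frame-ancestors permits any origin"
        return "restricted", "CSP frame-ancestors " + " ".join(ancestors)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return "restricted", "X-Frame-Options SAMEORIGIN"
    if xfo:
        # ALLOW-FROM and misspelt values are not honoured by current browsers,
        # which then treat the header as absent: the page can still be framed.
        return "frameable", f"X-Frame-Options value {xfo!r} is not honoured"
    return "frameable", "no anti-framing header"


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "/login": {"X-Frame-Options": "DENY"},
    "/account": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "/widget": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "/legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/help": {"Content-Type": "text/html"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the paths that a third-party page could still load in an iframe."""
    return [path for path, hdrs in responses.items() if frame_protection(hdrs)[0] == "frameable"]


if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        verdict, reason = frame_protection(hdrs)
        print(f"{path:10} {verdict:10} {reason}")
```

Running the block lists `/legacy` and `/help` as still frameable: the first because current browsers do not honour `ALLOW-FROM` and so ignore the header entirely, the second because it sends no anti-framing header at all. Pages that only need to be framed by the site itself should send `SAMEORIGIN` or `frame-ancestors 'self'`; anything that performs a state-changing click, such as a login or settings page, is the first place to check.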

5 Tips to Secure Your Web App

December 05, 2008 By: admin Category: Uncategorized

Given the increasing shift from packaged software to cloud computing, a growing number of applications are web-based. Both the software-as-a-service business model and the real-time distribution model make web apps the ideal platform for new projects. While web distribution has a number of upsides, scaling applications effectively requires implementing best practices to safeguard data. Any database or code hosted in the cloud is potentially vulnerable to attack. We consulted with leading web application security specialists for their top security tips:

Understand the Potential Sources of Vulnerability
Many developers assume that all attacks will come from outside the network firewall, but this leaves the application open to attack from inside. Make sure that all data is guarded from unauthorized access by several layers of security, so that lower-level employees, and others who might work in the office, do not have access to valuable code or data. Internal attacks can come in many forms, all of which can be avoided by working to secure every level of the application.

Utilize Multiple Layers of Security for Your Application
Often, IT professionals rely solely upon an external firewall to protect a web application. To truly achieve a high level of security, however, one must cover all the bases. In practice, this means having an effective network virus scanner that operates in real time, as well as a comprehensive network traffic tool to keep up with data movement across the network and spot potential breaches.

Integrate Security Concerns Into Your Development Cycle
When planning out the stages of development, whether you work on an agile process or a standard model, you’ll need to consider the security implications of each part of your application. From the earliest conversations about requirements and design all the way to the final testing phase, security concerns should be at the forefront of your thought process. In particular, security testing should be as important as usability testing.

Be aware of the security implications of your coding conventions
Even simple coding conventions such as file locations can have large implications for the security of a given file. While you work to create a stable code base by integrating standard practices such as basic password protection, make sure that you block all routes to sensitive files, not just the standard ones.

Test for major, known sources of hacking
While there will always be unknown vulnerabilities that require major testing and upgrades, you should always protect against the well-known, major holes that often arise in web applications. In particular, design your application to withstand SQL injection, remote code calls, format string weaknesses and XSS (cross-site scripting).
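Of the holes listed above, SQL injection and XSS are the two that a test can reliably catch in any web application, and both come down to the same mistake: treating user input as code. The following is an added example, not code from this post, showing a string-built SQL lookup beside its parameterised replacement, plus output encoding for the HTML response. It uses Python’s standard-library sqlite3 module with an in-memory table of constructed rows; the function names are this example’s own.

```python
"""String-built SQL beside the parameterised query, plus output encoding.

Added example for this tip, not code from the original post. It uses the
standard-library sqlite3 module and an in-memory table with constructed
rows; the lookup function names are this example's own.
"""
import html
import sqlite3
from typing import Any, Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Concatenates the input into the SQL text, so quotes in it become syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Binds the input as a parameter: the driver never parses it as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_name(name: str) -> str:
    """Output encoding for the HTML response, the XSS half of the same tip."""
    return '<span class="user">' + html.escape(name, quote=True) + "</span>"


def compare(conn: sqlite3.Connection, name: str) -> Dict[str, Any]:
    """Run both lookups on the same input; report rows, or 'error' if the SQL broke."""
    try:
        vulnerable: Any = find_user_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return {"vulnerable": vulnerable, "safe": find_user_safe(conn, name)}


if __name__ == "__main__":
    db = make_db()
    # A legitimate name with an apostrophe breaks the concatenated query and
    # a crafted one turns it into "match every row"; the bound query treats
    # both as plain text and returns only an exact match.
    for probe in ("bob", "o'brien", "x' OR 1=1 --"):
        print(repr(probe), compare(db, probe))
    print(render_name("<script>"))
```

The useful signal for a test suite is the second probe: an ordinary name containing an apostrophe makes the concatenated query fail outright, which is the cheapest way to find string-built SQL before anyone tries anything cleverer. The parameterised version returns the right row for that name and nothing for the crafted input, and `render_name` shows the matching rule on the output side: encode every user-controlled value at the point it is written into HTML.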

This post was written by Maya Richard, who primarily writes about high-speed internet deals. She can be reached with feedback by combining her name and gmail.com.