catch the security flaw #5 (flaw and its countermeasure)

In my last post, I showed input validation code that uses RegularExpressionValidators improperly. Thanks to Mathew Grabau and Marius Cristian CONSTANTIN for pointing out that the Page’s IsValid property has not been checked before using the input. As a result, effectively, the code performs only client side validation, which can easily be bypassed. As a…


Catch the security flaw #5

A lot of web applications use RegularExpressionValidators for performing input validation [1]. Sometimes these validators are not implemented properly, which can lead to potential flaws. See if you can catch the flaw here:- Code for Default.aspx:- 1: <%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeFile="Default2.aspx.cs" Inherits="Default2" %> 2: <html xmlns="" > 3: <body> 4: <form id="form1" runat="server">…


Catch the Security Flaw(s) #4

Identify as many security issues as you can with this piece of code:- 1:     [WebMethod] 2: public string GetEmpName(string empid) 3: { 4: SqlConnection con = new SqlConnection(“server=.;database=test;uid=sa;pwd=PassW2rd12”); 5: SqlCommand cmd = new SqlCommand(“select username from users where id = ” + empid, con); 6: con.Open(); 7: string empname = (string)cmd.ExecuteScalar(); 8: con.Close(); 9: return…


NASSCOM – DSCI Information Security Summit 2008 Security Tutorial

My colleague Sagar and I will be conducting an application security workshop at the NASSCOM – DSCI Information Security Summit 2008 on the 1st December in IIIT, Hyderabad, India. More information can be found here:-  The agenda is here:-


How To: Configure permissions in Out-of-the-box MOSS 2007 Approval Workflow such that “Approvers” cannot edit or delete the item to be approved

1. Consider a Microsoft Office SharePoint Server 2007 site that will be used as a “Document Approval System”. Certain users will be “Editors” and they will be able to upload documents for approval. Another set of users will be “Approvers”. These users can either approve or reject the uploaded documents. The security requirement is that…


Catch the Security Flaw #3

Quite a few web applications encrypt query string values. This is generally done as an added measure to prevent unauthorized access. Since the end user cannot chose a value and then encrypt it, changing parameters becomes difficult. But encryption is not a panacea. See if you can spot this bug. The code behind file looks…


Confusion property of symmetric block ciphers

Modern symmetric block encryption algorithms need to satisfy a number of properties to be considered strong. One such property is the property of “Confusion”. What it means is that if an attacker is conducting an exhaustive key search, and if the key being tested is incorrect only in a few bits, the decrypted text should…


catch the security flaw #2 (flaw and its countermeasure)

In my previous “Catch the Security Flaw” post I wrote about a flawed CAPTCHA implementation. In this post I discuss what are the flaws in that implementation and how to prevent them. Before I go into the exact flaws, let us agree upon a standard notation to describe the flow of data. C stands for…


Catch the security flaw #2

Consider a fictional web site that lets you create new accounts (as shown below).   This site implements CAPTCHA to prevent a malicious user from creating large number of false accounts by running an automated script. The following code is used to implement the CAPTCHA. What do you think is the flaw here? public partial…


Catch the security flaw #1 (Flaw and its countermeasure)

It is time to discuss the flawed code that I posted a couple of weeks back. The comments posted were good and in essence summarize the flaw. The circled part is an example of an embedded code block. The query string parameter “id” will be inserted inside the <% %> block, creating HTML at the client…