Chapter 9 - 01 - Understand Secure Application Design and Architecture - 06_ocred.pdf
EC-Council
Certified Cybersecurity Technician Application Security Exam 212-82

Secure Coding Practices: Output Encoding

Output encoding is a secure coding technique used to convert special characters into a different format so that they are no longer vulnerable at the target interpreter. It allows unsafe characters but renders them as harmless text. Output encoding converts input characters into their equivalent encoded values, which are then sent to web pages. This type of encoding prevents attacks such as cross-site scripting (XSS).

For example, consider HTML encoding. An HTML encoding scheme is used to represent unusual characters so that they can be safely combined within an HTML document. HTML encoding replaces unusual characters with strings that can be recognized, while the various other characters define the structure of the document. If you want to use the same characters as those contained in the document, you might encounter problems. These problems can be overcome using HTML encoding. It defines several HTML entities to represent particularly unusual characters such as & and <.

Module 09 Page 1167
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
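The HTML encoding described above, as an added example that is not part of the EC-Council course material: the entity table is written out explicitly so the substitution is visible, the encoding is applied at the point of output (when the fragment is assembled), and the result is cross-checked against Python's standard html.escape. The function names, the sample comment input and the entity for the single quote are this example's own choices.

```python
# Added example (not from the course material): HTML output encoding with
# an explicit entity table, applied where untrusted data is written into HTML.
import html

# Characters that carry meaning to an HTML parser, and the entity that makes
# the browser treat each one as literal text instead.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}
# str.translate replaces every character in a single pass, so the "&" that
# starts each entity is never itself re-encoded within one call.
_TABLE = str.maketrans(HTML_ENTITIES)


def html_encode(text: str) -> str:
    """Encode untrusted text for an HTML text node or a quoted attribute value."""
    return text.translate(_TABLE)


def render_comment(author: str, body: str) -> str:
    """Build a fragment from untrusted input. Encoding happens at output time,
    in the HTML context, rather than on input where the context is unknown."""
    return (
        f'<div class="comment" data-author="{html_encode(author)}">'
        f"<p>{html_encode(body)}</p></div>"
    )


def matches_stdlib(text: str) -> bool:
    """Sanity check: the table agrees with html.escape(text, quote=True)."""
    return html_encode(text) == html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed sample input: a user-supplied comment containing markup.
    user_body = 'Tom & Jerry say <b>"hi"</b>'
    print(render_comment("mallory's pal", user_body))
```

Encode exactly once, at the output boundary: encoding the same string twice turns `&` into `&amp;amp;`, which the browser shows to the user as literal `&amp;`.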
Secure Coding Practices: Error/Exception Handling

Exceptions are the unusual errors that arise during the execution of a program or an application. As these exceptions arise at runtime, they cannot be handled or resolved at compile time. Exception handling is a mechanism that anticipates, detects, and resolves programming errors during execution of the application.

Improper error or exception handling may crash the whole system or may fail in the middle of important operations. It may affect the confidentiality, integrity, and availability of sensitive data in an application. Insecure error handling may give a path to the attacker to carry out an attack on the application. A detailed error message may give information about the internal structure of the application. Such errors can also help the attacker to constrain the search space to carry out attacks. The error handling mechanism needs to be secure so that it can prevent the application from entering into an unknown state.

Module 09 Page 1168
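One way to apply the guidance above in a web handler, as an added example that is not from the course material: the full exception and traceback go to the server-side log under a correlation ID, while the client receives only a generic message and that ID. The contrasting handle_request_insecure function is a hypothetical "before" version that echoes internal detail, and lookup_account is a constructed handler used only to trigger a failure.

```python
# Added example (not from the course material): secure versus insecure
# exception handling at the boundary between an application and its clients.
import logging
import traceback
import uuid
from typing import Callable, Tuple

log = logging.getLogger("app.errors")


def handle_request(handler: Callable[[], str]) -> Tuple[int, str]:
    """Run a handler. On failure, keep the detail (type, message, stack) in
    the server log keyed by a reference ID and return a generic response,
    so the application neither crashes nor reveals its internal structure."""
    try:
        return 200, handler()
    except Exception:
        ref = uuid.uuid4().hex
        log.error("unhandled exception ref=%s\n%s", ref, traceback.format_exc())
        return 500, f"An internal error occurred. Reference ID: {ref}"


def handle_request_insecure(handler: Callable[[], str]) -> Tuple[int, str]:
    """Hypothetical 'before' code: the exception and stack trace are echoed
    to the caller, exposing exception types, file paths and line numbers."""
    try:
        return 200, handler()
    except Exception as exc:
        return 500, f"Error: {exc!r}\n{traceback.format_exc()}"


def lookup_account(account_id: str) -> str:
    """Constructed handler: raises KeyError for an unknown account ID."""
    records = {"1001": "balance=42.00"}  # constructed sample data
    return records[account_id]


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_request(lambda: lookup_account("9999")))
    print(handle_request_insecure(lambda: lookup_account("9999")))
```

The reference ID is what support staff use to find the logged traceback; the client-facing text stays the same for every failure, so error responses give no signal that narrows an attacker's search space.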
Secure Coding Practices: Secure Session Cookies

Browsers use cookies to maintain a session state. They also contain sensitive, session-specific data (e.g., user IDs, passwords, account numbers, links to shopping cart contents, supplied private information, and session IDs). Attackers engage in cookie/session poisoning by modifying the data in the cookie to gain escalated access or maliciously affect a user session. Developers must hence follow secure coding practices to secure web applications against such poisoning attacks. They must use proper session-token generation mechanisms to issue random session IDs.

Considerations for secure session cookies:
- Do not store plaintext or weakly encrypted passwords in cookies
- Implement cookie timeout
- Cookie authentication credentials should be associated with an IP address
- Make logout functions available
- Validate all the cookie values to ensure that they are well-formed and correct
- Employ cookie randomization to change the website or service cookie whenever the user makes a request

Module 09 Page 1169
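A minimal session store that applies every item in the list above, as an added example that is not from the course material: random IDs from the CSPRNG in Python's secrets module, a timeout, binding to the client IP, validation of the cookie value's form before lookup, a logout, and rotation of the ID on each request. The class and function names, the 15-minute TTL, the cookie name and the IP addresses in the walk-through are this example's own assumptions.

```python
# Added example (not from the course material): a server-side session store
# and Set-Cookie builder following the secure session cookie considerations.
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL_SECONDS = 15 * 60  # assumed timeout
# secrets.token_urlsafe(32) yields exactly 43 base64url characters; any other
# shape is malformed and is rejected before the store is consulted.
_SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


@dataclass
class Session:
    user_id: str        # only an identifier lives server-side; no password
    client_ip: str      # the address the session was issued to
    expires_at: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised offline
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, client_ip,
                                      self._clock() + SESSION_TTL_SECONDS)
        return sid

    def resolve(self, cookie_value: Optional[str], client_ip: str) -> Optional[str]:
        """Validate the cookie, enforce timeout and IP binding, then rotate.
        Returns the new session ID to set, or None if the cookie is rejected."""
        if not cookie_value or not _SESSION_ID_RE.match(cookie_value):
            return None
        sess = self._sessions.pop(cookie_value, None)  # old ID can't be replayed
        if sess is None:
            return None
        if self._clock() >= sess.expires_at or sess.client_ip != client_ip:
            return None
        new_sid = secrets.token_urlsafe(32)
        sess.expires_at = self._clock() + SESSION_TTL_SECONDS
        self._sessions[new_sid] = sess
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        sess = self._sessions.get(sid)
        return sess.user_id if sess else None

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value with the flags a session cookie should carry."""
    return (f"session={sid}; Max-Age={SESSION_TTL_SECONDS}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


def run_scenario() -> Dict[str, bool]:
    """Constructed walk-through with a fake clock so the timeout is testable."""
    now = [1_000.0]
    store = SessionStore(clock=lambda: now[0])
    first = store.create("alice", "10.0.0.5")
    rotated = store.resolve(first, "10.0.0.5")
    results = {
        "id_is_random_43_chars": len(first) == 43 and first != rotated,
        "malformed_rejected": store.resolve("bad;id", "10.0.0.5") is None,
        "old_id_invalidated": store.user_for(first) is None,
        "new_id_valid": store.user_for(rotated) == "alice",
    }
    now[0] += SESSION_TTL_SECONDS + 1
    results["expired_rejected"] = store.resolve(rotated, "10.0.0.5") is None
    other = store.create("bob", "10.0.0.7")
    results["ip_mismatch_rejected"] = store.resolve(other, "198.51.100.9") is None
    results["cookie_flags"] = all(f in set_cookie_header(other)
                                  for f in ("Secure", "HttpOnly", "SameSite"))
    store.logout(other)
    results["logout_clears"] = store.user_for(other) is None
    return results


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check:24s} {'ok' if ok else 'FAIL'}")
```

Binding to the client IP is done here exactly as the list states; in practice mobile and proxied clients change address mid-session, so many deployments bind to coarser signals instead, which is a deployment decision rather than a coding one.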
Secure Coding Practices: Secure Response Headers

Many security implementations can be applied to response headers from a host or server. A secure response header enhances the security of the web page or application in the global network. Security headers or policy settings harden the application against security attacks and prevent browsers from delivering vulnerable resources. Within the limits of the application's compatibility and accessibility, programmers can enforce functionality via the headers, making the application secure and flexible. The following are some of the most common security header implementations.

- HTTP Strict Transport Security (HSTS)
  HSTS enables web servers to force web browsers to interact with them using HTTPS. With the HSTS header option, all insecure HTTP connections are automatically converted into HTTPS connections. This policy ensures that all the communication between a web server and a web browser is encrypted and that all responses that are delivered and received originate from an authenticated server.

- Content Security Policy (CSP)
  CSP is another type of secure HTTP header response that can be used by modern web browsers to improve the security of the web page. By implementing CSP, the browser can be safeguarded from XSS, code injection, clickjacking, and other types of attacks. CSP allows an administrator to efficiently control the content resources that are directed to the user agent.

Module 09 Page 1170

- Cache Control
  This type of HTTP header is set to determine whether the browser needs to cache requests or responses because, occasionally, caching private or sensitive information related to users can have unwanted consequences. It operates based on the directives or rules implemented for caching requests/responses. The caching policy can also be used to determine the location at which the resources are to be cached as well as the time-to-live for the cached resources.

Module 09 Page 1171
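The three headers described above, built and audited in code, as an added example that is not from the course material. security_headers returns a header set for a response, with Cache-Control chosen by whether the response carries private data; audit_headers checks any header set for a missing or weakened HSTS, CSP or Cache-Control value. The specific directive values (a one-year HSTS max-age, a same-origin CSP, no-store for sensitive pages) are common choices assumed by this example, not values stated in the course text.

```python
# Added example (not from the course material): building and auditing the
# HSTS, CSP and Cache-Control response headers.
from typing import Dict, List, Optional

ONE_YEAR = 365 * 24 * 60 * 60  # assumed HSTS lifetime


def security_headers(sensitive: bool = True) -> Dict[str, str]:
    """Header set for a response; sensitive=True marks user-private content."""
    headers = {
        # HSTS: the browser upgrades later http:// requests to https://
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
        # CSP: only same-origin scripts/resources, no plugins, no framing
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "frame-ancestors 'none'; base-uri 'self'"
        ),
    }
    if sensitive:
        headers["Cache-Control"] = "no-store"          # never written to any cache
    else:
        headers["Cache-Control"] = "public, max-age=3600"  # cacheable for an hour
    return headers


def _directive_value(header: str, name: str) -> Optional[str]:
    """Return the value of `name=...` inside a ';'-separated header value."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == name:
            return value.strip()
    return None


def audit_headers(headers: Dict[str, str], sensitive: bool = True) -> List[str]:
    """Return findings for a response's headers; an empty list means OK."""
    norm = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = norm.get("strict-transport-security", "")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = _directive_value(hsts, "max-age")
        if not max_age or not max_age.isdigit() or int(max_age) == 0:
            findings.append("HSTS max-age is zero or missing")

    csp = norm.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "default-src *" in csp:
        findings.append("CSP permits inline scripts or any origin")

    cache = norm.get("cache-control", "")
    if sensitive and "no-store" not in cache:
        findings.append("sensitive response lacks Cache-Control: no-store")
    return findings


if __name__ == "__main__":
    # Constructed header set from a hypothetical legacy response.
    legacy = {"Content-Type": "text/html", "Cache-Control": "private, max-age=60"}
    print("hardened:", audit_headers(security_headers()))
    print("legacy:  ", audit_headers(legacy))
```

Running the audit over captured responses from a staging environment is a quick way to find pages that set headers inconsistently, which is where the caching of private data the text warns about typically slips in.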