appsec - What cookie attacks are possible between computers in related DNS domains (*.example.com)?

Here, several servers in the same DNS domain emit cookies under a variety of settings (scope, HTTPS, Secure) and another host emits a cookie with the same value.

Example: Suppose a user has the following cookie set at secure.example.com:

    authCookie = SomeSessionToken (Scope example.com, Secure, HTTPOnly)

Then the user goes to blog.example.com, which is compromised (perhaps in another tab). It sets a non-HTTPOnly cookie like this:

    authCookie = AlternateSessionToken (Scope example.com, Secure, not-HTTPOnly)

Would the next request to secure.example.c...
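The scenario in the question turns on two cookie-store rules from RFC 6265: a cookie is identified by name + domain + path, so a later Set-Cookie with the same triple replaces the earlier one; and a cookie written through a non-HTTP API (document.cookie) may not replace an existing HttpOnly cookie (section 5.3, step 10). The following is an added example, not part of the question or any answer: a small Python model of just those rules, with the hostnames and token values from the question. Host-only cookies, path ordering and SameSite are deliberately not modelled.

```python
"""Minimal model of the RFC 6265 storage and selection rules that decide
which authCookie secure.example.com receives. Added illustration; the
names and values are taken from the question above."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # Domain attribute, e.g. "example.com"
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def domain_matches(host, domain):
    """RFC 6265 5.1.3: host equals domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


class CookieStore:
    def __init__(self):
        self._jar = {}  # (name, domain, path) -> Cookie

    def store(self, cookie, via_http=True):
        """Store a cookie. via_http=False models document.cookie (script)."""
        if not via_http and cookie.http_only:
            return False  # script cannot create HttpOnly cookies
        key = (cookie.name, cookie.domain, cookie.path)
        old = self._jar.get(key)
        if old is not None and old.http_only and not via_http:
            return False  # 5.3 step 10: HttpOnly cookie survives a script overwrite
        self._jar[key] = cookie  # same triple: later cookie replaces earlier one
        return True

    def cookies_for(self, host, secure):
        """Name -> value of the cookies a request to host would carry."""
        out = {}
        for c in self._jar.values():
            if not domain_matches(host, c.domain):
                continue
            if c.secure and not secure:
                continue
            out[c.name] = c.value
        return out


def run_scenario(blog_sets_via_http):
    """Which authCookie value does secure.example.com get after blog.example.com
    sets its own? blog_sets_via_http=True models a Set-Cookie header from the
    compromised blog server, False models document.cookie in its page."""
    jar = CookieStore()
    jar.store(Cookie("authCookie", "SomeSessionToken", "example.com",
                     secure=True, http_only=True), via_http=True)
    jar.store(Cookie("authCookie", "AlternateSessionToken", "example.com",
                     secure=True, http_only=False), via_http=blog_sets_via_http)
    return jar.cookies_for("secure.example.com", secure=True)["authCookie"]


if __name__ == "__main__":
    print("blog sets via Set-Cookie header:", run_scenario(True))
    print("blog sets via document.cookie:  ", run_scenario(False))
```

The model shows the asymmetry a practitioner cares about: HttpOnly only protects the cookie from scripts, so a compromised server in the same registrable domain can still replace it with its own Set-Cookie header, whereas script on the blog page is refused.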

appsec - How to securely hash passwords?

If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone?

I should point out that this relates only to retrieval directly from the database, and not any other type of attack, such as brute-forcing the login page of the application, a keylogger on the client, and of course rubber-hose cryptanalysis (or nowadays we should call it "Chocolate Cryptanalysis").

Of course any form of hash will not prevent those attacks....
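As an added example (not from the question or its answers), here is the difference between "just hashing" and a salted, iterated password hash, using only the Python standard library. PBKDF2-HMAC-SHA256 stands in for bcrypt, scrypt or Argon2, which need third-party packages; the iteration count and storage format are illustrative choices made here, not a standard.

```python
"""Unsalted hash versus salted, iterated hash (PBKDF2-HMAC). Added example;
the 'pbkdf2_sha256$iters$salt$dk' record format is an assumption of this
snippet, not a standard."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # illustrative; tune so one hash costs ~100 ms on your hardware


def naive_hash(password):
    """Plain SHA-256: equal passwords give equal hashes, so precomputed
    tables and fast GPU guessing apply directly to a stolen table."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, iterations, salt, derived key."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format: %s" % algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations=1000):
    """Constructed comparison on one password (low iterations to keep it quick)."""
    a = hash_password("correct horse", iterations=iterations)
    b = hash_password("correct horse", iterations=iterations)
    return {
        "naive_same_for_same_password": naive_hash("correct horse") == naive_hash("correct horse"),
        "salted_records_differ": a != b,
        "verify_correct": verify_password("correct horse", a),
        "verify_wrong": verify_password("wrong", a),
    }


if __name__ == "__main__":
    print(demo())
```

The salt makes each stored record unique even for identical passwords, and the iteration count makes each guess cost the attacker roughly what it costs the server; neither helps against the out-of-scope attacks the question lists (keyloggers, login brute force), which bypass the stored hash entirely.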

appsec - How much does a security audit cost?

For a PHP CMS, what should I expect to budget for a security audit, both whitebox and blackbox? The codebase is about 85,000 LOC ("Lines of Code") and I would probably use a North American company for testing. I really have no idea if an audit would cost $10-20k or well over $100k. I'm not asking for an exact quote, just a general guesstimate so that I know what to expect. If you could separate your estimates between blackbox and whitebox testing, that would also be helpful.

Edit: I'll try to list as many factors as I can.

Type of app: A web conte...

appsec - Protect application from being modified

I have a question about how to protect a program from modification if that program is able to communicate with a remote validation server. More specifically, I'm asking about an Android APK file, but it can apply to any other program as well. I imagine the following hypothetical scenario:

There is an APK installation file that the user is downloading and installing on his device.
The application, after being installed and used, is sending "some information" about its integrity to a remote server.
The server is validating that the program is OK or is modifie...

appsec - Can apps be trusted when requesting your credentials?

I recently bought a newsreader app for my tablet that connects to Google Reader. To do so, it required my Google account password. Isn't this effectively the same as handing the password to the developers of said app? I wouldn't care about someone else reading my feeds, but this could be used to access my private email as well... Isn't this an extremely efficient method of gathering passwords and a terrible security risk for users?...

appsec - How secure are the default ASP.NET membership and role providers for Sql Server?

I have a very basic idea of how these work. I've used them many times when I needed a user management system rather than writing my own. But should I use these for a production system? Would Windows user accounts actually provide more security than these accounts in the database tables, given a small user base with verification of new users before activation?

I do believe that this system of course is more secure than anything I could write, but are there any hardening measures I should be taking, or a 3rd party provider that's much better?...

appsec - Is it a vulnerability to display exception messages in an error page?

Our web application has an error page that displays the absolute URL path and query of the page on which the error occurred, the date/time of the error, and the exception message. (We do not display the stack trace. That is an obvious vulnerability.)

Is it a vulnerability to display exception messages in an error page?

For maximum security, what should we display in an error page? What should we not display?

EDIT: My hunch is that it is a vulnerability, but I want to hear an expert opinion....
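An added example, not part of the question: the two error-page designs side by side. The "unsafe" renderer echoes the exception message as the question describes; the "safe" one logs path, time and full traceback server-side under a random reference id and shows the user only that id. The sample exception, whose message carries a database connection string, is constructed to show the kind of detail that exception messages routinely contain; the logger name and message format are this snippet's own choices.

```python
"""Error page rendering: raw exception message versus reference id.
Added example with a constructed exception; no real framework involved."""
import logging
import secrets
import traceback

log = logging.getLogger("app.errors")  # assumed logger; configure handlers as you see fit


def render_error_unsafe(exc, path):
    """The design from the question: path plus the raw exception message."""
    return {"path": path, "message": str(exc)}


def render_error_safe(exc, path):
    """Log everything needed for debugging under a random reference id and
    give the user only that id and a fixed message."""
    ref = secrets.token_hex(8)
    log.error("ref=%s path=%s exc=%r\n%s", ref, path, exc,
              "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    return {"reference": ref,
            "message": "An internal error occurred. Quote reference %s to support." % ref}


def demo():
    """Constructed: a driver error whose message embeds credentials and an
    internal hostname, rendered both ways."""
    try:
        raise ConnectionError("could not connect: host=db.internal user=app password=hunter2")
    except ConnectionError as exc:
        unsafe = render_error_unsafe(exc, "/admin/report?id=7")
        safe = render_error_safe(exc, "/admin/report?id=7")
    return {
        "unsafe_leaks_secret": "password=" in unsafe["message"],
        "safe_leaks_secret": "password=" in safe["message"] or "db.internal" in safe["message"],
        "reference_length": len(safe["reference"]),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(demo())
```

The reference id keeps the support workflow the detailed page was serving (a user can still report exactly which failure they hit) without putting hostnames, file paths, SQL fragments or credentials in front of an anonymous visitor.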

appsec - Prevent manipulation of password database

Given: A malicious user has gained (root) access to the server hosting an application's password database. Let's say the application is using a reliable password hashing mechanism like bcrypt and the password database is storing the relevant information - username, hash, salt, # iterations...

Is it possible to prevent the malicious user from creating their own admin user in the database and successfully logging into the application with full rights? Presumably they could INSERT a new admin user into the database with their own bcrypt'ed password...

appsec - What risks should I be aware of before allowing advertisements being placed on my website?

The thought of having a 3rd party send javascript and images to end users seems to be a scary thought, but that is exactly what we are doing when I place advertisements onto my site. Does serving advertisements from AdSense, or any of the online marketing companies, decrease the safety of my browsing session?

What is the maximum damage a malicious advertisement could do?

Suppose my business model requires serving ads; how can I safely serve advertisements on my site? What precautions can I take?...

appsec - Intel SGX and MSRs - what do developers need to know?

Intel SGX is an intriguing new technology that will ship as part of upcoming Intel processors. It is designed to enable running software in a secure enclave. Code running in the enclave will be isolated by the hardware from untrusted code running on the same processor, so you can execute security-critical code in the enclave and protect it from attack. While SGX is not supported in currently available processors, Intel suggests that it will be available soon. The hope is that this might provide a strong foundation for certain kinds of isola...

appsec - Can my machine be compromised if I use an outdated application and the input data is trusted?

Suppose I decide to use an outdated application for some reason: maybe I can't update it for compatibility reasons, or updates are not provided in the official repositories I use, or maybe I just don't feel like upgrading it because it just works and I see no reason to update it. For all I know, this application might be full of vulnerabilities that were only patched in later versions.

The question is: can I get infected by using such an application if its input data is trusted? For example, I'm not talking about a PDF reader that you can use to...

appsec - Can you exploit an application that imports a vulnerable library, but does not actually use the classes from the library?

Suppose you have a vulnerable library, vuln-lib.jar, that you then import into your source code but never actually use:

    // My imports
    import com.vuln.lib.*;

    // My code ...

And you go on to deploy this application to a server. Is it possible to exploit a known vulnerability in this library even if your code does not use any of the classes the library provides as part of the source code? And if so, how would that happen?...

appsec - Code Injection detection on Web Servers

Recently I found one of my web servers hacked, with malicious code injected into websites hosted there. It wasn't exactly my fault, as I shared the server with other people and someone put some unsafe script/website on the server. Luckily for me there was no damage or data loss. But it got me thinking. I found out about the breach totally by accident: I simply tried to pull some updates to another script from my Git repository and it returned an error about uncommitted modified files in my working copy.

In most cases there is no access to shell on ...
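The accidental detection described above (Git noticing modified files) generalises to a file-integrity baseline that does not need a repository or a shell on the host: hash every file under the web root, store the hashes somewhere the attacker cannot reach (another machine, or at least outside the web root), and diff later. The following is an added example, not from the question; the web root layout and the injected content are constructed for the demonstration.

```python
"""File-integrity baseline for a web root: snapshot, store, compare.
Added example; demo() builds a constructed web root in a temp directory."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every regular file under root.
    Symlinks are skipped so the walk cannot be steered outside the tree."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            out[os.path.relpath(full, root)] = hash_file(full)
    return out


def save_baseline(snap, baseline_path):
    """Write the baseline as JSON; keep this file off the web server."""
    with open(baseline_path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(baseline_path):
    with open(baseline_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a two-file PHP site, then inject a
    script tag into index.php and drop a new file, as in the question."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "inc", "config.php"), "w") as f:
        f.write("<?php $db = 'example'; ?>\n")
    baseline_file = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(snapshot(root), baseline_file)

    # simulated tampering (constructed, inert content)
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("<script src='http://injected.invalid/x.js'></script>\n")
    with open(os.path.join(root, "inc", "upload.php"), "w") as f:
        f.write("<?php /* dropped file */ ?>\n")

    return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run snapshot() from a cron job or from a separate host that mounts the web root read-only, and expect noise from directories that legitimately change (upload folders, caches); exclude those explicitly rather than ignoring the whole report.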

appsec - Storing sensitive information securely

I know there have been a few questions about this already, but I just wanted to know if anyone can take a look at my design plans to see if there are any gaping security holes. I am in the process of making a web application which securely stores sensitive information that can then be retrieved by staff members who have access to it.

I have two servers - a main server and a decryption server. The main server stores the encrypted data, authenticates the users, outputs the HTML, etc. The decryption server only stores a partial private key and does...