Recent Posts

Secure Web Application Practices – SQL Injection

January 24, 2016

SQL Injection is still the top web application security risk today according to the OWASP Top 10.

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Below are the best practices that you should follow, or look for, when reviewing an application for SQL Injection vulnerabilities.

  1. Always use parameterized queries. Most SQL injection attacks succeed because the application builds the SQL query by concatenating untrusted data, for example:
     "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
  2. Prefer an ORM. Although security is hardly the main reason for choosing an ORM framework such as Entity Framework, it is a great tool for mitigating SQL injection risks: these tools generate parameterized queries and so remove most of the concatenation risk. The following query, for instance, mitigates the SQL injection risk shown above:
     DbContext.Customers.Where(cust => cust.CustID == request.getParameter("Id"));
  3. Use stored procedures. Stored procedures promote parameterization and thus avoid the SQL injection risks that arise from concatenating queries.
  4. Stored procedures have risks as well. Look for query concatenation and dynamic queries inside stored procedures. Check for EXEC statements used to execute dynamic queries; that is usually a smell for injection risks.
  5. Follow the principle of least privilege. An application should have access only to the data it needs, and only the kind of access it needs. This may mean maintaining multiple logins, which is a maintenance trade-off.
  6. Validate untrusted data. Security is about having multiple layers of defense, so that multiple vulnerabilities must be chained to reach sensitive data. Untrusted data should be properly validated, and prefer whitelisting over blacklisting: you never know enough about what data is bad.
  7. Implement proper error handling. Internal errors should not propagate to end users; they disclose a lot of information that attackers often use for SQL injection attacks. Attackers can still use blind SQL injection, but it is much harder than error-based SQL injection.
  8. Encrypt sensitive data and hash passwords. This is another layer of defense that should always be considered: passwords should always be hashed, and any other sensitive data should be encrypted.
  9. Isolate the database network segment. Create a proper network segment and put firewall rules in place so that only designated network segments have access to the data. A typical design divides the network into Untrusted, Semi-Trusted and Trusted zones, with the database placed in the Trusted zone and only certain applications in the Semi-Trusted zone allowed to reach it. This is again about applying another layer of defense and mitigating the security risk.
  10. Keep software patched and current. Attackers usually exploit known vulnerabilities in software. Websites often continue to run older versions of software many months after risks have been identified, which makes the attack really easy. It is always better to be current and patched.
  11. Ensure OS-level commands like xp_cmdshell are disabled. Modern SQL Server keeps them disabled by default, which is what it should be: secure by default. This is a very powerful command because an attacker who gains access can run any OS-level command through it.
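As an added example (not code from the original post), items 1 and 6 side by side in Python with sqlite3: the concatenated query from item 1 next to its parameterized form, plus a whitelist check on the customer id; the accounts table, its rows and the test input are constructed for the demo.

```python
import sqlite3

# Constructed in-memory "accounts" table so the example runs offline
# (sample data is made up for this illustration, not from the post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("101", "alice", 500), ("102", "bob", 1200), ("103", "carol", 75)],
    )
    return conn

def lookup_concatenated(conn, cust_id):
    """Item 1's anti-pattern: the untrusted value becomes part of the SQL text,
    so a value containing a quote can rewrite the WHERE clause."""
    sql = "SELECT owner FROM accounts WHERE custID='" + cust_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, cust_id):
    """Hardened form: the value is bound as a parameter and is only ever
    compared as data, never parsed as SQL."""
    sql = "SELECT owner FROM accounts WHERE custID=?"
    return [row[0] for row in conn.execute(sql, (cust_id,))]

def validated_cust_id(raw):
    """Item 6, whitelist style: a customer id here is a short run of digits;
    anything else is rejected before it reaches the database layer."""
    if not (raw.isdigit() and len(raw) <= 10):
        raise ValueError("invalid customer id")
    return raw

def safe_lookup(conn, raw):
    """Layered defense: validate first, then query with a bound parameter."""
    return lookup_parameterized(conn, validated_cust_id(raw))

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"   # constructed test input standing in for untrusted request data
    print("concatenated:", lookup_concatenated(db, hostile))    # every account is returned
    print("parameterized:", lookup_parameterized(db, hostile))  # no match, nothing returned
```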

There are many automated tools that help identify such vulnerabilities quite easily. The following are some of the tools that you can use to make your job easier.

  1. SQL Inject Me (Firefox plugin): https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/
  2. Fuzz Testing with Burp Suite.
  3. Data extraction with SqlMap: http://sqlmap.org/
  4. Security scanning with Netsparker: https://www.netsparker.com/web-vulnerability-scanner/

Azure - Consuming Event Hubs from .Net

October 04, 2015

Event Hubs is a service that processes large amounts of event data from connected devices and applications. After you collect data into Event Hubs, you can store the data using a storage cluster or transform it using a real-time analytics provider. This large scale event collection and processing capability is a key component of modern application architectures including the Internet of Things (IoT).

I have a unit-test-driven repository on GitHub to show common uses of Event Hubs.

https://github.com/sanjaysingh/azure-samples/tree/master/EventHubTest

Azure VM capture is not what it sounds like

September 04, 2015

I learnt it the hard way. I was trying to capture a snapshot of my VM so that I could reuse it later to create a fresh VM in case this one went bad in any way. I saw that the Azure portal gives you a Capture option for the VM. Without reading any details and going by the name, I went ahead to capture the image. It asked me to run sysprep on the machine, which I did, and shut down the machine. When I went back to capture the image, it warned that it would DELETE this VM after the capture!!! That was a huge setback for me. That's not what I had expected a CAPTURE to be.

I did not want to delete that VM, so I thought not to go ahead with the capture. Guess what, I cannot RDC to my VM any more. Since I could not RDC, I thought maybe capturing the image and creating another VM with that image would work. But it did not, and the same issue that I could no longer RDC continued even with the machine created from the captured image. I was screwed.

That is very bad. A simple thing, like showing the warning that the VM would be deleted before I ran sysprep, would have prevented this mess.

Note that I did put effort into googling to see if there was any way out, but no luck there as well.

Be careful with VM capture on Azure.

Azure - Consuming Blob storage from .Net

July 07, 2015

Azure Blob storage is a service for storing large amounts of unstructured data, such as text or binary data, that can be accessed from anywhere in the world via HTTP or HTTPS. You can use Blob storage to expose data publicly to the world, or to store application data privately.

Common uses of Blob storage include:

  • Serving images or documents directly to a browser

  • Storing files for distributed access

  • Streaming video and audio

  • Performing secure backup and disaster recovery

  • Storing data for analysis by an on-premises or Azure-hosted service

I have a unit-test-driven repository on GitHub to show common uses of Blob storage.

https://github.com/sanjaysingh/azure-samples/tree/master/BlobStorageTest

Azure - Consuming Queue storage from .Net

June 14, 2015

Azure Queue storage is a service for storing large numbers of messages that can be accessed from anywhere in the world via authenticated calls using HTTP or HTTPS. A single queue message can be up to 64 KB in size, and a queue can contain millions of messages, up to the total capacity limit of a storage account.

Common uses of Queue storage include:

  • Creating a backlog of work to process asynchronously

  • Passing messages from an Azure Web role to an Azure Worker role

I have a unit-test-driven repository on GitHub to show common uses of Queue storage.

https://github.com/sanjaysingh/azure-samples/tree/master/QueueStorageTest

IoT Hello World - Control LED using Raspberry Pi

June 13, 2015

I used my Raspberry Pi B+ model to control an LED, just to quickly see how easy or difficult it was. It turned out to be pretty straightforward once you have the required hardware.

  1. A two-pin LED
  2. Two wires

After I installed Raspbian on the Pi using the standard guide, I installed WiringPi from https://projects.drogon.net/raspberry-pi/wiringpi/download-and-install/

For the GPIO pin layout, I referred to http://pi4j.com/pins/model-b-plus.html. Connect the long leg (+ve) of the LED to pin 11 (GPIO 0) and connect the short leg (-ve) to any Ground (I connected it to pin 6).

Note that you should also use a resistor on the ground wire to limit the current passed to the LED; otherwise it might damage your LED or even the board. I learnt that this usually happens with prolonged use, but for my 2 second demo it did not cause any issue without a resistor. So do it at your own risk.

GPIO pins can be programmatically set to either input or output mode. I saw that most of them are IN by default. I ran the following to see the pin status.

gpio readall

See that pin GPIO 0 is in IN mode. Change its mode to OUT as follows:

gpio mode 0 out


Now you are ready to turn on/off the light. Use the following two commands.

For turning on the light:

gpio write 0 1

For turning off the light:

gpio write 0 0

Save nuget feed credentials

June 02, 2015

When working with custom NuGet feeds that require authentication, Visual Studio keeps prompting for username and password and you are not able to save the password. This is really frustrating. You can run the following command to save your credentials to the nuget.config file.

nuget sources update -name "My Feed Name" -source "https://nuget.sanjaysingh.net/PackageFeeds/Stable/nuget" -UserName "dev\sanjay" -Password "password"

Ensure that you have nuget.exe downloaded and that its directory is on your PATH. You can download nuget.exe from the following location.

https://www.nuget.org/nuget.exe

This command updates the machine-wide config, which is located at %APPDATA%\NuGet\NuGet.Config