One Stack Exchange poster mentioned a piece of commercial code that kept crashing. The company wondered why. This error-handling (or error-ignoring) routine was the problem:
/* FIXME! */
One of the biggest dangers that emerge from coding flaws is making software more vulnerable to attack or misuse.
Opening the door to the system
Chen Levkovich, CEO of Zuznow, says that using the exec command in PHP is a mistake because it can give someone root access. “If you don’t properly pass parameters without thinking about security, there’s a chance someone [could break in],” he said.
exec($args, $output, $return_var);                 // $args built from user input reaches the shell unescaped
$escaped_command = escapeshellcmd($args);          // neutralises shell metacharacters in the command string
exec($escaped_command, $output, $return_var);      // the escaped string is what the shell now sees
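The same mistake and its two remedies, as an added illustration in Python rather than the article's PHP (this is not code from the article or from Zuznow; the command, the "filename" input and the use of wc and echo are constructed for the demonstration). The first function builds the command the risky way, the second quotes the argument so the shell treats it as one word (the role escapeshellarg plays in PHP), and the third avoids the shell entirely by passing an argument list, which is the option to prefer whenever the command itself is fixed.

```python
import shlex
import subprocess

# Constructed untrusted input: a "filename" that carries shell metacharacters.
UNTRUSTED_ARG = "report.txt; id"


def build_unquoted(filename: str) -> str:
    """The risky pattern: untrusted text concatenated straight into a shell command string."""
    return "wc -l " + filename


def build_quoted(filename: str) -> str:
    """Quote the single argument so the shell sees exactly one word (cf. PHP's escapeshellarg)."""
    return "wc -l " + shlex.quote(filename)


def words_seen_by_shell(command: str) -> list:
    """Tokenise the string the way a POSIX shell would, keeping ';', '|' and '&' as
    separate tokens, so we can inspect what would actually execute without running it."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def run_without_shell(filename: str) -> str:
    """Preferred remedy: pass argv as a list and never involve a shell, so metacharacters
    stay literal data. echo merely reflects the argument back to show it arrived intact."""
    completed = subprocess.run(["echo", filename], capture_output=True, text=True, check=True)
    return completed.stdout.rstrip("\n")


if __name__ == "__main__":
    print(words_seen_by_shell(build_unquoted(UNTRUSTED_ARG)))  # two commands: wc, then id
    print(words_seen_by_shell(build_quoted(UNTRUSTED_ARG)))    # one command, one argument
    print(run_without_shell(UNTRUSTED_ARG))                    # the argument, verbatim
```

Tokenising the unquoted string shows the shell would run a second command; the quoted string and the argv list both keep the whole input as a single argument.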
SQL statement passing
According to Oliver Lavery, vice president of research at IMMUNIO, a real-time web application security vendor, directly passing SQL statements opens a door for a SQL injection attack. “The attacker can cause the program to confuse what it thinks is data and control statements,” Lavery said. By sending a statement to end the data stream, the attacker can then send commands to take control of the system. Instead, pass parameters. Here’s a Java example followed by a better way.
String sqlQuery = "SELECT * FROM custTable WHERE User='" + username + "' AND Pass='" + password + "'"; // user input becomes part of the SQL text
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM custTable WHERE User=? AND Pass=?"); // placeholders instead of concatenation
stmt.setString(1, username); stmt.setString(2, password); // the driver binds the values as data, never as SQL
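To make the difference concrete, here is an added, runnable version of the two queries in Python against an in-memory SQLite table (this is not the article's code; the table contents, the column names reused from the article's query, and the crafted username are constructed for the demonstration). The concatenated query lets a username that contains a quote and a comment marker rewrite the WHERE clause; the parameterised query treats the same text as an ordinary, non-matching username.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the article's custTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custTable (User TEXT, Pass TEXT)")
    conn.executemany(
        "INSERT INTO custTable VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The vulnerable pattern: user input is spliced into the SQL text itself."""
    sql = "SELECT User FROM custTable WHERE User='" + username + "' AND Pass='" + password + "'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The better way: placeholders in the SQL, values bound separately by the driver."""
    sql = "SELECT User FROM custTable WHERE User=? AND Pass=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed input: closes the string, makes the condition always true, comments out the rest.
INJECTED_USER = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(login_concatenated(db, INJECTED_USER, "anything"))   # every account matches
    print(login_parameterised(db, INJECTED_USER, "anything"))  # [] : no such user
    print(login_parameterised(db, "bob", "hunter2"))           # ['bob'] : normal login still works
```

The check a practitioner wants is the second call: with parameters bound, the crafted username simply fails to match, and a legitimate login continues to succeed.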
The dangerous curl command
David Pellerin, a senior tech lead with custom software designer TWG, is amazed that the Unix curl command, used for testing or mirroring websites, allows an insecure mode that effectively bypasses SSL/TLS, trusting that all sites are on the up and up. “For local development and testing, this is fine, but my main point is that sometimes these tools get used in production scenarios, and I feel like it should be much harder to bypass these security features than by simply passing in a simple argument like that,” Pellerin said.
$ curl --insecure   # short form -k: skips certificate verification
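Since Pellerin's concern is this flag reaching production, one defensive check is to scan deployment and CI scripts for curl invocations that disable verification. The following added Python scanner is not from the article or from TWG; the sample script lines, hostnames and file paths are constructed. It goes a little beyond the flag shown above by also catching the short form -k, including when it is bundled with other short flags (for example -sSkL).

```python
import shlex

# Constructed sample lines, as they might appear in a deploy script or CI job.
SAMPLE_SCRIPT = """\
#!/bin/sh
curl -sS https://updates.example.internal/manifest.json -o manifest.json
curl -k https://updates.example.internal/manifest.json -o manifest.json
curl --insecure -sS -o pkg.tgz https://updates.example.internal/pkg.tgz
curl -sSkL -o pkg.tgz https://updates.example.internal/pkg.tgz
curl --cacert /etc/pki/internal-ca.pem https://updates.example.internal/pkg.tgz
"""


def disables_tls_verification(tokens: list) -> bool:
    """True if a curl argv turns off certificate checks: --insecure, or a short-flag
    group such as -k or -sSk. Only lower-case k counts; -K is curl's --config."""
    for tok in tokens[1:]:
        if tok == "--insecure":
            return True
        if tok.startswith("-") and not tok.startswith("--") and "k" in tok[1:]:
            return True
    return False


def find_insecure_curl(script: str) -> list:
    """Return (line_number, line) for every curl invocation that disables verification."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: not parseable as one shell line, skip it
        if tokens and tokens[0] == "curl" and disables_tls_verification(tokens):
            findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    for lineno, line in find_insecure_curl(SAMPLE_SCRIPT):
        print(f"line {lineno}: {line}")
```

Run over the sample, the scanner reports lines 3, 4 and 5 and leaves the plain and --cacert invocations alone; the last of those shows the usual fix for internal services, pointing curl at the private CA instead of switching verification off.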
Verifying a password can go wrong easily. Developers may assume that cryptography is enough. “But a lot of times that web application has a config file on the server with the password to the key,” Pellerin said. Even hashing can go wrong, as with the Ruby code below that uses the SHA-256 hashing algorithm with no salt value. “This is dangerous because many programmers will think, ‘Oh this must be secure—I’m using a one-way hashing function!’ But in reality the hashed data can be cracked in under one second using ‘rainbow tables.’”
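The contrast Pellerin describes, as an added example in Python rather than Ruby (not code from the article or from TWG; the passwords and the storage format are constructed). The unsalted function gives every user with the same password the same digest, which is exactly what a precomputed table exploits. The salted version draws a random 16-byte salt per password, runs PBKDF2-HMAC-SHA256 so each guess costs the attacker many hash computations, stores the salt and iteration count alongside the digest, and compares in constant time when verifying.

```python
import hashlib
import hmac
import os
from typing import Optional


def unsalted_sha256(password: str) -> str:
    """The pattern the article warns about: identical passwords always produce
    identical digests, so one precomputed table covers every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, iterated hash. Constructed storage format: iterations$salt_hex$digest_hex,
    so everything needed to verify later travels with the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison itself leaks nothing about how many bytes matched."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users who happen to pick the same password.
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))    # True: same digest, table lookup works
    print(hash_password("hunter2") == hash_password("hunter2"))        # False: different salts, no shared table
    stored = hash_password("hunter2")
    print(verify_password("hunter2", stored), verify_password("hunter3", stored))  # True False
```

The iteration count is the knob that should rise over time; because it is stored with each record, old entries keep verifying while new ones are hashed at the higher cost.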