Posts

Showing posts with the label web

Web Application Security Issues & Solution using UML

I was once involved in reviewing our company’s application architecture to identify security risks and recommend possible mitigation solutions. Since every organisation has its own unique constraints, available resources, and risk appetite, the solution herein might not apply to other organisations. Nevertheless, this post showcases what one can do with UML to document and explain (pictorially) security flaws in application architecture. The as-is architecture follows. A detailed explanation follows: The system (under design) is a Java Enterprise Application that is deployed in AppSvr (Application Server) within the Internal zone. The deployed application consists of both HTML-based as well as SOAP-based services. The 2 WebSvr’s ([Apache] Web Server) in the DMZ act as proxies. There is a load-balancing appliance used to balance requests to the web servers. A request pool has been created on the appliance (WebPool). The (public) user would access the URL endpoint of the appli...

Issues with IE Compatibility

Be aware of the difference between the Browser Mode and the Document Mode.
- Browser Mode is controlled by the client browser; it is affected primarily by the "Compatibility View" settings as well as the domain.
- Document Mode is controlled by the web server and/or the web page.
Using IE 8-9, some strange behaviour has been observed. Enabling Compatibility View (for either intranet or all websites) would result in the following for affected sites:
- IE conditional comments would detect IE7
- User-agent sent would be IE7 (compatible)
- Browser mode would show IE 9 Compatibility View
- Document mode would be IE 7 standard
The above behaviour would not be affected by X-UA-Compatible meta-tags within the page. However, sending the X-UA-Compatible HTTP header would alter the behaviour as follows:
- IE conditional comments would detect IE9
- User-agent sent would be IE7 (compatible)
- Browser mode would show IE 9 Compatibility View
- Document mode would depend on the value o...

HTTP Redirection

According to the HTTP specs, there are a number of HTTP codes used to redirect browser clients.
- 301 Moved Permanently: Permanent redirect. The document has moved permanently; future requests should use the redirected URL instead. The response is cacheable. Modern browsers change the HTTP method to a GET, with the exception of IE (which preserves the HTTP HEAD and DELETE methods).
- 302 Found: Temporary redirect. To be superseded by 303 and 307. The response may be cached if the headers allow for it. Most modern browsers treat this as 303, with the exception of IE (which treats it as 307).
- 303 See Other: The request should be redirected to a GET regardless of the original request method. The response must not be cached. Supported by all modern browsers.
- 307 Temporary Redirect: Temporary redirect. The request should be redirected to the redirected URL. The original request method is to be preserved, and a POST request should be re-posted. Response may be cac...

Cookie, Security, OWASP

We just had a Security Assessment for our web applications. Some points of interest follow:
Cookie XSS security: Where possible, all cookies should be configured to be httpOnly. This is to prevent client-side scripts or applets from accessing the cookie. Incidentally, this is the default for the ASP.NET session cookie and cannot be changed via the httpCookies element in Web.Config:
<httpCookies httpOnlyCookies="true"/>
Prevent MITM from accessing the session: Ensure that the session cookie is delivered over a secured HTTP session (TLS). Setting the cookie as secure indicates to the browser that the cookie should only be sent over a secured channel. To configure the httpCookies element:
<httpCookies requireSSL="true" />
Note that Forms and Session cookies have slightly different behaviour, with the Forms cookie being more secured and more configurable. Interestingly, setting requireSSL to true for the Forms cookie mandates that the communication channel to ...

How to put up Maintenance Page for ASP.NET Web Application in IIS

Put a static file named app_offline.htm in the root of the site. After which, all requests for that site will be served from this file. Technically, what happens is that the entire application domain will be stopped and unloaded, all without performing an IIS reset. Note the following caveats:
- Any error in the Web.Config may result in the app_offline.htm page not showing up!
- The file (app_offline.htm) must be at least 512 bytes for it to take effect for the IE browser. Otherwise, IE would display a “Friendly Error” message by default.
The effect of this file is that the server will serve out an HTTP response bearing this header:
HTTP/1.1 503 Service Unavailable

Internet Explorer Compatibility View

The newer Internet Explorer comes with the F12 Developer Tools, wherein you find the Browser Mode and the Document Mode.
Difference between the Browser Mode and the Document Mode
Document Mode is something that the web server can control. By specifying the HTTP header, the HTML meta-tags, or the DocType declaration, the Document Mode changes accordingly. See my earlier article. However, the Browser Mode cannot be changed by the server.
What really happens when IE Compatibility View is activated?
When IE Compatibility View is activated, the HTTP user-agent header is changed to that of IE7. The user-agent sent by the browsers follows:
IE Browser Mode | User-Agent
IE10 | Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
IE9 | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
IE8 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
IE7 | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
IE10 WinPhone | Mozilla/5.0 (comp...

How to Display/ Load Videos in Browsers

Here is everything you need to know about videos: http://diveintohtml5.info/video.html
Considerations
In general, these are the considerations when displaying/ rendering videos over the web:
- Where is the video stored/ hosted? – On premise or in the cloud? Cloud-hosting can be a good option for load distribution if the videos are huge.
- What is the streaming/ downloading protocol? – The trend these days appears to be to stream videos using HTTP rather than specialised (and often expensive) protocols.
- Who is the target audience and what browser/ platform are they using to view these videos?
  - What browser? – Chrome, IE, Firefox, Opera?
  - Which version(s)? – Still required to support IE6?
  - What operating systems/ environment? – Do we have Unix/ Mac users?
  - Need to support desktop/ tablet/ mobile? – Some or all of these?
The challenge for the 3rd consideration is to be able to accommodate everyone (from IE6 on a desktop to the iPad Safari browser). To do this, a number of “t...

2-Way SSL for WCF Web Service Hosted on IIS

I was recently involved in getting the above to work in our environment. The steps follow:
- Ensure that the SSL certificates are correctly signed
- Ensure that the SSL certificate chain is present and valid
- Install the certificates in the “Current User” account for validation
  - Execute mmc.exe, add the “Certificates” snap-in with “My user account”
  - Install the certificate within the “Personal” store
  - Verify by using Internet Explorer to retrieve the WSDL from the remote web service
  - If the certificate and chain are correct, Internet Explorer will validate them and report so with “Certificate is OK”
- Install the certificates (and the entire chain) in the “Local Computer” account
  - Execute mmc.exe, add the “Certificates” snap-in with “Computer account”
  - Install the certificate within the “Personal” store
  - Note the thumbprint of the certificate
- Configure the WCF web.config to make use of “Client Certificates” by finding the certificate within the “LocalMachine” store using the thumbprint (remove the spac...

HTTP over TLS/ SSL: What is Really Secured?

HTTP over TLS/ SSL performs encryption of transferred data. However, what is really encrypted and what isn’t? Part of the TLS/ SSL negotiation will not be secured. Everything else is securely transmitted.
- What is in the clear/ can be derived will be the destination hostname or IP address and the port (usually 443)
- URLs for GET/ POST/ HEAD request methods are secured
  - GET URL parameters, e.g. ?data=12345678&id=123
  - POST URL
- All HTTP headers are secured. These include:
  - Cookies
  - Content-type/ content-length
  - Cache control
  - User-agent
  - Accept (-encoding)
- HTTP payload is secured. This may be:
  - POST parameter
  - HTML/ XML data
Does it therefore mean that the GET URL over HTTPS is secured? You decide for yourself….
As the GET URL method information is secured, any sniffer between the source and destination would not be able to “see” the URL parameters. However, the web browser would track the full GET URL (including the parameters) in the browsing history. As such, anyone havi...

Poor Man's SSO with Multiple ASP.NET Web Applications

It is quite straightforward to have (poor man's) single sign-on for multiple ASP.NET web applications without sourcing for an enterprise solution. This is based on the following premises:
- the web applications are in the same domain
- forms or custom authentication is used for the web applications
In order to have things work, a couple of steps are required, namely:
- Enable Forms authentication for the relevant web applications, using:
  <authentication mode="Forms">
- Ensure that the validationKey and decryptionKey settings (under the machineKey element) are not auto-generated but are explicitly coded and shared across the relevant web applications (and web farm, if applicable). For IIS6, you can use this website to generate the keys. For IIS7+, you can use IIS Manager to do so.
- Customise the name of the cookie (instead of the default .ASPXAUTH) but, more importantly, set the cookie path to the default root "/" and the domain to a valid one,...

General Flow for Web Access Management

Three aspects are typically handled by Web Access Management software:
- protect resources
- authenticate users
- authorise users
The flow is depicted in the following Activity Diagram:

Browser wars

Around the world, Chrome appears to have overtaken IE for the desktop recently. Source: StatCounter Global Stats - Browser Market Share
Singapore is heavily dominated by iOS, but Android is catching up fast! Source: StatCounter Global Stats - Mobile OS Market Share

SOAP Client in IIS -> SOAP Server in Weblogic

So many timeout settings… it’s ridiculous!

How to embed images in a HTML page without ActiveX

We have this requirement to ensure that the saved (X)HTML is completely self-contained. This means that displayed images need to be embedded. Ideally, no additional plugin (e.g. ActiveX, Applet, Flash, etc.) is required. Therefore, instead of using an img tag with a src attribute that refers to a remote image, the src attribute could actually embed the entire image, encoded using Base64. The magic is to use the data URI scheme. E.g.
<img src="data:image/png;base64,<Base64 encoded data>">
This is supported in Gecko-based (Firefox) and WebKit-based (Android, Safari, Chrome) browsers. Trident-based browsers (IE 8 and 9) also support it.

Best Practices for HTTP Servers

How can web servers be optimised to perform faster? Can resources be cached, compressed, etc.? There are a number of HTTP headers that one needs to understand in order to deal with performance optimisations.
- Last-Modified – The origin server indicates when the resource was believed to have been last modified. Given by both date and time.
- ETag – Entity tag, or unique ID for each version of a resource, which is usually comprised of the file location, file size and last-modified date.
- Expires – The origin server indicates to the browser when the resource becomes stale, or how long to keep it in cache. Applicable to HTTP/1.0; apparently deprecated in HTTP/1.1.
- Cache-Control – The origin server indicates to the browser and intermediaries whether or not to cache the resource and, if so, for how long (Cache-Control: max-age). Applicable to HTTP/1.1.
Notice the similarity in some definitions. In practice, Last-Modified and ETag are similar validators and can be grouped together. Expires and ...

Solving Mixed-Content Warnings

Web applications can be written to work with both the HTTP and HTTPS schemes. To do so, URLs to resources should be encoded as relative URLs. For example, on a site (softwarehard.blogspot.com), all URLs to resources should be encoded as “/images/imageResource.jpg” or “images/imageResource.jpg” instead of “http://softwarehard.blogspot.com/images/imageResource.jpg”. Doing so will allow the resource to be served in both HTTP and HTTPS schemes, depending on the page request.
However, if an external resource is required, the authority (domain name) needs to be included. The most portable way to include the external resource is to use a scheme-less URL. For example: “//cdn.blogger.com/js/jquery.js”
Note that neither HTTP nor HTTPS has been specified, and doing so allows us to skirt the mixed-content issue. This is valid under the URI RFC. However, the caveats are that:
- this works well in web browsers but will likely break in email clients!
- there is also a minor downs...

HTML rendering with Internet Explorer 8, 9, 9+

Apart from the use of DOCTYPE, IE uses other metadata to influence rendering. You may include the following meta tag in the HTML document to influence the way Internet Explorer renders content:
<meta http-equiv="X-UA-Compatible" content="Content-Attrib-Value"/>
In combination with the DOCTYPE, the value of the content attribute in the above meta tag will result in different rendering modes:
Content-Attrib-Value | DOCTYPE | Doc Mode
IE=edge | Ignored | IE x standards (use the latest IE standard available)
IE=9 | Ignored | IE9 standards
IE=8 | Ignored | IE8 standards
IE=EmulateIE8 | Known type | IE8 standards
IE=EmulateIE8 | Unknown or absent | Quirks mode (IE5.5)
IE=7 | Ignored | IE7 standards
IE=EmulateIE7 | Known type | IE7 standards
IE=EmulateIE7 | Unknown or absent | Quirks mode
IE=5 | Ignored | Quirks mode
At the same time, there are some interesting points to note:
- in the intranet zone, IE 7 standards rendering mode is used by default
- these can be overridden by the ...

DOCTYPE in HTML/ XHTML documents and rendering modes

Acceptable standard doctypes to use for a text/html document, as well as the browser rendering modes, are shown here:
HTML version | DTD type | Examples | Modern non-IE (1) | IE9/ IE8/ Opera 9.5 | IE7/ Opera 7.1 | IE6/ Opera 7.0
HTML 5 | N.A. | <!DOCTYPE html> | S | S | A | A
HTML 4.01 | Strict | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> or with URL "http://www.w3.org/TR/html4/strict.dtd" | S | S | A | A
HTML 4.01 | Transitional | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> | Q | Q | Q | Q
HTML 4.01 | Transitional (with URL) | As above with either URLs "http://www.w3.org/TR/html4/loose.dtd" or "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd" | A | A | A | A
HTML 4.0 | Strict | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"> | S | S | A | A
HTML 4.0 | Transitional | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> | Q | Q | Q | Q
HTML 4.0 | Tra...