
SQL injections


About

LulzSec (a.k.a. Lulz Security) is a computer hacking group that began making headlines in May 2011 after taking responsibility for compromising a number of high-profile targets. The group has been known to use distributed denial-of-service (DDoS) attacks to take websites offline and SQL injection to extract data from them. (See also: #OpSony)

Highlights

The group periodically releases information stolen from websites, posting the data on its own website as .txt files[9] or as torrents on its page on The Pirate Bay[10]. Releases are often posted on Fridays, which led the group to coin the hashtag “#fuckfbifriday” for its tweets.

May 5th, 2011: FOX

The earliest known hack attributed to the group began on May 5th, 2011 against Fox Broadcasting Company and resulted in the breach of a contestants database for the TV talent show X Factor, exposing the personal information of 73,000 applicants. On May 10th, a Fox.com sales database and its users’ personal information were released.

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/66648067281141760): “We’re releasing the X-Factor contestants database publicly tonight. Stay tuned. Wink, wink, double wink!”

May 27th – June 6th: SONY

Between late May and early June 2011, databases belonging to the international media company Sony were attacked by hackers who took thousands of users’ personal data, including “names, passwords, e-mail addresses, home addresses, dates of birth.” LulzSec claimed that it used a SQL injection attack and that it was motivated by Sony’s legal action against George Hotz, the original iPhone jailbreak hacker, who had revealed similar information about Sony’s PlayStation 3 console in December 2010.

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/72823208465805312): “Hey guys, we took a cruise! Who wants to play spot the SonyMusic SQLi? #fun #fun #FUN”

The breached databases included Sony Music Japan, Sony Pictures, SonyBMG Netherlands and SonyBMG Belgium. The group claimed to have compromised over 1,000,000 accounts, though Sony put the real figure at around 37,500. Some of the compromised information has reportedly been used in scams.

May 29th: PBS

On May 29th, 2011, LulzSec compromised several PBS web properties, including its official website and Twitter account. The PBS homepage was defaced with an image of Nyan Cat and the words “all your base are belong to lulzsec”, referencing All Your Base Are Belong To Us. The group claimed it was in response to a biased documentary about Wikileaks that had aired on an episode of PBS Frontline. They were also responsible for a planted article claiming that 2Pac, a rapper who died in 1996[7], was still alive and had been found living in New Zealand with another famous dead rapper, Biggie Smalls[8].

June 15th: CIA

LulzSec took responsibility for taking down the website of the United States Central Intelligence Agency in a tweet[1] on June 15th, 2011. According to Gawker reporter Adrian Chen[2], the attack was meant to impress Twitter user Quadrapodacone:

This afternoon, Quadrapodacone and Lulzsec got into a Twitter flame war, after Quadrapodacone mocked Lulzsec for taking on only “soft targets” like video game companies and PBS. (Lulzsec has since deleted its side of the conversation.)

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/81115804636155906): “Tango down – http://t.co/2QGXy6f – for the lulz.”

June 15th: War With 4chan

On June 15th, 2011, an article was posted to the website VentureBeat claiming that LulzSec had begun attacking users of the website 4chan.org and the nebulous group referred to as “Anonymous”.

The sparring began when LulzSec initiated a “DDoS Party,” a set of large-scale distributed denial-of-service attacks on several gaming servers and websites that took a number of games offline. EVE Online, League of Legends and Minecraft all faced outages or significant latency problems. That was enough to get the attention of “/v/,” an image board on 4chan.org that focuses on video games.[3]

June 17th: SEGA Attack Denial

On June 17th, 2011, the multinational video game company SEGA sent an e-mail to subscribers of its online network SEGA Pass revealing that the network had been breached by a group of hackers and that an unknown number of subscribers’ personal details, such as e-mail addresses and dates of birth, had been stolen:

“Over the last 24 hours we have identified that unauthorised entry was gained to our Sega Pass database,” the company said. “We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems.”

The next day, LulzSec responded to the news on Twitter by denying any involvement in the attack on SEGA Pass. In a tweet expressing their fondness for the aging Dreamcast console, @LulzSec announced that they would help the company take down whoever had launched the attack:

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/81765889329991680): “@Sega – contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”

June 17th: War With Anonymous Denial

On June 17th, 2011, the @LulzSec Twitter account announced that the group was not at war with Anonymous, and repeated the sentiment by retweeting @YourAnonNews:

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/81748529609048064): “Saying we’re attacking Anonymous because we taunted /b/ is like saying we’re going to war with America because we stomped on a cheeseburger.”

Tweet from @YourAnonNews (http://twitter.com/#!/YourAnonNews/status/81754107299373056): “We are NOT at war with @LulzSec #MediaFags”

June 19th – Operation Anti-Security (#AntiSec)

On June 19th, 2011, LulzSec posted a statement on pastebin[5] announcing that they would be teaming up with Anonymous to attack government agencies.

Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path. We fully endorse the flaunting of the word “AntiSec” on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships.

June 20th – SOCA

On June 20th, 2011, LulzSec took down the website of the United Kingdom’s Serious Organised Crime Agency (SOCA) with a DDoS attack as part of Operation Anti-Security.

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/82836801731043328): “Tango down – http://t.co/JhcjgO9 – in the name of #AntiSec”

June 21st: Arrest

On June 21st, 2011, 19-year-old Ryan Cleary was arrested by UK police for allegedly attempting to take down a police website. According to PCWorld[6], his arrest was related to an investigation into LulzSec’s attacks:

The Metropolitan Police Central e-Crime Unit (PCeU) said the teenager was detained following an investigation into network intrusions and distributed denial-of-service (DDOS) attacks against “a number of international business and intelligence agencies by what is believed to be the same hacking group.”

LulzSec denied that Ryan was part of the group, saying his only involvement was hosting one of their IRC chatrooms on his server.

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/83244937847652352): “Ryan Cleary is not part of LulzSec; we house one of our many legitimate chatrooms on his IRC server, but that’s it. http://t.co/98VflEi”

June 21st: Brazilian Government Websites

On June 21st, a Brazilian branch of the LulzSec group (@LulzSecBrazil) launched DDoS attacks against the Brazilian government’s web portal and the homepage of the President under the banner of Operation Anti-Security. The denial-of-service attacks followed the June 19th announcement of a joint operation seeking to “steal and leak any classified government information, including email spools and documentation.”

Since the beginning of Operation Anti-Security, LulzSec’s support base has expanded from small, little-known groups to an international network of Anonymous activists and regional LulzSec chapters in Brazil and Colombia, as well as the Iranian Cyber Army.

June 23rd: Arizona Department of Public Safety

On June 23rd, LulzSec released a new data set dubbed “Chinga La Migra,” a Spanish phrase meaning “fuck the border patrol,” containing hundreds of private intelligence bulletins, personal information of police officers and confidential documents including training manuals and personal e-mail correspondence. In the press release, the group cited SB 1070 (the Support Our Law Enforcement and Safe Neighborhoods Act), a controversial anti-immigration law passed in the state of Arizona in April 2010, as its primary motive for targeting the Department of Public Safety.

The documents, classified as “law enforcement sensitive”, “not for public distribution”, and “for official use only”, are primarily related to border patrol and counter-terrorism operations and describe the use of informants to infiltrate various gangs, cartels, motorcycle clubs, Nazi groups, and protest movements.

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/84032144283938816): “Presenting Chinga La Migra: http://t.co/tQZ1uro | http://t.co/apl4g7J #AntiSec”

June 25th: LulzSec Retires

On June 25th, 2011, LulzSec released a statement on pastebin[11] saying that after 50 days of hacking they were going into retirement.

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/84758628325801984): “50 Days of Lulz statement: http://t.co/GbAD070 | Torrent: http://t.co/lGsJ4PU Thank you, gentlemen. #LulzSec”

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

They later tweeted that Operation Anti-Security would be passed on completely to Anonymous:

Tweet from @LulzSec (http://twitter.com/#!/LulzSec/status/84771325025075200): “Finally, we encourage all future #AntiSec enthusiasts to join the AnonOps IRC here: http://t.co/1XLL1Jj and follow @AnonymousIRC for glory!”

The farewell statement was accompanied by about 458 MB of data from AOL, AT&T, Navy.mil, pilimited.com and many other websites, uploaded via the group’s Pirate Bay account[10].

External Links

[1] Twitter – @LulzSec

[2] Gawker – Hackers Take Down CIA Website / 6/15/2011

[3] VentureBeat – Hit the deck: LulzSec and Anonymous start trading blows

[4] Linear Fix – Why LulzSec Hacks: A Timeline of Major Hacks

[5] Pastebin – Operation Anti-Security

[6] PCWorld – UK police arrest teen from Lulz Security for DDOS attack

[7] Wikipedia – Tupac Shakur

[8] cnet News – PBS, hacked, says Tupac is still alive

[9] Lulz Security – Releases

[10] The Pirate Bay – LulzSec

[11] Pastebin – 50 Days of Lulz


I don't usually do news and current events here, but I'm making an exception for the CWE/SANS Top 25 Most Dangerous Programming Errors list. This one is important, and deserves a wide audience, so I'm repeating it here -- along with a brief hand-edited summary of each error.

If you work on software in any capacity, at least skim this list. I encourage you to click through for greater detail on anything you're not familiar with, or that piques your interest.

  1. Improper Input Validation

    Ensure that your input is valid. If you're expecting a number, it shouldn't contain letters. Nor should the price of a new car be allowed to be a dollar. Incorrect input validation can lead to vulnerabilities when attackers can modify their inputs in unexpected ways. Many of today's most common vulnerabilities can be eliminated, or at least reduced, with strict input validation.

  2. Improper Encoding or Escaping of Output

    Insufficient output encoding is at the root of most injection-based attacks. An attacker can modify the commands that you intend to send to other components, possibly leading to a complete compromise of your application - not to mention exposing the other components to exploits that the attacker would not be able to launch directly. When your program generates outputs to other components in the form of structured messages such as queries or requests, be sure to separate control information and metadata from the actual data.

  3. Failure to Preserve SQL Query Structure (aka 'SQL Injection')

    If attackers can influence the SQL that you send to your database, they can modify the queries to steal, corrupt, or otherwise change your underlying data. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security.

  4. Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')

    Cross-site scripting (XSS) is a result of combining the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you're not careful, attackers can inject JavaScript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you -- because, after all, it did come from you! Suddenly, your web site is serving code that you didn't write. The attacker can use a variety of techniques to get the input directly into your server, or use an unwitting victim as the middle man.

  5. Failure to Preserve OS Command Structure (aka 'OS Command Injection')

    Your software acts as a bridge between an outsider on the network and the internals of your operating system. When you invoke another program on the operating system, and you allow untrusted inputs to be fed into the command string, you are inviting attackers into your operating system.

  6. Cleartext Transmission of Sensitive Information

    Information sent across a network crosses many different nodes in transit to its final destination. If your software sends sensitive, private data or authentication credentials, beware: attackers could sniff them right off the wire. All they need to do is control one node along the path to the final destination, any node within the same networks of those transit nodes, or plug into an available interface. Obfuscating traffic using schemes like Base64 and URL encoding offers no protection.

  7. Cross-Site Request Forgery (CSRF)

    Cross-site request forgery is like accepting a package from a stranger -- except the attacker tricks a user into activating an HTTP request "package" that goes to your site. The user might not even be aware that the request is being sent, but once the request gets to your server, it looks as if it came from the user -- not the attacker. The attacker has masqueraded as a legitimate user and gained all the potential access that the user has. This is especially handy when the user has administrator privileges, resulting in a complete compromise of your application's functionality.

  8. Race Condition

    A race condition arises when multiple threads, processes, or systems act on shared state without adequate synchronization, and an attacker who controls the timing of one of them can slip in between a check and the action that depends on it. Data corruption and denial of service are the usual results. The impact can be local or global, depending on what the race condition affects - such as state variables or security logic - and whether it occurs within multiple threads, processes, or systems.

  9. Error Message Information Leak

    Chatty error messages can disclose secrets to any attacker who misuses your software. The secrets could cover a wide range of valuable data, including personally identifiable information (PII), authentication credentials, and server configuration. They might seem like harmless secrets useful to your users and admins, such as the full installation path of your software -- but even these little secrets can greatly simplify a more concerted attack.

  10. Failure to Constrain Operations within the Bounds of a Memory Buffer

    The scourge of C applications for decades, buffer overflows have been remarkably resistant to elimination. Attack and detection techniques continue to improve, and today's buffer overflow variants aren't always obvious at first or even second glance. You may think that you're completely immune to buffer overflows because you write your code in higher-level languages instead of C. But what is your favorite "safe" language's interpreter written in? What about the native code you call? What languages are the operating system APIs written in? How about the software that runs Internet infrastructure?

  11. External Control of Critical State Data

    If you store user state data in a place where an attacker can modify it, this reduces the overhead for a successful compromise. Data could be stored in configuration files, profiles, cookies, hidden form fields, environment variables, registry keys, or other locations, all of which can be modified by an attacker. In stateless protocols such as HTTP, some form of user state information must be captured in each request, so it is exposed to an attacker out of necessity. If you perform any security-critical operations based on this data (such as stating that the user is an administrator), then you can bet that somebody will modify the data in order to trick your application.

  12. External Control of File Name or Path

    When you use an outsider's input while constructing a filename, the resulting path could point outside of the intended directory. An attacker could combine multiple ".." or similar sequences to cause the operating system to navigate out of the restricted directory. Other file-related attacks are simplified by external control of a filename, such as symbolic link following, which causes your application to read or modify files that the attacker can't access directly. The same applies if your program is running with raised privileges and it accepts filenames as input. Similar rules apply to URLs and allowing an outsider to specify arbitrary URLs.

  13. Untrusted Search Path

    Your software depends on you, or its environment, to provide a search path (or working path) to find critical resources like code libraries or configuration files. If the search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing.

  14. Failure to Control Generation of Code (aka 'Code Injection')

    While it's tough to deny the sexiness of dynamically-generated code, attackers find it equally appealing. It becomes a serious vulnerability when your code is directly callable by unauthorized parties, if external inputs can affect which code gets executed, or if those inputs are fed directly into the code itself.

  15. Download of Code Without Integrity Check

    If you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can modify that code before it reaches you. They can hack the download site, impersonate it with DNS spoofing or cache poisoning, convince the system to redirect to a different site, or even modify the code in transit as it crosses the network. This scenario even applies to cases in which your own product downloads and installs updates.

  16. Improper Resource Shutdown or Release

    When your system resources have reached their end-of-life, you dispose of them: memory, files, cookies, data structures, sessions, communication pipes, and so on. Attackers can exploit improper shutdown to maintain control over those resources well after you thought you got rid of them. Attackers may sift through the disposed items, looking for sensitive data. They could also potentially reuse those resources.

  17. Improper Initialization

    If you don't properly initialize your data and variables, an attacker might be able to do the initialization for you, or extract sensitive information that remains from previous sessions. If those variables are used in security-critical operations, such as making an authentication decision, they could be modified to bypass your security. This is most prevalent in obscure errors or conditions that cause your code to inadvertently skip initialization.

  18. Incorrect Calculation

    When attackers have control over inputs to numeric calculations, math errors can have security consequences. It might cause you to allocate far more resources than you intended - or far fewer. It could violate business logic (a calculation that produces a negative price), or cause denial of service (a divide-by-zero that triggers a program crash).

  19. Improper Access Control (Authorization)

    If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise that unauthorized functionality.

  20. Use of a Broken or Risky Cryptographic Algorithm

    Grow-your-own cryptography is a welcome sight to attackers. Cryptography is hard. If brilliant mathematicians and computer scientists worldwide can't get it right -- and they're regularly obsoleting their own techniques -- then neither can you.

  21. Hard-Coded Password

    Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.

  22. Insecure Permission Assignment for Critical Resource

    Beware critical programs, data stores, or configuration files with default world-readable permissions. While this issue might not be considered during implementation or design, it should be. Don't require your customers to secure your software for you! Try to be secure by default, out of the box.

  23. Use of Insufficiently Random Values

    You may depend on randomness without even knowing it, such as when generating session IDs or temporary filenames. Pseudo-Random Number Generators (PRNG) are commonly used, but a variety of things can go wrong. Once an attacker can determine which algorithm is being used, he can guess the next random number often enough to launch a successful attack after a relatively small number of tries.

  24. Execution with Unnecessary Privileges

    Your software may need special privileges to perform certain operations; wielding those privileges longer than necessary is risky. When running with extra privileges, your application has access to resources that the application's user can't directly reach. Whenever you launch a separate program with elevated privileges, attackers can potentially exploit those privileges.

  25. Client-Side Enforcement of Server-Side Security

    Don't trust the client to perform security checks on behalf of your server. Attackers can reverse engineer your client and write their own custom clients. The consequences will vary depending on what your security checks are protecting, but some of the more common targets are authentication, authorization, and input validation.

Of course there's nothing truly new here; I essentially went over the same basic list in Sins of Software Security almost two years ago. The only difference is the relative priorities, as web applications start to dominate mainstream computing.

This list of software security mistakes serves the same purpose as McConnell's list of classic development mistakes: to raise awareness. A surprisingly large part of success is recognizing the most common mistakes and failure modes. So you can -- at least in theory -- realize when your project is slipping into one of them. Ignorance is the biggest software project killer of them all.

Heck, even if you are aware of these security mistakes, you might end up committing them anyway. I know I have.

Have you?

