What would I, as a humble programmer, do when I'm faced with a pesky programming bug that I don't know how to deal with, or a technique that I'm not aware of, such as, let's say, parsing XML in Java?
More specifically, let's assume that I want to implement a file upload in ASP.NET MVC with C#. Where would I start? The answer is obvious: "search for it, find a code example and use it", easy-peasy.
Hence, for a long time now, it has been quite normal to see highly ranked StackOverflow (SO) answers listed in popular search engines for a programming how-to search. This is due to the rich, vote-based structure that the successful site built and runs on.
From the security perspective, though, blindly searching for a piece of code and using it in our software is insecure and might be a recipe for disaster. For the sake of argument, it's like copying a long shell script from the net and running it on your machine without any proof-reading, just because it claims to solve your original problem.
So using (copying and pasting, that is) a nice-looking SO answer might create security problems. To make this case solid, I'll try to give some obvious and some not so obvious insecure question-answer examples gathered from SO, which in total took me only two hours.
Before going through the examples, note that a few StackExchange questions were actually posted to look for answers to this exact problem. Yet there's still no explicit way of dealing with insecure answers other than downvoting the answer/question or writing answers with big WARNING signs, as if we developers cared about those when we are allured by that glorious green check mark marking the accepted, hence the "right", answer and its code!
SQL Injection
Our first example SO answer leads to the infamous SQL Injection vulnerability in an Android application. If you are a new programmer you have to read and understand the SQL injection vulnerability right now; there is no excuse about it.
Read more on SQL Injection
Sure, the comment right under the answer warns passersby; however, it could have been highlighted to draw more attention. As it stands, it may slip past even otherwise hawk-eyed developers.
Encryption with Insecure Mode
Encryption is a transformation process used to protect data from unauthorized access. Due to its complexity, and because yesterday's good advice becomes today's weakness, there's a high chance of insecure answers when the topic is asked about on SO. Here's another answer that uses an insecure encryption mode, namely ECB.
Read more on Insecure Symmetric Encryption - ECB Mode
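To see what the answer's choice of mode actually leaks, here is an added C# example (not code from the SO answer or from this post) that encrypts two identical plaintext blocks under AES in ECB and in CBC mode and compares the resulting ciphertext blocks; in ECB the two ciphertext blocks are identical, so repetition in the plaintext survives encryption. The key, IV and sample plaintext are constructed inline for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class EcbLeakDemo
{
    // Encrypt a block-aligned buffer with AES in the requested mode.
    // Padding is disabled so the output maps 1:1 onto the input blocks.
    static byte[] Encrypt(byte[] key, byte[] iv, byte[] plaintext, CipherMode mode)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;                 // ignored by ECB, required by CBC
            aes.Mode = mode;
            aes.Padding = PaddingMode.None;
            using (var enc = aes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    static bool FirstTwoBlocksEqual(byte[] ct)
    {
        return ct.Take(16).SequenceEqual(ct.Skip(16).Take(16));
    }

    static void Main()
    {
        byte[] key = new byte[16], iv = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);            // fresh random IV per message for CBC
        }

        // Constructed sample: the same 16-byte record twice in a row.
        byte[] block = Encoding.ASCII.GetBytes("ACCOUNT=12345678");
        byte[] plaintext = block.Concat(block).ToArray();

        byte[] ecb = Encrypt(key, iv, plaintext, CipherMode.ECB);
        byte[] cbc = Encrypt(key, iv, plaintext, CipherMode.CBC);

        // ECB: equal plaintext blocks give equal ciphertext blocks.
        Console.WriteLine("ECB block0 == block1: " + FirstTwoBlocksEqual(ecb));
        // CBC: each block is chained to the previous one, so they differ.
        Console.WriteLine("CBC block0 == block1: " + FirstTwoBlocksEqual(cbc));
    }
}
```

CBC with a random IV fixes the pattern leak shown here but still provides no integrity; an authenticated mode (e.g. AES-GCM where the platform offers it) or an encrypt-then-MAC construction is the usual recommendation.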
Insecure API Usage
We depend heavily on 3rd party libraries when coding; there's no escape from it. However, when the APIs provided by these 3rd parties are used incorrectly, or when these libraries are configured in the wrong way, security problems are inevitable. Here's my favorite question and answer on this.
To make it clearer, AntiSamy is a library used to validate rich input (HTML) in order to prevent XSS vulnerabilities while still allowing rich content. The answer, unfortunately, uses an insecure AntiSamy configuration file that causes XSS, the direct opposite of what the library has been designed for.
Read more on Cross Site Scripting (XSS)
Some Other Obvious Insecure Answers
These examples are just the tip of the iceberg; there are many more obvious ones:
- PHP, Cross Site Scripting: http://stackoverflow.com/a/15598695
- ASP.NET MVC, Directory Traversal: http://stackoverflow.com/a/752531
- JSP, Local Code Injection: http://stackoverflow.com/a/9110412
- Java, Log Forging: http://stackoverflow.com/a/117535
- Java, Insecure CAPTCHA: http://stackoverflow.com/a/14812726
- Design, Insecure Anti-Brute Force Mechanism: http://stackoverflow.com/a/8637
- HTML5, Insecure CORS: http://stackoverflow.com/a/8719346
- Design, X-Forwarded-For: http://stackoverflow.com/a/6317198
Up to now, we have seen somewhat easy to spot answers that create security vulnerabilities. There are also non-obvious insecure answers, which might be a little harder to recognize. Here are two examples:
Insecure CSRF Protection
It's always tricky to customize a good security solution, such as ASP.NET MVC CSRF protection, without introducing new vulnerabilities. This protection ensures that an attacker can't guess a server-side generated token pair. A critical part of this prevention technique is the use of cookies, since they can't be modified by client-side code residing in another web site open in the same browser.
The SO solution aims to make ASP.NET MVC CSRF protection usable from AJAX calls made with jQuery (out of the box, a classic HTML form is required). It achieves that goal, however, by removing the cookie check; now an attacker can fetch a valid RequestVerificationToken and make the user's browser send it to the validation routine successfully. Fortunately, this is not the selected answer.
Read more on CSRF
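One way to support AJAX calls while keeping both halves of the token pair, as an added C# example for ASP.NET MVC that is not the SO answer's code nor part of the original post: the cookie half is read from the browser's cookie jar (which a page on another origin cannot set) and the form half from a request header that the page's own script copies out of the hidden field rendered by @Html.AntiForgeryToken(). The attribute name, the header name and the controller are assumptions made for the example.

```csharp
using System.Web.Helpers;
using System.Web.Mvc;

// Validates the anti-forgery token pair for AJAX requests. Unlike the insecure
// customization, the cookie token is still required and still has to pair with
// the form token; the only change is where the form token is read from.
public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Header name is this example's own convention; the client script must match it.
    public const string HeaderName = "X-RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Cookie half: sent automatically by the browser; a cross-site page cannot
        // read it or forge it for this origin.
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie == null ? null : cookie.Value;

        // Form half: copied by our own page script into a header on the XHR.
        string formToken = request.Headers[HeaderName];

        // Both halves must be present and must pair up. A request carrying only a
        // form token fetched from elsewhere fails here with HttpAntiForgeryException.
        AntiForgery.Validate(cookieToken, formToken);
    }
}

public class ProfileController : Controller
{
    [HttpPost]
    [ValidateHeaderAntiForgeryToken]
    public ActionResult UpdateEmail(string email)
    {
        // ... update the e-mail of the currently authenticated user ...
        return Json(new { ok = true });
    }
}
```

The client side only needs `$.ajax({ headers: { "X-RequestVerificationToken": $("input[name='__RequestVerificationToken']").val() } ... })`; the cookie travels on its own.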
Mass Assignment
The MVC pattern and the frameworks that implement it are a great way to ease the developer's life by auto-binding HTTP parameters to model instances. However, the answer providing an update strategy for ASP.NET MVC with Entity Framework (EF) also creates a Mass Assignment vulnerability.
Read more on Mass Assignment
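An added C# illustration (not the SO answer's code nor part of the original post) of the over-posting pattern such an update strategy enables, next to a whitelist-bound alternative: the User entity, the AppDb context, the controller and the property names are constructed for the example.

```csharp
using System.Data.Entity;
using System.Web.Mvc;

public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // must never be settable by the client
}

public class AppDb : DbContext
{
    public DbSet<User> Users { get; set; }
}

public class UsersController : Controller
{
    private readonly AppDb db = new AppDb();

    // VULNERABLE: the default binder fills every public property of User from the
    // POST body, and marking the whole entity Modified persists all of them. A
    // request that adds IsAdmin=true (or a different Id) is written to the database.
    [HttpPost]
    public ActionResult EditUnsafe(User user)
    {
        db.Entry(user).State = EntityState.Modified;
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    // HARDENED: load the row the server trusts, then bind only a whitelist of
    // properties onto it. Id comes from the route and IsAdmin is never bound,
    // so neither can be influenced by extra form fields.
    [HttpPost]
    public ActionResult Edit(int id)
    {
        var user = db.Users.Find(id);
        if (user == null) return HttpNotFound();

        if (!TryUpdateModel(user, "", new[] { "Name", "Email" }))
            return View(user);          // validation errors: re-render the form

        db.SaveChanges();               // only Name/Email are marked modified
        return RedirectToAction("Index");
    }
}
```

A dedicated view model that contains only the editable fields achieves the same without having to remember the whitelist on every action.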
Obviously every one of us developers needs code samples when we have no idea what to do next about a haunting bug or a new task, unless you consider yourself some kind of superhuman developer. Using copy-pasted code is fine; however, it's our responsibility to apply a bit of critical thinking when we do. Otherwise, it creates more problems than it is intended to solve.