Is it secure to remove special character from activation key - security

In my application I am creating a activation key of 64 characters.
It is having special characters like
+ =
While framing url we are doing url encode. But if user do a copy of the url from his email client , in some client url is getting url decoded.
Some suggestion is to remove these special character with charters which don't require url encode.
Will it going to create any issue in security as character set will be limited ?

If you use just alphanumeric characters, and make it case-insensitive, you will have 36 possible characters. Since your key is 64 characters long, you end up with a keyspace that is quite big (Larger than a GUID).
Depending what you are trying to protect this against (I assume brute forcing legitimate keys), so long as your algorithm for generating them is sufficient, you should not be at any risk of generating keys that are easily guessed.

Related

Encode URL parameter values for sensitive content?

For those of you who often build web applications will know that at some point you will need some URL parameters sent.
The values of these parameters might even be sensitive and can be abused.
For instance, User 1 wants to vew User 2 so a URL might be
http://www.example.com/User/2
This works fine and it is easy to read the URL parameter in the code.
However this leads to a problem: If User 1 does not have access to User 2 then User 1 would easily be able to type this URL into his browser. Normally when you want to avoid access you use some form of access control (like ACL), however my question is in cases where the data is sensitive, is it better to make the URL string into an encoded string aswell?
A great example is LinkedIn. Here is a URL with what I think is an encoded parameter:
https://www.linkedin.com/hp/?dnr=wxTvRoX8KGA5n3H4yxFpQfGTcdpfl3PW5Ab5
Is there any rule for when you want to encode or not? And should you always use encoded strings?
In general, you don't want to put sensitive material into an URL. URLs have the tendency of being bookmarked, emailed, logged, etc... All things that make an URL not very private. Encoding the sensitive information is slightly better than not encoding it as the encoded information won't be accidentally viewed by someone. They'll have to intentionally decode before they can view it.
There are reasons beyond security for encoding URL parameters. A common example is to store a small binary data structure in the URL parameter such as page referrer information or a binary key into a table. My assumption is that the LinkedIn dnr parameter is encoded but not sensitive.

Custom HTTP header value - trying to pass umlaut characters

I am using Node.js and Express.js 3.x.
As one of our authorization headers we are passing in the username. Some of our usernames contain umlaut characters: ü ö ä and the likes of.
For usernames with just 'normal' characters, all works fine. But when a jörg tries to make a request, the server doesn't recognize the umlaut character in the header.
Trying to simulate the problem I:
Created some tests that set the username header with the umlaut character. These tests pass, they are able to pass in the umlaut correctly.
Used 'postman' and 'advanced rest client' Chrome extensions and made the request manually against the server - in this case it failed. I saw the server is unable to recognize the umlaut character, it juts interpreted it as some sort of ?.
Is there any limitation on custom HTTP header values characters that forbids using these kind of characters? Any idea why it would work in tests but not from my browser extension? Am I forgetting to set some character set somewhere?
Summary of what was written in the other related question and in comments:
You may put any 'printable' ASCII char in your custom header value field.
If you want to use special characters, encode these characters following whatever rules/charset/encoding you choose. As long as this encoding it uses simple ASCII chars, it's OK. An example is using UTF-8 and encoding string chars to \u%%.
On the server side - you must manually make sense out of the encoded string, probably by decoding it using the rules of the character set/encoding paradigm you chose before.

Securing application against XSS

We are currently using OWASP Antisamy project to protect our application against XSS attacks. Every input field is sanitized when any given form is submitted to server. It works fine, but we have issues with the fields like company name, organization name, etc.
Ex: Ampersand is escaped for AT&T and the company name is displayed wrong (displayed with escaped characters).
We manually update the fields on database to fix this issue. However, this is a pain in the neck as you can imagine.
Is there a way to address this using OWASP antisamy or should we use a different library?
You should only encode on output, not on input. If a user enters AT&T in your application, this should be stored at AT&T in the database. There is no need to encode it, but of course make sure that you are using parameterised queries which will prevent characters such as ' from breaking out of the SQL command context and causing SQL injection.
When you output, this is the only time you need to encode characters. e.g. AT&T should be encoded as AT&T when output to HTML, so it is displayed in the browser as AT&T.
It seems like your application is encoding the input and also encoding the output, so strings like above will be double encoded at then output as AT&T in your HTML, causing the problem. Remove your input encoding to solve this.
The reason you should only encode when output is that if you decide you want to output data to a different format such as JSON or JavaScript, then the encoding is different. O'leary would become O\x27leary if encoded properly for JavaScript, which would not display properly in HTML where the encoding is O'leary.

security for http headers

We'd like to double-check our http headers for security before we send them out. Obviously we can't allow '\r' or '\n' to appear, as that would allow content injection.
I see just two options here:
Truncate the value at the newline character.
Strip the invalid character from the header value.
Also, from reading RFC2616, it seems that only ascii-printable characters are valid for http header values Should also I follow the same policy for the other 154 possible invalid bytes?
Or, is there any authoritative prior art on this subject?
This attack is called "header splitting" or "response splitting".
That OWASP link points out that removing CRLF is not sufficient. \n can be just as dangerous.
To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by 0x0D or \r) and LF (line feed, also given by 0x0A or \n)characters into the header.
(I do not know why OWASP (and other pages) list \n as a vulnerability or whether that only applies to query fragments pre-decode.)
Serving a 500 on any attempt to set a header that contains a character not allowed by the spec in a header key or value is perfectly reasonable, and will allow you to identify offensive requests in your logs. Failing fast when you know your filters are failing is a fine policy.
If the language you're working in allows it, you could wrap your HTTP response object in one that raises an exception when a bad header is seen, or you could change the response object to enter an invalid state, set the response code to 500, and close the response body stream.
EDIT:
Should I strip non-ASCII inputs?
I prefer to do that kind of normalization in the layer that receives trusted input unless, as in the case of entity-escaping to convert plain-text to HTML escaping, there is a clear type conversion. If it's a type conversion, I do it when the output type is required, but if it is not a type-conversion, I do it as early as possible so that all consumers of data of that type see a consistent value. I find this approach makes debugging and documentation easier since layers below input handling never have to worry about unnormalized inputs.
When implementing the HTTP response wrapper, I would make it fail on all non-ascii characters (including non-ASCII newlines like U+85, U+2028, U+2029) and then make sure my application tests include a test for each third-party URL input to makes sure that any Location headers are properly %-encoded before the Location reaches setHeader, and similarly for other inputs that might reach the request headers.
If your cookies include things like a user-id or email address, I would make sure the dummy accounts for tests include a dummy account with a user-id or email address containing a non-ASCII letter.
The simple removal of new lines \n will prevent HTTP Response Splitting. Even though a CRLF is used as a delimiter in the RFC, the new line alone is recognized by all browsers.
You still have to worry about user content within a set-cookie or content-type. Attributes within these elements are delimited using a ;, it maybe possible for an attacker to change the content type to UTF-7 and bypass your XSS protection for IE users (and only IE users). It may also be possible for an attacker to create a new cookie, which introduces the possibility of Session Fixation.
Non-ASCII characters are allowed in header fields, although the spec doesn't really clearly say what they mean; so it's up to sender and recipient to agree on their semantics.
What made you think otherwise?

Is my site safe from XSS if I replace all '<' with '<'?

I'm wondering what the bare minimum to make a site safe from XSS is.
If I simply replace < with < in all user submitted content, will my site be safe from XSS?
Depends hugely on context.
Also, encoding less than only isn't that flash of an idea. You should just encode all characters which have special meaning and could be used for XSS...
<
>
"
'
&
For a trivial example of where encoding the less than won't matter is something like this...
Welcome to Dodgy Site. Please link to your homepage.
Malicious user enters...
http://www.example.com" onclick="window.location = 'http://nasty.com'; return false;
Which obviously becomes...
View user's website
Had you encoded double quotes, that attack would not be valid.
There are also case where the encoding of the page counts. Ie - if your page character set is not correct or does not match in all applicable spots, then there are potential vulnerabilities. See http://openmya.hacker.jp/hasegawa/security/utf7cs.html for details.
No. You have to escape all user input, regardless of what it contains.
Depending on the framework you are using, many now have an input validation module. A key piece I tell software students when I do lectures is USE THE INPUT VALIDATION MODULES WHICH ALREADY EXIST!
reinventing the wheel is often less effective than using the tried and tested modules which exist already. .Net has most of what you might need built in - really easy to whitelist (where you know the only input allowed) or blacklist (a bit less effective as known 'bad' things always change, but still valuable)
If you escape all user input you should be safe.
That mean EVERYTHING EVERYWHERE it shows up. Even a username on a profile.

Resources