SlideShare a Scribd company logo

What's Our Software Doing With All That User Input

Download as ODP, PDF
Kim Carter
Kim Carter

Demonstrate vulnerabilities due to insufficient input sanitisation. Increase knowledge, awareness and desire to test. Discuss practical techniques and approaches that increase our defences

Technology
1 of 30
Dealing with User Input Securely Kim Carter – OWASP Day 2013-09-12
Demonstrate vulnerabilities Increase knowledge, awareness and desire to test Discuss practical techniques and approaches that increase our defences Agenda
Why the hacker always has the advantage Learn to enjoy breaking your own software. It'll make you a better developer. Our builders must think like breakers Developers Day Job Write Code Hackers Day Job Break Code
What does Poor Sanitisation look like?
OWASP ZAP also has a REST API. Useful for regression test suites If we have time at the end, we'll go over some AJAX XSS
Quality What is Quality? Do we as builders care? Why we should care
Quality But increasing quality is expensive right?
Quality Not necessarily
My Philosophy on Quality Everyone on the team needs to be thinking about it. Not just the testers. Reducing faults much earlier in the cycle.
User Input Sanitisation Strategies All code should be driven by executable specifications. Especially sanitisation logic Based around my following two blog posts http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-part-1/ http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-part-2/ Main components were a WCF service which dished up XSL'd XML as HTML to an existing web app
User Input Sanitisation Strategies Threat modelling Defence in depth Minimising attack surface Field length validation, incl structured data Parametrised Queries / Prepared Statements Least privilege White lists How to escape untrusted data for the different execution contexts File uploads not covered Why bother with client side Leveraging existing libraries
Threat modelling Ideally performed at design time Identify the real risks. How? Decomposition Determine entry points, assets, trust levels of users Analyse dependencies Determine & rank threats Determine security controls to prevent threats
Defence in depth Multiple layers may seem redundant Think of each layer as the only layer Attempt to stop the attack as soon as possible User Interface (Mark-up, JavaScript, CSS) Client – Server Comms Server side (internet facing) Back end code Data store
Minimising attack surface Field length validation (client side)
Minimising attack surface Field length validation (server side)
Minimising attack surface Constrain fields to well structured data. Dates, post codes, e-mail addresses, check boxes, radio buttons Minimise free-form text input Hard to create small white lists with free-form
Parametrised Queries / Prepared Statements Least privilege
White lists Decide which characters are essential for each input Can now use the HTML5 pattern attribute on input tag. Doesn't cover textareas
Client Side 1.type the characters in 2.[ctrl]+[v] characters in clipboard 3.right click -> Paste
Server Side
Escaping Escape all characters depending on potential execution contexts they may end up in. Even if they are not in your white lists Get away with the following escaping example only if you deal with untrusted data in HTML elements and you're sure your attributes are all quoted Escaping details for additional contexts here: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Client Side
Server Side
Why bother with client side User Experience Server side sanitisation can be a lot slower When an honest user submits their data, they're not going to get server side exceptions due to validation
Leveraging existing libraries Useful ● OWASP Encoding Project (Reform library) Supports Perl, Python, PHP, JavaScript, ASP, Java, .NET ● OWASP Enterprise Security API Not so Useful ● Microsoft Anti-Cross Site Scripting Library A lot more detail on my blog blog.binarymist.net
Using: http://google-gruyere.appspot.com/ Stored XSS via AJAX
When the user clicks refresh button, response looks like In the mark-up the snippet looks like:
Resources Threat Modelling ● https://www.owasp.org/index.php/Application_Threat_Modeling ● https://www.owasp.org/index.php/Threat_Risk_Modeling Cheat Sheets and Check Lists I found helpful ● https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet ● https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository ● https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat ● https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet ● https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines
What's Our Software Doing With All That User Input

Recommended

Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking IntroAditya Kamat
 
1.java script
1.java script1.java script
1.java scriptPhD Research Scholar
 
An approach to app security - For beginners
An approach to app security - For beginnersAn approach to app security - For beginners
An approach to app security - For beginnersvodQA
 
Ajax Testing Approach
Ajax Testing ApproachAjax Testing Approach
Ajax Testing ApproachHarshJ
 
Ajax Testing Approach
Ajax Testing ApproachAjax Testing Approach
Ajax Testing ApproachHarshaVJoshi
 
Developing Profitable APIs - John Fraser - Platform A
Developing Profitable APIs - John Fraser - Platform ADeveloping Profitable APIs - John Fraser - Platform A
Developing Profitable APIs - John Fraser - Platform Aauexpo Conference
 
Ecira CMS script
Ecira CMS scriptEcira CMS script
Ecira CMS scriptEicra_Soft_Limited
 
Lightning page optimization & best practices
Lightning page optimization & best practicesLightning page optimization & best practices
Lightning page optimization & best practicesGaurav Jain
 

Recommended

Web Hacking Intro
Web Hacking IntroWeb Hacking Intro
Web Hacking IntroAditya Kamat
 
1.java script
1.java script1.java script
1.java scriptPhD Research Scholar
 
An approach to app security - For beginners
An approach to app security - For beginnersAn approach to app security - For beginners
An approach to app security - For beginnersvodQA
 
Ajax Testing Approach
Ajax Testing ApproachAjax Testing Approach
Ajax Testing ApproachHarshJ
 
Ajax Testing Approach
Ajax Testing ApproachAjax Testing Approach
Ajax Testing ApproachHarshaVJoshi
 
Developing Profitable APIs - John Fraser - Platform A
Developing Profitable APIs - John Fraser - Platform ADeveloping Profitable APIs - John Fraser - Platform A
Developing Profitable APIs - John Fraser - Platform Aauexpo Conference
 
Ecira CMS script
Ecira CMS scriptEcira CMS script
Ecira CMS scriptEicra_Soft_Limited
 
Lightning page optimization & best practices
Lightning page optimization & best practicesLightning page optimization & best practices
Lightning page optimization & best practicesGaurav Jain
 
7 must have word press plugins for web developers
7 must have word press plugins for web developers7 must have word press plugins for web developers
7 must have word press plugins for web developersHireWPGeeks Ltd
 
Async
AsyncAsync
AsyncKevin Griffin
 
Model View Controller
Model View ControllerModel View Controller
Model View Controllerurs_tush
 
Mvvm pattern
Mvvm patternMvvm pattern
Mvvm patternmsarangam
 
Client side and server side scripting
Client side and server side scriptingClient side and server side scripting
Client side and server side scriptingbaabtra.com - No. 1 supplier of quality freshers
 
Server and Client side comparision
Server and Client side comparisionServer and Client side comparision
Server and Client side comparisionStew Duncan
 
Client side scripting and server side scripting
Client side scripting and server side scriptingClient side scripting and server side scripting
Client side scripting and server side scriptingbaabtra.com - No. 1 supplier of quality freshers
 
Client & server side scripting
Client & server side scriptingClient & server side scripting
Client & server side scriptingbaabtra.com - No. 1 supplier of quality freshers
 
Sug bangalore - front end coding workflow for sitecore sites
Sug bangalore - front end coding workflow for sitecore sitesSug bangalore - front end coding workflow for sitecore sites
Sug bangalore - front end coding workflow for sitecore sitesAnindita Bhattacharya
 
Client and server side scripting
Client and server side scriptingClient and server side scripting
Client and server side scriptingbaabtra.com - No. 1 supplier of quality freshers
 
Chapter 9
Chapter 9Chapter 9
Chapter 9application developer
 
ASP.NET MVC Reading July 2009
ASP.NET MVC Reading July 2009ASP.NET MVC Reading July 2009
ASP.NET MVC Reading July 2009ukdpe
 
Isset Presentation @ EECI2009
Isset Presentation @ EECI2009Isset Presentation @ EECI2009
Isset Presentation @ EECI2009Isset Internet Professionals
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)Jeremiah Grossman
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...adonatwork
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASPchadtindel
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASPchadtindel
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 

More Related Content

What's hot

7 must have word press plugins for web developers
7 must have word press plugins for web developers7 must have word press plugins for web developers
7 must have word press plugins for web developersHireWPGeeks Ltd
 
Model View Controller
Model View ControllerModel View Controller
Model View Controllerurs_tush
 
Mvvm pattern
Mvvm patternMvvm pattern
Mvvm patternmsarangam
 
Server and Client side comparision
Server and Client side comparisionServer and Client side comparision
Server and Client side comparisionStew Duncan
 
Sug bangalore - front end coding workflow for sitecore sites
Sug bangalore - front end coding workflow for sitecore sitesSug bangalore - front end coding workflow for sitecore sites
Sug bangalore - front end coding workflow for sitecore sitesAnindita Bhattacharya
 
ASP.NET MVC Reading July 2009
ASP.NET MVC Reading July 2009ASP.NET MVC Reading July 2009
ASP.NET MVC Reading July 2009ukdpe
 

What's hot (12)

7 must have word press plugins for web developers
7 must have word press plugins for web developers7 must have word press plugins for web developers
7 must have word press plugins for web developers
 
Async
AsyncAsync
Async
 
Model View Controller
Model View ControllerModel View Controller
Model View Controller
 
Mvvm pattern
Mvvm patternMvvm pattern
Mvvm pattern
 
Client side and server side scripting
Client side and server side scriptingClient side and server side scripting
Client side and server side scripting
 
Server and Client side comparision
Server and Client side comparisionServer and Client side comparision
Server and Client side comparision
 
Client side scripting and server side scripting
Client side scripting and server side scriptingClient side scripting and server side scripting
Client side scripting and server side scripting
 
Client & server side scripting
Client & server side scriptingClient & server side scripting
Client & server side scripting
 
Sug bangalore - front end coding workflow for sitecore sites
Sug bangalore - front end coding workflow for sitecore sitesSug bangalore - front end coding workflow for sitecore sites
Sug bangalore - front end coding workflow for sitecore sites
 
Client and server side scripting
Client and server side scriptingClient and server side scripting
Client and server side scripting
 
Chapter 9
Chapter 9Chapter 9
Chapter 9
 
ASP.NET MVC Reading July 2009
ASP.NET MVC Reading July 2009ASP.NET MVC Reading July 2009
ASP.NET MVC Reading July 2009
 

Similar to What's Our Software Doing With All That User Input

Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)Jeremiah Grossman
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...adonatwork
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASPchadtindel
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASPchadtindel
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Selected Topics ASP.NET2
Selected Topics ASP.NET2Selected Topics ASP.NET2
Selected Topics ASP.NET2Talal Alsubaie
 
RAHUL_Updated( (2)
RAHUL_Updated( (2)RAHUL_Updated( (2)
RAHUL_Updated( (2)Rahul Singh
 
Performance Tune Up for Web Developers
Performance Tune Up for Web DevelopersPerformance Tune Up for Web Developers
Performance Tune Up for Web DevelopersLenin Ghazi
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
Technology Based Testing
Technology Based TestingTechnology Based Testing
Technology Based TestingAlan Richardson
 
Test Automation Best Practices (with SOA test approach)
Test Automation Best Practices (with SOA test approach)Test Automation Best Practices (with SOA test approach)
Test Automation Best Practices (with SOA test approach)Leonard Fingerman
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allupllangit
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Andy West – Director of Technology Architecture, Pearson
Andy West – Director of Technology Architecture, PearsonAndy West – Director of Technology Architecture, Pearson
Andy West – Director of Technology Architecture, PearsonRightScale
 

Similar to What's Our Software Doing With All That User Input (20)

Isset Presentation @ EECI2009
Isset Presentation @ EECI2009Isset Presentation @ EECI2009
Isset Presentation @ EECI2009
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...
 
OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)OWASP Top 10 (2010 release candidate 1)
OWASP Top 10 (2010 release candidate 1)
 
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop...
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Selected Topics ASP.NET2
Selected Topics ASP.NET2Selected Topics ASP.NET2
Selected Topics ASP.NET2
 
RAHUL_Updated( (2)
RAHUL_Updated( (2)RAHUL_Updated( (2)
RAHUL_Updated( (2)
 
Performance Tune Up for Web Developers
Performance Tune Up for Web DevelopersPerformance Tune Up for Web Developers
Performance Tune Up for Web Developers
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Technology Based Testing
Technology Based TestingTechnology Based Testing
Technology Based Testing
 
Test Automation Best Practices (with SOA test approach)
Test Automation Best Practices (with SOA test approach)Test Automation Best Practices (with SOA test approach)
Test Automation Best Practices (with SOA test approach)
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Andy West – Director of Technology Architecture, Pearson
Andy West – Director of Technology Architecture, PearsonAndy West – Director of Technology Architecture, Pearson
Andy West – Director of Technology Architecture, Pearson
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

What's Our Software Doing With All That User Input

  • 1. Dealing with User Input Securely Kim Carter – OWASP Day 2013-09-12
  • 2. Demonstrate vulnerabilities Increase knowledge, awareness and desire to test Discuss practical techniques and approaches that increase our defences Agenda
  • 3. Why the hacker always has the advantage Learn to enjoy breaking your own software. It'll make you a better developer. Our builders must think like breakers Developers Day Job Write Code Hackers Day Job Break Code
  • 4. What does Poor Sanitisation look like?
  • 5. OWASP ZAP also has a REST API. Useful for regression test suites If we have time at the end, we'll go over some AJAX XSS
  • 6. Quality What is Quality? Do we as builders care? Why we should care
  • 7.
  • 10. My Philosophy on Quality Everyone on the team needs to be thinking about it. Not just the testers. Reducing faults much earlier in the cycle.
  • 11. User Input Sanitisation Strategies All code should be driven by executable specifications. Especially sanitisation logic Based around my following two blog posts http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-part-1/ http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-part-2/ Main components were a WCF service which dished up XSL'd XML as HTML to an existing web app
  • 12. User Input Sanitisation Strategies Threat modelling Defence in depth Minimising attack surface Field length validation, incl structured data Parametrised Queries / Prepared Statements Least privilege White lists How to escape untrusted data for the different execution contexts File uploads not covered Why bother with client side Leveraging existing libraries
  • 13. Threat modelling Ideally performed at design time Identify the real risks. How? Decomposition Determine entry points, assets, trust levels of users Analyse dependencies Determine & rank threats Determine security controls to prevent threats
  • 14. Defence in depth Multiple layers may seem redundant Think of each layer as the only layer Attempt to stop the attack as soon as possible User Interface (Mark-up, JavaScript, CSS) Client – Server Comms Server side (internet facing) Back end code Data store
  • 15. Minimising attack surface Field length validation (client side)
  • 16. Minimising attack surface Field length validation (server side)
  • 17. Minimising attack surface Constrain fields to well structured data. Dates, post codes, e-mail addresses, check boxes, radio buttons Minimise free-form text input Hard to create small white lists with free-form
  • 18. Parametrised Queries / Prepared Statements Least privilege
  • 19. White lists Decide which characters are essential for each input Can now use the HTML5 pattern attribute on input tag. Doesn't cover textareas
  • 20. Client Side 1.type the characters in 2.[ctrl]+[v] characters in clipboard 3.right click -> Paste
  • 22. Escaping Escape all characters depending on potential execution contexts they may end up in. Even if they are not in your white lists Get away with the following escaping example only if you deal with untrusted data in HTML elements and you're sure your attributes are all quoted Escaping details for additional contexts here: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
  • 25. Why bother with client side User Experience Server side sanitisation can be a lot slower When an honest user submits their data, they're not going to get server side exceptions due to validation
  • 26. Leveraging existing libraries Useful ● OWASP Encoding Project (Reform library) Supports Perl, Python, PHP, JavaScript, ASP, Java, .NET ● OWASP Enterprise Security API Not so Useful ● Microsoft Anti-Cross Site Scripting Library A lot more detail on my blog blog.binarymist.net
  • 28. When the user clicks refresh button, response looks like In the mark-up the snippet looks like:
  • 29. Resources Threat Modelling ● https://www.owasp.org/index.php/Application_Threat_Modeling ● https://www.owasp.org/index.php/Threat_Risk_Modeling Cheat Sheets and Check Lists I found helpful ● https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet ● https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository ● https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat ● https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet ● https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines