-
Be the first to like this
![The Anti-Pattern
input = GET[ “username” ]
statement = “code “ + input
execute( statement )](https://image.slidesharecdn.com/antipattern-130805080334-phpapp01/95/the-anti-pattern-1-638.jpg?cb=1375690097)
Upcoming SlideShare
The Anti pattern
- 1. The Anti-Pattern input = GET[ “username” ] statement = “code “ + input execute( statement )
- 2. The Anti-Pattern • sql • ldap • eval • response.write • file.open • reflection • control.the.computer INPUT EXECUTE
- 3. Anti-Anti Patterns
- 4. Code not Text! Text query languages suck. Critera & Entity API: WIN
- 5. Code not Text Root<Pet> pet = cq.from(Pet.class) cq.where(cb.equals(pet.get(Pet_.name), input)) s = “SELECT FROM pet WHERE pet.name =“ + input executeSQL( s )
- 6. Fear String.Concat Parameterized Queries: use wildcards instead of concatenating user input
- 7. Remove String.Concat s = “SELECT FROM pet WHERE pet.name = @name“ ps = prepare( s ) ps.bind(“@name”, input) s = “SELECT FROM pet WHERE pet.name =“ + input executeSQL( s )
- 8. Defense in depth
- 9. INPUT EXECUTE GUARD Exception
- 10. Defense in Depth input = GET[ “username” ] if (whitelist.bad( input )) { secLog(“reject…”) throw new Exception() }
- 11. Summary • Most common security coding vulns are variants of the same anti-pattern • Use easy safe-by-design API – Entity & Criteria API – SQLi is hard =) • Fear String.Concat – String operations are the mother of all evil – Parameterize if you must stick to text! • Defend in Depth! – The anti-pattern can also be broken by input validation.
Be the first to comment