Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Navigating through a Hailstorm
Request Handling (Middleware):Request Handling (Middleware):
SANITIZE_ENV_KEYS = %w(
HTTP_R...
Upcoming SlideShare
Loading in …5
×

Hydra Connect 2015 poster from the University of Cincinnati

236 views

Published on

Navigating through a Hailstorm - for information contact Linda Newman (newmanld@ucmail.uc.edu), Thomas Scherz (scherztc@ucmail.uc.edu) or Glen Horton (hortongn@ucmail.uc.edu).

Published in: Education
  • Be the first to comment

  • Be the first to like this

Hydra Connect 2015 poster from the University of Cincinnati

  1. 1. Navigating through a Hailstorm Request Handling (Middleware):Request Handling (Middleware): SANITIZE_ENV_KEYS = %w( HTTP_REFERER PATH_INFO REQUEST_URI REQUEST_PATH QUERY_STRING ) valid = URI.decode(string).force_encoding('UTF-8').valid_encoding? Exception Trapping (Controllers):Exception Trapping (Controllers): unless Rails.application.config.consider_all_requests_local rescue_from Exception, with: :render_404 rescue_from ActionController::RoutingError, with: :render_404 rescue_from ActionController::UnknownController, with: :render_404 rescue_from ActiveRecord::RecordNotFound, with: :render_404 end Parameter Checking (Helpers):Parameter Checking (Helpers): def limit_param_length(parameter, length_limit) render(:file => 'public/404.html', :status => 404, :layout => false) unless parameter.to_s.length < length_limit end TYPICAL HAILSTORM WARNING:TYPICAL HAILSTORM WARNING: Integer Overflow - [OWASP 2013 A 1] Warning Findings Assessment: OWASP-2013 (Set I) - Overflow Run: 07/24/2015 1:16:57PM Traversal: 2015.06.24 scholar user Integer Overflow - [OWASP 2013 A 1] 1 Warning (High, HARM: 115): https://scholar-qa.uc.edu/catalog?utf8=%E2%9C %93&q=testval Message: Integer overflow vulnerability found Injectable request #: 2 Injected item: GET: q Injection length: 6 Request: GET /catalog?utf8=%E2%9C%93&q=-65536 HTTP/1.1 Host: scholar-qa.uc.edu Referer: https://scholar-qa.uc.edu/creators_rights_request Response: <no response> UC’s change management procedures require a passing Hailstorm scan reporting a no harm score. Our strategies include request handling, parameter checking, exception trapping, error page sanitizing and increasing java heap size. For links to our code: http://bit.ly/1Oi1sZd

×