SlideShare a Scribd company logo

Secure Code Warrior - Trust no input

Download as PPTX, PDF
Secure Code Warrior
Secure Code Warrior

Application Security Fundamentals - Slidepack on "Trust No Input" by Secure Code Warrior Limited and licensed under CC BY-ND 4.0

Technology
1 of 7
Trust No Input Application Security Fundamentals by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
The service or application should not accept input without further validation. This avoids performing the next execution steps with possibly outdated, malformed, or malicious data. What could happen? All kinds of input-based attacks, such as SQL injection, cross-site scripting, cross- site request forgery, command execution, and local file access. Additionally, improper validation of input coming from files, databases, or the network can result in system failure or compromise. How to implement it? Limit the user’s liberty when providing input to the application. Validate all input before execution by using a secure validation scheme, including input coming from files, other services, or databases. What’s the concept about?
An application allows users to make calculations based on values in a database. The user wants to calculate “7*height”. Because of a mistake, ”height” was set to -5 in the database. However, the application expects height and the result of the calculation to be a positive number. The application does not proceed with the calculation, but instead shows the user an error message. To protect against unexpected errors, the application validates the input before further processing. Bad database value Trust No Input Understanding the concept Calculat e: 7 x height 7 x -5 = An error occurred. Application height = -5 If height <= 0 Then show_error() Calculate: 7 x height
An application allows users to make calculations based on values in a database. The user wants to calculate “7*height”. Because of a mistake, ”height” was set to -5 in the database. However, the application expects height and the result of the calculation to be a positive number. The result is -45, which causes an exception because of the negative sign and crashes the application. The application does not check the value received from the database before doing the calculation. Bad database value Trust No Input What could happen with the concept? Application height = -5 Calculate: 7 x height
An application could potentially be vulnerable to command injection. A GET parameter ‘fileToDelete’ is passed to the system shell. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request. The application matches the / to the blacklist and does not execute the command. Instead the attacker is presented an error message. The application validates the input before executing the command. It has a blacklist of characters that aborts the execution. OS command injection Trust No Input Understanding the concept Blacklist: /:*?”<>| Error: Blacklisted character!http://site.com/action/delete? fileToDelete=oldFile.txt; rm - rf /var/www file = request.getParameter(‘fileToDelete’); validatedFile = validate(file); execShellCommand(“rm ”+ validatedFile) Application Serverhttp://site.com/action/delete? fileToDelete=aFile.txt
This time, the application is vulnerable to command injection. The GET parameter ‘fileToDelete’ is passed to the system shell without prior validation. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request. All the web application files are deleted. The web application becomes unavailable. The application appends the GET parameter to the command string and the malicious command is executed. OS command injection Trust No Input What could happen with the concept? http://site.com/action/delete? fileToDelete=oldFile.txt; rm - rf /var/www Application Serverhttp://site.com/action/delete? fileToDelete=aFile.txt file = request.getParameter(‘fileToDelete’); execShellCommand(“rm ”+ file) rm –rf /var/www
! NEVER trust user input ! Limit a user’s options when providing input. Example: drop-down list using an index number instead of full context. Perform server-side validation using one of the following schemes: Exact match Whitelisting Blacklisting If possible, reject invalid data. Otherwise, clean or escape it. Consider input coming from all types of sources. Users, files, database, network, external services. Trust No Input Typical controls 1 2 3

Recommended

Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationOnwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Frameworkjpubal
 

Recommended

Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior
 
File upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationFile upload vulnerabilities & mitigation
File upload vulnerabilities & mitigationOnwukike Chinedu. CISA, CEH, COBIT5 LI, CCNP
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Frameworkjpubal
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure Code Warrior - Security decisions via untrusted inputs
Secure Code Warrior - Security decisions via untrusted inputsSecure Code Warrior - Security decisions via untrusted inputs
Secure Code Warrior - Security decisions via untrusted inputsSecure Code Warrior
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security FundamentalsJosé Haro Peralta
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptxwaleejhaider1
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISNull Bhubaneswar
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection Eguardian Global Services
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior
 

More Related Content

What's hot

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure Code Warrior - Security decisions via untrusted inputs
Secure Code Warrior - Security decisions via untrusted inputsSecure Code Warrior - Security decisions via untrusted inputs
Secure Code Warrior - Security decisions via untrusted inputsSecure Code Warrior
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptxwaleejhaider1
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 

What's hot (20)

Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Secure Code Warrior - Security decisions via untrusted inputs
Secure Code Warrior - Security decisions via untrusted inputsSecure Code Warrior - Security decisions via untrusted inputs
Secure Code Warrior - Security decisions via untrusted inputs
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptx
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 

Viewers also liked

Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior
 
Secure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior
 
Secure Code Warrior - Robust error checking
Secure Code Warrior - Robust error checkingSecure Code Warrior - Robust error checking
Secure Code Warrior - Robust error checkingSecure Code Warrior
 
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior
 
Secure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior
 
Secure Code Warrior - Client side injection
Secure Code Warrior - Client side injectionSecure Code Warrior - Client side injection
Secure Code Warrior - Client side injectionSecure Code Warrior
 
Secure Code Warrior - Least privilege
Secure Code Warrior - Least privilegeSecure Code Warrior - Least privilege
Secure Code Warrior - Least privilegeSecure Code Warrior
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior
 
Secure Code Warrior - Fail securely
Secure Code Warrior - Fail securelySecure Code Warrior - Fail securely
Secure Code Warrior - Fail securelySecure Code Warrior
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 

Viewers also liked (15)

Secure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessionsSecure Code Warrior - Cookies and sessions
Secure Code Warrior - Cookies and sessions
 
Secure Code Warrior - Local storage
Secure Code Warrior - Local storageSecure Code Warrior - Local storage
Secure Code Warrior - Local storage
 
Secure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injection
 
Secure Code Warrior - Robust error checking
Secure Code Warrior - Robust error checkingSecure Code Warrior - Robust error checking
Secure Code Warrior - Robust error checking
 
Secure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file uploadSecure Code Warrior - Unrestricted file upload
Secure Code Warrior - Unrestricted file upload
 
Secure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encodingSecure Code Warrior - Insufficient data encoding
Secure Code Warrior - Insufficient data encoding
 
Secure Code Warrior - Client side injection
Secure Code Warrior - Client side injectionSecure Code Warrior - Client side injection
Secure Code Warrior - Client side injection
 
Secure Code Warrior - Least privilege
Secure Code Warrior - Least privilegeSecure Code Warrior - Least privilege
Secure Code Warrior - Least privilege
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
 
Secure Code Warrior - Issues with origins
Secure Code Warrior - Issues with originsSecure Code Warrior - Issues with origins
Secure Code Warrior - Issues with origins
 
Secure Code Warrior - Fail securely
Secure Code Warrior - Fail securelySecure Code Warrior - Fail securely
Secure Code Warrior - Fail securely
 
Secure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior - Logging
Secure Code Warrior - Logging
 
Secure Code Warrior - Secure by default
Secure Code Warrior - Secure by defaultSecure Code Warrior - Secure by default
Secure Code Warrior - Secure by default
 
Secure Code Warrior - Privacy
Secure Code Warrior - PrivacySecure Code Warrior - Privacy
Secure Code Warrior - Privacy
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depth
 

Similar to Secure Code Warrior - Trust no input

Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security RisksSperasoft
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Netsparker
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingAkash Mahajan
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Veracode
 
Comptia security+ (sy0-601) exam dumps 2022
Comptia security+ (sy0-601) exam dumps 2022Comptia security+ (sy0-601) exam dumps 2022
Comptia security+ (sy0-601) exam dumps 2022SkillCertProExams
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
Application security [appsec]
Application security [appsec]Application security [appsec]
Application security [appsec]Judy Ngure
 

Similar to Secure Code Warrior - Trust no input (20)

Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...Web Application Penetration Tests - Vulnerability Identification and Details ...
Web Application Penetration Tests - Vulnerability Identification and Details ...
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
Developing Web Applications Securely - How to Fix Common Code Vulnerabilities...
 
Security 101
Security 101Security 101
Security 101
 
Comptia security+ (sy0-601) exam dumps 2022
Comptia security+ (sy0-601) exam dumps 2022Comptia security+ (sy0-601) exam dumps 2022
Comptia security+ (sy0-601) exam dumps 2022
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordel
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Vulnerability manager v1.0
Vulnerability manager v1.0Vulnerability manager v1.0
Vulnerability manager v1.0
 
Php security
Php securityPhp security
Php security
 
Application security [appsec]
Application security [appsec]Application security [appsec]
Application security [appsec]
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 

Recently uploaded

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 

Secure Code Warrior - Trust no input

  • 1. Trust No Input Application Security Fundamentals by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
  • 2. The service or application should not accept input without further validation. This avoids performing the next execution steps with possibly outdated, malformed, or malicious data. What could happen? All kinds of input-based attacks, such as SQL injection, cross-site scripting, cross- site request forgery, command execution, and local file access. Additionally, improper validation of input coming from files, databases, or the network can result in system failure or compromise. How to implement it? Limit the user’s liberty when providing input to the application. Validate all input before execution by using a secure validation scheme, including input coming from files, other services, or databases. What’s the concept about?
  • 3. An application allows users to make calculations based on values in a database. The user wants to calculate “7*height”. Because of a mistake, ”height” was set to -5 in the database. However, the application expects height and the result of the calculation to be a positive number. The application does not proceed with the calculation, but instead shows the user an error message. To protect against unexpected errors, the application validates the input before further processing. Bad database value Trust No Input Understanding the concept Calculat e: 7 x height 7 x -5 = An error occurred. Application height = -5 If height <= 0 Then show_error() Calculate: 7 x height
  • 4. An application allows users to make calculations based on values in a database. The user wants to calculate “7*height”. Because of a mistake, ”height” was set to -5 in the database. However, the application expects height and the result of the calculation to be a positive number. The result is -45, which causes an exception because of the negative sign and crashes the application. The application does not check the value received from the database before doing the calculation. Bad database value Trust No Input What could happen with the concept? Application height = -5 Calculate: 7 x height
  • 5. An application could potentially be vulnerable to command injection. A GET parameter ‘fileToDelete’ is passed to the system shell. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request. The application matches the / to the blacklist and does not execute the command. Instead the attacker is presented an error message. The application validates the input before executing the command. It has a blacklist of characters that aborts the execution. OS command injection Trust No Input Understanding the concept Blacklist: /:*?”<>| Error: Blacklisted character!http://site.com/action/delete? fileToDelete=oldFile.txt; rm - rf /var/www file = request.getParameter(‘fileToDelete’); validatedFile = validate(file); execShellCommand(“rm ”+ validatedFile) Application Serverhttp://site.com/action/delete? fileToDelete=aFile.txt
  • 6. This time, the application is vulnerable to command injection. The GET parameter ‘fileToDelete’ is passed to the system shell without prior validation. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request. All the web application files are deleted. The web application becomes unavailable. The application appends the GET parameter to the command string and the malicious command is executed. OS command injection Trust No Input What could happen with the concept? http://site.com/action/delete? fileToDelete=oldFile.txt; rm - rf /var/www Application Serverhttp://site.com/action/delete? fileToDelete=aFile.txt file = request.getParameter(‘fileToDelete’); execShellCommand(“rm ”+ file) rm –rf /var/www
  • 7. ! NEVER trust user input ! Limit a user’s options when providing input. Example: drop-down list using an index number instead of full context. Perform server-side validation using one of the following schemes: Exact match Whitelisting Blacklisting If possible, reject invalid data. Otherwise, clean or escape it. Consider input coming from all types of sources. Users, files, database, network, external services. Trust No Input Typical controls 1 2 3