Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Secure Code Warrior - Trust no input
1. Trust No Input
Application Security Fundamentals
by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
2. What's the concept about?
The service or application should not accept input without further validation. This avoids performing the next execution steps with possibly outdated, malformed, or malicious data.
What could happen?
All kinds of input-based attacks, such as SQL injection, cross-site scripting, cross-site request forgery, command execution, and local file access. Additionally, improper validation of input coming from files, databases, or the network can result in system failure or compromise.
How to implement it?
Limit the user's liberty when providing input to the application. Validate all input before execution by using a secure validation scheme, including input coming from files, other services, or databases.
3. Trust No Input: Understanding the concept (bad database value)
An application allows users to make calculations based on values in a database. The user wants to calculate "7*height". Because of a mistake, "height" was set to -5 in the database. However, the application expects height and the result of the calculation to be a positive number.
(Diagram: the user asks the application to calculate 7 x height; the database returns height = -5.)
To protect against unexpected errors, the application validates the input before further processing:
If height <= 0
Then show_error()
Calculate: 7 x height
The application does not proceed with the calculation, but instead shows the user an error message: "7 x -5 = An error occurred."
4. Trust No Input: What could happen with the concept? (bad database value)
An application allows users to make calculations based on values in a database. The user wants to calculate "7*height". Because of a mistake, "height" was set to -5 in the database. However, the application expects height and the result of the calculation to be a positive number.
(Diagram: the user asks the application to calculate 7 x height; the database returns height = -5.)
The application does not check the value received from the database before doing the calculation:
Calculate: 7 x height
The result is -45, which causes an exception because of the negative sign and crashes the application.
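The two outcomes on slides 3 and 4, as an added example that is not part of the Secure Code Warrior deck: an in-memory SQLite table stands in for the application's database (the table name, column names and the `width` row are constructed here), the unvalidated path reproduces the crash on a negative result, and the validated path rejects the bad value and returns the error message instead.

```python
import sqlite3


class InvalidInputError(ValueError):
    """Raised when a value read from the database fails validation."""


def build_db():
    """Constructed database: 'height' carries the bad value -5 from the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE measurements (name TEXT PRIMARY KEY, value INTEGER)")
    conn.execute("INSERT INTO measurements VALUES ('height', -5)")  # the mistaken value
    conn.execute("INSERT INTO measurements VALUES ('width', 12)")   # a sane value
    conn.commit()
    return conn


def _fetch(conn, name):
    row = conn.execute(
        "SELECT value FROM measurements WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        raise InvalidInputError(f"{name}: no such value in the database")
    return row[0]


def read_positive_int(conn, name):
    """Validation scheme: the value must be an int and strictly positive.

    Data from the database is treated exactly like user input: it is checked
    before any calculation uses it.
    """
    value = _fetch(conn, name)
    if not isinstance(value, int) or value <= 0:
        raise InvalidInputError(f"{name}: expected a positive integer, got {value!r}")
    return value


def calculate_unvalidated(conn, name):
    """Slide 4: the stored value is used as-is, so -5 reaches the multiplication."""
    result = 7 * _fetch(conn, name)
    if result < 0:
        # The application expects a positive result; a negative one is an
        # unexpected condition, and here it escapes as an exception (the crash).
        raise RuntimeError(f"unexpected negative result {result}")
    return result


def calculate_validated(conn, name):
    """Slide 3: validate first; return (result, None) or (None, error message)."""
    try:
        height = read_positive_int(conn, name)
    except InvalidInputError as exc:
        return None, f"An error occurred: {exc}"
    return 7 * height, None


if __name__ == "__main__":
    db = build_db()
    print(calculate_validated(db, "height"))   # (None, 'An error occurred: ...')
    print(calculate_validated(db, "width"))    # (84, None)
    try:
        calculate_unvalidated(db, "height")
    except RuntimeError as crash:
        print("unvalidated path crashed:", crash)
```

The validation lives in one function (`read_positive_int`) so every code path that reads from the table goes through the same check; the calculation itself never has to reason about bad data.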
5. Trust No Input: Understanding the concept (OS command injection)
An application could potentially be vulnerable to command injection. A GET parameter 'fileToDelete' is passed to the system shell. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request.
The application validates the input before executing the command. It has a blacklist of characters that aborts the execution:
Blacklist: /:*?"<>|
file = request.getParameter('fileToDelete');
validatedFile = validate(file);
execShellCommand("rm " + validatedFile)
Normal request to the application server: http://site.com/action/delete?fileToDelete=aFile.txt
Malicious request: http://site.com/action/delete?fileToDelete=oldFile.txt; rm -rf /var/www
The application matches the / to the blacklist and does not execute the command. Instead the attacker is presented an error message: "Error: Blacklisted character!"
6. Trust No Input: What could happen with the concept? (OS command injection)
This time, the application is vulnerable to command injection. The GET parameter 'fileToDelete' is passed to the system shell without prior validation. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request.
Normal request to the application server: http://site.com/action/delete?fileToDelete=aFile.txt
Malicious request: http://site.com/action/delete?fileToDelete=oldFile.txt; rm -rf /var/www
The application appends the GET parameter to the command string and the malicious command is executed:
file = request.getParameter('fileToDelete');
execShellCommand("rm " + file)
Resulting shell command: rm -rf /var/www
All the web application files are deleted. The web application becomes unavailable.
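The delete handler from slides 5 and 6 in Python, as an added example that is not the deck's own code. It keeps the slide's blacklist for comparison, adds a whitelist that describes what a valid file name looks like, and performs the deletion without ever building a shell command string. The upload directory, the regular expression and the helper names are assumptions made here; the sample parameter values are the ones shown on the slides.

```python
import os
import re
import tempfile

# Slide 5's blacklist of characters that abort execution.
BLACKLIST = set('/:*?"<>|')

# Whitelist (assumed pattern): a plain file name made of letters, digits, '_',
# '.' and '-', not starting with '.', so it can never contain a path separator,
# whitespace or a shell metacharacter such as ';'.
FILENAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}")


def blacklist_check(name):
    """Slide 5's scheme: reject if any forbidden character is present."""
    return not any(ch in BLACKLIST for ch in name)


def whitelist_check(name):
    """Preferred scheme: accept only what matches the description of a valid name."""
    return FILENAME_RE.fullmatch(name) is not None


def vulnerable_command_string(param):
    """Slide 6: the raw parameter appended to the command.

    Returned as a string only, never executed. A shell would split it at ';'
    and run whatever follows as a second command.
    """
    return "rm " + param


def safe_delete(upload_dir, param):
    """Validate, then delete with a filesystem call instead of a shell.

    Returns (deleted, message). Invalid input is rejected, not cleaned.
    """
    if not whitelist_check(param):
        return False, "Error: invalid file name"
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, param))
    # Defence in depth: the resolved path must still be a direct child of base.
    if os.path.dirname(target) != base:
        return False, "Error: path escapes the upload directory"
    if not os.path.isfile(target):
        return False, "Error: no such file"
    # No shell is involved, so the name is a file name and nothing else.
    # If an external program were unavoidable, pass an argv list to
    # subprocess.run() and never use shell=True.
    os.remove(target)
    return True, "Deleted"


def demo():
    """Run the handler against the two requests from the slides (constructed files)."""
    payload = "oldFile.txt; rm -rf /var/www"
    with tempfile.TemporaryDirectory() as uploads:
        for name in ("aFile.txt", "oldFile.txt"):
            open(os.path.join(uploads, name), "w").close()
        ok_result = safe_delete(uploads, "aFile.txt")
        bad_result = safe_delete(uploads, payload)
        survivors = sorted(os.listdir(uploads))
    return ok_result, bad_result, survivors


if __name__ == "__main__":
    print(vulnerable_command_string("oldFile.txt; rm -rf /var/www"))
    print(demo())  # (True, 'Deleted'), (False, 'Error: invalid file name'), ['oldFile.txt']
```

The blacklist on the slide happens to catch the sample payload because it contains a '/', but it does not describe a valid name; the whitelist does, and it rejects the space and ';' as well. The realpath check is a second, independent control in case the name validation is ever relaxed.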
7. Trust No Input: Typical controls
! NEVER trust user input !
1. Limit a user's options when providing input. Example: drop-down list using an index number instead of full context.
2. Perform server-side validation using one of the following schemes: exact match, whitelisting, blacklisting. If possible, reject invalid data. Otherwise, clean or escape it.
3. Consider input coming from all types of sources: users, files, database, network, external services.
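The three validation schemes and the drop-down index control from slide 7 in one place, as an added example that is not part of the deck. The allowed actions, the username pattern, the list of options and the function names are all assumptions made here for illustration.

```python
import html
import re

# 1. Exact match: the value must be one of a fixed, known set of values.
ALLOWED_ACTIONS = frozenset({"view", "edit", "delete"})


def exact_match(value, allowed=ALLOWED_ACTIONS):
    return value in allowed


# 2. Whitelisting: the value must match a description of everything acceptable.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")


def whitelist(value, pattern=USERNAME_RE):
    return pattern.fullmatch(value) is not None


# 3. Blacklisting: reject values containing known-bad characters. Weakest of the
#    three, because it only covers what the author thought of in advance.
BAD_CHARS = frozenset('/:*?"<>|')


def blacklist(value, bad=BAD_CHARS):
    return not (set(value) & bad)


def validate(value, scheme):
    """Apply one named scheme; 'reject' is the default outcome for anything else."""
    checks = {"exact": exact_match, "whitelist": whitelist, "blacklist": blacklist}
    if scheme not in checks:
        raise ValueError(f"unknown validation scheme {scheme!r}")
    return checks[scheme](value)


# Drop-down list using an index number: the client sends only a small integer
# and the server maps it to the real value, so free-form text never arrives.
OPTIONS = ("Canada", "Germany", "Japan")


def resolve_choice(raw_index, options=OPTIONS):
    """Return (value, None) for a valid index or (None, error) otherwise."""
    if not isinstance(raw_index, str) or re.fullmatch(r"[0-9]{1,3}", raw_index) is None:
        return None, "Error: choice must be a small non-negative integer"
    idx = int(raw_index)
    if idx >= len(options):
        return None, "Error: choice out of range"
    return options[idx], None


def escape_for_html(value):
    """'Otherwise, clean or escape it': neutralise a value that must be echoed
    into HTML and cannot simply be rejected (a free-text comment, for example)."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(validate("delete", "exact"), validate("drop", "exact"))      # True False
    print(validate("alice_01", "whitelist"), validate("Alice", "whitelist"))  # True False
    print(resolve_choice("1"), resolve_choice("7"), resolve_choice("-1"))
    print(escape_for_html('<script>alert("x")</script>'))
```

Exact match and whitelisting state what is allowed, so anything unanticipated is rejected by default; blacklisting states what is forbidden, so anything unanticipated is accepted by default. That asymmetry is why the slide lists rejection first and escaping only as the fallback.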