Input validation is important to prevent attacks. User input should never be trusted and should be validated using a whitelist approach at the earliest stage. Layers of defense like regular expression validation and bounds checking should be used. Input can be validated using known good, known bad, or exact match approaches against expected values or formats. Escaping input is not enough--invalid input should be rejected rather than processed.
Input validation is important to prevent incorrect or invalid values from being entered into an application which could lead to user frustration or security issues. Exceptions handle errors and unexpected conditions during program execution. Common exceptions include ImportError, ValueError, and IOError. The try-except block allows code to be executed within the try statement and exceptions raised to be handled in the except block through predefined or custom exceptions.
The document discusses SQL injection, including its types, methodology, attack queries, and prevention. SQL injection is a code injection technique where a hacker manipulates SQL commands to access a database and sensitive information. It can result in identity spoofing, modifying data, gaining administrative privileges, denial of service attacks, and more. The document outlines the steps of a SQL injection attack and types of queries used. Prevention methods include minimizing privileges, coding standards, and firewalls.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
SQL is a language used to access and manipulate databases. It allows users to execute queries, retrieve, insert, update and delete data from databases. SQL injection occurs when malicious code is injected into an SQL query, which can compromise the security of a database. To prevent SQL injection, developers should validate all user input, escape special characters, limit database permissions, and configure databases to not display error information to users.
Authentication verifies a user's identity by validating credentials like a username and password. Authorization then determines what access and permissions an authenticated user has. Authentication methods can include something you know like passwords, something you have like tokens or smartcards, or something you are like biometrics. Common authentication practices for systems include setting password policies, locking accounts after failed logins, and disabling unused accounts. Proper authentication helps implement access controls and security.
The document discusses different types of SQL injection attacks, including tautologies, illegal/logically incorrect queries, union queries, piggybacked queries, and stored procedures. Tautologies aim to bypass authentication by making conditional statements always true. Illegal queries gather database information by causing syntax or type errors. Union queries extract data by combining results from multiple tables. Piggybacked queries maliciously execute additional queries by abusing query delimiters. Stored procedures can be used to escalate privileges or execute remote commands if vulnerabilities exist. Examples are provided for each type of attack along with potential solutions.
Input validation is important to prevent incorrect or invalid values from being entered into an application which could lead to user frustration or security issues. Exceptions handle errors and unexpected conditions during program execution. Common exceptions include ImportError, ValueError, and IOError. The try-except block allows code to be executed within the try statement and exceptions raised to be handled in the except block through predefined or custom exceptions.
The document discusses SQL injection, including its types, methodology, attack queries, and prevention. SQL injection is a code injection technique where a hacker manipulates SQL commands to access a database and sensitive information. It can result in identity spoofing, modifying data, gaining administrative privileges, denial of service attacks, and more. The document outlines the steps of a SQL injection attack and types of queries used. Prevention methods include minimizing privileges, coding standards, and firewalls.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
SQL is a language used to access and manipulate databases. It allows users to execute queries, retrieve, insert, update and delete data from databases. SQL injection occurs when malicious code is injected into an SQL query, which can compromise the security of a database. To prevent SQL injection, developers should validate all user input, escape special characters, limit database permissions, and configure databases to not display error information to users.
Authentication verifies a user's identity by validating credentials like a username and password. Authorization then determines what access and permissions an authenticated user has. Authentication methods can include something you know like passwords, something you have like tokens or smartcards, or something you are like biometrics. Common authentication practices for systems include setting password policies, locking accounts after failed logins, and disabling unused accounts. Proper authentication helps implement access controls and security.
The document discusses different types of SQL injection attacks, including tautologies, illegal/logically incorrect queries, union queries, piggybacked queries, and stored procedures. Tautologies aim to bypass authentication by making conditional statements always true. Illegal queries gather database information by causing syntax or type errors. Union queries extract data by combining results from multiple tables. Piggybacked queries maliciously execute additional queries by abusing query delimiters. Stored procedures can be used to escalate privileges or execute remote commands if vulnerabilities exist. Examples are provided for each type of attack along with potential solutions.
This document discusses SQL injection attacks and how to mitigate them. It begins by explaining how injection attacks work by tricking applications into executing unintended commands. It then provides examples of how SQL injection can be used to conduct unauthorized access and data modification attacks. The document discusses techniques for finding and exploiting SQL injection vulnerabilities, including through the SELECT, INSERT, UPDATE and UNION commands. It also covers ways to mitigate injection attacks, such as using prepared statements with bound parameters instead of concatenating strings.
The document discusses SQL injection attacks, including what SQL injection is, types of SQL injection attacks such as first and second order attacks, mechanisms for injection through user input or cookies, and techniques for preventing SQL injection like defensive coding practices and input validation. SQL injection is a code injection technique where malicious SQL statements are inserted into an entry field for execution by the backend database, allowing attackers to view or manipulate restricted data in the database. The document provides examples of SQL injection and explores ways attackers can infer information and encode attacks despite prevention methods.
The slide consists of:
An explanation for SQL injections.
First order and second order SQL injections.
Methods: Normal and Blind SQL injections with examples.
Examples: Injection using true/false, drop table and update table commands.
Prevention using dynamic embedded SQL queries.
Conclusion and References.
Virus and its CounterMeasures -- Pruthvi Monarch Pruthvi Monarch
This document discusses viruses and countermeasures against them. It begins by defining viruses and their operation modes and structure. It describes different types of viruses like macro viruses, email viruses, and Trojan horses. It then discusses recent malicious attacks like Code Red and Nimda. The document outlines various virus countermeasures like prevention, detection, and reaction techniques. It describes advanced techniques like digital immune systems, behavioral blocking software, and antivirus software programs. It concludes by emphasizing the importance of installing antivirus applications, regularly scanning for viruses, gaining knowledge about how viruses work, and using basic internet security applications.
- The document discusses common web application vulnerabilities like SQL injection, cross-site scripting, and cross-site request forgery.
- It provides examples of vulnerable code and outlines secure coding practices to prevent these vulnerabilities, such as using parameterized queries to prevent SQL injection, encoding user input to prevent XSS, and using anti-forgery tokens to prevent CSRF.
- Additional topics covered include secure password storage, configuration hardening through web.config settings, and implementation of security controls like encryption and encoding using libraries like ESAPI.
Security Testing involves testing applications and systems to ensure security and proper functionality. It includes testing input validation, internal processing, output validation, and more. Common types of security testing are security auditing, vulnerability scanning, risk assessment, ethical hacking, and penetration testing. The OWASP Top 10 includes SQL injection, cross-site scripting, and broken authentication and session management as common vulnerabilities.
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
The document discusses secure coding principles and vulnerabilities in different programming languages. It provides examples of vulnerabilities in PHP, JavaScript, Ruby, Struts, and C. Key secure coding principles discussed include minimizing the attack surface, establishing secure defaults, least privilege, defense in depth, and failing securely. Specific vulnerabilities addressed include PHP hash collisions, PHP remote code execution, JavaScript type issues, Ruby system commands, and Struts dynamic method invocation.
SQL injection is a code injection technique that exploits vulnerabilities in database-driven web applications. It occurs when user input is not validated or sanitized for string literal escape characters that are part of SQL statements. This allows attackers to interfere with the queries and obtain unauthorized access to sensitive data or make changes to the database. The document then provides step-by-step instructions on how to scan for vulnerabilities, determine database details like name and tables, extract data like user credentials, bypass protections like magic quotes, and use tools to automate the process.
Good Secure Development Practices Presented By: Bil Corry lasso.pro Education Project. It recommends validating all user input, distrusting even your own requests, and taking a layered approach to validation, enforcement of business rules, and authentication. Some specific best practices include implementing positive authentication, principle of least privilege, centralized authorization routines, separating admin and user access, and ensuring error handling fails safely.
The document provides definitions and concepts related to application security including assets, threats, vulnerabilities, attacks, and security controls. It discusses how application security aims to secure the confidentiality, integrity, and availability of data by protecting against vulnerabilities like SQL injection and cross-site scripting. The document demonstrates how attackers can exploit vulnerabilities in multiple phases, from information gathering to maintaining access. It recommends best practices for developers like following security standards, conducting audits, implementing logging, and keeping software updated. Finally, it discusses Facebook's response to the Cambridge Analytica data privacy scandal.
In this SQL Injection video, we delve into the world of SQL Injection attacks, one of the most prevalent threats to databases today. Join us as we explore the inner workings of this malicious technique and understand how hackers exploit vulnerabilities in web applications to gain unauthorized access to sensitive data. With step-by-step examples and demonstrations, we provide comprehensive insights on the various types of SQL Injection attacks and their potential consequences. Moreover, we equip you with essential knowledge and countermeasures to safeguard your database against these attacks, ensuring the security of your valuable information. Don't let your data fall victim to SQL Injection—watch this video now!
SQL injection is a code injection technique, used to attack data-driven applications,
in which malicious SQL statements are inserted into an entry field for execution.
This is a method to attack web applications that have a data repository.The
attacker would send a specially crafted SQL statement that is designed to cause
some malicious action.SQL injection is an attack technique that exploits a security
vulnerability occurring in the database layer of an application and a service. This
is most often found within web pages with dynamic content.
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
+ Background & Basics of Web App Security, The HTTP Protocol, Web.
+ Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc), Remediation of Web App
+ Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
This document discusses vulnerability assessment and penetration testing. It defines them as two types of vulnerability testing that search for known vulnerabilities and attempt to exploit vulnerabilities, respectively. Vulnerability assessment uses automated tools to detect known issues, while penetration testing employs hacking techniques to demonstrate how deeply vulnerabilities could be exploited like an actual attacker. Both are important security practices for identifying weaknesses and reducing risks, but require different skills and have different strengths, weaknesses, frequencies, and report outputs. Reasons for vulnerabilities include insecure coding, limited testing, and misconfigurations. The document outlines common vulnerability and attack types as well as how vulnerability assessment and penetration testing are typically conducted.
This document describes how to validate a form in JavaScript before submission. It includes the XHTML markup for a form with six fields, including four text fields, one dropdown, and one textarea. JavaScript functions are used to enable the submit button when a field is clicked and check that required fields are filled out, displaying an error message if not. Styling is added with CSS. On successful validation, the form will submit, with a confirmation message displayed upon completion.
This document discusses web forms and server-side scripting. It begins by defining different types of servers, including web servers. It then explains that web content can be static HTML or dynamic content generated by user-side programming like JavaScript or server-side programming like PHP, ASP, and JSP. Server-side programming allows for accessibility, manageability, security and scalability. The document reviews the history of dynamic web content and introduces scripting as the third generation approach. It then discusses popular scripting languages and frameworks like PHP, ASP.NET and JSP. Finally, it provides an overview of how to connect PHP to a server through a hosted server, local installation, or using XAMPP.
This document discusses SQL injection attacks and how to mitigate them. It begins by explaining how injection attacks work by tricking applications into executing unintended commands. It then provides examples of how SQL injection can be used to conduct unauthorized access and data modification attacks. The document discusses techniques for finding and exploiting SQL injection vulnerabilities, including through the SELECT, INSERT, UPDATE and UNION commands. It also covers ways to mitigate injection attacks, such as using prepared statements with bound parameters instead of concatenating strings.
The document discusses SQL injection attacks, including what SQL injection is, types of SQL injection attacks such as first and second order attacks, mechanisms for injection through user input or cookies, and techniques for preventing SQL injection like defensive coding practices and input validation. SQL injection is a code injection technique where malicious SQL statements are inserted into an entry field for execution by the backend database, allowing attackers to view or manipulate restricted data in the database. The document provides examples of SQL injection and explores ways attackers can infer information and encode attacks despite prevention methods.
The slide consists of:
An explanation for SQL injections.
First order and second order SQL injections.
Methods: Normal and Blind SQL injections with examples.
Examples: Injection using true/false, drop table and update table commands.
Prevention using dynamic embedded SQL queries.
Conclusion and References.
Virus and its CounterMeasures -- Pruthvi Monarch Pruthvi Monarch
This document discusses viruses and countermeasures against them. It begins by defining viruses and their operation modes and structure. It describes different types of viruses like macro viruses, email viruses, and Trojan horses. It then discusses recent malicious attacks like Code Red and Nimda. The document outlines various virus countermeasures like prevention, detection, and reaction techniques. It describes advanced techniques like digital immune systems, behavioral blocking software, and antivirus software programs. It concludes by emphasizing the importance of installing antivirus applications, regularly scanning for viruses, gaining knowledge about how viruses work, and using basic internet security applications.
- The document discusses common web application vulnerabilities like SQL injection, cross-site scripting, and cross-site request forgery.
- It provides examples of vulnerable code and outlines secure coding practices to prevent these vulnerabilities, such as using parameterized queries to prevent SQL injection, encoding user input to prevent XSS, and using anti-forgery tokens to prevent CSRF.
- Additional topics covered include secure password storage, configuration hardening through web.config settings, and implementation of security controls like encryption and encoding using libraries like ESAPI.
Security Testing involves testing applications and systems to ensure security and proper functionality. It includes testing input validation, internal processing, output validation, and more. Common types of security testing are security auditing, vulnerability scanning, risk assessment, ethical hacking, and penetration testing. The OWASP Top 10 includes SQL injection, cross-site scripting, and broken authentication and session management as common vulnerabilities.
Secure Coding - Web Application Security Vulnerabilities and Best PracticesWebsecurify
The document discusses secure coding principles and vulnerabilities in different programming languages. It provides examples of vulnerabilities in PHP, JavaScript, Ruby, Struts, and C. Key secure coding principles discussed include minimizing the attack surface, establishing secure defaults, least privilege, defense in depth, and failing securely. Specific vulnerabilities addressed include PHP hash collisions, PHP remote code execution, JavaScript type issues, Ruby system commands, and Struts dynamic method invocation.
SQL injection is a code injection technique that exploits vulnerabilities in database-driven web applications. It occurs when user input is not validated or sanitized for string literal escape characters that are part of SQL statements. This allows attackers to interfere with the queries and obtain unauthorized access to sensitive data or make changes to the database. The document then provides step-by-step instructions on how to scan for vulnerabilities, determine database details like name and tables, extract data like user credentials, bypass protections like magic quotes, and use tools to automate the process.
Good Secure Development Practices Presented By: Bil Corry lasso.pro Education Project. It recommends validating all user input, distrusting even your own requests, and taking a layered approach to validation, enforcement of business rules, and authentication. Some specific best practices include implementing positive authentication, principle of least privilege, centralized authorization routines, separating admin and user access, and ensuring error handling fails safely.
The document provides definitions and concepts related to application security including assets, threats, vulnerabilities, attacks, and security controls. It discusses how application security aims to secure the confidentiality, integrity, and availability of data by protecting against vulnerabilities like SQL injection and cross-site scripting. The document demonstrates how attackers can exploit vulnerabilities in multiple phases, from information gathering to maintaining access. It recommends best practices for developers like following security standards, conducting audits, implementing logging, and keeping software updated. Finally, it discusses Facebook's response to the Cambridge Analytica data privacy scandal.
In this SQL Injection video, we delve into the world of SQL Injection attacks, one of the most prevalent threats to databases today. Join us as we explore the inner workings of this malicious technique and understand how hackers exploit vulnerabilities in web applications to gain unauthorized access to sensitive data. With step-by-step examples and demonstrations, we provide comprehensive insights on the various types of SQL Injection attacks and their potential consequences. Moreover, we equip you with essential knowledge and countermeasures to safeguard your database against these attacks, ensuring the security of your valuable information. Don't let your data fall victim to SQL Injection—watch this video now!
SQL injection is a code injection technique, used to attack data-driven applications,
in which malicious SQL statements are inserted into an entry field for execution.
This is a method to attack web applications that have a data repository.The
attacker would send a specially crafted SQL statement that is designed to cause
some malicious action.SQL injection is an attack technique that exploits a security
vulnerability occurring in the database layer of an application and a service. This
is most often found within web pages with dynamic content.
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
+ Background & Basics of Web App Security, The HTTP Protocol, Web.
+ Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc), Remediation of Web App
+ Vulnerabilities, Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
This document discusses vulnerability assessment and penetration testing. It defines them as two types of vulnerability testing that search for known vulnerabilities and attempt to exploit vulnerabilities, respectively. Vulnerability assessment uses automated tools to detect known issues, while penetration testing employs hacking techniques to demonstrate how deeply vulnerabilities could be exploited like an actual attacker. Both are important security practices for identifying weaknesses and reducing risks, but require different skills and have different strengths, weaknesses, frequencies, and report outputs. Reasons for vulnerabilities include insecure coding, limited testing, and misconfigurations. The document outlines common vulnerability and attack types as well as how vulnerability assessment and penetration testing are typically conducted.
This document describes how to validate a form in JavaScript before submission. It includes the XHTML markup for a form with six fields, including four text fields, one dropdown, and one textarea. JavaScript functions are used to enable the submit button when a field is clicked and check that required fields are filled out, displaying an error message if not. Styling is added with CSS. On successful validation, the form will submit, with a confirmation message displayed upon completion.
This document discusses web forms and server-side scripting. It begins by defining different types of servers, including web servers. It then explains that web content can be static HTML or dynamic content generated by user-side programming like JavaScript or server-side programming like PHP, ASP, and JSP. Server-side programming allows for accessibility, manageability, security and scalability. The document reviews the history of dynamic web content and introduces scripting as the third generation approach. It then discusses popular scripting languages and frameworks like PHP, ASP.NET and JSP. Finally, it provides an overview of how to connect PHP to a server through a hosted server, local installation, or using XAMPP.
If you don't have knowledge of HTML, CSS & JavaScript than you may face some difficulties in validating a HTML form yet I will make the entire step very easy to understand by you.
The document discusses the first step in Lazar's development lifecycle which is to define the mission and target users of a website. It provides examples of website missions such as to entertain, inform or educate, and market/sell. The key aspects to define include the goals, target user population, and how success will be measured. User requirements should also be collected through methods like questionnaires, interviews, and focus groups to understand people, activities, contexts and technologies involved.
1) Writing secure Flex applications involves using security restrictions on MXML tags, disabling the viewSourceURL property, and removing sensitive information from SWF files.
2) Input validation and password handling are important for security. Validators can validate input client-side, and passwords should be checked on the server rather than client.
3) Other security practices for ActionScript include handling errors properly, suppressing debug output, and using host-based authentication.
This document provides instructions for an assignment to create an HTML file with a shipping form that includes input validation. The form should include drop-down menus for shipping destination and type with required selections. The receiver's name field cannot be empty and must show an error if so. The email field must contain an @ character to validate the email address. A submit button should trigger validation of all fields using the onsubmit event.
This document provides an overview and introduction to JavaScript:
- It discusses JavaScript basics like object-based programming, value types, variables, arrays, user-defined objects and functions.
- It describes how to put JavaScript in HTML pages and common built-in objects like window, document and forms.
- It also covers event handling, JavaScript libraries like jQuery, debugging tools like Firebug, and topics like form and DOM manipulation.
Business Interfaces using Virtual Objects, Visual-Force Forms and JavaScriptSalesforce Developers
Join us as we explore the simplification of business logic using Apex Virtual Objects for solving specific business challenges and enhancing user experiences with a jQuery-based Datatable Library. Enjoy a demonstration of a Hybrid solution that can work wonders where a lot of us struggle to figure out the right mix and balance between Javascript and VF/Apex usage. You'll learn that with minimal Javascript knowledge, you can maximize Visualforce page design and improve overall customer experience. We'll also cover code maintainability and some User Experience design aspects that can be applied to solve day-to-day problems.
This document provides a summary of new features in HTML5 including new tags, attributes, media capabilities, forms, validation, and APIs for canvas and SVG graphics. It discusses changes to existing tags and introduces several new structural tags for outlines, headers, footers, and other sections. It also covers new media elements for embedding audio and video, as well as local storage APIs for persistent client-side storage. Live demos are provided to illustrate features like canvas drawing, SVG graphics, and local storage.
Todd Anglin gave a presentation on HTML5 forms and input types. He discussed the new input types available like email, url, number and date/time. He demonstrated how to use these new input types and attributes like placeholder, required and pattern. Anglin also covered customizing the browser rendered inputs using shadow DOM and styling validation states with CSS. For older browsers without native support, he recommended polyfilling the new functionality with JavaScript.
The document discusses authentication protocols and digital signatures. It describes mutual authentication protocols that allow two parties to verify each other's identities and exchange session keys. It also discusses one-way authentication protocols. The document focuses on explaining the Digital Signature Standard (DSS) and the Digital Signature Algorithm (DSA). It provides details on how DSA uses public/private key pairs to generate and verify digital signatures for authenticating messages and senders.
JavaScript can be used to validate form data before submission. It checks that required fields are filled, emails and dates are valid, and text is not entered in numeric fields. Validation functions return false to stop submission if errors are found. For example, a function checks if the first name field is empty and alerts the user, returning false to prevent form submission. This function can be called on form submit using the onsubmit event.
Validation rule, validation text and input masksfizahPhd
Validation rules set limits on data entered in fields. They can be created by specifying an expression in the validation rule property of a field or control. Validation text provides a custom error message if invalid data is entered. Input masks format user input, such as automatically adding punctuation to phone numbers entered without punctuation.
ASP.NET provides many server controls that generate HTML elements and simplify web development, including basic controls that map to HTML tags, more advanced controls that generate complex output, and specialized controls for tasks like validation, navigation, and data binding. Server controls inherit from classes in the .NET Framework and have properties and events that make them easier to work with compared to standard HTML elements. ASP.NET offers a variety of server controls to handle common tasks and interface elements on web forms.
HTML5 is all the rage with the cool kids, and although there's a lot of focus on the new language, there's lots of interesting new JavaScript APIs both in the HTML5 spec and separated out. This presentation will take you through demos and code behind the new JavaScript APIs, and explore where these features can be used
This document outlines the topics covered in a course on applied IT security and authentication/security protocols. The course covers network and operating system security, applied cryptography including public key infrastructures and encryption standards, software development security, and an overview of authentication protocols like SSL/TLS, IPSec, and those used in wireless technologies like Bluetooth. It discusses how various protocols provide security at the network, transport, and application layers and examines vulnerabilities of protocols like WEP and concerns regarding Bluetooth security.
Computer hardware devices include webcams, scanners, mice, speakers, trackballs, and light pens. Webcams connect via USB or network and are used for video calls and conferencing. Scanners optically scan images and documents into digital formats. Mice are pointing devices that detect motion to move a cursor. Speakers have internal amplifiers and audio jacks. Trackballs contain ball and sensors to detect rotation for cursor movement. Light pens allow pointing directly on CRT displays.
TEDx Manchester: AI & The Future of WorkVolker Hirsch
TEDx Manchester talk on artificial intelligence (AI) and how the ascent of AI and robotics impacts our future work environments.
The video of the talk is now also available here: https://youtu.be/dRw4d2Si8LA
This document discusses various techniques for improving web application security. It begins with an introduction and overview of the OWASP Top 10 security risks. It then provides more detailed explanations and recommendations for mitigating some of the top risks, including cross-site scripting, SQL injection, input validation, file uploads, direct object references, and session management issues. The document also discusses tools like Microsoft Enterprise Library and techniques like role providers, error handling, and encrypting sensitive information in the web.config file. Overall, the document provides practical advice on a wide range of security best practices for ASP.NET web applications.
This document discusses PHP5 built-in string filtering functions that can be used to sanitize user input and protect against injection attacks. It provides an overview of validation versus sanitization and describes functions like htmlspecialchars, strip_tags, mysql_real_escape_string, and filter_var that can be used to filter strings for different contexts like HTML, SQL, and system commands. It also covers PHP filter options and built-in is_* functions to check variable types.
Mugdha and Amish from OSSCube present on Php security at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
This document provides an overview of basic concepts in VB.NET, including variables, data types, constants, arrays, operators, flow control statements, and more. It defines variables as storage locations for values, and describes how to declare different data types like numeric, string, boolean, and object. Constants and enums are introduced as fixed values that cannot change. Arrays are defined as lists that allow storing multiple values of the same type. Common operators for arithmetic, comparison, logical operations and assignments are outlined. Decision making statements like If/Then and Select Case as well as looping constructs such as For, For Each, and Do loops are briefly explained.
The document discusses input validation and error handling in server-side web programming. It covers validating required fields, data types, formats, and more. It emphasizes preventing errors through clear instructions, default values, and tolerant validation. If errors occur, messages should provide specific guidance and errors should be displayed by the source to aid the user.
Respect\Validation is a PHP validation library that provides over 100 validation rules and fluent validation methods. It allows validating data using intuitive method chaining and provides custom validation messages. The library has over 175,000 installations via Composer and averages 13,000 new installations per month. It can be used to validate data from $_POST in several frameworks like Zend, Symfony, and Laravel. The library also supports custom validation rules, internationalization, and unit testing of rules.
This document discusses server-side form validation in PHP. It covers checking for empty fields, field lengths, value ranges, and formats using regular expressions. Specific PHP functions discussed include preg_match() for pattern matching, preg_replace() for search and replace, and ereg() as an alternative to preg_match() for POSIX regular expressions. Examples are provided to validate dates, names, numbers, lengths, and ranges to restrict user-submitted form data to required standards before processing.
In 2010, I told everyone how to start unit testing Zend Framework applications. In 2011, let’s take this a step further by testing services, work flows and performance. Looking to raise the bar on quality? Let this talk be the push you need to improve your Zend Framework projects.
Leveraging Scala Macros for Better ValidationTomer Gabel
A talk given at Scalapeño 2014 and JavaOne 2014 (video links to follow).
Data validation is a common enough problem that numerous attempts have been made to solve it elegantly. The de-facto solution in Java (JSR 303) has a number of shortcomings and fails to leverage the powerful Scala type system. The release of Scala 2.10.x introduced a couple of experimental metaprogramming features, namely reflection and macros. In this talk I'll introduce macros by way of a practical example: implementing a full-blown data validation engine, utilizing def macros and a Scala DSL to enable elegant validator definition syntax and call-site.
This document discusses validations and input formatting in applications. It summarizes:
1) Validations check that users enter data in the correct format and provide warning messages if invalid data is entered. Field-level validation checks individual fields while form-level validation checks entire forms.
2) The MaskedEdit control formats user input using a mask and prevents invalid characters. It is bound to data controls to display and update field values.
3) The Mask property of the MaskedEdit control uses placeholder characters to define the type of data that can be entered, such as numbers, letters, dates. These placeholders guide user input.
This document describes the Database Abstraction Layer (DBTNG) introduced in Drupal 7. DBTNG provides a unified API for database queries that works across different database backends like MySQL, PostgreSQL, and SQLite. It supports both static and dynamic queries. Static queries use placeholders and prepared statements for security, while dynamic queries are built programmatically using a query builder object. Methods are provided for SELECT, INSERT, UPDATE, DELETE, and MERGE queries. Transactions and reading from slave databases are also supported.
The document discusses the LINQ (Language Integrated Query) project in .NET, which allows querying of objects, relational data, and XML in a unified manner. LINQ introduces standard query operators and language features in C# 3.0 and VB 9.0 that enable querying of any .NET collection. It also discusses DLinq for querying relational databases and mapping results to objects, and XLinq for querying XML in a functional, element-centric manner.
This document provides an introduction and overview of the Java programming language. It discusses Java's features such as being simple, object-oriented, portable, platform independent, secured, robust, architecture neutral, interpreted, high performance, multithreaded, distributed, and dynamic. It also lists some common applications of Java like mobile app development, desktop GUI applications, web-based applications, gaming applications, big data technologies, distributed applications, cloud-based applications, IoT applications, enterprise applications, and scientific applications. The document then covers Java data types, control structures like if/else statements and loops, and arrays.
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...GeeksLab Odessa
5.12.15 QA Lab: тестирование программного обеспечения.
Upcoming events: goo.gl/I2gJ4H
Доклад о Play-Swagger, проекте с открытым исходным кодом, разрабатываемом в Zalando с использованием Scala и Play Framework. О том, как использование API First и Swagger позволяет ускорить процесс разработки, упростить взаимодействие команд и повысить качество продукта.
The document describes an email validation project created by five students. The project uses regular expressions and a finite state machine to check if an entered email address matches the standard syntax of a valid email address as defined in RFC 5322. It validates the local part, domain part, and that they are separated by an @ symbol. The code uses a regular expression pattern and Regex.Match method to test entered emails.
The document provides an overview of PHP security topics like input validation, SQL injection, cross-site scripting, code injection, and session security. It discusses the importance of validating all user inputs, escaping data when querying databases, using prepared statements to prevent SQL injection, and regenerating session IDs and validating browser signatures to secure sessions. Specific functions and techniques are presented for preventing vulnerabilities in each area.
API first with Swagger and Scala by Slava SchmidtJavaDayUA
How does one scale the development of a service landscape in a corporate enterprise environment utilizing Typesafe's Play and Akka software stack? How does one achieve API uniformity and coherence accross dozens of development teams, getting them and their subsequently developed subsystems to play together nicely? At Zalando we believe firmly in an API first approach, founded an API guild that ratifies and supports the development of APIs, and define them in a formal manner employing the Swagger API representation language.
This document provides an overview of PHP and MySQL. It discusses key PHP elements like variables, arrays, conditional statements, and loops. It also covers PHP statements, naming variables, outputting values, performing calculations, working with arrays, conditional logic, and loops. The document then discusses connecting to and querying MySQL databases, and how to insert, update, delete data. It also covers building forms, getting form input, and basic file input/output in PHP.
The document discusses strategies for defending against input injection attacks, including SQL injection. It recommends centralizing input validation and assuming all input is malicious. Specific strategies covered include constraining, rejecting, and sanitizing input through techniques like type checks, length checks, format checks, range checks, and whitelisting valid characters. It also discusses using validation controls and regular expressions for validation. The document recommends input validation libraries like ESAPI and using prepared statements with SQL parameters to prevent SQL injection.
The document contains information about HTML forms and form elements, including:
- Examples of form elements like <input>, <select>, <textarea>
- New form element types introduced in HTML5 like date, time, email
- Attributes for form elements like required, pattern, placeholder
- How to style forms and validate user input with CSS
- Using JavaScript with forms by binding to models
The 2023 Vulnerability Stats report as delivered to the IISF.
Covering: PTaaS, Pentesting, Vulnerabilty Managment, EPSS, CISA KEV, Risk, Attack Surface Management. Its based on delivering thousands of PTaaS and RBVM assessments throughout 2022. Why tools and traditional pentesting has failed.
1. Edgescan uses automated validation and analytics to determine if vulnerabilities discovered during scans are true or false positives, automatically publishing issues with over 90% confidence.
2. Vulnerabilities with lower confidence scores or that are high severity undergo expert validation by seasoned penetration testers to further validate findings.
3. This two-step validation process helps ensure Edgescan only delivers accurate vulnerability intelligence to clients.
Does a Hybrid model for vulnerability Management Make Sense.pdfEoin Keary
Combining automation for scale and human expertise for depth. Leveraging thousands of datapoints and cyber analytics to verify security vulnerabilities. Why automation alone does not work because our enemies are humans. Automation does not have the skills to exploit business logic risks. Context is queen when it comes to risk bases priortization.
Vulnerability stats, full stack cyber issues.
Vulnerability management, threat analysis and attack surface management. Exposures, MTTR and cyber risk management.
Bested in the assessment of thousands of systems globally on a continuous basis.
A deck discussing the the findings from the Edgescan 2021 Vulnerability Stats Report. A full stack view of the vulnerabilities discovered in 2020 based on thousands of assessments. Host, network and application layer security metrics -Full stack
This document discusses the failure of traditional vulnerability management and proposes a more effective approach. It argues that vulnerability management needs to be continuous, accurate, integrated across the full technology stack, and augmented with human expertise. Traditional approaches relying solely on automated scans are not keeping pace with rapid technology changes and the sophisticated techniques used by attackers. An effective vulnerability management program requires continuous visibility, automated patching of known issues, secure development practices, and vigilance in detecting new vulnerabilities through a combination of tools and human review.
The 2018 Vulnerability Stats report covering off a fullstack review of cyber security across 1000's of web applictions, end-points and cloud based systems globally.
Full stack vulnerability management at scaleEoin Keary
- Full-stack vulnerability management is needed to address security risks across applications, servers, databases, services, and operating systems. Automation is key to assessing security at scale across the full technology stack.
- While automation can detect many technical vulnerabilities, it cannot assess logical vulnerabilities involving business logic, authorization, or compliance issues that require human judgment and context.
- Continuous vulnerability management is needed to keep pace with today's agile development cycles and constantly changing environments, focusing on changes since the last assessment to prioritize remediation.
Vulnerability Intelligence - Standing Still in a world full of changeEoin Keary
The document discusses effective and scalable fullstack vulnerability management. It describes managing thousands of systems globally through continuous assessment and false-positive free vulnerability scanning of web applications, APIs, hosts, and full IT stacks. Recent major data breaches are listed, demonstrating the real threat of cybercrime. The majority of critical and high risks are found in web application layers. Attack vectors include malware, phishing, hacking, and nation state cyber espionage. An agile risk model is advocated to keep pace with frequent code changes and deployment of new systems and services. Integration with security tools like SIEM, firewalls, and bug trackers provides intelligence and visibility.
The document provides statistics and analysis from edgescan's 2018 vulnerability report. Some key findings include:
- 19% of vulnerabilities were in web applications and APIs, while 81% were in network infrastructure. Application layer vulnerabilities posed higher risks.
- Internal systems had higher rates of high/critical risks (24.9% for applications) than internet-facing systems.
- Common web application vulnerabilities included XSS, SQL injection, and vulnerable components. For infrastructure, TLS/SSL issues and SMB vulnerabilities were most prevalent.
- Unsupported Windows 2003 systems and vulnerabilities like EternalBlue accounted for a large portion of risks found.
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
Attack surface management and visibility is key to maintaining a robust cyber security posture. Continuous assessment, accuracy and scale are key to enterprise security.
Discussion on how to deliver vulnerability management at scale.
Why Fullstack vulnerability management is important and silos of security are an issue. The pitfalls when delivering 1000's of assessments on a continuous basis. How edgescan delivers vulnerability intelligence.
Web security – everything we know is wrong cloud versionEoin Keary
This document summarizes a presentation on web security given by Eoin Keary. The key points made are:
1) Traditional penetration testing is not sufficient for continuous security and the arms race with attackers. Continuous monitoring and testing is needed.
2) Many vulnerabilities come from third party code and dependencies that are not adequately tested or managed.
3) It is difficult for organizations to manage vulnerabilities at scale across many applications without enterprise vulnerability management.
4) Too many reported vulnerabilities can overwhelm developers, so prioritization and explaining issues simply is important.
Why continuous assessment is required. How to keep pace with development and secure constant change. Vulnerability statistics across the fullstack. What are the most common security issues in the web application and host layer.
Talk in Switzerland at European Broadcasting Union cyber security event - Feb 2017.
Discussing some core aspects of secure application development, technical security controls and secure systems development lifecycle....
Vulnerability management and threat detection by the numbersEoin Keary
1. There are many approaches to application security testing like DAST, SAST, IAST, but an attacker only needs to find one vulnerability.
2. Both vulnerabilities in code and inaccuracies in security assessments pose potential risks.
3. Most application code uses open source frameworks, but many organizations do not monitor for vulnerabilities in these components or have open source policies.
4. While automation can help scale security assessments, factors like context, accuracy, and technical constraints make fully scaling security challenging.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
2. Where are we going?
Don’t ever trust user input
Where possible, use whitelist validation
Perform input validation at earliest possible stage
Layers of defense
Use in-built validator routines
3. Data Validation
Input that is not directly entered by the user is typically less prone to
validation
Attacks discussed in this section apply to external input from any client-side
source
Standard form input control
Read-only HTML form controls (drop down lists, radio buttons,
hidden fields, etc)
HTTP Cookie Values
HTTP Headers
Embedded URL parameters (e.g., in the GET request)
4. Data Validation
Known Bad
Known Good
Exact
Match
Data Validation is
typically done using
one of three basic
approaches
All input must be properly
validated on the server
(not the client) to ensure
that malicious data is not
accepted and processed
by the application
5. Data is validated against a list of explicit known values
Application footprint or “application attack surface” defined
Provides the strongest level of protection against malicious data
Often not feasible when a large number of possible good values are
expected
May require code modification any time input values are changed or
updated
Exact Match Validation
Example: Acceptable input is yes or no
if ($input eq“yes” or $input eq “no”)
6. Exact Match Validation Example
Validates the variable gender against 2 known values (.NET)
static bool validateGender(String gender)
{
if (gender.equals(“Female“))
return true;
else if (gender.equals(“Male“))
return true;
else
return false; //attack SOUND THE ALARM! BEEP BEEP!
}
7. Exact Match Validation Example
Validates the variable gender against 2 known values (Java)
static boolean validateGender (String
gender) {
if (gender.equals (“Female“))
return true;
else if (gender.equals (“Male“))
return true;
else
return false; //attack
}
8. Known Good Validation
Often called "white list" validation
Data is validated against a list of allowable characters and patterns
Typically implemented using regular expressions to match known good data patterns
Data type cast/convert functions can be used to verify data conforms to a certain
data type (i.e. Int32)
Expected input character values must be clearly defined for each input variable
Care must be taken if complex regular expressions are used
A common mistake is to forget to anchor the expression with ^ and $
9. Regular Expression Syntax
Symbol Match
^ Beginning of input string
$ End of input string
* Zero or more occurrences of previous character, short for {0,}
+ One or more occurrences of previous character, short for {1,}
? Zero or one occurrences of previous character, short for {0,1}
{n,m} At least n and at most m occurrences of previous character
. Any single character, except ‘n’
[xyz] A character set (i.e. any one of the enclosed characters)
[^xyz] A negative character set (i.e. any character except the enclosed)
[a-z] A range of characters
10. Regular Expression Syntax - shortcuts
Symbol Match
d Any digit, short for [0-9]
D A non-digit, short for [^0-9]
s A whitespace character, short for [ tnx0brf]
S A non-whitespace character, for short for [^s]
w A word character, short for [a-zA-Z_0-9]
W A non-word character [^w]
S+ Several non-whitespace characters
11. Example 1
Validating SSN entry
if ($input=~/^[0-9]{9}$/)
Example 2
Validating entry of a last name
if ($input=~/^[A-Za-z][-.'0-9A-Za-z]{1,256}$/)
Example 3
Validating SSN entry (Short cut)
if ($input=~/^d{9}$/)
Examples 123-56-3454
12. Regular Expressions - Templates
Field Expression Format Samples Description
Name ^[a-zA-Z-'s]{1,40}$ John Doe Validates a name. Allows up to 40 uppercase and lowercase characters and a few special
characters that are common to some names. You can modify this list.
Social Security
Number
^d{3}-d{2}-d{4}$ 111-11-1111 Validates the format, type, and length of the supplied input field. The input must consist of 3
numeric characters followed by a dash, then 2 numeric characters followed by a dash, and
then 4 numeric characters.
Phone Number ^[01]?[- .]?(([2-9]d{2})|[2-
9]d{2})[- .]?d{3}[- .]?d{4}$
(425) 555-0123 Validates a U.S. phone number. It must consist of 3 numeric characters, optionally enclosed in
parentheses, followed by a set of 3 numeric characters and then a set of 4 numeric
characters.
E-mail ^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-
]+@[a-zA-Z0-9-]+(?:.[a-zA-Z0-9-
]+)*$
someone@exampl
e.com
Validates an e-mail address. (per the HTML5 specification
http://www.w3.org/TR/html5/forms.html#valid-e-mail-address).
URL ^(ht|f)tp(s?)://[0-9a-zA-Z]([-
.w]*[0-9a-zA-Z])*(:(0-
9)*)*(/?)([a-zA-Z0-9-
.?,'/+&%$#_]*)?$
http://www.micros
oft.com
Validates a URL
ZIP Code ^(d{5}-d{4}|d{5}|d{9})$|^([a-
zA-Z]d[a-zA-Z] d[a-zA-Z]d)$
12345 Validates a U.S. ZIP Code. The code must consist of 5 or 9 numeric characters.
Password (?!^[0-9]*$)(?!^[a-zA-Z]*$)^([a-
zA-Z0-9]{8,10})$
Validates a strong password. It must be between 8 and 10 characters, contain at least one
digit and one alphabetic character, and must not contain special characters.
Non- negative
integer
^d+$ 0 Validates that the field contains an integer greater than zero.
Currency (non-
negative)
^d+(.dd)?$ 1 Validates a positive currency amount. If there is a decimal point, it requires 2 numeric
characters after the decimal point. For example, 3.00 is valid but 3.1 is not.
Currency
(positive or
negative)
^(-)?d+(.dd)?$ 1.2 Validates for a positive or negative currency amount. If there is a decimal point, it requires 2
numeric characters after the decimal point.
13. Regular Expressions
Regular Expressions is a term used to refer to a pattern-matching technology
for processing text
Although there is no standards body governing the regular expression
language, Perl 5, by virtue of its popularity, has set the standard for regular
expression syntax
A Regular Expression itself is a string that represents a pattern, encoded
using the regular expression language and syntax
15. Data Validation Techniques
Validates against a regular expression representing the proper expected data format
(10 alphanumeric characters) (.NET)
using System.Text.RegularExpressions;
static bool validateUserFormat(String userName) {
bool isValid = false; //Fail by default
// Verify that the UserName is 1-10 character alphanumeric
isValid = Regex.IsMatch(userName, @"^[A-Za-z0-9]{10}$");
return isValid;
}
16. Regular Expressions - assertions
Assert a string is 8 or more characters:
(?=.{8,})
Assert a string contains at least 1 lowercase letter (zero or more characters followed by
a lowercase character):
(?=.*[a-z])
Assert a string contains at least 1 uppercase letter (zero or more characters followed by
an uppercase character):
(?=.*[A-Z])
Assert a string contains at least 1 digit:
(?=.*[d])
So if you want to match a string at least 6 characters long, with at least one lower case
and at least one uppercase letter you could use something like:
^.*(?=.{6,})(?=.*[a-z])(?=.*[A-Z]).*$
17. Known Good Validation Example
Validates against a regular expression representing the proper expected data
format (10 alphanumeric characters) (Java)
import java.util.regex.*;
static boolean validateUserFormat(String userName){
boolean isValid = false; //Fail by default
try{
// Verify that the UserName is 10 character alphanumeric
if (Pattern.matches(“^[A-Za-z0-9]{10}$”, userName))
isValid=true;
} catch(PatternSyntaxException e) {
System.out.println(e.getDescription());
}
return isValid;
}
18. Known Good Example
$validator = new Zend_Validate_Alnum();
if ($validator->isValid('Abcd12')) {
// value contains only allowed chars
} else {
// false
}
19. Known Good Example - Chains
// Create a validator chain and add validators to it
$validatorChain = new Zend_Validate();
$validatorChain->addValidator(
new Zend_Validate_StringLength(array('min' => 6, 'max' => 12)))
->addValidator(new Zend_Validate_Alnum());
// Validate the username
if ($validatorChain->isValid($username)) {
// username passed validation
} else {
// username failed validation; print reasons or whatever…..
foreach ($validatorChain->getMessages() as $message) {
echo "$messagen";
}
20. Often called "BlackList" validation
Data is validated against a list of characters that are deemed to be dangerous
or unacceptable
Useful for preventing specific characters from being accepted by the
application
Provides the weakest method of validation against malicious data
Susceptible to bypass using various forms of character encoding
Known Bad Validation
Example: Validating entry into generic text field
if ($input !~/[rtn><();+&%’”*|]/)
21. Known Bad Validation Example
Validates against a regular expression of known bad input strings (.Net)
using System.Text.RegularExpressions;
static boolean checkMessage(string messageText){
bool isValid = false; //Fail by default
// Verify input doesn’t contain any < , >
isValid = !Regex.IsMatch(messageText, @"[><]");
return isValid;
}
22. Known Bad Validation Example
Validates against a regular expression of known bad input strings (Java)
import java.util.regex.*;
static boolean checkMessage (string messageText) {
boolean isValid = false; //Fail by default
try {
Pattern P = Pattern.compile (“<|>”,
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE);
Matcher M = p.matcher(messageText);
if (!M.find())
isValid = true;
} catch(Exception e) {
System.out.println(e.toString());
}
return isValid;
}
23. Bounds Checking
All external input must
also be properly validated
to ensure that excessively
large input is rejected
Length checking: A maximum length check should be
performed on all incoming application data.
Careful about name length! Lokelani
Keihanaikukauakahihuliheekahaunaele is a real
person!
Input that exceeds the
appropriate length or size
limits must be rejected
and not processed by the
application
Size checking: A maximum size check should be
performed on all incoming data files
24. The following code reads a String from a file.
Because it uses the readLine() method, it will read an unbounded amount of input until
a <newline> (n) charter is read.
InputStream Input = inputfileFile.getInputStream(Entry);
Reader inpReader = new InputStreamReader(Input);
BufferedReader br = new BufferedReader(inpReader);
String line = br.readLine();
This could be taken advantage of and cause an OutOfMemoryException or to consume a
large amount of memory which shall affect performance and initiate costly garbage
collection routines.
Bounds Checking – Example
Unbounded Reading of a file
26. Bounds checking – File size
$upload = new Zend_File_Transfer();
// Limit the size of all files to be uploaded to 40000 bytes
$upload->addValidator('FilesSize', false, 40000);
// Limit the size of all files to be uploaded to maximum 4MB and mimimum 10kB
$upload->addValidator('FilesSize', false, array('min' => '10kB', 'max' => '4MB'));
27. .NET Validator Controls:
RequiredFieldValidator, CompareValidator, RangeValidator,
RegularExpressionValidator, CustomValidator, ValidateRequest
Jakarta Commons Validator:
required, mask, range, maxLength, minLength, datatype, date,
creditCard, email, regularExpression
Native Validation Controls
Many development platforms have native validator controls, such as Jakarta and .NET
28. Escaping vs. Rejecting
When validating data, one can either reject data failing to meet validation
requirements or attempt to “clean” or escape dangerous characters
Failed validation attempts should always reject the data to minimise the risk
that sanitisation routines will be ineffective or can be bypassed
Error messages displayed when rejecting data should specify the proper
format for the user to enter appropriate data
Error messages should not redisplay the input the user has entered
29. The Problem with Escaping
--- Snip ---
page_template = request.queryString("page")
replace(page_template , "/", "")
replace(page_template, "..", "")
getFile(page_template)
--- End Snip ---
http://www.example.com/content/default.jsp?page=info.htm
Page_template = info.htm <- First Pass
Page_template = info.htm <- Second Pass
http://www.example.com/content/default.jsp?page=../web.xml
Page_template = .. web.xml <- First Pass
Page_template = web.xml <- Second Pass
http://www.example.com/content/default.jsp?page=....//web.xml
Page_template = ....web.xml <- First Pass
Page_template = ..web.xml <- Second Pass
30. Input Based Attacks
Malicious user input can be used to launch a variety of attacks against an application. These
attacks include, but are not limited to:
Parameter
Manipulation
Cookie poisoning
Hidden field manipulation
Content
injection
SQL
HTTP Response Splitting
Operating system calls
Command insertion
XPath
Cross site
scripting
…
Buffer
overflows
Format string attacks
31. Parameter Manipulation
Applications typically pass parameters that determine what the user can do
or see
Unauthorised access to application data can be obtained by manipulating
parameter values, if record-level authorisation checks are not performed
within the application code
Many applications tend to pass sensitive parameters back and forth rather
than using server session variables to store the information
Very common to see this in
HTTP cookies
“hidden” HTML form fields
32. Parameter Manipulation
Database record index numbers are often passed as page parameters to
view a specific record
If there is a relatively small range of possible index values, sequential
parameter values can by cycled to view other records
Even-non sequential indexing can be attacked within a small range of
potential values
Manipulating parameter values can be trivial when other obvious valid
Values exist:
Username=joe (change to username=mary)
Privilege=user (change to privilege=admin)
Price=100.00 (change to price=1.00)
33. Testing for Parameter Manipulation
Identify areas in the application where records appear to be displayed based
on input parameters
Attempt to access records using other known valid parameter values
For parameter values that seem to fall within a variable range, cycle through
the range to search for other valid records
Identify all data being passed in hidden fields. Attempt to determine:
What the data is being used for
Whether use of a hidden field seems appropriate
34. Defenses Against Parameter
Manipulation
Data that should not be altered should never be passed to the client
Always perform validation on the server
Use the most restrictive input validation method possible
Use Exact Match Validation to verify that parameters values are
appropriate for the specific transaction or user’s permission level
In situations where a query or hash table lookup is required, Known Good
Validation should be used to validate the parameter before performing
the lookup
Retrieve the information from the client once, validate it and keep it on the
server associated with that user’s session
35. Summary
Don’t ever trust user input
Where possible, use whitelist validation
Perform input validation at earliest possible stage
Layers of defense
Use in-built validator routines
Editor's Notes
1
^ (Caret) Matches at the start of the string the regex pattern is applied to.
$ (dollar) Matches at the end of the string the regex pattern is applied to.
Set up a mask for certain types of fields
It’s very difficult to list all known bad input – harder to protect against potential future problems.
Strings – especially in C-based applications
Numbers – negative numbers may have unintended consequences
.NET Web.config<httpRuntime maxRequestLength="2048" />
C#
if (Upload.PostedFile.ContentLength < 1048576){…
J2EE: struts-config.xml:
<controller maxFileSize="2M" />