This document discusses data validation concepts and best practices. It covers four core concepts: 1) whitelisting and blacklisting known good/bad values, 2) validating data length and format, 3) validating data before use in SQL, eval functions, or writing to buffers, and 4) encoding output to prevent XSS. Real world examples demonstrate how failing to validate data can enable SQL injection, XSS attacks, buffer overflows, and more. The document advocates restricting input length, whitelisting valid characters, encoding output, and using safe functions like strncpy() to avoid security issues.
Codemotion 2013: Feliz 15 aniversario, SQL InjectionChema Alonso
Charla de Chema Alonso sobre la historia y evolución de las técnicas de SQL Injection en el evento Codemotion ES del año 2013 que tuvo lugar en la Escuela Universitaria de Informática de la Universidad Politécnica de Madrid
Codemotion 2013: Feliz 15 aniversario, SQL InjectionChema Alonso
Charla de Chema Alonso sobre la historia y evolución de las técnicas de SQL Injection en el evento Codemotion ES del año 2013 que tuvo lugar en la Escuela Universitaria de Informática de la Universidad Politécnica de Madrid
MySQL security is critical to ensure data security. Destruction, falsification or simply unwanted publication are the most serious threat that wait in the dark the first faux-pas of any administrator. During this session, we'll review the common vulnerabilities, the intrusion techniques, MySQL security features, and configurations.
Asegúr@IT IV - Remote File DownloadingChema Alonso
Charla impartida por Chema Alonso (Informática64) el 27 de Octubre de 2008 en Getafe (Madrid) dentro de la conferencia Asegúr@IT IV sobre como descargar ficheros usando Blind SQL injection techniques.
Artem Storozhuk "Building SQL firewall: insights from developers"Fwdays
This talk is about how SQL firewalls can help to protect databases from SQL injections: the main difference from WAFs, pros and cons, and common usage scenarios. Developing SQL firewall is a hard task – we will share insights about parsing SQL protocols, matching rules, best of configuration and usage patterns.
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...GeeksLab Odessa
Web Security: Cookies, Domains and CORS
Юрий Чайковский
О предложенном еще в 1995 году и актуальным до сегодняшнего дня принципе одинакового источника (Same-origin policy) и о применении и ограничениях при междоменных запросах. Пример CSRF атак, а также правила конфигурации сервера для защиты от них. О последних нововведениях, касающихся контроля происхождения контента для предотвращения XSS атак. Кроме того:
- Принцип одинакового источника.
- Использование междоменных запросов.
- CSRF атаки (с демонстрацией).
- Классификация браузерных запросов.
- Ограничения междоменных запросов.
- Серверный контроль доступа.
- Особенности Internet Explorer 8, 9.
- Принцип безопасности контента (CSP).
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
Beyond PHP - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just writing PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
透過簡單的攻擊範例,說明四種常見的 SQL Injection (Union Based Injection、Error Based Injection、Boolean Based Blind Injection、Time Based Blind Injection),並介紹一款常用的工具 sqlmap。
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
MongoDB.local DC 2018: Tips and Tricks for Avoiding Common Query PitfallsMongoDB
Query performance can either be a constant headache or the unsung hero of an application. MongoDB provides extremely powerful querying capabilities when used properly. As a member of the solutions architecture team, I will share common mistakes observed as well as tips and tricks to avoiding them.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
Caution: This is a dated presentation; uploaded for reference. While the principles remain valid, specifics may have changed.
This presentation was made for software developers in Chandigarh - as a part of the NULL & OWASP Chandigarh Chapter activities.
It covers the basics of secure software development and secure coding using OWASP Top 10 as a broad guide.
MySQL security is critical to ensure data security. Destruction, falsification or simply unwanted publication are the most serious threat that wait in the dark the first faux-pas of any administrator. During this session, we'll review the common vulnerabilities, the intrusion techniques, MySQL security features, and configurations.
Asegúr@IT IV - Remote File DownloadingChema Alonso
Charla impartida por Chema Alonso (Informática64) el 27 de Octubre de 2008 en Getafe (Madrid) dentro de la conferencia Asegúr@IT IV sobre como descargar ficheros usando Blind SQL injection techniques.
Artem Storozhuk "Building SQL firewall: insights from developers"Fwdays
This talk is about how SQL firewalls can help to protect databases from SQL injections: the main difference from WAFs, pros and cons, and common usage scenarios. Developing SQL firewall is a hard task – we will share insights about parsing SQL protocols, matching rules, best of configuration and usage patterns.
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...GeeksLab Odessa
Web Security: Cookies, Domains and CORS
Юрий Чайковский
О предложенном еще в 1995 году и актуальным до сегодняшнего дня принципе одинакового источника (Same-origin policy) и о применении и ограничениях при междоменных запросах. Пример CSRF атак, а также правила конфигурации сервера для защиты от них. О последних нововведениях, касающихся контроля происхождения контента для предотвращения XSS атак. Кроме того:
- Принцип одинакового источника.
- Использование междоменных запросов.
- CSRF атаки (с демонстрацией).
- Классификация браузерных запросов.
- Ограничения междоменных запросов.
- Серверный контроль доступа.
- Особенности Internet Explorer 8, 9.
- Принцип безопасности контента (CSP).
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
Beyond PHP - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just writing PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
透過簡單的攻擊範例,說明四種常見的 SQL Injection (Union Based Injection、Error Based Injection、Boolean Based Blind Injection、Time Based Blind Injection),並介紹一款常用的工具 sqlmap。
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
MongoDB.local DC 2018: Tips and Tricks for Avoiding Common Query PitfallsMongoDB
Query performance can either be a constant headache or the unsung hero of an application. MongoDB provides extremely powerful querying capabilities when used properly. As a member of the solutions architecture team, I will share common mistakes observed as well as tips and tricks to avoiding them.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
Caution: This is a dated presentation; uploaded for reference. While the principles remain valid, specifics may have changed.
This presentation was made for software developers in Chandigarh - as a part of the NULL & OWASP Chandigarh Chapter activities.
It covers the basics of secure software development and secure coding using OWASP Top 10 as a broad guide.
Mugdha and Amish from OSSCube present on Php security at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
MySQL is an ubiquitous open source database but do you know how make it secure? This talk is from the 2022 Texas Cyber Summit on how to do just that. Make sure you data and database are secure.
The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities.
One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems. I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest (=attack) painful, or just rendered the scenarios irrelevant.
The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities.
One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems.
I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest
(=attack) painful, or just rendered the scenarios irrelevant.
10 Rules for Safer Code [Odoo Experience 2016]Olivier Dony
In this talk, we will cover the top 10 development mistakes that lead to security issues. Olivier Dony will go through all the security issues we have had over the past 3 years and give tips on how to avoid the traps for safer Odoo code.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.
Similar to 07 application security fundamentals - part 2 - security mechanisms - data validation (20)
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. Data Validation Core Concepts
Given that the client can bypass any client-side controls, all data
collected from the client must be considered suspect.
1. Known Good Exact Match (Whitelisting)
2. Known Good Characters (Whitelisting)
3. Known Bad Characters (Blacklisting)
4. Known Bad Exact Match (Blacklisting)
Is the data of a proper length and well formed for what was
expected by the application?
3. Data Validation Words to Live By
Validate data before use in SQL Commands
Validate data before sending back to the client
Validate data before use in ‘eval’ or system commands
Validate all data lengths before writing to buffers
4. Data Validation Words to Live By: #1
The problem
– The software constructs all or part of an SQL command using
externally-influenced input from an upstream component, but it does
not neutralize or incorrectly neutralizes special elements that could
modify the intended SQL command when it is sent to a downstream
component.
Validate data before use in SQL Commands
5. Adam'--
SELECT * FROM users WHERE username = 'Adam'--' AND password = ''
1 string strUser = request.getParameter("user");
2 string strPwd = request.getParameter("password");
3
4 string strQuery = "SELECT * FROM users
5 WHERE username = '" + strUser + "'
6 AND password = '" + strPwd + "'";
7
8 ExecuteQuery( strQuery, db_connection );
6. a' OR 1=1--
SELECT * FROM items WHERE username = 'a' OR 1=1--' AND password = ''
1 string strUser = request.getParameter("user");
2 string strPwd = request.getParameter("password");
3
4 string strQuery = "SELECT * FROM users
5 WHERE username = '" + strUser + "'
6 AND password = '" + strPwd + "'";
7
8 ExecuteQuery( strQuery, db_connection );
7. a'; DELETE FROM username; SELECT * FROM items WHERE 'a'='a
SELECT * FROM username WHERE user = 'a';
DELETE FROM username;
SELECT * FROM username WHERE 'a'='a' AND password = ''
1 string strUser = request.getParameter("user");
2 string strPwd = request.getParameter("password");
3
4 string strQuery = "SELECT * FROM users
5 WHERE username = '" + strUser + "'
6 AND password = '" + strPwd + "'";
7
8 ExecuteQuery( strQuery, db_connection );
8. '; EXEC master..xp_cmdshell 'dir' --
SELECT * FROM username WHERE user = '';
EXEC master..xp_cmdshell 'dir' --' AND password = ''
1 string strUser = request.getParameter("user");
2 string strPwd = request.getParameter("password");
3
4 string strQuery = "SELECT * FROM users
5 WHERE username = '" + strUser + "'
6 AND password = '" + strPwd + "'";
7
8 ExecuteQuery( strQuery, db_connection );
9. Real World – HBGary Federal vs. Anonymous
Bright, P. (2011, February 15). Anonymous speaks: The inside story of the HBGary hack. Retrieved February 16, 2011, from
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/
Image: From Wikimedia Commons – Image taken by Vincent Diamante, February 10, 2008. Retrieved September 20, 2011
from https://secure.wikimedia.org/wikipedia/commons/wiki/File:Anonymous_at_Scientology_in_Los_Angeles.jpg
10. Secure Coding …
Restrict length (username doesn't need to be 100 chars long)
Whitelist characters (only allow a-z and A-Z for username)
Use prepared statements
1 string strUser = request.getParameter("user");
2 if(strUser.length > 100) error();
3 if(strUser.matches("^[a-zA-Z]+$") == false) error();
4
5 string strQuery = "SELECT * FROM users
6 WHERE username = ?
7 AND password = ?";
8
9 PreparedStatement stmnt = null;
10 stmnt = db_connection.prepareStatment(strQuery);
11 stmnt.setString(1,strUser);
12 stmnt.setString(2,strPwd);
13 stmnt.execute();
11. Data Validation Words to Live By: #2
The problem
– The software does not neutralize or incorrectly neutralizes user-
controllable input before it is placed in output that is used as a web
page that is served to other users.
Validate data before sending back to the client
12. XSS (Cross Site Scripting) Flow
server
Attacker
User
Persistent XSS
create malicious site
malicious post
Reflected XSS
vulnerable site
1
2
- wait for user to visit site
- send phishing email
3
- browse to site
- clicks on link
4
attacker's code sent
to user and run in
their browser
17. Real World – Google's URL Redirection
In 2005, Watchfire reported the following XSS issue with Google …
The script http://www.google.com/url?q= was used for redirecting the browser from
Google's website to other sites. When the parameter q was passed to the script in an illegal
format, a "403 Forbidden" page was returned to the user, informing them that the query was
illegal. The parameter's value appeared in the html returned to the user.
For example, if http://www.google.com/url?q=EVIL_INPUT was requested, the text in the "403
Forbidden" response would have been: - "Your client does not have permission to get URL
/url?q=EVIL_INPUT from this server."
While Google escaped common characters used for XSS, such angle brackets and
apostrophes, it failed to handle hazardous UTF-7 encoded payloads. Therefore, when sending
an XSS attack payload encoded in UTF-7, the payload would return in the response without
being altered.
<?php
header('Content-Type: text/html; charset=UTF-7');
$string = "<script>alert('XSS');</script>";
$string = mb_convert_encoding($string, 'UTF-7');
echo htmlentities($string, ENT_QUOTES, 'UTF-8');
?>
18. Data Validation Words to Live By: #3
The problem
– The software receives input from an upstream component, but it
does not neutralize or incorrectly neutralizes code syntax before
using the input in a dynamic evaluation call (e.g. "eval").
Validate data before use in ‘eval’ or system commands
19. -lad
/bin/ls -lad
1 my $options = readSocket($sock);
2 my $command = "/bin/ls " . $options;
3 system($command);
21. Real World Example – TWiki Exploit
The search parameter of the website was being placed into an eval function,
allowing remote users to fully exploit the server
22. Secure Coding …
Restrict length (option doesn't need to be 100 chars long)
Whitelist (only allow specific commands)
1 my $options = <STDIN>;
2 if length($options) > 100
3 {
4 error();
5 }
6 if ($options =~ m/^[a-zA-Z- ]+$/)
7 {
8 my $command = "/bin/ls " . $options;
9 system($command);
10 }
23. Data Validation Words to Live By: #4
The problem
– The program copies an input buffer to an output buffer without
verifying that the size of the input buffer is less than the size of the
output buffer, leading to a buffer overflow.
Validate all data lengths before writing to buffers
24. Hello
1 char c[12];
2 char *bar;
3 printf("Please enter your name and press <Enter>n");
4 get bar;
5 strcpy(c, bar);
27. Secure Coding …
Use "safe" functions (e.g., strncpy() )
Validate maximum and minimum size values
Verify that calculations result in valid ranges
Validate length of input strings (plus NULL terminator!)
Consider compiler switches that reduce danger of buffer
overflows
Whitelist when possible
Assume all input is malicious.