In this talk, we will cover the top 10 development mistakes that lead to security issues. Olivier Dony will go through all the security issues we have had over the past 3 years and give tips on how to avoid the traps for safer Odoo code.
Odoo Experience 2018 - How to Break Odoo Security (or how to prevent it), by ElínAnna Jónasdóttir
Odoo's security model uses multi-level access controls to restrict data access through groups, access control lists (ACLs), and rules at both the model and field level. Common vulnerabilities include injection, improper access controls, information leaks, and cross-site scripting. To break Odoo's security, one would try to exploit vulnerabilities like SQL injection, accessing data without proper permissions, or leaking sensitive information through unsafe domain combinations.
This slide describes the various components of an Odoo module. It discusses controllers, data, docs, translations, reports, security, static files and folders, unit tests, views, and wizards.
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
This presentation explains how to discover this vulnerability in an application, how to test for it, and how to mitigate the risk.
How To Break Odoo's Security [Odoo Experience 2018], by Olivier Dony
Recent years have seen a steady increase in the digital threats faced by businesses, small and large alike. The security of business and personal data becomes more and more important every day, and the arrival of new regulation such as GDPR adds legal burden to the existing business risk.
XSS, CSRF, SQL injection, broken authentication, data leak, and so on. All kinds of security problems happen every day, even to the biggest companies. We can't stop that, but we can at least prepare for it, by carefully considering the risks, and integrating best practices into daily coding tasks.
Before trying to break it, the talk will first describe the Odoo Security Model, with a quick recap of the key features built into the framework to help developers design secure Apps.
Then we'll explore a few real-life coding examples. We'll show how the security features are used in practice, and how they can be defeated if the developers are not careful, compromising the whole security of the system. Analyzing these examples will give substance and context to the security primitives, and help new and experienced developers integrate best practices into their development workflow.
This document discusses cross-site scripting (XSS) attacks and techniques for bypassing web application firewalls (WAFs) that aim to prevent XSS. It explains how XSS payloads can be embedded in XML, GIF images, and clipboard data to exploit browser parsing behaviors. The document also provides examples of encoding payloads in complex ways like JS-F**K to evade WAF signature rules.
1. The document discusses tools and techniques for solving performance issues in Python and PostgreSQL systems, including profiling Python code, logging PostgreSQL queries, and optimizing parallel query processing.
2. Key recommendations include reproducing performance issues in a reliable, isolated and repeatable way, and using load testing to prevent issues.
3. Analyzing tools like pg_activity and optimizing settings like max_worker_processes and max_parallel_workers can help improve query speed at the cost of higher CPU usage.
The document provides an overview of a presentation on pentesting REST APIs. The presentation will cover basic theory, personal experience, methodology, tools used, test beds, example vulnerabilities, common findings, and include hands-on demos. The presentation will discuss both SOAP and REST APIs, pentesting approaches, tools like Postman and Burp Suite, example test beds like Hackazon and Mutillidae, and common API vulnerabilities like information disclosure, IDOR, and token issues.
The document describes four different CPU scheduling algorithms: First Come First Serve (FCFS), Shortest Job First (preemptive and non-preemptive), Priority scheduling (non-preemptive), and Round Robin. For each algorithm, pseudocode is provided to simulate the scheduling of processes and calculate metrics like waiting time and turnaround time. The FCFS algorithm calculates these metrics in a straightforward manner based on arrival time and burst time of each process. Shortest Job First simulates sorting processes by burst time and calculating wait times and turnaround times accordingly. Priority scheduling first sorts by priority then calculates metrics. Round Robin simulates time slicing by allocating a time quantum to each process in turn.
The document provides best practices for handling performance issues in an Odoo deployment. It recommends gathering deployment information, such as hardware specs, number of machines, and integration with web services. It also suggests monitoring tools to analyze system performance and important log details like CPU time, memory limits, and request processing times. The document further discusses optimizing PostgreSQL settings, using tools like pg_activity, pg_stat_statements, and pgbadger to analyze database queries and performance. It emphasizes reproducing issues, profiling code with tools like the Odoo profiler, and fixing problems in an iterative process.
The document discusses the design of a new Sylius API. It began development in 2020 and has covered 100% of shop endpoints and 70% of all endpoints. Various options were considered for API design decisions like versioning, calculating dynamic fields, and handling admin vs shop resources. Architecture decision records were used to document choices. Based on lessons learned, REST was found to be better than GraphQL by default, and calculated data is best handled with read models rather than on entities. UI mockups should not dictate API design, and custom operations are best modeled with new resource endpoints.
This document discusses methods for bypassing file upload restrictions on websites, including modifying HTTP headers, embedding malicious code in image files, and using NULL bytes in filenames. It demonstrates how these techniques can allow uploading PHP shells or other code to gain remote command execution or full server control. The document recommends upload logs and secure coding as better security practices than trying to implement perfect input filtering, which is complicated and can still be bypassed.
Top 1000 Java Interview Questions Includes Spring, Hibernate, Microservices, ..., by Ankit Kumar
This document provides an overview and table of contents for a book titled "Top 1000 Java Interview Questions & Answers" by Knowledge Powerhouse. It includes the copyright information, a dedication, and lists chapter titles covering topics like Java basics, OOP principles, inheritance, static methods, method overloading and overriding, polymorphism, abstraction, final keywords, packages, internationalization, serialization, reflection, garbage collection, inner classes, strings, exception handling, multi-threading, and collections. The document gives a high-level outline of the technical concepts and questions that will be covered in the book.
The OWASP Top 10 for Mobile Apps is highly focused on security checks for your mobile apps.
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.
This talk is going to give an overview of the Android operating system and its app ecosystem from the security point of view of a penetration tester.
So let's dive into topics like Pentest Environment Setup, Tools of the Trade, App Analysis and some security hints for Android developers.
ORM2Pwn: Exploiting injections in Hibernate ORM, by Mikhail Egorov
Mikhail Egorov and Sergey Soldatov presented their research on exploiting injections in Hibernate ORM. They demonstrated that while Hibernate Query Language (HQL) is more limited than SQL, it is possible to exploit HQL injections to conduct SQL injections on popular databases like MySQL, PostgreSQL, Oracle, and Microsoft SQL Server. They did this by leveraging features of Hibernate and the databases like how Hibernate handles string escaping and allows unicode characters in identifiers. Their talk provided examples of exploiting each database and a takeaway that Hibernate is not a web application firewall and HQL injections can be used to perform SQL injections.
The document provides instructions for deploying and running Odoo. It discusses starting Odoo simply and securely, configuring the addons paths, workers, and ports. It also covers optimizing PostgreSQL, selecting a database, sending emails, logging, sharing the filestore with NFS, sharing code between servers, load balancing requests, and other useful Odoo options.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015, by CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
Insecure direct object reference (null delhi meet), by Abhinav Mishra
This document discusses insecure direct object references (IDOR), a type of access control vulnerability. IDOR occurs when an application exposes references to unauthorized resources, such as allowing access to another user's account, through direct manipulation of the reference URL or parameter. The document explains how IDOR works using examples, how attackers can discover and exploit IDOR vulnerabilities, and considerations for when it may not be critical even if present. It also provides resources for further information on testing and remediating IDOR issues.
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ..., by Ajin Abraham
Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile-API-specific vulnerabilities like XXE, SSRF, path traversal, IDOR, and other logical issues related to session handling and API rate limiting.
Top 10 Web Security Vulnerabilities (OWASP Top 10), by Brian Huff
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
This document provides an overview of common security vulnerabilities in Node.js code and their solutions. It discusses injection flaws like SQL injection and log injection, broken authentication and session management issues like insecure cookie handling, cross-site scripting vulnerabilities, insecure direct object references, sensitive data exposure without encryption, cross-site request forgery, and unvalidated redirects/forwards. For each vulnerability, it provides an example of vulnerable Node.js code, how an attacker could exploit it, and recommendations for more secure coding practices. The goal is to help developers learn security best practices through examples of real flaws and their fixes.
- Odoo 13 includes the biggest ORM refactoring since OpenERP 8, focusing on performance improvements by optimizing the in-memory cache, reducing SQL queries, and delaying computations.
- Key changes include a single unified cache, preferring in-memory updates over SQL, optimizing dependency trees, and avoiding unnecessary format conversions to reduce overhead.
- Onchange methods are being deprecated in favor of computed fields, which provide a cleaner separation of business logic and interface concerns. Computed fields work both in Python and JavaScript and have well-defined dependencies.
The document describes various data structures and processes used in an ORM (object-relational mapper) system. The key points are:
1. The registry maps model names to model classes and holds metadata. It returns model class instances from browse() which reflect model definitions.
2. The record cache stores field values for quick access and is prefetched and invalidated based on changes.
3. Fields to write collects updates and flushes multiple records with the same updates in a single SQL query to minimize writes.
4. Fields to compute delays computations by tracking which records need recomputation and coordinating with the cache and writes.
5. Field triggers determine what to recompute or invalidate in the
The document discusses the top vulnerabilities from the OWASP Top 10 list - Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). It provides details on each vulnerability like how injection occurs, types of XSS, and how CSRF allows unauthorized actions. Prevention techniques are also covered, such as input validation, output encoding, and synchronizer token pattern. The presentation is given by Arya Anindyaratna Bal for Wipro and covers their experience in application security and the history of OWASP Top 10 lists.
This document contains programs and algorithms for simulating different CPU scheduling algorithms like FCFS, SJF, Priority and Round Robin. It also contains a program for implementing the Producer-Consumer problem using semaphores and an algorithm for implementing optimal page replacement.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
Brief overview of the Rust system programming language. Provides a concise introduction of its basic features, with an emphasis on its memory safety features (ownership, moves, borrowing) and programming style with generic functions, structures, and traits.
This talk walks through the basics of web security without focussing too much on the particular tools that you choose. The concepts are universal, although most examples will be in Perl. We'll also look at various attack vectors (SQL Injection, XSS, CSRF, and more) and see how you can avoid them. Whether you're an experienced web developer (we all need reminding) or just starting out, this talk can help avoid being the next easy harvest of The Bad Guys.
This document provides an overview of software security best practices and common vulnerabilities for Odoo code. It discusses the top 10 risks including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, vulnerable components, and insufficient logging. For each risk, it provides examples of vulnerable code and recommendations for more secure implementations. It emphasizes that the Odoo framework includes mechanisms to prevent many mistakes but knowledge and mindset are also key. The document concludes with recommendations for code reviews to check access control, permissions, templates, evaluations, injections, and cross-site scripting prevention.
This document discusses common security issues in Perl web applications and provides recommendations to address them. It covers input validation, SQL injections, cross-site scripting (XSS), cookies, CSRF, path traversal, Perl-specific issues like buffer overflows, tainting, system calls, eval, CGI parameters, regular expressions, and randomness. The document recommends using secure Perl modules from CPAN, following best practices, and using web scanners to test for vulnerabilities.
Rails aims to be secure by default but developers still need to be careful. The document outlines several common security issues like mass assignment vulnerabilities, XSS risks, and CSRF concerns. It provides examples of each issue and recommends solutions like using strong parameters, output encoding, and adding CSRF tokens. While Rails improves security with each release, the document emphasizes the importance of following security best practices to protect applications.
SQL injection is a common web application security vulnerability that allows attackers to control an application's database by tricking the application into sending unexpected SQL commands to the database. It works by submitting malicious SQL code as input, which gets executed by the database since the application concatenates user input directly into SQL queries. The key to preventing SQL injection is using prepared statements with bound parameters instead of building SQL queries through string concatenation. This separates the SQL statement from any user-supplied input that could contain malicious code.
The document discusses common coding errors in ASP scripts that can lead to security vulnerabilities. It covers three main categories: input validation issues, problems with managing state predictably and securely, and source code maintenance issues. Specific problems discussed include insufficient validation of user-supplied input used in SQL queries, which can enable SQL injection attacks, poor randomness or predictability of session IDs, hardcoded credentials, and debugging code left enabled. The document provides examples of each issue and recommendations for more secure coding practices.
The document discusses how to integrate security into the software development process. It recommends treating security as part of design from the beginning through activities like threat modeling, rather than as an afterthought. It provides examples of common vulnerabilities and mitigations that can be implemented at the requirements, design, code, and testing phases like input validation, output escaping, and static analysis. The document advocates finding and fixing issues earlier and communicating regularly with security experts.
The document discusses various PHP security vulnerabilities like code injection, SQL injection, cross-site scripting (XSS), session hijacking, and remote code execution. It provides examples of each vulnerability and methods to prevent them, such as input validation, output encoding, secure session management, and restricting shell commands. The goal is to teach secure PHP programming practices to avoid security issues and defend against common attacks.
This document provides eight rules for writing secure PHP programs:
1. Use proper cryptography and do not invent your own algorithms.
2. Validate all input from external sources before using.
3. Sanitize data sent to databases or other systems to prevent injection attacks.
4. Avoid leaking sensitive information through error messages or other means.
5. Properly manage user sessions to prevent hijacking and ensure users remain authenticated.
6. Enforce authentication and authorization separately using least privilege.
7. Use SSL/TLS to encrypt all authenticated or sensitive communications.
8. Keep security straightforward and avoid relying on obscurity.
The document summarizes the OWASP Top 10 security risks and provides prevention techniques. It discusses injection, cross-site scripting (XSS), insecure deserialization, XML external entities (XXE), and other risks. For each risk, it recommends validating, sanitizing, and escaping user input, using prepared statements, and other best practices to prevent security vulnerabilities.
The document provides an overview of topics related to web security and hands-on exercises. It discusses SQL injection exploits, cross-site scripting (XSS), and ways to sanitize user inputs to prevent exploits. The document outlines steps to create databases and tables in MySQL, build login and messaging systems, and introduces ways attackers can exploit vulnerabilities, such as blind SQL injections, XSS, and accessing sensitive browser data. It emphasizes the importance of using prepared statements and sanitizing all user inputs to protect against security issues.
Rails security best practices involve defending at multiple layers including the network, operating system, web server, web application, and database. The document outlines numerous vulnerabilities at the web application layer such as information leaks, session hijacking, SQL injection, mass assignment, unscoped finds, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service attacks. It provides recommendations to address each vulnerability through secure coding practices and configuration in Rails.
- Server-side JavaScript injection, cross-site scripting attacks, SQL injections, and cross-site request forgery are common security vulnerabilities in Node.js and Express applications. The document provides recommendations to prevent each vulnerability, including validating user input, escaping output, using prepared statements, and implementing CSRF tokens.
- Data validation and sanitization should be implemented for all endpoints accepting user data. Packages like express-validator can define validation schemas and sanitize input. Logging each request and response is also important for security monitoring and auditing.
SQL injection is a code injection technique that exploits security vulnerabilities in web applications by inserting malicious SQL statements into input fields. When user-supplied input is inserted into a SQL query without validation or sanitization, an attacker can manipulate the SQL statement and gain unauthorized access to sensitive data or make unauthorized changes by supplying specially crafted input containing SQL keywords and operators. Common defenses include sanitizing all user input, using parameterized queries instead of dynamic SQL, and running database access with least privileges.
Going through the SOC2 audit preparation and audit process at Lexop taught us quite a few interesting lessons as far as security, infrastructure and processes are concerned ... and we'd like to share some of these with you. This presentation will not only be focused on coding but also on what we went through on our way to becoming a SOC2 compliant ruby shop.
Bio
Michel Jamati, CTO and co-founder at Lexop, has accompanied the startup through 2 accelerator programs, 8.1M$ in financing, and many a sleepless night. He received a Bachelors in Computer Engineering from McGill, with a minor in Business and a specialty in Artificial Intelligence, before working for a decade in the Aerospace industry where he scoured the globe tinkering with full flight simulators for the World's biggest airlines.
In his free time, he enjoys feeding his newborn son (who's never thanked him for it) and pestering his sister . He's also an avid sports player and sci-fi reader, and has been a Big Brother for the last 5 years to one of the coolest kid out there.
This document summarizes common web application vulnerabilities like SQL injection and cross-site scripting (XSS) for PHP applications. It provides examples of each vulnerability and discusses mitigation strategies like input sanitization, encoding output, and using security frameworks. It also covers other risks like cross-site request forgery (CSRF) and the importance of secure server configurations.
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
This document discusses techniques for preventing SQL injection and cross-site scripting (XSS) vulnerabilities. It proposes using prepared statements with separate data and control planes as a "safe query object" approach. It also discusses policy-based sanitization of HTML and focusing code reviews on defect detection through annotating suspicious code regions. The overall goal is to help developers adopt architectures and techniques that thoroughly apply technical solutions to recognize and fix security weaknesses.
07 application security fundamentals - part 2 - security mechanisms - data ...appsec
This document discusses data validation concepts and best practices. It covers four core concepts: 1) whitelisting and blacklisting known good/bad values, 2) validating data length and format, 3) validating data before use in SQL, eval functions, or writing to buffers, and 4) encoding output to prevent XSS. Real world examples demonstrate how failing to validate data can enable SQL injection, XSS attacks, buffer overflows, and more. The document advocates restricting input length, whitelisting valid characters, encoding output, and using safe functions like strncpy() to avoid security issues.
Mugdha and Amish from OSSCube present on Php security at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
Let's write secure Drupal code! - DrupalCamp London 2019Balázs Tatár
- The document discusses secure Drupal coding practices presented by Balazs Janos Tatar at DrupalCamp London 2019.
- It covers common vulnerabilities like cross-site scripting, access bypass, SQL injection and how to prevent them through input filtering, access control configuration, and using Drupal's database APIs.
- Tatar also discusses security improvements in Drupal 8 like Twig templates, automated CSRF protection, and content security policy compatibility. He encourages learning from security advisories and reviewing sites for vulnerabilities.
10 Rules for Safer Code [Odoo Experience 2016]
3. RULE #1: EVAL IS EVIL

Don't trust strings supposed to contain expressions or code (even your own!)
4. "eval" breaks the barrier between code and data

Is this safe? Maybe... it depends.
Is it a good idea? No, because eval() is not necessary!
5. There are safer and smarter ways to parse data in PYTHON

Given this string                 Parse it like this
"42"                              int(x), float(x)
"[1,2,3,true]"                    json.loads(x)
'{"widget": "monetary"}'          json.loads(x)
"[1,2,3,True]"                    ast.literal_eval(x)
"{'widget': 'monetary'}"          ast.literal_eval(x)
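The point of the table is that the dedicated parsers refuse anything that is not a literal, whereas eval() runs it. The following is an added example (not from the slides) that puts the same strings, plus a constructed attacker string, through each parser and through eval(). The payload only reads the process id, so it is harmless, but the fact that eval() returns an integer proves that arbitrary code ran.

```python
import ast
import json

# Constructed attacker input: data to a human, code to eval(). Harmless on purpose.
PAYLOAD = "__import__('os').getpid()"


def eval_untrusted(text):
    """The pattern the slide warns against: built-in eval() runs whatever the string says."""
    return eval(text)  # deliberately unsafe, kept only for the comparison


def parse_python_literal(text):
    """ast.literal_eval builds only Python literals: numbers, strings, lists, dicts, True/None."""
    return ast.literal_eval(text)


def parse_json(text):
    """json.loads for JSON-syntax input (true/false/null, double quotes)."""
    return json.loads(text)


def parse_number(text):
    """int() first, then float(): the slide's advice for '42'-style strings."""
    try:
        return int(text)
    except ValueError:
        return float(text)


def try_parse(parser, text):
    """Run a parser and report ('ok', value) or ('rejected', exception name)."""
    try:
        return ("ok", parser(text))
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # json.JSONDecodeError is a ValueError; literal_eval raises ValueError for calls,
        # attribute access and anything else that is not a literal.
        return ("rejected", type(exc).__name__)
```

literal_eval and json.loads both reject the payload with an exception, which is the behaviour you want on untrusted input: a parse error, not a code path.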
6. There are safer and smarter ways to parse data in JAVASCRIPT

Given this string                 Parse it like this
"42"                              parseInt(x, 10), parseFloat(x)
"[1,2,3,true]"                    JSON.parse(x)
'{"widget": "monetary"}'          JSON.parse(x)

(Always pass the radix to parseInt, and check the result for NaN: "abc" parses to NaN rather than throwing.)
7. If you must eval parameters, use a safe eval method (PYTHON)

Import it as "safe_eval", not as "eval"!

# YES
from odoo.tools import safe_eval
res = safe_eval('foo', {'foo': 42})

# NO
from odoo.tools import safe_eval as eval
res = eval('foo', {'foo': 42})

Alias the built-in eval as "unsafe_eval" to show your meaning!

# YES
unsafe_eval = eval
res = unsafe_eval(trusted_code)

# NO!
res = eval(trusted_code)

(Now verified by runbot!)
8. If you must eval parameters, use a safe eval method (JAVASCRIPT)

// py.js is included by default
py.eval('foo', {'foo': 42});

// require("web.pyeval") for domains/contexts/groupby evaluation
pyeval.eval('domains', my_domain);

Do not use the built-in JS eval!
15. RULE #3: USE THE CURSOR WISELY

Use the ORM API. And when you can't, use query parameters.
16. SQL injection is a classical privilege escalation vector

The ORM is here to help you build safe queries:

self.search(domain)

Psycopg can also help you do that, if you tell it what is code and what is data:

query = """SELECT * FROM res_partner
           WHERE id IN %s"""                 # SQL code
self._cr.execute(query, (tuple(ids),))       # SQL data parameters

(Psycopg renders a tuple parameter as a parenthesised list, which is what IN expects; an empty tuple renders as "()" and is a syntax error, so return early when ids is empty.)
17. Learn the API to avoid hurting yourself and other people!
18. This method is vulnerable to SQL injection

def compute_balance_by_category(self, categ='in'):
    query = """SELECT sum(debit-credit)
               FROM account_invoice_line l
               JOIN account_invoice i ON (l.invoice_id = i.id)
               WHERE i.categ = '%s_invoice'
               GROUP BY i.partner_id """
    self._cr.execute(query % categ)
    return self._cr.fetchall()

The method is public (no leading underscore), so any authenticated user can call it over RPC with a categ of their choosing. What if someone calls it with:

categ = """in_invoice'; UPDATE res_users
SET password = 'god' WHERE id=1; SELECT
sum(debit-credit) FROM account_invoice_line
WHERE name = '"""
19. This method is still vulnerable to SQL injection

def _compute_balance_by_category(self, categ='in'):
    query = """SELECT sum(debit-credit)
               FROM account_invoice_line l
               JOIN account_invoice i ON (l.invoice_id = i.id)
               WHERE i.categ = '%s_invoice'
               GROUP BY i.partner_id """
    self._cr.execute(query % categ)
    return self._cr.fetchall()

Now private! Better, but it could still be called indirectly (from a public method or a controller that forwards user input), and the string formatting is unchanged.
20. This method is safe against SQL injection

def _compute_balance_by_category(self, categ='in'):
    categ = '%s_invoice' % categ
    query = """SELECT sum(debit-credit)
               FROM account_invoice_line l
               JOIN account_invoice i ON (l.invoice_id = i.id)
               WHERE i.categ = %s
               GROUP BY i.partner_id """
    self._cr.execute(query, (categ,))
    return self._cr.fetchall()

Separates code and parameters!
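To make the difference between slides 18 and 20 observable without a PostgreSQL server, here is an added example (not from the slides) that runs both shapes of the query against a constructed in-memory SQLite database. SQLite uses "?" as the placeholder where psycopg2 uses "%s"; the principle is the same. The table contents, the payload and the ALLOWED_CATEGS allowlist are all constructed for the example.

```python
import sqlite3

# sqlite3 stands in for PostgreSQL/psycopg2 so the example runs offline.


def make_db():
    """Constructed sample data mirroring the slide's account_invoice(_line) tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE account_invoice (id INTEGER PRIMARY KEY, partner_id INTEGER, categ TEXT);
        CREATE TABLE account_invoice_line (id INTEGER PRIMARY KEY, invoice_id INTEGER,
                                           debit REAL, credit REAL);
        INSERT INTO account_invoice VALUES (1, 10, 'in_invoice'), (2, 10, 'out_invoice'),
                                           (3, 20, 'in_invoice');
        INSERT INTO account_invoice_line VALUES (1, 1, 100, 0), (2, 2, 0, 250), (3, 3, 40, 0);
    """)
    return conn


def balance_by_category_vulnerable(conn, categ):
    """Slide 18's pattern: the parameter is pasted into the SQL text, so it can change the code."""
    query = """SELECT i.partner_id, sum(l.debit - l.credit)
               FROM account_invoice_line l
               JOIN account_invoice i ON (l.invoice_id = i.id)
               WHERE i.categ = '%s_invoice'
               GROUP BY i.partner_id ORDER BY i.partner_id"""
    return conn.execute(query % categ).fetchall()


def balance_by_category_safe(conn, categ):
    """Slide 20's pattern: the value travels as a bound parameter and can only ever be data."""
    query = """SELECT i.partner_id, sum(l.debit - l.credit)
               FROM account_invoice_line l
               JOIN account_invoice i ON (l.invoice_id = i.id)
               WHERE i.categ = ?
               GROUP BY i.partner_id ORDER BY i.partner_id"""
    return conn.execute(query, ('%s_invoice' % categ,)).fetchall()


ALLOWED_CATEGS = frozenset({"in", "out"})   # assumed closed set of invoice categories


def is_allowed_categ(categ):
    return categ in ALLOWED_CATEGS


def balance_by_category_checked(conn, categ):
    """Defence in depth: besides binding the value, reject anything outside the known set."""
    if not is_allowed_categ(categ):
        raise ValueError("unknown invoice category: %r" % (categ,))
    return balance_by_category_safe(conn, categ)


# Constructed payload: closes the quoted literal, adds an always-true condition, and re-opens
# a literal so that the template's trailing "_invoice'" still parses.
PAYLOAD = "in' OR '1'='1' OR i.categ = '"
```

With the payload, the vulnerable version returns the balance of every partner across all categories, while the bound version simply finds no category named after the payload and returns nothing. Binding covers values only: a dynamic table or column name cannot be a parameter, so validate it against an allowlist (or build it with psycopg2.sql.Identifier) rather than formatting it in.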
23. Most XSS errors are trivial: QWeb templates

t-raw vs t-esc / t-field

Only use t-raw to insert HTML code that has been prepared and escaped by the framework. Never use it to insert text.

For everything else, use:
• t-esc: variables, URL parameters, ...
• t-field: record data
24. Most XSS errors are trivial: DOM manipulations (jQuery)

$elem.html(value) vs $elem.text(value)

Only use .html() to insert HTML code that has been prepared and escaped by the framework. Never use it to insert text.

For everything else, use:
• $elem.text(value): variables, URL parameters, record data, anything that is text
• build elements with jQuery ($('<a>').attr('href', url).text(label)) instead of concatenating HTML strings
25. Some XSS are less obvious: callbacks

@http.route('/web/binary/upload', type='http', auth="user")
@serialize_exception
def upload(self, callback, ufile):
    out = """<script language="javascript" type="text/javascript">
        var win = window.top.window;
        win.jQuery(win).trigger(%s, %s);
    </script>"""
    # (...)
    return out % (json.dumps(callback), json.dumps(args))

JSON escaping is not sufficient to prevent XSS, because of the way browsers parse documents!

/web/binary/upload?callback=</script><script>alert('This works!');//
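Why json.dumps() is not enough: the HTML tokenizer closes a script element at the first "</script" it meets, before the JavaScript engine ever looks at string literals. The following is an added example (not from the slides, and not Odoo's fix) that reproduces the slide's template with a constructed callback value, counts how many times the document would close the script element, and shows one hardening: escaping "<", ">" and "&" as JSON \u escapes, which the HTML parser ignores and the JS engine decodes back to the original characters.

```python
import json
import re

SCRIPT_TEMPLATE = """<script type="text/javascript">
var win = window.top.window;
win.jQuery(win).trigger(%s, %s);
</script>"""

# Constructed attacker value: the callback parameter from the slide's URL
ATTACK_CALLBACK = "</script><script>alert('This works!');//"


def render_vulnerable(callback, args):
    """The slide's pattern: plain json.dumps() leaves '</script>' intact inside the literal."""
    return SCRIPT_TEMPLATE % (json.dumps(callback), json.dumps(args))


# Characters the HTML parser reacts to, replaced by JSON escapes the JS engine undoes.
_SCRIPT_UNSAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_script(value):
    """json.dumps() whose output can sit inside a <script> block."""
    text = json.dumps(value)
    for char, escape in _SCRIPT_UNSAFE.items():
        text = text.replace(char, escape)
    return text


def render_safe(callback, args):
    return SCRIPT_TEMPLATE % (json_for_script(callback), json_for_script(args))


def count_script_closers(html):
    """Number of places where the HTML tokenizer would end a script element."""
    return len(re.findall(r"</script", html, flags=re.IGNORECASE))


def value_seen_by_js(json_text):
    """JSON string literals are valid JS literals; decoding shows the runtime value is unchanged."""
    return json.loads(json_text)
```

The vulnerable rendering contains two "</script" sequences (one from the attacker, one from the template), the hardened one only the template's. Better still is not to build script source from request parameters at all: keep the callback name in an allowlist, or hand data to the page through an HTML-escaped data attribute.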
26. Some XSS are less obvious: uploads

Users can often upload arbitrary files: contact forms, email gateway, etc.

Upon download, browsers will happily detect the file type and execute anything that remotely looks like HTML, even if you return it with an image mime-type!

<svg xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert('XSS!!');</script>
</svg>

A valid SVG image file!

(Serve user uploads with Content-Disposition: attachment and X-Content-Type-Options: nosniff, ideally from a separate origin, so that nothing a user uploaded can run with the application's cookies.)
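The following is an added example (not from the slides, not Odoo code) with the two layers a practitioner wants for uploads: response headers that stop the browser from rendering the file as a document, and, as defence in depth, a check that refuses SVG files carrying active content (script elements, on* handlers, foreignObject, javascript: links). The SVG samples are constructed from the slide's snippet.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the slide's "valid SVG image" and a harmless one
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert('XSS!!');</script>
</svg>"""
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<rect width="10" height="10" fill="red"/>
</svg>"""

ACTIVE_TAGS = {"script", "foreignobject"}
SCRIPTABLE_ATTRS = {"href"}   # href / xlink:href may carry javascript: URLs


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_has_active_content(data):
    """True if the SVG contains script, on* event handlers, foreignObject or javascript: links.
    A parse error is treated as unsafe too: a browser's decoder may be laxer than ours."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for elem in root.iter():
        if _local(elem.tag) in ACTIVE_TAGS:
            return True
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                return True
            if name in SCRIPTABLE_ATTRS and value.strip().lower().startswith("javascript:"):
                return True
    return False


def download_headers(filename, mimetype):
    """Headers for serving any user upload: force a download and forbid MIME sniffing, so a
    file that 'looks like HTML' is never executed in the site's origin."""
    return {
        "Content-Type": mimetype,
        "Content-Disposition": 'attachment; filename="%s"' % filename.replace('"', ""),
        "X-Content-Type-Options": "nosniff",
    }
```

The header function is the real mitigation; the content check only narrows what an attacker can store. Parse untrusted XML with defusedxml in production rather than the standard ElementTree, which does not protect against entity-expansion attacks.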
28. Where should we store precious tokens for external APIs?

• On the res.users record of the user!
• On the res.company record!
• On the record representing the API endpoint, like the acquirer record!
• In the ir.config_parameter table!

Wherever it makes the most sense, as long as it's not readable by anyone! (field-level group, ACLs, ICP groups, etc.)
30. RULE #6: DO NOT OVER-SUDO IT

Review your sudo() usage twice, particularly in controllers and public methods.

31. Do you think this form is safe?

Not if it blindly takes the form POST parameters and calls write() in sudo mode! sudo() removes the access rights and record rules that would otherwise limit the caller, so the controller itself must decide which record and which fields the request may touch.
32. RULE #7: CSRF TOKENS FOR WEBSITE FORMS

HTTP POST requests require CSRF tokens since v9.0.

33. Do you think this form is safe from CSRF attacks?

As of Odoo 9, HTTP POST controllers are CSRF-protected. Do not bypass it with GET controllers that act like POST: a state-changing GET carries no token to check!
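To make the rule concrete, here is an added example (not Odoo's implementation) of a stateless CSRF token: an HMAC over the session id and an expiry, keyed by a server secret, plus the dispatcher check that only lets a POST with a valid token change state. The secret, session ids and time values are constructed for the example.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-database-secret-do-not-reuse"   # assumed server-side secret
DEFAULT_TTL = 3600   # seconds a token stays valid


def _signature(secret, session_id, expires_at):
    msg = ("%s|%d" % (session_id, expires_at)).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def csrf_token(session_id, now=None, ttl=DEFAULT_TTL, secret=SERVER_SECRET):
    """Token to embed as a hidden field in every website form."""
    expires_at = int((now if now is not None else time.time()) + ttl)
    return "%s.%d" % (_signature(secret, session_id, expires_at), expires_at)


def validate_csrf_token(token, session_id, now=None, secret=SERVER_SECRET):
    """True only for a token minted for this very session that has not expired."""
    try:
        sig, exp_text = token.rsplit(".", 1)
        expires_at = int(exp_text)
    except (AttributeError, ValueError):
        return False
    current = now if now is not None else time.time()
    if current > expires_at:
        return False
    # compare_digest keeps the comparison constant-time; never use == on signatures
    return hmac.compare_digest(sig, _signature(secret, session_id, expires_at))


SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def handle_request(method, session_id, form, now=None):
    """Dispatcher decision for a website form controller, returned as a string so it can be
    inspected: state changes only via POST, and only with a token bound to this session."""
    if method in SAFE_METHODS:
        return "read-only"   # a GET that writes would bypass the token check entirely
    if method != "POST":
        return "method-not-allowed"
    if not validate_csrf_token(form.get("csrf_token", ""), session_id, now=now):
        return "csrf-rejected"
    return "write"
```

The token is worthless to another session (different session id, different signature), expires on its own, and cannot be forged without the secret; the GET branch is what the slide's warning about "GET controllers that act like POST" is about.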
34. RULE #8: MASTER THE RULES

Odoo ACLs and rules are not trivial, be sure to understand them.
35. Odoo ACLs are not always trivial

[Diagram: a user belonging to group A and group B accesses data. Access is checked first per model, by the groups' access rights (ir.model.access, CRUD flags), then per record, by the group access rules and the global access rules (ir.rule). Result: ACCESS DENIED]

36. Odoo ACLs are not always trivial

[Diagram: same layers with different access rights and rules. Result: ACCESS GRANTED]

37. Odoo ACLs are not always trivial

[Diagram: same layers with different access rights and rules. Result: ACCESS GRANTED]

38. Odoo ACLs are not always trivial

[Diagram: same layers with different access rights and rules. Result: ACCESS DENIED]

39. Odoo ACLs are not always trivial

[Diagram: same layers with different access rights and rules. Result: ACCESS GRANTED]
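The diagrams show the two layers combining in different ways. The following is an added example (not Odoo code) that models that combination in plain Python so the outcomes can be checked: access rights (ir.model.access) are per model and unioned over the user's groups; record rules (ir.rule) are per record, global rules are AND-ed together, group rules matching one of the user's groups are OR-ed together, and both sets are AND-ed; a record with no applicable rule is accessible. Rules are Python predicates standing in for domains, and the groups, records and rights are a constructed scenario in the spirit of slides 35 to 39.

```python
from dataclasses import dataclass, field


@dataclass
class RecordRule:
    predicate: object                    # callable(record) -> bool, stands in for a domain
    perms: frozenset                     # subset of {"create", "read", "write", "unlink"}
    groups: frozenset = frozenset()      # empty means global rule


@dataclass
class AccessModel:
    access_rights: dict                                  # (group, model) -> set of perms
    record_rules: dict = field(default_factory=dict)     # model -> [RecordRule]

    def check_access_rights(self, user_groups, model, perm):
        """Per-model layer: at least one of the user's groups must grant the operation."""
        return any(perm in self.access_rights.get((g, model), ()) for g in user_groups)

    def check_access_rule(self, user_groups, model, perm, record):
        """Per-record layer: AND of global rules, OR of the user's group rules, AND of both."""
        applicable = [r for r in self.record_rules.get(model, []) if perm in r.perms]
        global_rules = [r for r in applicable if not r.groups]
        group_rules = [r for r in applicable if r.groups & user_groups]
        if not all(r.predicate(record) for r in global_rules):
            return False
        if group_rules and not any(r.predicate(record) for r in group_rules):
            return False
        return True

    def can(self, user_groups, model, perm, record):
        return (self.check_access_rights(user_groups, model, perm)
                and self.check_access_rule(user_groups, model, perm, record))


def build_demo():
    """Constructed scenario: a user in groups A and B working on model 'data'."""
    access_rights = {
        ("group_a", "data"): {"read"},
        ("group_b", "data"): {"read", "write"},
    }
    record_rules = {"data": [
        # global rule: only records of the user's company, for every operation
        RecordRule(lambda rec: rec["company"] == "acme",
                   frozenset({"read", "write", "unlink"})),
        # group A rule: own records only
        RecordRule(lambda rec: rec["owner"] == "alice", frozenset({"read", "write"}),
                   frozenset({"group_a"})),
        # group B rule: records flagged as shared, read only
        RecordRule(lambda rec: rec["shared"], frozenset({"read"}), frozenset({"group_b"})),
    ]}
    return AccessModel(access_rights, record_rules)


ALICE = frozenset({"group_a", "group_b"})
CAROL = frozenset({"group_c"})            # no access right on 'data' at all
OWN_PRIVATE = {"company": "acme", "owner": "alice", "shared": False}
OTHER_SHARED = {"company": "acme", "owner": "bob", "shared": True}
OTHER_PRIVATE = {"company": "acme", "owner": "bob", "shared": False}
FOREIGN = {"company": "other", "owner": "alice", "shared": True}
```

Two of the results are the ones that surprise people: Alice can read bob's shared record although group A's rule fails, because group B's rule is OR-ed in; and she cannot write that same record, because group B's rule only covers read, so only group A's (failing) rule applies to write. Everything here is also what sudo() switches off, which is why Rule #6 matters.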
40. RULE #9: GETATTR IS NOT YOUR FRIEND

There are better and safer alternatives.

41. Do NOT do this:

def _get_it(self, field='partner_id'):
    return getattr(record, field)

By passing arbitrary field values, an attacker could gain access to dangerous methods!

Try this instead:

def _get_it(self, field='partner_id'):
    return record[field]

This will only work with valid field values.
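The following is an added example (not Odoo code) covering slide 41 and slide 31 together, since both are about a caller choosing names that the code then trusts. A stand-in record class with a handful of declared fields shows that getattr() reaches methods such as unlink while item access is limited to fields, and a form handler shows the allowlist a sudo'ed write() needs in front of it. The field names and the WRITABLE_FROM_FORM set are constructed.

```python
class Record:
    """Minimal ORM-like record: declared fields live in _fields; everything else is a method."""
    _fields = ("name", "email", "partner_id")

    def __init__(self, **values):
        self._values = {f: values.get(f) for f in self._fields}
        self.deleted = False

    def __getitem__(self, name):
        # record[field]: only declared fields, anything else is a KeyError
        if name not in self._fields:
            raise KeyError(name)
        return self._values[name]

    def write(self, values):
        unknown = set(values) - set(self._fields)
        if unknown:
            raise KeyError("unknown fields: %s" % sorted(unknown))
        self._values.update(values)
        return True

    def unlink(self):
        self.deleted = True
        return True


def get_it_unsafe(record, field="partner_id"):
    """Slide 41's 'do NOT do this': whoever controls 'field' gets any attribute, unlink included."""
    return getattr(record, field)


def get_it_safe(record, field="partner_id"):
    """Slide 41's fix: item access only resolves real fields."""
    return record[field]


def is_dangerous_lookup(record, field):
    """True when getattr would hand back something callable instead of a field value."""
    return callable(getattr(record, field, None))


WRITABLE_FROM_FORM = frozenset({"name", "email"})   # the only columns this form may change


def apply_form_post(record, post):
    """Slide 31: a controller writing in sudo mode picks the fields itself. Handing the POST
    dict straight to write() lets the client choose which columns (partner_id, groups...) change.
    Returns the sorted list of rejected keys; empty means the write was applied."""
    unexpected = sorted(set(post) - WRITABLE_FROM_FORM)
    if unexpected:
        return unexpected
    record.write({k: post[k] for k in WRITABLE_FROM_FORM if k in post})
    return []
```

Rejecting unexpected keys outright, rather than silently dropping them, also makes tampering attempts visible in the logs.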
42. RULE #10: OPEN WITH CARE

Do NOT open(), urlopen(), requests.post(), ... an arbitrary URL/path!
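What "with care" looks like in code, as an added example (not Odoo code): a path is resolved with realpath() and checked to stay under the storage root before open(), and an outbound URL is checked against a scheme and host allowlist before urlopen() or requests. The storage root and the API host are assumed values.

```python
import os
from urllib.parse import urlsplit

ATTACHMENT_ROOT = "/srv/odoo/filestore"              # assumed storage root
ALLOWED_API_HOSTS = frozenset({"api.example.com"})    # assumed external API host
ALLOWED_SCHEMES = frozenset({"https"})


def resolve_attachment_path(root, user_path):
    """Absolute path to open, or None if user_path escapes the root through '../', an absolute
    path or a symlinked parent. realpath() normalises and resolves symlinks before the check."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


def check_outbound_url(url, allowed_hosts=ALLOWED_API_HOSTS):
    """(ok, reason): only https, only allowlisted hosts, no credentials in the URL. This keeps
    file://, internal addresses and metadata endpoints out of reach of user-supplied URLs."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not allowed: %r" % host
    return True, "ok"
```

The URL check validates the request you are about to send; it does not cover where a server redirects you afterwards, so disable redirects (or re-check the target of each hop) in the HTTP client as well.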
43. Summary

1. Eval is evil
2. You shall not pickle
3. Use the cursor wisely
4. Fight XSS
5. Guard passwords & tokens fiercely
6. Do not over-sudo it
7. CSRF tokens for website forms
8. Master the rules
9. Getattr is not your friend
10. Open with care