Uploaded byvti
561 views

Slides

This document discusses common security issues in Perl web applications and provides recommendations to address them. It covers input validation, SQL injections, cross-site scripting (XSS), cookies, CSRF, path traversal, Perl-specific issues like buffer overflows, tainting, system calls, eval, CGI parameters, regular expressions, and randomness. The document recommends using secure Perl modules from CPAN, following best practices, and using web scanners to test for vulnerabilities.

Embed presentation

Download to read offline
Security issues in Perl web apps Viacheslav Tykhanovskyi May 12, 2012
Common web security issues
Validate input data!
SQL injections use DBI; use DBIx::Class; use Rose::DB::Object; use ObjectDB;
XSS Blind escaping <, >, ’, " and & is not enough!
XSS Blind escaping <, >, ’, " and & is not enough! Various HTML attributes (href, refresh meta tag, ...)
XSS Blind escaping <, >, ’, " and & is not enough! Various HTML attributes (href, refresh meta tag, ...) Not validated JSON response
XSS Blind escaping <, >, ’, " and & is not enough! Various HTML attributes (href, refresh meta tag, ...) Not validated JSON response Using template variables in JavaScript code
XSS Blind escaping <, >, ’, " and & is not enough! Various HTML attributes (href, refresh meta tag, ...) Not validated JSON response Using template variables in JavaScript code Escape taking context into account.
Cookies Sign cookies
Cookies Sign cookies XSS preventing is hard. Set HttpOnly cookie flag for better protection.
CSRF Plack::Middleware::CSRF
Path traversal ../../../../../../etc/passwd
Path traversal ../../../../../../etc/passwd Detect ..
Path traversal ../../../../../../etc/passwd Detect .. File::Spec->no_upwards(@paths);
Perl-specific security issues
No buffer overflow
No buffer overflow Most system commands are embedded
No buffer overflow Most system commands are embedded Written by smart people
use strict; use warnings;
Tainting -T
sub is_tainted { return !eval { eval("#" . substr(join("", @_), 0, 0) ); 1 }; }
system() system("program $arg"); vs system(’program’, $arg);
open() open my $fh, ">$file"; vs open my $fh, ’>’, $file;
eval() eval "require $class";
eval() eval "require $class"; load_class("Foo;print ’nice feature!’")
0 0
0 0 $file = "/bin/ls0 /etc|"; if (-e $file) { open my $fh, $file; }
CGI & ARGV script.pl?foo
CGI & ARGV script.pl?foo ... $app->run(@ARGV); ...
Regular expressions if ($string =~ m/$user_supplied_re/) { ... } vs if ($string =~ m/Q$user_supplied_reE/) { ... }
Unicode utf8 vs UTF-8
rand() ”rand()” is not cryptographically secure
How to make life easier?
How to make life easier? Use modules from CPAN. Many of them are time-proved
How to make life easier? Use modules from CPAN. Many of them are time-proved Google ”OWASP”
How to make life easier? Use modules from CPAN. Many of them are time-proved Google ”OWASP” Follow Best Practices
How to make life easier? Use modules from CPAN. Many of them are time-proved Google ”OWASP” Follow Best Practices Use scanners nikto http://cirt.net/nikto2 skipfish http://code.google.com/p/skipfish/ w3af http://w3af.sourceforge.net/
Questions?

More Related Content

PDF
Defeating Cross-Site Scripting with Content Security Policy
byFrancois Marier
 
PDF
Two scoops of Django - Security Best Practices
bySpin Lai
 
PPT
SQL Injection in PHP
byDave Ross
 
PDF
Tips on Securing Drupal Sites
bycgmonroe
 
PDF
OWASP TOP 10 for PHP Programmers
byrjsmelo
 
PDF
OWASP Top 10 at International PHP Conference 2014 in Berlin
byTobias Zander
 
PPT
Php Mysql
byMudasir Syed
 
PPT
Securing Java EE Web Apps
byFrank Kim
 
Defeating Cross-Site Scripting with Content Security Policy
byFrancois Marier
 
Two scoops of Django - Security Best Practices
bySpin Lai
 
SQL Injection in PHP
byDave Ross
 
Tips on Securing Drupal Sites
bycgmonroe
 
OWASP TOP 10 for PHP Programmers
byrjsmelo
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
byTobias Zander
 
Php Mysql
byMudasir Syed
 
Securing Java EE Web Apps
byFrank Kim
 

What's hot

PDF
Talk NullByteCon 2015
byRoberto Soares
 
PDF
Bünyamin Demir - Secure YourApp
byCypSec - Siber Güvenlik Konferansı
 
PPT
php $_GET / $_POST / $_SESSION
bytumetr1
 
PPTX
Spine.js
bywearefractal
 
PPTX
How did i steal your database
byMostafa Siraj
 
PPTX
Don't Get Stung
byBarry Dorrans
 
PDF
autopkgtest lightning talk
bymartin-pitt
 
PDF
Es part 2 pdf no build
byErik Rose
 
PPT
Zend Con 2008 Slides
bymkherlakian
 
PDF
What should a hacker know about WebDav?
byMikhail Egorov
 
Talk NullByteCon 2015
byRoberto Soares
 
Bünyamin Demir - Secure YourApp
byCypSec - Siber Güvenlik Konferansı
 
php $_GET / $_POST / $_SESSION
bytumetr1
 
Spine.js
bywearefractal
 
How did i steal your database
byMostafa Siraj
 
Don't Get Stung
byBarry Dorrans
 
autopkgtest lightning talk
bymartin-pitt
 
Es part 2 pdf no build
byErik Rose
 
Zend Con 2008 Slides
bymkherlakian
 
What should a hacker know about WebDav?
byMikhail Egorov
 

Similar to Slides

PPT
Training on php by cyber security infotech (csi)
byCyber Security Infotech Pvt. Ltd.
 
PPT
php fundamental
byzalatarunk
 
PPT
php
byRamki Kv
 
PPT
Php introduction with history of php
bypooja bhandari
 
DOC
Perl web programming
byJohnny Pork
 
PPT
Php
byRathan Raj
 
PPTX
Secure programming with php
byMohmad Feroz
 
PDF
Session10-PHP Misconfiguration
byzakieh alizadeh
 
PPTX
Prevent hacking
byViswanath Polaki
 
PDF
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
PPT
05php
bysahilshamrma08
 
PDF
Php Security
byguest7cf35c
 
PPTX
Security hole #5 application security science or quality assurance
byTjylen Veselyj
 
PPT
Php classes in mumbai
byVibrant Technologies & Computers
 
PPTX
Cgi
byGirish Srivastava
 
PDF
Catalyst - refactor large apps with it and have fun!
bymold
 
PPTX
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
byEric Vanderburg
 
PPT
MIND sweeping introduction to PHP
byBUDNET
 
ODP
How secure is your code?
byMikee Franklin
 
PPT
PHP - Introduction to PHP
byVibrant Technologies & Computers
 
Training on php by cyber security infotech (csi)
byCyber Security Infotech Pvt. Ltd.
 
php fundamental
byzalatarunk
 
php
byRamki Kv
 
Php introduction with history of php
bypooja bhandari
 
Perl web programming
byJohnny Pork
 
Php
byRathan Raj
 
Secure programming with php
byMohmad Feroz
 
Session10-PHP Misconfiguration
byzakieh alizadeh
 
Prevent hacking
byViswanath Polaki
 
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
05php
bysahilshamrma08
 
Php Security
byguest7cf35c
 
Security hole #5 application security science or quality assurance
byTjylen Veselyj
 
Php classes in mumbai
byVibrant Technologies & Computers
 
Cgi
byGirish Srivastava
 
Catalyst - refactor large apps with it and have fun!
bymold
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
byEric Vanderburg
 
MIND sweeping introduction to PHP
byBUDNET
 
How secure is your code?
byMikee Franklin
 
PHP - Introduction to PHP
byVibrant Technologies & Computers
 

Recently uploaded

PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
AI Technology important knowledge ......
byutkarshj2007
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 

Slides

  • 1.
    Security issues inPerl web apps Viacheslav Tykhanovskyi May 12, 2012
  • 3.
  • 4.
  • 5.
    SQL injections use DBI; use DBIx::Class; use Rose::DB::Object; use ObjectDB;
  • 6.
    XSS Blind escaping<, >, ’, " and & is not enough!
  • 7.
    XSS Blind escaping<, >, ’, " and & is not enough! Various HTML attributes (href, refresh meta tag, ...)
  • 8.
    XSS Blind escaping<, >, ’, " and & is not enough! Various HTML attributes (href, refresh meta tag, ...) Not validated JSON response
  • 9.
    XSS Blind escaping<, >, ’, " and & is not enough! Various HTML attributes (href, refresh meta tag, ...) Not validated JSON response Using template variables in JavaScript code
  • 10.
    XSS Blind escaping<, >, ’, " and & is not enough! Various HTML attributes (href, refresh meta tag, ...) Not validated JSON response Using template variables in JavaScript code Escape taking context into account.
  • 11.
    Cookies Sign cookies
  • 12.
    Cookies Sign cookies XSS preventing is hard. Set HttpOnly cookie flag for better protection.
  • 13.
    CSRF Plack::Middleware::CSRF
  • 14.
    Path traversal ../../../../../../etc/passwd
  • 15.
    Path traversal ../../../../../../etc/passwd Detect ..
  • 16.
    Path traversal ../../../../../../etc/passwd Detect .. File::Spec->no_upwards(@paths);
  • 17.
  • 18.
  • 19.
    No buffer overflow Mostsystem commands are embedded
  • 20.
    No buffer overflow Mostsystem commands are embedded Written by smart people
  • 22.
  • 23.
  • 24.
    sub is_tainted { return !eval { eval("#" . substr(join("", @_), 0, 0) ); 1 }; }
  • 25.
    system() system("program $arg"); vs system(’program’, $arg);
  • 26.
    open() open my $fh, ">$file"; vs open my $fh, ’>’, $file;
  • 27.
    eval() eval "require $class";
  • 28.
    eval() eval "require $class"; load_class("Foo;print ’nice feature!’")
  • 29.
    0 0
  • 30.
    0 0 $file = "/bin/ls0 /etc|"; if (-e $file) { open my $fh, $file; }
  • 31.
    CGI & ARGV script.pl?foo
  • 32.
    CGI & ARGV script.pl?foo ... $app->run(@ARGV); ...
  • 33.
    Regular expressions if ($string =~ m/$user_supplied_re/) { ... } vs if ($string =~ m/Q$user_supplied_reE/) { ... }
  • 34.
    Unicode utf8 vs UTF-8
  • 35.
    rand() ”rand()”is not cryptographically secure
  • 36.
    How to makelife easier?
  • 37.
    How to makelife easier? Use modules from CPAN. Many of them are time-proved
  • 38.
    How to makelife easier? Use modules from CPAN. Many of them are time-proved Google ”OWASP”
  • 39.
    How to makelife easier? Use modules from CPAN. Many of them are time-proved Google ”OWASP” Follow Best Practices
  • 40.
    How to makelife easier? Use modules from CPAN. Many of them are time-proved Google ”OWASP” Follow Best Practices Use scanners nikto http://cirt.net/nikto2 skipfish http://code.google.com/p/skipfish/ w3af http://w3af.sourceforge.net/
  • 41.