Slides

  1. Security issues in Perl web apps. Viacheslav Tykhanovskyi, May 12, 2012
  2. Common web security issues
  3. Validate input data!
  4. SQL injections
     Never build SQL by string interpolation. Use DBI with bind placeholders, or an ORM / query builder that does it for you:
       use DBI;
       use DBIx::Class;
       use Rose::DB::Object;
       use ObjectDB;
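Worked example, added here and not from the slides: the interpolated query beside the placeholder version, run against an in-memory SQLite database so it works offline. It assumes DBD::SQLite is installed; the table, rows and attacker string are constructed for the example.

```perl
use strict;
use warnings;
use DBI;

# In-memory database keeps the example self-contained (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$dbh->do("INSERT INTO users (name, role) VALUES (?, ?)", undef, @$_)
    for ['alice', 'admin'], ['bob', 'user'];

# Vulnerable: the user string becomes part of the SQL text, so quotes and
# operators inside it are parsed as SQL.
sub find_user_unsafe {
    my ($dbh, $name) = @_;
    return $dbh->selectall_arrayref("SELECT name, role FROM users WHERE name = '$name'");
}

# Hardened: the value travels as a bind parameter and is never parsed as SQL.
# This is what DBIx::Class, Rose::DB::Object and friends do under the hood.
sub find_user_safe {
    my ($dbh, $name) = @_;
    return $dbh->selectall_arrayref("SELECT name, role FROM users WHERE name = ?", undef, $name);
}

# Constructed attacker input: closes the string literal and appends a tautology.
my $name = "x' OR '1'='1";

my $rows = find_user_unsafe($dbh, $name);
printf "unsafe: %d row(s) for %s\n", scalar @$rows, $name;   # the whole table leaks
$rows = find_user_safe($dbh, $name);
printf "safe:   %d row(s) for %s\n", scalar @$rows, $name;   # no user has that literal name
```

Run it with `perl sqli.pl`; the same pattern (`?` placeholders plus `execute`/`selectall_*` bind values) applies to every DBI driver.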
  5-9. XSS
     Blind escaping of <, >, ', " and & is not enough!
       Various HTML attributes (href, refresh meta tag, ...)
       Not validated JSON response
       Using template variables in JavaScript code
     Escape taking the context into account.
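Added example (not from the talk) of what "escape taking the context into account" looks like in Perl: one escaper per output context, for element text and attribute values, for URL-valued attributes, and for values dropped into JavaScript or served as JSON. The scheme allow-list in `safe_href` and the attacker strings are assumptions constructed for the example; only JSON::PP from core is used.

```perl
use strict;
use warnings;
use JSON::PP ();   # core module

# Context 1: text between tags, or inside a double-quoted attribute value.
# (Unquoted attributes need far more; always quote them in the template.)
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Context 2: URL-valued attributes (href, src, <meta http-equiv="refresh">).
# Entity-escaping "javascript:alert(1)" changes nothing: the browser still runs it.
# Only an allow-list of schemes helps; this list is an assumption for the example.
sub safe_href {
    my ($url) = @_;
    $url =~ s/[\x00-\x20]//g;      # control chars/whitespace can hide "java\tscript:"
    return '#' unless $url =~ m{\A(?:https?://|/(?!/)|mailto:)}i;
    return escape_html($url);      # still attribute-escape what survives
}

# Context 3: a template variable inside <script>, or a JSON response. Encode as
# JSON, then neutralise "<", ">" and "&" so that a "</script>" inside the value
# cannot close the element and the body is safe to embed verbatim.
sub js_value {
    my ($value) = @_;
    my $json = JSON::PP->new->ascii->allow_nonref->canonical->encode($value);
    $json =~ s/</\\u003c/g;
    $json =~ s/>/\\u003e/g;
    $json =~ s/&/\\u0026/g;
    return $json;
}

# Constructed attacker-controlled values, one per context.
my %untrusted = (
    name => q{<img src=x onerror=alert(1)>},
    link => q{javascript:alert(document.cookie)},
    note => q{</script><script>alert(1)</script>},
);

print '<p>Hello, ', escape_html($untrusted{name}), "</p>\n";
print '<a href="', safe_href($untrusted{link}), '">profile</a>', "\n";
print '<script>var note = ', js_value($untrusted{note}), ";</script>\n";
print "Content-Type: application/json\n\n", js_value(\%untrusted), "\n";
```

The last line is the JSON-response case from the slide: a JSON body that is later inserted into a page is only safe if the encoder already neutralised `<`, `>` and `&`, which is why `js_value` serves both contexts.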
  10-11. Cookies
     Sign cookies, so a client cannot change the value without detection.
     Preventing XSS is hard. Set the HttpOnly cookie flag for better protection: scripts cannot read the cookie, so a stray XSS does not hand over the session. Add Secure as well when the site runs over HTTPS.
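Added example (not code from the talk) of a signed cookie: the value is paired with an HMAC-SHA256 tag, verified in constant time, and emitted with the HttpOnly flag. It uses only core modules; the key and session id are constructed placeholders, and in a real app the key comes from configuration, not source.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module

my $KEY = 'constructed-secret-key-load-from-config';   # assumed; rotate it, never commit it

# value.hmac  -- the value stays readable, the tag proves we issued it.
sub sign_cookie {
    my ($value) = @_;
    die "cookie value must not contain '.'" if $value =~ /\./;
    return $value . '.' . hmac_sha256_hex($value, $KEY);
}

# Compare two tags without leaking, via timing, where they first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the value if the tag checks out, undef otherwise.
sub verify_cookie {
    my ($cookie) = @_;
    my ($value, $sig) = $cookie =~ /\A([^.]*)\.([0-9a-f]{64})\z/ or return;
    return constant_time_eq($sig, hmac_sha256_hex($value, $KEY)) ? $value : undef;
}

# HttpOnly keeps document.cookie from seeing it; Secure limits it to HTTPS.
sub set_cookie_header {
    my ($name, $value) = @_;
    return "Set-Cookie: $name=" . sign_cookie($value) . "; Path=/; HttpOnly; Secure";
}

my $header = set_cookie_header('sid', 'a1b2c3d4');   # constructed session id
print "$header\n";

my ($cookie) = $header =~ /sid=([^;]+)/;
print "genuine: ", (verify_cookie($cookie) // 'REJECTED'), "\n";

(my $forged = $cookie) =~ s/\Aa1b2c3d4/ffffffff/;    # client edits the value, keeps the tag
print "forged:  ", (verify_cookie($forged) // 'REJECTED'), "\n";
```

Signing prevents tampering, not disclosure: anything confidential still needs encryption or should stay server-side with only an opaque session id in the cookie.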
  12. CSRF
     Plack::Middleware::CSRF
  13-15. Path traversal
     ../../../../../../etc/passwd
     Detect ..
     File::Spec->no_upwards(@paths);
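Added example, not from the slides, of putting `File::Spec->no_upwards` to work. The caveat a practitioner needs: `no_upwards` only drops list entries that are exactly `.` or `..`, so it must be fed the path split into components; called on the whole string `"../../etc/passwd"` it returns it unchanged. The document root, the file-name allow-list and the request strings are assumptions constructed for the example.

```perl
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

my $ROOT = '/var/www/files';   # assumed document root

# Turn a user-supplied relative path into an absolute one under $ROOT,
# or return undef if any component tries to escape.
sub clean_relative_path {
    my ($user_path) = @_;
    return if $user_path =~ /\0/;                             # NUL truncates C-level names
    return if File::Spec->file_name_is_absolute($user_path);
    my @parts = grep { length } File::Spec->splitdir($user_path);   # drop empty ("a//b")
    my @kept  = File::Spec->no_upwards(@parts);               # removes "." and ".." entries
    return if @kept != @parts;                                # something was filtered: reject
    return if grep { !/\A[\w.-]+\z/ } @kept;                  # assumed allow-list per component
    return File::Spec->catfile($ROOT, @kept);
}

# Second layer for an existing file: resolve symlinks and confirm the real
# location is still under $ROOT (a symlink inside the root can point outside it).
sub within_root {
    my ($path) = @_;
    my $real = realpath($path) // return 0;   # undef when the file does not exist
    my $root = realpath($ROOT) // return 0;
    return index($real, "$root/") == 0;
}

# Constructed requests: one legitimate, three hostile.
for my $req ('reports/2012/q1.pdf',
             '../../../../../../etc/passwd',
             'reports/../../../etc/passwd',
             "q1.pdf\0.txt") {
    (my $shown = $req) =~ s/\0/\\0/g;
    my $path = clean_relative_path($req);
    printf "%-32s -> %s\n", $shown, defined $path ? $path : 'REJECTED';
}
```

`within_root` is the check to run after `clean_relative_path` when serving the file, since the first function reasons about the string only and knows nothing about symlinks on disk.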
  16. Perl-specific security issues
  17-19. No buffer overflow
     Perl manages string memory for you, so your own code cannot overflow a buffer.
     Most system commands are built into the language (no shelling out for file or process work).
     Written by smart people.
     The caveat: the interpreter and XS modules are C, so the usual memory-safety bugs can still live there.
  20. use strict; use warnings;
  21. Tainting: -T
     Under -T every value from outside the program (%ENV, @ARGV, STDIN, files, sockets) is tainted and cannot reach system(), open() for writing, eval, unlink and similar sinks until a regex capture has explicitly untainted it.
  22. Checking whether a value is tainted (from perlsec):
     sub is_tainted {
         local $@;   # don't clobber the caller's $@
         # The inner string eval is a no-op comment, but compiling it with a
         # tainted argument dies with "Insecure dependency", so the outer eval fails.
         return !eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
     }
  23. system()
     system("program $arg");     # one string: handed to /bin/sh, so ";", "|", "`" in $arg run commands
     vs
     system('program', $arg);    # list form: exec() directly, $arg is a single argument
  24. open()
     open my $fh, ">$file";      # two-arg form: the string is parsed for mode characters, so $file can change what happens
     vs
     open my $fh, '>', $file;    # three-arg form: $file is only ever a path
  25. eval()
     eval "require $class";
  26. A string eval compiles whatever is in $class, so the class name becomes code:
     load_class("Foo;print 'nice feature!'")
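Added example (not the talk's code) of a `load_class` that cannot be abused this way: the name is validated against an allow-list pattern, which also untaints it under -T, and the module is loaded with a plain `require` of a file name rather than a string eval. The pattern is an assumption for the example; restrict it to a known namespace prefix where you can. Module::Runtime on CPAN performs the same validation.

```perl
use strict;
use warnings;

# Allow-list for a plugin class name: identifiers joined by "::", nothing else.
# The capture untaints the name under -T. Assumed pattern for the example;
# tighten to e.g. /\AMyApp::Plugin::\w+\z/ when the namespace is known.
sub load_class {
    my ($name) = @_;
    my ($class) = $name =~ /\A([A-Za-z_]\w*(?:::\w+)*)\z/
        or die "refusing to load suspicious class name '$name'\n";
    (my $file = "$class.pm") =~ s{::}{/}g;
    require $file;     # no string eval: nothing in the name is ever compiled as code
    return $class;
}

# A real core module loads normally...
my $ok = load_class('File::Spec');
print "loaded $ok\n";

# ...and the payload from the slide is rejected before anything is compiled.
my $loaded = eval { load_class("Foo;print 'nice feature!'") };
print "attack stopped: $@" unless defined $loaded;
```

`require $file` with a string argument still honours @INC, so the usual search path applies; what changes is that the argument is treated as a file name, never as Perl source.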
  27. \0 (the NUL byte)
  28. $file = "/bin/ls\0 /etc|";
      if (-e $file) { open my $fh, $file; }
     The file test is a C-level stat(): it stops at the NUL and happily reports that "/bin/ls" exists. The two-argument open sees the whole string, notices the trailing "|" and runs it as a command. The check and the use disagree, so reject NUL in any string that reaches the filesystem.
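Added example, not from the slides, tying slides 21 to 24 and 27 to 28 together: run it with `perl -T` so @ARGV is tainted, untaint the file name through an allow-list capture that also rejects NUL, and then use only the shell-free list forms of `open` and `system`. The file-name allow-list and the attacker strings are constructed for the example.

```perl
use strict;
use warnings;

# Under -T a tainted %ENV is itself a fatal dependency for system()/piped open(),
# so fix PATH and drop the variables a shell would consult.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Returns an untainted file name, or undef if the input is not a plain name.
sub untaint_filename {
    my ($name) = @_;
    return if $name =~ /\0/;                           # NUL: stat() and open() would disagree
    my ($clean) = $name =~ /\A([\w.-]+)\z/ or return;  # assumed allow-list; the capture untaints
    return $clean;
}

# system("wc -l $name") would hand the string to /bin/sh. A piped open in list
# form execs wc directly, so metacharacters in the name are just bytes.
sub count_lines {
    my ($name) = @_;
    my $clean = untaint_filename($name) // return;
    open my $fh, '-|', 'wc', '-l', '--', $clean or return;
    my ($n) = <$fh> =~ /(\d+)/;
    close $fh;
    return $n;
}

# Three-argument open: $clean is a path and nothing else, whatever it contains.
sub read_file {
    my ($name) = @_;
    my $clean = untaint_filename($name) // die "bad file name\n";
    open my $fh, '<', $clean or die "open $clean: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed inputs: shell injection and the NUL trick from the slide.
for my $name (@ARGV ? $ARGV[0] : 'report.txt; echo PWNED', "/bin/ls\0 /etc|") {
    (my $shown = $name) =~ s/\0/\\0/g;
    my $n = count_lines($name);
    print defined $n ? "$shown: $n lines\n" : "rejected: $shown\n";
}
```

With a tainted name and no `untaint_filename`, Perl under -T stops the piped open with "Insecure dependency in piped open while running with -T switch", which is the safety net; the allow-list is what lets legitimate names through.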
  29-30. CGI & ARGV
     script.pl?foo
     The CGI specification lets the web server pass a query string that contains no "=" (an "indexed query") to the script as command-line arguments, so @ARGV is attacker-controlled. Code like
       $app->run(@ARGV);
     therefore runs with whatever the client put in the URL. Never treat @ARGV as trusted in a CGI script.
  31. Regular expressions
     if ($string =~ m/$user_supplied_re/) { ... }       # user input compiled as a pattern
     vs
     if ($string =~ m/\Q$user_supplied_re\E/) { ... }   # \Q...\E (quotemeta) makes it a literal
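Added example, not from the talk, showing the difference on a few constructed log lines: a user-supplied pattern can match everything (or, with a pathological pattern, keep the regex engine busy), while `\Q...\E` reduces it to a substring search.

```perl
use strict;
use warnings;

# Constructed log lines to search.
my @log = (
    '2012-05-12 10:01 alice login ok',
    '2012-05-12 10:02 bob login failed',
    '2012-05-12 10:03 root sudo ok',
);

# Vulnerable: the string is compiled as a pattern. ".*" matches every line,
# and nested-quantifier patterns can make the engine backtrack for a very long time.
sub search_unsafe {
    my ($user_re) = @_;
    return grep { /$user_re/ } @log;
}

# Hardened: \Q...\E (the same as quotemeta) escapes every metacharacter,
# so the user string can only ever match itself literally.
sub search_safe {
    my ($user_text) = @_;
    return grep { /\Q$user_text\E/ } @log;
}

for my $term ('bob', '.*', 'login (ok|failed)') {
    printf "%-20s unsafe=%d  safe=%d\n", $term,
        scalar search_unsafe($term), scalar search_safe($term);
}
```

If a feature genuinely needs user-supplied patterns, cap their length and reject nested quantifiers before compiling; `quotemeta` is the right answer only when the user meant a literal string.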
  32. Unicode: utf8 vs UTF-8
     In Encode, "utf8" (no dash) is Perl's lax internal flavour that accepts surrogates and code points above U+10FFFF; "UTF-8" (with a dash) is the strict standard encoding. Decode untrusted bytes with "UTF-8".
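Added example (not from the slides) that decodes two constructed byte sequences with both names: strict "UTF-8" with FB_CROAK rejects them, lax "utf8" hands back characters that standard-conforming code downstream does not expect.

```perl
use strict;
use warnings;
use Encode qw(decode FB_CROAK);   # core module

# Constructed byte strings that look like UTF-8 but encode forbidden values.
my %bytes = (
    surrogate    => "\xED\xA0\x80",      # encoding of U+D800, reserved for UTF-16 pairs
    out_of_range => "\xF4\x90\x80\x80",  # would be U+110000, above the Unicode maximum
);

# "UTF-8": the strict standard encoding; FB_CROAK turns bad input into an exception.
# Returns undef when the bytes are rejected.
sub decode_strict {
    my ($raw) = @_;
    return eval { decode('UTF-8', $raw, FB_CROAK) };
}

# "utf8": Perl's lax internal flavour; surrogates and values above U+10FFFF pass.
sub decode_lax {
    my ($raw) = @_;
    no warnings 'utf8';   # silence the "surrogate"/"non_unicode" warnings for the demo
    return decode('utf8', $raw);
}

for my $case (sort keys %bytes) {
    my $strict = decode_strict($bytes{$case});
    my $lax    = decode_lax($bytes{$case});
    printf "%-13s strict: %-8s lax: U+%04X\n", $case,
        defined $strict ? 'accepted' : 'rejected', ord $lax;
}
```

The same rule applies to I/O layers: `binmode($fh, ':encoding(UTF-8)')` is strict, `:utf8` is not, so use the former on sockets and uploaded files.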
  33. rand()
     rand() is not cryptographically secure: it is a small-state PRNG with a guessable seed, so never use it for session ids, tokens or passwords.
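Added example, not from the talk: the same srand() seed reproduces the same "token" from rand(), while bytes read from the kernel CSPRNG do not repeat. It assumes a Unix-like system with /dev/urandom; Crypt::URandom and Math::Random::Secure on CPAN wrap this portably.

```perl
use strict;
use warnings;

# rand() is driven by a small seed: anyone who learns or guesses the seed
# (or observes a few outputs) can reproduce every "random" value that follows.
sub predictable_token {
    my ($seed) = @_;
    srand($seed);
    return join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
}

# Read $n bytes from the kernel CSPRNG (assumes /dev/urandom exists).
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# 128 bits of entropy, hex encoded; use 32 bytes for session identifiers.
sub secure_token {
    return unpack 'H*', random_bytes(16);
}

print "rand() with seed 42: ", predictable_token(42), "\n";
print "rand() with seed 42: ", predictable_token(42), "\n";   # identical to the line above
print "urandom:             ", secure_token(), "\n";
print "urandom:             ", secure_token(), "\n";           # fresh every call
```

Perl seeds rand() automatically from a mix of time and process data when srand() is not called, which is enough to differ between runs but not enough to stop an attacker who can narrow the seed space and replay the generator.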
  34-38. How to make life easier?
     Use modules from CPAN. Many of them are time-proved.
     Google "OWASP".
     Follow best practices.
     Use scanners:
       nikto     http://cirt.net/nikto2
       skipfish  http://code.google.com/p/skipfish/
       w3af      http://w3af.sourceforge.net/
  39. Questions?
