About Me
The Tip of the Iceberg
• Input Validation
• Parameterized Commands
• Safe functions
• Indirect Object References
• Encrypt Data
• Safe Memory Management
• Neutralize Output
Input Validation
• Only allow input that you are expecting
• Would you let someone in your house if you thought they should not be there?
• Block lists are inefficient
• Would you maintain a block list of people that cannot come to your house?
• Block listing is like giving keys to your house to everyone except a few unwanted visitors.
LET'S PLAY, SPOT THE VALIDATION PROBLEM!
Answer: Both
Answer: Top
Special Characters Not Needed
• Many parameter types are not intended to contain symbols or punctuation
• Many are not even intended to contain Unicode characters
• Parameters going into database queries such as ID, true/false, asc/desc have an even smaller character set
Allow-lists shown: Alphanumeric; Alphanumeric + .-_
Input Validation Function Example
A Simple Multi-Purpose Function
isAlphanumOrEx("true")
isAlphanumOrEx("desc")
isAlphanumOrEx("21845816438168")
isAlphanumOrEx("0x0709750fa566")
isAlphanumOrEx("Cr2i7nHq6qiMEs")
isAlphanumOrEx("site.local",'.')
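An allow-list validator of the kind the slide's isAlphanumOrEx() calls imply, added here as an example and not the deck's own code: is_alphanum_or_ex and the wrapper names are mine, and the deck's six sample calls are the values it is meant to accept. It checks ASCII ranges directly rather than calling isalnum(), whose answer depends on the process locale.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Accepts ASCII letters and digits plus any character listed in `extra`
 * (NULL means no extras). Rejects empty strings, bytes >= 0x80 (so no
 * Unicode), control characters, whitespace and every other symbol.
 * isalnum() is deliberately avoided: its result depends on the process
 * locale, and an allow-list must not widen when the locale changes. */
bool is_alphanum_or_ex(const char *s, const char *extra)
{
    if (s == NULL || *s == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)s; *p != '\0'; p++) {
        unsigned char c = *p;
        bool alnum = (c >= '0' && c <= '9') ||
                     (c >= 'A' && c <= 'Z') ||
                     (c >= 'a' && c <= 'z');
        if (alnum)
            continue;
        /* Only printable ASCII can be allow-listed through `extra`. */
        if (extra != NULL && c >= 0x20 && c < 0x7f && strchr(extra, (int)c) != NULL)
            continue;
        return false;
    }
    return true;
}

/* The two allow-lists from the "Special Characters Not Needed" slide. */
bool is_alphanum(const char *s)
{
    return is_alphanum_or_ex(s, NULL);
}

bool is_alphanum_dot_dash_underscore(const char *s)
{
    return is_alphanum_or_ex(s, ".-_");
}

/* Identifiers also have a known maximum length; checking it together with
 * the character set rejects an oversized value before it reaches a
 * fixed-size buffer or a query. */
bool is_valid_identifier(const char *s, size_t max_len)
{
    return is_alphanum(s) && strlen(s) <= max_len;
}
```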
$\text{Vulnerabilities} = F\left(\frac{\text{Input}}{1 + \text{Validation}}\right)$
Attacks Prevented by Input Validation
• Injection
• Path Traversal
• Cross-Site Scripting
• Open Redirect
• Deserialization
…
How About the Irish?
• Names, comments, articles and free text require quotes:
  • O'Brien, don't, "putting things in quotes"
• While input validation reduces the attack surface, it cannot prevent all attacks
To sum all it up…
• Input Validation reduces the attack surface and prevents many attack types
• Block-listing is a bad practice
• Many input types are alphanumeric
• For those input types that need special characters we need different defenses
CONCATENATION … causes Injection!
COMMAND + INPUT = INJECTION
Parameterization (Command Constant + Parameter 1 Input + Parameter 2 Input, passed separately to the Command Interpreter) … prevents Injection!
LET'S PLAY, SPOT THE INJECTION!
Answer: Top
Answer: Top
ORM Frameworks
• ORM = Object Relational Mapping
• ORM Frameworks keep developers away from SQL Queries
• Popular ORM Framework: Hibernate
Diagram: Object (Field1 Input, Field2 Input) → Command Constant + Parameter 1 Input + Parameter 2 Input → Command Interpreter
To sum all it up…
• Parameterized Commands handle situations where hazardous characters are needed
• ORM Frameworks prevent mistakes
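The COMMAND + INPUT = INJECTION picture above carried out with a shell command instead of SQL, as an added example that is not from the deck: a file-existence check built by concatenation beside the same check with the input handed to a constant script as a separate parameter ($1). It assumes a POSIX system with /bin/sh; the function names are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs /bin/sh -c <script>; when `arg` is non-NULL it becomes $1 inside
 * the script. Returns the child's exit status, or -1 if it could not run. */
static int run_sh(const char *script, const char *arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (arg != NULL)
            execl("/bin/sh", "sh", "-c", script, "sh", arg, (char *)NULL);
        else
            execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127); /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* CONCATENATION (vulnerable): COMMAND + INPUT. The request parameter is
 * pasted into the command text, so the interpreter parses the input as
 * shell syntax. A value such as "no_such_file; true" turns one command into
 * two, and the exit status of the second one is what gets reported. */
bool file_exists_concat(const char *path)
{
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "test -e %s", path);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return false;
    return run_sh(cmd, NULL) == 0;
}

/* PARAMETERIZED: the command text is a constant and the input travels as a
 * separate argument ($1). Whatever characters it contains, it is only ever
 * one operand of `test`, never additional commands. */
bool file_exists_param(const char *path)
{
    return run_sh("test -e \"$1\"", path) == 0;
}
```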
Problems with Memory
• Classic Overflow
• Incorrect Calculation of Buffer Size
• Off by One
• Format String Injection
• Use-after-free
Memory Safer Functions
fgets(dest_buff, BUFF_SIZE, stdin);
snprintf(dest_buff, BUFF_SIZE, format, …);
strncpy(dest_buff, src_buff, BUFF_SIZE);
strncmp(buff1, buff2, BUFF_SIZE);
If the BUFF_SIZE argument is larger than the size of the buffer: OVERFLOW!
Check Boundaries
• A simple comparison against a known limit constant can go a long way to prevent serious logical attacks.
• Pay special attention to comparison operators
  • < vs <=: using <= where < is meant leads to an off-by-one
• Make sure the same constant is used to define the buffer size and to check boundaries
Memory Injection?
• Format String Injection is a type of memory flaw caused by concatenating or using user input in a format parameter.
LET'S PLAY, SPOT THE MEMORY PROBLEM!
Answer: Bottom (use of dangerous functions)
Answer: Bottom (incorrect calculation of buffer size)
Answer: Top (Format String Injection)
Answer: Top (Off by One)
To sum all it up…
• Safer functions allow limiting the number of bytes read into the buffer
• Even with safe functions, special attention should be paid to the size specified; it is very important to use constants to prevent mistakes
• Do not allow user input in format strings
• Be careful with the <= operator
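The safer functions from the slide used with one shared BUFF_SIZE constant, written as an added example that is not the deck's code. It also shows two things the slide's one-line calls leave implicit: strncpy(dest, src, BUFF_SIZE) does not terminate the string when the source is too long, and snprintf's return value is how truncation is detected.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One constant defines the buffer AND every boundary check, so the two
 * cannot drift apart (the "incorrect calculation of buffer size" flaw). */
#define BUFF_SIZE 16

/* Valid indexes into a BUFF_SIZE array are 0 .. BUFF_SIZE-1.
 * Writing `idx <= BUFF_SIZE` here is the off-by-one from the slides:
 * it admits index BUFF_SIZE, one element past the end. */
bool index_in_bounds(size_t idx)
{
    return idx < BUFF_SIZE;
}

/* Bounded copy that is always NUL-terminated.
 * strncpy(dest, src, BUFF_SIZE) alone is not enough: when strlen(src) >=
 * BUFF_SIZE it writes no terminator, and a later strlen() or printf("%s")
 * reads past the buffer. Returns false when the input was truncated. */
bool bounded_copy(char dest[BUFF_SIZE], const char *src)
{
    strncpy(dest, src, BUFF_SIZE - 1);
    dest[BUFF_SIZE - 1] = '\0';
    return strlen(src) < BUFF_SIZE;
}

/* Formats user data into a fixed buffer. The format string is a literal and
 * the user value is an argument; snprintf(out, BUFF_SIZE, name) would be the
 * format-string injection the slides describe. snprintf returns the length
 * it wanted to write, so n >= BUFF_SIZE means the output was cut. */
bool greet(char out[BUFF_SIZE], const char *name)
{
    int n = snprintf(out, BUFF_SIZE, "Hi %s", name);
    return n >= 0 && n < BUFF_SIZE;
}

/* Reads one line with fgets, which stops after BUFF_SIZE-1 bytes and always
 * terminates. The trailing newline is stripped; if none is present the line
 * was longer than the buffer and the remainder is still in the stream. */
bool read_line(char buf[BUFF_SIZE], FILE *in)
{
    if (fgets(buf, BUFF_SIZE, in) == NULL)
        return false;
    buf[strcspn(buf, "\n")] = '\0';
    return true;
}
```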
Securing Data
• The General Data Protection Regulation (GDPR) has put additional emphasis on maintaining the security and privacy of data
• Data should be transmitted and stored securely
• Cryptography is one critical way to achieve this mandate
  • Secure protocols: TLS 1.2, TLS 1.3
  • Secure cipher suites: ECDHE key exchange
  • Strong signature hashes: SHA-2
  • Reject invalid certificates and, even better, enforce certificate pinning
  • Strong authenticated symmetric encryption in transit and at rest: AES-256-GCM
• Other ways:
  • Anonymize private data
  • Do not collect or send private data
  • Short data retention
  • Ensure customer control over their own data
LET'S PLAY, SPOT THE DATA BREACH!
Answer: Top (Password stored with weak unsalted hash)
Answer: Bottom (User and password transmitted in clear text)
Answer: Top (Person details and credit card number saved in the clear to S3 bucket)
To sum all it up…
• Avoid collecting data on individuals
• Pseudonymize the data: strong salted hashes can be used, or key data replaced with *
• Use strong cryptographic algorithms
• All communication should be encrypted
• Data classification is risky, so when in doubt, encrypt all data
Protect the Web UIs
• Enterprise applications are using Web UIs
• HTML is good looking, platform independent and powerful
• JavaScript libraries such as jQuery, React and Angular make UIs responsive and versatile
Cross-Site Scripting (XSS)
• The ability to inject arbitrary JavaScript into a web page
  • Reflected
  • Stored
  • DOM based
• Easy to introduce
• Easy to find
• Leads to data breaches through spoofing attacks
Defending against XSS
• Input validation ;)
• Neutralize Output
  • Server Pages -> HTML Encoding (Escaping)
    • < becomes &lt;
    • > becomes &gt;
    • " becomes &quot;
  • JavaScript (DOM XSS)
    • Dangerous Attributes: innerHTML, src, onLoad, onClick, etc…
    • Dangerous Functions: eval, setTimeout, setInterval
HTML Encoding Neutralizes XSS
LET'S PLAY, SPOT THE XSS!
Answer: Bottom (User input is written into the page as is)
Answer: Bottom (Data is written into a dangerous HTML attribute)
Answer: Top (Code is executing a dangerous function, actually an example of code injection)
Answer: Bottom (Input is being reflected between the <script> tags)
To sum all it up…
• XSS is easy to introduce and easy to find
• Encoding should be applied to all server-side generated content
• Additional encoding of single quotes is required
• Dangerous HTML contexts should be handled with care or avoided
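A server-side HTML encoder for the three replacements on the slide plus the single quote the summary calls for (and the ampersand, which must be encoded as well so entity text typed by a user is not decoded), added here as an example rather than the deck's code; html_encode and html_entity are my names.

```c
#include <stddef.h>
#include <string.h>

/* Replacement entity for a character that can change how HTML is parsed,
 * or NULL if the character is safe to emit as-is. */
static const char *html_entity(char c)
{
    switch (c) {
    case '&':  return "&amp;";   /* without this, user-typed "&lt;" would render as "<" */
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#x27;";  /* the extra single-quote encoding from the summary slide */
    default:   return NULL;
    }
}

/* Writes the HTML-encoded form of `in` to `out` (capacity out_size, NUL
 * included). Returns the encoded length, or -1 if `out` is too small; the
 * caller must treat -1 as a failure, never as "close enough". This is
 * correct for text between tags and inside quoted attribute values only:
 * a value placed inside a <script> block, an event handler, a URL or a CSS
 * rule needs the encoding for that context, which is why the slides say
 * to avoid those contexts for user data. */
int html_encode(const char *in, char *out, size_t out_size)
{
    size_t used = 0;
    for (; *in != '\0'; in++) {
        const char *rep = html_entity(*in);
        size_t len = rep != NULL ? strlen(rep) : 1;
        if (used + len >= out_size)   /* keep one byte for the terminator */
            return -1;
        if (rep != NULL)
            memcpy(out + used, rep, len);
        else
            out[used] = *in;
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}
```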
Indirect Object References
• Object accessed indirectly through an intermediary identifier
• Prevents parameter path manipulation
  • fileId=1 vs file=/etc/passwd
• Prevents transmission of potentially sensitive data in URLs
  • userId=2 vs user=john_doe
• Input validation is facilitated (identifiers are numbers or GUIDs)
LET'S PLAY, SPOT THE PATH TRAVERSAL!
Answer: Top (Input is concatenated to a system path allowing manipulation)
To sum all it up…
• Reduce the attack surface by enforcing access to objects through identifiers rather than their actual representation
• Identifiers are easier to input-validate and also avoid encoding issues
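The fileId=1 vs file=/etc/passwd contrast from the slide as an added example that is not the deck's code: a strictly parsed numeric id resolved through a server-side table, beside the concatenated form a reviewer should flag. The base directory, the table contents and the function names are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: the directory the application serves files
 * from, and the server-side table that maps public identifiers to names. */
#define FILES_BASE "/srv/app/files/"

static const struct {
    long id;
    const char *name;
} FILE_TABLE[] = {
    { 1, "report-q1.pdf" },
    { 2, "report-q2.pdf" },
    { 3, "invoice-0042.pdf" },
};

/* Strict decimal parse for an identifier: digits only (no sign, no
 * whitespace, no trailing text, no overflow). This is the "identifiers are
 * easy to input-validate" point from the slide. */
static bool parse_id(const char *param, long *id)
{
    if (param == NULL || *param < '0' || *param > '9')
        return false;
    char *end = NULL;
    errno = 0;
    long v = strtol(param, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;
    *id = v;
    return true;
}

/* INDIRECT: fileId=1. The client supplies only a number; the path comes
 * entirely from the table. Fills `out` and returns true on success. An
 * authorization check (may this user read this id?) belongs at the lookup. */
bool resolve_by_id(const char *file_id_param, char *out, size_t out_size)
{
    long id;
    if (!parse_id(file_id_param, &id))
        return false;
    for (size_t i = 0; i < sizeof FILE_TABLE / sizeof FILE_TABLE[0]; i++) {
        if (FILE_TABLE[i].id == id) {
            int n = snprintf(out, out_size, "%s%s", FILES_BASE, FILE_TABLE[i].name);
            return n > 0 && (size_t)n < out_size;
        }
    }
    return false;
}

/* DIRECT (the vulnerable form the slide contrasts with): file=<name> is
 * concatenated onto the base directory, so "../" sequences in the input
 * walk out of it. Shown only so a reviewer recognises the pattern. */
bool resolve_by_name_concat(const char *file_param, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "%s%s", FILES_BASE, file_param);
    return n > 0 && (size_t)n < out_size;
}
```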
Security Code Review 101