
The Anti pattern


Most common application security vulnerabilities are more or less variants of the same thing, "the anti-pattern". The anti-pattern is typically: (1) an externally supplied input, and (2) a powerful API operating directly on that input. The main point of the presentation was to highlight why the Criteria API (or parameterized queries, where Criteria-style APIs are not available) should be used.
Presented at Opkoko 2012.

Published in: Technology, Lifestyle

The Anti pattern

  1. The Anti-Pattern
       input = GET["username"]
       statement = "code " + input
       execute(statement)
  2. The Anti-Pattern: INPUT -> EXECUTE, where EXECUTE is any powerful API fed directly by the input:
       • sql
       • ldap
       • eval
       • response.write
       • file.open
       • reflection
       • control.the.computer
  3. Anti-Anti Patterns
  4. Code not Text! Text query languages suck. Criteria & Entity API: WIN
  5. Code not Text
       // Criteria API: the input is bound as a value, never spliced into query text
       Root<Pet> pet = cq.from(Pet.class);
       cq.where(cb.equal(pet.get(Pet_.name), input));
       // versus text concatenation, where the input becomes part of the statement
       s = "SELECT * FROM pet WHERE pet.name = " + input
       executeSQL(s)
  6. Fear String.Concat. Parameterized Queries: use placeholders (bind parameters) instead of concatenating user input.
  7. Remove String.Concat
       // parameterized: the statement is prepared first, the input bound afterwards
       s = "SELECT * FROM pet WHERE pet.name = @name"
       ps = prepare(s)
       ps.bind("@name", input)
       // versus text concatenation:
       s = "SELECT * FROM pet WHERE pet.name = " + input
       executeSQL(s)
  8. Defense in depth
  9. INPUT -> GUARD -> EXECUTE, with the GUARD throwing an Exception on rejected input
  10. Defense in Depth
       input = GET["username"]
       if (whitelist.bad(input)) {
           secLog("reject...")
           throw new Exception()
       }
  11. Summary
       • Most common security coding vulns are variants of the same anti-pattern
       • Use easy safe-by-design APIs
         – Entity & Criteria API
         – SQLi is hard =)
       • Fear String.Concat
         – String operations are the mother of all evil
         – Parameterize if you must stick to text!
       • Defend in Depth!
         – The anti-pattern can also be broken by input validation.
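As an added example (not code from the presentation), the concatenation anti-pattern of slides 5 and 7 beside its parameterized form and the slide 10 guard, written in Python with sqlite3 rather than the slides' pseudocode and JPA; the pet table, its rows and the allow-list pattern are constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory sample data (assumption, not from the slides).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pet (name TEXT, owner TEXT)")
    con.executemany("INSERT INTO pet VALUES (?, ?)",
                    [("Rex", "alice"), ("Tom", "bob"), ("Ada", "carol")])
    return con

# Slides 5/7, unsafe side: the untrusted text is spliced into the
# statement, so it can change the query's structure, not just the value
# being compared. This is the anti-pattern: INPUT -> EXECUTE.
def find_pet_concat(con: sqlite3.Connection, user_input: str) -> list:
    s = "SELECT name, owner FROM pet WHERE name = '" + user_input + "'"
    return con.execute(s).fetchall()

# Slide 7, safe side: prepare the statement with a placeholder and bind
# the input as a value afterwards (sqlite3 uses '?' where the slide uses '@name').
def find_pet_param(con: sqlite3.Connection, user_input: str) -> list:
    s = "SELECT name, owner FROM pet WHERE name = ?"
    return con.execute(s, (user_input,)).fetchall()

# Slide 10 guard (defense in depth): allow-list the input's shape before it
# reaches the powerful API. Assumption: a pet name is letters, spaces or hyphens.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z -]{0,63}")

def guarded_lookup(con: sqlite3.Connection, user_input: str) -> list:
    if not NAME_RE.fullmatch(user_input):
        # the slide calls secLog("reject...") here before throwing
        raise ValueError("rejected input")
    return find_pet_param(con, user_input)
```

Run with a value containing a single quote and the concatenated query changes meaning while the parameterized one simply finds no such name; the guard never lets it reach either.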
