The Anti pattern
The Anti-Pattern
input = GET["username"]
statement = "code " + input
execute(statement)
The Anti-Pattern
- sql
- ldap
- eval
- response.write
- file.open
- reflection
- control.the.computer
INPUT → EXECUTE
Anti-Anti Patterns
Code not Text!
Text query languages suck.
Criteria & Entity API: WIN
Code not Text
CriteriaBuilder cb = em.getCriteriaBuilder();
CriteriaQuery<Pet> cq = cb.createQuery(Pet.class);
Root<Pet> pet = cq.from(Pet.class);
cq.where(cb.equal(pet.get(Pet_.name), input));  // input is passed as a value, never spliced into query text
// not this:
s = "SELECT * FROM pet WHERE pet.name = '" + input + "'"
executeSQL(s)
Fear String.Concat
Parameterized queries: use bind-parameter placeholders instead of concatenating user input
Remove String.Concat
s = "SELECT * FROM pet WHERE pet.name = @name"
ps = prepare(s)
ps.bind("@name", input)
// not this:
s = "SELECT * FROM pet WHERE pet.name = '" + input + "'"
executeSQL(s)
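A runnable version of the two patterns on this slide, added here as an example and not code from the deck: Python with the standard-library sqlite3 module, a constructed in-memory `pet` table, and function names of my own. The same three inputs go through the concatenated statement and the parameterized one, so you can see where the two diverge.

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny in-memory pet table.
SAMPLE_PETS = ["Rex", "Mittens", "O'Malley"]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pet (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO pet (name) VALUES (?)", [(n,) for n in SAMPLE_PETS])
    conn.commit()
    return conn


def find_pet_concat(conn, user_input):
    """The anti-pattern: INPUT -> concatenate into text -> EXECUTE.
    Whatever the user typed becomes part of the SQL *code*, so a quote in
    the input changes the statement instead of being matched as data."""
    s = "SELECT name FROM pet WHERE pet.name = '" + user_input + "'"
    return [row[0] for row in conn.execute(s)]


def find_pet_param(conn, user_input):
    """'Remove String.Concat': the statement is a constant with a placeholder
    and the input is bound separately, so the driver treats it as a value."""
    s = "SELECT name FROM pet WHERE pet.name = ?"
    return [row[0] for row in conn.execute(s, (user_input,))]


def compare(user_input):
    """Run one input through both paths and return (concat_result, param_result).
    A concat_result of None means the database rejected the concatenated
    statement as malformed SQL."""
    conn = make_db()
    try:
        concat = find_pet_concat(conn, user_input)
    except sqlite3.OperationalError:
        concat = None
    param = find_pet_param(conn, user_input)
    conn.close()
    return concat, param


if __name__ == "__main__":
    # The third value is a constructed test input of the kind a unit test uses
    # to confirm that quotes and keywords in input stay data, not code.
    for value in ["Rex", "O'Malley", "x' OR 'a'='a"]:
        print(repr(value), "->", compare(value))
```

Note what happens with a perfectly legitimate name: `O'Malley` makes the concatenated statement fail outright, while the bound parameter matches it. The parameterized path returns nothing for the third input, which is the correct answer, since no pet has that literal name.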
Defense in depth
INPUT → GUARD → EXECUTE (GUARD: Exception on rejected input)
Defense in Depth
input = GET["username"]
if (whitelist.bad(input)) {
  secLog("reject")
  throw new Exception()
}
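One concrete form of that guard, added here as an example rather than code from the deck: an allowlist check for a username in Python. The character class and length limit are an assumed policy, not something the slides specify, and the names `guard_username`, `handle_request` and `InputRejected` are mine.

```python
import logging
import re

# Assumed allowlist policy (not from the slides): 3 to 32 ASCII letters, digits,
# dot, underscore or hyphen. Tighten it to whatever your application accepts.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")

security_log = logging.getLogger("security")


class InputRejected(Exception):
    """Raised by the guard; execution never reaches EXECUTE with this input."""


def guard_username(user_input):
    """The GUARD step: allowlist check, security log entry, exception.
    Returns the input unchanged when it passes."""
    if not isinstance(user_input, str) or not USERNAME_RE.fullmatch(user_input):
        # Log a bounded, repr()-escaped copy so the rejected value cannot push
        # newlines or control characters into the log itself.
        shown = user_input[:64] if isinstance(user_input, str) else user_input
        security_log.warning("rejected username input: %r", shown)
        raise InputRejected("username failed allowlist check")
    return user_input


def handle_request(get_params):
    """Mirror of the slide's `input = GET["username"]` followed by the guard."""
    user_input = get_params.get("username", "")
    return guard_username(user_input)


def is_accepted(user_input):
    """True when the guard lets the value through, False when it rejects it."""
    try:
        guard_username(user_input)
        return True
    except InputRejected:
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for value in ["alice_01", "O'Malley", "ab", "x' OR 'a'='a"]:
        print(repr(value), "->", "accepted" if is_accepted(value) else "rejected")
```

The allowlist also rejects a real name like `O'Malley`, which is the trade-off of validating by shape: it is why the guard is the second layer in front of a parameterized query, not a substitute for one.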
Summary
- Most common security coding vulns are variants of the same anti-pattern
- Use easy safe-by-design API
- Entity & Criteria API: SQLi is hard =)
- Fear String.Concat
- String operations are the mother of all evil
- Parameterize if you must stick to text!
- Defend in Depth!
- The anti-pattern can also be broken by input validation.