Dealing with User Input Securely
Kim Carter, OWASP Day 2013-09-12
Agenda
Demonstrate vulnerabilities
Increase knowledge, awareness and desire to test
Discuss practical techniques and approaches that increase our defences
Why the hacker always has the advantage
Learn to enjoy breaking your own software. It'll make you a better developer.
Our builders must think like breakers.
Developer's day job: write code. Hacker's day job: break code.
What does Poor Sanitisation look like?
OWASP ZAP also has a REST API. Useful for regression test suites.
If we have time at the end, we'll go over some AJAX XSS.
Quality
What is Quality?
Do we as builders care?
Why we should care
What's Our Software Doing With All That User Input
Quality
But increasing quality is expensive, right?
Quality
Not necessarily
My Philosophy on Quality
Everyone on the team needs to be thinking about it.
Not just the testers.
Reducing faults much earlier in the cycle.
User Input Sanitisation Strategies
All code should be driven by executable specifications, especially sanitisation logic.
Based around my following two blog posts:
http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-part-1/
http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-part-2/
Main components were a WCF service which dished up XSL'd XML as HTML to an existing web app.
User Input Sanitisation Strategies
Threat modelling
Defence in depth
Minimising attack surface
Field length validation, including structured data
Parametrised Queries / Prepared Statements
Least privilege
White lists
How to escape untrusted data for the different execution contexts
File uploads not covered
Why bother with client side
Leveraging existing libraries
Threat modelling
Ideally performed at design time
Identify the real risks. How?
Decomposition
Determine entry points, assets, trust levels of users
Analyse dependencies
Determine & rank threats
Determine security controls to prevent threats
Defence in depth
Multiple layers may seem redundant
Think of each layer as the only layer
Attempt to stop the attack as soon as possible
User Interface (Mark-up, JavaScript, CSS)
Client / Server Comms
Server side (internet facing)
Back end code
Data store
Minimising attack surface
Field length validation (client side)
Minimising attack surface
Field length validation (server side)
Minimising attack surface
Constrain fields to well structured data: dates, post codes, e-mail addresses, check boxes, radio buttons.
Minimise free-form text input.
Hard to create small white lists for free-form text.
Parametrised Queries / Prepared Statements
Least privilege
White lists
Decide which characters are essential for each input.
Can now use the HTML5 pattern attribute on the input tag. Doesn't cover textareas.
Client Side
1. Type the characters in
2. [ctrl]+[v] characters in clipboard
3. Right click -> Paste
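The two slides above (executable specifications for sanitisation logic, and white lists with field length validation that can also be expressed through the HTML5 pattern attribute) can be tied together in one piece of server-side code. The following is an added example, not code from the talk or from the blog posts it refers to: the field names, the white-list patterns and the length limits are constructed for illustration, and the executable specification is a plain table of expected verdicts that the validator is run against.

```javascript
// Added example (not from the talk): white-list validation driven by per-field specs.
// Each spec is a length cap plus the smallest character white list the field needs.
// Field names, patterns and limits are constructed for illustration.
const fieldSpecs = {
  // Four-digit post code: structured data, tiny white list, fixed length
  postCode: { maxLength: 4, pattern: /^[0-9]{4}$/ },
  // ISO date rather than free text
  dob: { maxLength: 10, pattern: /^[0-9]{4}-[0-9]{2}-[0-9]{2}$/ },
  // Deliberately narrow e-mail white list; widen only when a real requirement appears
  email: { maxLength: 254, pattern: /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ },
  // Free-form text: a length cap and a white list of the characters actually needed
  comment: { maxLength: 200, pattern: /^[A-Za-z0-9 .,'!?-]*$/, multiline: true },
};

function validateField(name, value) {
  const spec = fieldSpecs[name];
  if (!spec) return { ok: false, reason: 'unknown field' };      // not in the specs: reject
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > spec.maxLength) return { ok: false, reason: 'too long' }; // length before regex
  if (!spec.pattern.test(value)) return { ok: false, reason: 'characters outside white list' };
  return { ok: true };
}

// Validates a whole submission. Missing fields are checked as empty strings, and any key
// the specs do not know about is rejected, so unexpected parameters never reach the back end.
function validateForm(input) {
  const errors = {};
  for (const name of Object.keys(fieldSpecs)) {
    const r = validateField(name, input[name] ?? '');
    if (!r.ok) errors[name] = r.reason;
  }
  for (const name of Object.keys(input)) {
    if (!(name in fieldSpecs)) errors[name] = 'unknown field';
  }
  return errors;
}

// Emits the same constraint as HTML5 attributes for the client side. The pattern attribute
// applies to <input> only: a <textarea> gets maxlength and relies on the server-side white list.
function renderControl(name) {
  const spec = fieldSpecs[name];
  if (spec.multiline) {
    return `<textarea name="${name}" maxlength="${spec.maxLength}"></textarea>`;
  }
  // The pattern attribute is implicitly anchored, so strip the ^ and $ from the regex source.
  const source = spec.pattern.source.replace(/^\^/, '').replace(/\$$/, '');
  return `<input name="${name}" maxlength="${spec.maxLength}" pattern="${source}">`;
}

// Executable specification for the sanitisation logic: each case states the expected verdict.
const sanitisationSpec = [
  { field: 'postCode', value: '6011', expect: true },
  { field: 'postCode', value: '60111', expect: false },          // too long
  { field: 'postCode', value: '60a1', expect: false },           // outside white list
  { field: 'email', value: 'kim@example.com', expect: true },
  { field: 'email', value: 'kim@example.com<b>', expect: false }, // mark-up is not in the list
  { field: 'comment', value: 'Great talk, thanks!', expect: true },
  { field: 'comment', value: 'x'.repeat(201), expect: false },   // over the length cap
];

// Returns the cases whose verdict differs from the specification (empty when all pass).
function runSpec() {
  return sanitisationSpec
    .filter(c => validateField(c.field, c.value).ok !== c.expect)
    .map(c => `${c.field}=${JSON.stringify(c.value)}`);
}

console.log('spec failures:', runSpec());
console.log(renderControl('postCode'));
```

Because the white list lives in one place, the client-side attribute and the server-side check cannot drift apart, and the specification table is where a new requirement (say, a wider e-mail alphabet) is written down before the pattern is changed.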
Server Side
Escaping
Escape all characters depending on the potential execution contexts they may end up in, even if they are not in your white lists.
Get away with the following escaping example only if you deal with untrusted data in HTML elements and you're sure your attributes are all quoted.
Escaping details for additional contexts here:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
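The escaping example on the slide itself is an image that did not survive extraction. The following is an added example, not the talk's code: an encoder for the HTML element and quoted-attribute contexts following the character list in the OWASP XSS Prevention Cheat Sheet linked above, a renderer that always quotes its attributes, and a small scan that flags an unquoted attribute in a template fragment, since that is the one condition under which this encoder alone is not enough. The comment text is constructed.

```javascript
// Added example (not from the talk): escaping for the HTML element and quoted-attribute
// contexts only. The six characters are the ones the OWASP cheat sheet lists for this context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',   // &apos; is not in HTML 4, so the numeric entity is used
  '/': '&#x2F;',   // forward slash can help close an HTML entity or tag, so it is escaped too
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, ch => HTML_ESCAPES[ch]);
}

// Renders a stored comment into mark-up. Every attribute is double quoted: escapeHtml is only
// sufficient inside an attribute when that attribute is quoted.
function renderComment(author, body) {
  return `<div class="comment" data-author="${escapeHtml(author)}">${escapeHtml(body)}</div>`;
}

// A deliberately small review check for templates: an attribute whose value does not start
// with a quote is reported, because escaped data placed there could still break out on a space.
function hasUnquotedAttribute(markup) {
  return /\s[A-Za-z-]+=(?!["'])[^\s>]/.test(markup);
}

// Constructed sample: a comment body that would be interpreted as mark-up if left unescaped.
console.log(renderComment("Tom & Jerry's", '<i>hi</i>'));
console.log(hasUnquotedAttribute('<div class=comment>'));   // true: fix the template first
```

Other contexts (a JavaScript string, a URL parameter, a CSS value) need their own encoder; reusing escapeHtml there is the classic mistake the cheat sheet warns about.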
Client Side
Server Side
Why bother with client side
User Experience
Server side sanitisation can be a lot slower.
When an honest user submits their data, they're not going to get server side exceptions due to validation.
Leveraging existing libraries
Useful:
- OWASP Encoding Project (Reform library). Supports Perl, Python, PHP, JavaScript, ASP, Java, .NET
- OWASP Enterprise Security API
Not so useful:
- Microsoft Anti-Cross Site Scripting Library
A lot more detail on my blog: blog.binarymist.net
Using: http://google-gruyere.appspot.com/
Stored XSS via AJAX
When the user clicks the refresh button, the response looks like:
In the mark-up the snippet looks like:
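The response and mark-up screenshots from the Gruyere demo are not part of the extracted page. The following is an added example, not the talk's or Gruyere's code, of the defensive side of that scenario: a stored snippet list is serialised for an AJAX refresh so that it is valid JSON on the wire and also safe to inline into a script block, and the client parses it as data rather than executing it. The snippet record, its field names and the sample body are constructed.

```javascript
// Added example (not from the talk or Gruyere): serialising stored snippets for an AJAX
// refresh. Record shape and sample values are constructed for illustration.

// JSON is not HTML-safe: a '</script>' inside a string value ends an inline script block.
// Replacing the characters HTML and JavaScript treat specially with \u escapes keeps the
// output valid JSON, and both JSON.parse and the JS engine read them back as the originals.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, ch =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed sample of what a stored record might contain once an attacker has posted to it.
const storedSnippets = [
  { author: 'mallory', body: '</script><b>not a tag</b>' },
  { author: 'alice', body: 'Tom & Jerry' },
];

// Server side: the body of the AJAX refresh response.
function refreshResponse(snippets) {
  return jsonForScript({ snippets });
}

// Server side: the same data inlined into the initial page, where the escaping matters most.
function inlineScript(snippets) {
  return `<script>var snippets = ${jsonForScript(snippets)};</script>`;
}

// Client side: parse the response as data, check its shape, and never hand it to eval or
// innerHTML. Rendering then goes through textContent or an HTML encoder, not string concatenation.
function parseRefresh(text) {
  const data = JSON.parse(text);
  if (!Array.isArray(data.snippets)) throw new Error('unexpected response shape');
  return data.snippets.map(s => ({ author: String(s.author), body: String(s.body) }));
}

console.log(inlineScript(storedSnippets));
console.log(parseRefresh(refreshResponse(storedSnippets)));
```

The round trip is the property worth testing: the escaped response must parse back to exactly the stored text, and the inlined page must contain only one closing script tag, the real one.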
Resources
Threat Modelling
- https://www.owasp.org/index.php/Application_Threat_Modeling
- https://www.owasp.org/index.php/Threat_Risk_Modeling
Cheat Sheets and Check Lists I found helpful
- https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
- https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository
- https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat
- https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
- https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines