Secure Code Warrior - Trust no input
Download as PPTX, PDF0 likes157 views
The document outlines the importance of validating user input in application security to prevent various attacks such as SQL injection and command execution. It emphasizes limiting user options, server-side validation, and proper error handling to mitigate risks associated with malformed data. Key practices include using whitelisting, blacklisting, and rejecting or sanitizing invalid input from various sources.
Secure Code Warrior - Trust no input
- 1. Trust No Input Application Security Fundamentals by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
- 2. The service or application should not accept input without further validation. This avoids performing the next execution steps with possibly outdated, malformed, or malicious data. What could happen? All kinds of input-based attacks, such as SQL injection, cross-site scripting, cross- site request forgery, command execution, and local file access. Additionally, improper validation of input coming from files, databases, or the network can result in system failure or compromise. How to implement it? Limit the user’s liberty when providing input to the application. Validate all input before execution by using a secure validation scheme, including input coming from files, other services, or databases. What’s the concept about?
- 3. An application allows users to make calculations based on values in a database. The user wants to calculate “7*height”. Because of a mistake, ”height” was set to -5 in the database. However, the application expects height and the result of the calculation to be a positive number. The application does not proceed with the calculation, but instead shows the user an error message. To protect against unexpected errors, the application validates the input before further processing. Bad database value Trust No Input Understanding the concept Calculat e: 7 x height 7 x -5 = An error occurred. Application height = -5 If height <= 0 Then show_error() Calculate: 7 x height
- 4. An application allows users to make calculations based on values in a database. The user wants to calculate “7*height”. Because of a mistake, ”height” was set to -5 in the database. However, the application expects height and the result of the calculation to be a positive number. The result is -45, which causes an exception because of the negative sign and crashes the application. The application does not check the value received from the database before doing the calculation. Bad database value Trust No Input What could happen with the concept? Application height = -5 Calculate: 7 x height
- 5. An application could potentially be vulnerable to command injection. A GET parameter ‘fileToDelete’ is passed to the system shell. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request. The application matches the / to the blacklist and does not execute the command. Instead the attacker is presented an error message. The application validates the input before executing the command. It has a blacklist of characters that aborts the execution. OS command injection Trust No Input Understanding the concept Blacklist: /:*?”<>| Error: Blacklisted character!http://site.com/action/delete? fileToDelete=oldFile.txt; rm - rf /var/www file = request.getParameter(‘fileToDelete’); validatedFile = validate(file); execShellCommand(“rm ”+ validatedFile) Application Serverhttp://site.com/action/delete? fileToDelete=aFile.txt
- 6. This time, the application is vulnerable to command injection. The GET parameter ‘fileToDelete’ is passed to the system shell without prior validation. An attacker crafts a malicious URL: he appends a shell command to the parameter value of a request. All the web application files are deleted. The web application becomes unavailable. The application appends the GET parameter to the command string and the malicious command is executed. OS command injection Trust No Input What could happen with the concept? http://site.com/action/delete? fileToDelete=oldFile.txt; rm - rf /var/www Application Serverhttp://site.com/action/delete? fileToDelete=aFile.txt file = request.getParameter(‘fileToDelete’); execShellCommand(“rm ”+ file) rm –rf /var/www
- 7. ! NEVER trust user input ! Limit a user’s options when providing input. Example: drop-down list using an index number instead of full context. Perform server-side validation using one of the following schemes: Exact match Whitelisting Blacklisting If possible, reject invalid data. Otherwise, clean or escape it. Consider input coming from all types of sources. Users, files, database, network, external services. Trust No Input Typical controls 1 2 3