The Anti Pattern
my theory is that many vulnerabilities are the same thing in code
I think many appsec materials are written from a pentest point of view, not a coding one
simplify by focusing on code / patterns, not attacks
Anti Pattern: run a powerful method with unsafe input
lots of vulnerabilities almost the same thing
...in the code
Developers should feel the same as code security auditor when looking at unsafe code
anti pattern: INPUT directly connected to EXECUTE
untrusted input acts as a control variable to an executing method
eval
ldap
sql
(presenter mess up ;)
response write
file access
java: reflection
simplified: everything is allowing input to control a powerful method
should not be hard for devs to "feel" that this kind of code is wrong
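The INPUT-connected-to-EXECUTE shape, as an added example that is not from the talk or these notes: a constructed toy service where a user-supplied string names the method to run (the reflection case from the list above), next to the same feature with the input only selecting from a fixed table of reviewed handlers. The class, method names and the `ALLOWED_ACTIONS` table are assumptions made up for the illustration.

```python
class ReportService:
    """Constructed sample service: two operations meant for callers, one internal."""

    def summary(self):
        return "summary report"

    def export(self):
        return "exported"

    def _purge_all(self):
        # Internal maintenance routine; never meant to be reachable from a request.
        return "everything deleted"


def run_action_unsafe(service, action):
    # ANTI-PATTERN: the untrusted string is the control variable of a powerful
    # method (reflection). Whatever name the caller supplies is looked up and run,
    # so the set of reachable code is defined by the input, not by the developer.
    return getattr(service, action)()


# The fix: input chooses among fixed, reviewed choices and never names code.
ALLOWED_ACTIONS = {
    "summary": ReportService.summary,
    "export": ReportService.export,
}


def run_action_safe(service, action):
    handler = ALLOWED_ACTIONS.get(action)
    if handler is None:
        raise ValueError(f"unknown action: {action!r}")
    return handler(service)


def reachable_actions():
    # What a code reviewer can enumerate for the safe variant: exactly the table keys.
    return sorted(ALLOWED_ACTIONS)


if __name__ == "__main__":
    svc = ReportService()
    print(run_action_safe(svc, "summary"))
    print(reachable_actions())
```

The review test for the "feel" the talk describes is whether you can list, from the code alone, every method the input can reach; the dispatch table makes that list two lines long, the `getattr` version makes it "every attribute of the object".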
there are solutions!
solutions slightly different depending on which powerful method
sql is a nice example
move from text query languages to code
java: Criteria API
.NET: Entity Framework
code, not text: code injection is impossible if no text is evaluated as code at runtime
why the sql injection vulnerable code is vulnerable
great if user input isn't part of execution
nearly impossible to go wrong here
you really need to try hard to find a way to screw up in Criteria API / Entity Framework
impossible to get a standard vulnerability into this
if you really want to keep string evals, remove concatenations
applies to code base where you cannot easily migrate to safer APIs
"If I concatenate strings, I probably have a vuln"
xss, SQLi etc, user input into powerful methods
sql: parameterized queries, wildcards instead of string concatenations
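The SQL case worked through, as an added example that is not from the talk or these notes: the concatenated query (the "I probably have a vuln" shape), the parameterized query, and a LIKE search where the wildcard goes into the bound value rather than the query text. It uses Python's standard sqlite3 module with a constructed in-memory table so it runs offline; the table and rows are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table seeded in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_concat(conn, name):
    # ANTI-PATTERN: untrusted input is spliced into the query text, so it can
    # change the structure of the statement the database executes.
    query = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def find_user_param(conn, name):
    # Parameterized: the statement text is fixed at coding time; the input is
    # only ever bound as data, so it can match or not match, never restructure.
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


def find_users_by_prefix(conn, prefix):
    # Wildcard search without concatenating into the query: the '%' is part of
    # the bound value, the SQL text still has no user input in it.
    query = "SELECT name FROM users WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (prefix + "%",))]


def compare(conn, name):
    # Same input through both paths, to make the difference visible in a review.
    return {"concat": find_user_concat(conn, name), "param": find_user_param(conn, name)}


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "bob"))
    # The classic input that turns a name lookup into "match every row" when
    # concatenated, and matches nothing when bound as a parameter.
    print(compare(db, "' OR '1'='1"))
    print(find_users_by_prefix(db, "c"))
```

Both lookups return the same result for an ordinary name; the difference only shows up when the input contains quote characters, which is exactly why the concatenated form passes functional testing and still ships the vulnerability.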