Network Security & Hardware - eWeek

Network Security & Hardware: Whodunit? Finding Security Vulnerabilities in Application Code


Application security has to start during the development process: vulnerable code should be fixed before an application is ever pushed out to the public. Much has been written about the secure software development lifecycle; now it's time to test security pros and developers alike. Can you find the vulnerabilities in the code?

Sorry—there is no prize involved, just a minor brainteaser for those of you who design applications or are charged with assessing their security. The code on the slides was provided by Veracode and Qualys.
 
  • Whodunit? Finding Security Vulnerabilities in Application Code
    by Brian Prince
    code provided by Veracode and Qualys
  • File/Path Manipulation
    Path manipulation occurs when the software lets user input control or influence a path used in a filesystem operation. An attacker who controls such a path can read or overwrite files outside the intended directory, including system files and other files critical to the application.
  • The Answer
    The code is vulnerable to file/path manipulation because of insufficient input validation (CWE-20, Improper Input Validation) on the fn parameter, which leads to arbitrary file retrieval: a value containing ../ sequences, or an absolute path, is passed straight into the file open. The fix is to resolve the requested path and refuse anything outside the intended directory, or better, to map fn against an allow-list of known file names.
  • Hands Off the Database
    SQL injection remains one of the most widely exploited attack vectors. When untrusted input is spliced into a SQL statement, the query that actually executes returns a different result set from the one the application intended (or performs actions it never intended), and the attacker gains unauthorized access to, or modifies, the data residing in the database on the server.
  • The Answer
    The code is vulnerable to SQL injection because it builds an ad hoc query by concatenating the untrusted employeeID parameter into the SQL string. The fix is to pass employeeID as a bound parameter of a prepared statement and, since it is an identifier with a known shape, to reject anything that is not a well-formed ID before the query runs.
  • Solving Cross-site Scripting
    Cross-site scripting (XSS) remains one of the most common vulnerabilities affecting Web applications. A successful exploit runs attacker-supplied script in the victim's browser with the origin of the vulnerable site, bypassing access controls such as the same-origin policy.
  • The Answer
    In this case, moving the <title> to after the <meta> tag prevents XSS attacks that trick the browser into using UTF-7 to decode the payload when the page should actually be rendered as UTF-8. Anything attacker-influenced that precedes the charset declaration (here, the page title) can contain bytes that make a sniffing browser choose a different encoding; in UTF-7 the sequence +ADw- decodes to <, so a payload with no literal angle brackets slips past output filters that only look for < and >. Declaring the charset first (the HTML standard requires the declaration within the first 1024 bytes) takes the decision away from the sniffer. Browsers that follow the WHATWG Encoding Standard no longer support UTF-7 at all, but the ordering rule still matters for every other encoding a sniffer might guess.
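For the File/Path Manipulation slide, here is an added Python example (not the Veracode/Qualys code from the slides) of a file-retrieval function in the shape the slide describes, beside a hardened version that canonicalises the path and refuses anything outside the intended directory. The directory layout, file names and the `read_report_*` function names are constructed for this demo.

```python
"""Path manipulation: the vulnerable lookup beside a hardened one."""
import os
import tempfile


def make_demo_tree():
    """Create a constructed directory layout for the demo (not real app data).

    Returns (base_dir, root_dir). The application is only meant to serve
    files under base_dir; root_dir holds a file that must stay unreachable.
    """
    root = tempfile.mkdtemp(prefix="pathdemo-")
    base = os.path.join(root, "reports")
    os.makedirs(base)
    with open(os.path.join(base, "q1.txt"), "w") as fh:
        fh.write("quarterly report")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("db password")
    return base, root


def read_report_vulnerable(base, fn):
    """The slide's pattern: fn goes into a filesystem path unvalidated (CWE-20).

    '../secret.txt' walks out of base, and an absolute fn makes
    os.path.join discard base entirely.
    """
    with open(os.path.join(base, fn)) as fh:
        return fh.read()


def read_report_safe(base, fn):
    """Canonicalise the requested path and refuse anything outside base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, fn))
    # realpath collapses '..' and follows symlinks; after that, the only
    # paths still allowed are the base directory's own descendants.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes the report directory: %r" % fn)
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    base, root = make_demo_tree()
    print(read_report_vulnerable(base, "../secret.txt"))   # leaks the secret
    try:
        read_report_safe(base, "../secret.txt")
    except ValueError as exc:
        print("blocked:", exc)
```

The realpath-then-commonpath check is the general form of the fix; an allow-list of permitted file names is simpler when the set of files is fixed. Note that a symlink created between the realpath call and the open could still point elsewhere, so on servers where attackers can create files the base directory itself must not be writable by them.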
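For the Hands Off the Database slide, here is an added Python example (not the slide's own code) that builds an in-memory SQLite table and shows the ad hoc employeeID query beside a version that validates the identifier and binds it as a parameter. The table, the rows and the `lookup_*` names are constructed for this demo.

```python
"""SQL injection: ad hoc string building beside a parameterised query."""
import sqlite3


def build_db():
    """Constructed in-memory sample table (not the slide's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [(1, "Alice", 120000), (2, "Bob", 95000), (3, "Carol", 101000)],
    )
    return conn


def lookup_vulnerable(conn, employee_id):
    """The slide's pattern: the untrusted employeeID is pasted into the SQL.

    '1 OR 1=1' turns a single-row lookup into a dump of the whole table.
    """
    sql = "SELECT name FROM employees WHERE id = " + employee_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, employee_id):
    """Validate the identifier, then bind it as a parameter.

    The '?' placeholder means the driver sends the value separately from
    the statement text, so no part of employee_id can change the query's
    structure. The int() check is an extra allow-list: an employee ID is
    a number, so anything else is rejected before the database sees it.
    """
    try:
        eid = int(employee_id)
    except (TypeError, ValueError):
        raise ValueError("employeeID must be an integer, got %r" % (employee_id,))
    sql = "SELECT name FROM employees WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (eid,))]


if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, "1 OR 1=1"))   # every employee
    print(lookup_safe(conn, "1"))
    try:
        lookup_safe(conn, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Parameter binding alone is enough to stop the injection; the type check is there because rejecting malformed input early gives a clear error and a log line instead of an empty result set.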
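For the Solving Cross-site Scripting slide, here is an added Python example (not the slide's own code) that builds the classic UTF-7 form of a script tag, shows that a bracket-only filter passes it while a UTF-7 decoder turns it back into markup, and renders the page with the <title> before and after the charset <meta> along with a check for the ordering rule. The page skeleton, the `render_page_*` names and the payload are constructed for this demo.

```python
"""XSS via charset sniffing: why the charset <meta> must precede the <title>."""
import base64
import html
import re


def utf7_payload(text):
    """Rewrite '<' and '>' in text as UTF-7 shifted sequences.

    Each bracket becomes '+' + modified-base64 of its UTF-16BE form + '-',
    e.g. '<' -> '+ADw-'. Everything else stays as plain ASCII. (Python's own
    utf-7 encoder leaves '<' and '>' as-is, so this is done by hand.)
    """
    out = []
    for ch in text:
        if ch in "<>":
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii")
            out.append("+" + b64.rstrip("=") + "-")
        else:
            out.append(ch)
    return "".join(out)


def naive_filter_passes(value):
    """An output filter that only looks for literal angle brackets."""
    return "<" not in value and ">" not in value


def decode_as(payload, charset):
    """What a browser that settled on `charset` would see for these bytes."""
    return payload.encode("ascii").decode(charset)


def render_page_vulnerable(title):
    """The slide's 'before': untrusted <title> precedes the charset declaration."""
    return (
        "<html><head>"
        "<title>" + html.escape(title) + "</title>"
        '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
        "</head><body></body></html>"
    )


def render_page_fixed(title):
    """The slide's 'after': charset is declared before any untrusted content."""
    return (
        "<html><head>"
        '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
        "<title>" + html.escape(title) + "</title>"
        "</head><body></body></html>"
    )


def charset_declared_before_title(doc):
    """Check the ordering rule: charset <meta> must come before the <title>."""
    meta = re.search(r"<meta[^>]*charset=", doc, re.IGNORECASE)
    title = re.search(r"<title", doc, re.IGNORECASE)
    return meta is not None and (title is None or meta.start() < title.start())


if __name__ == "__main__":
    attack = utf7_payload("<script>alert(1)</script>")
    print(attack)                         # +ADw-script+AD4-alert(1)+ADw-/script+AD4-
    print(naive_filter_passes(attack))    # True: no literal brackets to escape
    print(decode_as(attack, "utf-7"))     # <script>alert(1)</script>
    print(charset_declared_before_title(render_page_vulnerable(attack)))  # False
    print(charset_declared_before_title(render_page_fixed(attack)))       # True
```

Both renderers run the title through html.escape, which is the right thing for an ordinary payload but does nothing here because the UTF-7 form contains no characters that escaping touches; that is exactly why the charset must be fixed before any attacker-controlled bytes appear.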