Download as PDF, PPTX
![JavaScript
Types Differences
{} + {} = NaN
{} + [] = 0
[] + {} = "[object Object]"
[] + [] = ""
{} - 1 = -1
[] - 1 = -1
-1 + {} = "-1[object Object]"
-1 + [] = "-1"](https://image.slidesharecdn.com/sc3-140725125400-phpapp02/85/Secure-Coding-Web-Application-Security-Vulnerabilities-and-Best-Practices-32-320.jpg)
![JavaScript
Obfuscation
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")
[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$
$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$
$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.
$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=
$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+
$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+
$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.
$_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__
+"("+$.__$+""+$.$__+$.___+")"+""")())();
!
// equal to
!
alert(1);](https://image.slidesharecdn.com/sc3-140725125400-phpapp02/85/Secure-Coding-Web-Application-Security-Vulnerabilities-and-Best-Practices-33-320.jpg)
![JavaScript
Types Differences
{} + {} = NaN
{} + [] = 0
[] + {} = "[object Object]"
[] + [] = ""
{} - 1 = -1
[] - 1 = -1
-1 + {} = "-1[object Object]"
-1 + [] = "-1"](https://image.slidesharecdn.com/sc3-140725125400-phpapp02/75/Secure-Coding-Web-Application-Security-Vulnerabilities-and-Best-Practices-32-2048.jpg)
![JavaScript
Obfuscation
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")
[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$
$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$
$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.
$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=
$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+
$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+
$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+$.
$_$_+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$$_+$._$_+$.__
+"("+$.__$+""+$.$__+$.___+")"+""")())();
!
// equal to
!
alert(1);](https://image.slidesharecdn.com/sc3-140725125400-phpapp02/75/Secure-Coding-Web-Application-Security-Vulnerabilities-and-Best-Practices-33-2048.jpg)
Uploaded byWebsecurify
Secure Coding - Web Application Security Vulnerabilities and Best Practices
The document discusses secure coding principles and vulnerabilities in different programming languages. It provides examples of vulnerabilities in PHP, JavaScript, Ruby, Struts, and C. Key secure coding principles discussed include minimizing the attack surface, establishing secure defaults, least privilege, defense in depth, and failing securely. Specific vulnerabilities addressed include PHP hash collisions, PHP remote code execution, JavaScript type issues, Ruby system commands, and Struts dynamic method invocation.
Softwareโฆ
More Related Content
Similar to Secure Coding - Web Application Security Vulnerabilities and Best Practices
Secure Coding - Web Application Security Vulnerabilities and Best Practices
- 1. Secure Coding Web ApplicationSecurityVulnerabilities and Best Practices
- 2.
- 3.
- 4.
- 5.
- 6. Security Principles โข MinimiseAttack Surface Area โข Establish Secure Defaults โข Principle of Least Privilege โข Principle of Defence in Depth โข Fail Securely โข Separation of Duties โข Avoid Security by Obscurity โข Keep Security Simple โข Fix Security Issues Correctly
- 7. Minimise Attack Surface โขEvery feature or technology is a risk. โข Secure development is all about reducing the risk by minimising the attack surface.
- 8.
- 9. Establish Secure Defaults โข Bydefault a system should be secure out- of-the-box. โข It should be up to the user to reduce their security if allowed.
- 10.
- 11. Principle of Least Privilege โขUse the least possible privilege to perform the required business task.
- 12. Donโt be theluser!
- 13. Principle of Defencein Depth โข Always consider that upper layers are already compromised.
- 14. This is howwe do it.
- 15. Fail Securely โข Codefails regularly.
- 16. Fail Securely isAdmin =true; ! try { codeWhichMayFail(); isAdmin = isUserInRole("Administrator"); } catch (Exception ex) { log.write(ex.toString()); }
- 17. Separation of Duties โขSome roles have different levels of trust than normal users.
- 18.
- 19. Avoid Security By Obscurity โขSecurity By Obscurity is a weak security control. โข Security By Obscurity depends on knowledge.
- 20. Donโt be likeDawson!
- 21. Keep Security Simple โขSimplicity leads to better understanding the system and its constraints.
- 22.
- 23. Fix Security Issues Correctly โขUnderstand the root cause of the problem. โข Identify the the pattern of the problem. โข Some issues are wide-spread across the code base. โข Develop a Fix โข Develop Tests
- 24. Fix Security IssuesCorrectly PHP Hash Collision DOS(CVE-2011-4885) โข Problem: PHP was found vulnerable to a denial of service by submitting a large amount of specially crafted variables โข Solution: max_input_vars was introduced to limit the number of variables that can be used in a request
- 25. Fix Security IssuesCorrectly PHP Remote Code Execution(CVE-2012-0830) if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) { php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC); } ! ... code removed ... ! PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC) { ! ... code removed ... ! if (is_array) { ! ... code removed ... ! if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } ! ... code removed ... ! symtable1 = Z_ARRVAL_PP(gpc_element_p); ! ... code removed ... ! }
- 26. Fix Security IssuesCorrectly PHP Remote Code Execution(CVE-2012-0830) โข Vulnerability occurs when max_input_vars is exceeded and the variable is an array. โข Code execution occurs when Z_ARRVAL_PP is called to obtain reference of an updated hashtable. โข If number of variables is greater than max_input_vars, gpc_element will point to the previous variable value, which is not initialised memory.
- 27.
- 28. Rails/Grails/MVC โข Model/View/Controller andscaffolding paradigm is often abused.
- 29. Python โข Python hasa funny way of dealing with different data types.
- 30.
- 31. JavaScript Type Problems โข JavaScripthas loose semantics on its types.
- 32. JavaScript Types Differences {} +{} = NaN {} + [] = 0 [] + {} = "[object Object]" [] + [] = "" {} - 1 = -1 [] - 1 = -1 -1 + {} = "-1[object Object]" -1 + [] = "-1"
- 33.
- 34. C โข In Cthe type system is completely arbitrary. You can do whatever you like with pointers.
- 35. Ruby โข The Rubylanguage supports the use of system commands. โข Kernel.system provides means of injecting malicious input into the application to bypass security measures.
- 36. Struts โข Struts allowsyou to do dynamic method invocation โข http://host/struts2_security_vulnerability/ changepassword!changePassword.action? newPassword=my_new_password&username=bruce โข <init-param>โจ <param- name>struts.enable.DynamicMethodInvocation</ param-name><param-value>false</param- value></init-param>
- 37.