Hello and welcome to the Cybrary secure coding course.
My name is Sonny Wear, and this is OWASP Top 10 for 2013,
A10 Unvalidated Redirects and Forwards: Mitigations, Countermeasures and Defenses.
So for our defenses overview, we're going to take a look at three general areas where we can prevent unvalidated redirects and forwards. Those areas are whitelisting domains with custom code, tokenization, and the use of a Content Security Policy directive.
We're going to take a look at whitelisting domains with custom code
and look at how that can be done even if you have to maintain multiple domains.
Tokenization can be applied to external site URLs that reside beyond the control of your own domains.
And then for the Content Security Policy directive, we're going to look specifically at the connect-src directive and its components. First, whitelisting domains with custom code.
What we're going to do here is create a whitelist of acceptable domains. These are usually domains owned by the company.
In situations where there have been mergers and acquisitions, there could be many .com domains that are acceptable. So if you take a look at the try block here,
we receive a canonical hostname and check the address of it, ensuring that the domain actually conforms to one of the acceptable names. What this does is vet the URL
prior to redirecting to it. One detail that matters in practice: compare the hostname that the URL parser extracts, not a substring of the raw string, because a URL like https://example.com.evil.com or https://example.com@evil.com contains the trusted name but does not go to it.
If the hostname doesn't conform, of course, it is untrusted,
and we go ahead and log an error rather than follow the redirect.
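The course slide for this check is not reproduced here, so the following is an added example, written for Node.js and not taken from the course. It assumes a company whitelist of two domains (ALLOWED_DOMAINS), an https-only policy, and an assumed site origin (SITE_BASE) against which relative targets are resolved; all of the domain names are constructed for illustration. It goes slightly beyond the lecture by also rejecting non-https schemes and URLs that carry credentials, since both are common ways to smuggle a trusted-looking name into an untrusted target.

```javascript
// Added example (not from the course): validate a redirect target against a
// whitelist of company-owned domains using Node's WHATWG URL parser.
// ALLOWED_DOMAINS, ALLOWED_SCHEMES and SITE_BASE are assumptions for this example.
const ALLOWED_DOMAINS = ["example.com", "example-acquired.com"];
const ALLOWED_SCHEMES = new Set(["https:"]);
const SITE_BASE = "https://www.example.com/"; // assumed origin for relative targets

// Canonicalize a hostname: lowercase and drop a trailing dot. The URL parser
// already lowercases and applies IDNA, but normalize defensively anyway.
function canonicalHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True if the host equals an allowed domain or is a subdomain of one.
// The suffix match includes the dot, so "example.com.evil.com" is rejected.
function hostAllowed(host) {
  const h = canonicalHost(host);
  return ALLOWED_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Returns the validated absolute URL string, or null if the target is untrusted.
// Every rejection is logged through `log` (console.error by default).
function validateRedirect(target, log = console.error) {
  let url;
  try {
    // Relative targets resolve against our own origin. Note that "//evil.com"
    // is protocol-relative and resolves to https://evil.com/, so it is vetted
    // like any other absolute URL rather than being trusted as "relative".
    url = new URL(target, SITE_BASE);
  } catch (e) {
    log(`redirect rejected: unparsable target ${JSON.stringify(target)}`);
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    log(`redirect rejected: scheme ${url.protocol} in ${url.href}`);
    return null;
  }
  // "https://www.example.com@evil.com" parses with userinfo; refuse it outright.
  if (url.username || url.password) {
    log(`redirect rejected: credentials present in ${url.href}`);
    return null;
  }
  if (!hostAllowed(url.hostname)) {
    log(`redirect rejected: host ${url.hostname} not in whitelist`);
    return null;
  }
  return url.href;
}
```

The caller redirects only when validateRedirect returns a non-null value; a null result means the target was logged and dropped, and the user should be sent to a safe default page instead.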
Now, tokenization is where we map a token in place of the direct object, or, in this case, replace a direct URL with a token instead.
What you need to do, of course, is make sure you have validation in place that checks the token value against the whitelist. In other words, don't leave the token value open-ended. Keep
the set of values very tight: numeric, enumerated, et cetera.
What we have here is a regex pattern match for digits, a minimum of one digit and a maximum of two, and then we fall into our switch statement, where we match the particular digit
against the corresponding case number and substitute in
the literal URL. This is just one example. There could be other implementations of the same idea, such as the enumeration or array listings we talked about before.
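As an added example (not the course's switch-statement slide), here is the same idea in Node.js using a frozen lookup table, which is the "array listing" variant the lecture mentions. The token table, the partner URLs and the one-to-two-digit token format are assumptions made for this example; the point it adds beyond the lecture is that the token is validated twice, once for shape and once for membership, so a malformed or unknown token never reaches a redirect.

```javascript
// Added example (not from the course): indirect-reference tokens for external
// redirect targets. REDIRECT_TABLE and its URLs are constructed for illustration.
const REDIRECT_TABLE = Object.freeze({
  1: "https://partner-one.example.net/login",
  2: "https://partner-two.example.org/docs",
  15: "https://support.example-vendor.com/",
});

// A token is one or two ASCII digits and nothing else: no sign, no whitespace,
// no exponent, so "1e1", " 1" and "-1" are all rejected before any lookup.
const TOKEN_PATTERN = /^[0-9]{1,2}$/;

// Map a token taken from the request (e.g. /go?t=2) to its literal URL.
// Returns null, after logging, for anything that is not a known, well-formed
// token; the caller redirects only on a non-null result.
function resolveRedirectToken(rawToken, log = console.error) {
  if (typeof rawToken !== "string" || !TOKEN_PATTERN.test(rawToken)) {
    log(`redirect token rejected: malformed ${JSON.stringify(rawToken)}`);
    return null;
  }
  const key = String(parseInt(rawToken, 10)); // "01" and "1" name the same entry
  // hasOwnProperty, not `in`, so inherited names like "toString" can never match
  // (the regex already excludes them, but the lookup should not rely on that).
  if (!Object.prototype.hasOwnProperty.call(REDIRECT_TABLE, key)) {
    log(`redirect token rejected: unknown token ${key}`);
    return null;
  }
  return REDIRECT_TABLE[key];
}

// Reverse direction: when the application renders an outbound link it looks up
// the token for a literal URL, so the URL itself never travels in a
// user-controllable parameter. Returns null for URLs that are not in the table.
function tokenFor(url) {
  for (const [token, target] of Object.entries(REDIRECT_TABLE)) {
    if (target === url) return token;
  }
  return null;
}
```

Adding a new partner destination means adding a table entry, which is a code change that goes through review, rather than accepting a new URL at runtime.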
Now the Content Security Policy directive.
There's a specific directive called connect-src, and this restricts which URLs can be loaded by script on the page. This is the type of directive that applies to
several commonly used connection objects: the XMLHttpRequest object (and fetch()), WebSocket objects,
and EventSource connections. In order to use this directive, however, you do need to identify your source list, and the source list is nothing more than a list
of valid hosts, which you identify in URL form: scheme, host and, optionally, port.
And so this source list becomes your whitelist, and
any URL, whether injected or otherwise attempted,
that does not conform to that whitelist will not be connected to from the page; the browser blocks the request and reports a policy violation. One caveat: connect-src governs connections opened by script, not top-level navigation, so a server-side redirect still has to be vetted by the whitelist or token check we covered earlier.
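As an added example (not part of the course), here is how the connect-src header is composed from a source list, shown next to the weak form that allows any host, together with a small matcher that checks whether a candidate URL would be covered by the list. The page origin, the hosts and the header values are assumptions made for this example, and the matcher is a deliberately simplified version of the CSP host-source rules: exact scheme match, host with an optional leading "*." wildcard, optional port, and no path, nonce or hash handling (the real browser rules also let 'self' cover ws:/wss: on the same host and let an http: source cover https:).

```javascript
// Added example (not from the course): building a connect-src source list and
// checking URLs against it. PAGE_ORIGIN, CONNECT_SRC and all hosts are assumed.
const PAGE_ORIGIN = "https://www.example.com"; // assumed origin of the page

// The whitelist: same-origin, the API host, the WebSocket host, and any
// subdomain of the CDN (wildcards match subdomains only, not the bare host).
const CONNECT_SRC = [
  "'self'",
  "https://api.example.com",
  "wss://events.example.com",
  "https://*.cdn.example.net",
];

// Weak form that defeats the purpose: script may contact any host at all.
const WEAK_HEADER = "Content-Security-Policy: connect-src *";

// The header as the server should send it.
function buildConnectSrcHeader(sources) {
  return `Content-Security-Policy: connect-src ${sources.join(" ")}`;
}

// Simplified host-source matching: does one source expression cover `url`?
function sourceMatches(source, url) {
  if (source === "'self'") return url.origin === PAGE_ORIGIN;
  if (source === "*") return true;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^:/]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false; // unsupported form (path, nonce, hash, ...)
  const [, scheme, wildcard, host, port] = m;
  if (url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = url.hostname.toLowerCase();
  const hostOk = wildcard
    ? h.endsWith("." + host.toLowerCase())
    : h === host.toLowerCase();
  if (!hostOk) return false;
  // A source without a port means the scheme's default port, which the URL
  // parser reports as an empty string.
  const urlPort = url.port || "";
  return port ? urlPort === port : urlPort === "";
}

// Would script on this page be allowed to open a connection to `target`?
function connectionAllowed(target, sources = CONNECT_SRC) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return false;
  }
  return sources.some((s) => sourceMatches(s, url));
}
```

The header is sent by the server (or via a meta tag) and enforced by the browser; the matcher here only illustrates what the browser will and will not allow, so you can reason about a source list before deploying it.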