Part 4 Defenses

Video Activity

This lesson focuses on mitigations, countermeasures and defenses for unvalidated redirects and forwards. The defenses discussed are whitelisting domains with custom code, tokenization, and Content Security Policy (CSP) directives, and participants are offered brief code examples of each.


Time: 9 hours 31 minutes
Difficulty: Intermediate
CEU/CPE: 10
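As an added example (not the course's own code), the three defenses summarized above implemented together in Python: a domain allowlist applied to the canonicalized hostname of a redirect target, covering the case of several company domains, a tightly validated token that stands in for an external URL (a dictionary lookup plays the role of the switch statement), and a Content-Security-Policy connect-src source list built from the same allowlist. The domain names, the token table and all function names are constructed for illustration. One caveat a practitioner should keep in mind: connect-src governs connections opened by scripts (fetch/XMLHttpRequest, WebSocket, EventSource); it does not stop a top-level redirect, so the server-side allowlist check remains the primary control.

```python
"""Unvalidated redirect defenses: domain allowlist, tokenized external links,
and a connect-src CSP header derived from the same allowlist.
Added example, not course code; domains and tokens below are placeholders."""
import logging
import re
from urllib.parse import urlsplit

log = logging.getLogger("redirects")

# Hypothetical company domains (e.g. accumulated through mergers and acquisitions).
ALLOWED_DOMAINS = frozenset({"example.com", "example-acquired.com", "example.co.uk"})
DEFAULT_TARGET = "https://www.example.com/"

# Hypothetical token -> external URL table for sites outside our own domains.
EXTERNAL_SITES = {
    "1": "https://partner-one.example.net/portal",
    "2": "https://support.example.org/tickets",
}
TOKEN_RE = re.compile(r"^\d{1,2}$")  # one or two digits and nothing else


def canonical_host(url):
    """Return the lowercase hostname of an absolute http(s) URL, or None when
    the URL cannot be trusted to name a single host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                  # rejects javascript:, data:, relative and //host forms
    if parts.username or parts.password:
        return None                  # rejects https://example.com@evil.test/ lookalikes
    if not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def host_is_allowed(host):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def safe_redirect_target(url):
    """Vet a redirect/forward target before acting on it. Non-conforming
    targets are logged as errors and replaced by the default landing page."""
    host = canonical_host(url)
    if host is None or not host_is_allowed(host):
        log.error("untrusted redirect target rejected: %r", url)
        return DEFAULT_TARGET
    return url


def resolve_external_token(token):
    """Map a tightly validated token to an external URL; None if it is not a
    one- or two-digit string or is not in the table."""
    if not isinstance(token, str) or not TOKEN_RE.match(token):
        return None
    return EXTERNAL_SITES.get(token)


def csp_connect_src():
    """Build a connect-src directive allowing only our own domains over HTTPS.
    A wildcard source matches subdomains only, so the apex is listed as well."""
    sources = sorted(s for d in ALLOWED_DOMAINS for s in (f"https://{d}", f"https://*.{d}"))
    return "connect-src 'self' " + " ".join(sources)


if __name__ == "__main__":
    for candidate in ("https://www.example.com/account", "//evil.test/",
                      "https://example.com@evil.test/", "https://example.com.evil.test/"):
        print(candidate, "->", safe_redirect_target(candidate))
    print(resolve_external_token("1"), resolve_external_token("1; DROP TABLE"))
    print(csp_connect_src())
```

Serve the header as `Content-Security-Policy: <value>`; the same `ALLOWED_DOMAINS` set drives both the server-side check and the browser-side policy, so adding an acquired domain is a one-line change.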

Video Transcription
00:04
Hello and welcome to the Cybrary Secure Coding course.
00:08
My name is Sonny Wear, and this is OWASP Top 10 for 2013,
00:13
A10 Unvalidated Redirects and Forwards: Mitigations, Countermeasures and Defenses.
00:20
So for our defenses overview, we're going to take a look at three general areas where we can prevent unvalidated redirects and forwards. Those areas include whitelisting domains with custom code, tokenization, and the use of Content Security Policy directives.
00:40
We're going to take a look at the whitelisting of domains with custom code
00:44
and look at how that can be done even if you have to maintain multiple domains.
00:51
For tokenization, this can be applied for external site URLs that reside beyond the control of your domains.
01:00
And then for the Content Security Policy directive, we're going to specifically look at the connect-src directive and its components. First, the whitelisting of domains with custom code.
01:14
What we're going to do here is create a whitelist of acceptable domains. These are usually owned by the company.
01:22
In situations where there have been mergers and acquisitions, there could be many .com domains that are acceptable, and so if you take a look at the try block here,
01:36
we have a canonical hostname that's received, and we check the address of that, ensuring that the domain actually conforms to one of the acceptable names. And so what this will do is it will basically vet
01:55
any location,
01:57
redirect or forward
01:59
prior to executing upon that URL.
02:04
And if something doesn't conform, of course it would be untrusted,
02:08
and we would go ahead and log an error.
02:13
Now, tokenization is where we're going to map a token in place of the direct object or, in this case, replace a direct URL with a token instead.
02:25
Now what you need to do, of course, is to make sure that you have validation in place to check for that whitelist-to-token value. In other words, don't leave that token value open-ended. Either make sure that you keep
02:42
the values very tight, enumerated, etc.
02:46
What we have here is actually a regex pattern match for digits, that is a minimum of one digit, maximum of two digits, and then we fall into our switch statement where we're going to match against the particular digit
03:04
and the subsequent case number, and then we actually substitute in
03:08
the literal URL. This is just one example. There could be other types of implementation for the same idea, such as the enumeration or array listings that we had talked about before.
03:23
Now, the Content Security Policy directive.
03:27
There's a specific directive called connect-src, and this is going to restrict which URLs can actually be loaded. This is the type of directive that can be used with
03:39
several different types of commonly used objects: the XMLHttpRequest object, a WebSocket object,
03:46
or an EventSource connection. So, basically, in order to use this directive, however, you do need to identify your source list, and the source list is nothing more than a list
04:00
of valid hosts, and you're going to identify those in a URI format.
04:06
And so this is going to become your whitelist, and
04:12
any kind of
04:14
URL that is either injected or attempted
04:18
that does not conform to that whitelist will not be executed on the page.