Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

This lesson offers an overview of defenses against attacks; including: • Neutralize all special characters • Perform input validation • Whitelisting techniques Participants also learn about command injection prevention and JSON injection prevention techniques.

Video Transcription

00:04
Hello and welcome to the cyber very secure coding course my name miss anywhere. And this is the OAS top 10 for 2013
00:14
a one injection mitigations, countermeasures and defenses.
00:19
Now an overall view of defenses really center around three main areas. The neutralization of special characters,
00:29
the performing of input validation in your application code
00:34
and the employing of white listing techniques
00:38
now neutralization of special characters. As we saw in the demos, A lot of times payloads by Attackers will include ticks or comments and other special characters specific two languages and databases. And so what do you want to do is you want to neutralize
00:58
these special
01:00
characters and make them re be received as text or data on Lee,
01:07
instead of being interpreted inadvertently by your database or by your operating system, et cetera.
01:15
Now I recommend that you go with language specific frameworks if you have them available.
01:22
Microsoft has a lot of neutralization techniques available within their framework.
01:29
These are also available in Java based frameworks like struts and spring.
01:34
However, if you don't have a language specific framework that you can draw from,
01:40
a wasp has in HTML sanitizer, which can certainly be used for your output in coding.
01:49
Now the next area is performing input validation.
01:53
As programmers, we tend to code on the happy path where we don't
02:00
We don't code thinking about what could go wrong or,
02:06
UH, input that could come into our program that we're not expecting.
02:09
And so performing input validation is that very thing. And generally input validation needs to be verified through a manual code review of some type
02:22
with others on your development team.
02:25
The third area overall for a defense is tthe e.
02:30
The implementation of white listing techniques now white listing in general is tthe e excepting of values that are allowed,
02:40
and this could be done a number of different ways. You can create a raise or in new Marais shins that have the values that are acceptable to your program. Also, you could set up Constance may be in a header file or some sort of common area, and then
03:00
when you receive input
03:01
from the command line or from the gooey, you could do a match or comparison against what is received against those constance
03:13
regular expression. Pattern matching is also a very common way to employ a white list.
03:20
Now, if we look specifically at the particular injection types that we saw in the demos,
03:25
the 1st 1 was sequel injection.
03:29
Now, for sequel injection, we must perform our input validation, ensuring that we receive what we should really be expecting.
03:38
Secondly, we need to neutralize the input from the presentation tear,
03:45
and how this is commonly done is through the use of parameter rised queries with bind variables. And I wantto stipulate the
03:54
the use of the bind variables. So, for example, if you take a look at the Java code that's presented,
04:00
we have a prepared statement.
04:02
This prepared statement has a sequel statement within it
04:08
of select transaction data from the transaction table, where the batch ideas equal to question mark and customer numbers equal to question mark.
04:17
Now you'll notice that
04:19
both question marks are then filled with values that are received from the presentation here.
04:27
But they've been sanitized through an input validation technique first,
04:31
and then
04:32
they're actually placed within the sequel statement using bind variables. You see, the one in the two corresponds to each question mark.
04:44
What this does is even if the attacker does put some sort of sequel injection into either of these parameters. They're not going to inadvertently be executed by the database. Instead, it's going to be treated just as data.
05:01
Now, in regards to command injection prevention,
05:04
we definitely need to perform some sort of path validation.
05:10
This is usually done by first canonical izing that path, ensuring that it's not a symbolic link,
05:16
that it is a full, absolute path and that it matches the operating system.
05:24
And then what you want to do is perform your input validation. Make sure that you've got some sort of ray, or even in numerator shin
05:32
of the acceptable commands, so that anything that falls outside of that will not be accepted into your program. Finally, for the Jason Injection Prevention,
05:44
as I mentioned in the demo, we need to encode for JavaScript
05:49
to ensure that we're not doing any kind of reflective cross site scripting vulnerability in our response.
05:59
The OAS Jason Sanitizer is a job, a library that's available for addressing some minor
06:09
in coding issues with Jason, and it's also very good at taking in any kind of Jason like content and converting it to an actual, valid or well formed Jason in order to make it easier for parsing

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Instructor Profile Image
Sunny Wear
Instructor