Upload File

the anti pattern

13
The Anti- Pattern

Upload: blaufish

Post on 22-Nov-2014

266 views

Category:

Technology


0 download

Report

DESCRIPTION

Most common application security vulnerabilities are more or less variants on the same thing - "the anti pattern". The anti pattern is typically: 1 - an externally supplied input, and 2 - a powerful API operating directly on input supplied by previously mentioned input. The big point of the presso was to highlight why Criteria API (and Parameterized Queries if Criteria style APIs are not available) are to be used. Presented at Opkoko 2012.

TRANSCRIPT

Page 1: The Anti pattern

The Anti-Pattern

Page 2: The Anti pattern

80%

Page 3: The Anti pattern

The Anti-Pattern

input = GET[ “username” ]

statement = “code “ + input

execute( statement )

Page 4: The Anti pattern

The Anti-Pattern

• sql• ldap• eval• response.write• file.open• reflection• control.the.computer

INPUT

EXECUTE

Page 5: The Anti pattern

Anti-AntiPatterns

Page 6: The Anti pattern

Code not Text!

Text query languages suck.

Critera & Entity API: WIN

Page 7: The Anti pattern

Code not Text

Root<Pet> pet = cq.from(Pet.class)cq.where(cb.equals(pet.get(Pet_.name), input))

s = “SELECT FROM pet WHERE pet.name =“ + inputexecuteSQL( s )

Page 8: The Anti pattern

Fear String.Concat

Parameterized Queries: use wildcards instead of concatenating user input

Page 9: The Anti pattern

Remove String.Concat

s = “SELECT FROM pet WHERE pet.name = @name“ps = prepare( s )ps.bind(“@name”, input)

s = “SELECT FROM pet WHERE pet.name =“ + inputexecuteSQL( s )

Page 10: The Anti pattern

Defensein depth

Page 11: The Anti pattern

INPUT

EXECUTE

GUARD Exception

Page 12: The Anti pattern

Defense in Depth

input = GET[ “username” ]

if (whitelist.bad( input )) { secLog(“reject…”) throw new Exception()}

Page 13: The Anti pattern

Summary

• Most common security coding vulns are variants of the same anti-pattern

• Use easy safe-by-design API– Entity & Criteria API – SQLi is hard =)

• Fear String.Concat– String operations are the mother of all evil– Parameterize if you must stick to text!

• Defend in Depth! – The anti-pattern can also be broken by input

validation.


Farewell Old Application Server The Server Container Anti- Pattern and how to avoid it

Patterns and Anti-Patternsweb.eecs.umich.edu/~weimerw/481/lectures/se-16-patterns.pdf · 2020-03-23 · Anti-Patterns An anti-pattern is a common response to a recurring problem that

Lecture continuous integration · • Continuous delivery • Continuous deployment • Benefits, challenges, different approaches ... Patterns and anti-patterns!5 Anti-pattern: "..just

Innovation Anti-Pattern – Oder: was man tun muss, um nicht innovativ zu sein

Trust anti pattern cards

It's Not You, It's Your Anti-Pattern

Human TLR10 is an anti-inflammatory pattern-recognition ... · PDF fileHuman TLR10 is an anti-inflammatory pattern-recognition receptor Marije ... Ineke C. Verschuerena, Peer Artsc,

Cassandra Day Denver 2014: Cassandra Anti-Pattern Jeopardy

Accentuate - Free Knitting Pattern Lion Brand® Basic Stitch Anti … · 2020. 5. 13. · Lion Brand® Basic Stitch Anti-PillingTM Lake Effect Baby Afghan Pattern Number: L90124 For

Forensic Assertive Community Treatment (FACT): Updating ... · Anti-social attitudes Anti-social friends and peers Anti-social personality pattern Substance abuse Family and/or marital

Design patterns - The Good, the Bad, and the Anti-Pattern

PATTERN FORMATION OF A PREDATOR-PREY MODEL WITH THE COST OF ANTI-PREDATOR BEHAVIORS · 2020-05-03 · PATTERN FORMATION OF A PREDATOR-PREY MODEL WITH THE COST OF ANTI-PREDATOR BEHAVIORS

Characterization for anti-cytoplasmic antibodies ... · Characterization for anti-cytoplasmic antibodies specificity by morphological and ... The confirmation of the staining pattern

@ExpertsLiveAT #ExpertsLive DevOps · Pattern vs. Anti-Pattern. Death March ... • UX must be good from the beginning ... Gamification, Safe to Fail, Everyone must be on board

Anti-pattern free code-first Web Services for state-of-the ...on the WSDL anti-patterns and code-first tools for the Java language. Then, Section 3 introduces the approach for detecting

pattern matching using vf · Pattern Matching Using VFind And The CVDL Language The Leader In Total Security Solutions For Linux, UNIX and Mac OS X • Anti-Virus • Baseline Control

A New Multiple-Pattern Matching Algorithm for the Network ... · Applications like intrusion detection/ prevention, web filtering, anti-vir us, and anti-spam all raise the ... commonly

Design Patterns VIII - Non-GoF Design Patters, Anti-Patternscourses.cecs.anu.edu.au/courses/archive/comp2110.2008/lectures/lec22.pdfAnti-Patterns Singletonitis Anti-Pattern Good Pattern

Anti agile pattern

Ontological Patterns, Anti-Patterns and Pattern …gguizzardi/ER2014-keynote-CR.pdfLanguages for Next-Generation Conceptual ... aspects of the physical and ... the development of engineering

Day Trading with the Anti-Climax Pattern Trading with the Anti-Climax... · iii Disclaimer The information provided within the “Day Trading with Price Action” eBook series and

Pattern JavaScript Design - perso.liris.cnrs.fr · Design Patterns Anti-patrons Idioms ou coding patterns ... Constructor Pattern Module Pattern Revealing Module Pattern Singleton

Pager Anti Pattern(Joke)

Efficient Authenticated Multi-Pattern Matchingusers.umiacs.umd.edu/~zhangyp/papers/pattern.pdfMulti-pattern matching query has a lot of deployed appli-cations such as anti-virus scanning,

ORM is an Offensive Anti-Pattern

An Approach to Design Pattern and Anti-Pattern Detection ... · Abstract A design pattern is a recurring and well-understood design fragment, while an anti- pattern is a common design

Performance comparison of query-based techniques for anti-pattern … · Performance comparison of query-based techniques for anti-pattern detectionq Zoltán Ujhelyia, , Gábor Sz}oke

Free Knitting Pattern Lion Brand® Basic Stitch™ Anti ...€¦ · Collar Extension . Lion Brand® Basic Stitch™ Anti-Pilling Color Block Cardigan. Pattern Number: M20178 For thousands

Guardian Eco Guard Pattern Anti Reflective Solar Glass

An Anti-Pattern for Misuse Cases - Samosweb.Aegean.Gr · An Anti-Pattern for Misuse Cases ... STRIDE Example threats to online banking web application: ... • Identify root cause

Drug Utilization Pattern of Non-Steroidal Anti …...Drug Utilization Pattern of Non-Steroidal Anti-Inflammatory Drugs in Patients Attending Orthopaedic Department of A Hospital in

Free Knitting Pattern Lion Brand® Basic Stitch™ Anti ... · Free Knitting Pattern Lion Brand® Basic Stitch™ Anti-Pilling Color Block Cardigan Pattern Number: M20178 Designed

Selected Methods for Anti-Pattern Detection in the Model ...kvasnicka/Seminar_of_AI/Polasek...Selected Methods for Anti-Pattern Detection in the Model/Source Code Identifying and Visualisation

A Publication of - XTIVIA · 2.4.1 Anti-Pattern #4 – Did Not ImplementSorting and Filtering in ApplicationServices This anti-pattern is usually found when an application has implementeda

Anti pattern se lo conosci lo eviti