Everything you know about Injection Attack is Wrong · 2020-01-17 · Expose “control”...
Transcript of Everything you know about Injection Attack is Wrong · 2020-01-17 · Expose “control”...
SQL Injection
Prepared Statement
Now what?
Input Validation!!!
Input Validation???
Input Validation
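The point of the three slides above, as an added example that is not part of the talk: a prepared statement fixes SQL injection because the value is never parsed as SQL, while "input validation" (here, rejecting quotes) does not fix the concatenated query and rejects a legitimate user. The table, the rows and the payload are constructed for this example; it uses Python's built-in sqlite3 module.

```python
import sqlite3


# Constructed sample data (not from the talk): an in-memory users table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def find_user_concat(conn, name: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, so the database
    parser sees whatever quotes and operators the caller put in it."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, name: str) -> list:
    """Parameterized: the SQL text is fixed; the value travels separately and
    is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def naive_validate(name: str) -> bool:
    """The usual 'input validation' reflex: reject anything containing a quote."""
    return "'" not in name


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # constructed injection payload
    print(find_user_concat(conn, payload))      # every row: the WHERE clause was rewritten
    print(find_user_prepared(conn, payload))    # []: the value was compared as a literal
    print(find_user_prepared(conn, "O'Brien"))  # the legitimate quote is just data
    print(naive_validate("O'Brien"))            # False: validation rejects a real user
    try:
        find_user_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concatenation breaks on a legitimate name:", exc)
```

Validation still has a place (a numeric id should be a number), but it is a data-quality check, not the defence: the defence is that the value never reaches the SQL parser as SQL.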
Cross Site Scripting
XSS – HTML
XSS – Attribute
XSS – CSS
XSS – Javascript
XSS – URL
So what’s the real problem here?
LDAP Injection
Malicious Input: foo (| (objectclass=*))
XPath Injection
Malicious Input: ' or 1=1 or ''='
Log Injection
Malicious Input: abc\nUser "admin" logged in successfully
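The three slides above (LDAP, XPath and log injection) share one lesson: each output context has its own parser, so each needs its own escaping or parameterization. As an added example that is not part of the talk, the following Python builds the three protections and runs the slides' payloads through them. The LDAP escaping follows RFC 4515; the XPath literal builder uses concat() because XPath 1.0 has no escape sequence inside string literals; the sample XML document and the log format are constructed for this example.

```python
import json
import xml.etree.ElementTree as ET

# ---- LDAP: escape a value placed inside a search filter (RFC 4515) ----------
# Inside a filter these characters are structure; each becomes '\' + two hex digits.
_LDAP_FILTER_SPECIAL = "\\*()\x00"


def escape_ldap_filter_value(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in _LDAP_FILTER_SPECIAL else c for c in value)


def ldap_uid_filter(uid: str) -> str:
    """The filter text is fixed; only the escaped value is spliced in."""
    return "(uid=%s)" % escape_ldap_filter_value(uid)


def count_structural_parens(filter_text: str) -> int:
    """Parentheses the LDAP parser will treat as filter structure (escapes skipped)."""
    n, i = 0, 0
    while i < len(filter_text):
        if filter_text[i] == "\\":
            i += 3  # skip the '\xx' escape sequence
            continue
        if filter_text[i] in "()":
            n += 1
        i += 1
    return n


# ---- XPath 1.0: build a string literal, since there is no escape syntax ------
def xpath_string_literal(value: str) -> str:
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    # Both quote kinds present: split on ' and glue the pieces with concat().
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append("'%s'" % piece)
        parts.append('"\'"')
    parts.pop()  # remove the separator appended after the final piece
    return "concat(%s)" % ", ".join(parts)


def xpath_user_query(name: str) -> str:
    return ".//user[name=%s]" % xpath_string_literal(name)


# Constructed sample document (not from the talk).
USERS_XML = """<users>
  <user><name>alice</name><role>admin</role></user>
  <user><name>bob</name><role>user</role></user>
</users>"""


def find_users(name: str) -> list:
    # ElementTree implements only a subset of XPath, but enough to run the
    # [child=literal] form this query takes (it does not support concat()).
    root = ET.fromstring(USERS_XML)
    return [u.findtext("name") for u in root.findall(xpath_user_query(name))]


# ---- Logs: keep one record per line -------------------------------------------
def sanitize_log_field(value: str) -> str:
    """Escape CR, LF and other control characters so a value cannot forge a record."""
    out = []
    for c in value:
        if c == "\n":
            out.append("\\n")
        elif c == "\r":
            out.append("\\r")
        elif ord(c) < 0x20 or c == "\x7f":
            out.append("\\x%02x" % ord(c))
        else:
            out.append(c)
    return "".join(out)


def login_log_line(username: str, ok: bool) -> str:
    status = "succeeded" if ok else "failed"
    return 'Login %s for user "%s"' % (status, sanitize_log_field(username))


def login_log_json(username: str, ok: bool) -> str:
    """Structured logging is the parameterized alternative: the serializer,
    not the caller, is responsible for keeping the record to one line."""
    return json.dumps({"event": "login", "user": username, "ok": ok})
```

For LDAP, distinguished names (RFC 4514) have a different escaping rule from filter values, so the filter escaper above must not be reused for a DN. For logs, prefer the structured form where the log pipeline accepts it; the line escaper is for the case where the API is plain text.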
So how do we prevent it?
Protect output contexts by design
[Diagram: an Output Assembler takes the Output Template and the untrusted Input Value(s); each value passes through the known-safe step for its context (HTML Encoder, Escaping Function, ..., or Parameterization) to become a Known-Safe Output Value, which the assembler's Logic combines with the template into the Output.]
Where the API isn’t given by your platforms/libraries, BUILD IT!
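An added example (not the talk's own code) of the "output assembler" from the diagram above, and of why the XSS slides list five separate contexts: a template declares the context of every slot, and the assembler applies the matching encoder. It also shows the nesting case that a single HTML encoder gets wrong: a value inside a JavaScript string inside an onclick attribute is HTML-decoded by the browser before the JavaScript parser sees it, so it must be JS-string-encoded first and attribute-encoded second. The slot syntax, the template and the payload are this example's own constructions.

```python
import html
import re
from urllib.parse import quote

# One encoder per output context. Each makes a value inert for exactly the
# parser that will read it next, and nothing else.


def encode_html_text(value: str) -> str:
    """Text between tags: neutralise & < > (and quotes, harmlessly)."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Inside a double-quoted attribute value; the template must supply the quotes."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Inside a quoted JavaScript string literal: \\uXXXX-escape everything except
    ASCII letters and digits, so no quote, slash or '</script>' survives."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp > 0xFFFF:  # outside the BMP: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


def encode_url_param(value: str) -> str:
    """A query-string parameter value: percent-encode all but unreserved characters."""
    return quote(value, safe="")


ENCODERS = {
    "html": encode_html_text,
    "attr": encode_html_attr,
    "js": encode_js_string,
    "url": encode_url_param,
}

# A slot names its value and the context(s) it lands in, e.g. {name:html} or
# {name:js+attr}. The chain is applied left to right: innermost parser first.
SLOT = re.compile(r"\{(\w+):([\w+]+)\}")


def assemble(template: str, **values: str) -> str:
    """Output assembler: only the (trusted) template supplies structure; every
    untrusted value is encoded for the context its slot declares."""
    def fill(match):
        name, chain = match.group(1), match.group(2).split("+")
        out = values[name]
        for ctx in chain:
            out = ENCODERS[ctx](out)
        return out
    return SLOT.sub(fill, template)


def js_seen_by_browser(markup: str) -> str:
    """Emulate the browser for an onclick handler: the attribute value is
    HTML-decoded first and only then handed to the JavaScript parser."""
    match = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""


if __name__ == "__main__":
    payload = "');alert(1);//"  # constructed payload for a JS-string-inside-attribute slot
    # Wrong: attribute encoding alone; the browser undoes it before the JS parser runs.
    wrong = assemble('<a onclick="greet(\'{name:attr}\')">hi</a>', name=payload)
    print(js_seen_by_browser(wrong))
    # Right: JS-string encode for the inner context, then attribute encode for the outer.
    right = assemble('<a onclick="greet(\'{name:js+attr}\')">hi</a>', name=payload)
    print(js_seen_by_browser(right))
    print(assemble('<p>{name:html}</p><a href="/q?s={term:url}">', name="<b>x</b>", term="a b&c"))
```

Two caveats the encoders cannot cover: a whole URL placed in href or src needs its scheme checked against an allowlist (javascript: survives attribute encoding unchanged), and a value placed where the template expects markup or code rather than data (an unquoted attribute, a CSS property name, the inside of a script outside any string literal) has no safe encoder at all; restructure the template so the value lands in a data position.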
Expose “control” resources indirectly
[Diagram: an Internal Reference Map sits between the client and the Services and Database. The client's value is always an Indirect Reference (random, unguessable); the map translates it to the Direct Reference (the real resource name) that the services and database use, and back again.]
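An added example (not the talk's own code) of the internal reference map from the diagram above: the real identifiers stay inside the server, the client is handed random tokens, and a token that was never issued in this session resolves to nothing. The invoice table and the per-user ownership are constructed for this example; the map is meant to live in the user's server-side session.

```python
import secrets


class IndirectReferenceMap:
    """Per-session map between real resource identifiers and random tokens.

    The client only ever sees the tokens. A guessed value, or a token issued in
    another session, resolves to nothing, so the client cannot name a resource
    it was not shown. This complements access control; it does not replace it.
    """

    def __init__(self) -> None:
        self._to_indirect = {}
        self._to_direct = {}

    def indirect(self, direct_ref):
        """Return the token for a real reference, issuing one on first use."""
        token = self._to_indirect.get(direct_ref)
        if token is None:
            token = secrets.token_urlsafe(16)  # 128 random bits, URL-safe
            self._to_indirect[direct_ref] = token
            self._to_direct[token] = direct_ref
        return token

    def direct(self, indirect_ref):
        """Resolve a token back to the real reference, or None if never issued."""
        return self._to_direct.get(indirect_ref)


# Constructed sample data (not from the talk): invoice id -> (owner, file name).
INVOICES = {
    1001: ("alice", "invoice-1001.pdf"),
    1002: ("bob", "invoice-1002.pdf"),
    1003: ("alice", "invoice-1003.pdf"),
}


def list_invoices(session_map: IndirectReferenceMap, user: str) -> dict:
    """What the user sees: tokens instead of database ids."""
    return {
        session_map.indirect(inv_id): name
        for inv_id, (owner, name) in INVOICES.items()
        if owner == user
    }


def fetch_invoice(session_map: IndirectReferenceMap, token: str):
    """Resolve the client's token; unknown tokens (including real ids) return None."""
    inv_id = session_map.direct(token)
    if inv_id is None:
        return None
    return INVOICES[inv_id][1]


if __name__ == "__main__":
    alice_session = IndirectReferenceMap()
    shown = list_invoices(alice_session, "alice")
    print(shown)                                  # two random tokens -> alice's files
    print(fetch_invoice(alice_session, "1002"))   # None: the real id is not a token
    for token in shown:
        print(fetch_invoice(alice_session, token))
```

The map is per session, so tokens are not stable across logins and cannot be shared between users; if a resource must be bookmarkable, use a long-lived random public id stored with the resource instead of this session map, and still check ownership on every access.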