writing secure code
play

Writing Secure Code Wash all user-submitted data Vulnerabilities - PowerPoint PPT Presentation

Sep 06, 2022 •492 likes •681 views

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

  1. Writing Secure Code Wash all user-submitted data

  2. Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a query

  3. How Drupal Handles Input Data is saved as-is into the database. Data gets ‘washed’ on output. Burden lies with module and theme developers. Drupal gives you the tools. You must use them.

  4. Text Formats /admin/config/content/ formats Plain Text Filters Display any HTML as plain text <div class=”blue”>Hello!</div> becomes &lt;div class="blue"&gt;Hello!&lt;/ div&gt;

  5. Text Formats /admin/config/content/ formats Filtered HTML Filters Limit allowed HTML tags <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> JavaScript event attributes, JavaScript URLs, and CSS are always stripped. <div class=”blue”>Hello!</div> becomes Hello! <code class="blue" style="border:1px;">Hello!</code> becomes <code class=”blue”>Hello!</code>

  6. Text Formats /admin/config/content/ formats Full HTML Filters

  7. How You Handle Output Burden lies with module and theme developers. Drupal gives you the tools. You must use them.

  8. Wash Your Output http://api.drupal.org/api/drupal/includes-- common.inc/group/sanitization/7 check_plain() t() check_markup() filter_xss() check_url() & l() filter_xss_admin()

  9. check_plain( $text ) To be used when inserting plain text into HTML. No HTML is output. Uses the encoded special characters instead. <a href='test'>Test</a> &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

  10. check_markup( $text, $format_id = NULL, $langcode = '', $cache = FALSE ) To be used when inserting rich text into HTML. Allows you to specify the format ID that corresponds with the ‘text format’ you want to use. Falls back to the system default. $newtext = check_markup($text, ‘filtered_html’);

  11. check_url( $uri ) l( $text, $path, array $options = array() ) check_url() Strips dangerous protocols (e.g. 'javascript:') from a URI and encodes it for output to an HTML attribute value. Allows 'ftp', 'http', 'https', 'irc', 'mailto', 'news', 'nntp', 'rtsp', 'sftp', 'ssh', 'tel', 'telnet', 'webcal' l() constructs a full HTML link utilizing url() for the href attribute and also sanitizes the link title.

  12. t( $string, $args = array(), $options = array() ) Allows strings to be translatable. Must use variable substitution for ANY variable. $text = t("@name's blog", array('@name' => format_username($account))); !variable: Inserted as is. Use this for text that has already been sanitized. @variable: Escaped to HTML using check_plain(). Use this for anything displayed on a page on the site. %variable: Escaped as a placeholder for user-submitted content using drupal_placeholder(), which shows up as <em>emphasized</em> text.

  13. filter_xss( $string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd') ) Filters an HTML string to prevent cross-site- scripting (XSS) vulnerabilities. Removes characters and constructs that can trick browsers. Makes sure all HTML entities are well-formed. Makes sure all HTML tags and attributes are well-formed. Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

  14. filter_xss_admin( $string ) Very permissive XSS/HTML filter for admin-only use. Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain() is not acceptable). Allows all tags that can be used inside an HTML body, save for scripts and styles.

  15. Sending Email drupal_mail( $module, $key, $to, $language, $params = array(), $from = NULL, $send = TRUE ); Sending an e-mail works with defining an e-mail template (subject, text and possibly e-mail headers) and the replacement values to use in the appropriate places in the template. Doesn’t allow headers to be injected. Users cannot add a Bcc via the subject line

  16. Drupal Forms Drupal Forms API (FAPI) protects against XSRF using a token and session system that checks for validity of POST data.

  17. SQL Injection The query builder with variable replacement uses the database API to safely handle the data db_merge( 'example' ) ->key( array('name' => $name) ) ->fields( array( 'field1' => $value1, 'field2' => $value2,) ) ->execute();

  18. Wash All User-submitted Data On Output Don’t trust what people enter in your site. Use the tools that Drupal provides to protect yourself against vulnerabilities. Documentation http://drupal.org/writing-secure-code Sanitization functions http://api.drupal.org/api/drupal/includes-- common.inc/group/sanitization/7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER 1 . 2 WRITING FASTER PYTHON @SebaWitowski 1 . 3 PYTHON WAS NOT MADE TO BE FAST... ...BUT TO MAKE DEVELOPERS FAST. 2 . 1 It was nice to

451 views • 43 slides
Code profilers and profiling When writing code, we generally have some feel for how

Code profilers and profiling When writing code, we generally have some feel for how

Code profilers and profiling When writing code, we generally have some feel for how effiicient it is (run time and/or memory use) That might be supported by big-O complexity analysis of the algorithms we use (e.g. O(logN), O(N), etc)

357 views • 8 slides
Software Engineering and Architecture Writing Clean Code Motivation Code is written to

Software Engineering and Architecture Writing Clean Code Motivation Code is written to

Software Engineering and Architecture Writing Clean Code Motivation Code is written to Be compiled, deployed, and executed by users in order to serve their need So we make money, get salaries and can buy presents for our spouses (or

684 views • 35 slides
WRITING QUALITY CODE IDEAS, TECHNIQUES AND TOOLS FOR IMPROVING THE QUALITY OF WRITTEN CODE

WRITING QUALITY CODE IDEAS, TECHNIQUES AND TOOLS FOR IMPROVING THE QUALITY OF WRITTEN CODE

WRITING QUALITY CODE IDEAS, TECHNIQUES AND TOOLS FOR IMPROVING THE QUALITY OF WRITTEN CODE Radosaw Jankiewicz / @radek_j / radekj WHO AM I Programming in Python since 2007 Web applications (mostly) RANDOM FACT... AGENDA 1. Definition

881 views • 53 slides
Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code

Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code

Error Handling Input-Output Writing Better Code Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code Dr. Marina De Vos University of Bath Ext: 5053 Academic Year 2012-2013 Lecture D.10. (MDV)

844 views • 81 slides
CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with

CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with

CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with CodeBlocks Part 2 : Porting, compiling and testing in Dijkstra Part 3 : Using and understanding header files Part 1: Writing and debugging code with

1.03k views • 74 slides
Scripting for Multimedia PRE-LAB 2: WRITING, TESTING, AND DEBUGGING JAVASCRIPT Writing

Scripting for Multimedia PRE-LAB 2: WRITING, TESTING, AND DEBUGGING JAVASCRIPT Writing

Scripting for Multimedia PRE-LAB 2: WRITING, TESTING, AND DEBUGGING JAVASCRIPT Writing test-driven code Test-driven development (TDD) is a great way to write code and learn about code You can write your test without having to write a

418 views • 27 slides
White Box Testing &amp; Code Inspections Engineering Secure Software Last Revised: September 28,

White Box Testing &amp; Code Inspections Engineering Secure Software Last Revised: September 28,

White Box Testing &amp; Code Inspections Engineering Secure Software Last Revised: September 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 The Power of Source Code White box testing Testers have intimate knowledge

382 views • 15 slides
11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing system Standardization vs Historical artifacts Constructed Writing Systems Computing and its influence on writing Types of Writing

528 views • 24 slides
Math for VGG 1 Intro I am writing this to help you understand what the code is doing. Its

Math for VGG 1 Intro I am writing this to help you understand what the code is doing. Its

Math for VGG 1 Intro I am writing this to help you understand what the code is doing. Its still work in progress, toward making it more reader friendly. At this point, its just a bunch of math formulas you do not want to follow. 2

438 views • 7 slides
Writing better code with Writing better code with help from the compiler help from the compiler

Writing better code with Writing better code with help from the compiler help from the compiler

Writing better code with Writing better code with help from the compiler help from the compiler Thiago Macieira Thiago Macieira Qt Developer Days &amp; LinuxCon Europe October/2014 Qt Developer Days &amp; LinuxCon Europe October/2014

593 views • 32 slides
System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario Werner May 7, 2020 Graz University of Technology Why do we care about code? www.tugraz.at 10:20 July 18 W i r e l e s s - G A D S L G

599 views • 49 slides
On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture

On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture

International Workshop on OMNeT++ Code Contribution On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture Mohamad Sbeiti and Christian Wietfeld 05.03.2013 Faculty of Electrical and Computing

463 views • 7 slides
Programming style is a set of rules or guidelines used when writing ... code.

Programming style is a set of rules or guidelines used when writing ... code.

STYLE what ? Programming style is a set of rules or guidelines used when writing ... code. https://en.wikipedia.org/wiki/Programming_style Style concerns everything: files, functions, objects, arguments, names, spacing, indenting,

287 views • 15 slides
Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout SECURE? 1 IS D DRUPAL AL S IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open

641 views • 51 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, &lt;img src=&gt;

569 views • 42 slides
Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content Static Static (HTML) Dynamic Dynamic (XML, ASP, JSP) Server-side scripts Client-side scripts (JScript) Fetch content from

621 views • 24 slides
WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari

WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari

WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose to teach how vulnerabilities work. Use them to win

482 views • 30 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A

Locking the Throne Room How ES5+ might change views on XSS and Client Side Security A presentation by Mario Heiderich, 2011 Introduction Mario Heiderich Researcher and PhD student at the Ruhr-University, Bochum Security Researcher

550 views • 40 slides
VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS &amp; CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is XSS? XSS: Cross Site Scripting Injecting malicious scripts into a web page CWE-79

772 views • 12 slides
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style

1.67k views • 129 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides

More recommend