The Anti-Pattern
DESCRIPTION
Most common application security vulnerabilities are more or less variants on the same thing: "the anti-pattern". The anti-pattern is typically (1) an externally supplied input, and (2) a powerful API operating directly on that input. The main point of the presentation was to highlight why the Criteria API (or parameterized queries, where Criteria-style APIs are not available) should be used. Presented at Opkoko 2012.
TRANSCRIPT
Page 1
The Anti-Pattern
Page 2
80%
Page 3
The Anti-Pattern
input = GET["username"]
statement = "code " + input
execute(statement)
Page 4
The Anti-Pattern
• sql
• ldap
• eval
• response.write
• file.open
• reflection
• control.the.computer
INPUT
EXECUTE
Page 5
Anti-AntiPatterns
Page 6
Code not Text!
Text query languages suck.
Criteria & Entity API: WIN
Page 7
Code not Text
Root<Pet> pet = cq.from(Pet.class);
cq.where(cb.equal(pet.get(Pet_.name), input));

s = "SELECT * FROM pet WHERE pet.name = " + input
executeSQL(s)
Page 8
Fear String.Concat
Parameterized Queries: use placeholders (bind parameters) instead of concatenating user input
Page 9
Remove String.Concat
s = "SELECT * FROM pet WHERE pet.name = @name"
ps = prepare(s)
ps.bind("@name", input)

s = "SELECT * FROM pet WHERE pet.name = " + input
executeSQL(s)
Page 10
Defense in depth
Page 11
INPUT
EXECUTE
GUARD Exception
Page 12
Defense in Depth
input = GET["username"]
if (whitelist.bad(input)) {
    secLog("reject…");
    throw new Exception();
}
Page 13
Summary
• Most common security coding vulns are variants of the same anti-pattern
• Use easy safe-by-design APIs
  – Entity & Criteria API
  – SQLi is hard =)
• Fear String.Concat
  – String operations are the mother of all evil
  – Parameterize if you must stick to text!
• Defend in Depth!
  – The anti-pattern can also be broken by input validation.
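The three pseudo-code slides (the anti-pattern, the parameterized query, and the allow-list guard) written out as runnable Python against an in-memory SQLite table. This is an added example, not code from the deck; the table contents and the pet-name allow-list are constructed assumptions. A legitimate name containing an apostrophe is enough to show why input spliced into query text is fragile while a bound parameter is not.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory sample table (not from the original deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pet (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO pet (name) VALUES (?)",
                     [("Fido",), ("O'Malley",), ("Rex",)])
    return conn

def find_pet_concat(conn, user_input):
    """The anti-pattern: the input is spliced into the query TEXT."""
    s = "SELECT name FROM pet WHERE pet.name = '" + user_input + "'"
    return [row[0] for row in conn.execute(s)]

def find_pet_parameterized(conn, user_input):
    """Parameterized query: the input is bound as a VALUE, never parsed as SQL."""
    s = "SELECT name FROM pet WHERE pet.name = ?"
    return [row[0] for row in conn.execute(s, (user_input,))]

def compare_lookups(user_input):
    """Run both variants on the same input and report what each one does."""
    conn = make_db()
    try:
        concat = find_pet_concat(conn, user_input)
    except sqlite3.Error as exc:  # the input altered the structure of the SQL
        concat = "ERROR: " + type(exc).__name__
    return {"concat": concat,
            "parameterized": find_pet_parameterized(conn, user_input)}

# Defense in depth: the GUARD step from the slides. The allow-list is an
# assumption for pet names: letters, apostrophe, space, hyphen, 1-40 chars.
NAME_ALLOWLIST = re.compile(r"[A-Za-z' -]{1,40}")

def guarded_lookup(user_input, sec_log):
    """Log and reject anything outside the allow-list BEFORE it reaches the query."""
    if not NAME_ALLOWLIST.fullmatch(user_input):
        sec_log.append("reject: username failed allow-list")
        raise ValueError("input rejected")
    return find_pet_parameterized(make_db(), user_input)

if __name__ == "__main__":
    for name in ("Fido", "O'Malley"):
        print(name, "->", compare_lookups(name))
    log = []
    print(guarded_lookup("Rex", log), log)
```

Note that the guard is the second layer, not a replacement for binding: the parameterized lookup already handles the apostrophe correctly on its own.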