writing secure code
play

Writing Secure Code Wash all user-submitted data Vulnerabilities - PowerPoint PPT Presentation

Sep 06, 2022 •492 likes •681 views

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

  1. Writing Secure Code Wash all user-submitted data

  2. Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a query

  3. How Drupal Handles Input Data is saved as-is into the database. Data gets ‘washed’ on output. Burden lies with module and theme developers. Drupal gives you the tools. You must use them.

  4. Text Formats /admin/config/content/ formats Plain Text Filters Display any HTML as plain text <div class=”blue”>Hello!</div> becomes &lt;div class="blue"&gt;Hello!&lt;/ div&gt;

  5. Text Formats /admin/config/content/ formats Filtered HTML Filters Limit allowed HTML tags <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> JavaScript event attributes, JavaScript URLs, and CSS are always stripped. <div class=”blue”>Hello!</div> becomes Hello! <code class="blue" style="border:1px;">Hello!</code> becomes <code class=”blue”>Hello!</code>

  6. Text Formats /admin/config/content/ formats Full HTML Filters

  7. How You Handle Output Burden lies with module and theme developers. Drupal gives you the tools. You must use them.

  8. Wash Your Output http://api.drupal.org/api/drupal/includes-- common.inc/group/sanitization/7 check_plain() t() check_markup() filter_xss() check_url() & l() filter_xss_admin()

  9. check_plain( $text ) To be used when inserting plain text into HTML. No HTML is output. Uses the encoded special characters instead. <a href='test'>Test</a> &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

  10. check_markup( $text, $format_id = NULL, $langcode = '', $cache = FALSE ) To be used when inserting rich text into HTML. Allows you to specify the format ID that corresponds with the ‘text format’ you want to use. Falls back to the system default. $newtext = check_markup($text, ‘filtered_html’);

  11. check_url( $uri ) l( $text, $path, array $options = array() ) check_url() Strips dangerous protocols (e.g. 'javascript:') from a URI and encodes it for output to an HTML attribute value. Allows 'ftp', 'http', 'https', 'irc', 'mailto', 'news', 'nntp', 'rtsp', 'sftp', 'ssh', 'tel', 'telnet', 'webcal' l() constructs a full HTML link utilizing url() for the href attribute and also sanitizes the link title.

  12. t( $string, $args = array(), $options = array() ) Allows strings to be translatable. Must use variable substitution for ANY variable. $text = t("@name's blog", array('@name' => format_username($account))); !variable: Inserted as is. Use this for text that has already been sanitized. @variable: Escaped to HTML using check_plain(). Use this for anything displayed on a page on the site. %variable: Escaped as a placeholder for user-submitted content using drupal_placeholder(), which shows up as <em>emphasized</em> text.

  13. filter_xss( $string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd') ) Filters an HTML string to prevent cross-site- scripting (XSS) vulnerabilities. Removes characters and constructs that can trick browsers. Makes sure all HTML entities are well-formed. Makes sure all HTML tags and attributes are well-formed. Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

  14. filter_xss_admin( $string ) Very permissive XSS/HTML filter for admin-only use. Use only for fields where it is impractical to use the whole filter system, but where some (mainly inline) mark-up is desired (so check_plain() is not acceptable). Allows all tags that can be used inside an HTML body, save for scripts and styles.

  15. Sending Email drupal_mail( $module, $key, $to, $language, $params = array(), $from = NULL, $send = TRUE ); Sending an e-mail works with defining an e-mail template (subject, text and possibly e-mail headers) and the replacement values to use in the appropriate places in the template. Doesn’t allow headers to be injected. Users cannot add a Bcc via the subject line

  16. Drupal Forms Drupal Forms API (FAPI) protects against XSRF using a token and session system that checks for validity of POST data.

  17. SQL Injection The query builder with variable replacement uses the database API to safely handle the data db_merge( 'example' ) ->key( array('name' => $name) ) ->fields( array( 'field1' => $value1, 'field2' => $value2,) ) ->execute();

  18. Wash All User-submitted Data On Output Don’t trust what people enter in your site. Use the tools that Drupal provides to protect yourself against vulnerabilities. Documentation http://drupal.org/writing-secure-code Sanitization functions http://api.drupal.org/api/drupal/includes-- common.inc/group/sanitization/7

Recommend

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER 1 . 2 WRITING FASTER PYTHON @SebaWitowski 1 . 3 PYTHON WAS NOT MADE TO BE FAST... ...BUT TO MAKE DEVELOPERS FAST. 2 . 1 It was nice to

451 views • 43 slides
Code profilers and profiling When writing code, we generally have some feel for how

Code profilers and profiling When writing code, we generally have some feel for how

Code profilers and profiling When writing code, we generally have some feel for how effiicient it is (run time and/or memory use) That might be supported by big-O complexity analysis of the algorithms we use (e.g. O(logN), O(N), etc)

357 views • 8 slides
Software Engineering and Architecture Writing Clean Code Motivation Code is written to

Software Engineering and Architecture Writing Clean Code Motivation Code is written to

Software Engineering and Architecture Writing Clean Code Motivation Code is written to Be compiled, deployed, and executed by users in order to serve their need So we make money, get salaries and can buy presents for our spouses (or

684 views • 35 slides
WRITING QUALITY CODE IDEAS, TECHNIQUES AND TOOLS FOR IMPROVING THE QUALITY OF WRITTEN CODE

WRITING QUALITY CODE IDEAS, TECHNIQUES AND TOOLS FOR IMPROVING THE QUALITY OF WRITTEN CODE

WRITING QUALITY CODE IDEAS, TECHNIQUES AND TOOLS FOR IMPROVING THE QUALITY OF WRITTEN CODE Radosaw Jankiewicz / @radek_j / radekj WHO AM I Programming in Python since 2007 Web applications (mostly) RANDOM FACT... AGENDA 1. Definition

881 views • 53 slides
Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code

Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code

Error Handling Input-Output Writing Better Code Principles of Programming CM10227 Lecture D.11: Java: Error Handling &amp; Writing Better Code Dr. Marina De Vos University of Bath Ext: 5053 Academic Year 2012-2013 Lecture D.10. (MDV)

844 views • 81 slides
CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with

CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with

CS201 RECITATION 1 Introduction to C++ Outline Part 1 : Writing and debugging code with CodeBlocks Part 2 : Porting, compiling and testing in Dijkstra Part 3 : Using and understanding header files Part 1: Writing and debugging code with

1.03k views • 74 slides
Scripting for Multimedia PRE-LAB 2: WRITING, TESTING, AND DEBUGGING JAVASCRIPT Writing

Scripting for Multimedia PRE-LAB 2: WRITING, TESTING, AND DEBUGGING JAVASCRIPT Writing

Scripting for Multimedia PRE-LAB 2: WRITING, TESTING, AND DEBUGGING JAVASCRIPT Writing test-driven code Test-driven development (TDD) is a great way to write code and learn about code You can write your test without having to write a

418 views • 27 slides
White Box Testing &amp; Code Inspections Engineering Secure Software Last Revised: September 28,

White Box Testing &amp; Code Inspections Engineering Secure Software Last Revised: September 28,

White Box Testing &amp; Code Inspections Engineering Secure Software Last Revised: September 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 The Power of Source Code White box testing Testers have intimate knowledge

382 views • 15 slides
11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing

11-823 Conlanging Writing Writing Systems Different Writing Systems What makes a writing system Standardization vs Historical artifacts Constructed Writing Systems Computing and its influence on writing Types of Writing

528 views • 24 slides
Math for VGG 1 Intro I am writing this to help you understand what the code is doing. Its

Math for VGG 1 Intro I am writing this to help you understand what the code is doing. Its

Math for VGG 1 Intro I am writing this to help you understand what the code is doing. Its still work in progress, toward making it more reader friendly. At this point, its just a bunch of math formulas you do not want to follow. 2

438 views • 7 slides
Writing better code with Writing better code with help from the compiler help from the compiler

Writing better code with Writing better code with help from the compiler help from the compiler

Writing better code with Writing better code with help from the compiler help from the compiler Thiago Macieira Thiago Macieira Qt Developer Days &amp; LinuxCon Europe October/2014 Qt Developer Days &amp; LinuxCon Europe October/2014

593 views • 32 slides
System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario Werner May 7, 2020 Graz University of Technology Why do we care about code? www.tugraz.at 10:20 July 18 W i r e l e s s - G A D S L G

599 views • 49 slides
On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture

On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture

International Workshop on OMNeT++ Code Contribution On the Implementation Code of the Secure Mesh Routing Protocol PASER in OMNeT++: The Big Picture Mohamad Sbeiti and Christian Wietfeld 05.03.2013 Faculty of Electrical and Computing

463 views • 7 slides
Programming style is a set of rules or guidelines used when writing ... code.

Programming style is a set of rules or guidelines used when writing ... code.

STYLE what ? Programming style is a set of rules or guidelines used when writing ... code. https://en.wikipedia.org/wiki/Programming_style Style concerns everything: files, functions, objects, arguments, names, spacing, indenting,

287 views • 15 slides
Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout

Secure Drupal Development Steven Van den Hout Steven Van den Hout @stevenvdhout http://dgo.to/@svdhout SECURE? 1 IS D DRUPAL AL S IS OPEN SOURCE SECURE? MANY EYES MAKE FOR SECURE CODE - Security by obscurity - Open

641 views • 51 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
$TITLE: M5-3.GMS reading from and writing to EXCEL $ontext demonstrate reading and writing

$TITLE: M5-3.GMS reading from and writing to EXCEL $ontext demonstrate reading and writing

C:\jim\COURSES\8858\code-bk 2012\M5-3.gms Monday, January 09, 2012 7:08:29 AM Page 1 $TITLE: M5-3.GMS reading from and writing to EXCEL $ontext demonstrate reading and writing from/to excel here we read in from file M5.XLS, data is found in

174 views • 4 slides
Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running

Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running

Unix Development Data Structures Lab: Comp Sci 1585 Unix Philosophy, Text Editors, IDEs Assignment In-Class Writing code Building / Running Code::Blocks Environments Integrated philosophy Kate Notepad++ Atom Emacs Vim nano Text

579 views • 38 slides
CODE COVERAGE ISNT COVERAGE Wayne Roseberry Microsoft Author of Writing Test Plans Made

CODE COVERAGE ISNT COVERAGE Wayne Roseberry Microsoft Author of Writing Test Plans Made

CODE COVERAGE ISNT COVERAGE Wayne Roseberry Microsoft Author of Writing Test Plans Made Easy The Rules People respond to rewards and punishments Dont Chase The Numbers High Code Coverage &lt;&gt; Good But low coverage

388 views • 12 slides
Functions Ch 4-5 Functions So far we have been writing code inside main() without understanding

Functions Ch 4-5 Functions So far we have been writing code inside main() without understanding

Functions Ch 4-5 Functions So far we have been writing code inside main() without understanding some parts of it copy paste this, else computer throws fit Dunno what this does but I can forget it and Why zero? computer doesn't care

291 views • 14 slides
Understanding User Cognition: from Everyday Behavior and Spatial Ability to Code Writing and

Understanding User Cognition: from Everyday Behavior and Spatial Ability to Code Writing and

Understanding User Cognition: from Everyday Behavior and Spatial Ability to Code Writing and Review Yu Huang University of Michigan Dec 11, 2019 Break Down the Title A standard workday of a software developer Problem Introduction and

1.5k views • 121 slides
Understanding User Cognition: from Everyday Behavior and Spatial Ability to Code Writing and

Understanding User Cognition: from Everyday Behavior and Spatial Ability to Code Writing and

Understanding User Cognition: from Everyday Behavior and Spatial Ability to Code Writing and Review Yu Huang University of Michigan Dec 11, 2019 Break Down the Title A standard workday of a software developer Problem Introduction and

1.64k views • 114 slides
Writing Home 8: Formal and Informal Writing We We use formal language for: Writing to

Writing Home 8: Formal and Informal Writing We We use formal language for: Writing to

Writing Home 8: Formal and Informal Writing We We use formal language for: Writing to someone we dont know Writing for a large audience such as in a newspaper article Writing non-fiction such as instructions, explanations or

209 views • 6 slides
Software Engineering I cs361 Announcements GitKraken gitkraken.com Writing Assignment 3

Software Engineering I cs361 Announcements GitKraken gitkraken.com Writing Assignment 3

Software Engineering I cs361 Announcements GitKraken gitkraken.com Writing Assignment 3 Feedback Code Reviews Showing off code For the sake of common interest http://fabiensanglard.net/ prince_of_persia/index.php Attribution Much

575 views • 32 slides

More recommend