YouTube

Taking on the King: Killing Injection Vulnerabilities - APPSEC Cali 2018

OWASP Foundation via YouTube

Overview

Explore a comprehensive analysis of injection vulnerabilities and their persistent reign in web security in this APPSEC Cali 2018 conference talk. Delve into the reasons behind the long-standing prevalence of injection and cross-site scripting (XSS) vulnerabilities in the OWASP Top 10. Examine the root causes of these security issues and discover potential strategies for their elimination. Learn from Justin Collins, CEO of Brakeman, Inc. and experienced application security engineer, as he shares insights on compiler construction, string manipulation, and ORM usage. Gain valuable knowledge on unsafe interfaces, untrusted libraries, and the importance of query parameters. Understand the role of frameworks, static analysis, and security professionals in combating injection vulnerabilities. Acquire practical tips for building more secure applications and avoiding common pitfalls in code development.

Syllabus

Introduction
Vacation pictures
About me
Survey Monkey
SQL Injection
Top 10
Top 10 2017
Prevalence vs Impact
HackerOne Report
CrowdStrike 2017 Report
Injection Vulnerabilities
Injection Example
Command Injection Example
Cross-site Scripting
Thesis
Compiler Construction
String Manipulation
ORM
Suggestions
Stop providing unsafe interfaces
Examples of unsafe interfaces
Using untrusted libraries
Rails example
Not just developers
Query Parameters
Why the Lucky Stiff
Accepting Code
Restrictions
Building Strings
Tip Floating
C Templates
Parsers
Shell context-aware auto escaping
Frameworks
LangSec
Security Professional
Parameter Statements
Over-Trusting Input
Example
Static Analysis
Libraries
Building new frameworks

Taught by

OWASP Foundation
