Blog

Avoiding other injections

Secure coding practices prescribe that spring expressions using dynamic values should be avoided.

schedule a call

Directory traversal

Pseudocode example:

with open('/tmp/'+json_req["id"],'r') as f:
	process(f.read())

sidenote: URLs

requests.get("https://url/api/object/{}".format(json_req["id"]))

turns into

GET /api/object/asd/../../admin/get_env HTTP/1.1

Mitigation

input validation
taint analysis
WAF

anything-with-a-query-language injection

in general, treat executing string-based queries with caution
even the simplest query languages allow for some form of request tampering examples: connections strings, LDAP, XPath

case: JSON IAM policy injection

application hosts Word documents on an S3 bucket
provides users with a URL with signed policy upon request
JSON treated as a string, injecting JSON chars into the URL allows to add claims

String policy = "{{'resource':'{}'}}"; // example
sign(policy.format(document_name));

Avoiding injection vulnerabilities

Injection attacks refer to a broad class of attack vectors. In an injection attack, an attacker supplies untrusted input to… Read more

Avoiding XSS injection vulnerabilities

In this section, we'll describe some general principles for preventing cross-site scripting vulnerabilities and ways of using various common technologies Read more

Avoiding OS command injection

Every command call and dynamic code generation method is a ticking bomb and must be handled accordingly. Read more