Blog

Avoiding other injections

Secure coding practices prescribe that spring expressions using dynamic values should be avoided.

schedule a call

Directory traversal

Pseudocode example:

with open('/tmp/'+json_req["id"],'r') as f:
	process(f.read())

sidenote: URLs

requests.get("https://url/api/object/{}".format(json_req["id"]))

turns into

GET /api/object/asd/../../admin/get_env HTTP/1.1

Mitigation

input validation
taint analysis
WAF

anything-with-a-query-language injection

in general, treat executing string-based queries with caution
even the simplest query languages allow for some form of request tampering examples: connections strings, LDAP, XPath

case: JSON IAM policy injection

application hosts Word documents on an S3 bucket
provides users with a URL with signed policy upon request
JSON treated as a string, injecting JSON chars into the URL allows to add claims

String policy = "{{'resource':'{}'}}"; // example
sign(policy.format(document_name));

Avoiding XSS injection vulnerabilities

In this section, we'll describe some general principles for preventing cross-site scripting vulnerabilities and ways of using various common technologies Read more

Avoiding OS command injection

Every command call and dynamic code generation method is a ticking bomb and must be handled accordingly. Read more

Avoiding Templates injection

The best way to prevent server-side template injection is to not allow any users to modify or submit new templates. Read more