skfchatbot
@skfchatbot
@lsec0ni 47 Code system commands (10:22:42 AM)
@lsec0ni 45 Code enforce secure password (10:22:42 AM)
lsec0ni
@lsec0ni
@skfchatbot 52
skfchatbot
@skfchatbot
@lsec0ni 0 Code xsl injection prevention in java (10:23:15 AM)
@lsec0ni 2 Code xsl injection prevention in flask (10:23:15 AM)
@lsec0ni 4 Code xsl injection prevention in ruby (10:23:15 AM)
@lsec0ni 3 Code xsl injection prevention in django (10:23:15 AM)
@lsec0ni 1 Code xsl injection prevention in php (10:23:15 AM)
lsec0ni
@lsec0ni
@skfchatbot 4
skfchatbot
@skfchatbot

@lsec0ni Code for XSL Injection prevention

Example:

# In order to prevent XSL injection you must enforce a strict policy whenever the
# files are loaded from a source controlled by a possible attacker.

# Let's say for example that the user can choose from several XSL files in your application.

# ABC.xsl arranges your employee names in alphabetical order
# CBA.xsl does not care and just shows the input in the order of your XML file.

# Before we attach the XSL file to the style sheet we first want to
# validate the request to make sure the included file is one of our own
# predefined files, example:
# check_pattern(params[:xslfile], "file1.xsl,file2.xsl,etc")

require 'nokogiri'

# Include the classes of which you want to use objects from
# (check_pattern is declared there; see the "Whitelisting" code example)
require_relative 'classes'

class IncludeXSL
  def including(param, white_list)
    # Only proceed when the requested file name is one of the predefined names
    return nil unless check_pattern(param, white_list)

    document = Nokogiri::XML(File.read('input.xml'))
    # Load the whitelisted stylesheet the user selected, never a name built from raw input
    template = Nokogiri::XSLT(File.read(param))

    template.transform(document)
  end
end

Code language is ruby (10:23:26 AM)

lsec0ni
@lsec0ni
@skfchatbot ASVS clause
skfchatbot
@skfchatbot
@lsec0ni Please be more specific (10:24:06 AM)
lsec0ni
@lsec0ni
@skfchatbot "Server Side Request Forgery"
skfchatbot
@skfchatbot
@lsec0ni 2 Solution client side authentication (4:00:40 AM)
@lsec0ni 10 Solution client side input validation (4:00:40 AM)
@lsec0ni 5 Solution do not support untrusted client side technologies (4:00:40 AM)
@lsec0ni 13 Solution cross site request forgery (4:00:40 AM)
@lsec0ni 0 Solution client side storage (4:00:40 AM)
@lsec0ni 4 Solution user generated session ids should be rejected by the server (4:00:40 AM)
@lsec0ni 6 Solution session information is not stored server side (4:00:40 AM)
@lsec0ni 3 Solution http request methods (4:00:40 AM)
@lsec0ni 14 Solution servers must not be trusted without explicit authentication (4:00:40 AM)
@lsec0ni 1 Solution server side validation (4:00:40 AM)
@lsec0ni 16 Solution aggregate user requests (4:00:40 AM)
@lsec0ni 8 Solution logging implemented on the serverside (4:00:40 AM)
@lsec0ni 7 Solution client side state management (4:00:40 AM)
@lsec0ni 12 Solution file upload outside document root (4:00:40 AM)
@lsec0ni 15 Solution get post requests (4:00:40 AM)
@lsec0ni 11 Solution sensitive information stored alongside the source code (4:00:40 AM)
@lsec0ni 17 Solution client side constraints (4:00:40 AM)
@lsec0ni 9 Solution html caching and client side caching (4:00:40 AM)
Hemant
@hemantj99
@skfchatbot code example for xml
skfchatbot
@skfchatbot
@Hemant (hemantj99) 4 Code crossdomain xml (9:04:28 PM)
@Hemant (hemantj99) 0 Code crossdomain.xml (9:04:28 PM)
@Hemant (hemantj99) 2 Code xml injection prevention (9:04:28 PM)
@Hemant (hemantj99) 7 Code xml external entities (9:04:28 PM)
@Hemant (hemantj99) 6 Code crossdomain.xml (9:04:28 PM)
@Hemant (hemantj99) 5 Code encoder (9:04:28 PM)
@Hemant (hemantj99) 1 Code encoder sql esapi (9:04:28 PM)
@Hemant (hemantj99) 3 Code xmlprevention (9:04:28 PM)
Hemant
@hemantj99
@skfchatbot 2
skfchatbot
@skfchatbot
@Hemant (hemantj99) 0 Code xml injection prevention in asp (9:04:39 PM)
@Hemant (hemantj99) 4 Code xml injection prevention in ruby (9:04:39 PM)
@Hemant (hemantj99) 3 Code xml injection prevention in django (9:04:39 PM)
@Hemant (hemantj99) 2 Code xml injection prevention in flask (9:04:39 PM)
@Hemant (hemantj99) 1 Code xml injection prevention in php (9:04:39 PM)
Hemant
@hemantj99
@skfchatbot 0
skfchatbot
@skfchatbot

@Hemant (hemantj99) Code for XML injection prevention

Example:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text.RegularExpressions;
using System.IO;
using System.Xml;

namespace MvcApplication1.Controllers
{
    public class storeXML
    {
        public void storeFunction(string name, string lastName, string gender)
        {
            /*
            First we import our input validation control class. For more detailed information about
            input validation check the code examples for "Input validation" & "Single input validation".
            */
            inputValidationControl validate = new inputValidationControl();

            bool doFunction = true;
            // If the validation function returns false, we do not execute the function;
            // see the "input validation" code example for more detailed information about this function
            if (validate.validateInput(name, "alphanumeric", "Invalid userinput name", "HIGH") == false)         { doFunction = false; }
            if (validate.validateInput(lastName, "alphanumeric", "Invalid userinput lastname", "HIGH") == false) { doFunction = false; }
            if (validate.validateInput(gender, "alphanumeric", "Invalid userinput gender", "HIGH") == false)     { doFunction = false; }

            if (doFunction)
            {
                // Only after validation do we proceed to the XmlWriter, which inserts the parameters
                // as element content. XmlWriter escapes markup characters (<, >, &) in content, so the
                // values cannot inject new elements or attributes into the document.
                using (XmlWriter writer = XmlWriter.Create(@"C:\Users\Public\xml\register.xml"))
                {
                    writer.WriteStartElement("person");
                    writer.WriteElementString("name", name);
                    writer.WriteElementString("lastname", lastName);
                    writer.WriteElementString("gender", gender);
                    writer.WriteEndElement();
                    writer.Flush();
                }
            }
        }
    }
}

/*
Now we prevented malicious user input from coming into your XML file.
NOTE: Input validation is the first line of defense; the XmlWriter additionally escapes
      markup characters in element content, so a value cannot break out of its element.
      Do not forget to also properly encode the data as a last line of defense when it is
      rendered elsewhere.
      This example only writes XML. When you read the file back, make sure the parser
      disables DTD processing / external entities (XmlReaderSettings.DtdProcessing =
      DtdProcessing.Prohibit, which is the default in .NET 4.0 and later) in order to
      prevent XXE injections. If you choose another parser, check that it disables these
      entities as well.
*/

Code language is asp (9:04:51 PM)

asurwade
@asurwade
@skfchatbot what is XSS?