Following David’s presentation “Breaking Bad – Season Two” at ScotSoft 2017, this post contains the remediation advice and further reading notes on the matters presented.
Episode 1 – BREAKAGE
(XML deserialisation attacks for fun and profit)
- Avoid trusting frameworks with your security!
- Use alternative data formats
- Only deserialise signed data
Further reading: https://www.owasp.org/index.php/Deserialization_Cheat_Sheet
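The "use an alternative data format" and "only deserialise signed data" points combined, as an added Python example that is not from the talk: the payload is plain JSON (no object graph to hijack), it is wrapped with an HMAC-SHA256 tag, and the receiver verifies the tag in constant time before any parsing happens. The shared key and envelope layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example only; a real service loads it from a secret store.
SECRET_KEY = b"example-shared-secret-not-for-production"


def sign_payload(obj, key=SECRET_KEY):
    """Serialise a plain dict to canonical JSON and wrap it with an HMAC-SHA256 tag."""
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return {
        "payload": base64.b64encode(raw).decode("ascii"),
        "sig": base64.b64encode(tag).decode("ascii"),
    }


def load_signed_payload(envelope, key=SECRET_KEY):
    """Verify the tag first, parse second. Raises ValueError on any failure."""
    try:
        raw = base64.b64decode(envelope["payload"], validate=True)
        tag = base64.b64decode(envelope["sig"], validate=True)
    except (KeyError, TypeError, ValueError):
        raise ValueError("malformed envelope")
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("signature mismatch: refusing to deserialise")
    # json.loads only ever yields dicts, lists, strings, numbers, booleans and None,
    # so there is no type resolution for an attacker to steer, unlike XML/object deserialisers.
    return json.loads(raw.decode("utf-8"))


if __name__ == "__main__":
    env = sign_payload({"user": "alice", "role": "reader"})
    print(load_signed_payload(env))
    # Swap in a payload signed under a different tag: verification fails before parsing runs.
    forged = {"payload": sign_payload({"user": "alice", "role": "admin"})["payload"], "sig": env["sig"]}
    try:
        load_signed_payload(forged)
    except ValueError as exc:
        print("rejected:", exc)
```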
Episode 2 – PEEKABOO
(XSS is more than a popup box!)
- Validate input against what is actually required
- Whitelisting
- Avoid blacklisting
- Output encoding
Further reading: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Episode 3 – BIT BY A DEAD BEE
(Undone by 3rd Party Active Content)
- Avoid trusting external sources
- Host scripts within your own domain
- Maintain current versions
- Due diligence
Further reading: https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet