Further reading from ScotSoft 2017

Following David’s presentation “Breaking Bad – Season Two” at ScotSoft 2017, this post contains the remediation advice and further reading notes on the matters presented.

Episode 1 – BREAKAGE

(XML deserialisation attacks for fun and profit)

  • Avoid trusting frameworks with your security!
  • Use alternative data formats
  • Only deserialise signed data

Further reading: https://www.owasp.org/index.php/Deserialization_Cheat_Sheet

Episode 2 – PEEKABOO

(XSS is more than a popup box!)

  • Validate input against what the field actually requires
  • Prefer white listing (accept only known-good input)
  • Avoid black listing (trying to block known-bad input)
  • Encode output for the context it is rendered into

Further reading: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Episode 3 – BIT BY A DEAD BEE

(Undone by 3rd Party Active Content)

  • Avoid trusting external sources
  • Host scripts within your own domain
  • Keep third-party libraries at current, patched versions
  • Do due diligence on each third-party provider before including its code

Further reading: https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet