Web Framework Security


Web Framework Security
Alex Wehn
What Are Frameworks?

- Web frameworks are software libraries that aim to speed up development.
- Most frameworks include abstractions and automation for common tasks:
  - Database operations
  - Session management
  - Database schema generation
  - Page generation
Why Use a Framework?

- Frameworks speed up development.
- Frameworks simplify development.
- Frameworks exist for all major web languages.
- Frameworks provide structure.
- Frameworks mitigate many common security vulnerabilities.
Frameworks Provide Structure

- Frameworks enforce software architectures; most are based on Model View Controller (MVC).
- Folder structure and naming conventions are usually enforced.
- Structure helps organize large applications.
Frameworks Mitigate Security Vulnerabilities

- SQL injection: an object-relational mapper (ORM) builds parameterized queries instead of string-concatenated SQL.
- Cross-site request forgery: automatic XSRF tokens on state-changing forms.
- Cross-site scripting: security libraries for escaping output.
- Access control: built-in access control lists.
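To make two of these mitigations concrete, here is a hand-written version of what a framework does automatically for XSRF tokens and output escaping. This is an added example, not code from the talk or from any framework; the session store, the `authenticity_token` field name and the sample inputs are constructed for illustration, and only Ruby's standard library is used.

```ruby
require 'securerandom'
require 'erb'

# Hypothetical in-memory session store keyed by session id (constructed for
# this example; a real framework keeps this in a cookie store or database).
SESSIONS = {}

# Issue a fresh session that carries its own random XSRF token.
def new_session
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { csrf_token: SecureRandom.hex(32) }
  sid
end

# Constant-time comparison so a token check does not leak how many leading
# bytes matched through timing differences.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The check a framework runs on every state-changing request (POST/PUT/DELETE)
# before the controller action executes: the token submitted with the form must
# match the token stored in the requester's own session.
def csrf_valid?(sid, submitted_token)
  session = SESSIONS[sid]
  return false if session.nil? || submitted_token.nil?
  secure_compare(session[:csrf_token], submitted_token)
end

# Render a form the way a template engine does: every user-controlled value is
# HTML-escaped on output, and the hidden token field is embedded automatically.
def render_form(sid, prefill_name)
  token = SESSIONS.fetch(sid)[:csrf_token]
  <<~HTML
    <form method="post" action="/profile">
      <input type="hidden" name="authenticity_token" value="#{ERB::Util.html_escape(token)}">
      <input name="name" value="#{ERB::Util.html_escape(prefill_name)}">
    </form>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  sid = new_session
  # Constructed input: markup supplied by a user is rendered as text, not HTML.
  puts render_form(sid, '<script>alert(1)</script>')
  puts csrf_valid?(sid, SESSIONS[sid][:csrf_token])  # true
  puts csrf_valid?(sid, 'forged')                     # false
end
```

The point of the example is where the protection lives: the token is bound to the session and checked before any controller code runs, and escaping happens at the template layer rather than relying on each developer to remember it. A framework wires both in by default, which is why the slide lists them as mitigations rather than as things the application author has to build.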
Reasons Against Web Frameworks

- Enforced structure may be too restrictive or may not fit the project.
- Frameworks do not protect against all security vulnerabilities.
Security Vulnerabilities in Frameworks

- Frameworks provide a common codebase that can be targeted: one flaw affects every application built on it.
- Features of a framework may go unused by the application yet still be present and reachable.
- Frameworks give attackers knowledge of how an application is constructed.
Ruby on Rails YAML Flaw

- Discovered early this year.
- Rails uses YAML for reading configuration files.
- Deserializing a crafted YAML document can cause arbitrary code to be executed.
- Rails used YAML to implement JSON parsing as well as for many other functions.
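The underlying issue is a YAML loader that honours type tags and builds whatever Ruby object a document names. The following added example, not from the talk or from Rails, shows the loading discipline a defender wants for configuration and for any YAML that came from the network: plain data only, with tagged objects rejected before anything is instantiated. It assumes Psych, Ruby's bundled YAML library; both YAML documents are constructed samples.

```ruby
require 'yaml'

# A configuration file of the kind Rails reads: scalars, maps and sequences only.
# Constructed sample, not from any real project.
TRUSTED_CONFIG = <<~YAML
  development:
    adapter: sqlite3
    database: db/development.sqlite3
    pool: 5
YAML

# The same shape, but one value carries a Ruby type tag.  A loader that honours
# tags would construct the named class while parsing, before the application
# ever looks at the data.  Constructed sample using a harmless stdlib class.
TAGGED_DOCUMENT = <<~YAML
  development: !ruby/object:OpenStruct
    table:
      adapter: sqlite3
YAML

# Load YAML the way configuration and request bodies should be loaded: only
# the plain data types (String, Integer, Float, true/false, nil, Array, Hash).
# permitted_classes: [] means every type tag is an error; aliases: false also
# rejects anchor/alias references so the parser cannot be made to expand them.
def load_config(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Classify a document: :ok for plain data, :rejected when it tries to build
# something other than plain data.  Psych::BadAlias is the parent of the
# alias-disabled error in current Psych, so both cases are covered.
def config_status(text)
  load_config(text)
  :ok
rescue Psych::DisallowedClass, Psych::BadAlias
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  p load_config(TRUSTED_CONFIG)       # plain nested Hash
  p config_status(TAGGED_DOCUMENT)    # :rejected
end
```

The same rule applies to the JSON-over-YAML case the slide mentions: if a JSON body is handed to a YAML parser, it must be the restricted loader, because the tag syntax that YAML accepts is exactly what JSON never needed. A symptom to watch for in logs is `Psych::DisallowedClass` raised on requests that should only ever carry plain data.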
Questions?