SlideShare une entreprise Scribd logo

Secure Scripting

Aung Khant
Aung Khant
Technologie
1  sur  5
Télécharger pour lire hors ligne
A BRIEF INTRODUCTION TO SECURE SCRIPTING Contents 1. Introduction 2. Input taint checking 3. String manipulation 4. File manipulation 5. Use of system calls 6. Variable declaration 1. Introduction These days there are a lot of people that release scripts and programs on to the Internet which people will then download and use without a second thought that they may contain the simplest of security holes which can allow malicious people to attack their servers. In this paper i intend to address some of the common mistakes that are made by the programmers releasing these programs, and how it should be written properly. The paper will mainly focus on Common Gateway Interface (CGI) scripts with examples written in perl (in my opinion the most common language used to write CGI scripts). The paper is, however, relevant to all languages, not just perl. The main way in which CGI scripts are exploited is by a user presenting it with values that
Secure Scripting
Secure Scripting
Secure Scripting
Secure Scripting

Recommandé

Practice of AppSec .NET
Practice of AppSec .NETPractice of AppSec .NET
Practice of AppSec .NETMikhail Shcherbakov
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Frameworkn|u - The Open Security Community
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22 Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22 dandb-technology
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Web Security Overview and Demo
Web Security Overview and DemoWeb Security Overview and Demo
Web Security Overview and DemoTony Bibbs
 

Recommandé

Practice of AppSec .NET
Practice of AppSec .NETPractice of AppSec .NET
Practice of AppSec .NETMikhail Shcherbakov
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Frameworkn|u - The Open Security Community
 
Continuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityContinuous security testing - sharing responsibility
Continuous security testing - sharing responsibilityVodqaBLR
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22 Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22 dandb-technology
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security TopicsShawn Gorrell
 
Web Security Overview and Demo
Web Security Overview and DemoWeb Security Overview and Demo
Web Security Overview and DemoTony Bibbs
 
Web App Sec Tisc
Web App Sec TiscWeb App Sec Tisc
Web App Sec TiscAung Khant
 
Protecting Web Based Applications
Protecting Web Based ApplicationsProtecting Web Based Applications
Protecting Web Based ApplicationsAung Khant
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection PaperAung Khant
 
Web Firewall Criteriav1.0
Web Firewall Criteriav1.0Web Firewall Criteriav1.0
Web Firewall Criteriav1.0Aung Khant
 
Trust Survey Online Banking
Trust Survey Online BankingTrust Survey Online Banking
Trust Survey Online BankingAung Khant
 
Securing Php App
Securing Php AppSecuring Php App
Securing Php AppAung Khant
 
Security Engineeringwith Patterns
Security Engineeringwith PatternsSecurity Engineeringwith Patterns
Security Engineeringwith PatternsAung Khant
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tourGiacomo De Liberali
 
Common Gateway Interface ppt
Common Gateway Interface pptCommon Gateway Interface ppt
Common Gateway Interface pptOECLIB Odisha Electronics Control Library
 
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)CSCJournals
 
‘CodeAliker’ - Plagiarism Detection on the Cloud
‘CodeAliker’ - Plagiarism Detection on the Cloud ‘CodeAliker’ - Plagiarism Detection on the Cloud
‘CodeAliker’ - Plagiarism Detection on the Cloud acijjournal
 
10290057.ppt
10290057.ppt10290057.ppt
10290057.pptImXaib
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
Cgi
CgiCgi
CgiGirish Srivastava
 
Online java compiler with security editor
Online java compiler with security editorOnline java compiler with security editor
Online java compiler with security editorIRJET Journal
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis toolscmGalaxy Inc
 
FuzzyDbg_Report.pdf
FuzzyDbg_Report.pdfFuzzyDbg_Report.pdf
FuzzyDbg_Report.pdfritviktanksalkar1
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesAlex Senkevitch
 
php blunders
php blundersphp blunders
php blundersdecatv
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET Journal
 

Contenu connexe

En vedette

Web App Sec Tisc
Web App Sec TiscWeb App Sec Tisc
Web App Sec TiscAung Khant
 
Protecting Web Based Applications
Protecting Web Based ApplicationsProtecting Web Based Applications
Protecting Web Based ApplicationsAung Khant
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection PaperAung Khant
 
Web Firewall Criteriav1.0
Web Firewall Criteriav1.0Web Firewall Criteriav1.0
Web Firewall Criteriav1.0Aung Khant
 
Trust Survey Online Banking
Trust Survey Online BankingTrust Survey Online Banking
Trust Survey Online BankingAung Khant
 
Securing Php App
Securing Php AppSecuring Php App
Securing Php AppAung Khant
 
Security Engineeringwith Patterns
Security Engineeringwith PatternsSecurity Engineeringwith Patterns
Security Engineeringwith PatternsAung Khant
 

En vedette (7)

Web App Sec Tisc
Web App Sec TiscWeb App Sec Tisc
Web App Sec Tisc
 
Protecting Web Based Applications
Protecting Web Based ApplicationsProtecting Web Based Applications
Protecting Web Based Applications
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection Paper
 
Web Firewall Criteriav1.0
Web Firewall Criteriav1.0Web Firewall Criteriav1.0
Web Firewall Criteriav1.0
 
Trust Survey Online Banking
Trust Survey Online BankingTrust Survey Online Banking
Trust Survey Online Banking
 
Securing Php App
Securing Php AppSecuring Php App
Securing Php App
 
Security Engineeringwith Patterns
Security Engineeringwith PatternsSecurity Engineeringwith Patterns
Security Engineeringwith Patterns
 

Similaire à Secure Scripting

Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)CSCJournals
 
‘CodeAliker’ - Plagiarism Detection on the Cloud
‘CodeAliker’ - Plagiarism Detection on the Cloud ‘CodeAliker’ - Plagiarism Detection on the Cloud
‘CodeAliker’ - Plagiarism Detection on the Cloud acijjournal
 
10290057.ppt
10290057.ppt10290057.ppt
10290057.pptImXaib
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
Online java compiler with security editor
Online java compiler with security editorOnline java compiler with security editor
Online java compiler with security editorIRJET Journal
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis toolscmGalaxy Inc
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesAlex Senkevitch
 
php blunders
php blundersphp blunders
php blundersdecatv
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET Journal
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsIJTET Journal
 
Program security
Program securityProgram security
Program securityG Prachi
 
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingDEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingFelipe Prado
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 

Similaire à Secure Scripting (20)

Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
 
Node.js security tour
Node.js security tourNode.js security tour
Node.js security tour
 
Common Gateway Interface ppt
Common Gateway Interface pptCommon Gateway Interface ppt
Common Gateway Interface ppt
 
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
 
‘CodeAliker’ - Plagiarism Detection on the Cloud
‘CodeAliker’ - Plagiarism Detection on the Cloud ‘CodeAliker’ - Plagiarism Detection on the Cloud
‘CodeAliker’ - Plagiarism Detection on the Cloud
 
10290057.ppt
10290057.ppt10290057.ppt
10290057.ppt
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
Cgi
CgiCgi
Cgi
 
Online java compiler with security editor
Online java compiler with security editorOnline java compiler with security editor
Online java compiler with security editor
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
 
FuzzyDbg_Report.pdf
FuzzyDbg_Report.pdfFuzzyDbg_Report.pdf
FuzzyDbg_Report.pdf
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
 
php blunders
php blundersphp blunders
php blunders
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of Code
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence Flaws
 
Program security
Program securityProgram security
Program security
 
Staying above a rising security waterline.
Staying above a rising security waterline.Staying above a rising security waterline.
Staying above a rising security waterline.
 
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzingDEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
DEF CON 23 - Saif el-sherei and etienne stalmans - fuzzing
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 

Plus de Aung Khant

Introducing Msd
Introducing MsdIntroducing Msd
Introducing MsdAung Khant
 
Securing Web Server Ibm
Securing Web Server IbmSecuring Web Server Ibm
Securing Web Server IbmAung Khant
 
Security Design Patterns
Security Design PatternsSecurity Design Patterns
Security Design PatternsAung Khant
 
Security Code Review
Security Code ReviewSecurity Code Review
Security Code ReviewAung Khant
 
Security Engineering Executive
Security Engineering ExecutiveSecurity Engineering Executive
Security Engineering ExecutiveAung Khant
 
Security Web Servers
Security Web ServersSecurity Web Servers
Security Web ServersAung Khant
 
Security Testing Web App
Security Testing Web AppSecurity Testing Web App
Security Testing Web AppAung Khant
 
Session Fixation
Session FixationSession Fixation
Session FixationAung Khant
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv OwaspAung Khant
 
Php Security Iissues
Php Security IissuesPhp Security Iissues
Php Security IissuesAung Khant
 
Sql Injection White Paper
Sql Injection White PaperSql Injection White Paper
Sql Injection White PaperAung Khant
 
S Vector4 Web App Sec Management
S Vector4 Web App Sec ManagementS Vector4 Web App Sec Management
S Vector4 Web App Sec ManagementAung Khant
 
Php Security Value1
Php Security Value1Php Security Value1
Php Security Value1Aung Khant
 
Privilege Escalation
Privilege EscalationPrivilege Escalation
Privilege EscalationAung Khant
 
Php Security Workshop
Php Security WorkshopPhp Security Workshop
Php Security WorkshopAung Khant
 
Preventing Xs Sin Perl Apache
Preventing Xs Sin Perl ApachePreventing Xs Sin Perl Apache
Preventing Xs Sin Perl ApacheAung Khant
 
Protecting Web App
Protecting Web AppProtecting Web App
Protecting Web AppAung Khant
 
Search Attacks
Search AttacksSearch Attacks
Search AttacksAung Khant
 

Plus de Aung Khant (20)

Introducing Msd
Introducing MsdIntroducing Msd
Introducing Msd
 
Securing Web Server Ibm
Securing Web Server IbmSecuring Web Server Ibm
Securing Web Server Ibm
 
Security Design Patterns
Security Design PatternsSecurity Design Patterns
Security Design Patterns
 
Security Code Review
Security Code ReviewSecurity Code Review
Security Code Review
 
Security Engineering Executive
Security Engineering ExecutiveSecurity Engineering Executive
Security Engineering Executive
 
Security Web Servers
Security Web ServersSecurity Web Servers
Security Web Servers
 
Security Testing Web App
Security Testing Web AppSecurity Testing Web App
Security Testing Web App
 
Session Fixation
Session FixationSession Fixation
Session Fixation
 
Sql Injection Adv Owasp
Sql Injection Adv OwaspSql Injection Adv Owasp
Sql Injection Adv Owasp
 
Php Security Iissues
Php Security IissuesPhp Security Iissues
Php Security Iissues
 
Sql Injection White Paper
Sql Injection White PaperSql Injection White Paper
Sql Injection White Paper
 
S Shah Web20
S Shah Web20S Shah Web20
S Shah Web20
 
S Vector4 Web App Sec Management
S Vector4 Web App Sec ManagementS Vector4 Web App Sec Management
S Vector4 Web App Sec Management
 
Php Security Value1
Php Security Value1Php Security Value1
Php Security Value1
 
Privilege Escalation
Privilege EscalationPrivilege Escalation
Privilege Escalation
 
Php Security Workshop
Php Security WorkshopPhp Security Workshop
Php Security Workshop
 
Preventing Xs Sin Perl Apache
Preventing Xs Sin Perl ApachePreventing Xs Sin Perl Apache
Preventing Xs Sin Perl Apache
 
Protecting Web App
Protecting Web AppProtecting Web App
Protecting Web App
 
Ruby Security
Ruby SecurityRuby Security
Ruby Security
 
Search Attacks
Search AttacksSearch Attacks
Search Attacks
 

Dernier

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Dernier (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 

Secure Scripting

  • 1. A BRIEF INTRODUCTION TO SECURE SCRIPTING Contents 1. Introduction 2. Input taint checking 3. String manipulation 4. File manipulation 5. Use of system calls 6. Variable declaration 1. Introduction These days there are a lot of people that release scripts and programs on to the Internet which people will then download and use without a second thought that they may contain the simplest of security holes which can allow malicious people to attack their servers. In this paper i intend to address some of the common mistakes that are made by the programmers releasing these programs, and how it should be written properly. The paper will mainly focus on Common Gateway Interface (CGI) scripts with examples written in perl (in my opinion the most common language used to write CGI scripts). The paper is, however, relevant to all languages, not just perl. The main way in which CGI scripts are exploited is by a user presenting it with values that