Presentation Layer
- Translates data format of sender to the data format of the receiver
- Provides code conversion, data compression and encryption services (according to the ISO/OSI model)
Vulnerabilities
- Poor handling of unexpected input can lead to application crashes or to surrender of control, letting an attacker execute arbitrary instructions
  - Example: SQL injection
- Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage
  - Example: an attacker supplying the path /etc/passwd in the URL
- Cryptographic flaws may be exploited to circumvent privacy protections
  - Example: passwords hashed with MD5
Attacks
- Unicode vulnerabilities
  - Normally web servers only serve files from certain directories
  - Older versions of the IIS web server treated directory traversal sequences like "../" as illegal
  - This rule did not trigger when the "/" was supplied in a Unicode-encoded form, %c0%af (an overlong UTF-8 encoding of "/")
  - This allowed attackers to traverse directories
  - Apache UTF-8 directory traversal
  - Windows Vista filename spoofing
  - Other Unicode vulnerabilities
- DNS IDN spoofing
  - Using special characters in domain names
  - http://www.pаypal.com/ (Cyrillic "а" in place of the Latin "a") → http://www.xn--pypal-4ve.com
- .zip TLD
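The control behind the IIS item above, as an added example (not code from the original page): a filter that, like the old rule, looks for "../" in the still-encoded request path, beside a hardened version that percent-decodes first, strictly decodes UTF-8 (rejecting overlong sequences such as %c0%af), normalizes, and confirms the result stays under an assumed document root of /var/www/html. The sample request strings are constructed for the demonstration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Assumed document root for this example (not from the original page).
DOCROOT = "/var/www/html"


def naive_check(url_path: str) -> bool:
    """Filter in the style of the old IIS rule: look for traversal sequences
    in the raw, still percent-encoded request path. True means 'accepted'."""
    return "../" not in url_path and "..\\" not in url_path


def resolve_request_path(url_path: str) -> Optional[str]:
    """Hardened check: decode, validate, normalize. Returns the filesystem
    path to serve, or None if the request is rejected."""
    raw = unquote_to_bytes(url_path)  # %xx escapes -> raw bytes
    try:
        # Strict UTF-8 decoding rejects %c0%af: 0xC0 is never a valid
        # lead byte, so the overlong encoding of '/' cannot slip through.
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:  # NUL bytes are never legitimate in a URL path
        return None
    # Join under the docroot and collapse '.', '..' and repeated slashes.
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # Only the docroot itself or something strictly inside it may be served.
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


# Constructed sample requests: legitimate paths plus encoded traversal attempts.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/..%c0%af..%c0%af..%c0%afetc/passwd",  # overlong '/' from the item above
]


def audit(requests):
    """Run both checks on each request; returns (request, naive, hardened)."""
    return [(r, naive_check(r), resolve_request_path(r)) for r in requests]


if __name__ == "__main__":
    for req, naive_ok, served in audit(SAMPLE_REQUESTS):
        print(f"{req:40} naive_accepts={naive_ok!s:5} hardened_serves={served}")
```

The naive filter accepts every percent-encoded traversal attempt because it inspects the path before decoding; the hardened version rejects them all while still serving the two legitimate paths.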
Controls
- Careful specification and checking of input received by applications or library functions
  - Example: using a regex to validate that an email address is actually an email address
- Mitigation against injection attacks
  - Separation of user input from program control functions
  - Input should be sanitized and sanity-checked before being passed to functions that use it to control operation
  - Use prepared statements and parameterized queries
    - Treat user input as data, not as part of the SQL command itself
    - Mitigates injection attacks
- Careful and continuous review of cryptography solutions to ensure they remain secure against known and emerging threats
  - Example: updating TLS to the latest version