Presentation Layer

links: SPA TOC - Layered Security - Index


Presentation Layer

  • Translates the sender's data format into the format the receiver expects (character encodings, serialization formats)
  • Provides code conversion, data compression and encryption services (per ISO / OSI); in practice this is where TLS and the application's parsers for incoming data live

Vulnerabilities

  • poor handling of unexpected input (malformed, oversized, or unusually encoded data) can crash the application or, in memory-unsafe code, surrender control to the attacker to execute arbitrary instructions
  • unintentional or ill-advised use of externally supplied input in control contexts (file paths, queries, commands) may allow remote manipulation or information leakage
    • Example: path traversal, where the attacker supplies /etc/passwd (or ../../etc/passwd) in a URL parameter that names a file to read, and the server reads it
  • cryptographic flaws may be exploited to circumvent privacy protections
    • Example: passwords stored as unsalted MD5 hashes, which are fast to brute-force and easy to match against precomputed tables
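The two listed examples side by side, as an added illustration that is not part of the original page: a file handler that trusts a URL-supplied path next to a version that confines lookups to the web root, and unsalted MD5 password storage next to a salted, slow PBKDF2 scheme. The web root is a temporary directory created by the example, the round count is an assumption to be tuned per deployment, and the hardening shown is a common approach rather than any particular framework's built-in one.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

# Constructed sandbox: a throwaway "web root" holding one public file.
WEB_ROOT = tempfile.mkdtemp(prefix="webroot-")
with open(os.path.join(WEB_ROOT, "index.html"), "w", encoding="utf-8") as fh:
    fh.write("<h1>hello</h1>")


def unsafe_target(requested: str) -> str:
    # Vulnerable: os.path.join silently discards WEB_ROOT when `requested`
    # is absolute, so "/etc/passwd" in the URL maps straight to /etc/passwd,
    # and "../" segments walk out of the root.
    return os.path.join(WEB_ROOT, requested)


def serve_unsafe(requested: str) -> Optional[str]:
    try:
        with open(unsafe_target(requested), encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def serve_safe(requested: str) -> Optional[str]:
    # Hardened: treat the input as data. Drop leading separators, resolve
    # symlinks and ".." segments, then refuse anything that resolves outside
    # WEB_ROOT before touching the filesystem.
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # traversal attempt: reject (and log it)
    try:
        with open(candidate, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def md5_hash(password: str) -> str:
    # Weak: unsalted single-round MD5. Identical passwords hash identically,
    # so a leaked table falls to precomputed lookups and GPU brute force.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


PBKDF2_ROUNDS = 600_000  # assumption: tune so one hash costs ~100 ms on your hardware


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    # Stronger: per-user random salt plus a deliberately slow KDF, stored in a
    # self-describing format so the work factor can be raised later.
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    print("unsafe target for /etc/passwd:", unsafe_target("/etc/passwd"))
    print("safe serve of /etc/passwd:", serve_safe("/etc/passwd"))
    print("safe serve of index.html:", serve_safe("index.html"))
    print("md5:", md5_hash("hunter2"))
    print("pbkdf2 verify:", pbkdf2_verify("hunter2", pbkdf2_hash("hunter2")))
```

Note that serve_safe checks the resolved path rather than the raw string: a string check for "../" misses URL-encoded or absolute variants, whereas realpath plus commonpath decides on where the name actually lands.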

Attacks

Controls

  • Careful specification and checking of input received by applications or library functions (allow-list what is expected, reject everything else)
    • Example: validating with a regex that a submitted email address has the shape of an email address before it is used
    • Mitigates injection attacks as one layer of defence; validation alone is not a complete fix
  • Separation of user input from program control functions
    • Input should be sanitized and sanity checked before being passed to functions that use it to control operation
    • Use prepared statements and parameterized queries
    • Treat user input as data, never as part of the SQL command text itself
    • Mitigates injection attacks
  • Careful and continuous review of cryptography solutions to ensure they remain secure against known and emerging threats
    • Example: updating TLS to the latest version (TLS 1.3) and disabling deprecated protocol versions and cipher suites (SSLv3, TLS 1.0/1.1, RC4)
