Presentation Layer¶

Translates data format of sender to the data format of the receiver
Provides code conversion, data compression and encryption services (according to ISO / OSI)

poor handling of unexpected input can lead to application crashes or surrender of control to execute arbitrary instructions
- Example: SQL-Injection
unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage
- Example: Attacker providing /etc/passwd in the URL
cryptographic flaws may be exploited to circumvent privacy protections
- Example: Passwords hashed with MD5

Unicode vulnerabilities
- Normally web servers only serve files from certain directories
- Older versions of IIS web server interpreted directory traversal sequences like "../" as illegal
- This rule didn't not trigger when the "/" was provided as unicode encoded version %c0%af
- This allowed attackers to traverse directories
- Apache UTF-8 directory traversal
- Windows Vista filename spoofing
- Other unicode vulnerabilities
DNS IDN spoofing
- Using special characters in domain names
- http://www.pаypal.com/ \(\rightarrow\) http://www.xn--pypal-4ve.com
.zip TLD

Careful specification and checking of received input incoming into applications or library functions
- Example: Using regex to validate if an email address is actually an email address
- Mitigation against injection attacks
Separation of user input and program control functions
- Input should be sanitized, and sanity checked before being passed into functions that use the input to control operation
- Use prepared statements and parameterized queries
- Treat user inputs as data, not as part of a SQL command itself
- Mitigates against injection attacks
Careful and continuous review of cryptography solutions to ensure current security versus known and emerging threats
- Updating TLS to the latest version