Web Framework Security Alex Wehn
What Are Frameworks? • Web frameworks are software libraries that aim to speed up development • Most frameworks include abstractions and automation for common tasks • Database Operations • Session Management • Database Schema Generation • Page Generation
Why Use a Framework? • Frameworks speed up development • Frameworks simplify development • Frameworks exist for all major web languages • Frameworks provide structure • Frameworks mitigate many common security vulnerabilities
Frameworks Provide Structure • Frameworks enforce a software architecture • Most are based on Model-View-Controller (MVC) • Folder structure and naming conventions are usually enforced • Structure helps organize large applications
Frameworks Mitigate Security Vulnerabilities • SQL Injection • Object-Relational Mapping (ORM) layers that bind values as query parameters instead of building SQL from strings • Cross Site Request Forgery • Automatic XSRF tokens, checked on every state-changing request • Cross Site Scripting • Template auto-escaping and libraries for encoding output before it reaches the page • Access Control • Built-in Access Control Lists
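The three request-level mitigations on this slide are easiest to see side by side in plain code. The following is an added example written for this page, not code from the slides or from any framework: it contrasts string-built SQL with placeholder binding, raw HTML output with escaped output, and shows a session-bound CSRF token checked in constant time. The `bind_sql` helper is an assumption of this example that only emulates the quoting a real database driver performs; with a real driver the bound values never touch the SQL text at all.

```ruby
require 'cgi'
require 'securerandom'

# --- SQL injection: string building vs. parameter binding --------------------
# Vulnerable: the value is pasted into the statement, so a quote inside it
# changes the structure of the query.
def lookup_sql_unsafe(username)
  "SELECT * FROM users WHERE name = '#{username}'"
end

# What an ORM/driver does instead: the statement carries placeholders and
# every value is supplied as data. This binder is a stand-in (assumption of
# this example) for the driver's escaping; quotes are doubled so the whole
# value stays a single string literal.
def bind_sql(statement, params)
  params.each_with_object(statement.dup) do |value, sql|
    literal = value.is_a?(Numeric) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
    sql.sub!('?') { literal }   # block form: no backslash expansion in the value
  end
end

# --- Cross-site scripting: raw vs. escaped output ----------------------------
def render_comment_unsafe(text)
  "<p>#{text}</p>"
end

# What a template engine's auto-escaping does: < > & " ' become entities.
def render_comment(text)
  "<p>#{CGI.escapeHTML(text)}</p>"
end

# --- Cross-site request forgery: per-session token, constant-time check ------
class CsrfGuard
  def initialize(session)
    @session = session   # any Hash-like server-side session store
  end

  # Generated once per session and embedded in forms as a hidden field.
  def token
    @session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
  end

  # Called on every POST/PUT/DELETE. Length check first, then a comparison
  # that does not short-circuit, so timing reveals nothing about the token.
  def valid?(submitted)
    expected = @session[:csrf_token]
    return false unless expected && submitted.is_a?(String)
    return false unless submitted.bytesize == expected.bytesize
    submitted.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR 1=1 --"     # constructed attacker input
  puts lookup_sql_unsafe(payload)
  puts bind_sql("SELECT * FROM users WHERE name = ?", [payload])
  puts render_comment_unsafe('<script>alert(1)</script>')
  puts render_comment('<script>alert(1)</script>')
  guard = CsrfGuard.new({})
  puts "token valid: #{guard.valid?(guard.token)}, forged valid: #{guard.valid?('x' * 43)}"
end
```

The CSRF check rejects a missing session token, a wrong length and a wrong value without ever raising, so a forged request simply gets a 403 rather than an error page that leaks the application's structure.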
Reasons Against Web Frameworks • Enforced structure may be too restrictive or not fit the project • Frameworks do not protect against all security vulnerabilities
Security Vulnerabilities in Frameworks • Frameworks provide a common codebase that can be targeted: one flaw affects every application built on the framework • Features an application never uses still ship with it, and their code paths may still be reachable from a request • Frameworks give attackers knowledge of how an application is constructed (routes, parameter formats, default endpoints)
Ruby on Rails YAML Flaw • Discovered early this year (2013) • Rails uses YAML for reading configuration files, and Ruby's YAML loader will instantiate arbitrary Ruby objects from a tagged document • Deserializing a well-crafted YAML document can therefore execute arbitrary code • Rails also used YAML inside request parsing (typed XML parameters and a JSON backend), so the loader was reachable from unauthenticated request bodies, not just from trusted configuration files
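What "deserialization of well-crafted YAML" means in practice: Ruby's YAML library (Psych) honours `!ruby/object:ClassName` tags, allocates the named class and, if the class defines `init_with`, calls it during loading. The following is an added example written for this page, not Rails code or the original exploit: `ReportJob` is a stand-in application class (an assumption of this example) whose `init_with` hook only records the command it would have run, and `MALICIOUS_YAML` is a constructed request body. The unsafe loader revives the attacker-named object; `YAML.safe_load`, the fix pattern, refuses any tagged class.

```ruby
require 'yaml'

# Stand-in for an application class with a load-time hook. Psych calls
# init_with(coder) on any object it revives from a !ruby/object: tag, which
# is the kind of hook a deserialization gadget abuses. Nothing is executed
# here; the hook just records what a real gadget would have passed to system().
class ReportJob
  attr_reader :command
  @@executed = []

  def self.executed
    @@executed
  end

  def initialize(command = nil)
    @command = command
  end

  # Invoked by Psych while loading, before the application sees the object.
  def init_with(coder)
    @command = coder['command']
    @@executed << @command   # a real gadget would call system(@command) here
  end
end

# Constructed attacker-supplied document: the client picks the class and its state.
MALICIOUS_YAML = <<~YAML
  --- !ruby/object:ReportJob
  command: "touch /tmp/pwned"
YAML

# The behaviour Rails relied on in 2013: any tagged Ruby class is instantiated.
# Psych 4 renamed this to unsafe_load and made load safe, so pick whichever
# name exists on this interpreter.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened parser: only plain scalars, arrays and hashes are permitted.
# A tagged object raises Psych::DisallowedClass, which we turn into an error value.
def safe_parse(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  { 'error' => e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_parse(MALICIOUS_YAML)
  puts "unsafe: #{obj.class} revived, hook saw #{obj.command.inspect}"
  puts "safe:   #{safe_parse(MALICIOUS_YAML).inspect}"
end
```

The important point for a framework user is where the loader is reachable from: a YAML parser that is only fed files from the repository is a different risk from one that is fed request bodies, and the Rails flaw was the second case.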