
9/10/2023

Software Security

Secure Coding Practices for Error Handling

Hiruna De Alwis

A Sample Application: ComApp

● This application will:

○ Allow visitors to enter comments on the web site
○ Display the ten most recent comments
○ Email each comment to the customer service address


ComApp : List of features

● Phase I
○ Allow anonymous comments
○ Allow users to enter a name along with the comment, regardless of whether or not they are logged in to an account
● Phase II
○ Allow users to create accounts. Once they have created an account, they can view and modify their past comments
○ Allow users to upload a small image with their comment
● Phase III
○ Allow administrative users to view and delete user accounts and moderate comments

ComApp: Sample application

● Code and User interface


ComApp

● What will happen if users do any of these?

○ Honest mistakes, such as typing errors
○ Boredom: lack of enthusiasm, lack of interest
○ The challenge of outsmarting you
○ Simple curiosity: something strange they can play with
○ Actual malicious intent

ComApp: Actual malicious intent

● A script kiddie or hacker might try the following:

○ ' as an input
○ " as an input
● What are hackers hoping to find?
○ Unsanitized inputs
● What will be the next attempt?
○ An injection attack


Injection attack - SQL injection

this is great"); drop table USERS; --

● How does this execute in the database?

○ SQL statement built in PHP:
○ $sql='INSERT INTO usrcomments(comment) VALUES("'.$user_comment.'")';
○ With the input above, the PHP statement becomes:
○ $sql='INSERT INTO usrcomments(comment) VALUES("this is great"); drop table USERS; --")';
○ The closing quote and parenthesis end the intended INSERT, the semicolon starts a second statement, and the -- comments out the rest of the original query
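The same input handled two ways, as an added example that is not part of the slides: the concatenated query the slide shows beside a prepared statement. It assumes PDO with the SQLite driver (an in-memory database, so it runs without a server) and reuses the slide's table names usrcomments and USERS.

```php
<?php
// Added example, not the slides' own code. Uses an in-memory SQLite database
// through PDO so it runs stand-alone; table names follow the slide.

$userComment = 'this is great"); drop table USERS; --';   // the slide's sample input

// 1. String concatenation, as on the slide: the input becomes part of the SQL text.
$sql = 'INSERT INTO usrcomments(comment) VALUES("' . $userComment . '")';
echo "Concatenated SQL: $sql\n";
// Whether the second statement really runs depends on the driver allowing
// stacked queries, but the defect is the same either way: data has become code.
// This string is only printed here, never executed.

// 2. Prepared statement: the SQL text is fixed, the value travels separately.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usrcomments (id INTEGER PRIMARY KEY, comment TEXT NOT NULL)');
$db->exec('CREATE TABLE USERS (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$stmt = $db->prepare('INSERT INTO usrcomments(comment) VALUES (:comment)');
$stmt->execute([':comment' => $userComment]);

// The payload is stored as plain text and the USERS table is untouched.
$stored = $db->query('SELECT comment FROM usrcomments')->fetchColumn();
$tables = $db->query("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
             ->fetchAll(PDO::FETCH_COLUMN);
echo 'Stored verbatim: ' . ($stored === $userComment ? 'yes' : 'no') . "\n";   // yes
echo 'Tables present: ' . implode(', ', $tables) . "\n";                        // USERS, usrcomments
```

The point to take from the second half is that the value is bound rather than pasted into the query, so quotes, parentheses and semicolons in the comment have no syntactic meaning to the database.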

ComApp: Issues

● Issues in development
○ Empty comments
○ Lengthy comments
○ Raw database errors
■ Attackers use them to learn about your server environment
○ Scripts and links can be inserted
○ Customer dissatisfaction


ComApp: Boundary Conditions

● Sample list of boundary conditions for an anonymous comment

○ Blank input
○ Control characters
○ Non-alphanumeric data
○ Excessively long inputs
○ SQL injection
○ Guest book spam
○ Binary data
○ Alternate encoded data – ASCII, UTF-8, Octal, etc.

Goals of the boundary conditions
● Reject any input that seems suspicious
● Simply ignore input that isn't what you expected, giving users an error message and a chance to try again


An Error

● An action which is inaccurate or incorrect
● An error in software or hardware is called a bug


Error-Handling Mechanism

● The philosophy of error handling is:

○ Test all the inputs entered by users
○ Reject anything that doesn't appear to be legitimate
● To do this we have to define what we expect user input to look like
● Ex:
○ Alphanumeric with a few specific punctuation marks
○ Fewer than the maximum number of characters
○ Allow/deny script code (HTML tags)
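A validator that puts the boundary-condition list and the "define what we expect" rules above into one function, as an added example that is not from the slides. The length limit, the allowed punctuation set and the decision to deny HTML tags are assumptions made for the example; the sample inputs are constructed.

```php
<?php
// Added example, not the slides' own code: a validator for the anonymous
// comment field covering the boundary conditions from the slides.

const COMMENT_MAX_LENGTH = 500;                // assumed limit
const ALLOWED_PUNCTUATION = ".,!?'\"()-:;";    // assumed allowed set

/**
 * Returns null when the comment is acceptable, otherwise a short reason.
 * The reason is for the log; the user only gets a generic message.
 */
function validateComment(string $comment): ?string
{
    // Blank input: nothing but whitespace.
    if (trim($comment) === '') {
        return 'blank';
    }
    // Binary data and alternate encodings: require valid UTF-8 before any
    // regex runs, because the /u patterns below fail on malformed input.
    if (!mb_check_encoding($comment, 'UTF-8')) {
        return 'invalid encoding';
    }
    // Excessively long input, counted in characters rather than bytes.
    if (mb_strlen($comment, 'UTF-8') > COMMENT_MAX_LENGTH) {
        return 'too long';
    }
    // Control characters (NUL, ESC, ...); newline, CR and tab stay allowed.
    if (preg_match('/[^\P{C}\n\r\t]/u', $comment)) {
        return 'control characters';
    }
    // Define what we expect: letters, digits, whitespace and a few punctuation
    // marks. Anything else, including the < and > of HTML tags, is rejected.
    $pattern = '/^[\p{L}\p{N}\s' . preg_quote(ALLOWED_PUNCTUATION, '/') . ']+$/u';
    if (!preg_match($pattern, $comment)) {
        return 'unexpected characters';
    }
    return null;
}

// Constructed sample inputs, one per boundary condition, with the expected verdict.
$samples = [
    ['This is great!',                          null],
    ["   \n ",                                  'blank'],
    [str_repeat('a', COMMENT_MAX_LENGTH + 1),   'too long'],
    ["hello\x00world",                          'control characters'],
    ["\xff\xfe not utf-8",                      'invalid encoding'],
    ['<script>alert(1)</script>',               'unexpected characters'],
    // Passes the character rules: validation limits junk, but prepared
    // statements are what actually prevent SQL injection.
    ['this is great"); drop table USERS; --',   null],
];
foreach ($samples as [$input, $expected]) {
    $verdict = validateComment($input);
    printf("%-22s %s\n", var_export($expected, true), $verdict === $expected ? 'ok' : 'MISMATCH');
}
```

The order of the checks matters: the encoding check runs before any regular expression, because a pattern with the u modifier returns false on malformed UTF-8 and a false would otherwise read as "no match, input is fine". The last sample shows why the slides treat SQL injection as a separate item: the payload is made of ordinary characters, so character rules alone will not stop it.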


Stripping HTML from User inputs

● If we decide not to allow HTML code to be inserted through the application, we can remove it from the user inputs
● Are we going to reject the entire message because of the presence of HTML content?
○ It is your choice
● If not:
○ We can strip the HTML tags
○ strip_tags()
■ PHP function that removes HTML tags, leaving only the raw text


Accepting HTML safely

● If you decide to allow HTML tags in user inputs:

○ PHP provides two built-in functions to handle this problem
○ htmlentities()
■ Converts all applicable characters to HTML entities
○ htmlspecialchars()
■ Replaces a few characters that are special in HTML with their equivalent entity codes
■ Ex:
● & → &amp;
● " → &quot;
● ' → &#039;
● < → &lt;
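The two choices from the last two slides applied to one constructed comment, as an added example that is not from the slides: strip the HTML with strip_tags(), or keep it and encode it with htmlspecialchars() or htmlentities(). The comment text and the renderComment() helper are made up for the example.

```php
<?php
// Added example, not the slides' own code. The comment below is constructed.

$comment = '<b>Great</b> site! <a href="http://example.com">visit</a> '
         . '<script>alert("x")</script> & more';

// Choice 1: HTML not allowed. strip_tags() removes the tags and keeps the text,
// including the text that was inside the script element.
$stripped = strip_tags($comment);
echo "strip_tags:       $stripped\n";   // Great site! visit alert("x") & more

// Choice 2: keep the text as typed, but encode the characters that HTML treats
// specially so the browser displays them instead of interpreting them.
// ENT_QUOTES also encodes quotes; ENT_HTML401 gives the &#039; form the slide lists.
$special = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML401, 'UTF-8');
echo "htmlspecialchars: $special\n";    // every < > " & is now an entity

// htmlentities() goes further and also encodes characters that have a named
// entity, such as accented letters.
$entities = htmlentities('café & <b>', ENT_QUOTES | ENT_HTML401, 'UTF-8');
echo "htmlentities:     $entities\n";   // caf&eacute; &amp; &lt;b&gt;

// Whichever choice was made on input, encode again when the text is placed in a
// page: text that survived strip_tags() can still contain & < > " characters.
function renderComment(string $stored): string
{
    return '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML401, 'UTF-8') . '</p>';
}
echo renderComment($stripped) . "\n";   // <p>Great site! visit alert(&quot;x&quot;) &amp; more</p>
```

One practical note on the flags: the slide's table shows the single quote becoming &#039;, which is the ENT_HTML401 form; with ENT_HTML5 the same function emits &apos; instead, so pass the flags explicitly rather than relying on the version-dependent default.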


Spammers

● Spammers don't use their own accounts to send spam emails

● They try to send their spam emails through insecure web applications
● Viral email marketing
● How to protect your application from this attack:
○ Don't use an email transport system in an open web application unless you absolutely need it
○ Discourage spammers
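ComApp does need email, since each comment is sent to the customer service address, so the practical form of the advice above is to keep the transport out of the user's reach. The following is an added example, not code from the slides: the recipient and From header are fixed in code, user text goes only into the body, and a name containing a line break is refused because header values must be single lines. The addresses are placeholders and mail() is not called, so the script runs offline.

```php
<?php
// Added example, not the slides' own code. Addresses are placeholders.

const CUSTOMER_SERVICE = 'customer-service@example.invalid';   // fixed in code, never from the request
const SENDER           = 'ComApp <no-reply@example.invalid>';  // placeholder

/**
 * Returns [to, subject, body, headers] ready to hand to mail(), or null when
 * the user-supplied name contains a line break and must not reach a header.
 */
function buildCommentNotification(string $name, string $comment): ?array
{
    // A CR or LF inside a header value would start a new header line.
    if (preg_match('/[\r\n]/', $name)) {
        return null;
    }
    $name = trim($name) === '' ? 'Anonymous' : trim($name);

    // Only the body carries user text; recipient, subject and From are constants.
    $body = "Comment from " . $name . ":\n\n" . $comment;
    $headers = [
        'From'         => SENDER,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    return [CUSTOMER_SERVICE, 'New comment on ComApp', $body, $headers];
}

// Constructed inputs: an ordinary name, and one with an embedded line break.
$ok = buildCommentNotification('Alice', 'This is great');
echo $ok === null ? "rejected\n" : "to: {$ok[0]}, subject: {$ok[1]}\n";

$bad = buildCommentNotification("Alice\r\nsecond line", 'This is great');
echo $bad === null ? "rejected: line break in name\n" : "unexpected: accepted\n";
```

Keeping the destination a constant is what makes the form useless as a relay: there is no field a visitor can fill in that changes where the message goes or who it appears to come from.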


Erroneous data

● Display an error message to the user

● Write the error message to a log file, depending on its severity
● Display a formatted error message to users
● Don't provide too much information about the error or the security measures
○ Ex:
■ Sorry, we didn't understand your comment. Please try again
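The split described above between what goes to the log and what the user sees, as an added example that is not from the slides. It triggers a real database error against an in-memory SQLite database (the table is deliberately missing) so that the raw error from the "Issues" slide is produced and then kept out of the response; the severity labels and error_log() destination are assumptions.

```php
<?php
// Added example, not the slides' own code. Uses PDO with the SQLite driver.

const USER_MESSAGE = "Sorry, we didn't understand your comment. Please try again.";

/** Writes one log line with a severity label; error_log() goes to the configured log. */
function logEvent(string $severity, string $message): void
{
    error_log(sprintf('[%s] %s', $severity, $message));
}

/** Stores the comment and returns only a message that is safe to show to the user. */
function storeComment(PDO $db, string $comment): array
{
    try {
        $stmt = $db->prepare('INSERT INTO usrcomments(comment) VALUES (:c)');
        $stmt->execute([':c' => $comment]);
        return ['ok' => true, 'message' => 'Thanks for your comment.'];
    } catch (PDOException $e) {
        // The driver message, SQLSTATE and file location describe the server
        // environment, which is exactly what the "Issues" slide says attackers
        // look for in raw errors. They go to the log, never to the page.
        logEvent('ERROR', sprintf('comment insert failed: %s (SQLSTATE %s) at %s:%d',
            $e->getMessage(), $e->getCode(), $e->getFile(), $e->getLine()));
        return ['ok' => false, 'message' => USER_MESSAGE];
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// No CREATE TABLE here, so the insert fails the way a raw database error would.
$result = storeComment($db, 'this is great');
echo $result['message'], "\n";   // prints only the generic message
```

In production this pattern is only complete when uncaught errors are also kept off the page, so set display_errors to off and log_errors to on in php.ini; otherwise an exception that escapes the try block still prints the detail the catch block was hiding.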


Thanks!

Contact:

Hiruna De Alwis
hiruna@effectivesolutions.lk
