ACM.326 Prevent attacks by validating values as specifically as possible
Part of my series on Automation of cybersecurity measures. Lambda. AppSec. security code. Deploy a static website. THE Coded.
Free content on Cybersecurity Jobs | Register at Broadcast list
In the last article I wrote about parsing the values of Lambda function parameters in an event and environment variables. I also showed you how I created a validation.sh file for common validation functions.
In this article, I will add to these functions to prevent unwanted malicious characters from reaching my code.
I wrote here about how malicious submissions to your Lambda functions can lead to cross-site scripting attacks:
Injection, exhaust and coding
In my container I use Bash, which could easily lead to other types of code injection attacks to execute commands in my container. There are several ways to combat this.
First, I could try to escape all bad characters by putting a backslash in front of them. Let’s say someone enters a quote into a parameter like this:
repo='dev.rainierrhododendron's.com'
This would crash the program. But let’s say I want to prevent this.
I could try finding all the single quotes and rewrite the string to put a backslash in front of it like this, which is a common approach taken by developers – and which doesn’t work for the most part:
replace any single quotes with \' = dev.rainierrhodoendron\'s.com
Do not do that. Or insert ampersands for HTML or something similar. Here’s why. An attacker can simply “double escape” what they enter to avoid your mitigation. As an attacker, I will…