From the course: Practical Secure by Design: Threat Modeling to Build Resilient Products
Insecure implementation: Lack of redundancy
- [Instructor] Let us now look at the insecure implementation. Since this is a search products functionality, I'm going to click on bras products, and as you can see, it's looking for a search term. Going to simply search for aa. And as you can see, it shows me different items. What I'm going to do right now, to see if there is any input validation, is pass some special characters and see how the application responds. Ooh, as you can see, even by passing special characters, it's not blocking my input and still showing the default products. From the PRD, it looked like this was definitely vulnerable to command injection. So I'm going to search for ls and see if this works. Interesting. As I search for ls, you can see that this clearly works and I'm now able to read all the files on the web server. I'm going to go a step ahead and also search for whoami. Nice. Whoami also works. This is the perfect example for…
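The demo above shows a search box with a single, missing layer of defence: the term reaches a shell. The following added example (not code from the course or its demo application) contrasts that single-layer pattern with a layered version, using a constructed in-memory catalogue and a hypothetical `products.txt` file name; the second layer matters because a term like `whoami` passes any character allowlist, so validation alone is not enough.

```python
import logging
import re
from typing import List, Optional

log = logging.getLogger("search")

# Constructed sample catalogue, standing in for the demo app's product table.
PRODUCTS = ["aa batteries", "aaa batteries", "alarm clock", "bike lamp"]

# Layer 1: allowlist of what a product search legitimately needs.
TERM_RE = re.compile(r"[A-Za-z0-9 ]{1,64}")


def validate_term(term: str) -> Optional[str]:
    """Return a rejection reason, or None if the term passes the allowlist."""
    if not TERM_RE.fullmatch(term):
        return "characters outside allowlist"
    return None


def vulnerable_command(term: str) -> str:
    """The single-layer pattern seen in the video: the raw term is spliced into
    a shell command string. Run through a shell, metacharacters in the term
    end the intended command and start another one. Shown here, not executed."""
    return "grep -i " + term + " products.txt"  # hypothetical file name


def hardened_search(term: str) -> List[str]:
    """Defense in depth: validation is the first layer, but the lookup itself
    never touches a shell, so even a term that passes validation (or a future
    validation bug) cannot turn into command execution."""
    reason = validate_term(term)
    if reason is not None:
        # Rejected input is a detection signal worth logging, not just dropping.
        log.warning("rejected search term %r: %s", term, reason)
        return []
    needle = term.lower()
    return [p for p in PRODUCTS if needle in p]  # layer 2: in-process matching only
```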