Secure coding — what is it?



So you think you can code? Well, that's great to know... The world definitely needs more fans and nerds like you and me... But are your programs secure? That's what this article is all about.

It is not only your job, but also a moral responsibility, to ensure that your code does not have holes that a black hat hacker could later exploit. This is what secure coding is all about. If you do a quick Google search for secure coding, the first link that grabs your attention will be the Wikipedia entry.

Secure coding — the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.

Okay! Enough jargon... What does this actually mean? Let me give you an example. Since I am a snake charmer, I will be using Python 2.7.x...

```python
# test_run.py  (Python 2.7)

pswd = "MY PASSWORD"
not_secret = "Geeks rock!"

# VERY BAD IDEA: in Python 2, input() evaluates the typed text as a
# Python expression (raw_input() would return it as a plain string).
inputVal = input("Please enter the number of geeks ")

print "There are", inputVal, "geeks here, chanting", not_secret
```

Now run it... It compiles successfully, and you know what, it gives the desired output! Here is what I got when I tried different inputs...

Run 1

```text
Please enter the number of geeks 5
There are 5 geeks here, chanting Geeks rock!
```

Run 2

```text
Please enter the number of geeks dir()
There are ['__builtins__', '__doc__', '__file__', '__name__', '__package__', 'not_secret', 'pswd'] geeks here, chanting Geeks rock!
```

Run 3

```text
Please enter the number of geeks pswd
There are MY PASSWORD geeks here, chanting Geeks rock!
```

If you still haven't realised it, let me spell it out... The program worked great! But not the way we wanted... It printed out our secret data... Now you cannot blame the language for this, and you cannot blame the programmer... It did what it was asked to do: in Python 2, input() evaluates whatever the user types as a Python expression, so the "number" can be any variable name or function call in scope, as Run 2 and Run 3 show. This is where secure coding comes into play. This example was small, very small. There are endless possibilities for abusing a program like this; all you need is ingenuity and experience in exploiting vulnerabilities. And if you work in network security, hiring a programmer who knows little or nothing about secure coding standards can be the biggest mistake you can make. So, for a secure professional future, a thorough knowledge of secure coding standards becomes a necessity.
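To make the lesson concrete in a form that runs today, here is an added example (my code, not from the original article) that reproduces the hole in Python 3, where input() no longer evaluates its argument but eval() does exactly what Python 2's input() did, next to a version that treats the typed text as data. The secret and the "geeks" prompt are the article's; the function names, the size limit and the interactive driver are my own choices.

```python
# Added example, not from the original article: the Python 2 input() hole
# reproduced in Python 3 with eval(), next to a version that treats the
# user's text as data instead of code.

pswd = "MY PASSWORD"          # the article's secret (constructed value)
not_secret = "Geeks rock!"


def count_geeks_unsafe(text):
    """What Python 2's input() did: evaluate the typed text as an expression.

    VERY BAD IDEA: "pswd" returns the secret, "dir()" lists names in scope,
    and "__import__('os').system('...')" runs a shell command.
    """
    return eval(text)


def count_geeks_safe(text, limit=1_000_000):
    """Treat the typed text as data: accept only a non-negative integer.

    The limit is an assumed, arbitrary sanity bound for this example.
    """
    stripped = text.strip()
    if not stripped.isdigit():
        raise ValueError("expected a non-negative integer, got %r" % text)
    value = int(stripped)
    if value > limit:
        raise ValueError("geek count %d exceeds the limit %d" % (value, limit))
    return value


def chant(count):
    """Build the output line; the secret never reaches it."""
    return "There are %d geeks here, chanting %s" % (count, not_secret)


if __name__ == "__main__":
    # Python 3's input() returns a plain string (like Python 2's raw_input()),
    # so the only remaining job is to validate it before using it.
    try:
        print(chant(count_geeks_safe(input("Please enter the number of geeks "))))
    except ValueError as err:
        print("Rejected input:", err)
```

Typing `pswd` into the safe version is rejected with a ValueError instead of leaking the secret; the unsafe version still returns `"MY PASSWORD"`, which is the behaviour the three runs above demonstrated.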

Now, who decides which way of coding is secure? This is not something a single programmer can do. Fortunately, we don't need to worry about it. Go and check the SEI CERT Coding Standards. They contain a very good set of recommended practices for making sure your program is secure, sorted by programming language: C, C++, Java, Perl and Android. But, unfortunately, for the simplest language (in my opinion) no such standard is given. Does this mean a Python program is always secure? NO!! Some Python enthusiasts did come up with a list of guidelines for Python, which led to the birth of what is known today as PEP 0008. Known as the Style Guide for Python Code, it was created in 2001.

PEP 8 is a style guide, though, not a secure coding standard: it does not list "safe" and "unsafe" programs, and following it would not have stopped the input() hole shown above. What it does give you is consistent, readable code, which is far easier to review for that kind of hole, so it is still a must-read for any Python programmer.

Enough theory now! Let's get back to some coding stuff! Now I'm going to use a "hi-fi" term, which you can later use to impress someone, and that term is "Cross Site Scripting" (XSS). In a world where every site has a comment section where visitors can share their experiences, XSS has become a common hacker technique (not a good term!) for launching Distributed Denial of Service (DDoS) attacks, installing viruses and malware on the client system and many other "not-so-good" actions.

Most comment sections allow users to write HTML to provide formatting. This means the comment is first rendered as markup and then the result is displayed on the site. So suppose that instead of a comment I submit JavaScript like this:

```html
<script>window.alert("Your comment has been received! - Geeks4Geeks");</script>
```

Based on what I just described, the script will be executed in the browser of every visitor who views the comment, and they will see a popup saying "Your comment has been received! - Geeks4Geeks". Sounds harmless... But imagine the possibilities. The same injection point can carry a script that downloads malware to the client's system, or that reads document.cookie and sends the session cookie to the attacker, which leads to what is known as Session Hijacking. A related trick is to load the site inside an invisible IFrame on an attacker's page, so that a click meant for an enticing ad actually lands on a button of the real site (this is called Clickjacking). The options are unlimited! So what should we do? Again, the solution is secure coding! Here is an example of how to defend against Clickjacking and XSS with Django:

```python
# Clickjacking
# Note: render_to_response()/context_instance is the old Django API used by
# the article (removed in later releases); newer code uses render(), but the
# two headers below are set the same way.
from django.shortcuts import render_to_response
from django.template import RequestContext


def webpage_view(request):
    response = render_to_response("webpage.html", {}, context_instance=RequestContext(request))
    # Frame killing: the browser refuses to show this page inside any frame
    response['X-Frame-Options'] = 'DENY'
    # Same rule expressed in CSP for browsers that honour it
    response['Content-Security-Policy'] = "frame-ancestors 'none'"
    return response
```

```django
{# XSS #}
{# Django escapes HTML by default, so most templates are protected from XSS attacks #}

{{ content }}          {# safe: autoescaped, a <script> tag is shown as text #}

{{ content|safe }}     {# disables escaping: not a good idea for user-supplied content #}
```
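Django's autoescaping is the right default, but the article's comment section allows HTML for formatting, which is exactly the situation where `|safe` becomes tempting. The following is an added example (my code, not the article's or Django's) showing both answers in plain Python: escape everything, as `{{ content }}` does, or keep a small allowlist of formatting tags with their attributes stripped and escape everything else. The tag list, the function names and the sample comments are my own choices.

```python
# Added example, not from the original article: escaping versus allowlist
# sanitising of a user comment, in plain Python (Django's autoescaping does
# the first of these for {{ content }}).
import html
from html.parser import HTMLParser

# Formatting tags a comment may keep (assumed list). Attributes are always
# dropped, so onclick=, onerror= and href="javascript:..." never survive.
# <a> is deliberately absent: allowing it would also require validating the
# URL scheme.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}


def escape_comment(comment):
    """What {{ content }} does: every <, >, &, " and ' becomes an entity."""
    return html.escape(comment, quote=True)


class CommentSanitizer(HTMLParser):
    """Keep allowlisted tags without attributes; escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)              # attributes discarded
        else:
            # Unknown tag: emit its raw text escaped, so the browser displays
            # it instead of interpreting it.
            self.out.append(html.escape(self.get_starttag_text(), quote=True))

    def handle_startendtag(self, tag, attrs):          # e.g. <br/>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)
        else:
            self.out.append(html.escape("</%s>" % tag, quote=True))

    def handle_data(self, data):
        # Text (including <script> bodies, which the parser hands over as
        # data) is re-escaped, so markup inside it can never execute.
        self.out.append(html.escape(data, quote=True))

    # Comments, <!DOCTYPE> and processing instructions are dropped by the
    # base class's no-op defaults.


def sanitize_comment(comment):
    parser = CommentSanitizer()
    parser.feed(comment)
    parser.close()
    return "".join(parser.out)


# Constructed sample comments: the article's alert payload plus two classic
# attribute-based payloads that a naive "strip <script>" filter would miss.
SAMPLES = [
    '<script>window.alert("Your comment has been received! - Geeks4Geeks");</script>',
    '<b onclick="steal(document.cookie)">Geeks</b> rock!',
    'look <img src=x onerror="alert(1)"> here',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("escaped  :", escape_comment(sample))
        print("sanitised:", sanitize_comment(sample))
```

The sanitiser keeps `<b>Geeks</b>` while turning the `onclick` and `onerror` payloads into harmless text; it does not repair unbalanced tags, and a production comment system should use a maintained HTML sanitiser library rather than this thirty-line version. Whichever route you take, the output is the thing you may then render with `|safe`; user input itself never is.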