What’s Our Software Doing With All That User Input

A397cb38965ab9f310e7148b8c3d1105?s=47 Kim Carter
September 12, 2013

What’s Our Software Doing With All That User Input

What are we doing with all the characters that get shoved into our applications? Have we considered every potential execution context?
It’s often interesting and surprising to see what sort of concoction of characters can be executed in different places… and linking multiple attack vectors together which the builders haven’t thought about.
What are we trusting? Why are we trusting it? What, where and how should we be sanitising?

We have a vast collection of libraries, techniques, cheat sheets, tutorials, guides and tools at our disposal.
I often find myself thinking… how can we commoditise the sanitisation of user input and I keep coming up with the same answer.
It’s not easy. Every application has a completely different set of concerns.

In order for our software to be shielded from an attack, the builders must think like attackers.

In this talk I’ll attempt to:

Increase our knowledge and awareness
Discuss practical techniques and approaches that increase our defences
Break some software


Kim Carter

September 12, 2013