Web Framework Security - PowerPoint PPT Presentation

Provided by: AlexW151
Transcript and Presenter's Notes

1
Web Framework Security
  • Alex Wehn

2
What Are Frameworks?
  • Web frameworks are software libraries that aim to speed up development
  • Most frameworks include abstractions and automation for common tasks
      • Database Operations
      • Session Management
      • Database Schema Generation
      • Page Generation

3
Why Use a Framework?
  • Frameworks speed up development
  • Frameworks simplify development
  • Frameworks exist for all major web languages
  • Frameworks provide structure
  • Frameworks mitigate many common security vulnerabilities

4
Frameworks Provide Structure
  • Frameworks enforce software architectures
  • Most are based on Model View Controller
  • Folder structure and naming conventions are usually enforced
  • Structure helps organize large applications

5
Frameworks Mitigate Security Vulnerabilities
  • SQL Injection
      • Object Relational Mapping (ORM)
  • Cross Site Request Forgery
      • Automatic XSRF Tokens
  • Cross Site Scripting
      • Security libraries for escaping inputs
  • Access Control
      • Built In Access Control Lists

6
Reasons Against Web Frameworks
  • Enforced structure may be too restrictive or not fit the project
  • Frameworks do not protect against all security vulnerabilities

7
Security Vulnerabilities in Frameworks
  • Frameworks provide a common codebase that can be targeted
  • Features of frameworks may be unused
  • Frameworks give attackers knowledge of how an application is constructed

8
Ruby on Rails YAML Flaw
  • Discovered early this year
  • Rails uses YAML for reading configuration files
  • Deserialization of well crafted YAML objects can cause arbitrary code to be executed
  • Rails used YAML to implement JSON parsing as well as for many other functions
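The mitigation for the flaw described on this slide is to never hand untrusted text to a full YAML deserializer. The example below is added here and is not part of the presentation or of Rails itself; it uses Ruby's standard Psych library (`YAML.safe_load`), which only builds plain data types and rejects documents that carry Ruby object tags. Both input documents are constructed for the example.

```ruby
require 'yaml'

# Constructed sample: an ordinary configuration document made only of
# strings, integers and mappings, the kind a config loader should accept.
BENIGN_CONFIG = <<~YAML
  database:
    adapter: postgresql
    pool: 5
YAML

# Constructed sample: a document carrying a Ruby object tag. A full
# deserializer (YAML.load before Psych 4) would instantiate the named
# class, which is the behaviour the Rails flaw relied on.
TAGGED_DOC = <<~YAML
  setting: !ruby/object:OpenStruct
    table:
      :a: 1
YAML

# Parse YAML that may come from an untrusted source.
# safe_load permits only core scalar and collection types by default
# (no custom classes, no aliases), so tagged objects are refused.
# Returns [:ok, data] on success or [:rejected, message] on refusal.
def load_untrusted_yaml(text)
  data = YAML.safe_load(text)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted_yaml(BENIGN_CONFIG)
  p load_untrusted_yaml(TAGGED_DOC)
end
```

The same rule applies to any format that is parsed by converting it to YAML first, which is why routing JSON through the YAML parser widened the exposure.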

9
Questions?