Protect systems from malware and overloading by regulating the files that are allowed to be uploaded.
- There is one attack that's worse than all the others. Remote code execution. Remote code execution or RCE is when an attacker can remotely execute internal operating system commands on a server. To put it another way, an attacker can type commands as if they were sitting at the keyboard. They can perform any task that a logged in user can perform. They can read, add, modify or delete files. They can change access privileges or passwords. They can turn on and off configurations and services and they can communicate to other servers. When you read a news article or you see a warning about a bug which allows remote code execution, you should pay attention. It's a significant one. Fortunately, remote code execution is also one of the hardest hacks to pull off. Operating systems keep a wall between the operating system and the software running the web server, which is difficult to get through unless you make it easy. Most programming languages have functions which allow them to communicate directly with the underlying OS. It's these special functions that can get you into trouble if you aren't careful. If you use one of these powerful functions and also provide a way that an attacker can slip their own data to it, then they can use that function too. Each programming language uses different names for it's operating system functions. However many use one or more of these common names. Refer to the documentation for the details on your language. All system execution keywords come with big security risks. The best prevention is to avoid using system execution functions at all. Usually there's another solution using less risky code. In some programming languages, it's possible to disable these powerful functions entirely so they cannot be used. If it's absolutely necessary to use them, then avoid pairing them with user submitted or dynamic code. That is the point in which you give an attacker a potential path to the function and should you really, really need to use them with dynamic data, then make sure to validate all data. Use allow-lists to limit the range of actions and sanitize the data for wherever it will be used. Remote code execution attacks are very bad, but they mostly happen because of our own carelessness.
Author
Kevin Skoglund
Released
5/3/2019- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting
Skill Level Beginner
Duration
Views
-
Introduction
-
1. Security Overview
-
What is security?3m 12s
-
Why security matters2m 14s
-
What is a hacker?4m 10s
-
Threat models3m 14s
-
-
2. General Security Principles
-
Least privilege3m 55s
-
Simple is more secure2m 49s
-
Never trust users3m 15s
-
Expect the unexpected2m 20s
-
Defense in depth3m 58s
-
Security through obscurity4m 30s
-
Deny lists and allow lists3m 14s
-
-
3. Filter Input, Control Output
-
Regulate requests3m 46s
-
Validate input3m 54s
-
Sanitize data6m 29s
-
Label variables1m 22s
-
Keep code private2m 27s
-
Keep credentials private4m 36s
-
Keep error messages vague2m 17s
-
Smart logging3m 18s
-
-
4. The Most Common Attacks
-
Types of credential attacks5m 18s
-
Strong passwords4m 24s
-
SQL injection7m 31s
-
Cross-site scripting (XSS)6m 34s
-
Cookie visibility and theft4m 52s
-
Session hijacking5m 32s
-
Session fixation3m 25s
-
Remote code execution2m 19s
-
File upload abuse3m 13s
-
Denial of service5m 19s
-
-
Conclusion
-
Next steps2m 26s
-
Take notes with your new membership!
Type in the entry box, then click Enter to save your note.
Press on any video thumbnail to jump immediately to the timecode shown.
Notes are saved with you account but can also be exported as plain text, MS Word, PDF, Google Doc, or Evernote.
Share this video
Embed this video
Video: Remote code execution