Conquering injections


This talk addresses the vulnerability of .NET applications to injection attacks against languages with different grammars (HTML, JavaScript, URL, SQL, Path, etc.). The first part covers a formal model of an application that is vulnerable to this attack class and a general approach to protecting the application based on that model.

The second part reviews LibProtection, an open source library that lets developers safely use the familiar API for format and interpolated strings when working with input data, while hiding behind that API a fully functional built-in runtime protection mechanism.



Vladimir Kochetkov

Positive Technologies

Has worked in information security since 2006. Joined Positive Technologies in 2012 as a leading expert in the web application security analysis group. Took part in application security analysis projects and researched application testing methodologies. Took part in the implementation of PT Application Inspector. In 2014-2016 led the development of the compiled applications analyzer, along with the binary code analysis module development project. Leads the department of application security analysis research. Is directly involved in theoretical research in application security analysis and in prototyping promising company products. Writes articles for HITB Magazine, "Hacker" and RSDN Magazine. Is an avid speaker at the international forum Positive Hack Days (which he also organizes), at the DotNext conference for .NET developers and at user group meetings. Participates in the development of the Russian software developer network RSDN. Is one of the organizers of the Positive Development User Group, an initiative aimed at immersing developers in the application security domain. Has a blog at kochetkov.github.io.

