SlideShare une entreprise Scribd logo

2 Roads to Redemption - Thoughts on XSS and SQLIA

G
guestfdcb8a

presentation about my diploma thesis progress at the Software Engineering working group @ FU Berlin

Technologie
1  sur  40
Télécharger pour lire hors ligne
2 Roads to Redemption Thoughts on fixing SQLIA and XSS Florian Thiel, FU Berlin, 12/18/2008 florian.thiel ät noroute.de
OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery
OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery
© by xckd: http://xkcd.com/327/
© by xckd: http://xkcd.com/327/
“SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/
“SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/ SELECT firstname FROM Students WHERE (login = ‘Robert’); DROP TABLE Students; -- ‘);
SQLIA threats • data integrity • confidentiality • new attack vector
“This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. “ -- Marc Slemko, Apache.org
XSS SQLIA eval(‘user input’)1,2 1) the essence of injections 2) limited only by the execution environment
Failure to sanitize data into a different plane
technical non-solutions • addslashes() or any one-size-fits-all • blacklisting (IPS, validation, etc.)
technical solutions • AntiSamy • ReForm • prepared statements • Safe Query Objects • ...
only half-way there
WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables quot;squot; and quot;ip_addressquot; of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008
WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables quot;squot; and quot;ip_addressquot; of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008
ey ’re er e. Th t! a re h ye Gibson ed illiam io ns ut ing W rib hras solut istparap d -- e Th ot eve nly j ustn
The interesting* part * what my thesis is really about
Developers more Code
Helping developers • raise awareness • facilitate detection/motivate reviews • motivate repair
// @userinput(data,source=”webform”, // type=”username”) // [insert data into query, ignore // non-alphanums] def insertAlphaNum(query, data): // [make sure data is canonical] c_data = data.toCharSet(...) c_data.replace(...) ... // [insert data into query] // @output(target=sql, // type=”username”) query.prepare(...) query.insert(data...) ...
What do you use to communicate critical sections?
Would you use annotations? Your requirements?
GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1 Host: msdn.microsoft.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: 1.9.0.3) Gecko/2008092414 Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.google.de/search?q=http+request+header +example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en- US:official&client=firefox-a Cache-Control: max-age=0
Current approaches • global XSS filter (HTML escapes) on/off • default sanitation of all data
Current approaches g h ! n u o on/off • e ledata global XSS filter (HTML escapes) b • default sanitationiof all x t fl e N o
Helping the framework • machines are good at doing repetitive work! • if they just knew enough...
Rich Types
Rich Types • if we had a “firstname” type • and one for “XML” • and one for a “ebay-style post”
Rich Types • if we had a “firstname” type • and one for “XML” • and one for a “ebay-style post” • we could do flexible validation/sanitation
What we’d get • Types for SQL prepared statements • Types for AntiSamy/Template engine • Types for future backends • Types/Constraints for forms (XForms?) • rich constraints on complex types
How it’d look like class MyTextField(models.Field): # may only contain <H1> sqlserializer = SQLFilter(type=”html”) # to SQL htmlserializer = AntiSamy(“H1Profile”) # to HTML validator = HtmlValidator(tagsAllowed=(“h1”))
Drawbacks • needs decent infrastructure form framework • needs good type catalogue to be easy enough to use • what about HTTP headers, cookies? • simpler approaches available (Django)
Is it worth it?
Questions?
Thank You!
This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis

Recommandé

Prevent deadlockswithj meter
Prevent deadlockswithj meterPrevent deadlockswithj meter
Prevent deadlockswithj meter
Oleksii Zozulenko
 
Code Reactions - An Introduction to Reactive Extensions
Code Reactions - An Introduction to Reactive ExtensionsCode Reactions - An Introduction to Reactive Extensions
Code Reactions - An Introduction to Reactive Extensions
jasonbock
 
1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita
Kevin Wu
 
Presentation4
Presentation4Presentation4
Presentation4
Bill Whittome
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a
 
Shock
ShockShock
Shock
Amal Raj
 
Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
Bill Whittome
 
Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
Bill Whittome
 

Recommandé

Prevent deadlockswithj meter
Prevent deadlockswithj meterPrevent deadlockswithj meter
Prevent deadlockswithj meter
Oleksii Zozulenko
 
Code Reactions - An Introduction to Reactive Extensions
Code Reactions - An Introduction to Reactive ExtensionsCode Reactions - An Introduction to Reactive Extensions
Code Reactions - An Introduction to Reactive Extensions
jasonbock
 
1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita
Kevin Wu
 
Presentation4
Presentation4Presentation4
Presentation4
Bill Whittome
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a
 
Shock
ShockShock
Shock
Amal Raj
 
Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
Bill Whittome
 
Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
Bill Whittome
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
Regex Considered Harmful: Use Rosie Pattern Language Instead
Regex Considered Harmful: Use Rosie Pattern Language InsteadRegex Considered Harmful: Use Rosie Pattern Language Instead
Regex Considered Harmful: Use Rosie Pattern Language Instead
All Things Open
 
Slides
SlidesSlides
Slides
vti
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
Dave Ross
 
OWASP PHPIDS talk slides
OWASP PHPIDS talk slidesOWASP PHPIDS talk slides
OWASP PHPIDS talk slides
guestd34230
 
Good practices for PrestaShop code security and optimization
Good practices for PrestaShop code security and optimizationGood practices for PrestaShop code security and optimization
Good practices for PrestaShop code security and optimization
PrestaShop
 
Api Design
Api DesignApi Design
Api Design
sumithra jonnalagadda
 
XML Schema Patterns for Databinding
XML Schema Patterns for DatabindingXML Schema Patterns for Databinding
XML Schema Patterns for Databinding
Paul Downey
 
Implementing the Genetic Algorithm in XSLT: PoC
Implementing the Genetic Algorithm in XSLT: PoCImplementing the Genetic Algorithm in XSLT: PoC
Implementing the Genetic Algorithm in XSLT: PoC
jimfuller2009
 
Rails and security
Rails and securityRails and security
Rails and security
Andrey Tokarchuk
 
Automated Frontend Testing
Automated Frontend TestingAutomated Frontend Testing
Automated Frontend Testing
Neil Crosby
 
CMS content
CMS contentCMS content
CMS content
iemail808
 
NHibernate (The ORM For .NET Platform)
NHibernate (The ORM For .NET Platform)NHibernate (The ORM For .NET Platform)
NHibernate (The ORM For .NET Platform)
Samnang Chhun
 
Questioning the status quo
Questioning the status quoQuestioning the status quo
Questioning the status quo
Ivano Pagano
 
Nhibernatethe Orm For Net Platform 1226744632929962 8
Nhibernatethe Orm For Net Platform 1226744632929962 8Nhibernatethe Orm For Net Platform 1226744632929962 8
Nhibernatethe Orm For Net Platform 1226744632929962 8
Nicolas Thon
 
Smart Client Development
Smart Client DevelopmentSmart Client Development
Smart Client Development
Tamir Khason
 
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
Carles Farré
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
webhostingguy
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
webhostingguy
 
Why haven't we stamped out SQL injection and XSS yet
Why haven't we stamped out SQL injection and XSS yetWhy haven't we stamped out SQL injection and XSS yet
Why haven't we stamped out SQL injection and XSS yet
Romain Gaucher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
DianaGray10
 

Contenu connexe

Similaire à 2 Roads to Redemption - Thoughts on XSS and SQLIA

Slides
SlidesSlides
Slides
vti
 
OWASP PHPIDS talk slides
OWASP PHPIDS talk slidesOWASP PHPIDS talk slides
OWASP PHPIDS talk slides
guestd34230
 
NHibernate (The ORM For .NET Platform)
NHibernate (The ORM For .NET Platform)NHibernate (The ORM For .NET Platform)
NHibernate (The ORM For .NET Platform)
Samnang Chhun
 
Nhibernatethe Orm For Net Platform 1226744632929962 8
Nhibernatethe Orm For Net Platform 1226744632929962 8Nhibernatethe Orm For Net Platform 1226744632929962 8
Nhibernatethe Orm For Net Platform 1226744632929962 8
Nicolas Thon
 
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
Carles Farré
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
webhostingguy
 

Similaire à 2 Roads to Redemption - Thoughts on XSS and SQLIA (20)

Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Regex Considered Harmful: Use Rosie Pattern Language Instead
Regex Considered Harmful: Use Rosie Pattern Language InsteadRegex Considered Harmful: Use Rosie Pattern Language Instead
Regex Considered Harmful: Use Rosie Pattern Language Instead
 
Slides
SlidesSlides
Slides
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
OWASP PHPIDS talk slides
OWASP PHPIDS talk slidesOWASP PHPIDS talk slides
OWASP PHPIDS talk slides
 
Good practices for PrestaShop code security and optimization
Good practices for PrestaShop code security and optimizationGood practices for PrestaShop code security and optimization
Good practices for PrestaShop code security and optimization
 
Api Design
Api DesignApi Design
Api Design
 
XML Schema Patterns for Databinding
XML Schema Patterns for DatabindingXML Schema Patterns for Databinding
XML Schema Patterns for Databinding
 
Implementing the Genetic Algorithm in XSLT: PoC
Implementing the Genetic Algorithm in XSLT: PoCImplementing the Genetic Algorithm in XSLT: PoC
Implementing the Genetic Algorithm in XSLT: PoC
 
Rails and security
Rails and securityRails and security
Rails and security
 
Automated Frontend Testing
Automated Frontend TestingAutomated Frontend Testing
Automated Frontend Testing
 
CMS content
CMS contentCMS content
CMS content
 
NHibernate (The ORM For .NET Platform)
NHibernate (The ORM For .NET Platform)NHibernate (The ORM For .NET Platform)
NHibernate (The ORM For .NET Platform)
 
Questioning the status quo
Questioning the status quoQuestioning the status quo
Questioning the status quo
 
Nhibernatethe Orm For Net Platform 1226744632929962 8
Nhibernatethe Orm For Net Platform 1226744632929962 8Nhibernatethe Orm For Net Platform 1226744632929962 8
Nhibernatethe Orm For Net Platform 1226744632929962 8
 
Smart Client Development
Smart Client DevelopmentSmart Client Development
Smart Client Development
 
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Why haven't we stamped out SQL injection and XSS yet
Why haven't we stamped out SQL injection and XSS yetWhy haven't we stamped out SQL injection and XSS yet
Why haven't we stamped out SQL injection and XSS yet
 

Dernier

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Dernier (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

2 Roads to Redemption - Thoughts on XSS and SQLIA

  • 1. 2 Roads to Redemption Thoughts on fixing SQLIA and XSS Florian Thiel, FU Berlin, 12/18/2008 florian.thiel ät noroute.de
  • 2.
  • 3. OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery
  • 4. OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery
  • 5. © by xckd: http://xkcd.com/327/
  • 6. © by xckd: http://xkcd.com/327/
  • 7. “SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/
  • 8. “SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/ SELECT firstname FROM Students WHERE (login = ‘Robert’); DROP TABLE Students; -- ‘);
  • 9. SQLIA threats • data integrity • confidentiality • new attack vector
  • 10.
  • 11. “This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. “ -- Marc Slemko, Apache.org
  • 12. XSS SQLIA eval(‘user input’)1,2 1) the essence of injections 2) limited only by the execution environment
  • 13. Failure to sanitize data into a different plane
  • 14. technical non-solutions • addslashes() or any one-size-fits-all • blacklisting (IPS, validation, etc.)
  • 15. technical solutions • AntiSamy • ReForm • prepared statements • Safe Query Objects • ...
  • 17. WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables quot;squot; and quot;ip_addressquot; of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008
  • 18. WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables quot;squot; and quot;ip_addressquot; of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008
  • 19. ey ’re er e. Th t! a re h ye Gibson ed illiam io ns ut ing W rib hras solut istparap d -- e Th ot eve nly j ustn
  • 20. The interesting* part * what my thesis is really about
  • 21. Developers more Code
  • 22. Helping developers • raise awareness • facilitate detection/motivate reviews • motivate repair
  • 23. // @userinput(data,source=”webform”, // type=”username”) // [insert data into query, ignore // non-alphanums] def insertAlphaNum(query, data): // [make sure data is canonical] c_data = data.toCharSet(...) c_data.replace(...) ... // [insert data into query] // @output(target=sql, // type=”username”) query.prepare(...) query.insert(data...) ...
  • 24. What do you use to communicate critical sections?
  • 25. Would you use annotations? Your requirements?
  • 26. GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1 Host: msdn.microsoft.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: 1.9.0.3) Gecko/2008092414 Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.google.de/search?q=http+request+header +example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en- US:official&client=firefox-a Cache-Control: max-age=0
  • 27.
  • 28. Current approaches • global XSS filter (HTML escapes) on/off • default sanitation of all data
  • 29. Current approaches g h ! n u o on/off • e ledata global XSS filter (HTML escapes) b • default sanitationiof all x t fl e N o
  • 30. Helping the framework • machines are good at doing repetitive work! • if they just knew enough...
  • 32. Rich Types • if we had a “firstname” type • and one for “XML” • and one for a “ebay-style post”
  • 33. Rich Types • if we had a “firstname” type • and one for “XML” • and one for a “ebay-style post” • we could do flexible validation/sanitation
  • 34. What we’d get • Types for SQL prepared statements • Types for AntiSamy/Template engine • Types for future backends • Types/Constraints for forms (XForms?) • rich constraints on complex types
  • 35. How it’d look like class MyTextField(models.Field): # may only contain <H1> sqlserializer = SQLFilter(type=”html”) # to SQL htmlserializer = AntiSamy(“H1Profile”) # to HTML validator = HtmlValidator(tagsAllowed=(“h1”))
  • 36. Drawbacks • needs decent infrastructure form framework • needs good type catalogue to be easy enough to use • what about HTTP headers, cookies? • simpler approaches available (Django)
  • 37. Is it worth it?
  • 40. This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis