SlideShare une entreprise Scribd logo

2 Roads to Redemption - Thoughts on XSS and SQLIA

G
guestfdcb8a

Intermediate presentation of my diploma thesis topic @ TU Berlin Computer Security working group

Technologie
1  sur  40
Télécharger pour lire hors ligne
2 Roads to Redemption Thoughts on fixing SQLIA and XSS Florian Thiel, TU Berlin, 12/16/2008 florian.thiel ät noroute.de
Source: OWASP (Open Web Application Security Project) works on awareness and best practices for WAS. Open approach. based on MITRE Vulnerability Trends 2006 - biased a little, not based on a controlled population (various research bodies) I will talk about the first two. OWASP differentiates between XSS and injection flaws (such as SQLIA) but I’ll show you that they have much in common. The two vulnerabilities are very common and high-profile websites have been attacked. I’ll explain the background and than what I’m going to do about it.
OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery Source: OWASP (Open Web Application Security Project) works on awareness and best practices for WAS. Open approach. based on MITRE Vulnerability Trends 2006 - biased a little, not based on a controlled population (various research bodies) I will talk about the first two. OWASP differentiates between XSS and injection flaws (such as SQLIA) but I’ll show you that they have much in common. The two vulnerabilities are very common and high-profile websites have been attacked. I’ll explain the background and than what I’m going to do about it.
OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery Source: OWASP (Open Web Application Security Project) works on awareness and best practices for WAS. Open approach. based on MITRE Vulnerability Trends 2006 - biased a little, not based on a controlled population (various research bodies) I will talk about the first two. OWASP differentiates between XSS and injection flaws (such as SQLIA) but I’ll show you that they have much in common. The two vulnerabilities are very common and high-profile websites have been attacked. I’ll explain the background and than what I’m going to do about it.
© by xckd: http://xkcd.com/327/ Let’t start with SQLIA. Who knows this comic strip from XKCD? This is a really simple form of SQLIA. This is one of the threats of SQLIA, namely to data integrity.
© by xckd: http://xkcd.com/327/ Let’t start with SQLIA. Who knows this comic strip from XKCD? This is a really simple form of SQLIA. This is one of the threats of SQLIA, namely to data integrity.
“SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/ Let’t start with SQLIA. Who knows this comic strip from XKCD? This is a really simple form of SQLIA. This is one of the threats of SQLIA, namely to data integrity.
“SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/ SELECT firstname FROM Students WHERE (login = ‘Robert’); DROP TABLE Students; -- ‘); Let’t start with SQLIA. Who knows this comic strip from XKCD? This is a really simple form of SQLIA. This is one of the threats of SQLIA, namely to data integrity.
SQLIA threats • data integrity • confidentiality • new attack vector
XSS. Infamous with PHP due to it’s origins. Not so much cross-site today...
“This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. “ -- Marc Slemko, Apache.org The real problem is getting code included in a web page so that it is interpreted by the web browser. Cross-site comes from frames, popular in 1996, include() in PHP
XSS SQLIA eval(‘user input’)1,2 1) the essence of injections 2) limited only by the execution environment The common root of the two problems is that you basically eval user input. In XSS, you do this directly (aka ‘by design’) in SQL this is a matter of missing sophistication in app design.
Failure to sanitize data into a different plane This is the weakness that actually appears in apps. Common Weakness Enumeration What’s perfectly fine in one plane might not be in the other one. Injecting SQL via XSS does no harm (because the browser cannot make sense of it). For SQL: From User Input or HTML to SQL Engine For XSS: From HTML, Strings to Web Browser (HTML, JS, Flash, ... engine)
technical non-solutions • addslashes() or any one-size-fits-all • blacklisting (IPS, validation, etc.) PHP: numeric field (no quotes) and encoding IDS: char(114,111,111,116) (“root” (in MySQL)) white spaces, or for 1=1: do “something” = “some”+”thing”
technical solutions • AntiSamy • ReForm • prepared statements • Safe Query Objects • ... AntiSamy from OWASP, interesting project, supplies “profiles” for pages that need some markup. ReForm is a standard library by OWASP again, escapes HTML in a defined way, multiple languages. Safe Query Objects are an extension of the prepared statements idea, adds types. Makes constraint checking possible. Looks good!
only half-way there technical solutions become more and more sophisticated. There’s light at the end of the tunnel, but...
WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables quot;squot; and quot;ip_addressquot; of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008 This is just an example. Recent WP exploit. Nothing to do with missing technology. Failure to do sanitation correctly.
WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables quot;squot; and quot;ip_addressquot; of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008 This is just an example. Recent WP exploit. Nothing to do with missing technology. Failure to do sanitation correctly.
ey ’re er e. Th t! a re h ye Gibson ed illiam io ns ut ing W rib hras solut istparap d -- e Th ot eve nly j ustn William Gibson knew it: We got the techniques, but not everybody is aware of it. Not evenly distributed yet, heh? So, let’s talk about approaches how to get there and the interesting part (tm)
The interesting* part * what my thesis is really about This part is shorter and has less data, more fuzzy assumptions.
Developers more Code I see two roads to go from here. The first one is to educate developers and make it easier for them to use the future/the tools. Reduce oversight! The second one is a technical solution. Write code that takes care of correct application of measures. Common to both: Take away some cognitive load from the developers.
Helping developers • raise awareness • facilitate detection/motivate reviews • motivate repair awareness: “You wouldn’t recognize iambic pentameter if it bit you on the butt”. We need patterns to find vulnerabilities. (There are broken examples in the wild, many books have them) But: developers have to be constantly aware of the critical spots in their code. That’s where annotations come in. Mark the spots that directly interact with user input, add rich annotations to tell the developer of his/her surroundings. Facilitate detection: If you annotate critical spots you’ll find inconsistencies easier. Add annotations gives you extra value for reviews, turns up in VC. Motivate repair: annotations may show you how many critical sections you have in your code. Tool support will make you embarassed!
// @userinput(data,source=”webform”, // type=”username”) // [insert data into query, ignore // non-alphanums] def insertAlphaNum(query, data): // [make sure data is canonical] c_data = data.toCharSet(...) c_data.replace(...) ... // [insert data into query] // @output(target=sql, // type=”username”) query.prepare(...) query.insert(data...) ... An example: the @userinput annotation says that data is from userinput and comes from a webform. The idea is to spread knowledge about the data out in the sourcecode. You usually have to know know more about data than its type (it’s “string”, anyway. This can also provide support for tooling in the future. The [] part comes from structured programming. We want to have a light-weight “proof” for code sections. The idea is stepwise abstraction. look at what the innermost annotation says and check the (less than 10) lines of code. Then you can use the abstraction given in the annotation as the effect of the code. The idea is to keep mental load low. Also, this facilitates reuse. If you change a part of code, you only have to see if the surrounding annotation still holds. If you’re constructing code, you can use this the other way round. Give the effect of the outermost annotation, write the next abstraction refinement, prove this, refine further, etc. This is used in Cleanroom software development, which has a really good track record for defect-free software.
What do you use to communicate critical sections? Audience participation: How many of you work in a multi-person project? How do you tell your colleagues about critical sections? Documentation? Annotations? Do you have a technical solution?
Would you use annotations? Your requirements? Does this annotation thing make sense to you? Would you use it? How easy would it have to be? What functions would you like? I promised you another approach. Let’s just motivate this a bit...
GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1 Host: msdn.microsoft.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: 1.9.0.3) Gecko/2008092414 Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.google.de/search?q=http+request+header +example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en- US:official&client=firefox-a Cache-Control: max-age=0 This is the zoo! there are many sources of potential user input. Basically everything that is external to the system. HTTP Header parameters (anyone know exploits for the Referer? I would expect some for ad companies :-) Cookies (the cookie monster didn’t know, but cookies can be evil) Environment variables (maybe) Forms We have to trace EVERY SINGLE occurrence of user input! -> Flow analysis Tainting functionality only takes us so far. String-based taint is missing granularity. Character-based tainting is better but still cannot determine if the programmer is doing the right thing. Oh, and types. We still need the programmer to decide on sensible types for EVERY SINGLE input value and implement the sanitation correctly.
This is the zoo! there are many sources of potential user input. Basically everything that is external to the system. HTTP Header parameters (anyone know exploits for the Referer? I would expect some for ad companies :-) Cookies (the cookie monster didn’t know, but cookies can be evil) Environment variables (maybe) Forms We have to trace EVERY SINGLE occurrence of user input! -> Flow analysis Tainting functionality only takes us so far. String-based taint is missing granularity. Character-based tainting is better but still cannot determine if the programmer is doing the right thing. Oh, and types. We still need the programmer to decide on sensible types for EVERY SINGLE input value and implement the sanitation correctly.
Current approaches • global XSS filter (HTML escapes) on/off • default sanitation of all data That’s how it’s done currently. E.g. Code Igniter, PHP framework or Django, Python. Global sanitation does not allow for some markup. It does not address the SQLIA problem, too. There are SQLIA attacks that rely on the differing execution context of the validator and the DB.
Current approaches g h ! n u o on/off • e ledata global XSS filter (HTML escapes) b • default sanitationiof all x t fl e N o That’s how it’s done currently. E.g. Code Igniter, PHP framework or Django, Python. Global sanitation does not allow for some markup. It does not address the SQLIA problem, too. There are SQLIA attacks that rely on the differing execution context of the validator and the DB.
Helping the framework • machines are good at doing repetitive work! • if they just knew enough... OK, the other approach. Why let humans do what machines are best at? Oh, they don’t know enough to be good enough.
Rich Types Let’s educate the framework. If we had semantic types that could do more than naïve operations.
Rich Types • if we had a “firstname” type • and one for “XML” • and one for a “ebay-style post” Let’s educate the framework. If we had semantic types that could do more than naïve operations.
Rich Types • if we had a “firstname” type • and one for “XML” • and one for a “ebay-style post” • we could do flexible validation/sanitation Let’s educate the framework. If we had semantic types that could do more than naïve operations.
What we’d get • Types for SQL prepared statements • Types for AntiSamy/Template engine • Types for future backends • Types/Constraints for forms (XForms?) • rich constraints on complex types We could use something like Safe Query Objects because we knew enough. We could automatically use AntiSamy without custom profile specifications. We could do rich validation in forms, maybe XForms engines. We could have internal constraints on types, maybe good for overall system security.
How it’d look like class MyTextField(models.Field): # may only contain <H1> sqlserializer = SQLFilter(type=”html”) # to SQL htmlserializer = AntiSamy(“H1Profile”) # to HTML validator = HtmlValidator(tagsAllowed=(“h1”)) This is a very simple example. A textfield that should only contain <H1>s. SQL Serializer can take care of charset conversion (encode everything). htmlserializer only lets H1s through. Validator can make sure that input is valid HTML (all characters are encoded). There is some redundancy, but that’s good for security, right?
Drawbacks • needs decent infrastructure form framework • needs good type catalogue to be easy enough to use • what about HTTP headers, cookies? • simpler approaches available (Django) We would need quite a heavyweight frameworks were we could attach validators/filters/ whatever to all data interactions. Nobody would use it if the default types were not covered. Maybe create a public catalogue usable in different languages. Central updates To be consistens, HTTP Headers and Cookies would need types. As long as applications don’t do crazy things, we could think up a generic type for that... There’s Django: They don’t allow any HTML and stuff. Use RST, Textile, Markdown instead. You have to explicitly say if you want something not htmlescaped. Secure by default. Benefits for Django: - Better form validation - internal type checking - allow HTML in apps
Is it worth it? What do you think? How difficult is it? Does it provide good benefits? Enough to be useful? I need my approach to be actually adopted by developers.
Questions? Coming to an end. Do you have more questions or suggestions?
Thank You! Than I’d like to thank you for attending and for your input.
This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis

Recommandé

(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
Stefano Di Paola
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
Stefano Di Paola
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web security
Moutasm Tamimi
 
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
NullCon 2012 - Ra.2: blackbox DOM-based XSS scannerNullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
Nishant Das Patnaik
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise
F _
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
beched
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurps
F _
 

Recommandé

(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe(In)Security Implication in the JS Universe
(In)Security Implication in the JS Universe
Stefano Di Paola
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
Stefano Di Paola
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web security
Moutasm Tamimi
 
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
NullCon 2012 - Ra.2: blackbox DOM-based XSS scannerNullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
Nishant Das Patnaik
 
Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
Stefano Di Paola
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise
F _
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
beched
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurps
F _
 
Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
Bill Whittome
 
Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
Bill Whittome
 
Shock
ShockShock
Shock
Amal Raj
 
Art2trade4 Ltd
Art2trade4 LtdArt2trade4 Ltd
Art2trade4 Ltd
Bill Whittome
 
Copy Of Black And White Sunshine[1]
Copy Of Black And White Sunshine[1]Copy Of Black And White Sunshine[1]
Copy Of Black And White Sunshine[1]
RichF62
 
Presentation4
Presentation4Presentation4
Presentation4
Bill Whittome
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a
 
1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita
Kevin Wu
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
José Ignacio
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
Alex Payne
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
OWASP
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
Jim Manico
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
Joe McCray
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
OWASP Russia
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScript
d0nn9n
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
Eoin Keary
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
Dave Ross
 

Contenu connexe

En vedette

Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
Bill Whittome
 
Copy Of Black And White Sunshine[1]
Copy Of Black And White Sunshine[1]Copy Of Black And White Sunshine[1]
Copy Of Black And White Sunshine[1]
RichF62
 
1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita
Kevin Wu
 

En vedette (8)

Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
 
Welcome to art2trade4 presentation
Welcome to art2trade4 presentationWelcome to art2trade4 presentation
Welcome to art2trade4 presentation
 
Shock
ShockShock
Shock
 
Art2trade4 Ltd
Art2trade4 LtdArt2trade4 Ltd
Art2trade4 Ltd
 
Copy Of Black And White Sunshine[1]
Copy Of Black And White Sunshine[1]Copy Of Black And White Sunshine[1]
Copy Of Black And White Sunshine[1]
 
Presentation4
Presentation4Presentation4
Presentation4
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita1011寒假海外成長計畫 anita
1011寒假海外成長計畫 anita
 

Similaire à 2 Roads to Redemption - Thoughts on XSS and SQLIA

The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScript
d0nn9n
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
richardnorman90310
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
Gavin Holt
 
Technology Based Testing
Technology Based TestingTechnology Based Testing
Technology Based Testing
Alan Richardson
 

Similaire à 2 Roads to Redemption - Thoughts on XSS and SQLIA (20)

The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines SQL/JavaScript Hybrid Worms As Two-stage Quines
SQL/JavaScript Hybrid Worms As Two-stage Quines
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScript
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
PCI OWASP Course Storyboard
PCI OWASP Course StoryboardPCI OWASP Course Storyboard
PCI OWASP Course Storyboard
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
 
Layer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And HardeningLayer 7 Technologies: Web Services Hacking And Hardening
Layer 7 Technologies: Web Services Hacking And Hardening
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
Technology Based Testing
Technology Based TestingTechnology Based Testing
Technology Based Testing
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 

Dernier

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 

Dernier (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

2 Roads to Redemption - Thoughts on XSS and SQLIA

  • 1. 2 Roads to Redemption Thoughts on fixing SQLIA and XSS Florian Thiel, TU Berlin, 12/16/2008 florian.thiel ät noroute.de
  • 2. Source: OWASP (Open Web Application Security Project) works on awareness and best practices for WAS. Open approach. based on MITRE Vulnerability Trends 2006 - biased a little, not based on a controlled population (various research bodies) I will talk about the first two. OWASP differentiates between XSS and injection flaws (such as SQLIA) but I’ll show you that they have much in common. The two vulnerabilities are very common and high-profile websites have been attacked. I’ll explain the background and than what I’m going to do about it.
  • 3. OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery Source: OWASP (Open Web Application Security Project) works on awareness and best practices for WAS. Open approach. based on MITRE Vulnerability Trends 2006 - biased a little, not based on a controlled population (various research bodies) I will talk about the first two. OWASP differentiates between XSS and injection flaws (such as SQLIA) but I’ll show you that they have much in common. The two vulnerabilities are very common and high-profile websites have been attacked. I’ll explain the background and than what I’m going to do about it.
  • 4. OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery Source: OWASP (Open Web Application Security Project) works on awareness and best practices for WAS. Open approach. based on MITRE Vulnerability Trends 2006 - biased a little, not based on a controlled population (various research bodies) I will talk about the first two. OWASP differentiates between XSS and injection flaws (such as SQLIA) but I’ll show you that they have much in common. The two vulnerabilities are very common and high-profile websites have been attacked. I’ll explain the background and than what I’m going to do about it.
  • 5. © by xckd: http://xkcd.com/327/ Let’t start with SQLIA. Who knows this comic strip from XKCD? This is a really simple form of SQLIA. This is one of the threats of SQLIA, namely to data integrity.
  • 6. © by xckd: http://xkcd.com/327/ Let’t start with SQLIA. Who knows this comic strip from XKCD? This is a really simple form of SQLIA. This is one of the threats of SQLIA, namely to data integrity.
  • 7. “SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/ Let’t start with SQLIA. Who knows this comic strip from XKCD? This is a really simple form of SQLIA. This is one of the threats of SQLIA, namely to data integrity.
  • 8. “SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/ SELECT firstname FROM Students WHERE (login = ‘Robert’); DROP TABLE Students; -- ‘); Let’t start with SQLIA. Who knows this comic strip from XKCD? This is a really simple form of SQLIA. This is one of the threats of SQLIA, namely to data integrity.
  • 9. SQLIA threats • data integrity • confidentiality • new attack vector
  • 10. XSS. Infamous with PHP due to it’s origins. Not so much cross-site today...
  • 11. “This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. “ -- Marc Slemko, Apache.org The real problem is getting code included in a web page so that it is interpreted by the web browser. Cross-site comes from frames, popular in 1996, include() in PHP
  • 12. XSS SQLIA eval(‘user input’)1,2 1) the essence of injections 2) limited only by the execution environment The common root of the two problems is that you basically eval user input. In XSS, you do this directly (aka ‘by design’) in SQL this is a matter of missing sophistication in app design.
  • 13. Failure to sanitize data into a different plane This is the weakness that actually appears in apps. Common Weakness Enumeration What’s perfectly fine in one plane might not be in the other one. Injecting SQL via XSS does no harm (because the browser cannot make sense of it). For SQL: From User Input or HTML to SQL Engine For XSS: From HTML, Strings to Web Browser (HTML, JS, Flash, ... engine)
  • 14. technical non-solutions • addslashes() or any one-size-fits-all • blacklisting (IPS, validation, etc.) PHP: numeric field (no quotes) and encoding IDS: char(114,111,111,116) (“root” (in MySQL)) white spaces, or for 1=1: do “something” = “some”+”thing”
  • 15. technical solutions • AntiSamy • ReForm • prepared statements • Safe Query Objects • ... AntiSamy from OWASP, interesting project, supplies “profiles” for pages that need some markup. ReForm is a standard library by OWASP again, escapes HTML in a defined way, multiple languages. Safe Query Objects are an extension of the prepared statements idea, adds types. Makes constraint checking possible. Looks good!
  • 16. only half-way there technical solutions become more and more sophisticated. There’s light at the end of the tunnel, but...
  • 17. WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables quot;squot; and quot;ip_addressquot; of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008 This is just an example. Recent WP exploit. Nothing to do with missing technology. Failure to do sanitation correctly.
  • 18. WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables quot;squot; and quot;ip_addressquot; of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008 This is just an example. Recent WP exploit. Nothing to do with missing technology. Failure to do sanitation correctly.
  • 19. ey ’re er e. Th t! a re h ye Gibson ed illiam io ns ut ing W rib hras solut istparap d -- e Th ot eve nly j ustn William Gibson knew it: We got the techniques, but not everybody is aware of it. Not evenly distributed yet, heh? So, let’s talk about approaches how to get there and the interesting part (tm)
  • 20. The interesting* part * what my thesis is really about This part is shorter and has less data, more fuzzy assumptions.
  • 21. Developers more Code I see two roads to go from here. The first one is to educate developers and make it easier for them to use the future/the tools. Reduce oversight! The second one is a technical solution. Write code that takes care of correct application of measures. Common to both: Take away some cognitive load from the developers.
  • 22. Helping developers • raise awareness • facilitate detection/motivate reviews • motivate repair awareness: “You wouldn’t recognize iambic pentameter if it bit you on the butt”. We need patterns to find vulnerabilities. (There are broken examples in the wild, many books have them) But: developers have to be constantly aware of the critical spots in their code. That’s where annotations come in. Mark the spots that directly interact with user input, add rich annotations to tell the developer of his/her surroundings. Facilitate detection: If you annotate critical spots you’ll find inconsistencies easier. Add annotations gives you extra value for reviews, turns up in VC. Motivate repair: annotations may show you how many critical sections you have in your code. Tool support will make you embarassed!
  • 23. // @userinput(data,source=”webform”, // type=”username”) // [insert data into query, ignore // non-alphanums] def insertAlphaNum(query, data): // [make sure data is canonical] c_data = data.toCharSet(...) c_data.replace(...) ... // [insert data into query] // @output(target=sql, // type=”username”) query.prepare(...) query.insert(data...) ... An example: the @userinput annotation says that data is from userinput and comes from a webform. The idea is to spread knowledge about the data out in the sourcecode. You usually have to know know more about data than its type (it’s “string”, anyway. This can also provide support for tooling in the future. The [] part comes from structured programming. We want to have a light-weight “proof” for code sections. The idea is stepwise abstraction. look at what the innermost annotation says and check the (less than 10) lines of code. Then you can use the abstraction given in the annotation as the effect of the code. The idea is to keep mental load low. Also, this facilitates reuse. If you change a part of code, you only have to see if the surrounding annotation still holds. If you’re constructing code, you can use this the other way round. Give the effect of the outermost annotation, write the next abstraction refinement, prove this, refine further, etc. This is used in Cleanroom software development, which has a really good track record for defect-free software.
  • 24. What do you use to communicate critical sections? Audience participation: How many of you work in a multi-person project? How do you tell your colleagues about critical sections? Documentation? Annotations? Do you have a technical solution?
  • 25. Would you use annotations? Your requirements? Does this annotation thing make sense to you? Would you use it? How easy would it have to be? What functions would you like? I promised you another approach. Let’s just motivate this a bit...
  • 26. GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1 Host: msdn.microsoft.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: 1.9.0.3) Gecko/2008092414 Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.google.de/search?q=http+request+header +example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en- US:official&client=firefox-a Cache-Control: max-age=0 This is the zoo! there are many sources of potential user input. Basically everything that is external to the system. HTTP Header parameters (anyone know exploits for the Referer? I would expect some for ad companies :-) Cookies (the cookie monster didn’t know, but cookies can be evil) Environment variables (maybe) Forms We have to trace EVERY SINGLE occurrence of user input! -> Flow analysis Tainting functionality only takes us so far. String-based taint is missing granularity. Character-based tainting is better but still cannot determine if the programmer is doing the right thing. Oh, and types. We still need the programmer to decide on sensible types for EVERY SINGLE input value and implement the sanitation correctly.
  • 27. This is the zoo! there are many sources of potential user input. Basically everything that is external to the system. HTTP Header parameters (anyone know exploits for the Referer? I would expect some for ad companies :-) Cookies (the cookie monster didn’t know, but cookies can be evil) Environment variables (maybe) Forms We have to trace EVERY SINGLE occurrence of user input! -> Flow analysis Tainting functionality only takes us so far. String-based taint is missing granularity. Character-based tainting is better but still cannot determine if the programmer is doing the right thing. Oh, and types. We still need the programmer to decide on sensible types for EVERY SINGLE input value and implement the sanitation correctly.
  • 28. Current approaches • global XSS filter (HTML escapes) on/off • default sanitation of all data That’s how it’s done currently. E.g. Code Igniter, PHP framework or Django, Python. Global sanitation does not allow for some markup. It does not address the SQLIA problem, too. There are SQLIA attacks that rely on the differing execution context of the validator and the DB.
  • 29. Current approaches g h ! n u o on/off • e ledata global XSS filter (HTML escapes) b • default sanitationiof all x t fl e N o That’s how it’s done currently. E.g. Code Igniter, PHP framework or Django, Python. Global sanitation does not allow for some markup. It does not address the SQLIA problem, too. There are SQLIA attacks that rely on the differing execution context of the validator and the DB.
  • 30. Helping the framework • machines are good at doing repetitive work! • if they just knew enough... OK, the other approach. Why let humans do what machines are best at? Oh, they don’t know enough to be good enough.
  • 31. Rich Types Let’s educate the framework. If we had semantic types that could do more than naïve operations.
  • 32. Rich Types • if we had a “firstname” type • and one for “XML” • and one for a “ebay-style post” Let’s educate the framework. If we had semantic types that could do more than naïve operations.
  • 33. Rich Types • if we had a “firstname” type • and one for “XML” • and one for a “ebay-style post” • we could do flexible validation/sanitation Let’s educate the framework. If we had semantic types that could do more than naïve operations.
  • 34. What we’d get • Types for SQL prepared statements • Types for AntiSamy/Template engine • Types for future backends • Types/Constraints for forms (XForms?) • rich constraints on complex types We could use something like Safe Query Objects because we knew enough. We could automatically use AntiSamy without custom profile specifications. We could do rich validation in forms, maybe XForms engines. We could have internal constraints on types, maybe good for overall system security.
  • 35. How it’d look like class MyTextField(models.Field): # may only contain <H1> sqlserializer = SQLFilter(type=”html”) # to SQL htmlserializer = AntiSamy(“H1Profile”) # to HTML validator = HtmlValidator(tagsAllowed=(“h1”)) This is a very simple example. A textfield that should only contain <H1>s. SQL Serializer can take care of charset conversion (encode everything). htmlserializer only lets H1s through. Validator can make sure that input is valid HTML (all characters are encoded). There is some redundancy, but that’s good for security, right?
  • 36. Drawbacks • needs decent infrastructure form framework • needs good type catalogue to be easy enough to use • what about HTTP headers, cookies? • simpler approaches available (Django) We would need quite a heavyweight frameworks were we could attach validators/filters/ whatever to all data interactions. Nobody would use it if the default types were not covered. Maybe create a public catalogue usable in different languages. Central updates To be consistens, HTTP Headers and Cookies would need types. As long as applications don’t do crazy things, we could think up a generic type for that... There’s Django: They don’t allow any HTML and stuff. Use RST, Textile, Markdown instead. You have to explicitly say if you want something not htmlescaped. Secure by default. Benefits for Django: - Better form validation - internal type checking - allow HTML in apps
  • 37. Is it worth it? What do you think? How difficult is it? Does it provide good benefits? Enough to be useful? I need my approach to be actually adopted by developers.
  • 38. Questions? Coming to an end. Do you have more questions or suggestions?
  • 39. Thank You! Than I’d like to thank you for attending and for your input.
  • 40. This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis