OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting

How to Use OWASP ESAPI and Microsoft Web Protection Libraries Against Cross-Site Scripting

  1. How to Use OWASP ESAPI and Microsoft Web Protection Libraries Against Cross-Site Scripting
  2. Cross-Site Scripting
     - Cross-Site Scripting (XSS) occurs when an application takes data from a user and sends it back to a web browser without validation or encoding
     - There are three main varieties:
       - Stored
       - Reflected
       - DOM-based
     - To guard against it:
       - Positively validate inputs (accept only what the field should contain, reject everything else)
       - Escape user-supplied data sent back to the browser, using the encoder for the context it is written into (HTML body, HTML attribute, JavaScript, URL); HTML-encoding alone does not make data safe in the other contexts
  3. OWASP ESAPI
     - Sites:
       - Main: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
       - Java: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE
     - Good: provides a very robust set of encoder functions
     - Less good:
       - Has a number of dependencies (~29 at the time of writing; work on modularity is in progress)
       - Implementations are of varying maturity; the Java version is the most useful
  4. OWASP ESAPI (Java)
     - To use:
       - Follow the installation guide
       - Create a folder (.esapi) to store your configuration and preferences (ESAPI.properties); ESAPI 2.0 locates it through the org.owasp.esapi.resources system property, or as a .esapi directory in the user's home or on the classpath
     - Get access to the library:
       - Add all the support jars (31) to your project
       - Remove repeated jars
       - Add esapi-2.0_rc10.jar to your project
       - In a JSP: <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
     - Make calls to encode tainted data, choosing the method for the output context:
       - ESAPI.encoder().encodeForHTML() for text placed in the HTML body
       - ESAPI.encoder().encodeForHTMLAttribute() for values placed inside quoted attributes
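The validate-then-encode rule from slide 2 and the two ESAPI encoder calls above, as an added JavaScript example; this is not code from the slides or from ESAPI itself. The encoders follow the whitelist policy ESAPI's encodeForHTML and encodeForHTMLAttribute use (everything outside [A-Za-z0-9] becomes a numeric entity unless it is on a short per-context "immune" list, modelled here on ESAPI's defaults); the display-name policy, the page template and the handleGreeting handler are assumptions made for the demo.

```javascript
// Added example (not from the slides or from ESAPI): positive validation first, then
// context-specific output encoding. The immune lists mirror ESAPI's defaults for the
// HTML-body and HTML-attribute contexts; the page and policy below are assumed.

const IMMUNE_HTML = new Set([",", ".", "-", "_", " "]); // harmless as text in the HTML body
const IMMUNE_HTML_ATTR = new Set([",", ".", "-", "_"]); // a space is NOT harmless inside an attribute

function entityEncode(input, immune) {
  // The "u" flag matches whole code points, so an astral character becomes
  // one entity instead of two surrogate halves.
  return String(input).replace(/[^A-Za-z0-9]/gu, (c) =>
    immune.has(c) ? c : `&#${c.codePointAt(0)};`
  );
}
const encodeForHTML = (s) => entityEncode(s, IMMUNE_HTML);
const encodeForHTMLAttribute = (s) => entityEncode(s, IMMUNE_HTML_ATTR);

// Positive validation: accept only what the field should contain. The policy
// (1..32 letters, digits, spaces or hyphens for a display name) is an assumption.
const DISPLAY_NAME = /^[-A-Za-z0-9 ]{1,32}$/;
function validateDisplayName(input) {
  if (typeof input !== "string" || !DISPLAY_NAME.test(input)) {
    throw new Error("invalid display name");
  }
  return input;
}

// A reflected page that echoes the name into the HTML body and into a quoted attribute.
function renderVulnerable(name) {
  // Tainted data dropped straight into markup: the bug the slides are about.
  return `<p>Hello, ${name}!</p><input name="q" value="${name}">`;
}
function renderFixed(name) {
  // Same page, each sink encoded for its own context.
  return `<p>Hello, ${encodeForHTML(name)}!</p>` +
         `<input name="q" value="${encodeForHTMLAttribute(name)}">`;
}

// Request handler: validation rejects what the field should never contain,
// encoding neutralises whatever validation lets through (defence in depth).
function handleGreeting(rawName) {
  let name;
  try {
    name = validateDisplayName(rawName);
  } catch (e) {
    return { status: 400, html: "<p>Invalid name.</p>" };
  }
  return { status: 200, html: renderFixed(name) };
}

// Constructed sample inputs for a stand-alone run.
if (typeof require !== "undefined" && require.main === module) {
  for (const raw of ["Dan Cornell", "<script>alert(1)</script>", '" onmouseover="alert(1)']) {
    console.log(JSON.stringify(raw));
    console.log("  vulnerable:", renderVulnerable(raw));
    console.log("  fixed:     ", renderFixed(raw));
    console.log("  handler:   ", JSON.stringify(handleGreeting(raw)));
  }
}
```

Note the difference between the two contexts: a space is left alone in the body but encoded in the attribute, because an unquoted or broken-out attribute value ends at the first space. That is why one generic "HTML encode" call is not enough and why ESAPI (and AntiXSS) ship one encoder per context.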
  5. ASP.NET Request Validation
     - ASP.NET provides some blacklist-based input validation to try to guard against HTML injection and cross-site scripting (XSS) attacks
     - It is turned on by default (yeah!)
     - Many applications disable it (boo!), typically because it:
       - Blocked a valid request
       - Made trouble with AJAX
       - And so on
  6. ASP.NET Request Validation
     - How to configure it, or check whether it is enabled? It is on by default
     - Site-wide, in web.config:
         <configuration>
           <system.web>
             <pages validateRequest="true|false" />
           </system.web>
         </configuration>
     - Per page:
         <%@ Page … ValidateRequest="true|false" %>
     - Caveat when auditing: in ASP.NET 4.0 and later, validation runs earlier in the pipeline and these settings only take effect if web.config also sets <httpRuntime requestValidationMode="2.0" />, so check both places
  7. Microsoft Web Protection Library
     - Main site:
       - http://wpl.codeplex.com/
     - To use:
       - Import a reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
         - Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
       - Get access to the library:
         - In code: using Microsoft.Security.Application;
         - In an ASPX page: <%@ Import Namespace="Microsoft.Security.Application" %>
       - Make calls to encode tainted data, again picking the method for the output context:
         - AntiXss.HtmlEncode()
         - AntiXss.HtmlAttributeEncode()
         - And so on… (AntiXSS 4.0 exposes the same methods on the newer Encoder class in the same namespace, which is the one to use in new code)
  8. Exercise: Fixing XSS Vulnerabilities
     - Java
       - Reflected XSS
       - Stored XSS
     - ASP.NET
       - Reflected XSS
       - Stored XSS
  9. But Your ASP.NET Examples Cheated!
     - This is true: ASP.NET provides some XSS protection via the ValidateRequest functionality
     - However:
       - It can be (and often is) turned off on a per-page or site-wide basis
       - It has been defeated in the past and will be defeated again in the future:
         - http://www.procheckup.com/vulnerability_manager/documents/document_1258758664/bypassing-dot-NET-ValidateRequest.pdf
         - http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
     - If you want your code to be "Rugged", you need to actually guard against cross-site scripting in your own code: encode output for its context rather than relying on the framework's blacklist to catch bad input
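An added example, not from the slides or from ASP.NET, of why a request-validation blacklist is not a substitute for output encoding. The DANGEROUS pattern is a simplified model of the commonly described ASP.NET rule (reject "<" followed by a letter, "!", "/" or "?", and the "&#" entity prefix); the pattern, the search page and the serveSearch handler are assumptions for illustration and not the framework's code. The point it shows is that a value injected into a quoted attribute needs neither pattern, so the blacklist passes it and only the encoder stops it.

```javascript
// Added example (not from the slides or from ASP.NET): a simplified request-validation
// blacklist versus context-specific output encoding. DANGEROUS is an approximation of the
// commonly described ASP.NET rule, used here only to illustrate the blacklist approach.
const DANGEROUS = /<[A-Za-z!\/?]|&#/;

// Names of request parameters the blacklist would reject (empty array = request allowed).
function rejectedParameters(params) {
  return Object.keys(params).filter((k) => DANGEROUS.test(params[k]));
}

// Attribute-context encoder with the same whitelist rule as the earlier example:
// everything outside [A-Za-z0-9,._-] becomes a numeric entity.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9,._-]/gu, (c) => `&#${c.codePointAt(0)};`);
}

// A search page that echoes the term back into a quoted attribute, with and without encoding.
function searchBoxVulnerable(term) {
  return `<input name="q" value="${term}">`;
}
function searchBoxFixed(term) {
  return `<input name="q" value="${encodeForHTMLAttribute(term)}">`;
}

// Counts attributes in the rendered tag. The author wrote exactly two (name and value),
// so a third one means user data became markup.
function countAttributes(html) {
  return (html.match(/\s[A-Za-z-]+=/g) || []).length;
}

// Full flow: blacklist screen first, then render. Returns what the browser would receive.
function serveSearch(params, options) {
  if (rejectedParameters(params).length > 0) {
    return { status: 500, html: "<p>A potentially dangerous value was detected.</p>" };
  }
  const term = params.q || "";
  return { status: 200, html: options.encode ? searchBoxFixed(term) : searchBoxVulnerable(term) };
}

// Constructed sample requests for a stand-alone run.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    { q: "<script>alert(1)</script>" }, // classic payload: the blacklist catches it
    { q: '" onmouseover="alert(1)' },   // no "<" and no "&#": the blacklist passes it
  ];
  for (const params of samples) {
    console.log(JSON.stringify(params));
    console.log("  blacklist only:", JSON.stringify(serveSearch(params, { encode: false })));
    console.log("  plus encoding: ", JSON.stringify(serveSearch(params, { encode: true })));
  }
}
```

Run it and compare the second sample: with the blacklist alone the rendered tag has three attributes, one of them an event handler the author never wrote; with encoding it has two, and the user's quote marks are entities inside the value. The blacklist is still worth leaving on as a tripwire, but the encoder is the control that actually holds.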
  10. Resources
     - OWASP ESAPI
       - http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
     - Microsoft Web Protection Library
       - http://wpl.codeplex.com/
     - Denim Group Remediation Resource Center
       - www.denimgroup.com/remediation
  11. Questions?
     - Dan Cornell
     - [email_address]
     - Twitter: @danielcornell
     - www.denimgroup.com
     - (210) 572-4400