OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
How to Use OWASP ESAPI and Microsoft Web Protection Libraries Against Cross-Site Scripting
Published in: Technology
Transcript

  • 1. How to Use OWASP ESAPI and Microsoft Web Protection Libraries Against Cross-Site Scripting
  • 2. Cross-Site Scripting
    • Cross-Site Scripting (XSS) occurs when an application takes data from a user and sends it back to a web browser without validation or encoding
    • There are three main varieties:
      • Stored
      • Reflected
      • DOM-based
    • To guard against:
      • Positively validate inputs
      • Escape user-supplied data sent back to the browser
  • 3. OWASP ESAPI
    • Sites:
      • Main: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
      • Java: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE
    • Good: Provides very robust set of encoder functions
    • Less good:
      • Has a number of dependencies (~29 currently; work on modularity is in progress)
      • Implementations are of varying maturity. Most useful for Java.
  • 4. OWASP ESAPI (Java)
    • To Use:
      • Follow the installation guide
      • Must create a folder (.esapi) to store your configuration and preferences
    • Get access to library:
      • Add all the support jars (31) to your project
      • Remove repeated jars
      • Add esapi-2.0_rc10.jar to your project
      • <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
    • Make calls to encode tainted data:
      • ESAPI.encoder().encodeForHTML()
      • ESAPI.encoder().encodeForHTMLAttribute()
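As an added example (not from the slides or the ESAPI project), the servlet below applies both guards from slide 2 using the ESAPI 2.x calls from slide 4: positive validation of the incoming parameter, then context-specific encoding of every place the value is written into the page. It assumes ESAPI 2.x and the servlet API on the classpath and an ESAPI.properties in the .esapi folder that still defines the default "HTTPParameterValue" validation pattern; GreetingServlet, the name parameter and the 50-character limit are invented for the illustration, and encodeForJavaScript is an ESAPI encoder not listed on the slide.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example (hypothetical servlet, not from the slides): reads a "name"
 * request parameter, positively validates it, and encodes it for each output
 * context before it reaches the browser.  Assumes the default ESAPI.properties
 * (in the .esapi folder the slides mention) defines Validator.HTTPParameterValue.
 */
public class GreetingServlet extends HttpServlet {

    // Maximum length accepted for the parameter; chosen for this illustration.
    private static final int MAX_NAME_LENGTH = 50;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html; charset=UTF-8");
        String name = req.getParameter("name");

        // Guard 1 (slide 2, "positively validate inputs"): accept only input that
        // matches the allow-list regex named "HTTPParameterValue" in ESAPI.properties.
        // getValidInput rejects (throws) rather than silently stripping characters.
        String validName;
        try {
            validName = ESAPI.validator().getValidInput(
                    "name parameter",        // context string used in log messages
                    name,                    // untrusted input
                    "HTTPParameterValue",    // validation rule from ESAPI.properties
                    MAX_NAME_LENGTH,
                    false);                  // allowNull = false: missing parameter is an error
        } catch (ValidationException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid name parameter");
            return;
        }

        // Guard 2 (slide 2, "escape user-supplied data sent back to the browser").
        PrintWriter out = resp.getWriter();
        out.println(render(validName));
    }

    /**
     * Builds the response body.  The same value appears in three different
     * contexts, and each use gets the encoder for that context: HTML text,
     * HTML attribute value, and a quoted JavaScript string literal.
     */
    static String render(String name) {
        Encoder enc = ESAPI.encoder();
        StringBuilder html = new StringBuilder();
        html.append("<h1>Hello, ").append(enc.encodeForHTML(name)).append("</h1>\n");
        html.append("<input type=\"text\" name=\"name\" value=\"")
            .append(enc.encodeForHTMLAttribute(name)).append("\">\n");
        html.append("<script>var greeted = '")
            .append(enc.encodeForJavaScript(name)).append("';</script>\n");
        return html.toString();
    }
}
```

The two guards are deliberately independent: even though the validator already rejects characters such as `<`, `"` and `'`, the encoders are still applied at every output point, so a later relaxation of the validation rule (or a value that arrives from storage rather than from this request, as in the stored-XSS case) does not turn the page into a reflection point.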
  • 5. ASP.NET Request Validation
    • ASP.NET provides some blacklist-based input validation to try to guard against HTML injection and cross-site scripting (XSS) attacks
    • This is turned on by default (yeah!)
    • Many applications disable it (boo!)
      • Blocked a valid request
      • Made trouble with AJAX
      • And so on
  • 6. ASP.NET Request Validation
    • How to configure or check if it is enabled?
    • This is turned on by default
    • In web.config:
      • <configuration>
        • <system.web>
          • <pages validateRequest="true|false" />
        • </system.web>
      • </configuration>
    • Per-page:
      • <%@ Page … ValidateRequest="true|false" %>
  • 7. Microsoft Web Protection Library
    • Main site:
      • http://wpl.codeplex.com/
    • To use:
      • Import reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
        • Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
      • Get access to library:
        • In code:
          • using Microsoft.Security.Application;
        • In ASPX page:
          • <%@ Import Namespace="Microsoft.Security.Application" %>
      • Make call to encode tainted data:
        • AntiXss.HtmlEncode()
        • AntiXss.HtmlAttributeEncode()
        • And so on…
  • 8. Exercise: Fixing XSS Vulnerabilities
    • Java
      • Reflected XSS
      • Stored XSS
    • ASP.NET
      • Reflected XSS
      • Stored XSS
  • 9. But Your ASP.NET Examples Cheated!
    • This is true: ASP.NET provides some XSS protection via the ValidateRequest functionality
    • However:
      • This can be (and is often) turned off on a per-page or site-wide basis
      • It has been defeated in the past and will be defeated again in the future
        • http://www.procheckup.com/vulnerability_manager/documents/document_1258758664/bypassing-dot-NET-ValidateRequest.pdf
        • http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
    • If you want your code to be “Rugged” then you need to actually guard against cross-site scripting vulnerabilities in your code
  • 10. Resources
    • OWASP ESAPI
      • http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
    • Microsoft Web Protection Library
      • http://wpl.codeplex.com/
    • Denim Group Remediation Resource Center
      • www.denimgroup.com/remediation
  • 11. Questions?
    • Dan Cornell
    • [email_address]
    • Twitter: @danielcornell
    • www.denimgroup.com
    • (210) 572-4400
