2 Roads to Redemption - Thoughts on XSS and SQLIA
presentation about my diploma thesis progress at the Software Engineering working group @ FU Berlin
2 Roads to Redemption - Thoughts on XSS and SQLIA Presentation Transcript

  • 1. 2 Roads to Redemption Thoughts on fixing SQLIA and XSS Florian Thiel, FU Berlin, 12/18/2008 florian.thiel ät noroute.de
  • 2. OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery
  • 4. © by xkcd: http://xkcd.com/327/
  • 6. "SELECT firstname FROM Students WHERE (login = '%s');" % login © by xkcd: http://xkcd.com/327/
  • 7. "SELECT firstname FROM Students WHERE (login = '%s');" % login © by xkcd: http://xkcd.com/327/
    SELECT firstname FROM Students WHERE (login = 'Robert'); DROP TABLE Students; --');
  • 8. SQLIA threats • data integrity • confidentiality • new attack vector
  • 9. “This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. “ -- Marc Slemko, Apache.org
  • 10. XSS SQLIA eval('user input') [1, 2]
    1) the essence of injections
    2) limited only by the execution environment
  • 11. Failure to sanitize data into a different plane
  • 12. technical non-solutions • addslashes() or any one-size-fits-all • blacklisting (IPS, validation, etc.)
  • 13. technical solutions • AntiSamy • ReForm • prepared statements • Safe Query Objects • ...
  • 14. only half-way there
  • 15. WP MU < 2.6 XSS “In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables "s" and "ip_address" of GET method aren't properly sanitized.” --[Full-disclosure], Sept 2008
  • 17. The solutions are there! They're just not evenly distributed. -- paraphrasing William Gibson
  • 18. The interesting* part * what my thesis is really about
  • 19. Developers more Code
  • 20. Helping developers • raise awareness • facilitate detection/motivate reviews • motivate repair
  • 21. (annotated sanitizing function, sketched on the slide)
    // @userinput(data, source="webform", type="username")
    // [insert data into query, ignore non-alphanums]
    def insertAlphaNum(query, data):
        // [make sure data is canonical]
        c_data = data.toCharSet(...)
        c_data.replace(...)
        ...
        // [insert data into query]
        // @output(target=sql, type="username")
        query.prepare(...)
        query.insert(data...)
        ...
  • 22. What do you use to communicate critical sections?
  • 23. Would you use annotations? Your requirements?
  • 24. GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1
    Host: msdn.microsoft.com
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.google.de/search?q=http+request+header+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
    Cache-Control: max-age=0
  • 25. Current approaches • global XSS filter (HTML escapes) on/off • default sanitation of all data
  • 26. Current approaches • global XSS filter (HTML escapes) on/off • default sanitation of all data -- Not flexible enough!
  • 27. Helping the framework • machines are good at doing repetitive work! • if they just knew enough...
  • 28. Rich Types
  • 29. Rich Types • if we had a “firstname” type • and one for “XML” • and one for an “ebay-style post”
  • 30. Rich Types • if we had a “firstname” type • and one for “XML” • and one for an “ebay-style post” • we could do flexible validation/sanitation
  • 31. What we’d get • Types for SQL prepared statements • Types for AntiSamy/Template engine • Types for future backends • Types/Constraints for forms (XForms?) • rich constraints on complex types
  • 32. How it'd look like
    class MyTextField(models.Field):
        # may only contain <H1>
        sqlserializer = SQLFilter(type="html")        # to SQL
        htmlserializer = AntiSamy("H1Profile")        # to HTML
        validator = HtmlValidator(tagsAllowed=("h1",))  # one-element tuple, not a bare string
  • 33. Drawbacks • needs decent infrastructure form framework • needs good type catalogue to be easy enough to use • what about HTTP headers, cookies? • simpler approaches available (Django)
  • 34. Is it worth it?
  • 35. Questions?
  • 36. Thank You!
  • 37. This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
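The following script is an added example, not code from the slides or from the thesis: it puts slides 6/7 (the string-formatted query), slide 13 (prepared statements) and slides 29 to 32 (rich types with one serializer per output plane) next to each other in Python. The Students rows, the firstname pattern and the tiny escape-then-reallow sanitizer standing in for AntiSamy("H1Profile") are all constructed assumptions for this example; the sanitizer is not AntiSamy's algorithm.

```python
import html
import re
import sqlite3


# Constructed sample data, not from the slides: a Students table like the one
# on slides 6/7, with (login, firstname) rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (login TEXT, firstname TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Robert")])
    conn.commit()
    return conn


# Slide 6's query, built with string formatting. Kept as the vulnerable
# "before" form on purpose: it only returns the SQL text and never executes it.
def format_query_unsafe(login):
    return "SELECT firstname FROM Students WHERE (login = '%s');" % login


# Slide 13's fix: a prepared statement. The driver sends login as a bound
# parameter, so quotes, ';' and '--' inside it are data, not SQL.
def lookup_prepared(conn, login):
    cur = conn.execute("SELECT firstname FROM Students WHERE (login = ?);", (login,))
    return [row[0] for row in cur]


def table_row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Students").fetchone()[0]


# Slides 29-31: a rich "firstname" type. PATTERN is an assumption made for this
# example, not a profile from the slides. Validation happens once, at
# construction; each output plane (SQL, HTML) gets its own serializer.
class FirstName:
    PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")

    def __init__(self, raw):
        if not self.PATTERN.match(raw):
            raise ValueError("firstname: invalid characters or length")
        self.value = raw

    def to_sql_param(self):
        # SQL plane: returned for use as a bound parameter, never formatted in.
        return self.value

    def to_html(self):
        # HTML plane: escape <, >, &, quotes and apostrophes.
        return html.escape(self.value, quote=True)


# Slide 32's MyTextField ("may only contain <H1>") as a rich type. The HTML
# serializer is an assumed stand-in for AntiSamy("H1Profile"): escape everything,
# then restore only the exact, attribute-free tags on the allow list.
class H1Text:
    ALLOWED_TAGS = ("h1",)

    def __init__(self, raw):
        self.value = raw  # stored as submitted; sanitized per output plane

    def to_html(self):
        # "<h1 onclick=...>" stays escaped because the attribute-bearing form
        # never equals the literal "&lt;h1&gt;" that is re-allowed below.
        out = html.escape(self.value, quote=True)
        for tag in self.ALLOWED_TAGS:
            out = out.replace("&lt;%s&gt;" % tag, "<%s>" % tag)
            out = out.replace("&lt;/%s&gt;" % tag, "</%s>" % tag)
        return out

    def to_sql_param(self):
        return self.value  # SQL plane: bind it; no HTML work belongs here


if __name__ == "__main__":
    payload = "Robert'); DROP TABLE Students; --"  # slide 7's input
    conn = make_db()
    print(format_query_unsafe(payload))           # the query text slide 7 shows
    print(lookup_prepared(conn, payload), table_row_count(conn))  # [] 2
    print(H1Text("<h1>Hi</h1><script>x()</script>").to_html())
```

The point of the two classes is slide 26's complaint about a global on/off escape filter: the decision of how to encode is attached to the type and the target plane, so the same value can go to SQL as a bound parameter and to HTML through an allow-list, without the developer re-deciding at every call site.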