This describes the techniques Sqreen uses to protect against various kinds of injection at scale (XSS, SQL, NoSQL, XXE, ...).
This is the key concept behind our RASP approach.
3. XSS when: user parameter is not escaped
OK if param in: [a-z0-9]
✅ Cannot change HTML semantics
Potential exploit if param has: [<>"']
❌ Can change HTML semantics
XSS (reflected)
4. The vulnerability is here when the rendered page uses user supplied data that can inject HTML
5. How can we detect?
User data + vulnerable template:
user data: data=%3Cscript%3Ealert(0);%3C/script%3E (URL-encoded <script>alert(0);</script>)
template: !{user_data} (unescaped interpolation)
[diagram: parse tree of the rendered page; where the template alone yields a single div node, the rendered page gains a script node under the div (div → script → alert(0))]
6. In practice, there is a vulnerability if...
● Arbitrary data (user parameters)
● is used in a context (HTML template)
● the data can change the context's semantics (<script>)
● the context with the data is interpreted later (→ in a web browser)
9. Need semantics to understand the context: each injection context has its own parser
XSS: HTML parser
SQL injection: SQL parser
Shell injection: shell parser
MongoDB injection: MongoDB parser
...
Most of these parsers are open source
Super easy to test:
● "pure" code (no I/O involved)
● Tests are open source
Cannot proactively find issues
10. At scale:
6 runtimes
many frameworks
Track user inputs
Have reliable parsers
Protect from injection attacks
11. We don’t need patterns
→ only based on context semantics
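The context-semantics check described above, as an added example that is not Sqreen's code: the template is rendered twice, once with the user's data and once with a harmless canary value, and the two renderings are parsed with the stdlib HTML parser; if the user data changes the parse tree (new tags or attributes), it changed the context's semantics. `render` is an assumed stand-in for the template engine, substituting the `!{user_data}` slot from the slide; only the HTML context is covered, the same idea applies to any context with a parser.

```python
from html.parser import HTMLParser


class ShapeParser(HTMLParser):
    """Collects the structural tokens of a document: tags and attribute names.
    Text content is deliberately ignored, so only semantic changes count."""

    def __init__(self):
        super().__init__()
        self.shape = []

    def handle_starttag(self, tag, attrs):
        self.shape.append(("start", tag, tuple(sorted(name for name, _ in attrs))))

    def handle_endtag(self, tag):
        self.shape.append(("end", tag))


def html_shape(document):
    """Parse the document and return its structural shape as a list."""
    parser = ShapeParser()
    parser.feed(document)
    parser.close()
    return parser.shape


# "!{user_data}" is the unescaped interpolation slot shown on the slide; the
# rendering function is an assumption (plain substitution standing in for the
# real template engine).
SLOT = "!{user_data}"
CANARY = "x"  # value in [a-z0-9]: cannot change HTML semantics


def render(template, user_data):
    return template.replace(SLOT, user_data)


def is_injection(template, user_data):
    """True when user_data alters the parse tree, i.e. changes the context's
    semantics. No patterns or signatures are involved: '<' on its own is fine,
    a new tag or attribute is not."""
    return html_shape(render(template, user_data)) != html_shape(render(template, CANARY))


if __name__ == "__main__":
    tpl = "<div>" + SLOT + "</div>"
    print(is_injection(tpl, "<script>alert(0);</script>"))  # True: new script node
    print(is_injection(tpl, "1 < 2 <> 3"))                   # False: still text only
```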
12. Generic algorithm against injection
Not behavior based
Need to have:
● Context awareness
● User parameter tracking
Can detect attacks as they occur
Let’s recap