This describes which technics Sqreen is using to protect against various kind of injections at scale (XSS, SQL, NoSQL, XXE, ...). This is the key concept behind our RASP approach.

1. Protecting against injections
(at scale)
Beerump - 2019/05/29

2. Example: XSS
(forget beerump)

3. XSS when: user parameter is not escaped
OK if param in: [a-z0-9]
✅ Cannot change HTML semantics
Potential exploit if param has: [<>”’]
❌ Can change HTML semantics
XSS (reflected)

4. rendered page uses user supplied
data that can inject HTML
The vulnerability is here when

5. How can we detect?
User data
+
Vulnerable
template
data=%3Cscript%3Ealert(0);%3C/script%3E
1
2
div
script
alert(0)
3
div
!{user_data}

6. In practice, there is a vulnerability if...
Arbitrary data
Is used in a context
Data can change the context’s semantics
Context with data is interpreted later
User parameters
HTML template
<script>
→ in a web browser

7. User input
Context
Semantics
Interpreted
Examples
SQL injection
SQL query
‘ OR 1=1 --
SQL database
XSS
HTML
<script>alert(0);
Web browser
MongoDB injection
MongoDB query
{ $gte: 0 }
MongoDB server
Shell injection
Shell command
“; nc -e /bin/sh
Shell :)

8. And in practice?
(I mean, real world)

9. Most of these are open source
Super easy to test:
● “pure” code (no I/O involved)
● Tests are open source
Cannot proactively find issues
...
XSS: HTML parser
SQL injection: SQL parser
Shell injection: shell parser
MongoDB injection: MongoDB parser
...
Need semantics to understand the context

10. At scale:
6 runtimes
many frameworks
Track user inputs
Have reliable parsers
Protect from injection attacks

11. We don’t need patterns
→ only based on context semantics

12. Generic algorithm against injection
Not behavior based
Need to have:
Context awareness
User parameter tracking
Can detect attacks as they occur
Let’s recap

13. Questions :)?
Please, test! → https://bit.ly/2I3SUql

14. We’re hiring!