1) The document proposes a method called "context-aware output escaping" to defend against XSS attacks in JavaScript template engines. It uses contextual analysis of the template and applies appropriate filtering rules.
2) It presents an architecture that parses templates to build an AST, then uses context parsers like HTML, CSS, and URI parsers to analyze output contexts. Context-sensitive XSS filters are applied based on the analysis.
3) Key aspects of the design include the template parser and walker, handling of branching logic and sub-templates, and dealing with ambiguous contexts. Contextual parsing of HTML is also discussed.
Frontend Security: Applying Contextual Escaping Automatically, or How to Stop... (adonatwork)
- The document discusses the problem of cross-site scripting (XSS) and proposes an approach called Secure Handlebars to automatically apply contextual escaping to templates to prevent XSS.
- Secure Handlebars works by preprocessing templates to insert contextual escaping filters and checks for security issues, then compiles the templates with these filters applied.
- Evaluations found it to provide effective XSS prevention with negligible performance overhead and easy adoption requiring only minor template and code changes.
This document summarizes potential vulnerabilities in how different layers of a web application process data. It discusses how each layer - including hardware, operating system, browser, network, web server, framework, application and database - accepts inputs and produces outputs that could be leveraged maliciously if not properly validated. Many real-world examples are provided of how inputs passed between layers can bypass validation checks if the layers' data processing rules are not well understood by developers. The key message is that all variables not explicitly set in code should be considered untrusted.
The document discusses the goals and design of the IE8 XSS filter, which aims to block cross-site scripting attacks. It outlines scenarios that are protected, such as injections into HTML tags and JavaScript strings. It then describes several ways to potentially bypass the filter, such as using fragmented injections across multiple parameters, HTML-only injections, and same-site navigation checks. The document provides technical details on the filter's heuristics and how certain encoding tricks may allow escaping its rules.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked about security policy which relates to web applications; it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
This document discusses cross-site scripting (XSS) attacks and defenses. It describes different types of XSS (persistent, non-persistent, DOM-based), how XSS attacks work, and examples of XSS injection vectors. It also provides recommendations for preventing XSS, including encoding output, sanitizing input, and using features like HttpOnly cookies.
XPATH, LDAP, and path traversal injections are common vulnerabilities that allow attackers to bypass authentication or access restricted files. XPATH injection occurs when untrusted user input is inserted into an XPATH query without validation, allowing an attacker to craft input that always returns true. LDAP injection works similarly by manipulating AND and OR clauses. Path traversal works by manipulating file paths to access files outside the intended directory, such as using "../../" to traverse up the file tree. Attackers first identify injectable parameters then test different encoding tricks to evade input validation.
Lie to Me: Bypassing Modern Web Application Firewalls (Ivan Novikov)
The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.
A talk on top 10 Security Vulnerabilities based on OWASP Top Ten Project: https://www.owasp.org/index.php/OWASP_Top_Ten_Project. The presentation is available under Creative Commons Attribution-ShareAlike 2.5 Generic License: https://creativecommons.org/licenses/by-sa/2.5/.
Vulnerable Active Record: A tale of SQL Injection in PHP Framework (Pichaya Morimoto)
This document summarizes a presentation about SQL injection vulnerabilities in PHP frameworks that use the active record pattern. It discusses what active record is, how SQL injection can still occur even with input validation, and recommends following best practices like parameterized queries and implementing defense in depth to help prevent SQL injection attacks. Case studies show how SQL injection vulnerabilities were found in specific frameworks even when developers thought secure coding practices were followed.
- The document discusses blind XML external entity (XXE) attacks against web applications. It provides background on the speaker and describes how XXE vulnerabilities can be exploited to read local files, scan internal networks, and access Windows network shares by abusing XML parser features.
- Several examples are given of exploiting XXE vulnerabilities using document type definitions (DTDs) and XML schema definitions (XSDs) to conduct blind attacks and extract information from external XML files without direct output of file contents. Challenges with these approaches are also outlined.
- Binary search techniques are proposed to more efficiently extract text from external files when only validation errors are returned. The document concludes by noting the relative rarity of XSD validation
This document provides an introduction to cross-site scripting (XSS) attacks over the course of one hour. It defines XSS and its different types (reflected, stored, DOM), discusses common injection points and payloads, and techniques for bypassing filters including encoding, evasion tricks, and tools. The goal is to teach novices the basics needed to find and exploit XSS vulnerabilities, with tips on contexts, detection, encoding, and actual attack vectors like cookie stealing.
This document proposes improvements to traditional virtual patching techniques used by web application firewalls (WAFs). It introduces the concepts of Inspected Application Modules (IAM) which use formal methods to evaluate vulnerability formulas generated by static application security testing (SAST). This aims to address issues where traditional approaches only block a single attack vector. The document further proposes Advanced Runtime Application Self-Protection (A-RASP) which instruments application code to provide values for computations and allow blocking attacks with unknown vectors. Finally, Ultimate Runtime Application Self-Protection (U-RASP) is proposed which leverages its own internal SAST to derive formulas and further improve performance and coverage of vulnerabilities compared to traditional and previous approaches.
The document discusses strategies for defending against input injection attacks, including SQL injection. It recommends centralizing input validation and assuming all input is malicious. Specific strategies covered include constraining, rejecting, and sanitizing input through techniques like type checks, length checks, format checks, range checks, and whitelisting valid characters. It also discusses using validation controls and regular expressions for validation. The document recommends input validation libraries like ESAPI and using prepared statements with SQL parameters to prevent SQL injection.
DEFCON 23 - Jason Haddix - how do i shot web (Felipe Prado)
1. The document discusses hacking techniques for web applications, including methodology, discovery techniques, mapping, and tactical fuzzing approaches for XSS, SQLi, file inclusion, and uploads.
2. It provides tips on finding less tested application scopes, port scanning, directory bruteforcing, crawling, and using tools like SQLmap and intrigue for reconnaissance.
3. The document outlines tactics for auth bypass, session hijacking, parameter tampering, and common vulnerabilities like XSS, SQLi, file inclusion, and CSRF with examples of payloads and techniques.
Seminar on various security issues faced by PHP developers and ways to avoid them.
The Examples used in the seminar can be downloaded from -> http://www.sanisoft.com/blog/wp-content/uploads/2009/08/security.tar.gz
This document discusses security issues and options related to PHP programming. It begins by outlining common attack vectors like validation circumvention, code injection, SQL injection, and cross-site scripting. It then provides examples of each attack and recommendations for preventing them, such as validating all user input and escaping special characters when outputting data. The document also introduces tools for analyzing PHP code security like PHPSecAudit and browser developer toolbars. It emphasizes the importance of securing applications from the beginning rather than as an afterthought.
Static Analysis: The Art of Fighting without Fighting (Rob Ragan)
Presentation that contrasts static and dynamic analysis of web applications for security vulnerabilities. Describes a technique to combine static and dynamic analysis called hybrid analysis. (SummerCon 2008)
The document discusses common coding errors in ASP scripts that can lead to security vulnerabilities. It covers three main categories: input validation issues, problems with managing state predictably and securely, and source code maintenance issues. Specific problems discussed include insufficient validation of user-supplied input used in SQL queries, which can enable SQL injection attacks, poor randomness or predictability of session IDs, hardcoded credentials, and debugging code left enabled. The document provides examples of each issue and recommendations for more secure coding practices.
Today security filters can be found on our network perimeter, on our servers, in our frameworks and applications. As our network perimeter becomes more secure, applications become more of a target. Security filters such as IDS and WAF are relied upon to protect applications. Intrusion detection evasion techniques were pioneered over a decade ago. How are today's filters withstanding ever evolving evasion tactics? The presentation will examine how evasion techniques worked in the past and provide insight into how these techniques can still work today; with a focus on HTTP attacks. A practical new way to bypass Snort will be demonstrated. A tool to test other IDS for the vulnerability in Snort will be demonstrated. (Outerz0ne 2009)
Video of this presentation at Outerz0ne 5:
http://www.irongeek.com/i.php?page=videos/rob-ragan-filter-evasion-houdini-on-the-wire
Vladimir Kochetkov discusses automated patching for vulnerable source code. He describes how symbolic execution and generating a symbolic execution context graph (SECG) can be used to understand vulnerabilities and generate patches. The SECG represents the control flow graph of a program with additional context about symbolic variables. This allows finding formal symptoms of vulnerabilities, generating attack vectors, and eliminating symptoms through patching, such as adding validation, sanitization, or typing to make the minimum necessary changes while preserving functionality. He demonstrates this process with an SQL injection example and discusses generating patches for other attack types like buffer overflows.
Polyglot payloads in practice by avlidienbrunn at HackPra (Mathias Karlsson)
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
This document compares DOM XSS identification tools by testing them on a real-world DOM XSS vulnerability found on pastebin.com. The vulnerability involves a JavaScript file loaded from an external domain that contains complex code. Most tools had difficulty analyzing this accurately. Runtime tools that use taint analysis were best able to follow the execution flow and identify the vulnerability, while static analyzers struggled with the indirect source and produced false positives or missed it entirely.
Why haven't we stamped out SQL injection and XSS yet (Romain Gaucher)
More insights about how SQL injections and Cross-Site Scripting (XSS) happen. Data-driven survey of Java applications, focusing on finding HTML contexts and SQL contexts where dynamic data is inserted.
This document provides eight rules for writing secure PHP programs:
1. Use proper cryptography and do not invent your own algorithms.
2. Validate all input from external sources before using.
3. Sanitize data sent to databases or other systems to prevent injection attacks.
4. Avoid leaking sensitive information through error messages or other means.
5. Properly manage user sessions to prevent hijacking and ensure users remain authenticated.
6. Enforce authentication and authorization separately using least privilege.
7. Use SSL/TLS to encrypt all authenticated or sensitive communications.
8. Keep security straightforward and avoid relying on obscurity.
SQL injection attacks occur when malicious code is inserted into an SQL query, allowing attackers to read or modify data in a database. They work by exploiting insecure code that fails to properly sanitize user input. To prevent SQL injection, developers should escape quotes, remove dangerous characters from queries, limit user privileges and access, and validate all user-provided data.
JSON SQL Injection and the Lessons Learned (Kazuho Oku)
This document discusses JSON SQL injection and lessons learned from vulnerabilities in SQL query builders. It describes how user-supplied JSON input containing operators instead of scalar values could manipulate queries by injecting conditions like id!='-1' instead of a specific id value. This allows accessing unintended data. The document examines how SQL::QueryMaker and a strict mode in SQL::Maker address this by restricting query parameters to special operator objects or raising errors on non-scalar values. While helpful, strict mode may break existing code, requiring changes to parameter handling. The vulnerability also applies to other languages' frameworks that similarly convert arrays to SQL IN clauses.
Slides for a presentation on advanced PHP (object-orientation, frameworks, security and debugging) given for the CS25010 web development module at Aberystwyth University.
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf (GiorgiRcheulishvili)
This document discusses various cross-site scripting (XSS) evasion techniques and evaluates the effectiveness of popular XSS filters and intrusion detection systems (IDS), including ModSecurity, PHP-IDS, and Internet Explorer 8. It provides examples of how attacks can bypass these defenses by exploiting Unicode encoding, HTML/JavaScript tricks, and other methods. The author argues that most filters are ineffective at blocking all XSS variations and recommends ways to strengthen XSS filtering.
This is a very brief overview of core HTML, CSS and javascript elements that every beginner web development professional should know. This is by no means a full encapsulation of web development but a brief overview.
This document provides an overview of various web technologies including HTML, CSS, JavaScript, PHP, and databases. It defines each technology, provides examples of code, and lists some common uses. It also includes links to additional resources for further information on each topic. The document is intended as an introductory guide to foundational web development languages and tools.
Intro to mobile web application developmentzonathen
Learn all the basics of web app development including bootstrap, handlebars templates, jquery and angularjs, as well as using hybrid app deployment on a phone.
This document discusses the need for tools and techniques to analyze malicious web content and JavaScript obfuscation, as more malware is delivered through the web. It describes Websense's approach of emulating a browser without rendering content, to allow pages to decode themselves and log all activity. This includes implementing DOM and JavaScript engines. Their system found over 124,000 infected pages from analyzing 111 million URLs in 24 hours. Limitations and other resources are also outlined.
OrientDB for real & Web App developmentLuca Garulli
The document discusses how NoSQL databases like OrientDB can improve web application development compared to traditional relational databases. OrientDB provides a fast, scalable, and flexible storage solution with transactions, SQL, and security. It combines the best features of newer NoSQL solutions with relational databases. OrientDB supports document, graph, and object-oriented data models and can be used for both online backup solutions and CRM applications. It also introduces OrientWEB.js, a new JavaScript library for building web applications with OrientDB.
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考えるSadaaki HIRAI
This document provides an overview of HTML5 technologies including HTML5 markup, microdata/RDFa, WebFonts, Canvas, MediaQueries, performance optimizations like SPDY and HTTP 2.0. It discusses specifications from the W3C and implementations by companies. Tools for testing responsive design, fonts and browser compatibility are also mentioned. The document is written in Japanese and references the author's blog for code samples.
== Abstract ==
Presented at Analysis of Security APIs
Satellite workshop of IEEE CSF
July 13th 2015, Verona, Italy
http://www.dsi.unive.it/~focardi/ASA8/#program
Browsers HTML sandbox is, by default, only protected by the "Same Origin Policy". Although this simple constraint gave companies a very flexible environment to play with, and was probably one of the key features that led the Web to success as we see it now, it is quite unsatisfactory from a security perspective. In fact, this solution does not face the problem of letting third party code access the whole data in the DOM when explicitly loaded and executed by the browser. This behaviour opens the door to malicious third party code attacks that can be achieved using either Cross Site Scripting (OWASP Top Ten Security risk #1 for many years) or second order attacks, such as malvertising software. In the past, several attempts to sandbox untrusted code have been made. In this talk we will focus on successes and failures of the most interesting open source sandboxing browser techniques.
Slides for Agile Testers Conference 2018
Technology Based Testing by Alan Richardson
What do you learn if you want to test 'beyond the acceptance criteria'? Technical risk based testing can help. In this case I'm going to use the phrase Technical Testing to cover: "identify technology based risks to drive testing". This thought process can help us make informed decisions about the scope of exploratory testing we will carry out. It also helps focus your studies on the technical knowledge appropriate for the project you are testing.
## Blurb
This requires:
- understanding of the technology
- risk identification
- tools applicable to the technology
This presentation will use a simple example to demonstrate that:
- Even simple technology can pose risk
- Combining simple technology can increase risk
- Understanding technology allows us to evaluate risk
* http://www.eviltester.com
* http://www.compendiumdev.co.uk
* https://twitter.com/eviltester
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
This is an updated version of this talk given at DrupalCamp Atlanta (DCA)
This presentation is an overview / case study of things learned by experiencing GDPR Security audits, DoS attacks, brute force login attacks, annoying robot crawlers, and hackers doing security probes.
The session will cover the following main topics with tips on how to protected against each of these.
An overview of security threats
Server Level Attacks
Code Level Attacks
User Access Attacks
Internal Attacks
Some suggestions on developing a security plan
People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.
The document summarizes a security analysis report of the LinkedIn website performed by Minded Security using the DOMinatorPro Enterprise security scanner. The analysis found a reflected DOM-based cross-site scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML and JavaScript into the browser DOM context of LinkedIn. The vulnerability is due to unsanitized user input being used to generate HTML output without encoding. A proof-of-concept exploit is provided to demonstrate the vulnerability by triggering a popup alert on the victim's browser when a specially crafted URL is visited while logged into LinkedIn.
This document discusses common web application security vulnerabilities like cross-site scripting (XSS) and SQL injection. It provides several approaches to prevent these vulnerabilities, including filtering HTML characters, allowing a limited character set, and safely allowing some HTML tags. It also demonstrates how XSS and SQL injection attacks can occur if user input is not sanitized properly before being displayed or used in database queries. The document recommends validating all user input and escaping special characters to prevent these attacks from being successful.
Speed up your developments with Symfony2Hugo Hamon
Symfony2 is a PHP full-stack framework that provides tools and components to speed up web development. It emphasizes separation of concerns, standards compliance, and best practices. Symfony2 allows developers to create Request-Response applications using its routing, templating, validation, forms, database abstraction, and other features in a decoupled and reusable way. It also provides debugging tools, code generators, and other utilities to improve developer productivity.
ModSecurity is an open source web application firewall module for Apache that includes filters to detect and block cross-site scripting (XSS) attacks. However, its XSS filters are ineffective and infrequently updated. The filters primarily rely on matching keywords and regular expressions related to JavaScript and other client-side scripting languages in the HTTP response, but do not handle different character encodings well. While ModSecurity is easy to install as an Apache module, its limitations mean attacks can still evade detection.
A Drupalcon Chicago presentation for coders/developers about web application security in the Drupal system. Covering Cross Site Scripting and Cross Site Request Forgeries.
Thug is a new low-interaction honeyclient for analyzing malicious web content and browser exploitation. It uses the Google V8 JavaScript engine and emulates different browser personalities to detect exploits. Thug analyzes content using static and dynamic analysis and logs results using MAEC format. Future work includes improving DOM emulation and JavaScript analysis to better identify vulnerabilities and exploit kits. The source code for Thug will be publicly released after the presentation.
Efficient Context-sensitive Output Escaping for Javascript Template Engines
1. Efficient Context-aware Output Escaping
for JavaScript Template Engines
PRESENTED BY
Nera Liu, Adonis Fung, and Albert Yu
Paranoids Labs, Yahoo!
SEPT 24, 2015
2. Problem Statement
How to defend against XSS in JavaScript template engines using contextual analysis?
Background, Related Work & Implementation > Design > Evaluation > Conclusion
4. What is Cross Site Scripting (XSS)?
Given no proper output filtering:
<h1>Hello <?php echo $_GET['name']; ?></h1>
A typical attack vector arrives through XXX in the query string at victim.com/?name=XXX:
"'><script>alert(1)</script>
The HTML of victim.com ends up being:
<h1>Hello "'><script>alert(1)</script></h1>
5. Cross-Site Scripting (XSS) & OWASP Top 10
■ Ranked No. 3 / OWASP Top 10 WebApp Security Risks
■ Root Cause
● Untrusted inputs executed as scripts under a victim's origin/domain.
■ Consequences
● Cookie stealing, user privacy leaking.
● Full control of the web content / defacing.
Screen-captured from https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
6. How to defend against XSS?
- Filtering at the Front Gate
Image from Rob, On guard, 2007, flickr.com, License: Creative Commons
7. How to defend against XSS?
- Systems are getting more complicated
It is the internal data flow of your web application…
● with databases
● with APIs
● with browsers
● …
all interconnecting with each other. How would you design filtering rules for both APIs and databases?
Image from 呉 松本, Pipes! Pipes! Pipes!, 2009, flickr.com, License: Creative Commons
8. Input Filtering
- Limitations
Fundamental Limitations
- NO universal filtering rule that is flexible yet secure
  e.g., filtering for <a href="..."> ≠ <div>...</div>
- Impossible to settle at the front gate on
  - how data should be further mangled,
  - and predict how it would be output in the resultant HTML
- As a result, subject to XSS attacks and over-filtering issues
9. How to defend against XSS?
- Output Filtering in Template Engines
The industry is shifting from input filtering to output filtering
■ Template Engines
● Handlebars, DustJS
- Escape & < > " ' ` into &amp; &lt; &gt; &quot; &#x27; &#x60;
- {{untrustedData}} is escaped by default.
Image from Tom Page, CRW_1978, 2008, flickr.com, License: Creative Commons
10. Are your web applications safe now?
Not Yet!!!
Image from john, Secure, 2009, flickr.com, License: Creative Commons
11. Most Template Engines are still vulnerable!
- Blindly escaping
A template is typically written like so:
<a href={{url}}>{{data}}</a>
Blindly escaping (&<>"'`) would not stop XSS
- {{url}} is an untrusted user input (assumed thereafter)
- {{url}} is javascript:alert(1), or
- {{url}} is # onclick=alert(1)
→ Solution: Context-Aware Output Escaping (aka. contextual escaping)
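Added example (not from the slides or the Secure Handlebars code): the slide's template rendered with the blind six-character escape and then with a hypothetical filter for an unquoted attribute value in a URI context. The function names, the scheme allow-list and the x- prefix are assumptions made for this illustration.

```javascript
// Blind escaping: the six characters the slides list, mapped to the entity
// forms Handlebars emits for them.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
function blindEscape(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => ENTITIES[c]);
}

// Hypothetical contextual filter for {{url}} in <a href={{url}}>: the output
// lands in an UNQUOTED attribute value that is also a URI.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed allow-list
function uriInUnquotedAttr(value) {
  let v = String(value);
  // URI context: browsers strip tabs and newlines from URLs, so drop
  // whitespace and control characters before reading the scheme.
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v.replace(/[\x00-\x20]/g, ''));
  if (scheme && !SAFE_SCHEMES.has(scheme[1].toLowerCase())) {
    v = 'x-' + v; // assumed neutralisation: turn it into an unknown scheme
  }
  // Unquoted attribute value context: encode every character that could end
  // the value or start a new attribute.
  return v.replace(/[\x00-\x20"'`=<>&]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// The slide's template, with the filter for {{url}} passed in.
function render(filter, url, data) {
  return '<a href=' + filter(url) + '>' + blindEscape(data) + '</a>';
}

// Simplified view of how the start tag splits into attributes
// (whitespace separates unquoted attributes).
function attrNames(html) {
  const inside = html.slice(html.indexOf(' ') + 1, html.indexOf('>'));
  return inside.split(/[\t\n\f\r ]+/).filter(Boolean).map((a) => a.split('=')[0]);
}

// The two values from the slide, rendered both ways.
for (const url of ['javascript:alert(1)', '# onclick=alert(1)']) {
  const blind = render(blindEscape, url, 'link');
  const contextual = render(uriInUnquotedAttr, url, 'link');
  console.log(blind, attrNames(blind));
  console.log(contextual, attrNames(contextual));
}
```

Neither slide value contains any of the six escaped characters, so the blind filter returns both unchanged; the second one then parses as a separate onclick attribute.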
12. Related Work
- Template Engines vs Contextual Escaping
No Contextual Escaping: Handlebars, LinkedIn Dust.js (making use of the blindly-escaping filter)
Partial Automatic Contextual Escaping: Ember.js [1], Facebook React [2], Google Angular.js [3]
Automatic Contextual Escaping: Google Closure, Google Go Template [4]
Notes:
[1] Ember.js does not apply contextual filtering rules in <style>, <script> and style attributes.
[2] Facebook React does not apply contextual filtering rules in <style>, <script>, style attributes and URI contexts.
[3] AngularJS does not apply contextual filtering rules in style attributes.
[4] Google Go Template is not a JavaScript Template Engine.
13. Secure Handlebars
- Software Architecture
Our solution (comprised of the blue boxes) rewrites templates before Handlebars
[Architecture diagram. Box labels: Handlebars Template; Contextual Analyzer; Handlebars Template Parser; Handlebars Template AST; AST Walker; Context Parser; HTML5 Parser (w/auto HTML canonicalization); CSS Parser; Handlebars Template w/filter markups; Handlebars; Pre-compiler; Template Spec.; Runtime Compiler; Contextual XSS Filters (registered as helpers/callbacks); Data (possibly untrusted); HTML. Phases: (1) offline, (2) online.]
14. Demonstration
- Handlebars vs. Secure Handlebars
■ Handlebars with Default Escaping.
■ Secure-Handlebars with Contextual Escaping.
Demo videos!! original handlebars, secure handlebars
15. Express Secure Handlebars
var express = require('express');
// Simply replace the original express-handlebars with
// express-secure-handlebars; our implementation will
// preprocess the template(s) before passing them to the
// original handlebars compiler.
// var exphbs = require('express-handlebars');
var exphbs = require('express-secure-handlebars');
17. What are the ingredients?
● Template Parser & Walker
○ for extracting template markups
● Standard Compliant Context Parsers
○ for analyzing output contexts
○ for auto-correcting browser quirks
● Context-sensitive XSS Filters
○ for applying contextual filtering rules to defend against XSS!
Image from Andrea Goh, baking ingredients, 2012, flickr.com, License: Creative Commons
19. Template Parser & Walker
■ Extract template markups and build an AST for further contextual analysis
<div style="{{cssContext}} ">{{htmlContext}} </div>
{{#if data}}
<a href="{{uriContext}}">link</a>
{{else}}
<div>Data not found</div>
{{/if}}
[AST diagram: root R with nodes H, T/C, H, T/H, H, T/B; below the branching node T/B: H, T/U, H and H]
Legend:
R: Root, H: HTML context, T/C: template output in CSS context, T/H: template output in HTML context, T/U: template output in URI context, T/B: a branching node in template
20. Context Parsers (HTML, CSS etc.)
■ Template walker traverses the AST, and triggers different parsers
- We trigger an HTML5 context parser for analysis! (green & blue)
- We trigger a CSS context parser for analysis! (orange)
- We trigger a URI parser for analysis! (red)
[AST diagram, nodes colour-coded by the parser triggered]
21. Context-Sensitive XSS Filters
■ Based on the contextual analysis, precise filtering rules can be applied!
- We apply the filtering rules (i.e. the most basic HTML escaping) for an HTML context
- We apply the filtering rules for an HTML double-quoted attribute value context and CSS context
- We apply the filtering rules for an HTML double-quoted attribute value context and URI context
[AST diagram, each template output node annotated with the filtering rules applied]
22. Template Parser & Walker
- Handling of branching logic
The parsing sequence of the AST
● R → H → T/C → H → T/H → H → H → T/U → H
● R → H → T/C → H → T/H → H → H
The end context of this HTML chunk is copied to each branch as a start context for further contextual analysis
[AST diagram, the two branches under T/B labelled Branch A and Branch B]
23. Template Parser & Walker
- Ambiguous context after branching
...{{#if data}}
<a href="
{{else}}
<a style="
{{/if}}
{{ambiguousContext}}
Ambiguous Context! CSS or URI?
[AST diagram: ... → T/B with branches <a href=" and <a style=", followed by T/?]
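Added example, not the Secure Handlebars implementation: a small analyzer that assigns an output context to each placeholder in the templates from slides 19 and 23, copying the start context into each branch and flagging a mismatch at {{/if}}. It walks the markup stream directly instead of building an AST, uses a reduced HTML tokenizer rather than the full HTML5 one, and does not expand partials; all function names and context labels are assumptions.

```javascript
const WS = /[\t\n\f\r ]/;
const DATA = { state: 'data', attr: '' };
const URI_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// One character through a reduced HTML tokenizer: just enough states to tell
// data, tag and attribute-value positions apart (no comments, no <script> body).
function step(ctx, ch) {
  const attr = ctx.attr;
  switch (ctx.state) {
    case 'data': return ch === '<' ? { state: 'tagOpen', attr: '' } : ctx;
    case 'tagOpen': return /[a-zA-Z\/]/.test(ch) ? { state: 'tagName', attr: '' } : step(DATA, ch);
    case 'tagName':
      if (ch === '>') return DATA;
      return WS.test(ch) ? { state: 'beforeAttr', attr: '' } : ctx;
    case 'beforeAttr':
    case 'afterAttrName':
      if (ch === '>') return DATA;
      if (ch === '=' && ctx.state === 'afterAttrName') return { state: 'beforeValue', attr };
      if (WS.test(ch) || ch === '/') return ctx;
      return { state: 'attrName', attr: ch.toLowerCase() };
    case 'attrName':
      if (ch === '=') return { state: 'beforeValue', attr };
      if (ch === '>') return DATA;
      if (WS.test(ch)) return { state: 'afterAttrName', attr };
      return { state: 'attrName', attr: attr + ch.toLowerCase() };
    case 'beforeValue':
      if (ch === '"') return { state: 'attrDQ', attr };
      if (ch === "'") return { state: 'attrSQ', attr };
      if (ch === '>') return DATA;
      return WS.test(ch) ? ctx : { state: 'attrUQ', attr };
    case 'attrDQ': return ch === '"' ? { state: 'beforeAttr', attr: '' } : ctx;
    case 'attrSQ': return ch === "'" ? { state: 'beforeAttr', attr: '' } : ctx;
    case 'attrUQ':
      if (ch === '>') return DATA;
      return WS.test(ch) ? { state: 'beforeAttr', attr: '' } : ctx;
    default: return ctx; // 'ambiguous' absorbs everything that follows
  }
}

// Name the output context: HTML data, or attribute quoting plus CSS/URI/JS.
function classify(ctx) {
  if (ctx.state === 'ambiguous') return 'AMBIGUOUS';
  if (ctx.state === 'data') return 'HTML';
  const quote = { attrDQ: 'double-quoted', attrSQ: 'single-quoted',
                  attrUQ: 'unquoted', beforeValue: 'unquoted' }[ctx.state];
  if (!quote) return 'TAG';
  const kind = ctx.attr === 'style' ? 'CSS' : URI_ATTRS.has(ctx.attr) ? 'URI'
             : ctx.attr.startsWith('on') ? 'JS' : 'plain';
  return `attr-${quote}/${kind}`;
}

function analyze(template) {
  let ctx = DATA, last = 0, m;
  const outputs = [], warnings = [], frames = [];
  const re = /\{\{\s*(#if\b[^}]*|else|\/if|[^}]+?)\s*\}\}/g;
  const feed = (html) => { for (const ch of html) ctx = step(ctx, ch); };
  const top = () => {
    if (!frames.length) throw new Error('unbalanced {{else}} or {{/if}}');
    return frames[frames.length - 1];
  };
  while ((m = re.exec(template)) !== null) {
    feed(template.slice(last, m.index));
    last = re.lastIndex;
    const tag = m[1];
    if (tag.startsWith('#if')) {
      frames.push({ start: ctx, ends: [], hasElse: false });
    } else if (tag === 'else') {
      const f = top();
      f.ends.push(ctx); f.hasElse = true;
      ctx = f.start;                        // each branch starts from the same context
    } else if (tag === '/if') {
      const f = top(); frames.pop();
      f.ends.push(ctx);
      if (!f.hasElse) f.ends.push(f.start); // the implicit empty else branch
      const e0 = f.ends[0];
      if (f.ends.every((e) => e.state === e0.state && e.attr === e0.attr)) ctx = e0;
      else {
        warnings.push('branches end in different contexts: ' + f.ends.map(classify).join(' vs '));
        ctx = { state: 'ambiguous', attr: '' };
      }
    } else {
      outputs.push({ name: tag, context: classify(ctx) });
      if (ctx.state === 'beforeValue') ctx = { state: 'attrUQ', attr: ctx.attr };
    }
  }
  feed(template.slice(last));
  return { outputs, warnings };
}

// Templates copied from slides 19 and 23.
const TEMPLATE_19 = ['<div style="{{cssContext}} ">{{htmlContext}} </div>', '{{#if data}}',
  '<a href="{{uriContext}}">link</a>', '{{else}}', '<div>Data not found</div>', '{{/if}}'].join('\n');
const TEMPLATE_23 = ['{{#if data}}', '<a href="', '{{else}}', '<a style="', '{{/if}}',
  '{{ambiguousContext}}'].join('\n');
console.log(analyze(TEMPLATE_19));
console.log(analyze(TEMPLATE_23));
```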
24. Template Parser & Walker
- Sub-template Expansion
parent template content
<input {{>sub-tmpl}}
sub-template content
style="{{output}}"
WITHOUT sub-template expansions, templates are analyzed separately. HTML context?
WITH sub-template expansions, templates are analyzed together. CSS context!!
[AST diagrams: parent template AST (<input, sub-tmpl); sub-template AST (style=", T/H); AST with sub-template expansions (<input, sub-tmpl, style=", T/C)]
26. Contextual Parsing
- Problem Definition
Given a piece of HTML, find out which portions of it are in executable context. E.g.
■ <html> <script> ... </script> </html>
■ <a href=javascript:... >
■ <img src=x onerror=... >
27. Day 1: "Parsing Html The Cthulhu Way"
Quoted from Coding Horror, http://blog.codinghorror.com/parsing-html-the-cthulhu-way/
# pull out data between <script> tags
($script_data) = $html =~ /<script>(.*?)<\/script>/gis;
28. Day 2: Search npmjs, and pick the first one.
Less horrible, until you see it...
29. HTML 5 seems like fun
<a<b<c>
<! comment !> <? comment >
</d id=e/>
<f g = h > , <f g=<h>, or <f g=h> ?
<script> what
<!-- this
<script> actually
</script> means
--> ?
</script>
view-source:https://rawgit.com/yukinying/appsecusa-2015-jsdemo/master/sample1.html
31. Dilemma - Reuse or Build?
■ Programming Language
■ Speed
■ Compliance with HTML5 Specification
■ Ease of maintenance
32. Day 20: I need a high speed racing car
■ Libraries that are compliant with the HTML5 specification:
● Google's CTemplate and Closure Template
33. Day 20: Use a library that's compliant
■ Server side binding C with nodejs
■ Client side?
■ Can't extend easily for our use case (templating)
34. Day 21: https://html.spec.whatwg.org/ and http://www.w3.org/TR/html5/
■ Get a coffee machine, tons of coffee beans
■ Read section "The HTML syntax" (sect 8 and sect 12, resp.)
35. Day 50: HTML Grammar?
HTML := TOKEN | TEXT | TAG
TAG := TAGNAME + TAGATTR*
if tag name == "Script" { alert }
36. Day 50: HTML := ANY*
• Erroneous HTML will always be accepted.
37. Day 99: Flows can be visualized
https://rawgit.com/yukinying/appsecusa-2015-jsdemo/master/svg/everything.svg
38. Key Observation #1
Section 12.2.4 - HTML Tokenization
1. HTML is tokenized as DATA (TEXT), TAG, ATTR using the flow.
2. Special tokens are defined as RAWDATA, RCDATA, SCRIPT.
Section 12.2.5 - HTML Tree Construction
1. Describes how DATA -> RAWDATA / RCDATA / SCRIPT
39. Key Observation #2
Describing flows can be cumbersome. But there are patterns.
• The token state changes only when seeing
  • WHITESPACE
  • < , /, > (for tag)
  • & (for html entity)
  • ', " , = (for attribute)
  • !, - , ? (for comment)
  • A-z (valid start character for tag name)
43. Key Observation #3
One state transition table can cover the normal cases.
Special cases:
1. a<b< : the algorithm asks for reconsumption of b when b is followed by a non-tag-related element.
2. Tag matching is required in RAWTEXT (noframes, xmp, style, iframe, noembed, noscript), RCDATA (textarea, title), SCRIPT, PLAINTEXT.
- Thus no tag nesting is allowed in RAWTEXT / RCDATA / SCRIPT
- <textarea><script><textarea>
Quick and dirty solution: Use 3 state transition tables altogether.
Formal solution: expand state space to N^3.
45. Exercise: Parse the following.
<script> what
<!-- this
<script> actually
</script> means
--> ?
</script>
https://rawgit.com/yukinying/appsecusa-2015-jsdemo/master/demo.html
46. Hint: use state diagram of <script> tag flow
https://rawgit.com/yukinying/appsecusa-2015-jsdemo/master/svg/script.svg
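The exercise above, worked as an added example (not code from the talk or from the context-parser repo): a simplified walk of the WHATWG script-data, escaped and double-escaped states that reports which `</script>` really ends the element. The function name and the three state labels are assumptions made for this sketch, and only the transitions the exercise needs are modelled.

```javascript
// Added example: simplified walk of the WHATWG "script data" tokenizer states.
// Returns where the element-closing </script> starts (-1 if none) and each state change.
function walkScriptBody(body) {
  const OPEN = /<script[\t\n\f \/>]/iy;    // "<script" then whitespace, "/" or ">"
  const CLOSE = /<\/script[\t\n\f \/>]/iy; // "</script" then whitespace, "/" or ">"
  // Sticky match at offset i; returns the offset just past the match, or -1.
  const at = (re, i) => { re.lastIndex = i; return re.test(body) ? re.lastIndex : -1; };
  const trace = [];
  let state = 'SCRIPT_DATA', dashes = 0;
  const go = (next, i) => { state = next; trace.push(i + ':' + next); };

  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch === '<') {
      dashes = 0;
      const close = at(CLOSE, i), open = at(OPEN, i);
      if (state === 'SCRIPT_DATA') {
        if (close !== -1) return { end: i, trace };
        // "<!--" enters the escaped state, already two dashes deep
        if (body.startsWith('<!--', i)) { go('ESCAPED', i); dashes = 2; i += 3; }
      } else if (state === 'ESCAPED') {
        if (close !== -1) return { end: i, trace };
        // a nested "<script" inside the comment-like run goes one level deeper
        if (open !== -1) { go('DOUBLE_ESCAPED', i); i = open - 1; }
      } else if (close !== -1) {
        // DOUBLE_ESCAPED: "</script" only steps back one level, it does not end the element
        go('ESCAPED', i); i = close - 1;
      }
    } else if (state !== 'SCRIPT_DATA') {
      if (ch === '-') dashes++;
      else if (ch === '>' && dashes >= 2) { go('SCRIPT_DATA', i); dashes = 0; } // "-->"
      else dashes = 0;
    }
  }
  return { end: -1, trace };
}

// Constructed input: the slide's exercise, without the outer <script> start tag.
const exercise = ' what\n<!-- this\n<script> actually\n</script> means\n--> ?\n</script>';
const result = walkScriptBody(exercise);
console.log(result.end === exercise.lastIndexOf('</script>'), result.trace);
```

The first `</script>` is consumed in the double-escaped state, so a filter that assumes it closes the element would infer a different context than the browser does.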
47. HTML5 Context Parser
- design principle
- Standard Compliance
- Cross browser compatibility.
- Speed and Efficiency.
Command line version of our context parser: report state (aka context) of each character
QR code points to the repo of the standalone CSS Parser
48. HTML5 Context Parser
- standard compliance
- Our implementation is based on WHATWG
- HTML5 compliance
- Language
- Context as output
Gumbo - DOM tree as an output
html5lib - Python implementation
QR code points to the repo of the standalone Context Parser
Figure from Overview of HTML 5 Parsing Model: https://html.spec.whatwg.org/multipage/syntax.html#overview-of-the-parsing-model
49. HTML5 Context Parser
- speed & efficiency
Lightweight & Efficient
- State transitions reduction
- (e.g., omit 16 doctype transitions, i.e., 23% of all states)
- No tree/DOM construction
QR code points to standalone Context Parser github repo
Figure from Overview of HTML 5 Parsing Model: https://html.spec.whatwg.org/multipage/syntax.html#overview-of-the-parsing-model
50. Standard-compliant Parser is NOT Enough
■ Purpose: Add filters based on the determined context
■ Problem: Context inferred by browsers ≠ Context inferred by our parsers
■ Worst case: filters voided; XSS
51. Some Browser-specific Quirks
<a href="..." <script>{{inScriptInSafari5/Data}}</a>
<!--[if IE]><script>{{inScriptInIE/Comment}}</script><![endif]-->
<textarea><!-- </textarea>{{inRawText/DataHTML5}}--></textarea>
Compatibility issues by HTML 5 (e.g., in IE7)
<div><!-- Comment1 --!> {{inComment/DataHTML5}} --></div>
<div id=`{{inGraceAccentQuotedinIE/UnquotedAttrVal}}`></div>
etc...
52. Auto HTML Canonicalization
■ Comparisons
● Prior work: manual corrections, or no warning at all
● Our work: auto. rewrite HTML to clear parse errors
■ Goals
● Ensure parsing experience aligned across browsers/parsers
● Decisions: honor HTML 5 standard; secure-by-default
● Hence, contextual filtering can work accordingly
54. Security Model
Assumption
Templates: Trusted; Data from output expressions: Untrusted
Security Goals for filters
Context-aware | Filterings are specific to the determined context
Data Self-contained | Untrusted data cannot break out from its context
Non-executable Data | Untrusted data cannot be executed as script
Preserve Trusted Code | Trusted code and logics should be preserved
p.s. Go Temp. and Closure have similar security models
Go Template Security Model: http://golang.org/pkg/html/template/#hdr-Security_Model
Closure Security Model: http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#problem_definition
56. Prior Work Assumption
Untrusted variable assumed non-empty;
In reality, ever thought an empty variable could break security?
Go Template Security Model: http://golang.org/pkg/html/template/#hdr-Security_Model
Closure Security Model: http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#problem_definition
57. #1: Data self-contained; Trusted Code Preserved
- Sample: Output Markup in Unquoted Attribute Value
- <input value={{email}} name=email>
When data is empty, the resulting HTML after filtering and data binding:
+ <input value= name=email> by Closure/Go
+ <input value=� name=email> by our work
- Browser/HTML interprets “ name=email” as the attribute value
- trusted structure broken. reference to email’s value lost; surprise to devel.
- legit use of document.querySelector('[name=email]').value throws error
- To mitigate, our filter inserts U+FFFD (meaning NULL) when empty
- good faith: developers still have a chance to validate the value (e.g., email)
- preserved developers’ logics (if not help quoting it)
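The empty-value case above, as an added example (not code from the talk, xss-filters or secure-handlebars): a minimal start-tag attribute scanner following the HTML5 attribute states, run over the slide's `<input>` template with empty data. `parseAttrs`, `unquotedAttr`, `noPlaceholder` and `render` are hypothetical names, and encoding the remaining breaking characters as numeric references is an assumption of this sketch; only the U+FFFD placeholder comes from the slide.

```javascript
// Added example: hypothetical helpers, not the xss-filters implementation.
const WS = '\t\n\f\r ';

// Minimal start-tag attribute scanner following the HTML5 attribute states.
function parseAttrs(tag) {
  const attrs = new Map();
  let i = tag.search(/[\t\n\f\r ]/);                 // skip "<tagname"
  if (i < 0) return attrs;
  const isWs = () => i < tag.length && WS.includes(tag[i]);
  while (i < tag.length) {
    while (isWs() || tag[i] === '/') i++;            // before attribute name
    if (i >= tag.length || tag[i] === '>') break;
    let name = '', value = '';
    while (i < tag.length && !isWs() && !'/>='.includes(tag[i])) name += tag[i++].toLowerCase();
    while (isWs()) i++;                              // after attribute name
    if (tag[i] === '=') {
      i++;
      while (isWs()) i++;                            // before attribute value: whitespace is skipped
      const q = tag[i];
      if (q === '"' || q === "'") {                  // quoted value
        i++;
        while (i < tag.length && tag[i] !== q) value += tag[i++];
        i++;
      } else {                                       // unquoted value ends at whitespace or ">"
        while (i < tag.length && !isWs() && tag[i] !== '>') value += tag[i++];
      }
    }
    if (!attrs.has(name)) attrs.set(name, value);    // first occurrence wins
  }
  return attrs;
}

// Assumed filter for an unquoted attribute value: encode characters that would end or
// confuse the value, and emit U+FFFD for empty data as the slide describes.
function unquotedAttr(s) {
  const out = String(s).replace(/[\t\n\f\r "'`=<>]/g, c => '&#' + c.charCodeAt(0) + ';');
  return out === '' ? '\uFFFD' : out;
}

// Same encoding without the placeholder: empty data yields an empty string.
const noPlaceholder = s => String(s).replace(/[\t\n\f\r "'`=<>]/g, c => '&#' + c.charCodeAt(0) + ';');

// The slide's template with an unquoted value slot.
const render = (email, filter) => '<input value=' + filter(email) + ' name=email>';

console.log([...parseAttrs(render('', noPlaceholder))]); // value swallows "name=email"
console.log([...parseAttrs(render('', unquotedAttr))]);  // value and name both survive
```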
58. Are existing filters really designed for the era of contextual escaping?
State transition in DATA state (e.g., <div>↑</div>)
59. #2: More Context-sensitive and Efficient
<input type="hidden" value="{{email}}" name="email">{{email}}
Output Markup | Prior Work | Our Work
in Data Context | Apply the same HTML Filter (i.e., encode &<>"'`) | Apply yd Filter (i.e., encode < only)
in Double-quoted Attr Value Context | Apply the same HTML Filter (i.e., encode &<>"'`) | Apply yavd Filter (i.e., encode " only)
■ Insight: Context Parser accurately determined the contexts
● Why over-encode? Let’s embrace just-sufficient encoding
● Runtime performance > 5x faster, as a result
Go Template Security Model: http://golang.org/pkg/html/template/#hdr-Security_Model
Closure Security Model: http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#problem_definition
60. Double-encoding Issue
#3: Life is worthless without love <3
● Input filtering likely applied in existing website: <3 becomes &lt;3
● Output filtering encodes it again: finally becomes &amp;lt;3, rendered as in the diagram
Can we omit encoding the & character?
61. Graceful Output and Input Filtering
- A brave attempt not to encode &
■ & cannot lead to script executions, as defined by HTML 5
“JS includes” <br size="&{alert(1)}"> became history (IE5)
■ Require HTML decoding in case of blacklisting,
e.g., to filter javascript:alert(1),
● prior work tests value, : becomes &colon;
● we html decode first, then tests the resulted value
● Our decoder: correct (>a → >a), fastest (using FSM, trie)
63. Evaluations
- Contextual Analysis on a Yahoo! website
● 90.9% of output markups automatically secured with the contextual filtering
Location of output expressions (aka. Context) | No of findings | Notes
Simple HTML Contexts (e.g., data, dqAttr ...) | 52 (~10.5%) | Secured by default handlebars.
ATTRIBUTE_VALUE_UNQUOTED state | 5 (~1.0%) | Secured also by secure-handlebars.
ATTRIBUTE_VALUE states + URI | 280 (~56.8%) | Secured also by secure-handlebars.
ATTRIBUTE_VALUE states + CSS | 111 (~22.5%) | Secured also by secure-handlebars.
ATTRIBUTE_VALUE states + JS (e.g., onclick) | 1 (~0.2%) | Manual review is required. Dangerous contexts.
SCRIPT state (i.e., <script>) | 37 (~7.5%) | Manual review is required. Dangerous contexts.
ATTRIBUTE_NAME state | 4 (~0.8%) | Manual review is required. Dangerous contexts.
RAW_TEXT state (e.g., <style>) | 3 (~0.6%) | Manual review is required. Dangerous contexts.
64. Evaluations
- Performance
■ Offline/one-off overhead (for contextual analysis)
● It takes 63s to pre-process and canonicalize 512 templates (i.e. 0.35MB/sec).
■ Negligible runtime overhead (for filtering only)
● for contexts defendable by default filter, ours is >5x faster
● to secure other contexts, by design, least amount of chars
Ref: https://github.com/yahoo/xss-filters/blob/benchmarks/tests/benchmarks/compare-default.js#L9-L22
65. Framework Comparisons
Contextual Escaping Supported | Yahoo Secure Handlebars | Google Angular.js | Google Closure | Facebook React | Ember.js
HTML Contexts | ✓ | ✓ | ✓ | ✓ | ✓
URI Contexts | ✓ | ✓ | ✓ | no | ✓
CSS Contexts | ✓ | ✓ / no [1] | ✓ | no | no
JS Contexts | no | no | ✓ | no | no
Important Features | Yahoo Secure Handlebars | Google Angular.js | Google Closure | Facebook React | Ember.js
Auto HTML Canonicalization | ✓ | no | no | no | no
Auto Sub-template Analysis | ✓ | ✓ [2] | ✓ [3] | ✓ [2] | ✓ [2]
Secure Filters for > 90% of Browser Market Share (incl., IE 7+, Safari 5+, FF & Chrome) | ✓ | no | ✓ | no | no
[1] AngularJS does not apply contextual filtering rules on style attribute.
[2] AngularJS, React and EmberJS restrict the sub-template in HTML Data context only.
[3] Google Closure requires manual annotation for sub-template analysis.
66. Future Work / Rich HTML Sanitization
■ When developers don’t know how to sanitize...
● use of SafeString/dangerouslySetInnerHTML
safeHtml = Purifier.purify(untrustedRichHtml);
■ No need to sanitize individual fields
■ Usable on client side or server side
■ Whitelist based approach
QR code points to html-purify github repo
Image from https://www.flickr.com/photos/tnarik/3416160916 (CC BY 2.0)
67. Conclusion: Building A Safer Internet for All
Automatic contextual escaping made easy
■ Efficient HTML5 compliant parser w/auto corrections
■ Auto apply contextual, just-sufficient, and faster escaping
■ Effortless adoption w/express-secure-handlebars
■ Open-sourced at github.com/yahoo and npmjs.com
Portal: https://yahoo.github.io/secure-handlebars
68. Thank you!
Nera, Adon, Albert
{neraliu, adon, albertyu}@yahoo-inc.com
Twitter: @neraliu, @adonatwork, @yukinying
We’d like to acknowledge the support and help from:
- Stuart Larsen
- Alaa Mubaied
- Aditya Mahendrakar
- Eric Ferraiuolo
- Christopher Harrell
- Christopher Rohlf
- Jeremy Ruppel
Bug Bounty Program Contributors
● https://github.com/yahoo/secure-handlebars/blob/master/CONTRIBUTORS.md
● https://github.com/yahoo/xss-filters/blob/master/CONTRIBUTORS.md
70. Deployability of Secure-Handlebars
- secure-handlebars & express-secure-handlebars
Hassle-free server-side adoption
- To switch from express-handlebars to express-secure-handlebars npm:
- 2 LOCs changes: (1) dependency in package.json, (2) require(...)
Besides, client-side use with secure-handlebars
- Contextual analyzer can preprocess templates during the build process (at server side)
- Handlebars pre-compiles the rewritten templates
- Filters registered at client-side allow handlebars to filter data at data binding stage.
71. Secure Handlebars
- Design Principles
■ Work as a Preprocessor
● Parse template and build an Abstract Syntax Tree (AST)
● Walk thru every branch, trigger different parser for contextual analysis
● Insert filter markups to {{outputExpression}} based on its context
● Produce a rewritten template, compatible w/handlebars (unlike ember.js)
■ Facilitate Seamless Upgrade
● Existing template logics must all be preserved
QR code points to the secure-handlebars github repo
72. Rewrite template before Handlebars
- <a href="{{url}}">{{url}}</a>
+ <a href="{{{yavd (yubl (yufull url))}}}">{{{yd url}}}</a>
● Handlebars applies the filters (aka helpers) during compilation.
○ {{{ }}} - disable the default blindly-escaping.
○ yufull - encodeURI() with IPvFuture support
○ yubl - disable dangerous protocols such as javascript:
○ yavd - html-escape double-quote character (" → &quot;)
○ yd - html-escape less-than character (< → &lt;)
● Contextual Analyzer adds filter markups specific to output contexts
73. CSS Context Parser
- design principles
■ Same considerations as HTML5 Context Parser
● Standard compliance.
● Cross-browser compatibility.
■ Design Goal
- All browsers MUST parse the CSS with the same contextual result.
QR code points to the standalone CSS Parser github repo
74. CSS Context Parser
- strict mode
■ Approach:
● Rewrite the CSS grammar into a stricter grammar.
● The original grammar allows escape char (i.e. {6digits}), the stricter grammar only allows known set of chars (i.e. [a-zA-Z0-9]) and special chars (i.e. :, ;).
● It is unusual to use escape char in CSS template.
// this is a valid syntax, but our parser would reject it!
<div style="color:{{output}}">...</div>
QR code points to the standalone CSS Parser github repo
75. Why are we reluctant to support auto JS Context filtering? Static vs. Dynamic
■ What XSS filters should we apply?
single-quoted JS string? double-quoted URI attr?
● Static (incl related) approach can only apply the former one
● Warn & manual check; Avoid false sense of security
<script>
var html = '<a href="{{untrustedUrl}}"><b>link</b></a>...';
document.write(html);
</script>