How to Use OWASP ESAPI and Microsoft Web Protection Libraries Against Cross-Site Scripting
Published in: Technology
1. How to Use OWASP ESAPI and Microsoft Web Protection Libraries Against Cross-Site Scripting
2. Cross-Site Scripting
  • Cross-Site Scripting (XSS) occurs when an application takes data from a user and sends it back to a web browser without validation or encoding
  • There are three main varieties:
    • Stored
    • Reflected
    • DOM-based
  • To guard against it:
    • Positively validate inputs
    • Escape user-supplied data sent back to the browser, using the encoding that matches the output context (HTML body, HTML attribute, JavaScript, URL)
3. OWASP ESAPI
  • Sites:
    • Main: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
    • Java: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Java_EE
  • Good: Provides a very robust set of encoder functions
  • Less good:
    • Has a large number of dependencies (~29 at the time of writing; work on modularity is in progress)
    • Implementations are of varying maturity. Most useful for Java.
4. OWASP ESAPI (Java)
  • To use:
    • Follow the installation guide
    • Must create a folder (.esapi) to store your configuration and preferences (ESAPI.properties); ESAPI cannot be used until that file is found
  • Get access to the library:
    • Add all the support jars (31) to your project
    • Remove jars that duplicate ones already in your project
    • Add esapi-2.0_rc10.jar to your project
    • In a JSP: <%@ page import="org.owasp.esapi.ESAPI, org.owasp.esapi.Encoder" %>
  • Make calls to encode tainted data:
    • ESAPI.encoder().encodeForHTML()
    • ESAPI.encoder().encodeForHTMLAttribute()
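The steps above, carried through as a complete servlet. This is an added example, not code from the slides or from the ESAPI project: the class name SearchServlet, the parameter name q and the page layout are assumptions, and it assumes a Servlet 2.5 (javax.servlet) container with ESAPI 2.0 and its ESAPI.properties on the classpath, as the installation steps require. It shows the "escape user-supplied data" defense from slide 2 applied once per output context, rather than only the two calls the slide names.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

/**
 * Hypothetical search results page (example code, not from the deck).
 * ESAPI.encoder() reads ESAPI.properties at first use; if the .esapi
 * folder from the installation guide is missing, that call throws.
 */
public class SearchServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Tainted: fully attacker-controlled. A reflected probe such as
        // ?q=<script>alert(1)</script> runs in the victim's browser if echoed raw.
        String q = req.getParameter("q");
        if (q == null) {
            q = "";
        }

        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        Encoder enc = ESAPI.encoder();

        // BEFORE (vulnerable): the input lands in the page unchanged.
        // out.println("<p>Results for " + q + "</p>");

        // AFTER: choose the encoder for the context the data lands in. One
        // encoder everywhere is a common mistake: browsers decode HTML entities
        // inside attribute values, and do not decode them at all inside a
        // <script> block, so encodeForHTML alone neither protects the href
        // below nor keeps the JavaScript value intact.
        out.println("<p>Results for " + enc.encodeForHTML(q) + "</p>");
        out.println("<input type=\"text\" name=\"q\" value=\""
                + enc.encodeForHTMLAttribute(q) + "\">");
        out.println("<script>var lastQuery = '" + enc.encodeForJavaScript(q)
                + "';</script>");
        try {
            // encodeForURL percent-encodes for a query component and declares
            // a checked exception, unlike the other encoders.
            out.println("<a href=\"/search?q=" + enc.encodeForURL(q)
                    + "\">Search again</a>");
        } catch (EncodingException e) {
            throw new ServletException("could not URL-encode query", e);
        }
    }
}
```

The same pattern applies on the ASP.NET side of the deck with the Web Protection Library, where Encoder.HtmlEncode, Encoder.HtmlAttributeEncode, Encoder.JavaScriptEncode and Encoder.UrlEncode play the roles of the four ESAPI calls above.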
5. ASP.NET Request Validation
  • ASP.NET provides some blacklist-based input validation to try to guard against HTML injection and cross-site scripting (XSS) attacks
  • This is turned on by default (yay!)
  • Many applications disable it (boo!) because:
    • It blocked a valid request
    • It made trouble with AJAX
    • And so on
6. ASP.NET Request Validation
  • How to configure it, or check whether it is enabled?
  • This is turned on by default
  • In web.config:
      <configuration>
        <system.web>
          <pages validateRequest="true|false" />
        </system.web>
      </configuration>
  • Per page:
      <%@ Page … ValidateRequest="true|false" %>
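A web.config that keeps the slide's site-wide setting on and disables validation only for one page, as an added example rather than configuration taken from the deck. The page path is hypothetical. It also carries a caveat the slide predates: from ASP.NET 4.0 onward, request validation runs before the page executes and the per-page ValidateRequest="false" attribute is ignored unless the legacy mode is selected with requestValidationMode="2.0".

```xml
<configuration>
  <system.web>
    <!-- ASP.NET 4.0+: without this, ValidateRequest="false" on a page
         (or in a <location> block) is ignored and the request is still
         rejected with "A potentially dangerous Request.Form value was
         detected". Leave it out if no page needs an exception. -->
    <httpRuntime requestValidationMode="2.0" />

    <!-- Site-wide default: keep validation on. -->
    <pages validateRequest="true" />
  </system.web>

  <!-- Narrow exception for the one page that legitimately accepts markup
       (hypothetical path). That page must encode its output itself. -->
  <location path="Admin/RichTextEditor.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

The weak setting the deck warns about is the same element with validateRequest="false" at the <system.web> level, which turns the blacklist off for every page at once.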
7. Microsoft Web Protection Library
  • Main site:
    • http://wpl.codeplex.com/
  • To use:
    • Import a reference to AntiXSS.dll (optionally include HtmlSanitizationLibrary.dll)
      • Found in C:\Program Files (x86)\Microsoft Information Security\AntiXSS Library v4.0
    • Get access to the library:
      • In code:
          using Microsoft.Security.Application;
      • In an ASPX page:
          <%@ Import Namespace="Microsoft.Security.Application" %>
    • Make calls to encode tainted data:
      • AntiXss.HtmlEncode()
      • AntiXss.HtmlAttributeEncode()
      • And so on… (in v4.0 the AntiXss class is marked obsolete; the same methods live on Microsoft.Security.Application.Encoder)
8. Exercise: Fixing XSS Vulnerabilities
  • Java
    • Reflected XSS
    • Stored XSS
  • ASP.NET
    • Reflected XSS
    • Stored XSS
9. But Your ASP.NET Examples Cheated!
  • This is true: ASP.NET provides some XSS protection via the ValidateRequest functionality
  • However:
    • It can be (and often is) turned off on a per-page or site-wide basis
    • It has been defeated in the past and will be defeated again in the future
      • http://www.procheckup.com/vulnerability_manager/documents/document_1258758664/bypassing-dot-NET-ValidateRequest.pdf
      • http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf
    • It inspects only incoming request data: it does nothing for data that reaches the page from a database, a file or another system, and nothing for DOM-based XSS
  • If you want your code to be "Rugged", you need to actually guard against cross-site scripting in your code by encoding output
10. Resources
  • OWASP ESAPI
    • http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
  • Microsoft Web Protection Library
    • http://wpl.codeplex.com/
  • Denim Group Remediation Resource Center
    • www.denimgroup.com/remediation
11. Questions?
  • Dan Cornell
  • [email_address]
  • Twitter: @danielcornell
  • www.denimgroup.com
  • (210) 572-4400
