2 roads to redemption - thoughts on xss and sqlia
DESCRIPTION
presentation about my diploma thesis progress at the Software Engineering working group @ FU Berlin
TRANSCRIPT
![Page 1: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/1.jpg)
2 Roads to Redemption
Thoughts on fixing SQLIA and XSS
Florian Thiel, florian.thiel ät noroute.de
FU Berlin, 12/18/2008
![Page 3: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/3.jpg)
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery
OWASP Top 10 2007
![Page 4: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/4.jpg)
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery
OWASP Top 10 2007
![Page 5: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/5.jpg)
© by xkcd: http://xkcd.com/327/
![Page 6: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/6.jpg)
© by xkcd: http://xkcd.com/327/
![Page 7: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/7.jpg)
"SELECT firstname FROM Students WHERE (login = '%s');" % login
© by xkcd: http://xkcd.com/327/
![Page 8: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/8.jpg)
"SELECT firstname FROM Students WHERE (login = '%s');" % login
SELECT firstname FROM Students WHERE (login = 'Robert'); DROP TABLE Students; -- ');
© by xkcd: http://xkcd.com/327/
![Page 9: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/9.jpg)
SQLIA threats
• data integrity
• confidentiality
• new attack vector
![Page 10: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/10.jpg)
![Page 11: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/11.jpg)
“This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>”
-- Marc Slemko, Apache.org
![Page 12: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/12.jpg)
eval('user input') (1, 2)
1) the essence of injections
2) limited only by the execution environment
XSS SQLIA
![Page 13: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/13.jpg)
Failure to sanitize data into a different plane
![Page 14: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/14.jpg)
technical non-solutions
• addslashes() or any one-size-fits-all
• blacklisting (IPS, validation, etc.)
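The two slides above make one point: a value is only "unsafe" relative to the plane it is about to enter, so the escaper has to be chosen by the destination (HTML text, URL query, SQL), not applied once for all of them. The following added example (my illustration, not code from the slides) puts a PHP-style addslashes() next to a per-plane dispatcher; the `ENCODERS` table, `encode_for` and the sample value are assumptions of this example. For the SQL plane there is deliberately no string escaper at all: the value is returned as a placeholder plus a bind parameter.

```python
import html
import urllib.parse

# Constructed sample: a value that is harmless text in one plane and
# meaningful markup in another.
SAMPLE = "O'Brien <b>Tables</b>"


def addslashes(s):
    """PHP-style addslashes(), the one-size-fits-all escaper the slide names:
    it backslash-escapes ' " \\ and NUL and knows nothing about where the
    data is going next. Note that '<' and '&' pass through untouched."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


# One encoder per destination plane (assumed table for this example).
# "sql" hands back a placeholder and a bind parameter instead of escaping:
# the database driver does the quoting, not string code.
ENCODERS = {
    "html_text": lambda v: html.escape(v, quote=True),
    "url_query": urllib.parse.quote_plus,
    "sql": lambda v: ("?", (v,)),
}


def encode_for(plane, value):
    """Pick the encoder by the plane the data is entering, never by its source.
    An unknown plane is an error: reusing another plane's encoder is exactly
    the mistake addslashes() makes."""
    try:
        encoder = ENCODERS[plane]
    except KeyError:
        raise ValueError("no encoder for plane %r; add one, do not reuse another" % plane)
    return encoder(value)
```

The check a reviewer wants is whether a `<` from untrusted input is still a raw `<` after "sanitization": with addslashes() it is, with the HTML encoder it is not, and for SQL the question does not even arise because the value never becomes part of the statement text.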
![Page 15: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/15.jpg)
technical solutions
• AntiSamy
• ReForm
• prepared statements
• Safe Query Objects
• ...
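An added example (mine, not from the slides) that ties the string-formatted query of slides 7 and 8 to the "prepared statements" entry above. `build_query_formatted` reproduces the slide's `%` formatting so the resulting text can be compared with the injected statement shown there; `lookup_prepared` and `add_student` bind the same value through a `?` placeholder, so the driver ships SQL and value separately and the value can only be compared, never executed. The in-memory sqlite3 database, its `Students` table and the sample rows are constructed for this example.

```python
import sqlite3

# Constructed sample value: the "Little Bobby Tables" login from the xkcd strip
# quoted on the slides.
BOBBY = "Robert'); DROP TABLE Students; -- "


def build_query_formatted(login):
    """The slide's string formatting: the value becomes part of the SQL text,
    so quote characters inside it change the statement's structure."""
    return "SELECT firstname FROM Students WHERE (login = '%s');" % login


def setup_db():
    """In-memory database with a constructed Students table and two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (login TEXT, firstname TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob")])
    return conn


def add_student(conn, login, firstname):
    """Insert through a prepared statement; login is bound, never spliced."""
    conn.execute("INSERT INTO Students VALUES (?, ?)", (login, firstname))


def lookup_prepared(conn, login):
    """Prepared statement with a placeholder: whatever the login contains,
    it is compared against the column as one opaque value."""
    rows = conn.execute(
        "SELECT firstname FROM Students WHERE (login = ?)", (login,)).fetchall()
    return [r[0] for r in rows]


def table_exists(conn, name):
    """Check the schema catalogue so a test can confirm nothing was dropped."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,)).fetchone()
    return row is not None
```

The formatted string is only built here, not executed: Python's sqlite3 `execute()` refuses strings containing more than one statement, which is a property of that one driver rather than a defence, and other database APIs happily run both statements. With the prepared statement the Bobby Tables value can even be stored and found again as an ordinary login.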
![Page 16: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/16.jpg)
only half-way there
![Page 17: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/17.jpg)
WP MU < 2.6 XSS
“In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables "s" and "ip_address" of GET method aren't properly sanitized.”
--[Full-disclosure], Sept 2008
![Page 18: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/18.jpg)
WP MU < 2.6 XSS
“In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables "s" and "ip_address" of GET method aren't properly sanitized.”
--[Full-disclosure], Sept 2008
![Page 19: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/19.jpg)
The solutions are here. They’re just not evenly distributed yet!
-- paraphrasing William Gibson
![Page 20: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/20.jpg)
The interesting* part
* what my thesis is really about
![Page 21: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/21.jpg)
Developers more Code
![Page 22: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/22.jpg)
Helping developers
• raise awareness
• facilitate detection/motivate reviews
• motivate repair
![Page 23: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/23.jpg)
```
// @userinput(data, source="webform",
//            type="username")
// [insert data into query, ignore
//  non-alphanums]
def insertAlphaNum(query, data):
    // [make sure data is canonical]
    c_data = data.toCharSet(...)
    c_data.replace(...)
    ...
    // [insert data into query]
    // @output(target=sql,
    //         type="username")
    query.prepare(...)
    query.insert(data...)
    ...
```
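One way the annotation sketch above could be made concrete in Python, as an added example that is not part of the thesis or the slides: `@userinput` and `@output` are assumed decorators that only attach metadata to the function, and `insert_alpha_num` fills in the sketch's elided steps with NFKC canonicalization, an ASCII alphanumeric allow-list and a bound parameter. The two helper functions at the end are the kind of reviewer aid the "facilitate detection/motivate reviews" slide asks for: they list functions that nobody has annotated, and functions whose declared input type does not match what they emit.

```python
import re
import unicodedata


def userinput(source, type):
    """Assumed annotation: where untrusted data enters and what it claims to be."""
    def decorate(fn):
        fn.userinput = {"source": source, "type": type}
        return fn
    return decorate


def output(target, type):
    """Assumed annotation: into which plane the data leaves, and as what."""
    def decorate(fn):
        fn.output = {"target": target, "type": type}
        return fn
    return decorate


@userinput(source="webform", type="username")
@output(target="sql", type="username")
def insert_alpha_num(data):
    """The slide's insertAlphaNum made concrete: canonicalize, drop everything
    that is not an ASCII alphanumeric, then hand the value to SQL as a bind
    parameter rather than splicing it into the statement."""
    c_data = unicodedata.normalize("NFKC", data)        # canonical form
    c_data = re.sub(r"[^0-9A-Za-z]", "", c_data)        # ignore non-alphanums
    return ("SELECT firstname FROM Students WHERE (login = ?)", (c_data,))


def unannotated(functions):
    """Names of functions carrying neither annotation: critical sections that
    nobody has described yet, and therefore candidates for review."""
    return [f.__name__ for f in functions
            if not hasattr(f, "userinput") and not hasattr(f, "output")]


def type_mismatches(functions):
    """Names of functions whose declared input type differs from the type they
    emit, e.g. a 'username' that leaves as 'html'."""
    return [f.__name__ for f in functions
            if hasattr(f, "userinput") and hasattr(f, "output")
            and f.userinput["type"] != f.output["type"]]
```

Because the decorators only record metadata, they cost nothing at run time; a linter, a code review checklist or a test can walk a module's functions and call `unannotated` and `type_mismatches` on them.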
![Page 24: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/24.jpg)
What do you use to communicate critical sections?
![Page 25: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/25.jpg)
Would you use annotations?
Your requirements?
![Page 26: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/26.jpg)
```
GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1
Host: msdn.microsoft.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.de/search?q=http+request+header+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cache-Control: max-age=0
```
![Page 27: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/27.jpg)
![Page 28: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/28.jpg)
Current approaches
• global XSS filter (HTML escapes) on/off
• default sanitization of all data
![Page 29: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/29.jpg)
Current approaches
• global XSS filter (HTML escapes) on/off
• default sanitization of all data
Not flexible enough!
![Page 30: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/30.jpg)
Helping the framework
• machines are good at doing repetitive work!
• if they just knew enough...
![Page 31: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/31.jpg)
Rich Types
![Page 32: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/32.jpg)
Rich Types
• if we had a “firstname” type
• and one for “XML”
• and one for an “ebay-style post”
![Page 33: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/33.jpg)
Rich Types
• if we had a “firstname” type
• and one for “XML”
• and one for an “ebay-style post”
• we could do flexible validation/sanitization
![Page 34: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/34.jpg)
What we’d get
• Types for SQL prepared statements
• Types for AntiSamy/Template engine
• Types for future backends
• Types/Constraints for forms (XForms?)
• rich constraints on complex types
![Page 35: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/35.jpg)
What it’d look like
```python
class MyTextField(models.Field):
    # may only contain <H1>
    sqlserializer = SQLFilter(type="html")          # to SQL
    htmlserializer = AntiSamy("H1Profile")          # to HTML
    validator = HtmlValidator(tagsAllowed=("h1",))  # one-element tuple
```
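To show what the rich-type sketch above buys in practice, here is an added example of my own, not code from the thesis, the slides or Django: `H1TextField` validates on construction and carries one serializer per backend, exactly the shape of `MyTextField`. `H1OnlySanitizer` is an assumed stand-in for `AntiSamy("H1Profile")` built on the standard library's `HTMLParser` (it keeps `<h1>` without attributes and turns every other tag into escaped text), the SQL side binds the raw value as a parameter instead of escaping it, and the sqlite3 table used for the round trip is constructed for the example.

```python
import html
import sqlite3
from html.parser import HTMLParser


class H1OnlySanitizer(HTMLParser):
    """Allow-list sanitizer standing in for AntiSamy("H1Profile"): <h1>/</h1>
    pass (attributes dropped), any other tag is escaped to text, and text
    nodes are re-escaped so the output is canonical HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.rejected = []        # tag names outside the profile, for the validator

    def handle_starttag(self, tag, attrs):
        if tag == "h1":
            self.parts.append("<h1>")      # the profile allows the tag, not its attributes
        else:
            self.rejected.append(tag)
            self.parts.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag == "h1":
            self.parts.append("</h1>")
        else:
            self.rejected.append(tag)
            self.parts.append(html.escape("</%s>" % tag))

    def handle_data(self, data):
        self.parts.append(html.escape(data, quote=True))   # data arrives decoded

    def result(self):
        self.close()                       # flush text the parser is still buffering
        return "".join(self.parts)


class HtmlValidationError(ValueError):
    pass


class H1TextField:
    """Rich type in the role of MyTextField: validated when created, and it
    knows how to serialize itself for each backend it can flow into."""

    def __init__(self, raw):
        san = H1OnlySanitizer()            # validator = HtmlValidator(tagsAllowed=("h1",))
        san.feed(raw)
        san.result()
        if san.rejected:
            raise HtmlValidationError("tags not in profile: %s" % ", ".join(sorted(set(san.rejected))))
        self.raw = raw

    def to_sql_param(self):
        """sqlserializer: the stored form is the raw value, bound as a parameter;
        no string escaping, because the driver does the binding."""
        return self.raw

    def to_html(self):
        """htmlserializer: even validated data is sanitized again on output."""
        san = H1OnlySanitizer()
        san.feed(self.raw)
        return san.result()


def store_and_render(field):
    """Round trip through a constructed sqlite3 table: bind, load, re-type, render."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (body TEXT)")
    conn.execute("INSERT INTO posts VALUES (?)", (field.to_sql_param(),))
    (stored,) = conn.execute("SELECT body FROM posts").fetchone()
    return H1TextField(stored).to_html()
```

The field never has to know which template or which database it ends up in; each backend asks the type for the serialization it needs, which is the flexibility the "global filter on/off" approaches lack.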
![Page 36: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/36.jpg)
Drawbacks
• needs decent infrastructure from framework
• needs good type catalogue to be easy enough to use
• what about HTTP headers, cookies?
• simpler approaches available (Django)
![Page 37: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/37.jpg)
Is it worth it?
![Page 38: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/38.jpg)
Questions?
![Page 39: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/39.jpg)
Thank You!
![Page 40: 2 Roads to Redemption - Thoughts on XSS and SQLIA](https://reader033.vdocuments.net/reader033/viewer/2022052903/557589dad8b42ae7708b4948/html5/thumbnails/40.jpg)
This presentation is licensed under a Creative Commons BY-SA license.
Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
Attribution for pictures through links.