AppSecEU08-ReformAndCanoodle-Eddington

Download Report

Transcript AppSecEU08-ReformAndCanoodle-Eddington 

OWASP Europe Conference 2008
OWASP Encoding Project
.NET WebService validation
Michael Eddington
Leviathan Security Group
[email protected]
OWASP
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Contents
OWASP Encoding Project (Reform)
OWASP .NET Web Service Validation
OWASP
Cross-site Scripting, The problem…
Limited encoding support in frameworks
What about Javascript and VBScript?
Only: & < > “
No 100% encoding solution
Production quality
Low to no patches
Forward looking
Internationalization support
OWASP
The solution…Reform!
Best of bread output encoding library
Stable for 4 years
No security impacting bugs…EVER!
Conservative
Prevents all known XSS attacks
All major languages
Used extensively by internationalized sites
Extended Chinese character support
OWASP
Design goals
Easy to use
Conservative
“Future Proof”
No licensing restrictions
All major platforms supported
Internationalization support
OWASP
How did we do?
In production use for 4 years
Zero security impacting bugs to date
All relevant cross-site scripting bugs to date
prevented
Standard
New
Browser bug based
Basis for Microsoft’s AntiXss
OWASP
Languages
ASP
ASP.NET (1.1, 2.0, 3.x)
Java
JavaScript
Perl
PHP
Python
Ruby
OWASP
How it works…
White list based
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
0123456789
Space [ ]
Comma [,]
Period [.]
OWASP
Cross-site scripting Attacks
Standard XSS injection attacks
HTML injection
HTML attribute injection
Javascript injection
Etc.
Unicode XSS attacks
Browser bugs or related libraries
OWASP
Unicode
Specifications include optional behaviors
Specs not always 100% clear
Libraries built off different versions of specs
Libraries work differently
OWASP
Typical Unicode XSS Attack
2
0x00script0x00
ASP.NET
1
Unicode v2
?script?
3
Browser
4
Unicode v1
<script>
OWASP
Typical Unicode XSS Attack…Reformed
2
0x00script0x00
ASP.NET
1
Unicode v2
3
Reform
?script?
4
Browser
5
Unicode v1
?script?
OWASP
Reform, the pros and cons
Pros
 Stable code base
 Low patch rate (1 in 4
years)
 Conservative approach
 Mitigates all known issues
Cons
 Performance impact
 Larger page size
OWASP
Reform API
HtmlEncode(value, [default])
JsString(value, [default])
VbsString(value, [default])
OWASP
HtmlEncode(value, [default])
Value
 Mary had a little lamb
 <evil>
 Tom & Jerry
 “A famous quote”
 한국 원본의 보기
Return
 Mary had a little lamb
 &#60;evil&#62;
 Tom &#38; Jerry
 &#34;A famous
quote&#34;
 &#54620;&#44397;
&#50896;&#48376;&#51
032; &#48372;&#44592;
OWASP
JsString(value, [default])
Value
 Mary had a little lamb
 <evil>
 Tom & Jerry
 “A famous quote”
 한국 원본의 보기
Return
 'Mary had a little lamb'
 '\x3Cevil\x3E'
 'Tom \x26 Jerry'
 '\x22A famous quote\x22'
 '\uD55C\uAD6D
\uC6D0\uBCF8\uC758
\uBCF4\uAE30'
OWASP
VbsString(value, [default])
Value
 Mary had a little lamb
 <evil>
 Tom & Jerry
 “A famous quote”
 한국 원본의 보기
Return
 "Mary had a little lamb"
 chrw(60)&"evil"&chrw(62)
 "Tom "&chrw(38)&" Jerry"
 chrw(34)&"A famous quote"&c
 chrw(54620)&chrw(44397)&"
"&chrw(50896)&chrw(48376)&
chrw(51032)&"
"&chrw(48372)&chrw(44592)hr
w(34)
OWASP
.NET Web Controls
Limited if any cross site scripting prevention
Controls can be extended
Literal
Label
DataGrid
Etc.
Reform provide these!
OWASP
Questions?
Michael Eddington
([email protected])
OWASP Encoding Project
(http://www.owasp.org/index.php/Category:OW
ASP_Encoding_Project)
OWASP
Project 2
OWASP .NET WEB SERVICE
VALIDATION
OWASP
The problem…
WSDL Schema validation
Additional web method validation
OWASP
Canoodle
Provides WSDL schema validation
Schematron like assertions
Simple to use
OWASP
Process flow
Request
Message
Canoodle
Validation
Success
WebMethod
Invocation
Failure
SOAP Fault
Response
Message
Web Service
Response
Message
OWASP
Partial Schematron support
Schema validation based on xpath queries
Assert support via Attributes
[Assert(“//x > 10”, “x greater than 10”)]
[Assert(“//y < 100”, “y less than 100”)]
OWASP
Usage Example
[WebMethod]
[Validation]1
[Assert("//t:x > 10", "x greater then 10")]
2
[Assert("//t:y < 100", "y less then 100")]
public void CreatePoint(int x, int y)
{
// ...
}
OWASP
Performance Impact
Two request XML parses
Validating
Non-validating
Compiled xpath queries cached
OWASP
Questions?
Michael Eddington
([email protected])
.NET Web Service Validation
(http://www.owasp.org/index.php/.NET_Web_S
ervice_Validation)
OWASP