More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to Whatever it takes - Fixing SQLIA and XSS in the process
Similar to Whatever it takes - Fixing SQLIA and XSS in the process (20)
Recently uploaded
Recently uploaded (20)
Whatever it takes - Fixing SQLIA and XSS in the process
- 1. Whatever it takes Fixing SQLIA and XSS in the process Diploma Thesis Outline Seminar “Beiträge zum Software Presentation, Florian Thiel Engineering”, FU Berlin, 11/06/2008
- 3. OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery
- 4. OWASP Top 10 2007 1. XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery
- 5. © by xckd: http://xkcd.com/327/
- 6. © by xckd: http://xkcd.com/327/
- 7. “SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/
- 8. “SELECT firstname FROM Students WHERE (login = ‘%s’);” % login © by xckd: http://xkcd.com/327/ SELECT firstname FROM Students WHERE (login = ‘Robert’); DROP TABLE Students; -- ‘);
- 9. SQLIA threats • data integrity • confidentiality • new attack vector
- 10. “UPDATE Users SET password = ‘%s’ WHERE uid = ‘%s’;” % (pw, uid)
- 11. UPDATE Users SET password = ‘password’ WHERE uid = ‘robert’ OR 1=1; --’; Integrity
- 12. “SELECT product FROM Products WHERE productid = ‘%s’;” % pid
- 13. SELECT product FROM Products WHERE productid = ‘0 UNION SELECT owner, balance FROM Accounts; --’; Confidentiality
- 14. “SELECT product, price FROM products WHERE category = ‘%s’;” % category
- 15. SELECT product, price FROM products WHERE categoryid = exec master..xp_cmdshell “format c:”-- ; New Attack Vector
- 16. Bad Mitigations • PHP: addslashes() • IDS blacklisting • validation blacklisting
- 17. Decent Mitigations stmt = prepare(“SELECT name FROM Users WHERE uid = $1”) db.execute(stmt, uid)
- 18. Why it’s hard Control Data
- 19. More problems • validation context != execution context • really tolerant DBs • “SEL”+”ECT”, anyone? • DBs trying to fix illegal SQL
- 20. Something different!? http://searchsite/search? keyword=”<script>alert(‘you have been XSSed!’)</script>”
- 21. Something different!? http://searchsite/search? keyword=”<script>alert(‘you have been XSSed!’)</script>”
- 22. “This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. “ -- Marc Slemko, Apache.org
- 23. eval(‘user input’)1,2 1) the essence of XSS 2) limited only by the execution environment
- 24. XSS • code injection • popular in ECMAScript/Web2.0
- 28. The Worm
- 29. (Non-working) XSS Mitigations • blacklisting of cribs • blacklisting of characters
- 30. helpful mitigations • HTTPOnly cookies • Whitelisting of characters
- 31. Common flaws • HTML/XSS and SQL • mix data and control • have no well-defined execution environment
- 32. Common flaws • HTML/XSS and SQL • mix data and control • have no well-defined execution environment • have no “API”
- 33. Failure to sanitize data into a different plane
- 34. Safe Query Objects • “real” SQL API • adds static types • dynamic queries still runtime evaluated
- 35. AntiSamy • Policy-based sanitation for HTML entities • “Types” (by RegEx) • (no semantics)
- 36. Another job well done!
- 37. GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1 Host: msdn.microsoft.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: 1.9.0.3) Gecko/2008092414 Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.google.de/search?q=http+request+header +example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en- US:official&client=firefox-a Cache-Control: max-age=0
- 39. Hmm, are we missing something here?
- 40. Absolutely!
- 41. The interesting* part * what my thesis is really about
- 42. Make sure that the technical solutions are thoroughly applied
- 43. 1. Make developers use a reasonable architecture 2. Make developers recognize a weakness when they meet one 3. Make developers find weaknesses 4. Make people actually fix things
- 44. 1) (Architecture) • centralization • canonicalization • have to be conservative
- 45. 2) (Recognition) • patterns? • flawed code examples in the wild
- 46. 3) (Detection) • automated flow analysis • code inspection
- 47. Code inspection • need a reading technique • defect-based reading
- 48. Artifacts • reviewer annotates suspicious code regions • e.g. @userinput, @output • makes review work visible in the source code • and more valuable since annotations can be reused
- 49. // @userinput(data) // [insert data into query, ignore non-alphanums] def insertAlphaNum(query, data): // [make sure data is canonical] c_data = data.toCharSet(...) c_data.replace(...) ... // [insert data into query] query.prepare(...) query.insert(data...) ...
- 50. 4) (Repair) • once weakness is known, developers should be motivated enough • focus is on keeping the code secure, minimizing effort
- 51. My tasks • provide practical architectural assumptions • construct effective reading method • + awareness of potential weaknesses • get a project to adopt my methods
- 52. Questions?
- 53. This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
- 54. Thank you!