presentation about my diploma thesis progress at the Software Engineering working group @ FU Berlin

1. 2 Roads to Redemption
Thoughts on fixing SQLIA and XSS
Florian Thiel,
FU Berlin, 12/18/2008
florian.thiel ät noroute.de

3. OWASP Top 10 2007
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery

4. OWASP Top 10 2007
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery

5. © by xckd: http://xkcd.com/327/

6. © by xckd: http://xkcd.com/327/

7. “SELECT firstname FROM Students
WHERE (login = ‘%s’);” % login
© by xckd: http://xkcd.com/327/

8. “SELECT firstname FROM Students
WHERE (login = ‘%s’);” % login
© by xckd: http://xkcd.com/327/
SELECT firstname FROM Students WHERE
(login = ‘Robert’); DROP TABLE Students; -- ‘);

9. SQLIA threats
• data integrity
• confidentiality
• new attack vector

11. “This issue isn't just about scripting, and
there isn't necessarily anything cross site
about it. So why the name? It was coined
earlier on when the problem was less
understood, and it stuck. Believe me, we have
had more important things to do than think
of a better name. <g>. “
-- Marc Slemko, Apache.org

12. XSS SQLIA
eval(‘user input’)1,2
1) the essence of injections
2) limited only by the execution environment

13. Failure to sanitize data
into a different plane

14. technical non-solutions
• addslashes() or any one-size-fits-all
• blacklisting (IPS, validation, etc.)

15. technical solutions
• AntiSamy
• ReForm
• prepared statements
• Safe Query Objects
• ...

16. only half-way there

17. WP MU < 2.6 XSS
“In /wp-admin/wpmu-blogs.php an attacker can
inject javascript code, the input variables quot;squot; and
quot;ip_addressquot; of GET method aren't properly
sanitized.”
--[Full-disclosure], Sept 2008

18. WP MU < 2.6 XSS
“In /wp-admin/wpmu-blogs.php an attacker can
inject javascript code, the input variables quot;squot; and
quot;ip_addressquot; of GET method aren't properly
sanitized.”
--[Full-disclosure], Sept 2008

19. ey ’re
er e. Th t!
a re h ye Gibson
ed illiam
io ns ut ing W
rib hras
solut istparap
d --
e
Th ot eve nly
j ustn

20. The interesting* part
* what my thesis is really about

21. Developers more Code

22. Helping developers
• raise awareness
• facilitate detection/motivate reviews
• motivate repair

23. // @userinput(data,source=”webform”,
// type=”username”)
// [insert data into query, ignore
// non-alphanums]
def insertAlphaNum(query, data):
// [make sure data is
canonical]
c_data = data.toCharSet(...)
c_data.replace(...)
...
// [insert data into query]
// @output(target=sql,
// type=”username”)
query.prepare(...)
query.insert(data...)
...

24. What do you use to
communicate critical sections?

25. Would you use annotations?
Your requirements?

26. GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1
Host: msdn.microsoft.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:
1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.de/search?q=http+request+header
+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-
US:official&client=firefox-a
Cache-Control: max-age=0

28. Current approaches
• global XSS filter (HTML escapes) on/off
• default sanitation of all data

29. Current approaches
g h !
n u
o on/off
• e
ledata
global XSS filter (HTML escapes)
b
• default sanitationiof all
x
t fl e
N o

30. Helping the framework
• machines are good at doing repetitive
work!
• if they just knew enough...

31. Rich Types

32. Rich Types
• if we had a “firstname” type
• and one for “XML”
• and one for a “ebay-style post”

33. Rich Types
• if we had a “firstname” type
• and one for “XML”
• and one for a “ebay-style post”
• we could do flexible validation/sanitation

34. What we’d get
• Types for SQL prepared statements
• Types for AntiSamy/Template engine
• Types for future backends
• Types/Constraints for forms (XForms?)
• rich constraints on complex types

35. How it’d look like
class MyTextField(models.Field):
# may only contain <H1>
sqlserializer = SQLFilter(type=”html”) # to SQL
htmlserializer = AntiSamy(“H1Profile”) # to HTML
validator = HtmlValidator(tagsAllowed=(“h1”))

36. Drawbacks
• needs decent infrastructure form
framework
• needs good type catalogue to be easy
enough to use
• what about HTTP headers, cookies?
• simpler approaches available (Django)

37. Is it worth it?

38. Questions?

39. Thank You!

40. This presentation is
licensed under a Creative
Commons BY-SA license.
Attribution for pictures through links.
Slides, materials, progress etc. can be found @
http://www.noroute.de/blog/diplomathesis