2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption: Thoughts on fixing SQLIA and XSS
Florian Thiel, florian.thiel ät noroute.de
FU Berlin, 12/18/2008
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery
OWASP Top 10 2007
© by xckd: http://xkcd.com/327/
"SELECT firstname FROM Students WHERE (login = '%s');" % login
SELECT firstname FROM Students WHERE (login = 'Robert'); DROP TABLE Students; -- ');
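The two query strings above, played out against a constructed in-memory SQLite table so the difference between string splicing and a prepared statement (the "technical solution" the later slides point to) is visible. This is an added example, not code from the slides; the Students table, its rows and the helper names are assumptions. Note that sqlite3's execute() refuses stacked statements, so the unsafe path uses executescript() to show what a backend that accepts them does with the xkcd input.

```python
import sqlite3

# The input from the xkcd strip quoted on the slide.
PAYLOAD = "Robert'); DROP TABLE Students; -- "


def make_db():
    """Constructed stand-in for the slide's Students table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (login TEXT, firstname TEXT)")
    con.executemany("INSERT INTO Students VALUES (?, ?)",
                    [("alice", "Alice"), ("robert", "Robert")])
    con.commit()
    return con


def table_exists(con, name):
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def lookup_unsafe(con, login):
    """The slide's pattern: the login value becomes part of the SQL text.

    executescript() is used so that a second statement smuggled into the
    string is actually run, as it would be on a backend that allows stacking.
    """
    query = "SELECT firstname FROM Students WHERE (login = '%s');" % login
    con.executescript(query)


def lookup_safe(con, login):
    """Prepared statement: the value is bound as a parameter, never parsed as SQL."""
    rows = con.execute(
        "SELECT firstname FROM Students WHERE (login = ?)", (login,)
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run both variants and report what happened to the table and the rows."""
    unsafe_db = make_db()
    lookup_unsafe(unsafe_db, PAYLOAD)

    # String splicing also breaks on perfectly legitimate input.
    apostrophe_db = make_db()
    try:
        lookup_unsafe(apostrophe_db, "O'Brien")
        breaks = False
    except sqlite3.OperationalError:
        breaks = True

    safe_db = make_db()
    payload_rows = lookup_safe(safe_db, PAYLOAD)

    return {
        "unsafe_table_survives": table_exists(unsafe_db, "Students"),
        "unsafe_breaks_on_apostrophe": breaks,
        "safe_table_survives": table_exists(safe_db, "Students"),
        "safe_rows_for_payload": payload_rows,
        "safe_rows_for_robert": lookup_safe(safe_db, "robert"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The prepared statement never "sanitizes" the payload; it simply hands the bytes to the database as a value, so the DROP TABLE text is looked up as a login name and matches nothing.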
SQLIA threats
• data integrity
• confidentiality
• new attack vector
“This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>”
-- Marc Slemko, Apache.org
eval('user input') [1][2]
[1] the essence of injections
[2] limited only by the execution environment
XSS SQLIA
Failure to sanitize data into a different plane
technical non-solutions
• addslashes() or any one-size-fits-all
• blacklisting (IPS, validation, etc.)
technical solutions
• AntiSamy
• ReForm
• prepared statements
• Safe Query Objects
• ...
only half-way there
WP MU < 2.6 XSS
“In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the input variables "s" and "ip_address" of GET method aren't properly sanitized.”
--[Full-disclosure], Sept 2008
The solutions are here. They’re just not evenly distributed yet!
-- paraphrasing William Gibson
The interesting* part
* what my thesis is really about
Developers more Code
Helping developers
• raise awareness
• facilitate detection/motivate reviews
• motivate repair
# @userinput(data, source="webform",
#            type="username")
# [insert data into query, ignore
#  non-alphanums]
def insertAlphaNum(query, data):
    # [make sure data is canonical]
    c_data = data.toCharSet(...)
    c_data.replace(...)
    ...
    # [insert data into query]
    # @output(target=sql,
    #         type="username")
    query.prepare(...)
    query.insert(data...)
    ...
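One way the @userinput / @output annotations sketched above could be made to do work at run time, as an added example (not the thesis code): input boundaries wrap their result in a tainted string type, sinks refuse tainted arguments, and a sanitizer for the sink's plane returns a plain string. The decorator names mirror the sketch; Untrusted, TaintError, the form dict and the greeting template are assumptions.

```python
import functools
import html


class Untrusted(str):
    """A string that arrived from outside; remembers where it came from."""

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj


class TaintError(TypeError):
    pass


def userinput(source):
    """Marks an input boundary: whatever the function returns is Untrusted."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            return Untrusted(fn(*args, **kwargs), source)
        return wrapper
    return deco


def output(target):
    """Marks a sink for one plane: refuses Untrusted arguments (shallow check)."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            for arg in list(args) + list(kwargs.values()):
                if isinstance(arg, Untrusted):
                    raise TaintError("untrusted %s data reached %s sink %s"
                                     % (arg.source, target, fn.__name__))
            return fn(*args, **kwargs)
        return wrapper
    return deco


def html_escape(data):
    """Sanitizer for the html plane. str methods return a plain str, so the
    Untrusted marker is dropped only by passing through here."""
    return html.escape(data, quote=True)


@userinput(source="webform")
def read_login_field(form):
    return form["login"]


@output(target="html")
def render_greeting(firstname):
    return "<p>Hello %s</p>" % firstname


def demo():
    """Constructed hostile form submission, first sent to the sink raw, then escaped."""
    form = {"login": "<script>alert(1)</script>Bob"}
    login = read_login_field(form)
    try:
        render_greeting(login)
        blocked = False
    except TaintError:
        blocked = True
    rendered = render_greeting(html_escape(login))
    return blocked, rendered


if __name__ == "__main__":
    print(demo())
```

The run-time check is the cheap part; the same annotations are what a reviewer or a static tool would look for to spot an @userinput value that reaches an @output sink without a sanitizer for that target in between.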
What do you use to communicate critical sections?
Would you use annotations?
Your requirements?
GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1
Host: msdn.microsoft.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.de/search?q=http+request+header+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cache-Control: max-age=0
Current approaches
• global XSS filter (HTML escapes) on/off
• default sanitation of all data
Not flexible enough!
Helping the framework
• machines are good at doing repetitive work!
• if they just knew enough...
Rich Types
• if we had a “firstname” type
• and one for “XML”
• and one for a “ebay-style post”
• we could do flexible validation/sanitation
What we’d get
• Types for SQL prepared statements
• Types for AntiSamy/Template engine
• Types for future backends
• Types/Constraints for forms (XForms?)
• rich constraints on complex types
What it’d look like
class MyTextField(models.Field):
    # may only contain <H1>
    sqlserializer = SQLFilter(type="html")          # to SQL
    htmlserializer = AntiSamy("H1Profile")          # to HTML
    validator = HtmlValidator(tagsAllowed=("h1",))
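A minimal working version of the rich-type idea, added here as an example rather than taken from the thesis or from Django: each field type validates its value on input and serializes it for each plane it can be written to (a bound SQL parameter, an HTML rendering with a per-type profile). RichField, FirstNameField, H1OnlyField, the in-memory Posts table and the tiny tag tokenizer standing in for AntiSamy's H1Profile are all assumptions.

```python
import html
import re
import sqlite3

# Tokenizer: a complete tag, a stray '<', or a run of text.
TAG_RE = re.compile(r"<[^>]*>|<|[^<]+")


class ValidationError(ValueError):
    pass


class RichField:
    """Base rich type: validated on construction, serialized per output plane."""

    def __init__(self, value):
        self.validate(value)
        self.value = value

    def validate(self, value):
        raise NotImplementedError

    def sql_param(self):
        """SQL plane: the value is always bound as a parameter, never spliced in."""
        return self.value

    def to_html(self):
        """HTML plane default: escape everything."""
        return html.escape(self.value, quote=True)


class FirstNameField(RichField):
    """A 'firstname' type: letters, apostrophes, hyphens and spaces only."""
    NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")

    def validate(self, value):
        if not self.NAME_RE.fullmatch(value):
            raise ValidationError("not a plausible first name: %r" % value)


class H1OnlyField(RichField):
    """Markup type that may contain only <h1> tags (the slide's H1Profile)."""
    ALLOWED = {"<h1>", "</h1>"}

    def validate(self, value):
        for tok in TAG_RE.findall(value):
            if tok.startswith("<") and tok.lower() not in self.ALLOWED:
                raise ValidationError("tag not allowed: %s" % tok)

    def to_html(self):
        # Allowed tags pass through verbatim; every text run is escaped.
        return "".join(tok if tok.lower() in self.ALLOWED else html.escape(tok, quote=True)
                       for tok in TAG_RE.findall(self.value))


def rejects(cls, value):
    """True if the type refuses the value at construction time."""
    try:
        cls(value)
    except ValidationError:
        return True
    return False


def store_and_render(field):
    """Round trip: bind into a constructed in-memory table, read back, render as HTML."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Posts (body TEXT)")
    con.execute("INSERT INTO Posts (body) VALUES (?)", (field.sql_param(),))
    stored = con.execute("SELECT body FROM Posts").fetchone()[0]
    return stored, type(field)(stored).to_html()


if __name__ == "__main__":
    print(store_and_render(FirstNameField("O'Brien")))
    print(store_and_render(H1OnlyField("<h1>Hi & bye</h1>")))
    print(rejects(H1OnlyField, "<h1>x</h1><script>alert(1)</script>"))
```

The value is stored unchanged; what differs per type is only how it is validated coming in and how it is rendered going out, which is exactly what a global on/off escape filter cannot express.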
Drawbacks
• needs decent infrastructure from the framework
• needs good type catalogue to be easy enough to use
• what about HTTP headers, cookies?
• simpler approaches available (Django)
Is it worth it?
Questions?
Thank You!
This presentation is licensed under a Creative Commons BY-SA license.
Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
Attribution for pictures through links.