Three OWASP Projects
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Asia Pacific Conference 2008
Three OWASP Projects
Michael Eddington, Leviathan Security, [email protected]
Contents
OWASP Encoding Project (Reform)
OWASP .NET Web Service Validation
Are You a Human
OWASP ENCODING PROJECT (REFORM)
Project 1
Cross-site Scripting, The problem…
Limited encoding support in frameworks
  What about JavaScript and VBScript?
  Only: & < > "
No 100% encoding solution
  Production quality
  Low to no patches
  Forward looking
  Internationalization support
The solution…Reform!
Best of breed output encoding library
Stable for 4 years
No security impacting bugs... EVER!
Conservative
Prevents all known XSS attacks
All major languages
Used extensively by internationalized sites
Extended Chinese character support
Design goals
Easy to use
Conservative
"Future proof"
No licensing restrictions
All major platforms supported
Internationalization support
How did we do?
In production use for 4 years
Zero security impacting bugs to date
All relevant cross-site scripting bugs to date prevented
  Standard
  New
  Browser bug based
Basis for Microsoft's AntiXss
Languages
ASP, ASP.NET (1.1, 2.0, 3.x), Java, JavaScript, Perl, PHP, Python, Ruby
How it works…
White list based
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  abcdefghijklmnopqrstuvwxyz
  0123456789
  Space [ ]
  Comma [,]
  Period [.]
Cross-site scripting Attacks
Standard XSS injection attacks
  HTML injection
  HTML attribute injection
  JavaScript injection
  Etc.
Unicode XSS attacks
Browser bugs or related libraries
Unicode
Specifications include optional behaviors
Specs not always 100% clear
Libraries built off different versions of specs
Libraries work differently
Typical Unicode XSS Attack
[Flow diagram, reconstructed from the slide]
1. Input: 0x00script0x00
2. ASP.NET (Unicode v2) sees the input as: ?script?
3. Output passes through unchanged: 0x00script0x00
4. Browser (Unicode v1) interprets the same characters as: <script>
Typical Unicode XSS Attack…Reformed
[Flow diagram, reconstructed from the slide]
1. Input: 0x00script0x00
2. ASP.NET (Unicode v2) sees the input as: ?script?
3. Reform encodes the output
4. Encoded output: script with both 0x00 characters turned into character references (the exact text is garbled in the source)
5. Browser (Unicode v1) renders: ?script?
Reform, the pros and cons
Pros
  Stable code base
  Low patch rate (1 in 4 years)
  Conservative approach
  Mitigates all known issues
Cons
  Performance impact
  Larger page size
Reform API
HtmlEncode(value, [default])
JsString(value, [default])
VbsString(value, [default])
HtmlEncode(value, [default])
Value                    Return
Mary had a little lamb   Mary had a little lamb
<evil>                   <evil>
Tom & Jerry              Tom & Jerry
"A famous quote"         "A famous quote"
한국 원본의 보기              한국 원본의 보기
(The slide shows the Return column as a browser renders it, so the encoded characters display exactly as the input did.)
JsString(value, [default])
Value                    Return
Mary had a little lamb   'Mary had a little lamb'
<evil>                   '\x3Cevil\x3E'
Tom & Jerry              'Tom \x26 Jerry'
"A famous quote"         '\x22A famous quote\x22'
한국 원본의 보기              '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'
VbsString(value, [default])
Value                    Return
Mary had a little lamb   "Mary had a little lamb"
<evil>                   chrw(60)&"evil"&chrw(62)
Tom & Jerry              "Tom "&chrw(38)&" Jerry"
"A famous quote"         chrw(34)&"A famous quote"&chrw(34)
한국 원본의 보기              chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)
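The white-list rule from "How it works" and the three API tables above, carried through in working code. This is an added example written for this transcript, not Reform's own source: it keeps the slide's allow-list (A-Z, a-z, 0-9, space, comma, period) and encodes everything else. The output formats are assumptions chosen to reproduce the slide's samples: HtmlEncode emits decimal character references, JsString emits \xNN below U+0100 and \uNNNN otherwise, and VbsString joins quoted runs to chrw() calls with "&". It also handles characters above U+FFFF, which the slides do not show, by splitting them into UTF-16 surrogate pairs.

```python
# Added example, not Reform's own code: an allow-list output encoder in the
# style of the slides. Only A-Z, a-z, 0-9, space, comma and period pass
# through; every other character is encoded for the target context.
# Assumed details: HtmlEncode emits decimal character references (&#NN;),
# JsString emits \xNN below U+0100 and \uNNNN otherwise, and VbsString
# builds the string from quoted runs joined to chrw() calls with "&".
SAFE = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789 ,."
)


def _utf16_units(ch):
    """UTF-16 code units for one character. Characters above U+FFFF become a
    surrogate pair, because JavaScript strings and VBScript chrw() are both
    16-bit; a single \\u escape could not carry them."""
    cp = ord(ch)
    if cp <= 0xFFFF:
        return [cp]
    cp -= 0x10000
    return [0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)]


def html_encode(value, default=""):
    """Encode for an HTML text or attribute context."""
    if value is None:
        value = default
    return "".join(ch if ch in SAFE else "&#%d;" % ord(ch) for ch in value)


def js_string(value, default=""):
    """Return a complete single-quoted JavaScript string literal."""
    if value is None:
        value = default
    out = ["'"]
    for ch in value:
        if ch in SAFE:
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02X" % ord(ch))
        else:
            out.extend("\\u%04X" % unit for unit in _utf16_units(ch))
    out.append("'")
    return "".join(out)


def vbs_string(value, default=""):
    """Return a VBScript expression that evaluates to the string: safe runs
    stay quoted, everything else becomes chrw(code) joined with '&'."""
    if value is None:
        value = default
    parts, run = [], []
    for ch in value:
        if ch in SAFE:
            run.append(ch)
            continue
        if run:
            parts.append('"%s"' % "".join(run))
            run = []
        parts.extend("chrw(%d)" % unit for unit in _utf16_units(ch))
    if run:
        parts.append('"%s"' % "".join(run))
    return "&".join(parts) if parts else '""'


if __name__ == "__main__":
    # Constructed samples: the slide's table rows (Korean text is
    # 한국 원본의 보기) plus the NUL-padded "script" payload from the Unicode
    # attack diagram, which comes out with both NULs encoded rather than raw.
    for sample in ["Mary had a little lamb", "<evil>", "Tom & Jerry",
                   '"A famous quote"',
                   "\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30",
                   "\x00script\x00"]:
        print(html_encode(sample), js_string(sample), vbs_string(sample), sep="\n")
```

The point of the allow-list design is visible in the NUL sample: the encoder never has to know which characters a particular browser or Unicode library treats as markup, because anything outside the short safe set is encoded regardless.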
.NET Web Controls
Questions? Michael Eddington
OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)
OWASP .NET WEB SERVICE VALIDATION
Project 2
The problem…
WSDL schema validation
Additional web method validation
Canoodle
Provides WSDL schema validation
Schematron-like assertions
Simple to use
Process flow
[Flow diagram, reconstructed from the slide]
Request Message -> Canoodle Validation
  Failure -> SOAP Fault response message
  Success -> WebMethod invocation -> Web Service -> Response Message
Partial Schematron support
Schema validation based on XPath queries
Assert support via attributes
  [Assert("//x > 10", "x greater than 10")]
  [Assert("//y < 100", "y less than 100")]
Usage Example
    [WebMethod]
    [Validation]
    [Assert("//t:x > 10", "x greater than 10")]
    [Assert("//t:y < 100", "y less than 100")]
    public void CreatePoint(int x, int y)
    {
        // ...
    }
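The process flow and the usage example above, worked through end to end. This is an added example written for this transcript, not Canoodle's own code: a validation layer that runs declared assertions over the SOAP request body and returns a SOAP Fault before the web method is ever invoked when one fails. It is written against the Python standard library rather than .NET, so two substitutions are assumed and labelled in the code: the service namespace "urn:example:points" (prefix "t") is hypothetical, and each assertion is an (element path, predicate, message) triple instead of a full XPath expression, since ElementTree has no XPath comparison operators.

```python
# Added example, not Canoodle's own code: a Canoodle-style validation layer
# for a SOAP web method. Assertions declared on the method are checked
# against the request before the method body runs; on failure a SOAP Fault
# is returned and the method is never invoked.
# Assumptions: the namespace "urn:example:points" (prefix "t") is
# hypothetical, and an assertion is (element path, predicate, message)
# rather than an XPath expression such as "//t:x > 10".
import functools
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP_NS, "t": "urn:example:points"}   # "t" binding is assumed
ET.register_namespace("soap", SOAP_NS)


def make_soap_fault(message):
    """Build a SOAP 1.1 client Fault carrying the failed assertion's message."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    fault = ET.SubElement(body, "{%s}Fault" % SOAP_NS)
    ET.SubElement(fault, "faultcode").text = "soap:Client"
    ET.SubElement(fault, "faultstring").text = message
    return ET.tostring(env, encoding="unicode")


def assert_request(path, predicate, message):
    """Declare one assertion, in the spirit of [Assert("//t:x > 10", "...")]."""
    def decorator(func):
        func.__dict__.setdefault("__assertions__", []).append((path, predicate, message))
        return func
    return decorator


def validation(func):
    """Run every declared assertion over the SOAP Body, then invoke func."""
    @functools.wraps(func)
    def wrapper(request_xml):
        try:
            body = ET.fromstring(request_xml).find("soap:Body", NS)
        except ET.ParseError:
            return make_soap_fault("request is not well-formed XML")
        if body is None:
            return make_soap_fault("missing SOAP Body")
        # functools.wraps shares func's __dict__ with wrapper, so the list is
        # found here whichever order the decorators were applied in.
        for path, predicate, message in wrapper.__dict__.get("__assertions__", []):
            node = body.find(path, NS)
            try:
                ok = node is not None and predicate(node.text or "")
            except (TypeError, ValueError):   # e.g. int() on non-numeric text
                ok = False
            if not ok:
                return make_soap_fault(message)
        return func(body)
    return wrapper


@validation
@assert_request("t:CreatePoint/t:x", lambda v: int(v) > 10, "x greater than 10")
@assert_request("t:CreatePoint/t:y", lambda v: int(v) < 100, "y less than 100")
def create_point(body):
    """The web method proper; only reached once every assertion has passed."""
    x = int(body.find("t:CreatePoint/t:x", NS).text)
    y = int(body.find("t:CreatePoint/t:y", NS).text)
    return "created point (%d, %d)" % (x, y)


def request_for(x, y):
    """Constructed sample CreatePoint request envelope (not captured traffic)."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body>'
        '<t:CreatePoint xmlns:t="urn:example:points"><t:x>%s</t:x><t:y>%s</t:y>'
        '</t:CreatePoint></soap:Body></soap:Envelope>' % (SOAP_NS, x, y)
    )


if __name__ == "__main__":
    print(create_point(request_for(42, 7)))      # method runs
    print(create_point(request_for(5, 7)))       # fault: x greater than 10
    print(create_point(request_for(42, "abc")))  # fault: y less than 100
```

A non-numeric value is treated as an assertion failure rather than letting the exception escape, which mirrors the slide's ordering: schema and assertion checks sit in front of the method, so malformed input produces a fault and never reaches application code.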
Performance Impact
Two request XML parses
  Validating
  Non-validating
Compiled XPath queries cached
Questions? Michael Eddington
.NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)
ARE YOU A HUMAN
Project 3
Are you a human…?
Captcha Examples
How to break via computer
How to break... other
What about... phones?
Are you a human?
http://areyouahuman.org
Service based, no upgrades needed
Multiple Captcha types
  Visual, Audio, SMS, etc.
Questions??? Michael Eddington
OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)
.NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)
Are you a human? (http://areyouahuman.org)