OWASP Asia Pacific Conference 2008
Three OWASP Projects
Michael Eddington, Leviathan Security Group ([email protected])

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation, http://www.owasp.org

Contents
* OWASP Encoding Project (Reform)
* OWASP .NET Web Service Validation
* Are You a Human

OWASP Project 1: OWASP Encoding Project (Reform)

Cross-site scripting, the problem...
* Limited encoding support in frameworks
  * What about JavaScript and VBScript?
  * Only & < > " are encoded
* No 100% encoding solution that is also:
  * Production quality
  * Low to no patches
  * Forward looking
  * Internationalization support

The solution... Reform!
* Best-of-breed output encoding library
* Stable for 4 years
* No security-impacting bugs... EVER!
* Conservative: prevents all known XSS attacks
* All major languages
* Used extensively by internationalized sites
  * Extended Chinese character support

Design goals
* Easy to use
* Conservative, "future proof"
* No licensing restrictions
* All major platforms supported
* Internationalization support

How did we do?
* In production use for 4 years
* Zero security-impacting bugs to date
* All relevant cross-site scripting bugs to date prevented
  * Standard
  * New
  * Browser-bug based
* Basis for Microsoft's AntiXss

Languages
* ASP
* ASP.NET (1.1, 2.0, 3.x)
* Java
* JavaScript
* Perl
* PHP
* Python
* Ruby

How it works...
* White-list based: only the following characters pass through unencoded, every other character is encoded
  * ABCDEFGHIJKLMNOPQRSTUVWXYZ
  * abcdefghijklmnopqrstuvwxyz
  * 0123456789
  * Space, comma [,], period [.]

Cross-site scripting attacks
* Standard XSS injection attacks
  * HTML injection
  * HTML attribute injection
  * JavaScript injection
  * Etc.
* Unicode XSS attacks
  * Browser bugs or related libraries

Unicode
* Specifications include optional behaviors
* Specs are not always 100% clear
* Libraries are built off different versions of the specs
* Libraries work differently

Typical Unicode XSS attack
1. Input sent to the application: 0x00script0x00
2. ASP.NET (Unicode v2 library) decodes it as ?script? and passes it through
3. Browser (Unicode v1 library) decodes the same bytes as <script>

Typical Unicode XSS attack... Reformed
1. Input sent to the application: 0x00script0x00
2. ASP.NET (Unicode v2 library) decodes it as ?script?
3. Reform encodes every non-white-listed character: output is ?script?
4. Browser (Unicode v1 library) sees ?script?, not <script>

Reform, the pros and cons
Pros
* Stable code base
* Low patch rate (1 in 4 years)
* Conservative approach
* Mitigates all known issues
Cons
* Performance impact
* Larger page size

Reform API
* HtmlEncode(value, [default])
* JsString(value, [default])
* VbsString(value, [default])

HtmlEncode(value, [default])
Value                    | Return
Mary had a little lamb   | Mary had a little lamb
<evil>                   | &#60;evil&#62;
Tom & Jerry              | Tom &#38; Jerry
"A famous quote"         | &#34;A famous quote&#34;
한국 원본의 보기          | &#54620;&#44397; &#50896;&#48376;&#51032; &#48372;&#44592;

JsString(value, [default])
Value                    | Return
Mary had a little lamb   | 'Mary had a little lamb'
<evil>                   | '\x3Cevil\x3E'
Tom & Jerry              | 'Tom \x26 Jerry'
"A famous quote"         | '\x22A famous quote\x22'
한국 원본의 보기          | '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'

VbsString(value, [default])
Value                    | Return
Mary had a little lamb   | "Mary had a little lamb"
<evil>                   | chrw(60)&"evil"&chrw(62)
Tom & Jerry              | "Tom "&chrw(38)&" Jerry"
"A famous quote"         | chrw(34)&"A famous quote"&chrw(34)
한국 원본의 보기          | chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)

.NET Web Controls

Questions?
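The three Reform encoders from the API tables above, reimplemented as an added example (this is not the Reform library's own code). It assumes the output forms the tables show: decimal character references for HTML, \xHH / \uHHHH escapes inside a single-quoted JavaScript literal, and chrw(N) expressions for VBScript; everything outside the white list is encoded, which is what stops the ?script? bytes from reaching the browser raw.

```python
# Added example, not Reform's own code. White-list encoders in the style the
# slides describe; the escape forms below are assumed from the sample outputs.

# The Reform white list: A-Z, a-z, 0-9, space, comma, period. Nothing else passes.
SAFE = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz"
                 "0123456789 ,.")


def html_encode(value, default=""):
    """Encode for HTML text or attribute content; None falls back to default."""
    s = default if value is None else str(value)
    return "".join(ch if ch in SAFE else "&#%d;" % ord(ch) for ch in s)


def js_string(value, default=""):
    """Return a single-quoted JavaScript string literal. Quotes, backslashes,
    angle brackets and line breaks are never emitted raw, so the literal cannot
    be closed early and '</script>' cannot appear inside it."""
    s = default if value is None else str(value)
    out = []
    for ch in s:
        cp = ord(ch)
        if ch in SAFE:
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        elif cp < 0x10000:
            out.append("\\u%04X" % cp)
        else:
            # Code points above the BMP need a UTF-16 surrogate pair in JS.
            hi, lo = divmod(cp - 0x10000, 0x400)
            out.append("\\u%04X\\u%04X" % (0xD800 + hi, 0xDC00 + lo))
    return "'%s'" % "".join(out)


def vbs_string(value, default=""):
    """Return a VBScript expression: white-listed runs in double quotes, every
    other character as chrw(N), joined with &. An empty value gives ""."""
    s = default if value is None else str(value)
    parts, run = [], []
    for ch in s:
        if ch in SAFE:
            run.append(ch)
            continue
        if run:
            parts.append('"%s"' % "".join(run))
            run = []
        parts.append("chrw(%d)" % ord(ch))
    if run:
        parts.append('"%s"' % "".join(run))
    return "&".join(parts) if parts else '""'
```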
Michael Eddington ([email protected])
OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)

OWASP Project 2: OWASP .NET Web Service Validation

The problem...
* WSDL schema validation
* Additional web method validation

Canoodle
* Provides WSDL schema validation
* Schematron-like assertions
* Simple to use

Process flow
1. Request message arrives
2. Canoodle validation
   * Success: WebMethod invocation, then the web service response message
   * Failure: SOAP fault response message

Partial Schematron support
* Schema validation based on XPath queries
* Assert support via attributes:
    [Assert("//x > 10", "x greater than 10")]
    [Assert("//y < 100", "y less than 100")]

Usage example
    [WebMethod]
    [Validation]
    [Assert("//t:x > 10", "x greater than 10")]
    [Assert("//t:y < 100", "y less than 100")]
    public void CreatePoint(int x, int y)
    {
        // ...
    }

Performance impact
* Two parses of the request XML
  * Validating
  * Non-validating
* Compiled XPath queries are cached

Questions?
Michael Eddington ([email protected])
.NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)

OWASP Project 3: Are You a Human

Are you a human...?

Captcha examples

How to break via computer

How to break... other

What about... phones?

Are you a human?
* http://areyouahuman.org
* Service based, no upgrades needed
* Multiple Captcha types
  * Visual
  * Audio
  * SMS
  * Etc.

Questions???
Michael Eddington ([email protected])
OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)
.NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)
Are you a human? (http://areyouahuman.org)