A Language-based Perspective on Web Application Security
Transcript of A Language-based Perspective on Web Application Security
Page 1
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
A Language-based Perspective on Web Application Security
Jonas Magazinius, Chapter co-leader, Chalmers University of Technology
2011-08-25
Page 2
Introduction
PhD at Chalmers, Language-based Security research group
Co-leader, OWASP Gothenburg local chapter
Security tweeter: @internot_
Page 3
Web Applications 15 Years Ago
[mock-up: a single page of placeholder text]
Same-Origin Policy
Page 4
Web Applications Today
[mock-up: a page of placeholder text]
Page 5
Mashups
Page 6
The Mashup Security Problem
[mock-up: a social "like" widget and a credit-card form on the same page]
    1337 of your friends like this
    Enter credit card: 1234 5678 9012 3456
Page 7
Language-based Security

    public = secret + 1;        // Secret → Public (explicit flow)

    if (secret) {               // Secret → Public (implicit flow: the value of
        public = true;          // public reveals which branch secret selected)
    } else {
        public = false;
    }

Both flows move Secret data into a Public variable; allowing either requires declassification.
Escapes: {"secret+1": Public}
Page 8
A Language-based Approach
[diagram; labels: Public, Public]
Page 9
Enforcement

Static analysis
    secret = false;
    if (secret) {
        public = true;
    }
    alert(public);

Dynamic analysis
    secret = false;
    if (secret) {
        public = true;
    }
    alert(public);

The same program under both: static analysis reasons about both branches without running the code, so it sees that public depends on secret; dynamic analysis only observes the path actually executed, and here the assignment inside the branch never runs.
Page 10
Label example
    Public: {owner: 'chalmers.se', readers: ['google.com']}

Shadow variables
    x = expr;            *x = lev(expr);
    if (x) {
        y = expr;        *y = lev(x + expr);
    }

Native support?
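The explicit and implicit flows from the "Language-based Security" slide, the static-versus-dynamic contrast on the "Enforcement" slide, and the shadow variables on this slide can be tried out in the following added example. It is not code from the talk or from the speaker's research group; it is a small dynamic information-flow monitor in JavaScript in which every variable carries a shadow label, branch conditions raise a program-counter label so implicit flows are caught, and alert() is the public sink. Two things are assumptions that go beyond the slide: labels form a two-point lattice (LOW/HIGH) rather than the owner/readers objects shown above, and an optional "no-sensitive-upgrade" (NSU) rule, which the slide does not mention, is included to show why naive dynamic label tracking is unsound on a program in which the secret leaks without any assignment executing under a secret branch.

```javascript
// Added example (not from the talk): a dynamic information-flow monitor with
// shadow labels. Assumptions: a two-point lattice LOW < HIGH instead of the
// slide's owner/readers labels, and an optional no-sensitive-upgrade (NSU)
// rule that the slide does not mention.
const LOW = 0;   // public
const HIGH = 1;  // secret
const join = (a, b) => Math.max(a, b);

class Monitor {
  constructor({ noSensitiveUpgrade = false } = {}) {
    this.nsu = noSensitiveUpgrade;
    this.vars = new Map();  // name -> { value, label }; label is the shadow *name
    this.pcStack = [LOW];   // labels of the conditions of the enclosing branches
    this.output = [];       // everything the public observer has seen via alert()
  }
  get pc() { return this.pcStack[this.pcStack.length - 1]; }

  declare(name, value, label) { this.vars.set(name, { value, label }); }

  read(name) {
    const v = this.vars.get(name);
    if (v === undefined) throw new Error(`undeclared variable ${name}`);
    return v;
  }

  // name = f(deps...)   with   *name = lev(deps) joined with the pc label
  assign(name, deps, f) {
    const args = deps.map(d => this.read(d));
    const label = args.reduce((l, a) => join(l, a.label), this.pc);
    const old = this.vars.get(name);
    // NSU: refuse to write a public variable inside a secret branch. Raising
    // its label here would itself depend on the secret, and the absence of
    // that raise in the other branch is exactly what a naive monitor misses.
    if (this.nsu && old !== undefined && old.label === LOW && this.pc === HIGH) {
      throw new Error(`NSU violation: ${name} written under a secret pc`);
    }
    this.vars.set(name, { value: f(...args.map(a => a.value)), label });
  }

  // if (cond) { thenBody } else { elseBody }; both bodies run under pc joined with *cond
  branch(cond, thenBody, elseBody = () => {}) {
    const c = this.read(cond);
    this.pcStack.push(join(this.pc, c.label));
    try { (c.value ? thenBody : elseBody)(); } finally { this.pcStack.pop(); }
  }

  // alert(name) is the public sink: only LOW data under a LOW pc may reach it
  alert(name) {
    const v = this.read(name);
    if (join(v.label, this.pc) === HIGH) throw new Error(`blocked: ${name} is secret`);
    this.output.push(v.value);
  }
}

// Run a program against a fresh monitor and report what the observer saw.
function observe(program, opts) {
  const m = new Monitor(opts);
  try { program(m); return { stopped: false, seen: m.output }; }
  catch (e) { return { stopped: true, seen: m.output, reason: e.message }; }
}

// Explicit flow from the "Language-based Security" slide: public = secret + 1
function explicitFlow(m, secret) {
  m.declare('secret', secret, HIGH);
  m.declare('public', 0, LOW);
  m.assign('public', ['secret'], s => s + 1);  // *public becomes HIGH
  m.alert('public');                            // blocked by the monitor
}

// Implicit flow from the "Enforcement" slide:
//   secret = ...; if (secret) { public = true; } alert(public);
function implicitFlow(m, secret) {
  m.declare('secret', secret, HIGH);
  m.declare('public', false, LOW);
  m.branch('secret', () => m.assign('public', [], () => true));
  m.alert('public');
}

// The classic two-branch program that defeats naive dynamic tracking:
//   x = true; y = true; if (secret) { x = false; } if (x) { y = false; } alert(y);
// y ends up equal to secret, yet y is never assigned under a secret pc, so
// without NSU its label stays LOW and alert(y) shows the secret.
function twoBranchLeak(m, secret) {
  m.declare('secret', secret, HIGH);
  m.declare('x', true, LOW);
  m.declare('y', true, LOW);
  m.branch('secret', () => m.assign('x', [], () => false));
  m.branch('x', () => m.assign('y', [], () => false));
  m.alert('y');
}

// Stand-alone demo: each program, each secret value, naive monitor versus NSU.
for (const [name, prog] of [['explicit', explicitFlow], ['implicit', implicitFlow], ['two-branch', twoBranchLeak]]) {
  for (const secret of [true, false]) {
    console.log(`${name} secret=${secret}`,
      'naive:', JSON.stringify(observe(m => prog(m, secret))),
      'NSU:', JSON.stringify(observe(m => prog(m, secret), { noSensitiveUpgrade: true })));
  }
}
```

Running the block prints, for each program and each secret value, what a public observer sees under the naive monitor and under NSU. The explicit flow is always blocked at alert(), and the slide's implicit-flow program is handled by pc tracking alone. With the two-branch program the naive monitor lets alert(y) show exactly the secret, because the only assignment under a secret pc is to x, and y is then assigned under a public pc. NSU halts the secret=true run at the write to x before anything is shown; the remaining difference between the two runs (halt versus no halt) is the termination channel that purely dynamic monitors accept.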
Page 11
On-the-fly Rewriting

Unsafe code → Transformation (Policy) → Safe monitored code (Monitor)
No assumptions about programming practices
No change to the runtime environment is needed
Information flow: security label tracking
Page 12
A Language-based Approach
[diagram; labels: Public, Public]
Page 13
Where Are We Now?
ECMAScript 5
DOM interaction
Events
Integrity

THANK YOU!