Three OWASP Projects Michael Eddington Leviathan Security Group mike@leviathansecurity.com
Contents • OWASP Encoding Project (Reform) • OWASP .NET Web Service Validation • Are You a Human
Project 1 OWASP Encoding Project (Reform)
Cross-site Scripting, The problem… • Limited encoding support in frameworks • What about Javascript and VBScript? • Only: & < > “ • No 100% encoding solution • Production quality • Low to no patches • Forward looking • Internationalization support
The solution…Reform! • Best of breed output encoding library • Stable for 4 years • No security impacting bugs…EVER! • Conservative • Prevents all known XSS attacks • All major languages • Used extensively by internationalized sites • Extended Chinese character support
Design goals • Easy to use • Conservative • “Future Proof” • No licensing restrictions • All major platforms supported • Internationalization support
How did we do? • In production use for 4 years • Zero security impacting bugs to date • All relevant cross-site scripting bugs to date prevented • Standard • New • Browser bug based • Basis for Microsoft’s AntiXss
Languages • ASP • ASP.NET (1.1, 2.0, 3.x) • Java • JavaScript • Perl • PHP • Python • Ruby
How it works… • White list based • ABCDEFGHIJKLMNOPQRSTUVWXYZ • abcdefghijklmnopqrstuvwxyz • 0123456789 • Space [ ] • Comma [,] • Period [.]
Cross-site scripting Attacks • Standard XSS injection attacks • HTML injection • HTML attribute injection • Javascript injection • Etc. • Unicode XSS attacks • Browser bugs or related libraries
Unicode • Specifications include optional behaviors • Specs not always 100% clear • Libraries built off different versions of specs • Libraries work differently
Typical Unicode XSS Attack (diagram)
1. Input: ?script?
2. ASP.NET (Unicode v2): 0x00script0x00
3. Sent to the browser: 0x00script0x00
4. Browser (Unicode v1): <script>
Typical Unicode XSS Attack…Reformed (diagram)
1. Input: ?script?
2. ASP.NET (Unicode v2): 0x00script0x00
3. Reform
4. Output: {script|
5. Browser (Unicode v1): ?script?
Reform, the pros and cons
Pros • Stable code base • Low patch rate (1 in 4 years) • Conservative approach • Mitigates all known issues
Cons • Performance impact • Larger page size
Reform API • HtmlEncode(value, [default]) • JsString(value, [default]) • VbsString(value, [default])
HtmlEncode(value, [default]) (return values shown as rendered on the slide)
Value                    Return
Mary had a little lamb   Mary had a little lamb
<evil>                   <evil>
Tom & Jerry              Tom & Jerry
"A famous quote"         "A famous quote"
한국 원본의 보기           한국 원본의 보기
JsString(value, [default])
Value                    Return
Mary had a little lamb   'Mary had a little lamb'
<evil>                   '\x3Cevil\x3E'
Tom & Jerry              'Tom \x26 Jerry'
"A famous quote"         '\x22A famous quote\x22'
한국 원본의 보기           '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'
VbsString(value, [default])
Value                    Return
Mary had a little lamb   "Mary had a little lamb"
<evil>                   chrw(60)&"evil"&chrw(62)
Tom & Jerry              "Tom "&chrw(38)&" Jerry"
"A famous quote"         chrw(34)&"A famous quote"&chrw(34)
한국 원본의 보기           chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)
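The three Reform encoders, reimplemented in Python as an added example that is not Reform's own source, built from the whitelist on the "How it works" slide. It assumes HtmlEncode emits decimal numeric entities for everything outside the whitelist (the slide viewer rendered those entities back to plain text), that JsString uses \xHH below U+0100 and \uHHHH for other BMP characters, and that VbsString joins quoted whitelist runs with chrw() calls; it also goes one step beyond the slides by splitting code points above U+FFFF into a UTF-16 surrogate pair in JsString, since a JavaScript \u escape can only carry 16 bits.

```python
# Added example: Reform-style whitelist encoders. Not Reform's own source.
# Whitelist from the "How it works" slide: letters, digits, space, comma, period.
WHITELIST = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789 ,."
)


def _coerce(value, default):
    # Every encoder takes an optional default that is used when value is None.
    return str(default if value is None else value)


def html_encode(value, default=""):
    """Whitelist characters pass through; everything else becomes a decimal
    numeric entity (assumed output format). Because the decision is made per
    code point, the Korean sample is encoded rather than passed through."""
    return "".join(
        ch if ch in WHITELIST else "&#%d;" % ord(ch)
        for ch in _coerce(value, default)
    )


def js_string(value, default=""):
    """Returns a single-quoted JavaScript string literal. Characters below
    U+0100 use \\xHH, other BMP characters use \\uHHHH; code points above
    U+FFFF (an extension not shown on the slides) become a surrogate pair."""
    out = []
    for ch in _coerce(value, default):
        cp = ord(ch)
        if ch in WHITELIST:
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        elif cp <= 0xFFFF:
            out.append("\\u%04X" % cp)
        else:
            cp -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "'" + "".join(out) + "'"


def vbs_string(value, default=""):
    """Returns a VBScript expression: runs of whitelist characters as quoted
    literals, every other character as chrw(N), all joined with '&'."""
    parts, run = [], []
    for ch in _coerce(value, default):
        if ch in WHITELIST:
            run.append(ch)
        else:
            if run:
                parts.append('"%s"' % "".join(run))
                run = []
            parts.append("chrw(%d)" % ord(ch))
    if run:
        parts.append('"%s"' % "".join(run))
    return "&".join(parts) if parts else '""'


if __name__ == "__main__":
    for sample in ["Mary had a little lamb", "<evil>", "Tom & Jerry",
                   '"A famous quote"', "한국 원본의 보기"]:
        print(html_encode(sample))
        print(js_string(sample))
        print(vbs_string(sample))
```

Because the whitelist is closed, a null byte, a curly brace or any character a browser's Unicode library might fold into `<` is encoded rather than passed through, which is what makes the approach conservative at the cost of larger pages.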
Questions? • Michael Eddington (mike@leviathansecurity.com) • OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)
Project 2 OWASP .NET Web Service Validation
The problem… • WSDL Schema validation • Additional web method validation
Canoodle • Provides WSDL schema validation • Schematron like assertions • Simple to use
Process flow (diagram)
Request Message → Canoodle Validation
  Success → WebMethod Invocation → Web Service Response Message
  Failure → SOAP Fault Response Message
Partial Schematron support • Schema validation based on XPath queries • Assert support via attributes: [Assert("//x > 10", "x greater than 10")] [Assert("//y < 100", "y less than 100")]
Usage Example
    [WebMethod]
    [Validation]
    [Assert("//t:x > 10", "x greater than 10")]
    [Assert("//t:y < 100", "y less than 100")]
    public void CreatePoint(int x, int y)
    {
        // ...
    }
Performance Impact • Two request XML parses • Validating • Non-validating • Compiled xpath queries cached
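An added Python sketch of the process flow and the Schematron-like assertions from the slides above; it is not Canoodle's code (which is .NET). Each request is parsed, the [Assert] tests are evaluated against the parsed message with XPath node-set semantics, and a failing request gets a SOAP Fault instead of reaching the web method. It assumes a hypothetical `t` namespace (urn:example:points), supports only the `//prefix:name OP number` form of test used on the slides (a real deployment would compile full XPath), leaves out the WSDL schema validation pass, and caches parsed tests the way the slides describe caching compiled XPath queries. The request messages are constructed for the example.

```python
# Added example: Canoodle-style request validation, not Canoodle's own code.
import functools
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Hypothetical namespace behind the 't' prefix used in the slide's assertions.
NSMAP = {"t": "urn:example:points"}

# Only the simple test form used on the slides: //prefix:name OP number
_TEST = re.compile(r"^//(\w+):(\w+)\s*(<=|>=|!=|<|>|=)\s*(-?\d+(?:\.\d+)?)$")
_OPS = {
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


@functools.lru_cache(maxsize=None)
def compile_test(test):
    """Parse a test once and cache it (stands in for the compiled-XPath cache)."""
    m = _TEST.match(test)
    if not m:
        raise ValueError("unsupported assertion test: %r" % test)
    prefix, local, op, num = m.groups()
    return "{%s}%s" % (NSMAP[prefix], local), _OPS[op], float(num)


def assertion_holds(test, root):
    """XPath node-set comparison semantics: true if ANY matching element's
    numeric value satisfies the comparison; false when no element matches
    or when its text is not numeric. A missing field therefore fails closed."""
    tag, op, num = compile_test(test)
    for node in root.iter(tag):
        try:
            if op(float(node.text or ""), num):
                return True
        except ValueError:
            continue
    return False


def soap_fault(messages):
    """Client fault carrying the assertion messages of every failed test."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body><soap:Fault>'
        "<faultcode>soap:Client</faultcode>"
        "<faultstring>Validation failed: %s</faultstring>"
        "</soap:Fault></soap:Body></soap:Envelope>" % (SOAP_NS, escape("; ".join(messages)))
    )


def validation(*assertions):
    """Decorator standing in for [Validation] plus the [Assert(test, message)]
    attributes: run every assertion over the parsed request, fault on failure."""
    def decorate(web_method):
        @functools.wraps(web_method)
        def wrapper(request_xml):
            root = ET.fromstring(request_xml)
            failures = [msg for test, msg in assertions if not assertion_holds(test, root)]
            if failures:
                return soap_fault(failures)          # Failure branch of the flow
            return web_method(root)                  # Success: invoke the WebMethod
        return wrapper
    return decorate


@validation(("//t:x > 10", "x greater than 10"),
            ("//t:y < 100", "y less than 100"))
def create_point(root):
    x = root.find(".//{%s}x" % NSMAP["t"]).text
    y = root.find(".//{%s}y" % NSMAP["t"]).text
    return "<CreatePointResponse>point(%s, %s)</CreatePointResponse>" % (x, y)


def request(body_children):
    """Constructed SOAP request wrapping the given CreatePoint parameters."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body>'
        '<t:CreatePoint xmlns:t="%s">%s</t:CreatePoint>'
        "</soap:Body></soap:Envelope>" % (SOAP_NS, NSMAP["t"], body_children)
    )


if __name__ == "__main__":
    print(create_point(request("<t:x>42</t:x><t:y>7</t:y>")))
    print(create_point(request("<t:x>5</t:x><t:y>7</t:y>")))
```

The node-set semantics matter for the defender: `//t:x > 10` is false when `x` is absent or non-numeric, so a request that omits or mangles a field never reaches the web method, and the fault names every failed assertion rather than only the first.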
Questions? • Michael Eddington (mike@leviathansecurity.com) • .NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)
Project 3 Are you a Human
Captcha Examples (image slide)
How to break via computer (image slide)
What about…phones? (image slide)
Are you a human? • http://areyouahuman.org • Service based, no upgrades needed • Multiple Captcha types • Visual • Audio • SMS • Etc.
Questions??? • Michael Eddington (mike@leviathansecurity.com) • OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project) • .NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation) • Are you a human? (http://areyouahuman.org)