Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byLouise Mills Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP Europe Conference 2008 OWASP AntiSamy Project Jason Li Senior Application Security Engineer jason.li@aspectsecurity.com

2 OWASP Who are you people?  Jason Li is a ballroom dancing, 10-pin bowling maniac  Senior Application Engineer @ Aspect Security  OWASP AntiSamy Contributor  Arshan Dabirsiaghi is a soccer playing, video game rock star  Director of R&D @ Aspect Security  OWASP AntiSamy Creator and Project Lead  Together, they fight crime.

3 OWASP Talk Outline  What is OWASP AntiSamy?  Why did you make it?  How does it work?  When is it going to do more?  Let’s see it!

4 OWASP What is OWASP AntiSamy?  An HTML validation tool and API  Currently a Beta Status Project. Started as an OWASP Spring of Code 2007  Uses a positive security model  Takes HTML/CSS from unknown sources and returns a cleaned version that retains all formatting

5 OWASP Why did you make it?  Websites need user created content:  User generated content can contain XSS attacks User Customized Profiles (ex. MySpace, FaceBook) Public Listings (ex. eBay, Craigslist) Content Management Systems (ex. Drupal, Magnolia) Rich Comments (ex. Blogs, News Site)

6 OWASP What is XSS?  General Problem:  Site takes input that is included in HTML sent to user  Attacker crafts malicious script as the input  Victim has malicious script run in browser  Game Over.  Two types of XSS:  Reflected XSS – attacker tricks victims into clicking a link containing a malicious attack  Stored XSS – attacker stores an attack that victims later stumble upon

7 OWASP Reflected XSS - Illustrated Check out this cool link!!! http://www.example.com/search? alert(‘bang!’) attacker@evil.cominnocent@victim.com Email / Instant Message

8 OWASP Reflected XSS - Illustrated GET /search? alert(‘bang!’) 2.0P/1.1 User-Agent: InterOperFireFari/4.04 Cookie: SESSION_COOKIE: QXJzaGFuIGlzIG15IGhlcm8=; innocent@victim.com HTTP / HTTPS www.example.com

9 OWASP Reflected XSS - Illustrated … You searched for: alert(‘bang!’) … innocent@victim.com HTTP / HTTPS www.example.com

10 OWASP Stored XSS - Illustrated POST /comment? alert(‘bang!’) 2.0P/1.1 User-Agent: InterOperFireFari/4.04 Cookie: SESSION_COOKIE: QXJzaGFuIGlzIG15IGhlcm8=; attacker@evil.com HTTP / HTTPS www.example.com

11 OWASP Stored XSS - Illustrated … Headline News (Waffles, BE): … attacker@evil.com Says: alert(‘bang!’) … innocent@victim.com HTTP / HTTPS www.example.com sacrificial@lamb.com

12 OWASP But That’ll Never Happen to Me!  GMail has cookies stolen via XSS in Google Spreadsheets (April 2008)  U.S. Presidential Candidate Barrack Obama has supporters redirected to Hillary Clinton’s site via XSS (April 2008)  MySpace profiles hijacked via Samy Worm (October 2005)

13 OWASP The Samy Worm  MySpace is a popular social networking website  Users create custom profiles  Includes use of HTML  JavaScript, quotes, and other potentially dangerous characters stripped out by MySpace filters  Link profiles with “friends” (mutually authorized)

14 OWASP The Samy Worm (continued)  Samy wanted to make friends  Used his profile to store an XSS attack  Circumvents JavaScript stripping with: “ java\nscript ”  Generates quotes using: String.fromCharCode(34)

15 OWASP The Samy Worm (continued)  Anyone viewing Samy’s profile:  Made Samy their “friend” (actually, their “hero”)  Had their profile changed to store and perpetuate the attack  10 hours – 560 friends, 13 hours – 6400, 18 hours – 1,000,000, 19 hours – site is down

16 OWASP What If I…  Just strip out tags (i.e. blacklist)!  Requires constant update  Provides low assurance (ex. Samy Worm)  Use a JavaScript editor! (ex. TinyMCE or FCKEditor)  Client side validation easily circumvented  Requires matching server side validation  Use another markup language (ex. BBCode)  Lose richness of HTML  Flawed parsers can allow same attacks

17 OWASP What If I…  Encode text and decode selected tags  Good for small set of formatting tags (ex. em, strong)  For rich HTML, must enumerate all desired tags  Loss of attributes, including style attributes which are a primary source of formatting  Use XSL Transformations  Flexible implementation – wide variety of parsers  Does not provide corrective feedback to user  Difficult to parse style formatting

18 OWASP So What Makes AntiSamy Better?  High Level of Assurance  Settings are safe by default  Unaffected by new standards/tags  Usability  Easy to use API  Custom policy provides flexibility for desired behavior  Validation engine provides feedback to users  Works with broken HTML and CSS

19 OWASP How does it work? Turn HTML into XMLScan Each NodeTake Responsive Action

20 OWASP How does it work? (cont)  Uses Neko HTML Parser to clean XML  Allows creation of DOM  Removes fragmenting attacks  Provides sanitized HTML Turn HTML into XML

21 OWASP How does it work? (cont)  Scan each node against policy file  Policy file defines corresponding action for tag Scan Each Node

22 OWASP How does it work? (cont)  Filter – Promotes content but erases tag  Truncate – Strips all attributes and child tags  Remove – Deletes the entire node  Validate – Validates the tag against policy file *special behavior for style tags/attributes Take Responsive Action

23 OWASP How does it work? (cont) Parse Parse CSS using SAC (Simple API for CSS) SAC is event-driven (a la SAX) Validate Validate selector names against policy Validate property values against policy Serialize Remove failed properties and selectors Canonicalize style output Stylesheet Behavior

24 OWASP How does it work? (cont) body p img src=“…” script src=“…” (text) b onclick=“…” (text) This is so cool!! Clean via Neko

25 OWASP How does it work? (cont) body p img src=“…” script src=“…” (text) b antisamy-policy.xml onclick=“…”

26 OWASP How does it work? (cont)  Clean Result:  Error Messages: The onclick attribute of the b tag has been removed for security reasons. This removal should not affect the display of the HTML submitted. The script tag has been removed for security reasons. This is so cool!!

27 OWASP How do I use it?  AntiSamy class:  scan(taintedHtml[, policy]) – CleanResults  CleanResults class:  getCleanHTML() – String  getCleanXMLDocumentFragment() – DocumentFragment  getScanTime() – double  getErrorMessages() – ArrayList

28 OWASP How do I use it? (cont)

29 OWASP That’s nice, but I don’t want…  Policy allows customization based on site policy  Policy file consists of:  Directives  Common Regular Expressions  Common Attributes  Global Tag Attributes  Tag Rules  CSS Rules

30 OWASP That’s nice, but I don’t want…  I don’t want users to:  Have offsite images  Use HTML tags  I don’t want to do any work  Standard policy file is safe by default  Multiple policy files for typical use cases available (eBay, MySpace, Slashdot, anything goes)

31 OWASP OK, I’m sold – where do I get it?  Project Homepage: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project  Source Code: http://code.google.com/p/owaspantisamy/ http://code.google.com/p/owaspantisamy/  Over 3,000 downloads of AntiSamy resources since project was released

32 OWASP Demo Time

33 OWASP Demo Time (JavaScript tests)  Standard XSS Attacks  RSnake’s cheat sheet  Solution: Already defended against in default policy files

34 OWASP Demo Time – Absolute Div Overlay  Create a div in our profile that overlays the entire page (or a subsection)  Extremely effective phishing vector  SSL certificate is valid  Look and feel matches expectations  Solution: Add a stylesheet rule in the policy file to whitelist allowed position values

35 OWASP Demo Time – Div Hijacking  Redefine an existing div “above” our profile  Most stylesheets defined at the beginning of the page in or “at the top”  Solution: Blacklist the IDs and selector names used by site to prevent the user from modifying them

36 OWASP Demo Time – Base Hijacking  Insert a tag to hijack internal resources  Used to define a base for all relative URLs on the page  Isn’t used a whole lot as it doesn’t work within javascript & some other issues  Solution: remove tag from policy file

37 OWASP When is it going to do more? (cont)  Version 1.1.1 released April 17, 2008  Java 1.4 compatible  HTML entities recognized using (X)HTMLSerializer  Added XHTML support  Input/Output encoding can now be specified  Policy files internationalized  Incorporated into OWASP ESAPI project

38 OWASP When is it going to do more?  Support For Other languages: .NET version in development as part of OWASP Summer of Code 2008  PHP version is ongoing in coordination with Zend  ColdFusion support through native Java interface  Future Features:  Internationalization of error messages  Full CSS2 support

39 OWASP Thanks  Arshan Dabirsiaghi for bringing me into the project  Jeff Williams, Gareth Heyes, Michael Coates, Joel Worral, Raziel Alvarez for helping improve AntiSamy  OWASP for its continued support of the project

40 OWASP Questions?

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.
Tutorial 6 Creating a Web Form

Tutorial 6 Creating a Web Form
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.

A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.
Copyright © 2009 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
HTML5 and CSS3 Illustrated Unit B: Getting Started with HTML

HTML5 and CSS3 Illustrated Unit B: Getting Started with HTML
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Python and Web Programming

Python and Web Programming
Tutorial 3: Adding and Formatting Text. 2 Objectives Session 3.1 Type text into a page Copy text from a document and paste it into a page Check for spelling.

Tutorial 3: Adding and Formatting Text. 2 Objectives Session 3.1 Type text into a page Copy text from a document and paste it into a page Check for spelling.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Javascript and the Web Whys and Hows of Javascript.

Javascript and the Web Whys and Hows of Javascript.

Similar presentations

Ads by Google