Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP OWASP Asia Pacific Conference 2008 Three OWASP Projects Michael Eddington Leviathan Security Group

OWASP Contents  OWASP Encoding Project (Reform)  OWASP.NET Web Service Validation  Are You a Human

OWASP OWASP ENCODING PROJECT (REFORM) Project 1

OWASP Cross-site Scripting, The problem…  Limited encoding support in frameworks  What about Javascript and VBScript?  Only: & “  No 100% encoding solution  Production quality  Low to no patches  Forward looking  Internationalization support

OWASP The solution…Reform!  Best of bread output encoding library  Stable for 4 years  No security impacting bugs…EVER!  Conservative  Prevents all known XSS attacks  All major languages  Used extensively by internationalized sites  Extended Chinese character support

OWASP Design goals  Easy to use  Conservative  “Future Proof”  No licensing restrictions  All major platforms supported  Internationalization support

OWASP How did we do?  In production use for 4 years  Zero security impacting bugs to date  All relevant cross-site scripting bugs to date prevented  Standard  New  Browser bug based  Basis for Microsoft’s AntiXss

OWASP Languages  ASP  ASP.NET (1.1, 2.0, 3.x)  Java  JavaScript  Perl  PHP  Python  Ruby

OWASP How it works…  White list based  ABCDEFGHIJKLMNOPQRSTUVWXYZ  abcdefghijklmnopqrstuvwxyz   Space [ ]  Comma [,]  Period [.]

OWASP Cross-site scripting Attacks  Standard XSS injection attacks  HTML injection  HTML attribute injection  Javascript injection  Etc.  Unicode XSS attacks  Browser bugs or related libraries

OWASP Unicode  Specifications include optional behaviors  Specs not always 100% clear  Libraries built off different versions of specs  Libraries work differently

OWASP Typical Unicode XSS Attack 0x00script0x ASP.NET Unicode v2 2 ?script? Unicode v1 Browser 4

OWASP Typical Unicode XSS Attack…Reformed 0x00script0x00 1 {script| 4 ASP.NET Unicode v2 2 ?script? Unicode v1 Browser ?script? 5 Reform 3

OWASP Reform, the pros and cons Pros  Stable code base  Low patch rate (1 in 4 years)  Conservative approach  Mitigates all known issues Cons  Performance impact  Larger page size

OWASP Reform API  HtmlEncode(value, [default])  JsString(value, [default])  VbsString(value, [default])

OWASP HtmlEncode(value, [default]) Value  Mary had a little lamb   Tom & Jerry  “A famous quote”  한국 원본의 보기 Return  Mary had a little lamb  <evil>  Tom & Jerry  "A famous quote"  한국 원본&#51 032; 보기

OWASP JsString(value, [default]) Value  Mary had a little lamb   Tom & Jerry  “A famous quote”  한국 원본의 보기 Return  'Mary had a little lamb'  '\x3Cevil\x3E'  'Tom \x26 Jerry'  '\x22A famous quote\x22'  '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'

OWASP VbsString(value, [default]) Value  Mary had a little lamb   Tom & Jerry  “A famous quote”  한국 원본의 보기 Return  "Mary had a little lamb"  chrw(60)&"evil"&chrw(62)  "Tom "&chrw(38)&" Jerry"  chrw(34)&"A famous quote"&c  chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)& chrw(51032)&" "&chrw(48372)&chrw(44592)hr w(34)

OWASP.NET Web Controls

OWASP Questions?  Michael Eddington  OWASP Encoding Project ( ASP_Encoding_Project) ASP_Encoding_Project

OWASP OWASP.NET WEB SERVICE VALIDATION Project 2

OWASP The problem…  WSDL Schema validation  Additional web method validation

OWASP Canoodle  Provides WSDL schema validation  Schematron like assertions  Simple to use

OWASP Process flow Request Message SOAP Fault Response Message SOAP Fault Response Message WebMethod Invocation Web Service Response Message Canoodle Validation Failure Success

OWASP  Partial Schematron support  Schema validation based on xpath queries  Assert support via Attributes [Assert(“//x > 10”, “x greater than 10”)] [Assert(“//y < 100”, “y less than 100”)]

OWASP Usage Example [WebMethod] [Validation] [Assert("//t:x > 10", "x greater then 10")] [Assert("//t:y < 100", "y less then 100")] public void CreatePoint(int x, int y) { //... } 1 2

OWASP Performance Impact  Two request XML parses  Validating  Non-validating  Compiled xpath queries cached

OWASP Questions?  Michael Eddington .NET Web Service Validation ( ervice_Validation) ervice_Validation

OWASP ARE YOU A HUMAN Project 3

OWASP Are you a human…?

OWASP Captcha Examples

OWASP How to break via computer

OWASP How to break…other

OWASP What about…phones?

OWASP Are you a human?   Service based, no upgrades needed  Multiple Captcha types  Visual  Audio  SMS  Etc.

OWASP Questions???  Michael Eddington  OWASP Encoding Project ( ASP_Encoding_Project) ASP_Encoding_Project .NET Web Service Validation ( ervice_Validation) ervice_Validation  Are you a human? (