Download presentation
Presentation is loading. Please wait.
1
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP Europe Conference 2008 OWASP Encoding Project.NET WebService validation Michael Eddington Leviathan Security Group mike@leviathansecurity.com
2
OWASP Contents OWASP Encoding Project (Reform) OWASP.NET Web Service Validation
3
OWASP Cross-site Scripting, The problem… Limited encoding support in frameworks What about Javascript and VBScript? Only: & “ No 100% encoding solution Production quality Low to no patches Forward looking Internationalization support
4
OWASP The solution…Reform! Best of bread output encoding library Stable for 4 years No security impacting bugs…EVER! Conservative Prevents all known XSS attacks All major languages Used extensively by internationalized sites Extended Chinese character support
5
OWASP Design goals Easy to use Conservative “Future Proof” No licensing restrictions All major platforms supported Internationalization support
6
OWASP How did we do? In production use for 4 years Zero security impacting bugs to date All relevant cross-site scripting bugs to date prevented Standard New Browser bug based Basis for Microsoft’s AntiXss
7
OWASP Languages ASP ASP.NET (1.1, 2.0, 3.x) Java JavaScript Perl PHP Python Ruby
8
OWASP How it works… White list based ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz 0123456789 Space [ ] Comma [,] Period [.]
![OWASP How it works… White list based ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz Space [ ] Comma [,] Period [.]](http://images.slideplayer.com/19/5811956/slides/slide_8.jpg "OWASP How it works… White list based ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz Space [ ] Comma [,] Period [.]")
9
OWASP Cross-site scripting Attacks Standard XSS injection attacks HTML injection HTML attribute injection Javascript injection Etc. Unicode XSS attacks Browser bugs or related libraries
10
OWASP Unicode Specifications include optional behaviors Specs not always 100% clear Libraries built off different versions of specs Libraries work differently
11
OWASP Typical Unicode XSS Attack 0x00script0x00 1 3 ASP.NET Unicode v2 2 ?script? Unicode v1 Browser 4
12
OWASP Typical Unicode XSS Attack…Reformed 0x00script0x00 1 {script| 4 ASP.NET Unicode v2 2 ?script? Unicode v1 Browser ?script? 5 Reform 3
13
OWASP Reform, the pros and cons Pros Stable code base Low patch rate (1 in 4 years) Conservative approach Mitigates all known issues Cons Performance impact Larger page size
14
OWASP Reform API HtmlEncode(value, [default]) JsString(value, [default]) VbsString(value, [default])
![OWASP Reform API HtmlEncode(value, [default]) JsString(value, [default]) VbsString(value, [default])](http://images.slideplayer.com/19/5811956/slides/slide_14.jpg "OWASP Reform API HtmlEncode(value, [default]) JsString(value, [default]) VbsString(value, [default])")
15
OWASP HtmlEncode(value, [default]) Value Mary had a little lamb Tom & Jerry “A famous quote” 한국 원본의 보기 Return Mary had a little lamb <evil> Tom & Jerry "A famous quote" 한국 원본3 032; 보기
![OWASP HtmlEncode(value, [default]) Value Mary had a little lamb Tom & Jerry A famous quote 한국 원본의 보기 Return Mary had a little lamb <evil> Tom & Jerry A famous quote 한국 원본3 032; 보기](http://images.slideplayer.com/19/5811956/slides/slide_15.jpg "OWASP HtmlEncode(value, [default]) Value Mary had a little lamb Tom & Jerry A famous quote 한국 원본의 보기 Return Mary had a little lamb <evil> Tom & Jerry A famous quote 한국 원본3 032; 보기")
16
OWASP JsString(value, [default]) Value Mary had a little lamb Tom & Jerry “A famous quote” 한국 원본의 보기 Return 'Mary had a little lamb' '\x3Cevil\x3E' 'Tom \x26 Jerry' '\x22A famous quote\x22' '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'
![OWASP JsString(value, [default]) Value Mary had a little lamb Tom & Jerry A famous quote 한국 원본의 보기 Return Mary had a little lamb \x3Cevil\x3E Tom \x26 Jerry \x22A famous quote\x22 \uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30](http://images.slideplayer.com/19/5811956/slides/slide_16.jpg "OWASP JsString(value, [default]) Value Mary had a little lamb Tom & Jerry A famous quote 한국 원본의 보기 Return Mary had a little lamb \x3Cevil\x3E Tom \x26 Jerry \x22A famous quote\x22 \uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30")
17
OWASP VbsString(value, [default]) Value Mary had a little lamb Tom & Jerry “A famous quote” 한국 원본의 보기 Return "Mary had a little lamb" chrw(60)&"evil"&chrw(62) "Tom "&chrw(38)&" Jerry" chrw(34)&"A famous quote"&c chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)& chrw(51032)&" "&chrw(48372)&chrw(44592)hr w(34)
![OWASP VbsString(value, [default]) Value Mary had a little lamb Tom & Jerry A famous quote 한국 원본의 보기 Return Mary had a little lamb chrw(60)& evil &chrw(62) Tom &chrw(38)& Jerry chrw(34)& A famous quote &c chrw(54620)&chrw(44397)& &chrw(50896)&chrw(48376)& chrw(51032)& &chrw(48372)&chrw(44592)hr w(34)](http://images.slideplayer.com/19/5811956/slides/slide_17.jpg "OWASP VbsString(value, [default]) Value Mary had a little lamb Tom & Jerry A famous quote 한국 원본의 보기 Return Mary had a little lamb chrw(60)& evil &chrw(62) Tom &chrw(38)& Jerry chrw(34)& A famous quote &c chrw(54620)&chrw(44397)& &chrw(50896)&chrw(48376)& chrw(51032)& &chrw(48372)&chrw(44592)hr w(34)")
18
OWASP.NET Web Controls Limited if any cross site scripting prevention Controls can be extended Literal Label DataGrid Etc. Reform provide these!
19
OWASP Questions? Michael Eddington (mike@leviathansecurity.com)mike@leviathansecurity.com OWASP Encoding Project (http://www.owasp.org/index.php/Category:OW ASP_Encoding_Project)http://www.owasp.org/index.php/Category:OW ASP_Encoding_Project
20
OWASP OWASP.NET WEB SERVICE VALIDATION Project 2
21
OWASP The problem… WSDL Schema validation Additional web method validation
22
OWASP Canoodle Provides WSDL schema validation Schematron like assertions Simple to use
23
OWASP Process flow Request Message SOAP Fault Response Message SOAP Fault Response Message WebMethod Invocation Web Service Response Message Canoodle Validation Failure Success
24
OWASP Partial Schematron support Schema validation based on xpath queries Assert support via Attributes [Assert(“//x > 10”, “x greater than 10”)] [Assert(“//y < 100”, “y less than 100”)]
![OWASP Partial Schematron support Schema validation based on xpath queries Assert support via Attributes [Assert( //x > 10 , x greater than 10 )] [Assert( //y < 100 , y less than 100 )]](http://images.slideplayer.com/19/5811956/slides/slide_24.jpg "OWASP Partial Schematron support Schema validation based on xpath queries Assert support via Attributes [Assert( //x > 10 , x greater than 10 )] [Assert( //y < 100 , y less than 100 )]")
25
OWASP Usage Example [WebMethod] [Validation] [Assert("//t:x > 10", "x greater then 10")] [Assert("//t:y < 100", "y less then 100")] public void CreatePoint(int x, int y) { //... } 1 2
![OWASP Usage Example [WebMethod] [Validation] [Assert( //t:x > 10 , x greater then 10 )] [Assert( //t:y < 100 , y less then 100 )] public void CreatePoint(int x, int y) { //...](http://images.slideplayer.com/19/5811956/slides/slide_25.jpg "} 1 2.")
26
OWASP Performance Impact Two request XML parses Validating Non-validating Compiled xpath queries cached
27
OWASP Questions? Michael Eddington (mike@leviathansecurity.com)mike@leviathansecurity.com .NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_S ervice_Validation)http://www.owasp.org/index.php/.NET_Web_S ervice_Validation
Similar presentations
