OWASP Encoding Project / .NET WebService validation
Michael Eddington, Leviathan Security Group, [email protected]

Contents
OWASP Encoding Project (Reform)
OWASP .NET Web Service Validation

Cross-site Scripting, The problem...
Limited encoding support in frameworks
What about JavaScript and VBScript?
Only: & < > "

No 100% encoding solution
What is needed:
Production quality
Low to no patches
Forward looking
Internationalization support
OWASP
The solution... Reform!
Best-of-breed output encoding library
Stable for 4 years
No security-impacting bugs... ever
Conservative: prevents all known XSS attacks
All major languages
Used extensively by internationalized sites
Extended Chinese character support
Design goals
Easy to use
Conservative
"Future proof"
No licensing restrictions
All major platforms supported
Internationalization support
How did we do?
In production use for 4 years
Zero security-impacting bugs to date
All relevant cross-site scripting bugs to date prevented: standard, new, and browser-bug based
Basis for Microsoft’s AntiXss
Languages
ASP
ASP.NET (1.1, 2.0, 3.x)
Java
JavaScript
Perl
PHP
Python
Ruby
How it works…
White-list based: only the following characters pass through unchanged, everything else is encoded
A-Z a-z 0-9
Space [ ]
Comma [,]
Period [.]
Cross-site scripting Attacks
Standard XSS injection attacks: HTML injection, HTML attribute injection, JavaScript injection, etc.
Unicode XSS attacks
Browser bugs or related libraries
Unicode
Specifications include optional behaviors
Specs not always 100% clear
Libraries built off different versions of specs
Libraries work differently
Typical Unicode XSS Attack
(Diagram; flow reconstructed from the slide labels. The two non-ASCII characters surrounding "script" appear as 0x00 in the extracted slide.)
1. Attacker input: 0x00script0x00
2. ASP.NET, built on a Unicode v2 library, does not treat the characters as < and >, so its encoder leaves them alone
3. Output emitted: ?script?
4. Browser, built on a Unicode v1 library, maps the characters to < and > and renders <script>
Typical Unicode XSS Attack…Reformed
(Diagram; flow reconstructed from the slide labels.)
1. Attacker input: 0x00script0x00
2. ASP.NET, built on a Unicode v2 library, passes the characters through: ?script?
3. Reform, being white-list based, encodes both non-whitelisted characters (shown on the slide as {script|)
4. Encoded output emitted
5. Browser, built on a Unicode v1 library, renders the literal text ?script?; no tag is formed
Reform, the pros and cons
Pros
Stable code base
Low patch rate (1 in 4 years)
Conservative approach
Mitigates all known issues

Cons
Performance impact
Larger page size
Reform API
HtmlEncode(value, [default])
JsString(value, [default])
VbsString(value, [default])
HtmlEncode(value, [default])
Value: Mary had a little lamb | <evil> | Tom & Jerry | "A famous quote" | 한국 원본의 보기
Return: Mary had a little lamb | <evil> | Tom & Jerry | "A famous quote" | 한국 원본의 보기
(As extracted, the Return row reads the same as the Value row: the HTML entities HtmlEncode emits for <, >, &, " and the Hangul characters were decoded by the page rendering.)
JsString(value, [default])
Value: Mary had a little lamb | <evil> | Tom & Jerry | "A famous quote" | 한국 원본의 보기
Return: 'Mary had a little lamb' | '\x3Cevil\x3E' | 'Tom \x26 Jerry' | '\x22A famous quote\x22' | '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'
VbsString(value, [default])
Value: Mary had a little lamb | <evil> | Tom & Jerry | "A famous quote" | 한국 원본의 보기
Return: "Mary had a little lamb" | chrw(60)&"evil"&chrw(62) | "Tom "&chrw(38)&" Jerry" | chrw(34)&"A famous
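The following is an added JavaScript illustration of the white-list approach from the "How it works" slide, the blacklist-versus-whitelist difference behind the "Typical Unicode XSS Attack" diagrams, and the HtmlEncode / JsString / VbsString outputs on the API slides. It is not the Reform library's source. Assumptions: the decimal `&#NNNN;` entity format for HtmlEncode (the slide shows its entities already decoded), the rule that `default` is returned for a null value, NFKC folding as a stand-in for the "Unicode v1 browser" box, and fullwidth `＜` / `＞` as constructed input standing in for the attack characters the extracted slide shows as 0x00.

```javascript
// Added illustration of Reform-style whitelist encoding; not Reform's own code.
// Whitelist taken from the "How it works" slide: A-Z a-z 0-9, space, comma, period.
const ALLOWED = /^[A-Za-z0-9 ,.]$/;

function hex(code, width) {
  return code.toString(16).toUpperCase().padStart(width, '0');
}

// Walk the string one UTF-16 code unit at a time and hand every unit that is
// not on the whitelist to encodeUnit. Supplementary characters therefore come
// out as surrogate pairs, and Hangul comes out as the \uXXXX pairs the JsString
// slide shows.
function encodeUnits(value, encodeUnit) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    out += ALLOWED.test(ch) ? ch : encodeUnit(value.charCodeAt(i));
  }
  return out;
}

// HtmlEncode(value, [default]). Decimal numeric entities and the
// null-returns-default rule are assumptions (see lead-in).
function htmlEncode(value, def = '') {
  if (value == null) return def;
  return encodeUnits(String(value), (code) => '&#' + code + ';');
}

// JsString(value, [default]): a complete single-quoted JS string literal,
// \xHH below U+0100 and \uHHHH above, matching the JsString slide.
function jsString(value, def = "''") {
  if (value == null) return def;
  const body = encodeUnits(String(value), (code) =>
    code < 0x100 ? '\\x' + hex(code, 2) : '\\u' + hex(code, 4));
  return "'" + body + "'";
}

// VbsString(value, [default]): quoted runs of whitelisted text joined to
// chrw(n) calls with &, matching the VbsString slide.
function vbsString(value, def = '""') {
  if (value == null) return def;
  const s = String(value);
  const parts = [];
  let run = '';
  for (let i = 0; i < s.length; i++) {
    if (ALLOWED.test(s[i])) { run += s[i]; continue; }
    if (run) { parts.push('"' + run + '"'); run = ''; }
    parts.push('chrw(' + s.charCodeAt(i) + ')');
  }
  if (run) parts.push('"' + run + '"');
  return parts.length ? parts.join('&') : '""';
}

// The blacklist encoder the "Limited encoding support" slide criticises:
// only & < > " are touched, so every other code unit passes straight through.
function blacklistHtmlEncode(value) {
  return String(value).replace(/[&<>"]/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
}

// Stand-in for the "Unicode v1 browser" box on the attack slide: a consumer
// that folds compatibility characters onto their ASCII base. NFKC does exactly
// that for the fullwidth forms, which is why they are used as the constructed
// input here (the slide's real trigger characters are not recoverable).
function legacyConsumerView(markup) {
  return markup.normalize('NFKC');
}

const FULLWIDTH_SCRIPT = '\uFF1Cscript\uFF1E'; // constructed input: ＜script＞

// Blacklist: the fullwidth brackets are not in {& < > "}, pass through untouched,
// and fold to a live <script> tag downstream. Whitelist: they are encoded as
// numeric entities, which are plain ASCII and survive folding unchanged.
function unicodeAttackDemo() {
  const blacklisted = blacklistHtmlEncode(FULLWIDTH_SCRIPT);
  const whitelisted = htmlEncode(FULLWIDTH_SCRIPT);
  return {
    blacklistAfterFolding: legacyConsumerView(blacklisted),
    whitelistAfterFolding: legacyConsumerView(whitelisted),
  };
}
```

Calling `jsString('한국 원본의 보기')` reproduces the JsString slide's `'\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'`, and `vbsString('Tom & Jerry')` reproduces `"Tom "&chrw(38)&" Jerry"`. `unicodeAttackDemo()` returns `<script>` for the blacklist path and `&#65308;script&#65310;` for the whitelist path, which is the "Reformed" diagram in miniature: the conservative encoder never has to know which characters some downstream library will fold into `<`.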