
Three OWASP Projects

Michael Eddington

Leviathan Security Group

[email protected]



Contents

  • OWASP Encoding Project (Reform)

  • OWASP .NET Web Service Validation

  • Are You a Human



Project 1

OWASP Encoding Project (Reform)



Cross-site Scripting, The problem…

  • Limited encoding support in frameworks

    • What about Javascript and VBScript?

    • Only: & < > "

  • No 100% encoding solution

    • Production quality

    • Low to no patches

    • Forward looking

    • Internationalization support



The solution…Reform!

  • Best of breed output encoding library

  • Stable for 4 years

  • No security impacting bugs…EVER!

  • Conservative

  • Prevents all known XSS attacks

  • All major languages

  • Used extensively by internationalized sites

    • Extended Chinese character support



Design goals

  • Easy to use

  • Conservative

  • “Future Proof”

  • No licensing restrictions

  • All major platforms supported

  • Internationalization support



How did we do?

  • In production use for 4 years

  • Zero security impacting bugs to date

  • All relevant cross-site scripting bugs to date prevented

    • Standard

    • New

    • Browser bug based

  • Basis for Microsoft’s AntiXss



Languages

  • ASP

  • ASP.NET (1.1, 2.0, 3.x)

  • Java

  • JavaScript

  • Perl

  • PHP

  • Python

  • Ruby



How it works…

  • White list based

    • ABCDEFGHIJKLMNOPQRSTUVWXYZ

    • abcdefghijklmnopqrstuvwxyz

    • 0123456789

    • Space [ ]

    • Comma [,]

    • Period [.]



Cross-site scripting Attacks

  • Standard XSS injection attacks

    • HTML injection

    • HTML attribute injection

    • Javascript injection

    • Etc.

  • Unicode XSS attacks

  • Browser bugs or related libraries



Unicode

  • Specifications include optional behaviors

  • Specs not always 100% clear

  • Libraries built off different versions of specs

  • Libraries work differently


Typical Unicode XSS Attack

  [Diagram, numbered 1-4] Input "?script?" → (1) Unicode v2 → (2) ASP.NET → (3) 0x00script0x00 → (4) Browser, Unicode v1 → <script>


Typical Unicode XSS Attack…Reformed

  [Diagram, numbered 1-5] (1) Input "?script?" → Unicode v2 → (2) ASP.NET → (3) Reform → (4) &#123;script&#124; → (5) Browser, Unicode v1 → ?script?


Reform, the pros and cons

  Pros
    • Stable code base
    • Low patch rate (1 in 4 years)
    • Conservative approach
    • Mitigates all known issues

  Cons
    • Performance impact
    • Larger page size



Reform API

  • HtmlEncode(value, [default])

  • JsString(value, [default])

  • VbsString(value, [default])


HtmlEncode(value, [default])

  Value                      Return
  Mary had a little lamb     Mary had a little lamb
  <evil>                     &#60;evil&#62;
  Tom & Jerry                Tom &#38; Jerry
  "A famous quote"           &#34;A famous quote&#34;
  한국 원본의 보기               &#54620;&#44397; &#50896;&#48376;&#51032; &#48372;&#44592;


JsString(value, [default])

  Value                      Return
  Mary had a little lamb     'Mary had a little lamb'
  <evil>                     '\x3Cevil\x3E'
  Tom & Jerry                'Tom \x26 Jerry'
  "A famous quote"           '\x22A famous quote\x22'
  한국 원본의 보기               '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'


VbsString(value, [default])

  Value                      Return
  Mary had a little lamb     "Mary had a little lamb"
  <evil>                     chrw(60)&"evil"&chrw(62)
  Tom & Jerry                "Tom "&chrw(38)&" Jerry"
  "A famous quote"           chrw(34)&"A famous quote"&chrw(34)
  한국 원본의 보기               chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)



.NET Web Controls



Questions?

  • Michael Eddington ([email protected])

  • OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)



Project 2

OWASP .NET Web Service Validation



The problem…

  • WSDL Schema validation

  • Additional web method validation



Canoodle

  • Provides WSDL schema validation

  • Schematron like assertions

  • Simple to use


Process flow

  Request Message → Canoodle Validation
    Success → WebMethod Invocation → Web Service Response Message → Response Message
    Failure → SOAP Fault


  • Partial Schematron support

  • Schema validation based on xpath queries

  • Assert support via Attributes

    [Assert("//x > 10", "x greater than 10")]

    [Assert("//y < 100", "y less than 100")]


Usage Example

  // Canoodle evaluates each [Assert] XPath against the request before the method runs;
  // a failed assertion returns a SOAP fault carrying the message text.
  [WebMethod]
  [Validation]
  [Assert("//t:x > 10", "x greater than 10")]
  [Assert("//t:y < 100", "y less than 100")]
  public void CreatePoint(int x, int y)
  {
      // ...
  }
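An added Python model (not Canoodle's code) of the process flow and the usage example above: the two `[Assert]` checks from `CreatePoint` are evaluated over a SOAP request, a passing request reaches the web method, and a failing or malformed one gets a SOAP fault instead. The `t` namespace URI, the fault body and the sample requests are constructed for the example; only the "<path> <op> <number>" assertion form used on the slide is supported.

```python
import html
import operator
import re
import xml.etree.ElementTree as ET

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}
ASSERT_RE = re.compile(r"^\s*(//\S+)\s*(>=|<=|>|<|=)\s*(-?\d+(?:\.\d+)?)\s*$")
# Prefix "t" as in the slide; the namespace URI is a constructed placeholder.
NS = {"t": "urn:example:points"}

def check_assert(root, expr):
    """XPath 1.0 node-set comparison: true if any matched node satisfies it."""
    m = ASSERT_RE.match(expr)
    if not m:
        raise ValueError("unsupported assertion: " + expr)
    path, op, num = m.groups()
    nodes = root.findall("." + path, NS)  # ElementTree understands ".//t:x"
    return any(OPS[op](float(n.text or "nan"), float(num)) for n in nodes)

def soap_fault(message):
    """Minimal SOAP 1.1 Client fault (constructed; the slide shows no fault body)."""
    return ('<soap:Fault xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<faultcode>soap:Client</faultcode><faultstring>%s</faultstring>'
            '</soap:Fault>' % html.escape(message))

def validate(request_xml, asserts):
    """First (validating) parse: run every [Assert]; returns (ok, fault_or_None)."""
    root = ET.fromstring(request_xml)
    for expr, message in asserts:
        if not check_assert(root, expr):
            return False, soap_fault(message)
    return True, None

CREATE_POINT_ASSERTS = [("//t:x > 10", "x greater than 10"),
                        ("//t:y < 100", "y less than 100")]

def handle_create_point(request_xml):
    """Process flow: validation -> WebMethod invocation, or SOAP fault."""
    ok, fault = validate(request_xml, CREATE_POINT_ASSERTS)
    if not ok:
        return fault
    root = ET.fromstring(request_xml)  # second (non-validating) parse, as on the slide
    x, y = (int(root.find(".//t:%s" % n, NS).text) for n in ("x", "y"))
    return "<CreatePointResponse>point(%d,%d)</CreatePointResponse>" % (x, y)

# Constructed sample requests: one that passes, one with x out of range.
GOOD = ('<Envelope><Body><CreatePoint xmlns="urn:example:points">'
        '<x>42</x><y>7</y></CreatePoint></Body></Envelope>')
BAD = GOOD.replace("<x>42</x>", "<x>5</x>")
```

A request that omits `x` altogether also fails, because an empty node set never satisfies the comparison, so the method body is only ever entered with both values present and in range.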



Performance Impact

  • Two request XML parses

    • Validating

    • Non-validating

  • Compiled xpath queries cached



Questions?

  • Michael Eddington ([email protected])

  • .NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)



Project 3

Are you a Human


Are you a human…?


Captcha Examples

  [Image: two captcha examples shown side by side]


How to break via computer

  [Image]



How to break…other


What about…phones?

  [Image: three phone screens]



Are you a human?

  • http://areyouahuman.org

  • Service based, no upgrades needed

  • Multiple Captcha types

    • Visual

    • Audio

    • SMS

    • Etc.



Questions???

  • Michael Eddington ([email protected])

  • OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)

  • .NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)

  • Are you a human? (http://areyouahuman.org)
