1 / 36

Three OWASP Projects

Three OWASP Projects. Michael Eddington Leviathan Security Group mike@leviathansecurity.com. Contents. OWASP Encoding Project (Reform) OWASP .NET Web Service Validation Are You a Human. Project 1. OWASP Encoding Project (Reform). Cross-site Scripting, The problem….

meli
Download Presentation

Three OWASP Projects

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Three OWASP Projects Michael Eddington Leviathan Security Group mike@leviathansecurity.com

  2. Contents • OWASP Encoding Project (Reform) • OWASP .NET Web Service Validation • Are You a Human

  3. Project 1 OWASP Encoding Project (Reform)

  4. Cross-site Scripting, The problem… • Limited encoding support in frameworks • What about Javascript and VBScript? • Only: & < > “ • No 100% encoding solution • Production quality • Low to no patches • Forward looking • Internationalization support

  5. The solution…Reform! • Best of bread output encoding library • Stable for 4 years • No security impacting bugs…EVER! • Conservative • Prevents all known XSS attacks • All major languages • Used extensively by internationalized sites • Extended Chinese character support

  6. Design goals • Easy to use • Conservative • “Future Proof” • No licensing restrictions • All major platforms supported • Internationalization support

  7. How did we do? • In production use for 4 years • Zero security impacting bugs to date • All relevant cross-site scripting bugs to date prevented • Standard • New • Browser bug based • Basis for Microsoft’s AntiXss

  8. Languages • ASP • ASP.NET (1.1, 2.0, 3.x) • Java • JavaScript • Perl • PHP • Python • Ruby

  9. How it works… • White list based • ABCDEFGHIJKLMNOPQRSTUVWXYZ • abcdefghijklmnopqrstuvwxyz • 0123456789 • Space [ ] • Comma [,] • Period [.]

  10. Cross-site scripting Attacks • Standard XSS injection attacks • HTML injection • HTML attribute injection • Javascript injection • Etc. • Unicode XSS attacks • Browser bugs or related libraries

  11. Unicode • Specifications include optional behaviors • Specs not always 100% clear • Libraries built off different versions of specs • Libraries work differently

  12. Typical Unicode XSS Attack 2 ASP.NET 0x00script0x00 ?script? 1 Unicode v2 3 0x00script0x00 Browser <script> 4 Unicode v1

  13. Typical Unicode XSS Attack…Reformed 2 ASP.NET 0x00script0x00 1 ?script? Unicode v2 Reform 3 4 &#123;script&#124; Browser ?script? 5 Unicode v1

  14. Reform, the pros and cons Pros Cons Performance impact Larger page size • Stable code base • Low patch rate (1 in 4 years) • Conservative approach • Mitigates all known issues

  15. Reform API • HtmlEncode(value, [default]) • JsString(value, [default]) • VbsString(value, [default])

  16. HtmlEncode(value, [default]) Value Return Mary had a little lamb &#60;evil&#62; Tom &#38; Jerry &#34;A famous quote&#34; &#54620;&#44397; &#50896;&#48376;&#51032; &#48372;&#44592; • Mary had a little lamb • <evil> • Tom & Jerry • “A famous quote” • 한국 원본의 보기

  17. JsString(value, [default]) Value Return 'Mary had a little lamb' '\x3Cevil\x3E' 'Tom \x26 Jerry' '\x22A famous quote\x22' '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30' • Mary had a little lamb • <evil> • Tom & Jerry • “A famous quote” • 한국 원본의 보기

  18. VbsString(value, [default]) Value Return "Mary had a little lamb" chrw(60)&"evil"&chrw(62) "Tom "&chrw(38)&" Jerry" chrw(34)&"A famous quote"&c chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)hrw(34) • Mary had a little lamb • <evil> • Tom & Jerry • “A famous quote” • 한국 원본의 보기

  19. .NET Web Controls

  20. Questions? • Michael Eddington (mike@leviathansecurity.com) • OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)

  21. Project 2 OWASP .NET Web Service Validation

  22. The problem… • WSDL Schema validation • Additional web method validation

  23. Canoodle • Provides WSDL schema validation • Schematron like assertions • Simple to use

  24. Process flow Request Message Canoodle Validation Success WebMethod Invocation Failure SOAP Fault Response Message Web Service Response Message

  25. Partial Schematron support • Schema validation based on xpath queries • Assert support via Attributes [Assert(“//x > 10”, “x greater than 10”)] [Assert(“//y < 100”, “y less than 100”)]

  26. Usage Example [WebMethod] [Validation] [Assert("//t:x > 10", "x greater then 10")] [Assert("//t:y < 100", "y less then 100")] publicvoid CreatePoint(int x, int y) { // ... } 1 2

  27. Performance Impact • Two request XML parses • Validating • Non-validating • Compiled xpath queries cached

  28. Questions? • Michael Eddington (mike@leviathansecurity.com) • .NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)

  29. Project 3 Are you a Human

  30. Are you a human…? ?

  31. Captcha Examples VS.

  32. How to break via computer P L U S

  33. How to break…other

  34. What about…phones? ABCD ABCD ABCD

  35. Are you a human? • http://areyouahuman.org • Service based, no upgrades needed • Multiple Captcha types • Visual • Audio • SMS • Etc.

  36. Questions??? • Michael Eddington (mike@leviathansecurity.com) • OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project) • .NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation) • Are you a human? (http://areyouahuman.org)

More Related