
OWASP Encoding Project .NET WebService validation

OWASP Encoding Project / .NET WebService validation. Michael Eddington, Leviathan Security Group, mike@leviathansecurity.com. Contents: OWASP Encoding Project (Reform); OWASP .NET Web Service Validation. Cross-site Scripting, the problem: limited encoding support in frameworks.


Presentation Transcript


  1. OWASP Encoding Project / .NET WebService validation. Michael Eddington, Leviathan Security Group, mike@leviathansecurity.com

  2. Contents • OWASP Encoding Project (Reform) • OWASP .NET Web Service Validation

  3. Cross-site Scripting, The problem… • Limited encoding support in frameworks • What about JavaScript and VBScript? • Only: & < > " • No 100% encoding solution • Production quality • Low to no patches • Forward looking • Internationalization support

  4. The solution…Reform! • Best of breed output encoding library • Stable for 4 years • No security impacting bugs…EVER! • Conservative • Prevents all known XSS attacks • All major languages • Used extensively by internationalized sites • Extended Chinese character support

  5. Design goals • Easy to use • Conservative • “Future Proof” • No licensing restrictions • All major platforms supported • Internationalization support

  6. How did we do? • In production use for 4 years • Zero security impacting bugs to date • All relevant cross-site scripting bugs to date prevented • Standard • New • Browser bug based • Basis for Microsoft’s AntiXss

  7. Languages • ASP • ASP.NET (1.1, 2.0, 3.x) • Java • JavaScript • Perl • PHP • Python • Ruby

  8. How it works… • White list based • ABCDEFGHIJKLMNOPQRSTUVWXYZ • abcdefghijklmnopqrstuvwxyz • 0123456789 • Space [ ] • Comma [,] • Period [.]

  9. Cross-site scripting Attacks • Standard XSS injection attacks • HTML injection • HTML attribute injection • Javascript injection • Etc. • Unicode XSS attacks • Browser bugs or related libraries

  10. Unicode • Specifications include optional behaviors • Specs not always 100% clear • Libraries built off different versions of specs • Libraries work differently

  11. Typical Unicode XSS Attack (flow diagram): (1) input ?script? in Unicode v2 → (2) ASP.NET emits 0x00script0x00 → (3) 0x00script0x00 reaches the Browser, which uses Unicode v1 → (4) rendered as <script>

  12. Typical Unicode XSS Attack…Reformed (flow diagram): (1) input ?script? in Unicode v2 → (2) ASP.NET emits 0x00script0x00 → (3) Reform encodes it → (4) &#123;script&#124; reaches the Browser, which uses Unicode v1 → (5) rendered as the text ?script?, not as markup

  13. Reform, the pros and cons • Pros: Stable code base; Low patch rate (1 in 4 years); Conservative approach; Mitigates all known issues • Cons: Performance impact; Larger page size

  14. Reform API • HtmlEncode(value, [default]) • JsString(value, [default]) • VbsString(value, [default])

  15. HtmlEncode(value, [default]), Value → Return:
      Mary had a little lamb → Mary had a little lamb
      <evil> → &#60;evil&#62;
      Tom & Jerry → Tom &#38; Jerry
      "A famous quote" → &#34;A famous quote&#34;
      한국 원본의 보기 → &#54620;&#44397; &#50896;&#48376;&#51032; &#48372;&#44592;

  16. JsString(value, [default]), Value → Return:
      Mary had a little lamb → 'Mary had a little lamb'
      <evil> → '\x3Cevil\x3E'
      Tom & Jerry → 'Tom \x26 Jerry'
      "A famous quote" → '\x22A famous quote\x22'
      한국 원본의 보기 → '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'

  17. VbsString(value, [default]), Value → Return:
      Mary had a little lamb → "Mary had a little lamb"
      <evil> → chrw(60)&"evil"&chrw(62)
      Tom & Jerry → "Tom "&chrw(38)&" Jerry"
      "A famous quote" → chrw(34)&"A famous quote"&chrw(34)
      한국 원본의 보기 → chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)
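The whitelist approach of slide 8 and the three API calls of slides 14 to 17, as an added Python example written for this page (not Reform's own source); it reproduces the slide outputs for the same inputs and, going beyond the slides, encodes code points above U+FFFF as surrogate pairs in the JavaScript form. The handling of the optional [default] (used when the value is empty) is an assumption about the API.

```python
# Whitelist output encoder in the style of the Reform API (slides 8, 14-17).
# Added example, not Reform's source. Only A-Z, a-z, 0-9, space, comma and
# period pass through; everything else is encoded for the target context.
WHITELIST = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ,.")

def _resolve(value, default):
    # Assumed [default] semantics: it stands in for an empty or missing value.
    if value is None or value == "":
        return default if default is not None else ""
    return str(value)

def html_encode(value, default=None):
    # HTML context: decimal character references, e.g. &#60; for <
    return "".join(c if c in WHITELIST else "&#%d;" % ord(c)
                   for c in _resolve(value, default))

def js_string(value, default=None):
    # JavaScript string literal, returned already single-quoted as on slide 16:
    # \xHH below U+0100, \uHHHH otherwise (surrogate pairs above U+FFFF).
    def esc(c):
        cp = ord(c)
        if c in WHITELIST:
            return c
        if cp < 0x100:
            return "\\x%02X" % cp
        if cp > 0xFFFF:
            cp -= 0x10000
            return "\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))
        return "\\u%04X" % cp
    return "'" + "".join(esc(c) for c in _resolve(value, default)) + "'"

def vbs_string(value, default=None):
    # VBScript expression (slide 17): runs of whitelisted characters stay as
    # quoted literals, every other character becomes chrw(n), joined with &.
    parts, run = [], []
    for c in _resolve(value, default):
        if c in WHITELIST:
            run.append(c)
            continue
        if run:
            parts.append('"%s"' % "".join(run))
            run = []
        parts.append("chrw(%d)" % ord(c))
    if run:
        parts.append('"%s"' % "".join(run))
    return "&".join(parts) if parts else '""'
```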

  18. .NET Web Controls • Limited if any cross-site scripting prevention • Controls can be extended • Literal • Label • DataGrid • Etc. • Reform provides these!

  19. Questions? • Michael Eddington (mike@leviathansecurity.com) • OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)

  20. Project 2 OWASP .NET Web Service Validation

  21. The problem… • WSDL Schema validation • Additional web method validation

  22. Canoodle • Provides WSDL schema validation • Schematron-like assertions • Simple to use

  23. Process flow: Request Message → Canoodle Validation → on Success: WebMethod Invocation → Web Service Response Message; on Failure: SOAP Fault Response Message

  24. Partial Schematron support • Schema validation based on XPath queries • Assert support via attributes: [Assert("//x > 10", "x greater than 10")] [Assert("//y < 100", "y less than 100")]

  25. Usage Example
      [WebMethod]
      [Validation]
      [Assert("//t:x > 10", "x greater than 10")]
      [Assert("//t:y < 100", "y less than 100")]
      public void CreatePoint(int x, int y)
      {
          // ...
      }
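The validate-then-invoke flow of slides 23 to 25, as an added Python example rather than Canoodle's own C# code; the `t` namespace URI, the sample SOAP request and the `create_point` stand-in are constructed here, and the assertion evaluator supports only the simple `//path op number` comparisons the slides show.

```python
# Validate-then-invoke flow of slides 23-25 (added example, not Canoodle's own
# code). Each Assert is an XPath comparison such as "//t:x > 10", evaluated with
# node-set semantics (true if any selected node satisfies it); the web method
# runs only when every assertion holds, otherwise a SOAP Fault is returned.
import operator
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NAMESPACES = {"t": "urn:example:points"}  # constructed namespace for prefix t
_OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
        "<=": operator.le, "=": operator.eq}
_ASSERT_RE = re.compile(r"^\s*(//[\w:]+)\s*(>=|<=|>|<|=)\s*(-?\d+)\s*$")
ASSERTIONS = [("//t:x > 10", "x greater than 10"), ("//t:y < 100", "y less than 100")]

def check_assertion(root, expr):
    # Fails closed: an assertion that cannot be parsed or compared never passes.
    m = _ASSERT_RE.match(expr)
    if not m:
        return False
    path, op, literal = m.groups()
    values = []
    for node in root.findall("." + path, NAMESPACES):
        try:
            values.append(int((node.text or "").strip()))
        except ValueError:
            return False  # non-numeric content where a number is required
    return any(_OPS[op](v, int(literal)) for v in values)

def soap_fault(message):
    return ('<soap:Envelope xmlns:soap="%s"><soap:Body><soap:Fault>'
            '<faultcode>soap:Client</faultcode><faultstring>%s</faultstring>'
            '</soap:Fault></soap:Body></soap:Envelope>' % (SOAP_NS, escape(message)))

def handle_request(request_xml, assertions, web_method):
    # Slide 23: Request -> validation -> WebMethod on success, SOAP Fault on failure.
    root = ET.fromstring(request_xml)
    for expr, message in assertions:
        if not check_assertion(root, expr):
            return soap_fault(message)
    return web_method(root)

def create_point(root):  # stand-in for the CreatePoint web method of slide 25
    return "created point (%s, %s)" % tuple(root.find(".//t:" + n, NAMESPACES).text for n in "xy")

def sample_request(x, y):  # constructed SOAP request for CreatePoint
    return ('<soap:Envelope xmlns:soap="%s"><soap:Body><t:CreatePoint xmlns:t="%s">'
            '<t:x>%s</t:x><t:y>%s</t:y></t:CreatePoint></soap:Body></soap:Envelope>'
            % (SOAP_NS, NAMESPACES["t"], x, y))
```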

  26. Performance Impact • Two request XML parses: validating and non-validating • Compiled XPath queries cached

  27. Questions? • Michael Eddington (mike@leviathansecurity.com) • .NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)
