OWASP Encoding Project / .NET WebService Validation
Michael Eddington, Leviathan Security Group, [email protected]
Contents: OWASP Encoding Project (Reform); OWASP .NET Web Service Validation.
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP Europe Conference 2008
OWASP Encoding Project / .NET WebService Validation
Michael Eddington, Leviathan Security Group, [email protected]
Cross-site Scripting, The problem…
- Limited encoding support in frameworks
  - What about Javascript and VBScript?
  - Only: & < > "
- No 100% encoding solution
  - Production quality
  - Low to no patches
  - Forward looking
  - Internationalization support
The solution… Reform!
- Best of breed output encoding library
- Stable for 4 years
- No security impacting bugs… EVER!
- Conservative
- Prevents all known XSS attacks
- All major languages
- Used extensively by internationalized sites
- Extended Chinese character support
Design goals
- Easy to use
- Conservative
- "Future Proof"
- No licensing restrictions
- All major platforms supported
- Internationalization support
How did we do?
- In production use for 4 years
- Zero security impacting bugs to date
- All relevant cross-site scripting bugs to date prevented
  - Standard
  - New
  - Browser bug based
- Basis for Microsoft's AntiXss
How it works…
White list based: only these characters pass through unencoded, everything else is encoded:
- ABCDEFGHIJKLMNOPQRSTUVWXYZ
- abcdefghijklmnopqrstuvwxyz
- 0123456789
- Space [ ]
- Comma [,]
- Period [.]
Cross-site scripting Attacks
- Standard XSS injection attacks
  - HTML injection
  - HTML attribute injection
  - Javascript injection
  - Etc.
- Unicode XSS attacks
- Browser bugs or related libraries
Unicode
- Specifications include optional behaviors
- Specs not always 100% clear
- Libraries built off different versions of specs
- Libraries work differently
Typical Unicode XSS Attack (diagram, reconstructed from the slide)
1. Input: 0x00script0x00
2. ASP.NET (Unicode v2): ?script?
3. Passed to the browser: 0x00script0x00
4. Browser (Unicode v1): <script>
Typical Unicode XSS Attack… Reformed (diagram, reconstructed from the slide)
1. Input: 0x00script0x00
2. ASP.NET (Unicode v2): ?script?
3. Reform
4. Output: {script|
5. Browser (Unicode v1): ?script?
Reform, the pros and cons
Pros:
- Stable code base
- Low patch rate (1 in 4 years)
- Conservative approach
- Mitigates all known issues
Cons:
- Performance impact
- Larger page size
Reform API
- HtmlEncode(value, [default])
- JsString(value, [default])
- VbsString(value, [default])
HtmlEncode(value, [default])
Value -> Return (the entity references in the Return column were rendered back to characters when the slide was exported, so only the decoded text survives here):
- Mary had a little lamb -> Mary had a little lamb
- <evil> -> <evil>
- Tom & Jerry -> Tom & Jerry
- “A famous quote” -> "A famous quote"
- 한국 원본의 보기 -> 한국 원본의 보기
JsString(value, [default])
Value -> Return:
- Mary had a little lamb -> 'Mary had a little lamb'
- <evil> -> '\x3Cevil\x3E'
- Tom & Jerry -> 'Tom \x26 Jerry'
- “A famous quote” -> '\x22A famous quote\x22'
- 한국 원본의 보기 -> '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'
VbsString(value, [default])
Value -> Return:
- Mary had a little lamb -> "Mary had a little lamb"
- <evil> -> chrw(60)&"evil"&chrw(62)
- Tom & Jerry -> "Tom "&chrw(38)&" Jerry"
- “A famous quote” -> chrw(34)&"A famous quote"&chrw(34)
- 한국 원본의 보기 -> chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)
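The whitelist rule from the "How it works" slide and the three encoders above, as an added Python example (not the Reform library's own code): it reproduces the JsString and VbsString outputs shown in the tables and assumes HtmlEncode emits decimal numeric character references for every character outside the whitelist.

```python
# Whitelist output encoding in the style of Reform; an added illustration, not the
# OWASP Reform library's code. Assumption: HtmlEncode emits decimal numeric
# character references (&#NN;) for every character outside the whitelist.
WHITELIST = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789 ,.")

def _utf16_units(ch):
    """UTF-16 code units of one character (a surrogate pair for astral chars)."""
    data = ch.encode("utf-16-be")
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]

def html_encode(value, default=""):
    """HtmlEncode(value, [default]): entity-encode every non-whitelist character."""
    value = default if value is None else value
    return "".join(c if c in WHITELIST else "&#%d;" % ord(c) for c in value)

def js_string(value, default=""):
    """JsString(value, [default]): single-quoted JavaScript literal; ASCII outside
    the whitelist becomes \\xHH, anything else \\uHHHH per UTF-16 code unit."""
    value = default if value is None else value
    out = []
    for c in value:
        if c in WHITELIST:
            out.append(c)
        elif ord(c) < 0x80:
            out.append("\\x%02X" % ord(c))
        else:
            out.extend("\\u%04X" % u for u in _utf16_units(c))
    return "'" + "".join(out) + "'"

def vbs_string(value, default=""):
    """VbsString(value, [default]): quoted whitelist runs and chrw(N) calls joined
    with '&', giving a VBScript string expression."""
    value = default if value is None else value
    parts, run = [], []
    for c in value:
        if c in WHITELIST:
            run.append(c)
            continue
        if run:
            parts.append('"%s"' % "".join(run))
            run = []
        parts.extend("chrw(%d)" % u for u in _utf16_units(c))
    if run:
        parts.append('"%s"' % "".join(run))
    return "&".join(parts) if parts else '""'
```

Characters outside the Basic Multilingual Plane are emitted as surrogate pairs, which is what a JavaScript or VBScript string expects.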
.NET Web Controls
- Limited if any cross site scripting prevention
- Controls can be extended
  - Literal
  - Label
  - DataGrid
  - Etc.
- Reform provides these!
Questions? Michael Eddington
OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)
Process flow (diagram, reconstructed from the slide)
Request Message -> Canoodle Validation
  Failure -> SOAP Fault Response Message
  Success -> WebMethod Invocation -> Web Service -> Response Message
- Partial Schematron support
- Schema validation based on xpath queries
- Assert support via Attributes
    [Assert("//x > 10", "x greater than 10")]
    [Assert("//y < 100", "y less than 100")]
Usage Example

    [WebMethod]
    [Validation]
    [Assert("//t:x > 10", "x greater than 10")]
    [Assert("//t:y < 100", "y less than 100")]
    public void CreatePoint(int x, int y)
    {
        // ...
    }
Performance Impact
- Two request XML parses
  - Validating
  - Non-validating
- Compiled xpath queries cached
Questions? Michael Eddington
.NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)