Download presentation
Presentation is loading. Please wait.
Published byNigel Sanders Modified over 9 years ago
1
Copyright © 2009 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation ShmooCon 2009 Washington, DC. – February 2009 http://www.owasp.org/ AntiSamy – and Scrubbr picking a fight with xss Arshan Dabirsiaghi, OWASP Peasant Director of Research, Aspect Security arshan.dabirsiaghi@aspectsecurity.com (301) 604 - 4882
2
ShmooCon 2009 – Washington, DC – Feb 2009 who am i? Name Arshan Dabirsiaghi (gesundheit) Trade Security hobbyist & developer Job Director of Research at Aspect Security Side Job Liverpool fan (go gerrard!) OWASP ISWG and AntiSamy Political Affiliation Plutocrat Quote “poor people are crazy; i’m eccentric”
3
ShmooCon 2009 – Washington, DC – Feb 2009 samy vs arshan aka good vs evil, sammy hagar vs david lee roth ryu vs ken …an old age old battle 3
4
ShmooCon 2009 – Washington, DC – Feb 2009 Taller, better looking Persian (exotic) More chest hair Amazing in the sack Lots of friends Criminal record Iranian (call DHS) Untested in the sack A lot of notoriety and street cred Can’t get friends the old fashioned way, has to hack them 4 Arshansamy
5
ShmooCon 2009 – Washington, DC – Feb 2009 stored xss – the arsenic in the well attacker submits sticky (persisted) input to the app (e.g., blog comment/user profile) i mention the input contains JS? whoops later, some random peasant comes along and views the profile or blog comment application displays comment/profile to user browser and JS inside it gets exec’d instead of displayed on browser hours later, a seagull donkey punches an angry pirate to death (totally unrelated)
6
ShmooCon 2009 – Washington, DC – Feb 2009 the story of samy (1 of 2) myspace™ is one giant advertisement banner that has a hidden social networking site inside of it (like an easter egg) you setup a profile, pics, etc. for other people to see samy wanted an xss worm in his own profile that made the reader his friend and new source of worm
7
ShmooCon 2009 – Washington, DC – Feb 2009 the story of samy (part 2 of 2) myspace did well not to let any JS through samy used ‘ java\nscript ’ since ‘ javascript ’ was filtered out, String.fromCharCode(34) to generate a double quote, etc. 10 hours – 560 friends, 13 hours – 6400, 18 hours – 1,000,000, 19 hours – entire site is down
8
ShmooCon 2009 – Washington, DC – Feb 2009 what did myspace do wrong? they used a word blacklist negative security models are error prone unknown attacks / fragmenting / encoding can usually bypass (sometimes trivially)
9
ShmooCon 2009 – Washington, DC – Feb 2009 do sites really need html from users? users want to customize profiles community sites like eBay/craigslist allow public listings cm solutions like magnolia, dotnetnuke, etc rich comment sharing on blogs, news sites, etc
10
ShmooCon 2009 – Washington, DC – Feb 2009 this is a bad situation… F5 // Defcon 31 // Threat level Midnight DISASTER – what to do?!!?1!? web apps trying to validate that HTML with blacklists sites need to allow users to provide HTML HTML the worst mashup of data and code ever
11
ShmooCon 2009 – Washington, DC – Feb 2009 an HTML validation tool and API funded by an OWASP Spring of Code grant uses a positive security model takes dirty HTML/CSS that could contain xss and spits out a safe version of that input while retaining all formatting code (applause)
12
ShmooCon 2009 – Washington, DC – Feb 2009 goals for anti-samy provide high assurance provide 99% (or close enough) protection against xss browser wars, new w3c directives, etc. cause rules to change be portable works with terribly broken html easy-to-use API or tool use single XML policy file with default settings providing high assurance absorbable by validator implementations in different languages be able to provide friendly feedback, able to just “make it work” users may copy html/js from a site they like not all JavaScript is xss, user intention may not be malicious help user to tune html/js to work with requirements use it to meet girls this goal is not going so well do you know anyone?
13
ShmooCon 2009 – Washington, DC – Feb 2009 anti samy seen from outer space dirty html gets run through nekoHTML for structural sanitization (and legal validation)
14
ShmooCon 2009 – Washington, DC – Feb 2009 neko validation 14 body divb u (text) p img src=javascript:xss() src=hax.js style=expression(…) samy is my hero id=foo samy is my hero \0 - DOM object - fragmenting attacks gone - html now sanitized (text) script <
15
ShmooCon 2009 – Washington, DC – Feb 2009 anti samy seen from outer space Step through DOM tree and validate each node according to the policy file… filter / remove nodes / content or attributes as needed
16
ShmooCon 2009 – Washington, DC – Feb 2009 antisamy.xml – customize to your site’s policy Slashdot - links, markup E-Bay - links, markup, images, etc MySpace - links, markup, images, stylesheets, etc
17
ShmooCon 2009 – Washington, DC – Feb 2009 common stores in antisamy.xml Common Regular Expressions (write once then use anywhere by name) Common Tag Attributes (define attribute once then use in many tags) Global Tag Attributes (define implicit attributes for all tags)
18
ShmooCon 2009 – Washington, DC – Feb 2009 validation step-through (this slide is bananas) 18 head divb(text) a img src=http://evil.com/hax.js style=expression(…) samy is my hero id=foo (text) i < li href=javascript:attax() script content=0;url=javascript:attax() http-equiv=refresh meta src=bar.jpg style=background-image: url(‘javascript:attax()’) p antisamy.xml Tag Not Found!
19
ShmooCon 2009 – Washington, DC – Feb 2009 anti samy seen from outer space Return as string or DOM object
20
ShmooCon 2009 – Washington, DC – Feb 2009 CleanResults object getCleanHTML() - String getCleanXMLDocumentFragment() - DOM getScanTime() – double getErrorMessages() – String[]
21
ShmooCon 2009 – Washington, DC – Feb 2009 how do i get started? figure out policy on what tags and attributes to allow for your site customize one of the default antisamy.xml files add 5-10 lines of code to your app done! congratulate self with guilt free visit to singles.net (look for tom stracener’s alternative profile)
22
ShmooCon 2009 – Washington, DC – Feb 2009 using antisamy api is really hard
23
ShmooCon 2009 – Washington, DC – Feb 2009 project goals work to create a peer reviewed, time tested solution for validating html destroy the idea that letting users provide their own html is too dangerous enable the next gen of user generated content sites samy is a threat to western society
24
ShmooCon 2009 – Washington, DC – Feb 2009 what about CSRF? simple – go through antisamy.xml and remove the ability to have offsite resources changing common attributes make this real easy hosting csrf attacks is an accepted risk for many
25
ShmooCon 2009 – Washington, DC – Feb 2009 interesting attacks 25 1.spot the vuln ^[a-zA-Z’&-\@] 2. hijacking co-browse window with target click ze link 4 lulz... window.open(“http://www.somethingelse.com”) 3. lots of vulns in neko ”.> SAX parsers + loops = hahahahahahaha
26
ShmooCon 2009 – Washington, DC – Feb 2009 known vulns? ... for now (gulp) us-ascii, utf-7 – ANY time the browser is on a different planet than the input few crashes (uncaught exceptions) tx noticed debug code enabling XSS (whoops) 26
27
ShmooCon 2009 – Washington, DC – Feb 2009 socioeconomic enabler why should ebay, google, mysp ace be the only people able to ha ve this functionality? 27 this is my pdp slide
28
ShmooCon 2009 – Washington, DC – Feb 2009 demo time
29
ShmooCon 2009 – Washington, DC – Feb 2009 demo time (0 of 3 – few javascript tests) everything on rsnake’s cheat sheet Solution: already defended against in default policy files 29
30
ShmooCon 2009 – Washington, DC – Feb 2009 demo time (1 of 3 –absolute div overlay) create a div in our profile that overlays the entire page (or a subsection) extremely effective phishing vector SSL certificate is valid look and feel matches expectations Solution: insert a stylesheet rule in the policy file to prevent access to any position value except those we want 30
31
ShmooCon 2009 – Washington, DC – Feb 2009 demo time (2 of 3 – div hijacking) redefine an existing div “above” our profile most stylesheets defined at the beginning of the page in or “at the top” Solution: blacklist the IDs and selector names you want to prevent the user from being able to modify 31
32
ShmooCon 2009 – Washington, DC – Feb 2009 demo time (3 of 3 – all your base are belong to us) insert a tag to hijack internal resources used to define a base for all relative URLs on the page isn’t used a whole lot as it doesn’t work within javascript & some other issues Solution: remove tag from policy file 32
33
ShmooCon 2009 – Washington, DC – Feb 2009 … not done yet! Announcing Scrubbr! database scanning tool looks for stored XSS or presentation layer attacks (phishing) best part: it’s got an ugly UI but you have no alternative free as in free beer; BSD license 33
34
ShmooCon 2009 – Washington, DC – Feb 2009 what can’t Scrubbr do? it can’t find: dom-based xss attribute-based xss it’s not a good XSS detector like NoScript or PHPIDS we’ looking at re-implementing PHPIDS in Java – that would make it JavaIDS – or javAIDS it can’t fix: probably some Oracle stuff your vulnerabilities your sdlc 34
35
ShmooCon 2009 – Washington, DC – Feb 2009 Thanks to: the shmoo group for having me all the contributors, bughunters, supporters: jason li jerry hoff raziel alvarez marcin yeelllshefsomething diazepam owasp 35
36
ShmooCon 2009 – Washington, DC – Feb 2009 ¿questions?
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.