Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What’s Our Software Doing With All That User Input

Kim Carter
September 12, 2013
Technology
1
360

What’s Our Software Doing With All That User Input

What are we doing with all the characters that get shoved into our applications? Have we considered every potential execution context?
It’s often interesting and surprising to see what sort of concoction of characters can be executed in different places… and linking multiple attack vectors together which the builders haven’t thought about.
What are we trusting? Why are we trusting it? What, where and how should we be sanitising?

We have a vast collection of libraries, techniques, cheat sheets, tutorials, guides and tools at our disposal.
I often find myself thinking… how can we commoditise the sanitisation of user input and I keep coming up with the same answer.
It’s not easy. Every application has a completely different set of concerns.

In order for our software to be shielded from an attack, the builders must think like attackers.

In this talk I’ll attempt to:

Increase our knowledge and awareness
Discuss practical techniques and approaches that increase our defences
Break some software

Kim Carter

September 12, 2013
Tweet

More Decks by Kim Carter

See All by Kim Carter
Application Intrusion Detection
binarymist
0
420
owaspnz-chch-meetup-2021-workshop-planning-and-covid
binarymist
0
470
Security Regression Testing on OWASP Zap Node API
binarymist
1
9.5k
Building purpleteam (a Security Regression Testing SaaS) - From PoC to Alpha
binarymist
0
1.2k
OWASP Quiz Night
binarymist
2
1.1k
The Art of Exploitation
binarymist
2
1.1k
Developing a High Performance Security Focussed Agile Team (2 hr workshop)
binarymist
1
740
OWASP NZ Day 2016
binarymist
0
150
Infectious Media with Rubber Ducky
binarymist
1
500

Other Decks in Technology

See All in Technology
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
470
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
290
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
120
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
いざ、BSC討伐の旅
nikinusu
2
780
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
5
560
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.3k
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
490

Featured

See All Featured
KATA
mclloyd
29
14k
It's Worth the Effort
3n
183
27k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
Producing Creativity
orderedlist
PRO
341
39k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Ruby is Unlike a Banana
tanoku
97
11k
Being A Developer After 40
akosma
86
590k
Making Projects Easy
brettharned
115
5.9k

Transcript

  1. Dealing with User Input Securely Kim Carter – OWASP Day

    2013-09-12

  2. Demonstrate vulnerabilities Increase knowledge, awareness and desire to test Discuss

    practical techniques and approaches that increase our defences Agenda

  3. Why the hacker always has the advantage Learn to enjoy

    breaking your own software. It'll make you a better developer. Our builders must think like breakers Developers Day Job Write Code Hackers Day Job Break Code

  4. What does Poor Sanitisation look like?

  5. OWASP ZAP also has a REST API. Useful for regression

    test suites If we have time at the end, we'll go over some AJAX XSS

  6. Quality What is Quality? Do we as builders care? Why

    we should care
  7. None

  8. Quality But increasing quality is expensive right?

  9. Quality Not necessarily

  10. My Philosophy on Quality Everyone on the team needs to

    be thinking about it. Not just the testers. Reducing faults much earlier in the cycle.

  11. User Input Sanitisation Strategies All code should be driven by

    executable specifications. Especially sanitisation logic Based around my following two blog posts http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-part-1/ http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-part-2/ Main components were a WCF service which dished up XSL'd XML as HTML to an existing web app

  12. User Input Sanitisation Strategies Threat modelling Defence in depth Minimising

    attack surface Field length validation, incl structured data Parametrised Queries / Prepared Statements Least privilege White lists How to escape untrusted data for the different execution contexts File uploads not covered Why bother with client side Leveraging existing libraries

  13. Threat modelling Ideally performed at design time Identify the real

    risks. How? Decomposition Determine entry points, assets, trust levels of users Analyse dependencies Determine & rank threats Determine security controls to prevent threats

  14. Defence in depth Multiple layers may seem redundant Think of

    each layer as the only layer Attempt to stop the attack as soon as possible User Interface (Mark-up, JavaScript, CSS) Client – Server Comms Server side (internet facing) Back end code Data store

  15. Minimising attack surface Field length validation (client side)

  16. Minimising attack surface Field length validation (server side)

  17. Minimising attack surface Constrain fields to well structured data. Dates,

    post codes, e-mail addresses, check boxes, radio buttons Minimise free-form text input Hard to create small white lists with free-form

  18. Parametrised Queries / Prepared Statements Least privilege

  19. White lists Decide which characters are essential for each input

    Can now use the HTML5 pattern attribute on input tag. Doesn't cover textareas

  20. Client Side 1.type the characters in 2.[ctrl]+[v] characters in clipboard

    3.right click -> Paste

  21. Server Side

  22. Escaping Escape all characters depending on potential execution contexts they

    may end up in. Even if they are not in your white lists Get away with the following escaping example only if you deal with untrusted data in HTML elements and you're sure your attributes are all quoted Escaping details for additional contexts here: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

  23. Client Side

  24. Server Side

  25. Why bother with client side User Experience Server side sanitisation

    can be a lot slower When an honest user submits their data, they're not going to get server side exceptions due to validation

  26. Leveraging existing libraries Useful • OWASP Encoding Project (Reform library)

    Supports Perl, Python, PHP, JavaScript, ASP, Java, .NET • OWASP Enterprise Security API Not so Useful • Microsoft Anti-Cross Site Scripting Library A lot more detail on my blog blog.binarymist.net

  27. Using: http://google-gruyere.appspot.com/ Stored XSS via AJAX

  28. When the user clicks refresh button, response looks like In

    the mark-up the snippet looks like:

  29. Resources Threat Modelling • https://www.owasp.org/index.php/Application_Threat_Modeling • https://www.owasp.org/index.php/Threat_Risk_Modeling Cheat Sheets and

    Check Lists I found helpful • https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet • https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat _Sheet • https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet • https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines
  30. None