Three OWASP Projects


Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP Asia Pacific Conference 2008

Three OWASP Projects

Michael Eddington
Leviathan Security Group
mike@leviathansecurity.com


Contents

OWASP Encoding Project (Reform)

OWASP .NET Web Service Validation

Are You a Human


OWASP ENCODING PROJECT (REFORM)

Project 1


Cross-site Scripting, The problem…

Limited encoding support in frameworks
  What about JavaScript and VBScript?
  Only: & < > "

No 100% encoding solution
  Production quality
  Low to no patches
  Forward looking
  Internationalization support

The solution… Reform!

Best of breed output encoding library
  Stable for 4 years
  No security impacting bugs… EVER!
  Conservative
  Prevents all known XSS attacks
  All major languages
  Used extensively by internationalized sites
  Extended Chinese character support

Design goals

Easy to use
Conservative
"Future Proof"
No licensing restrictions
All major platforms supported
Internationalization support

How did we do?

In production use for 4 years
Zero security impacting bugs to date
All relevant cross-site scripting bugs to date prevented
  Standard
  New
  Browser bug based
Basis for Microsoft's AntiXss

Languages

ASP, ASP.NET (1.1, 2.0, 3.x), Java, JavaScript, Perl, PHP, Python, Ruby

How it works…

White list based
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  abcdefghijklmnopqrstuvwxyz
  0123456789
  Space [ ]
  Comma [,]
  Period [.]

Cross-site scripting Attacks

Standard XSS injection attacks
  HTML injection
  HTML attribute injection
  JavaScript injection
  Etc.

Unicode XSS attacks

Browser bugs or related libraries

Unicode

Specifications include optional behaviors
Specs not always 100% clear
Libraries built off different versions of specs
Libraries work differently

Typical Unicode XSS Attack

[Diagram, reconstructed from the slide's labels: (1) input string 0x00script0x00, where 0x00 stands for a non-ASCII character not preserved in extraction; (2) ASP.NET, Unicode v2, with the same string shown as ?script? beside a Unicode v1 label; (3) 0x00script0x00 shown again, unchanged; (4) Browser renders <script>.]

Typical Unicode XSS Attack…Reformed

[Diagram, reconstructed from the slide's labels: (1) input string 0x00script0x00; (2) ASP.NET, Unicode v2, again shown as ?script? beside a Unicode v1 label; (3) Reform; (4) Reform's output &#123;script&#124;; (5) Browser renders ?script?.]

Reform, the pros and cons

Pros
  Stable code base
  Low patch rate (1 in 4 years)
  Conservative approach
  Mitigates all known issues

Cons
  Performance impact
  Larger page size

Reform API

HtmlEncode(value, [default])

JsString(value, [default])

VbsString(value, [default])


HtmlEncode(value, [default])

Value                   Return
Mary had a little lamb  Mary had a little lamb
<evil>                  &#60;evil&#62;
Tom & Jerry             Tom &#38; Jerry
"A famous quote"        &#34;A famous quote&#34;
한국 원본의 보기           &#54620;&#44397; &#50896;&#48376;&#51032; &#48372;&#44592;

JsString(value, [default])

Value                   Return
Mary had a little lamb  'Mary had a little lamb'
<evil>                  '\x3Cevil\x3E'
Tom & Jerry             'Tom \x26 Jerry'
"A famous quote"        '\x22A famous quote\x22'
한국 원본의 보기           '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'

VbsString(value, [default])

Value                   Return
Mary had a little lamb  "Mary had a little lamb"
<evil>                  chrw(60)&"evil"&chrw(62)
Tom & Jerry             "Tom "&chrw(38)&" Jerry"
"A famous quote"        chrw(34)&"A famous quote"&chrw(34)
한국 원본의 보기           chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)
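The three API slides pin down Reform's behaviour closely enough to reconstruct it. The Python below is an added illustration written for this page, not the OWASP Reform source: it applies the whitelist from the "How it works" slide (letters, digits, space, comma, period) and reproduces the HtmlEncode, JsString and VbsString outputs shown above. Three details are my assumptions rather than the slides': the optional [default] argument is taken to stand in for a null value, JsString's switch from \xHH to \uHHHH is inferred from the examples to happen at code point 256, and characters above U+FFFF (which the slides never show) are emitted as UTF-16 surrogate pairs.

```python
"""Whitelist output encoding in the style of Reform's HtmlEncode, JsString and
VbsString.  Added illustration for this page, not the OWASP Reform source."""

import string

# Whitelist from the "How it works" slide: letters, digits, space, comma, period.
# Everything else is encoded, which is what makes the approach conservative.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " ,.")


def _text(value, default):
    # Assumption: the optional [default] argument stands in for a null value.
    return str(default) if value is None else str(value)


def html_encode(value, default=""):
    """Each non-whitelisted character becomes a decimal character reference (&#NNN;)."""
    return "".join(
        ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in _text(value, default)
    )


def _js_escape(ch):
    cp = ord(ch)
    if cp < 0x100:
        return f"\\x{cp:02X}"          # \x3C for '<', as on the slide
    if cp <= 0xFFFF:
        return f"\\u{cp:04X}"          # \uD55C for Hangul, as on the slide
    # Above the BMP (not shown on the slides): emit the UTF-16 surrogate pair so
    # the JavaScript engine reconstructs the original code point.
    cp -= 0x10000
    return f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}"


def js_string(value, default=""):
    """Return a complete single-quoted JavaScript string literal."""
    body = "".join(
        ch if ch in SAFE_CHARS else _js_escape(ch) for ch in _text(value, default)
    )
    return f"'{body}'"


def vbs_string(value, default=""):
    """Return a VBScript expression: quoted runs of safe characters joined with
    chrw(N) calls by the & operator, so no quote or metacharacter is ever literal."""
    parts, run = [], []
    for ch in _text(value, default):
        if ch in SAFE_CHARS:
            run.append(ch)
            continue
        if run:
            parts.append('"' + "".join(run) + '"')
            run = []
        parts.append(f"chrw({ord(ch)})")
    if run:
        parts.append('"' + "".join(run) + '"')
    return "&".join(parts) if parts else '""'


if __name__ == "__main__":
    for sample in ["Mary had a little lamb", "<evil>", "Tom & Jerry",
                   '"A famous quote"', "한국 원본의 보기"]:
        print(html_encode(sample), js_string(sample), vbs_string(sample), sep="\n")
```

Because the decision is "is this character on the whitelist", not "is this character one of the known-dangerous ones", a new browser parsing quirk or a Unicode normalization surprise cannot introduce an unencoded metacharacter; the trade-off is the larger page size the pros-and-cons slide mentions.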

.NET Web Controls


Questions? Michael Eddington

(mike@leviathansecurity.com)

OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)


OWASP .NET WEB SERVICE VALIDATION

Project 2


The problem…

WSDL Schema validation
Additional web method validation

Canoodle

Provides WSDL schema validation
Schematron like assertions
Simple to use

Process flow

[Diagram, reconstructed from the slide's labels: Request Message → Canoodle Validation. Failure: a SOAP Fault is returned as the Response Message and there is no WebMethod Invocation. Success: WebMethod Invocation → Web Service → Response Message.]

Partial Schematron support
Schema validation based on XPath queries
Assert support via attributes

[Assert("//x > 10", "x greater than 10")]
[Assert("//y < 100", "y less than 100")]

Usage Example

[WebMethod]
[Validation]
[Assert("//t:x > 10", "x greater than 10")]
[Assert("//t:y < 100", "y less than 100")]
public void CreatePoint(int x, int y)
{
    // ...
}
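To make the attribute-driven flow concrete, here is an added Python sketch of the same idea (an illustration for this page, not Canoodle's code): a decorator stands in for the [Assert] attribute, a small evaluator handles the `//path <op> number` subset of XPath the slides use with XPath 1.0 node-set semantics, and a dispatcher runs the assertions before the web method and returns a fault on failure, as in the process-flow slide. The namespace URI bound to the t: prefix and the SOAP request are constructed sample data.

```python
"""Attribute-driven request assertions in the style of Canoodle's [Assert].
Added illustration for this page, not the OWASP .NET Web Service Validation code."""

import re
import xml.etree.ElementTree as ET

# Assumed namespace URI for the "t:" prefix the slide's assertions use.
NAMESPACES = {"t": "urn:example:points"}

# The subset of XPath 1.0 this evaluator accepts:  //some/path  <op>  numeric literal
_ASSERT_RE = re.compile(
    r"^\s*(?P<path>//[\w:./]+)\s*(?P<op><=|>=|!=|<|>|=)\s*(?P<lit>-?\d+(?:\.\d+)?)\s*$"
)
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def evaluate(root, expression):
    """XPath 1.0 node-set/number comparison: true if ANY selected node's numeric
    value satisfies it.  An empty node-set (element missing) is therefore false,
    and a non-numeric value is NaN, which never compares true."""
    match = _ASSERT_RE.match(expression)
    if match is None:
        raise ValueError(f"unsupported assertion syntax: {expression!r}")
    path, op, literal = match.group("path", "op", "lit")
    target = float(literal)
    for node in root.findall("." + path, NAMESPACES):   # ElementTree wants ".//t:x"
        try:
            number = float((node.text or "").strip())
        except ValueError:
            continue
        if _OPS[op](number, target):
            return True
    return False


def assert_(xpath, message):
    """Decorator standing in for [Assert(xpath, message)] on a WebMethod."""
    def decorate(method):
        # Decorators apply bottom-up; prepend so the list keeps source order.
        method.asserts = [(xpath, message)] + getattr(method, "asserts", [])
        return method
    return decorate


def dispatch(method, request_xml):
    """The process-flow slide: validate first; on failure return a SOAP-fault-like
    result and never invoke the method, otherwise invoke it with the parsed body."""
    root = ET.fromstring(request_xml)
    failures = [msg for xpath, msg in getattr(method, "asserts", [])
                if not evaluate(root, xpath)]
    if failures:
        return {"fault": "Client", "faultstring": "; ".join(failures)}
    return {"result": method(root)}


@assert_("//t:x > 10", "x greater than 10")
@assert_("//t:y < 100", "y less than 100")
def create_point(root):
    """Counterpart of the slide's CreatePoint(int x, int y); reads x and y from the body."""
    x = int(root.find(".//t:x", NAMESPACES).text)
    y = int(root.find(".//t:y", NAMESPACES).text)
    return (x, y)


def sample_request(x_text, y_text=None):
    """Constructed SOAP request for CreatePoint; omit y_text to leave <t:y> out."""
    y_elem = f"<t:y>{y_text}</t:y>" if y_text is not None else ""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body>"
        '<t:CreatePoint xmlns:t="urn:example:points">'
        f"<t:x>{x_text}</t:x>{y_elem}"
        "</t:CreatePoint></soap:Body></soap:Envelope>"
    )


if __name__ == "__main__":
    print(dispatch(create_point, sample_request("15", "50")))   # method invoked
    print(dispatch(create_point, sample_request("5", "50")))    # fault: x
    print(dispatch(create_point, sample_request("15")))         # fault: y missing
```

The missing-element case is the one worth noticing: because an empty node-set compares false, a request that omits `<t:y>` is rejected by the assertion layer and `create_point` never runs on a `None` value, which is exactly the "validate before the WebMethod" ordering the process-flow slide describes.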

Performance Impact

Two request XML parses
  Validating
  Non-validating
Compiled XPath queries cached

Questions? Michael Eddington

(mike@leviathansecurity.com)

.NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)


ARE YOU A HUMAN

Project 3

Are you a human…?


Captcha Examples


How to break via computer


How to break…other


What about…phones?


Are you a human?

http://areyouahuman.org
Service based, no upgrades needed
Multiple Captcha types
  Visual
  Audio
  SMS
  Etc.

Questions??? Michael Eddington

(mike@leviathansecurity.com)

OWASP Encoding Project (http://www.owasp.org/index.php/Category:OWASP_Encoding_Project)

.NET Web Service Validation (http://www.owasp.org/index.php/.NET_Web_Service_Validation)

Are you a human? (http://areyouahuman.org)
