Download presentation: OWASP Europe Conference 2008 OWASP AntiSamy Project

45fa33a8e1d0768df384e1a1112c89bd.ppt

  • Number of slides: 40

OWASP Europe Conference 2008. OWASP AntiSamy Project. Jason Li, Senior Application Security Engineer, jason.li@aspectsecurity.com. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Who are you people?
  • Jason Li is a ballroom dancing, 10-pin bowling maniac

Talk Outline
  • What is OWASP AntiSamy?
  • Why did you make it?
  • How does

What is OWASP AntiSamy?
  • An HTML validation tool and API
  • Currently a Beta

Why did you make it?
  • Websites need user created content: User Customized Profiles (ex.

What is XSS?
  • General Problem:
    - Site takes input that is included in HTML

Reflected XSS - Illustrated. Email / Instant Message from attacker@evil.com to innocent@victim.com: "Check out this cool link!!! http://www.example.com/search?"

Reflected XSS - Illustrated. HTTP / HTTPS request from innocent@victim.com to www.example.com: GET /search? … HTTP/1.1; User-Agent: InterOperFireFari/4.04; Cookie: SESSION_COOKIE: QXJzaGFuIGlzIG15IGhlcm8=;

Reflected XSS - Illustrated. HTTP / HTTPS response between www.example.com and innocent@victim.com: <html> … You searched for: …

Stored XSS - Illustrated. HTTP / HTTPS request from attacker@evil.com to www.example.com: POST /comment? … HTTP/1.1; User-Agent: InterOperFireFari/4.04; Cookie: SESSION_COOKIE: QXJzaGFuIGlzIG15IGhlcm8=;

Stored XSS - Illustrated. HTTP / HTTPS between innocent@victim.com, sacrificial@lamb.com and www.example.com: … Headline News (Waffles, BE): … attacker@evil.com Says: …

But That’ll Never Happen to Me!
  • GMail has cookies stolen via XSS in Google

The Samy Worm
  • MySpace is a popular social networking website
  • Users create custom

The Samy Worm (continued)
  • Samy wanted to make friends
  • Used his profile to store

The Samy Worm (continued)
  • Anyone viewing Samy’s profile:
    - Made Samy their “friend” (actually,

What If I…
  • Just strip out <script> tags (i.e. blacklist)!
    - Requires constant update
    - Provides low assurance (ex. Samy Worm)

What If I…
  • Encode text and decode selected tags
    - Good for small set

So What Makes AntiSamy Better?
  • High Level of Assurance
    - Settings are safe

How does it work?
  • Turn HTML into XML
  • Scan Each Node
  • Take Responsive Action

How does it work? (cont) Turn HTML into XML
  • Uses Neko HTML Parser to

How does it work? (cont) Scan Each Node
  • Scan each node against policy file

How does it work? (cont) Take Responsive Action
  • Filter – Promotes content but erases

How does it work? (cont) Stylesheet Behavior
Parse
  • Parse CSS using SAC (Simple API for CSS)
  • SAC is event-driven (a la SAX)
Validate
  • Validate selector names against policy
  • Validate property values against policy
  • Remove failed properties and selectors
Serialize
  • Canonicalize style output

How does it work? (cont) Example input: <body> <p> This is <b onclick="alert(bang!)">so</b> cool!! <img src="http:

This is so cool!!
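The three steps above (turn HTML into a tree, scan each node against a policy, take the responsive action, then serialize), as a small added Python model run over the slide's own input. This is not AntiSamy's code or its policy format; the allowlist, the attribute regexes and the "remove" tag set are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed policy (stands in for AntiSamy's XML policy file): tags that may
# survive, the attributes each may carry with a regex their value must match,
# and tags whose whole subtree is dropped. Anything else is "filtered": its
# tag is erased but its content is promoted to the parent.
ALLOWED = {
    "p": {}, "b": {}, "i": {},
    "a": {"href": re.compile(r"^https?://", re.I)},
}
REMOVE = {"script", "style", "iframe"}

class TreeBuilder(HTMLParser):
    """Step 1: turn HTML into a tree of [tag, attrs, children] nodes.
    html.parser lower-cases tag and attribute names for us."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = ["#root", {}, []]
        self.stack = [self.root]
    def handle_starttag(self, tag, attrs):
        node = [tag, dict(attrs), []]
        self.stack[-1][2].append(node)
        self.stack.append(node)
    def handle_endtag(self, tag):
        if len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        self.stack[-1][2].append(data)

def clean(node):
    """Steps 2 and 3: scan one node against the policy and act on it,
    recursing into children. Text is always re-escaped on output."""
    tag, attrs, children = node
    if tag in REMOVE:
        return ""                          # drop the tag and everything inside
    body = "".join(clean(c) if isinstance(c, list) else escape(c)
                   for c in children)
    if tag not in ALLOWED:
        return body                        # filter: keep content, erase tag
    rules = ALLOWED[tag]
    kept = {k: v or "" for k, v in attrs.items()
            if k in rules and rules[k].match(v or "")}
    attr_text = "".join(f' {k}="{escape(v)}"' for k, v in kept.items())
    return f"<{tag}{attr_text}>{body}</{tag}>"

def sanitize(html):
    """Whole pipeline: parse, scan every node, act, serialize clean HTML."""
    builder = TreeBuilder()
    builder.feed(html)
    builder.close()
    return clean(builder.root)

if __name__ == "__main__":
    # The slide's own input: the onclick handler is stripped, the text kept.
    print(sanitize('<p>This is <b onclick="alert(bang!)">so</b> cool!!</p>'))
```

A `javascript:` href fails the attribute regex and is dropped while the link text survives, and a `<script>` subtree is removed whole; both are the "responsive action" the slides describe, chosen per node by the policy.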