Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP Europe Conference 2008

OWASP Encoding Project / .NET WebService Validation
Michael Eddington, Leviathan Security Group
Contents
- OWASP Encoding Project (Reform)
- OWASP .NET Web Service Validation
Cross-site Scripting, the problem…
- Limited encoding support in frameworks
  - What about JavaScript and VBScript?
  - Only: & "
- No 100% encoding solution
- Production quality
- Low to no patches
- Forward looking
- Internationalization support
The solution…Reform!
- Best of breed output encoding library
- Stable for 4 years
- No security impacting bugs…EVER!
- Conservative
- Prevents all known XSS attacks
- All major languages
- Used extensively by internationalized sites
- Extended Chinese character support
Design goals
- Easy to use
- Conservative
- "Future proof"
- No licensing restrictions
- All major platforms supported
- Internationalization support
How did we do?
- In production use for 4 years
- Zero security impacting bugs to date
- All relevant cross-site scripting bugs to date prevented
  - Standard
  - New
  - Browser bug based
- Basis for Microsoft's AntiXss
Languages
- ASP
- ASP.NET (1.1, 2.0, 3.x)
- Java
- JavaScript
- Perl
- PHP
- Python
- Ruby
How it works…
- White list based; only these characters pass through unencoded:
  - ABCDEFGHIJKLMNOPQRSTUVWXYZ
  - abcdefghijklmnopqrstuvwxyz
  - Space [ ]
  - Comma [,]
  - Period [.]
Cross-site scripting attacks
- Standard XSS injection attacks
  - HTML injection
  - HTML attribute injection
  - JavaScript injection
  - Etc.
- Unicode XSS attacks
  - Browser bugs or related libraries
Unicode
- Specifications include optional behaviors
- Specs not always 100% clear
- Libraries built off different versions of specs
- Libraries work differently
Typical Unicode XSS Attack (flow diagram)
1. Input: 0x00script0x
2. ASP.NET (Unicode v2) -> ?script?
3. Browser (Unicode v1)
4. Result rendered by the browser
Typical Unicode XSS Attack…Reformed (flow diagram)
1. Input: 0x00script0x00
2. ASP.NET (Unicode v2) -> ?script?
3. Reform
4. Encoded output: {script|
5. Browser (Unicode v1) -> ?script?
Reform, the pros and cons
Pros
- Stable code base
- Low patch rate (1 in 4 years)
- Conservative approach
- Mitigates all known issues
Cons
- Performance impact
- Larger page size
Reform API
- HtmlEncode(value, [default])
- JsString(value, [default])
- VbsString(value, [default])
HtmlEncode(value, [default])
  Value                      Return
  Mary had a little lamb     Mary had a little lamb
  <evil>                     &#60;evil&#62;
  Tom & Jerry                Tom &#38; Jerry
  "A famous quote"           &#34;A famous quote&#34;
  한국 원본의 보기             &#54620;&#44397; &#50896;&#48376;&#51032; &#48372;&#44592;

JsString(value, [default])
  Value                      Return
  Mary had a little lamb     'Mary had a little lamb'
  <evil>                     '\x3Cevil\x3E'
  Tom & Jerry                'Tom \x26 Jerry'
  "A famous quote"           '\x22A famous quote\x22'
  한국 원본의 보기             '\uD55C\uAD6D \uC6D0\uBCF8\uC758 \uBCF4\uAE30'

VbsString(value, [default])
  Value                      Return
  Mary had a little lamb     "Mary had a little lamb"
  <evil>                     chrw(60)&"evil"&chrw(62)
  Tom & Jerry                "Tom "&chrw(38)&" Jerry"
  "A famous quote"           chrw(34)&"A famous quote"&chrw(34)
  한국 원본의 보기             chrw(54620)&chrw(44397)&" "&chrw(50896)&chrw(48376)&chrw(51032)&" "&chrw(48372)&chrw(44592)
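As an added illustration of the whitelist rule and the three API calls above (my own code, not the Reform library's), the following Python encoder reproduces the slide tables: decimal character references for HtmlEncode, \xHH / \uHHHH escapes for JsString and chrw(n) expressions for VbsString. It also handles characters above U+FFFF with UTF-16 surrogate pairs, which the slides do not show, and assumes the `default` argument stands in for a None value.

```python
# Added illustration of Reform's whitelist encoding, not the Reform library's own code.
# Whitelist from the slide: A-Z, a-z, space, comma, period. Every other character is
# encoded. The `default` parameter is assumed to stand in for a None value.
WHITELIST = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ,.")


def _text(value, default):
    return str(default if value is None else value)


def _utf16_units(c):
    """UTF-16 code units for one character (surrogate pair above U+FFFF)."""
    cp = ord(c)
    if cp <= 0xFFFF:
        return [cp]
    cp -= 0x10000
    return [0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)]


def html_encode(value, default=""):
    """HTML context: decimal character references for non-whitelisted characters."""
    return "".join(c if c in WHITELIST else "&#%d;" % ord(c) for c in _text(value, default))


def js_string(value, default=""):
    """JavaScript single-quoted string literal: \\xHH below U+0100, \\uHHHH otherwise."""
    out = []
    for c in _text(value, default):
        if c in WHITELIST:
            out.append(c)
        elif ord(c) < 0x100:
            out.append("\\x%02X" % ord(c))
        else:
            out.append("".join("\\u%04X" % u for u in _utf16_units(c)))
    return "'" + "".join(out) + "'"


def vbs_string(value, default=""):
    """VBScript expression: quoted runs of whitelisted text joined with chrw(n) calls."""
    parts, run = [], []
    for c in _text(value, default):
        if c in WHITELIST:
            run.append(c)
            continue
        if run:
            parts.append('"' + "".join(run) + '"')
            run = []
        parts.extend("chrw(%d)" % u for u in _utf16_units(c))
    if run or not parts:
        parts.append('"' + "".join(run) + '"')
    return "&".join(parts)
```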
.NET Web Controls
- Limited if any cross site scripting prevention
- Controls can be extended: Literal, Label, DataGrid, etc.
- Reform provides these!
Questions?
Michael Eddington
OWASP Encoding Project ( ASP_Encoding_Project)
Project 2: OWASP .NET Web Service Validation
The problem…
- WSDL schema validation
- Additional web method validation
Canoodle
- Provides WSDL schema validation
- Schematron-like assertions
- Simple to use
Process flow (diagram)
1. Request Message
2. Canoodle Validation
   - Failure -> SOAP Fault Response Message
   - Success -> WebMethod Invocation (Web Service)
3. Response Message, or SOAP Fault Response Message on failure
Partial Schematron support
- Schema validation based on XPath queries
- Assert support via attributes:
    [Assert("//x > 10", "x greater than 10")]
    [Assert("//y < 100", "y less than 100")]
Usage Example

    [WebMethod]
    [Validation]
    [Assert("//t:x > 10", "x greater than 10")]
    [Assert("//t:y < 100", "y less than 100")]
    public void CreatePoint(int x, int y)
    {
        //...
    }
Performance Impact
- Two request XML parses
  - Validating
  - Non-validating
- Compiled XPath queries cached
Questions?
Michael Eddington
.NET Web Service Validation ( ervice_Validation)