Dealing with User Input Securely
Kim Carter – OWASP Day 2013-09-12
Agenda
Demonstrate vulnerabilities
Increase knowledge, awareness and desire to test
Discuss practical techniques and approaches that increase our defences
Why the hacker always has the advantage
A developer has to get every input path right; an attacker only has to find the one that is wrong.
Learn to enjoy breaking your own software. It'll make you a better developer.
Our builders must think like breakers.
Developer's day job: write code
Hacker's day job: break code
What does poor sanitisation look like?
OWASP ZAP also has a REST API, which is useful for driving scans from regression test suites.
If we have time at the end, we'll go over some AJAX XSS.
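As an added example (not from the slides or the author's code) of wiring ZAP into a regression suite: the script below asks a locally running ZAP daemon for the alerts it has collected against the application's base URL via the core/view/alerts endpoint, collapses the per-parameter duplicates ZAP reports, and fails the run when anything at or above a chosen risk level was found. The ZAP address, API key and the sample alert list are assumptions; the alerts are constructed in the shape ZAP returns, not real scan output.

```python
"""Gate a regression suite on OWASP ZAP alerts via its REST API.

Added example, not from the slides. Assumes a ZAP daemon is listening on
localhost:8080 with an API key, and that the suite has already driven the
application through ZAP as a proxy (or run an active scan). Queries the
core/view/alerts endpoint and fails if any alert at or above a chosen
risk level was raised for the application's base URL.
"""
import json
import urllib.parse
import urllib.request

ZAP_API = "http://localhost:8080"          # assumption: local ZAP daemon
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def alerts_url(base_url, api_key, count=1000):
    """Build the ZAP core/view/alerts request URL for one application."""
    query = urllib.parse.urlencode(
        {"baseurl": base_url, "start": 0, "count": count, "apikey": api_key}
    )
    return f"{ZAP_API}/JSON/core/view/alerts/?{query}"


def fetch_alerts(base_url, api_key):
    """Fetch the alert list (network call; not exercised by the tests)."""
    with urllib.request.urlopen(alerts_url(base_url, api_key)) as resp:
        return json.load(resp)["alerts"]


def failing_alerts(alerts, min_risk="Medium"):
    """Return alerts at or above min_risk, deduplicated by (alert, url, param).

    ZAP reports one alert per affected parameter, so collapsing duplicates
    keeps the failure report readable.
    """
    threshold = RISK_ORDER[min_risk]
    seen = set()
    result = []
    for a in alerts:
        if RISK_ORDER.get(a.get("risk"), 0) < threshold:
            continue
        key = (a.get("alert"), a.get("url"), a.get("param"))
        if key in seen:
            continue
        seen.add(key)
        result.append({"risk": a["risk"], "alert": a["alert"],
                       "url": a.get("url", ""), "param": a.get("param", "")})
    return result


def suite_passes(alerts, min_risk="Medium"):
    """True when nothing at or above min_risk was found."""
    return not failing_alerts(alerts, min_risk)


# Constructed sample in the shape ZAP returns (not a real scan result).
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "Cross Site Scripting (Reflected)",
     "url": "http://app.local/search", "param": "q"},
    {"risk": "High", "alert": "Cross Site Scripting (Reflected)",
     "url": "http://app.local/search", "param": "q"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "http://app.local/", "param": ""},
    {"risk": "Low", "alert": "Cookie Without Secure Flag",
     "url": "http://app.local/login", "param": "session"},
    {"risk": "Informational", "alert": "Information Disclosure - Suspicious Comments",
     "url": "http://app.local/", "param": ""},
]

if __name__ == "__main__":
    for a in failing_alerts(SAMPLE_ALERTS):
        print(f"{a['risk']:<6} {a['alert']} at {a['url']} [{a['param']}]")
    print("PASS" if suite_passes(SAMPLE_ALERTS) else "FAIL")
```

In a real suite, call fetch_alerts after the functional tests have finished proxying through ZAP, and pick the threshold deliberately: failing on Medium catches missing security headers as well as injection findings, while failing only on High lets the suite go green with known Medium issues outstanding.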
Quality
What is quality?
Do we as builders care?
Why we should care
But increasing quality is expensive, right?
Not necessarily.
My Philosophy on Quality
Everyone on the team needs to be thinking about it. Not just the testers.
Reducing faults much earlier in the cycle.
User Input Sanitisation Strategies
All code should be driven by executable specifications. Especially sanitisation logic.
Based around my following two blog posts:
http://blog.binarymist.net/2012/11/04/sanitising-user-input-from-browser-part-1/
http://blog.binarymist.net/2012/11/16/sanitising-user-input-from-browser-part-2/
The main components were a WCF service which dished up XSL'd XML as HTML to an existing web app.
The strategies covered:
Threat modelling
Defence in depth
Minimising attack surface
Field length validation, including constraining fields to structured data
Parametrised queries / prepared statements
Least privilege
White lists
How to escape untrusted data for the different execution contexts
Why bother with client side
Leveraging existing libraries
(File uploads are not covered.)
Threat modelling
Ideally performed at design time.
Identify the real risks. How?
Decomposition: determine entry points, assets and the trust levels of users; analyse dependencies.
Determine and rank threats.
Determine security controls to prevent the threats.
Defence in depth
Multiple layers may seem redundant. Think of each layer as the only layer.
Attempt to stop the attack as soon as possible.
The layers, from the outside in:
User interface (mark-up, JavaScript, CSS)
Client – server comms
Server side (internet facing)
Back end code
Data store
Minimising attack surface
Field length validation (client side)
Field length validation (server side)
Constrain fields to well-structured data: dates, post codes, e-mail addresses, check boxes, radio buttons.
Minimise free-form text input. It is hard to create small white lists for free-form text.
Parametrised Queries / Prepared Statements
Least privilege
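The slide above carried only a code screenshot; the following is an added example (mine, not the author's, and not tied to the WCF/.NET stack the talk used) of both points in one place. It uses Python's bundled sqlite3 so it runs offline: a string-built query is shown beside its parametrised form against the same tautology payload, and the application's query connection is opened read-only to stand in for a least-privilege database account, so the injection that does succeed through the string-built query still cannot write. The table, rows and file location are constructed.

```python
"""String-built SQL versus a parametrised query, plus least privilege.

Added example, not from the slides. Uses Python's bundled sqlite3 with a
temporary database file so it runs offline. The read-only connection stands
in for a least-privilege database account: even a successful injection
through it cannot modify data.
"""
import os
import sqlite3
import tempfile

DB_PATH = os.path.join(tempfile.mkdtemp(), "users.db")  # constructed sample DB


def seed():
    """Create the sample table (constructed data, not from any real system)."""
    with sqlite3.connect(DB_PATH) as con:
        con.execute("CREATE TABLE IF NOT EXISTS users (name TEXT, email TEXT)")
        con.execute("DELETE FROM users")
        con.executemany("INSERT INTO users VALUES (?, ?)", [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ])


def find_user_vulnerable(con, name):
    """Deliberately vulnerable: the input becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con, name):
    """Parametrised: the input travels as a value, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def read_only_connection():
    """Least privilege: the application's query path cannot write."""
    return sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)


def writable_connection():
    """What an over-privileged application account looks like."""
    return sqlite3.connect(DB_PATH)


def can_write(con):
    """Probe whether an UPDATE through this connection is permitted."""
    try:
        con.execute("UPDATE users SET email = 'x' WHERE name = 'nobody'")
        con.rollback()          # only probing; undo and release the lock
        return True
    except sqlite3.OperationalError:   # "attempt to write a readonly database"
        return False


INJECTION = "' OR '1'='1"   # classic tautology payload

if __name__ == "__main__":
    seed()
    con = read_only_connection()
    print("vulnerable:", find_user_vulnerable(con, INJECTION))  # every row
    print("safe:      ", find_user_safe(con, INJECTION))        # no rows
    print("can write: ", can_write(con))                        # False
```

The parametrised form closes the injection; the read-only connection limits what an injection elsewhere in the code base can do. Both belong in the same design, which is the defence-in-depth point of the earlier slide.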
White lists
Decide which characters are essential for each input.
You can now use the HTML5 pattern attribute on input tags. It doesn't cover textareas, and like every client-side check it is bypassable, so the same rule has to be enforced again on the server.
Client Side
Characters can get into a field three ways, and the client-side white list has to catch all of them:
1. type the characters in
2. [ctrl]+[v] characters from the clipboard
3. right click -> Paste
Server Side
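The server-side slide was a code screenshot. As an added example (not the author's code, and in Python rather than the .NET stack of the talk), this is one way to keep a single definition per field covering the maximum length, the structured-data constraint and the character white list, check it on the server, and hand the same regex to the browser's pattern attribute so the client-side check and the server-side check cannot drift apart. Field names, limits, regexes and the two submissions are constructed for illustration.

```python
"""Server-side input constraints: length limits, structured fields and
character white lists, with the same rule exported for the HTML5 pattern
attribute so client and server enforce one definition.

Added example, not from the slides. Field names and limits are invented for
illustration. Regexes are kept to the subset that Python's re and the
browser's pattern attribute interpret the same way.
"""
import re

# One definition per field: max length plus a white-list regex.
# (constructed rules; a 4-digit post code is the structured-data example)
FIELDS = {
    "first_name": {"max_len": 40,  "pattern": r"[A-Za-z][A-Za-z' -]*"},
    "post_code":  {"max_len": 4,   "pattern": r"[0-9]{4}"},
    "dob":        {"max_len": 10,  "pattern": r"[0-9]{4}-[0-9]{2}-[0-9]{2}"},
    "email":      {"max_len": 254, "pattern": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"},
    "newsletter": {"max_len": 3,   "pattern": r"yes|no"},   # check box: fixed vocabulary
}


def validate_field(name, value):
    """Return None if value is acceptable for field name, else a reason.

    Length is checked before the regex so an oversized payload is rejected
    cheaply and the regex never runs on unbounded input.
    """
    rule = FIELDS.get(name)
    if rule is None:
        return "unknown field"              # unexpected parameters are rejected
    if not isinstance(value, str):
        return "not a string"
    if len(value) > rule["max_len"]:
        return f"longer than {rule['max_len']} characters"
    if re.fullmatch(rule["pattern"], value) is None:
        return "contains characters outside the white list"
    return None


def validate_form(form):
    """Validate every submitted field; returns {field: reason} for failures."""
    errors = {name: validate_field(name, value) for name, value in form.items()}
    return {k: v for k, v in errors.items() if v is not None}


def html_pattern(name):
    """The same white list as an HTML5 pattern attribute value.

    The browser anchors pattern to the whole value, as re.fullmatch does.
    """
    return FIELDS[name]["pattern"]


# Constructed submissions: one honest, one hostile.
HONEST = {"first_name": "Kim", "post_code": "6011", "dob": "1980-01-31",
          "email": "kim@example.test", "newsletter": "yes"}
HOSTILE = {"first_name": "<script>alert(1)</script>", "post_code": "6011' OR 1=1--",
           "dob": "1980-01-31", "email": "kim@example.test", "newsletter": "yes",
           "debug": "1"}

if __name__ == "__main__":
    print(validate_form(HONEST))    # {}
    print(validate_form(HOSTILE))
    print(f'<input name="post_code" maxlength="4" pattern="{html_pattern("post_code")}">')
```

Rejecting unknown parameters outright is what "minimising attack surface" looks like at the request-parsing layer: an extra field that the form never rendered is not an honest user's input.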
Escaping
Escape all characters according to the execution contexts they may end up in, even if they are not in your white lists.
You can get away with the following escaping example only if you are placing untrusted data in HTML element content, and you're sure that any attributes it lands in are quoted.
Escaping details for the additional contexts are here:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Client Side
Server Side
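The two escaping slides were screenshots, so here is an added example (not the author's code) that makes the caveat above concrete. html.escape from the Python standard library is the element-content encoder. A payload built without any of the characters it touches is harmless in element content and in a quoted attribute, but becomes a live event handler in an unquoted attribute; the attribute-context encoder from the OWASP XSS Prevention Cheat Sheet (every character outside [A-Za-z0-9] as &#xHH;) is what closes that hole. The payloads are constructed, and the helper that inspects the output uses the standard library's HTML parser to decide whether a real on* attribute was produced.

```python
"""Why element-content escaping is only safe for element content and
quoted attributes.

Added example, not from the slides. html.escape is the standard library's
element-content encoder; attr_encode implements the OWASP XSS Prevention
Cheat Sheet rule for attribute values (encode every character outside
[A-Za-z0-9] as &#xHH;). Payloads are constructed.
"""
import html
import re
from html.parser import HTMLParser

# Needs no < > " ' or &: it relies on the attribute being unquoted, so a
# space ends the value and starts a new attribute.
ATTR_PAYLOAD = "x onmouseover=alert(1)"
TAG_PAYLOAD = "<img src=x onerror=alert(1)>"


def element_content(untrusted):
    """Safe: untrusted data as the text content of an element."""
    return f"<p>{html.escape(untrusted)}</p>"


def quoted_attribute(untrusted):
    """Safe: html.escape also turns \" and ' into entities by default,
    so the value cannot close the quotes."""
    return f'<div title="{html.escape(untrusted)}"></div>'


def unquoted_attribute_escaped(untrusted):
    """Unsafe even after html.escape: nothing in ATTR_PAYLOAD is touched."""
    return f"<div title={html.escape(untrusted)}></div>"


def attr_encode(untrusted):
    """Attribute encoding per the OWASP cheat sheet: every character except
    alphanumerics becomes &#xHH;, so space and '=' cannot act as attribute
    separators even without quotes."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#x{ord(m.group()):02X};", untrusted)


def unquoted_attribute_encoded(untrusted):
    """Only acceptable if you must leave the attribute unquoted."""
    return f"<div title={attr_encode(untrusted)}></div>"


class _AttrCollector(HTMLParser):
    """Records (tag, attribute-name) pairs as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((tag, name) for name, _ in attrs)


def event_handler_attrs(markup):
    """The on* attributes a browser-like parser would actually create."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return [(t, n) for t, n in parser.attrs if n.startswith("on")]


if __name__ == "__main__":
    for fn in (element_content, quoted_attribute, unquoted_attribute_escaped,
               unquoted_attribute_encoded):
        out = fn(ATTR_PAYLOAD)
        verdict = "UNSAFE" if event_handler_attrs(out) else "ok"
        print(f"{fn.__name__:<28} {verdict:<6} {out}")
    print(element_content(TAG_PAYLOAD))
```

The lesson matches the slide: the cheap encoder is fine where the data lands in element content or a quoted attribute, and the decision about which encoder to use is made by the output context, not by what the white list let through.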
Why bother with client side
User experience: validating on the server means a round trip before the user gets any feedback, which can be a lot slower.
When an honest user submits their data, they're not going to get server-side validation errors.
The client-side check is for the honest user's benefit only. An attacker posts straight to the server, so the server must validate everything again.
Leveraging existing libraries
Useful
● OWASP Encoding Project (Reform library). Supports Perl, Python, PHP, JavaScript, ASP, Java, .NET
● OWASP Enterprise Security API
Not so useful
● Microsoft Anti-Cross Site Scripting Library
A lot more detail on my blog: blog.binarymist.net
Stored XSS via AJAX
Using: http://google-gruyere.appspot.com/
When the user clicks the refresh button, the response looks like:
In the mark-up, the snippet looks like:
Resources
Threat Modelling
● https://www.owasp.org/index.php/Application_Threat_Modeling
● https://www.owasp.org/index.php/Threat_Risk_Modeling
Cheat Sheets and Check Lists I found helpful
● https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
● https://www.owasp.org/index.php/OWASP_Validation_Regex_Repository
● https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat
● https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
● https://www.owasp.org/index.php/OWASP_AJAX_Security_Guidelines
(Uploaded to SlideShare as: What's Our Software Doing With All That User Input)
