ANTISAMY JAVA INTRODUCTION

Wang WenjunJune 2011

Who am I?

Name Wang Wenjun(王文君 )

EMail shanda.wang@gmail.com

Job HP Shanghai Engineering Lab

Side Job Roger Federer’s hot fan

Quote 博观而约取，厚积而薄发

Agenda

• Story of Samy

• How AntiSamy works?

• Case study

• Advanced topic

Part 1 Story of Samy

Story of Samy

• Myspace is a social networking site(SNS), and you can setup your own profile.

• Samy made one XSS-Worm in his own profile, which made his reader as the new XSS-worm source.

Attack theory of Samy Worm

Samy’s profile

friend1 profile

friend2 profile

friend2 profile

friend1 profile

friend2 profile

Why MySpace is wrong?

It uses a black word list, but you can’t foresee all the possible attack ways.

User needs to input HTML code?

SNS needs to provide a

customized profile

Rich editor to some enterprise

application

Community site like ebay allow

public list

Yes, the need HTML

It is your turn, AntiSamy!

Part 2How AntiSamy work

AntiSamy introduction

• An HTML input validation API• It uses a white word list(defined in policy file)

Dirty input

Policy file

Clean output

Dive to AntiSamy (1) - Sanitize

body

div b

u

a

p

imgsrc=javascript:xss()

style=expression(…)

samy is my hero

id=foo

<body><div id="foo"><img src="javascript:xss()"></div><b><u><p style="expression(…) ">samy is my hero</p></u></b><a href="http://www.google.com">Google</a><script src="hax.js"></script>

(text)

script href=… src=hax.js

Google

(text)

Dive to AntiSamy (2) - validate

Tag • <tag-rules>

Attribute• <common-

attributes>• <global-tag-

attributes>

Expression • <common-regexps>

Dive to AntiSamy (3) - configuration

Dive to AntiSamy (4) - result

<div> </div> <b> <p> samy is my hero</p> </b> <a href="http://www.google.com"> Google</a>

How can I start?

Definition

• Think which tags and attributes you need• Define the regular expression to the allowed values

Configurati

on

• Find the similar policy file sample• Modify it to meet your requirement

Coding

• Very easy, refer to the next page

Very easy to code

Part 3Case study

Case 1 – show html content

NO AntiSamy

With AntiSamy,remove script

With AntiSamy,Remove link

Case 2 – prevent CSRF

3

2

Attacker sets the trap on some website on the internet(or simply via an e-mail)1

While logged into vulnerable site,victim views attacker site

Vulnerable site sees legitimate request from victim and performs the action requested

<img> tag loaded by browser – sends GET request (including credentials) to vulnerable site

Custom Code

Acco

unts

Fina

nce

Adm

inis

trati

onTr

ansa

ction

s

Com

mun

icati

onKn

owle

dge

Mgm

tE-

Com

mer

ceBu

s. F

uncti

ons

Hidden <img> tag contains attack against vulnerable site

Application with CSRF vulnerability

• Add a token to each protected resource(url) as a hidden parameter

• Can leverage ESAPI

General solution

• Define the attribute value expression to href

• As a result, all the offsite url will be removed.

AntiSamy

Remove offsite URL

Case 3 – Rich editor

Usability VS SecurityWe want to improve the usability to satisfy customer

We have to guarantee the application security

Directly output user’s input

Use policy to filter the input

Policy file content

Part 4Advanced topic

Topic 1 – XSS prevention

Modify / Keep / Break

AntiSamy ESAPI Stinger

• Use whitelist to get clean output• Remove some words to handle XSSAntiSamy

• A set of security control acess• Use encode to handle XSSESAPI

• Use blacklist to validate the input• Break one rule, break the chainStinger

ESAPI encode

Use ESAPI to encode the input

Java code and html code

Stinger

Topic 2 - Scrubb

Database scanning tool

Focus on stored XSS

BSD license

Summary

AntiSamy is used to get a clean HTML• Policy file

Typical use case for AntiSamy• Display the HTML file• Security to rich editor• CSRF

Handle XSS • AntiSamy• ESAPI encode• Stinger

Resources• OWASP China AntiSamy Java http://www.owasp.org.cn/owasp-project/Projects/OWASP_AntiSamy_Java

• OWASP AntiSamy Javahttp://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

• AntiSamy smoke test site http://antisamysmoketest.com/go/attack

• ESAPI https://www.owasp.org/index.php/Esapi

• XSS Cheat sheethttp://ha.ckers.org/xss.html

QUESTIONS?