ANTISAMY JAVA INTRODUCTION
Wang Wenjun, June 2011
Who am I?
Name: Wang Wenjun (王文君)
EMail: [email protected]
Job: HP Shanghai Engineering Lab
Side Job: Roger Federer's hot fan
Quote: Read widely but take sparingly; accumulate much and release little (博观而约取,厚积而薄发)
Agenda
• Story of Samy
• How AntiSamy works?
• Case study
• Advanced topic
Part 1 Story of Samy
Story of Samy
• MySpace is a social networking site (SNS) where you can set up your own profile.
• Samy put an XSS worm in his own profile; everyone who viewed it had the worm copied into their own profile and became a new source of the XSS worm.
Attack theory of Samy Worm
[Figure: propagation diagram] Samy's profile → friend1 profile → friend2 profile → ... Each reader of an infected profile becomes infected, and their friends are the next victims.
Why was MySpace wrong?
It used a blacklist of words, but you cannot foresee all the possible ways to attack.
Does the user need to input HTML code?
• An SNS needs to provide a customized profile
• A rich editor in some enterprise applications
• Community sites like eBay allow public listings
Yes, they need HTML
It is your turn, AntiSamy!
Part 2 How AntiSamy works
AntiSamy introduction
• An HTML input validation API
• It uses a whitelist (defined in a policy file)
Dirty input → Policy file → Clean output
Dive to AntiSamy (1) - Sanitize
Dirty input:
<body><div id="foo"><img src="javascript:xss()"></div><b><u><p style="expression(…) ">samy is my hero</p></u></b><a href="http://www.google.com">Google</a><script src="hax.js"></script>
AntiSamy parses it into a tag tree:
body → div (id=foo) → img (src=javascript:xss())
body → b → u → p (style=expression(…)) → text "samy is my hero"
body → a (href=http://www.google.com) → text "Google"
body → script (src=hax.js)
Dive to AntiSamy (2) - validate
Tag: <tag-rules>
Attribute: <common-attributes>, <global-tag-attributes>
Expression: <common-regexps>
Dive to AntiSamy (3) - configuration
Dive to AntiSamy (4) - result
<div> </div> <b> <p> samy is my hero</p> </b> <a href="http://www.google.com"> Google</a>
How can I start?
Definition
• Think about which tags and attributes you need
• Define the regular expressions for the allowed values
Configuration
• Find the most similar sample policy file
• Modify it to meet your requirements
Coding
• Very easy, refer to the next page
Very easy to code
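The coding step above, shown with the AntiSamy Java API on the dirty input from the "Sanitize" slide. This is an added example, not the slide's own code; it assumes the AntiSamy jar is on the classpath and that a policy file named antisamy-slashdot.xml (one of the sample policies shipped with AntiSamy; the path is an assumption) is in the working directory.

```java
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyDemo {

    // Scan one piece of untrusted HTML against an already-loaded policy.
    // Load the policy once at startup and reuse it; parsing it per request is slow.
    public static CleanResults sanitize(String taintedHtml, Policy policy)
            throws ScanException, PolicyException {
        AntiSamy antiSamy = new AntiSamy();
        return antiSamy.scan(taintedHtml, policy);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the same dirty input as the "Sanitize" slide.
        String dirty = "<body><div id=\"foo\"><img src=\"javascript:xss()\"></div>"
                + "<b><u><p style=\"expression(1)\">samy is my hero</p></u></b>"
                + "<a href=\"http://www.google.com\">Google</a>"
                + "<script src=\"hax.js\"></script>";

        // Assumed path: point this at the policy file you modified in the
        // "Configuration" step.
        Policy policy = Policy.getInstance("antisamy-slashdot.xml");

        CleanResults results = sanitize(dirty, policy);

        // Store or render only the clean HTML, never the original input.
        System.out.println("Clean HTML: " + results.getCleanHTML());

        // The error messages describe what the policy removed or rewrote
        // (the <script> tag, the javascript: src, the expression() style).
        // Logging them gives you a record of rejected input for later review.
        List<String> messages = results.getErrorMessages();
        System.out.println(results.getNumberOfErrors() + " problem(s) found:");
        for (String message : messages) {
            System.out.println("  - " + message);
        }
    }
}
```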
Part 3 Case study
Case 1 – show HTML content
[Screenshots]
• No AntiSamy
• With AntiSamy, script removed
• With AntiSamy, link removed
Case 2 – prevent CSRF
[Figure: CSRF attack flow against an application with a CSRF vulnerability]
1. Attacker sets the trap on some website on the internet (or simply via an e-mail); a hidden <img> tag contains the attack against the vulnerable site
2. While logged into the vulnerable site, the victim views the attacker's site; the <img> tag is loaded by the browser and sends a GET request (including credentials) to the vulnerable site
3. The vulnerable site sees a legitimate request from the victim and performs the action requested
General solution
• Add a token to each protected resource (URL) as a hidden parameter
• Can leverage ESAPI
AntiSamy
• Define the attribute value expression for href
• As a result, all offsite URLs will be removed
[Screenshot: offsite URL removed]
Case 3 – Rich editor
Usability vs. Security
We want to improve usability to satisfy the customer
We have to guarantee the application's security
[Screenshots]
• Directly output the user's input
• Use a policy to filter the input
• Policy file content
Part 4 Advanced topic
Topic 1 – XSS prevention
Three approaches: Modify (AntiSamy) / Keep (ESAPI) / Break (Stinger)
AntiSamy
• Use a whitelist to get clean output
• Remove some words to handle XSS
ESAPI
• A set of security controls
• Use encoding to handle XSS
Stinger
• Use a blacklist to validate the input
• Break one rule, break the chain
ESAPI encode
Use ESAPI to encode the input
[Screenshot: Java code and HTML code]
Stinger
[Screenshot]
Topic 2 - Scrubbr
• Database scanning tool
• Focuses on stored XSS
• BSD license
Summary
AntiSamy is used to get clean HTML
• Policy file
Typical use cases for AntiSamy
• Display HTML content
• Security for rich editors
• CSRF
Handle XSS
• AntiSamy
• ESAPI encode
• Stinger
Resources
• OWASP China AntiSamy Java http://www.owasp.org.cn/owasp-project/Projects/OWASP_AntiSamy_Java
• OWASP AntiSamy Java http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
• AntiSamy smoke test site http://antisamysmoketest.com/go/attack
• ESAPI https://www.owasp.org/index.php/Esapi
• XSS Cheat sheet http://ha.ckers.org/xss.html
QUESTIONS?