Secure Web Application Development

Could Interpolique from Recursion Ventures lead to more secure web applications? String injection flaws (which enable cross-site scripting, SQL injection and the like) still occur in spite of memory-safe languages and repeated encouragement to parametrize and escape strings. Developers still let inadequately sanitized strings through.

Interpolique attempts to:

  • *Retain* the boundary between code and data
  • *Translate* the string provided by the developer into one where the receiving language (SQL, JavaScript) can unambiguously respect that boundary
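The two goals above can be illustrated with a tagged template literal, which is the mechanism JavaScript gives a library for seeing the developer's literal text and the interpolated values separately. The example below is added here and is not Interpolique's code; the `sql` tag, the `{ text, params }` result shape and the sample `users` table are assumptions for the illustration. The developer writes the query the way they would write any interpolated string, and the tag translates it so that only placeholders reach the SQL text while every value travels in a separate parameter list.

```javascript
// Added example (not Interpolique's code): a tagged template that keeps the
// developer's SQL text (code) separate from interpolated values (data).
// The `sql` tag, the { text, params } shape and the `users` table are
// assumptions made for this illustration.

function sql(strings, ...values) {
  // `strings` holds the literal fragments written by the developer (trusted),
  // `values` holds whatever was interpolated with ${...} (untrusted data).
  let text = strings[0];
  const params = [];
  for (let i = 0; i < values.length; i++) {
    params.push(values[i]);
    // Emit a numbered placeholder ($1, $2, ...) where the value was written;
    // the value itself never becomes part of the SQL text.
    text += `$${params.length}${strings[i + 1]}`;
  }
  return { text, params };
}

// Builds a lookup query for a user-supplied name. The name is interpolated
// with ${...} exactly as a developer would write it; the tag does the rest.
function buildUserLookup(name) {
  return sql`SELECT id, name FROM users WHERE name = ${name} AND active = ${true}`;
}

// Checks the property the boundary is meant to guarantee: no interpolated
// string value appears anywhere in the query text the database will parse.
function boundaryRetained(query) {
  return query.params.every(
    (v) => typeof v !== "string" || !query.text.includes(v)
  );
}

// Constructed sample input: an apostrophe in ordinary data, which would
// corrupt a concatenated query but is harmless as a bound parameter.
const example = buildUserLookup("O'Brien");
console.log(example.text);   // SELECT id, name FROM users WHERE name = $1 AND active = $2
console.log(example.params); // [ "O'Brien", true ]
console.log(boundaryRetained(example)); // true
```

The returned `text` and `params` are what a driver with real parameter binding expects; the point of the tag is that a developer cannot accidentally splice a value into the text, because the only way to get a value in is through `${...}`, and that path always produces a placeholder.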

Sanitize untrusted data using JavaScript Object Notation (JSON). Despite the name, JSON is a language-independent standard for data interchange. Use a mature, well-tested JSON implementation to parse untrusted data. See what data looks like when represented in JavaScript Object Notation at jdrop.org.

Do not use the JavaScript eval() function.
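The following example, added here and not part of the original post, shows what "use a tested JSON implementation" looks like in practice: the untrusted text goes through the built-in `JSON.parse`, which can only ever yield data, and the result is then checked against the exact shape the application expects before any field is used. The `{user, count}` message shape and the list of forbidden key names are assumptions chosen for the illustration.

```javascript
// Added example (not from the original page): parse an untrusted JSON payload
// with JSON.parse, then accept it only if it has exactly the expected shape.
// The {user, count} shape and the forbidden-key list are assumptions.

// Key names that must never arrive from untrusted input: JSON.parse creates an
// own property literally named "__proto__", and a later recursive merge of such
// an object into application state can alter other objects' prototypes.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walks parsed data (objects and arrays) looking for a forbidden key name.
function hasForbiddenKey(value) {
  if (value === null || typeof value !== "object") return false;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return true;
    if (hasForbiddenKey(value[key])) return true;
  }
  return false;
}

// Expected shape: a plain object with a string "user" and a finite number
// "count", and no other keys.
function matchesExpectedShape(obj) {
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return false;
  const keys = Object.keys(obj).sort();
  if (keys.length !== 2 || keys[0] !== "count" || keys[1] !== "user") return false;
  return typeof obj.user === "string" && Number.isFinite(obj.count);
}

// Returns a fresh object holding only the validated fields, or null when the
// text is not well-formed JSON, carries a forbidden key, or has the wrong
// shape. JSON.parse only produces objects, arrays, strings, numbers, booleans
// and null; unlike eval() it cannot execute anything the text contains.
function parseUntrustedMessage(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    return null; // not JSON: unquoted keys, comments, code, trailing garbage
  }
  if (hasForbiddenKey(parsed)) return null;
  if (!matchesExpectedShape(parsed)) return null;
  return { user: parsed.user, count: parsed.count }; // copy known fields only
}

// Constructed sample inputs.
console.log(parseUntrustedMessage('{"user":"alice","count":3}'));  // { user: 'alice', count: 3 }
console.log(parseUntrustedMessage("{user: 'alice', count: 3}"));    // null (JavaScript, not JSON)
console.log(parseUntrustedMessage('{"user":"alice","count":"3"}')); // null (wrong type)
```

Rejecting anything that is not strictly JSON is the point: a payload written as a JavaScript object literal, which `eval()` would happily run, is simply a parse error here. Copying only the known fields into a new object, rather than passing the parsed object onward, keeps unexpected keys from ever reaching the rest of the program.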

Web Security at Google Code University. From Gruyere:

Correctly sanitizing HTML is a tricky problem. The _SanitizeTag function has a number of critical design flaws:

  • It does not validate the well-formedness of the input HTML. As we see, badly formed HTML passes through the sanitizer unchanged. Since browsers typically apply very lenient parsing, it is very hard to predict the browser’s interpretation of the given HTML unless we exercise strict control on its format.
  • It uses blacklisting of attributes, which is a bad technique. One of our exploits got past the blacklist simply by using an uppercase version of the attribute. There could be other attributes missing from this list that are dangerous. It is always better to whitelist known good values.
  • The sanitizer does not do any further sanitization of attribute values. This is dangerous since URI attributes like href and src and the style attribute can all be used to inject JavaScript.

The right approach to HTML sanitization is to:

  • Parse the input into an intermediate DOM structure, then rebuild the body as well-formed output.
  • Use strict whitelists for allowed tags and attributes.
  • Apply strict sanitization of URL and CSS attributes if they are permitted.

Whenever possible it is preferable to use an already available known and proven HTML sanitizer.
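To make the three rules concrete, here is a small whitelist-based sanitizer written for this page; it is not the Gruyere code and, per the advice just given, not a substitute for a proven library. It tokenizes the input, keeps only tags and attributes from a whitelist (compared case-insensitively, so the uppercase-attribute trick against a blacklist does nothing), checks `href` against a short list of allowed schemes after stripping the control characters browsers ignore, re-escapes all text and attribute values on output, and closes whatever the input left open so the result is well-formed. The whitelist contents and the allowed schemes are assumptions chosen for the illustration.

```javascript
// Added example, not the Gruyere code and not a proven sanitizer library: a
// whitelist-based HTML sanitizer that tokenizes, filters, and rebuilds its
// input. The tag/attribute whitelist and allowed URL schemes are assumptions.

const ALLOWED_TAGS = new Map([
  ["a", ["href", "title"]], ["b", []], ["i", []], ["em", []], ["strong", []],
  ["p", []], ["br", []], ["ul", []], ["ol", []], ["li", []], ["code", []],
]);
const VOID_TAGS = new Set(["br"]);
// Only these schemes (or a site-relative path) are accepted in href.
const SAFE_HREF = /^(?:https?:|mailto:|\/)/i;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Browsers ignore ASCII control characters and whitespace inside a URL
// scheme, so strip them before checking the scheme, not after.
function isSafeHref(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, "");
  return SAFE_HREF.test(cleaned);
}

// Parses the attribute part of a start tag into [name, value] pairs.
function parseAttributes(raw) {
  const attrs = [];
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  }
  return attrs;
}

function sanitizeHtml(input) {
  const out = [];
  const open = [];           // stack of currently open tag names
  // A token is a start/end tag, a run of text, or a stray "<".
  const token = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|</g;
  let m;
  while ((m = token.exec(input)) !== null) {
    if (m[2] === undefined) {            // text (or a lone "<"): escape it
      out.push(escapeHtml(m[0]));
      continue;
    }
    const name = m[2].toLowerCase();
    const allowedAttrs = ALLOWED_TAGS.get(name);
    if (!allowedAttrs) continue;         // unknown tag: drop it, keep its text
    if (m[1] === "/") {                  // end tag: close down to its opener
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;          // stray end tag: drop it
      while (open.length > idx) out.push(`</${open.pop()}>`);
      continue;
    }
    const attrs = [];
    for (const [attr, value] of parseAttributes(m[3])) {
      if (!allowedAttrs.includes(attr)) continue;   // whitelist, not blacklist
      if (attr === "href" && !isSafeHref(value)) continue;
      attrs.push(` ${attr}="${escapeHtml(value)}"`);
    }
    out.push(`<${name}${attrs.join("")}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`);   // close what was left open
  return out.join("");
}

// Constructed sample inputs.
console.log(sanitizeHtml('<B ONCLICK="x()">hi</B>'));     // <b>hi</b>
console.log(sanitizeHtml('<i>one <b>two</i> three'));     // <i>one <b>two</b></i> three
console.log(sanitizeHtml('<a href="https://example.com">x</a>')); // unchanged
```

Two details carry most of the safety. Attribute values are never decoded: an entity-encoded scheme in `href` fails the whitelist as literal text and, if it were allowed through, would be re-escaped so the browser also sees it as literal text. And the output is rebuilt from the token stream rather than patched in place, which is what lets the sanitizer guarantee balanced tags regardless of how malformed the input was.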

Microsoft Anti-Cross Site Scripting Library V4.2 (AntiXSS V4.2) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks.

Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP (32-bit and 64-bit downloads) is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.

PHP data sanitizing discussions on Stack Overflow.

The Whitewash module allows Ruby programs to clean up any HTML document or fragment coming from an untrusted source and to remove all dangerous constructs that could be used for cross-site scripting or request forgery. All HTML tags, attribute names and values, and CSS properties are filtered through a whitelist that defines which names and what kinds of values are allowed.

RIPS is a static source code analyzer for vulnerabilities in PHP web applications. It was released during the Month of PHP Security (www.php-security.org).

Building Secure Web Applications: an infographic by Veracode Application Security.
