[Owasp-leaders] [Owasp-community] Research: Static Detection of Second-Order Vulnerabilities in Web Applications
jim.manico at owasp.org
Fri Aug 29 00:58:33 UTC 2014
Interesting paper. This all stems from developers treating some
"internal" or "partner" data as trusted. This has got to stop. The idea
of "untrusted" vs "trusted" data only confuses the developer.
For complete XSS resistance and other forms of injection resistance, I
feel we need to code using a concept I call "/perfect injection
resistance/". This concept basically states that all variables are to be
treated as untrusted, and protection is required of all variables at the
time of usage. For example a "perfect injection resistance" UI would
output encoding all variables, would only use safe sinks and safe JSON
processing, and would use CSP - regardless of how those variables were
populated. Again, the key is that ALL variables would require encoding,
even static strings. Also, for any variable that contains HTML, HTML
sanitization would need to also be done at the time of UI rendering, not
just on input.
The goal is to build UI's that have no knowledge of what is happening
upstream, and protections are successfully in place even if everything
changes in different layers. This same concept can apply to pretty much
any form of injection.
On 8/26/14, 6:39 AM, Fabio Cerullo wrote:
> Interesting research paper on the so called second order
> vulnerabilities in Web Applications. This paper is included in the
> Proceedings of the 23rd USENIX Security Symposium and is free to
> download & distribute.
> Congrats to Thorsten Holz @thorstenholz and Johannes Dahse
> @FluxReiners from Ruhr-University Bochum, authors of this paper, who
> were just awarded @facebook's inaugural Internet Defense Prize at #sec14!
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders