[Owasp-leaders] [Owasp-community] Research: Static Detection of Second-Order Vulnerabilities in Web Applications

Jim Manico jim.manico at owasp.org
Fri Aug 29 00:58:33 UTC 2014


Interesting paper. This all stems from developers treating some 
"internal" or "partner" data as trusted. This has got to stop. The idea 
of "untrusted" vs "trusted" data only confuses the developer.

For complete XSS resistance and other forms of injection resistance, I 
feel we need to code using a concept I call "perfect injection 
resistance". This concept basically states that all variables are to be 
treated as untrusted, and protection is required of all variables at the 
time of usage. For example, a "perfect injection resistance" UI would 
output encode all variables, would only use safe sinks and safe JSON 
processing, and would use CSP - regardless of how those variables were 
populated. Again, the key is that ALL variables would require encoding, 
even static strings. Also, for any variable that contains HTML, HTML 
sanitization would also need to be done at the time of UI rendering, not 
just on input.

The goal is to build UIs that have no knowledge of what is happening 
upstream, so that protections remain in place even if everything 
changes in different layers. This same concept can apply to pretty much 
any form of injection.

FWIW,
Jim
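Jim's "encode everything at the sink" rule, as an added example that is not part of this thread: a JavaScript tagged-template renderer that HTML-encodes every interpolated variable at the time of use, whatever its origin, and only lets markup through when it was sanitized at render time. The sample record, the SafeHtml wrapper and the small allowlist sanitizer are constructed for the illustration.

```javascript
// Entity map for the HTML text and quoted-attribute contexts.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// Encode a value for an HTML body or quoted-attribute sink. Applied to every
// variable at the point of use, regardless of where it came from.
function htmlEncode(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => ENTITY[c]);
}

// Wrapper that marks markup as sanitized *at render time*; it is the only way
// to emit unencoded HTML, and origin ("internal", "partner") never grants it.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
}

// Minimal allowlist sanitizer, constructed for this example (use a vetted
// library such as DOMPurify in production): bare <b>, <i>, <p> tags survive,
// every other tag and all loose text is encoded.
const ALLOWED_TAGS = new Set(['b', 'i', 'p']);
const TAG = /^<(\/?)([a-zA-Z0-9]+)([^>]*)>$/;
function sanitizeAtRender(markup) {
  return String(markup).split(/(<\/?[a-zA-Z0-9]+[^>]*>)/).map((part, i) => {
    const m = i % 2 === 1 ? TAG.exec(part) : null; // odd parts are tag candidates
    return m && ALLOWED_TAGS.has(m[2].toLowerCase()) && m[3].trim() === ''
      ? `<${m[1]}${m[2].toLowerCase()}>`
      : htmlEncode(part);
  }).join('');
}

// Tagged template: the sink encodes every interpolation; only SafeHtml passes through.
function html(strings, ...values) {
  return strings.reduce((out, s, i) => {
    if (i === 0) return s;
    const v = values[i - 1];
    return out + (v instanceof SafeHtml ? v.markup : htmlEncode(v)) + s;
  }, '');
}

// Constructed record: the display name was "validated on input", then altered
// later by an internal tool, which is exactly the second-order case.
const SAMPLE_RECORD = {
  id: 'u-42',
  displayName: 'Alice <script>x</script>',
  bioHtml: '<p>Hello</p><img src="x" onerror="y">',
};

function renderProfile(record) {
  const heading = 'Member profile'; // a static string, still run through the encoder
  return html`<h1>${heading}</h1>
<p class="name" data-id="${record.id}">${record.displayName}</p>
<div class="bio">${new SafeHtml(sanitizeAtRender(record.bioHtml))}</div>`;
}
```

Because the encoding happens in the `html` tag and not in the code that stored the record, changing how `displayName` is populated upstream does not change what reaches the browser.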





On 8/26/14, 6:39 AM, Fabio Cerullo wrote:
> Interesting research paper on the so-called second-order 
> vulnerabilities in Web Applications. This paper is included in the 
> Proceedings of the 23rd USENIX Security Symposium and is free to 
> download & distribute.
>
> https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-dahse.pdf
>
> Congrats to Thorsten Holz @thorstenholz and Johannes Dahse 
> @FluxReiners from Ruhr-University Bochum, authors of this paper, who 
> were just awarded @facebook's inaugural Internet Defense Prize at #sec14!
>
> Regards,
>
> Fabio
>
