Menu
▾
▴
owasp-input-api-developers
|
From: Alex R. <al...@se...> - 2002-06-18 21:48:18
|
INTRODUCTION: ------------------------------------------------------------------------------ On June 17th, the development team from the Open Web Application Security Project (OWASP) filters project met to discuss the goals of the project and to lay out general design principles that will be followed in the course of their development effort. What follows is a summary of the primary points of agreement that resulted from this meeting. Those who attended the meeting were: Nathan Groupp, ve...@pa... Gabriel Lawrence, ga...@bu... Alex Russell, al...@Se..., al...@ne... Matt Wirges, wi...@ce... Nik Cubrilovic, ni...@ni... PROJECT GOALS: ------------------------------------------------------------------------------ The chief goal of the OWASP filters project will be to develop a set of "drop in" functions/objects/methods that provide web application developers with a powerful and effective way of managing inputs to their applications. These filters will be designed in such a way as to minimize the amount of syntax needed to filter content for a range of possible malicious inputs. PROBLEM STATEMENT: ------------------------------------------------------------------------------ The current state of web application security (in the large) is a mess, in some cases even more so than that of traditional applications. Few web application developers are familiar with even basic security design principles and even fewer understand the options available to them with regards to securing their applications. While structural solutions to the large security problems facing web applications are strongly preferred, we recognize the need for tools that will allow developers harden their applications with a minimum of effort and security-domain knowledge. Through use of our tools, developers should become educated about the issues involved with input validation to their applications, and it is our hope that they will also make use of the other tools and document that OWASP produces in their efforts to improve security. Yet we are also realistic. We understand that the path of least resistance is that which lazy developers will follow, and security tools must be presented in a way that decrease resistance to their adoption. The OWASP Filters Team accepts this challenge and is committed to providing simple yet powerful tools for developers that enhance security. DESIGN GOALS: ------------------------------------------------------------------------------ Filters MUST be developed in many languages to allow end developers to use a similar framework for filtering input regardless of their development environment. Language specific idioms for sanity checking MAY be supported where they make sense, but never at the expense of simplicity. The default policy for filter rules MUST be "reject all not explicitly allowed", forcing developers to consider what they want to allow instead of attempting to cover all corner cases for input that may be malicious. Filtering will be addressed in 3 discrete steps: 1.) canonicalization 2.) threat specific filtering 3.) output specific filtering Note that each of these steps SHOULD be addressed both on information inbound to the system from external sources and for information originating from internal sources destined for output to end users. 1.) Canonicalization Canonicalization is the process of putting data into a common format. This step is critical to the effectiveness of input filtering, as it guards against entire classes of attacks that make use of character set conversion to bypass attempts at intput filtering. While multiple character sets SHOULD be supported, a sane default SHOULD be assumed (UTF-8 restricted?). 2.) Threat Specific Filtering A default "reject" rule MUST be in place for input passed to OWASP filters, however users MAY be given the ability to specifically allow types of input that my in some contexts be harmful. Examples of these types of input may be HTML, JavaScript, SQL, etc... There are instances where a developer may wish to allow punctuation that may have syntactic significance, and so an interface MAY be exposed to allow developers to explicitly define such syntax exceptions. Language specific filtering capability SHOULD be available to deal with threats such as interpreted command insertion. Where possible the OWASP filters team will discourage use of eval() type functions on the part of developers, yet should realize that the job of a filter can only cover so much ground. Protecting developers from misuse of system and language features is better dealt with via a source code scanner. 3.) Output Specific Filtering Output formats MAY have special formatting considerations, and the filters API MAY choose to provide simple methods for converting to "storage safe" escaped versions of content (and back again). CONCLUSION: ------------------------------------------------------------------------------ This is only a draft of this document and MAY be subject to change as the requirements of the project become more clearly defined and iterative development and developer feedback more tightly define the scope of the problem. |
|
From: vertigo <ve...@pa...> - 2002-06-18 22:03:57
|
Better. Thanks. Believe it or not, I was a lit major, not C.S. Nathan On Tue, 18 Jun 2002, Alex Russell wrote: > INTRODUCTION: > ------------------------------------------------------------------------------ > > On June 17th, the development team from the Open Web Application Security > Project (OWASP) filters project met to discuss the goals of the project and > to lay out general design principles that will be followed in the course of > their development effort. What follows is a summary of the primary points of > agreement that resulted from this meeting. > > Those who attended the meeting were: > Nathan Groupp, ve...@pa... > Gabriel Lawrence, ga...@bu... > Alex Russell, al...@Se..., al...@ne... > Matt Wirges, wi...@ce... > Nik Cubrilovic, ni...@ni... > > PROJECT GOALS: > ------------------------------------------------------------------------------ > > The chief goal of the OWASP filters project will be to develop a set of > "drop in" functions/objects/methods that provide web application developers > with a powerful and effective way of managing inputs to their applications. > These filters will be designed in such a way as to minimize the amount of > syntax needed to filter content for a range of possible malicious inputs. > > PROBLEM STATEMENT: > ------------------------------------------------------------------------------ > > The current state of web application security (in the large) is a mess, in > some cases even more so than that of traditional applications. Few web > application developers are familiar with even basic security design > principles and even fewer understand the options available to them with > regards to securing their applications. While structural solutions to the > large security problems facing web applications are strongly preferred, we > recognize the need for tools that will allow developers harden their > applications with a minimum of effort and security-domain knowledge. > > Through use of our tools, developers should become educated about the issues > involved with input validation to their applications, and it is our hope > that they will also make use of the other tools and document that OWASP > produces in their efforts to improve security. Yet we are also realistic. > We understand that the path of least resistance is that which lazy > developers will follow, and security tools must be presented in a way that > decrease resistance to their adoption. The OWASP Filters Team accepts this > challenge and is committed to providing simple yet powerful tools for > developers that enhance security. > > DESIGN GOALS: > ------------------------------------------------------------------------------ > > Filters MUST be developed in many languages to allow end developers to use a > similar framework for filtering input regardless of their development > environment. Language specific idioms for sanity checking MAY be supported > where they make sense, but never at the expense of simplicity. > > The default policy for filter rules MUST be "reject all not explicitly > allowed", forcing developers to consider what they want to allow instead of > attempting to cover all corner cases for input that may be malicious. > > Filtering will be addressed in 3 discrete steps: > > 1.) canonicalization > 2.) threat specific filtering > 3.) output specific filtering > > Note that each of these steps SHOULD be addressed both on information > inbound > to the system from external sources and for information originating from > internal sources destined for output to end users. > > > 1.) Canonicalization > > Canonicalization is the process of putting data into a common format. > This step is critical to the effectiveness of input filtering, as it > guards against entire classes of attacks that make use of character > set conversion to bypass attempts at intput filtering. While multiple > character sets SHOULD be supported, a sane default SHOULD be assumed > (UTF-8 restricted?). > > 2.) Threat Specific Filtering > > A default "reject" rule MUST be in place for input passed to OWASP > filters, however users MAY be given the ability to specifically > allow types of input that my in some contexts be harmful. Examples of > these types of input may be HTML, JavaScript, SQL, etc... > > There are instances where a developer may wish to allow punctuation > that may have syntactic significance, and so an interface MAY be > exposed to allow developers to explicitly define such syntax > exceptions. > > Language specific filtering capability SHOULD be available to deal > with threats such as interpreted command insertion. Where possible the > OWASP filters team will discourage use of eval() type functions on > the part of developers, yet should realize that the job of a filter > can only cover so much ground. Protecting developers from misuse of > system and language features is better dealt with via a source code > scanner. > > 3.) Output Specific Filtering > > Output formats MAY have special formatting considerations, and the > filters API MAY choose to provide simple methods for converting to > "storage safe" escaped versions of content (and back again). > > > CONCLUSION: > ------------------------------------------------------------------------------ > > This is only a draft of this document and MAY be subject to change as the > requirements of the project become more clearly defined and iterative > development and developer feedback more tightly define the scope of the > problem. > > ---------------------------------------------------------------------------- > Bringing you mounds of caffeinated joy > >>> http://thinkgeek.com/sf <<< > > _______________________________________________ > Owasp-input-api-developers mailing list > Owa...@li... > https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers > |
|
From: Gabriel L. <ga...@bu...> - 2002-06-18 22:45:26
|
Thanx for putting this out so quick. Sounds to me like there is still some disagreement on what and where this project should go. I'd like to try and facilitate a discussion on this. So, up to now I've been more of a facilitator then a participant... Let me participate a little. First, I kind of feel like we've been setting our sites a little low - and have been oversimplifying what we need to do. What I think we should be trying to do is to build a multi-layered multi-language set of tools to make developing secure web applications simple and easy. What I think this goal implies is that we need to look at tools to help in most of the situations web applications developers find themselves in trouble. From the simple side of things which is data validation/cleaning to the more complex side which includes things like helping detect parameter tampering and such (basically where critical information is foolishly encoded into hidden values in forms) and such. So, I see the first step of this process being developing some simple api's that allow developers to start incorporating this stuff into their applications. I think at this level it would be key to make this stuff as generic as possible as the code will need to be ported to multiple environments: Python, Java, PHP, Perl, C/C++, ColdFusion and so on... Then once this basic layer is built, we need to start looking at how to incorporate this stuff into the general flow of things to make it somewhat easy and automatic for developers to incorporate it. And finally, we need to incorporate technology specific solutions into the api so that we can become a layer of protection wrapped around the technology supporting it where those technologies are weak or create holes. So, I actually think that alex's document describes the foundation of what my vision is for at least the first phase of what I think we should do... -gabe |
|
From: Steven J. S. <sj...@Ju...> - 2002-06-19 02:59:48
|
On 18 Jun 2002, Gabriel Lawrence wrote: > So, I see the first step of this process being developing some simple > api's that allow developers to start incorporating this stuff into their > applications. I think at this level it would be key to make this stuff > as generic as possible as the code will need to be ported to multiple > environments: Python, Java, PHP, Perl, C/C++, ColdFusion and so on... (Apologies for not making it to irc yesterday) I don't know how "generic" we'll be able to make the code... > And finally, we need to incorporate technology specific solutions into > the api so that we can become a layer of protection wrapped around the > technology supporting it where those technologies are weak or create > holes. Is our goal to make this stuff transparent to John Q. Webappdeveloper? -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me... |
|
From: vertigo <ve...@pa...> - 2002-06-19 16:30:06
|
Making this transparent to the average webdev is a little too much to ask. Also, making it "generic" is a little too much to ask for when considering the broad range of implementation languages available. Making something "generic" is often times equivalent to simplification. I think rather than concentrating on how to make this generic as possible, we make some decisions regarding the following: 1) Core features 2) Public Interface 3) Configuration 4) Signature Definition, Storage, and Loading 5) Rule/Policy Definition, Storage, and Loading 5) Reporting Framework 6) Compatibility (between implementations) The Java version, for example, will be running in its own thread, and could possibly by accessed by several servlets many times throughout the lifecycle of the application server in which it is running. As are the servlets, it is conceivable that the filter could be loaded once--minimizing complex object construction, and have a fairly long lifecycle. This is due to the nature of the Java language and virtual machine. This long lifecycle, approach, however, does not make sense in Perl, unless one uses Apache and mod_perl. While Java can afford fairly expensive instantiation, a Perl CGI cannot. Instantiation may be handled differently, if at all. It may not even be OO. I think we should remember that there are fundamental architectural differences between implementation languages that cannot be generalized away into the aether. And rather than trying to fit square pegs into round holes, we should create prism-shaped containers for each peg and push these through triangular holes. (I kind of lost the metaphor at the end there, sorry.) Nathan Nathan On Tue, 18 Jun 2002, Steven J. Sobol wrote: > On 18 Jun 2002, Gabriel Lawrence wrote: > > > So, I see the first step of this process being developing some simple > > api's that allow developers to start incorporating this stuff into their > > applications. I think at this level it would be key to make this stuff > > as generic as possible as the code will need to be ported to multiple > > environments: Python, Java, PHP, Perl, C/C++, ColdFusion and so on... > > (Apologies for not making it to irc yesterday) > > I don't know how "generic" we'll be able to make the code... > > > And finally, we need to incorporate technology specific solutions into > > the api so that we can become a layer of protection wrapped around the > > technology supporting it where those technologies are weak or create > > holes. > > Is our goal to make this stuff transparent to John Q. Webappdeveloper? > > > -- > Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET > - I do my best work with one of my cockatiels sitting on each shoulder - > 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance > stance towards abusive priests. The fact that 20% didn't, scares me... > > > > ---------------------------------------------------------------------------- > Bringing you mounds of caffeinated joy > >>> http://thinkgeek.com/sf <<< > > _______________________________________________ > Owasp-input-api-developers mailing list > Owa...@li... > https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers > |
|
From: Steven J. S. <sj...@Ju...> - 2002-06-19 16:48:17
|
On Wed, 19 Jun 2002, vertigo wrote: > Making this transparent to the average webdev is a little too much to ask. > Also, making it "generic" is a little too much to ask for when considering > the broad range of implementation languages available. That was going to be the next point I made. > Making something > "generic" is often times equivalent to simplification. I think rather > than concentrating on how to make this generic as possible, we make some > decisions regarding the following: > > 1) Core features > 2) Public Interface > 3) Configuration > 4) Signature Definition, Storage, and Loading > 5) Rule/Policy Definition, Storage, and Loading > 5) Reporting Framework > 6) Compatibility (between implementations) Within 4 and 5 I'd think we need to subclassify for the different types of exploits - SQL injection, XSS, etc. > The Java version, for example, will be running in its own thread, and > could possibly by accessed by several servlets many times throughout > the lifecycle of the application server in which it is running. Same with the PHP module, if we do this project as a PHP extension. > This long lifecycle, approach, however, does not make sense in Perl, > unless one uses Apache and mod_perl. While Java can afford fairly > expensive instantiation, a Perl CGI cannot. Instantiation may be > handled differently, if at all. It may not even be OO. Why not? -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me... |
|
From: vertigo <ve...@pa...> - 2002-06-20 01:45:27
|
On Wed, 19 Jun 2002, Steven J. Sobol wrote: > > This long lifecycle, approach, however, does not make sense in Perl, > > unless one uses Apache and mod_perl. While Java can afford fairly > > expensive instantiation, a Perl CGI cannot. Instantiation may be > > handled differently, if at all. It may not even be OO. > > Why not? No reason at all (to do OO Perl). I'm just worried about Perl having to parse a potentially large signature file every time a request is made. I've never had the misfortune of working with a Perl CGI that was actually slower than a servlet (at Phlair, the bottlenecks were always the Java), so I'm not terribly concerned--but it's just one of those things I worry about. Nathan |
|
From: Steven J. S. <sj...@Ju...> - 2002-06-20 02:10:39
|
On Wed, 19 Jun 2002, vertigo wrote: > > > This long lifecycle, approach, however, does not make sense in Perl, > > > unless one uses Apache and mod_perl. While Java can afford fairly > > > expensive instantiation, a Perl CGI cannot. Instantiation may be > > > handled differently, if at all. It may not even be OO. > > > > Why not? > > No reason at all (to do OO Perl). I'm just worried about Perl having > to parse a potentially large signature file every time a request is made. > I've never had the misfortune of working with a Perl CGI that was actually > slower than a servlet (at Phlair, the bottlenecks were always the > Java), so I'm not terribly concerned--but it's just one of those things I > worry about. If you're worried about the amount of resources a process running a Perl CGI might use, perhaps using a module like Fastcgi would address those issues. -- Steve Sobol, CTO JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET - I do my best work with one of my cockatiels sitting on each shoulder - 6/4/02:A USA TODAY poll found that 80% of Catholics advocated a zero-tolerance stance towards abusive priests. The fact that 20% didn't, scares me... |
|
From: vertigo <ve...@pa...> - 2002-06-18 23:03:11
|
Ok, I'll be nicer this time. I apologize for sounding harsh. (A little payback for the comment regarding buzzword compliant I guess.) I'm sure you worked hard on that. I propose the following changes: 1) "drop in functions/object/methods" change to: "drop in functions or classes." (objects are, traditionally, instantiated classes, though this terminology was challenged in the book "Object Oriented Methods.") 2) "The current state of web application security . . . a mess." change to: "The current state of web-application security is disastrous, and in some cases weaker than the security of traditional applications." (a __little__ hyperbole helps sometimes) 3) "These filters will be designed in such a way as to minimize the amount of syntax needed to filter content for a range of possible malicious inputs." change to: "The Filters API will be designed to provide the greatest effect with the least effort--filtering a large number of attacks by making only minor modifications to existing code." 4) "Few web application developers are familiar with even basic security design principles and even fewer understand the options available to them with regards to securing their applications. While structural solutions to the large security problems facing web applications are strongly preferred, we recognize the need for tools that will allow developers harden their applications with a minimum of effort and security-domain knowledge." change to: "Few web application developers are familiar with even basic security design principles. Fewer still are aware of the security solutions available to them. While the preferred method of securing a web-application is a complete redesign incorporating secure design principles, we are aware of the time, effort, and money involved in undertaking such a project. This API will allow developers to harden their applications with a minimum of effort and security-domain knowledge." 5) "We understand that the path of least resistance is that which lazy > developers will follow, and security tools must be presented in a way that decrease resistance to their adoption. The OWASP Filters Team accepts this challenge and is committed to providing simple yet powerful tools for developers that enhance security." change to: "We understand that budget constraints and deadlines are often more important than security. Security tools must be presented in a way that will allow rapid integration with existing applications. The OWASP Filters Team accepts this challenge and is committed to providing simple yet powerful tools for developers that enhance security." (I am not a big fan of the "lazy developer" stereotype.) I think we also need to fill-out the section on request.allow/request.deny. The policy section is a little unclear. I think once we make some decisions regarding a policy framework, we can include this in another document. For now, we might try saying something like: "Filters will be skeptical by default, denying application access to all requests except those that match well-defined criteria." Or something similar. That's all for now. I apologize again for being harsh. I've been a little stressed. Nathan On Tue, 18 Jun 2002, Alex Russell wrote: > INTRODUCTION: > ------------------------------------------------------------------------------ > > On June 17th, the development team from the Open Web Application Security > Project (OWASP) filters project met to discuss the goals of the project and > to lay out general design principles that will be followed in the course of > their development effort. What follows is a summary of the primary points of > agreement that resulted from this meeting. > > Those who attended the meeting were: > Nathan Groupp, ve...@pa... > Gabriel Lawrence, ga...@bu... > Alex Russell, al...@Se..., al...@ne... > Matt Wirges, wi...@ce... > Nik Cubrilovic, ni...@ni... > > PROJECT GOALS: > ------------------------------------------------------------------------------ > > The chief goal of the OWASP filters project will be to develop a set of > "drop in" functions/objects/methods that provide web application developers > with a powerful and effective way of managing inputs to their applications. > These filters will be designed in such a way as to minimize the amount of > syntax needed to filter content for a range of possible malicious inputs. > > PROBLEM STATEMENT: > ------------------------------------------------------------------------------ > > The current state of web application security (in the large) is a mess, in > some cases even more so than that of traditional applications. Few web > application developers are familiar with even basic security design > principles and even fewer understand the options available to them with > regards to securing their applications. While structural solutions to the > large security problems facing web applications are strongly preferred, we > recognize the need for tools that will allow developers harden their > applications with a minimum of effort and security-domain knowledge. > > Through use of our tools, developers should become educated about the issues > involved with input validation to their applications, and it is our hope > that they will also make use of the other tools and document that OWASP > produces in their efforts to improve security. Yet we are also realistic. > We understand that the path of least resistance is that which lazy > developers will follow, and security tools must be presented in a way that > decrease resistance to their adoption. The OWASP Filters Team accepts this > challenge and is committed to providing simple yet powerful tools for > developers that enhance security. > > DESIGN GOALS: > ------------------------------------------------------------------------------ > > Filters MUST be developed in many languages to allow end developers to use a > similar framework for filtering input regardless of their development > environment. Language specific idioms for sanity checking MAY be supported > where they make sense, but never at the expense of simplicity. > > The default policy for filter rules MUST be "reject all not explicitly > allowed", forcing developers to consider what they want to allow instead of > attempting to cover all corner cases for input that may be malicious. > > Filtering will be addressed in 3 discrete steps: > > 1.) canonicalization > 2.) threat specific filtering > 3.) output specific filtering > > Note that each of these steps SHOULD be addressed both on information > inbound > to the system from external sources and for information originating from > internal sources destined for output to end users. > > > 1.) Canonicalization > > Canonicalization is the process of putting data into a common format. > This step is critical to the effectiveness of input filtering, as it > guards against entire classes of attacks that make use of character > set conversion to bypass attempts at intput filtering. While multiple > character sets SHOULD be supported, a sane default SHOULD be assumed > (UTF-8 restricted?). > > 2.) Threat Specific Filtering > > A default "reject" rule MUST be in place for input passed to OWASP > filters, however users MAY be given the ability to specifically > allow types of input that my in some contexts be harmful. Examples of > these types of input may be HTML, JavaScript, SQL, etc... > > There are instances where a developer may wish to allow punctuation > that may have syntactic significance, and so an interface MAY be > exposed to allow developers to explicitly define such syntax > exceptions. > > Language specific filtering capability SHOULD be available to deal > with threats such as interpreted command insertion. Where possible the > OWASP filters team will discourage use of eval() type functions on > the part of developers, yet should realize that the job of a filter > can only cover so much ground. Protecting developers from misuse of > system and language features is better dealt with via a source code > scanner. > > 3.) Output Specific Filtering > > Output formats MAY have special formatting considerations, and the > filters API MAY choose to provide simple methods for converting to > "storage safe" escaped versions of content (and back again). > > > CONCLUSION: > ------------------------------------------------------------------------------ > > This is only a draft of this document and MAY be subject to change as the > requirements of the project become more clearly defined and iterative > development and developer feedback more tightly define the scope of the > problem. > > ---------------------------------------------------------------------------- > Bringing you mounds of caffeinated joy > >>> http://thinkgeek.com/sf <<< > > _______________________________________________ > Owasp-input-api-developers mailing list > Owa...@li... > https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers > |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X