Nick Galbreath @ngalbreath • Founder/CTO of Signal Sciences Corp NEW • Before: IponWeb (Moscow, Tokyo) • Before: Etsy (New York City)
What is libinjection? • A small C library to detect SQLi attacks in user input • With APIs for Python, Lua and PHP • Introduced at Black Hat USA 2012 • Open source with BSD license • https://github.com/client9/libinjection
Why libinjection? • Existing detection is mostly done with regular expressions • No unit tests • No performance (speed) tests • No coverage tests • No accuracy or precision tests • No false positive tests • “what are they actually doing?”
libinjection SQLi Today • Version 3.9.1 • 8000+ unique SQLi fingerprints • 400+ unit tests • 85,000+ SQLi samples
Similar to SQLi • No standard XSS detection library • Few, if any, have tests • Most are based on regular expressions • Can we do better?
Browser HTML Tokenization • Previously every browser parsed or tokenised HTML differently. • This led to a number of different attacks using broken HTML tags, special characters or encodings. • Most browsers now use the same tokenization algorithm from the HTML5 specification. • The HTML5 algorithm is very specific: every input character in every tokenizer state has a defined transition.
Check in Each Context • Each input is parsed in at least 6 different HTML contexts, because that's how XSS works: • <b>XSS</b> (raw HTML) • <foo XSS> (tag attribute name) • <foo name=XSS> (unquoted attribute value) • <foo name='XSS'> (single-quoted value) • <foo name="XSS"> (double-quoted value) • <foo name=`XSS`> (backtick-quoted value, IE only!)
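The two slides above (the HTML5 tokenizer being very specific, and checking an input in each context) are easiest to see in code. The following is an added example written for this page, not libinjection's own code: a simplified HTML5-style tokenizer (start tags with attributes, end tags, comments, text; no entity decoding or script states) plus a wrapper that drops the same input into the six contexts from the slide and asks whether the resulting token stream contains a script-like tag, an on* handler or a javascript: URL. The function names (tokenize, is_dangerous, xss_contexts, is_xss) and the DANGEROUS_TAGS/URL_ATTRS lists are my own illustrative choices. Note that the backtick context is tokenized the HTML5 way, where a backtick is an ordinary character, so IE's backtick-as-quote behaviour is not modelled here.

```python
# Added example (not libinjection's code): simplified HTML5-style tokenizer and
# per-context XSS check.  Tag/attribute lists below are illustrative only.

WS = " \t\n\f"

def tokenize(doc):
    """Simplified HTML5 tokenizer: text, start tags with attributes, end tags,
    comments.  No entity decoding or script/RCDATA states."""
    tokens = []
    i, n = 0, len(doc)
    while i < n:
        lt = doc.find("<", i)
        if lt < 0:
            tokens.append(("text", doc[i:]))
            break
        if lt > i:
            tokens.append(("text", doc[i:lt]))
        i = lt + 1
        c = doc[i] if i < n else ""
        if c == "!":                                  # comment / declaration: skip it
            end = doc.find("-->", i) if doc.startswith("!--", i) else -1
            gt = doc.find(">", i)
            i = end + 3 if end >= 0 else (n if gt < 0 else gt + 1)
            continue
        if c == "/":                                  # end tag: keep the name
            gt = doc.find(">", i)
            tokens.append(("endtag", doc[i + 1:gt if gt >= 0 else n].strip(WS).lower()))
            i = n if gt < 0 else gt + 1
            continue
        if not c.isalpha():                           # "<" not followed by a letter is text
            tokens.append(("text", "<"))
            continue
        j = i                                         # tag name state
        while j < n and doc[j] not in WS + "/>":
            j += 1
        name, i, attrs = doc[i:j].lower(), j, []
        while True:
            while i < n and doc[i] in WS:             # before attribute name state
                i += 1
            if i >= n:                                # eof-in-tag: HTML5 drops the tag
                return tokens
            if doc[i] == ">":
                i += 1
                break
            if doc[i] == "/":                         # stray or self-closing solidus
                i += 1
                continue
            j = i                                     # attribute name state: "<" and quotes are
            while j < n and doc[j] not in WS + "/>=": # parse errors but still part of the name
                j += 1
            aname, i, value = doc[i:j].lower(), j, ""
            while i < n and doc[i] in WS:             # after attribute name state
                i += 1
            if i < n and doc[i] == "=":
                i += 1
                while i < n and doc[i] in WS:         # before attribute value state
                    i += 1
                if i < n and doc[i] in "\"'":         # quoted value: runs to the matching quote
                    close = doc.find(doc[i], i + 1)
                    if close < 0:                     # eof in attribute value: tag dropped
                        return tokens
                    value, i = doc[i + 1:close], close + 1
                else:                                 # unquoted value: runs to whitespace or ">"
                    j = i                             # (a backtick is an ordinary character here)
                    while j < n and doc[j] not in WS + ">":
                        j += 1
                    value, i = doc[i:j], j
            attrs.append((aname, value))
        tokens.append(("tag", name, attrs))
    return tokens

DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "base"}   # illustrative
URL_ATTRS = {"src", "href", "action", "formaction", "xlink:href"}  # illustrative

def is_dangerous(tokens):
    """True if a start tag is script-like, carries an on* handler, or points a URL
    attribute at javascript: (browsers drop tab/CR/LF inside the scheme)."""
    for tok in tokens:
        if tok[0] != "tag":
            continue
        _, name, attrs = tok
        if name in DANGEROUS_TAGS:
            return True
        for aname, value in attrs:
            if aname.startswith("on"):                # a real detector uses a handler-name list
                return True
            scheme = "".join(ch for ch in value if ch not in " \t\r\n\f").lower()
            if aname in URL_ATTRS and scheme.startswith("javascript:"):
                return True
    return False

CONTEXTS = [                                          # the six contexts from the slide
    ("raw HTML", "<b>{}</b>"),
    ("tag attribute name", "<foo {}>"),
    ("unquoted attribute value", "<foo name={}>"),
    ("single-quoted value", "<foo name='{}'>"),
    ("double-quoted value", '<foo name="{}">'),
    ("backtick value (IE only)", "<foo name=`{}`>"),
]

def xss_contexts(payload):
    """Names of the contexts in which the payload tokenizes into something dangerous."""
    return [ctx for ctx, tmpl in CONTEXTS if is_dangerous(tokenize(tmpl.format(payload)))]

def is_xss(payload):
    return bool(xss_contexts(payload))

if __name__ == "__main__":
    for p in ["x onmouseover=alert(1)", '" onmouseover="alert(1)', "<script>alert(1)</script>"]:
        print(repr(p), "->", xss_contexts(p))
```

The point the slide makes falls out directly: `x onmouseover=alert(1)` is inert as text or inside a quoted value but becomes an event handler in the attribute-name and unquoted-value contexts, `" onmouseover="alert(1)` only breaks out of a double-quoted value, and `<script>` only matters in raw HTML. A detector that checked one context would miss two of the three.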
XSS Cheat Sheets • Most are outdated (exploits for Firefox 3!) • sorry OWASP :-( • Each entry was validated to make sure it still works in HTML5 browsers.
HTML5SEC.org • Fantastic resource • But lists many examples for Firefox 3 and/or obsolete Opera versions • Pruned to focus on HTML5 browsers
IE Unbalanced Quotes • IE 8+ has strange behaviour with ‘unbalanced quotes’ inside comments and attribute values. • Work in progress
Performance 500,000+ checks per second
TODO 2014-02-17 • It’s alpha — so it’s likely to have some spectacular failures (bypasses) • False-positive QA not completed. • Currently does not handle some IE injections • Does not have a test-bed for experimenting (maybe later this week). • More QA, code-coverage needed • No bindings for scripting languages (soon).