Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Join us at OWASP AppSec APAC 2014 !!
View analytic
Thursday, March 20 • 11:40am - 12:30pm
HTML5時代の安全なエスケープ手法 / Secure Escaping method for the age of HTML 5

Sign up or log in to save this to your schedule and see who's attending!

HTML5 Syntaxの登場と普及によって現実的解決策となったコンテキスト依存の自動エスケープ手法について紹介する。

XSSは、OWASP Top 10で常に指摘されている脅威である。従来に比べDOM based XSSなど新たな脅威も検出されている。
HTMLとJavaScriptとCSSが混在する現代のWebアプリではすべての出力箇所においてコンテキストに応じた適切なエスケープ処理を開発者が間違いなく行なう必要がある。
たとえば、HTMLテンプレート内で以下のx1~x7を出力するときは、それぞれ異なるエスケープを行なう必要があるが、人間は間違いを犯すもので、ケアレスミスも起きやすい。

<a href=""{{x1}}"" onmouseover=""{{x2}}"">{{x3}}</a>
<script>
 var x = '{{x4}}';
 var y =  {{x5}};
</script>
<style>
 body { background:url(/path?q={{x6}}); }
 div  { font-family: ""{{x7}}""; }
</style>

本発表では、先進的なWebアプリケーションフレームワークで近年採用が進んでいる「Contextual auto-escape」について詳細を解説する。本手法が実用段階になった背景にはHTML5 SyntaxとECMA-262の仕様策定により、各ブラウザのHTMLパーサの挙動やJavaScriptの文法の違いがなくなり、サーバサイドでHTMLのコンテキストを安定的に解析できることになったことが大きい。Googleの開発するClosureTemplatesやAngularJSなどではこれらの手法が実際に応用されており、エスケープのミスが起きにくいシステムの構築方法とその限界点についても考察する。

I will explain the automatic escape method that became a realistic solution to context dependence with the introduction and promulgation of HTML5 Syntax.

XSS is a threat consistently listed in the OWASP Top 10.  Compared to the past, DOM based XSS and other new threats have been detected.  With current web applications and the mixture of HTML, JavaScript and CSS, it is necessary for developers to deal with context-appropriate escape processing for all outputs. 
For instance, if you output x1 to x7 using the following HTML template, although it is necessary to conduct various different escapes, human error can easily lead to careless mistakes.

<a href=""{{x1}}"" onmouseover=""{{x2}}"">{{x3}}</a>
<script>
 var x = '{{x4}}';
 var y =  {{x5}};
</script>
<style>
 body { background:url(/path?q={{x6}}); }
 div  { font-family: ""{{x7}}""; }
</style>

This presentation will explain the details of “contextual auto-escape”, an advanced application framework that in recent years is being implemented more and more.  The background that lead to this method actually being used is the settling of specifications for HTML5 Syntax and ECMA-262 which lead to the elimination of JavaScript synstax differences and HTML Parser behavior as well as the stable parsing of HTML context on the server side.  This method is applied in the Closure templates and Angular JS developed by Google and is being studied as the threshold for methods of developing systems where escape errors become less likely."

Speakers
avatar for Yoshinori Takesako

Yoshinori Takesako

chair, SECCON
Yoshinori Takesako is the executive committee chairperson, organizer, and challenge creator of the SECCON CTF contests in Japan. He is also on the OWASP Japan advisory board, the review board for the CODE BLUE conference and the leader of the Shibuya Perl Mongers group. He was received the Microsoft MVP award for Developer Security in 2008. He has presented at security conferences such as HITCON in 2011 "Disassembling Flash Lite 3.0 SWF Files... Read More →


Thursday March 20, 2014 11:40am - 12:30pm
HP Enterprise Security Hall(HALL EAST)

Attendees (12)