## Monday, September 12, 2011

### Esorics day 1

Today's sessions were mostly about web security - a welcome break from more theoretical cryptography and a reminder that crypto alone is not enough for building secure systems.

Code injection (usually SQL or HTML/javascript) is a major problem on the web despite its being known for a long time. As people will always make mistakes, several talks looked at automated approaches.

One proposed "complementary character coding" - each character (ASCII or unicode) gets two representations, a normal and a tainted one. Any data received from a client is automatically cast to the tainted representation by the server. The point is that only the non-tainted characters are parsed in SQL and the like, so a tainted quote character is just another character in a string. If web browsers adopted the same approach for HTML, it would get rid of javascript injection too.

Another talk looked at sanitation tools in popular web frameworks (PHP, django and so on) - the more traditional approach. All can do basic HTML sanitation but once you consider different contexts - URIs for example
<a href="$target" /> when $target="javascript:alert('oh dear!');"
or even CSS (which can do JS too) it turns out only one framework of those studied can do it all - and that's one written in C++, not one of those fancy new languages!

Some authors looked at cross-site scripting in the context of scripts that are embedded in the page and thus don't fall under the same-origin policy (some advertisements, for example) but still shouldn't have access to all the page. Here the authors proposed a scheme in which each script runs in a "world" and can only access parts of the page/DOM that are declared writable in this world.

Yet another approach is client-side protection against cross-site requests as demonstrated by the authors of the CsFire firefox extension. The basic idea is to strip cookies from all requests that cross domain boundaries, thus defeating many attacks.
Some scenarios like single sign-on or delegated payment (think PayPal) require requests to pass between two domains with correct cookie handling but only when the delegated site returns control to the delegator - so CsFire allows them in this case only.

The day finished with a reception hosted by the mayor of Leuven.