OWASP - User contributions [en]

User:Mike Samuel

2019-05-28T06:49:30Z

Mike Samuel: Updated interests.

Mike Samuel is an engineer in Google's Security Engineering group working on programming language based approaches to web application security.

He is involved in the EcmaScript standards process, was one of the implementors of Caja, a system that allows for secure composition of web applications using existing standards, and has worked on static type reasoning to make template languages robust against XSS.

OWASP JSON Sanitizer

2013-01-17T14:53:08Z

Mike Samuel: Reworked project description

=Main=
Given JSON-like content, converts it to valid JSON.

This can be attached at either end of a data-pipeline to help satisfy Postel's principle:

be conservative in what you do, be liberal in what you accept from others
Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use.

Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.

=== Motivation ===

[[Image:http://json-sanitizer.googlecode.com/git/docs/JSON-Sanitizer-Arch.png|frameless|architecture]]

Many applications have large amounts of code that uses ad-hoc methods to generate JSON outputs. Frequently these outputs all pass through a small amount of framework code before being sent over the network. This small amount of framework code can use this library to make sure that the ad-hoc outputs are standards compliant and safe to pass to (overly) powerful deserializers like Javascript's eval operator.

Applications also often have web service APIs that receive JSON from a variety of sources. When this JSON is created using ad-hoc methods, this library can massage it into a form that is easy to parse.

By hooking this library into the code that sends and receives requests and responses, this library can help software architects ensure system-wide security and well-formedness guarantees.

=== Input ===

The sanitizer takes JSON like content, and interprets it as JS eval would. Specifically, it deals with these non-standard constructs.

{|
|-
| <tt>'...'</tt>
| Single quoted strings are converted to JSON strings.
|-
| <tt>\xAB</tt>
| Hex escapes are converted to JSON unicode escapes.
|-
| <tt>\012</tt>
| Octal escapes are converted to JSON unicode escapes.
|-
| <tt>0xAB</tt>
| Hex integer literals are converted to JSON decimal numbers.
|-
| <tt>012</tt>
| Octal integer literals are converted to JSON decimal numbers.
|-
| <tt>+.5</tt>
| Decimal numbers are coerced to JSON's stricter format.
|-
| <tt>[0,,2]</tt>
| Elisions in arrays are filled with <tt>null</tt>.
|-
| <tt>[1,2,3,]</tt>
| Trailing commas are removed.
|-
| <tt>{foo:"bar"}</tt>
| Unquoted property names are quoted.
|-
| <tt>//comments</tt>
| JS style line and block comments are removed.
|-
| <tt>(...)</tt>
| Grouping parentheses are removed.
|}

The sanitizer fixes missing punctuation, end quotes, and mismatched or missing close brackets. If an input contains only white-space then the valid JSON string <tt>null</tt> is substituted.

=== Output ===

The output is well-formed JSON as defined by
[http://www.ietf.org/rfc/rfc4627.txt RFC 4627].
The output satisfies three additional properties:

# The output will not contain the substring (case-insensitively) <tt>"</script"</tt> so can be embedded inside an HTML script element without further encoding.
# The output will not contain the substring <tt>"]]>"</tt> so can be embedded inside an XML CDATA section without further encoding.
# The output is a valid Javascript expression, so can be parsed by Javascript's <tt>eval</tt> builtin (after being wrapped in parentheses) or by <tt>JSON.parse</tt>. Specifically, the output will not contain any string literals with embedded JS newlines (U+2028 Paragraph separator or U+2029 Line separator).
# The output contains only valid Unicode [http://www.unicode.org/glossary/#unicode_scalar_value scalar values] (no isolated [http://www.unicode.org/glossary/#surrogate_pair UTF-16 surrogates]) that are [http://www.w3.org/TR/xml/#charsets allowed in XML] unescaped.

=== Security ===

Since the output is well-formed JSON, passing it to <tt>eval</tt> will
have no side-effects and no free variables, so is neither a code-injection
vector, nor a vector for exfiltration of secrets.

This library only ensures that the JSON string → Javascript object phase has no side effects and resolves no free variables, and cannot control how other client side code later interprets the resulting Javascript object. So if client-side code takes a part of the parsed data that is controlled by an attacker and passes it back through a powerful interpreter like <tt>eval</tt> or <tt>innerHTML</tt> then that client-side code might suffer unintended side-effects.

=== Performance ===

The sanitize method will return the input string without allocating a new
buffer when the input is already valid JSON that satisfies the properties
above. Thus, if used on input that is usually well formed, it has minimal
memory overhead.

The sanitize method takes O(n) time where n is the length in UTF-16
code-units.

=Project About=
{{:Projects/OWASP_JSON_Sanitizer}}

[[Category:OWASP Project]]

OWASP Java HTML Sanitizer Project

2011-07-26T13:33:52Z

Mike Samuel:

==== Project About ====
{{:Projects/OWASP Java HTML Sanitizer Project | Project About}}

__NOTOC__ <headertabs/>

A fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.

The code is hosted on [http://code.google.com/p/owasp-java-html-sanitizer/ Google Code]. The [http://canyouxssthis.com/reflect attack review] is ongoing so please consider it alpha software.

[[Category:OWASP_Tool]]
[[Category:OWASP_Alpha_Quality_Tool]]
[[Category:OWASP_Project|Java HTML Sanitizer]]

Summit 2011 Attendee/Attendee174

2011-02-07T16:52:59Z

Mike Samuel: Added self to attendees page

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP 2011 Global Summit Attendee Tab</noinclude>
|-
| summit_attendee_name1 = Mike Samuel
| summit_attendee_email1 = mikesamuel@gmail.com
| summit_attendee_wiki_username1 = Mike Samuel
|-
| summit_attendee_company = Google, Inc.
|-
| Project Leadership (less than 6 months old) =
| Project Leadership (more than 6 months old) =
| Release Leadership (less than 6 months old) =
| Release Leadership (more than 6 months old) =
| Project Contribution (less than 6 months old) =
| Project Contribution (more than 6 months old) =
| Release Contribution (less than 6 months old) =
| Release Contribution (more than 6 months old) =
| Committee Membership =
| Chapter Co-Leadership =
| Conference Co-Leadership =
| Projected Funding Cost =
|-
| summit_attendee_current_owasp_involvement_name1 =
| summit_attendee_current_owasp_involvement_url_1 =
| summit_attendee_current_owasp_involvement_name2 =
| summit_attendee_current_owasp_involvement_url_2 =
| summit_attendee_current_owasp_involvement_name3 =
| summit_attendee_current_owasp_involvement_url_3 =
| summit_attendee_current_owasp_involvement_name4 =
| summit_attendee_current_owasp_involvement_url_4 =
| summit_attendee_current_owasp_involvement_name5 =
| summit_attendee_current_owasp_involvement_url_5 =
|-
| summit_attendee_reason_for_summit_participation_name1 = Browser Security
| summit_attendee_reason_for_summit_participation_url_1 =
| notes_reason_for_participating_issues_to_be_discussed_1 =
| summit_attendee_reason_for_summit_participation_name2 = XSS eradication
| summit_attendee_reason_for_summit_participation_url_2 =
| notes_reason_for_participating_issues_to_be_discussed_2 =
| summit_attendee_reason_for_summit_participation_name3 =
| summit_attendee_reason_for_summit_participation_url_3 =
| notes_reason_for_participating_issues_to_be_discussed_3 =
| summit_attendee_reason_for_summit_participation_name4 =
| summit_attendee_reason_for_summit_participation_url_4 =
| notes_reason_for_participating_issues_to_be_discussed_4 =
| summit_attendee_reason_for_summit_participation_name5 =
| summit_attendee_reason_for_summit_participation_url_5 =
| notes_reason_for_participating_issues_to_be_discussed_5 =
|-
| summit_attendee_owasp_sponsor =
|-
| summit_attendee_summit_time_paid_by_name1 =
| summit_attendee_summit_time_paid_by_url_1 =
| summit_attendee_summit_time_paid_by_name2 =
| summit_attendee_summit_time_paid_by_url_2 =
|-
| summit_attendee_summit_expenses_paid_by_name1 =
| summit_attendee_summit_expenses_paid_by_url_1 =
| summit_attendee_summit_expenses_paid_by_name2 =
| summit_attendee_summit_expenses_paid_by_url_2 =
|-
| reason_for_sponsorship =
|-
| status =
|-
| letter sent to sponsor =
|-
| notes for Kate =
|-
| attendee_name_mask =  Attendee174
| attendee_home_page =  Summit_2011_Attendee/Attendee174
}}