Transcript
Page 1: libinjection: from SQLi to XSS  by Nick Galbreath

libinjection: From SQLi to XSS

Nick Galbreath @ngalbreath
Signal Sciences
[email protected]

Code Blue ∙ Tokyo ∙ 2014-02-17

Page 2: libinjection: from SQLi to XSS  by Nick Galbreath

Nick Galbreath @ngalbreath

• Founder/CTO of Signal Sciences Corp

• Before: IponWeb (Moscow, Tokyo)

• Before: Etsy (New York City)

Page 3: libinjection: from SQLi to XSS  by Nick Galbreath

What is libinjection?

• A small C library to detect SQLi attacks in user input

• With API in python, lua and php

• Introduced at Black Hat USA 2012

• Open source with BSD license

• https://github.com/client9/libinjection

Page 4: libinjection: from SQLi to XSS  by Nick Galbreath

Why libinjection?

• Existing detection is mostly done with regular expressions

• No unit tests

• No performance (speed) tests

• No coverage tests

• No accuracy or precision tests

• No false positive tests

• “what are they actually doing?”

Page 5: libinjection: from SQLi to XSS  by Nick Galbreath

libinjection SQLi Today

• Version 3.9.1

• 8000 unique SQLi fingerprints

• 400+ unit tests

• 85,000+ SQLi samples

Page 6: libinjection: from SQLi to XSS  by Nick Galbreath

In Use At

• mod_security WAF - http://www.modsecurity.org/

• ironbee WAF - https://www.ironbee.com/

• glastopf honeypot - http://glastopf.org/

• proprietary WAFs

• internally at many companies

• partial pure-java port

Page 7: libinjection: from SQLi to XSS  by Nick Galbreath

XSS

Page 8: libinjection: from SQLi to XSS  by Nick Galbreath

Similar to SQLi

• No standard detection library

• Few if any have tests

• Regular expression based detection

• Can we do better?

Page 9: libinjection: from SQLi to XSS  by Nick Galbreath

Two Types of XSS

• HTML injection attacks

• Javascript injection attacks

Page 10: libinjection: from SQLi to XSS  by Nick Galbreath

XSS Javascript Injection

• Includes DOM-style attacks

• Attacks existing javascript code.

• Detection can truly only be done on the client

• A very hard problem

Page 11: libinjection: from SQLi to XSS  by Nick Galbreath

HTML Injection

• HTML injection attacks target the HTML tokenization algorithm (the text “<b>foo</b>” becomes the tokens <b>, foo, </b>)

• The goal is to change the context to ‘javascript’ and execute arbitrary code.

• This seems detectable.

Page 12: libinjection: from SQLi to XSS  by Nick Galbreath

HTML Injection Samples

<b>XSS</b> (raw HTML)

<foo XSS> (tag attribute from user input)

<foo name=XSS> (tag value from user input)

<foo name='XSS'> (quoted value)

<foo name="XSS"> (quoted value)

<foo name=`XSS`> (IE only!)

Page 13: libinjection: from SQLi to XSS  by Nick Galbreath

Browser HTML Tokenization

• Previously every browser parsed or tokenised HTML differently.

• This led to a number of different attacks using broken HTML tags, special characters or encodings.

• Now most browsers use the same algorithm, specified by HTML5.

Page 14: libinjection: from SQLi to XSS  by Nick Galbreath

> 65% are HTML5

http://tnw.co/1cqFueo

Page 15: libinjection: from SQLi to XSS  by Nick Galbreath

Every Tokenization Step

Page 16: libinjection: from SQLi to XSS  by Nick Galbreath

Is Clearly Defined

Page 17: libinjection: from SQLi to XSS  by Nick Galbreath

The remainder are IE

• And IE only has a few versions

• And has some well-known exceptions to the HTML5 parsing rules.

Page 18: libinjection: from SQLi to XSS  by Nick Galbreath

IE6 and IE7

• IE7 has only 2% of market share

• IE6 will, in time, go away.

• Both are likely running on 10-year-old machines.

Page 19: libinjection: from SQLi to XSS  by Nick Galbreath

IE8

• Somewhere between 10-20% market share

• The most modern MS browser on Windows XP

• Market share can only go down.

Page 20: libinjection: from SQLi to XSS  by Nick Galbreath

Opera

• 1.33% global market share

• But maybe 40% of that is ‘Opera Mini’ for phone or embedded systems

• Opera has a lot of oddities in HTML functionality and parsing

• Ignoring

Page 21: libinjection: from SQLi to XSS  by Nick Galbreath

libinjection XSS

Page 22: libinjection: from SQLi to XSS  by Nick Galbreath

HTML injection attacks in HTML5 clients.

• No: XML / XSLT injection

• No: any injection that only works in IE6, IE7, Opera, or Firefox and Chrome versions older than a year.

• No: DOM style attacks (need a client solution)

Page 23: libinjection: from SQLi to XSS  by Nick Galbreath

libinjection html5

• Full HTML5 Tokenizer.

• Does not build a tree or a DOM

• Just emits tokenizer events.

• Zero copying of data

Page 24: libinjection: from SQLi to XSS  by Nick Galbreath

Tokenization Sample

Input:

<img src="junk" onerror=alert(1);>

Tokenizer events:

TAG_NAME_OPEN  img
ATTR_NAME      src
ATTR_VALUE     junk
ATTR_NAME      onerror
ATTR_VALUE     alert(1);
TAG_NAME_CLOSE >

Page 25: libinjection: from SQLi to XSS  by Nick Galbreath

Check in each Context

Each input is parsed in at least 6 different HTML contexts, because that's how XSS works!

<b>XSS</b> (raw HTML)

<foo XSS> (tag attribute from user input)

<foo name=XSS> (tag value from user input)

<foo name='XSS'> (quoted value)

<foo name="XSS"> (quoted value)

<foo name=`XSS`> (IE only!)

Page 26: libinjection: from SQLi to XSS  by Nick Galbreath

Ban Problematic Tokens

• Problematic tags, attributes, and values are cataloged.

• Tags: <script>, anything XML or SVG related

• Attributes: on*, etc

• Values: javascript URLs in various formats

• and more…
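The three slides above (tokenizer events, six contexts, banned tokens) as one added worked example in Python. This is example code written for this page, not libinjection's C implementation or its Python binding: the tokenizer covers only the HTML5 states needed for start tags, end tags, attributes and comments; the `start`/`quote` parameters of `tokenize()` and the `CONTEXTS` table are this example's way of saying "parse the input as if it had landed in each context"; the `TAG_END` and `COMMENT` event names and the short `BANNED_TAGS` set are assumptions of the example; and the inputs in the comments and usage note are constructed here.

```python
# Added example (not libinjection's code): a small HTML5-style tokenizer plus the
# "tokenize in every context, ban problematic tokens" check of slides 23-26.
import html
from typing import Dict, List, Optional, Tuple

WS = " \t\n\f\r"
ALPHA = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def tokenize(src: str, start: str = "data", quote: Optional[str] = None) -> List[Tuple[str, str]]:
    """Emit (event, text) pairs. start is where the input lands: "data" (raw HTML), "before_attr_name"
    (<foo XSS>) or "attr_value" (<foo name=XSS>; quote is ', " or ` when the value is quoted).
    TAG_END and COMMENT are this example's own event names; the others follow the slide."""
    toks: List[Tuple[str, str]] = []
    n = len(src)
    def until(stops: str, j: int) -> int:          # index of the first char in stops, or EOF
        while j < n and src[j] not in stops:
            j += 1
        return j
    def find(s: str, j: int) -> int:               # str.find that returns EOF instead of -1
        k = src.find(s, j)
        return n if k < 0 else k
    def value(j: int, q: Optional[str]) -> int:    # emit one ATTR_VALUE, return the index after it
        if q is None:                              # before-attribute-value state: skip space, look for a quote
            j = n - len(src[j:].lstrip(WS))
            if j < n and src[j] in "\"'":
                q, j = src[j], j + 1
        k = find(q, j) if q else until(WS + ">", j)   # quoted ends at its quote, unquoted at space or '>'
        toks.append(("ATTR_VALUE", src[j:k]))
        return min(k + 1, n) if q else k
    def attributes(j: int) -> int:                 # attribute loop of a start tag; returns the index past '>'
        while j < n:
            j = n - len(src[j:].lstrip(WS + "/"))  # a '/' not followed by '>' is dropped, so <img/src=x> works
            if j < n and src[j] == ">":
                toks.append(("TAG_NAME_CLOSE", ">"))
                return j + 1
            if j >= n:
                break
            k = until(WS + "/>=", j + 1)           # the first char always belongs to the name ('= is legal)
            toks.append(("ATTR_NAME", src[j:k].lower()))
            k = n - len(src[k:].lstrip(WS))
            j = value(k + 1, None) if k < n and src[k] == "=" else k
        return n

    i = 0
    if start == "before_attr_name":
        i = attributes(0)
    elif start == "attr_value":
        i = attributes(value(0, quote))
    while i < n:                                   # data state
        if src[i] != "<":
            j = find("<", i)
            toks.append(("DATA", src[i:j]))
            i = j
        elif i + 1 < n and src[i + 1] in ALPHA:    # start tag
            k = until(WS + "/>", i + 1)
            toks.append(("TAG_NAME_OPEN", src[i + 1:k].lower()))
            i = attributes(k)
        elif src.startswith("</", i) and i + 2 < n and src[i + 2] in ALPHA:   # end tag
            k = until(WS + "/>", i + 2)
            toks.append(("TAG_END", src[i + 2:k].lower()))
            i = min(find(">", k) + 1, n)
        elif i + 1 < n and src[i + 1] in "!?/":    # comment, doctype or bogus comment
            end = "-->" if src.startswith("<!--", i) else ">"
            k = find(end, i + 2)
            toks.append(("COMMENT", src[i + 2:k]))
            i = min(k + len(end), n)
        else:                                      # a lone '<' is plain text
            toks.append(("DATA", "<"))
            i += 1
    return toks

# Illustrative ban lists (slide 26: <script>, anything XML/SVG, on* attributes, javascript: URLs); the real catalogue is far larger.
BANNED_TAGS = {"script", "svg", "math", "xml", "xsl", "iframe", "object", "embed"}
CONTEXTS: Dict[str, Tuple[str, Optional[str]]] = {   # the input is re-tokenized as if it had landed in each place
    "raw HTML": ("data", None),                       # <b>XSS</b>
    "attribute name": ("before_attr_name", None),     # <foo XSS>
    "unquoted value": ("attr_value", None),           # <foo name=XSS>
    "single-quoted value": ("attr_value", "'"),       # <foo name='XSS'>
    "double-quoted value": ("attr_value", '"'),       # <foo name="XSS">
    "backtick value (IE only)": ("attr_value", "`"),  # <foo name=`XSS`>
}

def is_javascript_url(value: str) -> bool:
    v = html.unescape(value).lstrip("".join(map(chr, range(33))))   # &Tab; -> TAB, &colon; -> ':'; drop leading C0/space
    v = v.translate({9: None, 10: None, 13: None})                   # browsers strip tab/newline anywhere in a URL
    return v.lower().startswith("javascript:")

def first_banned(toks: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    for idx, (kind, text) in enumerate(toks):
        nxt = toks[idx + 1] if idx + 1 < len(toks) else ("", "")
        if (kind == "TAG_NAME_OPEN" and text in BANNED_TAGS) or (kind == "ATTR_VALUE" and is_javascript_url(text)) \
                or (kind == "ATTR_NAME" and text.startswith("on") and nxt[0] == "ATTR_VALUE" and nxt[1] != ""):
            return toks[idx]                       # an on* attribute only runs code when it carries a value
    return None

def which_contexts(user_input: str) -> List[str]:  # contexts in which the input yields a banned token
    return [name for name, (start, q) in CONTEXTS.items() if first_banned(tokenize(user_input, start, q))]
```

`tokenize('<img src="junk" onerror=alert(1);>')` reproduces the event stream on the tokenization slide. `which_contexts` is the point of the six contexts: the constructed input `` `onerror=alert(1) `` is harmless in every HTML5 context and is flagged only in the IE backtick context, while `" onerror=alert(1)` trips the attribute-name and double-quoted contexts. The value check normalises the way a browser does (entity decoding, leading control characters, embedded tabs and newlines), which is what "javascript URLs in various formats" requires. The price of the attribute-name context is that any text beginning with `on` followed by `=` is flagged there, which is the kind of case the deck's remaining false-positive QA has to weigh.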

Page 27: libinjection: from SQLi to XSS  by Nick Galbreath

Training Sources

Page 28: libinjection: from SQLi to XSS  by Nick Galbreath

XSS Cheat sheets

• Most are outdated (exploits for Firefox 3!)

• sorry OWASP :-(

• Each entry is validated to make sure it is valid for HTML5 browsers.

Page 29: libinjection: from SQLi to XSS  by Nick Galbreath

HTML5SEC.org

• Fantastic resource

• But lists many examples for Firefox 3 and/or obsolete Opera versions

• Pruned to focus on HTML5 browsers

Page 30: libinjection: from SQLi to XSS  by Nick Galbreath

@soaj1664ashar

• Produces interesting new XSS regularly

• If you like XSS you should follow him on Twitter

Page 31: libinjection: from SQLi to XSS  by Nick Galbreath

Attack / Scanners

• Integrate one scanner’s test cases

• Using Shazzer fuzz databases - http://shazzer.co.uk/

Page 32: libinjection: from SQLi to XSS  by Nick Galbreath

Current Status

Page 33: libinjection: from SQLi to XSS  by Nick Galbreath

Available Now

• Available on github

• http://libinjection.client9.com/

• but… still alpha

Page 34: libinjection: from SQLi to XSS  by Nick Galbreath

$ make test-xss
./reader -t -i -x -m 10 ../data/xss*
../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `>
../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!>
../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit>
../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)>
../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script>
../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
XSS : 1628
SAFE : 11
TOTAL : 1639
Threshold is 10, got 11, failing.

1639 Total Samples
1628 Detected as XSS
11 False Negatives

Page 35: libinjection: from SQLi to XSS  by Nick Galbreath

IE Unbalanced Quotes

• IE 8+ has strange behaviour with ‘unbalanced quotes’ inside comments and attribute values.

• Work in progress

Page 36: libinjection: from SQLi to XSS  by Nick Galbreath

Performance

500,000+ checks per second

Page 37: libinjection: from SQLi to XSS  by Nick Galbreath

TODO 2014-02-17

• It’s alpha — so it’s likely to have some spectacular failures (bypasses)

• False-positive QA not completed.

• Currently does not handle some IE injections

• Does not have a test-bed for experimenting (maybe later this week).

• More QA, code-coverage needed

• No bindings for scripting languages (soon).

