©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
©2009 Justin C. Klein Keane XSS Basics Cross Site Scripting (XSS) Attacker leverages domain trust to exploit a victim Commonly uses JavaScript, but can us AJAX or other technologies
©2009 Justin C. Klein Keane How XSS Works Attacker injects JavaScript into display The Javascript can take many forms: – javascript:foo – alert('foo'); – javascript:alert – Any tag or attribute that supports JavaScript can be used!
©2009 Justin C. Klein Keane Types of XSS Non-persistent (reflected) Persistent (stored) DOM-based
©2009 Justin C. Klein Keane Reflected XSS Script that is passed to the site is rendered back to the browser Like string format vulnerabilities, originally considered a harmless bug Common scenarios is a search engine that returns a value of “Your search for X returned Y records” Developers didn't care if site users cause pop- ups to appear
©2009 Justin C. Klein Keane Reflected XSS Takes Imagination Attackers quickly figured out ways to exploit reflected XSS – URL passed variables used to redirect users to other sites – Combined with or link or form on another site to create a trust compromise – Generally involves social engineering of some sort
©2009 Justin C. Klein Keane Persistent XSS Attacker injects script that is stored on the target and displayed to any user requesting the page At a minimum can cause a denial of service
©2009 Justin C. Klein Keane Dangers of Persistent XSS Attacker can exploit JavaScript to attack victims Can steal cookies by posting them to another site Can use document.write() to display arbitrary text (including links for click fraud) Can do key logging via JavaScript
©2009 Justin C. Klein Keane DOM Based XSS Client side JavaScript includes variables attacker can manipulate to inject script Because the JavaScript is dynamic DOM based XSS can be much more difficult to spot
©2009 Justin C. Klein Keane Typical XSS Attacks Attacker sends an to a user insisting they change their account credentials and includes a link to your site – the link actually includes an XSS that redirects the user to attacker controlled site where credentials are harvested Attacker injects JavaScript to steal cookies which are used for session hijacking
©2009 Justin C. Klein Keane More XSS Attacks Attacker injects JavaScript to manipulate display by hiding or overwriting page elements Attacker injects a link or image that drives traffic to another site (click fraud and Google jacking) Attacker injects JavaScript that records each keystroke Attacker injects JavaScript that calls a malicious URL for drive by downloading Attacker injects JavaScript that exploits browser vulnerabilities (or browser object vulnerabilities such as PDF)
©2009 Justin C. Klein Keane XSRF Attacks Client side scripts that perform background actions using the authentication of a user Can be extremely useful in bypassing authentication XSRF exploits the fact that browsers send cookies by default with every page request Limited somewhat by the same domain origin policy of JavaScript
©2009 Justin C. Klein Keane Typical XSRF User logs into a target site as an admin User views a page with a persistent XSS The script then calls a form or submits an AJAX request with attacker determined values Can be used to do things like change the user's password or perhaps exploit other vulnerabilities in authenticated areas of the site Attacker uses XSRF to reset SOHO router settings
©2009 Justin C. Klein Keane Protecting Against XSRF Forms contain a transitory token that is tied to the user account Token must then be passed in the form submission in order to carry out an action Even this is not foolproof as a clever XSRF can instantiate an iframe that includes a legitimate call to the form, with a valid token
©2009 Justin C. Klein Keane Other XSRF Defenses Require a user to fill in existing password in order to change it Auto complete on form fields can defeat even this protection, however
©2009 Justin C. Klein Keane XSS & XSRF Obfuscation JavaScript is commonly encoded – URL encoding – Base64 encoding – ROT13 JavaScript may be calling externally hosted JavaScript
©2009 Justin C. Klein Keane Obscure XSS Image tags can be used to display JavaScript CSS can also be used to display JavaScript on IE using the exec() statement Iframe source can be JavaScript META refresh tags Object tags For more see
©2009 Justin C. Klein Keane Preventing XSS & XSRF Essentially a problem of validating user input Filters for “known bad” are especially dangerous with XSS – New techniques emerge regularly – Browsers change – New web browsers emerge
©2009 Justin C. Klein Keane Mitigation Strategy Disallow HTML Don't utilize user supplied input in display (including scripts) without careful sanitization DO NOT ALLOW BAD DATA INTO THE DB! – Do NOT sanitize exclusively on output! Use a library for translation – This can be useful if the library is centrally maintained as it can easily evolve – Still a broadside approach, not as effective as limiting to known good
©2009 Justin C. Klein Keane Useful PHP Functions htmlspecialchars() – '&' to '&' – “ to " – ' to ' – < to < – > to > htmlentities() – Much more thorough, all characters with HTML equivalents are translated.
©2009 Justin C. Klein Keane More PHP strip_tags() - strips out all HTML (and PHP) tags – Can optionally allow certain tags fgetss() - same as fgets(), which gets a line from a pointer, but strips tags
©2009 Justin C. Klein Keane More Useful PHP Functions ereg_replace() – Allow only characters you want eregi_replace() preg_replace()
©2009 Justin C. Klein Keane Finding XSS Tools can sometimes be useful Code analysis may not be as effective Enter text such as alert('foo'); in every possible input value and observe results
©2009 Justin C. Klein Keane Filter Evasion Techniques Alternating case: <ScRiPt Inject “legal” characters – script/src= – <scr%00ipt URL encoding input – alert('foo'); – <script>al&# 101;rt('foo') 9;</script> – %3cscript%3e – %253script%253e
©2009 Justin C. Klein Keane Filter Exploitation Be careful that any filters you use can't be used against you Filters that remove text might actually be used to de-mangle input: – A filter that removes the string “ ” can be defeated using the input: ipt>
©2009 Justin C. Klein Keane Other Concerns XSS in uploaded files (images, PDF, etc.) Code analysis may not be as effective Enter text such as alert('foo'); in every possible input value and observe results