SlideShare une entreprise Scribd logo

Is XSS Solvable? Don Ankney • LayerOne 2009

D
dankney

Slides from my LayerOne 2009 presentation on cross site scripting.

Technologie
1  sur  50
Télécharger pour lire hors ligne
IS XSS SOLVABLE? Don Ankney • LayerOne 2009 Saturday, May 23, 2009
DISCLAIMER This presentation represents personal work and has not been approved or vetted by Microsoft. I am solely responsible for its content. Saturday, May 23, 2009
OUTLINE • XSS as a generic injection attack. • What makes XSS unique, why it’s important. • Defending against XSS in general. • Web Application Defense • One effective architecture design pattern. • Tool to help. • Where to go from here. Saturday, May 23, 2009
DEFINING THE PROBLEM Saturday, May 23, 2009
INJECTION FLAWS • Any interpreted code can be injected: LDAP, XML, HTTP, XAML, PHP, Python, Ruby, and most infamously, SQL. • XSS is simply another form of interpreter injection, usually using Javascript. • We can solve it just like we would solve any other injection problem*. * except SQL injection -- we have a better solution there. Saturday, May 23, 2009
PREVENTING INJECTION • Always keep track of your trust boundaries. • Validate/sanitize your inputs. • Properly encode your outputs. • Use white lists, not black lists. • Exercise the principal of least privilege. • Validate your assumptions. Saturday, May 23, 2009
TRUST BOUNDARIES User System Forms Files headers services cookies Processes ajax files Application Database SQL LDAP web data stores Saturday, May 23, 2009
WHY XSS IS DIFFERENT • Most injection flaws attack your server. • XSS attacks the end user -- it runs arbitrary code in their browser. • The browser is behind your firewall and is acting within the user’s security context. Saturday, May 23, 2009
YOU CAN DO SOME NASTY THINGS WITH JAVASCRIPT • Javascript can control what appears on screen. • Javascript has access to your history. • Sites often store session tokens in GET request. • Javascript can intercept cookies. • Javascript can enumerate your network. Saturday, May 23, 2009
XSS TAXONOMY Saturday, May 23, 2009
REFLECTED XSS Attack Victim Attacker Attack Web App URL string Browser XSS • Victim browser submits an “evil” request that contains javascript. • The web application then reflects that javascript back to the victim browser, which then executes it. Saturday, May 23, 2009
REFLECTED XSS • Attack does not persist across users, sessions, or pages. • It is only reflected back to the user that submits the malicious url. • This is relatively easy to detect remotely via a scanner/fuzzer. Saturday, May 23, 2009
PERSISTENT XSS Attack string Attacker Webpage Database Victim Webpage XSS • An attacker stores an attack string in a web application. • Visitors to that site access infected pages causing javascript execution. Saturday, May 23, 2009
PERSISTENT XSS • Can persist across user, sessions, and pages. • It depends on application context and who can access the infected pages. • Very difficult to detect remotely via scanning/fuzzing. • There are many paths through an application, scanning is too noisy for a production system. • Best identified by code analysis. Saturday, May 23, 2009
HYBRID XSS Attack Webpage Attack A Attack Victim Attacker Session Data URL Browser XSS Webpage Attack B • Victim browser submits “evil” url. • Attack string is stored as session data. • Session data is returned to browser on another page, executing javascript. Saturday, May 23, 2009
HYBRID XSS • Attacks are not persistent across sessions. • Attacks do persist across pages. • Attacks may persist across users. • Think about “who’s online” functionality. • Extremely difficult to detect remotely. • May require specific request sequences. Saturday, May 23, 2009
DETECTING INJECTION FLAWS REMOTELY Saturday, May 23, 2009
SCANNING FOR REFLECTED XSS VULNERABILITIES • This requires a simple fuzzer. • Send an attack string. • Check for appropriately encoded returns. • The most difficult part is maintaining a current attack string list. Saturday, May 23, 2009
SCANNING FOR PERSISTENT XSS VULNERABILITIES • This sort of scanner is immature. • Requires mapping input cause vs. output effect without knowledge of application state. •A persistent XSS scan is extremely noisy. • Each form has to have unique data submitted in order to map persistent data across the site. • Running an attack list against the mapped site creates one persistent record per attack string. Saturday, May 23, 2009
DETECTING INJECTION FLAWS LOCALLY Saturday, May 23, 2009
AVAILABLE TECHNIQUES • Static code analysis • Examines the source code • Dynamic analysis • Examines application state Saturday, May 23, 2009
STATIC CODE ANALYSIS • Manual code review. • Static code analyzers: • Pixy (PHP) • CAT.NET (ASP.NET) • CodeSecure (Java/ASP.NET/PHP) Saturday, May 23, 2009
WHAT STATIC ANALYSIS CAN DETECT • Input sanitization • Really only boolean, doesn’t evaluate quality. • Output encoding • Are both application (html) and character encoding explicit? • Data flow • Does anything skip sanitization or encoding? Saturday, May 23, 2009
DYNAMIC CODE ANALYSIS • The only way to consider application state. • Remember that persistent and hybrid XSS are state- dependent. • Internal representation of data is tied to risk. • There aren’t a lot of existing tools. • Most existing are run-time IPS-style tools. Saturday, May 23, 2009
DEFENDING AGAINST XSS Saturday, May 23, 2009
THERE ARE THREE CONTROL POINTS FOR XSS Web Browser Application Database IT Infrastructure XSS can be mitigated at all three points. Saturday, May 23, 2009
THE BROWSER • Different browsers will execute different code snippets. • O9, IE6: <BODY BACKGROUND=quot;javascript:alert('XSS');quot;> • FF2, O9: <META HTTP-EQUIV=quot;refreshquot; CONTENT=quot;0;url=data:text/ html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4Kquot;> • Current browsers are much better than previous generations. Saturday, May 23, 2009
IT INFRASTRUCTURE • Web application firewalls. • Intrusion prevention systems. • Web application sandboxes. • All of these are signature-based defenses. Saturday, May 23, 2009
WEB APPLICATION DEFENSE Saturday, May 23, 2009
IT’S ALL ABOUT PROCESS Request Return Security Decode Logic Encode Checks • This requires a consistent and enforced architectural approach. • JSP, PHP 3/4, and classic ASP don’t lend themselves to this approach. Saturday, May 23, 2009
DECODE YOUR INPUT Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 • If the request specified an encoding, you might want to assume that encoding for parameters. • HTTP defaults to ISO-8859-1 • Convert the request to your application’s internal representation. Saturday, May 23, 2009
SECURITY CHECKS • This is where you apply your whitelists. • Remember the principal of least privilege and use the most restrictive patterns possible. • If you must accept markup tags, parse the tags and replace them with tokens. • Consider whitelisting any paths or URLs. Saturday, May 23, 2009
SANITIZING HTML • There are a number of libraries available to do this for you. • Microsoft AntiXSS (.NET), • OWASP AntiSamy (Java, .NET, Python). • HTML Purifier (PHP) Saturday, May 23, 2009
WRITING YOUR OWN SANITIZATION LIBRARY • Whitelist HTML tags. • Be as restrictive as possible. • If allowing high-risk tasks (such as <a> and <img>), consider whitelisting their targets. • Replace all the allowed tags with symbols. Parse them for properties. • Store them this way. • Replace the symbols prior to encoding. This way, everything is constructed in your code and not passed from the user. Saturday, May 23, 2009
ENCODE YOUR OUTPUT • Most commonly, encode using html entities. • After entity encoding, replace your tokens with actual tags. • If the final output is not html, encode accordingly. • XML if outputting AJAX, XAML, etc. Saturday, May 23, 2009
EXPLICITLY DECLARE YOUR CHARACTER SET • Your web server can do it for you: • AddCharset UTF-8 .php (Apache .htaccess) • If in doubt, override your web server: • header('Content-type: text/html; charset=utf-8'); (PHP .htaccess) • <%Response.charset=quot;utf-8quot;%> (ASP.NET) • print quot;Content-Type: text/html; charset=utf-8nnquot;; (Perl) Saturday, May 23, 2009
DO YOUR SECURITY CHECKS ACTUALLY WORK? foreach ($_GET as $secvalue) { if ((eregi(quot;<[^>]*script*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*object*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*iframe*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*applet*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*meta*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*style*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*form*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;([^>]*quot;?[^)]*)quot;, $secvalue)) || (eregi(quot;quot;quot;, $secvalue))) { die (quot;<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</ b><br><br>[ <a href=quot;javascript:history.go(-1)quot;><b>Go Back</b></a> ]quot;); } } foreach ($_POST as $secvalue) { if ((eregi(quot;<[^>]*script*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*style*quot;?[^>]*>quot;, $secvalue))) { die (quot;<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</ b><br><br>[ <a href=quot;javascript:history.go(-1)quot;><b>Go Back</b></a> ]quot;); } } This is actual code in a popular CMS. Saturday, May 23, 2009
TESTING ARCHITECTURAL PATTERN IMPLEMENTATION Saturday, May 23, 2009
VALIDATES INPUT SANITIZATION Web Fuzzer attack strings Sanitization Validator attack strings Stored strings Target Database App Virtual Machine Saturday, May 23, 2009
VALIDATES OUTPUT ENCODING Endcoding Validator attack strings Database Fuzzer Stored strings attack strings Target Database App Virtual Machine Saturday, May 23, 2009
[DEMO] Saturday, May 23, 2009
TOOL BENEFITS • Finds fundamental problems in software design • More complex attacks rely on either sanitization or encoding to be broken. • Detects persistent XSS attack vectors. • In a dedicated VM, noise doesn’t matter. Saturday, May 23, 2009
TOOL LIMITATIONS • Only works with database-resident state data • Cookies, header, etc are also valid XSS threats. • Only works against HTML forms • Can be extended to include AJAX, headers, cookies, etc. Saturday, May 23, 2009
TOOL PLANS • Move it from PHP to C#. • Create a PM-friendly interface so that anyone can run it. • Add authentication integration: • Web forms, OpenID. • Expand it to include non-form fuzzing. Saturday, May 23, 2009
WHY IS THIS HARD? • Legacy applications and languages often don’t lend themselves to this architectural pattern. • Browser behavior is often unexpected and gibberish code can be executed. • Application complexity makes it difficult to predict state, just like a client application. • Applications and developers change over time. Saturday, May 23, 2009
CALL TO ACTION • Write better code. • Use current browser technology. • Honestly assess your enterprise. • Do you have lots of legacy code? Saturday, May 23, 2009
I’M WEB 2.0 • Blog: http://hackerco.de • LinkedIn: http://www.linkedin.com/pub/don-ankney/6/213/651 • Twitter: http://twitter.com/dankney • E-mail: dankney@hackerco.de Saturday, May 23, 2009
BIBLIOGRAPHY • Alshanetsky, Ilia. Php|Architect's Guide to Php Security|. Marco Tabini & Associates, Inc, 2005. • Ernst, M., Artzi, S., Kiezun, A., Dolby, J., Tip, F., and Dig, D. “Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit State Model Checking.” dspace.mit.edu (2009): • Ernst, M., Kiezun, A., Guo, P. J., Jayaraman, K., and Ernst, M. D. “Automatic Creation of Sql Injection and Cross-Site Scripting Attacks.” dspace.mit.edu (2008): • Fogie, Seth, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov. Xss Attacks: Cross Site Scripting Exploits and Defense. Syngress, 2007. Saturday, May 23, 2009
BIBLIOGRAPHY • Johns, M., Engelmann, B., and Posegga, J. “Xssds: Server-Side Detection of Cross- Site Scripting Attacks.” Proceedings of the 2008 Annual Computer Security Applications Conference (2008): 335-44. • Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. Wiley, 2007. • Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., and Vigna, G. “Cross-Site Scripting Prevention With Dynamic Data Tainting and Static Analysis.” Proceeding of the Network and Distributed System Security Symposium (NDSS’07) (2007): • Wassermann, G., and Su, Z. “Static Detection of Cross-Site Scripting Vulnerabilities.” Proceedings of the 30th international conference on Software engineering (2008): 171-80. Saturday, May 23, 2009
QUESTIONS? Saturday, May 23, 2009

Recommandé

Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Convincing Developers to take Cross-Site Scripting Seriously
Convincing Developers to take Cross-Site Scripting SeriouslyConvincing Developers to take Cross-Site Scripting Seriously
Convincing Developers to take Cross-Site Scripting Seriouslyjpubal
 
Insecurities 2.0
Insecurities 2.0 Insecurities 2.0
Insecurities 2.0 Martin Johns
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
Web hack & attacks
Web hack & attacksWeb hack & attacks
Web hack & attacksApurva Dhanwantri - CISA ,SCJP,C|EH, ISO/IEC 27001 LA,CPISI
 
Blind XSS & Click Jacking
Blind XSS & Click JackingBlind XSS & Click Jacking
Blind XSS & Click Jackingn|u - The Open Security Community
 

Recommandé

Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Convincing Developers to take Cross-Site Scripting Seriously
Convincing Developers to take Cross-Site Scripting SeriouslyConvincing Developers to take Cross-Site Scripting Seriously
Convincing Developers to take Cross-Site Scripting Seriouslyjpubal
 
Insecurities 2.0
Insecurities 2.0 Insecurities 2.0
Insecurities 2.0 Martin Johns
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
Web hack & attacks
Web hack & attacksWeb hack & attacks
Web hack & attacksApurva Dhanwantri - CISA ,SCJP,C|EH, ISO/IEC 27001 LA,CPISI
 
Blind XSS & Click Jacking
Blind XSS & Click JackingBlind XSS & Click Jacking
Blind XSS & Click Jackingn|u - The Open Security Community
 
Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Rafel Ivgi
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Денис Жевнер: “Aliens in da web: XSS explained”
Денис Жевнер: “Aliens in da web: XSS explained”Денис Жевнер: “Aliens in da web: XSS explained”
Денис Жевнер: “Aliens in da web: XSS explained”Dakiry
 
Api xss
Api xssApi xss
Api xssArnold Williams Alukwe
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection VulnerabilitiesMindfire Solutions
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsZiv Ginsberg
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...IJECEIAES
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...IBM Rational software
 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSSRonan Dunne, CEH, SSCP
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Cyber Security By Preetish Panda
Cyber Security By Preetish PandaCyber Security By Preetish Panda
Cyber Security By Preetish PandaPreetish Panda
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingHarishKumar1779
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxA Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxGitam Gadtaula
 
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability ScannersWhy Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability ScannersAdam Doupe
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBSides Delhi
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Contenu connexe

Similaire à Is XSS Solvable? Don Ankney • LayerOne 2009

Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Rafel Ivgi
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Денис Жевнер: “Aliens in da web: XSS explained”
Денис Жевнер: “Aliens in da web: XSS explained”Денис Жевнер: “Aliens in da web: XSS explained”
Денис Жевнер: “Aliens in da web: XSS explained”Dakiry
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsZiv Ginsberg
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...IJECEIAES
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...IBM Rational software
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Cyber Security By Preetish Panda
Cyber Security By Preetish PandaCyber Security By Preetish Panda
Cyber Security By Preetish PandaPreetish Panda
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlassian
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxA Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxGitam Gadtaula
 
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability ScannersWhy Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability ScannersAdam Doupe
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBSides Delhi
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 

Similaire à Is XSS Solvable? Don Ankney • LayerOne 2009 (20)

Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
XSS- an application security vulnerability
XSS- an application security vulnerabilityXSS- an application security vulnerability
XSS- an application security vulnerability
 
Денис Жевнер: “Aliens in da web: XSS explained”
Денис Жевнер: “Aliens in da web: XSS explained”Денис Жевнер: “Aliens in da web: XSS explained”
Денис Жевнер: “Aliens in da web: XSS explained”
 
Api xss
Api xssApi xss
Api xss
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
What is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgetsWhat is xss, blind xss and xploiting google gadgets
What is xss, blind xss and xploiting google gadgets
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSS
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
Cyber Security By Preetish Panda
Cyber Security By Preetish PandaCyber Security By Preetish Panda
Cyber Security By Preetish Panda
 
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny WyattAtlasCamp 2010: Securing your Plugin - Penny Wyatt
AtlasCamp 2010: Securing your Plugin - Penny Wyatt
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptxA Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
A Survey of Exploitation and Detection Methods of XSS Vulnerabilities.pptx
 
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability ScannersWhy Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 
BsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security PlaygroundBsidesDelhi 2018: DomGoat - the DOM Security Playground
BsidesDelhi 2018: DomGoat - the DOM Security Playground
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 

Dernier

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Dernier (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Is XSS Solvable? Don Ankney • LayerOne 2009

  • 1. IS XSS SOLVABLE? Don Ankney • LayerOne 2009 Saturday, May 23, 2009
  • 2. DISCLAIMER This presentation represents personal work and has not been approved or vetted by Microsoft. I am solely responsible for its content. Saturday, May 23, 2009
  • 3. OUTLINE • XSS as a generic injection attack. • What makes XSS unique, why it’s important. • Defending against XSS in general. • Web Application Defense • One effective architecture design pattern. • Tool to help. • Where to go from here. Saturday, May 23, 2009
  • 5. INJECTION FLAWS • Any interpreted code can be injected: LDAP, XML, HTTP, XAML, PHP, Python, Ruby, and most infamously, SQL. • XSS is simply another form of interpreter injection, usually using Javascript. • We can solve it just like we would solve any other injection problem*. * except SQL injection -- we have a better solution there. Saturday, May 23, 2009
  • 6. PREVENTING INJECTION • Always keep track of your trust boundaries. • Validate/sanitize your inputs. • Properly encode your outputs. • Use white lists, not black lists. • Exercise the principal of least privilege. • Validate your assumptions. Saturday, May 23, 2009
  • 7. TRUST BOUNDARIES User System Forms Files headers services cookies Processes ajax files Application Database SQL LDAP web data stores Saturday, May 23, 2009
  • 8. WHY XSS IS DIFFERENT • Most injection flaws attack your server. • XSS attacks the end user -- it runs arbitrary code in their browser. • The browser is behind your firewall and is acting within the user’s security context. Saturday, May 23, 2009
  • 9. YOU CAN DO SOME NASTY THINGS WITH JAVASCRIPT • Javascript can control what appears on screen. • Javascript has access to your history. • Sites often store session tokens in GET request. • Javascript can intercept cookies. • Javascript can enumerate your network. Saturday, May 23, 2009
  • 11. REFLECTED XSS Attack Victim Attacker Attack Web App URL string Browser XSS • Victim browser submits an “evil” request that contains javascript. • The web application then reflects that javascript back to the victim browser, which then executes it. Saturday, May 23, 2009
  • 12. REFLECTED XSS • Attack does not persist across users, sessions, or pages. • It is only reflected back to the user that submits the malicious url. • This is relatively easy to detect remotely via a scanner/fuzzer. Saturday, May 23, 2009
  • 13. PERSISTENT XSS Attack string Attacker Webpage Database Victim Webpage XSS • An attacker stores an attack string in a web application. • Visitors to that site access infected pages causing javascript execution. Saturday, May 23, 2009
  • 14. PERSISTENT XSS • Can persist across user, sessions, and pages. • It depends on application context and who can access the infected pages. • Very difficult to detect remotely via scanning/fuzzing. • There are many paths through an application, scanning is too noisy for a production system. • Best identified by code analysis. Saturday, May 23, 2009
  • 15. HYBRID XSS Attack Webpage Attack A Attack Victim Attacker Session Data URL Browser XSS Webpage Attack B • Victim browser submits “evil” url. • Attack string is stored as session data. • Session data is returned to browser on another page, executing javascript. Saturday, May 23, 2009
  • 16. HYBRID XSS • Attacks are not persistent across sessions. • Attacks do persist across pages. • Attacks may persist across users. • Think about “who’s online” functionality. • Extremely difficult to detect remotely. • May require specific request sequences. Saturday, May 23, 2009
  • 17. DETECTING INJECTION FLAWS REMOTELY Saturday, May 23, 2009
  • 18. SCANNING FOR REFLECTED XSS VULNERABILITIES • This requires a simple fuzzer. • Send an attack string. • Check for appropriately encoded returns. • The most difficult part is maintaining a current attack string list. Saturday, May 23, 2009
  • 19. SCANNING FOR PERSISTENT XSS VULNERABILITIES • This sort of scanner is immature. • Requires mapping input cause vs. output effect without knowledge of application state. •A persistent XSS scan is extremely noisy. • Each form has to have unique data submitted in order to map persistent data across the site. • Running an attack list against the mapped site creates one persistent record per attack string. Saturday, May 23, 2009
  • 20. DETECTING INJECTION FLAWS LOCALLY Saturday, May 23, 2009
  • 21. AVAILABLE TECHNIQUES • Static code analysis • Examines the source code • Dynamic analysis • Examines application state Saturday, May 23, 2009
  • 22. STATIC CODE ANALYSIS • Manual code review. • Static code analyzers: • Pixy (PHP) • CAT.NET (ASP.NET) • CodeSecure (Java/ASP.NET/PHP) Saturday, May 23, 2009
  • 23. WHAT STATIC ANALYSIS CAN DETECT • Input sanitization • Really only boolean, doesn’t evaluate quality. • Output encoding • Are both application (html) and character encoding explicit? • Data flow • Does anything skip sanitization or encoding? Saturday, May 23, 2009
  • 24. DYNAMIC CODE ANALYSIS • The only way to consider application state. • Remember that persistent and hybrid XSS are state- dependent. • Internal representation of data is tied to risk. • There aren’t a lot of existing tools. • Most existing are run-time IPS-style tools. Saturday, May 23, 2009
  • 26. THERE ARE THREE CONTROL POINTS FOR XSS Web Browser Application Database IT Infrastructure XSS can be mitigated at all three points. Saturday, May 23, 2009
  • 27. THE BROWSER • Different browsers will execute different code snippets. • O9, IE6: <BODY BACKGROUND=quot;javascript:alert('XSS');quot;> • FF2, O9: <META HTTP-EQUIV=quot;refreshquot; CONTENT=quot;0;url=data:text/ html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4Kquot;> • Current browsers are much better than previous generations. Saturday, May 23, 2009
  • 28. IT INFRASTRUCTURE • Web application firewalls. • Intrusion prevention systems. • Web application sandboxes. • All of these are signature-based defenses. Saturday, May 23, 2009
  • 30. IT’S ALL ABOUT PROCESS Request Return Security Decode Logic Encode Checks • This requires a consistent and enforced architectural approach. • JSP, PHP 3/4, and classic ASP don’t lend themselves to this approach. Saturday, May 23, 2009
  • 31. DECODE YOUR INPUT Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 • If the request specified an encoding, you might want to assume that encoding for parameters. • HTTP defaults to ISO-8859-1 • Convert the request to your application’s internal representation. Saturday, May 23, 2009
  • 32. SECURITY CHECKS • This is where you apply your whitelists. • Remember the principal of least privilege and use the most restrictive patterns possible. • If you must accept markup tags, parse the tags and replace them with tokens. • Consider whitelisting any paths or URLs. Saturday, May 23, 2009
  • 33. SANITIZING HTML • There are a number of libraries available to do this for you. • Microsoft AntiXSS (.NET), • OWASP AntiSamy (Java, .NET, Python). • HTML Purifier (PHP) Saturday, May 23, 2009
  • 34. WRITING YOUR OWN SANITIZATION LIBRARY • Whitelist HTML tags. • Be as restrictive as possible. • If allowing high-risk tasks (such as <a> and <img>), consider whitelisting their targets. • Replace all the allowed tags with symbols. Parse them for properties. • Store them this way. • Replace the symbols prior to encoding. This way, everything is constructed in your code and not passed from the user. Saturday, May 23, 2009
  • 35. ENCODE YOUR OUTPUT • Most commonly, encode using html entities. • After entity encoding, replace your tokens with actual tags. • If the final output is not html, encode accordingly. • XML if outputting AJAX, XAML, etc. Saturday, May 23, 2009
  • 36. EXPLICITLY DECLARE YOUR CHARACTER SET • Your web server can do it for you: • AddCharset UTF-8 .php (Apache .htaccess) • If in doubt, override your web server: • header('Content-type: text/html; charset=utf-8'); (PHP .htaccess) • <%Response.charset=quot;utf-8quot;%> (ASP.NET) • print quot;Content-Type: text/html; charset=utf-8nnquot;; (Perl) Saturday, May 23, 2009
  • 37. DO YOUR SECURITY CHECKS ACTUALLY WORK? foreach ($_GET as $secvalue) { if ((eregi(quot;<[^>]*script*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*object*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*iframe*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*applet*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*meta*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*style*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*form*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;([^>]*quot;?[^)]*)quot;, $secvalue)) || (eregi(quot;quot;quot;, $secvalue))) { die (quot;<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</ b><br><br>[ <a href=quot;javascript:history.go(-1)quot;><b>Go Back</b></a> ]quot;); } } foreach ($_POST as $secvalue) { if ((eregi(quot;<[^>]*script*quot;?[^>]*>quot;, $secvalue)) || (eregi(quot;<[^>]*style*quot;?[^>]*>quot;, $secvalue))) { die (quot;<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</ b><br><br>[ <a href=quot;javascript:history.go(-1)quot;><b>Go Back</b></a> ]quot;); } } This is actual code in a popular CMS. Saturday, May 23, 2009
  • 38. TESTING ARCHITECTURAL PATTERN IMPLEMENTATION Saturday, May 23, 2009
  • 39. VALIDATES INPUT SANITIZATION Web Fuzzer attack strings Sanitization Validator attack strings Stored strings Target Database App Virtual Machine Saturday, May 23, 2009
  • 40. VALIDATES OUTPUT ENCODING Endcoding Validator attack strings Database Fuzzer Stored strings attack strings Target Database App Virtual Machine Saturday, May 23, 2009
  • 42. TOOL BENEFITS • Finds fundamental problems in software design • More complex attacks rely on either sanitization or encoding to be broken. • Detects persistent XSS attack vectors. • In a dedicated VM, noise doesn’t matter. Saturday, May 23, 2009
  • 43. TOOL LIMITATIONS • Only works with database-resident state data • Cookies, header, etc are also valid XSS threats. • Only works against HTML forms • Can be extended to include AJAX, headers, cookies, etc. Saturday, May 23, 2009
  • 44. TOOL PLANS • Move it from PHP to C#. • Create a PM-friendly interface so that anyone can run it. • Add authentication integration: • Web forms, OpenID. • Expand it to include non-form fuzzing. Saturday, May 23, 2009
  • 45. WHY IS THIS HARD? • Legacy applications and languages often don’t lend themselves to this architectural pattern. • Browser behavior is often unexpected and gibberish code can be executed. • Application complexity makes it difficult to predict state, just like a client application. • Applications and developers change over time. Saturday, May 23, 2009
  • 46. CALL TO ACTION • Write better code. • Use current browser technology. • Honestly assess your enterprise. • Do you have lots of legacy code? Saturday, May 23, 2009
  • 47. I’M WEB 2.0 • Blog: http://hackerco.de • LinkedIn: http://www.linkedin.com/pub/don-ankney/6/213/651 • Twitter: http://twitter.com/dankney • E-mail: dankney@hackerco.de Saturday, May 23, 2009
  • 48. BIBLIOGRAPHY • Alshanetsky, Ilia. Php|Architect's Guide to Php Security|. Marco Tabini & Associates, Inc, 2005. • Ernst, M., Artzi, S., Kiezun, A., Dolby, J., Tip, F., and Dig, D. “Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit State Model Checking.” dspace.mit.edu (2009): • Ernst, M., Kiezun, A., Guo, P. J., Jayaraman, K., and Ernst, M. D. “Automatic Creation of Sql Injection and Cross-Site Scripting Attacks.” dspace.mit.edu (2008): • Fogie, Seth, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov. Xss Attacks: Cross Site Scripting Exploits and Defense. Syngress, 2007. Saturday, May 23, 2009
  • 49. BIBLIOGRAPHY • Johns, M., Engelmann, B., and Posegga, J. “Xssds: Server-Side Detection of Cross- Site Scripting Attacks.” Proceedings of the 2008 Annual Computer Security Applications Conference (2008): 335-44. • Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. Wiley, 2007. • Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., and Vigna, G. “Cross-Site Scripting Prevention With Dynamic Data Tainting and Static Analysis.” Proceeding of the Network and Distributed System Security Symposium (NDSS’07) (2007): • Wassermann, G., and Su, Z. “Static Detection of Cross-Site Scripting Vulnerabilities.” Proceedings of the 30th international conference on Software engineering (2008): 171-80. Saturday, May 23, 2009