APPLICATION RELATED SECURITY VULNERABILITIES IN A WEB APPLICATION

Who should read this?

This document gives an overview of the application-level security vulnerabilities that a web application may have. These vulnerabilities give attackers (including ethical hackers) an easy way to attack the application, hinder its functionality, or steal confidential information or data. The vulnerabilities covered here are the ones reported by "Rational AppScan" when it was run against an IIS-based application. Rational AppScan is a tool that identifies vulnerable areas in a web application; for each finding it reports background information on the vulnerability and ways to fix it. This document is partially based on the reports received from Rational AppScan.

Document Revision History

Date         Version  Author               Remarks
19-Jul-2010  1.0      Rupesh Kumar R Jain  Finalized the document to upload.
21-Jul-2010  2.0      Rupesh Kumar R Jain  Added two more vulnerabilities to the list. Added the document history section.

TABLE OF CONTENTS

1 APPLICATION RELATED VULNERABILITIES
1.1 Cross-Site Scripting
1.2 Stored Cross-Site Scripting
1.3 SQL Injection
1.4 Database Error Pattern Found
1.5 SQL Query in Parameter Value
1.6 Cross-Site Request Forgery
1.7 Link Injection (facilitates Cross-Site Request Forgery)
1.8 Phishing through Frames
1.9 Permanent Cookie Contains Sensitive Session Information
1.10 Session Not Invalidated After Logout
1.11 Cacheable SSL Page Found
1.12 HTML Comments Sensitive Information Disclosure
1.13 Missing Secure Attribute in Encrypted Session (SSL) Cookie
1.14 Query Parameter in SSL Request
1.15 Cacheable Login Page Found
1.16 Session Identifier Not Updated
1.17 Inadequate Account Lockout
1.18 Authentication Bypass Using SQL Injection

Each section is organised as: Security Risks, Possible Causes, Technical Description, General Fix Recommendations, References and Relevant Links.

1 Application Related Vulnerabilities

1.1 Cross-Site Scripting

Security Risks
It is possible to steal or manipulate the customer's session and cookies, which might be used to impersonate a legitimate user, allowing the attacker to view or alter user records and to perform transactions as that user.

Possible Causes
Sanitation of hazardous characters was not performed correctly on user input.

Technical Description
The Cross-Site Scripting attack is a privacy violation that allows an attacker to acquire a legitimate user's credentials and to impersonate that user when interacting with a specific website. The attack hinges on the fact that the web site contains a script that returns a user's input (usually a parameter value) in an HTML page without first sanitizing the input. This allows an input consisting of JavaScript code to be executed by the browser when the script returns this input in the response page. As a result, it is possible to form links to the site where one of the parameters consists of malicious JavaScript code. This code will be executed (by a user's browser) in the site context, granting it access to the cookies that the user has for the site, and to other windows in the site through the user's browser.

The attack proceeds as follows: the attacker lures the legitimate user to click on a link that was produced by the attacker. When the user clicks on the link, this generates a request to the web site containing a parameter value with malicious JavaScript code. If the web site embeds this parameter value into the response HTML page (this is the essence of the site issue), the malicious code will run in the user's browser.

Possible actions that can be performed by the script are:
[1] Send the user's cookies (for the legitimate site) to the attacker.
[2] Send information that is accessible through the DOM (URLs, form fields, etc.) to the attacker.

The result is that the security and privacy of the victim user is compromised on the vulnerable site.

Some notes:
[1] Although the attacked web site is involved, it is not compromised directly. It is used as a 'jump station' for the malicious script sent by the attacker, to return to the victim's browser as if it were legitimate. However, since the privacy of the victim is breached in the context of the specific site, and since the site is directly responsible, it is considered a security flaw in the site.
[2] The malicious link can be provided by the attacker using a web site link, if the attacker maintains a site that is visited by the victim user. The malicious link can also be provided by email, if the attacker knows the user's email address and the user's email client uses the browser to render the HTML message.
[3] While user input is most commonly found in form field values (e.g. URL parameters), there are known attacks where the malicious code is embedded in the path, the query, the HTTP Referer header, and even in cookies.
[4] AppScan sends many types of Cross-Site Scripting attacks, including attacks that work only on specific browsers or versions of browsers. AppScan's "Show in Browser" feature uses Internet Explorer to show the vulnerability. In the case of variants to which Internet Explorer is not vulnerable but other browsers are, the "Show in Browser" facility does not work and the popup is not shown.

There are two possible scenarios for sending input to a web application that is vulnerable to cross-site scripting:

A. The parameter value sent to the CGI script is returned in the response page, embedded in the HTML. For example:

[request]
GET /cgi-bin/script.pl?name=JSmith HTTP/1.0

[response]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 27

<HTML>
Hello JSmith
</HTML>

B. The parameter value sent to the CGI script is returned in an HTML parameter value context. For example:

[request]
GET /cgi-bin/script.pl?name=JSmith HTTP/1.0

[response]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 254

<HTML>
Please fill in your zip code:
<FORM METHOD=GET ACTION="/cgi-bin/script.pl">
<INPUT TYPE=text NAME="name" value="JSmith">
<br>
<INPUT TYPE=text NAME="zip" value="Enter zip code here">
<br>
<INPUT TYPE=submit value="Submit">
</FORM>
</HTML>

Example 1 - scenario A
The following request is sent by the user:

[attack request]
GET /cgi-bin/script.pl?name=>"'><script>alert('Watchfire%20XSS%20Test%20Successful')</script> HTTP/1.0

[attack response scenario A]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 83

<HTML>
Hello >"'><script>alert('Watchfire XSS Test Successful')</script>
</HTML>

In this case the JavaScript code will be executed by the browser (the >"'> part is irrelevant here).

Example 2 - scenario B
Using the same script and input as in Example 1 to invoke the attack:

[attack response scenario B]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 310

<HTML>
Please fill in your zip code:
<FORM METHOD=GET ACTION="/cgi-bin/script.pl">
<INPUT TYPE=text NAME="name" value=">"'><script>alert('Watchfire XSS Test Successful')</script>">
<br>
<INPUT TYPE=text NAME="zip" value="Enter zip code here">
<br>
<INPUT TYPE=submit value="Submit">
</FORM>
</HTML>

The >"'> prefix is used to break out of the parameter value context. Closing the parameter value field ( "' ) and then closing the <INPUT> tag ( > ) causes the JavaScript to be executed by the browser instead of being treated as an inert parameter value.

Listed below are the different test variants:
[1] >'><script>alert('Watchfire XSS Test Successful')</script>
[2] >"><script>alert("Watchfire XSS Test Successful")</script>
[3] </TextArea><script>alert('Watchfire XSS Test Successful')</script>
[4] >"'><img src="javascript:alert('Watchfire XSS Test Successful')">
[5] >"'><img src=&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;alert(&quot;Watchfire&#x20;XSS&#x20;Test&#x20;Successful&quot;)>
[6] " style="background:url(javascript:alert('Watchfire XSS Test Successful'))" OQ="
[7] --><script>alert('Watchfire XSS Test Successful')</script>
[8] '+alert('Watchfire XSS Test Successful')+'
[9] "+alert('Watchfire XSS Test Successful')+"
[10] >'><%00script>alert('Watchfire XSS Test Successful')</script> (.NET 1.1 specific variant)
[11] >"><%00script>alert("Watchfire XSS Test Successful")</script> (.NET 1.1 specific variant)
[12] >+ACI-+AD4-+ADw-SCRIPT+AD4-alert(1234)+ADw-/SCRIPT+AD4-
[13] %A7%A2%BE%BC%F3%E3%F2%E9%F0%F4%BE%E1%EC%E5%F2%F4%A8%A7Watchfire%20XSS%20Test%20Successful%A7%A9%BC%AF%F3%E3%F2%E9%F0%F4%BE

Variant details:

Test variants [1] & [2]: These are the most basic cross-site scripting variants. The difference between the two is the use of quotation marks or of an apostrophe in the JavaScript code. Some web application programmers only sanitize user input for apostrophes or for quotation marks, but not both; the vulnerability is detected by running both variants.

Test variant [3]: This variant is specifically designed for user input that is returned embedded in <TEXTAREA> elements. During the test, an attempt is made to break out of the parameter value (text area) to force the JavaScript to be executed by the browser.

Test variant [4]: Some web application programmers sanitize <SCRIPT> tags from user input but forget to sanitize the "javascript:" specifier, which can be used in HTML links. During this test, an attempt is made to embed the malicious JavaScript code by using an <img> tag with a JavaScript link as its source.

Test variant [5]: This variant is very similar to variant #4. It uses HTML entities to bypass security measures which sanitize user input of <, >, quotes and the "javascript:" specifier.

Test variant [6]: This variant uses the smallest number of non-standard characters. Unlike the former variants, it does not use the &, >, <, # or ; characters. Assuming that the user input is embedded in an HTML form parameter value (inside an <INPUT> tag), the malicious string first escapes from the parameter value context and then adds a STYLE attribute to the <INPUT> tag, in which it embeds the malicious JavaScript code. Note: this variant will only succeed in scenario B, or if user input is embedded in attributes of other HTML elements.

Test variant [7]: Some web applications embed user input inside HTML comments. To test the application for this vulnerability, the HTML comment ( --> ) is first closed, and then the malicious JavaScript code is embedded.

Test variants [8] & [9]: Some web applications embed user input in JavaScript string literals, for example:

<HTML>
<SCRIPT LANGUAGE="JavaScript">
var str = 'Hello $user_input';
...
</SCRIPT>
</HTML>

If we send the following parameter value: '+alert('Watchfire XSS Test Successful')+' , the resulting response page will look like this:

<HTML>
<SCRIPT LANGUAGE="JavaScript">
var str = 'Hello ' + alert('Watchfire XSS Test Successful') + '';
...
</SCRIPT>
</HTML>

The application is tricked into concatenating the malicious JavaScript code in the middle of the original string literal, causing the browser to execute our JavaScript code. The difference between variants #8 and #9 is the use of quotation marks or of an apostrophe, which adapts the attack to both string-terminating characters.

Test variants [10] & [11]: In Microsoft .NET 1.1, the HttpRequest.ValidateInput method validates data submitted by a client browser and raises an exception if potentially dangerous data is present. From MSDN: "If the validation feature is enabled by page directive or configuration, this method is called during the Page's ProcessRequest processing phase. ValidateInput can be called by your code if the validation feature is not enabled. Request validation works by checking all input data against a hard-coded list of potentially dangerous data." Input data is checked during request validation in the following members:
- HttpRequest.Form
- HttpRequest.QueryString
- HttpRequest.Cookies
** Note: HttpRequest.ValidateInput is enabled by default in ASP.NET 1.1.

ASP.NET 1.1 blocks input containing '<' followed by an alphanumeric character or an exclamation mark (e.g. <script>, <img, <!--, etc.). If the '<' character is followed first by a NULL byte and only then by an alphanumeric character, the pattern does not match and the input is allowed to reach the web application. For example:
[*] The string '<script>' is blocked by ASP.NET 1.1.
[*] The string '<%00script>' is allowed by ASP.NET 1.1.

In addition, the HTML parser of most web browsers (including all versions of Microsoft Internet Explorer) ignores the NULL byte and parses <%00script> as <script>. Combining this with the problem presented above, any HTML tag can be injected through the ASP.NET 1.1 HttpRequest.ValidateInput security mechanism, leaving the application vulnerable to cross-site scripting and to injection of other malicious HTML tags.

Test variant [12]: While many input validation functions properly filter out or escape the common characters used for XSS (such as < and >), only a few manage to handle hazardous UTF-7 encoded strings. Therefore, in many cases, when an XSS attack payload encoded in UTF-7 is sent, the payload is returned in the response without being altered. For the attack to succeed, the victim's browser must treat the XSS payload as UTF-7, otherwise the script will not be executed. If 'Encoding' is set to 'Auto-Detect' and Internet Explorer finds a UTF-7 string in the first 4096 characters of the response body, it sets the charset encoding to UTF-7 automatically, unless another charset encoding is already enforced. This automatic encoding feature may help a malicious user to mount the UTF-7 XSS attack.

A successful attack for this variant requires the following:
[*] The victim uses an Internet Explorer client with 'Encoding' set to 'Auto-Detect'.
[*] There is no charset encoding enforcement (unless UTF-7 is enforced) in:
    [*] the response headers ("Content-Type: text/html; charset=[encoding]");
    [*] a <meta http-equiv="Content-Type" (...) charset=[encoding]/> tag in the response HTML.
[*] The injected text appears in the first 4096 characters of the HTML text.

Test variant [13]: The purpose of this variant is to exploit the way Internet Explorer treats responses with a 'us-ascii' Content-Type (it discards the most significant bit of each character). By setting the most significant bit of each character of an XSS payload, AppScan can evade standard input sanitation functions. For example: %3C, which is the URL-encoded representation of "<", is transformed into %BC in this attack. It is not recognized by the server-side sanitation function as a hazardous character and is therefore not altered in any way, but it will be read by Internet Explorer as "<", making a Cross-Site Scripting attack possible.

General Fix Recommendations
There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands, etc.

It is advised to filter out all of the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (carriage return, ASCII 0x0d)
[15] LF (line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

Note that filtering characters on input alone is brittle: variants 5, 12 and 13 above exist precisely to pass such filters, and stripping characters such as + or & corrupts legitimate data. The reliable fix is to encode every reflected value for the context into which it is written (HTML body text, attribute value, JavaScript string literal) and to declare an explicit charset in the Content-Type header; input validation then serves as defence in depth rather than as the only control.

References and Relevant Links
CERT Advisory CA-2000-02
Microsoft How To: Prevent Cross-Site Scripting Security Issues (Q252985)
Microsoft How To: Prevent Cross-Site Scripting in ASP.NET
Microsoft How To: Protect From Injection Attacks in ASP.NET
Microsoft How To: Use Regular Expressions to Constrain Input in ASP.NET
Microsoft .NET Anti-Cross Site Scripting Library
Cross-Site Scripting Training Module
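The two reflection contexts above (scenario A body text and scenario B attribute value), the JavaScript string-literal case of variants 8 and 9, and the NUL-byte bypass of variants 10 and 11, as an added example for this document; this is not code from the original page or from AppScan. The function names, the modelled ASP.NET 1.1 validation rule and the constructed responses are assumptions for illustration; the payload strings are the test variants listed in the section.

```python
"""Reflected XSS in scenarios A and B, the ASP.NET 1.1 NUL-byte bypass, and
context-aware output encoding as the fix.

Added example; not code from the original document or from AppScan. The
function names, the modelled validation rule and the constructed responses
are illustrative assumptions; the payloads are the section's test variants."""
import html
import json
import re
from urllib.parse import unquote

# Test variants quoted from the section (numbers as in the variant list).
V1 = ">'><script>alert('Watchfire XSS Test Successful')</script>"
V6 = '" style="background:url(javascript:alert(\'Watchfire XSS Test Successful\'))" OQ="'
V8 = "'+alert('Watchfire XSS Test Successful')+'"
V9 = '"+alert(\'Watchfire XSS Test Successful\')+"'
V10_WIRE = ">'><%00script>alert('Watchfire XSS Test Successful')</script>"  # as sent in the URL

# --- Request validation as the section describes it for ASP.NET 1.1 ---------
# Modelled rule (an assumption based on the text): reject '<' immediately
# followed by an alphanumeric character or '!'.
_DANGEROUS = re.compile(r"<[A-Za-z0-9!]")


def decode_query_value(wire: str) -> str:
    """URL-decode a parameter as the server would; '%00' becomes a real NUL byte."""
    return unquote(wire)


def aspnet11_validation_rejects(value: str) -> bool:
    """Flawed check: a NUL byte between '<' and 'script' breaks the match,
    while Internet Explorer drops the NUL and still parses <script>."""
    return bool(_DANGEROUS.search(value))


def validation_rejects_canonicalized(value: str) -> bool:
    """Canonicalize before matching so <\\x00script> is judged as <script>.
    Input rejection is still only defence in depth; output encoding is the fix."""
    return bool(_DANGEROUS.search(value.replace("\x00", "")))


# --- Scenario A: value reflected into HTML body text --------------------------
def greeting_vulnerable(name: str) -> str:
    return f"<HTML>Hello {name}</HTML>"


def greeting_hardened(name: str) -> str:
    # html.escape(quote=True) encodes & < > " and ' for the body-text context.
    return f"<HTML>Hello {html.escape(name, quote=True)}</HTML>"


# --- Scenario B: value reflected into a quoted attribute ----------------------
def form_vulnerable(name: str) -> str:
    return f'<INPUT TYPE=text NAME="name" value="{name}">'


def form_hardened(name: str) -> str:
    # With quotes encoded, the value can neither close the attribute nor add a
    # STYLE attribute, so variants 4, 5 and 6 stay inert.
    return f'<INPUT TYPE=text NAME="name" value="{html.escape(name, quote=True)}">'


# --- JavaScript string-literal context (variants 8 and 9) ---------------------
def script_vulnerable(user_input: str) -> str:
    return f"<SCRIPT>var str = 'Hello {user_input}';</SCRIPT>"


def js_string_literal(s: str) -> str:
    """JSON-encode (escapes quotes, backslashes and control characters) and
    additionally escape < and > so the literal can never contain </script>."""
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def script_hardened(user_input: str) -> str:
    return f"<SCRIPT>var str = 'Hello ' + {js_string_literal(user_input)};</SCRIPT>"


# --- Response headers: an explicit charset closes the UTF-7 auto-detect path
# of variant 12; nosniff stops content-type guessing in modern browsers.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}


def hardened_response(name: str) -> str:
    """Full HTTP response for scenario A with encoding and an explicit charset."""
    body = greeting_hardened(name)
    head = "\r\n".join(f"{k}: {v}" for k, v in HARDENED_HEADERS.items())
    return f"HTTP/1.1 200 OK\r\n{head}\r\nContent-Length: {len(body.encode())}\r\n\r\n{body}"


if __name__ == "__main__":
    nul = decode_query_value(V10_WIRE)
    print(aspnet11_validation_rejects(nul))       # False: the NUL bypass works
    print(validation_rejects_canonicalized(nul))  # True
    print(hardened_response(V1))
```

The blacklist check is shown only to make the bypass concrete: the regex models the rule the section quotes, and canonicalizing the input before matching closes that one hole but not the others. Every hardened renderer ignores the input entirely and instead encodes for the exact context it writes into, which is why the same payloads become inert text in all three places.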
Stored Cross-Site Scripting

Security Risks

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

Possible Causes

Sanitation of hazardous characters was not performed correctly on user input.

Technical Description

The Cross-Site Scripting attack is a privacy violation, which allows an attacker to acquire a legitimate user's credentials and to impersonate that user when interacting with a specific website. The attack hinges on the fact that the web site contains a script that returns a user's input (usually a parameter value) in an HTML page, without first sanitizing the input. This allows an input consisting of JavaScript code to be executed by the browser when the script returns this input in the response page. As a result, it is possible to form links to the site where one of the parameters consists of malicious JavaScript code. This code will be executed (by a user's browser) in the site context, granting it access to the cookies that the user has for the site, and to other windows in the site, through the user's browser.

The attack proceeds as follows: The attacker lures the legitimate user to click on a link that was produced by the attacker. When the user clicks on the link, this generates a request to the web site containing a parameter value with malicious JavaScript code. If the web site embeds this parameter value into the response HTML page (this is the essence of the site issue), the malicious code will run in the user's browser.

Possible actions that can be performed by the script are:
[1] Send the user's cookies (for the legitimate site) to the attacker.
[2] Send information that is accessible through the DOM (URLs, form fields, etc.) to the attacker.

The result is that the security and privacy of the victim user is compromised on the vulnerable site.

Some notes:
[1] Although the attacked web site is involved, it is not compromised directly. It is used as a 'jump station' for the malicious script sent by the attacker, to return to the victim's browser as if it were legitimate. However, since the privacy of the victim is breached in the context of the specific site, and since the site is directly responsible, it is considered a security flaw in the site.
[2] The malicious link can be provided by the attacker using a web site link, if the attacker maintains a site that is visited by the victim user. The malicious link can also be provided by email, if the attacker knows the user's email address, and the user's email client uses the browser to render the HTML message.
[3] While user input is most commonly found in form field values (i.e. URL parameters), there are known attacks where the malicious code is embedded in the path, the query, or the HTTP Referer header, and even in cookies.
[4] AppScan sends many types of Cross-Site Scripting attacks, including attacks that work only on specific browsers or versions of browsers. AppScan's "Show in Browser" feature uses Internet Explorer to show the vulnerability. In the case of variants to which Internet Explorer is not vulnerable, but other browsers are, the "Show in Browser" facility does not work and the popup is not shown.

There are two possible scenarios for sending input to a web application that is vulnerable to cross-site scripting:

A. The parameter value sent to the CGI script is returned in the response page, embedded in the HTML. For example:

[request]
GET /cgi-bin/script.pl?name=JSmith HTTP/1.0

[response]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 27

<HTML>
Hello JSmith
</HTML>

B. The parameter value sent to the CGI script is returned in an HTML parameter value context. For example:

[request]
GET /cgi-bin/script.pl?name=JSmith HTTP/1.0

[response]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 254

<HTML>
Please fill in your zip code:
<FORM METHOD=GET ACTION="/cgi-bin/script.pl">
<INPUT TYPE=text NAME="name" value="JSmith">
<br>
<INPUT TYPE=text NAME="zip" value="Enter zip code here">
<br>
<INPUT TYPE=submit value="Submit">
</FORM>
</HTML>

Example 1 - scenario A

The following request is sent by the user:

[attack request]
GET /cgi-bin/script.pl?name=>"'><script>alert('Watchfire%20XSS%20Test%20Successful')</script> HTTP/1.0

[attack response scenario A]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 83

<HTML>
Hello >"'><script>alert('Watchfire XSS Test Successful')</script>
</HTML>

In this case, the JavaScript code will be executed by the browser (the >"'> part is irrelevant here).

Example 2 - scenario B

Using the same script and input as in Example 1 to invoke the attack:

[attack response scenario B]
HTTP/1.1 200 OK
Server: SomeServer
Date: Sun, 01 Jan 2002 00:31:19 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 310

<HTML>
Please fill in your zip code:
<FORM METHOD=GET ACTION="/cgi-bin/script.pl">
<INPUT TYPE=text NAME="name" value=">"'><script>alert('Watchfire XSS Test Successful')</script>">
<br>
<INPUT TYPE=text NAME="zip" value="Enter zip code here">
<br>
<INPUT TYPE=submit value="Submit">
</FORM>
</HTML>

The >"'> prefix is used to break out of the parameter value context. Closing the parameter value field ( "'> ) and then closing the <INPUT> tag ( > ) will cause the JavaScript to be executed by the browser, instead of being treated as a parameter value, which would not have been parsed or executed as JavaScript code.

Listed below are the different test variants:

[1] >'><script>alert('Watchfire XSS Test Successful')</script>
[2] >"><script>alert("Watchfire XSS Test Successful")</script>
[3] </TextArea><script>alert('Watchfire XSS Test Successful')</script>
[4] >"'><img src="javascript:alert('Watchfire XSS Test Successful')">
[5] >"'><img src=&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;alert(&quot;Watchfire&#x20;XSS&#x20;Test&#x20;Successful&quot;)>
[6] " style="background:url(javascript:alert('Watchfire XSS Test Successful'))" OQ="
[7] --><script>alert('Watchfire XSS Test Successful')</script>
[8] '+alert('Watchfire XSS Test Successful')+'
[9] "+alert('Watchfire XSS Test Successful')+"
[10] >'><%00script>alert('Watchfire XSS Test Successful')</script> (.NET 1.1 specific variant)
[11] >"><%00script>alert("Watchfire XSS Test Successful")</script> (.NET 1.1 specific variant)
[12] >+ACI-+AD4-+ADw-SCRIPT+AD4-alert(1234)+ADw-/SCRIPT+AD4-
[13] %A7%A2%BE%Bc%F3%E3%F2%E9%F0%F4%Be%E1%Ec%E5%F2%F4%A8%A7Watchfire%20XSS%20Test%20Successful%A7%A9%Bc%Af%F3%E3%F2%E9%F0%F4%Be

Variant details:
Test variants [1] & [2]: These are the most basic cross-site scripting variants. The difference between the two variants is the use of quotes or of an apostrophe in the JavaScript code. Some web application programmers only sanitize user input for apostrophes or for quotes, but not both. This vulnerability is detected by running both variants.

Test variant [3]: This test variant is specifically designed for user input that is returned embedded in <TEXTAREA> parameters. During the test, an attempt is made to break out of the parameter value (text area), to force the JavaScript to be executed by the browser.

Test variant [4]: Some web application programmers sanitize <SCRIPT> tags from user input, but forget to sanitize the "javascript:" specifier, which can be used in HTML links. During this test, an attempt is made to embed the malicious JavaScript code by using an <img> tag with a JavaScript link as its source.

Test variant [5]: This variant is very similar to variant #4. It uses HTML entities to bypass security measures which sanitize user input of <, >, quotes and the "javascript:" specifier.

Test variant [6]: This variant uses the least number of non-standard characters. Unlike the former variants, it does not use the &, >, <, # or ; characters. Assuming that the user input is embedded in an HTML form parameter value (inside an <INPUT> tag), the malicious string first escapes from the parameter value context and then proceeds to add a STYLE attribute to the <INPUT> tag, in which it embeds the malicious JavaScript code. Note: this variant will only succeed in scenario B, or if user input is embedded in attributes of other HTML elements.

Test variant [7]: Some web applications embed user input inside HTML comments. To test the application for this vulnerability, the HTML comment ( --> ) is first closed, and then the malicious JavaScript code is embedded.

Test variants [8] & [9]: Some web applications embed user input in JavaScript string literals, for example:

<HTML>
<SCRIPT LANGUAGE="JavaScript">
var str = 'Hello $user_input';
...
</SCRIPT>
</HTML>

If we send the following parameter value: '+alert('Watchfire XSS Test Successful')+', the resulting response page will look like this:

<HTML>
<SCRIPT LANGUAGE="JavaScript">
var str = 'Hello ' + alert('Watchfire XSS Test Successful') + '';
...
</SCRIPT>
</HTML>

The application is tricked into concatenating the malicious JavaScript code in the middle of the original string literal, causing the browser to execute our JavaScript code. The difference between variants #8 and #9 is the use of quotes or of an apostrophe, which customizes the attack for both string-terminating characters.

Test variants [10] & [11]: In Microsoft .NET 1.1, the HttpRequest.ValidateInput method validates data submitted by a client browser and raises an exception if potentially dangerous data is present. From MSDN: "If the validation feature is enabled by page directive or configuration, this method is called during the Page's ProcessRequest processing phase. ValidateInput can be called by your code if the validation feature is not enabled. Request validation works by checking all input data against a hard-coded list of potentially dangerous data." Input data is checked during request validation in the following members:
- HttpRequest.Form,
- HttpRequest.QueryString,
- HttpRequest.Cookies

** Note: HttpRequest.ValidateInput is enabled by default in ASP.NET 1.1.

ASP.NET 1.1 blocks input containing '<' followed by an alphanumeric character or an exclamation mark (e.g. <script>, <img, <!--, etc...). If the '<' character is followed first by a NULL byte and only then by an alphanumeric character, the pattern does not match and the input is allowed to reach the web application. For example:
[*] The string '<script>' is blocked by ASP.NET 1.1
[*] The string '<%00script>' is allowed by ASP.NET 1.1

In addition, the HTML parser of most web browsers (including all versions of Microsoft Internet Explorer) ignores the NULL byte, and parses <%00script> as <script>. Combining this with the security problem presented above, any HTML tag can be injected through the ASP.NET 1.1 HttpRequest.ValidateInput security mechanism, leaving it vulnerable to cross-site scripting and to injection of other malicious HTML tags.

Test variant [12]: While many input validation functions properly filter out or escape common characters used for XSS (such as <> (triangular parenthesis)), only a few manage to handle hazardous UTF-7 encoded strings. Therefore, in many cases, when sending an XSS attack payload encoded in UTF-7, the payload will return in the response without being altered. For the attack to succeed, the victim's browser should treat the XSS payload as UTF-7, otherwise the script will not be executed. If 'Encoding' is set to 'Auto-Detect', and Internet Explorer finds a UTF-7 string in the first 4096 characters of the response body, it will set the charset encoding to UTF-7 automatically, unless another charset encoding is already enforced. This automatic encoding feature may help a malicious user to mount the UTF-7 XSS attack. A successful attack for this variant requires the following:
[*] The victim uses an Internet Explorer client with 'Encoding' set to 'Auto-Detect'.
[*] There is no charset encoding enforcement (unless utf-7 is enforced) in:
    [*] The response headers ("Content-Type: text/html; charset=[encoding]").
    [*] A <meta http-equiv="Content-Type" (...) charset=[encoding]/> tag in the response html.
[*] The injected text appears in the first 4096 characters of the html text.

Test variant [13]: The purpose of this variant is to exploit the way Internet Explorer treats responses with a 'us-ascii' Content-Type (it discards the Most Significant Bit of each character). By changing the most significant bit of each character of an XSS payload, AppScan can evade standard input sanitation functions. For example: %3C, which is the URL-encoded representation of "<", is transformed into %BC in this attack. It is not recognized by the server-side sanitation function as a hazardous character, and is therefore not altered in any way, but it will be read by Internet Explorer as "<", making a Cross-Site Scripting attack possible.

General Fix Recommendations

There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands, etc. It is advised to filter out all the following characters:

[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

References and Relevant Links

CERT Advisory CA-2000-02
Microsoft How To: Prevent Cross-Site Scripting Security Issues (Q252985)
Microsoft How To: Prevent Cross-Site Scripting in ASP.NET
Microsoft How To: Protect From Injection Attacks in ASP.NET
Microsoft How To: Use Regular Expressions to Constrain Input in ASP.NET
Microsoft .NET Anti-Cross Site Scripting Library
Cross-Site Scripting Training Module
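The fix recommendations above work on the input side, by filtering characters. The Python below is an added example (it is not part of the original document and not code from Rational AppScan) that takes the complementary output-encoding route: it replays the thirteen test variants listed above against three templates modelled on the page's scenario A (HTML body), scenario B (attribute value) and the JavaScript string literal of variants [8] and [9], and it models the ASP.NET 1.1 request-validation rule exactly as the page describes it, to show that variants [10] and [11] pass that rule while context-aware encoding still holds. The function names, the 'JSmith' control value, the charset header and the decode-as-UTF-8 step are assumptions of the example, not anything stated on the page.

```python
import html
import json
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# The thirteen test variants listed on the page, as they travel in the query string
# (variants [10], [11] and [13] are therefore still percent-encoded here).
PAGE_VARIANTS = [
    ">'><script>alert('Watchfire XSS Test Successful')</script>",
    '>"><script>alert("Watchfire XSS Test Successful")</script>',
    "</TextArea><script>alert('Watchfire XSS Test Successful')</script>",
    ">\"'><img src=\"javascript:alert('Watchfire XSS Test Successful')\">",
    ">\"'><img src=&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;"
    "alert(&quot;Watchfire&#x20;XSS&#x20;Test&#x20;Successful&quot;)>",
    "\" style=\"background:url(javascript:alert('Watchfire XSS Test Successful'))\" OQ=\"",
    "--><script>alert('Watchfire XSS Test Successful')</script>",
    "'+alert('Watchfire XSS Test Successful')+'",
    "\"+alert('Watchfire XSS Test Successful')+\"",
    ">'><%00script>alert('Watchfire XSS Test Successful')</script>",
    '>"><%00script>alert("Watchfire XSS Test Successful")</script>',
    ">+ACI-+AD4-+ADw-SCRIPT+AD4-alert(1234)+ADw-/SCRIPT+AD4-",
    "%A7%A2%BE%Bc%F3%E3%F2%E9%F0%F4%Be%E1%Ec%E5%F2%F4%A8%A7Watchfire%20XSS%20Test"
    "%20Successful%A7%A9%Bc%Af%F3%E3%F2%E9%F0%F4%Be",
]

# Assumed response header: a fixed charset leaves IE nothing to auto-detect (variant [12])
# and avoids the 'us-ascii' most-significant-bit stripping that variant [13] relies on.
CONTENT_TYPE = "Content-Type: text/html; charset=utf-8"


def decode_query_param(raw: str) -> str:
    """What the server-side script receives: percent-decode to bytes, then decode as UTF-8.
    MSB-set bytes that are not valid UTF-8 (variant [13]) become U+FFFD, never '<' or '"'."""
    return unquote_to_bytes(raw).decode("utf-8", errors="replace")


def encode_html_text(s: str) -> str:
    """Scenario A / B: escape & < > " and ' as entities before placing text in HTML."""
    return html.escape(s, quote=True)


def encode_js_string(s: str) -> str:
    """Variants [8]/[9]: inside a quoted JavaScript literal. json.dumps escapes backslash, '"'
    and control characters (the NUL byte included); the remaining metacharacters become \\uXXXX."""
    body = json.dumps(s, ensure_ascii=True)[1:-1]
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("/", "\\/")):
        body = body.replace(ch, esc)
    return body


def render_scenario_a(name: str) -> str:
    return f"<HTML>\nHello {encode_html_text(name)}\n</HTML>"


def render_scenario_b(name: str) -> str:
    # The attribute is always double-quoted, so an encoded value can neither close it nor add one.
    return f'<INPUT TYPE=text NAME="name" value="{encode_html_text(name)}">'


def render_js_literal(name: str) -> str:
    return f"<SCRIPT>\nvar str = 'Hello {encode_js_string(name)}';\n</SCRIPT>"


def render_unsafe_scenario_a(name: str) -> str:
    """The page's vulnerable script: the raw parameter is echoed into the HTML body."""
    return f"<HTML>\nHello {name}\n</HTML>"


LEGACY_BLOCKLIST = re.compile(r"<[A-Za-z0-9!]")  # the ASP.NET 1.1 rule as the page describes it


def legacy_request_validation_blocks(received: str) -> bool:
    return LEGACY_BLOCKLIST.search(received) is not None


class _Structure(HTMLParser):
    """Records tag names, attribute names and comments; ignores text and attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, tuple(sorted(name for name, _ in attrs))))

    def handle_endtag(self, tag):
        self.events.append(("end", tag))

    def handle_comment(self, data):
        self.events.append(("comment",))


def structure(rendered: str):
    parser = _Structure()
    parser.feed(rendered)
    parser.close()
    return parser.events


def payload_is_inert(render, payload: str) -> bool:
    """True when the response built from the payload has the same markup skeleton as one built
    from the harmless control name 'JSmith': no new tags, attributes or comments appeared."""
    return structure(render(decode_query_param(payload))) == structure(render("JSmith"))


def js_literal_intact(rendered: str) -> bool:
    """True when the payload stayed inside the single-quoted literal: no raw quote and no '<'
    (which could start </script>) between the opening quote and the closing ';."""
    _, _, rest = rendered.partition("var str = 'Hello ")
    body, sep, _ = rest.rpartition("';")
    return sep == "';" and "'" not in body and "<" not in body


def audit_all_variants() -> dict:
    """Summarise which defence holds against every variant on the page."""
    return {
        "body_encoding_holds": all(payload_is_inert(render_scenario_a, v) for v in PAGE_VARIANTS),
        "attribute_encoding_holds": all(payload_is_inert(render_scenario_b, v) for v in PAGE_VARIANTS),
        "js_literal_encoding_holds": all(
            js_literal_intact(render_js_literal(decode_query_param(v))) for v in PAGE_VARIANTS),
        "legacy_blocklist_holds": all(
            legacy_request_validation_blocks(decode_query_param(v)) for v in PAGE_VARIANTS),
    }


if __name__ == "__main__":
    for key, value in audit_all_variants().items():
        print(f"{key}: {value}")
```

payload_is_inert compares the tag and attribute skeleton of a response built from a payload with one built from a harmless name, which is a cheap regression check to keep beside any template that echoes a parameter. legacy_blocklist_holds comes out False because variants [6], [8], [9], [12] and [13] contain no '<' at all and the NUL byte of [10] and [11] breaks the pattern, which is the page's own argument against relying on a blocklist alone.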
" Application Related Security Vulnerabilities in a Web Application "/L %n0ection Security Ris*s It is possible to &ie(1 %odi-y or delete database entries and tables) Possible Causes Sanitation o- $a9ardous c$aracters (as not per-or%ed correctly on user input) Tec$nical Description Web applications o-ten use databases at t$e bac*end to interact (it$ t$e enterprise data (are$ouse) T$e de"-acto standard lan'ua'e -or Bueryin' databases is SAL +eac$ %aCor database &endor $as its o(n dialect,) Web applications o-ten ta*e user input +ta*en out o- t$e DTTP reBuest, and incorporate it in an SAL Buery1 ($ic$ is t$en sent to t$e bac*end database) T$e Buery results are t$en processed by t$e application and so%eti%es displayed to t$e user) T$is %ode o- operation can be e2ploited by an attac*er i- t$e application is not care-ul enou'$ (it$ its treat%ent o- user +attac*er, input) I- t$is is t$e case1 an attac*er can inCect %alicious data1 ($ic$ ($en incorporated into an SAL Buery1 c$an'es t$e ori'inal synta2 o- t$e Buery into so%et$in' co%pletely diRerent) 8or e2a%ple1 i- an application uses userFs input +suc$ as userna%e and pass(ord, to Buery a database table o- usersF accounts in order to aut$enticate t$e user1 and t$e attac*er $as t$e ability to inCect %alicious data into t$e userna%e part o- t$e Buery +or t$e pass(ord part1 or bot$,1 t$e Buery can be c$an'ed into a diRerent data yan*in' Buery1 a Buery t$at %odi.es t$e database1 or a Buery t$at runs s$ell co%%ands on t$e database ser&er) Typically1 t$e attac*er ac$ie&es t$is 'oal in steps) De/s$e (ill .rst learn t$e structure o- t$e SAL Buery1 and t$en use t$is *no(led'e to t$(art t$e Buery +by inCectin' data t$at c$an'es t$e Buery synta2, into per-or%in' diRerently t$an intended) Suppose t$e Buery in Buestion isG SELECT COUNT+Y, 8ROE accounts WDERE userna%eMFWuserF AND pass(ordMFWpassF W$ere Wuser and Wpass are user input +collected -ro% t$e DTTP reBuest ($ic$ in&o*ed t$e script t$at constructs t$e Buery " eit$er -ro% a =ET 
reBuest Buery para%eters1 or -ro% a POST reBuest body para%eters,) A re'ular usa'e o- t$is Buery (ould be (it$ &alues WuserMCo$n1 Wpass(ordMsecret#5;) T$e Buery -or%ed (ould beG SELECT COUNT+Y, 8ROE accounts WDERE userna%eMFCo$nF AND pass(ordMFsecret#5;F T$e e2pected Buery result is 6 i- no suc$ userVpass(ord pair e2ists in t$e database1 and O6 i- suc$ pair e2ists +i)e) t$ere is a user na%ed FCo$nF in t$e database1 ($ose pass(ord is Fsecret#5;F,) T$is (ould ser&e as a basic aut$entication %ec$anis% -or t$e application) !ut an attac*er can alter t$is Buery in t$e -ollo(in' (aysG #) !y pro&idin' an input consistin' o- a sin'le apostrop$e c$aracter +F,1 t$e attac*er can cause t$e database to e%it an error %essa'e1 ($ic$ usually contains &aluable in-or%ation re'ardin' t$e SAL Buery) T$e attac* (ould si%ply in&ol&e sendin' a reBuest (it$ t$e user &alue F and a pass(ord (it$ any &alue +e)') -oobar,) T$e result (ould be t$e -ollo(in' +%al-or%ed, SAL BueryG SELECT COUNT+Y, 8ROE accounts WDERE userna%eMFFF AND pass(ordMF-oobarF T$is %ay yield t$e -ollo(in' error %essa'e +dependin' on t$e speci.c database in use at t$e bac*end,G Synta2 error +%issin' operator, in Buery e2pression Fuserna%e M FFF AND pass(ord M F-oobarFF) T$e attac*er is in-or%ed t$at t$e Buery is built around t$e e2pression userna%eMFWuserF AND pass(ordMFWpassF) T$is crucial in-or%ation is needed to e2ploit t$e SAL Buery at $and) W$en t$e attac*er understands t$e -or%at o- t$e Buery1 $is ne2t step (ould si%ply be to useG user M F or #M# or FFMF pass(ord M -oobar T$e resultin' Buery isG SELECT COUNT+Y, 8ROE accounts WDERE userna%eMFF or #M# or FFMFF AND pass(ordMF-oobarF T$is %eans t$at t$e Buery +in t$e SAL database, (ill return TRUE -or e&ery record o- t$e table KaccountsK1 since t$e e2pression #M# is al(ays true) T$ere-ore1 t$e Buery (ill return t$e nu%ber o- records in KaccountsK1 and t$us t$e user +attac*er, (ill be considered &alid) T$ere are se&eral &ariants o- t$is probin' %et$od1 suc$ as sendin' FU 
or ]F +it s$ould be re%e%bered t$at al%ost all &endors $a&e t$eir " #: " Application Related Security Vulnerabilities in a Web Application o(n uniBue SAL FdialectF,) Speci.cally sendin' F $a&in' #M# is also *no(n to produce error %essa'es t$at re&eal in-or%ation about colu%n na%es) In so%e cases1 t$e user input is not incorporated in a strin' conte2t +enco%passed in apostrop$es,1 but rat$er in nu%eric conte2t1 t$at is1 e%bedded as"is) T$us t$e input strin' # $a&in' #M# can be used in suc$ cases) 5) In so%e cases1 it is possible to replace t$e ori'inal Buery (it$ any ot$er Buery) T$e (ay to do it is to pre%aturely ter%inate t$e ori'inal Buery +e)') by closin' t$e strin' conte2t usin' apostrop$e1 -orce ter%ination by a Buery separator c$aracter suc$ as se%icolon and t$en (rite a ne( Buery,) I- t$e application is Je2ible enou'$ to recei&e +and display, data -ro% t$e %odi.ed Buery +alt$ou'$ it is not e2actly t$e e2pected data,1 t$en t$is tec$niBue %ay be used to do(nload &arious database tables and records) E&en i- t$e application does not process t$e une2pected data returned -ro% t$e database in suc$ (ay t$at t$is data is displayed1 it %ay still be possible to run %alicious Bueries on t$e database +e)') to c$an'e tables1 delete tables1 and run s$ell co%%ands,) 8inally1 in so%e cases t$e desired data can be acBuired by cra-tin' t$e %alicious Bueries in suc$ (ay t$at t$e desired data is returned in t$e -or%at e2pected by t$e application) T$e -ollo(in' input strin's can be used to yield sensiti&e in-or%ation -ro% syste% tables in t$e database +dependin' on t$e (ay t$e application $andles returned Buery results1 o- course,G FU select \\&ersion1#1#1#"" +ES"SAL database " returns t$e database &ersion, FU select Y -ro% %aster))sys%essa'es +ES"SAL database " returns syste% in-or%ation, FU select Y -ro% dbo)sysdatabases +ES"SAL database " returns database na%es %ana'ed by t$e database ser&er, FU select Y -ro% sys)dbaXusers +Oracle database " returns database userna%es, We see 
t$ere-ore t$at i- user input is not santi9ed +t$at is1 strin' data is ensured not to $a&e F or K " t$ese c$aracters %ust be encoded/escaped1 and nu%eric/boolean or ot$er typed data is ensured to be o- proper -or%at,1 an attac*er can %a*e use o- t$is -act and %anipulate t$e database) In t$e Oracle test &ariant1 t$e SAL inCection is &alidated by -orcin' t$e Oracle database to establis$ an DTTP connection bac* -ro% t$e Oracle ser&er1 to t$e testin' %ac$ine1 usin' t$e UTLXDTTP pac*a'e) T$e inCection payload sentG F [[ UTLXDTTP)REAUEST+F$ttpG//IPXAddressG@6/SALXInCectionXValidationF, [[ F Assu%in' t$at t$e ori'inal SAL Buery (asG SELECT COUNT+Y, 8ROE accounts WDERE userna%eMFWuserF AND pass(ordMFWpassF1 t$e actual SAL Buery durin' t$e SAL inCection test (ill beG SELECT COUNT+Y, 8ROE accounts WDERE userna%eMFF [[ UTLXDTTP)REAUEST +F$ttpG//IPXAddressG@6/SALXInCectionXValidationF, [[ FF AND pass(ordMFWpassF W$en runnin' t$is SAL Buery1 t$e Oracle ser&er (ill e2ecute t$e UTLXDTTP)REAUEST entry point1 ($ic$ (ill contact t$e testin' %ac$ine and reBuest t$e .le F/SALXInCectionXValidationF o&er DTTP) NoteG 8or t$is test to be &alidated properly1 a direct TCP connection %ust be possible bet(een t$e Oracle ser&er and t$e testin' %ac$ine) A si%ilar approac$ is used in an ES SAL port listener test &ariant) T$e inCection payload sentG FU select Y -ro% openro(set +FsBloledbF1FNet(or*MD!ESSOCNUAddressMIPXAddress13333UuidM%yUsrUp(dM%yPassF1Fselect -oo -ro% barF,"" Assu%in' t$at t$e ori'inal SAL Buery (asG SELECT COUNT+Y, 8ROE accounts WDERE userna%eMFWuserF AND pass(ordMFWpassF1 t$e actual SAL Buery durin' t$e SAL inCection test (ill beG SELECT COUNT+Y, 8ROE accounts WDERE userna%eMFFU select Y -ro% openro(set +FsBloledbF1FNet(or*MD!ESSOCNUAddressMHIPXAddressI13333UuidM%yUsrUp(dM%yPassF1Fselect -oo -ro% barF,""F AND pass(ordMFWpassF W$en runnin' t$is SAL Buery1 ES SAL ser&er (ill establis$ a connection to HIPXAddressI on port 33331 as a result o- t$e openro(set+, e2ecution) NoteG 8or 
t$is test to be &alidated properly1 a direct TCP connection %ust be possible bet(een t$e ES SAL ser&er and t$e testin' %ac$ine) =eneral 8i2 Reco%%endations T$ere are se&eral issues ($ose re%ediation lies in saniti9in' user input) !y &eri-yin' t$at user input does not contain $a9ardous c$aracters1 it is possible to pre&ent %alicious users -ro% causin' your application to e2ecute unintended operations1 suc$ as launc$ arbitrary SAL Bueries1 e%bed 4a&ascript code to be e2ecuted on t$e client side1 run &arious operatin' syste% co%%ands etc) " #@ " Application Related Security Vulnerabilities in a Web Application It is ad&ised to .lter out all t$e -ollo(in' c$aractersG H#I [ +pipe si'n, H5I S +a%persand si'n, H;I U +se%icolon si'n, H<I W +dollar si'n, H>I P +percent si'n, H?I \ +at si'n, H:I F +sin'le apostrop$e, H@I K +Buotation %ar*, H3I ]F +bac*slas$"escaped apostrop$e, H#6I ]K +bac*slas$"escaped Buotation %ar*, H##I NO +trian'ular parent$esis, H#5I +, +parent$esis, H#;I V +plus si'n, H#<I CR +Carria'e return1 ASCII 626d, H#>I L8 +Line -eed1 ASCII 626a, H#?I 1 +co%%a si'n, H#:I ] +bac*slas$, Re-erences and Rele&ant Lin*s KWeb Application Disasse%bly (it$ OD!C Error Eessa'esK +!y Da&id Litc$.eld, SAL InCection Trainin' Eodule " #3 " Application Related Security Vulnerabilities in a Web Application Data2ase Error $attern Found Security Ris*s It is possible to &ie(1 %odi-y or delete database entries and tables) Possible Causes Sanitation o- $a9ardous c$aracters (as not per-or%ed correctly on user input) Tec$nical Description AppScan disco&ered Database Errors in t$e test response1 ($ic$ %ay $a&e been tri''ered by an attac* ot$er t$an SAL InCection) It is possible1 t$ou'$ not certain1 t$at t$is error indicates a possible SAL InCection &ulnerability in t$e application) I- it does1 please read t$e -ollo(in' SAL InCection ad&isory care-ullyG Web applications o-ten use databases at t$e bac*end to interact (it$ t$e enterprise data (are$ouse) T$e de"-acto standard lan'ua'e -or 
querying databases is SQL (each major database vendor has its own dialect). Web applications often take user input (taken out of the HTTP request) and incorporate it in an SQL query, which is then sent to the backend database. The query results are then processed by the application and sometimes displayed to the user.

This mode of operation can be exploited by an attacker if the application is not careful enough with its treatment of user (attacker) input. If this is the case, an attacker can inject malicious data which, when incorporated into an SQL query, changes the original syntax of the query into something completely different. For example, if an application uses the user's input (such as username and password) to query a database table of users' accounts in order to authenticate the user, and the attacker has the ability to inject malicious data into the username part of the query (or the password part, or both), the query can be changed into a different data-yanking query, a query that modifies the database, or a query that runs shell commands on the database server.

Typically, the attacker achieves this goal in steps. He/she will first learn the structure of the SQL query, and then use this knowledge to subvert the query (by injecting data that changes the query syntax) into performing differently than intended. Suppose the query in question is:

SELECT COUNT(*) FROM accounts WHERE username='$user' AND password='$pass'

where $user and $pass are user input (collected from the HTTP request which invoked the script that constructs the query - either from a GET request's query parameters, or from a POST request's body parameters). A regular usage of this query would be with the values $user=john, $password=secret123. The query formed would be:

SELECT COUNT(*) FROM accounts WHERE username='john' AND password='secret123'

The expected query result is 0 if no such user+password pair exists in the database, and >0 if such a pair exists (i.e. there is a user named 'john' in the database, whose password is 'secret123'). This would serve as a basic authentication mechanism for the application. But an attacker can alter this query in the following ways:

1. By providing an input consisting of a single apostrophe character ('), the attacker can cause the database to emit an error message, which usually contains valuable information regarding the SQL query. The attack would simply involve sending a request with the user value ' and a password with any value (e.g. foobar). The result would be the following (malformed) SQL query:

SELECT COUNT(*) FROM accounts WHERE username=''' AND password='foobar'

This may yield the following error message (depending on the specific database in use at the backend):

Syntax error (missing operator) in query expression 'username = ''' AND password = 'foobar''.

The attacker is informed that the query is built around the expression username='$user' AND password='$pass'. This crucial information is needed to exploit the SQL query at hand. When the attacker understands the format of the query, his next step would simply be to use:

user = ' or 1=1 or ''='
password = foobar

The resulting query is:

SELECT COUNT(*) FROM accounts WHERE username='' or 1=1 or ''='' AND password='foobar'

This means that the query (in the SQL database) will return TRUE for every record of the table "accounts", since the expression 1=1 is always true. Therefore, the query will return the number of records in "accounts", and thus the user (attacker) will be considered valid. There are several variants of this probing method, such as sending '; or \' (it should be remembered that almost all vendors have their own unique SQL 'dialect'). Specifically, sending ' having 1=1 is also known to produce error messages that reveal information about column names. In some cases, the user input is not incorporated in a string context (encompassed in apostrophes), but rather in a numeric context, that is, embedded as-is. Thus the input string 1 having 1=1 can be used in such cases.

2. In some cases, it is possible to replace the original query with any other query. The way to do it is to prematurely terminate the original query (e.g. by closing the string context using an apostrophe, forcing termination by a query separator character such as a semicolon, and then writing a new query). If the application is flexible enough to receive (and display) data from the modified query (although it is not exactly the expected data), then this technique may be used to download various database tables and records. Even if the application does not process the unexpected data returned from the database in such a way that this data is displayed, it may still be possible to run malicious queries on the database (e.g. to change tables, delete tables, and run shell commands). Finally, in some cases the desired data can be acquired by crafting the malicious queries in such a way that the desired data is returned in the format expected by the application. The following input strings can be used to yield sensitive information from system tables in the database (depending on the way the application handles returned query results, of course):

'; select @@version,1,1,1--  (MS-SQL database - returns the database version)
'; select * from master..sysmessages  (MS-SQL database - returns system information)
'; select * from dbo.sysdatabases  (MS-SQL database - returns the database names managed by the database server)
'; select * from sys.dba_users  (Oracle database - returns database usernames)

We see therefore that if user input is not sanitized (that is, string data is ensured not to have ' or " - these characters must be encoded/escaped, and numeric/boolean or other typed data is ensured to be of proper format), an attacker can make use of this fact and manipulate the database.

In the Oracle test variant, the SQL injection is validated by forcing the Oracle database to establish an HTTP connection back from the Oracle server to the testing machine, using the UTL_HTTP package. The injection payload sent:

' || UTL_HTTP.REQUEST('http://IP_Address:80/SQL_Injection_Validation') || '

Assuming that the original SQL query was:

SELECT COUNT(*) FROM accounts WHERE username='$user' AND password='$pass'

the actual SQL query during the SQL injection test will be:

SELECT COUNT(*) FROM accounts WHERE username='' || UTL_HTTP.REQUEST('http://IP_Address:80/SQL_Injection_Validation') || '' AND password='$pass'

When running this SQL query, the Oracle server will execute the UTL_HTTP.REQUEST entry point, which will contact the testing machine and request the file '/SQL_Injection_Validation' over HTTP. Note: For this test to be validated properly, a direct TCP connection must be possible between the Oracle server and the testing machine.

A similar approach is used in an MS SQL port listener test variant. The injection payload sent:

'; select * from openrowset('sqloledb','Network=DBMSSOCN;Address=IP_Address,9999;uid=myUsr;pwd=myPass','select foo from bar')--

Assuming that the original SQL query was:

SELECT COUNT(*) FROM accounts WHERE username='$user' AND password='$pass'

the actual SQL query during the SQL injection test will be:

SELECT COUNT(*) FROM accounts WHERE username=''; select * from openrowset('sqloledb','Network=DBMSSOCN;Address=[IP_Address],9999;uid=myUsr;pwd=myPass','select foo from bar')--' AND password='$pass'

When running this SQL query, the MS SQL server will establish a connection to [IP_Address] on port 9999, as a result of the openrowset() execution. Note: For this test to be validated properly, a direct TCP connection must be possible between the MS SQL server and the testing machine.

General Fix Recommendations

If the error indicates a SQL Injection vulnerability, please follow the following guidelines:

There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands, etc. It is advised to filter out all the following characters:

[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

References and Relevant Links

"Web Application Disassembly with ODBC Error Messages" (By David Litchfield)
SQL Injection Training Module

SQL Query in Parameter Value

Security Risks

It is possible to view, modify or delete database entries and tables.

Possible Causes

Parameter values were 'hardcoded' in the HTML as a parameter of type 'hidden'.

Technical Description

Web applications often use databases at the backend to interact with the enterprise data warehouse. The de-facto standard language for querying databases is SQL (each major database vendor has its own 'dialect'). In order to provide database functionality to the client, HTML pages often contain complete SQL queries in form fields. For example, consider the following HTML source snippet:

<FORM...>
...
<INPUT TYPE=HIDDEN NAME=SQL_QUERY VALUE="Select * from table1 where table1.id=1234">
...
</FORM>

This practice can lead to issues in the web application, since it is unlikely that the application validates that the query is legitimate/unchanged. As a result, an attacker can modify the query and manipulate the database.

Sample Exploit: Consider the above HTML form example. It is possible to manually change the parameter value in order to delete the table "table1", as follows (by submitting the following form):

<FORM...>
...
<INPUT TYPE=HIDDEN NAME=SQL_QUERY VALUE="Drop table1">
...
</FORM>

General Fix Recommendations

[1] Do not expose SQL query logic to the client.
[2] Do not construct SQL queries on the client side (for example, using JavaScript).
[3] Always verify user input; make sure that it is of the expected format and expected content.

References and Relevant Links

WASC Threat Classification: SQL Injection
SQL Injection Training Module
CWE-89: Failure to Preserve SQL Query Structure ('SQL Injection')

Cross-Site Request Forgery

Security Risks

It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

Possible Causes

An insufficient authentication method was used by the application.

Technical Description

Cross-Site Request Forgery (CSRF) is an attack that allows a hacker to perform an action on the vulnerable site on behalf of the victim. The attack is possible when the vulnerable site does not properly validate the origin of the request. The severity of this vulnerability depends on the functionality of the affected application; for example, a CSRF attack on a search page is less severe than a CSRF attack on a money-transfer or profile update page.

The attack is performed by forcing the victim's browser to issue an HTTP request to the vulnerable site. If the user is currently logged in to the victim site, the request will automatically use the user's credentials (like session cookies, the user's IP address, and other browser authentication methods). Using this method, the attacker forges the victim's identity and submits actions on his or her behalf. In other words, the vulnerable site does not take the
proper %easures to &alidate t$at t$e user indeed (anted to per-or% t$e speci.c action) 8orcin' t$e &icti% to send t$e unintended reBuest can be done in nu%erous (aysG " Sendin' t$e &icti% a %alicious lin* to t$e &ulnerable application &ia e%ail) " Puttin' a $ot"lin* +li*e an i%a'e or -ra%e, to t$e &ulnerable site on t$e $ac*erFs (eb pa'e) " Postin' a lin* to t$e &ulnerable site in a public -oru%) " Usin' Cross"Site Scriptin' or Lin* InCection &ulnerabilities in t$e site +or anot$er site, and auto%atically redirectin' t$e bro(ser to t$e &ulnerable site) I- t$e attac*er uses a Lin* InCection &ulnerability on t$e &ulnerable site itsel- $e or s$e increases t$e li*eli$ood o- t$e user bein' aut$enticated to t$e site1 and by t$at increases t$e li*eli$ood o- t$e attac* to succeed) 8or e2a%ple1 usin' any o- t$e abo&e described options1 an attac*er can lure t$e &icti% to &ie( a pa'e containin'G Ni%' srcMK$ttpG//ban*/trans-erLdestinationM4o$nS%oneyM#666K styleMF&isibilityG$iddenFO T$is (ill cause t$e &icti%Fs bro(ser to auto%atically reBuest t$e URL to'et$er (it$ t$e current credentials o- t$e bro(ser) I- t$is ban*in' site is &ulnerable to CSR81 it (ill trans-er #666 dollars -ro% t$e &icti%Fs account to 4o$nFs ban* account accordin' to t$e application lo'ic) T$e Cross"Site ReBuest 8or'ery attac* is also *no(n as CSR8 +pronounced C"Ser-,1 QSR81 Cross" Site Re-erence 8or'ery1 One"Clic* Attac* and Session Ridin') ou can &eri-y t$at your application is &ulnerable to CSR8 byG H#I C$ec*in' t$at t$e &ulnerable lin*/reBuest does not include a para%eter t$at is $ard -or an attac*er to 'uess H5I C$ec*in' t$at t$e &ulnerable lin*/reBuest per-or%s an operation t$at s$ould only be per-or%ed (illin'ly " 5< " Application Related Security Vulnerabilities in a Web Application An application t$at contains a sensiti&e action1 ($ic$ can be accessed directly by a reBuest t$at t$e user sub%itted un*no(in'ly1 is considered &ulnerable to CSR8) CSR8 is also possible on lo'in and lo'out pa'es) On 
lo'out pa'es CSR8 can cause denial o- ser&ice1 since an attac*er can -or'e consecuti&e lo'out reBuests -ro% t$e &icti%) On lo'in pa'es CSR8 can allo( an attac*er to lo' t$e client into t$e attac*erFs account usin' a -or'ed reBuest containin' t$e attac*erFs userna%e and pass(ord) Lo'in CSR8 attac*s can $a&e serious conseBuences1 dependin' on ot$er site be$a&ior) 8or e2a%ple1 i- a site *eeps a $istory o- user actions +searc$ $istory1 -or e2a%ple, t$e attac*er (ill be able to see t$e actions pre&iously per-or%ed by t$e &icti% on t$e &ulnerable site) =eneral 8i2 Reco%%endations In order to a&oid CSR8 attac*s1 e&ery reBuest s$ould contain a uniBue identi.er1 ($ic$ is a para%eter t$at an attac*er cannot 'uess) One su''ested option is to add t$e session id ta*en -ro% t$e session coo*ie and addin' it as a para%eter) T$e ser&er %ust c$ec* t$at t$is para%eter %atc$es t$e session coo*ie1 and i- not discard t$e reBuest) T$e reason an attac*er cannot 'uess t$is para%eter is t$e Ksa%e ori'in policyK t$at applies to coo*ies1 so t$e attac*er cannot -or'e a -a*e reBuest t$at (ill see% real to t$e ser&er) Any secret t$at is $ard to 'uess and is not accessible to an attac*er +i)e) not accessible -ro% a diRerent do%ain, can be used instead o- t$e session id) T$is (ill pre&ent an attac*er -ro% cra-tin' a see%in'ly &alid reBuest) Re-erences and Rele&ant Lin*s Cross"site reBuest -or'ery (i*i pa'e K4a&aScript DiCac*in'K by 8orti-y Cross"Site ReBuest 8or'ery Trainin' Eodule " 5> " Application Related Security Vulnerabilities in a Web Application Link %n0ection 67acilitates ross)"ite Re5uest For+ery8 Security Ris*s It is possible to persuade a nai&e user to supply sensiti&e in-or%ation suc$ as userna%e1 pass(ord1 credit card nu%ber1 social security nu%ber etc) It is possible to steal or %anipulate custo%er session and coo*ies1 ($ic$ %i'$t be used to i%personate a le'iti%ate user1 allo(in' t$e $ac*er to &ie( or alter user records1 and to per-or% transactions as t$at user) It is possible to 
upload, modify or delete web pages, scripts and files on the web server.

Possible Causes
Sanitization of hazardous characters was not performed correctly on user input.

Technical Description
Link Injection is the act of modifying the content of a site by embedding in it a URL to an external site, or to a script in the vulnerable site. By embedding a URL in the vulnerable site, an attacker is then able to use it as a platform to launch attacks against other sites, as well as against the vulnerable site itself. Some of these possible attacks require the user to be logged in to the site during the attack. By launching these attacks from the vulnerable site itself, the attacker increases the chances of success, because the user is more likely to be logged in.

The Link Injection vulnerability is a result of insufficient sanitization of user input, which is later returned to the user in the site response. The ability to inject hazardous characters into the response makes it possible for attackers to embed URLs, among other possible content modifications.

Below is an example of a Link Injection (we will assume that the site "www.vulnerable.com" has a parameter called "name", which is used to greet users). The following request:
HTTP://www.vulnerable.com/greet.asp?name=John Smith
will yield the following response:
<HTML>
<BODY>
Hello, John Smith.
</BODY>
</HTML>
However, a malicious user may send the following request:
HTTP://www.vulnerable.com/greet.asp?name=<IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp">
This will return the following response:
<HTML>
<BODY>
Hello, <IMG SRC="http://www.ANY-SITE.com/ANY-SCRIPT.asp">.
</BODY>
</HTML>
As this example shows, it is possible to cause a user's browser to issue automatic requests to virtually any site the attacker desires. As a result, he may use this Link Injection vulnerability to launch several types of attacks:

Cross-Site Request Forgery: An attacker is able to cause the user's browser to send a request to a site where the user is currently logged in, and perform actions that the user did not intend to do. Such actions may include unregistering from the site, or modifying the user's profile, email address or even password, which could result in a complete account takeover.

Cross-Site Scripting: Any Cross-Site Scripting attack begins with the act of luring users into clicking a specially crafted URL that exploits a vulnerability in the victim site. This is usually done by sending emails that contain the malicious link, or by creating a web site that contains a link to the vulnerable site. With the Link Injection vulnerability, it is possible to embed a malicious URL in site A that, when clicked, will launch a Cross-Site Scripting attack against site B.

Phishing: It is possible for an attacker to inject a link to a malicious site that resembles the attacked site. An incautious user may click it and not realize that he is leaving the original site and surfing to a malicious site. The attacker may then lure the user to log in again, thus acquiring his login credentials.

General Fix Recommendations
There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands, etc. It is advised to filter out all of the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

References and Relevant Links
OWASP Article
The Cross-Site Request Forgery FAQ
Cross-Site Request Forgery Training Module
CWE-74: Failure to Sanitize Data into a Different Plane ('Injection')

Phishing through Frames

Security Risks
It is possible to persuade a naive user to supply sensitive information such as username, password, credit card number, social security number, etc.

Possible Causes
Sanitization of hazardous characters was not performed correctly on user input.

Technical Description
Phishing is a general term for attempts to scam users into surrendering private information that will be used for identity theft. It is possible for an attacker to inject a frame or an iframe tag with malicious content which resembles the attacked site. An incautious user may browse it and not realize that he is leaving the original site and surfing to a malicious site. The attacker may then lure the user to log in again, thus acquiring his login credentials. The fact that the fake site is embedded in the original site helps the attacker by giving his phishing attempts a more reliable appearance.

Sample Exploit: If the parameter value is reflected in the response without proper sanitization, the following request:
http://[SERVER]/script.aspx?parameter=<frame name="evil" src="www.evil.com">
will cause the response to contain a frame to the evil site.

General Fix Recommendations
There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands, etc. It is advised to filter out all of the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

References and Relevant Links
FTC Consumer Alert - "How Not to Get Hooked by a 'Phishing' Scam"
CWE-301: Reflection Attack in an Authentication Protocol

Permanent Cookie Contains Sensitive Session Information

Security Risks
It may be possible to steal session information (cookies) that was kept on disk as permanent cookies.

Possible Causes
The web application stores sensitive session information in a permanent cookie (on disk).

Technical Description
During the application test, it was detected that sensitive session information such as user credentials or session tokens was stored in a permanent cookie on the client's computer.
[1] Since other users may use the computer, this information may be compromised or used for identity theft or user impersonation.
[2] If the computer is compromised, the account information may be stolen and used later by a malicious user.
In addition, several privacy regulations require that users be identified uniquely before accessing sensitive information. Since a permanent cookie may allow other users to log on to the web application without authenticating, this may not comply with several privacy regulations.

General Fix Recommendations
Make sure that sensitive session information such as user credentials or session tokens is always stored in non-permanent cookies (RAM cookies) only. This is achieved by not setting the "Expires" field in the cookie.

References and Relevant Links
Financial Privacy: The Gramm-Leach Bliley Act
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act
California SB1386
HTTP State Management Mechanism (RFC 2109)
CWE-539: Information Leak Through Persistent Cookies

Session Not Invalidated After Logout

Security Risks
It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

Possible Causes
Insecure web application programming or configuration.

Technical Description
According to WASC: "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a web site's exposure to attacks that steal or impersonate other users."

After a user signs out of the application, the identifiers that were used during the session are supposed to be invalidated. If the server fails to invalidate the session identifiers, it is possible for other users to use those identifiers to impersonate that user and perform actions on his behalf.

Sample Exploit: This test logs out of the application, and then tries to access a protected resource using the session identifiers. If the resource is retrieved successfully, it means that the cookie was not expired by the server.

General Fix Recommendations
Invalidate session identifiers in the logout process: either modify the logout script to expire the valid session identifiers, or configure the web server to do so.

References and Relevant Links
WASC Threat Classification: Insufficient Session Expiration
"Dos and Don'ts of Client Authentication on the Web", Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster - MIT Laboratory for Computer Science
CWE-613: Insufficient Session Expiration

Cacheable SSL Page Found

Security Risks
It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.

Possible Causes
Sensitive information might have been cached by your browser.

Technical Description
Most web browsers are configured by default to cache the user's pages during use. This means that SSL pages are cached as well. It is not recommended to enable the web browser to save any SSL information, since this information might be compromised when a vulnerability exists.

General Fix Recommendations
Disable caching on all SSL pages or all pages that contain sensitive data. For example, you can add "Pragma: no-cache" to your login page headers.

References and Relevant Links
N/A

HTML Comments Sensitive Information Disclosure

Security Risks
It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.

Possible Causes
Debugging information was left by the programmer in web pages.

Technical Description
Many web application programmers use HTML comments to help debug the application when needed. While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.

General Fix Recommendations
[1] Do not leave any vital information such as filenames or file paths in HTML comments.
[2] Remove traces of previous (or future) site links in the production site comments.
[3] Avoid placing sensitive information in HTML comments.
[4] Make sure that HTML comments do not include source code fragments.
[5] Make sure that no vital information was left behind by programmers.

References and Relevant Links
WASC Threat Classification: Information Leakage

Missing Secure Attribute in Encrypted Session (SSL) Cookie

Security Risks
It may be possible to steal user and session information (cookies) that was sent during an encrypted session.

Possible Causes
The web application sends non-secure cookies over SSL.

Technical Description
During the application test, it was detected that the tested web application set a cookie without the "secure" attribute during an encrypted session. Since this cookie does not contain the "secure" attribute, it might also be sent to the site during an unencrypted session. Any information such as cookies, session tokens or user credentials that is sent to the server as clear text may be stolen and used later for identity theft or user impersonation. In addition, several privacy regulations state that sensitive information such as user credentials must always be sent encrypted to the web site.

General Fix Recommendations
Basically the only required attribute for the cookie is the "name" field. Common optional attributes are: "comment", "domain", "path", etc. The "secure" attribute must be set accordingly in order to prevent the cookie from being sent unencrypted. RFC 2965 states: "The Secure attribute (with no value) directs the user agent to use only (unspecified) secure means to contact the origin server whenever it sends back this cookie, to protect the confidentially and authenticity of the information in the cookie." For further reference please see the HTTP State Management Mechanism RFC 2965 at: http://www.ietf.org/rfc/rfc2965.txt And for "Best current practice" for use of HTTP State Management please see: http://tools.ietf.org/html/rfc2964

References and Relevant Links
Financial Privacy: The Gramm-Leach Bliley Act
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act
California SB1386

Query Parameter in SSL Request

Security Risks
It may be possible to steal sensitive data such as credit card numbers, social security numbers, etc. that are sent unencrypted.

Possible Causes
Query parameters were passed over SSL, and may contain sensitive information.

Technical Description
During the application test, it was detected that a request, which was sent over SSL, contained parameters that were transmitted in the query part of an HTTP GET request. When sending GET requests, the browser's history can be used to reveal the URLs, which contain the query parameter names and values. Due to the sensitivity of encrypted requests, it is suggested to use HTTP POST when possible, in order to avoid the disclosure of URLs and parameter values to others.

General Fix Recommendations
Make sure that sensitive information such as:
- Username
- Password
- Social Security number
- Credit Card number
- Driver's License number
- Email address
- Phone number
- Zip code
is always sent in the body part of an HTTP POST request.

References and Relevant Links
Financial Privacy: The Gramm-Leach Bliley Act
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act
California SB1386
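The four findings above that concern a single HTTPS exchange (a session cookie written to disk, a cookie set over SSL without the Secure attribute, a sensitive page served without anti-caching headers, and sensitive fields carried in a GET query string) can all be checked from the request line and the raw response headers. The following Python script is an added example; it is not code from this document or from Rational AppScan. It reproduces those checks in miniature. The session cookie names, the sensitive path prefixes, the normalized field-name list and the sample exchange are constructed assumptions, not values taken from the tested application.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Field names the document says must travel in a POST body, normalized to
# lower case with separators removed. Extend for the application's own
# field names (assumption: the real form field names are not known here).
SENSITIVE_PARAMS = {
    "username", "password", "ssn", "socialsecuritynumber",
    "creditcardnumber", "cardnumber", "driverslicensenumber",
    "email", "emailaddress", "phone", "phonenumber", "zip", "zipcode",
}
# Cookie names that carry the session on common platforms (assumption).
SESSION_COOKIE_NAMES = {"ASP.NET_SessionId", "PHPSESSID", "JSESSIONID"}
# Paths whose responses must not be cached (assumption).
SENSITIVE_PATH_PREFIXES = ("/login", "/account")


def _normalize(name):
    """Map 'Credit-Card_Number' and 'creditcardnumber' to the same key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _parse_set_cookie(value):
    """Return (cookie name, {attribute: value}) with lower-cased attribute keys."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_exchange(method, target, response_headers, over_ssl=True):
    """Return a sorted list of findings for one request/response pair.

    method and target come from the request line; response_headers is the
    list of (name, value) tuples exactly as the server sent them.
    """
    findings = []
    url = urlsplit(target)

    # Query Parameter in SSL Request: a GET query string is recorded in
    # browser history and server logs even when the transport is encrypted.
    if method == "GET":
        for param in parse_qs(url.query, keep_blank_values=True):
            if _normalize(param) in SENSITIVE_PARAMS:
                findings.append(f"sensitive parameter in GET query: {param}")

    lowered = [(n.lower(), v) for n, v in response_headers]
    for name, value in lowered:
        if name != "set-cookie":
            continue
        cookie, attrs = _parse_set_cookie(value)
        # Permanent Cookie Contains Sensitive Session Information:
        # Expires or Max-Age turns a memory-only cookie into one written to disk.
        if cookie in SESSION_COOKIE_NAMES and ("expires" in attrs or "max-age" in attrs):
            findings.append(f"persistent session cookie: {cookie}")
        # Missing Secure Attribute: without it the browser will also send the
        # cookie over plain HTTP.
        if over_ssl and "secure" not in attrs:
            findings.append(f"cookie without Secure attribute: {cookie}")

    # Cacheable SSL Page Found: the document's fix is "Pragma: no-cache";
    # "Cache-Control: no-store" is the HTTP/1.1 equivalent.
    if url.path.lower().startswith(SENSITIVE_PATH_PREFIXES):
        cache_control = " ".join(v.lower() for n, v in lowered if n == "cache-control")
        pragma = " ".join(v.lower() for n, v in lowered if n == "pragma")
        if "no-store" not in cache_control and "no-cache" not in pragma:
            findings.append(f"cacheable sensitive page: {url.path}")
    return sorted(findings)


# Constructed sample exchange: placeholder paths, names and values, not
# captured from any real application.
WEAK_REQUEST = ("GET", "/login.aspx?username=alice&password=s3cret")
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; "
                   "expires=Fri, 31 Dec 2010 23:59:59 GMT"),
]
HARDENED_REQUEST = ("POST", "/login.aspx")   # credentials move to the body
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "no-store, no-cache"),
    ("Pragma", "no-cache"),
    # No Expires/Max-Age, so the cookie stays in browser memory; Secure, so
    # it is only sent over SSL.
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; Secure"),
]

if __name__ == "__main__":
    for label, (method, target), headers in (
            ("weak", WEAK_REQUEST, WEAK_HEADERS),
            ("hardened", HARDENED_REQUEST, HARDENED_HEADERS)):
        print(label, audit_exchange(method, target, headers) or ["no findings"])
```

The weak exchange produces all four findings; the hardened one produces none. Moving credentials from the query string to a POST body removes them from browser history and from the request line in server logs, but it is not a substitute for the SSL transport the document assumes, and request bodies must still be kept out of any server-side logging.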
" ;< " Application Related Security Vulnerabilities in a Web Application achea2le Lo+in $a+e Found Security Ris*s It is possible to steal or %anipulate custo%er session and coo*ies1 ($ic$ %i'$t be used to i%personate a le'iti%ate user1 allo(in' t$e $ac*er to &ie( or alter user records1 and to per-or% transactions as t$at user) Possible Causes Sensiti&e in-or%ation %i'$t $a&e been cac$ed by your bro(ser) Tec$nical Description Eost (eb bro(sers are con.'ured by de-ault to cac$e t$e userFs pa'es durin' use) T$is %eans t$at lo'in pa'es are cac$ed as (ell) It is not reco%%ended to enable t$e (eb bro(ser to sa&e any lo'in in-or%ation1 since t$is in-or%ation %i'$t be co%pro%ised ($en a &ulnerability e2ists) =eneral 8i2 Reco%%endations Disable cac$in' on all lo'in pa'es or all pa'es t$at contain sensiti&e data) 8or e2a%ple1 you can add KPra'%aG no"cac$eK to your lo'in pa'e $eaders) Re-erences and Rele&ant Lin*s N/A " ;> " Application Related Security Vulnerabilities in a Web Application "ession %denti<er !ot &*dated Security Ris*s It is possible to steal or %anipulate custo%er session and coo*ies1 ($ic$ %i'$t be used to i%personate a le'iti%ate user1 allo(in' t$e $ac*er to &ie( or alter user records1 and to per-or% transactions as t$at user) Possible Causes Insecure (eb application pro'ra%%in' or con.'uration) Tec$nical Description Accordin' to WASCG KSession 8i2ation is an attac* tec$niBue t$at -orces a userFs session ID to an e2plicit &alue) Dependin' on t$e -unctionality o- t$e tar'et (eb site1 a nu%ber o- tec$niBues can be utili9ed to K.2K t$e session ID &alue) T$ese tec$niBues ran'e -ro% Cross"site Scriptin' e2ploits to pepperin' t$e (eb site (it$ pre&iously %ade DTTP reBuests) A-ter a userFs session ID $as been .2ed1 t$e attac*er (aits -or t$e user to lo'in1 and t$en uses t$e prede.ned session ID &alue to assu%e t$e userFs online identity) In 'eneral1 t$ere are t(o types o- session %ana'e%ent syste%s -or ID &alues) T$e .rst type is Kper%issi&eK syste%s1 t$at allo( 
(eb bro(sers to speci-y any ID) T$e second type is KstrictK syste%s1 t$at only accept ser&er"side 'enerated &alues) Wit$ per%issi&e syste%s1 arbitrary session IDs are %aintained (it$out contact (it$ t$e (eb site) Strict syste%s reBuire t$at t$e attac*er %aintain t$e Ktrap"sessionK1 (it$ periodic (eb site contact1 pre&entin' inacti&ity ti%eouts) Wit$out acti&e protection a'ainst session .2ation1 t$e attac* can be %ounted a'ainst any (eb site usin' sessions to identi-y aut$enticated users) Web sites usin' session IDs are nor%ally coo*ie based1 but URLs and $idden -or%".elds are used as (ell) Un-ortunately1 coo*ie"based sessions are t$e easiest to attac*) Eost o- t$e currently identi.ed attac* %et$ods are ai%ed to(ard t$e .2ation o- coo*ies) In contrast to stealin' a userFs session ID a-ter t$ey $a&e lo''ed into a (eb site1 session .2ation pro&ides a %uc$ (ider (indo( o- opportunity) T$e acti&e part o- t$e attac* ta*es place be-ore t$e user lo's in) T$e session .2ation attac* is nor%ally a t$ree step processG #, Session Set"Up T$e attac*er sets up a Ktrap"sessionK -or t$e tar'et (eb site and obtains t$at sessionFs ID1 or t$e attac*er %ay select an arbitrary session ID used in t$e attac*) In so%e cases1 t$e establis$ed trap session &alue %ust be %aintained (it$ repeated (eb site contact) 5, Session 8i2ation T$e attac*er introduces t$e trap session &alue into t$e userFs bro(ser and .2es t$e userFs session ID) ;, Session Entrance T$e attac*er (aits until t$e user lo's into t$e tar'et (eb site1 and t$en1 ($en t$e .2ed session ID &alue is used1 t$e attac*er %ay ta*e o&er)K I- a session %ana'e%ent syste% accepts session IDs in t$e -or% o- a URL para%eter1 t$e -ollo(in' reBuest %ay -orce t$e session ID to t$e &alue o- t$e URL para%eter) Code SnippetG $ttpG//e2a%ple/lo'in)p$pLPDPSESSIDM#5;< Accordin' to WASCG KIssuin' a ne( session ID coo*ie &alue usin' a client"side script " ;? 
" Application Related Security Vulnerabilities in a Web Application A Cross"Site Scriptin' &ulnerability on any (eb site in t$e do%ain can be used to %odi-y t$e current coo*ie &alue) Code SnippetG $ttpG//e2a%ple/NscriptOdocu%ent)coo*ieMKsessionidM#5;<UP56do%ainM)e2a%ple)do%KUN/script O Anot$er si%ilar e2a%ple +usin' EETA ta' inCection,G $ttpG//e2a%ple/N%etaP56$ttp"eBui&MSet"Coo*ieP56contentMKsessionidM#5;<UP 56do%ainM)e2a%ple)do%KO Issuin' a coo*ie usin' an DTTP response $eader T$e attac*er -orces t$e tar'et (eb site1 or any ot$er site in t$e do%ain1 to issue a session ID coo*ie) T$is can be ac$ie&ed in %any (aysG " !rea*in' into a (eb ser&er in t$e do%ain +e)')1 a poorly %aintained WAP ser&er, " Poisonin' a userFs DNS ser&er1 eRecti&ely addin' t$e attac*erFs (eb ser&er to t$e do%ain " Settin' up a %alicious (eb ser&er in t$e do%ain +e)')1 on a (or*station in Windo(s 5666 do%ain1 all (or*stations are also in t$e DNS do%ain, " E2ploitin' an DTTP response splittin' attac*K """""""""""""""""""""""""""""""""""""""""""""" Co%parison o- t$e session identi.ers be-ore and a-ter t$e lo'in process re&ealed t$ey (ere not updated1 ($ic$ %eans t$at user i%personation %ay be possible) Preli%inary *no(led'e o- t$e session identi.er &alue %ay enable a re%ote attac*er to pose as a lo''ed"in le'iti%ate user) T$e session identi.er &alue can be obtained by utili9in' a Cross"Site Scriptin' &ulnerability1 causin' t$e &icti%Fs bro(ser to use a prede.ned session identi.er ($en contactin' t$e &ulnerable site1 or by launc$in' a Session 8i2ation attac* t$at (ill cause t$e site to present a prede.ned session identi.er to t$e &icti%Fs bro(ser) =eneral 8i2 Reco%%endations Al(ays 'enerate a ne( session to ($ic$ t$e user (ill lo' in i- success-ully aut$enticated) Pre&ent user ability to %anipulate session ID) Do not accept session IDs pro&ided by t$e userFs bro(ser at lo'in Re-erences and Rele&ant Lin*s KSession 8i2ation Vulnerability in Web"based ApplicationsK1 !y EitCa 7olse* " Acros Security 
PHP Manual, Session Handling Functions, Sessions and security

Inadequate Account Lockout

Security Risks
It might be possible to escalate user privileges and gain administrative permissions over the web application.

Possible Causes
Insecure web application programming or configuration.

Technical Description
A brute force attack is an attempt by a malicious user to gain access to the application by sending a large number of possible passwords and/or usernames. Since this technique involves a large number of login attempts, an application that does not limit the number of false login requests allowed is vulnerable to these attacks. It is therefore highly recommended to restrict the number of false login attempts allowed on an account before it is locked.

Sample Exploit: The following request illustrates a password-guessing request:
http://site/login.asp?username=EXISTING_USERNAME&password=GUESSED_PASSWORD
If the site does not lock the tested account after several false attempts, the attacker may eventually discover the account password and use it to impersonate the account's legitimate user.

General Fix Recommendations
Decide upon the number of login attempts to be allowed (usually from 3 to 5), and make sure that the account will be locked once the permitted number of attempts is exceeded. To avoid unnecessary support calls from genuine users who were locked out of their account and require re-enabling, it is possible to suspend account activity only temporarily, and enable it again after a specific period of time. Locking the account for a period of ten minutes or so is usually sufficient to block brute force attacks.

References and Relevant Links
"Blocking Brute-Force Attacks" by Mark Burnett

Authentication Bypass Using SQL Injection

Security Risks
It may be possible to bypass the web application's authentication mechanism.

Possible Causes
Sanitization of hazardous characters was not performed correctly on user input.

Technical Description
Web applications often use databases at the backend to interact with the enterprise data warehouse. The de facto standard language for querying databases is SQL (each major database vendor has its own dialect). Web applications often take user input (taken out of the HTTP request) and incorporate it in an SQL query, which is then sent to the backend database. The query results are then processed by the application and sometimes displayed to the user.

This mode of operation can be exploited by an attacker if the application is not careful enough with its treatment of user (attacker) input. If this is the case, an attacker can inject malicious data, which when incorporated into an SQL query, changes the original syntax of the query into something completely different. For example, if an application uses the user's input (such as username and password) to query a database table of users' accounts in order to authenticate the user, and the attacker has the ability to inject malicious data into the username part of the query (or the password part, or both), the query can be changed into a different data-yanking query, a query that modifies the database, or a query that runs shell commands on the database server.

Suppose the query in question is:
SELECT COUNT(*) FROM accounts WHERE username='$user' AND password='$pass'
where $user and $pass are user input (collected from the HTTP request which invoked the script that constructs the query - either from a GET request's query parameters, or from a POST request's body parameters). A regular usage of this query would be with the values $user=john, $password=secret123. The query formed would be:
SELECT COUNT(*) FROM accounts WHERE username='john' AND password='secret123'
The expected query result is 0 if no such user+password pair exists in the database, and >0 if such a pair exists (i.e. there is a user named 'john' in the database, whose password is 'secret123'). This would serve as a basic authentication mechanism for the application. But an attacker can bypass this mechanism by submitting the following values: $user=john, $password=' OR '1'='1. The resulting query is:
SELECT COUNT(*) FROM accounts WHERE username='john' AND password='' OR '1'='1'
This means that the query (in the SQL database) will return TRUE for the user 'john', since the expression 1=1 is always true. Therefore, the query will return a positive number, and thus the user (attacker) will be considered valid without having to know the password.

General Fix Recommendations
There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands, etc. It is advised to filter out all of the following characters:
[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (triangular parenthesis)
[12] () (parenthesis)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

References and Relevant Links
"Web Application Disassembly with ODBC Error Messages" (by David Litchfield)
SQL Injection Training Module
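The two sections above, "Inadequate Account Lockout" and "Authentication Bypass Using SQL Injection", describe the same login flow from two sides. The following Python program is an added example; it is not code from this document or from Rational AppScan. It uses the standard-library sqlite3 module as a stand-in for the Oracle and MS SQL backends the document discusses, keeps the document's plaintext password column only so that its query can be reproduced verbatim, and the class and function names, the attempt limit and the lockout period are assumptions. It shows the document's COUNT(*) query assembled by concatenation accepting the password ' OR '1'='1, the same query with bound parameters rejecting it, and a login routine that suspends an account temporarily once the permitted number of failures is exceeded.

```python
import sqlite3
import time

MAX_FAILED_ATTEMPTS = 5   # the document suggests 3 to 5 (assumed value)
LOCKOUT_SECONDS = 600     # the document suggests about ten minutes


def build_demo_db():
    """In-memory accounts table with one constructed user.

    sqlite3 stands in for the Oracle/MS SQL backends the document discusses.
    The plaintext password column only mirrors the document's query; a real
    application stores a salted password hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('john', 'secret123')")
    conn.commit()
    return conn


def count_matches_vulnerable(conn, user, pw):
    """The document's query assembled by string concatenation.

    The input becomes part of the SQL syntax, so the password ' OR '1'='1
    turns the WHERE clause into (username='john' AND password='') OR '1'='1'
    and every row matches."""
    sql = ("SELECT COUNT(*) FROM accounts WHERE username='" + user
           + "' AND password='" + pw + "'")
    return conn.execute(sql).fetchone()[0]


def count_matches_safe(conn, user, pw):
    """The same query with bound parameters: the driver passes the values as
    data, so a quote in the password can never change the query's structure."""
    sql = "SELECT COUNT(*) FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchone()[0]


class LoginService:
    """Parameterized authentication with a temporary per-account lockout."""

    def __init__(self, conn):
        self.conn = conn
        self.failures = {}   # username -> (consecutive failures, time of last one)

    def login(self, user, pw, now=None):
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for tests."""
        now = time.time() if now is None else now
        count, last = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS:
            if now - last < LOCKOUT_SECONDS:
                return "locked"          # refused even if the password is right
            count = 0                    # lockout period elapsed: start fresh
        if count_matches_safe(self.conn, user, pw) > 0:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = (count + 1, now)
        return "denied"


if __name__ == "__main__":
    db = build_demo_db()
    injected = "' OR '1'='1"
    print("concatenated query, injected password:", count_matches_vulnerable(db, "john", injected))
    print("parameterized query, injected password:", count_matches_safe(db, "john", injected))
    svc = LoginService(db)
    t0 = 0.0
    for i in range(MAX_FAILED_ATTEMPTS):
        print(svc.login("john", "guess%d" % i, now=t0 + i))
    print(svc.login("john", "secret123", now=t0 + 10))
    print(svc.login("john", "secret123", now=t0 + 10 + LOCKOUT_SECONDS))
```

Bound parameters make the fix independent of the character blacklist the document recommends: the blacklist removes the apostrophe from this one payload, but parameterization keeps every input as data regardless of dialect, so the blacklist is at most a secondary input-validation layer. Two properties of the lockout are worth noting on the defensive side: the correct password is refused while the lock is active, which is the intended behaviour, and because the counter is keyed by username, repeated failures against a known account will lock its legitimate owner out for the lockout period, which is why the document recommends a temporary rather than permanent lock.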