Professional Documents
Culture Documents
IBM Confidential
What if Your Security Defect Became Famous?
• Starting with Heartbleed and Shellshock in 2014
software security bugs are making the news
• Recent WikiLeaks exposure of CIA research into
weaponizing iOS, Android and Samsung TV
security bugs
• Security researchers are trying to cash in on the
fame
• Bugs in security software are sensational (it’s the
software that is supposed to protect you)
• IBM is a target
• Costs to reputation and IBM revenue
• Actual security breaches could lead to litigation,
and law enforcement investigations
• Since 2000 the FTC has issued over 45
consent decrees against companies it ruled failed
to institute sufficient security practices while
delivering software or services. Some decrees
last 20 years!
• Yet with good security education, and solid design and implementation
practices, we can make sure our products are secure!
̶ Do not think that if your product is isolated from the Internet it is not at
risk.
̶ Redesign product front end not only to be good looking and functional,
but also secure
̶ Implement smart architectural changes that fix security flaws at the top
• X-Force Ethical Hacking Team and security testing teams in other Business
Units are here to help you in your development work.
• Vulnerability reports are not created to pass blame for security holes.
• Our shared goal is to make all our products secure.
IBM Confidential
Cross-Site Scripting (XSS)
WordPress Drupal
(source: wpwhitesecurity.com) (source: keycdn.com)
• Let’s assume we are using Java Server Pages (JSP) and the rendering code is
as follows:
• Generated HTML:
• Rendered HTML:
• Because the entered value is output as-is the generated HTML will look like
this:
• When HTML is rendered, the script that was embedded in the name is
executed:
• The trust that users have for your application now automatically
extends to the malicious code
• Once the record is added, every time it will be loaded, the dialog box will pop
up
• Stored XSS is retained by the application and affects other users (e.g.
application administrator)
• Consider a more sinister example. Let’s say the new user record is entered
with the following full name:
• We know that this string will be rendered as-is. This is how it will look in UI:
• Output Encoding works well for sever side generated pages and is quite effective in neutralizing most
XSS payloads.
̶ HTML Encoding for labels and messages
̶ URL Encoding for values stored in links
• The proper way to fix this issue is to use functionality that HTML-encodes the
output:
• In the output the special HTML symbols are now properly encoded:
'-alert(1)-'
• XSS in modern Rich Client UIs is often made possible by unsafe handling of
the DOM.
• Using the innerHtml attribute allows the user input to be rendered as HTML and
XSS with JavaScript events is possible.
alert(1)
• Whitelisting – recommended
̶ Reduces the attack surface to a known quantity
̶ If possible most input should be whitelisted to alphanumeric to prevent XSS (and many other
attacks)
̶ In some cases may be relaxed to allow single quotes or other characters (e.g. to allow input of
names like O’Brien)
̶ Special characters should only be allowed on an exception basis.
• As you validate the input and encode the output use proven,
reputable libraries
• It is preferable not to “roll your own” functionality
̶ It is very easy to make a mistake that does not cover some edge case and
that will render your defense ineffective
• It is best to implement a framework that has one central set of
functionality that validates and encodes data
̶ Peppering your code with checks may lead to some missed unprotected
case that attacker will take advantage of
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express
or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these
materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may
change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and
other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are
designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
IBM CONFIDENTIAL