XSS: The Gloves are Off

decisioncrunch, 20 Nov 2013

Andy Prow
Managing Director, Aura Software Security Ltd
Andy@AuraSoftwareSecurity.co.nz

Kirk Jackson
Senior Developer, Xero
kirk@xero.com

The Message

"XSS can fully compromise your site's users' machine, which might include you."

"XSS is easy to protect against as long as you take the right precautions."





Who are we?

- Andy Prow
  - Managing Director of Aura Software Security Ltd
  - Security Consultants - Penetration Testers
  - Performed web application pen-testing for NZ, Australian and UK companies.
  - Govt, corporate and banking
  - Wellington based.
  - BSc Hons in Comp Sci and Soft Eng; 14 years software dev experience.


Who are we?

- Kirk Jackson
  - Developer & Security Officer, Xero: http://www.xero.com
  - Microsoft MVP, ASP.NET
  - Organises the Wellington .NET user group; 25 user groups nationwide: http://www.dot.net.nz
  - Blog: http://pageofwords.com


Are the Threats Real?

XSS attacks include:
- Twitter, FaceBook, PayPal, Google, MySpace, WordPress, etc.

XSS attacks have / can:
- Inject rude images and abusive pop-ups
- Targeted CSRF
- "Own" their browser (example in a mo...)
- Perform port scans from their machine
- Download full malware to compromise their machine


XSS 101

http://www.owasp.org/index.php/XSS

XSS Shell

The Victim...

XSS Shell

The Command and Control Console...

XSS Attack and Defence

The gloves are off...

XSS Attack and Defence

NOTE: slides 11 (this slide) to slide 49 are taken from the live demo, using a .Net 3.5 web-application. Each set of slides shows Andy's XSS attacks, and then Kirk updates the code, rebuilds, reruns and therefore DEFENDS against the attack.

The real preso slides start again at 50.

XSS Attack and Defence

Attack: XSS 101 for dummies...

    <script>alert('xss');</script>

Defence:

    sInput.Replace("<script>", "&lt;script&gt;")

Comments: Poor choice. Only replacing the "<script>" tag is too specific; there are many ways around it...

XSS Attack and Defence

Attack: So if they're checking for "<script>" we'll change it...

    <ScRiPt>alert('XSS');</ScRiPt>

Defence: OK, ToLower() should fix that...

Comments: Still very easily bypassed.

XSS Attack and Defence

Attack: Try something other than "script"

    <IMG onmouseover="javascript:alert('XSS')" SRC="http://www.aurasoftwaresecurity.co.nz/images/Logo.jpg">

Defence: Replace a larger set of strings...

Comments: So it picks up on all of the recognisable text, but what about encoded values?

XSS Attack and Defence

Attack: Perhaps HEX or UTF8 encoded

    <IMG onmouseover="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29" SRC="http://www.aurasoftwaresecurity.co.nz/images/Logo.jpg">

Defence: HEX decode, then replace a larger set of strings...

Comments: So it picks up on all of the recognisable text, even encoded... But couldn't it be simpler?

XSS Attack and Defence

Attack: Any variation...

Defence: http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Comments: Now it picks up all HTML special characters, whether encoded or not. However, there are alternatives...

XSS Attack and Defence

Attack: Any variation...

Defence: Microsoft AntiXSS Library (for .Net)

Comments: All done for you, and seems to work!
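The demo's defence steps side by side, as an added Python example (not code from the slides, Aura or Xero): each blacklist stage from the sequence above is reimplemented and run against the slides' own payloads, next to an encoder that follows the OWASP cheat-sheet rule of encoding every HTML special character. The BAD_WORDS list is a constructed stand-in for the demo's "larger set of strings". The point it makes is the one the slides make: a blacklist can only remove the strings it knows about and still hands the browser markup, whereas encoding turns the whole value into text.

```python
import html

# Payloads exactly as shown on the attack slides
PAYLOAD_101 = "<script>alert('xss');</script>"
PAYLOAD_CASE = "<ScRiPt>alert('XSS');</ScRiPt>"
PAYLOAD_IMG = ('<IMG onmouseover="javascript:alert(\'XSS\')" '
               'SRC="http://www.aurasoftwaresecurity.co.nz/images/Logo.jpg">')
PAYLOAD_HEX = ('<IMG onmouseover="&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74'
               '&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29" '
               'SRC="http://www.aurasoftwaresecurity.co.nz/images/Logo.jpg">')

# Constructed stand-in for the slides' "larger set of strings" (not the demo's real list)
BAD_WORDS = ["<script>", "javascript", "alert"]


def defence_1_replace_script_tag(s):
    """Slide defence: sInput.Replace("<script>", "&lt;script&gt;") - case-sensitive."""
    return s.replace("<script>", "&lt;script&gt;")


def defence_2_lowercase_first(s):
    """Slide defence: ToLower() and then the same replace."""
    return defence_1_replace_script_tag(s.lower())


def defence_3_replace_larger_set(s):
    """Slide defence: lower-case, then strip a larger blacklist of strings."""
    s = s.lower()
    for word in BAD_WORDS:
        s = s.replace(word, "")
    return s


def defence_4_decode_then_replace(s):
    """Slide defence: HEX (character reference) decode first, then the blacklist."""
    return defence_3_replace_larger_set(html.unescape(s))


def encode_all_special_characters(s):
    """OWASP cheat-sheet rule for HTML body context: encode & < > " ' / - no blacklist.
    '&' goes first so the entities produced afterwards are not re-encoded."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#x27;").replace("/", "&#x2F;"))


def browser_view(s):
    """What the browser sees once it decodes character references in an attribute value."""
    return html.unescape(s)


def still_contains_markup(s):
    """True when a raw '<' survives, i.e. the filter output is still HTML rather than text."""
    return "<" in s


if __name__ == "__main__":
    for name, fn, payload in [
        ("1 replace <script>", defence_1_replace_script_tag, PAYLOAD_CASE),
        ("2 ToLower first", defence_2_lowercase_first, PAYLOAD_IMG),
        ("3 larger set", defence_3_replace_larger_set, PAYLOAD_HEX),
        ("4 decode then replace", defence_4_decode_then_replace, PAYLOAD_HEX),
        ("encode specials", encode_all_special_characters, PAYLOAD_HEX),
    ]:
        out = fn(payload)
        print(f"{name:24} markup left: {str(still_contains_markup(out)):5} -> {out[:60]}")
```

Each blacklist stage reports "markup left: True" because the IMG tag itself is never in the list; only the encoder reports False. Stage 3 is also the one where the browser's own decoding matters: the filter never sees "javascript" in the hex payload, but `browser_view` of its output does.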

XSS Attack and Defence

Attack: So the web-pages are secure; what about the web-services?

Defence: Copy input cleansing to the web-service, or move it to the data-layer. Picks up data entry points.

Comments: It's an option... Etc, etc...

XSS Attack and Defence

Attack: So all web-services and web-pages are secure. Perhaps we've got in via a back-end legacy system?

Defence: Assume you cannot trust your own DB; cleanse the output to the browser.

Comments: It's an option...

XSS Attack and Defence

Attack: All data-stores, input and output are clean. So if persistent XSS fails, try reflected.

Defence: Check EVERY input parameter, both on the querystring and from form data!

Comments: Trust nothing, from anywhere!

Note: IE8 is blocking our reflected XSS! Good!

Unfortunately Firefox does NOT block our reflected XSS...

Encoding

Encoding is "the process of transforming information from one format into another" [Wikipedia]

Taking some input text and making it appropriate to use in a given context:

    Untrusted input  ->  Safe to output

User enters:  Kirk <script>...
We output:    Kirk &lt;script&gt;...

Untrusted Input: 3 approaches

Input arrives: <script>alert('Hello!')</script>

1. Invalid input!
2. Encode into DB:  stored as &lt;script&gt;alert('H...  ->  Display directly  ->  &lt;script&gt;alert('H...
3. Store verbatim:  stored as <script>alert('Hello!'...  ->  Encode on display ->  &lt;script&gt;alert('H...

Display contexts

What if we want to display it in a non-HTML context?

    <script>
        var text = 'XXXX'                                 <- Javascript context
    </script>

    <a href="http://foo.com/?XXXX"                        <- URL context
       class="XXXX">                                      <- HTML attribute context

XSS - Cross site scripting

- Don't display untrusted user input
- Sanitise all input
- Encode all output
- HTTP Headers: don't insert untrusted content
- Some ASP.NET controls don't encode output
- Use Anti-XSS Library rather than HttpUtility

AntiXSS library

- Encode text for a variety of contexts
- AntiXSS module for automatically encoding controls
- Produced by Microsoft ACE Team (Security, Performance and Privacy)
- Recently open-sourced (MS-PL, OSI approved)
- White list character sets: principle of inclusions
  - a-z, A-Z, 0-9, space, period, comma, underscore, hyphen
  - Latin, Greek, Bengali, Balinese, Japanese, ...

AntiXSS Encoding Methods

You determine the encoding method to use:

- HtmlEncode - HTML output, except when an attribute
- HtmlAttributeEncode - HTML attribute
- JavascriptEncode - used within JavaScript, puts inside quotes
- UrlEncode - used in a URL (e.g. query param)
- ...and VisualBasicScriptEncode, XmlEncode, XmlAttributeEncode
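An added Python illustration of the "3 approaches", "Display contexts" and "AntiXSS Encoding Methods" slides together (this is not the AntiXSS library, nor code from the presenters): four context-specific encoders built on the slide's principle of inclusions, with the whitelist taken from the AntiXSS slide (a-z, A-Z, 0-9, space, period, comma, underscore, hyphen; the extra Unicode scripts AntiXSS allows are left out). The escape forms, and the narrower URL whitelist without space and comma, are this example's assumptions, not AntiXSS's exact output. `render` shows the "store verbatim, encode on display" approach placing one stored value into the four contexts from the "Display contexts" slide; `render_from_html_encoded_store` shows why encoding into the DB ties you to one context.

```python
# Safe set as listed on the AntiXSS slide; everything outside it is encoded.
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
HTML_SAFE = set(ALNUM + " .,_-")
URL_SAFE = set(ALNUM + "._-")      # assumption: space and comma are not safe in a URL


def html_encode(text):
    """HTML body context: numeric character reference for every non-whitelisted char."""
    return "".join(c if c in HTML_SAFE else f"&#{ord(c)};" for c in text)


def html_attribute_encode(text):
    """HTML attribute context: as html_encode, but space is encoded as well, so a value
    placed in an unquoted attribute cannot start a new attribute."""
    return "".join(c if c in HTML_SAFE and c != " " else f"&#{ord(c)};" for c in text)


def javascript_encode(text):
    """JavaScript string context: \\xHH or \\uHHHH escapes, result wrapped in quotes
    (the slide: "puts inside quotes")."""
    out = []
    for c in text:
        if c in HTML_SAFE:
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "'" + "".join(out) + "'"


def url_encode(text):
    """URL query-parameter context: %HH for each UTF-8 byte of a non-whitelisted char."""
    out = []
    for c in text:
        if c in URL_SAFE:
            out.append(c)
        else:
            out.extend(f"%{b:02X}" for b in c.encode("utf-8"))
    return "".join(out)


def render(untrusted):
    """Store verbatim, encode on display: the same stored value goes into the four
    contexts of the 'Display contexts' slide, each through its own encoder."""
    return (
        "<script>var text = " + javascript_encode(untrusted) + ";</script>\n"
        '<a href="http://foo.com/?' + url_encode(untrusted) + '" '
        'class="' + html_attribute_encode(untrusted) + '">'
        + html_encode(untrusted) + "</a>"
    )


def render_from_html_encoded_store(stored_html_encoded):
    """The 'encode into DB' approach meets a non-HTML context: a value HTML-encoded at
    input time is dropped into a JavaScript string. Nothing executes, but the user sees
    '&#60;' literally, because HTML entities mean nothing inside a <script> block."""
    return "<script>var text = '" + stored_html_encoded + "';</script>"


if __name__ == "__main__":
    print(render("Kirk <script>alert('Hello!')</script>"))
    print(render_from_html_encoded_store(html_encode("Kirk <script>")))
```

Running it prints a page whose only `<script>` and `</script>` tags are the template's own: the stored value appears as `\x3Cscript\x3E` in the JavaScript string, `%3Cscript%3E` in the URL and `&#60;script&#62;` in the attribute and body. The second line shows the cost of encoding on the way in: the value is safe, but it is only correct in the context it was encoded for.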

SRE - Security Runtime Engine

- Runs over entire page on pre-render
- Looks at all controls, and all fields that need encoding
- Doesn't double-encode
- Add httphandler in web.config
- Deploy in bin directory

Other tools

- CAT.NET: static analysis of untrusted data flows
- SRE upcoming enhancements:
  - SQL Detect
  - Clickjacking protection
  - File canonicalization
  - Securing cookies / enforcing SSL

Wrap Up

- XSS attacks can be devastating: DO NOT under-estimate.
- If you're vulnerable you WILL be attacked.
- EASY TO FIX at design and framework time.
- BUGGER TO FIX after you've written bad code!
- Pen-Test thoroughly
- Keep up to date: OWASP is an excellent source...