XSS Proofing Java EE, JSP, and JSF Applications - Oracle

XSS-Proofing Java™ EE, JSP, and JSF Applications
Jeff Williams, Aspect Security
http://www.aspectsecurity.com
[email protected]
Twitter Questions: @planetlevel
Monday, 8 June 2009

About Me

Timeline (1999, 2001, 2003, 2005, 2007, 2009): WebGoat, SSE-CMM, OWASP Foundation, AppSec Contract, OWASP Top Ten, Chapters Program, CSRF Guard & Tester, Java PDF Attack Filter, Java Stinger, ASVS, Risk Rating Model, Java ESAPI, JavaEE ClickJack Filter, XSS Prevention Cheat Sheet

The Perfect Attack

You spread XSS every time you put untrusted data in a webpage without escaping.

(Ebola image courtesy NIH)

150 days…

https://www.dev.java.net/servlets/Search?mode=xss&query=xss&scope=domain&artifact=xss&resultsPerPage="'/>alert('Hello%20TheRat')
Characters used: " / >
Courtesy xssed.org

15 seconds…

http://www28.cplan.com/cc230/sessions_catalog.jsp?ilc=230-1&ilg=english&isort=&isort_type=&is=yes&icriteria8=xss'>alert(document.cookie)
Multiple instances in page
Characters used: ' >

15 more seconds…

http://www28.cplan.com/cc230/sessions_catalog.jsp?ilc=230-1&ilg=english&isort=&isort_type=&is=yes&icriteria8=xss' onmouseover='alert(document.cookie)
Multiple instances in page
Characters used: ' SP

Vulnerable Web Applications

• 225,150,000 records leaked via vulnerable applications
• 79% of all stolen records in 2008 came from breached apps
Courtesy Verizon

XSS Epidemic

• 70-90% of applications are vulnerable
• 466 new vulnerable SSL websites per day
Courtesy Netcraft

“Alert Boxes Don’t Scare Me”

You Are Not the Target

wired: attacking users through applications
xsspired: attacking applications directly

Session Hijacking

XSS vulnerability on www.dupe.com: send session cookie*
* could also steal or corrupt any data that’s on the page

Phishing

XSS vulnerability on www.dupe.com: fake login form
Attacker…
• Injects a fake login form
• Gets victim’s credentials
• Victim has no idea

Installing Malware

XSS vulnerability on www.dupe.com: redirect to malware

Mass Distribution

SQL injection vulnerabilities; thousands of sites hit at once. The injected statement appends a string (a script redirect to malware, not captured here) to every text column of every user table:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE (@@FETCH_STATUS=0)
BEGIN
  exec ('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Attacking Intranets

XSS vulnerability on www.dupe.com → insider → XSS proxy → company intranet

XSS Worms

XSS vulnerability on Twitter:

var update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! :)");
var xss = urlencode('http://www.stalkdaily.com">

Validation Can't Totally Prevent XSS

Characters that matter for XSS: < > & ' " % / \ # SP CR LF NUL = ( ) : ; { } ? + ` @

Always Use Context-Sensitive Escaping!

• HTML Element Data: &#xHH
• Quoted Attribute Values: &#xHH
• Simple JavaScript Data Values: \xHH
• CSS Data Values: \HH
• URL Endings: %HH

http://www.owasp.org/index.php/XSS Prevention

Avoid Untrusted Data in Other Contexts

• JavaScript Code: No
• Comments: No
• Attribute Names: No
• Style Expressions: No
• Unquoted Attributes: No

Don't Attempt to Filter Scripts
Bad Idea

Get a Security Escaping Library
http://www.owasp.org/

Why Isn't HTML Escaping Enough?
http://ha.ckers.org/xss.html

Escaping in Servlets

out.println( request.getParameter( "foo" ) );

You must escape all untrusted data…

String foo = request.getParameter( "foo" );
out.println( encoder.escapeForHtmlBody( foo ) );
out.println( encoder.escapeForJavaScript( foo ) );
out.println( encoder.escapeForCSS( foo ) );

Pay attention to the context!
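The five escaping rules on the "Always Use Context-Sensitive Escaping!" slide and the encoder calls on the servlet slide above, as one added example in Java that is not code from the talk, from Aspect Security or from OWASP ESAPI: a minimal escaper with one method per output context. The class and method names (ContextEscaper, forHtml, forJavaScript, forCss, forUrl) are assumptions of this example, and the sample input in main is constructed from characters on the "Validation Can't Totally Prevent XSS" slide.

```java
import java.nio.charset.StandardCharsets;

/**
 * Added example, not code from the talk: a minimal context-sensitive escaper
 * implementing the five rules on the "Always Use Context-Sensitive Escaping!"
 * slide. Class and method names are hypothetical; a real application should
 * use a maintained library (the talk points to the OWASP escaping libraries).
 */
public final class ContextEscaper {

    private ContextEscaper() {}

    /** Only unaccented letters and digits pass through unchanged, in every context. */
    private static boolean isAlnum(int c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    /** HTML element data and quoted attribute values: &#xHH; for every other character. */
    public static String forHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        s.codePoints().forEach(c -> {
            if (isAlnum(c)) {
                out.appendCodePoint(c);
            } else {
                out.append("&#x").append(Integer.toHexString(c).toUpperCase()).append(';');
            }
        });
        return out.toString();
    }

    /** Simple JavaScript data values inside a quoted string literal: \xHH below 0x100, six-character unicode escape above. */
    public static String forJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        s.codePoints().forEach(c -> {
            if (isAlnum(c)) {
                out.appendCodePoint(c);
            } else if (c <= 0xFF) {
                out.append(String.format("\\x%02X", c));
            } else {
                out.append(String.format("\\u%04X", c));
            }
        });
        return out.toString();
    }

    /** CSS data values: \HH followed by a space so a following hex digit is not absorbed into the escape. */
    public static String forCss(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        s.codePoints().forEach(c -> {
            if (isAlnum(c)) {
                out.appendCodePoint(c);
            } else {
                out.append('\\').append(Integer.toHexString(c).toUpperCase()).append(' ');
            }
        });
        return out.toString();
    }

    /** URL endings (a query-string value): %HH over the UTF-8 bytes. */
    public static String forUrl(String s) {
        StringBuilder out = new StringBuilder(s.length() * 3);
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xFF;
            if (isAlnum(v)) {
                out.append((char) v);
            } else {
                out.append(String.format("%%%02X", v));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input using characters from the "Validation Can't Totally
        // Prevent XSS" slide; each sink below gets the escaper for its own context.
        String foo = "xss' onmouseover='alert(1)";
        System.out.println("<div>" + forHtml(foo) + "</div>");
        System.out.println("<input value=\"" + forHtml(foo) + "\">");
        System.out.println("<script>var x = '" + forJavaScript(foo) + "';</script>");
        System.out.println("<div style=\"font-family: " + forCss(foo) + "\"></div>");
        System.out.println("<a href=\"/search?q=" + forUrl(foo) + "\">search</a>");
    }
}
```

The right escaper depends on where the data lands, not on the data itself: the same string is written into an element body, a quoted attribute, a quoted JavaScript string, a CSS value and a query string, and in each case only letters and digits survive unescaped, so none of the 27 characters on the validation slide can change the meaning of the surrounding markup in that context. Writing the HTML form into a script block or a URL would not give that guarantee, which is the point of the "Why Isn't HTML Escaping Enough?" slide.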

Escaping in Servlets

String foo = bean.getFoo();
out.println("

Pay attention to the context!

Escaping in JSP and JSTL

${foo}
Quotes don’t help with URLs.
Except for body and quoted attributes, you have to do all your own escaping.
Note the quotes!

Escaping in JSF

Lots of loopholes… URLs, CSS, scripts, events. Only safe in HTML context.
Pay attention to the context!

Which Tags Escape Right?
http://www.owasp.org/index.php/Category:OWASP_JSP_Testing_Tool

Regex Appendix – For Reference Later

Description | Pattern
Simple use of untrusted data |
Untrusted data repopulating a form |