XSS-Proofing Java™ EE, JSP, and JSF Applications
Jeff Williams, Aspect Security
http://www.aspectsecurity.com
[email protected]
Twitter questions: @planetlevel
Monday, 8 June 2009
About Me
A timeline of projects, 1999 to 2009: WebGoat, SSE-CMM, OWASP Foundation, AppSec Contract, OWASP Top Ten, Chapters Program, CSRF Guard & Tester, Java PDF Attack Filter, Java Stinger, ASVS, Risk Rating Model, Java ESAPI, JavaEE ClickJack Filter, XSS Prevention Cheat Sheet
The Perfect Attack
You spread XSS every time you put untrusted data in a webpage without escaping.
(Image: Ebola virus, courtesy NIH)
150 days…
https://www.dev.java.net/servlets/Search?mode=xss&query=xss&scope=domain&artifact=xss&resultsPerPage="'/>alert('Hello%20TheRat')
Courtesy xssed.org. The resultsPerPage value closes the surrounding tag ("'/>) and injects a script that calls alert('Hello TheRat').
15 seconds…
http://www28.cplan.com/cc230/sessions_catalog.jsp?ilc=230-1&ilg=english&isort=&isort_type=&is=yes&icriteria8=xss'>alert(document.cookie)
Multiple instances in the page: the icriteria8 value closes a single-quoted attribute ('>) and injects a script that reads document.cookie.
15 more seconds…
http://www28.cplan.com/cc230/sessions_catalog.jsp?ilc=230-1&ilg=english&isort=&isort_type=&is=yes&icriteria8=xss' onmouseover='alert(document.cookie)
Multiple instances in the page: the same parameter, this time staying inside the attribute and adding an onmouseover event handler, a variant that needs no script tag at all.
Vulnerable Web Applications
• 225,150,000 records leaked via vulnerable applications
• 79% of all stolen records in 2008 came from breached apps
Courtesy Verizon
XSS Epidemic
• 70–90% of applications are vulnerable
• 466 new vulnerable SSL websites per day
Courtesy Netcraft
“Alert Boxes Don’t Scare Me”
You Are Not the Target
• Attacking users through applications (image: "wired")
• Attacking applications directly (image: "xsspired")
Session Hijacking
An XSS vulnerability in www.dupe.com lets the attacker's script send the victim's session cookie to the attacker.*
* could also steal or corrupt any data that’s on the page
Phishing
An XSS vulnerability in www.dupe.com lets the attacker:
• inject a fake login form into the real page
• collect the victim’s credentials
• leave the victim with no idea anything happened
Installing Malware
An XSS vulnerability in www.dupe.com lets the attacker's script redirect the victim to a site serving malware.
Mass Distribution
SQL injection vulnerabilities used to plant the redirect-to-malware script in every text column of every table; thousands of sites hit at once. The injected T-SQL (the script tag between the doubled quotes did not survive extraction):

    DECLARE @T varchar(255), @C varchar(255)
    DECLARE Table_Cursor CURSOR FOR
      SELECT a.name, b.name
      FROM sysobjects a, syscolumns b
      WHERE a.id = b.id AND a.xtype = 'u'
        AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)  -- ntext, text, nvarchar, varchar
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T, @C
    WHILE (@@FETCH_STATUS = 0)
    BEGIN
      EXEC ('update [' + @T + '] set [' + @C + '] = rtrim(convert(varchar, [' + @C + '])) + ''''')
      FETCH NEXT FROM Table_Cursor INTO @T, @C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor
Attacking Intranets
An XSS vulnerability in www.dupe.com turns an insider's browser into an XSS proxy: the attacker's script runs inside the company network and reaches the company intranet on the attacker's behalf.
XSS Worms
Twitter (the StalkDaily worm); the slide's excerpt of the payload is cut off here:
    var update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! :)");
    var xss = urlencode('http://www.stalkdaily.com">
Validation Can't Totally Prevent XSS
< > & ' " % / \ # SP CR LF NUL = ( ) : ; { } ? + ` @
Every one of these characters is legitimate in some input, and each of them is dangerous in some output context, so input validation alone cannot decide which to reject.
Always Use Context-Sensitive Escaping!
• Simple HTML element data: &#xHH;
• Quoted HTML attribute values: &#xHH;
• Quoted JavaScript values: \xHH
• CSS data values: \HH
• URL endings (parameter values): %HH
http://www.owasp.org/index.php/XSS Prevention
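As an added illustration of those five rules (example code written for this page, not code from the talk or from any OWASP library; the class and method names are invented here), the following Java class implements one encoder per context and runs the cplan.com payload from the earlier slide through each. The last lines show why the context matters: HTML-encoding a value that lands in an href leaves a javascript: URL fully working, because the browser entity-decodes the attribute before it parses the URL.

```java
import java.nio.charset.StandardCharsets;

/**
 * Context-sensitive output encoders, one per context on the slide.
 * Illustration for this page; not Aspect Security's or OWASP's code.
 */
public final class ContextEncoder {

    private ContextEncoder() {}

    private static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    /** HTML element data and quoted HTML attribute values: &#xHH; for every non-alphanumeric character. */
    public static String forHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 3);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else sb.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return sb.toString();
    }

    /** Quoted JavaScript string values: \xHH below 0x100, \uHHHH above. Entities are not decoded inside script. */
    public static String forJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else if (c < 0x100) sb.append(String.format("\\x%02x", (int) c));
            else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }

    /** CSS string values: \HH followed by a space, so the escape cannot absorb a hex digit that follows. */
    public static String forCss(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAlnum(c)) sb.append(c);
            else sb.append('\\').append(Integer.toHexString(c)).append(' ');
        }
        return sb.toString();
    }

    /** URL parameter values: %HH over the UTF-8 bytes. Only for values, never for a whole URL. */
    public static String forUrlParam(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 3);
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            if (isAlnum((char) v)) sb.append((char) v);
            else sb.append(String.format("%%%02X", v));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // The cplan.com payload from the slides, constructed here as the test input.
        String untrusted = "xss' onmouseover='alert(document.cookie)";

        System.out.println("<input value='" + untrusted + "'>");               // vulnerable: a new event handler appears
        System.out.println("<input value='" + forHtml(untrusted) + "'>");      // the quote is now &#x27;, inert
        System.out.println("<script>var q='" + forJavaScript(untrusted) + "';</script>"); // quote is \x27
        System.out.println("<style>p::after{content:'" + forCss(untrusted) + "'}</style>");
        System.out.println("<a href='/search?q=" + forUrlParam(untrusted) + "'>next</a>");

        // Wrong encoder for the context: the browser entity-decodes an href attribute
        // before it parses the URL, so HTML encoding leaves a javascript: URL working.
        String url = "javascript:alert(document.cookie)";
        System.out.println("<a href='" + forHtml(url) + "'>still runs on click</a>");
        System.out.println("<a href='/go?u=" + forUrlParam(url) + "'>inert parameter value</a>");
    }
}
```

Compile and run it with javac/java; the printed lines are the markup a servlet would emit for each context. The point to take from the last two lines is that a URL context needs URL encoding of the parameter value plus validation of the scheme when untrusted data is allowed to form the whole URL, and no amount of HTML encoding substitutes for either.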
Avoid Untrusted Data in Other Contexts
• JavaScript code: no
• Comments: no
• Attribute names: no
• Style expressions: no
• Unquoted attributes: no
Don't Attempt to Filter Scripts
Bad idea
Get a Security Escaping Library
http://www.owasp.org/
Why Isn't HTML Escaping Enough?
http://ha.ckers.org/xss.html
Escaping in Servlets
The vulnerable form:
    out.println( request.getParameter( "foo" ) );
You must escape all untrusted data, with the encoder for the context it lands in:
    String foo = request.getParameter( "foo" );
    out.println( encoder.escapeForHtmlBody( foo ) );   // HTML body
    out.println( encoder.escapeForJavaScript( foo ) ); // quoted JavaScript string
    out.println( encoder.escapeForCSS( foo ) );        // CSS value
Pay attention to the context!
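An added example, not from the talk: one request parameter written into the HTML body, a quoted attribute, a script block, a style block, a URL parameter and an event handler of a single servlet response, each through the matching encoder. It uses the OWASP Java Encoder (org.owasp.encoder.Encode), a real library assumed here to be on the classpath, and a Servlet 3.0 container; the servlet name, URL mapping and markup are invented for this page.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;

/**
 * Example for this page, not code from the talk. Assumes org.owasp.encoder:encoder
 * on the classpath; servlet name and mapping are invented.
 */
@WebServlet("/search")
public class SearchServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String q = req.getParameter("q");
        if (q == null) {
            q = "";
        }
        // Declare the charset; a browser that has to guess it can be tricked into
        // decoding bytes as something other than what the encoder assumed.
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();

        out.println("<!DOCTYPE html><html><head><title>Search</title>");
        // CSS string context: \HH escapes.
        out.println("<style>h1::after { content: ' " + Encode.forCssString(q) + "'; }</style>");
        // JavaScript string context: \xHH escapes, so a closing script tag cannot be smuggled in.
        out.println("<script>var query = '" + Encode.forJavaScript(q) + "';</script>");
        out.println("</head><body>");
        // HTML body context.
        out.println("<h1>Results for " + Encode.forHtml(q) + "</h1>");
        // Quoted attribute context (form repopulation, the cplan.com case from the slides).
        out.println("<form><input type=\"text\" name=\"q\" value=\"" + Encode.forHtmlAttribute(q) + "\"></form>");
        // URL parameter context: %HH for the value; the surrounding href is still an attribute.
        out.println("<a href=\"/search?q=" + Encode.forUriComponent(q) + "&amp;page=2\">Next page</a>");
        // Event handler: a JavaScript string nested inside an HTML attribute, so encode inside-out.
        // The library also offers Encode.forJavaScriptAttribute for exactly this case.
        out.println("<button onclick=\"show('" + Encode.forHtmlAttribute(Encode.forJavaScript(q)) + "')\">Repeat</button>");
        out.println("</body></html>");

        // The line all of the above replaces, vulnerable in every one of those contexts:
        // out.println(q);
    }
}
```

Request /search?q=xss'%20onmouseover='alert(document.cookie) against a container running this servlet and view the source: the quote survives as &#x27; in the attribute, as \x27 in the script block and as %27 in the link, and none of the five places executes anything.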
Escaping in Servlets
    String foo = bean.getFoo();
    out.println("
Pay attention to the context!
Escaping in JSP and JSTL
    ${foo}
Quotes don’t help with URLs.
Except for body and quoted attributes, you have to do all your own escaping.
Note the quotes!
Escaping in JSF
Lots of loopholes: URLs, CSS, scripts, events. Only safe in HTML context.
Pay attention to the context!
Which Tags Escape Right?
http://www.owasp.org/index.php/Category:OWASP_JSP_Testing_Tool
Regex Appendix – For Reference Later
Description / Pattern
Simple use of untrusted data
Untrusted data repopulating a form