[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [WEB SECURITY] Cross Site Scripting

From: "Hoffman, Billy" <billy.hoffman@xxxxxx>
Subject: RE: [WEB SECURITY] Cross Site Scripting
Date: Thu, 20 Sep 2007 18:07:50 +0000
--_000_E6D4EC86FD5EC848A75E0C5A5478EAF70BDE0DC222G3W1111americ_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

No no no no  NO!

Sergii is describing black list input validation. This is *not* a good solu=
tion to securing a web application (though I suppose it is better than noth=
ing at all). <img src=3D. onerror=3Dalert('xss')> will bypass the filter fo=
r <script> and still allow code execution. And that's the problem with blac=
klists, they attempt to define everything that is bad. The problem is this =
list is very large and changes every time someone figures out a new way to =
do something bad. This is why magic quotes is not a defense against SQL inj=
ection because you can perform SQL injection without needing to use a singl=
e quote.

Inputs in web application should be validated using white list input valida=
tion. For example, if an input is a US ZIP code, your web application shoul=
d only accept inputs that are 5 digits long (or perhaps, 5 digits followed =
by a dash, followed by 4 digits)

Recently I've been trying to think of a better way for the average Joe to u=
nderstand Blacklists/whitelist. I used to talk about metal detectors at air=
ports, and how they are a blacklist for metal. As soon as terrorists decide=
 they can use ceramic knives, your metal detector stops working. Unfortuant=
ely this analogy freaks people out, and I really don't have a good real-wor=
ld equivalent for whitelist input validation. Do you just get naked at the =
airport? :)

Please stop advising people to use blacklist input validation.

Billy Hoffman
--
Lead Researcher, HP Security Labs
HP Software
Phone: 678-781-4845
________________________________
From: Sergii Khomenko [mailto:sergey.khomenko@gmail.com]
Sent: Thursday, September 20, 2007 10:45 AM
To: 'Mad Unix'; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Cross Site Scripting

To reduce the risk and to prevent such an attack on your website, all form =
information that is entered, should be checked for html code like this <scr=
ipt>script code goes here</script>. Basically, your website should not acce=
pt any script code from anyone on the web and especially storing the code i=
n the db and then outputting it to somebody else.

When you add validation for your input fields, you can run free web vulnara=
bility scanners like www.acunetix.com<http://www.acunetix.com/> to see if y=
ou still have the vulns.

Hope this helps.

Sergii Khomenko

________________________________
From: Mad Unix [mailto:madunix@gmail.com]
Sent: Thursday, September 20, 2007 10:53 AM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Cross Site Scripting

Our security consulting compay he discoverd on our web server the following=
 risk:

Cross Site Scripting
Risk: High

Description of Vulnerability

The Cross-Site Scripting attack is a privacy violation that allows an attac=
ker to acquire a legitimate user's
credentials and to impersonate that user when interacting with a specific w=
ebsite.
The attack hinges on the fact that the web site contains a script that retu=
rns a user's input
(usually a parameter value) in an HTML page, without first sanitizing the i=
nput.
This allows an input consisting of JavaScript code to be executed by the br=
owser when the script returns this input
in the response page. As a result, it is possible to form links to the site=
 where one of the parameters consists of malicious
 JavaScript code. This code will be executed (by a user's browser) in the s=
ite context, granting
it access to cookies that the user has for the site, and other windows in t=
he site through the user's browser.


--------------
Can any one tell me more about this effect and how to observe and resolve t=
his issue, since is be given as high risk.
Thanks


--
madunix
madunix@gmail.com<mailto:madunix@gmail.com>

--_000_E6D4EC86FD5EC848A75E0C5A5478EAF70BDE0DC222G3W1111americ_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40";>

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:blue;
	text-decoration:underline;}
p
	{mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:12.0pt;
	font-family:"Times New Roman";}
span.EmailStyle18
	{mso-style-type:personal;
	font-family:Arial;
	color:navy;}
span.EmailStyle19
	{mso-style-type:personal-reply;
	font-family:Arial;
	color:navy;}
@page Section1
	{size:595.3pt 841.9pt;
	margin:56.7pt 42.5pt 56.7pt 85.05pt;}
div.Section1
	{page:Section1;}
-->
</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dblue>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>No no no no &nbsp;NO!<o:p></o:p></span=
></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Sergii is describing black list input
validation. This is *<b><span style=3D'font-weight:bold'>not</span></b>* a =
good
solution to securing a web application (though I suppose it is better than
nothing at all). &lt;img src=3D. onerror=3Dalert(&#8216;xss&#8217;)&gt; wil=
l bypass
the filter for &lt;script&gt; and still allow code execution. And that&#821=
7;s the
problem with blacklists, they attempt to define everything that is bad. The=
 problem
is this list is very large and changes every time someone figures out a new=
 way
to do something bad. This is why magic quotes is not a defense against SQL
injection because you can perform SQL injection without needing to use a si=
ngle
quote.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Inputs in web application should be va=
lidated
using white list input validation. For example, if an input is a US ZIP cod=
e,
your web application should only accept inputs that are 5 digits long (or
perhaps, 5 digits followed by a dash, followed by 4 digits)<o:p></o:p></spa=
n></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Recently I&#8217;ve been trying to thi=
nk
of a better way for the average Joe to understand Blacklists/whitelist. I u=
sed
to talk about metal detectors at airports, and how they are a blacklist for
metal. As soon as terrorists decide they can use ceramic knives, your metal
detector stops working. Unfortuantely this analogy freaks people out, and I
really don&#8217;t have a good real-world equivalent for whitelist input
validation. Do you just get naked at the airport? </span></font><font size=
=3D2
color=3Dnavy face=3DWingdings><span style=3D'font-size:10.0pt;font-family:W=
ingdings;
color:navy'>J</span></font><font size=3D2 color=3Dnavy face=3DArial><span
style=3D'font-size:10.0pt;font-family:Arial;color:navy'><o:p></o:p></span><=
/font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<div>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Please stop advising people to use
blacklist input validation. <o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Billy Hoffman<o:p></o:p></span></font>=
</p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>--<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Lead Researcher, HP Security Labs<o:p>=
</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>HP Software<o:p></o:p></span></font></=
p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Phone: 678-781-4845</span></font><o:p>=
</o:p></p>

</div>

<div>

<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font siz=
e=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>

<hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1>

</span></font></div>

<p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span style=3D'font-si=
ze:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> Sergii K=
homenko
[mailto:sergey.khomenko@gmail.com] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Thursday, September 20=
, 2007
10:45 AM<br>
<b><span style=3D'font-weight:bold'>To:</span></b> 'Mad Unix';
websecurity@webappsec.org<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> RE: [WEB SECURITY] =
Cross
Site Scripting</span></font><o:p></o:p></p>

</div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span style=3D=
'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>To reduce the risk and to prevent such=
 an
attack on your website, all form information that is entered, should be che=
cked
for html code like this &lt;script&gt;script code goes here&lt;/script&gt;.
Basically, your website should not accept any script code from anyone on th=
e
web and especially storing the code in the db and then outputting it to
somebody else.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>When you add validation for your input
fields, you can run free web vulnarability scanners like <a
href=3D"http://www.acunetix.com/";>www.acunetix.com</a> to see if you still =
have
the vulns.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Hope this helps.<o:p></o:p></span></fo=
nt></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>Sergii Khomenko<o:p></o:p></span></fon=
t></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>

<div style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'>

<div>

<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font siz=
e=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>

<hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1>

</span></font></div>

<p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span style=3D'font-si=
ze:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'> Mad Unix
[mailto:madunix@gmail.com] <br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Thursday, September 20=
, 2007
10:53 AM<br>
<b><span style=3D'font-weight:bold'>To:</span></b> websecurity@webappsec.or=
g<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> [WEB SECURITY] Cros=
s Site
Scripting</span></font><o:p></o:p></p>

</div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'>Our&nbsp;security consulting compay he discoverd=
 on
our web server the following risk:<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'>Cross Site Scripting <br>
Risk: High<o:p></o:p></span></font></p>

</div>

<p><font size=3D3 face=3D"Times New Roman"><span lang=3DRU style=3D'font-si=
ze:12.0pt'>Description
of Vulnerability<o:p></o:p></span></font></p>

<p><font size=3D3 face=3D"Times New Roman"><span lang=3DRU style=3D'font-si=
ze:12.0pt'>The
Cross-Site Scripting attack is a privacy violation that allows an attacker =
to
acquire a legitimate user's <br>
credentials and to impersonate that user when interacting with a specific
website. <br>
The attack hinges on the fact that the web site contains a script that retu=
rns
a user's input <br>
(usually a parameter value) in an HTML page, without first sanitizing the
input. <br>
This allows an input consisting of JavaScript code to be executed by the
browser when the script returns this input <br>
in the response page. As a result, it is possible to form links to the site
where one of the parameters consists of malicious <br>
&nbsp;JavaScript code. This code will be executed (by a user's browser) in =
the
site context, granting <br>
it access to cookies that the user has for the site, and other windows in t=
he
site through the user's browser. <o:p></o:p></span></font></p>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'>&nbsp;<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'>--------------<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'>Can any one tell me more about this effect and h=
ow to
observe and resolve this issue, since is be given as high risk.<o:p></o:p><=
/span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'>Thanks<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'><br clear=3Dall>
<br>
-- <br>
madunix<o:p></o:p></span></font></p>

</div>

<div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span lang=3DR=
U
style=3D'font-size:12.0pt'><a href=3D"mailto:madunix@gmail.com";>madunix@gma=
il.com</a>&nbsp;<o:p></o:p></span></font></p>

</div>

</div>

</div>

</body>

</html>

--_000_E6D4EC86FD5EC848A75E0C5A5478EAF70BDE0DC222G3W1111americ_--
Follow-Ups:
- Re: [WEB SECURITY] Cross Site Scripting
  - From: application.secure application.secure
- RE: [WEB SECURITY] Cross Site Scripting
  - From: Paul Schmehl
- RE: [WEB SECURITY] Cross Site Scripting
  - From: White, Dain P
References:
- RE: [WEB SECURITY] Cross Site Scripting
  - From: Sergii Khomenko
Prev by Date: Re: [WEB SECURITY] Cross Site Scripting
Next by Date: Re: [WEB SECURITY] Cross Site Scripting
Previous by thread: Re: [WEB SECURITY] Cross Site Scripting
Next by thread: Re: [WEB SECURITY] Cross Site Scripting
Index(es):
- Date
- Thread
Brought to you by http://www.webappsec.org
Search this site