
Hello everyone, I'm Kitty Skelton and I work for WhiteHat Security; I have done for just under two years. Thanks for this opportunity to speak at this, also the first, BSides Belfast event. So today I'm going to talk a bit about XSS. Despite it being a known vulnerability for so many years, it still exists on a large majority of sites: at WhiteHat, just under 50% of the websites that we see are vulnerable to cross-site scripting.

So first of all we're going to talk a little bit about JavaScript. So what is JavaScript? JavaScript is a scripting language that was created to work with HTML and CSS to provide interactive web applications. The HTML provides the content, CSS provides the look and feel, the design of the page, and JavaScript provides the behaviour, the activity. Some things that you may have seen on a website that are done through JavaScript are things like event handling: so when you mouse over an image on a page and the image expands in size, this will be done through JavaScript. Another thing you might see is when you're signing up for an account on a site and there's a location for your phone number and you accidentally put in an O instead of a zero: if the form highlights that field in red and says "input invalid", that will be done through client-side validation, which is done through JavaScript.

So what does JavaScript have to do with XSS? So first of all, what is XSS? XSS, or cross-site scripting, is a web application vulnerability where an attacker is able to include malicious code and have it reflect on a web page. XSS is where the attacker is abusing the trust that a user has for the website itself: the user believes that anything that's on that website should be there. Some places that attackers will look for identifying XSS are things like search functionality: if you search for something like "shoes" and the response comes back saying "the search results for shoes can be seen below", that is simply your user input being reflected on the page. Another place that you might see a user input reflection would be
something like your username: so for example on Amazon your first name is reflected when you sign in, it says something like "Welcome Kitty". To me, these are all locations that an attacker will look for potential XSS and try to put in their own piece of code to run malicious JavaScript, so the main language that is used to exploit XSS is JavaScript.

So what can an attacker do with XSS? One thing an attacker can do with XSS is steal valid session cookies. So let's say you're the victim and you're signed into your banking site, bank.com. An attacker has found XSS on bank.com and they've created a malicious injection that's designed to steal your session cookies. So when you're authenticated to bank.com you set up a session with the server, and the server sends you a particular session cookie. So the attacker sends you the link with the valid injection in it, and when that injection fires, after you've clicked on the link, the session cookie is sent to the attacker. All the attacker needs to do is include that session cookie in their browser, navigate through bank.com, and they can see everything that you see: the bank believes that they are you, and they have control of all of your money.

Another thing an attacker can do with XSS is deface web applications. For example, on a news site, if there's XSS on a news site it's possible to include an article that is not actually valid, something that the attacker has created. In 2006 CBS News and BBC.co.uk were both vulnerable to XSS; an attacker managed to create their own article claiming that President Bush had appointed a nine-year-old boy to be the chairperson of the Information Security Department. It was backed up by claims on CBS News and the BBC, through the attacker's malicious injection on both of those sites. So to a normal person, maybe they don't trust the website that is the attacker's, but if it's backed up by CBS News and the BBC, who are they to question it?

Another thing an attacker can do with XSS is redirect a user on to a malicious site. For example, you as the victim are on your social media site, socialmedia.com, and the attacker finds XSS on socialmedia.com. They create an injection that is designed to redirect you to socialmedialogin.com. Socialmedialogin.com isn't actually owned by the company of socialmedia.com; it's hosted by the attacker. The attacker has created this site to look exactly like the login form on socialmedia.com. The attacker sends you, the victim, a link containing their injection that redirects you to socialmedialogin.com, saying "hey, look at this really cool post that I've just found". You, the victim, click on the link, you get redirected to a page that says "hey, you've been unauthenticated from socialmedia.com, please sign in again", so you include your username and password and sign back in. The attacker's smart: they redirect you actually to socialmedia.com, to an actual forum post or whatever they've told you is there, but you, the victim, have just given the attacker your username and password. They can now sign into that account; you may not know, as the victim, that you have given away your username and password until you no longer have access to that account.

So what's the solution for XSS? The best solution for XSS is two things: input sanitization and output encoding. These two things go together hand in hand.
First of all, input sanitization is where the developer is checking all user input for key signs of malicious code, for example less than and greater than symbols that represent a tag in HTML. The developer may strip those particular characters, therefore preventing an attacker from creating tags, or they'll use output encoding. So output encoding is used for when the site requires special characters to be used: for example a surname like O'Leary contains a special character, the apostrophe or single tick depending what you want to call it. In this case the website should allow the single tick to be put in through the user input, but a single tick can represent a string in HTML, so to prevent the browser from treating it as syntax the developer output encodes it in HTML encoding, so that when the browser sees this encoding it goes "hey, I'm going to display this as a single tick, but I'm not going to treat it as part of the code of the page". So together, both of these done properly will prevent an XSS.

Two other solutions that are commonly found on websites are whitelists and blacklists. So a whitelist is where a developer has said "I only want certain things to get through my user input". This is useful for something like a phone number, where the only thing you want in your user input would be numbers, but if your whitelist starts to contain too many special characters it may be possible for an attacker to break through that whitelist and run their malicious code. The alternative to that is a blacklist. A blacklist is where the developer says "these are all of the things that I don't want my user input to contain", so things like tag names or less than and greater than symbols, but a blacklist can be extensive and quite commonly broken. This little cartoon here is a joke on what can happen if input sanitization is not applied on your applications: in this case a parent has named their child something with an injection in it, and when the teacher included that child into their database it dropped all of their students' information. It wiped all of that information, meaning they don't have it anymore. That is one problem with a lack of input sanitization.

So now I'm going to talk a bit about some real-world breakable filters. Our first filter is to do with output encoding, and some locations where particular output encoding does not prevent XSS. So in this case the developer is preventing user input from containing single ticks in plain text, so it's encoding it in hex HTML encoding: our single tick becomes ampersand hash x27 semicolon. In plain text areas of the HTML this will work fine: the browser will simply treat that
as the literal character; it will not treat it as syntax. However, in some locations such as in an a tag, in an href, in this particular example, our first example here on the screen, the href is declaring JavaScript: so we're using the JavaScript scheme, where our function, the hold function, is going to run when a user clicks on the "click me" that'll be visible on the page. In this particular example our user input is highlighted in red, and if you look at the line below you can see what it decodes to: so we've included single tick, closing parenthesis, semicolon, the function alert, opening and closing parenthesis, and two forward slashes, which represent a comment in JavaScript. So what this is going to do is break out of the function that our user input is reflected into, close off that function and call the alert function. This is a proof of concept that we can run JavaScript in this particular landing space. Another landing space where this type of encoding will work is something like ondrag: if the user input is this, again highlighted in red, our parentheses are hex encoded, and when a user drags the "XSS" that will be visible on the page, the alert will fire.

So here we want to look at a quick example of this filter in practice. So here we are, our user input reflected. We're first going to demonstrate that our user input is being HTML output encoded and won't be treated as actual syntax: so here we can't break out of the tag that we're in. So next up we're going to include the injection from the previous slide, our single tick, closing parenthesis, semicolon, alert function, and here we're going to click on the title, and the alert fired. This is our proof of concept that we can run JavaScript in this particular landing space, HTML hex encoded.

Our second filter is when our user input is being reflected within a script block on the HTML page. In this case the developer is preventing the user input from escaping the script tag, so for example closing out the script tag with our less than symbol, /script, greater than symbol. The developer might be just stripping the special characters or stripping the keyword script; in this particular case the developer will be stripping the keyword script. There's two options that we have here. The first is closing out the JavaScript that we're reflecting into and putting in our string: so in our first example we're in a variable, and our user input is reflected within a string, so we're putting in our quote, our semicolon to end the statement, calling our alert function and commenting out the rest of the string that's left over. Now this works, it works in the majority of places; however if your reflection is landing in a large piece of script and functions, it can be really hard to fix the syntax when you're putting in certain characters in your user input, but JavaScript requires that the syntax be correct, otherwise none of the block of script will run. So this second injection, quote star alert star quote, is so much simpler, so much easier, because we're not breaking the syntax, we're not trying to break out of the function that we're in. So here what we're doing is creating the string ABC, we're calling the alert function and creating a string DEF. What JavaScript is going to do is it's going to notice that we've got a string, we're calling a function and we've got another string, and we're trying to combine them together using mathematics, so our stars could be replaced with minus signs, forward slashes or pluses depending on the mathematics you want to do. And what's going to happen is JavaScript is going to try and combine the ABC with the result of the alert function, but the alert function doesn't return a string, so after it's called the alert function the JavaScript actually is going to error, but it's all right, it's too late: the attacker has already called their function and their injection has fired.

So here we're going to look at our filter in action. So here
our user input is reflecting in the same place as in our example on the previous slide, and here the developer is simply stripping our keyword script. If we put in our mathematics function, our alert fires immediately.

Our next filter is the white/black listing. So we've talked a little bit about blacklisting. In this case our developer is preventing users from using certain event handlers and tag names; in this particular example our developer only knows of one tag and a few event handlers, so body, onclick and onmouseover. This is a pretty short blacklist; most blacklists on the web are going to be a lot more extensive than this, but for this quick example here are three things that can get around that blacklist: input onwheel, svg ondblclick, img onmspointerover. onmspointerover is an IE 10 only event handler, but it'll still work for an attacker. These are just some of the many ways that we can break this particular blacklist. So here's an example of why a blacklist is a pretty bad idea: this is just some of the event handlers that we know of today, and it's quite extensive, there's a lot of them. So when new versions of HTML are released, such as the most recent, HTML 5, new tags and event handlers become available for attackers to execute JavaScript on web applications. This means that there's more work for the developers who are maintaining this blacklist, but there's also room for error: missing a single event handler could make your application vulnerable to XSS; it could be just misspelling an event handler. There's also the problem with how long it takes for the developer to update the blacklist when new things come on: it could be a couple of hours, it could be a couple of months, it could be a couple of years, and any web application relying on that blacklist could be vulnerable to XSS.

Here is another example of our filter working. So our user input is being reflected in a plain text area of HTML. We're just going to show that the body onmouseover tag is simply being removed by the developer. If we include our input onwheel, when a user wheels over the input that will be displayed on the page, the alert fires.
Another filter that we have is when the user input is reflecting in a hidden input field. The developer in this case is preventing the user input from escaping the input tag that the user input is reflected into. There are three things that an attacker could do here. The first on our slide here is a style injection: so our style equals x:expression(alert). This is going to call the alert function when the style attribute is applied; lucky for us, or lucky for an attacker, style is always applied to every input tag regardless of whether it's hidden or not. This is however an IE 7 or newer vulnerability, which means that it's got a limited victim range. Sometimes user input can be reflected before the type is declared in an input field. Something that HTML does is it takes the first attribute and ignores any duplicates, so in this case an attacker is able to declare type equals text: this input is no longer hidden, it's going to be visible on the page whether the developer wanted it to or not. They can then go and use any other event handler that the developer hasn't blocked, so onmouseover equals alert: when a user mouses over that input field, the alert fires. Our third way of getting an injection into a hidden input field is an attribute called accesskey. Creating an accesskey, we declare that a certain character on the keyboard is our access key, in this case it's X. We use the event handler onclick, give it the value alert, and when a user clicks the buttons Control Alt X on a Mac or Alt Shift X on Windows, the alert fires. It's going to be a problem, but it would be possible to social engineer someone into clicking those keys to get something to happen; it would be pretty easy to tell someone "hey, click on these buttons and you'll see a funny cat picture".

So here we're going to see another example of this hidden input field, and examples of our accesskey injection working. So first of all, showing that we cannot break out of the tag: so here we can see the developer is hex encoding the greater than symbol so that we can't close out the hidden input tag. So we're going to stay within the input tag and declare accesskey, so when the user clicks the appropriate buttons after this page is rendered the alert will fire. There we are. In this particular example the user input is also falling before type equals hidden, so just to give an example of declaring type equals text: as you can see the input field isn't visible on the page at this time, but there, the input field is now visible, and when the user clicks on it the alert fired.

Another filter that we've got is when a developer is filtering on any tag: for example when a less than symbol is followed by a letter, the developer will either strip out the less than symbol, strip out the tag entirely, or some other way to prevent the tag being rendered as a tag. Now in plain text areas of HTML this may prevent XSS, unless you're using IE 9. In IE 9 you can put in a percentage sign between the less than symbol and the letter, and IE 9 will actually treat this as an actual tag. So an attacker can use onmouseover equals alert: when someone mouses over the ABC that'll be visible on the page, the alert will fire. So here's another example. So here we're showing that our user input is reflected in plain text. We're going to show that any tag is being filtered out: all we're left with is the 123 of our input. Now when we put in the percentage sign between the less than symbol and the tag name, we expect that user input to not be reflected anymore; it's being treated as an actual tag. So now if we put in the full injection from the previous slide, any tag, onmouseover equals alert, ABC
there we are, ABC is on the page, the alert fired. Just to demonstrate that this is actually being rendered on the page, I'm going to look at the source code, just to prove that that tag is actually there.

The final filter that I've got for you today is when a developer appears to be filtering on all special characters that are required to exploit XSS, for example quotes, less than and greater than symbols, single ticks, pluses and equals signs. This particular injection is landing in a document.write within script space. What's going to happen is the document.write is going to write this input onto the page when it runs, but we need those special characters to create the tag. So in this case we can use hex encoding, where our backslash x3c is our less than symbol; we're creating an arbitrary tag name, XSS, using the event handler onmouseover; backslash x3d is our equals sign; and in this particular case the developer is actually blocking the keyword alert, so we're using top, that's going to combine the "al" string with our "ert" string to create our function. So backslash x27 is our single tick to create our string, backslash x2b is our plus, and backslash x3e is our greater than symbol to close the tag. And when a user mouses over the XSS that is displayed on the page, the alert will fire.

So again we're going to see an example of this filter in place. So user input is reflecting within a document.write. Just to verify that user input cannot be used and the special characters can't just be used normally: so we can't close out of the script, yep. So here we've completely removed some of the special characters and the keyword script. Including our injection from the previous page, our XSS onmouseover equals top alert, with all our X's: we mouse over those X's and the alert fires. This is a fairly unique way to get an XSS on a page; it doesn't come up an awful lot where we're reflected in a document.write.

So today I've covered six different filters with you: output encoding, blocking and closing script tag, blacklisting, hidden field where the developer is stopping the attacker from escaping the input tag, filtering of any tag, and filtering all special characters that are required for XSS. Thank you for your time. Are there any questions?

Well, thank you.
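The talk's first filter shows HTML hex entity encoding failing when the encoded input lands inside href="javascript:hold('...')". The following is an added example, not the speaker's code or slides: it models why the browser undoes that encoding before the JavaScript engine sees the value, and shows a context-aware encoder that keeps input inside the string literal. The hold() function name comes from the talk's slide; the probe inputs and the encoder functions are constructed for this example.

```javascript
// Added example, not from the talk: why HTML entity encoding alone does not
// protect input that lands in a javascript: href, and what to do instead.
// hold() is assumed from the talk's slide; the probe inputs are constructed.

// HTML entity (hex) encoding, as the talk's developer applied it: ' -> &#x27;
function htmlEncode(s) {
  return s.replace(/[&<>"'\/]/g, (c) => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// JavaScript string-literal encoding: every non-alphanumeric character becomes
// \xHH (or \uHHHH). The HTML parser leaves backslash escapes alone, and the JS
// parser treats them as character data, never as a quote or a parenthesis.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Correct layering for a JS string inside an HTML attribute: encode for the
// inner (JavaScript) context first, then for the outer (HTML attribute) one.
function layeredEncode(s) {
  return htmlEncode(jsStringEncode(s));
}

// Minimal model of the browser: numeric character references in an attribute
// value are decoded BEFORE the javascript: URL is handed to the JS engine.
function decodeAttributeValue(attr) {
  return attr.replace(/&#x([0-9a-f]+);/gi, (_, hex) =>
    String.fromCodePoint(parseInt(hex, 16)));
}

// Build href="javascript:hold('<input>')" with the chosen encoder and return
// the JavaScript source the browser would actually execute on click.
function scriptSeenByJsEngine(userInput, encoder) {
  const attrValue = "javascript:hold('" + encoder(userInput) + "')";
  return decodeAttributeValue(attrValue).slice("javascript:".length);
}

// True when the whole input is still inside the string literal of hold('...'),
// i.e. the user input could neither add nor break any JavaScript syntax.
function inputStaysInsideStringLiteral(userInput, encoder) {
  return /^hold\('(?:[^'\\]|\\.)*'\)$/.test(scriptSeenByJsEngine(userInput, encoder));
}

// Constructed probes: a surname the site must accept, and input carrying the
// quote, parenthesis and slash characters the talk shows breaking out.
const PROBES = ["O'Leary", "');x()//"];
for (const p of PROBES) {
  console.log(JSON.stringify(p),
              "htmlEncode keeps it in the string:", inputStaysInsideStringLiteral(p, htmlEncode),
              "layeredEncode keeps it in the string:", inputStaysInsideStringLiteral(p, layeredEncode));
}
```

Note that with htmlEncode even the legitimate O'Leary breaks the JavaScript syntax, which is exactly the condition the talk's injection exploits; the layered encoder accepts the apostrophe and keeps it inert.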