
CodeBlue2014 -EN- libinjection - from sqli to xss


Nick Galbreath

February 14, 2014

Transcript

1. Nick Galbreath
• @ngalbreath
• Founder/CTO of Signal Sciences Corp
• Before: IponWeb (Moscow, Tokyo)
• Before: Etsy (New York City) NEW
2. What is libinjection?
• A small C library to detect SQLi attacks in user input
• With API in python, lua and php
• Introduced at Black Hat USA 2012
• Open source with BSD license
• https://github.com/client9/libinjection
3. Why libinjection?
• Existing detection is mostly done with regular expressions
• No unit tests
• No performance (speed) tests
• No coverage tests
• No accuracy or precision tests
• No false positive tests
• "what are they actually doing?"
4. libinjection SQLi Today
• Version 3.9.1
• 8000+ unique SQLi fingerprints
• 400+ unit tests
• 85,000+ SQLi samples
5. In Use At
• mod_security WAF http://www.modsecurity.org/
• ironbee WAF https://www.ironbee.com/
• glastopf honeypot http://glastopf.org/
• proprietary WAFs
• internally at many companies
• plus, a pure-java port https://github.com/Kanatoko/libinjection-Java
• .NET wrapper https://github.com/kochetkov/Libinjection.Net
  6. XSS

7. Similar to SQLi
• No standard detection library
• Few, if any, have tests
• Most are based on regular expressions
• Can we do better?
8. XSS Javascript Injection
• Includes DOM-style attacks
• Attacks existing javascript code.
• Detection can truly be done on client
• A very hard problem
9. HTML Injection
• HTML injection attacks are attacks against the HTML tokenization algorithm (text "<b>foo</b>" to tags <b>, foo, </b>)
• The goal is to change the context to 'javascript' and execute arbitrary code.
• This seems detectable.
10. HTML Injection Samples
<b>XSS</b> (raw HTML)
<foo XSS> (tag attribute name)
<foo name=XSS> (tag attribute value)
<foo name='XSS'> (quoted value)
<foo name="XSS"> (quoted value)
<foo name=`XSS`> (IE only!)
11. Browser HTML Tokenization
• Previously every browser parsed or tokenised HTML differently.
• This led to a number of different attacks using broken html tags, special characters or encodings.
• Now, most browsers use the same algorithm from the HTML5 specification.
• The HTML5 algorithm is very specific
12. 60+% of Desktop Browsers are HTML5 http://tnw.co/1cqFueo
IE 9       9%
IE 10     11%
IE 11     10%
Firefox   14%
Chrome    13%
Safari     5%
------------
HTML5     62%
13. Remainder is IE6, IE7 and IE8
• IE6 will, in time, go away. Really ;-)
• IE7 has only 2% of market share
• IE8 has up to 20% market share
• Mostly on Windows XP
• Market share can only go down
14. HTML injection attacks in HTML5 clients.
• No: XML / XSLT injection
• No: Any injection for IE6, IE7, Opera, FF and Chrome older than a year.
• No: DOM style attacks (need a client solution)
15. libinjection html5
• Complete HTML5 Tokenizer.
• Does not build a tree or DOMs
• Just emits token events.
• No copying of data
16. Tokenization Sample
Input: <img src="junk" onerror=alert(1);>
TAG_NAME_OPEN   img
ATTR_NAME       src
ATTR_VALUE      junk
ATTR_NAME       onerror
ATTR_VALUE      alert(1);
TAG_NAME_CLOSE  >
17. Check in Each Context
Each input is parsed in at least 6 different HTML contexts, because that's how XSS works!
<b>XSS</b> (raw HTML)
<foo XSS> (tag attribute name)
<foo name=XSS> (tag attribute value)
<foo name='XSS'> (quoted value)
<foo name="XSS"> (quoted value)
<foo name=`XSS`> (IE only!)
18. Ban Problematic Tokens
• Problematic tags, attributes, and values are cataloged.
• Tags: <script>, anything XML or SVG related
• Attributes: on*, etc
• Values: javascript URLs in various formats
• and more…
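To make slides 9 and 16 to 18 concrete, here is an added example in Python. It is not libinjection's code and is far smaller than its full HTML5 tokenizer: a tokenizer that emits events in the style of slide 16 without building a tree, the six wrapping contexts from slides 10 and 17, and a catalogue-style check for the token classes slide 18 names. The context labels, the INPUT placeholder, the exact on*/javascript: heuristics and the tag list are assumptions made for the illustration, not the library's catalogue.

```python
"""Toy HTML5-style tokenizer plus a per-context XSS check (illustration only)."""
import string

NAME_CHARS = set(string.ascii_letters + string.digits + "-_:")
WS = " \t\n\r\f"


def _starts_tag(html, i):
    # '<' only opens markup when followed by a letter, '/', '!' or '?'
    return i + 1 < len(html) and (html[i + 1].isalpha() or html[i + 1] in "/!?")


def tokenize(html):
    """Emit (kind, text) events in document order; no tree is built, no data is copied twice."""
    events, i, n = [], 0, len(html)
    while i < n:
        if html[i] != "<" or not _starts_tag(html, i):
            j = html.find("<", i + 1)            # text runs up to the next '<'
            j = n if j == -1 else j
            events.append(("DATA", html[i:j]))
            i = j
            continue
        i += 1                                   # consume '<'
        if html[i] in "!?":                      # comment / bogus comment: skip to its end
            end = "-->" if html.startswith("!--", i) else ">"
            j = html.find(end, i)
            j = n if j == -1 else j + len(end)
            events.append(("COMMENT", html[i - 1:j]))
            i = j
            continue
        closing = html[i] == "/"
        if closing:
            i += 1
        j = i
        while j < n and html[j] in NAME_CHARS:
            j += 1
        events.append(("END_TAG" if closing else "TAG_NAME_OPEN", html[i:j].lower()))
        i = j
        while i < n:                             # attribute loop
            while i < n and html[i] in WS + "/":  # whitespace and stray '/' separate attributes
                i += 1
            if i >= n:
                break
            if html[i] == ">":
                events.append(("TAG_NAME_CLOSE", ">"))
                i += 1
                break
            j = i
            while j < n and html[j] not in WS + "=>/":
                j += 1
            name, i = html[i:j].lower(), j
            k = i
            while k < n and html[k] in WS:
                k += 1
            if k < n and html[k] == "=":
                i = k + 1
                while i < n and html[i] in WS:
                    i += 1
                if i < n and html[i] in "\"'":   # quoted value; back-tick is NOT a quote in HTML5
                    j = html.find(html[i], i + 1)
                    j = n if j == -1 else j
                    value, i = html[i + 1:j], j + 1
                else:                            # unquoted value runs to whitespace or '>'
                    j = i
                    while j < n and html[j] not in WS + ">":
                        j += 1
                    value, i = html[i:j], j
                events += [("ATTR_NAME", name), ("ATTR_VALUE", value)]
            else:
                events.append(("ATTR_NAME", name))
    return events


# The six injection contexts of slides 10 and 17; labels and the INPUT marker are assumptions.
CONTEXTS = [
    ("raw HTML", "INPUT"),
    ("tag attribute name", "<foo INPUT>"),
    ("tag attribute value (unquoted)", "<foo name=INPUT>"),
    ("quoted value (single)", "<foo name='INPUT'>"),
    ("quoted value (double)", '<foo name="INPUT">'),
    ("back-tick value (IE only)", "<foo name=`INPUT`>"),
]


def normalise_url(value):
    """Fold the many spellings of a javascript: URL (embedded tabs/newlines, mixed case)."""
    return "".join(c for c in value if not c.isspace() and ord(c) >= 0x20).lower()


def problems(html):
    """Catalogue-style check over the token stream (slide 18); a heuristic, not libinjection's list."""
    found = []
    for kind, text in tokenize(html):
        if kind == "TAG_NAME_OPEN" and (text == "script" or text.startswith(("svg", "xml"))):
            found.append("tag " + text)
        elif kind == "ATTR_NAME" and len(text) > 2 and text.startswith("on"):
            found.append("attribute " + text)
        elif kind == "ATTR_VALUE" and normalise_url(text).startswith(("javascript:", "vbscript:")):
            found.append("value " + text)
    return found


def contexts_hit(user_input):
    """Map each context label to the problems found when the input lands in that context."""
    hits = {}
    for label, template in CONTEXTS:
        found = problems(template.replace("INPUT", user_input))
        if found:
            hits[label] = found
    return hits


def is_xss(user_input):
    return bool(contexts_hit(user_input))


if __name__ == "__main__":
    for kind, text in tokenize('<img src="junk" onerror=alert(1);>'):
        print(f"{kind:15} {text}")
    print(contexts_hit('" onerror=alert(1)'))
```

Running contexts_hit on the string `" onerror=alert(1)` shows why the per-context pass on slide 17 matters: the same bytes are plain text in the raw-HTML context but become an onerror attribute once they land inside a double-quoted attribute value. The toy does not decode character references, so an entity-spliced javascript: URL such as the &Tab; form sample in the test output on slide 23 passes unflagged, the same false-negative class that run reports.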
19. XSS Cheat Sheets
• Most are outdated (exploits for Firefox 3!)
• sorry OWASP :-(
• Each entry validated to make sure it is valid for HTML5 browsers.
20. HTML5SEC.org
• Fantastic resource
• But lists many examples for Firefox 3 and/or obsolete Opera versions
• Pruned to focus on HTML5 browsers
21. @soaj1664ashar
• Produces interesting, new XSS regularly
• If you like XSS, please follow him on Twitter
• http://bit.ly/1bwXTgn
• http://pastebin.com/u6FY1xDA
• http://bit.ly/1iXODkW
22. Attack / Scanners
• Integrated output of one XSS scanner
• Using Shazzer fuzz database http://shazzer.co.uk/ (Thanks to ModSecurity team)
23.
$ make test-xss
./reader -t -i -x -m 10 ../data/xss*
../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `>
../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!>
../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit>
../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)>
../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script>
../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
! XSS : 1628 SAFE : 11 TOTAL : 1639
! Threshold is 10, got 11, failing.
1639 Total Samples
1628 Detected as XSS
11 False Negatives
24. IE Unbalanced Quotes
• IE 8+ has strange behaviour with 'unbalanced quotes' inside comments and attribute values.
• Work in progress
25. TODO 2014-02-17
• It's alpha — so it's likely to have some spectacular failures (bypasses)
• False-positive QA not completed.
• Currently does not handle some IE injections
• Does not have a test-bed for experimenting (maybe later this week).
• More QA, code-coverage needed
• No bindings for scripting languages (soon).