CodeBlue2014 -EN- libinjection - from sqli to xss

Nick Galbreath

February 14, 2014

Transcript

  1. libinjection: From SQLi to XSS • Nick Galbreath, @ngalbreath, Signal Sciences Corp, nickg@signalsciences.com • Code Blue, Tokyo, 2014-02-18
  2. Nick Galbreath, @ngalbreath • Founder/CTO of Signal Sciences Corp • Before: IponWeb (Moscow, Tokyo) • Before: Etsy (New York City)
  3. What is libinjection? • A small C library to detect SQLi attacks in user input • With APIs in Python, Lua and PHP • Introduced at Black Hat USA 2012 • Open source with a BSD license • https://github.com/client9/libinjection
  4. Why libinjection? • Existing detection is mostly done with regular expressions • No unit tests • No performance (speed) tests • No coverage tests • No accuracy or precision tests • No false-positive tests • “What are they actually doing?”
  5. libinjection SQLi Today • Version 3.9.1 • 8000+ unique SQLi fingerprints • 400+ unit tests • 85,000+ SQLi samples
  6. In Use At • mod_security WAF http://www.modsecurity.org/ • ironbee WAF https://www.ironbee.com/ • glastopf honeypot http://glastopf.org/ • proprietary WAFs • internally at many companies • plus, a pure-Java port https://github.com/Kanatoko/libinjection-Java • .NET wrapper https://github.com/kochetkov/Libinjection.Net
  7. XSS
  8. Similar to SQLi • No standard detection library • Few, if any, have tests • Most are based on regular expressions • Can we do better?
  9. XSS: JavaScript Injection • Includes DOM-style attacks • Attacks existing JavaScript code • Detection can truly be done on the client • A very hard problem
  10. HTML Injection • HTML injection attacks target the HTML tokenization algorithm (text “<b>foo</b>” to tokens <b>, foo, </b>) • The goal is to change the context to ‘javascript’ and execute arbitrary code • This seems detectable.
  11. HTML Injection Samples • <b>XSS</b> (raw HTML) • <foo XSS> (tag attribute name) • <foo name=XSS> (tag attribute value) • <foo name='XSS'> (quoted value) • <foo name="XSS"> (quoted value) • <foo name=`XSS`> (IE only!)
  12. Browser HTML Tokenization • Previously every browser parsed or tokenized HTML differently • This led to a number of different attacks using broken HTML tags, special characters or encodings • Now most browsers use the same algorithm from the HTML5 specification • The HTML5 algorithm is very specific
  13. 60+% of Desktop Browsers are HTML5 http://tnw.co/1cqFueo • IE 9: 9% • IE 10: 11% • IE 11: 10% • Firefox: 14% • Chrome: 13% • Safari: 5% • HTML5 total: 62%
  14. Remainder is IE6, IE7 and IE8 • IE6 will, in time, go away. Really ;-) • IE7 has only 2% of market share • IE8 has up to 20% market share • Mostly on Windows XP • Market share can only go down
  15. HTML injection attacks in HTML5 clients • No: XML / XSLT injection • No: Any injection for IE6, IE7, or Opera, Firefox and Chrome versions older than a year • No: DOM-style attacks (need a client solution)
  16. libinjection html5 • Complete HTML5 tokenizer • Does not build a tree or DOM • Just emits token events • No copying of data
  17. Tokenization Sample • Input: <img src="junk" onerror=alert(1);> • Events: TAG_NAME_OPEN img, ATTR_NAME src, ATTR_VALUE junk, ATTR_NAME onerror, ATTR_VALUE alert(1);, TAG_NAME_CLOSE >
  18. Check in Each Context • Each input is parsed in at least 6 different HTML contexts, because that's how XSS works! • <b>XSS</b> (raw HTML) • <foo XSS> (tag attribute name) • <foo name=XSS> (tag attribute value) • <foo name='XSS'> (quoted value) • <foo name="XSS"> (quoted value) • <foo name=`XSS`> (IE only!)
  19. Ban Problematic Tokens • Problematic tags, attributes, and values are catalogued • Tags: <script>, anything XML- or SVG-related • Attributes: on*, etc. • Values: javascript: URLs in various formats • and more…
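As an added example (this is not libinjection's code and not its API), the following C program sketches the pipeline slides 16 to 19 describe: an event-emitting tokenizer whose callbacks receive pointers into the input buffer rather than copies, the six wrapper contexts from slide 18, and a deliberately small ban list in the spirit of slide 19. The token names, the `tokenize`, `xss_contexts`, `is_xss` and `count_tokens` functions, the wrapper strings and the ban list are all this example's own choices; the real library's tokenizer implements the full HTML5 state machine, which this sketch does not.

```c
/* Added example, not libinjection's own code or API: a minimal event-emitting
 * HTML tokenizer (callbacks get pointers into the input; nothing is copied),
 * a small stand-in for the slide 19 ban list, and the slide 18 context check. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { DATA, TAG_NAME_OPEN, ATTR_NAME, ATTR_VALUE, TAG_NAME_CLOSE } tok_t;
typedef int (*tok_cb)(tok_t t, const char *s, size_t len, void *ctx); /* nonzero = stop */

static int ws(char c) { return isspace((unsigned char)c); }
static int tag_end(char c) { return ws(c) || c == '>' || c == '/'; }
static size_t skip_ws(const char *s, size_t n, size_t i) { while (i < n && ws(s[i])) i++; return i; }

/* Tokenize s[0..n); returns 1 if the callback stopped early, 0 at end of input. */
static int tokenize(const char *s, size_t n, tok_cb cb, void *ctx) {
    size_t i = 0, j;
    while (i < n) {
        if (s[i] != '<') {                            /* text run up to the next '<' */
            for (j = i; j < n && s[j] != '<'; j++) {}
            if (cb(DATA, s + i, j - i, ctx)) return 1;
            i = j; continue;
        }
        if (++i < n && s[i] == '/') i++;              /* end tags are checked like start tags */
        for (j = i; j < n && !tag_end(s[j]); j++) {}
        if (cb(TAG_NAME_OPEN, s + i, j - i, ctx)) return 1;
        i = j;
        for (;;) {                                    /* attributes until '>' */
            if ((i = skip_ws(s, n, i)) >= n) return 0;
            if (s[i] == '/') { i++; continue; }       /* HTML5 treats '/' inside a tag as a separator */
            if (s[i] == '>') { if (cb(TAG_NAME_CLOSE, s + i, 1, ctx)) return 1; i++; break; }
            for (j = i; j < n && !tag_end(s[j]) && s[j] != '='; j++) {}
            if (cb(ATTR_NAME, s + i, j - i, ctx)) return 1;
            i = skip_ws(s, n, j);
            if (i >= n || s[i] != '=') continue;      /* attribute without a value */
            i = skip_ws(s, n, i + 1);
            if (i < n && (s[i] == '"' || s[i] == '\'' || s[i] == '`')) {  /* quoted; backtick only for the IE context */
                char q = s[i++];
                for (j = i; j < n && s[j] != q; j++) {}
                if (cb(ATTR_VALUE, s + i, j - i, ctx)) return 1;
                i = j < n ? j + 1 : j;
            } else {                                  /* unquoted: ends at whitespace or '>' */
                for (j = i; j < n && !ws(s[j]) && s[j] != '>'; j++) {}
                if (cb(ATTR_VALUE, s + i, j - i, ctx)) return 1;
                i = j;
            }
        }
    }
    return 0;
}

static int eq_ci(const char *s, size_t len, const char *lit) {   /* case-insensitive equality */
    if (len != strlen(lit)) return 0;
    while (len--) if (tolower((unsigned char)*s++) != *lit++) return 0;
    return 1;
}
/* javascript: URL, case-insensitive. The URL parser discards ASCII tab/newline anywhere
 * in the input, so they are skipped here; entity forms like &Tab; (slide 24) are not decoded. */
static int is_js_url(const char *s, size_t len) {
    const char *lit = "javascript:";
    size_t k = 0;
    for (size_t i = skip_ws(s, len, 0); i < len && lit[k]; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '\t' || c == '\n' || c == '\r') continue;
        if (tolower(c) != lit[k++]) return 0;
    }
    return lit[k] == '\0';
}
/* Deliberately small stand-in for the slide 19 catalogue (this example's own list). */
static int ban_cb(tok_t t, const char *s, size_t len, void *ctx) {
    (void)ctx;
    switch (t) {
    case TAG_NAME_OPEN: return eq_ci(s, len, "script") || eq_ci(s, len, "svg") || eq_ci(s, len, "xml");
    case ATTR_NAME:     return len > 2 && tolower((unsigned char)s[0]) == 'o' && tolower((unsigned char)s[1]) == 'n';
    case ATTR_VALUE:    return is_js_url(s, len);
    default:            return 0;
    }
}

/* Slide 18 contexts: raw HTML, attribute name, unquoted, single-, double-, backtick-quoted value. */
static const char *const pre[6]  = { "", "<foo ", "<foo name=", "<foo name='", "<foo name=\"", "<foo name=`" };
static const char *const post[6] = { "", ">",     ">",          "'>",          "\">",          "`>" };
int xss_contexts(const char *input) {                 /* how many of the six contexts flag the input */
    char buf[1024]; int hits = 0;
    for (int c = 0; c < 6; c++) {
        int n = snprintf(buf, sizeof buf, "%s%s%s", pre[c], input, post[c]);
        if (n < 0 || (size_t)n >= sizeof buf) continue;   /* too long for this example's buffer */
        hits += tokenize(buf, (size_t)n, ban_cb, NULL);
    }
    return hits;
}
int is_xss(const char *input) { return xss_contexts(input) > 0; }

static const char *const names[] = { "DATA", "TAG_NAME_OPEN", "ATTR_NAME", "ATTR_VALUE", "TAG_NAME_CLOSE" };
static int print_cb(tok_t t, const char *s, size_t len, void *ctx) {   /* dump events as on slide 17 */
    ++*(int *)ctx; printf("%-14s %.*s\n", names[t], (int)len, s); return 0;
}
int count_tokens(const char *s) { int n = 0; tokenize(s, strlen(s), print_cb, &n); return n; }
```

Calling `count_tokens("<img src=\"junk\" onerror=alert(1);>")` prints the six events of slide 17, and `is_xss` on the same string stops at the `onerror` attribute name. The context loop is what makes a fragment such as `x' onerror='alert(1)` detectable: on its own it is plain text, but wrapped in the attribute-name, unquoted-value and single-quoted-value contexts it produces an `on*` attribute token, while the double-quoted and backtick contexts keep it inside one value. Note the asymmetry for `java<TAB>script:` values: the quoted contexts flag it, but an unquoted attribute value ends at the tab, which is exactly the kind of per-context behaviour the slide 24 false negatives come from.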
  20. XSS Cheat Sheets • Most are outdated (exploits for Firefox 3!) • sorry OWASP :-( • Each entry validated to make sure it is valid for HTML5 browsers
  21. HTML5SEC.org • Fantastic resource • But lists many examples for Firefox 3 and/or obsolete Opera versions • Pruned to focus on HTML5 browsers
  22. @soaj1664ashar • Produces interesting, new XSS regularly • If you like XSS, please follow him on Twitter • http://bit.ly/1bwXTgn • http://pastebin.com/u6FY1xDA • http://bit.ly/1iXODkW
  23. Attack / Scanners • Integrated output of one XSS scanner • Using the Shazzer fuzz database http://shazzer.co.uk/ (Thanks to the ModSecurity team)
  24. $ make test-xss
      ./reader -t -i -x -m 10 ../data/xss*
      ../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
      ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
      ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
      ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `>
      ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!>
      ../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit>
      ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)>
      ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script>
      ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
      ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
      ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
      XSS : 1628 SAFE : 11 TOTAL : 1639
      Threshold is 10, got 11, failing.
      1639 Total Samples • 1628 Detected as XSS • 11 False Negatives
  25. IE Unbalanced Quotes • IE 8+ has strange behaviour with ‘unbalanced quotes’ inside comments and attribute values • Work in progress
  26. TODO 2014-02-17 • It’s alpha, so it’s likely to have some spectacular failures (bypasses) • False-positive QA not completed • Currently does not handle some IE injections • Does not have a test-bed for experimenting (maybe later this week) • More QA and code coverage needed • No bindings for scripting languages (soon)