Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Libinjection: From SQLi to XSS

Libinjection: From SQLi to XSS

First presented at OWASP AppSec SoCal in Santa Monica, California on January 28, 2014

Nick Galbreath

January 28, 2014

More Decks by Nick Galbreath

Other Decks in Programming


  1. Nick Galbreath @ngalbreath [email protected] What’s the Goal? 5P&MJNJOBUF *OKFDUJPO"UUBDLT Correction

    solution is validate inputs, but… Developer education ain’t cutting it Massive legacy and existing applications need protecting
  2. Nick Galbreath @ngalbreath [email protected] What is Libinjection? • A c-library

    for detecting SQLi attacks from user input • Released at BlackHat USA 2012 • Tokenizes user input as if it were SQL • Then matches token-stream against 
 known SQL attacks • Currently in IronBee and ModSecurity WAFs
  3. Nick Galbreath @ngalbreath [email protected] Why libinjection? • To my amazement

    there was no standardized, measurable open source solution for detecting SQLi. • The ones that existed were mostly collections of regular expressions, without unit tests or other QA. • How do you know how well it works? Or if it works at all?
  4. Nick Galbreath @ngalbreath [email protected] Initial Attempt • 16 Tokens •

    622 SQLi fingerprints • Maybe a few rules to ‘fold’ or combine tokens
  5. Nick Galbreath @ngalbreath [email protected] Current Status • Two years later….

    • Version 3.9.1 • 20 number of tokens — and could use more! • 8000+ SQLi fingerprints • 30+ rules for folding together tokens • 400+ unit tests • 85,000+ SQLi samples
  6. Nick Galbreath @ngalbreath [email protected] Active Attack-Driven QA • Original training

    was done by using SQLi attack scanners. • Unfortunately, I learned they are not equivalent to skilled attackers. At all. • SQL is a lot larger, and more diverse than I expected. • Many many bypasses found initially. • Big thanks to @rsalgado and @modsecurity team and many others
  7. Nick Galbreath @ngalbreath [email protected] Go Get It! • https://libinjection.client9.com/ •

    https://github.com/client9/libinjection/ • Lots more presentations on client9.com
  8. Nick Galbreath @ngalbreath [email protected] HTML Injection • <b>XSS</b> (raw HTML)

    • <foo XSS > (tag attribute from user input) • <foo name=XSS> (tag value from user input) • <foo name=‘XSS’> (quoted value) • <foo name=“XSS”> (quoted value) • <foo name=`XSS`> (IE only!)
  9. Nick Galbreath @ngalbreath [email protected] These are attacks against the HTML

    tokenization algorithm. ! The goal is to change the context to javascript and execute arbitrary code
  10. Nick Galbreath @ngalbreath [email protected] Javascript Injection • Dynamically generated CSS,

    using user-input • Dynamically generated Javascript, using user-input. • DOM type attacks, javascript that uses the environment to generate HTML.
  11. Nick Galbreath @ngalbreath [email protected] Hard Problem • Many times the

    server is not involved
 (100% client-side problem). • Javascript unlike SQL is highly dynamic and error tolerant. • Detecting javascript ‘fragments’ without context is near impossible to do accurately and with precision.
  12. Nick Galbreath @ngalbreath [email protected] “Use a HTML Purifier” • Yeah

    sure…if you are expecting full HTML inputs • Most inputs are not HTML, which means you’ll be rejecting a lot of inputs. • <[email protected]> would be rejected since it’s not a whitelisted tag. • Fairly large, language-specific libraries • Not a practical solution
  13. Nick Galbreath @ngalbreath [email protected] Sanitization Functions • 1,000,000 sanitization functions

    exist • Attempt to turn XSS input into something safe • Why? Why not just reject the input? • Altering inputs can create new vectors of attack
  14. Nick Galbreath @ngalbreath [email protected] Regular Expressions • Regular expression soup

    without QA either for positive and false positives. • Impossible to debug • Have a hard time dealing with escaped inputs

  16. Nick Galbreath @ngalbreath [email protected] The remainder are IE • And

    IE only has a few versions • The tokenizer didn't change that much • Well-known exceptions to the rule • HTML5 was designed to mostly match existing behavior anyways
  17. Nick Galbreath @ngalbreath [email protected] IE6 and IE7 • IE7 has

    only 2% of market share • IE6 will, in time, go away. • Both are likely running on 10 year old machine.
  18. Nick Galbreath @ngalbreath [email protected] IE8 • Somewhere between 10-20% marketshare

    • The most modern MS browser on Windows XP • Marketshare can only go down.
  19. Nick Galbreath @ngalbreath [email protected] Opera • 1.33% Global Market Share

    • But maybe 40% of that is ‘Opera Mini’ for phone or embedded systems • Opera has a lot of oddities in HTML functionality and parsing • Ignoring
  20. Nick Galbreath @ngalbreath [email protected] Pick Your Battles
 Not Covering •

    XML / XSLT injection • Any injection for IE6, IE7, Opera, FF and Chrome older than a year. • DOM style attacks (need a client solution)
  21. Nick Galbreath @ngalbreath [email protected] Technique • Parse user input, in

    a number of HTML contexts to get tags, attributes, values, just like a browser would • Ban various unsafe things
  22. Nick Galbreath @ngalbreath [email protected] Shifting the Problem • Turn a

    security problem which is an open question into another known, solved problem. • ‘Detecting XSS’ -> how do you QA? How do you know if you are correct? • ‘Detecting XSS’ -> Tokenizing HTML5. Completely testable in a positive case. Now the detecting XSS part is much much smaller.
  23. Nick Galbreath @ngalbreath [email protected] HTML5 Tokenization • Tree building: Hard

    • Handling broken, nested tags: hard • Defining exact order of operations with script tags: hard • Defining what tags actually do: hard and evolving • Rendering: hard. • HTML5 Tokenization: easy and well-defined.
  24. Nick Galbreath @ngalbreath [email protected] libinjection html5 • Full HTML5 Tokenizer.

    • Does not build a tree or DOMs • Just emits tokenizer events. • Zero copying of data
  25. Nick Galbreath @ngalbreath [email protected] Sample TAG_NAME_OPEN img ATTR_NAME src ATTR_VALUE

    junk ATTR_NAME onerror ATTR_VALUE alert(1); TAG_NAME_CLOSE > <img src=“junk” onerror=alert(1);>
  26. Nick Galbreath @ngalbreath [email protected] Problematic Tokens • Problematic tags, attributes,

    and values are cataloged. • Tags: <script>, anything XML or SVG related • Attributes: on*, etc • Values: JS urls in various formats
  27. Nick Galbreath @ngalbreath [email protected] Yeah its a blacklist • But

    its based on tokenization so there is additional context. • ‘onerror’ as-is, is NOT an injection • ‘onerror’ with an value, is (requires ‘=‘ afterwards, an non- empty value). • Should have better false positives and 
 false negatives • How else are you going to do it? • Likely to need refinement
  28. Nick Galbreath @ngalbreath [email protected] Check in each Context • Each

    input is parsed in different HTML contexts • <b>XSS</b> (raw HTML) • <foo XSS > (tag attribute from user input) • <foo name=XSS> (tag value from user input) • <foo name=‘XSS’> (quoted value) • <foo name=“XSS”> (quoted value) • <foo name=`XSS`> (IE only!)
  29. Nick Galbreath @ngalbreath [email protected] XSS Cheat Sheets • Most are

    outdated • sorry OWASP :-( • Validated to make sure they are valid for HTML5 browsers.
  30. Nick Galbreath @ngalbreath [email protected] HTML5SEC.org • Fantastic resource • List

    many examples for Firefox 3 and/or obsolete Opera versions • Pruned to focus on HTML5 browsers
  31. Nick Galbreath @ngalbreath [email protected] @soaj1664ashar • Produces interesting, new XSS

    regularly • If you like XSS, please follow him on Twitter • http://bit.ly/1bwXTgn • http://pastebin.com/u6FY1xDA • http://bit.ly/1iXODkW
  32. Nick Galbreath @ngalbreath [email protected] Attack / Scanners • Only integrated

    one scanner’s test cases • Need to find/use more.
  33. Nick Galbreath @ngalbreath [email protected] $ make test-xss ./reader -t -i

    -x -m 10 ../data/xss* ../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'> ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'> ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'> ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `> ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!> ../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit> ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)> ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script> ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ! XSS : 1628 SAFE : 11 TOTAL : 1639 ! Threshold is 10, got 11, failing. 1639 Total Samples 1628 Detected as XSS 11 False Negatives
  34. Nick Galbreath @ngalbreath [email protected] IE Unbalanced Quote • Not sure

    if only IE 8 or not. • Can you spare a Windows machine for a quick DOM inspection? • A few others look bogus but need to check on IE.
  35. Nick Galbreath @ngalbreath [email protected] Current Status 2014-01-27 • It’s alpha

    — so it’s likely to have some spectacular failures (bypasses) • False Positive QA not completed. • Currently does not handle some IE injections • Does not have a test-bed for experimenting (maybe later this week). • More QA, code-coverage needed • No bindings for scripting languages (soon).
  36. Nick Galbreath @ngalbreath [email protected] What do you expect? • It’s

    free! • On github
 https://github.com/client9/libinjection • On web
 https://libinjection.client9.com/ • Stay tuned for details! • Thanks!
  37. Nick Galbreath @ngalbreath [email protected] Thanks to everyone at OWASP AppSec

 See you next year! —nickg If you have any questions on libinjection, 
 please see https://libinjection.client9.com/ or email me at [email protected]