Libinjection: From SQLi to XSS

Transcript

1. libinjection: from sqli to xss https://speakerdeck.com/ngalbreath/ libinjection-from-sqli-to-xss Nick Galbreath OWASP

   AppSec SoCal Santa Monica, California January 28, 2014

2. Nick Galbreath @ngalbreath nickg@client9.com YouTube Screen Cast: http://bit.ly/1jqrnM8 ! 'MJDLS
   1IPUPT
   

   http://bit.ly/MZ0Cn0

3. Nick Galbreath @ngalbreath nickg@client9.com What’s the Goal? 5P
   &MJNJOBUF
   
   *OKFDUJPO
   "UUBDLT Correction

   solution is validate inputs, but… Developer education ain’t cutting it Massive legacy and existing applications need protecting

4. Nick Galbreath @ngalbreath nickg@client9.com What is Libinjection? • A c-library

   for detecting SQLi attacks from user input • Released at BlackHat USA 2012 • Tokenizes user input as if it were SQL • Then matches token-stream against 
 known SQL attacks • Currently in IronBee and ModSecurity WAFs

5. Nick Galbreath @ngalbreath nickg@client9.com Why libinjection? • To my amazement

   there was no standardized, measurable open source solution for detecting SQLi. • The ones that existed were mostly collections of regular expressions, without unit tests or other QA. • How do you know how well it works? Or if it works at all?

6. Nick Galbreath @ngalbreath nickg@client9.com Initial Attempt • 16 Tokens •

   622 SQLi fingerprints • Maybe a few rules to ‘fold’ or combine tokens

7. Nick Galbreath @ngalbreath nickg@client9.com Current Status • Two years later….

   • Version 3.9.1 • 20 number of tokens — and could use more! • 8000+ SQLi fingerprints • 30+ rules for folding together tokens • 400+ unit tests • 85,000+ SQLi samples

8. Nick Galbreath @ngalbreath nickg@client9.com Active Attack-Driven QA • Original training

   was done by using SQLi attack scanners. • Unfortunately, I learned they are not equivalent to skilled attackers. At all. • SQL is a lot larger, and more diverse than I expected. • Many many bypasses found initially. • Big thanks to @rsalgado and @modsecurity team and many others

9. Nick Galbreath @ngalbreath nickg@client9.com Go Get It! • https://libinjection.client9.com/ •

   https://github.com/client9/libinjection/ • Lots more presentations on client9.com

10. Nick Galbreath @ngalbreath nickg@client9.com XSS 5IF
    0UIFS
    *OKFDUJPO

11. Nick Galbreath @ngalbreath nickg@client9.com What is XSS injection?
 1. HTML

    Injection 2. Javascript Injection

12. Nick Galbreath @ngalbreath nickg@client9.com HTML Injection • <b>XSS</b> (raw HTML)

    • <foo XSS > (tag attribute from user input) • <foo name=XSS> (tag value from user input) • <foo name=‘XSS’> (quoted value) • <foo name=“XSS”> (quoted value) • <foo name=`XSS`> (IE only!)

13. Nick Galbreath @ngalbreath nickg@client9.com These are attacks against the HTML

    tokenization algorithm. ! The goal is to change the context to javascript and execute arbitrary code

14. Nick Galbreath @ngalbreath nickg@client9.com This seems detectable.

15. Nick Galbreath @ngalbreath nickg@client9.com Javascript Injection • Dynamically generated CSS,

    using user-input • Dynamically generated Javascript, using user-input. • DOM type attacks, javascript that uses the environment to generate HTML.

16. Nick Galbreath @ngalbreath nickg@client9.com These are attacks against existing javascript

    code.

17. Nick Galbreath @ngalbreath nickg@client9.com Hard Problem • Many times the

    server is not involved
 (100% client-side problem). • Javascript unlike SQL is highly dynamic and error tolerant. • Detecting javascript ‘fragments’ without context is near impossible to do accurately and with precision.

18. Nick Galbreath @ngalbreath nickg@client9.com What are existing solutions to 


    detecting XSS?

19. Nick Galbreath @ngalbreath nickg@client9.com “Use a HTML Purifier” • Yeah

    sure…if you are expecting full HTML inputs • Most inputs are not HTML, which means you’ll be rejecting a lot of inputs. • <nickg@client9.com> would be rejected since it’s not a whitelisted tag. • Fairly large, language-specific libraries • Not a practical solution

20. Nick Galbreath @ngalbreath nickg@client9.com Sanitization Functions • 1,000,000 sanitization functions

    exist • Attempt to turn XSS input into something safe • Why? Why not just reject the input? • Altering inputs can create new vectors of attack

21. Nick Galbreath @ngalbreath nickg@client9.com Regular Expressions • Regular expression soup

    without QA either for positive and false positives. • Impossible to debug • Have a hard time dealing with escaped inputs

22. Nick Galbreath @ngalbreath nickg@client9.com Who are the vectors of XSS

    Attacks?

23. Nick Galbreath @ngalbreath nickg@client9.com Web Browsers! 8IJMF
    UIFSF
    BSF
    TUJMM
    NBOZ
    
    EJ⒎FSFODFT
    JO
    IPX
    EJ⒎FSFOU
    CSPXTFS
    EP
    SFOEFSJOH
    BOE
    UIFZ
    BMM
    IBWF
    TQFDJBM
    GFBUVSFT

    
    KBWBTDSJQU
    FYUFOTJPOT
    BOE
    QSPQSJFUBSZ
    UBHTʜ
    UIFZ
    BDUVBMMZ
    IBWF
    DPOWFSHFE
    JO
    UFSNT
    PG
    QBSTJOH
    )5.-
    
    
    5IJT
    JT
    EVF
    UP
    )5.-

24. Nick Galbreath @ngalbreath nickg@client9.com HTML5 Parsers 
 are now the

    Majority IUUQUOXDPDR'VFP 
    
    BSF
    )5.-

25. Nick Galbreath @ngalbreath nickg@client9.com The remainder are IE • And

    IE only has a few versions • The tokenizer didn't change that much • Well-known exceptions to the rule • HTML5 was designed to mostly match existing behavior anyways

26. Nick Galbreath @ngalbreath nickg@client9.com IE6 and IE7 • IE7 has

    only 2% of market share • IE6 will, in time, go away. • Both are likely running on 10 year old machine.

27. Nick Galbreath @ngalbreath nickg@client9.com IE8 • Somewhere between 10-20% marketshare

    • The most modern MS browser on Windows XP • Marketshare can only go down.

28. Nick Galbreath @ngalbreath nickg@client9.com Opera • 1.33% Global Market Share

    • But maybe 40% of that is ‘Opera Mini’ for phone or embedded systems • Opera has a lot of oddities in HTML functionality and parsing • Ignoring

29. Nick Galbreath @ngalbreath nickg@client9.com Introducing
 libinjection XSS

30. XSS Detection for 
 The Future Focusing on
 HTML injection

    attacks in HTML5 clients.

31. Nick Galbreath @ngalbreath nickg@client9.com Pick Your Battles
 Not Covering •

    XML / XSLT injection • Any injection for IE6, IE7, Opera, FF and Chrome older than a year. • DOM style attacks (need a client solution)

32. Nick Galbreath @ngalbreath nickg@client9.com Technique • Parse user input, in

    a number of HTML contexts to get tags, attributes, values, just like a browser would • Ban various unsafe things

33. Nick Galbreath @ngalbreath nickg@client9.com Shifting the Problem • Turn a

    security problem which is an open question into another known, solved problem. • ‘Detecting XSS’ -> how do you QA? How do you know if you are correct? • ‘Detecting XSS’ -> Tokenizing HTML5. Completely testable in a positive case. Now the detecting XSS part is much much smaller.

34. Nick Galbreath @ngalbreath nickg@client9.com Tokenizing HTML, exactly how a browser

    does is relatively easy.

35. Nick Galbreath @ngalbreath nickg@client9.com HTML5 Tokenization • Tree building: Hard

    • Handling broken, nested tags: hard • Defining exact order of operations with script tags: hard • Defining what tags actually do: hard and evolving • Rendering: hard. • HTML5 Tokenization: easy and well-defined.

36. Nick Galbreath @ngalbreath nickg@client9.com Every Tokenization Step

37. Nick Galbreath @ngalbreath nickg@client9.com Is Clearly Defined

38. Nick Galbreath @ngalbreath nickg@client9.com libinjection html5 • Full HTML5 Tokenizer.

    • Does not build a tree or DOMs • Just emits tokenizer events. • Zero copying of data

39. Nick Galbreath @ngalbreath nickg@client9.com Sample TAG_NAME_OPEN img ATTR_NAME src ATTR_VALUE

    junk ATTR_NAME onerror ATTR_VALUE alert(1); TAG_NAME_CLOSE > <img src=“junk” onerror=alert(1);>

40. Nick Galbreath @ngalbreath nickg@client9.com Problematic Tokens • Problematic tags, attributes,

    and values are cataloged. • Tags: <script>, anything XML or SVG related • Attributes: on*, etc • Values: JS urls in various formats

41. Nick Galbreath @ngalbreath nickg@client9.com Yeah its a blacklist • But

    its based on tokenization so there is additional context. • ‘onerror’ as-is, is NOT an injection • ‘onerror’ with an value, is (requires ‘=‘ afterwards, an non- empty value). • Should have better false positives and 
 false negatives • How else are you going to do it? • Likely to need refinement

42. Nick Galbreath @ngalbreath nickg@client9.com Check in each Context • Each

    input is parsed in different HTML contexts • <b>XSS</b> (raw HTML) • <foo XSS > (tag attribute from user input) • <foo name=XSS> (tag value from user input) • <foo name=‘XSS’> (quoted value) • <foo name=“XSS”> (quoted value) • <foo name=`XSS`> (IE only!)

43. Nick Galbreath @ngalbreath nickg@client9.com Training Sources

44. Nick Galbreath @ngalbreath nickg@client9.com XSS Cheat Sheets • Most are

    outdated • sorry OWASP :-( • Validated to make sure they are valid for HTML5 browsers.

45. Nick Galbreath @ngalbreath nickg@client9.com HTML5SEC.org • Fantastic resource • List

    many examples for Firefox 3 and/or obsolete Opera versions • Pruned to focus on HTML5 browsers

46. Nick Galbreath @ngalbreath nickg@client9.com @soaj1664ashar • Produces interesting, new XSS

    regularly • If you like XSS, please follow him on Twitter • http://bit.ly/1bwXTgn • http://pastebin.com/u6FY1xDA • http://bit.ly/1iXODkW

47. Nick Galbreath @ngalbreath nickg@client9.com Attack / Scanners • Only integrated

    one scanner’s test cases • Need to find/use more.

48. Nick Galbreath @ngalbreath nickg@client9.com $ make test-xss ./reader -t -i

    -x -m 10 ../data/xss* ../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'> ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'> ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'> ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `> ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!> ../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit> ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)> ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script> ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ! XSS : 1628 SAFE : 11 TOTAL : 1639 ! Threshold is 10, got 11, failing. 1639 Total Samples 1628 Detected as XSS 11 False Negatives

49. Nick Galbreath @ngalbreath nickg@client9.com IE Unbalanced Quote • Not sure

    if only IE 8 or not. • Can you spare a Windows machine for a quick DOM inspection? • A few others look bogus but need to check on IE.

50. Nick Galbreath @ngalbreath nickg@client9.com Performance .PSF
    UIBO
     
    
 DIFDLT
    QFS
    TFDPOE
    (PPE
    &OPVHI

51. Nick Galbreath @ngalbreath nickg@client9.com Current Status 2014-01-27 • It’s alpha

    — so it’s likely to have some spectacular failures (bypasses) • False Positive QA not completed. • Currently does not handle some IE injections • Does not have a test-bed for experimenting (maybe later this week). • More QA, code-coverage needed • No bindings for scripting languages (soon).

52. Nick Galbreath @ngalbreath nickg@client9.com What do you expect? • It’s

    free! • On github
 https://github.com/client9/libinjection • On web
 https://libinjection.client9.com/ • Stay tuned for details! • Thanks!

53. Nick Galbreath @ngalbreath nickg@client9.com Thanks to everyone at OWASP AppSec

    SoCal.
 See you next year! —nickg If you have any questions on libinjection, 
 please see https://libinjection.client9.com/ or email me at nickg@client9.com