
Libinjection: From SQLi to XSS


First presented at OWASP AppSec SoCal in Santa Monica, California on January 28, 2014


Nick Galbreath

January 28, 2014



  1. libinjection: from sqli to xss. https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss
     Nick Galbreath, OWASP AppSec SoCal, Santa Monica, California, January 28, 2014
  2. Nick Galbreath @ngalbreath nickg@client9.com
     YouTube screencast: http://bit.ly/1jqrnM8
     Flickr Photos

  3. What's the Goal? To Eliminate Injection Attacks.
     Correction: the solution is to validate inputs, but…
     • Developer education ain't cutting it
     • Massive legacy and existing applications need protecting
  4. What is Libinjection?
     • A C library for detecting SQLi attacks in user input
     • Released at BlackHat USA 2012
     • Tokenizes user input as if it were SQL
     • Then matches the token stream against known SQL attacks
     • Currently in the IronBee and ModSecurity WAFs
  5. Why libinjection?
     • To my amazement there was no standardized, measurable open source solution for detecting SQLi.
     • The ones that existed were mostly collections of regular expressions, without unit tests or other QA.
     • How do you know how well it works? Or if it works at all?
  6. Initial Attempt
     • 16 tokens
     • 622 SQLi fingerprints
     • Maybe a few rules to 'fold' or combine tokens
  7. Current Status
     • Two years later…
     • Version 3.9.1
     • 20 token types, and could use more!
     • 8000+ SQLi fingerprints
     • 30+ rules for folding tokens together
     • 400+ unit tests
     • 85,000+ SQLi samples
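An added example, not libinjection's code, of the pipeline slides 4, 6 and 7 describe: tokenize the input as SQL, fold tokens, take the first five token classes as a fingerprint, and look it up in a table of known-bad fingerprints. The token letters loosely follow libinjection's one-letter scheme, but the tokenizer, the folding rules and the KNOWN_SQLI table are this example's own constructions (libinjection ships thousands of fingerprints; this table has a dozen). Because a WAF cannot see the quotes the query will wrap around the input, the example also re-tokenizes the input as if it started inside a single-quoted and a double-quoted string; that retry is this example's choice, not something the slides state.

```python
import re

# Added example (not libinjection's code): tokenize -> fold -> fingerprint -> lookup.
# Token letters loosely follow libinjection's one-letter scheme; KNOWN_SQLI is a
# small constructed table for this example, not libinjection's fingerprint data.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?(?:\*/|$))
  | (?P<string>'(?:[^'\\]|\\.)*(?:'|$)|"(?:[^"\\]|\\.)*(?:"|$))   # may be unterminated
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op>\|\||&&|<=>|<>|!=|>=|<=|[=<>+\-*/%!~^|&])
  | (?P<punct>[(),;])
  | (?P<space>\s+)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)
LETTER = {"comment": "c", "string": "s", "number": "1", "op": "o", "other": "?"}
LOGIC = {"or", "and", "not", "xor"}                       # -> '&'
KEYWORDS = {"select", "from", "where", "insert", "update", "delete", "drop",
            "having", "order", "group", "by", "limit", "into", "like", "is", "null"}  # -> 'k'
FUNCTIONS = {"sleep", "benchmark", "concat", "char", "version", "load_file",
             "substring", "ascii", "user", "database"}    # -> 'f'
# Constructed: fingerprints that correspond to real injection shapes, e.g. s&sos is
# the classic  1' OR '1'='1  seen from inside a single-quoted string.
KNOWN_SQLI = {"s&sos", "s&1o1", "1&1o1", "1&sos", "sc", "1c", "s&s",
              "1Uk1,", "sUk1,", "s;k", "1;k"}

def tokenize(text):
    """Map SQL-looking text to a list of one-letter token classes."""
    out = []
    for m in TOKEN_RE.finditer(text):
        kind = m.lastgroup
        if kind == "space":
            continue
        if kind == "word":
            w = m.group().lower()
            out.append("&" if w in LOGIC else "U" if w == "union" else
                       "k" if w in KEYWORDS else "f" if w in FUNCTIONS else "n")
        elif kind == "punct":
            out.append(m.group())            # '(' ')' ',' ';' stand for themselves
        else:
            out.append(LETTER[kind])
    return out

def fold(tokens):
    """Two of the 'folding' rules the deck mentions: collapse runs of the same
    class (1 1 1 is still one value) and turn name-followed-by-paren into a call."""
    out = []
    for t in tokens:
        if out and t == out[-1] and t in ("1", "s", "n", "o", "c"):
            continue
        if t == "(" and out and out[-1] == "n":
            out[-1] = "f"
        out.append(t)
    return out

def fingerprint(text):
    """First five folded token classes; the cap keeps the table small and stops
    trailing junk from changing the match."""
    return "".join(fold(tokenize(text))[:5])

def fingerprints(user_input):
    """Fingerprint the input bare and as if it began inside a ' or " string."""
    return {ctx: fingerprint(prefix + user_input)
            for ctx, prefix in (("bare", ""), ("squote", "'"), ("dquote", '"'))}

def is_sqli(user_input):
    """Return (fingerprint, context) of the first known-bad match, else None."""
    for ctx, fp in fingerprints(user_input).items():
        if fp in KNOWN_SQLI:
            return fp, ctx
    return None

if __name__ == "__main__":
    for s in ("1' OR '1'='1", "admin'--", "' OR 1=1 --", "1 UNION SELECT 1,2",
              "O'Reilly", "hello world 42"):
        print(repr(s), fingerprints(s), "->", is_sqli(s))
```

The QA discipline the deck calls for lives in the table: every entry must be backed by a sample that actually executes as an injection, and benign inputs that contain quotes (O'Reilly) or bare words must fingerprint to something that is not in it; the false-negative side is what the 85,000 attack samples exercise.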
  8. Active Attack-Driven QA
     • Original training was done using SQLi attack scanners.
     • Unfortunately, I learned they are not equivalent to skilled attackers. At all.
     • SQL is a lot larger, and more diverse, than I expected.
     • Many, many bypasses were found initially.
     • Big thanks to @rsalgado, the @modsecurity team and many others
  9. Go Get It!
     • https://libinjection.client9.com/
     • https://github.com/client9/libinjection/
     • Lots more presentations on client9.com
  10. XSS: The Other Injection
  11. What is XSS injection?
     1. HTML injection
     2. Javascript injection
  12. HTML Injection
     • <b>XSS</b> (raw HTML)
     • <foo XSS > (tag attribute from user input)
     • <foo name=XSS> (tag value from user input)
     • <foo name='XSS'> (quoted value)
     • <foo name="XSS"> (quoted value)
     • <foo name=`XSS`> (IE only!)
  13. These are attacks against the HTML tokenization algorithm. The goal is to change the context to javascript and execute arbitrary code.
  14. This seems detectable.

  15. Javascript Injection
     • Dynamically generated CSS, using user input
     • Dynamically generated Javascript, using user input
     • DOM-type attacks: javascript that uses the environment to generate HTML
  16. These are attacks against existing javascript.
  17. Hard Problem
     • Many times the server is not involved (100% client-side problem).
     • Javascript, unlike SQL, is highly dynamic and error tolerant.
     • Detecting javascript 'fragments' without context is near impossible to do accurately and with precision.
  18. What are existing solutions to detecting XSS?
  19. "Use an HTML Purifier"
     • Yeah sure… if you are expecting full HTML inputs
     • Most inputs are not HTML, which means you'll be rejecting a lot of inputs.
     • <nickg@client9.com> would be rejected since it's not a whitelisted tag.
     • Fairly large, language-specific libraries
     • Not a practical solution
  20. Sanitization Functions
     • 1,000,000 sanitization functions exist
     • Attempt to turn XSS input into something safe
     • Why? Why not just reject the input?
     • Altering inputs can create new vectors of attack
  21. Regular Expressions
     • Regular expression soup, without QA for either detection rate or false positives.
     • Impossible to debug
     • Have a hard time dealing with escaped inputs
  22. Who are the vectors of XSS?
  24. HTML5 parsers are now the majority. [chart on the slide, with a source link, showing the share of browsers that are HTML5]
  25. The remainder are IE
     • And IE only has a few versions
     • The tokenizer didn't change that much
     • Well-known exceptions to the rule
     • HTML5 was designed to mostly match existing behavior anyway
  26. IE6 and IE7
     • IE7 has only 2% of market share
     • IE6 will, in time, go away.
     • Both are likely running on 10-year-old machines.
  27. IE8
     • Somewhere between 10-20% market share
     • The most modern MS browser on Windows XP
     • Market share can only go down.
  28. Opera
     • 1.33% global market share
     • But maybe 40% of that is 'Opera Mini' for phones or embedded systems
     • Opera has a lot of oddities in HTML functionality and parsing
     • Ignoring it.
  29. Introducing libinjection XSS
  30. XSS Detection for The Future: focusing on HTML injection attacks in HTML5 clients.
  31. Pick Your Battles. Not covering:
     • XML / XSLT injection
     • Any injection for IE6, IE7, Opera, or FF and Chrome older than a year.
     • DOM-style attacks (need a client solution)
  32. Technique
     • Parse user input, in a number of HTML contexts, to get tags, attributes and values, just like a browser would
     • Ban various unsafe things
  33. Shifting the Problem
     • Turn a security problem which is an open question into another known, solved problem.
     • 'Detecting XSS': how do you QA it? How do you know if you are correct?
     • 'Detecting XSS' -> tokenizing HTML5. Completely testable in the positive case. Now the detecting-XSS part is much, much smaller.
  34. Tokenizing HTML exactly how a browser does is relatively easy.
  35. HTML5 Tokenization
     • Tree building: hard
     • Handling broken, nested tags: hard
     • Defining the exact order of operations with script tags: hard
     • Defining what tags actually do: hard and evolving
     • Rendering: hard
     • HTML5 tokenization: easy and well-defined.
  36. Every Tokenization Step
  37. Is Clearly Defined
  38. libinjection html5
     • Full HTML5 tokenizer
     • Does not build a tree or DOM
     • Just emits tokenizer events
     • Zero copying of data
  39. Sample
     Input: <img src="junk" onerror=alert(1);>
     Token stream:
       TAG_NAME_OPEN   img
       ATTR_NAME       src
       ATTR_VALUE      junk
       ATTR_NAME       onerror
       ATTR_VALUE      alert(1);
       TAG_NAME_CLOSE  >
  40. Problematic Tokens
     • Problematic tags, attributes, and values are cataloged.
     • Tags: <script>, anything XML or SVG related
     • Attributes: on*, etc.
     • Values: JS URLs in various formats
  41. Yeah, it's a blacklist
     • But it's based on tokenization, so there is additional context.
     • 'onerror' as-is is NOT an injection.
     • 'onerror' with a value is (requires an '=' afterwards and a non-empty value).
     • Should have better false positive and false negative rates
     • How else are you going to do it?
     • Likely to need refinement
  42. Check in each Context. Each input is parsed in different HTML contexts:
     • <b>XSS</b> (raw HTML)
     • <foo XSS > (tag attribute from user input)
     • <foo name=XSS> (tag value from user input)
     • <foo name='XSS'> (quoted value)
     • <foo name="XSS"> (quoted value)
     • <foo name=`XSS`> (IE only!)
  43. Training Sources
  44. XSS Cheat Sheets
     • Most are outdated (sorry OWASP :-( )
     • Validated to make sure they are valid for HTML5 browsers.
  45. HTML5SEC.org
     • Fantastic resource
     • Lists many examples for Firefox 3 and/or obsolete Opera versions
     • Pruned to focus on HTML5 browsers
  46. @soaj1664ashar
     • Produces interesting, new XSS regularly
     • If you like XSS, please follow him on Twitter
     • http://bit.ly/1bwXTgn
     • http://pastebin.com/u6FY1xDA
     • http://bit.ly/1iXODkW
  47. Attack / Scanners
     • Only integrated one scanner's test cases
     • Need to find/use more.
  48. $ make test-xss
     ./reader -t -i -x -m 10 ../data/xss*
     ../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
     ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
     ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
     ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `>
     ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!>
     ../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit>
     ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)>
     ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script>
     ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
     ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
     ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
     XSS : 1628  SAFE : 11  TOTAL : 1639
     Threshold is 10, got 11, failing.
     1639 total samples, 1628 detected as XSS, 11 false negatives
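An added example, not libinjection's code, that ties together slides 32 and 39 to 42 and the test run above: a toy tokenizer following the HTML5 tokenizer's tag-open, attribute-name and attribute-value states and emitting the same event kinds the deck shows; a token-aware blacklist (banned tags, on* attributes only when they carry a value, javascript: URL values); the six-context wrapping from slide 42; and a 'make test-xss'-style loop that counts misses against a threshold. BANNED_TAGS, the CONTEXTS templates, the sample list and the threshold are constructed for this example. The tokenizer simplifies the spec (no character-reference decoding, no RAWTEXT/RCDATA states, end tags tokenized like start tags), which is why two of the constructed samples, the &#x09;-encoded URL and the html5sec attribute-quoting trick (test 62_2 in the run above), are misses, in the same way the run lists its 11.

```python
# Added example (not libinjection's code). Toy HTML5-style tokenizer emitting the
# event kinds the deck shows, a token-aware blacklist, the six-context check and
# a 'make test-xss'-style QA loop. Simplifications: no character-reference
# decoding, no RAWTEXT/RCDATA states, end tags tokenized like start tags.
WS = " \t\n\f"                                   # ASCII whitespace per the HTML5 tokenizer
BANNED_TAGS = {"script", "svg", "math", "xml", "iframe", "object", "embed"}  # constructed list

def tokenize_html(text):
    """Return (event, value) pairs: TAG_NAME_OPEN, ATTR_NAME, ATTR_VALUE, TAG_NAME_CLOSE."""
    events, i, n = [], 0, len(text)
    while i < n:
        lt = text.find("<", i)
        if lt < 0:
            break
        i = lt + 1
        if i < n and text[i] == "/":             # "</": end tag, same events for our purpose
            i += 1
        if i >= n:
            break
        if text[i] in "!?":                      # bogus comment state: swallow through next '>'
            gt = text.find(">", i)
            i = n if gt < 0 else gt + 1
            continue
        if not text[i].isalpha():                # "<" + non-letter is just text
            continue
        j = i
        while j < n and text[j] not in WS + "/>":
            j += 1
        events.append(("TAG_NAME_OPEN", text[i:j].lower()))
        i = j
        while i < n and text[i] != ">":          # attribute states
            if text[i] in WS + "/":
                i += 1
                continue
            j = i
            while j < n and text[j] not in WS + "/>=":
                j += 1
            name, i, value = text[i:j].lower(), j, ""
            while i < n and text[i] in WS:
                i += 1
            if i < n and text[i] == "=":
                i += 1
                while i < n and text[i] in WS:
                    i += 1
                if i < n and text[i] in "\"'":       # quoted value runs to the matching quote
                    end = text.find(text[i], i + 1)
                    end = n if end < 0 else end
                    value, i = text[i + 1:end], min(end + 1, n)
                else:                                # unquoted value runs to whitespace or '>'
                    j = i
                    while j < n and text[j] not in WS + ">":
                        j += 1
                    value, i = text[i:j], j
            events.append(("ATTR_NAME", name))
            events.append(("ATTR_VALUE", value))
        if i < n:
            events.append(("TAG_NAME_CLOSE", ">"))
            i += 1
    return events

def is_js_url(value):
    """Browsers drop ASCII control/whitespace chars inside the scheme, so strip them first."""
    return "".join(c for c in value if ord(c) > 0x20).lower().startswith(("javascript:", "vbscript:"))

def find_xss(events):
    """Token-aware blacklist: banned tag, on* attribute WITH a value, or a JS-URL value."""
    for idx, (kind, tok) in enumerate(events):
        if kind == "TAG_NAME_OPEN" and tok in BANNED_TAGS:
            return "tag:" + tok
        if kind == "ATTR_NAME":
            attr_value = events[idx + 1][1]          # tokenizer always pairs a name with a value
            if tok.startswith("on") and attr_value:  # a bare 'onerror' is not an injection
                return "attr:" + tok
            if is_js_url(attr_value):
                return "url:" + tok
    return None

CONTEXTS = {                                      # the six slots from the 'Check in each Context' slide
    "raw": "{}", "attr": "<foo {} >", "unquoted": "<foo name={}>",
    "squote": "<foo name='{}'>", "dquote": '<foo name="{}">', "backtick": "<foo name=`{}`>",
}

def is_xss(user_input):
    """Parse the input in every context; return (context, reason) for the first hit, else None."""
    for ctx, template in CONTEXTS.items():
        reason = find_xss(tokenize_html(template.format(user_input)))
        if reason:
            return ctx, reason
    return None

ATTACK_SAMPLES = [                                # constructed; every entry is a known attack
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
    '<a href="javascript:alert(1)">x</a>',
    "' onmouseover='alert(1)",
    "<script>alert(1)</script>",
    '<a href="jav&#x09;ascript:alert(1)">x</a>',            # missed: no character-reference decoding
    "<! '=\"foo\"><x foo='><img src=x onerror=alert(1)//'>",  # missed: the html5sec test 62_2 trick
]

def run_samples(samples, max_misses):
    """Like the deck's 'make test-xss': count undetected attacks and fail past the threshold."""
    misses = [s for s in samples if is_xss(s) is None]
    return {"total": len(samples), "detected": len(samples) - len(misses),
            "misses": misses, "passed": len(misses) <= max_misses}

if __name__ == "__main__":
    for s in ATTACK_SAMPLES + ["nickg@client9.com", "onerror", "<b>bold</b>"]:
        print(repr(s), "->", is_xss(s))
    print(run_samples(ATTACK_SAMPLES, max_misses=1))
```

Two things worth noticing when running it. The inputs the purifier slide complains about (nickg@client9.com, a bare onerror, plain <b>bold</b>) come back clean in every context, because nothing in their token streams is on the list. And the 62_2 miss is not a blacklist gap but a tokenization fact: the leading <! ... > is a bogus comment, and the payload ends up inside the quoted value of foo, which is exactly what a browser sees too, so closing that gap means reasoning about which contexts the attacker can break out of, not adding a regex.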
  49. IE Unbalanced Quote
     • Not sure if only IE8 or not.
     • Can you spare a Windows machine for a quick DOM inspection?
     • A few others look bogus but need to be checked on IE.
  50. Performance: More than …

  51. Current Status 2014-01-27
     • It's alpha, so it's likely to have some spectacular failures (bypasses)
     • False positive QA not completed.
     • Currently does not handle some IE injections
     • Does not have a test bed for experimenting (maybe later this week).
     • More QA and code coverage needed
     • No bindings for scripting languages (soon).
  52. What do you expect? It's free!
     • On github: https://github.com/client9/libinjection
     • On the web: https://libinjection.client9.com/
     • Stay tuned for details!
     • Thanks!
  53. Thanks to everyone at OWASP AppSec. See you next year! —nickg
     If you have any questions on libinjection, please see https://libinjection.client9.com/ or email me at nickg@client9.com