Libinjection: From SQLi to XSS

First presented at OWASP AppSec SoCal in Santa Monica, California on January 28, 2014

Nick Galbreath

January 28, 2014

Transcript

Slide 3: What's the Goal?

Nick Galbreath @ngalbreath nickg@client9.com

To Eliminate Injection Attacks

Correction: the solution is to validate inputs, but…
• Developer education ain't cutting it
• Massive legacy and existing applications need protecting
Slide 4: What is Libinjection?

• A C library for detecting SQLi attacks from user input
• Released at BlackHat USA 2012
• Tokenizes user input as if it were SQL
• Then matches the token stream against known SQL attacks
• Currently in the IronBee and ModSecurity WAFs
Slide 5: Why libinjection?

• To my amazement there was no standardized, measurable open source solution for detecting SQLi.
• The ones that existed were mostly collections of regular expressions, without unit tests or other QA.
• How do you know how well it works? Or if it works at all?
Slide 6: Initial Attempt

• 16 tokens
• 622 SQLi fingerprints
• Maybe a few rules to 'fold' or combine tokens
Slide 7: Current Status

• Two years later…
• Version 3.9.1
• 20 tokens (and could use more!)
• 8000+ SQLi fingerprints
• 30+ rules for folding together tokens
• 400+ unit tests
• 85,000+ SQLi samples
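The tokenize-then-fingerprint idea from slides 4 and 6, as an added example in Python. This is not libinjection's code: its real token alphabet, folding rules and fingerprint list are much larger and differ from these. The single-letter token classes, the three folding rules, the KNOWN_SQLI set and the three parsing contexts are all this example's own assumptions.

```python
"""Added example (not libinjection's code, token alphabet or fingerprint list):
user input is tokenized as if it were SQL, adjacent tokens are folded, and the
resulting fingerprint is looked up in a set of known-attack fingerprints."""
import re

# Token classes: s string, n number, k keyword, w word, o operator, p punctuation,
# c comment. Unterminated strings are accepted because the input is a fragment.
KEYWORDS = {"select", "union", "or", "and", "from", "where", "drop", "insert"}
TOKEN_RE = re.compile(r"""
    (?P<c>--[^\n]*|\#[^\n]*|/\*.*?(?:\*/|$))
  | (?P<s>'[^']*'?|"[^"]*"?)
  | (?P<n>\d+(?:\.\d+)?)
  | (?P<w>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<o>\|\||<>|<=|>=|!=|[=<>+\-*/%])
  | (?P<p>[(),;])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)

# Contexts (assumed): the input as-is, and as if it landed inside an open
# 'string' or "string"; the prefixed quote lets the user's quote close it.
CONTEXTS = {"as-is": "", "in single quotes": "'", "in double quotes": '"'}

# Folding rules (assumed), applied until nothing changes: value-op-value becomes
# one expression 'e', a run of keywords becomes one, a number list becomes one.
FOLD = [(re.compile(r"[nsw]o[nsw]"), "e"),
        (re.compile(r"kk+"), "k"),
        (re.compile(r"npn"), "n")]

# Known-attack fingerprints (assumed, illustrative). "Training" means adding
# a fingerprint here, not writing another regular expression.
KNOWN_SQLI = {"nke", "ske", "skec", "nkec", "nknc", "sc"}


def tokenize_sql(text):
    """Return (class, text) tokens; characters no rule matches become class '?'."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            tokens.append(("?", text[pos]))
            pos += 1
            continue
        kind, value = m.lastgroup, m.group()
        pos = m.end()
        if kind == "ws":
            continue
        if kind == "w" and value.lower() in KEYWORDS:
            kind = "k"
        tokens.append((kind, value))
    return tokens


def fingerprint(tokens):
    """Concatenate the token classes, then fold until a fixed point."""
    fp = "".join(kind for kind, _ in tokens)
    changed = True
    while changed:
        changed = False
        for pattern, repl in FOLD:
            new = pattern.sub(repl, fp, count=1)
            if new != fp:
                fp, changed = new, True
    return fp


def is_sqli(user_input):
    """Fingerprint the input in each context; return (context, fingerprint) on a
    match against the known set, or None when no context matches."""
    for name, prefix in CONTEXTS.items():
        fp = fingerprint(tokenize_sql(prefix + user_input))
        if fp in KNOWN_SQLI:
            return (name, fp)
    return None
```

A benign input such as O'Reilly tokenizes to a fingerprint the set does not contain, while ' or 1=1 -- only matches once it is parsed as if it were inside an open string; that per-fingerprint, per-context behaviour is what makes the approach measurable and unit-testable in the way slide 5 asks for.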
Slide 8: Active Attack-Driven QA

• Original training was done by using SQLi attack scanners.
• Unfortunately, I learned they are not equivalent to skilled attackers. At all.
• SQL is a lot larger and more diverse than I expected.
• Many, many bypasses found initially.
• Big thanks to @rsalgado, the @modsecurity team and many others
Slide 9: Go Get It!

• https://libinjection.client9.com/
• https://github.com/client9/libinjection/
• Lots more presentations on client9.com
Slide 12: HTML Injection

• <b>XSS</b> (raw HTML)
• <foo XSS > (tag attribute from user input)
• <foo name=XSS> (tag value from user input)
• <foo name='XSS'> (quoted value)
• <foo name="XSS"> (quoted value)
• <foo name=`XSS`> (IE only!)
Slide 13

These are attacks against the HTML tokenization algorithm. The goal is to change the context to javascript and execute arbitrary code.
Slide 15: Javascript Injection

• Dynamically generated CSS, using user input
• Dynamically generated Javascript, using user input
• DOM-type attacks: javascript that uses the environment to generate HTML
Slide 17: Hard Problem

• Many times the server is not involved (100% client-side problem).
• Javascript, unlike SQL, is highly dynamic and error tolerant.
• Detecting javascript 'fragments' without context is near impossible to do accurately and with precision.
Slide 19: "Use an HTML Purifier"

• Yeah sure… if you are expecting full HTML inputs
• Most inputs are not HTML, which means you'll be rejecting a lot of inputs.
• <nickg@client9.com> would be rejected since it's not a whitelisted tag.
• Fairly large, language-specific libraries
• Not a practical solution
Slide 20: Sanitization Functions

• 1,000,000 sanitization functions exist
• Attempt to turn XSS input into something safe
• Why? Why not just reject the input?
• Altering inputs can create new vectors of attack
Slide 21: Regular Expressions

• Regular expression soup, without QA for either true positives or false positives.
• Impossible to debug
• Have a hard time dealing with escaped inputs
Slide 23: Web Browsers!

While there are still many differences in how different browsers do rendering, and they all have special features, javascript extensions and proprietary tags… they actually have converged in terms of parsing HTML. This is due to HTML5.
Slide 25: The remainder are IE

• And IE only has a few versions
• The tokenizer didn't change that much
• Well-known exceptions to the rule
• HTML5 was designed to mostly match existing behavior anyways
Slide 26: IE6 and IE7

• IE7 has only 2% of market share
• IE6 will, in time, go away.
• Both are likely running on 10-year-old machines.
Slide 27: IE8

• Somewhere between 10-20% market share
• The most modern MS browser on Windows XP
• Market share can only go down.
Slide 28: Opera

• 1.33% global market share
• But maybe 40% of that is 'Opera Mini' for phones or embedded systems
• Opera has a lot of oddities in HTML functionality and parsing
• Ignoring
Slide 31: Pick Your Battles

Not covering:
• XML / XSLT injection
• Any injection for IE6, IE7, Opera, or FF and Chrome older than a year.
• DOM-style attacks (need a client solution)
Slide 32: Technique

• Parse user input, in a number of HTML contexts, to get tags, attributes and values, just like a browser would
• Ban various unsafe things
Slide 33: Shifting the Problem

• Turn a security problem which is an open question into another known, solved problem.
• 'Detecting XSS' -> how do you QA? How do you know if you are correct?
• 'Detecting XSS' -> Tokenizing HTML5. Completely testable in the positive case. Now the detecting-XSS part is much, much smaller.
Slide 35: HTML5 Tokenization

• Tree building: hard
• Handling broken, nested tags: hard
• Defining the exact order of operations with script tags: hard
• Defining what tags actually do: hard and evolving
• Rendering: hard
• HTML5 tokenization: easy and well-defined
Slide 38: libinjection html5

• Full HTML5 tokenizer
• Does not build a tree or DOM
• Just emits tokenizer events
• Zero copying of data
Slide 39: Sample

Input: <img src="junk" onerror=alert(1);>

TAG_NAME_OPEN   img
ATTR_NAME       src
ATTR_VALUE      junk
ATTR_NAME       onerror
ATTR_VALUE      alert(1);
TAG_NAME_CLOSE  >
Slide 40: Problematic Tokens

• Problematic tags, attributes, and values are cataloged.
• Tags: <script>, anything XML- or SVG-related
• Attributes: on*, etc.
• Values: JS URLs in various formats
Slide 41: Yeah, it's a blacklist

• But it's based on tokenization, so there is additional context.
• 'onerror' as-is is NOT an injection
• 'onerror' with a value is (requires '=' afterwards and a non-empty value).
• Should have better false positives and false negatives
• How else are you going to do it?
• Likely to need refinement
Slide 42: Check in each Context

• Each input is parsed in different HTML contexts
• <b>XSS</b> (raw HTML)
• <foo XSS > (tag attribute from user input)
• <foo name=XSS> (tag value from user input)
• <foo name='XSS'> (quoted value)
• <foo name="XSS"> (quoted value)
• <foo name=`XSS`> (IE only!)
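Slides 39 through 42 described in working code, as an added example that is not libinjection's own tokenizer or catalog. It emits the same kind of events as the sample slide, applies the token-based rule from slide 41 ('onerror' alone is not flagged, 'onerror' followed by a non-empty value is), and re-parses the input in each of the six contexts listed above. The event names beyond the sample slide (DATA, END_TAG, COMMENT), the banned tag and scheme lists, the context templates and the entity decoding in normalize_value are all this example's own assumptions; the inputs used in the usage note are taken from the slides.

```python
"""Added example, not libinjection's own code: an event-emitting tokenizer in the
style of the talk's sample slide, the token-based blacklist check, and the
per-context parsing. Tag and scheme lists here are the example's own."""
from html import unescape

BANNED_TAGS = {"script", "svg", "xml", "xsl", "iframe", "object", "embed"}
BANNED_SCHEMES = ("javascript:", "vbscript:")

# Each user input is re-parsed inside every HTML context from the slides.
CONTEXTS = {
    "raw html": "{0}",
    "attribute": "<foo {0} >",
    "unquoted value": "<foo name={0}>",
    "single quoted": "<foo name='{0}'>",
    "double quoted": '<foo name="{0}">',
    "backtick (IE)": "<foo name=`{0}`>",
}


def _scan(src, i, stop):
    """Advance i until stop(src[i]) holds or the input ends."""
    while i < len(src) and not stop(src[i]):
        i += 1
    return i


def tokenize(src):
    """Emit (event, text) pairs: no tree, no DOM, one pass over the string."""
    events, i, n = [], 0, len(src)
    while i < n:
        if src[i] != "<":
            j = _scan(src, i, lambda c: c == "<")
            events.append(("DATA", src[i:j]))
            i = j
            continue
        nxt = src[i + 1] if i + 1 < n else ""
        if nxt in ("!", "?", "/"):            # bogus comment, PI or end tag: swallow to '>'
            j = _scan(src, i, lambda c: c == ">")
            events.append(("END_TAG" if nxt == "/" else "COMMENT", src[i + 2:j].strip().lower()))
            i = j + 1
            continue
        if not nxt.isalpha():                 # a lone '<' is plain text
            events.append(("DATA", "<"))
            i += 1
            continue
        j = _scan(src, i + 1, lambda c: c.isspace() or c in "/>")
        events.append(("TAG_NAME_OPEN", src[i + 1:j].lower()))
        i = j
        while i < n:                          # attribute loop
            i = _scan(src, i, lambda c: not (c.isspace() or c == "/"))
            if i >= n:
                break
            if src[i] == ">":
                events.append(("TAG_NAME_CLOSE", ">"))
                i += 1
                break
            j = _scan(src, i, lambda c: c.isspace() or c in "=/>")
            events.append(("ATTR_NAME", src[i:j].lower()))
            i = _scan(src, j, lambda c: not c.isspace())
            if i < n and src[i] == "=":
                i = _scan(src, i + 1, lambda c: not c.isspace())
                if i < n and src[i] in "\"'`":    # backtick quoting is IE-only
                    j = _scan(src, i + 1, lambda c, q=src[i]: c == q)
                    events.append(("ATTR_VALUE", src[i + 1:j]))
                    i = j + 1
                else:
                    j = _scan(src, i, lambda c: c.isspace() or c == ">")
                    events.append(("ATTR_VALUE", src[i:j]))
                    i = j
    return events


def normalize_value(value):
    """Decode entities, drop whitespace and control characters, lowercase, so that
    'ja&Tab;vascr&Tab;ipt&colon;...' compares equal to 'javascript:...'."""
    return "".join(c for c in unescape(value) if ord(c) > 32).lower()


def find_injection(events):
    """Return a reason for the first banned token pattern, or None.
    'onerror' on its own is NOT flagged; 'onerror' with a non-empty value is."""
    for k, (ev, text) in enumerate(events):
        if ev == "TAG_NAME_OPEN" and text in BANNED_TAGS:
            return "banned tag <%s>" % text
        if ev == "ATTR_NAME" and text.startswith("on") and k + 1 < len(events):
            nev, nval = events[k + 1]
            if nev == "ATTR_VALUE" and normalize_value(nval):
                return "event handler %s with a value" % text
        if ev == "ATTR_VALUE" and normalize_value(text).startswith(BANNED_SCHEMES):
            return "script URL as attribute value"
    return None


def is_xss(user_input):
    """Parse the input in each context; return (context, reason) on a hit, else None."""
    for name, template in CONTEXTS.items():
        reason = find_injection(tokenize(template.format(user_input)))
        if reason:
            return (name, reason)
    return None
```

Running tokenize on the sample slide's input reproduces its six events; is_xss("onerror") is None while is_xss("onerror=alert(1)") is caught in the attribute context; <nickg@client9.com> from slide 19 parses as a harmless unknown tag rather than being rejected; and the <form/action=ja&Tab;vascr&Tab;ipt&colon;...> false negative listed on slide 48 is caught here only because normalize_value decodes entities before the scheme check, which is why that step belongs in the value rule rather than in the tokenizer.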
Slide 44: XSS Cheat Sheets

• Most are outdated
• sorry OWASP :-(
• Validated to make sure they are valid for HTML5 browsers.
Slide 45: HTML5SEC.org

• Fantastic resource
• Lists many examples for Firefox 3 and/or obsolete Opera versions
• Pruned to focus on HTML5 browsers
Slide 46: @soaj1664ashar

• Produces interesting, new XSS regularly
• If you like XSS, please follow him on Twitter
• http://bit.ly/1bwXTgn
• http://pastebin.com/u6FY1xDA
• http://bit.ly/1iXODkW
Slide 47: Attack / Scanners

• Only integrated one scanner's test cases
• Need to find/use more.
Slide 48: make test-xss

    $ make test-xss
    ./reader -t -i -x -m 10 ../data/xss*
    ../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
    ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
    ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
    ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `>
    ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!>
    ../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit>
    ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)>
    ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script>
    ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
    ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
    ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>

    XSS : 1628 SAFE : 11 TOTAL : 1639
    Threshold is 10, got 11, failing.

1639 Total Samples, 1628 Detected as XSS, 11 False Negatives
Slide 49: IE Unbalanced Quote

• Not sure if only IE 8 or not.
• Can you spare a Windows machine for a quick DOM inspection?
• A few others look bogus but need to be checked on IE.
Slide 51: Current Status 2014-01-27

• It's alpha, so it's likely to have some spectacular failures (bypasses)
• False positive QA not completed.
• Currently does not handle some IE injections
• Does not have a test-bed for experimenting (maybe later this week).
• More QA, code coverage needed
• No bindings for scripting languages (soon).
Slide 52: What do you expect?

• It's free!
• On github: https://github.com/client9/libinjection
• On the web: https://libinjection.client9.com/
• Stay tuned for details!
• Thanks!
Slide 53: Thanks

Thanks to everyone at OWASP AppSec SoCal. See you next year! —nickg

If you have any questions on libinjection, please see https://libinjection.client9.com/ or email me at nickg@client9.com