of Environment and Information Studies
• Graduated “Security Camp 2012” Web-sec Class; a speaker of the Security Camp caravan in Morioka
• Interested in XSS Vulnerability
Agenda
• administrators
• XSS inspection and reporting extension
• XSS reporting database and lifecycle
• Vulnerability Information Lifecycle Management
• Vulnerability survey in Japan
[Figure: inspection flow (yellow: user, green: scanner)]
  Access the service and get a token
  The server manager uploads the token to the server
  Check if the target server has a valid token
  Get page content
  Search for forms and submit tags to them
  Check if the sent tags are escaped
  Detect links
  Check if a link is a target
  Output result (email / web)
• Users can scan their websites by getting the token from our service and uploading it on their websites
• Only 3 steps for this inspection
Koki Nakayasu, Tomonori Yamamoto, Yuki Uehara, Keiji Takeda: Proposal and implementation of Web application for Cross-site Scripting Inspection (CSS 2011)
ordinary user
• XSS inspection extension for ordinary users
• Users can easily recognise whether the pages they access are safe or not
• The extension sends the url to the inspection server
• The inspection server checks the website
• The inspection server saves the result to the DB for reporting
[Figure: components: User, Google Chrome extension, inspection server, DB, web site. 1: Browse; 2: Send url of browsing; 3: Receive scan result. The inspection server sends parameters to the target, gets the response, saves the result to the DB and gets the result back]
handling standard published by METI (Ministry of Economy, Trade and Industry)
• IPA and JPCERT/CC manage vulnerability information of software and web sites
• A reporter can send vulnerability information anonymously
• Prevents disclosure of vulnerability information
• Publishes statistics of vulnerability reports
security researcher
• In Japan, IPA (Information-technology Promotion Agency) collects vulnerability reports
• IPA sends these reports to the administrators and encourages them to fix
• In my research, I reported many vulnerabilities on websites
• 2011 July - September, we reported 167 of 198 vulnerabilities
• “I need a new XSS reporting system”
[Figure: pie chart, me 84% / other 16%; source: IPA, status of reports on software vulnerability-related information, 2011 Q3 (July to September)]
XSS reporting database and lifecycle (2011-): Vulnerability checking for security researcher
the Web site
• Usage scenario
  • Users put a url into the scan server
  • The scan server sends parameters to the url and checks their escape status. The result is automatically saved to the DB as a report
  • These reports are checked weekly by a professor
  • Users can send reports with a click
This system handled 1500 vulnerability reports in 3 years
XSS reporting database and lifecycle (2011-): Vulnerability reporting and managing optimisation
Abstract
management system to Vulnerability coordinating association
• An optimisation of reporting and fixing after finding a web site vulnerability
• Define a web vulnerability format based on http request and response information
Koki Takahashi: Vulnerability Information Lifecycle Management, a Proposal. (Bachelor thesis, Keio University, 2014)
XSS reporting database and lifecycle (2011-): Vulnerability reporting and managing optimisation
Approach
abstract etc.
• Vulnerability researcher info: name, address etc.
• Website administrator info: name, address etc.
• Page / Web form information
• The format can include information on more than one discovery
XSS reporting database and lifecycle (2011-): Vulnerability reporting and managing optimisation
Approach
• Page / Form: define the form which has the problem
• Request: define the data sent in the scan
• Response: define the data received in the scan
XSS reporting database and lifecycle (2011-): Vulnerability reporting and managing optimisation
Approach
by url parameter
• reflection XSS, HTTP header injection
• CMS version checking
  • Check the WordPress / Movable Type version from the meta tag
• Show the result
• Send result data automatically to the vulnerability DB
XSS reporting database and lifecycle (2011-): Vulnerability reporting and managing optimisation
Approach
function of each element
• DB can be imported from API and Web form
• Generate the exploit code
XSS reporting database and lifecycle (2011-): Vulnerability reporting and managing optimisation
Approach
download a PoC from the DB
• Reporters send this PoC to the Administrator
• The PoC has two frames
  • 1: Users can send the same parameters as in the scan
  • 2: Users can check the responses in the scan
• The PoC was generated by the DB
Evaluation
managing optimisation
• Report XSS with a PoC to the Administrator
• 36 XSS were reported through IPA
• Reported with a PoC generated automatically by the DB
• 30 web sites were fixed
• Average fix time is 55 days
• 80% of fixes are within 90 days with a PoC
[Figure: share fixed within 90 days: with PoC 80%, total 66%]
about escape leaking which causes Simple Reflection XSS
• Purpose / Question
  • What percentage of web sites are vulnerable?
  • What kind of web sites are vulnerable?
• Result
  • 9762 forms have escape leaking (6.52%)
  • There is no difference between using https or not, or using the frame option or not
  • The block of top 1000 domains has a low rate, but no tendency can be seen
of access ranking (2013/10/11)
• access ranking from Alexa (http://www.alexa.com)
• Index page of these domains and the pages linked from the index page
• 871339 pages
• 149777 forms
[Figure: crawl flow: from the Alexa list (~~.jp, ~~.com, ~~.net, ~~.li) pick up the .jp domains into a domain list; access the top page of each (—.jp); pick up anchors (/index.html, /search.php, /about.html, /news.php, …); add these pages to the page list (—.jp, —.jp/search.php, …)]
page list
• Send parameters that include “<” and “>” to the form
• Save the result, the http request, and the http response to mongoDB
• Result
  • 9762 forms have escape leaking (6.52%)
[Figure: page list (—.jp, —.jp/search.php, …) → scanner sends parameters and checks the response → output json that includes the scan result, request, and response → mongoDB]
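The scan step described above (find the forms on a page, submit a probe containing “<” and “>”, classify the response, store result plus request and response as JSON), as an added Python example; it is not the authors' scanner, and the probe marker, form names and sample markup are constructed.

```python
from html.parser import HTMLParser
import html
import json

# Constructed probe in the spirit of the survey: it carries "<" and ">", so a page
# that echoes it verbatim reveals missing output escaping. A marker, not a payload.
PROBE = "<xsprobe-7f3a>"

class FormParser(HTMLParser):
    """Collect every <form> on a page with its action, method and named fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form and a.get("name"):
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def extract_forms(page_html):
    parser = FormParser()
    parser.feed(page_html)
    return parser.forms

def probe_params(form, probe=PROBE):
    """Parameters the scanner submits: every named field of the form gets the probe."""
    return {name: probe for name in form["fields"]}

def classify_reflection(response_body, probe=PROBE):
    """'leaking' if the probe comes back with '<' and '>' intact, 'escaped' if only
    the entity-encoded copy (&lt;...&gt;) appears, otherwise 'absent'."""
    if probe in response_body:
        return "leaking"
    if html.escape(probe) in response_body:
        return "escaped"
    return "absent"

def scan_record(page_url, form, response_body):
    """One JSON document per form, as the survey stored: result, request and response."""
    return json.dumps({"page": page_url, "action": form["action"], "method": form["method"],
                       "request": probe_params(form), "response": response_body,
                       "result": classify_reflection(response_body)})
```

Sites that encode with numeric references (&#60;) would land in “absent”; extend classify_reflection if the survey target uses them.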
is a low ratio
• Escape leaking on nginx is a higher rate than on other servers, but the number of forms is small
• On Apache the ratio is low
• On Apache with a version number the rate is high

kind          forms   escape leaking   percentage
Apache         6363   406               6.38%
Apache(1.x)     301    35              11.63%
Apache(2.x)    1451   163              11.23%
IIS             814    44               5.41%
IIS 6           343    18               5.25%
IIS 7           409    24               5.86%
nginx           368    25              11.74%
• validateRequest function
• PHP
  • PHP is a high rate in any version
  • PHP/5.x is newer than 4, but PHP/5.x is higher than 4

kind                forms   escape leaking   percentage
ASP.NET              617    37                6.00%
PHP                 2231   267               11.97%
PHP/4.x              146    15               10.27%
PHP/5.x             2231   267               12.09%
Phusion Passenger     50     1                2.00%
Servlet               41     1                2.70%
high rate
• Web sites by companies have more forms than other kinds
  • Inquiry form, shopping cart etc.
• go.jp (governmental websites) is safely escaping queries in general
• Likewise, ac.jp (academic websites) is also safe
• In this investigation, the subject was limited

kind    forms   escape leaking   percentage
ac.jp    1998     64               3.20%
ad.jp      45      4               8.89%
co.jp   36922   3353               9.08%
ed.jp     329      6               1.82%
go.jp     649     10               1.52%
gr.jp     266     46              17.29%
lg.jp     106      1               0.94%
ne.jp    4216    181               4.29%
or.jp    2498    154               6.16%
jp      74174   3572               4.82%
asp is a high rate, but aspx is a very low rate
• aspx: ASP.NET
• ASP.NET has the requestValidation function which blocks requests containing HTML tags
• Many pages of php and cgi are unescaped

kind    forms   escape leaking   percentage
.asp      965    113              11.71%
.aspx    2660      2               0.08%
.html    9842    382               3.88%
.cgi     3861    265               6.86%
.php     9809    966               9.85%
• pick up from access ranking
• Collected header information
  • Server: 2546 types (Preliminary: 303 types); some servers use a Server header with a session id
  • X-Powered-By: 311 types (Preliminary: 124 types)

subject domains   subject pages   subject forms   escape leaking
16000             871339          149777          9762 (6.52% of forms)

         server header   x-powered-by header
all      2546            311
XSSed     395            142
on IIS is a low ratio
• Escape leaking on nginx is a very low rate
  • in the preliminary investigation, the nginx sample was very small
• On Apache the ratio is low
  • On Apache 1.x the rate is high

kind          forms    escape leaking   percentage
Apache        106781   7594              7.09%
Apache(1.x)     8377   1950             23.27%
Apache(2.x)    31998   2414              7.54%
IIS            10906    264              5.41%
IIS 6           6595    144              2.18%
IIS 7           5135     85              1.66%
nginx           7518    198              2.63%
ratio
• ASP.NET has the requestValidation function which blocks requests containing HTML tags
• Servlet is a very low ratio
  • J2EE Filter function
• PHP
  • PHP is a high rate in any version

kind                forms   escape leaking   percentage
ASP.NET             10774    175              1.62%
PHP                 37600   3222              8.57%
PHP/4.x              4542    350              7.71%
PHP/5.x             33040   2872              8.70%
Phusion Passenger     571     14              2.45%
Servlet              2511     18              0.72%
security
• Strict-Transport-Security
• X-Frame-Options / Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Content-Security-Policy / X-Content-Security-Policy / X-WebKit-CSP
• Show trends of these headers in use
List of useful HTTP headers (OWASP)
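One way to collect the header trends this slide asks for, as an added Python example that is not the authors' survey code: parse a raw response head, record which of the headers listed above are present and whether they are actually enabled, and note whether Server / X-Powered-By disclose a version (the survey's version-checking angle). The sample response head is constructed.

```python
import re

# Headers the survey tracked (OWASP "useful HTTP headers") and the CSP spellings
# that were in use at the time of the survey.
CSP_NAMES = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")
TRACKED = ("strict-transport-security", "x-frame-options", "frame-options",
           "x-xss-protection", "x-content-type-options") + CSP_NAMES
VERSION = re.compile(r"/\d+(\.\d+)*")   # e.g. "Apache/2.2.22", "PHP/5.3.10"

def parse_headers(raw_head):
    """Lower-cased dict from a raw response head (status line, header lines, blank line).
    Repeated fields are joined with ', ', which RFC 7230 permits for list-valued headers."""
    headers = {}
    for line in raw_head.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break                                   # end of the header block
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return headers

def audit_headers(headers):
    """Per response: which tracked headers are present, how framing is restricted,
    whether the anti-XSS / anti-sniffing headers are actually enabled, and whether
    Server / X-Powered-By disclose a version number."""
    report = {name: headers.get(name) for name in TRACKED}
    xfo = (headers.get("x-frame-options") or "").strip().upper()
    report["framing"] = {"DENY": "deny", "SAMEORIGIN": "sameorigin"}.get(xfo, "unrestricted")
    report["xss_filter_on"] = (headers.get("x-xss-protection") or "").strip().startswith("1")
    report["nosniff"] = (headers.get("x-content-type-options") or "").strip().lower() == "nosniff"
    report["csp_in_use"] = any(headers.get(n) for n in CSP_NAMES)
    report["server_version_disclosed"] = bool(VERSION.search(headers.get("server", "")))
    report["powered_by_version_disclosed"] = bool(VERSION.search(headers.get("x-powered-by", "")))
    return report

# Constructed sample response head (not captured from any real site).
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

def audit_sample():
    return audit_headers(parse_headers(SAMPLE_HEAD))
```

Aggregating audit_headers output over the scanned page list gives the per-header counts and the escape-leaking rate per header that the following slides report.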
using this header: 1444 pages
• X-Frame-Options “deny”: 151
• X-Frame-Options “sameorigin”: 1294
• Frame-Options: 0 pages
• 5.6% of the pages using this header have escape leaking
Only a page uses X-Content-Security-Policy
• In this investigation, there is hardly any website using CSP
• It is desirable that research, tools, and lectures on using CSP increase
6.52% of web pages have escape leaking
• regardless of access frequency
  • The block of top 1000 domains has a low rate, but no tendency can be seen
• Only countermeasures for XSS at the framework or language level work
  • In this investigation, many XSS were blocked by the ASP.NET function
  • Others are more vulnerable than that
• Web sites made by corporations are more vulnerable
  • co.jp domain: 9.08%
  • These web sites have many forms
There is no difference between using https or not, or using the frame option or not
• http: 6.3%, https: 6.5%
• The Strict-Transport-Security header is used on some sites; these sites are safe
• The X-Frame-Options header is used on about 10% of forms, but 5.6% of these forms have escape leaking
• Web sites using countermeasure headers for XSS are more secure than others
  • In web pages that have the X-XSS-Protection / X-Content-Type-Options header, only 0.5% have escape leaking
• There is hardly any website using CSP
  • Only one form uses CSP
  • It is desirable that research, tools, and lectures on using CSP increase