Slide 1

libinjection: From SQLi to XSS
Nick Galbreath, @ngalbreath
Signal Sciences Corp
[email protected]
Code Blue ∙ Tokyo ∙ 2014-02-18

Slide 2

This is also in English! https://speakerdeck.com/ngalbreath/codeblue2014-en-libinjection-from-sqli-to-xss
This is also in Japanese! https://speakerdeck.com/ngalbreath/codeblue2014-jp-libinjection-from-sqli-to-xss

Slide 3

Nick Galbreath
 @ngalbreath
 • Founder/CTO of Signal Sciences Corp
 • Before: IponWeb (Moscow, Tokyo)
 • Before: Etsy (New York City)
 NEW

Slide 4

What is libinjection?
 • A small C library to detect SQLi attacks in user input
 • With APIs in Python, Lua and PHP
 • Introduced at Black Hat USA 2012
 • Open source with BSD license
 • https://github.com/client9/libinjection

Slide 5

Why libinjection?
 • Existing detection is mostly done with regular expressions
 • No unit tests
 • No performance (speed) tests
 • No coverage tests
 • No accuracy or precision tests
 • No false positive tests
 • “What are they actually doing?”

Slide 6

libinjection SQLi Today
 • Version 3.9.1
 • 8000+ unique SQLi fingerprints
 • 400+ unit tests
 • 85,000+ SQLi samples

Slide 7

In Use At
 • mod_security WAF http://www.modsecurity.org/
 • ironbee WAF https://www.ironbee.com/
 • glastopf honeypot http://glastopf.org/
 • proprietary WAFs
 • internally at many companies
 • plus, a pure-Java port https://github.com/Kanatoko/libinjection-Java
 • .NET wrapper https://github.com/kochetkov/Libinjection.Net

Slide 8

XSS

Slide 9

Similar to SQLi
 • No standard detection library
 • Few, if any, have tests
 • Most are based on regular expressions
 • Can we do better?

Slide 10

Two Types of XSS
 • HTML injection attacks
 • JavaScript injection attacks

Slide 11

XSS JavaScript Injection
 • Includes DOM-style attacks
 • Attacks existing JavaScript code.
 • Detection can truly be done only on the client
 • A very hard problem

Slide 12

HTML Injection
 • HTML injection attacks target the HTML tokenization algorithm (the step that turns text such as “foo” into tags)
 • The goal is to change the context to ‘javascript’ and execute arbitrary code.
 • This seems detectable.

Slide 13

HTML Injection Samples
 • XSS (raw HTML)
 • (tag attribute name)
 • (tag attribute value)
 • (quoted value)
 • (quoted value)
 • (IE only!)

Slide 14

Browser HTML Tokenization
 • Previously every browser parsed or tokenised HTML differently.
 • This led to a number of different attacks using broken HTML tags, special characters or encodings.
 • Now most browsers use the same algorithm from the HTML5 specification.
 • The HTML5 algorithm is very specific.

Slide 15

Every Tokenization Step
 http://www.w3.org/html/wg/drafts/html/CR/syntax.html#tokenization

Slide 16

Is Clearly Defined

Slide 17

60+% of Desktop Browsers are HTML5
 http://tnw.co/1cqFueo
 IE 9      9%
 IE 10    11%
 IE 11    10%
 Firefox  14%
 Chrome   13%
 Safari    5%
 ------------
 HTML5    62%

Slide 18

~90% of Mobile Browsers are HTML5
 http://bit.ly/JQSZxb

Slide 19

Remainder is IE6, IE7 and IE8
 • IE6 will, in time, go away. Really ;-)
 • IE7 has only 2% of market share
 • IE8 has up to 20% market share
 • Mostly on Windows XP
 • Market share can only go down

Slide 20

libinjection XSS

Slide 21

HTML injection attacks in HTML5 clients.
 • No: XML / XSLT injection
 • No: Any injection for IE6, IE7, Opera, FF and Chrome older than a year.
 • No: DOM style attacks (need a client solution)

Slide 22

libinjection html5
 • Complete HTML5 tokenizer.
 • Does not build a tree or DOM
 • Just emits token events.
 • No copying of data

Slide 23

Tokenization Sample
 TAG_NAME_OPEN   img
 ATTR_NAME       src
 ATTR_VALUE      junk
 ATTR_NAME       onerror
 ATTR_VALUE      alert(1);
 TAG_NAME_CLOSE  >

Slide 24

Check in Each Context
Each input is parsed in at least 6 different HTML contexts, because that's how XSS works!
 • XSS (raw HTML)
 • (tag attribute name)
 • (tag attribute value)
 • (quoted value)
 • (quoted value)
 • (IE only!)

Slide 25

Ban Problematic Tokens
 • Problematic tags, attributes, and values are cataloged.
 • Tags: …, anything XML or SVG related
 • Attributes: on*, etc.
 • Values: javascript URLs in various formats
 • and more…
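The three slides above (tokenization sample, check in each context, ban problematic tokens) describe one pipeline. The Python below is an added example written for this page, not libinjection's own code: a tree-less HTML5-style tokenizer that only emits token events, the same input re-parsed in six HTML contexts, and a small catalogue of banned tokens. The event names TAG_NAME_OPEN, ATTR_NAME, ATTR_VALUE and TAG_NAME_CLOSE come from the tokenization sample; DATA_TEXT, TAG_CLOSE and TAG_COMMENT, the wrapper markup used for each context, and the banned tag list are assumptions of this example. The `<img src=junk onerror=alert(1);>` input tokenizes to exactly the six events shown on the slide.

```python
import html
import re

# Added example, not libinjection's code. Event names TAG_NAME_OPEN, ATTR_NAME, ATTR_VALUE
# and TAG_NAME_CLOSE follow the slide; DATA_TEXT, TAG_CLOSE and TAG_COMMENT are names
# chosen here (assumptions).
_TAG_NAME = re.compile(r'[^\s/>]+')
_ATTR_NAME = re.compile(r'[^\s/>=]+')
_UNQUOTED = re.compile(r'[^\s>]+')
_WS_OR_SLASH = re.compile(r'[ \t\n\f\r/]*')   # "/" between attributes is skipped like whitespace
_SPACE = re.compile(r'[ \t\n\f\r]*')

def tokenize(text):
    """Emit (kind, value) token events for `text` without building a DOM."""
    tokens = []
    i, n = 0, len(text)
    while i < n:
        if text[i] != '<':
            j = text.find('<', i)
            j = n if j < 0 else j
            tokens.append(('DATA_TEXT', text[i:j]))
            i = j
            continue
        if text.startswith('<!', i):                       # comment, doctype or bogus comment
            is_comment = text.startswith('<!--', i)
            end = text.find('-->' if is_comment else '>', i + (4 if is_comment else 2))
            end = n if end < 0 else end + (3 if is_comment else 1)
            tokens.append(('TAG_COMMENT', text[i:end]))
            i = end
            continue
        closing = text.startswith('</', i)
        start = i + 2 if closing else i + 1
        if start >= n or not text[start].isalpha():
            tokens.append(('DATA_TEXT', '<'))              # a bare "<" is just data in HTML5
            i += 1
            continue
        m = _TAG_NAME.match(text, start)
        tokens.append(('TAG_CLOSE' if closing else 'TAG_NAME_OPEN', m.group().lower()))
        i = m.end()
        while i < n:                                       # attribute loop
            i = _WS_OR_SLASH.match(text, i).end()
            if i >= n:
                break
            if text[i] == '>':
                tokens.append(('TAG_NAME_CLOSE', '>'))
                i += 1
                break
            m = _ATTR_NAME.match(text, i)
            if not m:                                      # stray "=": skip it
                i += 1
                continue
            tokens.append(('ATTR_NAME', m.group().lower()))
            i = _WS_OR_SLASH.match(text, m.end()).end()
            if i < n and text[i] == '=':
                i = _SPACE.match(text, i + 1).end()
                if i < n and text[i] in '"\'':             # quoted value
                    end = text.find(text[i], i + 1)
                    end = n if end < 0 else end
                    tokens.append(('ATTR_VALUE', text[i + 1:end]))
                    i = min(end + 1, n)
                else:                                      # unquoted value
                    m = _UNQUOTED.match(text, i)
                    tokens.append(('ATTR_VALUE', m.group() if m else ''))
                    i = m.end() if m else i
    return tokens

# The six contexts of the "Check in Each Context" slide; the wrapper markup is an assumption.
CONTEXTS = {
    'raw html':            lambda s: s,
    'tag attribute name':  lambda s: '<a ' + s + '>',
    'tag attribute value': lambda s: '<a href=' + s + '>',
    'double-quoted value': lambda s: '<a href="' + s + '">',
    'single-quoted value': lambda s: "<a href='" + s + "'>",
    'backtick value (IE)': lambda s: '<a href=`' + s + '`>',
}
BANNED_TAGS = {'script', 'iframe', 'object', 'embed', 'base', 'svg', 'xml'}   # illustrative subset
_CTRL = re.compile(r'[\x00-\x20]')

def is_script_url(value):
    """javascript:/vbscript: URL in any spelling: entities, embedded tabs/newlines, mixed case."""
    return _CTRL.sub('', html.unescape(value)).lower().startswith(('javascript:', 'vbscript:'))

def check_tokens(tokens):
    """Return the first problematic (kind, value) token, or None."""
    for kind, value in tokens:
        if (kind == 'TAG_NAME_OPEN' and value in BANNED_TAGS) or \
           (kind == 'ATTR_NAME' and value.startswith('on')) or \
           (kind == 'ATTR_VALUE' and is_script_url(value)):
            return kind, value
    return None

def is_xss(user_input):
    """Tokenize the input in every context; (context, token) on the first hit, else None."""
    for context, wrap in CONTEXTS.items():
        hit = check_tokens(tokenize(wrap(user_input)))
        if hit:
            return context, hit
    return None
```

Calling `is_xss('" onmouseover=alert(1) x="')` shows why the per-context re-parse matters: as raw HTML the string is plain text, but in the tag-attribute-name context it becomes an `on*` attribute and is flagged. `is_script_url` deliberately strips every byte below 0x21, which is broader than the tab/newline stripping browsers do on URLs; for a detector that bias towards catching variants is the intended trade-off.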

Slide 26

Training Sources

Slide 27

XSS Cheat Sheets
 • Most are outdated (exploits for Firefox 3!)
 • sorry OWASP :-(
 • Each entry validated to make sure it is valid for HTML5 browsers.

Slide 28

HTML5SEC.org
 • Fantastic resource
 • But lists many examples for Firefox 3 and/or obsolete Opera versions
 • Pruned to focus on HTML5 browsers

Slide 29

@soaj1664ashar
 • Produces interesting, new XSS regularly
 • If you like XSS, please follow him on Twitter
 • http://bit.ly/1bwXTgn
 • http://pastebin.com/u6FY1xDA
 • http://bit.ly/1iXODkW

Slide 30

Attack / Scanners
 • Integrated output of one XSS scanner
 • Using the Shazzer fuzz database http://shazzer.co.uk/ (Thanks to the ModSecurity team)

Slide 31

Current Status

Slide 32

Available Now
 • Available on GitHub: https://github.com/client9/libinjection
 • Home page: https://libinjection.client9.com/
 • but… still alpha

Slide 33

$ make test-xss
./reader -t -i -x -m 10 ../data/xss*
../data/xss-html5secorg.txt 149 False test 62_1
../data/xss-html5secorg.txt 151 False test 62_2
../data/xss-html5secorg.txt 153 False test 62_3
../data/xss-html5secorg.txt 352 False test 102
../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--` --!>
../data/xss-soaj1664ashar.txt 21 False
../data/xss-xenotix.txt 17 False "'`>
../data/xss-xenotix.txt 19 False '`">javascript:alert(1)
../data/xss-xenotix.txt 610 False `"'>
../data/xss-xenotix.txt 613 False `"'>
../data/xss-xenotix.txt 615 False `"'>
XSS : 1628 SAFE : 11 TOTAL : 1639
Threshold is 10, got 11, failing.

 1639 Total Samples
 1628 Detected as XSS
 11 False Negatives

Slide 34

IE Unbalanced Quotes
 • IE 8+ has strange behaviour with ‘unbalanced quotes’ inside comments and attribute values.
 • Work in progress

Slide 35

Performance
 … checks per second

Slide 36

TODO 2014-02-17
 • It’s alpha, so it’s likely to have some spectacular failures (bypasses)
 • False-positive QA not completed.
 • Currently does not handle some IE injections
 • Does not have a test-bed for experimenting (maybe later this week).
 • More QA, code coverage needed
 • No bindings for scripting languages (soon).

Slide 37