Q and A for any cross site scripting information. Feel free to ask away. 
Finding Vulnerabilities
Posted by: modoc
Date: September 26, 2006 06:41PM

I'm somewhat responsible for most of the web properties of one of the major companies that showed up in the Full Disclosure thread that got so much attention.

*thanks for that thread, we fixed the identified issues.*

I understand how XSS works, although I'm not 100% clear on when which escaping/encoding method works in what context with which browser.

We use a couple of commercial tools (SPI Dynamics' WebInspect for pen testing, including XSS, and Fortify Software's Fortify Suite, which does code analysis). They find many issues, but certainly not 100% of them. Given that the number and complexity of the web applications preclude my walking through all the code by hand, what tools or strategies would you folks here recommend for identifying additional XSS holes?

Thanks!

Modoc

Re: Finding Vulnerabilities
Posted by: Kyran
Date: September 26, 2006 06:49PM

Nice to meet you, Modoc. Thanks for joining us and not getting someone to sue us (http://jeremiahgrossman.blogspot.com/2006/09/is-testing-for-xss-illegal.html).

Lots of people say XSS is related to user input, but a large part of the issue is output. Anything that echoes user input is the problem. Check all input that is echoed against the cheat sheet: http://ha.ckers.org/xss.html. Filter out < > ( ) and = from user input, especially the parentheses.

- Kyran

Re: Finding Vulnerabilities
Posted by: modoc
Date: September 26, 2006 06:59PM

Kryan,

thanks for the welcome. Definitely not about to sue :) While I'd rather not find out about issues on the front page of /., it's better to find out that way than after a giant phishing wave.

I think part of my issue is that we're talking about perhaps 20+ applications, each of which is built with thousands of Java source files and thousands of JSPs, running on various clusters with various hostnames, etc.

Some of the sites are built and run by other teams, but they will fix issues if I can identify them.

Are there any good tools for finding these issues? At least better than the tools I'm using.

Maybe there's no magic and people just find these things by poking around a site and keeping an eye on the URL and page source, but I'm hoping there's some secret magic tool or trick here :)


Modoc

Re: Finding Vulnerabilities
Posted by: Kyran
Date: September 26, 2006 07:10PM

Modoc,

I'm glad you are taking an interest in the issues themselves before it's too late.

I'm not really sure if there is an all-powerful XSS locator magic trick. Most of us spend 1-20 minutes on a site, just poking around at user input and seeing how the returned HTML changes as a result.

I'm sure you could try to write your own tool based on the cheat sheet, though, once you get a better understanding of the attack vectors.

P.S. The y is before the r in my name. :P

- Kyran

Re: Finding Vulnerabilities
Posted by: modoc
Date: September 26, 2006 07:33PM

Sorry: Kyran. Got it:)

Re: Finding Vulnerabilities
Posted by: maluc
Date: September 26, 2006 09:01PM

Hi modoc, and I too am glad to see you understand we have no ill intent toward the websites posted. While I don't follow any disclosure policy, I do hope these sites notice these postings, realize their significance, and fix these issues on their own sites. That being said, I'm also a bit too lazy to write 30+ emails a day.

Although I believe it's possible for a program to do what a human can do with a computer, I've yet to hear of any 'XSS tester' that actually works on anything other than the most basic of issues (although most holes are indeed extremely basic).

In my opinion, the best way to protect yourself for now is to learn how we find these holes in the first place. It really is easier than it looks, and the average time I spend on a site looking for one is certainly less than 5 minutes.

You hit the nail on the head, in that one of the two biggest causes of these being on large sites is that most of the special add-on pages like newsletters/contests/etc. are written by someone other than the main web designer and aren't XSS-tested before going live. Most management may consider this infeasible, but it's something that must be done, to save themselves the embarrassment later.

The other biggest cause, though, is the main web developers themselves having no sense of web app security past 'update Apache and Windows daily'. You've got to 1) filter these inputs and outputs:
' -> &#39;
" -> &quot;
> -> &gt;
< -> &lt;
& -> &amp;
in EVERY page that is on your domain, and 2) use ISO 8859-1 encoding.
That'll solve *most* of your XSS problems, but the hardest part is making sure it's applied to every single way of inputting.

I tend to ramble so I'll stop for now ^^. I'd additionally recommend getting someone to thoroughly test your site occasionally (6 months for very dynamic sites) and during major revisions, but finding someone reliable is difficult at best. Giving them an XSS exam might be a good idea. :x

Wow, I wrote too much.
-maluc

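
Putting Kyran's "write your own tool" suggestion and maluc's escape list together, as an added example that is not code from the thread or from any poster: the encoder below implements exactly the five-character map in maluc's post, and the audit renders a harmless probe through three constructed page templates and reports which special characters were echoed raw. The probe text, the template functions and the "angle brackets only" half-fix are all constructed for illustration, not taken from any real site.

```python
import re

# Output-encoding map exactly as listed in maluc's post.  str.translate does a
# single pass, so an '&' produced by one substitution is never encoded again.
ENCODE_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}
_TABLE = {ord(ch): ent for ch, ent in ENCODE_MAP.items()}


def encode_for_html(value: str) -> str:
    """Encode untrusted text for an HTML body or a quoted attribute value."""
    return value.translate(_TABLE)


# Constructed probe (hypothetical): a harmless token carrying every character in
# the map, fenced by two plain words so each echo can be located in the page.
PROBE_HEAD, PROBE_TAIL = "xsschk", "kend"
PROBE = PROBE_HEAD + "<>\"'&" + PROBE_TAIL

# Three constructed renderings of one echoed parameter (stand-ins for JSPs).
def render_raw(name: str) -> str:            # no encoding at all
    return f'<p>Hello {name}</p><input value="{name}">'

def render_angle_only(name: str) -> str:     # common half-fix: only < and >
    return render_raw(name.replace("<", "&lt;").replace(">", "&gt;"))

def render_encoded(name: str) -> str:        # maluc's full map
    return render_raw(encode_for_html(name))


_BARE_AMP = re.compile(r"&(?!#\d+;|[A-Za-z]+;)")  # an '&' that starts no entity
_ECHO = re.compile(re.escape(PROBE_HEAD) + r"(.*?)" + re.escape(PROBE_TAIL), re.S)


def audit_reflections(page: str) -> dict:
    """Find every echo of the probe and report which special characters came
    back as raw markup instead of as entities.  An empty 'raw' list means the
    page applied the full map to every echo found."""
    echoes = _ECHO.findall(page)
    raw = set()
    for body in echoes:
        raw.update(ch for ch in "<>\"'" if ch in body)
        if _BARE_AMP.search(body):
            raw.add("&")
    return {"reflections": len(echoes), "raw": sorted(raw)}


if __name__ == "__main__":
    for render in (render_raw, render_angle_only, render_encoded):
        print(f"{render.__name__:18} {audit_reflections(render(PROBE))}")
```

The half-fixed template still echoes the quotes and ampersand raw, which is what makes the attribute-context case in modoc's question differ from the body-text case.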
Re: Finding Vulnerabilities
Posted by: rsnake
Date: September 26, 2006 11:29PM

Modoc - judging from your IP address I can pretty much guess what site(s) you're in charge of. That said, welcome and it's good to have you.

Now, I've played with a few vulnerability scanners out there. The one I am getting most interested in is actually not a commercial tool but something Jeremiah Grossman is working on (a private tool used for consultancy purposes only). If you want I can PM you his info.

The problem with most scanners is that they are looking only for certain types of signatures and using far too many resources to find perfect results, rather than focusing on the real problem, which is "potential" problems. Most of the time scanners cannot enumerate through all possibilities, but it's important to point out where there MAY be a problem, so that a human can investigate and eliminate. I'd rather know there's potentially a problem than not know there's potentially a problem.

All the mitigating factors Maluc mentioned above are good once you've identified the problem, but from a management process it is really far more complex. One way I've heard to mitigate these sorts of risks is to run vulnerability scanners (not black box but actual code review type scanners) and count the number of bugs. Baseline and then manage them down with bonuses, or revocation thereof. It's tricky, but it can be managed. Obviously finding single choke points for all the output is helpful, but that's even more tricky, especially with different coding groups.

Unfortunately given the various issues we discuss here there's no quick fix solution when the problem isn't already identified. Let us know if we can be more help with specific issues though.

- RSnake
Gotta love it. http://ha.ckers.org
