Sla.ckers.org
This group should mostly be dealing with how web applications enable networking security issues that are otherwise not there. Everything is being tunneled over port 80 now so what does that enable and how do we fix it? 
Regex for snort
Posted by: rsnake
Date: September 21, 2006 10:43AM

Placeholder for snort regex talk with p3rlhax:

p3rlhax, I think it's a pretty complex issue actually. Firstly you have to make an assumption that the server is using an encoding method that uses angle brackets at all (UTF-7 and US-ASCII can cause issues for instance). If it's UTF-8 you're in better shape and if it's ISO-8859-1 you're golden.

Next, you need to decide if you are going to catch every version of XSS or just what the page is vulnerable to. That'll make a big difference in your regex.

Next, if you know that a double quote in a particular URL parameter is not allowed and in fact that will allow the user to break out of the encapsulation that alone can be a signature. If it is allowed, that makes this a lot more complex.

So before I go down the rabbit hole, what are the parameters you want to detect in? We can probably work from there.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Regex for snort
Posted by: p3rlhax
Date: September 22, 2006 04:44AM

Thanks RSnake for creating the forum.

I think it is safe to assume that given a known vulnerable field, the method to break out of the encapsulation will also be fairly specific to that field. Consider that we know the vulnerable field and know the mechanism to break out of the encapsulation. What remains is to write a signature that will capture all strings capable of executing in the browser.

Let us consider a blogging application where all special characters need to be allowed as a value for the parameter. Thus if double quotes etc. need to be allowed, they cannot be used in the signature by themselves. An effective signature should catch breaking out of the encapsulation followed by some code that is capable of executing in the browser.

e.g. the signature I published for Roller:

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "Roller Weblog XSS exploit"; flow:to_server; content:"post"; depth:4; nocase; content:"method=post"; nocase; pcre:"/(name|email|url).*=.*%22.*%3e.*%3cscript.*%3e.*%3c%2fscript.*%3e.*&/i"; classtype:web-application-activity; sid:9999991; rev:1;)

p3rlhax

Re: Regex for snort
Posted by: rsnake
Date: September 22, 2006 10:25AM

My first thought is that this isn't taking into account other vectors. For instance the regex as you wrote it is looking for:

... " ... > ... <script ... > ... </script ...> ...

Which won't match things like this that work in every browser:

"><BODY onload=alert("XSS")>

So it needs to be more broad if you want to do accurate detection.

- RSnake
Gotta love it. http://ha.ckers.org
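Added example (not code from the thread or from Roller): the pcre from p3rlhax's rule above, applied the way Snort would apply it to the raw, still percent-encoded POST body, next to a broader pattern that also accepts a tag carrying an on*= handler, as RSnake suggests. The broader pattern, the helper names and the three constructed form bodies are this example's assumptions; the Snort rule's other checks (content:"post"; depth:4 on the request line, method=post) are not modelled here, only the pcre.

```python
import re
from urllib.parse import urlencode

# The pcre exactly as it appears in the Roller rule in the post above.
ROLLER_PCRE = re.compile(
    r"(name|email|url).*=.*%22.*%3e.*%3cscript.*%3e.*%3c%2fscript.*%3e.*&",
    re.IGNORECASE,
)

# Broader pattern (assumption of this example, not a published rule): after the
# quote-and-bracket breakout (%22 ... %3e ... %3c) accept either a <script> tag
# or any tag whose attributes contain an on<event>= handler. [^&]* keeps each
# match inside a single form field. A lone %22 still does not match, so fields
# that legitimately allow quotes are not flagged by that alone.
BROAD_PCRE = re.compile(
    r"(name|email|url)=[^&]*%22[^&]*%3e[^&]*%3c(?:script|[a-z]+[^&]*?on[a-z]+%3d)",
    re.IGNORECASE,
)


def form_body(fields: dict) -> str:
    """Build the application/x-www-form-urlencoded body a browser would send."""
    return urlencode(fields)


# Constructed sample bodies: a benign post, the <script> shape the Roller rule
# was written for, and the BODY onload vector quoted in the reply above.
BENIGN_BODY = form_body({"name": "alice", "email": "alice@example.com",
                         "url": "http://example.com/", "content": "hello world",
                         "method": "post"})
SCRIPT_BODY = form_body({"name": '"><script>alert(1)</script>',
                         "email": "x@example.com", "method": "post"})
ONLOAD_BODY = form_body({"name": '"><BODY onload=alert("XSS")>',
                         "email": "x@example.com", "method": "post"})


def roller_rule_matches(body: str) -> bool:
    """Does the original Roller pcre fire on this raw (encoded) body?"""
    return ROLLER_PCRE.search(body) is not None


def broad_rule_matches(body: str) -> bool:
    """Does the broader breakout-plus-handler pattern fire on this raw body?"""
    return BROAD_PCRE.search(body) is not None


def classify(body: str) -> dict:
    """Both verdicts for one body, so the gap between the two rules is visible."""
    return {"roller_rule": roller_rule_matches(body),
            "broad_rule": broad_rule_matches(body)}


if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("script tag", SCRIPT_BODY),
                        ("body onload", ONLOAD_BODY)]:
        print(f"{label:12} {classify(body)}")
```

Run it and the middle row shows the point of the reply: the Roller pcre is true only for the `<script>` body, while the onload body slips past it and is caught only by the broader pattern. The broader pattern is still a blacklist; it says nothing about vectors that avoid both a quote and an event handler, which is RSnake's first caveat about deciding whether you want "every version of XSS or just what the page is vulnerable to".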

Re: Regex for snort
Posted by: id
Date: September 22, 2006 03:38PM

Using the preprocessor http_inspect you shouldn't have to worry about the unicode. It has had exploits in the past and evasion, but it is probably the proper place to deal with normalizing data rather than sigs.

-id

Re: Regex for snort
Posted by: rsnake
Date: September 22, 2006 03:52PM

Does that also normalize variable width multi-byte tokens? Or rather detect anything outside of a certain ASCII range?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Regex for snort
Posted by: id
Date: September 22, 2006 04:37PM

I don't know if it does or not, but if it does not, it is still the place to add that functionality as opposed to the sigs. That way the functionality is only added once and new sigs only have to be written once for the normalized data.

-id

Re: Regex for snort
Posted by: rsnake
Date: September 23, 2006 07:32PM

That's actually not a bad idea, but it really should take into account what the encoding method is. If that was the case, you could probably add that functionality in without much issue.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Regex for snort
Posted by: p3rlhax
Date: September 24, 2006 12:56AM

If I am not mistaken the normalization is done only for the URL parameters in SNORT. This is achieved using the uricontent keyword. I don't think you can do the same for the post body.

p3rlhax

Re: Regex for snort
Posted by: rsnake
Date: September 24, 2006 01:29PM

It would need to do both for sure... It's not just unicode normalization, it's also changing high order ASCII chars to either low order or removing them completely.

- RSnake
Gotta love it. http://ha.ckers.org
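Added example (not code from the thread, and not http_inspect's own implementation): a small model of the normalize-once-then-match idea id and RSnake arrive at above. One signature is written against normalized text; a naive path (single percent-decode, no charset handling) and a normalizing path (repeated percent-decoding, charset-aware decoding that strips the high bit only when the declared charset is US-ASCII, then Unicode NFKC) run the same signature over the same raw bodies. The signature, the function names and the four constructed bodies are this example's assumptions.

```python
import re
import unicodedata
from urllib.parse import unquote_to_bytes

# Signature written once, against NORMALIZED text: a quote or bracket that ends
# the surrounding attribute/tag, then a <script> tag or any tag carrying an
# on<event>= attribute. Assumption of this example, not a rule from the thread.
NORMALIZED_SIG = re.compile(
    r'["\'>].*?<\s*(?:script\b|[a-z][a-z0-9]*\s[^>]*\bon[a-z]+\s*=)',
    re.IGNORECASE | re.DOTALL,
)


def percent_decode_fully(data: bytes, max_rounds: int = 3) -> bytes:
    """Percent-decode until the bytes stop changing (bounded), so a body that
    was encoded twice is seen the same way as one encoded once."""
    data = data.replace(b"+", b" ")          # form encoding: '+' is a space
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def normalize(raw: bytes, charset: str = "utf-8") -> str:
    """Encoding-aware normalization, as RSnake asks for: the rules depend on
    what the server will treat the bytes as."""
    data = percent_decode_fully(raw)
    if charset.lower() in ("us-ascii", "ascii"):
        # A 7-bit consumer drops the high bit, so 0xBC becomes 0x3C '<' and
        # 0xBE becomes 0x3E '>'. Do the same before matching.
        data = bytes(b & 0x7F for b in data)
    try:
        text = data.decode(charset)
    except (UnicodeDecodeError, LookupError):
        text = data.decode("latin-1")        # never drop the payload on a bad charset
    return unicodedata.normalize("NFKC", text)


def naive_match(raw: bytes) -> bool:
    """One percent-decode, no charset handling: what each signature would have
    to do for itself if the preprocessor did not normalize."""
    return NORMALIZED_SIG.search(unquote_to_bytes(raw).decode("latin-1")) is not None


def normalized_match(raw: bytes, charset: str = "utf-8") -> bool:
    """The same signature, run on the preprocessor-style normalized text."""
    return NORMALIZED_SIG.search(normalize(raw, charset)) is not None


# Constructed bodies: plain, percent-encoded twice, high-order bytes sent to a
# US-ASCII page, and a benign value that merely contains double quotes.
SAMPLES = {
    "plain":    (b"name=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&method=post", "utf-8"),
    "double":   (b"name=%2522%253E%253Cscript%253E&method=post", "utf-8"),
    "high-bit": (b"name=%22%BE%BCscript%BE&method=post", "us-ascii"),
    "benign":   (b"name=alice+%22the+admin%22&method=post", "utf-8"),
}


def summary() -> dict:
    """name -> (naive verdict, normalized verdict) for every sample."""
    return {name: (naive_match(raw), normalized_match(raw, charset))
            for name, (raw, charset) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, normalized) in summary().items():
        print(f"{name:9} naive={naive!s:5} normalized={normalized}")
```

The naive path catches only the plain body; the normalizing path catches the double-encoded and the high-bit bodies with the very same signature and still leaves the quoted-but-harmless value alone, which is p3rlhax's constraint that quotes have to be allowed in the field. Note that the high-bit rewrite is applied only because the sample is declared US-ASCII; applied blindly to a UTF-8 page it would mangle legitimate multi-byte text, which is why the normalization has to know the encoding.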

Noxes
Posted by: p3rlhax
Date: October 13, 2006 12:16AM

Just thought of sharing this information on this forum. For the past few days, I have been playing with a tool that claims to mitigate XSS using client side protection. It's called Noxes, built by the Secure Systems Lab from the Univ of Vienna. Simple concept in which it acts as a proxy and monitors all HTTP responses. It then creates a whitelist of static links in that response. Any requests that are not in this list and are made to a different domain using the referer header of the current domain are flagged as suspicious.

This simplistic approach seems to work pretty well to combat cookie / id theft and that class of XSS attacks. It is however ineffective against attacks that deface websites, cause denial of service, Click fraud etc.

I would be really interested in knowing what you think. Thanks a lot. I appreciate it.

Re: Regex for snort
Posted by: rsnake
Date: October 13, 2006 11:08AM

How does that affect cross linking of images and JavaScript? Part of the problem with this is CSRF. Most of these types of mitigation don't really take that kind of thing into account or break complex AJAX applications that need cross domain requests to function. Do you have more info on it?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Regex for snort
Posted by: p3rlhax
Date: October 16, 2006 01:39AM

Here is the link to Noxes: http://www.seclab.tuwien.ac.at/projects/noxes/

It will be ineffective against CSRF if the CSRF request does not have a referrer or is a static link on an attacker's page. If the link is generated using XSS then it will be effective.

It will pop up several alerts for cross linking of images. As far as AJAX is concerned, I think AJAX can only be used for requests to the same domain and hence will not pop up an alert from Noxes. Thus attacks similar to the myspace (samy) worm will not be detected.

The developers are very helpful and have acknowledged these limitations.

This tool seems to be more targeted towards XSS that steals cookies and authentication information.

I would be interested to know what you think about a client side solution for XSS mitigation.

Thanks
p3rlhax
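Added example (not Noxes's code; a model of the rule p3rlhax describes in the two posts above): build the whitelist of static links from one HTTP response, then apply the decision "cross-domain request whose referer is that page and whose URL is not in the page's static links is suspicious". The constructed blog page and request events exercise the limitations listed above: same-domain requests, static cross-domain links and requests without a referer all pass, and only a request the markup never contained is flagged. Class and function names, the hostnames and the sample markup are this example's assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect every URL that appears statically in the response markup."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.add(urljoin(self.base_url, value))


def static_links(page_url: str, html: str) -> set:
    """Whitelist for one response: the absolute URLs present in its markup."""
    parser = _LinkCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.links


def is_suspicious(request_url: str, referer: str, whitelists: dict) -> bool:
    """Noxes-style verdict for one outgoing request.

    whitelists maps a page URL to the static links collected from its response.
    """
    if not referer:
        return False   # nothing to tie it to: passes unchecked (the no-referer CSRF gap)
    if urlsplit(request_url).netloc == urlsplit(referer).netloc:
        return False   # same domain is never questioned (so an XHR-only worm is not seen)
    return request_url not in whitelists.get(referer, set())


# Constructed response: a blog post with a CDN image, a relative link and a
# static link to another site. No collector.example URL appears in the markup.
BLOG_PAGE = "http://blog.example/post/1"
BLOG_HTML = """<html><body>
<img src="http://cdn.example/logo.png" alt="logo">
<a href="/about">About</a>
<a href="http://partner.example/account?ref=blog">Partner site</a>
<p>post body</p>
</body></html>"""

# Constructed request events as (url, referer) the proxy would see afterwards.
EVENTS = [
    ("http://cdn.example/logo.png", BLOG_PAGE),              # static image: allowed
    ("http://blog.example/api/comments", BLOG_PAGE),         # same domain: allowed
    ("http://partner.example/account?ref=blog", BLOG_PAGE),  # static cross-domain link: allowed
    ("http://collector.example/log?c=SESSION", BLOG_PAGE),   # never in the markup: flagged
    ("http://collector.example/log?c=SESSION", None),        # no referer: not flagged
]


def audit(events, whitelists) -> list:
    """(url, referer, suspicious?) for each event."""
    return [(url, ref, is_suspicious(url, ref, whitelists)) for url, ref in events]


if __name__ == "__main__":
    whitelists = {BLOG_PAGE: static_links(BLOG_PAGE, BLOG_HTML)}
    for url, ref, flagged in audit(EVENTS, whitelists):
        print(f"{'SUSPICIOUS' if flagged else 'ok':10} {url}  (referer={ref})")
```

Only the fourth event is flagged. The third shows why this does nothing for CSRF carried by a static link, and the fifth why a request with no referer is invisible to it; both are exactly the limitations the developers acknowledged.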

Re: Regex for snort
Posted by: rsnake
Date: October 16, 2006 10:44AM

I sent an email to them, I'll see what I can find out. I don't want to make any assumptions without talking to them first. The PDF was an interesting read though for anyone interested in XSS theory: http://www.seclab.tuwien.ac.at/papers/noxes.pdf

- RSnake
Gotta love it. http://ha.ckers.org
