Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Issue29 – June 2012 | Page-1
Issue29 – June2012 | Page-2
Issue29 – June 2012 | Page-3Playing Bad Games: few minutes, giving the attacker just the ...
Issue29 – June2012 | Page-4The following image shows how the attack is Last year one of the developers of this kindp...
Issue29 – June 2012 | Page-5Looking better into the conversation, we can This is a really stylish and classy attack,see ...
Issue29 – June2012 | Page-6Scapy Primer Getting Familiar with Basic ...
Issue29 – June 2012 | Page-7 Building and assembling your first ...
Issue29 – June2012 | Page-8tcp_pkt=TCP(): To build packet at TCPlayer.ls(tcp_pkt): Displays the fieldsassociated ...
Issue29 – June 2012 | Page-9Building your Own Port Scanner res,unans=sr(tcpip_pkt) : Command ...
Issue29 – June2012 | Page-10sniffed_pkts: Displays stats of sniffed Referencespackets by protocol wis...
Issue29 – June 2012 | Page-11Hypertext Transfer By default HTTP utilize TCP port 80 andProtocol...
Issue29 – June2012 | Page-12containstoken “Basic” and base 64 encoded "Enter your username andof the username...
Issue29 – June 2012 | Page-13The first line informs the web browserauthentication is done with a username andpassword and ...
Issue29 – June2012 | Page-14 as playing on partycasino.com or surfing ...
Issue29 – June 2012 | Page-15For those who carry out online crime, theaim is mainly financial gain. This type offraud is t...
Issue29 – June2012 | Page-16SECTION 66D - Attracted by the offer, she visited a link ...
Issue29 – June 2012 | Page-17 It reads as – It reads as – Whoever, by deceivi...
Issue29 – June2012 | Page-18SummaryActs covered Cheating by personation using ...
Issue29 – June 2012 | Page-19MITM with Etterca p Ettercap can be found in M...
Issue29 – June2012 | Page-20 fig4 and also the images the target is ...
Issue29 – June 2012 | Page-21 Now you see that the target browsing the ...
Issue29 – June2012 | Page-22Preventing Cross SiteScripting… Is it a myth!IntroductionI have been associated with understan...
Issue29 – June 2012 | Page-23XSS is quite an attack, even though pretty primary defense and data validation asold,...
Issue29 – June2012 | Page-24Feasibility of Escaping TechniqueEscaping the data could be the right way togo, as a primary d...
Issue29 – June 2012 | Page-25
Upcoming SlideShare
Loading in …5
×
Technology, Entertainment & Humor
1,410 views
Jun. 21, 2012

ClubHack Magazine Issue June 2012

Here we are with the 29th issues of ClubHack Magazine for June 2012. This issue covers topics such as Game server DOS attacks,Scapy - a packet crafting tool, preventing Cross Site Scripting, etc.

Hope you are enjoying the new section - Code Gyan. We are planning to start few mini series of articles on various interesting topics. If you have any suggestions and ideas on the same or wish to contribute or start a mini series of articles on a particular topic do let us know.

If you have something interesting to share, any suggestions & feedbacks please send to us at info@chmag.in

no profile picture user

  • Login to see the comments

ClubHack Magazine Issue June 2012

  1. 1. Issue29 – June 2012 | Page-1
  2. 2. Issue29 – June2012 | Page-2
  3. 3. Issue29 – June 2012 | Page-3Playing Bad Games: few minutes, giving the attacker just the time to enjoy his action on Twitter.Anatomy of a Game- I have to admit that quite often manyServer DDoS Attack companies are capable to DDoS themselves, putting online a poor server and network architecture. So when the service goesThe Distributed Denial of Service attacks online, everything falls down on millions ofare now the most common and easy weapon user requesting the page. This causes indeedto create trouble and to do a very visible more trouble than the hacktivists, don’t youdamage to a target, with an after all very think? little effort. Back to the topic, this is the classical way toFor example is the most common weapon do a DDoS attack, but there are more, andused by hacktivists, since it requires only a more interesting to be analyzed and morevery common tool (like LOIC), and relies on stylish in their execution.the rage of hundreds, if not thousands, ofpeople. They are also very hard to be eluded, Working in this field I often do a post-since if the attacker has behind him a huge mortem analysis on these attacks, andbandwidth, there’s little to do if not close recently I’ve found this extremelyyour firewalls to avoid more damage on the fascinating method.internal server. In both cases, the attackerwins, and the site is off for some time. In this case the DDoS attack is executed not directly by the attacker, but using as aThis is actually the good news, since the “botnet” a large numbers of custom gameattack can’t stand for long, and so the servers around the globe. Making them“Tango Down”, if correctly detected and attack the target.responded with a full closure, can last for a
  4. 4. Issue29 – June2012 | Page-4The following image shows how the attack is Last year one of the developers of this kindperformed. of custom game server reported (http://icculus.org/pipermail/cod/2011- August/015397.html) this vulnerabilities, and immediately released a patch to resolve the issue. But of course in many cases these are illegal servers, the software is downloaded form who knows where, and they are active in many countries, like Russia or China, so we can’t expect that the administrators would care patching the server software or caring about any kind of requests. In the best case they will shut down the server at all and begin another one. As said I’ve worked directly on this case, so let’s give a look on the attack details, analyzing the real traffic. As you may guess, I’m not disclosing the attacked site, or the game servers IP or URLs. This is just a case study analysis.The first thing that catches the eye is that, The first thing to observe is the kind ofconsidering that the custom game servers packets, as said they’re all UDP traffic, withare located anywhere in the world, and they variable sizes, sent to the 21 port of theappear and die constantly, is practically attacked IP.impossible to identify the attacker’s identity.This kind of attack is not-so-well known,even if there is someone that beganreporting it from last year.http://cert.lexsi.com/weblog/index.php/2011/10/18/422-new-dos-attack-amplified-through-gaming-serversBut how this can happen?Because the custom game servers arevulnerable to a specific attack. The attackimplies asking, with a particular packet, thegame status of the server. This is a verysmall UDP request, but when made spoofingthe source IP, the game server responds tothat IP with a huge amount of information.
  5. 5. Issue29 – June 2012 | Page-5Looking better into the conversation, we can This is a really stylish and classy attack,see that this packet is a statusResponse much more organized than those performedfrom a Call of Duty custom game server. with LOIC, I think everyone will agree. What to do to avoid these attacks? Very little unfortunately. Blacklisting the game servers is a poor tactic since they came and go day by day, so it’s pretty much useless. Maybe this kind of attack will slow down as the patching process goes on, but there will always be vulnerable servers from those countries, and they likely will be used to perform this kind of DDoS attacks.I can go on for days, the game servers As always, the best defense is constantlyinvolved where thousands and everyone monitoring what happens on your network.fired a huge amount of responses. I guess In this case you can quickly respond bythe players weren’t that happy at the attack activating some blacklist and try to mitigatetime! the attack.As said Call of Duty was not the only game But if you don’t see, you’ll never knowused, but also some Quake game servers what’s happening!!!were used to perform the DDoS.And in this case also we have astatusResponse packet. Federico intch.me/federico Federico “glamis” Filacchione, a security professional, tries constantly to spread security awareness, explaining that security is not a simple tool, but thinking to the same old stuff in a totally different way (and it’s not that hard!).
  6. 6. Issue29 – June2012 | Page-6Scapy Primer Getting Familiar with Basic Commands Scapy is already available in major SecurityOverview distributions such as Backtrack, Security Onion etc. You can also install scapy byScapy is a wonderful packet crafting tool following detailed instructions given in thewritten by Philippe Biondi. Below is an Scapy documentation.excerpt from the Scapy documentationneatly describing Scapy. To start Scapy, execute sudoscapy (if normal user) or just scapy (if root).“Scapy is a powerful interactive packetmanipulation program. It is able to forge ordecode packets of a wide number ofprotocols, send them on the wire, capturethem, match requests and replies, and muchmore. Scapy can easily handle most classicaltasks like scanning, tracerouting, probing, Once Scapy is started, you will be providedunit tests, attacks or network discovery.” python interactive shell (>>>). Once you are inside in interactive shell, theAs Scapy uses Python syntax and Python commands such as ls, lsc helps you tointerpreter, it can be used as an interactive navigate further.shell or as a Python module. The mainadvantage of Scapy is its flexibility unlike Note: The Warning about IPv6 and INFOother packet crafting tools with limited can be ignored. The gnuplot, PyX packagesfunctionalities. Scapy can manipulate and are required for graphical representation ofprocess packets at every TCP/IP layer. It packets in Scapy. The packages may besupports wide range of protocols and allows installed if you need the same.adding your own. As Scapy providesmultiple functionalities, you can build ls() : displays list of supported protocols.custom tools with combined functionalities. (Output cropped to display only initial fewAlso very less knowledge is required to write entries)your own tools due to ease of use in Scapy.This article is limited to getting familiarwith basic commands, Scapy interactiveinterface and a demo of SYN port scan inScapy.
  7. 7. Issue29 – June 2012 | Page-7 Building and assembling your first packet Python is object oriented language. Each supported protocol is available as a class, in order to build a packet you need to create instances/object of that class and then can access the fields of the protocol. ip_pkt=IP(): To build a packet at IP layer ls(ip_pkt): To display the fields associated with the IP protocol. By defaultlsc() : Displays list of available commands in essential fields has been already set forScapy. packet which is ready to send on network.To know more about a command or its Note: First column is the fields associatedoption, execute help(cmdname) with the protocol, second column represents type of the field. Third column representse.g. >>>help(arpcachepoison) the values set for each field (if not changed, displays default values). Fourth column represents default values set by the Scapy in order to send the packet on network. To set any fields associated with the protocol, use object. field=<value>conf: Displays preferences set for the Scapy e.g. ip_pkt.src=‟10.10.10.1‟,session such as routing information, ip_pkt.dst=‟10.10.10.2‟.interfaces etc.
  8. 8. Issue29 – June2012 | Page-8tcp_pkt=TCP(): To build packet at TCPlayer.ls(tcp_pkt): Displays the fieldsassociated with the TCP protocol. To set anyfields associated with the protocol, useobject. field=<value>e.g. tcp_pkt.dport=53,tcp_pkt.dport= [135,139,445,80]which is an array of integer values. There are some values for which by default None has been set. These are calculated on the fly when sending a packet. tcpip_pkt.show2(): To display these calculated fields before sending on network.tcpip_pkt=ip_pkt/tcp_pkt: To build afull TCP/IP packet.Note: The Order does matter here. Abovecommand will create aip packet inside tcppacket. (Remember TCP/IP and 4 layers).tcpip_pkt.show():To display the fieldsassociated with the packet. You can also usels(tcp_pkt) which displays anotherrepresentation of the packet as shownabove.This command will display fields and theassociated values (either manuallyset/default).Ipsum dolor sit ametLoremIpsum Dolor sitAmetLoermIpsum dolor sit ametLoermIpsum dolor sit ametLoermIpsumdolor sit ametLoermIpsum dolor sit ametLoermIpsum dolor sit ametLoermIpsumdolor sit amet
  9. 9. Issue29 – June 2012 | Page-9Building your Own Port Scanner res,unans=sr(tcpip_pkt) : Command send the packet tcpip_pkt which was builtAccording to Wikipedia, Port Scanning is an in above steps. The variable res will storeattack that sends client requests to a range the packets for which answers were receivedof server port addresses on a host, with the with full packet response. The variablegoal of finding an active port. The status will unans will store the packets for which nobe either Open (indicating service is answers received.listening on port), Closed (indicatingconnections will be denied to the port), res.show(): The command will displayFiltered (no reply from the host indicating the packets along with their response. As inhost behind firewall or any other SYN scanner, if response packet is receivedintermediate device blocking the with SA flags, it indicates port is open. Ifconnection). response packet is received with RA flags then it indicates port is closed.There are several types of port scanning, wewill be focusing on SYN scanning for demo(a.k.a. Half open scanning). In thistechnique, If SYN packet is sent to the targethost based on response we can determine ifthe port is open, closed or filtered.(Respose: SYN,ACK – Open , RST,ACK –Closed, No Response - Filtererd ), afterreceiving the response, the source doesn’tsend ACK to complete 3 way connection As we see in above screenshot, packet 0001hence known as Half open scanning. and 0004 are having RA as flags in response packet hence port 137 and port 80 areFor Demo, I have set up two VMs, closed, whereas other packets are having SABacktrack5 (IP: 10.10.10.1) and WinXP as flags hence port 135,139,445 are open(IP:10.10.10.2) configured in host only which exactly matches with our nmapmode. output.Nmap SYN scanner output Sneak peek into Sniffer functionality Sniffing is technique where it captures traffic on all or just parts of the network from single machine within the network. To enable sniffing, use sniff() command. The option count enables to sniff only defined no of packets. sniffed_pkts=sniff(count-10): Sniffs only first 10 packets.
  10. 10. Issue29 – June2012 | Page-10sniffed_pkts: Displays stats of sniffed Referencespackets by protocol wise(TCP,UDP,ICMP,Other). Scapy Documentation: http://www.secdev.org/projects/scapy/docsniffed_pkts.show(): Displays detailsof all sniffed packets.Sniffed_pkts[0000]: Displays details ofthe first sniffed packet AshwinPatil http://intch.me/2012-Ashwin-PatilScapy StrengthsThe Scapy is capable of doing muchpowerful things than the one describedabove. Some of the Scapy projects givenbelow.  Rogue Router Advertisements with Scapy: http://samsclass.info/ipv6/proj/floo d-router6a.htm  Malicious Content Harvesting with Python, WebKit, and Scapy : http://dvlabs.tippingpoint.com/blog /2011/11/28/malicious-content- harvesting  DEEPSEC: Extending Scapy by a GSM Air Interface: http://blog.c22.cc/2011/11/17/deeps ec-extending-scapy-by-a-gsm-air- interface/  Use Scapy to test snort rules: https://www.sans.org/webcasts/sca py-test-snort-rule-93169
  11. 11. Issue29 – June 2012 | Page-11Hypertext Transfer By default HTTP utilize TCP port 80 andProtocol alternatively can used port 8080. HTTP Basic AuthenticationHTTP If a HTTP client web browser request pages,Http is a hypertext transfer protocol is the server response with 401 unauthorizedprovides a standard for web browsers and status code. It include WWW authenticationcommunicate with server. It is an header field in his response. Header listapplication layer protocol designed within must contain at least one authenticationthe framework of the Internet protocol challenge applicable for requested pages.suite. The Basic authentication scheme that hasHttp is also called a stateless protocol authorized issue consist of a username andbecause each command is executed without password where this is secrete only to severcommand knowledge. The main reason that and you.it is difficult to implement web site that The server response 401 containsreact intelligence to the user input. HTTP authentication challenge of the token “Basic’client and server communicate via HTTP and value and pair specifying the name ofrequest and response messages. When the the protected realm.client submits a HTTP request to the serverthe server provides resources such as HTML HTTP/1.1 401 Access Deniedfiles and it returns a response message tothe clients. WWW-Authenticate: Basic realm=”control panel”There are three main http messages typeare: Content length=0  GET After receipt of server response 401, your  POST web browser prompts username and  HEAD password. The authentication header of browser’s follow up request again
  12. 12. Issue29 – June2012 | Page-12containstoken “Basic” and base 64 encoded "Enter your username andof the username and colon, password. password " .Authentication: Basic "for access.””);QWRtaW46Zm9vYmFy header(“HTTP/1.0 401The base 64 decode the string and compare Unauthorized”);against his username and passworddatabase. ?> <HTML>HTTP Advance Authentication withPHP <HEAD><TITLE>Authorization Failed</TITLE></HEAD>For password protected site the easiest wayto use HTTP authentication, where if a <BODY>browser request a protected page is not with <H1>Authorization Failed</H1>correct username and password. The webserver replies with HTTP 401 error mean <P>Without a valid username andunauthorized access and an invitation for password,the browser with proper username andpassword. access to this page cannot be granted.For set up an HTTP authentication use anApache. Use PHP for server side script Please click „reload‟ andlanguage. When we installed Apache enter amodule PHP provide two special global username and password whenvariable $PHP_AUTH_USER and prompted.$PHP_AUTH_PW. It contains usernameand password with current HTTP request. If </P>username and password both are incorrectit will respond with an HTTP 401 error. </BODY>PHP code: </HTML><? php <?php else: ?>If ($PHP_AUTH_USER != ...page contents here...“mysuser” <?phpendif; ?> or $PHP_AUTH_PW !=“mypass”):header("WWW-Authenticate: " . "Basic realm=”ProtectedPage: " .
  13. 13. Issue29 – June 2012 | Page-13The first line informs the web browserauthentication is done with a username andpassword and realm option let the particularusername and password should be usedwhen a group of web pages.To protect an entire site we would use PHP’sinclude the function to use the code thatperform the username and password checkin every file on your site. SatyendraPrajapati
  14. 14. Issue29 – June2012 | Page-14 as playing on partycasino.com or surfing social networking websites. This is becauseImpact of Cybercrime personal data will always become stored on their computers and it is important to avoidon Businesses that data being accessed. However, it is even more important for businesses to protectIT security is more important for businesses themselves against online crime, and thethan ever. figures from the Ponemon Institutes survey speak for themselves.A study that was carried out by thePonemon Institute has revealed thatbusinesses lacking in IT security could belosing over £200,000. The study, entitled“Impact of Cybercrime on Businesses”,surveyed 2,618 C-level IT security andexecutive personnel with the aim of findingout what everyone has in common. Thesurvey spanned the United States, UnitedKingdom, Hong Kong, Brazil and Germany.It was found that in the latter country,cyber-attacks cost businesses more thananywhere else, with the average cost beingaround $298,359. The average cost thatcyber-attacks will have on companies in theUnited States is $276,671, if they aresuccessfully carried out.Clearly, companies that do not pay adequateattention to their IT security are at risk.Anyone with a computer should make surethat their data is adequately protected, evenif they only use it for leisure activities such
  15. 15. Issue29 – June 2012 | Page-15For those who carry out online crime, theaim is mainly financial gain. This type offraud is the most common motive forcybercrime, with others being the theft ofcustomer data and the disruption of theoperations of a business. As well asadequately protecting their computers andonline security, those in the workplaceshould not forget about their personalmobile devices. This includes tablets andsmartphones and many companies areimplementing training programs to helptheir employees remain aware of the riskfrom cyber-attack.There are many ways in which internet SagarNangareusers can protect themselves from cyber- http://intch.me/2012-Sagarattack. Change passwords regularly andensure that they are complicated words, SagarNangare works as a webmaster atwith numbers and symbols if possible. ClubHack Magazine. Sagar is currentlyAlways sign out of everything when you are working for Dimakh Consultants asfinished, whether it is an e-mail account or a Social Media Manager & SEO Executivesocial networking site to minimize the riskof hacking. Run regular virus scans on yourcomputer and make sure that your softwareis up to date. Never give out your personalinformation to anyone that you do not trustand be generally smart about internet usage.Hopefully this will go a long way to helpingprevent cybercrime in the future.
  16. 16. Issue29 – June2012 | Page-16SECTION 66D - Attracted by the offer, she visited a link specified in the email and it redirected herPunishment for cheating to a webpage where she entered her net-by personation by using banking username, password and other information. In reality, the email as well ascomputer resource website was fake and her information is stolen and misused.Whoever, by means for any communicationdevice or computer resource cheats by Investigations revealed that the fake emailpersonating, shall be punished with and website was created by Rohit.imprisonment of either description for aterm which may extend to three years and He would be liable under this section.shall also be liable to fine which may extend Commentsto one lakh rupees. There are three aspects to this sectionIllustration 1. It needs to be proved that the personRevati receives an email that appears to is cheatedhave been sent from a famous onlineshopping website in India. Email promises Cheating is defined under Sectionher to an iPod at a discounted price if she 415 of the Indian Penal Code.pays Rs. 500 as a deposit amount.
  17. 17. Issue29 – June 2012 | Page-17 It reads as – It reads as – Whoever, by deceiving any person, A person is said to "cheat by fraudulently or dishonestly induces personation" if he cheats by the person so deceived to deliver pretending to be some other person, any property to any person, or to or by knowingly substituting one consent that any person shall retain person for another, or representing any property, or intentionally that he or any other person is a induces the person so deceived to do person other than he or such other or omit to do anything which he person really is. would not do or omit if he were not so deceived, and which act or Explanation omission causes or is likely to cause damage or harm to that person in The offence is committed whether the body, mind, reputation or property, individual personated is a real or imaginary is said to "cheat". person. IllustrationsExplanation  A cheats by pretending to be aA dishonest concealment of facts is a certain rich banker of the samedeception within the meaning of this name. A cheats by personation.section.  A cheats by pretending to be B, aIllustrations person who is deceased. A cheats by personation.  A, by falsely pretending to be in the Civil Service, intentionally deceives 3. Cheating by personation must be by Z, and thus dishonestly induces Z to using any communication device or let him have on credit goods for computer resource. which he does not mean to pay. A cheats.  A, by putting a counterfeit mark on an article, intentionally deceives Z into a belief that this article was made by a certain celebrated manufacturer, and thus dishonestly induces Z to buy and pay for the article. A cheats. 2. It must be cheating by personation Cheating by personation is defined under Section 416 of the Indian Penal Code.
  18. 18. Issue29 – June2012 | Page-18SummaryActs covered Cheating by personation using a computer resource/cell phone or other computer resourceInvestigation Police officer notauthorities below the rank of SagarRahurkar Inspector. contact@sagarrahurkar.com Controller of SagarRahurkar is a Law graduate, a Certifying Certified Fraud Examiner (CFE) and a Authorities or a certified Digital Evidence Analyst. person authorized by him He specializes in Cyber Laws, FraudRelevant courts Judicial examination, and Intellectual Property Magistrate First Law related issues. He has conducted Class Court of exclusive training programs for law Session enforcement agencies like Police, IncomeCognizable/Bailable Yes/Yes He is a regular contributor to various Info-Sec magazines, where he writes on IT Law related issues.
  19. 19. Issue29 – June 2012 | Page-19MITM with Etterca p Ettercap can be found in Matriux under Arsenal > Scanning >Ettercap. I prefer we use the console mode for betterHello readers, we are back with our tutorials understanding of the attack procedure.on Matriux, due to some unwantedcircumstances we weren’t able to be a part Attack Setupof last month’s issue. However we promise 1. Enable IP Forwarding by typing theto provide our continued support and help following in terminal.to the users. This month we are going tocover a basic tutorial of Man-In-The-Middle(MITM) attack using Ettercap by ARPspoofing technique. 2. Edit the file /etc/etter.conf (may beEttercap present at different location in different version try “locateEttercap is a great tool especially for Man- etter.conf “). Uncomment theIn-The-Middle Attacks. Very simple and following lines by removing “#” theyeasy to use tool intercept data over LAN and are presentsystems connected over switched routersand execute MITM attacks. 3. Open another terminal and type“Ettercap is a multipurpose “driftnet –i<<interface>>” use thesniffer/interceptor/logger for switched interface by which you are able toLAN. It supports active and passivedissection of many protocols (even cipheredones) and includes many features fornetwork and host analysis.” – quoted fromEttercap Website. communicate with the target system. (In my case it was eth1). You will beMITM with Ettercap by ARP able to see a black window comingpoisoning up.Requirement: Target system to be in thesame network as our attacker – Matriux(can be used over systems communicatingover routers too). But let’s make it easy ;)
  20. 20. Issue29 – June2012 | Page-20 fig4 and also the images the target is browsing in the driftnet window we opened up earlierInitiating the AttackOpen the terminal as root and start theattack by typing: ~#ettercap –Tq –M arp:remote /<<IPof target>>/ Now you have successfully performed a MITM attack using Ettercap by ARP spoofing. You can also try changing the data the target system is communicating with the internet. Corrupting the data packets: To corrupt the data you need to create aettercap filter. The data corruption and manipulation depends on how you want the target to see the data. Here we discuss the data corruption by creating a simple image filter. Which shows a particular image that we want to show instead of all the images the user browses over TCP/UDP. 1. Create a file named filter and paste the following code:IP of target can be a group of IP addresses.Now you can see the data, passwords andeverything being browsed or passed overinternet from the target in the window of
  21. 21. Issue29 – June 2012 | Page-21 Now you see that the target browsing the internet will see the images that we have included in the filter instead of the actual images. 2. Now create the ettercap filter from the file by typing:~#etterfilter filter -ofilter.ef Happy Hacking Reach us at:- report@matriux.com @matriuxtig3r www.facebook.com/matriuxtig3r 3. Now start ettercap again by applying the filter we just created by typing~# ettercap -T -q -F filter.ef - Team MatriuxM arp:remote /target ipaddress/ http://matriux.com
  22. 22. Issue29 – June2012 | Page-22Preventing Cross SiteScripting… Is it a myth!IntroductionI have been associated with understandingof cross site scripting for quite some timenow. I have provided quite a few talks andpresentation on this subject. Being a securecode reviewer, have found number of xssissues in the code. I have witnessed numberof mistakes developers make. I would beinterested in sharing some of myperspective about this attack. Since this isquite an old attack I would not be touchingon its existence or trying to understand What is data context and codewhat XSS is! as there a quite a few blogsand sites available. Let’s focus on various context?prevention techniques and its feasibility.Understand the chosen prevention path is A data context is like <div>datathe right path or not. context</div>. If the attackers data gets placed into the data context, they mightCross Site Scripting break out like this <div>data < script>alert("attack")</script>XSS is an attack that involves breaking out context</div>. Basically switching overof a data context and switching into a code to code context.If this basic criteria iscontext through the use of special characters understood. Prevention becomes lot easier.that are significant in the interpreter beingused.
  23. 23. Issue29 – June 2012 | Page-23XSS is quite an attack, even though pretty primary defense and data validation asold, still lot of applications are vulnerable to secondary defense an application couldthis attack. No doubt it finds a second spot achieve a right blend of security for both thein OWASP top 10. It’s difficult to solve this needs. By making escaping a primaryattack as it’s more to do with the discipline defense the application can remain muchattitude of the person who develops and more secure even if special chars areflexibility from the business side. By allowed during data validation phase.discipline I mean by proper sanitization of Escaping technique finds its way wheneverdata. untrusted data travels across the application.Challenges with Data-validation What is Untrusted Data?Data validation is proposed commonsolution for cross site scripting. By data Untrusted data is input that can bevalidation we mean filtering special manipulated to contain a web attackcharacters from the client request at server payload. Untrusted data is the data whichside. While input validation is important comes from the HTTP request, in the formand should always be performed, it is not a of URL parameters, form fields, headers, orcomplete solution for injection attacks or cookies. The Data that comes fromcross site scripting. Its better to think of databases, web services, and other sourcesinput validation as defense in depth rather are also considered as untrusted data.than a primary defense. More over serverside input validation may not be the right Escapingsolution for DOM based XSS attacks whichhappen at the client side. Escaping is a technique used to ensure that characters are treated as data, not asBusiness perspective characters that are relevant to the interpreters parser.By Business I mean web applications, whichneeds special chars. Since special chars are Lets not confuse output escaping with thebusiness requirements for most of the web notion of Unicode character encoding,applications. Due to this requirement which involves mapping a Unicodesomehow the special chars finds its way into character to a sequence of bits. This level ofthe application. There are lots of businesses encoding is automatically decoded, and doeswho willingly take risk of allowing bad not defuse attacks.characters/special chars as some of thechars needs to be accommodated. To find a Escaping Technique simply lets thesolution which meets the business needs as interpreter know that the data is notwell as security needs has become evident. intended to be executed, and therefore prevents attacks from working.So, what could be the solution?A technique called “Escaping” lookspromising in meeting business needs as wellas security needs. By making escaping as
  24. 24. Issue29 – June2012 | Page-24Feasibility of Escaping TechniqueEscaping the data could be the right way togo, as a primary defense to cross sitescripting. As it takes care of the applicationfrom attack even if special chars areintroduced. But with escaping as solutionthere is quite a few challenges. Escapingrequires humongous addition to the code.Where ever untrusted data is found it SatishGovindappashould be escaped. There could be http://intch.me/2012-Satishperformance concern, which the businesswould definitely not want to compromise SatishGovindappa is working as secureon. Developers discipline plays a major role code reviewer in an organization. Ahere as ensuring escaping to all the developer turned code revieweruntrusted data in an enterprise web specialized in reviewing code ofapplication is quite a mammoth task. But enterprise J2EE web applications. Satishwith all this challenges escaping seems to be holds a SCJP, CEH, ECSA certificatesthe right path for Cross site scripting. and pursuing MS in Cyber law and Cyber Security.(The Source of some of the above details isfrom: https://www.owasp.org)
  25. 25. Issue29 – June 2012 | Page-25

×