SlideShare a Scribd company logo

Grails vs XSS: Defending Grails against XSS attacks

theratpack
theratpack

Talk at Codemotion Madrid 2013.

Technology
1 of 59
Download to read offline
R. Luque & J. San Leandro Grails vs XSS Defending Grails against XSS attacks @rafael_luque - Osoco @rydnr - Ventura24
http://goo.gl/uVadCh
Following the white rabbit. . .
Something more than a joke. . .
Demo 1 https://vimeo.com/77387364
XSS Intro
XSS concepts and treats R. Luque & J. San Leandro • What’s a XSS • XSS Types: Reflected, stored, DOM-based. • Famous attacks: Samy worm, MrBean defacement, . . .
XSS threats R. Luque & J. San Leandro • Interface defacement • Session hijacking • Your PC may be joined to the horde of zombies in a BotNet.
Responsibilities: Why is this still an issue?
Do your homework R. Luque & J. San Leandro • Security is often overlooked at all levels • Raise awareness • Practice with security tools • Promote defensive coding
Understanding Grails Encoding
Grails Pre-2.3 Gotchas
#1: Built-in default codec
#1: Built-in default codec grails.views.default.codec
#1: Built-in default codec is none! grails.views.default.codec = ’’none’’
#1: Built-in default codec is none! Problems You have to escape explicitly every untrusted data: encodeAsHTML() encodeAsJavaScript() encodeAsURL()
#1: Built-in default codec is none! Problems High likelihood of XSS vulnerabilities in production. E.g. Grails.org website is vulnerable.
#1: Built-in default codec is none! Problems Double-encoding prevention over security by default.
#1: Built-in default codec is none! Solution Change default codec to HTML: grails.views.default.codec = ’’html’’
#2: Inconsistent behaviour Apply codec • GSP EL: ${...} Does not apply codec
#2: Inconsistent behaviour Apply codec • GSP EL: ${...} • Tag: <g:tag .../> Does not apply codec
#2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/>
#2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)}
#2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)} • Scriptlets: <%= ... %>
#2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)} • Scriptlets: <%= ... %>
#3: One codec is not enough You MUST use the escape syntax for the context of the HTML document you’re putting untrusted data into: • HTML • JavaScript • URL • CSS
#3: One codec is not enough HTML entity encoding doesn’t work if you’re using untrusted data inside a <script>, or an event handler attribute like onmouseover, or inside CSS, or in a URL.
#3: One codec is not enough Problems You can override the default codec for a page, but not to switch the codec for each context: <%@page defaultCodec=’CODEC’ %>
#3: One codec is not enough Problems How to manage GSPs with mixed encoding requirements?
#3: One codec is not enough Solution 1 Turn off default codec for that page and use encodeAsJavaScript() and encodeAsHTML() explicitly everywhere.
#3: One codec is not enough Solution 2 Extract the JavaScript fragment to a GSP tag encoding as JavaScript.
Grails 2.3 Encoding Enhancements
#1: New configuration more secure by default
#1: New configuration more security by default grails { views { gsp { encoding = ’UTF-8’ htmlcodec = ’xml’ // use xml escaping instead of HTML4 codecs { expression = ’html’ // escapes values inside ${} scriptlet = ’html’ // escapes output from scriptlets in GSPs taglib = ’none’ // escapes output from taglibs staticparts = ’none’ // escapes output from static templates } } // escapes all not-encoded output at final stage of outputting filteringCodecForContentType { //’text/html’ = ’html’ } } }
#2: Finer-grained control of codecs Control the codecs used per plugin: pluginName.grails.views.gsp.codecs.expression = ’CODEC’
#2: Finer-grained control of codecs Control the codecs used per page: <%@ expressionCodec=’CODEC’ %>
#2: Finer-grained control of codecs Control the default codec used by a tag library: static defaultEncodeAs = ’HTML’ Or on a per tag basis: static encodeAsForTags = [tagName: ’HTML’]
#2: Finer-grained control of codecs Add support for an optional encodeAs attribute to all tags automatically: <my:tag arg=’foo.bar’ encodeAs=’JavaScript’/>
#3: Context-sensitive encoding switching Tag withCodec(’CODEC’, Closure) to switch the current default codec, pushing and popping a default codec stack. out.println ’<script type=’’text/javascript’’>’ withCodec(‘‘JavaScript’’) { out << body() } out.println() out.println ’</script>’
Don’t Trust Plugins
Plugins are part of your app R. Luque & J. San Leandro • Grails plugins are not security audited • Grails plugins are part of your application’s attack surface • Review plugins to make sure they encode, and if they don’t you should JIRA the authors immediately, and fork and patch to fix your app quickly.
E.g. Javamelody vulnerability R. Luque & J. San Leandro • CVE-2013-4378 vulnerability reported. • Allows blind XSS attack via X-Forwarded-For header spoofing. • The attack target is the admin’s browser. • Fixed in the last release (1.47). • You should upgrade ASAP.
Demo: Javamelody XSSed R. Luque & J. San Leandro
Demo 2 https://vimeo.com/77401328
Solutions: What options do we have?
Be aware R. Luque & J. San Leandro • Upgrade to Grails 2.3 • Review carefully all dynamic content • Raise awareness • Use application firewalls
• CSP: Content Security Policy • Adds headers to disable default behavior • inline Javascript • dynamic code evaluation
Security in the development lifecycle R. Luque & J. San Leandro • ZAP Security Tests Plugin for Grails.
Demo 3 https://vimeo.com/77395745
Conclusions: Grails can defeat XSS
Grails R. Luque & J. San Leandro • Provides the means to make your application safe from XSS attacks • Upgrade to 2.3 ASAP • Pay attention to XSS
XSS R. Luque & J. San Leandro • It’s much more dangerous than defacement jokes • Your users are the actual target • Difficult to monitor
Wake up R. Luque & J. San Leandro • Get yourself used with Metasploit, ZAP, BeEF, mod-security, Burp.
Wake up R. Luque & J. San Leandro • Get yourself used with Metasploit, ZAP, BeEF, mod-security, Burp. • Spread the word both horizontally and vertically.
References R. Luque & J. San Leandro • • • • • • • • • • Grails XSS Countermeasures – R. Luque, J. San Leandro Grails ZAP Security Tests Plugin – The Rat Pack group ZAP Security Tests Sample App – The Rat Pack group Can I pwn your Grails application? – Marc Palmer Grails-9906 – Grails Jira Grails Default Codecs Proposal – Grails Wiki Metasploit: The Penetration Tester’s Guide – David Kennedy et al. The Tangled Web – Michal Zalewski Metasploit para Pentesters – Pablo Gonzalez Pentesting con Kali – Pablo Gonzalez
Picture credits R. Luque & J. San Leandro • Game: http://www.themaninblue.com/ • Cover: http://www.flickr.com/photos/usairforce/ CC by-nc • White rabbit: http://www.flickr.com/photos/alles-banane/5849593440 CC by-sa-nc • Hieroglyphs: http://www.flickr.com/photos/59372146@N00 CC by-sa-nc • Zombies: http://www.flickr.com/photos/aeviin/4986897433 CC by-sa-nc
R. Luque & J. San Leandro Grails vs XSS Defending Grails against XSS attacks @rafael_luque - Osoco @rydnr - Ventura24

Recommended

XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grailstheratpack
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 

Recommended

XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grailstheratpack
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Sergey Gordeychik
 
Developer's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyDeveloper's Guide to JavaScript and Web Cryptography
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
 
BlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat v18 || May i see your credentials, please
BlueHat v18 || May i see your credentials, pleaseBlueHat Security Conference
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Cryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptCryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptbarysteyn
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)ColdFusionConference
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
The Security Code Review Guide
The Security Code Review GuideThe Security Code Review Guide
The Security Code Review GuideNicola Pietroluongo
 
10 Mistakes Hackers Want You to Make
10 Mistakes Hackers Want You to Make10 Mistakes Hackers Want You to Make
10 Mistakes Hackers Want You to MakeJoe Kutner
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmSecurity Bootcamp
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsMasabi
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008Ali Ikinci
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersPhú Phùng
 
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1ITAS VIETNAM
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defensePrakashchand Suthar
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxAaron Weaver
 

More Related Content

What's hot

Cryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptCryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptbarysteyn
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
Web security for developers
Web security for developersWeb security for developers
Web security for developersSunny Neo
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)ColdFusionConference
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
10 Mistakes Hackers Want You to Make
10 Mistakes Hackers Want You to Make10 Mistakes Hackers Want You to Make
10 Mistakes Hackers Want You to MakeJoe Kutner
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmSecurity Bootcamp
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answersOWASP
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsMasabi
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...POSSCON
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008Ali Ikinci
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersPhú Phùng
 
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1ITAS VIETNAM
 

What's hot (18)

Cryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScriptCryptography In The Browser Using JavaScript
Cryptography In The Browser Using JavaScript
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
The Security Code Review Guide
The Security Code Review GuideThe Security Code Review Guide
The Security Code Review Guide
 
10 Mistakes Hackers Want You to Make
10 Mistakes Hackers Want You to Make10 Mistakes Hackers Want You to Make
10 Mistakes Hackers Want You to Make
 
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
 
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh TâmTriển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 
Challenges Building Secure Mobile Applications
Challenges Building Secure Mobile ApplicationsChallenges Building Secure Mobile Applications
Challenges Building Secure Mobile Applications
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
 
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
[ITAS.VN]CheckMarx-CxSuite-Sample result for webgoat5.3rc1
 

Viewers also liked

Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxAaron Weaver
 
Cross Site Scripting Augusta For Matrix Session
Cross Site Scripting Augusta For Matrix SessionCross Site Scripting Augusta For Matrix Session
Cross Site Scripting Augusta For Matrix SessionAbhishek kumar
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSSqqlan
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Cross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesCross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesRonan Dunne, CEH, SSCP
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Acunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerAcunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerComguard India
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
Netsparker - Hosting Zirvesi 2010
Netsparker - Hosting Zirvesi 2010Netsparker - Hosting Zirvesi 2010
Netsparker - Hosting Zirvesi 2010Onur YILMAZ
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 

Viewers also liked (20)

Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
 
Cross Site Scripting Augusta For Matrix Session
Cross Site Scripting Augusta For Matrix SessionCross Site Scripting Augusta For Matrix Session
Cross Site Scripting Augusta For Matrix Session
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing tool
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Blind XSS & Click Jacking
Blind XSS & Click JackingBlind XSS & Click Jacking
Blind XSS & Click Jacking
 
Blind XSS
Blind XSSBlind XSS
Blind XSS
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Denis Baranov: Root via XSS
Denis Baranov: Root via XSSDenis Baranov: Root via XSS
Denis Baranov: Root via XSS
 
XSS Remediation
XSS RemediationXSS Remediation
XSS Remediation
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Cross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesCross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement Techniques
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Acunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerAcunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability Scanner
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
Netsparker - Hosting Zirvesi 2010
Netsparker - Hosting Zirvesi 2010Netsparker - Hosting Zirvesi 2010
Netsparker - Hosting Zirvesi 2010
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 

Similar to Grails vs XSS: Defending Grails against XSS attacks

Grails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksGrails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksRafael Luque Leiva
 
XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in GrailsOSOCO
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git RepoCliff Smith
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidOwaspCzech
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoidFilip Šebesta
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...Area41
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersPhú Phùng
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsviaForensics
 

Similar to Grails vs XSS: Defending Grails against XSS attacks (20)

Grails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksGrails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacks
 
XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
 
XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Grails vs XSS: Defending Grails against XSS attacks

  • 1. R. Luque & J. San Leandro Grails vs XSS Defending Grails against XSS attacks @rafael_luque - Osoco @rydnr - Ventura24
  • 3.
  • 5. Something more than a joke. . .
  • 7.
  • 9. XSS concepts and treats R. Luque & J. San Leandro • What’s a XSS • XSS Types: Reflected, stored, DOM-based. • Famous attacks: Samy worm, MrBean defacement, . . .
  • 10. XSS threats R. Luque & J. San Leandro • Interface defacement • Session hijacking • Your PC may be joined to the horde of zombies in a BotNet.
  • 11. Responsibilities: Why is this still an issue?
  • 12. Do your homework R. Luque & J. San Leandro • Security is often overlooked at all levels • Raise awareness • Practice with security tools • Promote defensive coding
  • 16. #1: Built-in default codec grails.views.default.codec
  • 17. #1: Built-in default codec is none! grails.views.default.codec = ’’none’’
  • 18. #1: Built-in default codec is none! Problems You have to escape explicitly every untrusted data: encodeAsHTML() encodeAsJavaScript() encodeAsURL()
  • 19. #1: Built-in default codec is none! Problems High likelihood of XSS vulnerabilities in production. E.g. Grails.org website is vulnerable.
  • 20. #1: Built-in default codec is none! Problems Double-encoding prevention over security by default.
  • 21. #1: Built-in default codec is none! Solution Change default codec to HTML: grails.views.default.codec = ’’html’’
  • 22. #2: Inconsistent behaviour Apply codec • GSP EL: ${...} Does not apply codec
  • 23. #2: Inconsistent behaviour Apply codec • GSP EL: ${...} • Tag: <g:tag .../> Does not apply codec
  • 24. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/>
  • 25. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)}
  • 26. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)} • Scriptlets: <%= ... %>
  • 27. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)} • Scriptlets: <%= ... %>
  • 28. #3: One codec is not enough You MUST use the escape syntax for the context of the HTML document you’re putting untrusted data into: • HTML • JavaScript • URL • CSS
  • 29. #3: One codec is not enough HTML entity encoding doesn’t work if you’re using untrusted data inside a <script>, or an event handler attribute like onmouseover, or inside CSS, or in a URL.
  • 30. #3: One codec is not enough Problems You can override the default codec for a page, but not to switch the codec for each context: <%@page defaultCodec=’CODEC’ %>
  • 31. #3: One codec is not enough Problems How to manage GSPs with mixed encoding requirements?
  • 32. #3: One codec is not enough Solution 1 Turn off default codec for that page and use encodeAsJavaScript() and encodeAsHTML() explicitly everywhere.
  • 33. #3: One codec is not enough Solution 2 Extract the JavaScript fragment to a GSP tag encoding as JavaScript.
  • 35. #1: New configuration more secure by default
  • 36. #1: New configuration more security by default grails { views { gsp { encoding = ’UTF-8’ htmlcodec = ’xml’ // use xml escaping instead of HTML4 codecs { expression = ’html’ // escapes values inside ${} scriptlet = ’html’ // escapes output from scriptlets in GSPs taglib = ’none’ // escapes output from taglibs staticparts = ’none’ // escapes output from static templates } } // escapes all not-encoded output at final stage of outputting filteringCodecForContentType { //’text/html’ = ’html’ } } }
  • 37. #2: Finer-grained control of codecs Control the codecs used per plugin: pluginName.grails.views.gsp.codecs.expression = ’CODEC’
  • 38. #2: Finer-grained control of codecs Control the codecs used per page: <%@ expressionCodec=’CODEC’ %>
  • 39. #2: Finer-grained control of codecs Control the default codec used by a tag library: static defaultEncodeAs = ’HTML’ Or on a per tag basis: static encodeAsForTags = [tagName: ’HTML’]
  • 40. #2: Finer-grained control of codecs Add support for an optional encodeAs attribute to all tags automatically: <my:tag arg=’foo.bar’ encodeAs=’JavaScript’/>
  • 41. #3: Context-sensitive encoding switching Tag withCodec(’CODEC’, Closure) to switch the current default codec, pushing and popping a default codec stack. out.println ’<script type=’’text/javascript’’>’ withCodec(‘‘JavaScript’’) { out << body() } out.println() out.println ’</script>’
  • 43. Plugins are part of your app R. Luque & J. San Leandro • Grails plugins are not security audited • Grails plugins are part of your application’s attack surface • Review plugins to make sure they encode, and if they don’t you should JIRA the authors immediately, and fork and patch to fix your app quickly.
  • 44. E.g. Javamelody vulnerability R. Luque & J. San Leandro • CVE-2013-4378 vulnerability reported. • Allows blind XSS attack via X-Forwarded-For header spoofing. • The attack target is the admin’s browser. • Fixed in the last release (1.47). • You should upgrade ASAP.
  • 45. Demo: Javamelody XSSed R. Luque & J. San Leandro
  • 48. Be aware R. Luque & J. San Leandro • Upgrade to Grails 2.3 • Review carefully all dynamic content • Raise awareness • Use application firewalls
  • 49. • CSP: Content Security Policy • Adds headers to disable default behavior • inline Javascript • dynamic code evaluation
  • 50. Security in the development lifecycle R. Luque & J. San Leandro • ZAP Security Tests Plugin for Grails.
  • 53. Grails R. Luque & J. San Leandro • Provides the means to make your application safe from XSS attacks • Upgrade to 2.3 ASAP • Pay attention to XSS
  • 54. XSS R. Luque & J. San Leandro • It’s much more dangerous than defacement jokes • Your users are the actual target • Difficult to monitor
  • 55. Wake up R. Luque & J. San Leandro • Get yourself used with Metasploit, ZAP, BeEF, mod-security, Burp.
  • 56. Wake up R. Luque & J. San Leandro • Get yourself used with Metasploit, ZAP, BeEF, mod-security, Burp. • Spread the word both horizontally and vertically.
  • 57. References R. Luque & J. San Leandro • • • • • • • • • • Grails XSS Countermeasures – R. Luque, J. San Leandro Grails ZAP Security Tests Plugin – The Rat Pack group ZAP Security Tests Sample App – The Rat Pack group Can I pwn your Grails application? – Marc Palmer Grails-9906 – Grails Jira Grails Default Codecs Proposal – Grails Wiki Metasploit: The Penetration Tester’s Guide – David Kennedy et al. The Tangled Web – Michal Zalewski Metasploit para Pentesters – Pablo Gonzalez Pentesting con Kali – Pablo Gonzalez
  • 58. Picture credits R. Luque & J. San Leandro • Game: http://www.themaninblue.com/ • Cover: http://www.flickr.com/photos/usairforce/ CC by-nc • White rabbit: http://www.flickr.com/photos/alles-banane/5849593440 CC by-sa-nc • Hieroglyphs: http://www.flickr.com/photos/59372146@N00 CC by-sa-nc • Zombies: http://www.flickr.com/photos/aeviin/4986897433 CC by-sa-nc
  • 59. R. Luque & J. San Leandro Grails vs XSS Defending Grails against XSS attacks @rafael_luque - Osoco @rydnr - Ventura24