R. Luque & J. San Leandro
Grails vs XSS
Defending Grails against XSS attacks
@rafael_luque - Osoco @rydnr - Ventura24
http://goo.gl/uVadCh
Following the white rabbit...
Something more than a joke...
Demo 1
https://vimeo.com/77387364
XSS Intro
XSS concepts and threats
• What's an XSS?
• XSS types: reflected, stored, DOM-based.
• Famous attacks: Samy worm, MrBean defacement, ...
XSS threats
• Interface defacement
• Session hijacking
• Your PC may be joined to the horde of zombies in a BotNet.
Responsibilities: Why is this still an issue?
Do your homework
• Security is often overlooked at all levels
• Raise awareness
• Practice with security tools
• Promote defensive coding
Understanding Grails Encoding
Grails Pre-2.3 Gotchas
#1: Built-in default codec is none!
grails.views.default.codec = "none"
Problems
You have to escape every piece of untrusted data explicitly:
encodeAsHTML()
encodeAsJavaScript()
encodeAsURL()
High likelihood of XSS vulnerabilities in production. E.g. the Grails.org website is vulnerable.
Double-encoding prevention was chosen over security by default.
Solution
Change the default codec to HTML:
grails.views.default.codec = "html"
#2: Inconsistent behaviour
Apply codec | Does not apply codec
• GSP EL: ${...}
• Tag: <g:tag .../>
• GSP EL in tag attribute: <g:tag a="${...}"/>
• Tag as a method: ${g.tag(...)}
• Scriptlets: <%= ... %>
#3: One codec is not enough
You MUST use the escape syntax for the context of the HTML document you're putting untrusted data into:
• HTML
• JavaScript
• URL
• CSS
HTML entity encoding doesn't work if you're putting untrusted data inside a <script>, in an event handler attribute like onmouseover, inside CSS, or in a URL.
Problems
You can override the default codec for a page, but you cannot switch the codec per context:
<%@page defaultCodec='CODEC' %>
How do you manage GSPs with mixed encoding requirements?
Solution 1
Turn off the default codec for that page and use encodeAsJavaScript() and encodeAsHTML() explicitly everywhere.
Solution 2
Extract the JavaScript fragment into a GSP tag that encodes as JavaScript.
Grails 2.3 Encoding Enhancements
#1: New configuration, more secure by default
grails {
    views {
        gsp {
            encoding = 'UTF-8'
            htmlcodec = 'xml' // use xml escaping instead of HTML4
            codecs {
                expression = 'html' // escapes values inside ${}
                scriptlet = 'html' // escapes output from scriptlets in GSPs
                taglib = 'none' // escapes output from taglibs
                staticparts = 'none' // escapes output from static templates
            }
        }
        // escapes all not-encoded output at final stage of outputting
        filteringCodecForContentType {
            //'text/html' = 'html'
        }
    }
}
#2: Finer-grained control of codecs
Control the codecs used per plugin:
pluginName.grails.views.gsp.codecs.expression = 'CODEC'
Control the codecs used per page:
<%@ expressionCodec='CODEC' %>
Control the default codec used by a tag library:
static defaultEncodeAs = 'HTML'
Or on a per-tag basis:
static encodeAsForTags = [tagName: 'HTML']
Support for an optional encodeAs attribute is added to all tags automatically:
<my:tag arg='foo.bar' encodeAs='JavaScript'/>
#3: Context-sensitive encoding switching
The tag helper withCodec('CODEC', Closure) switches the current default codec, pushing onto and popping from a default codec stack:
out.println '<script type="text/javascript">'
withCodec("JavaScript") {
    out << body()
}
out.println()
out.println '</script>'
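Solution 2 of the "one codec is not enough" gotcha and the 2.3 taglib controls just listed (defaultEncodeAs, encodeAsForTags, withCodec) combined into one tag library, as an added example that is not from the slides or from the Grails project itself. The safe namespace, the tag names and the user.name / comment.body model attributes in the usage comments are assumptions.

```groovy
package example.security

// Added example (not from the slides): a Grails 2.3 tag library that keeps
// HTML encoding as the safe default for the whole library and switches to
// JavaScript encoding only inside the <script> fragment, so a page with
// mixed contexts no longer has to turn its default codec off.
// Namespace, tag names and model attributes are assumptions.
class SafeOutputTagLib {

    static namespace = 'safe'

    // Grails 2.3: the output of every tag in this library is HTML-encoded
    // unless the tag is listed below or the GSP passes encodeAs='...'.
    static defaultEncodeAs = 'html'

    // inlineScript writes literal <script> markup itself, so its own output
    // must stay raw; its body is handled by withCodec instead.
    static encodeAsForTags = [inlineScript: 'raw']

    /**
     * Renders untrusted text in HTML body context.
     * GSP usage: <safe:text value="${comment.body}"/>
     * The library default (html) turns < > & " ' into entities, so the
     * tag body itself needs no explicit encodeAsHTML() call.
     */
    def text = { attrs ->
        out << (attrs.value ?: '')
    }

    /**
     * Renders a <script> block whose ${...} expressions are JavaScript-encoded
     * (Solution 2 from the slides: the JS fragment lives in a tag, not in the
     * page, so the page can keep html as its default codec).
     * GSP usage:
     *   <safe:inlineScript>
     *     var userName = "${user.name}";
     *   </safe:inlineScript>
     * Static parts of the body are written as-is; only expression values are
     * encoded, and with the JavaScript codec rather than the HTML one.
     */
    def inlineScript = { attrs, body ->
        out.println '<script type="text/javascript">'
        // Push JavaScript as the default expression codec while the body
        // renders; the previous default is popped back when the closure ends.
        withCodec('JavaScript') {
            out << body()
        }
        out.println()
        out.println '</script>'
    }
}
```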
Don't Trust Plugins
Plugins are part of your app
• Grails plugins are not security audited
• Grails plugins are part of your application's attack surface
• Review plugins to make sure they encode; if they don't, file a JIRA with the authors immediately, then fork and patch to fix your app quickly.
E.g. Javamelody vulnerability
• Vulnerability CVE-2013-4378 reported.
• Allows a blind XSS attack via X-Forwarded-For header spoofing.
• The attack target is the admin's browser.
• Fixed in the latest release (1.47).
• You should upgrade ASAP.
Demo: Javamelody XSSed
Demo 2
https://vimeo.com/77401328
Solutions: What options do we have?
Be aware
• Upgrade to Grails 2.3
• Review all dynamic content carefully
• Raise awareness
• Use application firewalls
• CSP: Content Security Policy
  • Adds headers that disable default browser behaviour:
    • inline JavaScript
    • dynamic code evaluation
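The CSP bullet above, as an added example that is not from the slides: a Grails 2.x filter (placed in grails-app/conf/) that sends a Content-Security-Policy header on every response. A policy without 'unsafe-inline' and 'unsafe-eval' makes the browser refuse inline script and eval even when an encoding slip lets attacker-controlled markup into a page. The class name, the exact policy and the /csp-report endpoint are assumptions.

```groovy
package example.security

// Added example (not from the slides): a Grails 2.x filter that adds a
// Content-Security-Policy header. Because 'unsafe-inline' and 'unsafe-eval'
// are absent, the browser blocks inline <script> blocks, on* handler
// attributes and eval(), which is the "disable default behaviour" the
// slides describe. Class name, policy values and the report endpoint are
// assumptions; put the file in grails-app/conf/ to have Grails load it.
class ContentSecurityPolicyFilters {

    // Scripts, styles and other resources may come only from our own origin.
    // Inline JavaScript is blocked because 'unsafe-inline' is not listed,
    // dynamic evaluation because 'unsafe-eval' is not listed.
    static final String POLICY = [
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self'",
        "object-src 'none'",
        "frame-ancestors 'none'",
        "report-uri /csp-report"   // assumed endpoint that logs violations
    ].join('; ')

    def filters = {
        cspHeader(controller: '*', action: '*') {
            before = {
                // Set in 'before' so the header is present even when the
                // action redirects or ends in an error page.
                response.setHeader('Content-Security-Policy', POLICY)
                true  // let the action run
            }
        }
    }
}
```

Inline scripts in your own GSPs will also be refused under this policy, so move them to external files first, or ship the same policy as Content-Security-Policy-Report-Only and watch the reports before enforcing it.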
Security in the development lifecycle
• ZAP Security Tests Plugin for Grails.
Demo 3
https://vimeo.com/77395745
Conclusions: Grails can defeat XSS
Grails
• Provides the means to make your application safe from XSS attacks
• Upgrade to 2.3 ASAP
• Pay attention to XSS
XSS
• It's much more dangerous than defacement jokes
• Your users are the actual target
• Difficult to monitor
Wake up
• Get familiar with Metasploit, ZAP, BeEF, mod-security and Burp.
• Spread the word both horizontally and vertically.
References
• Grails XSS Countermeasures – R. Luque, J. San Leandro
• Grails ZAP Security Tests Plugin – The Rat Pack group
• ZAP Security Tests Sample App – The Rat Pack group
• Can I pwn your Grails application? – Marc Palmer
• Grails-9906 – Grails Jira
• Grails Default Codecs Proposal – Grails Wiki
• Metasploit: The Penetration Tester's Guide – David Kennedy et al.
• The Tangled Web – Michal Zalewski
• Metasploit para Pentesters – Pablo Gonzalez
• Pentesting con Kali – Pablo Gonzalez
Picture credits
• Game: http://www.themaninblue.com/
• Cover: http://www.flickr.com/photos/usairforce/ (CC by-nc)
• White rabbit: http://www.flickr.com/photos/alles-banane/5849593440 (CC by-sa-nc)
• Hieroglyphs: http://www.flickr.com/photos/59372146@N00 (CC by-sa-nc)
• Zombies: http://www.flickr.com/photos/aeviin/4986897433 (CC by-sa-nc)
R. Luque & J. San Leandro
Grails vs XSS
Defending Grails against XSS attacks
@rafael_luque - Osoco @rydnr - Ventura24

More Related Content

What's hot

Defender economics
Defender economicsDefender economics
Defender economics
addelindh
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
Great Wide Open
 
Network Security and Cryptography.pdf
Network Security and Cryptography.pdfNetwork Security and Cryptography.pdf
Network Security and Cryptography.pdf
AdityaKumar1548
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
Jermund Ottermo
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
OWASP Delhi
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
Hacking Lab con ProxMox e Metasploitable
Hacking Lab con ProxMox e MetasploitableHacking Lab con ProxMox e Metasploitable
Hacking Lab con ProxMox e Metasploitable
Andrea Draghetti
 
Web Security.pdf
Web Security.pdfWeb Security.pdf
Web Security.pdf
AdityaKumar1548
 
JavaScript Supply Chain Security
JavaScript Supply Chain SecurityJavaScript Supply Chain Security
JavaScript Supply Chain Security
Adam Baldwin
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
POSSCON
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linx
idsecconf
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
Priyanka Aash
 
The State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive Montreal
The State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive MontrealThe State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive Montreal
The State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive Montreal
Liran Tal
 

What's hot (13)

Defender economics
Defender economicsDefender economics
Defender economics
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 
Network Security and Cryptography.pdf
Network Security and Cryptography.pdfNetwork Security and Cryptography.pdf
Network Security and Cryptography.pdf
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
 
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Hacking Lab con ProxMox e Metasploitable
Hacking Lab con ProxMox e MetasploitableHacking Lab con ProxMox e Metasploitable
Hacking Lab con ProxMox e Metasploitable
 
Web Security.pdf
Web Security.pdfWeb Security.pdf
Web Security.pdf
 
JavaScript Supply Chain Security
JavaScript Supply Chain SecurityJavaScript Supply Chain Security
JavaScript Supply Chain Security
 
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
How to Use Cryptography Properly: The Common Mistakes People Make When Using ...
 
Bruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linxBruteforce basic presentation_file - linx
Bruteforce basic presentation_file - linx
 
Android Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities RevisitedAndroid Serialization Vulnerabilities Revisited
Android Serialization Vulnerabilities Revisited
 
The State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive Montreal
The State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive MontrealThe State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive Montreal
The State of Open Source Security - Liran Tal - 2019 NodeJS+Interactive Montreal
 

Similar to Grails vs XSS: Defending Grails against XSS attacks

XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
OSOCO
 
XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
Rafael Luque Leiva
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
Vlad Savitsky
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
OwaspCzech
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
Mohammed A. Imran
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
Sergey Gordeychik
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
Cliff Smith
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
Phú Phùng
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
Prabath Siriwardena
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
Area41
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
Mykhailo Antonishyn
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
Lewis Ardern
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
Fedir RYKHTIK
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
Martin Vigo
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hacking
eiti panchkula
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 

Similar to Grails vs XSS: Defending Grails against XSS attacks (20)

XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
 
XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
 
Looking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad SavitskyLooking for Vulnerable Code. Vlad Savitsky
Looking for Vulnerable Code. Vlad Savitsky
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Something Died Inside Your Git Repo
Something Died Inside Your Git RepoSomething Died Inside Your Git Repo
Something Died Inside Your Git Repo
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
hashdays 2011: Tobias Ospelt - Reversing Android Apps - Hacking and cracking ...
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Information security & ethical hacking
Information security & ethical hackingInformation security & ethical hacking
Information security & ethical hacking
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 

Recently uploaded

Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Undress Baby
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
Hironori Washizaki
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
Green Software Development
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
lorraineandreiamcidl
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
Ayan Halder
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
Gerardo Pardo-Castellote
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 

Recently uploaded (20)

Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 

Grails vs XSS: Defending Grails against XSS attacks

  • 1. R. Luque & J. San Leandro Grails vs XSS Defending Grails against XSS attacks @rafael_luque - Osoco @rydnr - Ventura24
  • 3.
  • 5. Something more than a joke. . .
  • 7.
  • 9. XSS concepts and treats R. Luque & J. San Leandro • What’s a XSS • XSS Types: Reflected, stored, DOM-based. • Famous attacks: Samy worm, MrBean defacement, . . .
  • 10. XSS threats R. Luque & J. San Leandro • Interface defacement • Session hijacking • Your PC may be joined to the horde of zombies in a BotNet.
  • 11. Responsibilities: Why is this still an issue?
  • 12. Do your homework R. Luque & J. San Leandro • Security is often overlooked at all levels • Raise awareness • Practice with security tools • Promote defensive coding
  • 16. #1: Built-in default codec grails.views.default.codec
  • 17. #1: Built-in default codec is none! grails.views.default.codec = ’’none’’
  • 18. #1: Built-in default codec is none! Problems You have to escape explicitly every untrusted data: encodeAsHTML() encodeAsJavaScript() encodeAsURL()
  • 19. #1: Built-in default codec is none! Problems High likelihood of XSS vulnerabilities in production. E.g. Grails.org website is vulnerable.
  • 20. #1: Built-in default codec is none! Problems Double-encoding prevention over security by default.
  • 21. #1: Built-in default codec is none! Solution Change default codec to HTML: grails.views.default.codec = ’’html’’
  • 22. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...}
  • 23. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../>
  • 24. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/>
  • 25. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)}
  • 26. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)} • Scriptlets: <%= ... %>
  • 27. #2: Inconsistent behaviour Apply codec Does not apply codec • GSP EL: ${...} • Tag: <g:tag .../> • GSP EL in tag attribute: <g:tag a="${...}"/> • Tag as a method: ${g.tag(...)} • Scriptlets: <%= ... %>
  • 28. #3: One codec is not enough You MUST use the escape syntax for the context of the HTML document you’re putting untrusted data into: • HTML • JavaScript • URL • CSS
  • 29. #3: One codec is not enough HTML entity encoding doesn’t work if you’re using untrusted data inside a <script>, or an event handler attribute like onmouseover, or inside CSS, or in a URL.
• 30. #3: One codec is not enough Problems You can override the default codec for a whole page, but you cannot switch the codec per context: <%@page defaultCodec='CODEC' %>
  • 31. #3: One codec is not enough Problems How to manage GSPs with mixed encoding requirements?
  • 32. #3: One codec is not enough Solution 1 Turn off default codec for that page and use encodeAsJavaScript() and encodeAsHTML() explicitly everywhere.
• 33. #3: One codec is not enough Solution 2 Extract the JavaScript fragment into a GSP tag that encodes its body as JavaScript.
• 35-36. #1: New configuration, more secure by default
    grails {
        views {
            gsp {
                encoding = 'UTF-8'
                htmlcodec = 'xml' // use xml escaping instead of HTML4
                codecs {
                    expression = 'html' // escapes values inside ${}
                    scriptlet = 'html' // escapes output from scriptlets in GSPs
                    taglib = 'none' // escapes output from taglibs
                    staticparts = 'none' // escapes output from static templates
                }
            }
            // escapes all not-encoded output at final stage of outputting
            filteringCodecForContentType {
                //'text/html' = 'html'
            }
        }
    }
• 37. #2: Finer-grained control of codecs Control the codecs used per plugin: pluginName.grails.views.gsp.codecs.expression = 'CODEC'
• 38. #2: Finer-grained control of codecs Control the codecs used per page: <%@ expressionCodec='CODEC' %>
• 39. #2: Finer-grained control of codecs Control the default codec used by a tag library: static defaultEncodeAs = 'HTML' Or on a per-tag basis: static encodeAsForTags = [tagName: 'HTML']
• 40. #2: Finer-grained control of codecs Add support for an optional encodeAs attribute to all tags automatically: <my:tag arg='foo.bar' encodeAs='JavaScript'/>
• 41. #3: Context-sensitive encoding switching Tag withCodec('CODEC', Closure) switches the current default codec, pushing onto and popping from a default codec stack:
    out.println '<script type="text/javascript">'
    withCodec("JavaScript") {
        out << body()
    }
    out.println()
    out.println '</script>'
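As an added example (not code from the slides or from Grails itself), a Grails 2.3 tag library that combines the controls above: an HTML default for the whole library, a per-tag raw override for the one tag that writes its own markup, and withCodec to render that tag's body with the JavaScript codec, which is also "Solution 2" from #3. The SafeOutputTagLib class, the safe namespace and the tag names are hypothetical.

```groovy
package demo.security

// Added example, not from the slides: a Grails 2.3 tag library using the
// per-library, per-tag and per-body codec controls. Names are hypothetical.
class SafeOutputTagLib {
    static namespace = 'safe'

    // Every tag in this library is HTML-encoded on output unless overridden.
    static defaultEncodeAs = 'HTML'

    // The script tag writes its own <script> markup and takes care of the
    // encoding of its body, so its output must not be HTML-encoded again.
    static encodeAsForTags = [script: 'raw']

    /**
     * <safe:displayName name="${user.name}"/>
     * Writes plain text; the library default HTML-encodes it, so a name
     * containing markup is rendered as text, not interpreted by the browser.
     */
    def displayName = { attrs ->
        out << (attrs.name ?: 'anonymous')
    }

    /**
     * <safe:script>var name = '${user.name}';</safe:script>
     * The body is rendered with the JavaScript codec, so ${} values inside it
     * are escaped as JavaScript string content instead of as HTML. HTML entity
     * encoding would leave quotes intact and not protect this context.
     */
    def script = { attrs, body ->
        out << '<script type="text/javascript">'
        withCodec('JavaScript') {
            out << body()
        }
        out << '</script>'
    }
}
```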
• 43. Plugins are part of your app • Grails plugins are not security audited • Grails plugins are part of your application's attack surface • Review plugins to make sure they encode, and if they don't, file a JIRA issue with the authors immediately, then fork and patch to fix your app quickly.
• 44. E.g. Javamelody vulnerability • CVE-2013-4378 vulnerability reported. • Allows a blind XSS attack via X-Forwarded-For header spoofing. • The attack target is the admin's browser. • Fixed in the latest release (1.47). • You should upgrade ASAP.
• 45. Demo: Javamelody XSSed
• 48. Be aware • Upgrade to Grails 2.3 • Review carefully all dynamic content • Raise awareness • Use application firewalls
• 49. • CSP: Content Security Policy • Adds response headers that disable default browser behaviour: inline JavaScript and dynamic code evaluation.
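Added example, not code from the slides: a Grails 2.x filter (file under grails-app/conf/, name hypothetical) that sends a Content-Security-Policy header on every response. Because the policy omits 'unsafe-inline' and 'unsafe-eval', the browser refuses inline scripts and eval(), which is the default behaviour the slide says CSP disables.

```groovy
// grails-app/conf/SecurityHeadersFilters.groovy (hypothetical file name)
// Added example, not from the slides: a Grails 2.x filter that adds a CSP
// header to every response served by the application.
class SecurityHeadersFilters {

    // A policy that keeps 'unsafe-inline' and 'unsafe-eval' defeats the
    // purpose, e.g. "script-src 'self' 'unsafe-inline' 'unsafe-eval'".
    // The strict form below only permits same-origin scripts loaded from
    // files, so inline <script> blocks and eval() are blocked by the browser.
    static final String CSP_POLICY =
        "default-src 'self'; script-src 'self'; object-src 'none'"

    def filters = {
        cspHeader(controller: '*', action: '*') {
            before = {
                response.setHeader('Content-Security-Policy', CSP_POLICY)
                // returning true lets the request continue to the controller
                true
            }
        }
    }
}
```

This policy also blocks the inline <script> blocks that GSPs commonly emit, so move that code into static files served from the same origin before enabling it.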
• 50. Security in the development lifecycle • ZAP Security Tests Plugin for Grails.
• 53. Grails • Provides the means to make your application safe from XSS attacks • Upgrade to 2.3 ASAP • Pay attention to XSS
• 54. XSS • It's much more dangerous than defacement jokes • Your users are the actual target • Difficult to monitor
• 55-56. Wake up • Get used to Metasploit, ZAP, BeEF, mod-security, Burp. • Spread the word both horizontally and vertically.
• 57. References • Grails XSS Countermeasures – R. Luque, J. San Leandro • Grails ZAP Security Tests Plugin – The Rat Pack group • ZAP Security Tests Sample App – The Rat Pack group • Can I pwn your Grails application? – Marc Palmer • Grails-9906 – Grails Jira • Grails Default Codecs Proposal – Grails Wiki • Metasploit: The Penetration Tester's Guide – David Kennedy et al. • The Tangled Web – Michal Zalewski • Metasploit para Pentesters – Pablo Gonzalez • Pentesting con Kali – Pablo Gonzalez
• 58. Picture credits • Game: http://www.themaninblue.com/ • Cover: http://www.flickr.com/photos/usairforce/ CC by-nc • White rabbit: http://www.flickr.com/photos/alles-banane/5849593440 CC by-sa-nc • Hieroglyphs: http://www.flickr.com/photos/59372146@N00 CC by-sa-nc • Zombies: http://www.flickr.com/photos/aeviin/4986897433 CC by-sa-nc
  • 59. R. Luque & J. San Leandro Grails vs XSS Defending Grails against XSS attacks @rafael_luque - Osoco @rydnr - Ventura24