© 2009 IBM Corporation
IBM Rational Application Security
The Bank Job: Utilizing XSS Vulnerabilities
Adi Sharabani, IBM Rational Application Security, Research Group Manager
OWASP IL
ILSL - IBM Israel Software Lab
Agenda
Theoretical part:
– Same Origin Policy 101
– Cross-Site Scripting 101
– HTTP sessions
Practical part:
– Trivial robbery
– Advanced robbery
Browser Scripting Capabilities
What can scripts do:
– Scripts can perform the same interactions with the site as the user
– Scripts can seamlessly interact with the web site
– Scripts can perform any action that is related to the site
– Scripts can launch signed and safe ActiveX controls
Scripting Restrictions – Same Origin Policy
What scripts cannot do:
– Scripts can only interact with the domain they came from
– Scripts can send requests and read responses only from their own domain
– Scripts can access other browser frames only from the same domain
– Scripts can issue requests to other domains (but cannot view the corresponding responses)
XSS 101
XSS occurs when user input (containing JavaScript) is returned as-is by the web application:
String data = request.getParameter("param");
out.println(data);
Simple exploit:
– http://www.thebank.site/action?param=<payload>
XSS breaks the Same-Origin Policy
– The vulnerable domain may now return arbitrary JavaScript.
Cross Site Scripting – The Exploit Process
Actors: Evil.org, TheBank.site, User
1. Link to bank.com sent to user via E-mail or HTTP
2. User sends script embedded as data
3. Script returned, executed by browser
The session cookie
HTTP is stateless
Session id makes your application stateful
Session id = your identification
Should not be guessable
JavaScript access: document.cookie
Cross Site Scripting – The Exploit Process
Actors: Evil.org, TheBank.site, User
1. Link to bank.com sent to user via E-mail or HTTP
2. User sends script embedded as data
3. Script returned, executed by browser
4. Script sends user's cookie and session information without the user's consent or knowledge
5. Evil.org uses stolen session information to impersonate user
Trivial Robbery
Demo
Demo
Build payload
Send malicious link to victim
Retrieve the cookie and extract the session id
Manually add session cookie to local browser
Make a transaction
Advanced Robbery
Demo
Problems: The session id cookie is not enough
HttpOnly
– Set-Cookie: <name>=<value>[; <name>=<value>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]
Pre-logon XSS
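An added example (not part of the original slides) tying the "XSS 101" snippet to the HttpOnly slide: the reflected-parameter pattern beside its output-encoded form, and an audit of a Set-Cookie header against the syntax shown above. Function names and the sample cookie values are my own.

```python
# Added example, not from the original slides: the unencoded reflection from
# the "XSS 101" slide next to its hardened form, plus a Set-Cookie audit that
# reports a session cookie missing HttpOnly or Secure. Names are assumptions.
import html
from typing import Dict, List, Tuple

def render_vulnerable(param: str) -> str:
    """Equivalent of out.println(request.getParameter("param")): no encoding."""
    return f"<p>You searched for: {param}</p>"

def render_safe(param: str) -> str:
    """Same page, but the parameter is HTML-entity encoded before it is written.
    quote=True also encodes ' and " so the value cannot break out of an attribute."""
    return f"<p>You searched for: {html.escape(param, quote=True)}</p>"

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (secure, httponly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_session_cookie(header: str) -> List[str]:
    """Return the hardening flags a session cookie lacks.
    httponly keeps document.cookie from exposing the value to injected script;
    secure keeps the cookie off plaintext HTTP."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in ("httponly", "secure") if flag not in attrs]

if __name__ == "__main__":
    # Constructed sample input; not taken from any real site.
    probe = "<script>alert(1)</script>"
    print(render_vulnerable(probe))
    print(render_safe(probe))
    weak = "JSESSIONID=abc123; path=/"
    strong = "JSESSIONID=abc123; path=/; secure; HttpOnly"
    print(audit_session_cookie(weak))    # ['httponly', 'secure']
    print(audit_session_cookie(strong))  # []
```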
Problems: Key-logging is not enough
Second factor authentication
– Dongles
– Client certificates
Challenge on transaction
– Security questions: "What is your mom's maiden name?"
– Time-based challenge
?
http://blog.watchfire.com