© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research Group Manager OWASP IL

Mar 29, 2015

Transcript
Page 1: © 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation

IBM Rational Application Security

The Bank Job: Utilizing XSS Vulnerabilities

Adi Sharabani, IBM Rational Application Security, Research Group Manager

OWASP IL

Page 2

ILSL - IBM Israel Software Lab

Agenda

Theoretical part:

– Same Origin Policy 101

– Cross-Site Scripting 101

– HTTP sessions

Practical part:

– Trivial robbery

– Advanced robbery

Page 3

Browser Scripting Capabilities

What can scripts do:

– Scripts can perform user interactions with the site

– Scripts can seamlessly interact with the web site

– Can perform any action that is related to the site

– Can launch signed and safe ActiveX controls

Page 4

Scripting Restrictions – Same Origin Policy

What scripts cannot do:

– Scripts can only interact with the domain they came from

– Scripts can send requests to, and read responses from, only their own domain

– Scripts can access other browser frames only if those frames come from the same domain

– Scripts can issue requests to other domains (but cannot read the corresponding responses)

Page 5

XSS 101

XSS occurs when user input (here, JavaScript) is returned unencoded by the web application:

String data = request.getParameter("param"); // untrusted user input

out.println(data); // reflected into the response without encoding

Simple exploit:

– http://www.thebank.site/action?param=<payload>

XSS breaks Same-Origin Policy

– The vulnerable domain may now return arbitrary JavaScript to the browser.
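The reflection point on this slide, modelled in Node as an added example (not the deck's own code), with the output-encoded version beside it; escapeHtml, renderVulnerable, renderSafe and containsScriptTag are hypothetical names, and the encoder covers the HTML text context only.

```javascript
// Added example, not from the slides. Models the slide's
// out.println(request.getParameter("param")) sink and its fix.

// HTML-entity encoding for untrusted data placed in HTML text content.
// (Attribute and JavaScript contexts need their own encoders.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Equivalent of the Java snippet: the parameter goes straight into the page.
function renderVulnerable(param) {
  return `<p>You searched for: ${param}</p>`;
}

// Hardened version: encode before the value reaches the response.
function renderSafe(param) {
  return `<p>You searched for: ${escapeHtml(param)}</p>`;
}

// Constructed check: did a <script> element survive into the rendered page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input standing in for ?param=<payload> from the slide.
const payload = "<script>alert(1)</script>";
console.log(renderVulnerable(payload)); // tag is live in the page
console.log(renderSafe(payload));       // tag is inert text
```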

Page 6

Cross Site Scripting – The Exploit Process

Parties: Evil.org, TheBank.site, User

1. Link to bank.com sent to user via E-mail or HTTP

2. User sends script embedded as data

3. Script returned, executed by browser

Page 7

The session cookie

HTTP is stateless

Session id makes your application stateful

Session id = your identification

Should not be guessable

JavaScript access: document.cookie

Page 8

Cross Site Scripting – The Exploit Process

Parties: Evil.org, TheBank.site, User

1. Link to bank.com sent to user via E-mail or HTTP

2. User sends script embedded as data

3. Script returned, executed by browser

4. Script sends user’s cookie and session information without the user’s consent or knowledge

5. Evil.org uses stolen session information to impersonate user

Page 9

Trivial Robbery

Demo

Page 10

Demo

Build payload

Send malicious link to victim

Retrieve the cookie and extract the session id

Manually add session cookie to local browser

Make a transaction

Page 11

Advanced Robbery

Demo

Page 12

Problems: The session id cookie is not enough

HttpOnly

– Set-Cookie: <name>=<value>[; <name>=<value>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]

Pre-logon XSS
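An added example, not from the deck: a small audit of the Set-Cookie grammar shown above that reports a session cookie missing HttpOnly or Secure, and models what document.cookie would expose to a script on the page; parseSetCookie, auditSessionCookie and visibleToScript are hypothetical names and the sample headers are constructed.

```javascript
// Added example (not from the slides): parse a Set-Cookie header using the
// grammar on the slide and report which session-protection attributes are
// missing. Function names are hypothetical.

// Parse "name=value; attr[=val]; ..." into { name, value, attrs }.
// Attribute names are matched case-insensitively (HttpOnly, httponly, ...).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const pair = parts.length ? parts[0] : "";
  const eq = pair.indexOf("=");
  const name = eq < 0 ? pair : pair.slice(0, eq).trim();
  const value = eq < 0 ? "" : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit a session cookie: HttpOnly keeps document.cookie from reading it,
// Secure keeps it off plaintext HTTP. Returns the list of findings.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!("httponly" in c.attrs)) findings.push("missing HttpOnly");
  if (!("secure" in c.attrs)) findings.push("missing Secure");
  if (c.attrs.expires || c.attrs["max-age"]) findings.push("persistent, not session-scoped");
  return findings;
}

// Model of what a script on the page sees via document.cookie: only cookies
// set without HttpOnly are exposed (models the browser rule, not a browser).
function visibleToScript(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => !("httponly" in c.attrs))
    .map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed sample headers for a bank-style session cookie.
const weak = "JSESSIONID=abc123; Path=/";
const strong = "JSESSIONID=abc123; Path=/; Secure; HttpOnly";
console.log(auditSessionCookie(weak));             // [ 'missing HttpOnly', 'missing Secure' ]
console.log(auditSessionCookie(strong));           // []
console.log(visibleToScript([strong, "lang=en"])); // lang=en
```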

Page 13

Problems: Key-logging is not enough

Second factor authentication:

– Dongles

– Client certificates

Challenge on transaction:

– Security questions: “What is your mom’s maiden name?”

– Time-based challenge

Page 14

?

http://blog.watchfire.com