Independent hacker Moxie Marlinspike has unveiled new techniques to defeat SSL encryption, which would leave common web applications such as online banking or secure website logins vulnerable to attack.

This would mean that the padlock icon in the corner of supposedly ‘safe’ websites and touted as optimal security by companies like security-with-verisign" target="_blank">Verisign may not be as safe as people generally believe.

Marlinspike revealed his findings at the Black Hat security conference in Washington DC, showing a number of ways where the “chain of trust” fell apart around SSL encryption.

He looked at the possibilities for new vectors of attack against HTTPS, the combination of HTTP and a network security protocol, which are often used for payment and sensitive corporate transactions.

Marlinspike also revealed a free software tool called “SSL Strip”, which could be deployed on a network and used for a man in the middle attack on all potential SSL connections.

It stripped away the SSL encryption, substituting a look-alike HTTPS site, while still convincing the user and website the security was in place.

Reference: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

Introduction

This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack.

These rules apply to all the different varieties of XSS. Both reflected and stored XSS can be addressed by performing the appropriate escaping on the server-side. The use of an escaping/encoding library like the one in ESAPI is strongly recommended as there are many special cases. DOM Based XSS can be addressed by applying these rules on the client on untrusted data.

For a great cheatsheet on the attack vectors related to XSS, please refer to the excellent XSS Cheat Sheet by RSnake. More background on browser security and the various browsers can be found in the Browser Security Handbook.

Untrusted Data

Untrusted data is most often data that comes from the HTTP request, in the form of URL parameters, form fields, headers, or cookies. But data that comes from databases, web services, and other sources is frequently untrusted from a security perspective. That is, it might not have been perfectly validated. The OWASP Code Review Guide has a decent list of methods that return tainted data in various languages, but you should be careful about your own methods as well.

Untrusted data should always be treated as though it contains an attack. That means you should not send it anywhere without taking steps to make sure that any attacks are detected and neutralized. As applications get more and more interconnected, the likelihood of a buried attack being executed by a downstream interpreter increases rapidly.

Traditionally, input validation has been the preferred approach for handling untrusted data. However, input validation is not a great solution for injection attacks. First, input validation is typically done when the data is received, before the destination is known. That means that we don’t know which characters might be significant in the target interpreter. Second, and possibly even more importantly, applications must allow potentially harmful characters in. For example, should poor Mr. O’Malley be prevented from registering in the database simply because SQL considers ‘ a special character?

While input validation is important and should always be performed, it is not a complete solution for injection attacks. It’s better to think of input validation as Defense in depth" href="http://www.owasp.org/index.php/Defense_in_depth">defense in depth and use escaping as described below as the primary defense.

Escaping (aka Output Encoding)

“Escaping” is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter’s parser. There are lots of different types of escaping, sometimes confusingly called output “encoding.” Some of these techniques define a special “escape” character, and other techniques have a more sophisticated syntax that involves several characters.

Do not confuse output escaping with the notion of Unicode character encoding, which involves mapping a Unicode character to a sequence of bits. This level of encoding is automatically decoded, and does not defuse attacks. However, if there are misunderstandings about the intended charset between the server and browser, it may cause unintended characters to be communicated, possibly enabling XSS attacks. This is why it is still important to specify the Unicode character encoding (charset), such as UTF-8, for all communications.

Escaping is the primary means to make sure that untrusted data can’t be used to convey an injection attack. There is no harm in escaping data – it will still render in the browser properly. Escaping merely prevents attacks from working.

Reference: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Cross site scripting issues are everywhere – I’ll try to provide as many resources as possible for programmers in different programming languages and show them how to take the basic steps in the way of protection.

Remember the basics: Always perform encoding at the time of displaying dynamic data to browsers. If you browse around the blog you should find more information on XSS and how to educate yourself as a programmer or individual (well programmers are individuals too, yeah.)

If your programming language is Java, then you should take a look at the StringEscapeUtils java class which belongs to the Apache commons namespace. It provides a nice set of encoding methods/functions that you need to have handy at the time of programming web based interfaces.

The Url for such class can be found here:

http://jakarta.apache.org/commons/lang/api/org/apache/commons/lang/StringEscapeUtils.html

In addition to providing encoding methods, the StringEscapeUtils class also provides decoding functionality – both encoding and decoding available in their Html, Javascript, Java, Xml and SQL versions (this last one not meant for XSS, but worth mentioning.)

Here’s a table of the different methods and references:

I will also cover in future posts any other encoding libraries available out there. For the moment, a nice alternative could be Michael Eddington’s encoding library named ‘Reform’ and which has recently (?) been adopted by the OWASP Encoding project. The library and the project can be found at:http://www.owasp.org/index.php/Category:OWASP_Encoding_Project

Scenario

Let’s say that you are auditing a web application and found a web page that accepts dynamic user-provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent header value. You now want to test if these are affected by a SQL injection vulnerability, and if so, exploit them to retrieve as much information as possible out of the web application’s back-end database management system or even be able to access the underlying operating system.

Consider that the target url is:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1

Assume that:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=1

is the same page as the original one and:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=2

differs from the original one, it means that you are in front of a SQL injection vulnerability in the id GET parameter of the index.php web application page which means that no IDS/IPS, no web application firewall, no parameters’ value sanitization is performed on the server-side.

Reference: http://sqlmap.sourceforge.net/doc/README.html