Blind XSS

Adam Baldwin

Tue, 26th February 2013


Speaker Bio 1:
Adam Baldwin is the Team Lead at Lift Security, a web application security consultancy, and the Chief Security Officer at &yet (andyet.net). He at one time possessed a GCIA and CISSP. Adam is a highly knowledgeable information security expert, having created the DVCS pillaging toolkit and helmet, the security header middleware for node.js; he is a minor contributor to the W3AF project and has previously spoken at DEF CON, Toorcon, Toorcamp, DjangoCon, and JSconf.

Questions and answers

Max, Concise Courses:
What’s the most secure chat app in your opinion?

Adam Baldwin:
I don’t really have an opinion. Most of the stuff I am testing is custom internal tools. I found vulnerabilities in the popular ones [live chat messaging] out there; usually they are running old versions though, and they are usually all web based.


Max, Concise Courses:
What is the difference between XSS and CSRF?

Adam Baldwin:
XSS is where you inject HTML, JavaScript or some other type of browser-specific payload into the page and get that to render, and you can submit anything on behalf of the user. It’s basically like a code injection and you are getting execution in the context of the user who is rendering that HTML.

CSRF, or request forgery, is where a victim visits a malicious site and that malicious site submits a request, something like a form, on behalf of that user to some other site, and because your browser is helpful it sends along things like authentication cookies, session cookies and things like that – that’s the difference.


Max, Concise Courses:
Why is XSS still vulnerable to attack; does HTML5 represent a new era of less ability for hackers to execute cross-site scripting, or is it more of a server issue?

Adam Baldwin:
It’s a developer problem at this point more so than anything else. Naive and even seasoned developers make the mistake of taking user input and sticking it someplace unrendered and not properly output encoded. The biggest thing to remember there too is that it needs to be contextually encoded, so if you have a user providing input and you are sticking it into an HTML document, it has to be encoded one way; for JavaScript or CSS, those encoding rules are different. I know that OWASP has some encoding rules that help developers – but it’s really a developer problem; it’s not an HTML5 problem. Developers need to properly output encode.


Max, Concise Courses:
Do you recommend the OWASP XSS Filter Evasion Cheat Sheet or do you have another that you use?

Adam Baldwin:
I don’t know what’s on that and I haven’t recommended that particular one, but it seems that there are new evasion techniques [coming out all the time]. I can’t think of all of the names, but there are a bunch of people like Mario [and others] that come out with evasions. They have contests for evading different things, filters, encodings etc., and there always seems to be something new, so those cheat sheets can get out of date [very quickly]. It really is an evolving landscape; different browsers have different activities and nuances, which make building a rule set across every platform really difficult. It’s a hard problem to solve.


Max, Concise Courses:
What is the best way to make sure that our company website hasn’t been injected with some sort of XSS script? Is there a service or tool that can check our site for XSS vulnerabilities or existing malware?

Adam Baldwin:
The way that I would approach that is to look at your data set. You could correlate all the fields in your database and look for patterns or script tags, or payloads etc. That’s going to have the same problem as we do with encoding. People are going to have different techniques or styles for injection. So, you are going to have to look at that, which can be a giant pain. Burp proxy has got a scanner that finds SQL injection points, but no tool is going to find everything. I find the most interesting stuff doing manual audits; at Lift we provide assessments for that type of service, and there are plenty of other vendors that do manual security assessments as well. Getting an audit done is really the way to test that.


Max, Concise Courses:
By Mario – you mean Mario Heiderich, right?

Adam Baldwin:
Yes.

Max, Concise Courses:
Yes, because we had Mario on Hacker Hotshots last November (2012), so we’ll link both of these events together so that there is some continuity there.