libinjection: from sqli to xss by nick galbreath
DESCRIPTION
libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks in user input. Two years later the algorithm has been used by a number of open-source and proprietary WAFs and honeypots. This talk introduces a new algorithm for detecting XSS. Like the SQLi libinjection algorithm, it does not use regular expressions, is very fast, and has a low false-positive rate. Also like the original libinjection algorithm, it is available on GitHub under a free license.

Nick Galbreath
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges. Prior to IPONWEB, he was Director of Engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise features. Before Etsy, Nick held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market. He is the author of "Cryptography for Internet and Database Applications" (Wiley). Previous speaking engagements include Black Hat, DEF CON, DevOpsDays and OWASP events. He holds a master's degree in mathematics from Boston University and currently resides in Tokyo, Japan.

Speaking engagements in 2013:
• LASCON (http://lascon.org/about/), keynote speaker, Austin, Texas, USA
• DevOpsDays, Tokyo, Japan
• Security Development Conference (Microsoft), San Francisco, CA, USA
• DevOpsDays, Austin, Texas, USA
• Positive Hack Days (http://phdays.com), Moscow, Russia
• RSA USA, San Francisco, CA, speaker and panelist

In 2012:
• DEF CON
• Black Hat USA
• Others

TRANSCRIPT
[Page 1]
libinjection: From SQLi to XSS
Nick Galbreath (@ngalbreath), Signal Sciences, [email protected]
Code Blue ∙ Tokyo ∙ 2014-02-17
[Page 2]
Nick Galbreath @ngalbreath
• Founder/CTO of Signal Sciences Corp
• Before: IponWeb (Moscow, Tokyo)
• Before: Etsy (New York City)
[Page 3]
What is libinjection?
• A small C library to detect SQLi attacks in user input
• With API in python, lua and php
• Introduced at Black Hat USA 2012
• Open source with BSD license
• https://github.com/client9/libinjection
[Page 4]
Why libinjection?
• Existing detection is mostly done with regular expressions
• No unit tests
• No performance (speed) tests
• No coverage tests
• No accuracy or precision tests
• No false positive tests
• “what are they actually doing?”
[Page 5]
libinjection SQLi Today
• Version 3.9.1
• 8000 unique SQLi fingerprints
• 400+ unit tests
• 85,000+ SQLi samples
[Page 6]
In Use At
• mod_security WAF - http://www.modsecurity.org/
• ironbee WAF - https://www.ironbee.com/
• glastopf honeypot - http://glastopf.org/
• proprietary WAFs
• internally at many companies
• partial pure-java port
[Page 7]
XSS
[Page 8]
Similar to SQLi
• No standard detection library
• Few if any have tests
• Regular expression based detection
• Can we do better?
[Page 9]
Two Types of XSS
• HTML injection attacks
• JavaScript injection attacks
[Page 10]
XSS JavaScript Injection
• Includes DOM-style attacks
• Attacks existing JavaScript code.
• Detection can only truly be done on the client.
• A very hard problem.
[Page 11]
HTML Injection
• HTML injection attacks target the browser's HTML tokenization algorithm (the step that turns the text “<b>foo</b>” into the tokens <b>, foo, </b>).
• The goal is to change the context to ‘javascript’ and execute arbitrary code.
• This seems detectable.
[Page 12]
HTML Injection Samples
<b>XSS</b> (raw HTML)
<foo XSS> (tag attribute from user input)
<foo name=XSS> (tag value from user input)
<foo name='XSS'> (quoted value)
<foo name="XSS"> (quoted value)
<foo name=`XSS`> (IE only!)
[Page 13]
Browser HTML Tokenization
• Previously every browser parsed or tokenized HTML differently.
• This led to a number of different attacks using broken HTML tags, special characters or encodings.
• Now most browsers use the same algorithm, specified by HTML5.
[Page 15]
Every Tokenization Step
[Page 16]
Is Clearly Defined
[Page 17]
The remainder are IE
• And IE only has a few versions
• And has some well-known exceptions to the HTML5 parsing rules.
[Page 18]
IE6 and IE7
• IE7 has only 2% of market share
• IE6 will, in time, go away.
• Both are likely running on 10-year-old machines.
[Page 19]
IE8
• Somewhere between 10-20% market share
• The most modern MS browser on Windows XP
• Market share can only go down.
[Page 20]
Opera
• 1.33% global market share
• But maybe 40% of that is ‘Opera Mini’ for phones or embedded systems
• Opera has a lot of oddities in HTML functionality and parsing
• Ignoring it
[Page 21]
libinjection XSS
[Page 22]
What it covers: HTML injection attacks in HTML5 clients.
• No: XML / XSLT injection
• No: any injection that only works in IE6, IE7, Opera, or Firefox and Chrome older than a year
• No: DOM-style attacks (those need a client-side solution)
[Page 23]
libinjection html5
• Full HTML5 Tokenizer.
• Does not build a tree or DOMs
• Just emits tokenizer events.
• Zero copying of data
[Page 24]
Tokenization Sample
<img src="junk" onerror=alert(1);>
TAG_NAME_OPEN   img
ATTR_NAME       src
ATTR_VALUE      junk
ATTR_NAME       onerror
ATTR_VALUE      alert(1);
TAG_NAME_CLOSE  >
[Page 25]
Check in each Context
Each input is parsed in at least 6 different HTML contexts, because that's how XSS works:
<b>XSS</b> (raw HTML)
<foo XSS> (tag attribute from user input)
<foo name=XSS> (tag value from user input)
<foo name='XSS'> (quoted value)
<foo name="XSS"> (quoted value)
<foo name=`XSS`> (IE only!)
[Page 26]
Ban Problematic Tokens
• Problematic tags, attributes, and values are cataloged.
• Tags: <script>, anything XML or SVG related
• Attributes: on*, etc
• Values: javascript URLs in various formats
• and more…
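The three slides above (tokenization sample, check in each context, ban problematic tokens) describe the whole approach. The following is an added Python example written for this page; it is not libinjection's code and its tag, attribute and scheme lists are illustrative, not the library's catalog. It implements a cut-down HTML5-style tokenizer that emits the same events as the "Tokenization Sample" slide, starts it once in each of the six contexts, and stops at the first banned token. It goes one step beyond the slides in one place: tab and control characters are stripped from attribute values before the scheme is compared, so "ja<TAB>vascr<TAB>ipt:" inside a quoted value is caught.

```python
# Added example (not libinjection's own code): cut-down HTML5-style tokenizer
# plus per-context checks. Ban lists below are illustrative, not the library's.
import re

# One tokenizer start state per HTML context user input can land in.
CONTEXTS = {
    "DATA": "<b>XSS</b>",                       # raw HTML
    "ATTR_NAME": "<foo XSS>",                   # tag attribute from user input
    "ATTR_VALUE_UNQUOTED": "<foo name=XSS>",    # unquoted value
    "ATTR_VALUE_SINGLE": "<foo name='XSS'>",    # single-quoted value
    "ATTR_VALUE_DOUBLE": '<foo name="XSS">',    # double-quoted value
    "ATTR_VALUE_BACKTICK": "<foo name=`XSS`>",  # back-quoted value (IE only)
}
_QUOTE_STATE = {'"': "ATTR_VALUE_DOUBLE", "'": "ATTR_VALUE_SINGLE", "`": "ATTR_VALUE_BACKTICK"}
_STATE_QUOTE = {v: k for k, v in _QUOTE_STATE.items()}
_WS = " \t\n\r\f"


def tokenize(s, start="DATA"):
    """Yield (event, text) pairs. Names are lowercased as HTML5 does; values are
    returned raw (this cut-down version does no entity decoding)."""
    i, n, state = 0, len(s), start
    while i < n:
        if state == "DATA":
            j = s.find("<", i)
            if j < 0 or j + 1 >= n:
                return
            nxt = s[j + 1]
            if nxt.isalpha():
                i, state = j + 1, "TAG_NAME"
            elif nxt == "/":
                end = s.find(">", j + 2)
                if end < 0:
                    return
                yield ("TAG_NAME_END", s[j + 2:end].strip(_WS + "/").lower())
                i = end + 1
            else:  # "<!" or "<?" opens a (bogus) comment; nothing executes inside
                close = "-->" if s.startswith("<!--", j) else ">"
                end = s.find(close, j + 2)
                if end < 0:
                    return
                i = end + len(close)
        elif state == "TAG_NAME":
            j = i
            while j < n and s[j] not in _WS + "/>":
                j += 1
            yield ("TAG_NAME_OPEN", s[i:j].lower())
            i, state = j, "ATTR_NAME"
        elif state == "ATTR_NAME":
            while i < n and s[i] in _WS + "/":
                i += 1
            if i >= n:
                return
            if s[i] == ">":
                yield ("TAG_NAME_CLOSE", ">")
                i, state = i + 1, "DATA"
                continue
            j = i
            while j < n and s[j] not in _WS + "/>=":
                j += 1
            yield ("ATTR_NAME", s[i:j].lower())
            i = j
            while i < n and s[i] in _WS:
                i += 1
            if i < n and s[i] == "=":
                i += 1
                while i < n and s[i] in _WS:
                    i += 1
                if i < n and s[i] in _QUOTE_STATE:
                    state = _QUOTE_STATE[s[i]]
                    i += 1
                else:
                    state = "ATTR_VALUE_UNQUOTED"
        elif state == "ATTR_VALUE_UNQUOTED":
            j = i
            while j < n and s[j] not in _WS + ">":
                j += 1
            yield ("ATTR_VALUE", s[i:j])
            i, state = j, "ATTR_NAME"
        else:  # inside a quoted value: runs to the matching quote
            j = s.find(_STATE_QUOTE[state], i)
            if j < 0:
                yield ("ATTR_VALUE", s[i:])
                return
            yield ("ATTR_VALUE", s[i:j])
            i, state = j + 1, "ATTR_NAME"


# Illustrative ban lists (assumed for this example; not libinjection's tables).
BANNED_TAGS = {"script", "iframe", "object", "embed", "applet", "style", "link",
               "meta", "base", "svg", "math", "xml", "frame", "frameset"}
BANNED_ATTRS = {"srcdoc", "formaction", "xlink:href"}
BANNED_SCHEMES = ("javascript:", "vbscript:", "data:text/html")
_URL_JUNK = re.compile(r"[\x00-\x20]")  # conservative: drop all controls/space before matching


def banned_token(event, text):
    """Return a reason if this token is on a ban list, else None."""
    if event == "TAG_NAME_OPEN" and text in BANNED_TAGS:
        return "tag <%s>" % text
    if event == "ATTR_NAME":
        # on* event handlers; the length check avoids flagging short words like "one"
        if (len(text) >= 5 and text.startswith("on")) or text in BANNED_ATTRS:
            return "attribute %s" % text
    if event == "ATTR_VALUE":
        url = _URL_JUNK.sub("", text).lower()
        if url.startswith(BANNED_SCHEMES):
            return "value %r" % url[:24]
    return None


def is_xss(user_input):
    """Tokenize the input in every context; return (flagged, context, reason)
    for the first banned token found, or (False, None, None)."""
    for ctx in CONTEXTS:
        for event, text in tokenize(user_input, ctx):
            why = banned_token(event, text)
            if why:
                return True, ctx, why
    return False, None, None


def tokens(s, start="DATA"):
    return list(tokenize(s, start))


if __name__ == "__main__":
    for evt, txt in tokens('<img src="junk" onerror=alert(1);>'):  # the slide's sample
        print("%-15s %s" % (evt, txt))
    for sample in ('" onerror=alert(1) x="', "ja\tvascr\tipt:confirm(1)",
                   "<!-- <script>alert(1)</script> -->", "Hello, <b>world</b> & friends"):
        print(is_xss(sample), repr(sample))
```

Running it prints the token stream from the slide, then one verdict per constructed sample. Two things worth noticing: the context reported is simply the first one that fires, so treat it as a hint, not a diagnosis; and in the attribute-name context any 5+ character word starting with "on" ("online", "ontario") is flagged, which is the kind of false positive the later TODO slide says still needs QA. Comments ending in `--!>`, entity-encoded values and the IE unbalanced-quote behaviour are not modelled here.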
[Page 27]
Training Sources
[Page 28]
XSS Cheat Sheets
• Most are outdated (exploits for Firefox 3!)
• sorry OWASP :-(
• Each entry was validated to make sure it still works in HTML5 browsers.
[Page 29]
HTML5SEC.org
• Fantastic resource
• But lists many examples for Firefox 3 and/or obsolete Opera versions
• Pruned to focus on HTML5 browsers
[Page 30]
@soaj1664ashar
• Produces interesting new XSS regularly
• If you like XSS you should follow him on Twitter
[Page 31]
Attack / Scanners
• Integrate one scanner’s test cases
• Using Shazzer fuzz databases - http://shazzer.co.uk/
[Page 32]
Current Status
[Page 33]
Available Now
• Available on github
• http://libinjection.client9.com/
• but… still alpha
[Page 34]
$ make test-xss
./reader -t -i -x -m 10 ../data/xss*
../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `>
../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!>
../data/xss-soaj1664ashar.txt 21 False <form/action=ja	vascr	ipt:confirm(document.cookie)> <button/type=submit>
../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)>
../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script>
../data/xss-xenotix.txt 610 False ̀ "'><img src=xxx:x ?onerror=javascript:alert(1)>
../data/xss-xenotix.txt 613 False ̀ "'><img src=xxx:x ?onerror=javascript:alert(1)>
../data/xss-xenotix.txt 615 False ̀ "'><img src=xxx:x ?onerror=javascript:alert(1)>
XSS : 1628
SAFE : 11
TOTAL : 1639
Threshold is 10, got 11, failing.

1639 total samples
1628 detected as XSS
11 false negatives
[Page 35]
IE Unbalanced Quotes
• IE 8+ has strange behaviour with ‘unbalanced quotes’ inside comments and attribute values.
• Work in progress
[Page 36]
Performance
500,000+ checks per second
[Page 37]
TODO 2014-02-17
• It's alpha, so it's likely to have some spectacular failures (bypasses)
• False-positive QA not completed.
• Currently does not handle some IE injections
• Does not have a test-bed for experimenting (maybe later this week).
• More QA, code-coverage needed
• No bindings for scripting languages (soon).