WebApp Sec mailing list archives
Re: New Whitepaper - "Second-order Code Injection Attacks"
From: "Jan P. Monsch" <jan.monsch () csnc ch>
Date: Wed, 10 Nov 2004 11:07:23 +0100
Dear Gunter!Thank you for your very interessting paper on "Second-Order Code Injection Attacks".
Here some other szenarios I came accross lately:1. In one case there was an SMS based application. It was possible for an attacker to send an SMS with a XSS to the application. Then the script got executed in the helpdesk application. Although SMS is limited to 160 characters it leaves enough space for sophisticated XSS attacks.
2. In an other case two web portals have been connected through a web service link which allowed the partners to access eachother's data repository. An attacker having gained one account on one portal was able to do XSS attack on the partner portal. At first sight the script was encoded in the SOAP-Message <asdf>%3cscript%3ealert(...)%3c/script%3c</asdf> and one might not think that it is vulnerable. But the parsing application decoded the XML content and embedded it directly into the web page: Bang!
3. In an other web service scenario it was possible to inject XSS to the backend HTML application using a CDATA encoding: <asdf><![CDATA[<script>alert(...)</script>]]></asdf>
4. In this scenario a web application uses XML documents as a mean for backend integration. If the XML generator does not pay attention when assembling the XML document it can be possible to inject snippets of XML. This problem is very difficult for an outsider to detect but an insider will have good chances of exploiting it.
Concerning your protection recommendations I think that they must supplemented: - An attack has a direction. For example SQL-Injection is a back-end directed attack. XSS in contrast is a front-end directed attack. To get the optimal protection it is necessary to prevent in direction of the attack. For SQL-Injection this results in input validation and for XSS this results in output encoding (' -> "e).
- I think that removing characters does often not meet complex business requirements (Think of family names like D'Amato). An backend application does often not know which other applications are dependant on that data. So every component using data must protect itself. Especially in case of HTML GUIs the application must perform output encoding.
- When auditing XML based application it must be verified that the XML documents encode the content properly.
Kind Regards Jan P. Monsch -- _____________________________________________________________ Jan P. Monsch Compass Security Network Computing AG Glärnischstrasse 7, CH-8640 Rapperswil, Switzerland Tel +41 55 214 41 67 Fax +41 55 214 41 61 jan.monsch () csnc ch http://www.csnc.ch PGP: F055 837D 2D86 1C86 C5E0 065C 0D16 B8B3 9E58 71F3 Security Review - Penetration Testing - Computer Forensics _____________________________________________________________
Current thread:
- Re: New Whitepaper - "Second-order Code Injection Attacks" Jeff Williams (Nov 05)
- RE: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (NGS) (Nov 05)
- <Possible follow-ups>
- Re: New Whitepaper - "Second-order Code Injection Attacks" Jan P. Monsch (Nov 11)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (Nov 11)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Rogan Dawes (Nov 12)
- RE: New Whitepaper - "Second-order Code Injection Attacks" Mark Curphey (Nov 14)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Stephen de Vries (Nov 20)
- Re: New Whitepaper - "Second-order Code Injection Attacks" Gunter Ollmann (Nov 11)