Voting on BSides SF presentations closes this Friday (Feb 2nd). If you’ll be in San Francisco for RSA, make sure to check out BSides as well. It’s also a chance to learn about a JavaScript-based approach to fingerprinting web app frameworks — but only if you vote for Blind Fury!

Blind Fury: An Alternate Web App Fingerprinting Technique

Web app fingerprinting attempts to identify the type and version of frameworks installed on a web site. Knowledge of frameworks and their version helps determine whether a site has kept up to date with security patches. Accurate fingerprinting can be more efficient and less intrusive than blackbox vulnerability scanning for identifying potential vulnerabilities.

Traditional approaches to fingerprinting web applications rely on brute force enumeration of pages, scraping content with regexes, or hybrids of the two. These are suboptimal. Page enumeration is bandwidth-intensive. Its accuracy falls when “install” files are removed or pages are minified. Regexes are prone to errors of matching incorrect content or are defeated by simple site modification (such as removing <meta> content). These techniques tend to identify the presence of pages on a site, but do not indicate whether the files are actually used of the application.

Blind Fury uses a new approach that does not rely on page enumeration or regexes. Yet it is still able to identify several popular frameworks. In fact, the technique can be extended to generate fingerprints for almost any type of web site. It can create and analyze fingerprints from a completely blackbox perspective; it does not require prior knowledge of a target’s directory structure.

If you love Rutger Hauer movies, vote for Blind Fury.

Fear not, regardless of the outcome of voting, I’ll be posting more about it at the end of the month.

p.s. Regular visitors may have noticed that the site has moved to WordPress.com from Blogger (saying good-bye to negative privacy and policy changes). The only drawback so far is that some of the archive links are broken because they were originally saved as year/month rather than year/month/day. All of the content remains, just under a slightly different link.

I previously lamented the death of web scanners¹ so it’s only fair that to turn this nihilistic gaze to the futility of manual web security testing. This isn’t to say it’s impossible to perform a comprehensive review of a web app. The problem lies in repeating that review after developers modify the app. Or the problem of obtaining consistent results from different testers. Or if we continue to look for problems: Repeating an in-depth review of one app across the few thousand that might exist in an organization.

It’s not controversial to state the web apps need to be tested. The trick is trying to keep up with the pace of development for a single web app, compounded by the pace at which new apps arise. Security testers must deal with the fear that a once-secure app might be crippled by the introduction of a new feature or a change that inadvertently breaks an old one. With this in mind, the fundamental challenges of manual pen testing is managing the effort required to maintain one site’s security and scaling that effort to thousands.

If we look at recent compromises, and accept reasoning from an anecdotal basis, we see simple attacks succeeding against huge, well-known web sites. It’s not like Google, Twitter, Facebook, and similar don’t understand security, don’t have budgets for security testing, or don’t have people testing their apps. Google actively encourages ethical testing against several of its properties.² This nod to explicit permission to find vulns isn’t a concession to the impossibility of writing secure code; it’s a nod towards the difficulty of scale in manually testing large, complex web applications. It’s also interesting to see the vulns considered worthy of reward versus those deemed cruft or a “vector for petty mischief”.³ This highlights the minefield within the subjectivity of risk when terms like risk, attack, threat, and impact are ambiguously defined or too-broadly applied.

Consider the Sony Playstation Network (PSN) breach⁴ that compromised user data “by hacking into an application server behind a Web server and two firewalls”.⁵ This attack⁶ is a topical example of the impact of (what seems to be⁷) straight-forward web vulns like SQL injection. One could wonder whether the vulnerable web site ever received security testing. If so, the quality of the test must be called into question, especially if the alleged attack vector was so simple. On the other hand, we could ruminate on reasons why the site wasn’t tested. Missed and forgotten because the site was so old? Assumed it had been tested before? Too many other sites considered more important needed to be tested first? We could go on, but the point of the exercise is to express the difficulty of maintaining web security, not second-guessing situations we know too little about.

The presence of a vulnerability is usually indisputable. On the other hand, its risk or exploitation impact often falls to debate. SQL injection is a clear example of a vuln that should be addressed immediately rather than arguing if the vuln exposes an empty database or encrypted credit card numbers. SQL injection flaws are due to fundamentally improper programming. Even if an exploit is questionable, there’s bad code sitting on the server that should be fixed.

CSRF is a different matter, especially depending on how it manifests. Arguments over risk ratings too often devolve into opinions biased by imaginative threats rather than focus on the situation. (For example, mistakenly considering a CSRF countermeasure broken because it can be bypassed by XSS or incorrectly assuming CSRF tokens prevent sniffing attacks.)

The details of web vulns differ enough that it’s hard, and perhaps unwise, to assign each a static risk. Efforts like CVSS⁸ try to bring consistency and terminology to describing software vulns, but the scoring systems seems infrequent within web security. Fortunately, the risk calculations can be avoided without great loss if you treat vulns like the software defects they are. Assign priorities using methodologies already familiar to your dev team. And if the effort required to fix a bug is greater than the effort required to prove it’s really, really, truly a problem, then have a discussion about impact and risk.

Manual testing has a high degree of variance in quality and coverage. I don’t make these statements without being blameless. In the past I’ve written a chapter or two that omitted an attack variant or didn’t highlight something well enough. These are things I’ve tried to address in revised editions and on this web site. My point is that manual tests have an unavoidable bias in focus that depends on the person conducting them. Rather than passing judgement on quality, this is more of a judgement on coverage and that inevitable human factor of making mistakes. (After all, lots of vulns boil down to mistakes in code, albeit fairly consequential ones.)

CSRF arrived on the OWASP Top 10 in 2007. How many people were testing their web apps before that year? (To be fair, how many apps were being compromised that way? Especially when SQL injection remains(!) so much easier.) I like to pick on CSRF because the vuln is easily misunderstood and its purported impacts and countermeasures vary immensely.

There are two methodologies for addressing test coverage: blackbox (review the deployed app) and whitebox (review the app’s code). Blackbox testing rarely requires knowledge of the app’s underlying language. Although cases like PHP show that prior knowledge can be helpful because configuration settings influence code execution. The same code may run securely on one server and be wide open under a different configuration. Blackbox testing is the easiest path because it requires nothing more than a browser to begin. The snag is that blackbox testing won’t necessarily find the dusty corners of the web site where an insecure link or form is hiding.

Then why not just step towards a code review where every corner can be checked? A pen tester could spend an hour investigating different XSS vectors against a web page whereas reviewing the page’s source code could provide higher confidence whether it’s secure. After all, not every security fix is securely fixed.⁹

The drawback is that whitebox testing reduces the population of testers capable of finding security problems. This exacerbates the problem of scale in matching testers to web apps. The tester needs to have good comprehension of the app’s programming language in addition to security concepts. Someone very good at reviewing Java may miss a vuln in C#. Knowledge of good software design translates well between languages. Yet the problem remains that too few people have too many sites to review.

As with the article on web scanner mortality, this one requires a caveat. There will be a vocal group hurling cliched invectives against the idea that manual testing is useless, never requires tools, and is a worthless endeavor. None of those were asserted here. In fact, manual testing must be part of any exhaustive security testing. Humans have the ability to analyze the design of a web site, where an automated scanner largely focuses on implementation problems. Humans also possess the creative thinking required to turn QA’s use cases into abuse and misuse cases that bypass security.

Web QA testing groups are likely already overloaded with the combinatorial craziness inherent to reviewing UIs. Yet this is a perfect step for identifying security problems alongside bugs in features. Tools like Selenium¹⁰ would be prime platforms for security testing. Yet how many times did a web pen test produce findings, provide a PDF, then leave? Why haven’t Selenium scripts (or anything similar) become a lingua franca of pen test results?

One of the biggest changes necessary to manual testing is translating the hands-on tests that a human performs into a script that someone else (or a tool) can repeat.¹¹ Treating pen tests as snapshots in time misses the opportunity to build a repository of security knowledge. Rather than just manage vulns, a group could manage the techniques and scripts used to find such vulns. This not only enables a one-time security review to become repeatable, but the quality of testing can improve.

The pessimism of this article and the previous one isn’t intended to be a capitulation to web vulnerabilities. By identifying the fundamental challenges to security testing it’s possible to start thinking of creative ways to solve them. It’s important to understand a problem well to avoid branching off into solutions that address false issues or have too narrow of a focus. In future articles we’ll turn the tables on this bleak landscape and look at the effective ways to apply automation and manual testing to web sites.

=====

1 http://www.deadliestwebattacks.com/2011/05/death-of-web-scanners.html

2 http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html

3 http://www.google.com/corporate/rewardprogram.html

4 http://us.playstation.com/support/answer/index.htm?a_id=2356

5 http://news.cnet.com/8301-31021_3-20058950-260.html?tag=mncol;txt

6 http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

7 I’ve yet to find definitive explanations of the attack, so reserve a little skepticism for reports like this: http://news.cnet.com/8301-27080_3-20063789-245.html

8 http://nvd.nist.gov/cvss.cfm

9 http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-something.html

10 http://seleniumhq.org/ 11 Dinis Cruz recognized this type of problem and started the O2 project, https://www.owasp.org/index.php/OWASP_O2_Platform. However, O2 focuses more on the tools to implement repeatability rather than defining a grammar to describe vuln tests. Selenium is a similar tool that uses JavaScript to define tests that can be driven by one of several different programming languages; however, it does not have an explicit security bent.

Here are slides from the February 2011 eSymposium webcast.

Skip the stagnant list of attacks and weaknesses in favor of an approach the deals with the design and implementation of your site. Many items relate to a site’s use of HTTP and HTML. Neither of these arrived in the 21st century. In fact, they date back to the ’90s. HTML 4.01 was made official in December 1999, when Jessica Simpson and Whitney Houston had hits on the Billboard Top 10, and The Green Mile and Galaxy Quest were in the Top 10 grossing movies. (I realize these references reinforce the mighty U.S. cultural hegemony, but the U.K. album charts for that month included Boyzone and Westlife so you’ll have to forgive me.)

But let’s get back to the OWASP Top 10. There’s an implication here that some compelling reason exists for ignoring it. Simply put, it’s uninteresting over time and unhelpful for more than nomenclature.

If you love the OWASP Top 10, don’t bother reading the rest of this post. Skip to the comments section and start typing. The curious may read on. The impatient may skip to the last paragraph.

The OWASP Top 10 list originated as a clone of the SANS Top 10 for Windows and Unix vulnerabilities (ostensibly the most popular ways those operating systems were compromised). The list made an initial mistake of putting itself forward as a standard, which encouraged adoption without comprehension — taking the list as a compliance buzzword rather than a security starting point. The 2010 update mercifully raises red flags about the danger of falling into the trap of myopic adherence to the list.

The list has a suspicious confirmation bias such that popular, trendy vulnerabilities rise to the top, possibly because that’s what researchers are looking for. And these researchers are coming from a proactive rather than forensics perspective of web security, meaning that they rely on vulnerabilities discovered in a web site vs. vulnerabilities actively exploited to compromise a web site.

Two of the list’s metrics, Prevalence and Detectability, appear curiously correlated. A vulnerability that’s easy to detect (e.g. cross-site scripting) has a widespread prevalence. I question the causality of this relationship: Are they widespread because they’re easy to detect? This arises because an entry like A7: Insecure Cryptographic Storage has a difficult detectability and (therefore?) uncommon prevalence. Yet the last few months marked clear instances of web sites that stored users’ passwords with no salt and poor encryption [1][2]. This seems to reinforce the idea that the list is also biased towards a blackbox perspective of web applications at the expense of viewpoints from developers and architects.

Six of the list’s entries have easy detectability. This seems strange. If more than half of the risks to a web application are easy to find, why do these problems remain so widespread that site owners can’t squash them? The list of well-funded, well-established applications that have had HTML injection problems has more than a few familiar names: Amazon, eBay, Facebook, GMail, Paypal, and Twitter [3]. Maybe detectability isn’t so easy when dealing with large, complex systems.

If you’ve ever “tested for the OWASP Top 10″ or asked a vendor if their scanner “tests for the OWASP Top 10″ then you’ve tested the implementation of that web site, but not necessarily its design.

Web application vulnerabilities roughly fall into a design or implementation error. A great example of a design error is cross-site request forgery (CSRF). CSRF exploits the natural, expected way a browser submits requests from the iframe and img tags that appear in HTML. It was manifest from the first form tag in the ’90s, but didn’t reach critical mass (i.e. inclusion on the Top 10) until 2007. SQL injection was another design error: the ever-insecure commingling of code and data. (SQL injection occurs because the grammar of a database query could be modified by the data used by the query.)

These design problems inspired efforts to create viable solutions. Naive solutions blacklisted the common characteristics of an exploit, but such approaches dealt with implementation rather than design. Superior solutions introduced new concepts, the Origin header for CSRF and prepared statements for SQL injection, that enabled developers to address the systemic cause of the vulnerabilities rather than paper over the bugs that allowed them to emerge on the site.

Alas, not every vulnerability gets the secure by design treatment. HTML injection (known as cross-site scripting in the Vulgar Latin) attacks seem destined to be the ever-living cockroaches of the web. Where SQL injection combined code and data in the form of database queries, HTML injection combines user-supplied data with HTML. No one yet has created to reliable “prepared statement/parameterized query” equivalent for updating the DOM.

This doesn’t mean implementation errors can’t be dealt with: Coding guidelines provide secure alternatives to common patterns, frameworks enable consistent usage of recommended techniques, automated scanners provide a degree of verification.

This delineation of design and implementation plays second fiddle to the Siren’s Song of the OWASP Top 10. (Anecdote alert.) All too often the phrase, “Does it scan for the OWASP Top 10?” or “How does this compare to the OWASP Top 10?” arises when discussing a scanner’s capability or the outcome of a penetration test. Not exactly the list’s fault, but the inquirer’s. Never the less, the list has become a beast that drives web security in spite of the fact that applications have narrowly-defined, easy-to-detect problems like HTML injection (XSS) as well as widely-defined, broad, combined concepts like Broken Authentication and Session Management. After all, twenty years into the web sites still ask for an email address and password to authenticate users.

All software has bugs and bugs lead to implementation problems like HTML injection or forgetting to use a prepared statement for a SQL query. Such problems are usually independent of the site’s design. On the other hand, the security of authentication and session management have strong ties to a site’s design. Yet a scanner or penetration test that can’t execute a login bypass via SQL injection or brute force an administrator’s password doesn’t imply the site’s design is strong or correct — it simply means those attacks failed.

Maybe this misinterpretation of the OWASP Top 10 was already obvious: A scanner or penetration test that goes through the list verifies that common attacks can or cannot compromise the site, but strict adherence to the list doesn’t mean that the site is well-designed.

Fine, you say, complain about the rot in Denmark, but where’s the better replacement?

The Common Weakness Enumeration [4] (CWE) provides an excellent alternative to the stale OWASP list. To quote directly from its site, CWE “provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design.”

Several of the weaknesses aren’t even specific to web applications, but they’ve clearly informed attacks against web applications. CSRF evolved from the “Confused Deputy” described in 1988 [5]. SQL injection and HTML injection have ancestors in Unix command injection used against SMTP and finger daemons, to name just two. Pointing developers to these concepts provides a richer background on security.

If you care about your site’s security, engage your developers and security team in the site’s design and architecture. Use tools or manual testing to verify its implementation. Refer to the CWE for coding guidelines. And keep the OWASP Top 10 list around as an artifact of the types of vulnerabilities that interests the security community — a different community, one might guess, from the attackers targeting web sites.

As a final experiment, invert the sense of the attacks and weaknesses to a prescriptive list of Mike’s Top 10 and see how that influences developers:

M1. Validate data from the client.
M2. Sanitize data for the appropriate context when displayed in the client.
M3. Apply strong authentication schemes.
M4. Use strong PRNG and high entropy when access control relies on knowledge of a value.
M5. Enforce strong session management and workflows (and set the Origin header).
M6. Configure the platform securely.
M7. Use established, recommended cryptographic systems and techniques.
M8. Apply authorization checks consistently.
M9. Turn on SSL wherever possible.
M10. Restrict data to expected values.

=====

[1] http://www.theregister.co.uk/2010/12/13/gawker_hacked/
[2] http://www.theregister.co.uk/2011/01/21/trapster_website_hack/
[3] http://xssed.org/
[4] http://cwe.mitre.org/
[5] http://portal.acm.org/citation.cfm?id=871709

On June 7th the Stanford Web Security Research Group released a study of clickjacking countermeasures employed across Alexa Top-500 web sites. It’s an excellent survey of different approaches taken by web developers to prevent their sites from being framed (i.e. subsumed by an <iframe> tag). To better understand the dangers of framing pages, read the paper or check out Chapter Two of The Book.

One interesting point emphasized in the paper is how easily regular expressions can be misused or misunderstood as security filters. Regexes can be used to create positive or negative security models — either match acceptable content (whitelisting) or match attack patterns (blacklisting). Inadequate regexes lead to more vulnerabilities than just clickjacking.

One of the biggest mistakes made in regex patterns is leaving them unanchored. Anchors determine the span of a pattern’s match against an input string. The ‘^’ anchor matches the beginning of a line. The ‘$’ anchor matches the end of a line. (Just to confuse the situation, when ‘^’ appears inside grouping brackets it indicates negation, e.g. ‘[^a]+’ means match one or more characters that is not ‘a’.)

Consider the example of the nytimes.com’s document.referrer check as shown in Section 3.5 of the Stanford paper. The weak regex is highlighted in red:

if(window.self != window.top &&
!document.referrer.match(/https?:\/\/[^?\/]+\.nytimes\.com\//))
{
top.location.replace(
window.location.pathname);
}

As the authors point out (and anyone who is using regexes as part of a security or input validation filter should know), the pattern is unanchored and therefore easily bypassed. The site developers intended to check the referrer for links like these:

http://www.nytimes.com/https://www.nytimes.com/http://www.nytimes.com/auth/loginhttp://firstlook.blogs.nytimes.com/

Since the pattern isn’t anchored, it will look through the entire input string for a match, which leaves the attacker with a simple bypass technique. In the following example, the pattern matches the text in red — clearly not the developers’ intent:

http://evil.lair/clickjack.html?a=http://www.nytimes.com/

The devs wanted to match a URI whose domain included “.nytimes.com”, but the pattern would match anywhere within the referrer string.

The regex would be improved by requiring the pattern to begin at the first character of the input string. The new, anchored pattern would look more like this:

^https?:\/\/[^?\/]+\.nytimes\.com\/

The same concept applies to input validation for form fields and URI parameters. Imagine a web developer, we’ll call him Wilberforce for alliterative purposes, who wishes to validate zip codes submitted in credit card forms. The simplest pattern would check for five digits, using any of these approaches:

[0-9]{5}
\d{5}
[[:digit:]]{5}

At first glance the pattern works. Wilberforce even tests some basic XSS and SQL injection attacks with nefarious payloads like <script src=...> and 'OR 19=19. The regex rejects them all.

Then our attacker, let’s call her Agatha, happens to come by the site. She’s a little savvier and, whether or not she knows exactly what the validation pattern looks like, tries a few malicious zip codes (the five digits are underlined):

90210'
<script>alert(0x42)<script>57732
10118<script>alert(0x42)<script>

Poor Wilberforce’s unanchored pattern finds a matching string in all three cases, thereby allowing the malicious content through the filter and enabling Agatha to compromise the site. If the pattern had been anchored to match the complete input string from beginning to end then the filter wouldn’t have failed so spectacularly:

^\d{5}$

Unravelling Strings

Even basic string-matching approaches can fall victim to the unanchored problem; after all they’re nothing more than regex patterns without the syntax for wildcards, alternation, and grouping. Let’s go back to the Stanford paper for an example of walmart.com’s document.referrer check based on a JavaScript String object’s IndexOf function. This function returns the first position in the input string of the argument or -1 in case the argument isn’t found:

if(top.location != location) {
if(document.referrer &&
document.referrer.indexOf("walmart.com") == -1)
{
top.location.replace(document.location.href);
}
}

Sigh. As long as the document.referrer contains the string “walmart.com” the anti-framing code won’t trigger. For Agatha, the bypass is as simple as putting her booby-trapped clickjacking page on a site with a domain name like “walmart.com.evil.lair” or maybe using a URI fragment, http://evil.lair/clickjack.html#walmart.com. The developers neglected to ensure that the host from the referrer URI ends in walmart.com rather than merely contains walmart.com.

The previous sentence is very important. Read it again. The referrer string isn’t supposed to end in walmart.com, the referrer’s host is supposed to end with that domain. That’s an important distinction considering the bypass techniques we’ve already mentioned:

http://walmart.com.evil.lair/clickjack.html
http://evil.lair/clickjack.html#walmart.com
http://evil.lair/clickjack.html?a=walmart.com

Parsers Before Patterns

Input validation filters often require an understanding of a data type’s grammar. Some times this is simple, such as a five digit zip code. More complex cases, such as email addresses and URIs, require that the input string be parsed before pattern matching is applied.

The previous indexOf string example failed because it doesn’t actually parse the referrer’s URI; it just looks for the presence of a string. The regex pattern in the nytimes.com example was superior because it at least tried to understand the URI grammar by matching content between the URI’s scheme (http or https) and the first slash (/)¹.

A good security filter must understand the context of the pattern to be matched. The improved walmart.com referrer check is shown below. Notice that the get_hostname_from_url function now uses a regex to extract the host name from the referrer’s URI and the string comparison ensures the host name either exactly matches or ends with “walmart.com”. (You could quibble that the regex in get_hostname_from_url isn’t anchored, but in this case the pattern works because it’s not possible to smuggle malicious content inside the URI’s scheme. The pattern would fail if it returned the last match instead of the first match. And, yes, the typo in the comment in the killFrames function is in the original JavaScript.)

function killFrames() {
if (top.location != location) {
if (document.referrer) {
var referrerHostname = get_hostname_from_url(document.referrer);
var strLength = referrerHostname.length;
if ((strLength == 11) && (referrerHostname != "walmart.com")){ // to take care of http://walmart.com url - length of "walmart.com" string is 11.
top.location.replace(document.location.href);
} else if (strLength != 11 && referrerHostname.substring(referrerHostname.length - 12) != ".walmart.com") { // length og ".walmart.com" string is 12.
top.location.replace(document.location.href);
}
}
}
}

function get_hostname_from_url(url) {
return url.match(/:\/\/(.[^/?]+)/)[1];
}

Conclusion

Regexes and string matching functions are ubiquitous throughout web applications. If you’re implementing security filters with these functions, keep these points in mind:

Normalize the character set. Ensure the string functions and regex patterns match the character encoding, e.g. multi-byte string functions for multi-byte sequences.

Always match the entire input string. Anchor patterns to the start (‘^’) and end (‘$’) of input strings. If you expect input strings to include multiple lines, understand how multiline (?m) and single line (?s) flags will affect the pattern — if you’re not sure then treat it as a single line. Where appropriate to the context, the results of string matching functions should be tested to see if the match occurred at the beginning, within, or end of a string.

Prefer a positive security model over a negative one. Whitelist content that you expect to receive and reject anything that doesn’t fit. Whitelist filters should be as strict as possible to avoid incorrectly matching malicious content. If you go the route of blacklisting content, make the patterns as lenient as possible to better match unexpected scenarios — an attacker may have an encoding technique or JavaScript trick you’ve never heard of.

Consider a parser instead of a regex. If you want to match a URI attribute, make sure your pattern extracts the right value. URIs can be complex. If you’re trying to use regexes to parse HTML content…good luck.

Don’t shy away from regexes because their syntax looks daunting, just remember to test your patterns against a wide array of malicious and valid input strings.

=====
¹ Technically, the pattern should match the host portion of the URI’s authority. Check out RFC 3986 for specifics, especially the regexes mentioned in Appendix B.