i used to code my pages in php, and am new to ror. recently i read this article: http://asciicasts.com/episodes/204-xss-protection-in-rails-3
about the xss protection and im curious, whether this only applies to output like js on a html page, or whether this ruby feature also covers sql injection, <img src="evilpage.php"/> session stealing and others?
Cross-site scripting (XSS) and SQL injection are two entirely different things, but using ActiveRecord properly in Rails 3 will also protect you from SQL injection.
Cross-site request forgery (CSRF, 'session stealing') is something totally different again.
Related
I am a newbie in web application development. My application is using AngularJS\NodeJS. A security tool reported reflected XSS vulnerability in our application. From my search on the internet I found that there is a HTTP X-XSS-Protection response header which appears to protect the application against reflected XSS attacks. However, I am not sure if that should be sufficient for handling the reflected XSS attacks or additionally any input sanitization should also be done in the application.
X-XSS-Protection is not enough, and is already enabled by default in most browsers. All it does is it enables the built-in XSS protection in browsers, but the trick is, to the best of my knowledge (maybe somebody will correct me) it is not specified what exactly the browser should do. Based on my experience, browsers only filter the most trivial XSS, when there is a parameter with javascript between script tags - such javascript from the parameter will not be run. For example if the parameter is
something <script>alert(1)</script> something
this will not be run by the browser. And apparently that's it.
For example if you have server-side code like
<div class="userclass-{{$userinput}}">
then this can be exploited with the string abc" onclick="alert(1)" x=", and this will go through the built-in filter in any browser I tried.
And then we haven't talked about stored or DOM XSS, where this protection is totally useless.
With Angular, it is slightly harder to make your code vulnerable to XSS (see here how to bind stuff as html for example), but it is by far not impossible, and because you would almost never need an actual script tag for that, this built-in protection has very limited use in an Angular app.
Also while input validation/sanitization is nice to have, what you actually need against XSS in general is output encoding. With Angular, that is somewhat easier than with many other frameworks, but Angular is not the silver bullet, your application can still be vulnerable.
In short, anytime you display user input anywhere (more precisely, anytime you insert user input into the page DOM), you have to make sure that javascript from the user can't be run. This can be achieved via output encoding, and secure Javascript use, which can mean a lot of things, mostly using your template engine or data binding in a way that only binds stuff as text, and not anything else (eg. tags).
What X-XSS-Protection does is browser dependent and can't be relied upon for security. It is meant as an extra layer to make it more difficult to exploit vulnerable applications, but is not meant as a replacement for correct encoding. It is a warning that an application is vulnerable and the responsibility to fix it is on the application developers.
This is why in Chrome, errors in the XSS filter are not even considered security bugs. See the Chrome Security FAQ:
Are XSS filter bypasses considered security bugs?
No. Chromium contains a reflected XSS filter (called XSSAuditor) that
is a best-effort second line of defense against reflected XSS flaws
found in web sites. We do not treat these bypasses as security bugs in
Chromium because the underlying issue is in the web site itself. We
treat them as functional bugs, and we do appreciate such reports.
The XSSAuditor is not able to defend against persistent XSS or
DOM-based XSS. There will also be a number of infrequently occurring
reflected XSS corner cases, however, that it will never be able to
cover. Among these are:
Multiple unsanitized variables injected into the page.
Unexpected server side transformation or decoding of the payload.
And there are plently of bugs. There are ways found to bypass the filter regularly. Just last week there was a fairly simple looking injected style attribute bypass.
Such a filter would need to tell where values in the output have come from by only looking at the input and the output, without seeing any templates or server-side code. When any processing is done to the input, or there's multiple kinds of decoding occurring, or multiple values are combined together, this can be very difficult.
Much easier would be to take care of the encoding at the template level. Here, we can easily tell the difference between variable values and static code because they haven't been merged together yet.
I need to verify the safety of my website. Do you know some tools for testing website safety i.e. sql injection, xss, .... ?
Can you recommend the best way to verify safety?
This sounds more like a question for Webmasters.SE or Security.SE rather than SO. But anyways...
There are many freely downloadable website vulnerability testers. I personally have used https://www.netsparker.com/communityedition/ and it caught some SQL mistakes in code from our contractor.
I'm looking for ways to protect our website from XSS attacks. At this point I am concerned about sanitizing/protecting the input only. I am aware of the need to encode the output, but that's out of the scope of this question.
A few things to bear in mind:
My web does not accept user-generated HTML at all.
I have Validate Request set to true.
I know that Microsoft recommends not to rely on on Validate Request exclusively. However, I'd like to know why. Embarking on an input sanitization project will involve a fair amount of time and money which I need to justify to the business.
I have been researching into actual examples of how to attack the Validate Request protection. All I have come up with is this. However, I have been unable to reproduce it on my site.
Yes Microsoft recommends that you don't rely on Validate Request because
Only you can define what represents good input for your application.
I recommend you read How To: Prevent Cross-Site Scripting in ASP.NET guideline. This is possibly the best thing I have read from Microsoft on the topic of XSS.
Another thing you can use to sanitize input is Microsoft Web Protection Library. It is easy to integrate it into existing applications and this is a quite mature project I personally rely on.
Cross site scripting can be fixed by encoding incoming parameters and also by validating them with a customized regex.
For example: Encode.forhtml(inputparam)
There are several types of context based encoding using OWASP encoder. If you're not sure about encoder or validation patterns, try the cross site scripting validator below to make sure the right approach to a fix.
XSS validator for Java: http://fixforscrossite.us-east-2.elasticbeanstalk.com/
I have a suite of Oracle Apex based applications due to have a security test. Does anyone have any tips on what I should look for to tighten things up?
The thing with Apex applications is that the underlying code is all PL/SQL, so it is no surprise that the major class of vulnerability affecting Apex application is SQL Injection.
You need to make sure that you do not use substitution variables (e.g. &P1_TEST.) as these almost always lead to exploitable injection. When they are used within PL/SQL begin/end blocks the injection is very "powerful" as an attacker can specify an arbitrary number of PL/SQL statements.
Many Apex apps use dynamic SQL (where a query is constructed in a string and then executed), either through direct calls to EXECUTE IMMEDIATE or through Apex FUNCTION_RETURNING_SQL blocks. Dynamic SQL is almost always a bad idea.
You'll also find quite a bit of Cross-Site Scripting in Apex apps, where input from users, or from queries run against the database is not escaped. The various Apex reports provide settings to enable escaping but these may not have been chosen when the report was defined.
Also consider the access-control model and ensure all the pages are protected with appropriate authorisation schemes. Do not use the APEX_APPLICATION_FILES table if you're storing uploads as that doesn't protect against unauthenticated downloads.
Hope that helps, and good luck!
Web applications on uncompromised computers are vulnerable to XSS,CRSF,sql injection attacks and cookie stealing in unsecure wifi environments.
To prevent those security issues there are the folowing remedies
sql injection: a good datamapper(like linq-to-sql) does not have the risk of sql injection (am i naïeve to believe this?)
CSRF: Every form-post is verified with the <%:Html.AntiForgeryToken() %> (this is a token in a asp.net mvc environment that is stored in a cookie and verified on the server)
XSS: every form that is allowed to post html is converted, only bb code is allowed, the rest is encoded . All possible save actions are done with a post event so rogue img tags should have no effect
cookie stealing: https
Am i now invulnerable to web-based hacking attempts(when implemented correctly)? Or am i missing some other security issues in web-development?(except for possible holes in the OS platform or other software)
The easy answer is "No you're not invulnerable - nobody is!"
This is a good start, but there are a few other things you could do. The main one you haven't mentioned is validation of untrusted data against a white-list and this is important as it spans multiple exploits such as both SQLi and XSS. Take a look at OWASP Top 10 for .NET developers part 1: Injection and in particular, the section about "All input must be validated against a whitelist of acceptable value ranges".
Next up, you should apply the principle of least privilege to the accounts connecting to your SQL Server. See the heading under this name in the previous link.
Given you're working with ASP.NET, make sure Request Validation remains on and if you absolutely, positively need to disable it, just do it at a page level. More on this in Request Validation, DotNetNuke and design utopia.
For your output encoding, the main thing is to ensure that you're encoding for the right context. HTML encoding != JavaScript encoding != CSS encoding. More on this in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS).
For the cookies, make them HTTP only and if possible, only allow them to be served securely (if you're happy to only run over HTTPS). Try putting your web.config through the web.config security analyser which will help point you in the right direction.
Another CSRF defense - albeit one with a usability impact - is CAPTCHA. Obviously you want to use this sparingly but if you've got any really critical functions you want to protect, this puts a pretty swift stop to it. More in OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF).
Other than that, it sounds like you're aware of many of the important principles. It won't make you invulnerable, but it's a good start.
Am I now invulnerable to web-based hacking attempts?
Because, no matter how good you are, everyone makes mistakes, the answer is no. You almost certainly forgot to sanitize some input, or use some anti-forgery token. If you haven't now, you or another developer will as your application grows larger.
This is one of the reason we use frameworks - MVC, for example, will automatically generate anti-CSRF tokens, while LINQ-to-SQL (as you mentioned) will sanitize input for the database. So, if you are not already using a framework which makes anti-XSS and anti-CSRF measures the default, you should begin now.
Of course, these will protect you against these specific threats, but it's never possible to be secure against all threats. For instance, if you have an insecure SQL-connection password, it's possible that someone will brute-force your DB password and gain access. If you don't keep your versions of .Net/SQL-Server/everything up to date, you could be the victim of online worm (and even if you do, it's still possible to be zero-dayed).
There are even problems you can't solve in software: A script kiddie could DDOS your site. Your server-company could go bankrupt. A shady competitor could simply take a hedge-clippers to your internet line. Your warehouse could burn down. A developer could sell the source-code to a company in Russia.
The point is, again, you can't ever be secure against everything - you can only be secure against specific threats.
This is the definitive guide to web attacks. Also, I would recommend you use Metasploit against your web app.
It definitely is not enough! There are several other security issues you have to keep in mind when developing a web-app.
To get an overview you can use the OWASP Top-Ten
I think this is an very interesting post to read when thinking about web-security: What should a developer know before building a public web site?
There is a section about security that contains good links for most of the threats you are facing when developing web-apps.
The most important thing to keep in mind when thinking about security is:
Never trust user input!
[I am answering to this "old" question because I think it is always an actual topic.]
About what you didn't mention:
You missed a dangerous attack in MVC frameworks: Over Posting Attack
You also missed the most annoying threats: Denial of Service
You also should pay enough attention to file uploads (if any...) and many more...
About what you mentioned:
XSS is really really really waster and more annoying to mitigate. There are several types of encoding including Html Encoding, Javascript Encoding, CSS Encoding, Html Attribute Encoding, Url Encoding, ...
Each of them should be performed to the proper content, in the proper place - i.e. Just doing Html Encoding the content is not enough in all situations.
And the most annoying about XSS, is that there are some situations that you should perform Combinational Encoding(i.e. first JavascriptEncode and then HtmlEncode...!!!)
Take a look at the following link to become more familiar with a nightmare called XSS...!!!
XSS Filter Evasion Cheat Sheet - OWASP