Fixing app codes that generate false positive XSS, SQL injection & other vulnerability alerts

Q1:
I know quite a number of the XSS & SQL injection (& other vulnerabilities) reported by our IPS (Intrusion Protection System)
are false positives as they are known accesses from the web accessing the app or from the users' subnets (incl public
Internet) to the web servers.

So how do people normally go about handling this?  Do we ignore it or if whitelisting is not possible (due to the product's
limitation), do we get the offending payload & then submit to apps support team to fix it?

Q2:
I reckon almost all the reported XSS, SQL injection & Adobe alerts are triggered by .Net or Java-related codes?  Is there
any other common programming language that could have triggered XSS & SQL injection?  Will SQL commands &
4th GL trigger such alerts?

Q3:
Does a premier MS & Oracle support contract entitle us to get MS/Oracle to review & fix the codes?  Or are such requests
not supported by MS/Oracle?

Q4:

Are the following considered payloads?  I got them from the IPS.  How do we go about identifying which
lines of code are the trigger for XSS?  Any tools out there to help with such coding (or shall I say software
configuration?) troubleshooting?

Sample 1
========
GET /VOICES/XRMServices/2011/OrganizationData.svc/RoleSet?$select=RoleId&$filter=Name%20eq%20'Senior%20Executive' HTTP/1.1
Accept: application/json,text/javascript, */*
X-Requested-Width: XMLHttpRequest
Referer: http://intranet-uat-voices.vital.gov.sg/VOICES/main.aspx?etc=10050&extraqs=%3f_gridType%3d10050%26etc%3d10050%26id%3d%257bD063CA65-60F4-E411-8E74-005056A5104D%257d%26rskey%3d820491894&pagemode=iframe&pagetype=entityrecord&rskey=820491894
Accept-Language: en-sg
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E; Tablet PC 2.0)
Host: intranet-uat-voices.mital.com.in
Connection: Keep-Alive
Cookie: ReqClientId=b1afa8a0-57fd-4509-ab6f-3f413093bb22; gov.sg=2190998794.20480.0000;



Sample 2
========
GET /Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=11.0.3452.0&Name=Microsoft.Reporting.WebForms.Icons.MultiValueSelect.gif HTTP/1.1
Accept: */*
Referer: http://intranet-uat-voices-in.mital.com.in/WebForms/Reports/Service_Request_Report.aspx
Accept-Language: en-sg
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; InfoPath.2; MS-RTC LM 8; .NET CLR 3.0.30729)
Host: intranet-uat-voices-in.mital.com.in
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=hravdfifth4zygmrk11gydkm; gov.sg=2190998794.20480.0000; __utmc=110516482; __utma=110516482.2134647970.1430968029.1430968029.1430968029.1; __utmz=110516482.1430968029.1.1.utmcsr=intranet-uat-voices-sp.vital.gov.sg|utmccn=(referral)|utmcmd=referral|utmcct=/WebForms/Home.aspx
X-RBT-Optimized-By: SG5MRWAVTL001 (RiOS 6.5.6) SC


Match Position In Buffer:       132 (0x84)
Match Position In Stream:       1021 (0x3fd)
sunhuxAsked:

gheistCommented:
A1: You should not ring bells for vulnerabilities in irrelevant technologies
A2: you can pass commands to bash via shellshock as one example
A3: No, you must hire a programmer
A4: It must be analyzed by a human (again see A1 for quick filter)
0
btanExec ConsultantCommented:
A1 - IPS/IDS alert is via signature so need to find out what "signature" triggered it and if it is like the normal simple SQLi/XSS inject that caused it then you should ask why a legit user or trusted subnet is sending this request - is it expected and does it happen frequently? Need to make an informed decision before saying whitelisting or exception can be deployed in IDS/IPS or even FW

A2 - See OWASP cheatsheet on XSS/SQLi.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
I will say it is dependent on the web/app/db server deployed. I wouldn't care so much about the language per se as you also do not control the attacker's means to launch such exploits against your asset. They are looking for a "gap" anywhere and if you are running a CMS (content mgmt service) then it is part and parcel to harden it and ensure input validation is done in code. Do a dynamic and static code review even prior to getting those web apps and sites into production online...it is safer than trying to stop different langs and exploits or watch for CVEs (it is going to be endless and ineffective since we are none the wiser on the next step). We should deter attacker means by closing all known vulnerabilities and gaps

A3 - Assurance is just a matter of a word of undertaking. But you do see they are actively looking out, offering bounties to researchers to find gaps way before the attackers do. If you really find a hole that is undeclared then I am sure they have their security team to look into it. They do have binding contracts and service account mgrs to assist but do you trust w/o verifying it yourself? It is tough to say the platform .NET or Java is bugless and if a bug exists, it should be patched but based on timeliness and severity (tagged typically to CVSS 2.0 and the CVE is confirmed). I do not advise specific customisation only for your fixes but you should ensure they always have fixes as a General Release; otherwise, it is going to be broken for the next MS or Oracle global patch update releases...it is like "unmanaged" code per se (to me) since it is unique to your env. We should avoid being the "limelight" and "odd ones".

A4 - yes for the GET as mainly it is in the request URL. For POST, it will be in the content inside the HTTP captures as well (so long as it is not encrypted via SSL/TLS or via VPN etc)...the user agent can be faked too so I tend not to "believe" or "trust" it too much...detectors may use that as part of Indicators of compromise/anomaly/attack for their device Yara rules, Snort rules etc. But they are strings that can be tampered, injected, etc if the channel or carrier did not have securing from end to end. Bots use it to avoid detection, likewise DDoS bots, and even tunnel thru trusted protocols like DNS etc

...but it is always wise to analyse the http packet via a baseline compared to those received too
...the cookie may be added by proxies or load balancers or web servers themselves instead of the web apps. Likely they may fail the httponly or secure flag check from the scanner but just be ready to justify why they are considered false +ve. You also don't own those intermediary devices..
0
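To make btan's A1 and A4 concrete (find out what the signature actually matched, then decide from flow context whether an exception is justified), here is an added triage script that is not from this thread or from any IPS vendor. It reconstructs Sample 1 and Sample 2 from the question, applies two constructed stand-in "generic" patterns (Deep Security's real signatures are not public and are assumed to differ), and combines the match with an assumed allowlist of known web-tier to app-tier flows and a sighting count. The subnet, the expected-flow table and the recurrence threshold are all assumptions for the example.

```python
import re
from urllib.parse import unquote

# Constructed from Sample 1 in the question: request line plus the headers the
# triage needs. Everything else from the capture is omitted.
SAMPLE_REQUEST = (
    "GET /VOICES/XRMServices/2011/OrganizationData.svc/RoleSet"
    "?$select=RoleId&$filter=Name%20eq%20'Senior%20Executive' HTTP/1.1\r\n"
    "Accept: application/json,text/javascript, */*\r\n"
    "Host: intranet-uat-voices.mital.com.in\r\n"
    "\r\n"
)

# Constructed from Sample 2 in the question (the ReportViewer resource fetch).
SAMPLE_REQUEST_2 = (
    "GET /Reserved.ReportViewerWebControl.axd?OpType=Resource&Version=11.0.3452.0"
    "&Name=Microsoft.Reporting.WebForms.Icons.MultiValueSelect.gif HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Host: intranet-uat-voices-in.mital.com.in\r\n"
    "\r\n"
)

# Stand-ins for "generic" SQLi/XSS signatures. Real IPS signatures (for
# example Deep Security's) are vendor specific and not public; these only
# show why an OData query with a quoted literal can look like injection to
# a pattern matcher: the word "select" and a single quote in one URL.
GENERIC_SIGNATURES = {
    "Generic SQL Injection": re.compile(
        r"\b(?:select|union|insert|update|delete|drop)\b[^\r\n]*?'"  # keyword ... quote
        r"|'\s*(?:or|and)\b[^\r\n]*?=",                               # ' or ... =
        re.I,
    ),
    "Generic Cross Site Scripting": re.compile(
        r"<\s*script|javascript:|\bon(?:load|error|click|mouseover)\s*=", re.I
    ),
}

# Assumed allowlist of known web-tier to app-tier flows: (source subnet, Host header).
EXPECTED_FLOWS = {
    ("10.1.20.0/24", "intranet-uat-voices.mital.com.in"),
}

# Assumed threshold: at or above this many sightings of the same alert on an
# expected flow we treat it as recurring application traffic, not a one-off probe.
RECURRING_THRESHOLD = 10


def decode_target(raw_request: str) -> tuple:
    """Split the request line and return (method, URL-decoded target, raw target)."""
    request_line = raw_request.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    return method, unquote(target), target


def host_header(raw_request: str) -> str:
    """Value of the Host header, or '' if absent."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip()
    return ""


def match_signatures(decoded_target: str) -> dict:
    """Return {signature name: matched text} for every stand-in signature that fires."""
    hits = {}
    for name, pattern in GENERIC_SIGNATURES.items():
        m = pattern.search(decoded_target)
        if m:
            hits[name] = m.group(0)
    return hits


def triage(src_subnet: str, raw_request: str, seen_count: int) -> dict:
    """Classify one IPS alert from the request bytes and its flow context.

    Verdicts:
      unknown-signature   - the stand-in patterns do not fire; fetch the vendor's
                            signature definition before deciding anything
      investigate         - source is not an expected client of this host
      exception-candidate - expected flow, recurring, matched text is application
                            syntax; scope an IPS exception to this src/dst/path and
                            have the app team confirm the parameter is handled safely
      confirm-with-owner  - expected flow but rarely seen; ask the app owner first
    """
    method, decoded, _raw = decode_target(raw_request)
    host = host_header(raw_request)
    hits = match_signatures(decoded)
    expected = (src_subnet, host) in EXPECTED_FLOWS
    if not hits:
        verdict = "unknown-signature"
    elif not expected:
        verdict = "investigate"
    elif seen_count >= RECURRING_THRESHOLD:
        verdict = "exception-candidate"
    else:
        verdict = "confirm-with-owner"
    return {"method": method, "host": host, "decoded_target": decoded,
            "hits": hits, "expected_flow": expected, "verdict": verdict}


if __name__ == "__main__":
    for src, req, count in (("10.1.20.0/24", SAMPLE_REQUEST, 40),
                            ("203.0.113.0/24", SAMPLE_REQUEST, 1),
                            ("10.1.20.0/24", SAMPLE_REQUEST_2, 40)):
        print(triage(src, req, count))
```

Note what the two samples show: Sample 1 trips the stand-in SQLi pattern purely because `$select` and a quoted OData literal share one URL, which is application syntax, not an attack; Sample 2 trips nothing here, which is the cue that the vendor's actual signature definition has to be pulled from the IPS rather than guessed at.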
sunhuxAuthor Commented:
>why is legit user or trusted subnet sending this request - is it expected and happened frequently?
It happens often;  instead of whitelisting, governance wants to fix the apps
0

sunhuxAuthor Commented:
It's only the "Generic XSS" & "SQL injection" signatures of Deep Security that got triggered.

The  OWASP cheatsheets are good guidelines;  will be better if they are specific to .Net
& Java codings
0
gheistCommented:
But that is the request, not anything that server code can help you with.
0
sunhuxAuthor Commented:
>  if they are specific to .Net & Java codings
I mean if there are specific examples that give best-practice codings for .Net &
Java that will prevent such false positives from arising.  From the source & destinations,
I can tell that they are from web to app servers with legit purpose (as we have a couple
thousand servers with hundreds of projects & the accesses are all within the same
project) thus I reckon these are false positives.
0
gheistCommented:
You see 2 sample requests.
I see in each a long line of parameters that should be manipulated by a fuzzer or human auditor in hope of unexpected and eventually insecure behaviour of the website.
If you trust this test to be a security hole - imagine that anyone can post SELECT 1=1 to any static page on your website and your governor will ask you to fix the web page.
0
btanExec ConsultantCommented:
OWASP has for .net and java too for developer
https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
https://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#J2EE_Security_for_Developers

Guidance on reviewing these two langs is available too
https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting
https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

The most common is use of OWASP recommended ESAPI in various lang for secure coding adopted by organisation practices https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

but we cannot control the "legit" client request (probably the WAF has blocked it) and web server configuration is part of hardening - the key is you can attempt to disable and enable as req'd but you will never be able to control your intermediary if you are owning that. XFF can be inserted in the hdr but can you say no to those proxy devices if you do not even manage them or they are out of your reach.

if secure coding is done and went thru the dynamic and static code review regime, I do not see why "governance" cannot accept it if you deem due diligence is done and it is those whitelisted clients sending (unexpected or unmanaged) req; you have already done your part to defend at n/w (vul scanning etc), server (hardening) and app code (secure coding) level ...
0
sunhuxAuthor Commented:
Thanks.  A couple more clarifications to help me zoom in on which part of
the codings / application software triggers these alerts.

Q1:
Refer to the latest payload attached: does the "Match Position ..." indicate
which specific codes or software is the culprit triggering the alerts?  Below
are the positions I extracted from the attached:

Match Position In Buffer: 56 (0x38)
Match Position In Stream: 462085 (0x70d05)


Q2:
Is there any tool out there (ideally freewares) that we can use to scan our codes
which will pinpoint where are the likely codes that trigger such XSS & SQL
injection alerts?
May8-38-68.txt
0
btanExec ConsultantCommented:
A1-seems that the attached is mapping to
'AND 1=(_!@2dilemma)+'
and for pos 0x38 it is at CHAR(33) which is '!'

A2-looks like the tool is Netsparker as spelled out in "X-Scanner: Netsparker"
https://www.netsparker.com/web-vulnerability-scanner/overview/
0
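On the "Match Position" question and btan's A1 (position 0x38 resolving to a character in the payload), here is an added example, not from this thread or from the IPS vendor, that shows what the offset is: an index into the captured request bytes, which is why it can name the byte and the query parameter that tripped the signature but never a line of application code. It reconstructs Sample 1's request line from the question as bytes; the helper names and the context window width are this example's own.

```python
from typing import Optional

# Constructed from Sample 1 in the question: the request line and Host header
# as the IPS would have seen them on the wire (bytes, CRLF line endings).
CAPTURED = (
    b"GET /VOICES/XRMServices/2011/OrganizationData.svc/RoleSet"
    b"?$select=RoleId&$filter=Name%20eq%20'Senior%20Executive' HTTP/1.1\r\n"
    b"Host: intranet-uat-voices.mital.com.in\r\n"
    b"\r\n"
)


def find_match_position(buffer: bytes, needle: bytes) -> int:
    """Offset of the first occurrence of `needle`, the way a signature would report it."""
    position = buffer.find(needle)
    if position < 0:
        raise ValueError(f"{needle!r} not present in buffer")
    return position


def byte_at_match(buffer: bytes, position: int, context: int = 16) -> dict:
    """Resolve a 'Match Position In Buffer' value to the request byte it points at.

    The offset indexes the inspected request bytes; the IPS never sees the
    application's source, so it cannot point at a line of code. Returns the
    byte, its character and a window around it so the analyst can see what
    the signature anchored on.
    """
    if not 0 <= position < len(buffer):
        raise ValueError(f"position {position} is outside the {len(buffer)}-byte buffer")
    start = max(0, position - context)
    return {
        "position": position,
        "hex": f"0x{position:x}",
        "byte": buffer[position],
        "char": chr(buffer[position]),
        "context": buffer[start:position + context].decode("latin-1"),
    }


def parameter_at(buffer: bytes, position: int) -> Optional[str]:
    """Name of the query-string parameter whose raw bytes cover `position`.

    This is the link back to the application: the parameter name tells the
    developers which input handler to review. Returns None when the offset
    falls outside the query string (path, headers, body).
    """
    line_end = buffer.find(b"\r\n")
    request_line = buffer if line_end < 0 else buffer[:line_end]
    query_start = request_line.find(b"?")
    query_end = request_line.rfind(b" ")            # the space before "HTTP/1.1"
    if query_start < 0 or not query_start < position < query_end:
        return None
    cursor = query_start + 1
    for param in request_line[query_start + 1:query_end].split(b"&"):
        end = cursor + len(param)
        if cursor <= position < end:
            return param.split(b"=", 1)[0].decode("latin-1")
        cursor = end + 1                              # step over the '&'
    return None


if __name__ == "__main__":
    pos = find_match_position(CAPTURED, b"'")
    print(byte_at_match(CAPTURED, pos))
    print("parameter:", parameter_at(CAPTURED, pos))
```

Run against an alert, the useful output is the parameter name (`$filter` here) and the surrounding bytes; that, not the numeric offset, is what to hand to the application team, since it identifies which input their code receives and should be validating or parameterising.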
gheistCommented:
But you understand that those exploits come from outside and applications on your server have no influence whatsoever on them. They will just ring all the bells and whistles even against static completely read-only website.
0
btanExec ConsultantCommented:
indeed agree with gheist esp when it is a scanner that does such testing spawning off alarms in a "fire drill" trial round. It either gets the server to generate some error leakage, otherwise it sounds the alarm of the security device checks from WAF etc.
0
sunhuxAuthor Commented:
>those exploits come from outside and applications on your server have no influence whatsoever on them
The sample payload I've pasted is triggered by an internal web server going to an internal app server;
not from outside.  In fact more than 99.5% of such alerts in our environment are intranet

As such, I reckon it is due to poor codings or non-optimal software configs
0
sunhuxAuthor Commented:
>"X-Scanner: Netsparker"
Our tool is not Netsparker; guess it derives its alerts based on Netsparker
0
btanExec ConsultantCommented:
input validation needs to be done regardless of malice in the HTTP request. Secure coding is the baseline to catch such attempts even if it is legit, which the sample seemingly has: a query statement potentially triggering SQLi.

Ref - SWAT checklist is handy at a glance to close the low hanging as well https://www.sans.org/security-resources/posters/securing-web-application-technologies-swat-2014-60

As for the tools, X-Scanner is not a standard http header and definitely the header can be manipulated esp when it is from an adversary trying to evade detection and inspection. Regardless, if you are looking at codes (static) and executable running (dynamic) state web scanning, there are Fortify and WebInspect that work together to pinpoint the segment of code that triggers. Minimally a static code scanner will highlight those lacking functions or code segments not doing due secure coding

Ref - OWASP phoenix has a list of tools suggested https://www.owasp.org/index.php/Phoenix/Tools
0
sunhuxAuthor Commented:
> there is fortify and webinspect that work together to pinpoint to that segment
Fortify is used before codes are uploaded in our server.  So I'll need both
Fortify plus Webinspect?
0
btanExec ConsultantCommented:
to be exact, it is WebInspect Real-Time, as it is called.
the emergence of integrated application security testing (IAST) technologies that observe the running code of the application in real-time while the application is being tested. This helps to confirm or disprove the exploitability of the suspected vulnerability, and point to its origin in the application, as well as provide developers with real, actionable information like stack traces and line of code detail, so that they can fix the security problems faster and accurately
http://www.hp.com/hpinfo/newsroom/press/2011/110714.html?mtxs=rss-corp-news

Pardon me I am not "selling" but meant to share that such integrated toolkit is available ...
0
sunhuxAuthor Commented:
Sorry for my delayed response.

Upon reading up some articles on Fortify & WebInspect Real-time, it appears that they
address weak/insecure loopholes but will this address "false positives" esp for Generic
Cross-site scripting, SQL injection & Adobe related alerts?

In particular, given the Payload data (which we extract from our IPSes), will WebInspect
Real-time point to specific codes that can be enhanced to stop these alerts?
0
btanExec ConsultantCommented:
They point to codes if the user has the codes (of the website) on the alert; they claim to do it supposedly. They are web based and not application centric - like owning Adobe or other off-the-shelf user appl...no one has.

However, I do not see any tools that will (or can) say there are no False positives in findings; tester and user need to verify all findings surfaced. Minimally the dynamic and static combination attempts to bring down that FP threshold but it is not a sure means. The findings can be ported to the WAF for mitigation defence to be put up as well...subject to the WAF supporting the reading of the scanner finding format.
Most of the scanner tools are not target-environment aware hence false positives will still need to be validated with manual involvement using other separate tools like Burp, Fiddler, manual injection etc.
0
gheistCommented:
The application will keep showing users pages and they will keep posting search terms back to the server.
You need to check each post field IF manipulation can lead to unauthorized exposure, i.e. real XSS or SQL injection.
Otherwise - false positives, adjust NIDS filters.
0
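The per-field check gheist describes above, and the OWASP parameterised-query and output-encoding guidance btan linked earlier, as an added example that is not from this thread or from OWASP. It uses Python's sqlite3 and html modules as stand-ins for the .NET (SqlParameter) and Java (PreparedStatement) equivalents; the Roles table and its rows are constructed to mirror the RoleSet that Sample 1 queries. The point is the contrast: the same `Name` value that the IPS flags is harmless on the parameterised path and only dangerous on the string-spliced one, which is what decides whether the alert is a false positive or a real finding.

```python
import html
import sqlite3


def make_roles_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the RoleSet that Sample 1 queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Roles (RoleId TEXT, Name TEXT)")
    conn.executemany(
        "INSERT INTO Roles VALUES (?, ?)",
        [("r-001", "Senior Executive"), ("r-002", "Manager"), ("r-003", "Administrator")],
    )
    return conn


def role_ids_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """What a static scanner flags: the filter value is spliced into the SQL text.

    A value containing a quote either breaks the statement or changes its
    logic; this is the code path that turns the IPS alert into a true positive.
    """
    sql = f"SELECT RoleId FROM Roles WHERE Name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def role_ids_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value travels separately from the SQL text, so a
    quote is data, never syntax. Same shape as SqlParameter in .NET and
    PreparedStatement in Java."""
    return [row[0] for row in conn.execute("SELECT RoleId FROM Roles WHERE Name = ?", (name,))]


def render_cell_unsafe(name: str) -> str:
    """Reflects the value into HTML verbatim (the XSS counterpart of role_ids_unsafe)."""
    return f"<td>{name}</td>"


def render_cell_safe(name: str) -> str:
    """Output-encodes for the HTML element context, per the OWASP XSS cheat sheet."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def check_field(name: str) -> dict:
    """The per-field check: does manipulating this value change what the query
    returns or what the page renders, on the unsafe versus the safe path?"""
    conn = make_roles_db()
    try:
        unsafe_rows = role_ids_unsafe(conn, name)
    except sqlite3.OperationalError as exc:       # the quote broke the statement
        unsafe_rows = f"error: {exc}"
    return {
        "unsafe_sql": unsafe_rows,
        "safe_sql": role_ids_safe(conn, name),
        "unsafe_html": render_cell_unsafe(name),
        "safe_html": render_cell_safe(name),
    }


if __name__ == "__main__":
    # Constructed inputs: the legit OData literal from Sample 1, a value with an
    # apostrophe, and the two textbook probes a generic signature keys on.
    for value in ("Senior Executive", "O'Brien", "x' OR '1'='1", "<script>alert(1)</script>"):
        print(repr(value), check_field(value))
```

If the application's handler for the flagged parameter behaves like `role_ids_safe` and `render_cell_safe`, the alert is a false positive and belongs in an IPS exception scoped to that flow; if it behaves like the unsafe pair, the alert is telling the truth and the code, not the IPS rule, is what needs fixing.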
btanExec ConsultantCommented:
static code analysis tends to surface quite a fair amt of findings and if the developed codes do no secure coding and use those best-practice templates like OWASP (or even not using the ESAPI api) and Mitre standards, then be prepared to see more of those laundry listings. Every input is considered evil unless proven otherwise. That is for the apps side and for the network aspects, tuning is part of the regime esp when new apps are launched ... but those alerts tagged with a CVE as ref should not be false pos and must be verified and remediated... some scanning msgs also tend to be misleading when the target is not up or already decommissioned (as it failed to have any scan response)...
0
gheistCommented:
The problem is that even if the backend is assured safe, the application will continue to use the same requests between it and the browser and the IDS will keep whistling loudly.
0
btanExec ConsultantCommented:
agree, more layers to check and sometimes (or I must say most of the time) system/apps owners do not own those infra folks' appliances. the findings are ideally done in an "excepted" case with whitelisting for client testing only during the approved scanning limit and schedule slot...
0