sunhux asked:
Reflected XSS: comprehensive pattern needed for Java code
Refer to the attached code that we use to do input validation for
a reflected XSS:
we've increased the validations, but each time a rescan
is done there's a new set of "patterns" that isn't caught,
& the same pentester conveys we just have to follow
OWASP recommendations:
Q1
Can anyone help review the attached & enhance it to
make it fully compliant?
Q2
The pentester says they can't possibly provide all the
possible patterns, so what does this mean? Is no
closure possible, or can we reduce it to a minimum?
Our apps team is getting tired & claims the pentester
fails to provide the full patterns, while the pentester says
we just need to adhere to OWASP, so which is which?
I'm confused about who is right & what's best practice.
ASKER
Best not to recommend us to upgrade Tomcat (we're on 8.5.42) as we've just upgraded.
We don't have a WAF, but one WAF vendor has the filter below:
%00%01%04%1b%08%5c%7f%02%04%0a%0b%0c%0d%0e%0f%0a%1b%1c%1d%1e%1f%7f%80%81%82%83%84%85%86%87%88%89%8a%8b%8c%8d%8e%8f%90%95%97%98%99%9a%9a%9b%9c%9d%9e%9f%a0%a1%a2%a3%a4%a5%a6%a7%a8%aa%ab%ac
How can we apply the above WAF filter to the code I've attached?
Specific code would be appreciated, thanks.
ASKER
Think the pentester uses Netsparker.
ASKER
Just to qualify, we don't have the source code, so the Java code
I've attached is to blacklist those characters.
Can we safely say input validation employs whitelisting (what
the allowed characters are) while the code I have employs
blacklisting: block undesirable characters?
In any case, it will be much appreciated if anyone can enhance
the attached code.
What about using a dedicated "proxy" on a separate unit to protect your server?
ASKER
WAF & proxy did cross our mind, but the pentester from a Big 4 firm
conveyed that the risk can be lowered from High to Med but
not closed, as internal users (or an outside attacker who gained
a foothold in our internal LAN) could still attack it. It's still
highly recommended to fix it at source (i.e. at the app server).
Or is there any such javascript to do whitelisting instead of
blacklisting for Tomcat that anyone could share?
ASKER CERTIFIED SOLUTION
ASKER
Ah, ok, a solution that runs in the endpoint itself: not that I'm giving
excuses but we'll have some learning curve to build up to be able to
set up, configure and maintain mod_security
ASKER
Can we say mod_security is an endpoint WAF & if so can it be bypassed:
Methods to Bypass WAF – Cross-Site Scripting:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Methods_to_Bypass_WAF_.E2.80.93_Cross-Site_Scripting
• Stored XSS
If an attacker managed to push XSS through the filter, WAF wouldn’t be able to prevent the attack conduction.
• Reflected XSS in Javascript
Example: <script> ... setTimeout(\"writetitle()\",$_GET[xss]) ... </script>
Exploitation: /?xss=500); alert(document.cookie);//
All is based on this:
"if an attacker managed to push XSS through the filter"
That should not happen, right?
SOLUTION
ASKER
BTan, can ESAPI.js be used with Tomcat?
SOLUTION
ASKER
Where can we download all the ESAPI components for Tomcat?
The link below has downloads for .js & .html, so are the required
scripts/filters/components included in them?
Is ESAPI deploying the whitelisting or the blacklisting method?
SOLUTION
ASKER
My apps colleague replied:
He's aware of the ESAPI solution, but it only works if the application's source code & all the
JavaScript are given to us, but the vendor did not release the source code to us, i.e.
we don't have all the code from frontend to backend (we run microservices), thus he
deployed the blacklisting javascript (attached in the 1st post above) in Tomcat.
ASKER
I'm curious why my colleague can't convert his javascript to do
whitelisting if the script could do 'blacklisting'.
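The two posts above ask whether the Tomcat-layered script could do whitelisting rather than blacklisting. The same deployment point, a servlet Filter registered in web.xml, can carry an allowlist, so the vendor's source code is not needed. This is an added example, not the attached script, ESAPI or any Tomcat component; the parameter names (id, email, q) and their allowed patterns are hypothetical and would be replaced with the application's real parameters.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Allowlist (whitelist) validation of request parameters, deployed as a Tomcat Filter. */
public class AllowlistParamFilter implements Filter {
    // Hypothetical per-parameter allowlists: each states what IS permitted, so no list
    // of "bad" patterns has to be kept up to date. Unknown parameter names use DEFAULT.
    private static final Map<String, Pattern> RULES = new HashMap<>();
    private static final Pattern DEFAULT = Pattern.compile("[\\p{L}\\p{N} ._,-]{0,256}");
    static {
        RULES.put("id", Pattern.compile("[0-9]{1,10}"));
        RULES.put("email", Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"));
        RULES.put("q", Pattern.compile("[\\p{L}\\p{N} ._-]{0,64}"));
    }

    /** True only if the whole value matches the allowlist for that parameter name. */
    static boolean isAllowed(String name, String value) {
        return RULES.getOrDefault(name, DEFAULT).matcher(value).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Tomcat has already URL-decoded the values once, so the check sees decoded
        // characters; a '%' that survives decoding is simply not in the allowlist.
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            for (String v : e.getValue()) {
                if (!isAllowed(e.getKey(), v)) {
                    // Generic message: never echo the rejected name or value back.
                    ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_BAD_REQUEST, "Invalid request parameter");
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    // Stand-alone check of the rule logic on constructed sample values.
    public static void main(String[] args) {
        System.out.println("numeric id accepted: " + isAllowed("id", "12345"));
        System.out.println("plain search accepted: " + isAllowed("q", "tomcat filter"));
        System.out.println("markup rejected: " + !isAllowed("q", "<script>alert(1)</script>"));
        System.out.println("js break-out rejected: " + !isAllowed("other", "500); alert(1);//"));
    }
}
```

Compile against Tomcat's servlet-api.jar, drop the class under WEB-INF/classes and register it in web.xml with a <filter> and <filter-mapping> entry, as done for HttpHeaderSecurityFilter; note that it covers request parameters only, not headers, cookies or the path.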
SOLUTION
ASKER
BTan, can the last suggestions (the four points) be implemented if
the vendor did not release the source code to us?
Somehow the apps colleague 'embedded' the blacklisting javascript
in Tomcat: I can ask him exactly how he 'embedded' it if this will give
any clue.
I have doubts that the javascript (which I've attached in the 1st post
above) can't be re-written to do whitelisting.
SOLUTION
ASKER
My apps colleague got back that he's aware of the ESAPI solution, but it
can't be implemented as we don't have the source code due to legacy
reasons: the binaries were passed down through generations without the
source code & we are now migrating these binaries to microservices/docker,
& thus he came up with a javascript to be 'layered' into Tomcat.
Yes, the apps colleague showed me he already has "xssProtectionEnabled",
"HttpHeaderSecurityFilter", "antiClickJackingEnabled" enabled (in web.xml
& one other Tomcat config file), but the pentester using Netsparker still
found it vulnerable (he used quite extensive patterns to test Reflective
XSS).
As for "input validation"/"whitelisting" the inputs, it's not possible as we
don't have the source code.
ASKER
Attached is the 1st screen of web.xml with red arrows showing the 3 Tomcat settings
are in place.
The next attachment is what the pentester highlighted despite the javascript that
was applied in Tomcat (in my very 1st post above).
If we use a WAF, it's also a blacklisting mechanism, as I was told by the WAF admin
that when whitelisting is done it caused some issues, as some legit characters or
patterns (which we can predict which are the required patterns) got blocked.
XssJpom.jpg
xssHighrisk.JPG
SOLUTION
ASKER
Do mod_security & Barracuda WAF have a similar "learning mode"?
Good question; these can be advised by the provider.
ASKER
xss_pattern.txt