sunhux

asked on

Reflected XSS: comprehensive pattern needed for Java code

Refer to the attached code that we use for input validation
against a reflected XSS:

We've increased the validations, but each time a rescan
is done there's a new set of "patterns" that's not caught,
& the same pentester conveys we just have to follow
OWASP recommendations:

Q1
can anyone help review the attached & enhance to
make it fully compliant?

Q2
pentester says they can't possibly provide all the
possible patterns, so what does this mean?  No
closure possible or we can reduce to a minimum?
Our apps team is getting tired & claims the pentester
fails to provide the full patterns while pentester says
we just need to adhere to OWASP, so which is which,
as I'm confused who is right & what's best practice?
sunhux

ASKER

attached the input validation codes embedded into Tomcat
xss_pattern.txt
sunhux

ASKER

Best not to recommend us to upgrade Tomcat (we're on 8.5.42) as we've just upgraded.

We don't have a WAF, but one WAF vendor has the filter below:
%00%01%04%1b%08%5c%7f%02%04%0a%0b%0c%0d%0e%0f%0a%1b%1c%1d%1e%1f%7f%80%81%82%83%84%85%86%87%88%89%8a%8b%8c%8d%8e%8f%90%95%97%98%99%9a%9a%9b%9c%9d%9e%9f%a0%a1%a2%a3%a4%a5%a6%a7%a8%aa%ab%ac
How can we apply the above WAF filter to the codes I've attached:
appreciate specific codes, thanks
sunhux

ASKER

Think the pentester uses Netsparker
sunhux

ASKER

Just to qualify, we don't have the source code, so the Java code
I've attached is to blacklist those characters.

Can we safely say input validation employs whitelisting (what
the allowed characters are) while the code I have employs
blacklisting: block undesirable characters?

In any case, will be much appreciated if anyone can enhance
the codes attached
leakim971
What about using a dedicated "proxy" on a separate unit to protect your server?
sunhux

ASKER

WAF & proxy did cross our mind but the pentester from Big 4
conveyed that the risk can be lowered from High to Med but
not closed as internal users (or an outside attacker who gained
a foothold in our internal LAN) could still attack it.  It's still
highly recommended to fix it at source (i.e. at the app server).

Or is there any such javascript to do whitelisting instead of
blacklisting for Tomcat that anyone could share?
ASKER CERTIFIED SOLUTION
leakim971

This solution is only available to members.
sunhux

ASKER

Ah, ok, a solution that runs in the endpoint itself: not that I'm giving
excuses but we'll have some learning curve to build up to be able to
set up, configure and maintain mod_security
sunhux

ASKER

Can we say mod_security is an endpoint WAF & if so can it be bypassed:

Methods to Bypass WAF – Cross-Site Scripting:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Methods_to_Bypass_WAF_.E2.80.93_Cross-Site_Scripting

• Stored XSS
If an attacker managed to push XSS through the filter, WAF wouldn’t be able to prevent the attack conduction.
• Reflected XSS in Javascript
  Example: <script> ... setTimeout(\"writetitle()\",$_GET[xss]) ... </script>
  Exploitation: /?xss=500); alert(document.cookie);//
all is based on this :

if an attacker managed to push XSS through the filter

that should not happen, right?
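The OWASP excerpt quoted above is the case where a filter in front of the application cannot help: the parameter lands inside a JavaScript context, so blocking `<script` is irrelevant. The fix the thread keeps coming back to (OWASP, ESAPI, "fix it at source") is handling the value according to the context it is written into. The following is an added example in Java, not ESAPI and not the thread's code; `encodeForHtml` and `encodeForJsString` are simplified stand-ins for what a library such as ESAPI's encoder provides, and `renderPage` is a constructed template standing in for the vulnerable page in the quote.

```java
/**
 * Added example (not from the thread or from ESAPI): handle a reflected
 * parameter according to the output context it lands in.
 */
public final class ReflectedOutput {

    /** HTML text / double-quoted attribute context: entity-encode the HTML metacharacters. */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** JavaScript string-literal context: \xHH or \uHHHH for everything but ASCII letters and digits. */
    static String encodeForJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 4);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    /**
     * The quoted example's context is a bare number (a setTimeout delay), so no
     * encoding applies there: validate it as a bounded integer and fall back otherwise.
     */
    static int delayMillis(String raw, int fallback) {
        try {
            int v = Integer.parseInt(raw.trim());
            return (v >= 0 && v <= 60_000) ? v : fallback;
        } catch (NumberFormatException notANumber) {
            return fallback;
        }
    }

    /** Constructed page template: the same parameter written into three different contexts. */
    static String renderPage(String xssParam) {
        return "<script>setTimeout(\"writetitle()\", " + delayMillis(xssParam, 500) + ");</script>\n"
             + "<p>You searched for: " + encodeForHtml(xssParam) + "</p>\n"
             + "<script>var q = '" + encodeForJsString(xssParam) + "';</script>";
    }

    public static void main(String[] args) {
        // The exploitation string quoted from the OWASP cheat sheet, used here as a constructed test input.
        String hostile = "500); alert(document.cookie);//";
        System.out.println(renderPage(hostile));
        System.out.println();
        System.out.println(renderPage("42"));
    }
}
```

With the quoted input, `delayMillis` does not parse it as an integer and emits the 500 ms default, the `<p>` shows it as inert text, and the JavaScript literal receives only `\xHH` escapes, so neither the quote nor `</script>` can close their context. The point for the debate in this thread is that none of this logic depends on a list of attack patterns; it depends on knowing, per output location, what the value is supposed to be, which is exactly the knowledge a filter bolted onto Tomcat without the application source does not have.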
SOLUTION
sunhux

ASKER

BTan, can ESAPI.js be used with Tomcat?
SOLUTION
sunhux

ASKER

Where can we download all the ESAPI components for Tomcat?

The link below has downloads for .js & .html, so are the required
scripts/filters/components included in them?

Is ESAPI deploying the whitelisting or blacklisting method?
SOLUTION
sunhux

ASKER

My apps colleague replied:
He's aware of the ESAPI solution, but it only works if the application's source code & all the
JavaScripts are given to us, and the vendor did not release the source code to us, i.e.
we don't have all the code from frontend to backend (we run microservices), thus he
deployed the blacklisting javascript (attached in the 1st post above) in Tomcat.
sunhux

ASKER

I'm curious why my colleague can't convert his javascript to do
whitelisting if the script could do 'blacklisting'.
SOLUTION
sunhux

ASKER

BTan, can the last suggestions (the four points) be implemented if
the vendor did not release the source codes to us?

Somehow the apps colleague 'embedded' the blacklisting javascript
in Tomcat: I can ask him exactly how he 'embedded' it if this will give
any clue.

I have doubts that the javascript (which I've attached in the 1st post
above) can't be rewritten to do whitelisting.
SOLUTION
sunhux

ASKER

My apps colleague got back that he's aware of the ESAPI solution but it
can't be implemented as we don't have the source codes due to legacy
reasons: the binaries were passed down from generations without the
source codes & we now migrate these binaries to microservices/docker
& thus he came out with a javascript to be 'layered' into Tomcat.

Yes, the apps colleague showed me he already has "xssProtectionEnabled",
"HttpHeaderSecurityFilter" and "antiClickJackingEnabled" enabled (in web.xml
& one other Tomcat config file), but the pentester using Netsparker still
found it vulnerable (he used quite extensive patterns to test Reflected
XSS).

As for "input validation"/"whitelisting" the inputs, it's not possible as we
don't have the source codes.
sunhux

ASKER

attached 1st screen of web.xml with red arrows showing the 3 Tomcat settings
are in place.

Next attachment is what the pentester highlighted despite the javascript that
was applied in Tomcat (in my very 1st post above).

If we use a WAF, it's also a blacklisting mechanism, as I was told by the WAF admin
that when whitelisting is done it caused some issues, as some legit characters or
patterns (which we can't predict as the required patterns) got blocked.
XssJpom.jpg
xssHighrisk.JPG
SOLUTION
sunhux

ASKER

Do mod_security & Barracuda WAF have a similar "learning mode"?
Good question, these can be advised by provider