On a related note ­ the never ending obfuscation techniques to bypass any
filtering mechanism (WAF or otherwise) lead me to use additional WAF
techniques to help mitigate XSS attacks.  I recently gave my "XSS
Street-Fight" presentation at Blackhat DC
(http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Barnett)
which outlined these items.  The preso slides aren't up on the BH site yet
so I posted them on them here -
http://www.modsecurity.org/documentation/XSS_Street_Fight-Ryan_Barnett-Black
hatDC-2011.pdf

The short of it is that you need to things like -

1. Generic Attack Payload Detection ­ highly obfuscated payloads often have
   tell-tail signs that something is abnormal with it.
2. Dynamic Taint Propagation ­ to compare inbound/outbound data to identify
   possible areas where the app isn't applying output escaping/encoding of
   user­supplied data.
3. Counting the number of iframes/scripts on a page ­ successful XSS attacks
   will often result in new tags
4. Adding a JS Sandbox ­ pushing a JS sandbox (like Active Content
   Signatures) down to the client so you can combat XSS there.
   Anyways ­ this is a topic that we will be discussing at the upcoming OWASP
   Summit in Portugal next week. http://www.owasp.org/index.php/Summit_2011
   Should be interesting to hash all these concepts out further.

Sorry for the thread hijackŠ

-Ryan

From:  Ryan Dewhurst ryandewhurst@gmail.com
Date:  Wed, 2 Feb 2011 21:36:44 +0000
To:  websecurity@lists.webappsec.org
Subject:  [WEB SECURITY] WAF XSS Fuzzer?!

On 2 February 2011 21:36, Ryan Dewhurst ryandewhurst@gmail.com wrote:

I'll probably add it to XSS Rays, it will consist of:-

for(var i=0;i<10;i++) {
vector = '<img src=1 onerror=alert('+(i+1)+')>';
}

It will probably work for most WAFs as Thornmaker and sdc has already proved

On Thu, Feb 3, 2011 at 10:43 AM, Chris Weber chris@casabasecurity.com wrote:

Any plans to produce a tool (or update an existing one) that has these
techniques?

I was definitely thinking the same thing, Chris -- x5s would be ideal
to test WAFs, but perhaps not perfect.

I'd also be curious to test for div overlays/hijacking and base/form
hijacking (and other issues with HTMLi). I will probably get some
opportunity to test everything mentions on a few WAFs soon. Feel free
to ping me about test cases or tool benchmarking.

So, I'm certainly interested in your beta projects. What's with
webappsec tool these days where the dev versions are significantly
more advanced than the releases? Whoever said that webappsec isn't
innovating obviously isn't involved in webappsec. It's just the stupid
appsec commercial product vendors that aren't innovating!

Cheers,
Andre

Awesome that someone put a book together on this subject; long
overdue. I didn't know there were others as geeked out on
canonicalization as you and I were, and the guys over at Depth
Security.

FYI WhiteHat Sentinel has been testing for a large number of these
"filter evasion"/canonicalization issues for 4+ years now. I published
stats about their frequency of occurrence a few years ago at BlackHat.
That was from a fairly small sample of applications compared to what
we work with today though, so it's probably time to take a look at
those numbers again.

What we find time and time again is that most of the obscure "filter
evasion" techniques tend to succeed as edge-cases. But there are a
heck of a lot of edge-cases out there. Some other observations about
these type of filter-evasion/canonicalization issues:

1. hard for static automation to identify
2. often emergent behaviors, results of disparate code bases and/or
   interactions with app/web server product configurations
3. often only show up at runtime in Production, usually because of a
   relationship in item #2
4. often only in isolated parts of larger applications (again, see #2)
   so spot-checking applications doesn't help. Need better automated
   levers to cover all inputs, and find the edge-cases.

We have also worked fairly closely with several Web App Firewall
vendors integrating Sentinel, and sharing information with them about
these types of filter evasions. However, WAF vendors have a tough time
of it. Customers will tolerate false-negatives over false-positives.
Good or bad, that's just how the world works. Filtering on these types
of data constructs has an unfortunate tendency to generate false
positives - especially on internationlized websites using multiple
code pages/encoding formats. Likewise, remediation is often as
challenging for the developer to understand as mitigation. Tricky
problem.

Also, I know IBM Appscan has implemented some degree of tests
targeting these issues as well. I have not seen the other mainstream
webapp scanners perform any depth of testing here (they might, but I
haven't seen it in their test injections nor results). However - the
biggest problems the appsec scanning industry is facing today involves
scaling, and false-positives rates. Improved filter-evasion just isn't
a primary problem (yet) IMHO.

Interesting times. The appsec industry, the customer base, and the
technologies are all evolving rapidly today. The next 5 years in
appsec should be much more exciting than the last 5 years.

Keep up the excellent work, Chris (I'm assuming x5s is your project).

Arian Evans

On Thu, Feb 3, 2011 at 9:43 AM, Chris Weber chris@casabasecurity.com wrote: