Published on March 12, 2014
libinjection: From SQLi to XSS
Nick Galbreath @ngalbreath, Signal Sciences Corp, email@example.com
Code Blue ∙ Tokyo ∙ 2014-02-17

Nick Galbreath @ngalbreath
• Founder/CTO of Signal Sciences Corp
• Before: IponWeb (Moscow, Tokyo)
• Before: Etsy (New York City)

What is libinjection?
• A small C library to detect SQLi attacks in user input
• With APIs in Python, Lua and PHP
• Introduced at Black Hat USA 2012
• Open source with BSD license
• https://github.com/client9/libinjection
Why libinjection?
• Existing detection is mostly done with regular expressions
• No unit tests
• No performance (speed) tests
• No coverage tests
• No accuracy or precision tests
• No false positive tests
• "What are they actually doing?"

libinjection SQLi Today
• Version 3.9.1
• 8000 unique SQLi fingerprints
• 400+ unit tests
• 85,000+ SQLi samples

In Use At
• mod_security WAF - http://www.modsecurity.org/
• ironbee WAF - https://www.ironbee.com/
• glastopf honeypot - http://glastopf.org/
• proprietary WAFs
• internally at many companies
• partial pure-Java port

Similar to SQLi
• No standard detection library (for XSS)
• Few if any have tests
• Regular expression based detection
• Can we do better?
HTML Injection Samples
<b>XSS</b> (raw HTML)
<foo XSS> (tag attribute from user input)
<foo name=XSS> (tag value from user input)
<foo name='XSS'> (quoted value)
<foo name="XSS"> (quoted value)
<foo name=`XSS`> (IE only!)
Browser HTML Tokenization
• Previously every browser parsed or tokenised HTML differently.
• This led to a number of different attacks using broken HTML tags, special characters or encodings.
• Now most browsers use the same algorithm, specified by HTML5.

> 65% of browsers are HTML5 (source: http://tnw.co/1cqFueo)

Every Tokenization Step Is Clearly Defined
The remainder are IE
• And IE only has a few versions
• And has some well-known exceptions to the HTML5 parsing rules.

IE6 and IE7
• IE7 has only 2% of market share
• IE6 will, in time, go away.
• Both are likely running on 10-year-old machines.

IE8
• Somewhere between 10-20% market share
• The most modern MS browser on Windows XP
• Market share can only go down.

Opera
• 1.33% global market share
• But maybe 40% of that is 'Opera Mini' for phones or embedded systems
• Opera has a lot of oddities in HTML functionality and parsing
• Ignoring it.

In scope: HTML injection attacks in HTML5 clients.
• No: XML / XSLT injection
• No: any injection for IE6, IE7, Opera, or FF and Chrome older than a year.
• No: DOM-style attacks (need a client-side solution)
libinjection html5
• Full HTML5 tokenizer.
• Does not build a tree or DOM
• Just emits tokenizer events.
• Zero copying of data

Tokenization Sample
Input: <img src="junk" onerror=alert(1);>
TAG_NAME_OPEN img
ATTR_NAME src
ATTR_VALUE junk
ATTR_NAME onerror
ATTR_VALUE alert(1);
TAG_NAME_CLOSE >

Check in Each Context
Each input is parsed in at least 6 different HTML contexts, because that's how XSS works!
<b>XSS</b> (raw HTML)
<foo XSS> (tag attribute from user input)
<foo name=XSS> (tag value from user input)
<foo name='XSS'> (quoted value)
<foo name="XSS"> (quoted value)
<foo name=`XSS`> (IE only!)
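The event stream shown in the tokenization sample and the six-context check, as an added Python illustration (not libinjection's own C code): a cut-down tokenizer that models the HTML5 tag-name and attribute states and emits (kind, start, end) offsets rather than copied strings, a wrapper that reparses the same input in each of the six contexts, and a small confusion-count routine of the kind the "Why libinjection?" slide says regex detectors lack. The flagging rules (scripting tag names, attribute names starting with "on", "javascript:" values), the CONTEXTS table and the sample corpus are constructed for this example and are not libinjection's rules or test data.

```python
"""Simplified HTML5-style tokenizer plus a multi-context XSS check (added illustration,
not libinjection's code). Events are (kind, start, end) offsets into the input."""
import string
TAG_NAME_OPEN, TAG_NAME_CLOSE, ATTR_NAME, ATTR_VALUE = "TAG_NAME_OPEN", "TAG_NAME_CLOSE", "ATTR_NAME", "ATTR_VALUE"
_WS = " \t\n\f\r"

def _tag_starts_at(s, i):
    # HTML5 enters the tag-open state only for '<' + ASCII letter or '</'.
    return s[i] == "<" and i + 1 < len(s) and (s[i + 1] in string.ascii_letters or s[i + 1] == "/")

def tokenize(s):
    """Tag-name and attribute states only: text outside tags is skipped, end tags
    are also reported as TAG_NAME_OPEN, comment/doctype/script states are omitted."""
    events, i, n = [], 0, len(s)
    while i < n:
        if not _tag_starts_at(s, i):              # data state: not a real tag open
            i += 1
            continue
        i += 1 if s[i + 1] != "/" else 2          # consume '<' or '</'
        start = i                                 # tag name state
        while i < n and s[i] not in _WS + "/>":
            i += 1
        events.append((TAG_NAME_OPEN, start, i))
        while i < n:                              # attribute states
            while i < n and s[i] in _WS + "/":
                i += 1
            if i >= n:
                break
            if s[i] == ">":
                events.append((TAG_NAME_CLOSE, i, i + 1))
                i += 1
                break
            start = i                             # attribute name ends at ws, '/', '>' or '='
            while i < n and s[i] not in _WS + "/>=":
                i += 1
            events.append((ATTR_NAME, start, i))
            while i < n and s[i] in _WS:
                i += 1
            if i < n and s[i] == "=":
                i += 1
                while i < n and s[i] in _WS:
                    i += 1
                if i < n and s[i] in "\"'":       # quoted value: ends at the matching quote
                    end = s.find(s[i], i + 1) % (n + 1)   # -1 (never closed) becomes n
                    events.append((ATTR_VALUE, i + 1, end))
                    i = end + 1
                else:                             # unquoted value: ends at ws or '>'
                    start = i
                    while i < n and s[i] not in _WS + ">":
                        i += 1
                    events.append((ATTR_VALUE, start, i))
    return events

CONTEXTS = (                 # the six contexts from the slides; {0} is the user input
    "<b>{0}</b>",            # raw HTML
    "<foo {0}>",             # tag attribute from user input
    "<foo name={0}>",        # unquoted tag value
    "<foo name='{0}'>",      # single-quoted value
    '<foo name="{0}">',      # double-quoted value
    "<foo name=`{0}`>",      # backtick-quoted value (IE only)
)
_DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}

def suspicious_events(s):
    """(kind, text) for events flagged by a stand-in heuristic (hypothetical, not
    libinjection's rules): scripting tag, "on*" attribute, or javascript: value."""
    flagged = []
    for kind, a, b in tokenize(s):
        text = s[a:b]                             # the only place text is materialised
        norm = text.lower()
        if kind == TAG_NAME_OPEN and norm in _DANGEROUS_TAGS:
            flagged.append((kind, text))
        elif kind == ATTR_NAME and len(norm) > 2 and norm.startswith("on"):
            flagged.append((kind, text))
        elif kind == ATTR_VALUE and "".join(norm.split()).startswith("javascript:"):
            flagged.append((kind, text))
    return flagged

def is_xss(user_input):
    return any(suspicious_events(ctx.format(user_input)) for ctx in CONTEXTS)

def evaluate(samples):
    # Confusion counts over (text, is_attack) pairs: the false-positive measurement.
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for text, is_attack in samples:
        hit = is_xss(text)
        counts[("tp" if hit else "fn") if is_attack else ("fp" if hit else "tn")] += 1
    return counts

SAMPLES = [                  # constructed corpus for the demo, not libinjection's data
    ('<img src="junk" onerror=alert(1);>', True),
    ('" onmouseover="alert(1)', True),
    ("javascript:alert(1)", True),
    ("<script>alert(1)</script>", True),
    ("` onload=`alert(1)", True),
    ("hello world", False),
    ("O'Reilly & Sons", False),
    ("online sale", False),  # the "on" prefix rule flags this: a false positive
]
```

Running `tokenize` on the slide's input yields exactly the six events listed above, and `evaluate(SAMPLES)` catches every attack sample but also flags "online sale": in the `<foo XSS>` context the word becomes an attribute name and trips the prefix rule. That is the bypass-versus-false-positive trade-off the TODO slide's "false-positive QA" refers to, and it is why a corpus of benign inputs has to be measured rather than assumed.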
XSS Cheat Sheets
• Most are outdated (exploits for Firefox 3!)
• Sorry OWASP :-(
• Each entry validated to make sure it is valid for HTML5 browsers.

HTML5SEC.org
• Fantastic resource
• But lists many examples for Firefox 3 and/or obsolete Opera versions
• Pruned to focus on HTML5 browsers

@soaj1664ashar
• Produces interesting new XSS regularly
• If you like XSS you should follow him on Twitter

Attack / Scanners
• Integrate one scanner's test cases
• Using Shazzer fuzz databases - http://shazzer.co.uk/

Available Now
• Available on GitHub
• http://libinjection.client9.com/
• but... still alpha
IE Unbalanced Quotes
• IE 8+ has strange behaviour with 'unbalanced quotes' inside comments and attribute values.
• Work in progress

Performance
500,000+ checks per second

TODO 2014-02-17
• It's alpha, so it's likely to have some spectacular failures (bypasses)
• False-positive QA not completed.
• Currently does not handle some IE injections
• Does not have a test-bed for experimenting (maybe later this week).
• More QA and code coverage needed
• No bindings for scripting languages (soon).
libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks from user inputs. Two years later the algorithm ...
libinjection: From SQLI to XSS (version 2) was first presented at Code Blue, Tokyo Japan on 2014-02-18. Slides in English and Japanese.
This talk will introduce a new algorithm for detecting XSS attacks. Like the SQLi libinjection ...