XSS Countermeasures in Grails

XSS Countermeasures in
Grails
Rafael Luque @rafael_luque — OSOCO
José San Leandro @rydnr — Ventura24

http://goo.gl/UGdJ0I

XSS concepts
• What’s a XSS
• XSS Types: Reﬂected, stored, DOM-based.
• Famous XSS attacks: Samy worm, MrBean defacement, ...

XSS threats
• Interface defacement
• Session hijacking
• Click hijacking
• Malware infection
• Your PC may be joined to the horde of zombies in a BotNet.

Following
the
white
rabbit. . .

Something more than a joke. . .

Exploiting the browser
1. Preparing the exploit server. . .

2. Injecting an invisible frame pointing to the exploit server. . .

3. Exploit works and executes the payload. . .

4. Spawning notepad.exe process to migrate to. . .

Post-exploitation phase
Run a remote shell

Keylogging

Run VNC session

Welcome to the
horde of
zombies

Joining to a botnet
1. Install the malware. . .

Joining to a botnet
2. Welcome to my botnet C&C. . .

Responsibilities: Why is
this still an issue?

Commercial software
• XSS is not known for business stakeholders

Commercial software
• For most people, security means attacking your servers

Commercial software
• For most people, security means attacking your servers
• Developers don’t pay enough attention

Do your homework
• Raise awareness

Do your homework
• Raise awareness
• Practice with security tools

Do your homework
• Raise awareness
• Promote defensive coding

Do your homework
• Raise awareness
• Promote defensive coding
• Improve monitoring

#1: Built-in default codec
grails.views.default.codec

is none!
grails.views.default.codec = ’’none’’

is none!
Problems
You have to escape explicitly every untrusted
data:
encodeAsHTML()
encodeAsJavaScript()
encodeAsURL()

is none!
Problems
High likelihood of XSS vulnerabilities in
production.
E.g. Grails.org website.

is none!
Problems
Double-encoding prevention over Security by
default.

is none!
Solution
Change default codec to HTML:
grails.views.default.codec = ’’html’’

#2: Inconsistent behaviour
Apply codec Does not apply codec
• GSP EL: ${...}

• GSP EL: ${...}
• Tag: <g:tag .../>

• GSP EL: ${...}
• Tag: <g:tag .../>
• GSP EL in tag attribute: <g:tag a="${...}"/>

• GSP EL: ${...}
• Tag: <g:tag .../>
• Tag as a method: ${g.tag(...)}

• GSP EL: ${...}
• Tag: <g:tag .../>
• Tag as a method: ${g.tag(...)}
• Scriptlets: <%= ... %>

#3: Tag output is not
escaped
Problems
Review the tags you use to make sure they
encode their output or have options for this (e.g.
encodeAs attribute).

escaped
Problems
Review the tags from plugins you use.

escaped
Problems
Review the tags you invoke as methods in
Controllers.

escaped
Problems
Don’t trust Grails core tags, they have
inconsistent behaviour. E.g:
<g:fieldValue /> // HTML-encoded
<g:message /> // NO HTML-encoded

escaped
Solutions
If tag implementation doesn’t encode, add it
explicitly or invoke it as a method inside a GSP
expression:
<g:message ... encodeAs=’’HTML’’/>
${g.message(...)}
g.message(...).encodeAsHTML()

#4: g:message doesn’t
escape arguments
Problems
With default codec set to HTML the following
XSS attack vector works:
<g:message code=’welcome’ args=’[params.user]’/>
where:
welcome = Hi {0}!
params.user = <script>alert(’pwnd’)</script>

escape arguments
Solutions
Upgrade to a Grails version with the issue
(GRAILS-7170) ﬁxed:
2.0.5, 2.1.5, 2.2.2, 2.3-M1

escape arguments
Solutions
Escape explicitly or invoke the tag inside a GSP
expression:
<g:message code=’welcome’ args=’[params.user]’
encodeAs=’HTML’/>
${g.message(code:’welcome’, args:[params.user])}

#5: One codec is not
enough
You MUST use the escape syntax for the context of the HTML
document you’re putting untrusted data into:
• HTML
• JavaScript
• URL
• CSS

enough
HTML entity encoding doesn’t work if you’re using untrusted
data inside a <script>, or an event handler attribute like
onmouseover, or inside CSS, or in a URL.

enough
Problems
You can override the default codec for a page,
but not to switch the codec for each context:
<%@page defaultCodec=’CODEC’ %>

enough
Problems
How to manage GSPs with mixed encoding
requirements?

enough
Solutions
Turn off default codec for that page and use
encodeAsJavaScript() and
encodeAsHTML() explicitly everywhere.

enough
Solutions
Extract the JavaScript fragment to a GSP tag
encoding as JavaScript.

Grails 2.3 Encoding
Enhancements

#1: New conﬁguration more
secure by default

#1: New conﬁguration more
security by default
grails {
views {
gsp {
encoding = ’UTF-8’
htmlcodec = ’xml’ // use xml escaping instead of HTML4
codecs {
expression = ’html’ // escapes values inside ${}
scriptlet = ’html’ // escapes output from scriptlets in GSPs
taglib = ’none’ // escapes output from taglibs
staticparts = ’none’ // escapes output from static templates
}
}
// escapes all not-encoded output at final stage of outputting
filteringCodecForContentType {
//’text/html’ = ’html’
}
}
}

#2: Finer-grained control of
codecs
Control the codecs used per plugin:
pluginName.grails.views.gsp.codecs.expression = ’CODEC’

codecs
Control the codecs used per page:
<%@ expressionCodec=’CODEC’ %>

codecs
Control the default codec used by a tag library:
static defaultEncodeAs = ’HTML’
Or on a per tag basis:
static encodeAsForTags = [tagName: ’HTML’]

codecs
Add support for an optional encodeAs attribute to all tags
automatically:
<my:tag arg=’foo.bar’ encodeAs=’JavaScript’/>

#3: Context-sensitive
encoding switching
Tag withCodec(’CODEC’, Closure) to switch the current
default codec, pushing and popping a default codec stack.
out.println ’<script type=’’text/javascript’’>’
withCodec(‘‘JavaScript’’) {
out << body()
}
out.println()
out.println ’</script>’

#3: Context-sensitive
encoding switching
Core tags like <g:javascript/> and <r:script/>
automatically set an appropriate codec.

#4: Raw output
When you do not wish to encode a value, you can use the
raw() method.
${raw(book.title)}
It’s available in GSPs, controllers and tag libraries.

#5: Default encoding for all
output
You can conﬁgure Grails to encode all output at the end of a
response.

#5: Default encoding for all
output
grails {
views {
gsp {
codecs {
...
staticparts = ’raw’ // escapes output from static templates
}
}
// escapes all not-encoded output at final stage of outputting
filteringCodecForContentType {
’text/html’ = ’html’
}
}
}
If activated, the staticparts codec needs to be set to raw so
that static markup is not encoded.

Plugins are also part of your application
• Grails plugins are not security audited

• Grails plugins are part of your application’s attack surface

• Grails plugins are part of your application’s attack surface
• Review plugins to make sure they encode, and if they don’t
you should JIRA the authors immediately, and fork and
patch to ﬁx your app quickly.

E.g. Javamelody vulnerability
• CVE-2013-4378 vulnerability reported.

• Allows blind XSS attack via X-Forwarded-For header
spooﬁng.

spooﬁng.
• The attack target is the admin’s browser.

spooﬁng.
• Fixed in the last release (1.47).

spooﬁng.
• Fixed in the last release (1.47).
• You should upgrade ASAP.

Solutions: What options
do we have?

Think like an attacker
• According to your grails version

• Find unescaped values

• Use fuzzers

• Use fuzzers
• Read and understand Samy code

• Use fuzzers
• Read and understand Samy code
• Review OWASP XSS cheatsheets

Be aware
• Review your Grails app to double-check how all dynamic
content gets escaped

Be aware
• Monitor for suspicious trafﬁc

Be aware
• Spread the knowledge

Be aware
• Adopt ZAP or similar fuzzers in your CI process

Be aware
• Adopt ZAP or similar fuzzers in your CI process
• Review available security plugins for Grails

Application ﬁrewalls
• Enable common, safe rules

• Log unexpected trafﬁc

• Log unexpected trafﬁc
• Don’t fool yourself

Early-adopt CSP
• CSP: Content Security Policy

Early-adopt CSP
• Adds headers to disable default behavior

Early-adopt CSP
• inline Javascript

Early-adopt CSP
• dynamic code evaluation

Early-adopt CSP
• dynamic code evaluation
• Still a Candidate Recommendation of W3C

Conclusions: Grails can
defeat XSS

Grails
• Is able to defend our application from XSS attacks

Grails
• But we need to pay attention to the details

Grails
• Upgrade to 2.3 ASAP

Grails
• Upgrade to 2.3 ASAP
• Pay attention to XSS

XSS
• Is much more dangerous than defacement jokes

XSS
• The browsers are the actual target

XSS
• Difﬁcult to monitor

XSS
• Difﬁcult to monitor
• Unconfortable counter-measures in the browser: NoScript,
Request Policy

Wake up
• Write secure applications by default

Wake up
• Get yourself used with Metasploit, Burp, ZAP

Wake up
• Get yourself used with Metasploit, Burp, ZAP
• Spread the word both horizontally and vertically

Picture credits
• Cover:
http://www.flickr.com/photos/usairforce/
CC by-nc
• White rabbit:
http://www.flickr.com/photos/alles-banane/5849593440
CC by-sa-nc
• Hieroglyphs:
http://www.flickr.com/photos/59372146@N00
CC by-sa-nc
• Zombies:
http://www.flickr.com/photos/aeviin/4986897433
CC by-sa-nc

XSS Countermeasures in Grails

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to XSS Countermeasures in Grails (20)

More from OSOCO (8)

Recently uploaded (20)

XSS Countermeasures in Grails