Dear Gunter!
Thank you for your very interessting paper on "Second-Order Code
Injection Attacks".
Here some other szenarios I came accross lately:
1. In one case there was an SMS based application. It was possible for
an attacker to send an SMS with a XSS to the application. Then the
script got executed in the helpdesk application. Although SMS is limited
to 160 characters it leaves enough space for sophisticated XSS attacks.
2. In an other case two web portals have been connected through a web
service link which allowed the partners to access eachother's data
repository. An attacker having gained one account on one portal was able
to do XSS attack on the partner portal. At first sight the script was
encoded in the SOAP-Message
<asdf>%3cscript%3ealert(...)%3c/script%3c</asdf> and one might not think
that it is vulnerable. But the parsing application decoded the XML
content and embedded it directly into the web page: Bang!
3. In an other web service scenario it was possible to inject XSS to the
backend HTML application using a CDATA encoding:
<asdf><![CDATA[<script>alert(...)</script>]]></asdf>
4. In this scenario a web application uses XML documents as a mean for
backend integration. If the XML generator does not pay attention when
assembling the XML document it can be possible to inject snippets of
XML. This problem is very difficult for an outsider to detect but an
insider will have good chances of exploiting it.
Concerning your protection recommendations I think that they must
supplemented:
- An attack has a direction. For example SQL-Injection is a back-end
directed attack. XSS in contrast is a front-end directed attack. To get
the optimal protection it is necessary to prevent in direction of the
attack. For SQL-Injection this results in input validation and for XSS
this results in output encoding (' -> "e).
- I think that removing characters does often not meet complex business
requirements (Think of family names like D'Amato). An backend
application does often not know which other applications are dependant
on that data. So every component using data must protect itself.
Especially in case of HTML GUIs the application must perform output
encoding.
- When auditing XML based application it must be verified that the XML
documents encode the content properly.
Kind Regards
Jan P. Monsch
--
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG
Glärnischstrasse 7, CH-8640 Rapperswil, Switzerland
Tel +41 55 214 41 67
Fax +41 55 214 41 61
jan.monsch@csnc.ch
http://www.csnc.ch
PGP: F055 837D 2D86 1C86 C5E0 065C 0D16 B8B3 9E58 71F3
Security Review - Penetration Testing - Computer Forensics
_____________________________________________________________
