Archive for the 'Security' Category
Monday, April 14th, 2008
Google XSS
Now, normally when I find an XSS vulnerability on a popular domain I just report it to the appropriate security team and move on, but this one is interesting…
By taking advantage of the content-type returned by spreadsheets.google.com (and a caching flaw on the part of Google), I was able to pull off a full blown XSS against the google.com domain. For those of you who don’t understand what this means, allow me to elaborate. When Google sets their cookie, it is valid for all of their sub domains. So, when you log into gmail (mail.google.com), your gmail cookie is actually valid for code.google.com, docs.google.com, spreadsheets.google.com…and so on. If someone (like me) finds an XSS vulnerability in any one of these sub domains, I’ll be able to hijack your session and access any google service as if I were you.
So, in this instance, I have an XSS on spreadsheets.google.com. With this single XSS, I can read your Gmail, backdoor your source code (code.google.com), steal all your Google Docs, and basically do whatever I want on Google as if I were you! Google’s use of “document.domain=” also make things a little easier to jump from one domain to the next, but that’s another story…
This particular XSS takes advantage of how Internet Explorer determines the content type of the HTTP response being returned by the server. Most would think that explicitly setting the content-type to something that isn’t supposed to be rendered by the browser would easily solve this issue, but it does not. IE isn’t the only browser that will ignore the content-type header in certain circumstances, Firefox, Opera, and Safari will ignore the content-type header as well (in certain circumstances). Security professionals and more importantly developers need to understand the nuances of how the popular web browsers handle various content-type headers, otherwise they may put their web application at risk of XSS. The most comprehensive paper I’ve seen on the subject was written by Blake Frantz of Leviathan. The paper can be found here. It’s a “MUST HAVE” reference for web app security pros. Read it, understand it, protect yourself appropriately or expect others to exploit appropriately…
In this issue, Google set the content-type header for a response which I controlled the content to text/plain. If I can inject what looks like HTML into the first few bytes of the response, I’ll be able to “trick” Internet Explorer into rendering the content as HTML. Luckily for me, I was able to do just that.
I created a spreadsheet on spreadsheets.google.com and for the first cell (A1) I put the following content: “<HTML><body><script>alert(document.cookie)</script></body></HTML>”
I then saved the spreadsheet and generated a link for the spreadsheet to be served as a CSV.
When this option is selected, the contents of the spreadsheet are displayed inline (the content-disposition header was not explicitly set to “attachment”), IE ignores the content-type header, sniffs the content-type from the response, then proceeds to render the response as if it were HTML. At this point, I control the entire HTML being rendered under an xxx.google.com domain.
To be fair, Google included a subtle defense to protect against content-type sniffing (padding the response), but those protection measures failed (with a little prodding by me). The issue is fixed, but if you try to reproduce this issue, you’ll see their defense in play. It a solid defense which shows they understand the nuances of content-type sniffing.
I’ll provide some tips on taking ownership of untrusted content and serving it from your server in a later post, but for now take a look at the paper written by Blake Frantz. I’m sure it will open some eyes…
Sunday, April 13th, 2008
RSA over… on to toorcon Seattle
RSA is officially over! It was a great experience and I’ll talk about a few of the talks that really captured me in later posts. I do want to thank Jeremiah Grossman for throwing the WASC get together, the BAYSEC crew, McAfee (their party was awesome), iSEC (their party was AWESOME), Thirsty Bear, everyone at the W, and everyone that came to the Breaking and Securing Web Applications talk!
There were tons of people trying to get some answers to their web appsec questions after the talk, if you weren’t able to talk to me after the session or during the conference, please don’t hesitate to shoot me an email.
I’ll be at toorcon next week, if you’re in the Seattle area, look me up…
Thursday, April 3rd, 2008
Amsterdam, RSA, Security Vids, and the Harvard Business Review
I’ve survived yet another Blackhat Europe… actually, part of me probably perished in the streets of Amsterdam, but that’s a story for the bars. I’ll be in San Francisco next week speaking at the RSA Conference. I plan on attending the WASC RSA meetup and the iSEC Forum and Social (I love the iSEC parties!). If you see me out and about, hit me up and we’ll talk security over a few drinks!
Also, I was sent a link to a collection of secure development videos from a co-worker. The videos cover a wide range of topics such as “How do I: Prevent a SQL Injection Security Flaw in an ASP.NET Application” all the way to “How Do I: Use Managed Cards in Windows CardSpace to Increase the Security of My Web Site“. The videos are a great place for any budding developer to explore some Secure Development techniques. I like the videos because many of them address security related questions that I get all of the time and serve as an excellent remediation tool. The vids are by no means a comprehensive guide to Secure Development nor are they a replacement for a formal SDL, but they can be a great training tool and have a lot of value.
Last item for the day… I’m a big fan of the Harvard Business Review (HBR). Usually, the articles contained within HBR have nothing to do with information security (or even computers for that matter). In the latest issue, there is a piece entitled “Radically Simple IT“, which outlines some interesting strategies for IT projects at the enterprise level (path based approach). It’s an interesting article and if you’re considering implementing any medium to large size IT project, you should definitely give it a read….