ctxt.dev

Wednesday, November 7, 2012

Remediation of XSS: Nested Contexts (part two)

In part one of this series I covered the correct use of JavaScript encoding and how this already covers the issue of the “nested” contexts. Now, onto a better solution – don’t use HTML Event attributes! Given the vulnerable code:

<div onclick="showError('<%=request.getParameter("error")%>')">
An error occurred, click here to see the details</div>

Instead of adding encoding to a complicated location within the DOM like the onclick event attribute - hook all of your events via JavaScript (example below uses JQuery):

<div id="errorBanner">An error occurred, click here to see the details
   <div id="errorDetails" style="display:none">
      <%=Encode.forHtml(request.getParameter("error")) %>
   </div>
</div>
<script type="text/javascript">
   $('#errorBanner').click($('#errorDetails').show());
</script>

The key here is to avoid placing dynamic data into "nested contexts" such as an event handler. This makes the remediation much simpler in many cases and lowers the amount of security knowledge a developer needs to understand how to fix the vulnerability.

The additional benefit of using JS to hook your events is that you can then externalize your JavaScript and define a Content Security Policy (CSP) for you site. CSP is by no means a magic bullet – but restrictive CSP policy can limit the damage potential of an XSS exploit.

Remediation of XSS: Nested Contexts (part one)

I have seen some solutions for XSS involving nested contexts that are not ideal. Partly because they are complicated and require a deep understanding of how the browser processes the HTML/DOM and they are likely inefficient; there are better solutions. This is the first post in a two part series.

First, what do I mean be nested contexts? Some examples would be writing dynamic data into an event handler such as onclick.

<div onclick="showError('<%=request.getParameter("error")%>')" >An error occurred, click here to see the details</div>

When the browser processes this it will first HTML decode the contents of the onclick attribute and then it will pass the results to the JavaScript Interpreter. As such, the advice I have seen (and previously given) is to apply “layered” encoding: 1) JavaScript encode and then 2) HTML Attribute Encode:

<div onclick="showError('<%= Encoder.encodeForHtml(Encoder.encodeForJavaScript( request.getParameter("error")%>')))" >An error occurred, click here to see the details</div>

Wow – that is completely unfriendly. Additionally, after thinking about this solution it seems unnecessarily complicated if you are using a robust JavaScript encoder (i.e. one that will JavaScript encode the '&' character) – then even though you are in an “HTML Attribute” context the following should be sufficient:

<div onclick="showError('<%= Encoder.encodeForJavaScript( request.getParameter("error")%>'))" >An error occurred, click here to see the details</div>

The reason that the above is sufficient is the Encode.forJavaScript will encode the '&' character so that when the browser HTML Decodes the attribute there is nothing to decode. However, this only applies to robust JavaScript encoders.

The encoder used above is from the OWASP Java Encoder Project.

Next post will cover refactoring the use of nested contexts rather than just encoding the data. As we will see, this has some very nice benefits.

Wednesday, December 21, 2011

Struts 2 Session Tampering via SessionAware/RequestAware WW-3631

UPDATE: This post was updated on 1/2/2012 to correct the post to take into account the fact that the interfaces mentioned below bind request parameters to String[] rather then String. See the post for exact details.

NOTE 1: I am not the original reporter of this issue. The issue below, with regards to the SessionAware, was originally reported to the Struts 2 team as WW-2264 by Hisato Killing. At that time, it was decided by the Struts 2 team that this was "Not A Problem". Back in May 2011 I identified the identical issue without previous knowledge of Hisato’s bug report and I reported it to the Struts 2 team as WW-3631 (CVE-2011-5057). A former colleague of mine, Abraham Kang who is now a Principal Security Researcher at Fortify an HP Company, urged me to include a reference to the RequestAware Interface and also indicated other *Aware interfaces could also be dangerous.

NOTE 2: This issue does not affect every application that uses Struts 2 - only those that have Actions that implement SessionAware, RequestAware, and possibly other *Aware interfaces either directly or indirectly, and make no attempt to block the auto-binding of the request or session collections.

NOTE 3: Regarding the Secunia Advisor for this issue 47109 - it is listed as "Not Critical". I completely agree as there are very few Struts 2 applications that implement these interfaces. However, if your application does implement these interfaces it is likely a big problem, luckily the solution is fairly easy.

Apache Struts 2.x contains interfaces org.apache.struts2.interceptor.SessionAware and org.apache.struts2.interceptor.RequestAware.

Example implementation of SessionAware:

public class VulnerableAction extends ActionSupport 
implements Action, SessionAware {

  protected Map session;
 
  @Override
  public void setSession(final Map session) {
    this.session = session;
  }
 
  ...

As one would expect from the auto-binding of Struts2 that if an Action implements either of these interfaces it allows the auto-binding of data to the current session or request using the most common implementation (any changes made via the auto-binding may not persist past this single request, read on for more details). This could allow unexpected data to exist within the session by passing in request parameters such as "?session.key=value" or "?request.session.key=value" - these types of request parameters would be auto-bound to the current requests session map (generally a class level variable). When Struts2 binds these parameters they are bound as String arrays rather then a simple String. As such, the impact of this vulnerability is somewhat reduced - however, it is possible to use this technique to auto-bind to public setters of objects stored in the session.

If an object has a setValue(String) method and is stored within the session using the key "data" ; if one passed the following query string parameter "?session.data.value=authorized"; this would alter the field and set the value to "authorized". Note, when binding to public setters on objects within the session Struts2 does not force them to be String[].

While the two interfaces only require the implementation of the setSession and setRequest respectively, if one also implemented either getSession or getRequest respectively then the changes to the contents of the session will be persisted to users' actual session - rather than just the current request (e.g. the local member variable).

Doing a Google code search will reveal some open source packages that are vulnerable to this:

http://www.google.com/codesearch#search/&q=%2BgetSession%20org.apache.struts2.interceptor%20SessionAware%20%20lang:%5Ejava$&type=cs

http://www.google.com/codesearch#search/&q=org.apache.struts2.interceptor%20RequestAware%20getRequest%20lang:%5Ejava$&type=cs

Any system that implements Apache 2.x SessionAware, RequestAware, and/or other *Aware interfaces is affected by this unless they explicitly implemented something to block the parameter auto-binding to the implemented setters. Implementing getSession, getRequest, or a getter corresponding to the implemented setter makes the problem worse. The impact of this specific vulnerability is completely dependent upon the application that implements the interface and what the application uses the session data for.

There is an easy solution to this problem. Prevent auto-binding of the request and session via the default parameter interceptor by placing them into the ignored parameter list. Second, a warning should be placed in the JavaDoc for SessionAware, RequestAware, and possibly other *Aware interfaces indicating the possible issues with implementing this class and recommend that any Action that implements these interfaces also implement com.opensymphony.xwork2.interceptor.ParameterNameAware interface and checking to ensure that any parameters starting with “session” and/or “request” are not being auto-bound.

This was reported via Apache's JIRA system in May 2011: https://issues.apache.org/jira/browse/WW-3631. The Struts 2 team stated that a fix would be in version 3.x; and they agreed with me that there is an easy fix and any application implementing these interfaces could easily fix the issue themselves. However, as people are obviously using these interfaces in their code and not implementing the fix - I'd like to post this in a little more public fashion to ensure people are aware of the possible issues if they do implement these interfaces.

I should point out a listing of other *Aware interfaces that are likely of interest:

org.apache.struts2.interceptor.ApplicationAware

may lead to application context tampering

org.apache.struts2.interceptor.RequestAware

Request collection and/or Session collection tampering

org.apache.struts2.interceptor.ServletRequestAware

Request collection and/or Session collection tampering and possibly other concerns

org.apache.struts2.interceptor.ServletResponseAware
org.apache.struts2.interceptor.ParameterAware

An additional research item is the DirectRenderFromEventAction as this implements the SessionAware Interface.

This has also been reported under CVE-2011-5057.

--Jeremy Long