Pierluigi Paganini August 10, 2016

The security expert Rafael Fontes Souza has discovered vulnerabilities in the website of HP (Hewlett Packard) and decided to explain concepts of code review to mitigate the risk of this failure and prevent future attacks.

“I would like to make it clear, I am writing this report for educational purpose, I contacted HP Security-Team that already fixed the flaw.

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’).

Cross-site scripting is a type of coding vulnerability. XSS enables attackers to inject malicious into web pages viewed by other users. XSS may allow attackers to bypass access controls (suck as the same-origin policy).

How this attack works?

Cross-site scripting (XSS) vulnerabilities occur when:

1. Untrusted data enters a web application, typically from a web request.
2. The web application dynamically generates a web page that contains this untrusted data.
3. During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
4. A victim visits the generated web page through a web browser, which contains a malicious script that was injected using the untrusted data.
5. Since the script comes from a web page that was sent by the web server, the victim’s web browser executes the malicious script in the context of the web server’s domain.
6. This effectively violates the intention of the web browser’s same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.

What to Review

Cross-site scripting flaws can be difficult to identify and remove from a web application. The best practice to search for flaws is to perform an intense code review and search for all places where user input through an HTTP request could possibly make its way into the HTML output.

Code reviewer needs to closely review.

1. That untrusted data is not transmitted in the same HTTP responses as HTML or JavaScript.
2. When data is transmitted from the server to the client, untrusted data must be properly encoded in JSON format and the HTTP response MUST have a Content-Type of application/json Do not assume data from the server is safe. Best practice is to always check data.
3. When introduced into the DOM, untrusted data MUST be introduced using one of following APIs:

• Node.textContent
• document.createTextNode
• Element.setAttribute (second parameter only)

Code reviewer should also be aware of the HTML tags (such as <img src…>, <iframe…>, <bgsound src…> etc.) that can be used to transmit malicious JavaScript.

Web application vulnerability automated tools/scanners can help to find Cross-Site scripting flaws. They cannot find all this is way manual code reviews are important. Manual code reviews won’t catch all either but a defense in depth approach is always the best approach based on your level of risk.

Your code should filter meta-characters from user input. The admins must take appropriate measures for their web applications in order to prevent these type of attacks as these can damage you more than you expect.

All of the information mentioned here is for educational purposes and based on OWASP and MITRE, we aren’t responsible for what you do afterwards.

About the author Rafael Fontes Souza

Rafael Fontes Souza is an Information Security Professional at Cipher Intelligence Labs with focus in Penetration Testing, Vulnerability Assessment, Analysis and Mitigation.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cross-site scripting, HP)