Microsoft’s (new!) SDL Threat Modeling Tool 2014

Amid almost no fanfare whatsoever, Microsoft yesterday released a tool I’ve been begging them for over the last five or six years.

[It is not unusual for me to be so persistently demanding, as I’ve found it’s often the only way to get what I want.]

As you’ve guessed from the title, this tool is the “SDL Threat Modeling Tool 2014”. Sexy name, indeed.

Don’t they already have one of those?

Well, yeah, kind of. There’s the TAM Threat Analysis & Modeling Tool, which is looking quite creaky with age now, and which I never found to be particularly usable (though some people have had success with it, so I’m not completely dismissive of it). Then there are the previous versions of the SDL Threat Modeling Tool.

These have had their uses – and certainly it’s noticeable that when I work with a team of developers, one of whom has worked at Microsoft, it’s encouraging to ask “show me your threat model” and have them turn around with something useful to dissect.

So what’s wrong with the current crop of TM tools?

In a word, Cost.

Threat modeling tools from vendors other than Microsoft are pretty pricey. If you’re a government or military contractor, they’re probably great and wonderful. Otherwise, you’ll probably draw your DFDs in PowerPoint (yes, that’s one of the easier DFD tools available to most of you!), and write your threat models in Word.

Unless, of course, you download and use the Microsoft SDL Threat Modeling Tool, which has always been free.

So where’s the cost?

The SDL TM tool itself was free, but it had a rather significant dependency.

Visio.

Visio is not cheap.

As a result, those of us who championed threat modeling at all in our enterprises found it remarkably difficult to get approval to use a free tool that depended on an expensive tool that nobody was going to use.

What’s changed today?

With the release of Microsoft SDL Threat Modeling Tool 2014, Microsoft has finally delivered a tool that allows for the creation of moderately complex DFDs (you don’t want more complex DFDs than that, anyway!), and a threat library-based analysis of those DFDs, without making it depend on anything more expensive or niche than Windows and .NET. [So, essentially, just Windows.]

Yes, that means no Visio required.

Is there anything else good about this new tool?

A quick bullet list of some of the features you’ll like, besides the lack of Visio requirement:

  • Imports from the previous SDL Threat Modeling Tool (version 3), so you don’t have to re-work
  • Multiple diagrams per model, for different levels of DFD
  • Analysis is per-interaction, rather than per-object [scary, but functionally equivalent to per-object]
  • The file format is XML, and is reasonably resilient to modification
  • Objects and data flows can represent multiple types, defined in an XML KnowledgeBase
  • These types can have customised data elements, also defined in XML
  • The rules about what threats to generate are also defined in XML
  • [These together mean an enterprise can create a library of threats for their commonly-used components]
  • Trust boundaries can be lines, or boxes (demonstrating that trust boundaries surround regions of objects)
  • Currently supported by a development team who are responsive to feature requests

Call to Action?

Yes, every good blog post has to have one of these, doesn’t it? What am I asking you to do with this information?

Download the tool. Try it out on a relatively simple project, and see how easy it is to generate a few threats.

Once you’re familiar with the tool, visit the KnowledgeBase directory in the tool’s installation folder, and read the XML files that were used to create your threats.

Add an object type.

Add a data flow type.

Add custom properties that describe your custom types.

Use those custom properties in a rule you create to generate one of the common threats in your environment.

Work with others in your security and development teams to generate a good threat library, and embody it in XML rules that you can distribute to other users of the threat modeling tool in your enterprise.

Document and mitigate threats. Measure how successful you are, at predicting threats, at reducing risk, and at impacting security earlier in your development cycle.

Then do a better job on each project.

Ways you haven’t stopped my XSS, Number 2–backslash doesn’t encode quotes in HTML attributes

Last time in this series, I posted an example where XSS was possible because a site’s developer was unaware of the implications of his JavaScript being hosted inside HTML.

This is sort of the opposite of that, noting that time-worn JavaScript (and C, Java, C++, C#, etc) methods don’t always apply to HTML.

The XSS mantra for HTML attributes

I teach that XSS is prevented absolutely by appropriate contextual encoding of user data on its way out of your application and into the page.

The context dictates what encoding you need, whether the context is “JavaScript string”, “JavaScript code”, “HTML attribute”, “HTML content”, “URL”, “CSS expression”, etc, etc.

In the case of HTML attributes, it’s actually fairly simple.

Unless you are putting a URL into an attribute, there are three simple rules:

  1. Every attribute’s value must be quoted, whether with single quotes or double quotes.
  2. If the quote you use appears in the attribute value, it must be encoded.
  3. You must encode any characters which could confuse the encoding. [Encode the encoding characters]

Seems easy, right?

This is all kinds of good, except when you run into a site where the developer hasn’t really thought about their encoding very well.

You see, HTML attribute values are encoded using HTML encoding, not C++ encoding.

To HTML, the back-slash has no particular meaning.

I see this all the time – I want to inject script, but the site only lets me put user data into an attribute value:

    <meta name="keywords" content="Wot I searched for">

That’s lovely. I’d like to put "><script>prompt(1)</script> in there as a proof of concept, so that it reads:

    <meta name="keywords" content=""><script>prompt(1)</script>">

The dev sees this, and cuts me off, by preventing me from ending the quoted string that makes up the value of the content attribute:

    <meta name="keywords" content="\"><script>prompt(1)</script>">

Nice try, Charlie, but that back-slash, it’s just a back-slash. It means nothing to HTML, and so my quote character still ends the string. My prompt still executes, and you have to explain why your ‘fix’ got broken as soon as you released it.

Oh, if only you had chosen the correct HTML encoding, and replaced my quote with “&quot;” [and therefore, also replace every “&” in my query with “&amp;”], we’d be happy.

And this, my friends, is why every time you implement a mitigation, you must test it. And why you follow the security team’s guidance.
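
An added example, not code from the original post: the backslash "fix" beside HTML encoding, each checked by finding where an HTML parser ends the content attribute. All function names are assumptions made for the illustration, and the test string is the proof of concept quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Append s at out[*pos]; 0 on success, -1 if it would overflow out. */
static int append(char *out, size_t outsz, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n + 1 > outsz)
        return -1;
    memcpy(out + *pos, s, n + 1);
    *pos += n;
    return 0;
}

/* Copy in to out, replacing '"' with quote_rep and '&' with amp_rep
   (a NULL replacement leaves that character unchanged). */
static int transform(const char *in, char *out, size_t outsz,
                     const char *quote_rep, const char *amp_rep)
{
    size_t pos = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        if (*in == '"' && quote_rep != NULL)
            rep = quote_rep;
        else if (*in == '&' && amp_rep != NULL)
            rep = amp_rep;
        if (append(out, outsz, &pos, rep) != 0)
            return -1;
    }
    return 0;
}

/* The broken fix: C-style escaping, which HTML does not understand. */
int escape_backslash(const char *in, char *out, size_t outsz)
{
    return transform(in, out, outsz, "\\\"", NULL);
}

/* HTML encoding for a double-quoted attribute value. */
int encode_html_attr(const char *in, char *out, size_t outsz)
{
    return transform(in, out, outsz, "&quot;", "&amp;");
}

/* Length of the content attribute value as an HTML parser reads it: everything
   up to the next double quote. A preceding backslash changes nothing. */
long parsed_content_length(const char *html)
{
    static const char key[] = "content=\"";
    const char *start = strstr(html, key);
    const char *end;
    if (start == NULL)
        return -1;
    start += sizeof key - 1;
    end = strchr(start, '"');
    return end != NULL ? (long)(end - start) : -1;
}

/* Put an already-encoded value into the page's <meta> tag. Returns 1 if the
   parser keeps the whole value inside the attribute, 0 if the attribute ends
   early, -1 if the tag does not fit the buffer. */
int stays_in_attribute(const char *encoded)
{
    char html[512];
    int n = snprintf(html, sizeof html,
                     "<meta name=\"keywords\" content=\"%s\">", encoded);
    if (n < 0 || (size_t)n >= sizeof html)
        return -1;
    return parsed_content_length(html) == (long)strlen(encoded);
}

/* Encode user input with the given encoder, then test the rendered tag. */
int mitigation_holds(int (*encoder)(const char *, char *, size_t),
                     const char *user_input)
{
    char encoded[256];
    if (encoder(user_input, encoded, sizeof encoded) != 0)
        return -1;
    return stays_in_attribute(encoded);
}

int main(void)
{
    const char *poc = "\"><script>prompt(1)</script>";  /* string from the text */
    printf("backslash escaping holds: %d\n", mitigation_holds(escape_backslash, poc));
    printf("HTML encoding holds:      %d\n", mitigation_holds(encode_html_attr, poc));
    return 0;
}
```

A check like mitigation_holds belongs in the regression tests for the page that renders the attribute, run against every encoder change.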

Exercise for the reader – how do you exploit this example if I don’t encode the quotes, but I do strip out angle brackets?

Posted by Alun Jones | with no comments

Apple’s “goto fail” SSL issue–how do you avoid it?

Context – Apple releases security fix; everyone sees what they fixed

 

Last week, Apple released a security update for iOS, indicating that the vulnerability being fixed is one that allows SSL / TLS connections to continue even though the server should not be authenticated. This is how they described it:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Secure Transport is their library for handling SSL / TLS, meaning that the bulk of applications written for these platforms would not adequately validate the authenticity of servers to which they are connected.

Ignore “An attacker with a privileged network position” – this is the very definition of a Man-in-the-Middle (MITM) attacker, and whereas we used to be more blasé about this in the past, when networking was done with wires, now that much of our use is wireless (possibly ALL in the case of iOS), the MITM attacker can easily insert themselves in the privileged position on the network.

The other reason to ignore that terminology is that SSL / TLS takes as its core assumption that it is protecting against exactly such a MITM. By using SSL / TLS in your service, you are noting that there is a significant risk that an attacker has assumed just such a privileged network position.

Also note that “failed to validate the authenticity of the connection” means “allowed the attacker to attack you through an encrypted channel which you believed to be secure”. If the attacker can force your authentication to incorrectly succeed, you believe you are talking to the right server, and you open an encrypted channel to the attacker. That attacker can then open an encrypted channel to the server to which you meant to connect, and echo your information straight on to the server, so you get the same behaviour you expect, but the attacker can see everything that goes on between you and your server, and modify whatever parts of that communication they choose.

So this lack of authentication is essentially a complete failure of your secure connection.

As always happens when a patch is released, within hours (minutes?) of the release, the patch has been reverse engineered, and others are offering their description of the changes made, and how they might have come about.

In this case, the reverse engineering was made easier by the availability of open source copies of the source code in use. Note that this is not an intimation that open source is, in this case, any less secure than closed source, because the patches can be reverse engineered quickly – but it does give us a better insight into exactly the code as it’s seen by Apple’s developers.

Here’s the code:

    if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

Yes, that’s a second “goto fail”, which means that the last “if” is never reached, and control always jumps to the ‘fail’ label. Because the condition before it did not fail, however, the code at ‘fail’ runs with ‘err’ set to 0, so the function reports success.

Initial reaction – lots of haha, and suggestions of finger pointing

So, of course, the Internet being what it is, the first reaction is to laugh at the clowns who made such a simple mistake, that looks so obvious.

T-shirts are printed with “goto fail; goto fail;” on them. Nearly 200 have been sold already (not for me – I don’t generally wear black t-shirts).

But really, these are smart guys – “be smarter” is not the answer

This is SSL code. You don’t get let loose on SSL code unless you’re pretty smart to begin with. You don’t get to work as a developer at Apple on SSL code unless you’re very smart.

Clearly “be smart” is already in evidence.

There is a possibility that this is too much in evidence – that the arrogance of those with experience and a track record may have led these guys to avoid some standard protective measures. The evidence certainly fits that view, but then many developers start with that perspective anyway, so in the spirit of working with the developers you have, rather than the ones you theorise might be possible, let’s see how to address this issue long term:

Here are my suggested answers – what are yours?

Enforce indentation in your IDE / check-in process

OK, so it’s considered macho to not rely on an IDE. I’ve never understood that. It’s rather like saying how much you prefer pounding nails in with your bare fists, because it demonstrates how much more of a man you are than the guy with a hammer. It doesn’t make sense when you compare how fast the job gets done, or the silly and obvious errors that turn up clearly when the IDE handles your indenting, colouring, and style for you.

Yes, colouring. I know, colour-blind people exist – and those people should adjust the colours in the IDE so that they make sense. Even a colour-blind person can get shade information to help them. I know syntax colouring often helps me spot when an XSS injection is just about ready to work, when I would otherwise have missed it in all the surrounding garbage of HTML code. The same is true when building code, you can spot when keywords are being interpreted as values, when string delimiters are accidentally unescaped, etc.

The same is true for indentation. Indentation, when it’s caused by your IDE based on parsing your code, rather than by yourself pounding the space bar, is a valuable indication of program flow. If your indentation doesn’t match control flow, it’s because you aren’t enforcing indentation with an automated tool.

What the heck, enforce all kinds of style

Your IDE and your check-in process are a great place to enforce style standards to ensure that code is not confusing to the other developers on your team – or to yourself.

A little secret – one of the reasons I’m in this country in the first place is that I sent an eight-page fax to my bosses in the US, criticising their programming style and blaming (rightly) a number of bugs on the use of poor and inconsistent coding standards. This was true two decades ago using Fortran, and it’s true today in any number of different languages.

The style that was missed in this case – put braces around all your conditionally-executed statements.
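
The control-flow fault and the braces rule side by side, as an added example (not Apple's code and not from the original post): hash_step, final_check and the verify_* functions are constructed stand-ins that keep only the shape of the code quoted earlier. It also includes the negative test, a bad input that must be rejected, which tells the two versions apart.

```c
#include <stdio.h>

/* Constructed stand-ins for the real hash and signature steps. */
static int hash_step(void) { return 0; }                 /* always succeeds */
static int final_check(int sig_valid) { return sig_valid ? 0 : -1; }

/* Same shape as the flawed code: the second goto is not guarded by the if.
   GCC 6 and later report that line under -Wmisleading-indentation (-Wall). */
int verify_unbraced(int sig_valid)
{
    int err;

    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = hash_step()) != 0)
        goto fail;
        goto fail;              /* always taken, and err is still 0 here */
    if ((err = final_check(sig_valid)) != 0)
        goto fail;

fail:
    return err;                 /* 0 tells the caller "verified" */
}

/* Braced style: the same duplicated line sits inside the guarded block. */
int verify_braced(int sig_valid)
{
    int err;

    if ((err = hash_step()) != 0) {
        goto fail;
    }
    if ((err = hash_step()) != 0) {
        goto fail;
        goto fail;              /* dead code, but control flow is unchanged */
    }
    if ((err = final_check(sig_valid)) != 0) {
        goto fail;
    }

fail:
    return err;
}

/* Negative test: a verifier must accept a good input AND reject a bad one.
   Returns 1 when both hold. */
int rejects_bad_input(int (*verify)(int))
{
    return verify(1) == 0 && verify(0) != 0;
}

int main(void)
{
    printf("unbraced rejects bad signature: %d\n", rejects_bad_input(verify_unbraced));
    printf("braced rejects bad signature:   %d\n", rejects_bad_input(verify_braced));
    return 0;
}
```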

I have other style recommendations that have worked for me in the past – meaningful variable names, enforced indenting, maximum level of indenting, comment guidelines, constant-on-the-left of comparisons, don’t include comparisons and assignments in the same line, one line does one thing, etc, etc.

Make sure you back the style requirements with statements as to what you are trying to do with the style recommendation. “Make the code look the same across the team” is a good enough reason, but “prevent incorrect flow” is better.

Make sure your compiler warns on unreachable code

gcc has the option “-Wunreachable-code”.

gcc disabled the option in 2010.

gcc silently disabled the option, because they didn’t want anyone’s build to fail.

This is not (IMHO) a smart choice. If someone has a warning enabled, and has enabled the setting to produce a fatal error on warnings, they WANT their build to fail if that warning is triggered, and they WANT to know when that warning can no longer be relied upon.

So, without a warning on unreachable code, you’re basically screwed when it comes to control flow going where you don’t want it to.

Compile with warnings set to fatal errors

And of course there’s the trouble that’s caused when you have dozens and dozens of warnings, so warnings are ignored. Don’t get into this state – every warning is a place where the compiler is confused enough by your code that it doesn’t know whether you intended to do that bad thing.

Let me stress – if you have a warning, you have confused the compiler.

This is a bad thing.

You can individually silence warnings (with plenty of comments in your code, please!) if you are truly in need of a confusing operation, but for the most part, it’s a great saving on your code cleanliness and clarity if you address the warnings in a smart and simple fashion.

Don’t over-optimise or over-clean your code

The compiler has an optimiser.

It’s really good at its job.

It’s better than you are at optimising code, unless you’re going to get more than a 10-20% improvement in speed.

Making code shorter in its source form does not make it run faster. It may make it harder to read. For instance, this is a perfectly workable form of strstr:

    const char * strstr(const char *s1, const char *s2)
    {
      return (!s1||!s2||!*s2)?s1:((!*s1)?0:((*s1==*s2&&s1==strstr(s1+1,s2+1)-1)?s1:strstr(s1+1,s2)));
    }

Can you tell me if it has any bugs in it?

What’s its memory usage? Processor usage? How would you change it to make it work on case-insensitive comparisons? Does it overflow buffers?

Better still: does it compile to smaller or more performant code, if you rewrite it so that an entry-level developer can understand how it works?

Now go and read the implementation from your CRT. It’s much clearer, isn’t it?

Release / announce patches when your customers can patch

Releasing the patch on Friday for iOS and on Tuesday for OS X may have actually been the correct move – but it brings home the point that you should time your patch releases for the best trade-off between having your customers patch the issue and having your attackers reverse engineer it and build attacks.

Make your security announcements findable

Where is the security announcement at Apple? I go to apple.com and search for “iOS 7.0.6 security update”, and I get nothing. It’d be really nice to find the bulletin right there. If it’s easier to find your documentation from outside your web site than from inside, you have a bad search engine.

Finally, a personal note

People who know me may have the impression that I hate Apple. It’s a little more nuanced than that.

I accept that other people love their Apple devices. In many ways, I can understand why.

I have previously owned Apple devices – and I have tried desperately to love them, and to find why other people are so devoted to them. I have failed. My attempts at devotion are unrequited, and the device stubbornly avoids helping me do anything useful.

Instead of a MacBook Pro, I now use a ThinkPad. Instead of an iPad (remember, I won one for free!), I now use a Surface 2.

I feel like Steve Jobs turned to me and quoted Dr Frank N Furter: “I didn’t make him for you.”

So, no, I don’t like Apple products FOR ME. I’m fine if other people want to use them.

This article is simply about a really quick and easy example of how simple faults cause major errors, and what you can do, even as an experienced developer, to prevent them from happening to you.

Surface 2 – VPN bug disables Metro Internet Explorer

Update - FIXED

Since I wrote this article, another issue caused me to reset my WMI database, by deleting everything under C:\Windows\System32\wbem\Repository and rebooting. After that, the VPN issues documented in this article have gone away.

Original article

I have a home VPN – everyone should, because it makes for securable access to your home systems when you are out and about, whether it’s at the Starbucks down the street, or half way across the world, like I was on my trip to China last week.

Useful as my home VPN is, and hard as it is to get working (see my last post on Windows 8 VPN problems), it’s only useful if I can get my entire computer to talk through the VPN.

Sidebar – VPN split tunneling

Note that I am not disputing the value of split tunneling in a VPN, which is where you might set up your client to use the VPN only for a range of addresses, so that (for example) a computer might connect to the VPN for connections to a work intranet, but use the regular connectivity for the major part of the public web. For this article, assume I want everything but my link-local traffic to be forwarded to my VPN.

So, in my last VPN post, we talked about setting up the client end of a VPN, and now I want to use it.

Connecting is the easy part, and once connected, most of my apps on the Surface 2 work quite happily, connecting to the Internet through my VPN.

All of the Desktop apps seem to work without restriction, but there are some odd gaps when it comes to using “Windows Store” apps, also known as “Metro” or “Modern UI” apps. Microsoft can’t call this “Metro” any more, even though that’s the most commonly used term for it, so I’ll follow their lead and call this the “Modern UI” [where UI stands for User Interface].

Most glaring of all is the Modern UI Internet Explorer, which doesn’t seem to allow any connections at all, simply displaying “This page can’t be displayed”. The exception to this is if I connect to a web server that is link-local to the VPN server.

I’d think this was a problem with the way I had set up my VPN server, or my client connection, if it weren’t for the fact that my Windows 8.1 laptop connects correctly to this same VPN with no issues on Modern or Desktop versions of Internet Explorer, and of course the undeniable feature that Internet Explorer for the Desktop on my Surface 2 also works correctly.

I’d like to troubleshoot and debug this issue, but of course, the only troubleshooting tools for networking in the Surface 2 run on the Desktop, and therefore work quite happily, as if nothing is wrong with the network. And from their perspective, this is true.

When Bagpuss goes to sleep, all his little friends go to sleep, too.

Of course, Internet Explorer has always been claimed by Microsoft to be a “part of the operating system”, and in Windows 8.1 RT, there is no difference in this respect.

Every Modern UI application which includes a web control, web view, or in some way asks the operating system or development framework to host a web page, also fails to reach its intended target through the VPN.

Technical Support – what’s their take?

Technical support had me try a number of things, including resetting the system, but none of their suggestions had any effect. Eventually I found a tech support rep who told me this is a bug, not that that is really what you’d call a resolution of my problem. These are the sort of things that make it clear that the Surface is still in its early days, and while impressive, has a number of niggling issues that need “fit and finish” work before significant other features get added.

Deploying on the road…

Now that I have a Surface 2, I’m going to leave my laptop at home when I travel.

This leaves me with a concern – obviously, I’m going to play with some of my hobby software development while I have “down time”, but the devices for which I’m building are traveling with me, while the dev machine stays at home.

That’s OK where I’m building for the laptop, because it’s available by Remote Desktop through a Remote Desktop Gateway.

Deploying to my other devices – the Windows Phone and the Surface 2 running Windows RT – is something that I typically do by direct connection, or on the local network.

Windows Phone

For the Windows Phone, there’s a Store called “Beta” as opposed to “Public”, into which you can deploy your app, make it available to specific listed users, and this will allow you to quickly distribute an app remotely to your device.

Details on how to do this are here.

Windows Store

The story on Windows Store apps appears, at first blush, to be far more dismal, with numerous questions online asking “is there a beta store for Windows like there is for the phone?”

The answer comes back “no, but that’s a great idea for future development”.

But it is completely possible to distribute app packages to your Windows RT and other Windows 8.1 devices, using PowerShell.

The instructions at MSDN, here, will tell you quite clearly how you can do this.

Thoughts on a New Year

It’s about this time of year that I think…

  • Why do reporters talk so much about NSA spying and Advanced Persistent Threats, when half the websites in existence will cough up cookies if you search for "-alert(document.cookie)-" ?
  • How can we expect people to write secure code when:
    • they don’t know what it is?
    • they can’t recognise insecure code?
    • it’s easier (more clicks, more thinks, etc) to write insecure code?
  • What does it take for a developer to get:
    • fired?
    • a bad performance review?
    • just mildly discomforted?
  • What is it about developers that makes us all believe that nobody else has written this piece of code before? (or that we can write it better)
  • Every time a new fad comes along, whether it’s XML, PHP, Ruby, etc, why do we spend so much time recognising that it has the same issues as the old ones? But without fixes.
  • Can we have an article on “the death of passwords” which will explain what the replacement is – and without that replacement turning out to be “a layer in front of a big password”?
  • Should you let your application out (publish it, make it available on the Internet, etc) if it is so fragile that:
    • you can’t patch it?
    • you can’t update the framework or libraries on which it depends (aka patch them)?
    • you don’t want a security penetration test to be performed on it?
  • Is it right to hire developers on the basis that they can:
    • steer a whiteboard to a small function which looks like it might work?
    • understand an obfuscated sample that demonstrates an obscure feature of your favourite framework?
    • tell you how to weigh twelve coins, one of which might be a fake?
    • bamboozle the interviewer with tales of technological wonders the likes of which he/she cannot fathom?
    • sing the old school song?

Ah, who am I kidding, I think those kinds of things all the time.

Error 860 in Windows 8.1 / Surface VPN

It should be easy enough to set up a VPN in Windows, and everything should work well, because Microsoft has been doing these sorts of things for some years.

Sure enough, if you open up the Charms bar, choose Settings, Change PC Settings, and finally Network, you’re brought to this screen, with a nice big friendly button to add a VPN connection. Tapping on it leads me to the following screen:

No problems, I’ve already got these settings ready to go.

Probably not the best to name my VPN settings “New VPN”, but then I’m not telling you my VPN endpoint. So, let’s connect to this new connection.

So far, so good. Now it’s verifying my credentials…

And then we should see a successful connection message.

Not quite. For the search engines, here’s the text:

Error 860: The remote access connection completed, but authentication failed because of an error in the certificate that the client uses to authenticate the server.

This is upsetting, because of course I’ve spent some time setting the certificate correctly (more on that in a later post), and I know other machines are connecting just fine.

I’m sure that, at this point, many of you are calling your IT support team, and they’re reminding you that they don’t support Windows 8 yet, because of some lame excuse about “not yet stable, official, standard, or Linux”.

Don’t take any of that. Simply open the Desktop.

What? Yes, Windows 8 has a Desktop. And a Command Prompt, and PowerShell. Even in the RT version.

Oh, uh, yeah, back to the instructions.

Forget navigating the desktop, just do Windows-X, and then W, to open the Network Connections group, like this:

Select the VPN network you’ve created, and select the option to “Change settings of this connection”:

In the Properties window that pops up, you need to select the Security tab:

OK, so that’s weird. The Authentication Group Box has two radio buttons – but neither one is selected. My Grandma had a radio like that, you couldn’t tell what station you were going to get when you turn it on – and the same is generally true for software. So, we should choose one:

It probably matters which one you choose, so check with your IT team (tell them you’re connecting from Windows 7, if you have to).

Then we can connect again:

And… we’re connected.

Now for another surprise, when you find that the Desktop Internet Explorer works just fine, but the “Modern UI” (formerly known as “Metro”) version of IE decides it will only talk to sites inside your LAN, and won’t talk to external sites. Oh, and that behavior is extended to any Metro app that embeds web content.

I’m still working on that one. News as I have it!

For Surfaces rendered

I often thought I'd like to have a career in 3D animation, solely so I could send out invoices with the title of this blog post as their content.

It seems a little late for me to choose that career, so I'll have to use that title for a blog posting about my Surface, now that I am three weeks in to using it.

There's no secret (or if there is, it's poorly hidden) to the fact that MVPs visiting Redmond for the MVP Summit this year received a pretty sweet deal on a 32GB Surface 2 and Touch Cover. Along with hundreds of my brethren, I lined up at the Microsoft Store in Bellevue yelling "shut up and take my money!"

As an actual purchase, rather than a complete giveaway, I did have to pass the purchasing decision through my boss. Fortunately, she agreed that it was a good buy, as long as I treated it as a purchase of a toy for me, and stopped trying to persuade her it was a bona fide business investment for the company. Canny woman, my wife, and skilled at reducing arguments to their simplest and most incisive points.

So, a toy it was pitched as, a replacement for my iPad, which I also got for very little money – I won it in a hacking competition. As a toy, I couldn't expect to get the Surface Pro, which is convenient, because one wasn't offered.

What's it like as a toy?

Does it have the Angry Birds, then? Space and Star Wars versions, yes – Rovio hasn't been paid to get around to porting the others to Windows 8 yet.

It's also got Minesweeper and Solitaire, with the added thrill of daily challenges, and an Adventure Mode for Minesweeper that looks a little ripped off from Repton. Mahjong, Jetpack Joyride, Cut the Rope, there's enough games that while you might find a few individual names here and there that are missing, you'll be able to replace them with something in the same genre.

The front and back camera make for good Skype use, whether you're having a face-to-face chat, or showing someone the view out the window.

I can read comics, whether through the dozen or so manga readers, or through the Comics app from Comixology. Books come, of course, courtesy of the Kindle app, and of course there's a native Amazon app as well, although as usual, it's hard to get a better shopping experience in an app than Amazon has built into the web version.

That's right, you actually have a version of Internet Explorer 11 built specially for the touch-screen "Modern UI", which Microsoft used to call Metro, and which thoroughly needs a new name. This version of Internet Explorer is fairly basic, but fully functional for what most people are going to want it for. For most of what I do on the web, it's certainly sufficient.

On the fringe of toydom

Social media makes its presence felt nicely in the People hub, like on my Windows Phone, where in one place I can keep up with my Twitter, Facebook and LinkedIn friends/followers/minions. I can also post there, although I miss my phone's ability to post to multiple outlets at once.

If you've been paying attention to my gripes about podcast support on my Windows Phone, I have to say that, out of the box, I have the same – or worse – issues with the Surface 2. The native audio player does allow you to create playlists, but infallibly returns you to the start of an MP3 file almost every time you play it anew, apparently whether you played another MP3 file, skipped to a different app, or received a notification. I await the development of a good podcast / audiobook application with support for local MP3s.

On the video front, things are somewhat improved, with the Xbox Video app being the natively supported method to play my MP4s. Sadly, there's still no subtitle support, as is the case across every single one of Microsoft's video playing tools – if the file isn't streaming across the web, with the closed captions in a separate stream, there's no way to get captions to display. This is a shame, as there is good support for standard subtitles in MP4s on the Apple competition, whether it's iPad, iPod or iPhone. Microsoft, this can't be that hard – support accessibility on all your video players, please! [I'm not deaf, but the bus can get a little loud]

Working up to proper use

The Touch Cover is barely usable as a keyboard – but I've added a Bluetooth keyboard to my Christmas wishlist, for the serious typing moments, and the Touch Cover is certainly sufficient for those occasional bon mots on the bus or airplane.

Sadly, Live Writer isn't available for Windows RT, so I'm not likely to use this for many blogs – although to keep myself honest, I am typing this on the Surface using the Touch Cover keyboard.

To write the blog entry, I'm actually using Word with its blogging template.

Woah, did you say Word? On RT?

Why yes, yes I did – but since the presence of Office 2013 on the Surface was advertised (at least, Excel, PowerPoint, OneNote, Word and Outlook), this was hardly a surprise to me – but it seems like a surprise to many of my Apple-owning friends who are just starting to get excited that Apple have deigned to let them have iWork on their iPads now.

But the inclusion of Office isn't the only thing that makes this device veer further into the territory of a non-toy.

Surprisingly functional

I wasn't really expecting that Windows RT would have a desktop mode. I pretty much thought it would be Modern UI apps and nothing else. That seemed like it would suck, because I can't then copy files across the network for playing MP3s and MP4s on the bus to and from work.

So a friend of mine set my fears at rest before I bought the Surface, and let me know that there was indeed a desktop, and a Windows Explorer. That was the tipping point to realizing I could get along with my Surface.

Then came the surprises.

There's a Desktop version of Internet Explorer – and this one is fully functional! It even has "View Source" and the F12 Developer Tools, Microsoft's best-kept secret in IE for some time now. [On your Touch Cover, you get F12 by holding down the "Fn" key as you press "PgDn"] This means I can carry on my Cross-Site Scripting endeavours on my Surface – which I couldn't do from my iPad at all.

Also not on the iPad, but present on the Surface, a full version of the Command Prompt – I can run all my old batch scripts. Notepad, too (but no WordPad, sadly). Even, and I can't imagine using the power of this too much, PowerShell!

Flash Player, as well, which isn't available on the iPad. Remote Assistance and Remote Desktop, so I can connect to a real computer, something that wasn't a good experience on the iPad.

BitLocker.

Woah, BitLocker? Wow, my hard drive is already encrypted. So too could be the 64GB MicroSD card I've attached for extra video and audio storage, again something I can't do on my iPad.

PerfMon, ResMon, Event Viewer, RegEdit, Windows Scripting Host, all sorts of serious tooling works in the desktop environment. Not Visual Studio, yet, but let's remember… this is a toy, not a real laptop.

The upshot of which is…

I use my Surface 2 far more than I ever used my iPad.

Despite a few niggling sharp corners that need to be addressed, it irritates me far less than any Apple device I've ever owned. This just cements in my mind that, while there are many people who love their Apples, I'm just not their target consumer. I'm not sure that I'm exactly the target consumer of the Surface, but it's inspired me and continues to grow on me. I'm even starting to write code for it. We'll see if that becomes anything in due course.


Java not yet available for Surface - one more advantage.

Ways you haven’t stopped my XSS–Number 1, JavaScript Strings

I saw this again today. I tried smiling, but could only manage a weak grin.

You think you’ve defeated my XSS attack. How did you do that?

Encoding or back-slash quoting the back-slash and quote characters in JavaScript strings

Sure, I can no longer turn this:

<script>
s_prop0="[user-input here]";
</script>

into this, by providing user input that consists of ";nefarious();// :

<script>
s_prop0="";nefarious();//";
</script>

Instead, I get this:

<script>
s_prop0="\";nefarious();//";
</script>

But, and this surprises many web developers, if that’s all you’ve done, I can still close that script tag.

INSIDE THE STRING

Yes, that’s bold, italic and underlined, because developers see this, and think “I have no idea how to parse this”:

<script>
s_prop0="</script><script>nefarious();</script>";
</script>

Fortunately, your browser does.

First it parses it as HTML.

This is important.

The HTML parser knows nothing about your JavaScript, it uses HTML rules to parse HTML bodies, and to figure out where scripts start and end.

So, when the HTML parser sees “<script>”, it creates a buffer. It starts filling that buffer with the first character after the tag, and it ends it with whatever character precedes the very next “</script>” tag it sees.

This means the HTML above gets interpreted as:

1. a block of script that won’t run, because it’s not complete code and generates a syntax error.

s_prop0="

2. a block of script that will run, because it parses properly.

nefarious();

3. a double-quote character, a semi-colon, and an unnecessary end tag that it discards

Obviously, your code is more complex than mine, so this kind of injection has all kinds of nasty effects – but it’s possible for an attacker to hide those (not that the attacker needs to!)

So then, the fix is … what?

If you truly have to insert data from users into a JavaScript string, remember what it’s embedded in – HTML.

There are three approaches:

  1. Validate.
    If at all possible, discard characters willy-nilly. Does the user really need to input anything other than alphanumeric characters and spaces? Maybe you can just reject all those other characters.
  2. Encode.
    Yeah, you fell afoul of encoding, but let’s think about it scientifically this time.
    What are you embedded in? A JavaScript string embedded in HTML. You can’t HTML-encode your JavaScript content (try it and you’ll see it doesn’t work that way), so you have to JavaScript-string-encode anything that might make sense either to the HTML parser OR the JavaScript parser.
    You know I don’t like blacklists, but in this case, the only characters you actually need to encode are the double-quote, the back-slash (because otherwise you can’t uniquely reverse the encoding), and either the less-than or forward-slash.
    But, since I don’t like blacklists, I’d rather you chose to encode everything other than alphanumeric and spaces – it doesn’t cost that much.
  3. Span / Div.
    OK, this is a weird idea, but if you care to follow me, how about putting the user-supplied data into a hidden <span> or <div> element?
    Give it an id, and the JavaScript can reference it by that id. This means you only have to protect the user-supplied data in one place, and it won’t appear a dozen times throughout the document.
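The "Encode" approach can be checked end to end. The following is an added example, not code from the original post: it renders the post's s_prop0 template with back-slash quoting only and with encode-everything-but-alphanumerics-and-spaces, then counts the script blocks a simplified model of the HTML parser would see. All function names are assumptions made for the illustration.

```javascript
// Added example: function names are hypothetical, the payloads are the
// post's own.

// What the post calls "all you've done": back-slash quote \ and " only.
function naiveEscape(s) {
  return s.replace(/[\\"]/g, (c) => '\\' + c);
}

// Whitelist encoder: alphanumerics and spaces pass through, every other
// UTF-16 code unit is written as a \uXXXX escape, so nothing that is
// meaningful to the HTML parser or the JavaScript parser survives.
function jsStringEncode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    out += /[A-Za-z0-9 ]/.test(ch)
      ? ch
      : '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// The server-side template from the post.
function renderPage(encodedValue) {
  return '<script>\ns_prop0="' + encodedValue + '";\n</script>';
}

// Simplified model of the HTML parser: a script body runs from just after
// a <script> start tag to just before the very next </script> end tag.
// (Real parsers have extra rules around "<!--"; those are not modelled.)
function scriptBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1].trim());
  return bodies;
}

// The value the JavaScript engine assigns once the literal is parsed.
// The encoder emits only alphanumerics, spaces and \uXXXX, which is also
// valid JSON string content, so JSON.parse stands in for the JS parser.
function decodedValue(encodedValue) {
  return JSON.parse('"' + encodedValue + '"');
}

const payload = '</script><script>nefarious();</script>'; // from the post

const naiveBlocks = scriptBodies(renderPage(naiveEscape(payload)));
const safeBlocks = scriptBodies(renderPage(jsStringEncode(payload)));

console.log('back-slash quoting only:', naiveBlocks.length, 'script blocks');
console.log('whitelist encoding:     ', safeBlocks.length, 'script block');
console.log('round-trips intact:     ',
  decodedValue(jsStringEncode(payload)) === payload);
```

With back-slash quoting alone the second block is the injected call on its own; with the whitelist encoder the page has a single block and the script still receives the user's original text.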

A note on why I don’t like the blacklists

OK, aside from last weekend’s post, where I demonstrated how a weak blacklist is no defence, it’s important to remember that the web changes day by day. Not every browser is standard, and they each try to differentiate themselves from the other browsers by introducing “killer features” that the other browsers don’t have for a few weeks.

As a result, you can’t really rely on the HTML standard as the one true documentation of all things a browser may do to your code.

Tags change, who knows if tomorrow a <script> tag might not be “pausable” by a <pause>Some piece of text</pause> tag? Ludicrous, maybe, until someone decides it’s a good idea. Or something else.

As a result, if you want to be a robust developer who produces robust code, you need to think less in terms of “what’s the minimum I have to encode?”, and more in terms of “what’s the cost of encoding, and what’s the cost of failure if I don’t encode something that needs it?”

Posted by Alun Jones | with no comments

There is no such thing as “small sample code”

Every few months, something encourages me to make the tweet that:

There is no such thing as “small sample code”, every sample you publish is an SDK of its own

OK, so the choice of calling these “SDKs” is rooted in my Microsoft dev background, where “sample code” didn’t need documentation or bug tracking, whereas an SDK does. You can adjust the terminology to suit.

The basic point here is to remind you that you do not get to abrogate all responsibility by saying “this is sample code, you will need to add error checking and security”, even if you do say it in the article – even if you say it in the comments of the sample!

Why do I care so much? It’s only three lines of code!

Simply stated, I’ve seen too many cases where people have included three lines of code (or five, or twenty, the count doesn’t matter) into a program, and they’ve stepped away and shipped that code.

“It wasn’t my fault,” they say, when the incident happens, “I copied that code from a sample online.”

This is the point at which the re-education machine is engaged – because, of course, it totally is your fault, if you include code in your development without treating it with the same rigour as if you had written every line of it yourself. You will get punished – usually by having to stay late and fix it.

It’s also the sample writer’s fault.

He gave you the mini-SDK that you imported blindly into your application, without testing it, without checking errors in it, without appropriate security measures, and he brushed you off with “well, of course, you should add your own error checks and security magic to it”.

Here’s an example of what I’m talking about, courtesy of Troy Hunt linking to an ASP forum.

No, if you’re providing sample code on the Internet, it’s important to make sure it doesn’t embody BAD design; this is code that will be taken up by people by definition less keen, less eager, less smart and less motivated to do things right than you are – after all, rather than figuring out how to write this code for themselves, they are allowing you to do it for them, to teach them how it’s done. If you then teach them how it’s done badly, that’s how they will learn to do it – badly. And they will teach others.

So, instead, make your three line samples five lines, and add enough error checking that unexpected issues or other bad things will break the sample’s execution.

Oh yeah, and what about updates, when you find a horrendous bug – how do you distribute those?

Posted by Alun Jones | with no comments

A reminder of who I am, and what I do

Looking at my recent posts, I’ve noticed a few things – not only have I been posting very sporadically and randomly, but also I’ve been avoiding talking about a number of aspects of myself that are key to why I maintain this blog.

In an effort to improve on that, I’m going to start with a quick recap of my biography – not a chronological approach, but a few details to let newcomers know who I am, and old-timers remember my motivations.

1. Family - a father and husband

This always comes first. I work to support my family. I’ve been married nearly twenty years to a fantastically understanding wife, and with her I have a wonderful seventeen-year-old son who is fast becoming the sort of adult whom I’d want to be friends with, if we weren’t already related.

2. Technical interests – general

What makes me prime MVP material, as well as informs the rest of my work, is that I am fascinated with all aspects of technology, from nanotech to 3d printing, quantum computing, cryptography, physics, mathematics – even if it’s unrelated to my own work, or requires tools I can’t afford to use, I’m fascinated by, and try to remain informed about, as much technology as possible.

Sadly, the human brain and attention span can only gather so much information, so there’s always topics I want to know more about. I think this is the eternal frustration of the technologically inclined.

3. Technical background – developer

I’m also a software developer – practically my first job out of college was to develop for Unix platforms, initially, maintaining and porting Fortran code to that platform. Moved from there to Windows, largely out of cussedness (trying to prove to the world that Windows could run a reliable server), and languages like C++, C#, and a few other languages as time and interest allowed.

4. Interest & Current job – security guy

Over time, though, it became clear that my code was getting hacked. So was everyone else’s, but I was unusual in noticing it and wanting to do something about it.

So I became an expert in security. Mostly I did this by reading other people’s books, blogs and articles, and then answering other people’s security questions, to demonstrate that I understood and could explain.

Then, because I didn’t have a career background in security, I had to build one to match my expertise. So I worked my way up “through the ranks”, albeit a little quicker than was expected. Hopefully, that didn’t result in too much missed instruction.

As a result, I’m now a Senior Security Engineer at a large online site. I won’t name them, not because they’re not proud of me, or I’m not proud of them, but because they’ve made it very clear that my blogging is not a part of my job, and my job is not to be a part of my blog.

That means, of course, that nothing I say here is to be construed as an indication of my employer’s position (unless I specifically say it is), and that the stories here and on my twitter feed are pulled from general experience, conversations with others in my field, and general places I have worked, rather than my current employer. I have worked at enough places to tell that developers are, on average, the same no matter where you go. So the stories are the same.

The main area I’m interested in is that of Application Security – how you can build applications that offer functionality while remaining resilient under attack. But I’m still also interested in network security, social engineering (for good and fighting its use for ill), spam fighting, and a number of other topics. I occasionally tell people their web sites are broken.

5. Side work – WFTPD, 2ndAuth, Texas Imperial Software

At various times I’ve also been self-employed, and created Texas Imperial Software as the outlet for my frustrated software development side. Usually, it’s because I’ve seen a need (or had that need myself!) that isn’t being fulfilled by existing software.

“How hard can that be?” is usually the phrase that gets me into trouble.

So I find out how hard it can be. In this manner, I’ve produced:

WFTPD Server / WFTPD Server Pro – FTP servers for Windows. These have been selling for twenty years now, less solidly lately than in the past, when WFTPD was my full time job. But the income is enough to keep up the absolutely minimal support expenditure this software takes.

2ndAuth – an auditing solution for shared accounts in Windows client and server systems. When you try to log on to a Windows system using an account marked as “shared”, you are prompted in addition for your real username and password. In turn, your verified username is logged in the Windows Event Log as a user of this shared account. Sure, shared accounts are against policy, but there are some times they can’t be avoided. In those times, 2ndAuth is a compensating control that allows you to finally answer the question “I know SQLAdmin brought down the server – so which operator do I kick / re-train / fire?”

iFetch – I love BBC Radio and TV, and wrote an app that fetches radio (or TV, if you’re in the UK) shows from the iPlayer, so that you can sync them to your mobile devices that aren’t supported by iPlayer apps.

6. Survivor – cancer

This is a pretty amazing achievement, thinking back on it – but I feel like all the work was done by other people – my wife, who made important surgical decisions while I was under general anaesthesia, and has been a great strength ever since, my surgeon and the doctors who handled the follow-up work, and my son who suffered through many nights of chicken and rice which was all I had the stomach for after radiotherapy. All I did was live through it.

This is why I cringe whenever I hear people talking about “brave” cancer patients. What I did was not brave, it was survival. Running from a bear that you’ve just noticed is eating you is not brave. It’s normal, it’s natural – it’s hard, for sure, but it isn’t brave. Brave is running towards the bear to beat him off.

Oh, and the type of cancer was testicular. The outside world considers that a bad word – and while conversations about breast cancer are plenty, you won’t find a testicular cancer awareness month. [The medical profession, by comparison, thinks cancer is a bad word, and listed my condition everywhere as “testicular C.”]

Men between the ages of 15 and 35 are most likely to be hit by testicular cancer – and there’s good news, and bad news. The good news is, it’s the most easily treated form of cancer (partly because it’s mostly outside the body already). The bad news – it’s fast acting, so delaying seeking treatment leads to many men literally dying because of embarrassment.

7. Microsoft MVP – Enterprise Security

This is an award that I’m constantly proud to have received, and which I think is thoroughly worth having. I’ll be sadder when I finally lose my MVP status (hopefully many years away still) than I was when I lost my CISSP. The network of other smart people is wonderful – and being in a category that has no closely-defined product means that I can continue to give more generally-appropriate advice, rather than specific instruction on an individual product. [It also means we don’t get the exciting swag, but hey, that’s not what I’m in the program for]

There’s an MVP Summit starting on November 17, it’s kind of a Microsoft-centric conference (think TechEd), but at a faster pace, greater depth, and with some material that isn’t public yet. We’ve each signed an NDA, and there are things I know are coming that are really exciting to me, but that I can’t talk about – yet.

8. Hobbies – juggling, unicycling

And occasionally I will draw on my hobbies of juggling and unicycling. This is how I get my exercise, some of the time, passing clubs with my son or riding unicycles around the school gym. I’m not very good, but then I don’t have to be.

In which a coffee store learns not to blacklist

I’ve been playing a lot lately with cross-site scripting (XSS) – you can tell that from my previous blog entries, and from the comments my colleagues make about me at work.

Somehow, I have managed to gain a reputation for never leaving a search box without injecting code into it.

And to a certain extent, that’s deserved.

But I always report what I find, and I don’t blog about it until I’m sure the company has fixed the issue.

So, coffee store, we’re talking Starbucks, right?

Right, and having known a few people who’ve worked in the Starbucks security team, I was surprised that I could find anything at all.

Yet it practically shouted at me, as soon as I started to inject script:

[Image: 0-oops]

Well, there’s pretty much a hint that Starbucks have something in place to prevent script.

But it’s not the only thing preventing script, as I found with a different search:

[Image: 1-prompt]

So, one search takes me to an “oops” page, another takes me to a page telling me that nothing happened – but without either one executing the script.

The oops page doesn’t include any of my script, so I don’t like that page – it doesn’t help my injection at all.

The search results page, however, that includes some of my script, so if I can just make that work for me, I’ll be happy.

Viewing source is pretty helpful, so here’s what I get from that, plus searching for my injected script:

[Image: 2-social]

So, while my intended JavaScript, “"-prompt(1)-"”, is not executed, and indeed is in the wrong context to be executed, every character has successfully made it into the source sent back to the user’s browser.

At this point, I figure that I need to find some execution that is appropriate for this context.

Maybe the XSS fish will help, so I search for that:

[Image: 3-XSSFish]

Looks promising – no “oops”, let’s check the source:

[Image: 4-XSSFishSrc]

This is definitely working. At this point, I know the site has XSS, I just have to demonstrate it. If I was a security engineer at Starbucks, this would be enough to cause me to go beat some heads about.

I think I should stress that. If you ever reach this point, you should fix your code.

This is enough evidence that a site has XSS issues to make a developer do some work on fixing it. I have escaped the containing quotes, I have terminated/escaped the HTML tag I was in, and I have started something like a new tag. I have injected into your page, and now all we’re debating about is how much I can do now that I’ve broken in.

And yet, I must go on.

I have to go on at this point, because I’m an external researcher to this company. I have to deliver to them a definite breach, or they’ll probably dismiss me as a waste of time.

The obvious thing to inject here is “"><script>prompt(1)</script>” – but we saw earlier that produced an “oops” page. We’ve seen that “prompt(1)” isn’t rejected, and the angle-brackets (chevrons, less-than / greater-than signs, etc, whatever you want to call them) aren’t rejected, so it must be the word “script”.

That, right there, is enough to tell me that instead of encoding the output (which would turn those angle-brackets into “&lt;” and “&gt;” in the source code, while still looking like angle-brackets in the display), this site is using a blacklist of “bad words to search for”.

Why is a blacklist wrong?

That’s a really good question – and the basic answer is because you just can’t make most blacklists complete. A blacklist can only work if you have a very limited character set, and a good reason to believe that your blacklist can be complete.

A blacklist that might work is to say that you surround every HTML tag’s attributes with double quotes, and so your blacklist is double quotes, which you encode, as well as the characters used to encode, which you also encode.

I say it “might work”, because in the wonderful world of Unicode and developing HTML standards, there might be another character to escape the encoding, or a set of multiple code points in Unicode that are treated as the encoding character or double quote by the browser.

Easier by far, to use a whitelist – only these few characters are safe, and ALL the rest get encoded.

You might have an incomplete whitelist, but that’s easily fixed later, and at its worst is no more than a slight inefficiency. If you have an incomplete blacklist, you have a security vulnerability.

Back to the story

OK, so having determined that I can’t use the script tag, maybe I can add an event handler to the tag I’m in the middle of displaying, whether it’s a link or an input. Perhaps I can get that event handler to work.

Ever faithful is the “onmouseover” event handler. So I try that.

You don’t need to see the “oops” page again. But I did.

The weirdest thing, though, is that the “onmooseover” event worked just fine.

Except I didn’t have a moose handy to demonstrate it executing.

[Image: 5-mooseover]

So, that means that they had a blacklist of events, and onmouseover was on the list, but onmooseover wasn’t.

Similarly, “onfocus” triggered the “oops” page, but “onficus” didn’t. Again, sadly I didn’t have a ficus with me.

You’re just inventing event names.

Sure, but then so is the community of browser manufacturers. There’s a range of “ontouch” events that weren’t on the blacklist, but are supported by a browser or two – and then you have to wonder if Google, maker of the Chrome browser and the Glass voice-controlled eyewear, might not introduce an event or two for eyeball tracking. Maybe a Kinect-powered browser will introduce “onwaveat”. Again, the blacklist isn’t future-proof. If someone invents a new event, you have to hope you find out about it before the attackers try to use it.

Again, back to the story…

Then I tried adding characters to the beginning of the event name. Curious – that works.

[Image: 6-query]

And, yes, the source view showed me the event was being injected. Of course, the browser wasn’t executing it, because of course, “?onmouseover” can’t be executed. The HTML spec just doesn’t allow for it.

Eventually, I made my way through the ASCII table to the forward-slash character.

[Image: 7-slash]

Magic!

Yes, that’s it, that executes. There’s the prompt.

Weirdly, if I used “alert” instead of “prompt”, I get the “oops” page. Clearly, “alert” is on the blacklist, “prompt” is not.

I still want to make this a ‘hotter’ report before I send it off to Starbucks, though.

How “hotter”?

Well, it’d be nice if it didn’t require the user to find and wave their mouse over the page element that you’ve found the flaw in.

Fortunately, I’d also recently found a behaviour in Internet Explorer that allows a URL to set focus to an element on the page by its ID or name. And there’s an “onfocus” event I can trigger with “/onfocus”.

[Image: 8-focused]

So, there we are – automated execution of my chosen code.

Anything else to make it more sexy?

Sure – how about something an attacker might try – a redirect to a site of their choosing. [But since I’m not an attacker, we’ll do it to somewhere acceptable]

I tried to inject “onfocus=’document.location=”//google.com”’” – but apparently, “document” and “location” are also on the banned list.

“ownerDocu”, “ment”, “loca” and “tion” aren’t on the blacklist, so I can do “this["ownerDocu"+"ment"]["loca"+"tion"]=” …

Very quickly, this URL took the visitor away from the Starbucks search page and on to the Google page.

Now it’s ready to report.

Hard part over, right?

Well, no, not really. This took me a couple of months to get reported. I tried “security@starbucks.com”, which is the default address for reporting security issues.

An auto-reply comes my way, informing me this is for Starbucks staff to report [physical] security issues.

I try the webmaster@ address, and that gets me nowhere.

The “Contact Us” link takes me to a customer service representative, and an entertaining exchange that results in them telling me that they’ve passed my email around everyone who’s interested, and the general consensus is that I should go ahead and publish my findings.

So you publish, right?

No, I’m not interested in self-publicising at the cost of someone else’s security. I do this so that things get more secure, not less.

So, I reach out to anyone I know who works for Starbucks, or has ever worked for Starbucks, and finally get to someone in the Information Security team.

This is where things get far easier – and where Starbucks does the right things.

The Information Security team works with me, politely, quickly, calmly, and addresses the problem quickly and completely. The blacklist is still there, and still takes you to the “oops” page – but it’s no longer the only protection in place.

My “onmooseover” and “onficus” events no longer work, because the correct characters are quoted and encoded.
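Why the encoding fix holds where the word list did not, as an added example that is neither Starbucks' code nor the author's: the blacklist below is a constructed stand-in built only from the words this post found blocked (the site's real list and matching rules are not on the page), the search-box markup and function names are assumptions, and the inputs are the post's own strings.

```javascript
// Constructed stand-in for a word blacklist: only the words the post
// reports as triggering the "oops" page. Substring matching is an
// assumption; the site's actual matching rules are not known.
const BLACKLIST = ['script', 'onmouseover', 'onfocus', 'alert', 'document', 'location'];

// Returns null for the "oops" page, otherwise echoes the input unchanged.
function blacklistFilter(input) {
  const lower = input.toLowerCase();
  return BLACKLIST.some((word) => lower.includes(word)) ? null : input;
}

// Whitelist output encoding for an HTML attribute value: alphanumerics
// and spaces pass, every other code point becomes a numeric reference.
function htmlAttrEncode(input) {
  let out = '';
  for (const ch of input) { // iterates by code point, not UTF-16 unit
    out += /^[A-Za-z0-9 ]$/.test(ch)
      ? ch
      : '&#x' + ch.codePointAt(0).toString(16) + ';';
  }
  return out;
}

// Hypothetical search-box template; the real page markup is not shown.
function renderSearchBox(value) {
  return '<input type="text" name="q" value="' + value + '">';
}

// The template writes exactly six double quotes (three attributes).
// Any extra raw quote means user text ended the value attribute early.
function breaksOutOfAttribute(html) {
  return (html.match(/"/g) || []).length !== 6;
}

const SAMPLES = [
  '"><script>prompt(1)</script>',            // from the post
  '"-prompt(1)-"',                           // from the post
  '" onmooseover="prompt(1)',                // built on the post's made-up event
  'this["ownerDocu"+"ment"]["loca"+"tion"]', // from the post
];

function compare(samples) {
  return samples.map((input) => {
    const filtered = blacklistFilter(input);
    let blacklist;
    if (filtered === null) blacklist = 'oops';
    else blacklist = breaksOutOfAttribute(renderSearchBox(filtered)) ? 'breakout' : 'contained';
    const encoded = renderSearchBox(htmlAttrEncode(input));
    const whitelist = breaksOutOfAttribute(encoded) ? 'breakout' : 'contained';
    return { input, blacklist, whitelist };
  });
}

for (const row of compare(SAMPLES)) {
  console.log(row.blacklist.padEnd(10), row.whitelist.padEnd(10), row.input);
}
```

Only the first input trips the word list; the other three reach the page with their quotes intact. The encoder never looks at words at all, so an event name invented tomorrow is handled the same way as one known today.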

The world is made safer and more secure, and a half a year later, I post this article, so that others can learn from this experience, too.

By withholding publishing until well after the site is fixed, I ensure that I’m not making enemies of people who might be in a position to help me later. By fixing the site quickly and quietly, Starbucks ensure that they protect their customers. And I, after all, am a customer.

The Starbucks Information Security team have also promised that there is now a route from security@ to their inbox, as well as better training for the customer service team to redirect security reports their way, rather than insisting on publishing. I think they were horrified that anyone suggested that. I know I was.

And did I ever tell you about the time I got onto Google’s hall of fame?

Posted by Alun Jones | with no comments

Why don’t we do that?

Reading a story on the consequences of the theft of Adobe’s source code by hackers, I come across this startling phrase:

The hackers seem to be targeting vulnerabilities they find within the stolen code. The prediction is that they’re sifting through the code, attempting to find widespread weaknesses, intending to exploit them with maximum effect by using zero-day attacks.

What I’d love to know is why we aren’t seeing a flood of developers crying out to be educated in how they, too, can learn to sift through their own code, attempt to find widespread weaknesses, so they can shore them up and prevent their code from being exploited.

An example of the sort of comments we are seeing can be found here, and they are fairly predictable – “does this mean Open Source is flawed, if having access to the source code is a security risk”, schadenfreude at Adobe’s misfortune, all manner of assertions that Adobe weren’t a very secure company anyway, etc.

Something that’s missing is an acknowledgement that we are all subject to the same pool of developers.

And attackers.

So, if you’re in the business of developing software – whether to sell, licence, give away, or simply to use in your own endeavours, you’re essentially in the same boat as Adobe prior to the hackers breaching their defences. Possibly the same boat as Adobe after the breach, but prior to the discovery.

Unless you are doing something different to what Adobe did, you are setting yourself up to be the next Adobe.

Obviously, Adobe isn’t giving us entire details of their own security program, and what’s gone right or wrong with it, but previous stories (as early as mid-2009) indicated that they were working closely with Microsoft to create an SDL (Security Development Lifecycle) for Adobe’s development.

So, instead of being all kinds of smug that Adobe got hacked, and you didn’t, maybe you should spend your time wondering if you can improve your processes to even reach the level Adobe was at when they got hacked.

And, to bring the topic back to what started the discussion – are you even doing to your software what these unidentified attackers are doing to Adobe’s code?

Are you poring over your own source code to find flaws?

How long are you spending to do that, and what tools are you using to do so?

Government Shuts Down for Cyber Security

In a classic move, clearly designed to introduce National Cyber Security Awareness Month with quite a bang, the US Government has shut down, making it questionable as to whether National Cyber Security Awareness Month will actually happen.

In case the DHS isn’t able to make things happen without funding, here’s what they originally had planned:

[image]

I’m sure you’ll find myself and a few others keen to engage you on Information Security this month in the absence of any functioning legislators.

Maybe without the government in charge, we can stop using the “C” word to describe it.

UPDATE 1

The “C” word I’m referring to is, of course, “Cyber”. Bad word. Doesn’t mean anything remotely like what people using it think it means.

UPDATE 2

The main page of the DHS.GOV web site actually does carry a small banner indicating that there’s no activity happening at the web site today.

[image]

So, there may be many NCSAM events, but DHS will not be a part of them.

Security-SPP errors in the event log. EVERY. THIRTY. SECONDS.

I admit that it’s a little strange to look at your event log fairly often, but I occasionally find interesting behaviour there, and certainly whenever I encounter an unexpected error, that’s where I look first.

Why?

Because that’s actually where developers put information relating to problems you’re experiencing.

So, when I tried to install Windows 8.1 and was told that I would be able to keep “Nothing” – no apps, no settings, etc – I assumed there would be an error in the log.

But all I saw was this:

[image]

So, yes, that’s an error with:

Source: Security-SPP
Event ID: 16385
Error Code: 0x80041316

This goes back to September 2, but only because the Application log that it’s in has already run out of room and ‘rolled over’ with too many entries. Presumably, then, the occurrence that caused this was prior to that.

Searching online, I find that some others have experienced the same thing and posted about this error on the TechNet forums, the most recent of them in January 2013.

A Microsoft representative had answered indicating that the cause could be (of all strange things) a partition with no name. Odd. Then they suggested Refreshing or Reinstalling the PC.

I’m not reinstalling unless there’s something hugely wrong, and the refresh didn’t help at all.

So, on to tracing the cause of the problem.

“Schedule” suggests it might be a Task Scheduler issue, and sure enough, when I open up the Task Scheduler (it’s under the Administrative Tools in the Control Panel, which makes it very hard to find in Windows 8), I get the following error:


Or for the search engines to find, title: “Task Scheduler”, text: “Task SvcRestartTask: The task XML contains an unexpected node.”

It’s a matter of fairly simple searching (as an Administrator, naturally) to find this file “SvcRestartTask” under C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform.

So I moved this file to a document SvcRestartTask.xml in a different folder.

Time to edit it.

Among other lines in the file, these stood out:

    <RestartOnFailure>
      <Priority>3</Priority>
      <Priority>PT1M</Priority>
    </RestartOnFailure>

Odd – two values for Priority, one numeric, one text. So I went hunting in a file from a system that didn’t have that problem. I found these lines in the same place:

    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT1M</Interval>
      <Count>3</Count>
    </RestartOnFailure>

So, clearly something had written to the SvcRestartTask file with incorrect names for these elements. Changing them around in my XML version of the file, I reopened the Task Scheduler UI, navigated down to Microsoft / Windows / SoftwareProtectionPlatform, and imported the XML file there. [This is under “Actions”, but you can also right-click the folder SoftwareProtectionPlatform and select “Import”, then “Refresh”]

Sadly, this wasn’t quite the end of things, because the Task Scheduler UI fails to talk to the Task Scheduler service. Nor can I restart the Task Scheduler service directly.

So a restart will take care of that, and sure enough, now that I’ve restarted, I see no more of these 16385 errors from Security-SPP.

It’s just a shame it took so long to get this answer, and that the Microsoft-supplied answer in the forums is incomplete.

Oh, and of course, one last thing – what does SPP (Software Protection Platform) actually do?

Since this is an element of the Windows Genuine Advantage initiative, with the goal of preventing use of pirated copies of Windows, you might consider you don’t really need / want it around. Either way, you definitely don’t want it clearing your Application event log out every three weeks!

Training developers to write secure code

I’ve done an amount of training developers recently, and it seems like there are a number of different kinds of responses to my security message.

[You can safely assume that there’s also something that’s wrong with the message and the messenger, but I want to learn about the thing I likely can’t control or change – the supply of developers]

Here are some unfairly broad descriptions of stereotypes I’ve encountered along the way. The truth, as ever, is more nuanced, but I think if I can reach each of these target personas, I should have just about everyone covered.

Is there anyone I’ve missed?

The previous victim

I’m always happy to have one or more of these people in the room – the sort of developer who has some experience, and has been on a project that was attacked successfully at some point or another.

This kind of developer has likely quickly learned the lesson that even his own code is subject to attack, vulnerable and weak to the persistent probes of attackers. Perhaps his experience has also included examples of his own failures in more ordinary ways – mere bugs, with no particular security implications.

Usually, this will be an older developer, because experience is required – and his tales of terror, unrehearsed and true, can sometimes provide the “scared straight” lesson I try to deliver to my students.

The previous attacker

This guy is usually a smart, younger individual. He may have had some previous nefarious activity, or simply researched security issues by attacking systems he owns.

But for my purposes, this guy can be too clever, because he distracts from my talk of ‘least privilege’ and ‘defence in depth’ with questions about race conditions, side-channel attacks, sub-millisecond time deltas across multi-second latency routes, and the like. IF those were the worst problems we see in this industry, I’d focus on them – but sadly, sites are still vulnerable to simple attacks, like my favourite – Reflected XSS in the Search field. [Simple exercise – watch a commercial break, and see how many of the sites advertised there have this vulnerability in them.]

But I like this guy for other reasons – he’s a possible future hire for my team, and a probable future assistant in finding, reporting and addressing vulnerabilities. Keeping this guy interested and engaged is key to making sure that he tells me about his findings, rather than sharing them with friends on the outside, or exploiting them himself.

“I did a security class at college”

Unbelievably to me, there are people who “done a project on it”, and therefore know all they want to about security. If what I was about to tell them was important, they’d have been told it by their professor at college, because their professor knew everything of any importance.

I personally wonder if this is going to be the kind of SDE who will join us for a short while, and not progress – because the impression they give to me is that they’ve finished learning right before their last final exam.

Salaryman

Related to the previous category is the developer who only does what it takes to get paid and to receive a good performance review.

I think this is the developer I should work the hardest to try and reach, because this attitude lies at the heart of every developer on their worst days at their desk. When the passion wanes, or the task is uninteresting, the desire to keep your job, continue to get paid, and progress through your career while satisfying your boss is the grinding cog that keeps you moving forward like a wind-up toy.

This is why it is important to keep searching to find ways of measuring code quality, and rewarding people who exhibit it – larger rewards for consistent prolonged improvement, smaller but more frequent rewards to keep the attention of the developer who makes a quick improvement to even a small piece of code.

Sadly, this guy is in my class because his boss told him he ought to attend. So I tell him at the end of my class that he needs to report back to his boss the security lesson that he learned – that all of his development-related goals should have the adverb “securely” appended to them. So “develop feature X” becomes “develop feature X securely”. If that is the one change I can make to this developer’s goals, I believe it will make a difference.

Fanboy

I’ve been doing this for long enough that I see the same faces in the crowd over and over again. I know I used to be a fanboy myself, and so I’m aware that sometimes this is because these folks learn something new each time. That’s why I like to deliver a different talk each time, even if it’s on the same subject as a previous lesson.

Or maybe they just didn’t get it all last time, and need to hear it again to get a deeper understanding. Either way, repeat visitors are definitely welcome – but I won’t get anywhere if that’s all I get in my audience.

Vocational

Some developers do the development thing because they can’t NOT write code. If they were independently wealthy and could do whatever they want, they’d be behind a screen coding up some fun little app.

I like the ones with a calling to this job, because I believe I can give them enough passion in security to make it a part of their calling as well. [Yes, I feel I have a calling to do security – I want to save the world from bad code, and would do it if I was independently wealthy.]

Stereotypical / The Surgeon

Sadly, the hardest person to reach – harder even than the Salaryman – is the developer who matches the stereotypical perception of the developer mindset.

Convinced of his own superiority and cleverness, even if he doesn’t express it directly in such conceited terms, this person will see every suggested approach as beneath him, and every example of poor code as yet more proof of his own superiority.

“Sure, you’ve had problems with other developers making stupid security mistakes,” he’ll think to himself, “But I’m not that dumb. I’ve never written code that bad.”

I certainly hope you won’t ever write code as bad as the examples I give in my classes – those are errant samples of code written in haste, and which I wouldn’t include in my class if they didn’t clearly illustrate my point. But my point is that your colleagues – everyone around you – are going to write this bad a piece of code one day, and it is your job to find it. It is also their job to find it in the code you write, so either you had better be truly as good as you think you are, or you had better apply good security practices so they don’t find you at your worst coding moment.

Useful Excel Macros #1–compare two columns

I often need to compare two columns, and get a list in a third column of the items that are in one column, but not the other.

Every solution I find online has one common problem – the third column is full of blanks in between the items. I don’t want blanks. I want items.

So I wrote this function, which returns an array of the missing items – items which are in the first parameter, but not in the second.

I’m probably missing a trick or two (I’m particularly not happy with the extra element in the array that has to be deleted before the end), so please feel free to add to this in the comments.

    Public Function Missing(ByRef l_ As Range, ByRef r_ As Range) As Variant()
    ' Returns a list of the items which are in l_ but not in r_
    ' Note that you need to put this formula into a range of cells as an array formula.
    ' So select a range, then type =Missing($A:$A,$B:$B), and press Ctrl-Shift-Enter
    ' If the range is too big, you'll get lots of N/A cells
    Dim i As Long ' loop through l_
    Dim l_value As Variant ' current value in l_
    Dim y() As Variant ' Temp array to store values found
    ReDim y(0)

    For i = 1 To l_.Count ' Loop through input

        l_value = l_.Cells(i, 1) ' Get current value

        If Len(l_value) = 0 Then ' Exit when current value is empty
            GoTo exitloop
        End If

        ' Match whole cell values only, so "app" is not treated as found inside "apple"
        If r_.Find(What:=l_value, LookIn:=xlValues, LookAt:=xlWhole) Is Nothing Then ' Can't find current value => add it to the missing
            ReDim Preserve y(UBound(y) + 1) ' Change array size
            y(UBound(y) - 1) = l_value ' Add current value to end
        End If
    Next i
    exitloop:
    If UBound(y) < 1 Then ' Nothing is missing
        Exit Function ' (a bare Return is only valid after GoSub in VBA)
    End If
    ReDim Preserve y(UBound(y) - 1) ' Drop the extra element at the end
    If Application.Caller.Rows.Count > 1 Then ' If we were called from a vertical selection
        Missing = Application.Transpose(y) ' Transpose the array to a vertical mode.
    Else
        Missing = y ' otherwise just return the array horizontally.
    End If
    End Function

Windows Phone 8 improves podcast support to Windows Phone 7 levels

OK, so that’s a really quite inflammatory headline, for a feature change that actually has me really excited, because I can finally use a feature of my phone that I used to love very much.

TL;DR – New version of the Windows Phone for Desktop App. Get it, it puts podcast support for MP3 files (rather than web hosted) back in.

Podcasts

But not really podcasts

As soon as I start talking about podcasts, most of you are either happily thinking about, or dismissing out of hand, the concept of a few people talking into a microphone about some topic they care about very deeply. I don’t really enjoy those kinds of podcasts, because I feel I can get the same kind of information more quickly and without the fanboy stylings from written material like blogs and the intertubes.

So, no, I don’t listen to podcasts.

But I do listen to something that has a lot of similar features to podcasts. I’ll call them “Sequential Long Audio Files” or SLAFs.

Not really music, either

Episodic in nature, and sequential in that it generally pays to listen in the right order, audiobooks and radio drama are examples of SLAFs – audio files that don’t behave like the typical “Music” that phones are generally designed to play.

Music files start from the beginning every time you play them. If you break away from one music track to listen to another, and then come back, you aren’t upset that it lost your place.

With the exception of concept albums and mix tapes, you don’t tend to need to listen to music files in any particular order.

OK, also the exception of symphonic music, opera, musical theatre, etc. There’s probably a lot of music that people want to listen to in sequence and with the ability to break away to another audio file and then return to the same point once you get back.

But not podcasts

Podcasts are already in this area, and they’re well supported on the Windows Phone 8 platform. So, there’s little need to improve in that feature, says the guy who acknowledges he never listens to podcasts.

What’s not been supported well – in Windows Phone 7 or at all in Windows Phone 8 – is the type of audio file exemplified by audio books, radio drama, symphonic music, opera, and so on. The SLAFs.

Here are some differences between SLAFs and regular podcasts:

  • You already have the files – they’re not on the web to be subscribed to
  • The files are sequenced by ID3 tags – rather than XML you fetch from a web site
  • Also in ID3 tags, AlbumArt that indicates a thumbnail for the series – rather than an XML file
  • Often, the sequence is finite, there’s an expectation that you will listen to all six (or however many) episodes (chapters, lieder, etc) and then be done with that set – rather than a podcast which may start at “episode 1”, but entices you back for “another great show next week” until such time as the audience and advertising dwindles to the point where the power (and the podcast) gets pulled. This means that “subscribing” makes no sense in sequential audio.

I’m sure there are other differences too.

He’s said this before

Yes, I’ve complained about podcast support on Windows Phone before, over and over and over again.

In Windows Phone 7, I wanted a few simple features added.

In Windows Phone 8, they took the entire feature set away. Podcasts now had to come from a URL and be subscribed to. Great for traditional podcasts, but intolerable for SLAFs. Yes, I could have written a web service that turns a SLAF album into a podcast series, but I just didn’t have the time.

Now, the feature has been brought back – and through a delivery of a new version of the Windows Phone app for desktop. This is what replaced the Zune software. Which really wasn’t all that bad.

So, how do we do this?

Step by step.

  1. Install the new version of the Windows Phone app for desktop.
  2. Now run it.
  3. Click on “pc”, if you need to. Note that, because this is a “metro” interface, “PC” is in lower case, despite all English style guides.
  4. Click on “podcasts”
  5. Check the podcasts you want to put on the phone, and hit “Sync” to send them there.

What if I didn’t see any podcasts?

Yes, that will happen, if you haven’t marked any items as podcasts, or put them into the sync folders.

You see that thing that says “Add or remove folders”?

This is what allows you to pick the folders into which you will put your SLAFs.

Click that, and you’re presented with a familiar-looking dialog:


In Windows Phone 7 and the Zune software, you also had to go and change the genre on your SLAFs to “Podcast”.

I am pleased as punch to say that you don’t have to do that any more. Leave the genre what it was. Not that the phone will make any use of it, allow you to search, sort or filter by it, or in any way act as if you’ve done anything better than setting the genre to “Podcast”. But it makes me feel good to know that I don’t have to assault my files to make them work on the Windows Phone.

What’s left to do?

Clearly the feature isn’t finished – there’s some work to do in the phone to improve support.


As you can see from the image to the left, there’s a whole lot of grey where there ought to be images from the AlbumArt ID3 tag in each of these series.

I can’t help but think that sometimes these titles are going to lose something important off the end. Radio shows like to have incredibly long titles, and I’m sure that something like “The Hitch-hiker’s Guide to the Galaxy Series 2” is going to be truncated so that I can’t tell which series I’m listening to. A little more wrap, possibly a marquee-style scrolling display, should fix this where it makes sense to do so.

Ordering – or sequencing – of episodes seems to still leave a little to be desired. It seems that the series will only play in sequence if the files are date-stamped. It would be nice if the podcast tool would simply read the ID3 tags for “track number” and/or “part of set” rather than rely on file dates, which could simply work off when you downloaded or ripped these files. [Note that I advocate the legal use of such technologies to space-shift or time-shift recordings to which you have purchased, or otherwise legitimately own, rights to possess and listen.]

But I can now listen happily to my radio shows – without the radio – and without the Interwebs – as if they were podcasts (though they aren’t).

Gin & tonic all round.

So, thanks and cheers, then, to all at Microsoft involved in bringing this feature back.

Now, if you don’t mind also making it better, that would be lovely.

Playing with security blogs

I’ve found a new weekend hobby – it takes only a few minutes, is easily interruptible, and reminds me that the state of web security is such that I will never be out of a job.

I open my favourite search engine (I’m partial to Bing, partly because I get points, but mostly because I’ve met the guys who built it), search for “security blog”, and then pick one at random.

Once I’m at the security blog site – often one I’ve never heard of, despite it being high up in the search results – I find the search box and throw a simple reflected XSS attack at it.

If that doesn’t work, I view the source code for the results page I got back, and use the information I see there to figure out what reflected XSS attack will work. Then I try that.

[Note: I use reflected XSS, because I know I can only hurt myself. I don’t play stored XSS or SQL injection games, which can easily cause actual damage at the server end, unless I have permission and I’m being paid.]

Finally, I try to find who I should contact about the exploitability of the site.

It’s interesting just how many of these sites are exploitable – some of them falling to the simplest of XSS attacks – and even more interesting to see how many sites don’t have a good, responsive contact address (or prefer simply not to engage with vuln discoverers).

So, what do you find?

I clearly wouldn’t dream of disclosing any of the vulnerabilities I’ve found until well after they’re fixed. Of course, after they’re fixed, I’m happy to see a mention that I’ve helped move the world forward a notch on some security scale. [Not sure why I’m not called out on the other version of that changelog.] I might allude to them on my twitter account, but not in any great detail.

From clicking the link to exploit is either under ten minutes or not at all – and reporting generally takes another ten minutes or so, most of which is hunting for the right address. The longer portion of the game is helping some of these guys figure out what action needs to be taken to fix things.

Try using a WAF – NOT!

You can try using a WAF to solve your XSS problem, but then you’ve got two problems – a vulnerable web site, and that you have to manage your WAF settings. If you have a lot of spare time, you can use a WAF to shore up known-vulnerable fields and trap known attack strings. But it really doesn’t ever fix the problem.

Don’t echo my search query

If you can, don’t echo back to me what I sent you, because that’s how these attacks usually start. Don’t even include it in comments, because a good attack will just terminate the comment and start injecting HTML or script.

Remove my strange characters

Unless you’re running a source code site, you probably don’t need me to search for angle brackets, or a number of other characters. So take them out of my search – or simply reject my search if I include them.

Encode everything

OK, so you don’t have to encode the basics – what are the basics? I tend to start with alphabetic and numeric characters, maybe also a space. Encode everything else.

Which encoding?

Yeah, that’s always the hard part. Encode it using the right encoding. That’s the short version. The long version is that you figure out what’s going to decode it, and make sure you encode for every layer that will decode. If you’re putting my text into a web page as a part of the page’s content, HTML encode it. If it’s in an attribute string, quote the characters using HTML attribute encoding – and make sure you quote the entire attribute value! If it’s an attribute string that will be used as a URL, you should URL encode it. Then you can HTML encode it, just to be sure.

[Then, of course, check that your encoding hasn’t killed the basic function of the search box!]
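The layering described above, as an added example that is not code from the original post: allowlist encoders for the three places a results page echoes a query, plus a round-trip check that the search still works after encoding. The function names and the `/search?q=` URL shape are assumptions made for illustration.

```javascript
// Added example. Names and the /search?q= URL shape are assumptions.

// HTML-encode: keep only ASCII letters, digits and space (the "basics");
// every other character becomes a numeric character reference.
function htmlEncode(text) {
  let out = '';
  for (const ch of String(text)) {
    out += /^[A-Za-z0-9 ]$/.test(ch)
      ? ch
      : '&#x' + ch.codePointAt(0).toString(16).toUpperCase() + ';';
  }
  return out;
}

// Attribute context: encode the value AND quote the entire attribute value.
function htmlAttr(name, value) {
  if (!/^[a-z][a-z0-9-]*$/.test(name)) throw new Error('bad attribute name');
  return name + '="' + htmlEncode(value) + '"';
}

// URL inside an attribute: two decoders will read this text (the HTML parser
// first, then the URL decoder on the server), so encode for the inner layer
// first. encodeURIComponent leaves the apostrophe alone, which is why the
// HTML layer on top is not redundant.
function searchHref(query) {
  const url = '/search?q=' + encodeURIComponent(query); // URL layer
  return htmlAttr('href', url);                         // HTML attribute layer
}

// The three echo points of a typical search results page.
function renderSearchEcho(query) {
  return '<p>Results for ' + htmlEncode(query) + '</p>' +
    '<input type="text" name="q" ' + htmlAttr('value', query) + '>' +
    '<a ' + searchHref(query) + '>permalink</a>';
}

// What the HTML parser does to an attribute value: resolve the numeric
// references that htmlEncode emitted.
function decodeNumericRefs(text) {
  return text.replace(/&#x([0-9A-F]+);/g,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// Check that encoding has not killed the search box: undo each layer in the
// order the browser and server would, and return the query the server sees.
function roundTripQuery(query) {
  const attr = searchHref(query);                  // href="..."
  const raw = attr.slice('href="'.length, -1);     // strip name and quotes
  const url = decodeNumericRefs(raw);              // HTML layer undone
  return decodeURIComponent(url.slice('/search?q='.length)); // URL layer undone
}

// Constructed sample input containing every character class that matters.
const SAMPLE_QUERY = 'it\'s <b>"bold"</b> & more';
```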

Respond to security reports

You should definitely respond to security reports. I understand that not everyone can have a 24/7 response team watching their blog (I certainly don’t), but you should try to respond within a couple of days, and anything under a week is probably going to be alright. Some vuln discoverers are upset if they don’t get a response much sooner, and see that as cause to publish their findings.

Me, I send a message first to ask if I’ve found the right place to send a security vulnerability report to, and only when I receive a positive acknowledgement do I send on the actual details of the exploit.

Be like Billy – Mind your XSS Manners!

I’ve said before that I wish programmers would respond to reports of XSS as if I’d told them I caught them writing a bubble sort implementation in Cobol. Full of embarrassment at being such a beginner.

Using URL anchors to enliven XSS exploits

I hope this is original, I certainly couldn't find anything in a quick bit of research on “Internet Explorer”, “anchor” / “fragment id” and “onfocus” or “focus”. [Click here for the TLDR version.]

Those of you who know me, or have been reading this blog for a while know that I have something of a soft spot for the XSS exploits (See here, here, here and here – oh, and here). One of the reasons I like them is that I can test sites without causing any actual damage to them – a reflected XSS that I launch on myself only really affects me. [Stored XSS, now that’s a different matter] And yet, the issues that XSS brings up are significant and severe.

A quick reminder

XSS issues are significant and severe because:

  • An attacker with a successful XSS is rewriting your web site on its way to the user
  • XSS attacks can be used to deliver the latest Java / ActiveX / Flash / Acrobat exploits
  • Stored XSS can affect all of your customers, and can turn your web server into a worm to infect all of your users all of the time
  • A reflected XSS can be used to redirect your users to a competitor’s or attacker’s web site
  • A reflected or stored XSS attack can be used to void any CSRF protection you have in place
  • XSS vulnerability is usually a sign that you haven’t done the “fit and finish” checks in your security reviews
  • XSS vulnerability is an embarrassing rookie mistake, made often by seasoned developers

Make it “SEXY”

So, I enjoy reporting XSS issues to web sites and seeing how they fix them.

It’s been said I can’t pass a Search box on a web site without pasting in some kind of script and seeing whether I can exploit it.

So, the other day I decided for fun to go and search for “security blog” and pick some entries at random. The first result that came up – blog.schneier.com – seemed unlikely to yield any fruit, because, well, Bruce Schneier. I tried it anyway, and the search box goes to an external search engine, which looked pretty solid. No luck there.

A couple of others – and I shan’t say how far down the list, for obvious reasons – turned up trumps. Moderately simple injections into attributes in HTML tags on the search results page.

One only allowed me to inject script into an existing “onfocus” event handler, and the other one allowed me to create the usual array of “onmouseover”, “onclick”, “onerror”, etc handlers – and yes, “onfocus” as well.

I reported them to the right addresses, and got the same reply back each time – this is a “low severity” issue, because the user has to take some action, like wiggling the mouse over the box, clicking in it, etc.

Could I raise the severity, they asked, by making it something that required no user interaction at all, save for loading the link?

Could I make the attack more “sexy”?

Try something stupid

Whenever I’m faced with an intellectual challenge like that, I find that often a good approach is to simply try something stupid. Something so stupid that it can’t possibly work, but in failing it will at least give me insight into what might work.

I want to set the user’s focus to a field, so I want to do something a bit like “go to the field”. And the closest automatic thing that there is to “going to a field” in a URL is the anchor portion, or “fragment id” of the URL.

Anchor? What’s that in a URL?

You’ll have seen them, even if you haven’t really remarked on them very much. A URL consists of a number of parts:

protocol://address:port/path1//path2?query#anchor

The anchor is often called the “hash”, because it comes after the “hash” or “sharp” or “pound” (if you’re not British) character. [The query often consists of sets of paired keys and values, like “key1=value1&key2=value2”, etc]

The purpose of an anchor is to scroll the window to bring a specific portion to the top. So, you can give someone a link not just to a particular page, but to a portion of that page. It’s a really great idea. Usually an anchor in the URL takes you to a named anchor tag in the page – something that reads “<a name=foobar></a>” will, for instance, be scrolled to the top whenever you visit it with a URL that ends with “#foobar”.

[The W3C documentation only states that the anchor or fragment ID is used to “visit” the named tag. The word “visit” is never actually defined. Common behaviour is to load the page if it’s not already loaded, and to scroll the page to bring the visited element to the top.]

This anchor identifier in the URL is also known as a “fragment identifier”, because technically the anchor is the entire URL. That’s not how the term is commonly used, though.

XSS fans like myself are already friendly with the anchor identifier, because it has the remarkable property of never being sent to the server by the browser! This means that if your attack depends on something in the anchor identifier, you don’t stand much chance of being detected by the server administrators.

Sneaky.

The stupid thing

So, the stupid thing that I thought about is “does this work for any name? and is it the same as focus?”

Sure enough, in the W3C documentation for HTML, here it is:

Destination anchors in HTML documents may be specified either by the A element (naming it with the name attribute), or by any other element (naming with the id attribute).

[From http://www.w3.org/TR/html4/struct/links.html#h-12.1]

So, that means any tag with an “id” attribute can be scrolled into view. This effectively applies to any element with a “name” attribute too, because:

This attribute [name] names the current anchor so that it may be the destination of another link. The value of this attribute must be a unique anchor name. The scope of this name is the current document. Note that this attribute shares the same name space as the id attribute. [my emphasis]

[From http://www.w3.org/TR/html4/struct/links.html#adef-name-A]

This is encouraging, because all those text boxes already have to have ids or names to work.

So, we can bring a text box to the top of the browser window by specifying its id or name attribute as a fragment.

That’s the first stupid thing checked off and working.

Bringing it into focus

But moving a named item to the top of the screen isn’t the same as selecting it, clicking on it, or otherwise giving it focus.

Or is it?

Testing in Firefox, Chrome and Safari suggested not.

Testing in Internet Explorer, on the other hand, demonstrated that versions from as old as IE8, all the way through IE9 and IE10, cause focus behaviour – including any “onfocus” handler – to trigger.

The TLDR version:

Internet Explorer has a behaviour different from other browsers which makes it easier to exploit a certain category of XSS vulnerabilities in web sites.

If you are attacking users of a vulnerable site that allows an attacker to inject code into an “onfocus” handler (new or existing), you can force visitors to trigger that “onfocus” event, simply by adding the id or name of the vulnerable HTML tag to the end of the URL as a fragment ID.

You can try it if you like – using the URL http://www.microsoft.com/en-us/default.aspx#ctl00_ctl16_ctl00_ctl00_q

OK, so you clicked it and it didn’t drop down the menu that normally comes when you click in the search field on Microsoft’s front page. That’s because the onfocus handler wasn’t loaded when the browser set the focus. Try reloading it.

You can obviously build any number of test pages to look at this behaviour:

    <form>
    <input type="text" name="exploit" id="exploitid" onfocus="alert(1)" />
    </form>

Loading that with a link to formpage.html#exploit or formpage.html#exploitid will pop up an ‘alert’ dialog box.

So, that’s a security flaw in IE, right?

No, I don’t think it is – I don’t know that it’s necessarily even a flaw.

The documentation I linked to above only talks about the destination anchor being used to “visit” a resource. It doesn’t even say that the named anchor should be brought into view in any way. [Experiment: what happens if the ID in the fragment identifier is a “type=hidden” input field?]

It doesn’t say you should set focus; it also doesn’t say you should not set focus. Setting focus may be simply the most convenient way that Internet Explorer has to bring the named element into view.

And the fact that it makes XSS exploits a little easier doesn’t make it a security flaw either – the site you’re visiting STILL has to have an XSS flaw on it somewhere.

Is it right to publish this?

Finally, the moral question has to be asked and answered.

I start by noting that if I can discover this, it’s likely a few dozen other people have discovered it too – and so far, they’re keeping it to themselves. That seems like the less-right behaviour – because now those people are going to be using this on sites unaware of it. Even if the XSS injection is detected by the web site through looking in their logs, those same logs will tell them that the injection requires a user action – setting focus to a field – and that there’s nothing causing that to happen, so it’s a relatively minor issue.

Except it’s not as minor as that, because the portion of the URL that they CAN’T see is going to trigger the event handler that just got injected.

So I think the benefit far outweighs the risk – now defenders can know that an onfocus handler will be triggered by a fragment ID in a URL, and that the fragment ID will not appear in their log files, because it’s not sent to the server.
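A defender-side sketch of that point, added here and not part of the original post: it shows which part of a URL reaches the server, then triages access-log lines for event-handler attributes injected through query parameters, flagging “onfocus” findings as not dependent on a click. The log lines are constructed samples in an assumed combined log format, and the function names are illustrative.

```javascript
// Added example. Log lines are constructed; addresses are documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jun/2013:10:00:01 +0000] "GET /search?q=threat+modeling HTTP/1.1" 200 5120',
  '203.0.113.9 - - [01/Jun/2013:10:00:05 +0000] "GET /search?q=%22+onfocus%3D%22alert(1) HTTP/1.1" 200 5240',
  '203.0.113.9 - - [01/Jun/2013:10:00:09 +0000] "GET /search?q=x%22%20onmouseover=%22alert(1) HTTP/1.1" 200 5260',
];

// The part of a URL that reaches the server and its logs: path and query.
// The fragment (u.hash) stays in the browser and is never transmitted.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Heuristic: an "on<event>=" token at the start of a value or after a quote,
// whitespace or slash looks like an injected event-handler attribute.
// It is a triage filter, so expect some false positives.
const HANDLER_RE = /(?:^|["'\s\/])(on[a-z]{3,})\s*=/i;

// Decode each query parameter of one log line and report handler injections.
function findInjectedHandlers(logLine) {
  const m = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(logLine);
  if (!m) return [];
  const q = m[1].indexOf('?');
  if (q < 0) return [];
  const findings = [];
  for (const [param, value] of new URLSearchParams(m[1].slice(q + 1))) {
    const hit = HANDLER_RE.exec(value);
    if (!hit) continue;
    const handler = hit[1].toLowerCase();
    findings.push({
      param,
      handler,
      // Per the IE8 to IE10 behaviour described in the post, a fragment naming
      // the element can fire onfocus on page load, and that fragment will not
      // be in this log. Do not downgrade these as "needs user action".
      fragmentTriggerable: handler === 'onfocus',
    });
  }
  return findings;
}

// Run the check over a whole log and keep the 1-based line number.
function triage(lines) {
  const out = [];
  lines.forEach((line, i) => {
    for (const f of findInjectedHandlers(line)) out.push({ line: i + 1, ...f });
  });
  return out;
}
```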

I’ve already contacted Microsoft’s Security team and had the response that they don’t think it’s a security problem. They’ve said they’ll put me in touch with the Internet Explorer team for their comments – and while I haven’t heard anything yet, I’ll update this blog when / if they do.

In general, I believe that the right thing to do with security issues is to engage in coordinated disclosure, because the developer or vendor is generally best suited to addressing specific flaws. In this case, the flaw is general, in that it’s every site that is already vulnerable to XSS or HTML injection that allows the creation or modification of an “onfocus” event handler. So I can’t coordinate.

The best I can do is communicate, and this is the best I know how.

Posted by Alun Jones | with no comments