Follow a Real-World Attack

Saw a great article on Informit.com that walks you through a real-world application penetration scenario.  The author starts out by finding and exploiting a cross-site scripting (XSS) vulnerability and then walks through exploiting additional vulnerabilities to the point that he can run shell commands on the system.  This is a great view into the mindset of application-level attackers.

I did have an issue with one of his recommended fixes.  In order to fix the XSS vulnerability that he used in the first place, he recommended stripping out a list of bad characters often used in XSS attacks.  Although that might appear to fix the problem in this case, this is a bad strategy.  Blacklisting bad characters is a stop-gap solution that fails to provide real security.  Instead, each input should be specifically validated to make sure that it contains what it should.  An email address should look like an email address (xyz@xyz.com), a positive integer should be a positive integer (12345), and so on.
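To make the distinction concrete, here is an added example (not code from this post or from the Informit article it discusses) that puts the character-stripping approach next to positive validation for the two input types named above. The regular expressions and the blacklist contents are constructed for illustration, not taken from the article.

```python
import re

# Example code added to illustrate the post's point; the patterns below are
# constructed assumptions, deliberately kept simple.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
POSINT_RE = re.compile(r"^[1-9][0-9]*$")

# Constructed blacklist of the kind the post argues against.
BLACKLIST = "<>\"'();"


def strip_bad_chars(value: str) -> str:
    """The stop-gap approach: delete listed characters and carry on.

    Anything not on the list, however unexpected, passes straight through.
    """
    return "".join(ch for ch in value if ch not in BLACKLIST)


def validate_email(value: str) -> str:
    """Accept only input that looks like an email address; reject everything else."""
    if not isinstance(value, str) or len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("invalid email address")
    return value


def validate_positive_int(value: str) -> int:
    """Accept only a positive integer and return it as a typed int."""
    if not isinstance(value, str) or not POSINT_RE.fullmatch(value):
        raise ValueError("expected a positive integer")
    return int(value)


def is_valid(validator, value) -> bool:
    """Helper: True if the validator accepts the value, False if it rejects it."""
    try:
        validator(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample input: not a positive integer, yet contains no blacklisted
    # character, so the strip approach returns it unchanged while validation rejects it.
    sample = "12345abc"
    print(repr(strip_bad_chars(sample)), is_valid(validate_positive_int, sample))
```

The validators reject rather than "clean" bad input, so a value that reaches the application is guaranteed to have the shape the code expects.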

This may seem like a minor point to argue about but it is not.  If security vulnerabilities are going to be remediated, they need to be remediated correctly.  Applying band-aid solutions to the problem is a bad idea because underlying serious vulnerabilities will remain and everyone will be left with a false sense of security.  That is, of course, until someone exploits the remaining vulnerabilities – then developers will be in hot water.  It won’t be a fun conversation trying to explain why an application is still vulnerable even though $X and Y weeks were spent “securing” it.

So if you are going to set out to fix something you should actually fix it.  You probably won’t get a second chance.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
