I've found a new weekend hobby – it takes only a few minutes, is easily interruptible, and reminds me that the state of web security is such that I will never be out of a job.
I open my favourite search engine (I'm partial to Bing, partly because I get points, but mostly because I've met the guys who built it), search for "security blog", and then pick one at random.
Once I'm at the security blog site – often one I've never heard of, despite it being high up in the search results – I find the search box and throw a simple reflected XSS attack at it.
If that doesn't work, I view the source code for the results page I got back, and use the information I see there to figure out what reflected XSS attack will work. Then I try that.
[Note: I use reflected XSS, because I know I can only hurt myself. I don't play stored XSS or SQL injection games, which can easily cause actual damage at the server end, unless I have permission and I'm being paid.]
Finally, I try to find who I should contact about the exploitability of the site.
It's interesting just how many of these sites are exploitable – some of them falling to the simplest of XSS attacks – and even more interesting to see how many sites don't have a good, responsive contact address (or prefer simply not to engage with vuln discoverers).
I clearly wouldn't dream of disclosing any of the vulnerabilities I've found until well after they're fixed. Of course, after they're fixed, I'm happy to see a mention that I've helped move the world forward a notch on some security scale. [Not sure why I'm not called out on the other version of that changelog.] I might allude to them on my twitter account, but not in any great detail.
From clicking the link to exploit is either under ten minutes or not at all – and reporting generally takes another ten minutes or so, most of which is hunting for the right address. The longer portion of the game is helping some of these guys figure out what action needs to be taken to fix things.
You can try using a WAF to solve your XSS problem, but then you've got two problems – a vulnerable web site, and WAF settings that you have to manage. If you have a lot of spare time, you can use a WAF to shore up known-vulnerable fields and trap known attack strings. But it never actually fixes the problem.
If you can, don't echo back to me what I sent you, because that's how these attacks usually start. Don't even include it in comments, because a good attack will just terminate the comment and start injecting HTML or script.
Unless you're running a source code site, you probably don't need me to search for angle brackets, or a number of other characters. So take them out of my search – or plainly reject my search if it includes them.
OK, so you don't have to encode the basics – what are the basics? I tend to start with alphabetic and numeric characters, maybe also a space. Encode everything else.
Yeah, that's always the hard part. Encode it using the right encoding. That's the short version. The long version is that you figure out what's going to decode it, and make sure you encode for every layer that will decode. If you're putting my text into a web page as a part of the page's content, HTML encode it. If it's in an attribute string, quote the characters using HTML attribute encoding – and make sure you quote the entire attribute value! If it's an attribute string that will be used as a URL, you should URL encode it. Then you can HTML encode it, just to be sure.
[Then, of course, check that your encoding hasn't killed the basic function of the search box!]
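The three output contexts and the whitelist described above, as an added Python example (not code from this post, and not any particular blog engine's code): the alphanumeric-plus-space filter, HTML-content encoding, quoted HTML-attribute encoding, URL-then-HTML encoding for a link, and the round-trip check from the bracketed note. The `/search?page=2&q=` route and the page fragments are assumed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample input: a classic reflected-XSS probe string, not from any real site.
SAMPLE_QUERY = '"><script>alert(1)</script>'

# Whitelist: keep letters, digits and spaces; drop everything else before any further use.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9 ]")


def restrict_search_term(term: str) -> str:
    """Strip every character outside the alphanumeric-plus-space whitelist."""
    return NOT_ALLOWED.sub("", term)


def for_html_content(term: str) -> str:
    """Term placed as page text, e.g. <p>Results for: ...</p>: HTML-encode it."""
    return html.escape(term, quote=True)


def for_html_attribute(term: str) -> str:
    """Term placed in an attribute: HTML-attribute-encode it AND quote the whole value."""
    return '"' + html.escape(term, quote=True) + '"'


def for_url_in_attribute(term: str) -> str:
    """Term used as a query parameter in href="...": URL-encode for the URL parser,
    then HTML-encode for the HTML parser, which runs first on the page."""
    url = "/search?page=2&q=" + quote(term, safe="")  # assumed route
    return '"' + html.escape(url, quote=True) + '"'


def render_results_page(term: str) -> str:
    """Build the three contexts a search box typically echoes the term into."""
    return (
        "<p>Results for: " + for_html_content(term) + "</p>\n"
        '<input name="q" value=' + for_html_attribute(term) + ">\n"
        "<a href=" + for_url_in_attribute(term) + ">Search again</a>"
    )


def url_round_trips(term: str) -> bool:
    """Check the encoding did not break the search link: decode each layer in the
    order a browser would (HTML entities, then URL percent-encoding) and compare."""
    attr = html.unescape(for_url_in_attribute(term).strip('"'))
    return parse_qs(urlsplit(attr).query)["q"] == [term]
```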
You should definitely respond to security reports. I understand that not everyone can have a 24/7 response team watching their blog (I certainly don't), but you should try to respond within a couple of days, and anything under a week is probably going to be alright. Some vuln discoverers are upset if they don't get a response much sooner, and see that as cause to publish their findings.
Me, I send a message first to ask if I've found the right place to send a security vulnerability report to, and only when I receive a positive acknowledgement do I send on the actual details of the exploit.
I've said before that I wish programmers would respond to reports of XSS as if I'd told them I caught them writing a bubble sort implementation in Cobol. Full of embarrassment at being such a beginner.