XSS Countermeasures in Grails
TRANSCRIPT
Rafael Luque @rafael_luque — OSOCO
José San Leandro @rydnr — Ventura24
http://goo.gl/UGdJ0I
XSS Intro
XSS concepts
• What's an XSS
• XSS types: reflected, stored, DOM-based.
• Famous XSS attacks: Samy worm, MrBean defacement, ...
XSS threats
• Interface defacement
• Session hijacking
• Click hijacking
• Malware infection
• Your PC may be joined to the horde of zombies in a botnet.
Following the white rabbit...
Something more than a joke...
Hooking your browser
Hooked browsers with BeEF
Exploiting your system
Exploiting the browser
1. Preparing the exploit server...
2. Injecting an invisible frame pointing to the exploit server...
3. Exploit works and executes the payload...
4. Spawning notepad.exe process to migrate to...
Fun with post-exploitation
Post-exploitation phase
• Run a remote shell
• Keylogging
• Run VNC session
Welcome to the horde of zombies
Joining a botnet
1. Install the malware...
2. Welcome to my botnet C&C...
Responsibilities: Why is this still an issue?
Commercial software
• XSS is not known to business stakeholders
• For most people, security means attacking your servers
• Developers don't pay enough attention
Do your homework
• Raise awareness
• Practice with security tools
• Promote defensive coding
• Improve monitoring
Understanding Grails Encoding
Grails Pre-2.3 Gotchas
#1: Built-in default codec is none!
grails.views.default.codec = "none"
Problems
• You have to escape every piece of untrusted data explicitly:
  encodeAsHTML()
  encodeAsJavaScript()
  encodeAsURL()
• High likelihood of XSS vulnerabilities in production. E.g. the Grails.org website.
• Double-encoding prevention was favoured over security by default.
Solution
Change the default codec to HTML:
grails.views.default.codec = "html"
#2: Inconsistent behaviour
Apply codec:
• GSP EL: ${...}
• Tag as a method: ${g.tag(...)}
Does not apply codec:
• Tag: <g:tag .../>
• GSP EL in tag attribute: <g:tag a="${...}"/>
• Scriptlets: <%= ... %>
#3: Tag output is not escaped
Problems
• Review the tags you use to make sure they encode their output or have options for this (e.g. an encodeAs attribute).
• Review the tags from the plugins you use.
• Review the tags you invoke as methods in controllers.
• Don't trust Grails core tags, they have inconsistent behaviour. E.g.:
  <g:fieldValue /> // HTML-encoded
  <g:message />    // not HTML-encoded
Solutions
If the tag implementation doesn't encode, add it explicitly or invoke the tag as a method inside a GSP expression:
<g:message ... encodeAs="HTML"/>
${g.message(...)}
g.message(...).encodeAsHTML()
#4: g:message doesn't escape arguments
Problems
With the default codec set to HTML the following XSS attack vector works:
<g:message code='welcome' args='[params.user]'/>
where:
welcome = Hi {0}!
params.user = <script>alert('pwnd')</script>
Solutions
• Upgrade to a Grails version with the issue (GRAILS-7170) fixed: 2.0.5, 2.1.5, 2.2.2, 2.3-M1
• Escape explicitly or invoke the tag inside a GSP expression:
  <g:message code='welcome' args='[params.user]' encodeAs='HTML'/>
  ${g.message(code:'welcome', args:[params.user])}
#5: One codec is not enough
You MUST use the escape syntax for the context of the HTML document you're putting untrusted data into:
• HTML
• JavaScript
• URL
• CSS
HTML entity encoding doesn't work if you're using untrusted data inside a <script>, or an event handler attribute like onmouseover, or inside CSS, or in a URL.
Problems
You can override the default codec for a page, but you cannot switch the codec for each context:
<%@page defaultCodec='CODEC' %>
How do you manage GSPs with mixed encoding requirements?
Solutions
• Turn off the default codec for that page and use encodeAsJavaScript() and encodeAsHTML() explicitly everywhere.
• Extract the JavaScript fragment to a GSP tag that encodes as JavaScript.
Grails 2.3 Encoding Enhancements
#1: New configuration more secure by default
grails {
    views {
        gsp {
            encoding = 'UTF-8'
            htmlcodec = 'xml' // use xml escaping instead of HTML4
            codecs {
                expression = 'html' // escapes values inside ${}
                scriptlet = 'html' // escapes output from scriptlets in GSP
                taglib = 'none' // escapes output from taglibs
                staticparts = 'none' // escapes output from static templates
            }
        }
        // escapes all not-encoded output at final stage of outputting
        filteringCodecForContentType {
            //'text/html' = 'html'
        }
    }
}
#2: Finer-grained control of codecs
Control the codecs used per plugin:
pluginName.grails.views.gsp.codecs.expression = 'CODEC'
Control the codecs used per page:
<%@ expressionCodec='CODEC' %>
Control the default codec used by a tag library:
static defaultEncodeAs = 'HTML'
Or on a per-tag basis:
static encodeAsForTags = [tagName: 'HTML']
Support for an optional encodeAs attribute is added to all tags automatically:
<my:tag arg='foo.bar' encodeAs='JavaScript'/>
#3: Context-sensitive encoding switching
The withCodec('CODEC', Closure) tag switches the current default codec for the closure body, pushing onto and popping from a default codec stack.
out.println '<script type="text/javascript">'
withCodec("JavaScript") {
    out << body()
}
out.println()
out.println '</script>'
Core tags like <g:javascript/> and <r:script/> automatically set an appropriate codec.
#4: Raw output
When you do not wish to encode a value, you can use the raw() method.
${raw(book.title)}
It's available in GSPs, controllers and tag libraries.
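The Grails 2.3 mechanisms above (the withCodec stack, raw(), encoded-output tracking that avoids double encoding), together with pre-2.3 gotchas #4 (g:message arguments) and #5 (HTML entity encoding failing inside an event handler attribute), modelled in Python as an added example. This is not Grails source: encode_html, encode_javascript, Encoded, Renderer and render_profile are names chosen for this illustration.

```python
import html
from contextlib import contextmanager


def encode_html(value: str) -> str:
    # HTML codec in 'xml' style: & < > " and ' all become entities.
    return html.escape(value, quote=True)


def encode_javascript(value: str) -> str:
    # JavaScript codec: everything but ASCII letters and digits becomes \uXXXX,
    # so no quote, line terminator or </script> can leave a JS string literal.
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp > 0xFFFF:  # outside the BMP: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


CODECS = {"html": encode_html, "javascript": encode_javascript, "none": str}


class Encoded(str):
    """A string that remembers the codec that produced it: this is what lets
    the pipeline avoid double encoding without giving up encoding by default."""

    def __new__(cls, text, codec):
        obj = super().__new__(cls, text)
        obj.codec = codec
        return obj


class Renderer:
    """Models the GSP output pipeline: default codec stack, ${} expressions,
    raw() and g:message argument encoding (names chosen for this example)."""

    def __init__(self, default_codec="html"):
        self.stack = [default_codec]

    @contextmanager
    def with_codec(self, codec):
        # withCodec('CODEC') { ... }: push for the closure body, pop afterwards
        self.stack.append(codec)
        try:
            yield
        finally:
            self.stack.pop()

    def raw(self, value):
        # raw(): mark trusted markup so that no codec touches it
        return Encoded(str(value), "raw")

    def expression(self, value, codec=None):
        # ${value}: encode with the current codec unless the value is already
        # encoded for this context, or explicitly raw
        codec = codec or self.stack[-1]
        if isinstance(value, Encoded) and value.codec in (codec, "raw"):
            return value
        return Encoded(CODECS[codec](str(value)), codec)

    def message(self, pattern, args):
        # g:message with GRAILS-7170 fixed: arguments are encoded before they
        # are substituted into the trusted bundle pattern ('{0}' placeholders,
        # where str.format agrees with Java's MessageFormat).
        encoded = [self.expression(arg) for arg in args]
        return Encoded(pattern.format(*encoded), self.stack[-1])


def render_profile(user_name):
    # An HTML body and an inline script, each encoded for its own context.
    r = Renderer("html")
    page = ["<h1>" + r.message("Hi {0}!", [user_name]) + "</h1>"]
    page.append('<script type="text/javascript">')
    with r.with_codec("javascript"):  # the body of a withCodec('JavaScript') tag
        page.append("var user = '" + r.expression(user_name) + "';")
    page.append("</script>")
    page.append("<p>" + r.expression(r.raw("<em>trusted markup</em>")) + "</p>")
    return "\n".join(page)


def seen_by_js_engine_in_event_handler(encoded):
    # The HTML parser decodes entities in an attribute such as onmouseover="..."
    # before the JavaScript engine parses it, so HTML entities do not survive
    # there; \uXXXX escapes contain no '&' and pass through unchanged.
    return html.unescape(encoded)
```

Running render_profile with the slide's `<script>alert('pwnd')</script>` value shows the same input encoded two different ways on one page, while seen_by_js_engine_in_event_handler shows why the HTML codec alone is the wrong tool for an onmouseover attribute.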
#5: Default encoding for all output
You can configure Grails to encode all output at the end of a response.
grails {
    views {
        gsp {
            codecs {
                ...
                staticparts = 'raw' // escapes output from static templates
            }
        }
        // escapes all not-encoded output at final stage of outputting
        filteringCodecForContentType {
            'text/html' = 'html'
        }
    }
}
If activated, the staticparts codec needs to be set to raw so that static markup is not encoded.
Check your plugins' security
Plugins are also part of your application
• Grails plugins are not security audited
• Grails plugins are part of your application's attack surface
• Review plugins to make sure they encode, and if they don't you should JIRA the authors immediately, and fork and patch to fix your app quickly.
E.g. Javamelody vulnerability
• CVE-2013-4378 vulnerability reported.
• Allows a blind XSS attack via X-Forwarded-For header spoofing.
• The attack target is the admin's browser.
• Fixed in the latest release (1.47).
• You should upgrade ASAP.
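A defender-side check for the X-Forwarded-For case above, written in Python as an added example (not Javamelody or Grails code): the header is validated as a plain address list before it is trusted or displayed, and constructed log lines are scanned for values that are not addresses, which is what the later "monitor for suspicious traffic" advice amounts to here. The xff="..." log field, the sample lines and the function names are assumptions made for this example.

```python
import html
import ipaddress
import re

# Constructed access-log lines (not real traffic): the application logs the
# X-Forwarded-For value it received as xff="...".  Line 3 carries markup
# instead of an address list; "-" means the header was absent.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2013:10:01:02 +0200] "GET /monitoring HTTP/1.1" 200 xff="203.0.113.7"
198.51.100.4 - - [24/Sep/2013:10:01:09 +0200] "GET /index HTTP/1.1" 200 xff="198.51.100.4, 10.0.0.2"
198.51.100.9 - - [24/Sep/2013:10:02:31 +0200] "GET /index HTTP/1.1" 200 xff="<script>alert('pwnd')</script>"
192.0.2.5 - - [24/Sep/2013:10:03:00 +0200] "GET /index HTTP/1.1" 200 xff="-"
"""

XFF_RE = re.compile(r'xff="([^"]*)"')


def parse_xff(header):
    """Return the addresses in an X-Forwarded-For value, or None when any
    element is not a syntactically valid IP.  The header is client-controlled,
    so a strict allow-list (IP literals only) is the only thing worth trusting.
    Proxies that append ports ("203.0.113.7:4321") must be normalised first."""
    ips = []
    for part in header.split(","):
        part = part.strip()
        try:
            ips.append(str(ipaddress.ip_address(part)))
        except ValueError:
            return None
    return ips


def xff_for_display(header):
    """What an admin page may render: the validated address list, otherwise an
    HTML-encoded copy so that any markup in the header stays inert."""
    ips = parse_xff(header)
    return ", ".join(ips) if ips else html.escape(header, quote=True)


def scan_log(text):
    """Flag log lines whose X-Forwarded-For value is not an address list.
    Returns (line number, HTML-encoded value) pairs, safe to put in a report."""
    flagged = []
    for number, line in enumerate(text.splitlines(), 1):
        match = XFF_RE.search(line)
        if not match or match.group(1) == "-":
            continue
        value = match.group(1)
        if parse_xff(value) is None:
            flagged.append((number, html.escape(value, quote=True)))
    return flagged
```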
Demo: Javamelody XSSed
Solutions: What options do we have?
Think like an attacker
• According to your Grails version
• Find unescaped values
• Use fuzzers
• Read and understand Samy code
• Review OWASP XSS cheatsheets
Be aware
• Review your Grails app to double-check how all dynamic content gets escaped
• Monitor for suspicious traffic
• Spread the knowledge
• Adopt ZAP or similar fuzzers in your CI process
• Review available security plugins for Grails
Application firewalls
• Enable common, safe rules
• Log unexpected traffic
• Don't fool yourself
Early-adopt CSP
• CSP: Content Security Policy
• Adds headers to disable default behavior:
  • inline JavaScript
  • dynamic code evaluation
• Still a Candidate Recommendation of W3C
Conclusions: Grails can defeat XSS
Grails
• Is able to defend our application from XSS attacks
• But we need to pay attention to the details
• Upgrade to 2.3 ASAP
• Pay attention to XSS
XSS
• Is much more dangerous than defacement jokes
• The browsers are the actual target
• Difficult to monitor
• Uncomfortable counter-measures in the browser: NoScript, Request Policy
Wake up
• Write secure applications by default
• Get yourself used to Metasploit, Burp, ZAP
• Spread the word both horizontally and vertically
Picture credits
• Cover: http://www.flickr.com/photos/usairforce/ (CC by-nc)
• White rabbit: http://www.flickr.com/photos/alles-banane/5849593440 (CC by-sa-nc)
• Hieroglyphs: http://www.flickr.com/photos/59372146@N00 (CC by-sa-nc)
• Zombies: http://www.flickr.com/photos/aeviin/4986897433 (CC by-sa-nc)