Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director,Oracle iPlanet WebServer

  • June 12, 2006

Cross Site Scripting Prevention in Sun Java System Web Server 7.0


Check out the new improvements we made in Sun Java System Web Server 7.0. It can be downloaded for free from http://www.sun.com/download/index.jsp?cat=Web%20%26%20Proxy%20Servers&tab=3&subcat=Web%20Servers. In this blog I will talk about Cross Site Scripting (XSS) prevention.


obj.conf now supports many features that let you use it much like a programming language, which allows us to configure features in Web Server similar to those of the ModSecurity Apache module.



The main method of preventing Cross Site Scripting (XSS) is entity encoding, using entities such as "&lt;". We have now introduced a native input-stage filter based on sed which can do XSS filtering. This sed-request filter applies sed edit commands to an incoming request entity body, e.g. an uploaded file or a submitted form:

Input fn="insert-filter" ... filter="sed-request" sed="script" [sed="script" ...]



Where "script" is the actual sed script you want to run on the request body.

For example, take a request body posted from an HTML form that contains "<" and ">" characters. In ModSecurity on the Apache server you would use a SecFilter like:

SecFilterEngine On
SecFilterScanPOST On
SecFilter "<(.|\n)+>"



By adding the following to obj.conf, Web Server 7.0 will entity-encode any < and > characters in POST request bodies.

Input fn="insert-filter" method="POST" filter="sed-request" sed="s/(<|%3c)/\\&lt;/gi" sed="s/(>|%3e)/\\&gt;/gi"



* Note that because POST bodies are usually URL-encoded, it is important to also check for the URL-encoded forms when editing POST bodies. "%3C" is the URL-encoded form of "<" and "%3E" is the URL-encoded form of ">".



From Web Server 7.0 Update 2 or 3 onwards, you can have a config file myrules.txt as shown below:


SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_BODY "<(.|\n)+>"


I have added <config-file>myrules.txt</config-file> to server.xml.


I have added a simple CGI script to test this:

$ cat https-test/docs/cgi-bin/test.pl
#!/tools/ns/bin/perl5
# Minimal test CGI: parses key=value pairs from a POST body (or the query
# string on GET) and echoes them back, so we can see what the filter let through.
binmode(STDOUT);
binmode(STDIN);

if ($ENV{'REQUEST_METHOD'} eq "POST") {
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    @pairs = split(/&/, $buffer);
} else {
    @pairs = split(/&/, $ENV{'QUERY_STRING'});
}

foreach $pair (@pairs) {
    ($key, $value) = split(/=/, $pair, 2);   # split on the first '=' only
    $value =~ tr/+/ /;                                            # '+' is an encoded space
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;  # decode %XX escapes
    $value =~ tr/\cM/\n/;                                         # CR -> LF
    # Values are kept only in %FORM; never eval() form input as Perl code.
    $FORM{$key} = $value;
}

print "Content-Type: text/html\n\n";
print "CGI values passed\n\n";

if ($#pairs < 0) {
    print "No CGI Variables\n";
} else {
    foreach $var (keys(%FORM)) {
        print "$var $FORM{$var}\n";
    }
}

exit;


So when we send a request without < and >, it goes through fine, as shown below:

$ telnet 0 3333
POST /cgi-bin/test.pl HTTP/1.0
Content-length: 10

abcde12345
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 16 Jul 2008 07:56:47 GMT
Content-type: text/html
Connection: close

CGI values passed

abcde12345

When we send a request with < and > as shown below, we get a Forbidden error:
$ telnet 0 3333
POST /cgi-bin/test.pl HTTP/1.0
Content-length: 10

ab<cd>12
HTTP/1.1 403 Forbidden
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 16 Jul 2008 07:57:24 GMT
Content-length: 142
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Forbidden</TITLE></HEAD>
<BODY><H1>Forbidden</H1>
Your client is not allowed to access the requested object.
</BODY></HTML>




When we send a request with just <, it doesn't match the pattern and hence passes:

$ telnet 0 3333
POST /cgi-bin/test.pl HTTP/1.0
Content-length: 10

ab<cdef12345
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 16 Jul 2008 07:58:03 GMT
Content-type: text/html
Connection: close

CGI values passed

ab<cdef123
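To make the two mechanisms concrete, here is an added Python example (mine, not code from this blog or from Web Server 7.0) that ports the two sed-request substitutions and the SecRule pattern from above, and mirrors the form parsing done by test.pl. Run over the three bodies from the telnet tests it reproduces the pass / 403 / pass outcome. Run over a constructed URL-encoded form body it also shows a caveat worth knowing before deploying the entity-encoding rules: the literal '&' in the inserted "&lt;" is itself a pair separator for a form parser such as test.pl, so the field value is split apart. The sed_request_encode_urlform variant is my suggestion for that case, not something the blog shows; the sample form body is constructed.

```python
import re
import urllib.parse

# --- The blog's two obj.conf sed-request rules, ported to Python ---
# sed "s/(<|%3c)/\&lt;/gi" and "s/(>|%3e)/\&gt;/gi": global and
# case-insensitive, matching the raw character or its URL-encoded form.
LT_RE = re.compile(r"<|%3c", re.IGNORECASE)
GT_RE = re.compile(r">|%3e", re.IGNORECASE)

# --- The blog's SecFilter / SecRule pattern ---
TAG_RE = re.compile(r"<(.|\n)+>")


def sed_request_encode(body: str) -> str:
    """Entity-encode '<' and '>' (and %3C/%3E) exactly as the sed rules do."""
    return GT_RE.sub("&gt;", LT_RE.sub("&lt;", body))


def sed_request_encode_urlform(body: str) -> str:
    """Variant (my suggestion, not from the blog) for
    application/x-www-form-urlencoded bodies: emit the entity itself
    URL-encoded, so the inserted '&' and ';' survive the downstream
    form parser and decode back to '&lt;' / '&gt;'."""
    return GT_RE.sub("%26gt%3B", LT_RE.sub("%26lt%3B", body))


def secrule_blocks(body: str) -> bool:
    """True when SecRule REQUEST_BODY "<(.|\\n)+>" would match and the
    request is answered with 403; False when it is let through."""
    return TAG_RE.search(body) is not None


def parse_form(body: str) -> dict:
    """Mirror test.pl: split on '&', then on the first '=', then
    URL-decode the value ('+' -> space, %XX -> byte)."""
    form = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        form[key] = urllib.parse.unquote_plus(value)
    return form


if __name__ == "__main__":
    # The three bodies from the telnet tests above.
    for body in ("abcde12345", "ab<cd>12", "ab<cdef123"):
        print(f"{body!r:16} SecRule blocks: {secrule_blocks(body)}")

    # Constructed URL-encoded form body, as a browser would POST it.
    form_body = "comment=%3Cb%3Ehi%3C%2Fb%3E"
    # The raw entity rules insert '&', which test.pl reads as a separator:
    print(parse_form(sed_request_encode(form_body)))
    # -> {'comment': '', 'lt;b': '', 'gt;hi': '', 'lt;%2Fb': '', 'gt;': ''}
    print(parse_form(sed_request_encode_urlform(form_body)))
    # -> {'comment': '&lt;b&gt;hi&lt;/b&gt;'}
```

Which variant fits depends on what consumes the body: the blog's raw rules are right when the downstream handler reads the entity body as-is (an uploaded text file, say), while the URL-encoded variant is the one to use when the handler URL-decodes form fields, as test.pl does. The secrule_blocks results also make the blog's last test explicit: a lone "<" with no closing ">" is outside the pattern and is passed through unchanged.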

More details on SecRule and other related directives supported in Web Server 7.0 Update 2 onwards are in this blog.
