Tuesday Jun 13, 2006

Cross Site Scripting Prevention in Sun Java System Web Server 7.0


Check out the new improvements we made in Sun Java System Web Server 7.0. It can be downloaded for free from http://www.sun.com/download/index.jsp?cat=Web%20%26%20Proxy%20Servers&tab=3&subcat=Web%20Servers. In this blog I will talk about Cross Site Scripting (XSS) prevention.

obj.conf now supports many features that let you use it much like a programming language, which in turn lets us configure features in Web Server similar to those of the ModSecurity module for Apache.

The main method of preventing Cross Site Scripting (XSS) is entity encoding, using entities such as "&lt;". We have now introduced a native input-stage filter based on sed that can do XSS filtering. This sed-request filter applies sed edit commands to an incoming request entity body, e.g. an uploaded file or a submitted form.

Input fn="insert-filter" ... filter="sed-request" sed="script" [ sed="script" ... ]

Where "script" is the sed script you want to run on the request body.
For example, take a request body posted from an HTML form that contains "<" and ">" characters. In ModSecurity for Apache you would write a SecFilter like this:
SecFilterEngine On
SecFilterScanPOST On
SecFilter "<(.|\n)+>"


By adding the following to obj.conf, Web Server 7.0 will encode any < and > characters in POST bodies:

Input fn="insert-filter"
method="POST"
filter="sed-request"
sed="s/(<|%3c)/\\&lt;/gi"
sed="s/(>|%3e)/\\&gt;/gi"

* Note that because POST bodies are usually URL-encoded, it is important to also check for the URL-encoded forms when editing POST bodies. "%3C" is the URL-encoded form of "<" and "%3E" is the URL-encoded form of ">".


From Web Server 7.0 update 2 or 3 onwards, you can instead have a config file myrules.txt as shown below:

SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_BODY "<(.|\n)+>"

I have added <config-file>myrules.txt</config-file> in server.xml.

I have added a simple CGI script to test my stuff.
$cat https-test/docs/cgi-bin/test.pl
#!/tools/ns/bin/perl5
# Minimal CGI that echoes back the form fields it received, so we can
# see exactly what reaches the script after the Web Server's input stage.
binmode(STDOUT);
binmode(STDIN);

# Read the entity body for POST, the query string for everything else.
if ($ENV{'REQUEST_METHOD'} eq "POST") {
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    @pairs = split(/&/, $buffer);
} else {
    @pairs = split(/&/, $ENV{'QUERY_STRING'});
}

# Decode each key=value pair: '+' to space, %XX to the byte it encodes,
# and bare carriage returns to newlines.
foreach $pair (@pairs) {
    ($key, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ tr/\cM/\n/;
    $FORM{$key} = $value;
}

print "Content-Type: text/html\n\n";
print "CGI values passed\n\n";

if ($#pairs < 0) {
    print "No CGI Variables\n";
} else {
    foreach $var (keys(%FORM)) {
        print "$var $FORM{$var}\n";
    }
}
exit;


So when we send a request without < and >, it goes through fine, as shown below:

$telnet 0 3333
POST /cgi-bin/test.pl HTTP/1.0
Content-length: 10

abcde12345
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 16 Jul 2008 07:56:47 GMT
Content-type: text/html
Connection: close

CGI values passed

abcde12345

When we send a request with both < and >, as shown below, we get a Forbidden error:
$telnet 0 3333
POST /cgi-bin/test.pl HTTP/1.0
Content-length: 10

ab<cd>12
HTTP/1.1 403 Forbidden
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 16 Jul 2008 07:57:24 GMT
Content-length: 142
Content-type: text/html
Connection: close

<HTML><HEAD><TITLE>Forbidden</TITLE></HEAD>
<BODY><H1>Forbidden</H1>
Your client is not allowed to access the requested object.
</BODY></HTML>

When we send a request with just <, it doesn't match the pattern and hence passes:
$telnet 0 3333
POST /cgi-bin/test.pl HTTP/1.0
Content-length: 10

ab<cdef12345
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Wed, 16 Jul 2008 07:58:03 GMT
Content-type: text/html
Connection: close

CGI values passed

ab<cdef123

More details on SecRule and the other related directives supported in Web Server 7.0 update 2 onwards are in this blog.
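To make the difference between the two approaches concrete, here is a small Python model of the sed-request rewrite and of the SecRule check, run over the bodies from the telnet sessions above plus one constructed URL-encoded body. This is an added example, not code from the original post or from Web Server 7.0, and it extends the %3C/%3E note above by applying the same SecRule pattern both before and after URL-decoding.

```python
import re
from urllib.parse import unquote_plus

# The two obj.conf strategies from the post, modelled in Python.
# Strategy 1 (sed-request): rewrite raw and URL-encoded angle brackets to
# entities, case-insensitively, exactly as the two sed scripts do.
SED_RULES = [
    (re.compile(r"(<|%3c)", re.IGNORECASE), "&lt;"),
    (re.compile(r"(>|%3e)", re.IGNORECASE), "&gt;"),
]

# Strategy 2 (SecRule REQUEST_BODY "<(.|\n)+>"): refuse the request when a
# '<' is followed, possibly across newlines, by a '>'.
SECRULE_PATTERN = re.compile(r"<(.|\n)+>")


def sed_request_encode(body: str) -> str:
    """Run the sed scripts in order; each one edits the whole body."""
    for pattern, replacement in SED_RULES:
        body = pattern.sub(replacement, body)
    return body


def secrule_allows(body: str) -> bool:
    """True if the body passes (200 OK), False if the rule matches (403)."""
    return SECRULE_PATTERN.search(body) is None


def secrule_allows_decoded(body: str) -> bool:
    """Same check after URL-decoding, so %3C...%3E is judged like <...>."""
    return secrule_allows(unquote_plus(body))


if __name__ == "__main__":
    # Constructed bodies: the three from the telnet sessions plus one
    # URL-encoded variant that shows why the decoding step matters.
    bodies = ["abcde12345", "ab<cd>12", "ab<cdef12345", "ab%3Ccd%3E12"]
    for body in bodies:
        raw = "200 OK" if secrule_allows(body) else "403 Forbidden"
        decoded = "200 OK" if secrule_allows_decoded(body) else "403 Forbidden"
        print(f"{body:14} sed-request -> {sed_request_encode(body):16} "
              f"SecRule raw -> {raw:14} SecRule decoded -> {decoded}")
```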

About

Meena Vyas
