Cross and bothered

If you manage websites you’re probably aware of increasing attacks of the type called Cross-Site-Scripting or XSS, to which many high-profile sites and commercial products have been vulnerable (see www.xssed.com and lose sleep!). XSS attacks come in a variety of forms, but let’s look at a very simple type: my examples are in ASP, but all other web languages are vulnerable because it isn’t a weakness of the language or operating system but of your code. Yes, this one is your fault! An XSS attack involves changing the URL of a web page being called and embedding a script into it. Imagine a web page that displays items from a database, called “showitems.asp”, which needs to know which item to display and so takes a parameter called “id” which is the item number to display. The URL would look something like www.yoursite.com/showitems.asp?id=1234. Let’s keep things simple and assume we display this item on the web page, using code like:


<% response.write(request.querystring("id")) %>

Now imagine that someone modifies the calling URL to www.yoursite.com/showitems.asp?id=<script>alert("Hello World")</script>

What happens now is that our code will insert:

<script>alert("Hello World")</script>

into the HTML source of our page instead of the id 1234. The browser will render this code and pop up a dialog box with “Hello World” in it. If this happens, then that web page is susceptible to XSS attack. You may be thinking a popup is no big threat, but consider what’s actually happened: someone executed unauthorised code in your web page, and the possibilities for mischief go way beyond “Hello World!”. I have no intention of describing how to launch an attack – but trust me, it can be done. If you have access to the log files from your web server then examining them will reveal such attempts. And don’t think that because you don’t use a database that you’re exempt – any page that displays information from a previous page could be vulnerable.

The way to stop these attacks is always to test the data that you read from the previous page: not just data contained in the URL, but also any cookies since these could be hijacked from a previous page in an XSS attack. So if your code only expects a numerical value then only let numbers pass; if you’re expecting a string then examine it, perhaps check its length and discard anything else, or remove any characters that shouldn’t be there. For example, the characters < and > could be removed, as could “;” which is often used in SQL injection attacks as is the ‘ character. Given that these characters are so potentially dangerous and can be removed with no effect on the running of the site, why doesn’t the programming language, or perhaps the web server, block them by default? I have no answer.

For users with IIS6, I’ve found a good add-on that will stop SQL injection attacks, saving you from having to go through a website checking for vulnerable code. It’s available at www.codeplex.com/IIS6SQLInjection and works as an ISAPI filter, and the source code is available. I used it on the site of a client that was being attacked and it solved the problem quickly, giving the programmers time to fix their code just in case.

The easiest way of correcting your site if it appears to be vulnerable to XSS attacks is to write a function that will remove the danger characters. To keep it easy to manage, probably the best way is to create a file containing a function that can be called from your code, then set your pages to include this file using the code:
<!--#include file="Useful.asp" -->

Now, if you need to add extra routines in future to protect your site, you only have to edit this one file rather than every page, and you can re-use it for other sites.

The code in “Useful.asp” needs to look something like:

Function stripTags(HTMLstring)
    ' Remove each character or word that could let a value be treated as markup or script
    HTMLstring = Replace(HTMLstring, "<", "")
    HTMLstring = Replace(HTMLstring, ">", "")
    HTMLstring = Replace(HTMLstring, "onmouseover", "")
    ' Apostrophe and semicolon are the characters most often seen in SQL injection attempts
    HTMLstring = Replace(HTMLstring, "'", "")
    HTMLstring = Replace(HTMLstring, ";", "")
    stripTags = HTMLstring
End Function

Each line of this function looks for a particular character and then replaces it with a null – this code isn’t particularly elegant because of a limitation of ASP, but it does work. A more elegant ASP.NET version uses the Regular Expression Object and would look like this:

Function stripTags(HTMLstring)
    Dim RegularExpressionObject
    Set RegularExpressionObject = New RegExp
    With RegularExpressionObject
        ' Match a whole tag (<...>) or any stray < > { } ; or ' character
        .Pattern = "<[^>]*>|[<>{};']"
        .IgnoreCase = True
        .Global = True
    End With
    ' Replace every match with an empty string
    stripTags = RegularExpressionObject.Replace(HTMLstring, "")
    Set RegularExpressionObject = Nothing
End Function

In PHP, the built-in strip_tags function does the same job, with the signature strip_tags ( string $str [, string $allowable_tags ] ), so the equivalent of our example page would be:

<?php echo strip_tags($_GET['id']); ?>

Going back to the ASP example on our web page – which we’ve found to be vulnerable to XSS attacks – we just need to change the code to:

<% response.write(stripTags(request.querystring("id"))) %>

Now when the attack is attempted, only the code:

scriptalert("Hello World")/script

will be inserted into our web page, which won’t look very pretty, but because it isn’t recognised as code without the < and > it can do no harm.

The examples I’ve given are very simple ones, because lots of articles on combating XSS talk about validating the data from previous pages but don’t make clear how much or how little code one has to write to block it. Just checking for < and similar characters is sometimes not enough, as browsers may decode other sequences of characters into these. For example, < is ANSI code %3C in hex, which in HTML is &#x3C. Its decimal value is &#60 (note no semicolons) and its base64 is PA==, so stripping out & # and = would also be a good measure. You could just make sure that you HTML encode any values before you display them. Using my previous example the code would be:

<% response.write(server.HTMLEncode(request.querystring("id"))) %>

That way no data would be lost, but there’s a danger that if the “id” query string value is used elsewhere in your code then any rogue code embedded in it might execute. I feel that it’s better to strip out the unwanted characters if you can.
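The three strategies discussed above, run side by side over the page’s own showitems.asp example: this is an added illustration in Python, not code from the column, and it assumes a constructed pair of URLs plus a hex-encoded variant of the probe (request.querystring, stripTags and Server.HTMLEncode are stood in for by query_param, strip_tags and html_encode).

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests: the page's legitimate URL, its XSS probe,
# and the same probe with < and > sent as the %3C/%3E hex sequences.
GOOD_URL = "http://www.yoursite.com/showitems.asp?id=1234"
BAD_URL = 'http://www.yoursite.com/showitems.asp?id=<script>alert("Hello World")</script>'
HEX_URL = "http://www.yoursite.com/showitems.asp?id=%3Cscript%3E"


def query_param(url, name):
    """Decoded value of one query parameter, as request.querystring(name) returns it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def strip_tags(value):
    """Port of the page's Useful.asp stripTags(): delete each listed character or word."""
    for bad in ("<", ">", "onmouseover", "'", ";"):
        value = value.replace(bad, "")
    return value


def html_encode(value):
    """Stand-in for Server.HTMLEncode: &, <, > and quotes become entities shown as text."""
    return html.escape(value, quote=True)


def validate_id(value):
    """Allow-list check for a numeric id: only a short run of digits passes, else None."""
    return int(value) if re.fullmatch(r"[0-9]{1,9}", value) else None


def render_item_page(url, mode):
    """Body of showitems.asp under each strategy discussed on the page."""
    raw = query_param(url, "id")
    if mode == "unsafe":        # response.write(request.querystring("id"))
        shown = raw
    elif mode == "strip":       # response.write(stripTags(...))
        shown = strip_tags(raw)
    elif mode == "encode":      # response.write(server.HTMLEncode(...))
        shown = html_encode(raw)
    else:                       # "allowlist": reject anything that is not an item number
        item = validate_id(raw)
        shown = str(item) if item is not None else "invalid id"
    return "<p>Item: " + shown + "</p>"


if __name__ == "__main__":
    for mode in ("unsafe", "strip", "encode", "allowlist"):
        print(mode.ljust(10), render_item_page(BAD_URL, mode))
```

Note that the web server decodes %3C to < before the page code ever sees the value, so the hex form is caught by the same checks as the literal one, while the allow-list version never has to reason about encodings at all.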

Testing your website for these vulnerabilities can be very tedious, particularly if it’s a large site, so what’s needed is an automated way of testing, and thankfully there’s a very good tool available to Windows users called Acunetix Web Vulnerability scanner (www.acunetix.com) that will test for all sorts of problems. However, it’s quite expensive for the small developer, at $6,900 (£3,922) for the version that allows you to scan customers’ sites. If you just want to scan your own sites then it’s “only” $5,000 (£2,842), but either way it’s a lot of money. There’s a free version that does test for XSS vulnerabilities for an unlimited time, which is excellent news, but it won’t test every page in a site, just those that seem to be linked in such a way that they might be vulnerable – you need to be aware of this and test any pages it misses.

Another XSS testing tool is the open-source OWASP CAL9000, which is totally free and downloadable from www.digilantesecurity.com/CAL9000. I found it complicated to use and its UI didn’t display correctly in some browsers I use, but I was spoilt by using Acunetix first. Acunetix is the better tool and is considerably more automated, as it will trawl a site following links and trying a range of attacks. The results are stored in a database, so you can manually relaunch the attack later – very useful to test changes you’ve made to your pages and saving the time it takes to do a complete scan after each modification. The software also gives plenty of information about the form of the attack, which helps when deciding how to stop it. The free licence doesn’t allow you to test websites that don’t belong to you, although unscrupulous users could use it to find vulnerable sites (which shouldn’t worry you because yours isn’t vulnerable, is it?).

Indigestion

Staying on the theme of security, many Internet Payment Providers are now insisting that previously voluntary security measures become compulsory, mainly to prevent XSS attacks. The latest IPP to enforce this is SecPay, now part of Pay Point. With each credit card transaction you now have to send a “digest” value – a string containing the transaction number combined with the amount plus a private key value, the whole lot encrypted using MD5 and sent to Pay Point. Your private key has previously been registered with the company and so its system can decode this “digest” value and check that the transaction number and amounts agree: if not, the transaction fails. The code to implement this isn’t difficult and it took me about an hour, including testing, to implement and inform Pay Point of the private key. MD5 encryption routines are available free of charge for all languages, and a simple web search should find one you can use.

However, things weren’t so easy when we came to implement the changes in Actinic, which we use for a couple of online shops. As the “digest” key is no longer optional, it was here that problems started, because the Actinic Payment Provider module for SecPay doesn’t support the digest key. Looking at its forum it appears Actinic doesn’t see it as its problem but SecPay’s, which isn’t very helpful. I emailed Actinic support and got the same response, and as I had to come up with a solution I removed SecPay as a payment method from my shops and added PayPal until a solution is offered.

Missing hints

All this editing of older sites led me to try out the normally excellent Visual Studio 2008 to edit and test some ASP code. This code wasn’t ASP.NET but the pre .NET version, and I was shocked to see all intellisense and code hinting was missing for ASP, turning Visual Studio 2008 into little more than a large notepad for ASP projects! A dig through the forums showed this was correct behaviour, but quite what they were thinking isn’t clear. The only suggestion I could find from Microsoft was to use Visual Studio 2005 as well, which is okay if it’s installed first. If you try to install it after the 2008 version, you’ll find a lot of the .NET file associations point to Visual Studio 2005. Of course, you can reinstall Visual Studio 2008 after you’ve installed 2005, and that will fix these associations – after all, you didn’t need to get any real work done this week did you?

Photosynth

The other day Microsoft launched Photosynth, which is an interesting way to produce a 3D world from a bunch of photos. The results can be very impressive, enabling the viewer to browse and “walk around” a scene online. To display high-resolution images on the web and allow the viewer to zoom into them, Photosynth uses the “Deep Zoom” technology built into Silverlight. Currently, your Photosynth project has to be hosted on Microsoft Live servers, although apparently there’s a plan to make the server-side code available.

So how do you make your own ‘synth? The first stage is to take some photos, which is surprisingly tricky – Photosynth will still work, but best results occur only if you take the right sort of photos. It uses texture to identify similar features so, as I discovered, a flat surface with writing on isn’t identified correctly. Your photos need to overlap so the software can work out their correct order, and you need a lot if the area to cover is large (if it isn’t large the whole point of Photosynth is lost).

I went to listen to a talk by James Glossop, The Times Young Photographer of the Year 2008, who had experimented with Photosynth. We were then armed with Nikon D60 cameras and treated to a trip on the London Eye with the aim of making a community Photosynth project. I’m afraid Mac users won’t be able to view these, as the technology makes extensive use of DirectX and there are no DirectX drivers for Macs. Hopefully, this will be addressed in the future, but in the meantime a rather amusing message was displayed saying they were sorry “but we’re not cool enough yet to support Macs”. However, when I looked just now I saw this message has been replaced by a more staid one about “not being supported on your operating system”. What a shame, for a moment there Microsoft looked as though it had a sense of humour…

This reliance on DirectX isn’t too surprising, but if you’re running Windows in a virtual machine as I do then if you use Parallels you’ll find Photosynth won’t work for the same reason. Help is at hand, though, as the beta version of VMware Fusion 2 runs Photosynth in a virtual machine on a Mac. Inspired by this fun way of taking photos, and while attending a large gathering of hot rods and custom cars over a bank holiday weekend, I decided to have a go myself.

After going on the world record-breaking cruise (647 cars) the day before, I decided to try to do a ‘synth of the display area on the public day. I shot around 250 pictures, and afterwards loaded them into the free downloadable Photosynth generator program running on a fairly powerful laptop – the processing and uploading took six and a half hours and then failed, but a second attempt was quicker and uploaded successfully. The result was fun to see (just do a search for NATS on www.photosynth.com). After you’ve successfully uploaded your images, the website will tell you how good a match the software managed to make across them all: this value is called “Synthy” and one aims for 100% synth. My first attempt was 11%, so I obviously needed to take far more than 250 photos!

I found this need to take so many snapshots unsatisfactory, but it got me thinking about ways of getting a lot of photos. Obviously a community project where several people supply photos could be fun, but the problem would still be whether it would produce a good ‘synth, since most people would take very similar views, rather than the less interesting shots needed to join up the rest. Thinking back to Jon Honeyball’s recent article about the very-high-res Red video cameras that are either 3K or 5K lines, individual frames from these are the same quality as most digital still cameras, so a quick pan using one of these could produce all the boring images a ‘synth would need.

The ability to build a realistic 3D world from individual photos has many possibilities. Perhaps the technique could be used for recording car accident scenes, enabling the emergency services to clear the roads more quickly; now that would be a good use of technology. Remember that Photosynth is not the same as stitching together photos into a panorama, but creates a 3D world without needing aerial shots or complicated cameras. It’s a great way of presenting a large area for exploration by online viewers, but no amount of reading about it will help you understand it fully: get out there and give it a try. It really is a fun way of displaying your photos, and with 20GB of free storage there’s plenty of room for your experiments.