Cross Site Scripting Prevention in Sun Java System Web Server 7.0

Cross Site Scripting Prevention in Sun Java System Web Server 7.0

    Check out the new improvements we made in Sun Java System Web Server 7.0. It can be downloaded for free from http://www.sun.com/download/index.jsp?cat=Web%20%26%20Proxy%20Servers&tab=3&subcat=Web%20Servers. In this blog I will talk about Cross Site Scripting (XSS) prevention.

Obj.conf now supports a lot of features which allows you to use it a lot like a programming language, which allows us to configure in our Web Server features similar to in ModSecurity Apache Module.

The main method of preventing Cross Site Scripting (XSS) is through entity encoding, using entities such as "<".  We now have a introduced a native input stage filter based on sed which can do XSS filtering. This sed-request filter applies sed edit commands to an incoming request entity body, e.g. an uploaded file or submitted form.

Input fn="insert-filter" ... filter="sed-request" sed="script" [ sed="script" ... ]

Where "script" is the actual sed script you want to run on request body.
For example, if we take example of request body posted in HTML form containing  "<" and ">" characters. In ModSecurity in Apache server you have SecFilter like

SecFilterEngine On SecFilterScanPOST On SecFilter "<(.|\n)+>"

By adding the following in obj.conf, Web Server 7.0 will encode any < and > characters.

Input fn="insert-filter" method="POST" filter="sed-request" sed="s/(<|%3c)/\\&lt;/gi" sed="s/(>|%3e)/\\&gt;/gi"

* Note that because POST bodies are usually URL-encoded, it is important to check for URL-encoded forms also when editing POST. "%3C" is the URL-encoded form of "<" and bodies. "%3E" is the URI-encoded form of ">".

---

In Web Server 7.0 update 2 or 3 onwards, you can have a config file myrules.txt as shown below

SecRuleEngine On SecRequestBodyAccess On SecRule REQUEST_BODY "<(.|\n)+>"

I have added in server.xml <config-file>myrules.txt</config-file>

I have added a simple cgi script to test my stuff.

$cat https-test/docs/cgi-bin/test.pl #!/tools/ns/bin/perl5 binmode(STDOUT); binmode(STDIN); if ($ENV{'REQUEST_METHOD'} eq "POST") {     read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});     @pairs = split(/&/, $buffer); } else {     @pairs = split(/&/, $ENV{'QUERY_STRING'}); } foreach $pair (@pairs) {     ($key, $value) = split(/=/, $pair);     $value =~ tr/+/ /;     $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;     $value =~ tr/\cM/\n/;     eval("\$$key = \"$value\"");     $FORM{$key} = $value; } print "Content-Type: text/html\n\n"; print "CGI values passed\n\n"; if ($#pairs < 0) {     print "No CGI Variables\n"; } else {     foreach $var (keys(%FORM)) {         print "$var $FORM{$var}\n";     } } exit;

So when we send a request without < and > , it goes through fine as shown below

$telnet 0 3333 POST /cgi-bin/test.pl HTTP/1.0 Content-length: 10 abcde12345 HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Wed, 16 Jul 2008 07:56:47 GMT Content-type: text/html Connection: close CGI values passed abcde12345

When we send request with < and > as shown below we get forbidden error

$telnet 0 3333 POST /cgi-bin/test.pl HTTP/1.0 Content-length: 10 ab<cd>12 HTTP/1.1 403 Forbidden Server: Sun-Java-System-Web-Server/7.0 Date: Wed, 16 Jul 2008 07:57:24 GMT Content-length: 142 Content-type: text/html Connection: close <HTML><HEAD><TITLE>Forbidden</TITLE></HEAD> <BODY><H1>Forbidden</H1> Your client is not allowed to access the requested object. </BODY></HTML>

When we send a request with just < it doesn't match the pattern, and hence passes :

$telnet 0 3333 POST /cgi-bin/test.pl HTTP/1.0 Content-length: 10 ab<cdef12345 HTTP/1.1 200 OK Server: Sun-Java-System-Web-Server/7.0 Date: Wed, 16 Jul 2008 07:58:03 GMT Content-type: text/html Connection: close CGI values passed ab<cdef123

More details on SecRule and other related Directives supported in Web Server 7.0 update 2 onwards are in this blog.

Posted by meena ( Jun 13 2006, 11:49:12 AM IST ) Permalink Comments [0]