I wish there was a do/don't list (such as input sanitation, etc.) which when respected, such attacks are nearly impossible to succeed.
Take a look at the OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Aha, you'll be wanting the XSS (Cross Site Scripting) Prevention Cheat Sheet and the SQL Injection Prevention Cheat Sheet from OWASP, then.
Related
Do any tools exists that will scan ColdFusion source code and locate XSS vulnerabilities?
Say for example a programmer wrote something like this:
<cfoutput> This is a #url.cat#. </cfoutput>
The tool would need to locate un-sanitized code.
Update:
While all of the answers and feedback so far are accurate, none point to a tool which can be run against the source code directly.
I personally know how to write code which is xxs safe. Also I can manually find, detect and correct XXS vulnerabilities. I am looking for something automated which can scan thousands of .cfm and .cfc to automate the processes.
Probably the correct answer is that such a tool does not exists. There are companies such as VeriCode which offer a service do such things. They have an automated process which in my opinion does a horrible job because of it's inability to follow code logic.
Anyway, I'll give all +1s and at this point leave the question unanswered.
Update 2: Someone did answer that I would not find a tool, so I will mark this as accepted.
Not specific to XSS but Pete Freitag has a tool that will scan your ColdFusion server for vulnerabilities. The site is Hack My CF. I believe there is a free scan option and they also offer monthly subscription options. I think the tool includes some XSS checks as well.
If you're using ColdFusion 10, you should read this article: http://www.isummation.com/blog/day-2-avoid-cross-site-scripting-xss-using-coldfusion-10-part-1/
I don't think you'll find a tool that checks your actual code, XSS tools out there focus on the form inputs, etc. You might be able to write a script parser yourself that looks for <cfoutput> tags in your ColdFusion file and then looks to see if any of the tags mentioned are present, but trying to define a set of rules for when variables should or should not be wrapped by XSS preventing functions would be almost impossible. You really need to look at each variable and its context.
There are some things you can do in ColdFusion to prevent XSS attacks though as mentioned in the article above and this one: http://www.mindfiresolutions.com/Prevent-crosssite-scripting-attacks-in-ColdFusion-1341.php
Although not ColdFusion-specific, there are several plugins for Fiddler which can detect or hint at where XSS flaws may exist. I've tried out watcher before and found it gave me some useful pointers.
This semi-new tool, security analyzer, for the ColdFusion Builder sounds promising: http://www.adobe.com/devnet/coldfusion/articles/security-analyzer.html.
And VERACODEs scanning is much better nowadays: http://www.veracode.com/
Is there a framework to unit test applications categorized under Business Intelligence - especially on the microsoft platform? I am particularly looking at ETL, SSRS and SSAS based apps. I have heard people doing it the manual way by writing scripts. I thought of getting inputs on any frameworks or tools or practices that can reduce the manual effort.
You should check Nbi. This framework let you check the structure and members of your cubes but also compare query, mdx or sql, results to predefined or dynamic results. The documentation is relatively exhaustive for an open-source project
Please refer to the URL: http://rsunit.codeplex.com. Certainly it lacks documentation now. This might be helpful to you.
I'm using TinyMCE as my online editor but I'm concerned of XSS attacks etc..
I though of replacing all < and >, but that doesn't seem to be an option with this kind of editor and I'm not sure removing script tags is enough too (what about onclick, onmouseover and other events).
What should be my approach to avoid such attacks?
You have to choose, security or convenience. The WYSIWYG editor like TinyMCE is very convenient. It allows non-experts to use a web interface to update some content with or without html tags. Its the lazy way to allow someone non-technical to update html, and it comes with all kinds of hazards.
When you give users access to TinyMCE interface to your database it is absolutely equal to giving them a database client to update data directly in your database.
ALso, note that today there is a great deal of Cross-Site-Scripting that is not malicious, that is in fact facebook, linkedin, youtube, etc integration that requires script references to third party domains etc.
So if you harden the TinyMCE tool so that XSS can not be added it will be useless to a serious web developer in many scenarios.
But if you need to make an add/edit/update/delete editor XSS proof you need to validate and sanitize all inputs and your best choice is to roll your own.
In theory you can eliminate XSS like this, but in practice its difficult. There always seems to be something that you've overlooked.
The best way I've found is to use a regular expression to only permit use of certain tags that you specify ( <strong>, <em> etc) and remove all others. You also need to look for attempts to circumvent your protection by users encoding characters.
I am looking for some kind of web regression testing tool. I would like it to be free and also allow me to verify download links.
any suggestions are welcome
http://seleniumhq.org/ - free, programmable, probably close to industry standard.
I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications.
I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development).
Is anyone aware of a similar tool? Preferably it should be:
cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
open source (I really like being able to audit my security tools)
able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)
Edit: I'd like to clarify my goal: I'd like a tool that directly writes the result of a successful XSS/SQL injection attack into the database. The idea is that I want to check that every place in my app does correct output encoding. Detecting and avoiding the data getting there in the first place is an entirely different thing (and might not be possible when I display data that's written to the DB by a third-party application).
Edit 2: Corneliu Tusnea, the author of the tool I linked to above, has since released the tool as free software on codeplex: http://xssattack.codeplex.com/
I think metasploit has most of the attributes you are looking for. It may even be the only one that has all of what you specify, since all the others I can think of are closed source. There are a few existing modules that deal with XSS and one in particular that you should take a peek at: HTTP Microsoft SQL Injection Table XSS Infection. From the sounds of that module it is capable of doing exactly what you are wanting to do.
The framework is written in Ruby I believe, and is supposed to be easy to extend with your own modules which you may need/want to do.
I hope that helps.
http://www.metasploit.com/
Not sure if this is what you're after, its a parameter fuzzer for HTTP/HTTPS.
I haven't used it in a while, but IIRC it acts a proxy between you and the web application in question - and will insert XSS/SQL Injection attack strings into any input fields before deeming whether the response was "interesting" or not, thus whether the application is vulnerable or not.
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
From your question I'm guessing it is a type of fuzzer you're looking for, and one specifically for XSS and web applications; if I'm right - then that might help you!
Its part of the Open Web Application Security Project (OWASP) that "jah" has linked you to above.
There are some Firefox plugins to do some XSS testing here:
http://labs.securitycompass.com/index.php/exploit-me/
A friend of mine keeps saying, that php-ids is pretty good. I haven't tried it myself, but it sounds as if it could approximately match your description:
Open Source (LGPL),
Cross Platform - PHP is not in your list, but maybe it's ok?
Detects "all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks" (this is from the FAQ)
Logs to databases.
I don't think there is such a tool, other than the one you pointed us to. I think there's a good reason for that: It's probably not the best way to test that each and every output is properly encoded for the applicable context.
From reading about that tool it seems the premise is to insert random xss vectors into the database and then you browse your application to see if any of those vectors succeed. This is rather a hit and miss methodology, to say the least.
A much better idea, I think, would be to perform code reviews.
You may find it helpful to have a look at some of the resources available at http://owasp.org - namely the Application Security Verification Standard (ASVS), the Testing Guide and the Code Review Guide.