Cross-site scripting (XSS) has been a popular finding for me in 2021: I have discovered five XSS vulnerabilities that have been assigned CVEs. Additionally, it has been present in recent application testing as well, so I thought it would be beneficial to cover XSS in more depth.
This video is the first in a series of blog posts that will describe various cross-site scripting attacks, remediations, and specific areas to look out for that I have seen overlooked in the sanitization of user-supplied data. This video covers the basics of cross-site scripting, including reflected, stored, and DOM-based XSS. Additionally, I’ll discuss remediation to protect against these attacks. Future videos will cover filter evasion and side-loading payloads, as well as cookie theft and advanced payloads.
I hope this video and the ones that follow give you a better idea about how cross-site scripting works, why it’s dangerous, and how to prevent it from happening to your company.
I’m Brian Tant, and I serve as Raxis’ VP of Engineering. This week, I’m the subject of our in-house infosec inquisition where I’ll be asked all manner of probing questions intended to give you, the reader, some insight into the machinations of a troubled mind. Normally, I avoid this type of thing, but, after a series of increasingly dire threats from our COO, Bonnie Smyre, I relented.
Jim: When did you first get into security?
Brian: Do you want the professional answer or the seedy underground one?
The professional version is that I started in IT at the ripe age of 17. I lied about my age to get on with a tech staffing company. They made me do a series of placement tests, although back in the day we used paper.
Jim: [shudders]
Brian: I know, right? Anyways, I had been doing computer stuff for a while and the tests were pretty basic. I did well enough that I bubbled up to the top of the roster for a big brand company looking for a tech. They brought me in and made me a field technician day one. It was the typical firehose-sippy-cup experience that comes with jumping up a level.
Fast forward several cubes later. At some point, I found I had a knack for Terminal Server and Citrix and did that for several years. My last deployment was one of the largest Citrix farms in the world at the time: 1000+ servers and 30k concurrent users across the globe.
Jim: And then?
Brian: I got bored. How many times a day can you hear the phrase, “I can’t print” before you start questioning some fundamental life choices. I loved the tech, but the users. Oi.
Jim: So where does security come into the picture?
Brian: Ah. For that we have to revisit the dark, seedy part I mentioned earlier. Back in the 90s, the hacker scene was mostly to do with phones and usenet groups. Networks were mostly flat, and email was a cool idea that would never take off. My taste for mischief found a home in that community. Twenty-some-odd years later I decided to rekindle that and found that there was a whole sector of talented folks that shared a passion for devious tinkering.
Jim: And the rest of the story?
Brian: As a Raxis Paul Harvey would say…
Jim: Wow.
Brian: Yep. I am that dork. Mark (our esteemed CEO) took a chance and brought me onboard Raxis early on. We were tiny, but eventually found our voice. Since then, we’ve grown, and I’ve been privileged to be a part of building something special. What we have here is a real sense of family. I can’t imagine being anywhere else.
Jim: Switching gears. If there is one thing I’ve learned working with Raxis it’s that you guys roll hammer down all day. The pace is frenzied, and things are always changing. How do you unplug?
Brian: As my wife will tell you, I have a problem with hobbies.
Jim: Oh?
Brian: Most of them tend to connect with farming or agriculture in some way. We have a small homestead where we keep bees, goats, worms, chickens and an indeterminate number of dogs and cats at any given time. I sit on the board of directors for the local farm bureau and chair the beekeeping club.
Jim: No shortage of fur-babies then.
Brian: I also make wine, mead, soaps, preserves, and have been known to run a still now and again. For a while I even made a podcast that gained a modest following. I do a lot of backpacking and am a master diver.
Jim: Back up; a still as in moon-
Brian: As in alternative fuel for small engines.
Jim: [cough] Moving on, if you had to pick a favorite thing about working at Raxis, what would it be?
Brian: Easy. It’s the people. The people are the heart of this company. Raxis is an ego-free zone. We’re all passionate about what we do, but, unlike most shops, Raxis is built on empowerment. We’re only the best if our people are at their best, and that means we take care of each other. The same holds true with our customers. Our success comes from helping them succeed.
As Raxis’ chief operating officer, I’ve been busy prodding coworkers to do these meet-the-team interviews. (Looking at you, Brad, Brian, and Mark). Now, it’s my turn for a conversation with our marketing specialist, and the result is the interview below. I’m more accustomed to conducting interviews than giving them, so, if you’re a qualified penetration tester, check out our YouTube channel and our careers page. If Raxis is the type of company you’d like to work with, who knows – maybe I’ll get a chance to interview you.
Jim: First of all, condolences for your Tarheels’ recent loss to my Seminoles in football.
Bonnie: That’s all right. I’m a baseball fan, so North Carolina will get its redemption in the spring – if not before.
Jim: Really? I wouldn’t picture you as a baseball person. How did you become a fan?
Bonnie: That started while I was at UNC. I was working as a web and database developer for many years. Baseball just seemed to be an athletic extension of that same mindset. As a game, it fit in with the details, patience, and long-game required to code a complex application from start to finish… and end up with a result that faculty, staff, and students were all happy with.
Jim: I don’t think I’ve ever heard anyone make that connection before. Is that what attracted you to a career in IT in the first place?
Bonnie: I was a shy bookworm when I was younger. IT was a field I thought would allow me to work independently and not require me to interact as much with other people. However, as I grew in my profession, I realized that I needed to get past that shyness if I wanted to really make a difference.
Jim: Did that happen naturally, or did you have to work at it?
Bonnie: Oh, I worked on it. I moved on to a development job at PBS North Carolina (UNCTV while I was there). During our pledge drives, I was usually backstage working on a computer, but occasionally I would be on the phones and on live television. There are people who still tell me they remember seeing me on air.
Jim: Did that make you more comfortable being in front of people?
Bonnie: That started me on the path, I think. But the real breakthrough was when I went completely outside my comfort zone and took improv classes for a few years. I was petrified at first, but I met some great people who gave me the courage to get over my fear.
Jim: I think most people would find that terrifying – to be on stage, all eyes on you, and the pressure to be funny.
Bonnie: Improv isn’t like stand-up comedy. The whole point is that you are not alone. The team has your back, and you have theirs. It gives you a confidence to just run with what pops into your head & see if it’s funny.
Jim: Okay, so you’re a veteran IT pro and you’ve got all this improv experience. How did you find your way to Raxis and bring those skills together?
Bonnie: Our CEO, Mark Puckett, & I were good friends in high school, and I met his wife when her mom and dad were “band parents” for the marching band. (I played the flute.) In 2014, I moved back to the Atlanta area to be closer to my family and began working as a penetration tester at Raxis. When my first PSE (physical security evaluation) job came up, I found that my improv experience helped me think on my feet.
Jim: So, improv helped you convince people you were someone else and your IT background allowed you to capitalize on that?
Bonnie: Yep. It’s a bit scary how often people believed me, but the good news is, it was all for educational purposes. Once they see how easy it is for someone to slip past their security, it helps them better understand what they need to do to protect themselves and their companies.
Jim: Unlike other companies, most of Raxis’ best work has to stay confidential for obvious reasons. In the absence of outside validation, what makes the work fulfilling to you?
Bonnie: As I’ve grown in this job from pen tester, to project manager, to leading operations, I’ve found that I’m no longer in a shy IT position. Just like my improv team made me feel safe to try new things, the team here at Raxis makes things fun every day. It honestly doesn’t feel like a job. I get to work with great people and do what I love each day.
The Open Web Application Security Project (OWASP) Top 10 is intended as a guide to help security professionals prioritize the most common and urgent web application threats that they or their clients are likely to face. By collecting and analyzing data over time, OWASP is a source of both intelligence and awareness for the people responsible for building secure applications. Raxis uses the OWASP Top 10 as a baseline when assessing web applications, ensuring that our customers are guarding against each of the most common threat categories. Of course, our testing goes well beyond the items on the list, but it is an effective starting point for security assessments.
What Is a Broken Access Control?
Broken access control, not to be confused with broken authentication, happens when a user unintentionally is granted elevated permissions or access to an application, user role, or domain. But what does that mean to website users? It means that the user, whether a hacker or someone unintentionally discovering the vulnerability, gains access that was never intended, whether that is access to private information for other users or access to an admin page that allows them to perform actions few people should be allowed to do.
When a web app fails to enforce proper access controls, the results can be unauthorized disclosure of sensitive information, modification or destruction of data in the system, or the ability to perform a business function the user should have no authority to perform.
This vulnerability has moved from the fifth position all the way to first in the new 2021 OWASP Top 10 update. According to the OWASP Foundation, 3.81% of the applications tested had some form of broken access control. While that may sound like a small percentage, the cost is high when you realize the sensitive data and systems that could be exposed.
A Few Examples
Many web applications can have a user login page with data such as credit card, phone number, or address information. Let’s consider two users of that application, Fred and Karen. If Karen was logged into her profile, she might see a URL similar to the link below:
website[.]com/app/acctinfo?user=karen
But what happens if she can simply change “karen” on the end of the URL to “fred”? We would get the URL below:
website[.]com/app/acctinfo?user=fred
By itself, that is not broken access control. If the application is secure, Karen would be denied access. However, if Karen was then able to see the information in Fred’s account, it would be an example of broken access control. But why stop there? Once Karen realizes she can see Fred’s personal information, she might write a script that tries common names of other people to gather thousands of credit cards to sell on the dark web.
Another example of a broken access control is the ability to access a server status or web app information page that should not be public to all users. If an unauthenticated user can access either of the two example pages below, it would be a form of broken access control.
website[.]com/server-status
website[.]com/app/getappinfo
Why would that be important? Many attacks require multiple steps, and each step that provides information helps the hacker understand if their actions are working or not. A hacker may use a server-status page to see if their attack is successful, or they may use the getappinfo page to find out what software the server is using so they know what type of attacks to try.
How to Prevent Broken Access Control
Remediating broken access control is not a one-size-fits-all concept. Just like people are all unique and beautiful in their own way, and deserve to be treated fairly, not tossed aside… err [deep breath] ahem. Really sorry. Website developers must implement trusted server-side code or APIs that do not allow attackers to modify the access control checks or metadata.
The list below is a good place to start with hardening Access Controls in your environment:
Implement deny-by-default on everything except public resources.
Minimize Cross-Origin Resource Sharing (CORS) usage, and implement access control mechanisms once, reusing them throughout the application rather than re-implementing the checks in each handler.
Enforce record ownership rather than accepting that the user can create, read, update, and/or delete any record.
Ensure file metadata and backup files are not present in web roots.
Disable web server directory listings.
Set rate limits for API and controller access to minimize the harm that automated attack tools can do.
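The Karen/Fred URL example and the hardening list above can be shown together in one small request pipeline. The following is an added example and is not Raxis code: the account records, user names, the "ops" admin user, the route table and the status codes are constructed for illustration. The vulnerable handler picks the record from the client-controlled `user` parameter, exactly the flaw in the article; the hardened path applies deny-by-default routing (unlisted paths such as `/app/getappinfo` are never served), record ownership derived from the server-side session, and a per-user rate limit.

```python
"""Broken access control on a small in-memory request pipeline.

Added example, not Raxis code: the account records, user names, roles and
route table are constructed for illustration. The vulnerable handler trusts
the ?user= parameter exactly as in the Karen/Fred URL above; the hardened
pipeline applies deny-by-default routing, record ownership and rate limiting.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import time

# Constructed sample account data, keyed by the owning user.
ACCOUNTS = {
    "karen": {"owner": "karen", "phone": "555-0101", "card_last4": "4242"},
    "fred": {"owner": "fred", "phone": "555-0102", "card_last4": "1881"},
}


@dataclass
class Request:
    path: str
    query: Dict[str, str]
    session_user: Optional[str]        # None means unauthenticated
    roles: frozenset = frozenset()     # from the server-side session, never from the client


@dataclass
class Response:
    status: int
    body: object = None


# Vulnerable: the record returned is chosen by a client-controlled parameter.
def acctinfo_vulnerable(req: Request) -> Response:
    record = ACCOUNTS.get(req.query.get("user", ""))
    if record is None:
        return Response(404)
    return Response(200, record)       # user=karen -> user=fred returns Fred's data


# Hardened: ownership is checked against the session, not the URL.
def acctinfo_hardened(req: Request) -> Response:
    if req.session_user is None:
        return Response(401)
    record = ACCOUNTS.get(req.query.get("user", req.session_user))
    # A missing record and a record the caller does not own get the same
    # answer, so the response cannot be used to enumerate valid user names.
    if record is None or record["owner"] != req.session_user:
        return Response(404)
    return Response(200, record)


def server_status(req: Request) -> Response:
    return Response(200, {"status": "ok"})   # stand-in for an admin-only status page


# Deny-by-default route policy: a path that is not listed is never served.
ROUTE_POLICY = {"/": "public", "/app/acctinfo": "authenticated", "/server-status": "admin"}
HANDLERS = {
    "/": lambda req: Response(200, "welcome"),
    "/app/acctinfo": acctinfo_hardened,
    "/server-status": server_status,
}


class RateLimiter:
    """Fixed-window request counter per key (session user or client address)."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self._hits: Dict[str, Tuple[float, int]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window:       # window expired: start counting again
            start, count = now, 0
        self._hits[key] = (start, count + 1)
        return count < self.limit


def dispatch(req: Request, limiter: Optional[RateLimiter] = None) -> Response:
    """Apply rate limit, then route policy, then the handler's own ownership check."""
    if limiter is not None and not limiter.allow(req.session_user or "anonymous"):
        return Response(429)
    policy = ROUTE_POLICY.get(req.path)
    if policy is None:
        return Response(404)                 # unregistered path, e.g. /app/getappinfo
    if policy == "authenticated" and req.session_user is None:
        return Response(401)
    if policy == "admin" and "admin" not in req.roles:
        return Response(401 if req.session_user is None else 403)
    return HANDLERS[req.path](req)


if __name__ == "__main__":
    karen_reads_fred = Request("/app/acctinfo", {"user": "fred"}, "karen")
    print("vulnerable handler:", acctinfo_vulnerable(karen_reads_fred).status)  # 200
    print("hardened pipeline: ", dispatch(karen_reads_fred).status)             # 404
    print("anonymous /server-status:", dispatch(Request("/server-status", {}, None)).status)  # 401
```

Two design choices matter here. The hardened handler answers 404 for both a nonexistent account and another user's account, so the response cannot be used to confirm which user names exist, which is what turns the single Karen-reads-Fred bug into a mass harvesting problem. The route policy is a closed list: adding a new endpoint without an entry leaves it unreachable rather than accidentally public, which is the practical meaning of deny-by-default.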
I’m Scottie Cole, and this week, it’s my turn to be interviewed by our marketing specialist. Unlike my Raxis colleagues, I’ve been friends and worked with Jim for well over a decade (that is, if you consider what he does actual ‘work.’) What follows is our best attempt at an interview, but it highlights one of the things I like best about this team: For as hard as we work, we also have a lot of fun. If that sounds like an environment that would bring out your best, check out our careers page and learn more about our opportunities.
Jim: I seem to remember you having much darker hair when we first met.
Scottie: That’s right! And I seem to remember you actually having hair when we first met.
Jim: True enough. You were responsible for our internal security at the cybersecurity company where we both worked for many years. Some of our readers might think that would be an easy job or maybe even redundant.
Scottie: Thanks to you and your marketing people, I always had plenty of new risks to mitigate.
Jim: You’re welcome.
Scottie: Seriously, security companies are frequent targets of hackers, so we have to pay extra attention to keeping our own house in order. We have customers counting on us, of course, but we also have our reputation to protect. That raises the stakes and adds a lot of pressure.
Jim: Given your previous jobs, you were accustomed to working under pressure, right?
Scottie: I spent several years as a dispatcher, a firefighter, and a law enforcement officer. Those jobs gave me plenty of experience working in high-stress situations. In cybersecurity, the ‘bad guys’ are different, and the fire drills aren’t literal, but the consequences can still be very severe. That’s especially true when you consider how many devices are being connected to the internet now.
Jim: You’d know that better than most. Your house is like Area 51, except with more electronics.
Scottie: Well, maybe more radios.
Jim: That’s right. You’re a HAM radio operator. How’d you get into that? More importantly, why?
Scottie: As a dispatcher, I became fascinated with radios. When cell service and other forms of communication go down, the HAM operators can continue to broadcast, and that’s an important civil defense benefit. During the terrible hurricane in Puerto Rico, for example, it was the HAM operators providing updates to people in the US. Think about how relieved people were to hear that their loved ones were okay. Or how important it was to know what relief supplies were needed where.
Jim: Is that how you found your way into the IT security world?
Scottie: That was actually more by chance than by design. As you remember, our former company was growing fast, especially in the early days. They needed help, so a friend of mine offered me an opportunity to join the team and learn about infosec. Being a first responder was a great job, but cybersecurity offered better pay and more predictable hours… in theory.
Jim: I’ve asked other team members how they found Raxis, but as I understand it, Raxis found you.
Scottie: That’s right. In my previous job, I didn’t like to take phone calls for security reasons.
Jim: I thought it was only my calls you didn’t take.
Scottie: There were a lot of reasons I didn’t take your calls. But I was always wary, and the folks at the front desk knew to screen everyone. But (Raxis’ COO) Bonnie Smyre actually got me on the phone to talk about doing a penetration test for us. My first thought was, “She must be really good if she got through that easily.”
Jim: Did you hire Raxis for the pentest?
Scottie: Yep. But I also got to know Bonnie, (VP of business development) Brad Herring, and (CEO) Mark Puckett and realized this is the type of work I want to do, and they are the people I want to work with. As I met other team members, I knew it was a great culture and a great team, so I jumped at the opportunity to join them.
Jim: What’s your favorite part of the job?
Scottie: What’s not to like? I get paid to hack into other people’s networks. I get to learn from the best in the business and share what I know with them. It’s an outstanding company in a space that’s becoming a lot more important. When business owners say that a network breach would be more damaging than a fire, you understand just how critical cybersecurity is in our daily lives.