Frequently Asked Questions
What are the prerequisites for the course? Do you have to be a developer to successfully complete this course?
Yes, you must be a developer.
What was the content of the .raw file?
The content of the .raw file was a copy of the http request that we intercepted. And, SQL map actually took that content and injected malicious characters into it in an effort to carry out an attack.
Where are XSS injected code stored? On user machines, servers or somewhere else?
Where it’s stored depends on the type of XSS attack. In this case the attack is stored in the product microservice, in the product database, stored back-end service. And a copy was sent down to the users that clicked on the review; then they were attacked. In this case, it’s stored on the server. There are variants where they’re not stored anywhere, and then delivered.
Why prevent the script tags and the output rather than filtering before saving in the database?
Filtering the input of data is referred to as blacklisting or negative validation, where you want to take out the known bad characters as the data comes in. The problem with that, is that data could be a usability issue. You want to leverage encoding for wherever that data is going to be used, because of the properties for wherever it is being consumed. For example, if you filter out ‘<’ and ‘>’ to attempt to stop XSS, the problem is the data could be used in a context in the browser where these characters that you filtered out don’t matter. So, you have to be sensitive to the context where the data is being used. In that case, the attack is still going to work. You can’t know that beforehand, before data comes in, in this case. It’s all a matter of where the data ends up. And, that’s why you want to leverage encoders versus filtering on the way in.
I’ve heard that apps developed on Ruby on Rails do not allow SQL Injection or XSS. Is it because it has a template?
Good question. SQL Injection will be covered in the next webinar. ORM technologies help prevent the risk of SQL injections.
Can we use ESAPI encoder for HTML too?
You can if that’s already in your product and your project and you’re using it. And you don’t select something from the ground up, that should be fine. I don’t know how well the ESAPI project is maintained.
What was the name of the editor that you used?
I used VScode, Visual Studio code which is good for web technologies. There are a lot of good plugins. I use it for everything, except for big projects where manual refactoring is difficult.
You showed JavaEE with JSP code. What about JSF?
As far as I know it does have output escaping on board. Java Server Faces does have output encoding. It’s limited to HTML encoding and aggressive output encoding. So, there’s some nice stuff you can do out-of-the-box.
For JSTL, do you have a template that escapes by default?
If you’re using JSTL, which was introduced in the early days of JavaEE, it does do HTML encoding by default. But, that’s it, only HTML encoding.
Is it possible for XSS to affect the external services in any way (as shown in the example application architecture diagram)?
Absolutely. External services could send XSS attacks to us and we could pass along XSS attacks to them. This is discussed in more detail in a later webinar.
Regarding XSS, encoding only solves half the problem.Sanitizing the input keeps it from encoding and encoding again each time a value is stored in the database.
Sanitizing on the way in is actually a negative pattern and may negatively impact user experience. What if the user’s name is O’Neil? How will you save it to the database? ONeil? O'Neil? Validate for the inputs you expect, but XSS is primarily defeated via output encoding.
WAF helps for incoming filtering; what can we do if introducing a WAF after-the-fact and data is already in the database?
Avoid input filtering. Validation is fine, but filtering can cause multiple pain points and are often the subject of discussion in the security community regarding bypass techniques.
Can you also talk about ESAPI Canonicalization?
I’m not a fan of this idea. If you’re canonicalizing data, you’re validating at the wrong spot.
Is Handlebars a good templating engine?
It likely has baseline encoding (ex: HTML Entities and Attributes), but I have no experience otherwise.
Any auto-encoding template for .NET?
Yes, Razor will give you entity encoding and attribute encoding by default. It does have encoders for other contexts. They’re not necessarily auto-applied for you.
Does using struts tag to render data prevent XSS?
Struts tag does not do HTML encoding for you. Once Struts 2 came out, got on the Spring/Thymeleaf bandwagon, I’m not sure how well it does today. It goes beyond HTML encoding, but you do have stuff out-of-the box.
Do you have any experience with the Vaadin framework?
I am familiar with it, but not from a security perspective. I would expect some level of encoding built-in when the components are generated but I am not familiar with its maturity.
Are "Auto Encoding Templates" the "Parameterized Query for SQL" of the web presentation?
Auto-encoding is for XSS what parameterized query is for SQL Injection.
Which proxy program was used?
Why don't you like Go? It may be a valid reason from the perspective of a security consultant and would be good to hear.
I think it looks ugly. The syntax drives me nuts. Like C with some namespaces. C++ got it better. It’s a cosmetic thing.
Would you consider Microsoft's AntiXSS library implemented as a generic http runtime encoder a good practice vs. implementing contextually?
There are two technologies. Http modules act as filters and can see stuff going in and out. If you’re doing encoding there, it’s not going to work. That sort of suggests that you’re doing encoding going in. The second is http runtime. I’m not entirely familiar with it, but suspect that it helps apply it automatically for you, as it’s being generated for the page by the presentation, and that’s great. Microsoft AntiXSS library is a solid library, and they were the first to push out a library with all these encoders, so if there’s a way you can apply it to your application as it’s being rendered, that’s a huge win.
Any thoughts on the newest .NET tech, -> WPF?
WPF is not subject to XSS unless you misuse the web browser control.
Is it easy to get security right in Spring security?
Spring security makes a number of security patterns easier… if you’re using Spring, then you should strongly consider Spring Security.
Is there a catalog of security design patterns, like the "auto-encoding templates?
Unfortunately no. The security community has not done a great job of defining and promoting a secure design pattern taxonomy.
Wouldn't it be more cost efficient to use WAF/IDPS technology, rather than trying to educate developers? It feels more intuitive to hire some security engineers in order to separate responsibilities: developers develop, while sec guys harden the infrastructure. What is your take on this?
Depends… if the app is legacy, then WAF might be cheaper. But remember that we will never decrease the number of vulnerabilities introduced without educating folks who write the code. Now if you have a security engineering team that builds enterprise security patterns, components, services etc., then great! But you still need to educate developers on how to use those services… Training never goes away.
Does this applies to mobile app framework like Ionic that are built on top of Angular 2?
I’m not familiar with Ionic. But if it’s built on top of Angular 2, Angular 2 does have auto-encoding capabilities for you. Theoretically, you should get some benefits there.
Is there any similar example for AngularJS like rRedux?
Anytime you are rendering templates on the server, you could experience such vulnerabilities.
How do you deal with nested situations in AngularJS and ReactJs? Can I find examples somewhere?
These are tough. You must know your contexts well. Start with the context that generates the template (as we saw in our example), then think about the context in which data lands in the generated template, and go from there… Not fun I know.
What is the usual initial vector for a hacker to insert the HTML tag to redirect to their evil site?
Usually in common “redirect” components, 3rd party / affiliate linking pages, or initial login pages tend to have such redirect components.
How does Angular AoT and http2 server push help avoid security flaws?
Http2 provides little to no benefit in regards to XSS. AoT might help make the underlying frameworks job easier to apply encoding, but you must still be aware of its capabilities.
Is the GO Template integrated with JEE technologies?
How can http referee be validated for preventing XSS?
XSS cannot be prevented by validating the referrer.
Is it possible to sql injection through an IVR system in any way?
I’m not an IVR expert, but it would make for a cool demonstration if the system were able to translate special characters.
Any comments on Vue?
Not from a security perspective. Seems like a cool library though.
Can you comment on VUE.JS related to encoding?
I suspect it has some built in encoding, but I have not dug into it enough.
Apart from encoding, what are other techniques for preventing XSS?
Output encoding is the primary defense. Secondary defense could be input validation. There are examples where output encoding is not going to work. We’ll talk about one of those in the next Secure Coding webinar.
How can we secure web socket communication?
Loaded question. Start by using WSS.