
Improper Output Handling

Corina Aionioaie
25.11.2014

Agenda
1. What is it?
2. Types
3. What does it lead to ?
4. Where can you find it?
5. Attacks and Reports
6. Bibliography

Improper Output Handling

What is it ?

output handling = the way an application generates outgoing data

improper output handling => output data may be consumed in an unintended
way, leading to vulnerabilities and actions never intended by the
application developer

unintended interpretation = critical application vulnerabilities

Improper Output Handling

Types

protocol errors
  missing or improper output encoding or escaping
  outputting of invalid data
application errors (includes logic errors)
  outputting incorrect data
  passing on malicious content unfiltered
data consumer related errors
  indistinguishability between legitimate/illegitimate content
  no workaround for known vulnerabilities in the data consumer
Improper Output Handling

What does it lead to ?

Content Spoofing
URL Redirector
Cross-Site Scripting
XML Injection
HTTP Response Splitting
XQuery Injection
HTTP Response Smuggling
XPath Injection
LDAP Injection
Mail Command Injection
OS Commanding
Null Injection
Routing Detour
SQL Injection
SOAP Array Abuse

Improper Output Handling

Where can you find it ?

anywhere data leaves an application boundary
(leaves one context, enters another)

applications passing data to other applications via :
  web services
  sockets
  command line
  environment variables

passing data between tiers within an application architecture :
  database
  directory server
  HTML/JavaScript interpreter (browser)
  operating system

Improper Output Handling

Where can you find it ?


Depending on where it is placed, several attacks can be put in place:

Inside HTTP Headers
attacks against HTTP headers
=> injection of CR/LF in order to change the HTTP message structure
=> abuse both clients (e.g. browsers) and servers (application servers,
proxies, and web servers)

Notable attacks : HTTP Response Splitting, HTTP Response Smuggling, and
URL Redirector Abuse
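The two header-level defences the slide implies, as an added Python example that is not part of the original deck: a header builder that refuses CR/LF (the structure-changing characters behind response splitting) and a redirect builder that allow-lists the destination host (the defence against URL Redirector Abuse). The host set ALLOWED_REDIRECT_HOSTS and the sample values are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Hosts this application is allowed to redirect to (assumed value for the example).
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}

# CR, LF and NUL can never appear inside a header name or value: a CR/LF pair
# ends the header line and lets the data start a new header or a new message.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def header_value_ok(value: str) -> bool:
    """True when the value cannot alter the header/message structure."""
    return _FORBIDDEN.search(value) is None


def naive_header(name: str, value: str) -> str:
    """The unsafe pattern: user data is concatenated straight into the header line."""
    return f"{name}: {value}"


def safe_header(name: str, value: str) -> str:
    """Build one header line, refusing data that would create further lines."""
    if not header_value_ok(name) or not header_value_ok(value):
        raise ValueError(f"CR/LF or NUL in header {name!r}")
    return f"{name}: {value}"


def redirect_allowed(target: str) -> bool:
    """Allow only absolute http(s) URLs on a known host (defence for URL Redirector Abuse)."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS


def safe_redirect_location(target: str) -> str:
    """Location header for a redirect: host allow-list first, then the CR/LF check."""
    if not redirect_allowed(target):
        raise ValueError(f"refusing redirect to {target!r}")
    return safe_header("Location", target)


def line_count(header_line: str) -> int:
    """Number of lines a receiver would see; a correct header is exactly one."""
    return len(header_line.split("\r\n"))


if __name__ == "__main__":
    # Constructed sample values (not from the page).
    print(line_count(naive_header("Location", "/account\r\nSet-Cookie: session=x")))  # 2 lines
    print(safe_redirect_location("https://app.example.com/dash"))
```

The order in safe_redirect_location matters: urlsplit tolerates stray control characters, so the allow-list alone is not enough and the raw string must still pass the CR/LF check before it is written out.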
Improper Output Handling

Where can you find it ?


Depending on where it is placed, several attacks can be put in place:
Inside HTML Tags
<tag>text</tag>
text :
treated by the browser as text to be displayed to the user
if not properly escaped => unintentionally treated as HTML markup
=> vulnerabilities
<script> and <style> require additional care to prevent the introduction of
additional vulnerabilities
Notable attacks : Cross-Site Scripting, Cross-Site Request Forgery, and
Content Spoofing
Improper Output Handling

Where can you find it ?


Depending on where it is placed, several attacks can be put in place:
Inside HTML Attributes
<tag attr="text">
always requires escaping to avoid the data being inadvertently treated as
HTML markup
additional attention required for src, href, action

Notable attacks : Cross-Site Scripting, Cross-Site Request Forgery, and
Content Spoofing
Improper Output Handling

Where can you find it ?


Depending on where it is placed, several attacks can be put in place:
Inside Client-side Script
application data inside <script> tags deserves special attention
data as script variable content must be quoted and escaped
apps should ensure that the text is treated as data and not as executable
script
even when data is properly escaped => "eval" => XSS

Notable attacks : Cross-Site Scripting, Cross-Site Request Forgery, and
Content Spoofing
Improper Output Handling

Where can you find it ?


Depending on where it is placed, several attacks can be put in place:
Inside XML Messages
application data inserted into XML requires escaping or risks being
treated as XML markup (similar to HTML)
even when properly encoded, some XML message types give certain
attributes and content special meaning that may be interpreted in a
way that leads to a vulnerability

Notable attacks : XML Injection, SOAP Array Abuse, XML External Entities,
XML Entity Expansion, and XML Attribute Blowup
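String templating versus building the document through an XML API, as an added Python example that is not part of the original deck. The element name <note> and the sample user value are constructed for this example; the point is that the same input yields two elements when templated and one element (with the text intact) when the serializer does the escaping.

```python
import xml.etree.ElementTree as ET

# Constructed user-supplied value (sample input, not from the page).
COMMENT = "ok<admin>true</admin>"


def build_note_unsafe(text: str) -> str:
    """String templating: whatever the data contains is parsed as markup."""
    return f"<note>{text}</note>"


def build_note_safe(text: str) -> str:
    """Set the text through the element API; the serializer entity-encodes & < >."""
    note = ET.Element("note")
    note.text = text
    return ET.tostring(note, encoding="unicode")


def element_count(xml_text: str) -> int:
    """How many elements the consuming application sees after parsing."""
    return len(list(ET.fromstring(xml_text).iter()))


def note_text(xml_text: str) -> str:
    """The text a consumer reads back from <note> (empty string when there is none)."""
    return ET.fromstring(xml_text).text or ""


if __name__ == "__main__":
    print(build_note_unsafe(COMMENT), element_count(build_note_unsafe(COMMENT)))  # 2 elements
    print(build_note_safe(COMMENT), element_count(build_note_safe(COMMENT)))      # 1 element
```

Escaping protects the producer side only. The XXE and entity-expansion attacks the slide lists live in the consumer's parser, so untrusted XML should be parsed with DTD and entity processing disabled (for example with the defusedxml package rather than the stock parser).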
Improper Output Handling

Where can you find it ?


Depending on where it is placed, several attacks can be put in place:
Inside SQL Queries
applications must ensure that SQL queries based upon user-influenced
data will not allow the data to be interpreted as instructions to the
database

Notable attacks : SQL Injection


Improper Output Handling

Where can you find it ?


Depending on where it is placed, several attacks can be put in place:
Inside JavaScript Object Notation (JSON) Messages
JSON messages are commonly parsed with the eval() function to create objects
all dynamic data => properly sanitized prior to being included within a
JSON message
quotes or double-quotes : escaped when placed in keys or values

Notable JSON attacks : Cross-Site Scripting, Cross-Site Request Forgery, and
Content Spoofing
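One encoder per output context, as an added Python example that is not part of the original deck and covers the HTML tag, HTML attribute, src/href, client-side script and JSON slides above. The page layout, the USER, LINK and SETTINGS sample values and the function names are constructed for this example; the encoders use only the standard library.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed attacker-influenced values (sample input, not from the page).
USER = '"><script>alert(1)</script>'
LINK = "javascript:alert(1)"
SETTINGS = {"theme": "dark", "motto": "</script><script>alert(1)</script>"}


def for_html_text(s: str) -> str:
    """Text between tags: entity-encode & < > " ' so the browser shows it, not parses it."""
    return html.escape(s, quote=True)


def for_html_attr(s: str) -> str:
    """Value inside a quoted attribute: same entity set; the template must keep the quotes."""
    return html.escape(s, quote=True)


def for_href(url: str) -> str:
    """src/href/action: entity-encoding alone is not enough, the URL scheme must be allow-listed."""
    if urlsplit(url).scheme not in ("http", "https"):
        url = "about:blank"
    return html.escape(url, quote=True)


def for_js_string(s: str) -> str:
    """Inside a JS string literal in <script>: \\uXXXX-escape quotes, backslash, < > & and
    line terminators, so neither the literal nor the <script> block can be closed early."""
    return "".join("\\u%04x" % ord(c) if c in "\\'\"<>&\r\n\u2028\u2029" else c for c in s)


def for_json_in_script(obj) -> str:
    """JSON assigned to a JS variable: json.dumps escapes quotes and control characters but
    not '<', so '</script>' is neutralised separately. Parse it with JSON.parse, never eval()."""
    return json.dumps(obj).replace("<", "\\u003c")


def json_roundtrip_ok(obj) -> bool:
    """The escaped form still decodes to the same object."""
    return json.loads(for_json_in_script(obj)) == obj


def render_page(user: str, link: str, settings: dict) -> str:
    """Each value goes through the encoder for the context it lands in."""
    return (
        "<p>Hello, " + for_html_text(user) + "</p>\n"
        '<input value="' + for_html_attr(user) + '">\n'
        '<a href="' + for_href(link) + '">profile</a>\n'
        "<script>\n"
        "var name = '" + for_js_string(user) + "';\n"
        "var settings = " + for_json_in_script(settings) + ";\n"
        "</script>\n"
    )


if __name__ == "__main__":
    print(render_page(USER, LINK, SETTINGS))
```

The rendered page contains exactly one <script> and one </script>, both from the template: the HTML encoders neutralise the tag characters in text and attribute positions, the JS string encoder does the same inside the literal, and the JSON encoder escapes only what json.dumps leaves alone. HTML entity encoding applied in the script context would not help, because the browser's script parser does not decode entities.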
Improper Output Handling

Where can you find it ?


Depending on where it is placed, several attacks can be put in place:
Inside Cascading Style Sheets (CSS)
common practice to auto-generate CSS
applied via the <style> HTML element or tag
user-influenced data included within CSS : sanitized to prevent the
injection and execution of user-controlled CSS content

Notable attacks : Cross-Site Scripting, Cross-Site Request Forgery, and
Content Spoofing
Improper Output Handling

Where can you find it ?


Besides that, attacks can appear due to several other facts :

not specifying the appropriate charset
  in 2005 : an XSS vulnerability was discovered in Google due to not
  specifying a charset/encoding, such as UTF-8. An attacker was capable of
  injecting UTF-7 into the webpage and executing a malicious payload
  without the use of metacharacters

unicode abuse => attacks the way the data is presented to the user

Improper Output Handling

How to prevent it?


Output sanitization
transforming data from its original form to an acceptable form :
by removal of that data
by encoding/decoding it
methods:
HTML entity encoding : < encoded as &lt;
URL Encoding schemes : < encoded as %3C

Improper Output Handling

How to prevent it?


Output filtering
acceptance or rejection of output based on predefined criteria
steps:
1. matching/comparing a data stream with a predefined set of
characters to determine acceptability
2. acceptable data is processed => unwanted characters are
blocked/stripped/transformed => preventing the application from
processing unrecognized and potentially malicious output
methods:
Whitelist - Allowing only the known good characters
Blacklist - Allowing anything except the known bad characters
Improper Output Handling

How to prevent it?


RegExp
common approach for validation, sanitization, filtering
concise and flexible way of identifying patterns in a given data set

XML Schema Validation

a way of checking if an XML document conforms to a set of constraints


contains essential preprocessor instructions
in security context : schema hardening

Improper Output Handling

How to prevent it?


Protection tools
Microsoft : Anti Cross-Site Scripting Library
guides users and developers with putting measures in place to thwart
cross-site scripting attacks
provides insight into alternatives for proper input and output encoding
where its library routines may not apply
OWASP : ESAPI project
provides guidelines and primary defenses against SQL Injection attacks
provides details on database specific SQL escaping requirements to help
escape/encode user input before concatenating it with a SQL query
Improper Output Handling

Attacks & Reports


<% String email = request.getParameter("email"); %>
...
Email Address: <%= email %>
displays an email address that was submitted as part of a form
form parameter is not encoded => XSS attacks

Improper Output Handling

Attacks & Reports


sub GetUntrustedInput {
    return($ARGV[0]);
}

sub encode {
    my($str) = @_;
    $str =~ s/\&/\&amp;/gs;
    $str =~ s/\"/\&quot;/gs;
    $str =~ s/\'/\&apos;/gs;
    $str =~ s/\</\&lt;/gs;
    $str =~ s/\>/\&gt;/gs;
    return($str);
}

sub doit {
    my $uname = encode(GetUntrustedInput("username"));
    print "<b>Welcome, $uname!</b><p>\n";
    system("cd /home/$uname; /bin/ls -l");
}

this example takes user input, encodes it for HTML and then runs a shell
command (cd ...; /bin/ls -l) in a home directory named by the user
the blacklist for encoding is incomplete : it covers HTML metacharacters
only, not the shell's
attacker passes ;command => command injection
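The blacklist-versus-whitelist point of the Output filtering and RegExp slides, applied to the Perl example above, as an added Python example that is not part of the original deck or of CWE's example. The username pattern, the shell metacharacter set and the argv layout are assumptions made for this example.

```python
import re

# Shell metacharacters that the HTML blacklist above never touches (assumed set for the example).
SHELL_META = set(";|`$\\\n")

# Whitelist shape for a username; assumed policy for the example.
_USERNAME = re.compile(r"[a-z][a-z0-9_]{0,31}")


def blacklist_encode(s: str) -> str:
    """Port of the Perl encode(): five HTML characters replaced, everything else passed through."""
    for raw, ent in (("&", "&amp;"), ('"', "&quot;"), ("'", "&apos;"),
                     ("<", "&lt;"), (">", "&gt;")):
        s = s.replace(raw, ent)
    return s


def survives_blacklist(s: str) -> bool:
    """True when a shell metacharacter is still present after the HTML blacklist ran."""
    return any(c in SHELL_META for c in blacklist_encode(s))


def allowlist_username(s: str) -> bool:
    """Whitelist: accept only the known-good shape.  fullmatch anchors both ends; a pattern
    ending in '$' would still accept a trailing newline."""
    return _USERNAME.fullmatch(s) is not None


def list_home_argv(username: str):
    """argv for the listing, validated first and built without a shell so no character can
    become a command separator (run with subprocess.run(argv), not system())."""
    if not allowlist_username(username):
        return None
    return ["/bin/ls", "-l", f"/home/{username}"]


if __name__ == "__main__":
    # Constructed sample values (not from the page).
    print(blacklist_encode("bob; id"), survives_blacklist("bob; id"))  # ';' survives: True
    print(list_home_argv("bob_01"), list_home_argv("bob; id"))       # argv list, None
```

The HTML encoder is the right tool for the print statement and the wrong tool for the system() call: each output context needs its own treatment, and for the shell the safest treatment is to not use a shell at all.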
Improper Output Handling

Attacks & Reports


CVE-2008-5573

SQL injection vulnerability in the login feature in Poll Pro 2.0 allows remote
attackers to execute arbitrary SQL commands via the password and
username parameters.

CVE-2008-3773

Cross-site scripting (XSS) vulnerability in vBulletin 3.7.2 PL1 and 3.6.10 PL3,
when "Show New Private Message Notification Pop-Up" is enabled, allows
remote authenticated users to inject arbitrary web script or HTML via a
private message subject, allowing an attacker to carry out an action
impersonating a legal user, or to obtain access to a user's account.

Improper Output Handling

Bibliography
1. http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
2. http://projects.webappsec.org/w/page/13246934/Improper%20Output%20Handling
3. http://cwe.mitre.org/data/definitions/116.html
4. https://www.juniper.net/security/auto/vulnerabilities/vuln32707.html
5. http://minsky.gsi.dit.upm.es/semanticwiki/index.php/Category:Improper_Encoding_or_Escaping_of_Output
