Eradicate Cross-Site Scripting

The Web’s most prevalent application vulnerability remains an open door to attack on your business and your customers. It doesn’t have to be.

WHITE PAPER


Meeting the Threat: Application Security Comes of Age

The explosive growth of Internet commerce in a little more than a decade has transformed the way we do business. But the rise of e-commerce has generated a concurrent surge of Internet crime into a multi-billion-a-year industry, as criminals follow the money, the countless potential online victims and the vulnerability of web applications to easy exploitation.

Cross-site scripting (XSS) attacks are perhaps the most widespread of Web exploits preying on businesses and consumers. The flaws are relatively easy to find and easy to remediate, yet XSS remains a highly dangerous and, arguably, the most widespread of Web application attacks.

There’s no reason that the advance of cross-site scripting attacks can’t be stemmed and reversed, starting in 2011. Forward-thinking organizations have begun baking security into their software development lifecycles and procurement programs. Independent verification of the security quality of the applications they build, buy and outsource is becoming an integral part of an organization’s risk management strategy. Automated testing of compiled code, available as a SaaS offering, is proficient at detecting XSS flaws, evaluating the business risk they pose, and providing help with remediation.

Application development and application security teams and practitioners can, in fact, begin automated testing and detection of XSS vulnerabilities immediately, using a Free Service from Veracode. In this white paper, you’ll learn more about the cross-site scripting threat, how automated code testing can help detect and remediate it, and the free service that will help energize your application security program.

Getting Started: Registering and Uploading Your Application

Veracode’s free cross-site scripting scanning service will empower you to begin your organization’s campaign to eradicate XSS vulnerabilities in corporate applications. Registering and uploading your application is straightforward and quick. The free service can be used for any Java-based application up to 20 MB in size, with a limit of one application per email address.

HERE’S HOW IT WORKS:

- Go to the free service Web page

- Create an account by registering with your email address and a password

- Create a profile for your application, supplying metadata such as the application name and build version, to create a placeholder for your upload.

- Navigate to the compiled archive (.jar, .war, .zip) on your local file system through an Explorer-type interface, select it and upload. (The archives are encrypted in transit and on Veracode’s servers.)

- The archive undergoes a pre-scan check to make sure there is code that can be scanned for cross-site scripting. You can wait for the pre-scan to complete, or log out and go back in when you receive a confirmation email.

- Once the pre-scan completes, click the Begin Scan button. Veracode then scans the application and notifies you by email that the results are ready.


A Brief Explanation of Cross-Site Scripting

Cross-site scripting is a class of injection attack. In this case, an attacker injects malicious code, usually JavaScript (though it can be any embedded active content, such as ActiveX, VBScript, Shockwave or Flash), into an otherwise trusted Web site. These malicious scripts run with the same privileges as an authorized script, so the user is tricked by code from a site he or she expects to trust.

Broadly speaking, there are two classes of cross-site scripting attacks: stored and reflected. Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, and becomes part of the site’s dynamic content.

In reflected attacks, the user is tricked into clicking on a link, say in an email, and the malicious code is sent to the vulnerable web server, which reflects the attack back to the browser. The user’s browser executes the script, which now appears as if it came from the legitimate server.

XSS attacks can disclose a user’s session cookie and hijack the session. Or, depending on the technique, an attacker can view files, gain access to a sensitive database, install a Trojan, or modify content.

The good news is that XSS flaws are easy to correct, once they are detected, and prevent, once developers are aware of the risk. Developers can protect their code by:

- Input validation. The developer filters special characters as defined by HTML, validating each input field for script tags. Validation is important, but is not sufficient to prevent all possible XSS attacks. Sometimes the data does not come via HTTP and the Web server does not recognize it as part of the dynamic content process and fails to validate it. Also, there may be cases when invalid characters must be allowed, such as a hyphen in a name.

- Encoding. Also known as escaping, encoding ensures that the input in a field is presented as a safe string for HTML use and prevents malicious code from executing. Developers can make use of special libraries that provide encoding methods and, in some cases, automatically encode dynamic controls.
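The two defenses above side by side, as an added example that is not code from the Veracode paper: a script-tag filter (validation) lets other markup through, while HTML output encoding renders the same input inert. The function names and the sample input are assumptions constructed here.

```javascript
// Added example, not code from the Veracode paper: why output encoding is
// needed even when input validation is in place. Names and sample are constructed.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Output encoding ("escaping") for HTML body and quoted-attribute contexts:
// every character that can open or close markup becomes a character entity,
// so the browser shows it as text instead of parsing it.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// The validation the paper describes: check the field for script tags.
// It is a denylist, so markup that is not a <script> element passes untouched.
function rejectsScriptTags(value) {
  return !/<\s*\/?\s*script\b/i.test(value);
}

// Allowlist validation for a name field that must accept a hyphen, the
// paper's example of a "special" character that is legitimately needed.
function isPlausibleName(value) {
  return /^[\p{L}][\p{L} .'-]{0,63}$/u.test(value);
}

// "Before": validated, then concatenated straight into the page.
function renderUnsafe(displayName) {
  if (!rejectsScriptTags(displayName)) throw new Error('rejected by validation');
  return `<p>Welcome back, ${displayName}</p>`;
}

// "After": the same validation plus encoding at the point of output.
function renderSafe(displayName) {
  if (!rejectsScriptTags(displayName)) throw new Error('rejected by validation');
  return `<p>Welcome back, ${encodeForHtml(displayName)}</p>`;
}

// Does the rendered HTML contain any tag other than the <p> we wrote ourselves?
function containsForeignMarkup(html) {
  return /<(?!\/?p>)[^>]*>/.test(html);
}

// Constructed sample: non-script markup that a script-tag filter lets through.
const SAMPLE_INPUT = 'Mary-Jane <b>Smith</b>';

console.log(renderUnsafe(SAMPLE_INPUT)); // markup reaches the browser intact
console.log(renderSafe(SAMPLE_INPUT));   // markup arrives as inert text
```

The allowlist check rejects the sample outright, which is the better first line of defense; encoding is what protects the cases where validation must admit characters the HTML parser also cares about.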

The Persistent Menace

Although preventing cross-site scripting faults is not particularly difficult, feature sets and functionality, not security, are top of mind as applications are developed, tested and brought on line. As a consequence, the tens, hundreds and often thousands of applications in each organization are likely to be rife with flaws that attackers can find and will exploit.

Cross-site scripting vulnerabilities head the list. It is not unusual to find hundreds, even a thousand or more XSS vulnerabilities in an application. Given the dynamic nature of web applications, there are so many more opportunities for XSS vulnerabilities to be present compared to other common types of vulnerabilities, such as SQL injection.

Small wonder XSS flaws are number one among the 2010 CWE/SANS Top 25 Most Dangerous Software Errors.

Their prevalence is listed as “high,” but detection is rated as easy and remediation cost low. OWASP ranks cross-site scripting second among its 10 most critical web application security risks.


It’s also the most pervasive vulnerability category, accounting for 51% of all vulnerabilities found, according to Veracode’s State of Software Security Report.

Cross-site scripting vulnerabilities are widely exploited because they are so prevalent. Just as they are easy for developers and security practitioners to detect, they are easily found by attackers once an application is deployed and accessible from the Internet using an assortment of off-the-shelf commercial scanners or free tools such as XSSer, XSSploit and Burp Scanner.

The problem becomes even more acute when one takes into account that a corporate application is often an amalgam of code from disparate sources. (Veracode has observed that between 30% and 70% of the code comprising internally developed applications was identifiably from third parties.)

Figure 1: Top Vulnerability Categories (Overall Prevalence)

- Cross-site Scripting (XSS): 51%
- Information Leakage: 12%
- CRLF Injection: 11%
- Cryptographic Issues: 6%
- SQL Injection: 4%
- Directory Traversal: 4%
- Buffer Overflow: 2%
- Potential Backdoor: 2%
- Time and State: 2%
- Error Handling: 1%
- Credentials Management: 1%
- Numeric Errors: 1%
- Untrusted Search Path: 1%
- API Abuse: 1%
- Encapsulation: 1%

Figure legend: marked categories are those in the OWASP Top 10 or CWE/SANS Top 25.


Free Testing Service Roots Out Cross-Site Scripting

You can jump-start your company’s efforts to eradicate cross-site scripting flaws from your applications in 2011 with a new, free static binary code testing service.

Binary Static Application Security Testing is similar to a line-by-line code review without requiring source code. A scan examines the compiled binary at implementation time to detect security flaws.

Anyone within an organization producing software can use the free static binary code analysis service to detect, understand, evaluate and remediate cross-site scripting flaws in any submitted application. Developers, security professionals, IT architects and quality assurance engineers, for example, are all good candidates to use this service. Since binaries are fully compiled, performing binary code reviews removes concerns surrounding intellectual property contained in source code. This enables application security to be delivered externally using a security-as-a-service (SaaS) model.

In addition to scanning your compiled application and reporting all the cross-site scripting vulnerabilities discovered, the free service provides detailed information on the nature and severity of each flaw, and how many times and where it appears. Moreover, the service provides a practical analysis and remediation recommendations through an intuitive GUI, so you can easily address the identified issues.

The next section explains how this free service works and how you can use it to help secure your applications from XSS flaws.

Putting the Service to Work

When your scan is complete, the free service delivers two reports, which can be viewed online and/or downloaded in PDF format.

The summary report gives a high-level overview of what was discovered: the quantity, type and category of flaws, and Veracode quick-hit action items (things you can do immediately that will have high impact on the security of your application). The findings are presented in charts, graphs and a text summary, with all flaws broken out by severity and Veracode recommended action items. This report will bring home to executives the scope of the problems in the application—it can serve as a litmus test of the company’s application security program or lack thereof—and gives hands-on application professionals a summary assessment of the work they face.

Figure 2: Summary report screenshot


The detailed report provides the information that will primarily be used by developers to triage flaws. It lists each flaw, with a link to its CWE number (Veracode findings are very much standards based, referencing the CWE ID), a description, detailed remediation guidance (including Veracode’s estimate of the effort required), and the source file and line number where the flaw occurs.

The report also helps you assess the areas of highest risk and prioritize remedial activity through the Fix First chart, a plot that shows at a glance each flaw’s frequency of occurrence (represented by the size of its circle), its severity, and the average remediation effort based on its CWE ID.

The Triage Flaws View provides the under-the-hood level of detail for developers to dig in and learn where and how each flaw occurred, and a platform for determining if and how it should be remediated. The triage view allows developers to overlay source code against the Veracode findings while keeping it on their local machine—the Veracode service only requires compiled code, so the source code never leaves your environment.

Figure 3: Fix First chart

Figure 4: Triage Flaws View


Conclusion: Expand Your Web Security Program

Detecting and remediating cross-site scripting for selected applications is an excellent start towards eradicating these flaws from your applications in 2011. What should follow is a comprehensive, repeatable web application scanning program that can demonstrate progress and hold developers, application owners, development partners and commercial application vendors accountable for security.

Automated static binary analysis through a SaaS offering is a highly effective method of detecting cross-site scripting and should be an essential element of any organization’s application security program. SaaS scales well for large numbers of applications and relieves the cost, manpower burden and management overhead of relying solely on internal review.

Using a cloud-based service such as Veracode’s, you can scale your program to your environment, whether you have a few applications or thousands. Applications can be uploaded and scanned quickly; the results can be evaluated, priorities established and remediation applied. Rinse and repeat to track how your web application security efforts are faring.

This means organizations can devote more time to understanding, prioritizing and fixing dangerous cross-site scripting flaws that could give an attacker an opportunity to exploit critical applications and gain access to sensitive information.

Cross-site scripting is pervasive, dangerous and preventable. Detecting and eliminating XSS flaws should be an integral element of any forward-thinking organization’s SDLC and software procurement program. Using Veracode’s free binary analysis service, you can begin on the road to eliminating cross-site scripting from your applications, and strengthen and streamline your corporate software security initiative.


ABOUT VERACODE

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. The company’s more than 175 customers include Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, read the ZeroDay Labs’ blog or follow on Twitter @Veracode.

www.veracode.com

© 2011 Veracode, Inc.

All rights reserved.

WP/CSS/0111