
WHITE PAPER

Eradicate Cross-Site Scripting


The Web's most prevalent application vulnerability remains an open door to attack on your business and your customers. It doesn't have to be.


Getting Started: Registering and Uploading Your Application


Veracode's free cross-site scripting scanning service will empower you to begin your organization's campaign to eradicate XSS vulnerabilities in corporate applications. Registering and uploading your application is straightforward and quick. The free service can be used for any Java-based application up to 20 MB in size, with a limit of one application per email address.
HERE'S HOW IT WORKS:

- Go to the free service Web page.
- Create an account by registering with your email address and a password.
- Create a profile for your application, supplying metadata including the name of the application, build version, etc., to create a placeholder for your upload.
- Navigate to the compiled archive (.jar, .war, .zip) on your local file system through an Explorer-type interface, select it and upload. (The archives are encrypted in transit and on Veracode's servers.)
- The archive undergoes a pre-scan check to make sure there is code that can be scanned for cross-site scripting. You can wait for the pre-scan to complete or log out and come back when you receive a confirmation email.
- Once the pre-scan completes, click the Begin Scan button. Veracode then scans the application and notifies you by email that the results are ready.

Meeting the Threat: Application Security Comes of Age


The explosive growth of Internet commerce in a little more than a decade has transformed the way we do business. But the rise of e-commerce has generated a concurrent surge of Internet crime into a multi-billion-a-year industry, as criminals follow the money, the countless potential online victims and the vulnerability of web applications to easy exploitation. Cross-site scripting (XSS) attacks are perhaps the most widespread of Web exploits preying on businesses and consumers. The flaws are relatively easy to find and easy to remediate, yet XSS remains a highly dangerous and, arguably, the most widespread of Web application attacks.

There's no reason that the advance of cross-site scripting attacks can't be stemmed and reversed, starting in 2011. Forward-thinking organizations have begun baking security into their software development lifecycles and procurement programs. An independent verification of the security quality of applications they build, buy and outsource is becoming an integral part of an organization's risk management strategy. Automated testing of compiled code, available as a SaaS offering, is proficient at detecting XSS flaws, evaluating the business risk they pose, and providing help with remediation.

Application development and application security teams and practitioners can, in fact, begin automated testing and detection of XSS vulnerabilities immediately, using a Free Service from Veracode. In this white paper, you'll learn more about the cross-site scripting threat, how automated code testing can help detect and remediate it, and the free service that will help energize your application security program.


A Brief Explanation of Cross-Site Scripting


Cross-site scripting is a class of injection attack. In this case, an attacker injects malicious code, usually JavaScript (but it can be any embedded active content, such as ActiveX, VBScript, Shockwave or Flash), into an otherwise trusted Web site. These malicious scripts run with the same privileges as an authorized script, so the user is tricked by code from a site he or she expects to trust.

Broadly speaking, there are two classes of cross-site scripting attacks: stored and reflected. Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, and becomes part of the site's dynamic content. In reflected attacks, the user is tricked into clicking on a link, say in an email, and the malicious code is sent to the vulnerable web server, which reflects the attack back to the browser. The user's browser executes the script, which now appears as if it came from the legitimate server.

XSS attacks can disclose a user's session cookie and hijack the session. Or, depending on the technique, an attacker can view files, gain access to a sensitive database, install a Trojan, or modify content.

The good news is that XSS flaws are easy to correct once they are detected, and easy to prevent once developers are aware of the risk. Developers can protect their code by:

- Input validation. The developer filters special characters as defined by HTML, validating each input field for script tags. Validation is important, but is not sufficient to prevent all possible XSS attacks. Sometimes the data does not come via HTTP, and the Web server does not recognize it as part of the dynamic content process and fails to validate it. Also, there may be cases when invalid characters must be allowed, such as a hyphen in a name.
- Encoding. Also known as escaping, encoding ensures that the input in a field is presented as a safe string for HTML use and prevents malicious code from executing. Developers can make use of special libraries that provide encoding methods and, in some cases, automatically encode dynamic controls.
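The encoding mitigation described above, as an added example that is not part of the Veracode white paper: a server-side rendering function in JavaScript (Node.js) that encodes each dynamic value for the HTML context it lands in, shown beside the unencoded "before" version. The function names, the sample inputs and the treatment of URL attributes are all assumptions made for this demonstration; the hyphenated name illustrates the text's point that a legitimate "special" character must still be allowed through.

```javascript
// Added example (not code from the Veracode white paper): contextual output
// encoding, the "encoding/escaping" mitigation the text describes. All names
// here (escapeHtml, renderProfile, the sample inputs) are constructed for
// this demonstration.

// HTML metacharacters and their entity replacements. Encoding these in text
// nodes and quoted attribute values means user-controlled data can never
// change the structure of the page, whether it arrived via an HTTP parameter
// (reflected XSS) or was read back from a database (stored XSS).
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into an HTML text node.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Encode a value for insertion into a double-quoted attribute value. The
// same entity set suffices as long as the template always quotes the
// attribute; an unquoted attribute would let whitespace end the value early.
function escapeHtmlAttribute(input) {
  return escapeHtml(input);
}

// For URL-bearing attributes such as href, encoding is necessary but not
// sufficient: the value must also be restricted to a safe scheme, since a
// syntactically valid URL with a script-executing scheme survives entity
// encoding untouched. Anything that is not http(s) becomes an inert "#".
function safeHref(candidate) {
  let url;
  try {
    url = new URL(String(candidate));
  } catch (err) {
    return '#';
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
}

// The "before" picture: untrusted values concatenated straight into markup.
// Shown only for contrast with renderProfile below.
function renderProfileUnsafe(displayName, homepage) {
  return `<p>Welcome, ${displayName}!</p><a href="${homepage}">Homepage</a>`;
}

// The hardened version: every dynamic value is encoded for the context it
// lands in. A hyphenated name or one containing an apostrophe (the text's
// example of a character that validation must allow) still displays
// correctly, because the browser decodes the entity back to the same
// character; only the HTML parser's interpretation of the bytes has changed.
function renderProfile(displayName, homepage) {
  return (
    `<p>Welcome, ${escapeHtml(displayName)}!</p>` +
    `<a href="${escapeHtmlAttribute(safeHref(homepage))}">Homepage</a>`
  );
}

// Constructed sample inputs: a legitimate name that a special-character
// filter would have to let through, and a value containing markup.
const SAMPLE_NAME = "Mary-Jane O'Neil";
const SAMPLE_MARKUP = '<b>not bold</b>';
const SAMPLE_URL = 'https://example.test/';

console.log(renderProfileUnsafe(SAMPLE_MARKUP, SAMPLE_URL));
console.log(renderProfile(SAMPLE_MARKUP, SAMPLE_URL));
console.log(renderProfile(SAMPLE_NAME, SAMPLE_URL));
```

The design point is that encoding is applied at the output, per context, rather than by filtering the input: the same stored name renders safely in a text node and in an attribute, and the hyphen and apostrophe in a real name are preserved for the reader while losing any meaning to the HTML parser. In a Java application the equivalent is an encoder library such as the ones the text refers to, called at each point where dynamic data is written into a page.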

The Persistent Menace


Although preventing cross-site scripting faults is not particularly difficult, feature sets and functionality, not security, are top of mind as applications are developed, tested and brought online. As a consequence, the tens, hundreds and often thousands of applications in each organization are likely to be rife with flaws that attackers can find and will exploit. Cross-site scripting vulnerabilities head the list. It is not unusual to find hundreds, even a thousand or more, XSS vulnerabilities in an application. Given the dynamic nature of web applications, there are many more opportunities for XSS vulnerabilities to be present compared to other common types of vulnerabilities, such as SQL injection. Small wonder XSS flaws are number one among the 2010 CWE/SANS Top 25 Most Dangerous Software Errors. Their prevalence is listed as high, but detection is rated as easy and remediation cost low. OWASP ranks cross-site scripting second among its 10 most critical web application security risks.


Top Vulnerability Categories (Overall Prevalence)


Bar chart of vulnerability categories by overall prevalence, marking those that appear in the OWASP Top 10 or CWE/SANS Top 25. Categories shown, in order: Cross-site Scripting (XSS), Information Leakage, CRLF Injection, Cryptographic Issues, SQL Injection, Directory Traversal, Buffer Overflow, Potential Backdoor, Time and State, Error Handling, Credentials Management, Numeric Errors, Untrusted Search Path, API Abuse, Encapsulation. Cross-site scripting leads at 51%; the remaining bars range from 12% down to 1%.

Figure 1: Top Vulnerability (Overall Prevalence)

It's also the most pervasive vulnerability category, accounting for 51% of all vulnerabilities found, according to Veracode's State of Software Security Report. Cross-site scripting vulnerabilities are widely exploited because they are so prevalent. Just as they are easy for developers and security practitioners to detect, they are easily found by attackers once an application is deployed and accessible from the Internet, using an assortment of off-the-shelf commercial scanners or free tools such as XSSer, XSSploit and Burp Scanner. The problem becomes even more acute when one takes into account that a corporate application is often an amalgam of code from disparate sources. (Veracode has observed that between 30% and 70% of all code comprising internally developed applications was identifiably from third parties.)


Free Testing Service Roots Out Cross-Site Scripting


You can jump-start your company's efforts to eradicate cross-site scripting flaws from your applications in 2011 with a new, free static binary code testing service. Binary Static Application Security Testing is similar to a line-by-line code review without requiring source code. A scan examines the compiled binary at implementation time to detect security flaws. Anyone within an organization producing software can use the free static binary code analysis service to detect, understand, evaluate and remediate cross-site scripting flaws in any submitted application. Developers, security professionals, IT architects and quality assurance engineers, for example, are all good candidates to use this service.

Since binaries are fully compiled, performing binary code reviews removes concerns surrounding intellectual property contained in source code. This enables application security to be delivered externally using a security-as-a-service (SaaS) model. In addition to scanning your compiled application and reporting all the cross-site scripting vulnerabilities discovered, the free service provides detailed information on the nature and severity of each flaw, and how many times and where it appears. Moreover, the service provides a practical analysis and remediation recommendations through an intuitive GUI, so you can easily address the identified issues. The next section explains how this free service works and how you can use it to help secure your applications from XSS flaws.
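To make concrete what "detecting a cross-site scripting flaw without running the application" means, here is an added illustration that is not Veracode's code and does not describe the internals of its service (the white paper says nothing about them). It applies source-to-sink data-flow tracking, the usual basis for static XSS detection, to a constructed, simplified representation of a compiled servlet method. The statement format, the method records and the source/sink/sanitiser lists are assumptions for this demonstration; the Java method names are used only as labels.

```javascript
// Added example (not Veracode's code; the white paper does not describe the
// scanner's internals): a deliberately small illustration of how a static
// analyser can report an XSS flaw from compiled code by tracking
// attacker-controlled ("tainted") data from where it enters a method to
// where it is written into the HTTP response. The statement format and the
// three lists below are assumptions made for this demonstration.

// Calls whose return value is attacker-controlled (taint sources).
const TAINT_SOURCES = new Set([
  'javax.servlet.ServletRequest.getParameter',
  'javax.servlet.http.HttpServletRequest.getHeader',
]);
// Calls that write into the HTTP response body (XSS sinks).
const XSS_SINKS = new Set([
  'java.io.PrintWriter.println',
  'java.io.PrintWriter.print',
]);
// Calls that neutralise HTML metacharacters; their result is untainted.
const SANITISERS = new Set(['org.owasp.encoder.Encode.forHtml']);

// Walk the statements in order, keeping a map from variable name to the
// line where its taint originated. A sink reached by a tainted argument is
// reported as a finding that names the sink line and the originating line,
// which is the "where the flaw occurs" information a triage report needs.
function findXssFlows(statements) {
  const tainted = new Map();
  const findings = [];
  for (const st of statements) {
    const taintedArgs = st.args.filter((a) => tainted.has(a));
    const origin = taintedArgs.length > 0 ? tainted.get(taintedArgs[0]) : null;
    if (st.op === 'call') {
      if (XSS_SINKS.has(st.method) && origin !== null) {
        findings.push({
          cwe: 'CWE-79',
          line: st.line,
          sink: st.method,
          variable: taintedArgs[0],
          sourceLine: origin,
        });
      }
      if (!st.result) continue;
      if (TAINT_SOURCES.has(st.method)) tainted.set(st.result, st.line);
      else if (SANITISERS.has(st.method)) tainted.delete(st.result);
      else if (origin !== null) tainted.set(st.result, origin);
      else tainted.delete(st.result);
    } else if (st.op === 'concat') {
      // String concatenation propagates taint from any operand.
      if (origin !== null) tainted.set(st.result, origin);
      else tainted.delete(st.result);
    }
  }
  return findings;
}

// Constructed sample: a method that echoes a request parameter into the
// response. Line numbers are made up for the demonstration.
const VULNERABLE_METHOD = [
  { line: 10, op: 'call', method: 'javax.servlet.ServletRequest.getParameter',
    args: ['request', 'paramNameLiteral'], result: 'name' },
  { line: 11, op: 'concat', args: ['greetingLiteral', 'name'], result: 'html' },
  { line: 12, op: 'call', method: 'java.io.PrintWriter.println',
    args: ['out', 'html'], result: null },
];

// The same method after remediation: the parameter passes through an HTML
// encoder before it is concatenated into the page.
const FIXED_METHOD = [
  { line: 10, op: 'call', method: 'javax.servlet.ServletRequest.getParameter',
    args: ['request', 'paramNameLiteral'], result: 'name' },
  { line: 11, op: 'call', method: 'org.owasp.encoder.Encode.forHtml',
    args: ['name'], result: 'safeName' },
  { line: 12, op: 'concat', args: ['greetingLiteral', 'safeName'], result: 'html' },
  { line: 13, op: 'call', method: 'java.io.PrintWriter.println',
    args: ['out', 'html'], result: null },
];

console.log('vulnerable:', findXssFlows(VULNERABLE_METHOD));
console.log('fixed:', findXssFlows(FIXED_METHOD));
```

A real analyser works on the actual bytecode, follows data across method calls and branches, and knows many more sources, sinks and encoders; this toy version is straight-line and intraprocedural. What it does share with the real thing is the shape of the result: each finding ties a sink to the line where untrusted data entered, which is exactly the pairing a developer needs when deciding whether to add encoding at the sink or validation at the source.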

Putting the Service to Work


When your scan is complete, the free service delivers two reports, which can be viewed online and/or downloaded in PDF format. The summary report gives a high-level overview of what was discovered: quantity, type and category of flaws, and Veracode quick-hit action items (things you can do immediately that will have high impact on the security of your application). The findings are presented in charts, graphs and a text summary, with all flaws broken out by severity and Veracode recommended action items. This report will bring home to executives the scope of the problems in the application (it can serve as a litmus test of the company's application security program, or lack thereof) and gives hands-on application professionals a summary assessment of the work they face.

Figure 2: Summary report screenshot


The detailed report provides the information that will primarily be used by developers to triage flaws. It lists each flaw, with a link to its CWE number (Veracode findings are very much standards based, referencing the CWE ID), a description, detailed remediation guidance (including Veracode's estimate of the effort required), and the source file and line number where the flaw occurs.

Figure 3: Fix First chart

The report also helps you assess the areas of highest risk and prioritize remedial activity through the Fix First chart, a plot chart that shows at a glance the frequency of a vulnerability's occurrence (represented by the size of the circle representing the flaw), the severity and the average remediation effort based on CWE ID. The Triage Flaws View provides the under-the-hood level of detail for developers to dig in and learn where and how each flaw occurred, and a platform for determining if and how it should be remediated. The triage view allows developers to overlay source code against the Veracode findings while keeping it on their local machine; the Veracode service only requires compiled code, so the source code never leaves your environment.

Figure 4: Triage Flaws View


Conclusion: Expand Your Web Security Program


Detecting and remediating cross-site scripting for selected applications is an excellent start towards eradicating these flaws from your applications in 2011. What should follow is a comprehensive, repeatable web application scanning program that can demonstrate progress and hold developers, application owners, development partners and commercial application vendors accountable for security. Automated static binary analysis through a SaaS offering is a highly effective method of detecting cross-site scripting and should be an essential element of any organization's application security program.

SaaS scales well for large numbers of applications and relieves the cost, manpower burden and management overhead of relying solely on internal review. Using a cloud-based service such as Veracode, you can scale your program to your environment, whether you have a few applications or thousands. Applications can be uploaded and scanned quickly; the results can be evaluated, priorities established and remediation applied. Rinse and repeat to track how your web application security efforts are faring. This means organizations can devote more time to understanding, prioritizing and fixing dangerous cross-site scripting flaws that could give an attacker an opportunity to exploit critical applications and gain access to sensitive information.

Cross-site scripting is pervasive, dangerous and preventable. Detecting and eliminating XSS flaws should be an integral element of any forward-thinking organization's SDLC and software procurement program. Using Veracode's free binary analysis service, you can begin on the road to eliminating cross-site scripting from your applications, and strengthen and streamline your corporate software security initiative.


ABOUT VERACODE Veracode, Inc. 4 Van de Graaff Drive Burlington, MA 01803 Tel +1.781.425.6040 Fax +1.781.425.6039 www.veracode.com 2011 Veracode, Inc. All rights reserved.
WP/CSS/0111

Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications, no matter how they are deployed: via the web, mobile or in the cloud. The company's more than 175 customers include Barclays PLC, California Public Employees' Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, read the ZeroDay Labs blog or follow on Twitter @Veracode.
