Archive for the 'Tools' Category

Jun 02 2008

AntiXSS updated

Published by Justin Clarke under Tools, Application Security

I’ve just uploaded an update to AntiXSS, based on feedback we’ve received from developers looking at the library. This can be found at the GDS Tools page. I have also updated the original AntiXSS announcement post to point to the new release.

Since the release of the library, the two main areas of feedback we got from users of the library were:

  • Why is it only Java 5 and above? We have a lot of Java 1.4 code.
  • Why are the methods all named with UpperCamelCase? We use lowerCamelCase for all of our method names.

In brief, we’ve addressed the first issue but not the second in this release. You should find that AntiXSS will work with your Java 1.4 code as we’ve changed the underlying functionality to remove the dependency on Java 5. As for the method names, those are the names used in the Microsoft Anti-Cross Site Scripting (AntiXSS) v1.5 library for .NET applications, of which this library is a port. As such, we’ve preserved the API as is, and think it would be counterproductive to rename the methods, have duplicate methods with different capitalisation, or to ship an adapter interface with lowerCamelCase names.

Any feedback, bug reports, or reports of usage appreciated.


May 20 2008

Adapting Sqlbrute

Published by Joe Hemler under Tools

The current version of Sqlbrute supports Microsoft SQL Server and Oracle; however, the similarities between Microsoft SQL Server and Sybase make it easy to adapt to Sybase with a few minor tweaks. Make the following changes to the current version and you should be able to brute Sybase as easily as SQL Server:

1) Line 484:

foo = "xtype='u' and "

TO

foo = "type='U' and "

2) Line 533:

predblike = "%3Bif EXISTS (select name from " + self.database + "sysobjects where xtype = 'u' and name like '"

TO

predblike = "%3Bif EXISTS (select name from " + self.database + "sysobjects where type = 'U' and name like '"

3) Line 558:

predbequals = "%3Bif EXISTS (select name from " + self.database + "sysobjects where xtype = 'u' and name = '"

TO

predbequals = "%3Bif EXISTS (select name from " + self.database + "sysobjects where type = 'U' and name = '"

4) Line 583:

foo = "xtype='u' and "

TO

foo = "type='U' and "

Essentially, we’re just changing the “sysobjects” column named “xtype” to “type” in order to be Sybase compatible. Justin will be releasing an updated version of Sqlbrute with Sybase support in the near future. For more information on Sybase system tables, go here. Enjoy!
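For defenders, the request prefixes quoted in the steps above make a usable access-log signature. The following is an added example, not part of the original post or of Sqlbrute: it scans web server logs for the stacked `if EXISTS (select name from ...sysobjects` probe in both the `xtype` and `type` forms. The log lines, addresses, paths, parameter names and the `master..` prefix are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Stacked "if EXISTS (select name from [db]sysobjects where <col> = 'u'" prefix from
# the post; <col> is xtype (original Sqlbrute) or type (the Sybase-compatible change).
PROBE = re.compile(
    r";\s*if\s+exists\s*\(\s*select\s+name\s+from\s+\S*sysobjects\s+where\s+"
    r"(?P<col>x?type)\s*=\s*'u'", re.IGNORECASE)
# Common/combined log format: client address, then the quoted request line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+"')

def decode(target, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded probes still match."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_probes(lines):
    """Return (line number, client, sysobjects column) for each matching request."""
    hits = []
    for number, line in enumerate(lines, 1):
        request = REQUEST.match(line)
        if not request:
            continue
        probe = PROBE.search(decode(request.group("target")))
        if probe:
            hits.append((number, request.group("ip"), probe.group("col").lower()))
    return hits

# Constructed sample log lines (documentation addresses, made-up paths and parameters).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2008:10:00:01 +0000] "GET /item.asp?id=1%3Bif%20EXISTS%20'
    '(select%20name%20from%20sysobjects%20where%20xtype%20=%20%27u%27%20and%20name%20'
    'like%20%27a HTTP/1.1" 200 512',
    '192.0.2.10 - - [20/May/2008:10:00:02 +0000] "GET /item.asp?id=1%253Bif+EXISTS+'
    '(select+name+from+master..sysobjects+where+type+%3D+%27U%27+and+name+%3D+%27a '
    'HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/May/2008:10:00:03 +0000] "GET /search?q=sysobjects+type '
    'HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

The second sample line has its semicolon double-encoded, which is why `decode` runs more than one pass before matching.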


Feb 27 2008

Bi-Directional HTTP Transformation

Published by Brian Holyfield under Tools

The ability to transform and inspect HTTP data as it flows in and out of a web application has many practical uses (both inside and outside of security). On IIS, this capability was historically restricted to ISAPI filters. Http Modules written in ASP.NET have always allowed processing of requests and responses to and from an ASP.NET application, but with the advent of IIS7 and the integrated ASP.NET pipeline, Http Modules written in ASP.NET now have access to virtually all stages of request processing (including those not handled by ASP.NET).

Transformer.NET is an Http Module designed for on-the-fly inbound and outbound url rewriting. Apache’s mod_rewrite, used to manipulate inbound request urls, is arguably one of the most popular Apache modules around. While there have been several ports of mod_rewrite to IIS (with implementations ranging from Http Modules to ISAPIs), they all share one shortcoming in common with their Apache predecessor: They only rewrite requests and not urls within outbound responses (such as links that are generated within an HTML page).

This has long been a pet peeve of mine. If you want to use mod_rewrite, you typically need to update the underlying website source code so that the hyperlinks within the application point to the “rewritten” urls. This can be a major effort and inconvenience if the site is already written, and even worse, it may not be possible for 3rd party or COTS web applications.

The initial beta release of Transformer.NET differs from previous rewrite modules because it supports bi-directional (inbound and outbound) url rewriting. Bi-directional rewriting eliminates the need to modify the underlying website code, which is great for legacy or third party web sites and applications. In addition to the ability to parse response content (such as HTML), Transformer.NET also includes the following two key internal mechanisms:

 

Normalization Engine
Normalizing all urls into their absolute representation quickly became essential for two reasons. First, the module needs to be able to apply configured rules to a given url in any form. So a rule for “/foo/bar.htm” might need to be applied to “bar.htm”, “../bar.htm”, or any number of other relative url variants depending on the path of the rendering page. Second, if “/foo/bar.htm” is rewritten to “/fake/bar.htm”, then suddenly all of the relative links on the page (images, css, etc.) will be broken. Replacing a relative link on a rewritten page with its absolute counterpart is essential.

Internal Url Cache
Like anything in the software world, performance is important. Inspecting and transforming very large responses when lots of rules have been defined can be a real performance killer. To help minimize performance impact, Transformer.NET maintains an internal cache of all rewrites that are performed. This eliminates unneeded processing the next time the url is rendered on a page. The net result is that as more requests are parsed by the module, performance impact continually decreases. To avoid stale cache entries, the cache gets cleared any time a change is made to a rewrite rule.
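The two mechanisms above, written in Python as an added example that is not Transformer.NET's own code: each link is resolved against the real path of the rendering page, rules are applied to the absolute form, and results are cached until a rule changes. The `site.invalid` origin, the function names and the regex-based link matching are assumptions; the rule is the post's “/foo/bar.htm” example.

```python
import re
from urllib.parse import urljoin, urlsplit

ORIGIN = "http://site.invalid"              # placeholder origin, used only to resolve paths
RULES = {"/foo/bar.htm": "/fake/bar.htm"}   # real path -> public path (the post's example)
CACHE = {}                                   # (rendering page, raw link) -> rewritten link
LINK = re.compile(r'\b(href|src)=(["\'])(.*?)\2', re.IGNORECASE)

def set_rule(real, public):
    """Add or change a rule and clear the cache so no stale rewrite is served."""
    RULES[real] = public
    CACHE.clear()

def inbound(path):
    """Map a requested public path back to the real resource."""
    for real, public in RULES.items():
        if path == public:
            return real
    return path

def normalize(page_path, raw):
    """Resolve a link as seen from the rendering page; None for off-site or non-HTTP links."""
    parts = urlsplit(urljoin(ORIGIN + page_path, raw))
    if f"{parts.scheme}://{parts.netloc}" != ORIGIN:
        return None
    suffix = "?" + parts.query if parts.query else ""
    suffix += "#" + parts.fragment if parts.fragment else ""
    return parts.path, suffix

def rewrite_link(page_path, raw):
    """Outbound rewrite of one link, served from the cache after the first lookup."""
    key = (page_path, raw)
    if key not in CACHE:
        resolved = normalize(page_path, raw)
        if resolved is None:
            CACHE[key] = raw                 # leave mailto:, off-site and CDN links alone
        else:
            path, suffix = resolved
            CACHE[key] = RULES.get(path, path) + suffix
    return CACHE[key]

def outbound(page_path, html):
    """Rewrite every href/src in a body rendered at the real path page_path."""
    def fix(match):
        attr, quote, raw = match.groups()
        return f"{attr}={quote}{rewrite_link(page_path, raw)}{quote}"
    return LINK.sub(fix, html)
```

Because `outbound` always emits absolute paths, an image referenced as `logo.png` on the rewritten “/foo/bar.htm” page still resolves to “/foo/logo.png” when the browser sees the page at “/fake/bar.htm”.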

The bi-directional rewriting capability of Transformer.NET was really an initial “proof-of-concept” for us to start building bi-directional HTTP inspection and transformation solutions to solve some very interesting web application security problems.

Unlike Apache’s mod_rewrite, Transformer.NET does not implement conditional rewrites (à la mod_rewrite’s RewriteCond), so it is not intended to be a total port. The current beta version can be downloaded from our tools page. Transformer works on IIS6 (limited to ASP.NET applications) and with any site running on IIS7. A detailed user guide is included with the download.
