When Vendors Attack! Film at 11

By on January 7, 2007 7:25 am

I’m sorry to interrupt the performance post series, but this seems to warrant a timely response.

Before I go any further, I should note that once-upon-a-time I was deeply involved in the webapp security community. As an engineer at a small MSSP in ’02 and ’03, I contributed to OWASP, lead one of their main projects, and participated in the associated discussions. I’ve audited web software for security flaws and worked to secure new and existing systems. These days, my involvement in the security world is reduced to reading interesting papers from the various conferences and my occasional trawl of CiteSeer. I have tremendous respect for the security community and many of the smart and talented people I had a chance to work with in those days.

But all is not right with the world of web app security. Paola and Fedon’s paper is an amalgam of other people’s research (response splitting) and a sprinkling of idiomatic JavaScript. When it can get to the front page of slashdot with “the web2.0 is falling!” billing, it only feeds the FUD flames. Pablum as revolution is disturbing. When it’s widely read, it’s urban legend in the making.

Here’s what Paola and Fedon tried to side-step:

  1. Response Splitting attacks aren’t that common (no, really)
    • The scariest bits of the presented paper require a complicit, b0rken proxy.
    • Mitigating the threat therefore means fixing the proxies, not the clients. This is comparatively good news as it implies fewer nodes to upgrade to remove the immediate-term threat. This matters to everyone interested in mitigating and managing risk (not eliminating it).
  2. The fundamental root-of-trust issue here is still an XSS attack. If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0” attack of the web. This is the fundamental weakness of the web’s security model today, and one that is difficult to solve (e.g., requires upgrading all clients). That there are problems associated with being rooted should surprise no one.
  3. Characterizing the replacement of existing functions as a “design flaw” in JavaScript is comical. The assumption is malicious code in the same execution scope as the code being attacked (see #2), and that’s not tractable by disallowing redefinition. Even if JavaScript didn’t allow it, any environment that would allow runtime event handlers to be registered would suffice, and since there is no way (in current JS) to determine if code is “valid”, the gig would still be up. Just register a malicious onreadystatechange handler. The only change would be that you might have to target applications more narrowly.

What really makes me sad though is that the work of folks like H.D. Moore, Thor Larhom, and Jeremiah Grossman gets lost in the noise when chaff like this is published. By not providing an honest evaluation of the real-world potential of a threat vector, the authors of a paper like this create a sort of seismograph that can’t tell magnitudes, only number of things shaking. Without magnitude information, an instant market is created for people to stand on the tops of roofs and yell down how bad it is (or in this case, how bad it could have been had they not been valiantly standing there).

Threat information is only valuable as when there is enough data about it to manage and mitigate risk. Yes, security problems are real, and web app security problems aren’t going away any time soon, but without level-headed analysis of the threat vectors, the real-world risk profiles, and the root-of-trust that is being attacked there is very little reason for clients to view the security community as anything but a freakish collection of opportunists, wolves, and disillusioned techno-utopianists. Accurate data builds trust, and trust builds a relationships that allows you to effectively mitigate risk. It’s high time that the security industry developed a code of ethics that prevents FUD-slinging. OWASP could even lead the way although I suspect there’s not a chance in hell of it happening.

The view from the roof is pretty good, after all.