Don’t Trust, Always Test

Today we were looking for a BBCode interpreter. As a primarily .NET development team, after some frantic googling to see whether there was anything we could use, in the hope that it had been tried, tested and was ultimately secure, we found a possibility.

Googling for ‘.NET bbcode’ puts this at the top of the results: http://bbcode.codeplex.com. It looks promising, and the blurb even confirms what we are after:

We have used Pex (http://research.microsoft.com/en-us/projects/Pex/) to extensively test some important properties of this BBCode-Parser. We used Pex to ensure that the parser never crashes and that it never emits any dangerous tag such as , no matter what the input was. The user can type any HTML he wants but it will just get encoded, even when it is in unusual places like the href-attribute of the url-tag. If you have any questions about this you can post them on http://codekicker.de if you speak German. In other cases you can contact us by email in English.

Excellent, it even singles out security. Sixty seconds into testing it ourselves, and we have this:

So what went wrong? The first thing is the way [url] tags are handled:

[url href=javascript:document.body.innerHTML=String.fromCharCode(88,83,83)]bbcode[/url]

Which results in the following HTML:

bbcodetest

OK, a bad start, but it requires a user to click the link before anything executes, so not the end of the world, right? Let's have a look at whether the [img] tag is any better:

[img] [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]
Results in:

<img src="  " />
OK, not fantastic either. So what is the takeaway from this? The OWASP Top 10 for 2013 has this at number 9:

‘Using Components With Known Vulnerabilities’

And for good reason. It is extremely easy to google for a library and have multiple sources tell you ‘this is secure, use this’. Always security test your libraries before building on them. In this case the blurb's promise that HTML gets encoded even inside href is beside the point: a javascript: URL contains no HTML metacharacters to encode, so it survives encoding intact, and only a check on the URL scheme itself stops it.
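To make that concrete, here is an added example (not code from the CodePlex library, and written in Python rather than .NET for brevity) that contrasts an encode-only renderer with one that validates before encoding, and runs the two payloads quoted above through both. The regexes, the SAFE_SCHEMES allowlist, the IMG_SRC_OK pattern and the find_script_sinks() scanner are hypothetical helpers chosen for this illustration; the nested-[img] expansion loop is one naive way a parser can end up turning an inner tag into markup before the outer tag is handled, not a claim about how the library's parser works.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed inputs: the two payloads quoted on this page, plus a benign post.
PAYLOAD_URL = "[url href=javascript:document.body.innerHTML=String.fromCharCode(88,83,83)]bbcode[/url]"
PAYLOAD_IMG = "[img] [img] onerror=javascript:alert(String.fromCharCode(88,83,83)) [/img] [/img]"
BENIGN = "[url href=https://example.com/?a=1&b=2]link[/url] [img]https://example.com/x.png[/img]"

# Hypothetical tag grammar: [url]target[/url], [url href=target]text[/url], [img]src[/img].
URL_TAG = re.compile(r"\[url(?:\s+href=([^\]]*))?\](.*?)\[/url\]", re.DOTALL)
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.DOTALL)
SAFE_SCHEMES = {"http", "https"}
# Only a single absolute http(s) image URL is accepted as an [img] body.
IMG_SRC_OK = re.compile(r"^https?://[^\s\"'<>\[\]]+\.(?:png|jpe?g|gif)$", re.I)


def encode_only_href(raw: str) -> str:
    """What 'it just gets encoded' means: escape HTML metacharacters and emit.
    javascript:... contains none of them, so it comes out unchanged."""
    return html.escape(raw, quote=True)


def safe_href(raw: str) -> Optional[str]:
    """Validate the scheme, then encode. Returns None when the link must be dropped.
    Control/whitespace characters are stripped first because browsers ignore them
    inside a scheme, so "java\\tscript:" would otherwise slip past the allowlist."""
    cleaned = re.sub(r"[\x00-\x20]", "", raw)
    if urlsplit(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return None
    return html.escape(cleaned, quote=True)


def render_vulnerable(bbcode: str) -> str:
    """Encode-only renderer: attribute text is escaped but the scheme is never checked,
    and [img] bodies are copied straight into src with nested tags expanded
    innermost-first by re-running the substitution on its own output."""
    def url(m):
        target = m.group(1) if m.group(1) is not None else m.group(2)
        return f'<a href="{encode_only_href(target)}">{html.escape(m.group(2))}</a>'
    out = URL_TAG.sub(url, bbcode)
    while IMG_TAG.search(out):
        out = IMG_TAG.sub(lambda m: f'<img src="{m.group(1)}" />', out)
    return out


def render_hardened(bbcode: str) -> str:
    """Validate, then encode. A link with a rejected scheme degrades to its escaped text,
    and an [img] whose body is not exactly one allowlisted image URL is emitted as
    escaped literal BBCode, so nested tags never become markup."""
    def url(m):
        target = m.group(1) if m.group(1) is not None else m.group(2)
        href = safe_href(target)
        text = html.escape(m.group(2))
        return f'<a href="{href}">{text}</a>' if href else text
    def img(m):
        src = m.group(1).strip()
        if IMG_SRC_OK.match(src):
            return f'<img src="{html.escape(src, quote=True)}" />'
        return html.escape(m.group(0))
    return IMG_TAG.sub(img, URL_TAG.sub(url, bbcode))


class _SinkFinder(HTMLParser):
    """Parses rendered HTML the way a browser would and records script sinks:
    any on* event-handler attribute, or a href/src/action whose value starts with
    javascript: once ignorable control characters are removed."""
    def __init__(self):
        super().__init__()
        self.sinks: List[Tuple[str, str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            lname = name.lower()
            v = re.sub(r"[\x00-\x20]", "", value or "").lower()
            if lname.startswith("on") or (lname in ("href", "src", "action") and v.startswith("javascript:")):
                self.sinks.append((tag, lname, value))


def find_script_sinks(rendered: str) -> List[Tuple[str, str, Optional[str]]]:
    """The check to run over a renderer's output before trusting it: empty means clean."""
    finder = _SinkFinder()
    finder.feed(rendered)
    finder.close()
    return finder.sinks


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        for sample in (PAYLOAD_URL, PAYLOAD_IMG, BENIGN):
            out = renderer(sample)
            print(f"[{label}] {out}\n    sinks: {find_script_sinks(out)}")
```

The sink scanner is deliberately applied to the rendered HTML rather than to the BBCode input, because it is the output that the browser sees; a renderer that leaves a payload as escaped text is fine even though the text still contains the string "onerror=". The hardened renderer rejects relative links and non-image URLs outright, which is the right default for untrusted forum input; relax the allowlist only with a specific reason.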

Thanks to http://jeffchannell.com/Other/bbcode-xss-howto.html for the excellent BBCode injection examples; it is a great resource if you are testing your own BBCode solution.
