This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
MVP Gold
MVP Gold
‎2024-02-12 09:08 AM
Jump to solution

IPS defense: Cross-site scripting over HTTP

Hi mates,

Our internal team is 'concerned' about  CP's Cross-site scripting over http ips defense.  Is there anyway we can calm his nerves that it won't block GOOD input?  Can we provide any more detail on the rule?   The details are like KFC secret recipe correct?  Or does this IPS rule correlated with http methods in inspection at all, which provides a nice ale cart menu of defenses.   See attached. 

 

I his words:

Comment

I would say it's not so much that we need users to be able to input this kind of stuff, but that the rule is not very robust and doesn't give us confidence that it will only stop bad user input.

It started off with a vulnerability scan that inserted (escaped) html into some fields. The error made us think the scan had somehow succeeded in compromising something, so that took some time to debug.

But as noted, the rule is blocking invalid or escaped html it doesn't need to block, doesn't block all valid html, and doesn't block all kinds of requests with bad html. E.g. we were able to insert those values in the first place as normal form submissions - x-www-form-urlencoded. But when POSTing the same data as multipart/form-data it triggered the rule. It also seems to just be a regex or something that casts a pretty wide net - for example "onerror=asdgasd asdgasafh alert(" will fail. So it looks like there's at least one ".+" involved somewhere that makes me nervous.

Personally I would think it'd be best to rely on stuff like CSRF tokens, SameSite, etc. and just enforce that we have that.

 

IMO it'd be helpful if we could see exactly what the rules are to allay our concerns. I've had to piece it together by trial and error. I just find the idea that a user could type unspecified wonky (but harmless) strings into a text input and end up with a generic network error a bit worrying. Or that you can submit such strings via some methods but certain other requests might then fail. Part of it is I'm not sure how to catch and log such errors on the client since they don't seem distinctive enough from normal connection errors, so we might not know it's happening without a user report.

Preview file
78 KB
Preview file
31 KB
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2024-02-13 01:07 AM
Jump to solution

The best approach would be to run specific tests and see the results and then tune IPS with exceptions, if required. It is virtually impossible to make a general statement for the cause.

View solution in original post

4 Replies
Daniel_Kavan
MVP Gold
MVP Gold
‎2024-02-12 09:11 AM
Jump to solution

This was our response.   The accepted protections for apps is to use parameterized queries for database functions and to escape anything that comes out of the database when building responses. If this is a Django app using the standard patterns, that should be built-in automatically. Then the app should also have valid field rules for acceptable responses, but that gets tricky for text fields and there is only so much you can do before you start blocking legitimate entries.

 

their reply

We're using Spring Boot and already do all of that or have it done for us. These IPS rules though are not blocking html - they're blocking sanitized "HTML-like" values based on (to me) unknown patterns. Which leaves me with questions like - if I'm a user and I type "<missing>" in a comment field is that going to get interpreted as an HTML tag? As it turns out, no, but that's sort of the level the rule seems to operate on.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-13 05:59 AM
In response to Daniel_Kavan
Jump to solution

I agree with Val here, for sure...hard to say for certain unless tests are run.

Andy

Best,
Andy
0 Kudos
Daniel_Kavan
MVP Gold
MVP Gold
‎2024-02-13 06:27 AM
In response to the_rock
Jump to solution

And in general you guys agree, the only option I have it active, inactive, detect, right?

0 Kudos
_Val_
Admin
Admin
‎2024-02-13 01:07 AM
Jump to solution

The best approach would be to run specific tests and see the results and then tune IPS with exceptions, if required. It is virtually impossible to make a general statement for the cause.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events