From wiquan@employees.org Wed Oct 17 18:05:11 2007
From: William Quan
To: sr-users@lists.kamailio.org
Subject: [OpenSER-Users] sanitizing sip requests
Date: Wed, 17 Oct 2007 11:13:38 -0500
Message-ID: <471634B2.10408@employees.org>

Hi all,

I came across a security alert that basically embeds javascript in the
display name of the From to initiate cross-site-scripting (XSS) attacks.
Here is an example:

From: """user" >;tag=002a000c

Grammatically, I don't see an issue with this. However, under the right
circumstances this could get ugly.
Do you see value in having openser take a proactive role to detect these
and reject calls? Or is this outside the scope of what a proxy should
be doing (leave it to the UA to sanitize)?

Looking to get your thoughts-
-will

From jiri@iptel.org Thu Oct 18 00:02:56 2007
From: Jiri Kuthan
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Thu, 18 Oct 2007 00:11:00 +0200
Message-ID: <20071017221155.0F9B81810C52@mail.iptel.org>
In-Reply-To: <471634B2.10408@employees.org>

At 18:13 17/10/2007, William Quan wrote:
>Hi all,
>I came across a security alert that basically embeds javascript in the
>display name of the From to initiate cross-site-scripting (XSS) attacks.
>Here is an example:
>
>From: """user" >>;tag=002a000c
>
>
>Grammatically, I don't see an issue with this. However, under the right
>circumstances this could get ugly.
>Do you see value in having openser take a proactive role to detect these
>and reject calls?
>Or is this outside the scope of what a proxy should
>be doing (leave it to the UA to sanitize)?

We have been thinking hard of this in the SER community. My 2 cents are that
sanitizing in the proxy is of limited impact. The trouble is that it is not
just JavaScript, it can be literally any application in any language, which
is tunneled some crafted data through SIP. The SIP proxy can be taught to
detect JavaScript but who knows what is going to come next. Thus I think
that JavaScript enabled apps should test SER-produced data for JavaScript
data, and XYZ-apps should test SER-produced data for XYZ-script data.

As an example, the latest serweb version, which uses JavaScript, is
resistant against such JavaScript attacks.

-jiri

>Looking to get your thoughts-
>-will
>
>_______________________________________________
>Users mailing list
>Users(a)openser.org
>http://openser.org/cgi-bin/mailman/listinfo/users

--
Jiri Kuthan http://iptel.org/~jiri/

From cs@unc.edu Thu Oct 18 00:19:40 2007
From: Christian Schlatter
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Wed, 17 Oct 2007 18:27:16 -0400
Message-ID: <47168C44.7020103@unc.edu>
In-Reply-To: <471634B2.10408@employees.org>

William Quan wrote:
> Hi all,
> I came across a security alert that basically embeds javascript in the
> display name of the From to initiate cross-site-scripting (XSS) attacks.
> Here is an example:
>
> From: """user" > >;tag=002a000c
>
>
> Grammatically, I don't see an issue with this. However, under the right
> circumstances this could get ugly.
> Do you see value in having openser take a proactive role to detect these
> and reject calls?
> Or is this outside the scope of what a proxy should
> be doing (leave it to the UA to sanitize)?

I think it should be left to the UA. It would be very difficult to come
up with good sanitizing rules, and they would get out of date very
quickly. Maybe an openser sanitizer module that would download SIP
attack signatures would make sense.

/Christian

>
> Looking to get your thoughts-
> -will

From 4lists@gmail.com Thu Oct 18 02:18:25 2007
From: Edson <4lists@gmail.com>
To: sr-users@lists.kamailio.org
Subject: RE: [OpenSER-Users] sanitizing sip requests
Date: Wed, 17 Oct 2007 22:27:39 -0200
Message-ID: <4716a881.1d1d640a.6ea3.45e4@mx.google.com>
In-Reply-To: <47168C44.7020103@unc.edu>

I was thinking about this problem and I think that combining this module
idea with the ones presented by Jiri could guide to an intermediary and
more flexible one.

Any sanitization task would be processed by a dedicated module. This module
could load as many 'sanitization descriptions' as desired. Each
'sanitization description' could be an XML file (just to give an example)
and would take care of a specific language or language family. It could
describe signatures, or even include language syntax and semantics checks
(who knows what is really necessary?). This way, changing/improving the
descriptions with language specific sanitization knowledge would extend
the protection without the need of logical changes on the proxy script.

For sure even if the idea is easy to understand its implementation is not
a trivial work. But it is an idea...
;)

Edson

>-----Original Message-----
>From: users-bounces(a)openser.org [mailto:users-bounces(a)openser.org] On
>Behalf Of Christian Schlatter
>Sent: Wednesday, 17 October 2007 20:27
>To: William Quan
>Cc: users(a)openser.org
>Subject: Re: [OpenSER-Users] sanitizing sip requests
>
>William Quan wrote:
>> Hi all,
>> I came across a security alert that basically embeds javascript in the
>> display name of the From to initiate cross-site-scripting (XSS) attacks.
>> Here is an example:
>>
>> From: """user" >> disclosure>>;tag=002a000c
>>
>>
>> Grammatically, I don't see an issue with this. However, under the right
>> circumstances this could get ugly.
>> Do you see value in having openser take a proactive role to detect these
>> and reject calls? Or is this outside the scope of what a proxy should
>> be doing (leave it to the UA to sanitize)?
>
>I think it should be left to the UA. It would be very difficult to come
>up with good sanitizing rules, and they would get out of date very
>quickly. Maybe an openser sanitizer module that would download SIP
>attack signatures would make sense.
>
>/Christian
>
>
>>
>> Looking to get your thoughts-
>> -will

From klaus.mailinglists@pernau.at Thu Oct 18 09:38:58 2007
From: Klaus Darilion
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Thu, 18 Oct 2007 09:47:52 +0200
Message-ID: <47170FA8.3000409@pernau.at>
In-Reply-To: <471634B2.10408@employees.org>

William Quan wrote:
> Hi all,
> I came across a security alert that basically embeds javascript in the
> display name of the From to initiate cross-site-scripting (XSS) attacks.
> Here is an example:
>
> From: """user" > >;tag=002a000c

That's a cool attack. I fear there will be more smart attacks in the next
time.

klaus

> Grammatically, I don't see an issue with this. However, under the right
> circumstances this could get ugly.
> Do you see value in having openser take a proactive role to detect these
> and reject calls? Or is this outside the scope of what a proxy should
> be doing (leave it to the UA to sanitize)?
>
> Looking to get your thoughts-
> -will

From henning.westerholt@1und1.de Thu Oct 18 10:32:33 2007
From: Henning Westerholt
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Thu, 18 Oct 2007 10:41:17 +0200
Message-ID: <200710181041.17823.henning.westerholt@1und1.de>
In-Reply-To: <4716a881.1d1d640a.6ea3.45e4@mx.google.com>

On Thursday 18 October 2007, Edson wrote:
> I was thinking about this problem and I think that combining this module
> idea with the ones presented by Jiri could guide to an intermediary and
> more flexible one.
>
> Any sanitization task would be processed by a dedicated module. This module
> could load as many 'sanitization descriptions' as desired. Each
> 'sanitization description' could be an XML file (just to give an example)
> and would take care of a specific language or language family. It could
> describe signatures, or even include language syntax and semantics checks
> (who knows what is really necessary?). This way, changing/improving the
> descriptions with language specific sanitization knowledge would extend
> the protection without the need of logical changes on the proxy script.
>
> For sure even if the idea is easy to understand its implementation is not
> a trivial work. But it is an idea... ;)

Perhaps it makes more sense to use an IDS for this job, which already has
the infrastructure present to search in the traffic and match against
arbitrary rules. It can alert or kill the connection if something against
the policy is detected.
Cheers,

Henning

From daniel@voice-system.ro Thu Oct 18 16:18:07 2007
From: Daniel-Constantin Mierla
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Thu, 18 Oct 2007 17:26:59 +0300
Message-ID: <47176D33.3000801@voice-system.ro>
In-Reply-To: <47170FA8.3000409@pernau.at>

On 10/18/07 10:47, Klaus Darilion wrote:
>
>
> William Quan wrote:
>> Hi all,
>> I came across a security alert that basically embeds javascript in the
>> display name of the From to initiate cross-site-scripting (XSS) attacks.
>> Here is an example:
>>
>> From: """user" >> > >;tag=002a000c
>>
>
> That's a cool attack. I fear there will be more smart attacks in the
> next time.

cooler and cooler. My opinion is that the client should take care. I do not
see any reason why an application will interpret the display or user name.
It should be printed as it is. Same we can say may happen with the email,
when the text message will be interpreted, but not just displayed. Would be
funny to get compile errors or code executed when someone just gives a
snippet in a message.

AFAIK, unless there is need for escape/unescape, those values should be
taken literally. Of course, having something in openser to detect/prevent
would be nice, but just as an add-on. Don't forget that some headers bring
nightmare after changing them -- although, in such cases, the caller device
won't care too much :)

Cheers,
Daniel

>
> klaus
>
>> Grammatically, I don't see an issue with this. However, under the right
>> circumstances this could get ugly.
>> Do you see value in having openser take a proactive role to detect these
>> and reject calls? Or is this outside the scope of what a proxy should
>> be doing (leave it to the UA to sanitize)?
>>
>> Looking to get your thoughts-
>> -will
>

From jiri@iptel.org Fri Oct 19 10:11:57 2007
From: Jiri Kuthan
To: sr-users@lists.kamailio.org
Subject: Re: [OpenSER-Users] sanitizing sip requests
Date: Fri, 19 Oct 2007 10:20:53 +0200
Message-ID: <20071019082056.3096D18111E7@mail.iptel.org>
In-Reply-To: <47176D33.3000801@voice-system.ro>

At 16:26 18/10/2007, Daniel-Constantin Mierla wrote:
>On 10/18/07 10:47, Klaus Darilion wrote:
>>
>>
>>William Quan wrote:
>>>Hi all,
>>>I came across a security alert that basically embeds javascript in the
>>>display name of the From to initiate cross-site-scripting (XSS) attacks.
>>>Here is an example:
>>>
>>>From: """user" >>>>;tag=002a000c
>>
>>That's a cool attack. I fear there will be more smart attacks in the next time.
>cooler and cooler. My opinion is that the client should take care. I do not
>see any reason why an application will interpret the display or user name.

'cos your phone has a webpage with received calls.

>It should be printed as it is. Same we can say may happen with the email, when
>the text message will be interpreted, but not just displayed. Would be funny
>to get compile errors or code executed when someone just gives a snippet in
>a message.
>
>AFAIK, unless there is need for escape/unescape, those values should be taken
>literally. Of course, having something in openser to detect/prevent would be
>nice, but just as an add-on.
>Don't forget that some headers bring nightmare after
>changing them -- although, in such cases, the caller device won't care too
>much :)

possibly nice-to-have, but wasted effort IMO, see the previous email.
something generally app-unaware ('cos who knows what the actual app is) can't
filter app, and attempts to do so always lag behind the attackers or break
the apps.

-jiri

--
Jiri Kuthan http://iptel.org/~jiri/
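The position Jiri and Daniel argue for above (a display name is opaque data; the application that renders SIP-derived values, such as a received-calls web page, must escape them for its own output context, and a content-agnostic escape at that point covers whatever the name contains) looks like this in practice. The following is an added example written for this thread, not code from OpenSER, SER or serweb: the From header value is constructed, the `example.invalid` domain is a placeholder, and the function names are hypothetical.

```python
"""Treat a SIP display name as opaque data and escape it for the output
context (here HTML) at render time, instead of filtering it in the proxy.

Added example for this thread; not code from OpenSER, SER or serweb.
The header value below is constructed and every name is hypothetical.
"""
import html

# Constructed sample: a syntactically valid From header whose quoted display
# name carries HTML markup. RFC 3261 allows almost any character in a
# quoted-string, so a SIP parser accepts it; only a web front end that echoes
# the name raw into a page turns it into a problem.
SAMPLE_FROM = '"<script>x</script>user" <sip:user@example.invalid>;tag=002a000c'


def parse_name_addr(value):
    """Split a From/To header value into (display_name, uri, params).

    Handles the RFC 3261 name-addr forms: a quoted-string display name with
    backslash escapes (quoted-pair), a run of unquoted tokens, or no display
    name at all (bare addr-spec). The display name is never interpreted.
    """
    value = value.strip()
    display = ""
    if value.startswith('"'):
        chars = []
        i = 1
        while i < len(value) and value[i] != '"':
            if value[i] == "\\" and i + 1 < len(value):
                i += 1                      # quoted-pair: keep next char literally
            chars.append(value[i])
            i += 1
        if i >= len(value):
            raise ValueError("unterminated quoted display name")
        display = "".join(chars)
        rest = value[i + 1:].lstrip()
    else:
        lt = value.find("<")
        display = value[:lt].strip() if lt > 0 else ""
        rest = value[lt:] if lt >= 0 else value
    if rest.startswith("<"):
        gt = rest.find(">")
        if gt < 0:
            raise ValueError("unterminated <uri>")
        uri, param_str = rest[1:gt], rest[gt + 1:]
    else:
        uri, sep, param_str = rest.partition(";")   # bare addr-spec form
        param_str = sep + param_str
    params = {}
    for p in param_str.split(";"):
        if p.strip():
            k, _, v = p.partition("=")
            params[k.strip()] = v.strip()
    return display, uri, params


def render_call_log_row(from_value):
    """Build one HTML table row for a received-calls page.

    html.escape() is the single sanitisation step, applied where SIP data
    enters an HTML document. It is content-agnostic: whatever the display
    name holds, the browser receives text, never markup.
    """
    display, uri, params = parse_name_addr(from_value)
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        html.escape(display), html.escape(uri), html.escape(params.get("tag", "")))


if __name__ == "__main__":
    print(render_call_log_row(SAMPLE_FROM))
```

The parser deliberately knows nothing about JavaScript, HTML or any other payload language; that is the point Jiri makes about app-unaware filtering. A page that rendered the same value into a JavaScript string or a SQL query would swap `html.escape` for the escaping function of that context, and the proxy would stay unchanged.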