Client Side Cross Site Scripting

Transcription

1 Client Side Cross Site Scripting 1

2 Client Side Cross Site Scripting CLIENT SIDE XSS - DI PAOLA 2

3 Soluzioni e sicurezza per applicazioni mobile e payments Consorzio Triveneto, azienda leader nei sistemi di pagamento a livello italiano da sempre all avanguardia nello studio e nella sperimentazione di nuove tecnologie nell ambito dei pagamenti, è una realtà del Gruppo Bassilichi che opera prevalentemente nei campi della Monetica con la gestione dei servizi POS e di Commercio Elettronico e del Corporate Banking a supporto delle imprese. SPONSOR DELL EVENTO Sponsor e sostenitori di ISACA VENICE Chapter Con il patrocinio di CLIENT SIDE XSS - DI PAOLA 3

4 Who Am I Stefano Di Research OWASP-Italy Senior Member Testing Guide Contributor OWASP SWFIntruder Bug Hunter & Sec Research (Pdf Uxss, Flash Security, HPP) Security Since '99 Work Minded Security Application Security Consulting Director of Minded Security Research Labs Lead of WAPT & Code Review Activities Blog: 2

5 Agenda XSS Client Side XSS (aka DOM Based XSS) Examples Tools and Expertise Some Stats Conclusions 3

6 XSS... The Flaw that Keeps Being Hacked 4

7 Three kinds: Reflected Stored <html>.. <script>eviljs</sc ript>..</html> <html>..+ taintedinput +..</html> DOM Based User-Victim taintedinput=<script>eviljs</script> Image Courtesy of John Wilander 5

8 <html>.. <script>eviljs</sc ript>..</html> <html>..+ taintedinput +..</html> User-Victim taintedinput=<script>eviljs</script> Image Courtesy of John Wilander 6

9 User-Victim taintedinput=<script>eviljs</script> Image Courtesy of John Wilander 7

10 <html>.. <script>eviljs</sc ript>..</html> <html>..+ taintedinput +..</html> User-Victim Image Courtesy of John Wilander 8

11 <html>.. <script>eviljs</sc ript>..</html> <html>..+ taintedinput +..</html> User-Victim taintedinput=<script>eviljs</script> Image Courtesy of John Wilander 9

12 User-Victim Injection Happens at Client Side Level! + Sometimes no server roundtrip Eg. location.hash Courtesy of John Wilander 10

13 DOM Based XSS... The Elephant in the XSS Room 11

14 DOM XSS Page Application Perspective 3rd Party JS (?) Courtesy of Dave Wichers 12

15 Traditional XSS Vs DOM Based Impacts/Risks are identical Detectability is lower for DOM-Based XSS as its harder for defenders to find XSS Risk from OWASP Top 10 13

16 From Server to Client 14

17 3rd Party JS Experiment take the first top 100 Sites from Alexa: Extract all script sources and count how many external scripts are used. Result: ~70% contained 3rd Party Js. Do you trust 3rd Party Code in your site? Let me rephrase it: Have you ever tested your 3rd Party JS? Script used to extract: 15

18 Client Side Vulnerabilities Vulnerability JS Execution HTML Injection/ Content Spoofing Impact Complete Control Over User's Page. (CI) Arbitrary HTML Insertion. Attacker can completely spoof the content. Cannot Access Cookies and other JS Data. (CI) Client Side SQL Injection URL Redirect CSS Injection Resource Manipulation Data exfiltration (CI) URL Spoofing (C) Extract Sensitive Information (C) Change the location of a resource requested by a page. (CI)

19 Client Side HTML Injection...<script> var nextlink=getparameterfromlocation('nextid'); document.write('<a href="page'+nextlink+'.html">next Step</a>'); </script> ><img src='a' onerror=alert(1)> 17

20 A Client Side XSS Example Twitter 2010 ( function(g){ var a=location.href.split("#!")[1]; if(a){ g.location=g.hbr=a; } } )(window); 18

21 A Client Side XSS Example Twitter 2010 ( function(g){ ' var a=location.href.split("#!")[1]; if(a){ Returns g.location=g.hbr=a; /WisecWisec } g.location= /WisecWisec } )(window); 19

22 A Client Side XSS Example Twitter 2010 ' Returns javascript:icanhascookies() window.location= 'javascript:icanhascookies()' Pseudo-Protocol 20

23 A Client Side XSS Example Twitter 2010 Pseudo-Protocol 21

24 Client Side Issues - Examples DEMO 22

25 Code Analysis - Manual Minimized Client Side JavaScript Server Side Java/C#/Whatever Spot the Difference! But Automated Static Analysis can do it.. doesn't it? 23

26 Code Analysis Automated static analysis Problems with Minimizers Obfuscators AND JavaScript Rigid langs Ie. Java: request.getquerystring() ; Ok.. some coverage can be performed (according to Static Analysis limits) Flexible/Dynamic langs - JavaScript: location.search window.location.search document.location.search window[ location ]['search'] window[ l + o + \x63 + ation ][atob('c2vhcmno')] window[arr[43]][obj['thesearch']] Very poor coverage. OK so What About Runtime? 24

27 Runtime Analysis Runtime Fuzzing: BlackBox Scanning, fault injection with patterns, hoping to reach the sink (dangerous function). Poor coverage, Lot of False Negatives Real Time Taint Propagation with Instrumentation: While executing it propagates the "taint" flag. In the JavaScript case if the Browser is "instrumented" there are other Pros, like Real Client State emulation. (Use Selenium, JSUnits...) OWASP Project: DOMinator by Minded Security 25

28 Some Stats from Took first 100 from Top 1 Million Alexa list. Found several others in top 1 Million most of them advertising hosted as 3rd party scripts. For example Omniture, Google AdWords, or widgets, buttons etc. Using DOMinator + my brain I found that 56 out of 100 top Alexa sites where vulnerable to directly exploitable DOM Based Xss. Means, remote attacker with a reliable scenario. 26

29 Conclusions Client Side Issues are very hard to find. JavaScript is a language for tough people :) Strongly depends on both Client AND Server States. It's a quite untested topic. Even Google Microsoft and big companies have difficulties in identification. Only now, after 8 years scanners are starting to add some kind of identification technique in order to give. some coverage. We need more tools but, more important, we need more brains! 27

30 Tnx! ^_^ Q&A Mail: Twitter: wisecwisec 28