Client Side Cross Site Scripting





Client Side Cross Site Scripting. CLIENT SIDE XSS - DI PAOLA

Solutions and security for mobile applications and payments. Consorzio Triveneto, a leading Italian payment-systems company that has always been at the forefront in the study and experimentation of new payment technologies, is part of the Bassilichi Group, which operates mainly in electronic money (management of POS and e-commerce services) and in Corporate Banking in support of businesses. EVENT SPONSOR. Sponsors and supporters of the ISACA VENICE Chapter. Under the patronage of

Who Am I: Stefano Di Paola (@WisecWisec)
Research: OWASP-Italy Senior Member; Testing Guide Contributor; OWASP SWFIntruder; Bug Hunter & Security Research (PDF UXSS, Flash Security, HPP); Security since '99
Work: CTO @ Minded Security, Application Security Consulting; Director of Minded Security Research Labs; Lead of WAPT & Code Review Activities
Blog: http://blog.mindedsecurity.com

Agenda: XSS; Client Side XSS (aka DOM Based XSS); Examples; Tools and Expertise; Some Stats; Conclusions

XSS... The Flaw that Keeps Being Hacked

Three kinds: Reflected, Stored, DOM Based. (Diagram: the server builds <html>..+ taintedinput +..</html>; when the User-Victim supplies taintedinput=<script>eviljs</script>, the delivered page becomes <html>..<script>eviljs</script>..</html>.) Image Courtesy of John Wilander


DOM Based: injection happens at client side level! Sometimes there is no server roundtrip at all, e.g. http://host/#xxx=inject.. read by the page through location.hash. Image Courtesy of John Wilander

DOM Based XSS... The Elephant in the XSS Room

(Diagram: DOM XSS from the page/application perspective, including 3rd Party JS (?). Courtesy of Dave Wichers)

Traditional XSS vs DOM Based: impacts/risks are identical. Detectability is lower for DOM Based XSS, as it is harder for defenders to find. (XSS Risk from OWASP Top 10)

From Server to Client

3rd Party JS Experiment: take the first top 100 sites from Alexa, extract all script sources and count how many external scripts are used. Result: ~70% contained 3rd Party JS. Do you trust 3rd Party Code in your site? Let me rephrase it: have you ever tested your 3rd Party JS? Script used to extract: http://pastebin.com/n3pkxbzd
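The measurement the slide describes, written out as an added example (this is not the pastebin script from the talk): inventory every <script src> in a page and classify each as first-party or third-party by comparing its resolved host with the page's host. The HTML sample, the page URL https://www.example.com/ and the hostnames in it are constructed for the example; the same function can be pointed at fetched page bodies.

```javascript
// Added example (not the talk's pastebin script): inventory the <script src>
// references in a page and classify each as first-party or third-party,
// which is the measurement the slide describes for the Alexa top 100.
// Runs offline under Node.js on a constructed HTML sample.

// Constructed sample page, assumed to be served from https://www.example.com/.
const SAMPLE_HTML = `
<html><head>
<script>var inline = 1;</script>
<script src="/static/app.js"></script>
<script type="text/javascript" src='https://www.example.com/vendor/lib.js'></script>
<script src="//cdn.example.net/widget.js" async></script>
<script src="https://ads.example.org/tag.js"></script>
</head><body></body></html>`;

// Extract every src="..." / src='...' / src=... value from <script ...> tags.
// A regex is enough for an inventory like this; it is not a full HTML parser.
function extractScriptSrcs(html) {
  const srcs = [];
  const scriptTag = /<script\b[^>]*>/gi;
  const srcAttr = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const a = srcAttr.exec(m[0]);
    if (a) srcs.push(a[1] !== undefined ? a[1] : (a[2] !== undefined ? a[2] : a[3]));
  }
  return srcs;
}

// Resolve each src against the page URL (this handles relative and
// protocol-relative forms) and compare its host with the page's host.
function classifyScripts(html, pageUrl) {
  const pageHost = new URL(pageUrl).host;
  const thirdPartyHosts = new Set();
  let withSrc = 0;
  for (const src of extractScriptSrcs(html)) {
    withSrc++;
    let host;
    try { host = new URL(src, pageUrl).host; } catch (e) { continue; }  // unparsable src: skip
    if (host !== pageHost) thirdPartyHosts.add(host);
  }
  return { withSrc, thirdParty: thirdPartyHosts.size, hosts: [...thirdPartyHosts].sort() };
}

// Usage: node this_file.js
console.log(classifyScripts(SAMPLE_HTML, 'https://www.example.com/index.html'));
```

On the sample this reports 4 scripts with a src, 2 of them third-party (ads.example.org and cdn.example.net); inline scripts are not counted, and the protocol-relative //cdn.example.net form resolves against the page scheme, which is why the URL constructor rather than a bare string compare is used.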

Client Side Vulnerabilities
Vulnerability                      | Impact
JS Execution                       | Complete control over the user's page. (CI)
HTML Injection / Content Spoofing  | Arbitrary HTML insertion. The attacker can completely spoof the content, but cannot access cookies and other JS data. (CI)
Client Side SQL Injection          | Data exfiltration. (CI)
URL Redirect                       | URL spoofing. (C)
CSS Injection                      | Extract sensitive information. (C)
Resource Manipulation              | Change the location of a resource requested by a page. (CI)
...                                | ...

Client Side HTML Injection
...<script>
var nextlink=getParameterFromLocation('nextid');
document.write('<a href="page'+nextlink+'.html">next Step</a>');
</script>...
Normal request: http://www.vic.tim.com/page.html?nextid=2
Injected request: http://www.vic.tim.com/page.html?nextid=2"><img src='a' onerror=alert(1)>

A Client Side XSS Example - Twitter 2010
( function(g){
  var a=location.href.split("#!")[1];
  if(a){
    g.location=g.hbr=a;
  }
} )(window);

Benign case: 'http://twitter.com#!/WisecWisec'.split('#!')[1] returns /WisecWisec, so g.location = /WisecWisec and the browser navigates to http://twitter.com/WisecWisec.

Pseudo-protocol case: 'http://twitter.com#!javascript:icanhascookies()'.split('#!')[1] returns javascript:icanhascookies(), so window.location = 'javascript:icanhascookies()' and the javascript: pseudo-protocol runs the payload in the page.
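Hardened counterparts of the two sink patterns shown above (the document.write of a query parameter on the HTML injection slide, and the location.hash fragment assigned to window.location in the Twitter 2010 snippet), as an added example; this is not Twitter's fix nor code from the talk. Both are written as pure functions so they run under Node.js: buildNextLink and resolveHashRoute are names chosen here, the page would feed their return values to a DOM API (setAttribute/textContent, or a location assignment) instead of document.write.

```javascript
// Added example, not code from the talk: hardened counterparts of the two
// DOM-sink patterns on the slides. Function names are chosen for the example.

// Minimal HTML entity encoder for attribute/text contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// document.write pattern: the original concatenates the raw 'nextid' value
// into markup. Here the value must pass an allowlist (a short run of digits)
// and is still HTML-encoded, so an injection has to defeat two independent
// checks. Returns null when the id is refused.
function buildNextLink(nextid) {
  if (!/^\d{1,6}$/.test(nextid)) return null;
  return '<a href="page' + escapeHtml(nextid) + '.html">next Step</a>';
}

// location.hash pattern: the page took location.href.split("#!")[1] and
// assigned it to location unchecked, so a javascript: value ran as script.
// This resolver accepts only a same-origin absolute path and returns the
// full URL to navigate to, or null to refuse.
function resolveHashRoute(href, origin) {
  const fragment = href.split('#!')[1];
  if (!fragment) return null;
  // Must be a single-slash path: this rejects "javascript:...", "//host/..."
  // and any absolute URL before the URL parser ever sees the value.
  if (!/^\/(?!\/)[A-Za-z0-9_\-./?=&%]*$/.test(fragment)) return null;
  const target = new URL(fragment, origin);
  // Defence in depth: the parsed result must still sit on our own origin.
  if (target.origin !== new URL(origin).origin) return null;
  return target.href;
}

// Demonstration with the URLs used on the slides.
console.log(buildNextLink('2'));                                              // link for page 2
console.log(buildNextLink('2"><img src=\'a\' onerror=alert(1)>'));            // null: refused
console.log(resolveHashRoute('http://twitter.com#!/WisecWisec', 'http://twitter.com'));
console.log(resolveHashRoute('http://twitter.com#!javascript:icanhascookies()', 'http://twitter.com')); // null
```

The allowlist check runs before the URL constructor on purpose: parsing untrusted input first and then inspecting the result is where scheme and host confusion creeps in, whereas a strict shape check on the raw fragment leaves the parser nothing surprising to handle.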

Client Side Issues - Examples: DEMO

Code Analysis - Manual: minimized client side JavaScript vs. server side Java/C#/whatever. Spot the difference! But automated static analysis can do it... doesn't it?

Code Analysis - Automated static analysis. Problems with minimizers, obfuscators AND JavaScript itself.
Rigid langs, i.e. Java: request.getQueryString(); OK, some coverage can be performed (within the limits of static analysis).
Flexible/dynamic langs - JavaScript: the same source can be reached as
  location.search
  window.location.search
  document.location.search
  window['location']['search']
  window['l'+'o'+'\x63'+'ation'][atob('c2VhcmNo')]
  window[arr[43]][obj['thesearch']]
Very poor coverage. OK, so what about runtime?

Runtime Analysis. Runtime fuzzing: black-box scanning, fault injection with patterns, hoping to reach the sink (dangerous function). Poor coverage, lots of false negatives. Real time taint propagation with instrumentation: while executing, it propagates the "taint" flag. In the JavaScript case, if the browser is "instrumented" there are other pros, like real client state emulation (use Selenium, JSUnit...). OWASP Project: DOMinator by Minded Security
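A toy of the "real time taint propagation" idea, added here as an example and not DOMinator's own code: values read from a DOM source carry a taint mark that survives string operations, and an instrumented sink records a finding when a marked value reaches it. The Tainted class, the join helper and the makeInstrumentedWindow stand-in for window are constructed for the example; the two snippets run through it are the ones from the earlier slides. Because the mark travels with the value rather than with the code that fetched it, it does not matter which alias of the source (location.search, window['location']['search'], ...) the page used, which is the coverage problem the static-analysis slide describes.

```javascript
// Added example, not DOMinator's code: a toy of real time taint propagation.
// Runs under Node.js; no real browser or DOM is involved.

class Tainted {
  constructor(value, sources) {
    this.value = String(value);
    this.sources = sources;            // names of the DOM sources this value derives from
  }
  // Every string operation returns Tainted values so the mark propagates.
  split(sep)    { return this.value.split(sep).map(p => new Tainted(p, this.sources)); }
  slice(a, b)   { return new Tainted(this.value.slice(a, b), this.sources); }
  toString()    { return this.value; }
}

// Concatenate plain strings and Tainted values; the result is tainted if any part is.
function join(parts) {
  const sources = new Set();
  let text = '';
  for (const p of parts) {
    if (p instanceof Tainted) { p.sources.forEach(s => sources.add(s)); text += p.value; }
    else { text += String(p); }
  }
  return sources.size ? new Tainted(text, [...sources]) : text;
}

// Instrumented stand-in for window (constructed for the example): sources hand
// out Tainted values, sinks record a finding whenever a Tainted value reaches them.
function makeInstrumentedWindow(href) {
  const u = new URL(href);
  const findings = [];
  const sink = name => value => {
    if (value instanceof Tainted) {
      findings.push({ sink: name, sources: value.sources, value: value.value });
    }
    return String(value);
  };
  return {
    location: {
      href: new Tainted(u.href, ['location.href']),
      search: new Tainted(u.search, ['location.search']),
    },
    navigate: sink('location'),        // stands in for "location = ..."
    write: sink('document.write'),     // stands in for document.write(...)
    findings,
  };
}

// The Twitter 2010 snippet from the slides, run against the instrumented window.
function runTwitterSnippet(href) {
  const g = makeInstrumentedWindow(href);
  const a = g.location.href.split('#!')[1];
  if (a && a.value) g.navigate(a);
  return g.findings;
}

// The "next Step" document.write snippet from the slides, same treatment.
function runNextLinkSnippet(href) {
  const g = makeInstrumentedWindow(href);
  const nextlink = g.location.search.split('nextid=')[1];
  if (nextlink) g.write(join(['<a href="page', nextlink, '.html">next Step</a>']));
  return g.findings;
}

console.log(runTwitterSnippet('http://twitter.com#!/WisecWisec'));
console.log(runNextLinkSnippet('http://www.vic.tim.com/page.html?nextid=2'));
```

Note that both runs report a finding for perfectly benign input: taint tracking reports that untrusted data can reach a sink, with the chain of sources it came from, and the analyst (or a validation-aware rule) then decides whether whatever sits between source and sink is an adequate check. That is exactly why the talk pairs the tool with "my brain" in the stats that follow.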

Some Stats from 2010-2011: took the first 100 from the Top 1 Million Alexa list. Found several others in the top 1 Million, most of them advertising hosted as 3rd party scripts, for example Omniture, Google AdWords, or widgets, buttons etc. Using DOMinator + my brain I found that 56 out of 100 top Alexa sites were vulnerable to directly exploitable DOM Based XSS, meaning a remote attacker with a reliable scenario.

Conclusions: Client side issues are very hard to find. JavaScript is a language for tough people :) They strongly depend on both client AND server state. It's a quite untested topic: even Google, Microsoft and other big companies have difficulties in identification. Only now, after 8 years, are scanners starting to add some kind of identification technique in order to give some coverage. We need more tools but, more important, we need more brains!

Tnx! ^_^ Q&A Mail: stefano.dipaola@mindedsecurity.com Twitter: wisecwisec