dom-based xss

Download DOM-based XSS

Post on 19-Oct-2014

4.668 views

Category:

Education

1 download

Embed Size (px)

DESCRIPTION

This is our M.Sc. project thesis, attested on the 11.06.2012

TRANSCRIPT

DOM-based XSS Attacks

M.Sc. Project thesis

Zdravko Danailov Krassen Deltchev

zdravko.danailov@rub.de krassen.deltchev@rub.de

Ruhr-University of Bochum

Faculty Of Electrical Engineering And Information Technology

Chair for Network and Data Security Horst-Grtz Institute

Prof. Dr. Jrg Schwenk

First examiner: Prof. Dr. Jrg Schwenk Adviser and Second examiner: Dipl.-Ing. Mario Heiderich

16. April 2012

Abstract Concerning the matter of modern Internet Security, we are obliged to understand the meaning and proper utilization of Web Application Security and Web Services Security. In this paper, we discuss one of the recent and misunderstood problems, related to Web Application Security.In distinction to the standard Web Application Cross-Site Scripting Attack Vector, DOM-based XSS conveys a way to inject malicious payload on Layer 7 ISO/OSI Model on the client-side implementation of the Web-Application logic. Precisely, DOMXSS represents a subclass of this dominant Web Application Attack Vector XSS. Therefore, we observe the comprehensive environmental aspects of DOMXSS; we divide them in two layers Programming environment, which concerns the DOM Abstraction Model, Web-Application coding language and the rendering engine of the Web client (Web-Browser); and Implementation environment the Web Application programming logic and source code.Because of the fact, that this subclass, should be still considered as misapprehended and consequentially systematically avoided by the security and scientific communities, the main objectives of this project thesis are: proposing and evaluating of related categorizations and meta- model, demonstration of case studies and sanitization best practices, and further propositions across the problem DOM-based XSS attacks.

Keywords XSS, DOM-based XSS, DOMXSS, DOM-based XSS taxonomy, Web Application Security, Mobile Security, Web Application Attack Vector, Application Flow Analysis, Function Flow Analysis, Data Flow Analysis, Static Model Checkers, Dynamic Model Checkers, JSLint, Web Application scanners, DOMinator, Security patterns, JavaScript/AJAX Coding Patterns, JavaScript/AJAX Design Patterns, Anti-Patterns, DOM and Web-Browser Patterns, HTML5, Filters, ESAPI4JS, ECMAScript conventions, Secure ECMAScript, Direct Proxies

ContentsAbstract ..................................................................................................................................................List of Tables......................................................................................................................................IVList of Figures......................................................................................................................................VList of Abbreviations.........................................................................................................................VII 1 Introduction .....................................................................................................................................1

1.1 Limitations of the paper............................................................................................................3 2 General approach to DOMXSS and limitations of the paper ..........................................................4

2.1 What is DOM? .........................................................................................................................4 2.2 Types of XSS Attacks...............................................................................................................4

2.2.1 Non-persistent XSS Attacks..............................................................................................5 2.2.2 Persistent XSS Attacks......................................................................................................6

3 DOMXSS Attacks............................................................................................................................9 3.1 Historical reference work..........................................................................................................9 3.2 Explanation of the technical background................................................................................11

3.2.1 Environment and Threat Model......................................................................................11 3.2.2 Classifications.................................................................................................................16 3.2.3 Sources and Sinks...........................................................................................................16 3.2.4 URL obfuscation Encoding/Decoding.........................................................................21 3.2.5 Attack scenarios..............................................................................................................23

3.2.5.1 Case study: Testing environment and educational scenario....................................23 3.2.5.2 Case study: Real time scenario AOL....................................................................26 3.2.5.3 Example: Stored DOMXSS.....................................................................................30 3.2.5.4 Example: JavaScript private functions ...................................................................31

4 Prevention and defense...................................................................................................................35 4.1 Lack of sufficient collaboration between the teams, involved in the Defensive STO Model 37 4.2 Function Flow and Data Flow Analysis..................................................................................41 4.3 JavaScript/AJAX patterns false usage of patterns and conventions ...................................43 4.4 False usage of filters...............................................................................................................48 4.5 Related tools...........................................................................................................................58

4.5.1 Tools' Requirements Rules (TRRs).................................................................................58 4.5.2 Penetration Testing Tools................................................................................................61

4.5.2.1 Static Code Checkers: DOM XSS Scanner.............................................................63 4.5.2.2 Educational Tools: Web Goat (IDE/Framework)....................................................64 4.5.2.3 Dynamic Web-App Scanners: DOMScan...............................................................66 4.5.2.4 Dynamic Web-App Scanners: DOM Tracer (Mozilla Firefox)...............................66 4.5.2.5 Dynamic Web-App Scanners: Web Scarab and Web Scarab-NG...........................67 4.5.2.6 Mixed tools: DOM Snitch.......................................................................................68 4.5.2.7 Mixed tools: DOMinator Project (Mozilla Firefox)................................................69

4.6 Synopsis..................................................................................................................................73 5 Future work....................................................................................................................................75 6 Conclusion......................................................................................................................................77Affirmation.........................................................................................................................................IXBibliography.......................................................................................................................................XIList of Links.....................................................................................................................................XIIIAppendix.........................................................................................................................................XVI

III

List of TablesTable 1: Classification of sources.......................................................................................................19Table 2: Classification of sinks [L7]...................................................................................................20Table 3: Encoding Differences, derived from [L13]..........................................................................22Table 4: Address bar double encoded XSS.........................................................................................22Table 5: Decoding differences, derived from [L13]...........................................................................23Table 6: Scenario types.......................................................................................................................23Table 7: Code fragment of vulnerable to P-DOMXSS Web-Application [L10]................................31Table 8: DOMXSS on private JavaScript function [L25]..................................................................32Table 9: DOMXSS S3MM database proposal....................................................................................33Table 10: Defensive STO Model........................................................................................................36Table 11: A general classification of patterns.....................................................................................44Table 12: Example 1 for an Anti-pattern, a well-known DOMXSS Sink [S10]................................46Table 13: Example 2 for an Anti-pattern, a well-known DOMXSS Sink [S10]................................47Table 14: DOM and Brows