ultimate dom-based xss detection scanner on cloud

24

Ul#mate DOM Based XSS Detec#on Scanner On Cloud Nera W. C. Liu & Albert Yu Paranoids Yahoo

Upload: neraliu

Post on 24-Jan-2017

169 views

Category:

Software

4 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: Ultimate DOM-based XSS Detection Scanner on Cloud

Ul#mate DOM Based XSS Detec#on Scanner On Cloud

Nera W. C. Liu & Albert Yu Paranoids Yahoo

Page 2: Ultimate DOM-based XSS Detection Scanner on Cloud

•  DOM XSS •  Our solu=on •  DEMO!

Agenda

Page 3: Ultimate DOM-based XSS Detection Scanner on Cloud

Who are we What people think we are? What we think we are?

What we actually are?

Page 4: Ultimate DOM-based XSS Detection Scanner on Cloud

DO[r]M XSS

Page 5: Ultimate DOM-based XSS Detection Scanner on Cloud

•  Does not rely on flaws in applica=on containers •  Easier target for aIacker •  Harder for defender to detect See “DOM Based Cross Site Scrip=ng or XSS of the Third Kind”. Amit Klein. 2005. hIp://www.webappsec.org/projects/ar=cles/071105.shtml

“XSS of the 3rd Kind”

Page 6: Ultimate DOM-based XSS Detection Scanner on Cloud

hDp://www.vulnerable.site/welcome.html#foo<script

Page 7: Ultimate DOM-based XSS Detection Scanner on Cloud

Sta#c Analysis

Page 8: Ultimate DOM-based XSS Detection Scanner on Cloud

⌥⌘U

Page 9: Ultimate DOM-based XSS Detection Scanner on Cloud

If that’s not enough

•  Anonymous func=ons •  Dynamic loading

Page 10: Ultimate DOM-based XSS Detection Scanner on Cloud

The Chemistry of DOM what is executable?

Page 11: Ultimate DOM-based XSS Detection Scanner on Cloud

The Chemistry of DOM what is executable?

Page 12: Ultimate DOM-based XSS Detection Scanner on Cloud

DOM XSS DETECTION

Page 13: Ultimate DOM-based XSS Detection Scanner on Cloud

•  Analysis how “an=gen” (untrusted data) get into our “body” (DOM)

What we want to do

Page 14: Ultimate DOM-based XSS Detection Scanner on Cloud

char*

•  All arithme=c opera=ons need to be overridden

•  Enable to propagate through different context (HTML/CSS/JS)

Page 15: Ultimate DOM-based XSS Detection Scanner on Cloud

Tainted Phantomjs

•  Hacking the JavaScriptCore and WebKit engine by propaga=ng the tainted signal during the javascript execu=on.

Page 16: Ultimate DOM-based XSS Detection Scanner on Cloud

Source code of Tainted PhantomJS

sink – document.write

Source – loca=on.href

Sink – document.writeln

Propaga=on – String.concat

Page 17: Ultimate DOM-based XSS Detection Scanner on Cloud

Flow Analysis

Page 18: Ultimate DOM-based XSS Detection Scanner on Cloud

•  [screenshots]

Flow Analysis

Page 19: Ultimate DOM-based XSS Detection Scanner on Cloud

False alarm rate = non-‐issues / issues reported More you fix, the higher the false alarm rate Our ul=mate goal:

0 false alarm = 0% rate!

Usable Security

Page 20: Ultimate DOM-based XSS Detection Scanner on Cloud

Benchmark and Comparisons peak memory usage

The tainted logic performance hit is negligible!

The average peak memory usage

Page 21: Ultimate DOM-based XSS Detection Scanner on Cloud

DEMO hIp://www.youtube.com/watch?v=VU3YnAwc2Ag

Page 22: Ultimate DOM-based XSS Detection Scanner on Cloud

•  hIp://www.flickr.com/photos/58053205@N06/6999839463/ •  hIp://www.flickr.com/photos/67272961@N03/6123892769/ •  hIp://upload.wikimedia.org/wikipedia/commons/7/75/UCLA_dorm_room.JPG •  hIp://www.flickr.com/photos/44124348109@N01/4682168995/ •  hIp://www.flickr.com/photos/15923063@N00/3150765076/ •  hIp://www.flickr.com/photos/88063120@N00/3529818070/ •  hIp://en.wikipedia.org/wiki/File:Angiome_annulaire.JPG •  hIp://www.flickr.com/photos/free-‐stock/4817475664/ •  hIp://www.flickr.com/photos/78428166@N00/9604922912/

Crea#ve Commons

Page 23: Ultimate DOM-based XSS Detection Scanner on Cloud

THANK YOU!

Page 24: Ultimate DOM-based XSS Detection Scanner on Cloud

Dom XSS: Encounters of the3rd kind

Unraveling some of the Mysteries around DOM-based XSS · PDF fileUnraveling some of the Mysteries around DOM-based XSS Dave Wichers Aspect Security, COO OWASP Board Member OWASP Top

CSP - the panacea for XSS - owasp.org another security blogger . XSS. 4 XSS ... Over 12 million email messages daily ... CSP Based IDS Magic XSS XSS XSS Test & Fix . 29

Universal XSS via IE8s XSS Filters - Black Hat | Home

XSS - brutelogic.com.brbrutelogic.com.br/docs/XSS-FTW.pdf · Agenda Fast Intro to XSS Dangers of XSS Virtual Defacement LSD - Leakage, Spying and Deceiving Account Stealing Memory

Srikar Nadipally. Outline Finding and Exploiting XSS Vulnerabilities Standard Reflected XSS Stored XSS DOM based XSS Prevention of XSS attack Reflect

Unraveling some of the Mysteries around DOM-based XSS · 2020-01-17 · Unraveling some of the Mysteries around DOM-based XSS Dave Wichers Aspect Security, COO OWASP Boardmember OWASP

Combinatorial XSS Attack Grammars - SBA Research · Combinatorial XSS Attack Grammars XSS Vectors for ... SBA Research April 10, 2015 SBA Research, Vienna. Outline Introduction XSS

Breaking XSS mitigations - 2017.appsec.eu€™t trust the DOM... · Despite considerable effort XSS is a widespread and unsolved issue. Data point: 70% of vulnerabilities in Google

HTML5 and Security - UTF-8utf-8.jp/public/20140908/owasp-hasegawa.pdf · 2014-09-09 · HTML5 and Security Part 4 : DOM based XSS HTML5セキュリティその4 : DOM based XSS編

INJECTING SECURITY - hackinparis.com · INJECTING SECURITY ... Templates escapes User Input - Just HTML Escape -> XSS ... Preventing DOM XSS. RASP BY API INSTRUMENTATION AND DYNAMIC

Unraveling some of the Mysteries around DOM-based XSS ... · Unraveling some of the Mysteries around DOM-based XSS @ AppSec USA 2012 –Austin, TX Dave Wichers Aspect Security, COO

DOM Based XSS and Proper Output Encoding By Abraham Kang Principal Security Researcher HP Fortify

Client Side Injection on Web Applications · DOM-Based Client Side Scripting Vulnerability Dom-Based XSS is an XSS attack that payload will inject by modifying the web page DOM Elements

Analyzing DoM xss with Dominator

faculty.scf.edufaculty.scf.edu/bodeJ/CIS2352/Supplemental Chapter... · Web viewNStalker is a WebApp security scanner used to search for vulnerabilities such as SQL injection, XSS,

Analysis and Identification of DOM Based XSS Issues

Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)

Client-Side Protection Against DOM-based XSS Done Right (TM)

XSS Lightsabre techniques using Hackvertor. What is Hackvertor? Tag based conversion tool Javascript property checker Javascript/HTML execution DOM browser

Pentestlab — Eingabe/Ausgabe-Validierung - TU Dresden · DOM-Based XSS • Ausnutzung von Lücken in Skripten, die eine Web-Seite mittels DOM-Zugriff verändern • Üblicherweise

Analysis and Identification of DOM Based XSS Issues · 2012-01-25 · Analysis and Identification of DOM Based XSS Issues Stefano di Paola CTO @ Minded Security [email protected]

Auto-patching DOM-Based XSS at Scale

NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner

25 Million Flows Later – Large-scale Detection of DOM-based XSS

Advanced(XSS(Defense - Previous - SecAppDev Manico/SecAppDe… · DOM XSS is triggered when a victim interacts with a web page directly without causing the page to reload. ! Difficult

The Future of Web Application Security · The Future of Web Application Security W3Conf, November 15 & 16, ... Omniture, more… DOM XSS Sources: –document.URL

Xss Desvendado!

DOM Based XSS and Proper Output Encoding

DOM-based XSS Attacks

Universal XSS via IE8s XSS Filters - Black Hat Briefings · Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides: