Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Published on

ClubHack 2011 Hacking and Security Conference.
Talk - DOM XSS - Encounters of 3rd Kind
Speaker - Bishan Singh Kochher

Published in: Technology

Transcript

  • 1. DOM XSS: ENCOUNTERS OF THE 3RD KIND
  • 2. OBJECTIVES
  • 3. UNDERSTANDING DOM
  • 4. COMPLEX BROWSER CONTEXTS
    JavaScript URI XSS
    HTML->DOM->HTML Auto Decoding (to be covered in Demo#7)
    JavaScript Auto Decoding (not covered. Similar to Demo#7)
    Ref: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
  • 5. WHY WORRY?
    Who is safe? Those who write quality code – DOM Construction and Input Sanitization
    But, could they (YUI/jQuery/Browsers) do better? Yes, MY WISHLIST:
    - make it easier to do the right thing
    - Warn on unsafe & abuse-able APIs
    - Provide in-function sanitization capability
    (Aah, context-sensitive auto-sanitization would be great, but let's not be too optimistic ATM)
    Predicted to be one of the top 5 security issues for 2011
    http://jeremiahgrossman.blogspot.com/2011/02/top-ten-web-hacking-techniques-of-2011.html
    Native APIs & Frameworks do not protect. Context, performance & security are an afterthought.
    IBM found 2370 vulnerabilities on 92 sites out of 850 Fortune 500
    http://public.dhe.ibm.com/common/ssi/ecm/en/raw14252usen/RAW14252USEN.PDF
    (They released a commercial add-on to AppScan called JSA. Not available for eval yet)
    Minded Security found 56 out of Alexa top 100 sites vulnerable
    http://blog.mindedsecurity.com/2011/05/dominator-project.html
    (They also released a free tool - DOMinator, we will eval that)
  • 6. SAMPLE #1: DOM XSS (WITH DOMINATOR)
    Q#1: New? No, first discovered by Amit Klein in 2005 www.webappsec.org/projects/articles/071105.shtml
    Q#2: Then why now? Because code shifted client side - RIA, AJAX, Web2.0
    Q#3: What are the tools?
    - Do you think they solve the problem?
    - Clever people solve, wise avoid. Code Defensively
    - Anyways DOMinator and AppScan appear to do a bit but not enough
  • 7. SAMPLE #1: WHAT WENT WRONG? WHAT WOULD HAVE SAVED THE DAY?
    Taint Sources (Direct or Indirect)
    Taint Sinks (eval, location.replace)
    Defensive Coding
    Taint Sources & Sinks: http://code.google.com/p/domxsswiki/wiki/Introduction
  • 8. SAMPLE #2: NOT IN VIEW SOURCE
    Myth#1: we have default framework auto-sanitization at the server
    – Server-side auto-sanitization like PHP Filter will not protect
    – It has no way of intercepting the DOM
  • 9. SAMPLE #2: GENERATED SOURCE DOES SHOW
  • 10. SAMPLE #2: DOMINATOR FALSE NEGATIVE
  • 11. SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
  • 12. SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
  • 13. SAMPLE #4: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS! (DOMINATOR DIDN’T CATCH THIS ONE EITHER)
  • 14. SAMPLE #5: YOU DON’T NECESSARILY NEED FILTERING. YUI / NATIVE JS API (INNERTEXT) / OTHERS LET YOU PLAY SAFE. THIS IS CALLED DOM CONSTRUCTION
  • 15. SAMPLE #5: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
  • 16. SAMPLE #6: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
  • 17. SAMPLE #7: BEWARE OF AUTO-DECODING. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. INSECURE CODING / INSUFFICIENT FILTERING IS! (ANOTHER THING DOMINATOR DIDN’T CATCH)
    Myth#2: I encoded server-side, right?
    – Exception. When DOM and HTML are mixed they tend to explode
    – HTML->DOM->HTML means a switch of context and browser auto-decoding
  • 18. THANKS FOLKS…
    bish@route13.in, twitter: b1shan
    yukinying@gmail.com, twitter: yukinying
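As an added example (not part of the slides), the point of slides 14 and 17 in working JavaScript: server-side encoding is undone the moment the browser parses the value into the DOM, so a client-side template that concatenates that value into an innerHTML-style sink turns it back into markup, whereas escaping at the sink, in the sink's context, keeps it as text. decodeEntities is a constructed stand-in for the browser's HTML parser (a real page reads the already-decoded value via textContent or getAttribute), and the sample value is made up.

```javascript
// Added example, not from the slides: why server-side encoding does not
// survive an HTML->DOM->HTML round trip, and why the sink must do the escaping.
// decodeEntities() is a constructed stand-in for what the browser's HTML
// parser does when it builds DOM text/attribute nodes.
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };

function decodeEntities(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => ENTITIES[name]);
}

// Context-aware escaping for the HTML text / attribute-value context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// "DOM templating": builds markup by string concatenation and hands it to an
// innerHTML-style sink. Whatever the value contains becomes markup.
function renderTemplateUnsafe(displayName) {
  return '<span class="user">' + displayName + '</span>';
}

// Same template, but escaped at the sink, in the sink's context.
function renderTemplateSafe(displayName) {
  return '<span class="user">' + escapeHtml(displayName) + '</span>';
}

// Myth #2 from slide 17: the server encoded the value into the initial HTML,
// the page later reads it back from the DOM (already decoded) and re-templates it.
function roundTrip(serverEncodedValue, render) {
  const domValue = decodeEntities(serverEncodedValue); // what the DOM holds
  return render(domValue);
}

// Constructed sample: a display name containing markup, as the server
// would have encoded it into the page.
const SERVER_ENCODED = '&lt;b&gt;Mallory&lt;/b&gt;';

function demo() {
  return {
    unsafe: roundTrip(SERVER_ENCODED, renderTemplateUnsafe), // markup is back
    safe: roundTrip(SERVER_ENCODED, renderTemplateSafe),     // stays text
  };
}
```

With DOM construction (createTextNode / textContent) the escaping step is not needed at all, because the value never passes through the HTML parser.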