Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)

ClubHack 2011 Hacking and Security Conference.
Talk - DOM XSS - Encounters of 3rd Kind
Speaker - Bishan Singh Kochher


  1. DOM XSS: ENCOUNTERS OF THE 3RD KIND
  2. OBJECTIVES
  3. UNDERSTANDING DOM
  4. COMPLEX BROWSER CONTEXTS: JavaScript URI XSS; HTML->DOM->HTML Auto Decoding (to be covered in Demo#7); JavaScript Auto Decoding (not covered, similar to Demo#7). Ref: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
  5. WHY WORRY? Who is safe? Those who write quality code – DOM Construction and Input Sanitization. But could they (YUI/jQuery/Browsers) do better? Yes. MY WISHLIST: make it easier to do the right thing; warn on unsafe & abuse-able APIs; provide in-function sanitization capability (Aah, context-sensitive auto-sanitization would be great, but let’s not be too optimistic ATM). Predicted to be one of the top 5 security issues for 2011: http://jeremiahgrossman.blogspot.com/2011/02/top-ten-web-hacking-techniques-of-2011.html. Native APIs & Frameworks do not protect: context, performance & security are an afterthought. IBM found 2370 vulnerabilities on 92 sites out of 850 Fortune 500: http://public.dhe.ibm.com/common/ssi/ecm/en/raw14252usen/RAW14252USEN.PDF (They released a commercial add-on to AppScan called JSA. Not available for eval yet). Minded Security found 56 out of Alexa top 100 sites vulnerable: http://blog.mindedsecurity.com/2011/05/dominator-project.html (They also released a free tool, DOMinator; we will eval that).
  6. SAMPLE #1: DOM XSS (WITH DOMINATOR). Q#1: New? No, first discovered by Amit Klein in 2005: www.webappsec.org/projects/articles/071105.shtml. Q#2: Then why now? Because code shifted client side – RIA, AJAX, Web2.0. Q#3: What are the tools? Do you think they solve the problem? Clever people solve, wise avoid. Code Defensively. Anyway, DOMinator and AppScan appear to do a bit, but not enough.
  7. SAMPLE #1: WHAT WENT WRONG? WHAT WOULD HAVE SAVED THE DAY? Taint Sources (Direct or Indirect); Taint Sinks (eval, location.replace); Defensive Coding. Taint Sources & Sinks: http://code.google.com/p/domxsswiki/wiki/Introduction
  8. SAMPLE #2: NOT IN VIEW SOURCE. Myth#1: we have default framework auto-sanitization at the server – Server-side auto-sanitization like PHP Filter will not protect – It has no way of intercepting the DOM.
  9. SAMPLE #2: GENERATED SOURCE DOES SHOW
  10. SAMPLE #2: DOMINATOR FALSE NEGATIVE
  11. SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
  12. SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
  13. SAMPLE #4: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS! (DOMINATOR DIDN’T CATCH THIS ONE EITHER)
  14. SAMPLE #5: YOU DON’T NECESSARILY NEED FILTERING. YUI / NATIVE JS API (INNERTEXT) / OTHERS LET YOU PLAY SAFE. THIS IS CALLED DOM CONSTRUCTION.
  15. SAMPLE #5: BEWARE OF CONTEXTS. AGAIN, YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT-INSENSITIVE FILTERING IS!
  16. SAMPLE #6: BEWARE OF CONTEXTS. AGAIN, YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT-INSENSITIVE FILTERING IS!
  17. SAMPLE #7: BEWARE OF AUTO-DECODING. AGAIN, YUI / NATIVE JS API / OTHERS ARE NOT BAD. INSECURE CODING / INSUFFICIENT FILTERING IS! (ANOTHER THING DOMINATOR DIDN’T CATCH). Myth#2: I encoded server-side, right? – Exception: when DOM and HTML are mixed they tend to explode – HTML->DOM->HTML means switching of context and browser auto-decoding.
  18. THANKS FOLKS… bish@route13.in, yukinying@gmail.com, twitter: b1shan, twitter: yukinying
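The HTML->DOM->HTML round trip behind Myth#2 and the "beware of contexts" slides, as an added example that is not from the talk: the server's encoding is undone when the browser parses the page, so a value read back from the DOM and concatenated into markup carries its original characters, and only encoding at the sink, once per context it enters (HTML text, then a JS string inside an attribute), holds up. The browser's parser is simulated by a small decodeEntities() helper; the show() handler and the data-name attribute are assumed names.

```javascript
// Added illustration (not from the slides): the HTML -> DOM -> HTML round trip
// behind Myth#2, and encoding at the sink for the context the value enters.
// Runs under Node; the browser's entity decoding is simulated by decodeEntities(),
// a stand-in for what element.getAttribute() / .textContent hand back to script.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text node or double-quoted attribute context.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Encode for a JS string-literal context: escape everything non-alphanumeric.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch => {
    const code = ch.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Browser simulation: entities are decoded on parse, so the DOM holds the ORIGINAL
// string. Whatever the server encoded is gone by the time client-side JS reads it.
function decodeEntities(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// DOM templating, unsafe: the value read from the DOM is concatenated into markup as-is.
function templateUnsafe(v) {
  return '<div class="name">' + v + '</div>';
}

// Same template with encoding at the sink, once per context: HTML text, and a JS
// string inside an HTML attribute (JS-encode first, then HTML-encode the result).
function templateSafe(v) {
  return '<div class="name" onclick="show(\'' + encodeForHtml(encodeForJsString(v)) + '\')">'
    + encodeForHtml(v) + '</div>';
}

// One untrusted value through the whole trip: server encodes once, client reads it back.
function roundTrip(untrusted) {
  const serverHtml = '<span data-name="' + encodeForHtml(untrusted) + '"></span>';
  const fromDom = decodeEntities(/data-name="([^"]*)"/.exec(serverHtml)[1]); // getAttribute()
  return { fromDom, unsafe: templateUnsafe(fromDom), safe: templateSafe(fromDom) };
}

const SAMPLE = '<b>Bob</b> & "friends"'; // constructed untrusted input
console.log(roundTrip(SAMPLE));
```

In a real page the same logic applies with element.textContent / createElement (DOM construction) in place of the string building in templateSafe; the point is that the encoding step sits at the sink, not at the server.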
