SlideShare a Scribd company logo

Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)

ClubHack
ClubHack

ClubHack 2011 Hacking and Security Conference. Talk - DOM XSS - Encounters of 3rd Kind Speaker - Bishan Singh Kochher

Technology
1 of 18
Download to read offline
DOM XSS: ENCOUNTERS OF THE 3RD KIND
OBJECTIVES
UNDERSTANDING DOM
COMPLEX BROWSER CONTEXTS JavaScript URI XSS HTML->DOM->HTML Auto Decoding (to be covered in Demo#7) JavaScript Auto Decoding (not covered. Similar to Demo#7) Ref: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
WHY WORRY? Who is safe? Those who write quality code – DOM Construction and Input Sanitization But, could they (YUI/jQuery/Browsers) do better? Yes, MY WISHLIST - make it easier to do the right thing - Warn on unsafe & abuse-able APIs - Provide in-function sanitization capability Predicted to be one of the top 5 (Aah, context-sensitive auto-sanitization would be security issues for 2011 great, but let’s not be too optimistic ATM) http://jeremiahgrossman.blogspot .com/2011/02/top-ten-web- Native APIs & Frameworks do no protect. Context, hacking-techniques-of-2011.html performance & security after thought. IBM found 2370 vulnerabilities on 92 sites out of Minded Security found 56 out of 850 Fortune 500 Alexa top 100 sites vulnerable http://public.dhe.ibm.com/common/ssi/ecm/en/raw http://blog.mindedsecurity.com/20 14252usen/RAW14252USEN.PDF 11/05/dominator-project.html (They released a commercial add-on to AppScan (They also released a free tool - called JSA. Not available for eval yet) DOMinator, we will eval that)
SAMPLE #1: DOM XSS (WITH DOMINATOR) Q#1: New? No, first discovered by Amit Klein in 2005 www.webappsec.org/projects/articles/071105.shtml Q#2: Then why now? Because code shifted client side - RIA, AJAX, Web2.0 Q#3; What are the tools? - Do you think they solve the problem? - Clever people solve, wise avoid. Code Defensively - Anyways DOMinator and AppScan appear to do a bit but not enough
SAMPLE #1: WHAT WENT WRONG? WHAT WOULD HAVE SAVED THE DAY? Taint Sources (Direct or Indirect) Taint Sinks (eval, location.replace) Defensive Coding Taint Sources & Sinks: http://code.google.com/p/domxsswiki/wiki/Introduction
SAMPLE #2: NOT IN VIEW SOURCE Myth#1 : we have default framework auto-sanitization at the server – Sever-side auto-sanitization like PHP Filter will not protect – They has no way of intercepting DOM
SAMPLE #2: GENERATED SOURCE DOES SHOW
SAMPLE #2: DOMINATOR FALSE NEGATIVE
SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
SAMPLE #4: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS! (DOMINATOR DIDN’T CATCH THIS ONE TOO)
SAMPLE #5: YOU DON’T NECESSARILY NEED FILTERING. YUI / NATIVE JS API (INNERTEXT) / OTHERS LET YOU PLAY SAFE. THIS IS CALLED DOM CONSTRUCTION
SAMPLE #5: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
SAMPLE #6: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
SAMPLE #7: BEWARE OF AUTO-DECODING. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. INSECURE CODING / INSUFFICIENT FILTERING IS! (ANOTHER THING DOMINATOR DIDN’T CATCH) Myth#2 : I encoded server-side right? – Exception. When DOM and HTML are mixed they tend to explode – HTML->DOM->HTML means switching of context and browser auto decoding
THANKS FOLKS… bish@route13.in yukinying@gmail.com twitter:b1shan twitter: yukinying

Recommended

NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
NullCon 2012 - Ra.2: blackbox DOM-based XSS scannerNullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
Nishant Das Patnaik
 
Dom based xss
Dom based xssDom based xss
Dom based xss
Lê Giáp
 
Advanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFAdvanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRF
johnwilander
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
Piyush Pattanayak
 
JSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problemsJSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problems
titanlambda
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons Learned
Kazuho Oku
 
Web Development with Smalltalk
Web Development with SmalltalkWeb Development with Smalltalk
Web Development with Smalltalk
Mariano Martínez Peck
 
AJAX - An introduction
AJAX - An introductionAJAX - An introduction
AJAX - An introduction
Eleonora Ciceri
 

Recommended

NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
NullCon 2012 - Ra.2: blackbox DOM-based XSS scannerNullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner
Nishant Das Patnaik
 
Dom based xss
Dom based xssDom based xss
Dom based xss
Lê Giáp
 
Advanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRFAdvanced CSRF and Stateless Anti-CSRF
Advanced CSRF and Stateless Anti-CSRF
johnwilander
 
Postcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration nullPostcards from the post xss world- content exfiltration null
Postcards from the post xss world- content exfiltration null
Piyush Pattanayak
 
JSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problemsJSON Fuzzing: New approach to old problems
JSON Fuzzing: New approach to old problems
titanlambda
 
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedJSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons Learned
Kazuho Oku
 
Web Development with Smalltalk
Web Development with SmalltalkWeb Development with Smalltalk
Web Development with Smalltalk
Mariano Martínez Peck
 
AJAX - An introduction
AJAX - An introductionAJAX - An introduction
AJAX - An introduction
Eleonora Ciceri
 
HTML5 - An introduction
HTML5 - An introductionHTML5 - An introduction
HTML5 - An introduction
Eleonora Ciceri
 
Dynamic content generation
Dynamic content generationDynamic content generation
Dynamic content generation
Eleonora Ciceri
 
How to make Ajax work for you
How to make Ajax work for youHow to make Ajax work for you
How to make Ajax work for you
Simon Willison
 
Wt unit 6 ppts web services
Wt unit 6 ppts web servicesWt unit 6 ppts web services
Wt unit 6 ppts web services
PUNE VIDYARTHI GRIHA'S COLLEGE OF ENGINEERING, NASHIK
 
High Performance Ajax Applications
High Performance Ajax ApplicationsHigh Performance Ajax Applications
High Performance Ajax Applications
Julien Lecomte
 
Metaprogramming JavaScript
Metaprogramming JavaScriptMetaprogramming JavaScript
Metaprogramming JavaScript
danwrong
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
n|u - The Open Security Community
 
Java script Session No 1
Java script Session No 1Java script Session No 1
Java script Session No 1
Saif Ullah Dar
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Flask jwt authentication tutorial
Flask jwt authentication tutorialFlask jwt authentication tutorial
Flask jwt authentication tutorial
Katy Slemon
 
Advanced Json
Advanced JsonAdvanced Json
Advanced Json
guestfd7d7c
 
Introduction to JavaScript
Introduction to JavaScriptIntroduction to JavaScript
Introduction to JavaScript
Marlon Jamera
 
Java scipt
Java sciptJava scipt
Java scipt
Ashish Gajjar Samvad Cell
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
Mario Heiderich
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
James Pearce
 
JavaScript
JavaScriptJavaScript
JavaScript
Ivano Malavolta
 
RESTful Web Services with Spring MVC
RESTful Web Services with Spring MVCRESTful Web Services with Spring MVC
RESTful Web Services with Spring MVC
digitalsonic
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 
Html javascript
Html javascriptHtml javascript
Html javascript
Soham Sengupta
 
Dom XSS: Encounters of the3rd kind
Dom XSS: Encounters of the3rd kindDom XSS: Encounters of the3rd kind
Dom XSS: Encounters of the3rd kind
Bishan Singh
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
guestfdcb8a
 

More Related Content

What's hot

Dynamic content generation
Dynamic content generationDynamic content generation
Dynamic content generation
Eleonora Ciceri
 
High Performance Ajax Applications
High Performance Ajax ApplicationsHigh Performance Ajax Applications
High Performance Ajax Applications
Julien Lecomte
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
Mario Heiderich
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
James Pearce
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
mirahman
 

What's hot (20)

HTML5 - An introduction
HTML5 - An introductionHTML5 - An introduction
HTML5 - An introduction
 
Dynamic content generation
Dynamic content generationDynamic content generation
Dynamic content generation
 
How to make Ajax work for you
How to make Ajax work for youHow to make Ajax work for you
How to make Ajax work for you
 
Wt unit 6 ppts web services
Wt unit 6 ppts web servicesWt unit 6 ppts web services
Wt unit 6 ppts web services
 
High Performance Ajax Applications
High Performance Ajax ApplicationsHigh Performance Ajax Applications
High Performance Ajax Applications
 
Metaprogramming JavaScript
Metaprogramming JavaScriptMetaprogramming JavaScript
Metaprogramming JavaScript
 
Secure java script-for-developers
Secure java script-for-developersSecure java script-for-developers
Secure java script-for-developers
 
Java script Session No 1
Java script Session No 1Java script Session No 1
Java script Session No 1
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Flask jwt authentication tutorial
Flask jwt authentication tutorialFlask jwt authentication tutorial
Flask jwt authentication tutorial
 
Advanced Json
Advanced JsonAdvanced Json
Advanced Json
 
Introduction to JavaScript
Introduction to JavaScriptIntroduction to JavaScript
Introduction to JavaScript
 
Java scipt
Java sciptJava scipt
Java scipt
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating FrameworksJSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks
 
HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1HTML5 and the dawn of rich mobile web applications pt 1
HTML5 and the dawn of rich mobile web applications pt 1
 
JavaScript
JavaScriptJavaScript
JavaScript
 
RESTful Web Services with Spring MVC
RESTful Web Services with Spring MVCRESTful Web Services with Spring MVC
RESTful Web Services with Spring MVC
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Html javascript
Html javascriptHtml javascript
Html javascript
 

Similar to Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)

Dom XSS: Encounters of the3rd kind
Dom XSS: Encounters of the3rd kindDom XSS: Encounters of the3rd kind
Dom XSS: Encounters of the3rd kind
Bishan Singh
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
Minded Security
 
The Enemy On The Web
The Enemy On The WebThe Enemy On The Web
The Enemy On The Web
Bishan Singh
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScript
d0nn9n
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
Yury Chemerkin
 
Lab-12 Social Engineering and Physical Security The firs.docx
Lab-12 Social Engineering and Physical Security The firs.docxLab-12 Social Engineering and Physical Security The firs.docx
Lab-12 Social Engineering and Physical Security The firs.docx
pauline234567
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 

Similar to Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher) (20)

Dom XSS: Encounters of the3rd kind
Dom XSS: Encounters of the3rd kindDom XSS: Encounters of the3rd kind
Dom XSS: Encounters of the3rd kind
 
2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA2 Roads to Redemption - Thoughts on XSS and SQLIA
2 Roads to Redemption - Thoughts on XSS and SQLIA
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
The Enemy On The Web
The Enemy On The WebThe Enemy On The Web
The Enemy On The Web
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysis
 
Douglas - Real JavaScript
Douglas - Real JavaScriptDouglas - Real JavaScript
Douglas - Real JavaScript
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Lab-12 Social Engineering and Physical Security The firs.docx
Lab-12 Social Engineering and Physical Security The firs.docxLab-12 Social Engineering and Physical Security The firs.docx
Lab-12 Social Engineering and Physical Security The firs.docx
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 
Layer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdfLayer7-WebServices-Hacking-and-Hardening.pdf
Layer7-WebServices-Hacking-and-Hardening.pdf
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 

More from ClubHack

The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
ClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
ClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
ClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
ClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
ClubHack
 

More from ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 

Recently uploaded

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)

  • 1. DOM XSS: ENCOUNTERS OF THE 3RD KIND
  • 4. COMPLEX BROWSER CONTEXTS JavaScript URI XSS HTML->DOM->HTML Auto Decoding (to be covered in Demo#7) JavaScript Auto Decoding (not covered. Similar to Demo#7) Ref: http://www.cs.berkeley.edu/~dawnsong/papers/2011%20systematic%20analysis%20xss
  • 5. WHY WORRY? Who is safe? Those who write quality code – DOM Construction and Input Sanitization But, could they (YUI/jQuery/Browsers) do better? Yes, MY WISHLIST - make it easier to do the right thing - Warn on unsafe & abuse-able APIs - Provide in-function sanitization capability Predicted to be one of the top 5 (Aah, context-sensitive auto-sanitization would be security issues for 2011 great, but let’s not be too optimistic ATM) http://jeremiahgrossman.blogspot .com/2011/02/top-ten-web- Native APIs & Frameworks do no protect. Context, hacking-techniques-of-2011.html performance & security after thought. IBM found 2370 vulnerabilities on 92 sites out of Minded Security found 56 out of 850 Fortune 500 Alexa top 100 sites vulnerable http://public.dhe.ibm.com/common/ssi/ecm/en/raw http://blog.mindedsecurity.com/20 14252usen/RAW14252USEN.PDF 11/05/dominator-project.html (They released a commercial add-on to AppScan (They also released a free tool - called JSA. Not available for eval yet) DOMinator, we will eval that)
  • 6. SAMPLE #1: DOM XSS (WITH DOMINATOR) Q#1: New? No, first discovered by Amit Klein in 2005 www.webappsec.org/projects/articles/071105.shtml Q#2: Then why now? Because code shifted client side - RIA, AJAX, Web2.0 Q#3; What are the tools? - Do you think they solve the problem? - Clever people solve, wise avoid. Code Defensively - Anyways DOMinator and AppScan appear to do a bit but not enough
  • 7. SAMPLE #1: WHAT WENT WRONG? WHAT WOULD HAVE SAVED THE DAY? Taint Sources (Direct or Indirect) Taint Sinks (eval, location.replace) Defensive Coding Taint Sources & Sinks: http://code.google.com/p/domxsswiki/wiki/Introduction
  • 8. SAMPLE #2: NOT IN VIEW SOURCE Myth#1 : we have default framework auto-sanitization at the server – Sever-side auto-sanitization like PHP Filter will not protect – They has no way of intercepting DOM
  • 9. SAMPLE #2: GENERATED SOURCE DOES SHOW
  • 10. SAMPLE #2: DOMINATOR FALSE NEGATIVE
  • 11. SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
  • 12. SAMPLE #3: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS!
  • 13. SAMPLE #4: YUI / JQUERY ISN’T BAD. DOM TEMPLATING IS! (DOMINATOR DIDN’T CATCH THIS ONE TOO)
  • 14. SAMPLE #5: YOU DON’T NECESSARILY NEED FILTERING. YUI / NATIVE JS API (INNERTEXT) / OTHERS LET YOU PLAY SAFE. THIS IS CALLED DOM CONSTRUCTION
  • 15. SAMPLE #5: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
  • 16. SAMPLE #6: BEWARE OF CONTEXTS. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. NO FILTERING / CONTEXT INSENSITIVE FILTERING IS!
  • 17. SAMPLE #7: BEWARE OF AUTO-DECODING. AGAIN YUI / NATIVE JS API / OTHERS ARE NOT BAD. INSECURE CODING / INSUFFICIENT FILTERING IS! (ANOTHER THING DOMINATOR DIDN’T CATCH) Myth#2 : I encoded server-side right? – Exception. When DOM and HTML are mixed they tend to explode – HTML->DOM->HTML means switching of context and browser auto decoding
  • 18. THANKS FOLKS… bish@route13.in yukinying@gmail.com twitter:b1shan twitter: yukinying