Dom based xss
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Dom based xss

on

  • 438 views

 

Statistics

Views

Total Views
438
Views on SlideShare
438
Embed Views
0

Actions

Likes
0
Downloads
7
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • World Wide Web Consortium (W3C), is a group development of standards for the World Wide Web , which internet browsers and web developers will follow.Môhìnhnàythểhiệntàiliệudướidạngcấutrúccâyphâncấp. Tấtcảcácthànhphầntrong HTML, XML đềuđượcxemnhưmột node). Thaotácdữliệu (manipulate data): thêm, xóa, sửadữliệu.
  • Kỹ thuật XSS được thực hiện dựa trên việc chèn các đoạn script nguy hiểm vào trong source code ứng dụng web. Nhằm thực thi các đoạn mã độc Javascript để thựchiện ý đồxấu.
  • third kind of XSS attacks - the ones that do not rely on sending the malicious data to the server in the first place!
  • It is not uncommon to find an application HTML page containing Javascript code that parses (phângiải)the URL line (by accessing document.URL or document.location) and performs some client side logic according to it. The below is an example to such logic.
  • (static!) HTML page. The victim’s browser then starts parsing this HTML into DOM. When the parser arrives to the Javascript code, it executes it and it modifies the raw HTML of the page. In this case, the code references document.URL, and so, a part of this string is embedded at parsing time in the HTML, which is then immediately parsed and the Javascript code found (alert(…)) is executed in the context of the same page, hence the XSS condition.
  • NOTE: This exploit only works if the browser does not modify the URL characters. Mozilla automatically encodes < and > (into %3C and %3E, respectively) in the document.URL when the URL is not directly typed at the address bar, and therefore it is not vulnerable to the attack as shown in the example. It is vulnerable to attacks if < and > are not needed (in raw form). Microsoft Internet Explorer 6.0 does not encode < and >, and is therefore vulnerable to the attack as-is. Of course, embedding in the HTML directly is just one attack mount point, there are various scenarios that do not require < and >, and therefore Mozilla in general is not immune from this attack.XSS Test
  • In the above example, it may be argued that still, the payload did arrive to the server (in the query part of the HTTP request), and so it can be detected just like any other XSS attack. But even that can be taken care of. The string beyond # sign is a fragment, not part of an actual query, that is not sent to server. Therefore, the server will get only a query string without the malicious part of the input data. As a resuilt, many strong XSS filters at server-side do not even recognize such attacks. Since most of detectors and firewalls ignore client-side pages, they are inherently not able to detect DOM-based XSS. To handle DOM-based XSS, we need to concentrate on client-side HTML pages rather than server-side pages.
  • Headless browser (that is, a browser that runs without a GUI, allowing you to navigate the web and interact with web pages from your terminal). Engine trìnhduyệt
  • Various test frameworks such as Jasmine, Capybara, QUnit, Mocha, WebDriver and many others are supported.

Dom based xss Presentation Transcript

  • 1. DOM BASED XSS AND DETECTION
  • 2. CONTENT About DOM Based XSS. • What is DOM?? • What is XSS?? • DOM Based XSS?? How DOM Based XSS works?? DOM Based XSS detection. • General analysis. • PhantomJS. • Tainted PhantomJS
  • 3. ABOUT DOM BASED XSS
  • 4. ABOUT DOM BASED XSS: WHAT IS DOM?? Definition: is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents (As World Wide Web Consortium (W3C))
  • 5. ABOUT DOM BASED XSS: WHAT IS DOM?? Definition of HTML DOM: The HTML DOM is a standard object model and programming interface for HTML. It defines: • The HTML elements as objects • The properties of all HTML elements • The methods to access all HTML elements • The events for all HTML elements. When a web page is loaded, the browser creates a Document Object Model of the page.
  • 6. ABOUT DOM BASED XSS: WHAT IS DOM?? The HTML DOM model is constructed as a tree of Objects: The HTML DOM is a standard for how to get, change, add, or delete HTML elements. With the object model, JavaScript gets all the power it needs to create dynamic HTML.
  • 7. ABOUT DOM BASED XSS: WHAT IS XSS?? Original definition: vulnerability wherein one sends malicious data (typically HTML stuff with JavaScript code in it) that is echoed back later by the application in an HTML context of some sort, and the JavaScript code gets executed.
  • 8. ABOUT DOM BASED XSS: WHAT IS XSS?? Original definition: vulnerability wherein one sends malicious data (typically HTML stuff with JavaScript code in it) that is echoed back later by the application in an HTML context of some sort, and the JavaScript code gets executed.
  • 9. ABOUT DOM BASED XSS: WHAT IS XSS?? Persistent/ Stored XSS: the payload is stored by the system, and may later be embedded by the vulnerable system in an HTML page provided to a victim.
  • 10. ABOUT DOM BASED XSS: WHAT IS XSS?? Non-persistent/ Reflected XSS: the malicious (JavaScript) payload is echoed by the server in an immediate response to an HTTP request from the victim.
  • 11. ABOUT DOM BASED XSS: DOM BASED XSS?? DOM Based XSS: an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner.
  • 12. How DOM Based XSS works??
  • 13. HOW DOM BASED XSS WORKS?? The prerequisite : we must have an HTML page that uses data from the document.location or document.URL or document.referrer (or any various other objects which the attacker can influence in an insecure manner).
  • 14. HOW DOM BASED XSS WORKS?? LET’S MAKE AN EXAMPLE! Imagine we have an HTML page http://www.vulnerable.site/ welcome.html with the content here <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.URL.indexOf("name=")+5; document.write (document.URL.substring (pos, document.URL.length)); </SCRIPT> <BR> Welcome to our system … </HTML>
  • 15. HOW DOM BASED XSS WORKS??
  • 16. HOW DOM BASED XSS WORKS?? ANOTHER EXAMPLE! Imagine we have an HTML page with that content <label id="searchLbl" for="search">Search</label> <input id="search" autocomplete="off"/> <div id="results"></div> <script> document.getElementById('search').addEventListener('key press', function(e) { var code = e.keyCode || e.which; if (code === 13) { document.getElementById('results').innerHTML = document.getElementById('search').value; } }); </script>
  • 17. DOM BASED XSS DETECTION
  • 18. DOM BASED XSS DETECTION: GENERAL ANALYSIS
  • 19. DOM BASED XSS DETECTION: PHANTOMJS => PhantomJS is a browser but a headless browser. PhantomJS is a headless WebKit scriptable with a JavaScript API. WebKit is the layout engine that designed to allow web browsers to render web pages. Chrome, Safari and a couple of other browsers also use WebKit.
  • 20. DOM BASED XSS DETECTION: PHANTOMJS Headless web testing: lightning-fast testing without the browser. Page automation. Access and manipulate web pages with the standard DOM API, or with usual libraries like jQuery. Screen capture. Programmatically capture web contents, including CSs, SVG and Canvas. Network monitoring. Automate performance analysis, track page loading and export as standard HAR format.
  • 21. DOM BASED XSS DETECTION: TAINTED PHANTOMJS Tainted PhantomJS (by Nera Liu): the scriptable tool for DOM-based XSS detection. It is built based on the open source PhantomJS by hacking the JavaScriptCore and WebKit engine with the tainted signal.
  • 22. • http://securitydaily.net/cac-kieu-khai-thac-xss-phan-3-dom-based-xss • http://www.webappsec.org/projects/articles/071105.shtml • https://www.blackhat.com/docs/asia-14/materials/Liu/Asia-14-Liu-Ultimate-Dom-Based- XSS-Detection-Scanner-On-Cloud.pdf • http://www.chmag.in/article/aug2010/advance-xss-attacks-dom-based • http://www.acunetix.com/websitesecurity/improving-dom-xss-vulnerabilities-detection • https://code.google.com/p/domxsswiki/wiki/ • http://blog.spiderlabs.com/2013/02/easy-dom-based-xss-detection-via-regexes.html • http://ben-stock.de/2013/09/summary-of-our-ccs-paper-on-dom-based-xss/ • http://blog.spiderlabs.com/2013/02/easy-dom-based-xss-detection-via-regexes.html • https://code.google.com/p/ra2-dom-xss-scanner/ • http://www.slideshare.net/ErolSelitektay/introduction-to-phantomjs • http://code.tutsplus.com/tutorials/testing-javascript-with-phantomjs--net- 28243#disqus_thread