building and stopping next generation xss worms arshan dabirsiaghi director of research aspect security

who am i? Name Arshan Dabirsiaghi (gesundheit) Trade Security hobbyist & developer Job Director of Research at Side Job Liverpool fan (go gerrard!) Political Affiliation Plutocrat Quote “poor people are crazy; i’m eccentric”

Name Arshan Dabirsiaghi (gesundheit)

Trade Security hobbyist & developer

Job Director of Research at

Side Job Liverpool fan (go gerrard!)

Political Affiliation Plutocrat

Quote “poor people are crazy; i’m eccentric”

talk agenda the past formally define xss worms brief look at past worms the present analyze current worm capabilities look at current options for “recovery” the future next generation attack techniques next generation countermeasures/recovery

the past

formally define xss worms

brief look at past worms

the present

analyze current worm capabilities

look at current options for “recovery”

the future

next generation attack techniques

next generation countermeasures/recovery

The Past

1 st : is an xss worm really a worm? 5 components of worm (Nazario, et. al.): reconnaissance – “[the worm] has to hunt out other network nodes to infect” attack – “[components] used to launch an attack against an identified target system” communication – “nodes in the network can talk to each other” command – “nodes in the worm network can be issued operation commands” intelligence – “the worm network needs to know the location of the nodes as well as characteristics about them” short answer: 3/5 - probably

5 components of worm (Nazario, et. al.):

reconnaissance – “[the worm] has to hunt out other network nodes to infect”

attack – “[components] used to launch an attack against an identified target system”

communication – “nodes in the network can talk to each other”

command – “nodes in the worm network can be issued operation commands”

intelligence – “the worm network needs to know the location of the nodes as well as characteristics about them”

short answer: 3/5 - probably

how xss worms are different from traditional infection model payload capability target shift penetration

infection model

payload capability

target shift

penetration

what about an xss virus? fundamental difference between virus and worm is propagation requirements a self-contained “attachment” XSS virus is possible in this era rich data passed everywhere rich data isn’t data rich data is code your browser executes it

fundamental difference between virus and worm is propagation requirements

a self-contained “attachment” XSS virus is possible in this era

rich data passed everywhere

rich data isn’t data

rich data is code

your browser executes it

infection model Requires user interaction Worm strictly contained within web application Passive and localized No Warhol worms innocent girl on myspace myspace.com WORM NODE n / 2,872,341 profiles are worm nodes n+1 / 2,872,341 profiles are worm nodes

Requires user interaction

Worm strictly contained within web application

Passive and localized

No Warhol worms

how xss worms are different from traditional infection model payload capability target shift penetration Perform any application function (money transfer, close account) XSSProxy/AttackAPI Malware (yikes)

infection model

payload capability

target shift

penetration

Perform any application function (money transfer, close account)

XSSProxy/AttackAPI

Malware (yikes)

how xss worms are different from traditional infection model payload capability target shift penetration

infection model

payload capability

target shift

penetration

target shift IIS 6.0 IIS 6.0 IIS 6.0 IIS 6.0 www.myspace.com www.facebook.com www.linkedin.com peoplesoft.internal

how xss worms are different from traditional infection model payload capability target shift penetration

infection model

payload capability

target shift

penetration

penetration CSRF 3 rd Party Proxy www.facebook.com peoplesoft.internal www.myspace.com

how xss worms are different from traditional infection model payload capability target shift penetration Hard to jump across domain Requires proxy Can only “island hop” with CSRF

infection model

payload capability

target shift

penetration

Hard to jump across domain

Requires proxy

Can only “island hop” with CSRF

The Present

traits of current xss worms static payloads passive infection strategy stay on the same domain (don’t say nduja) uncontrolled growth no command and control much like Tom Stracener’s parents, some of these are obviously related

static payloads

passive infection strategy

stay on the same domain (don’t say nduja)

uncontrolled growth

no command and control

much like Tom Stracener’s parents, some of these are obviously related

current incident response options FIX THE VULNERABILITY , then… manual purging can only be done by experts doesn’t scale database snapshot restore effectively removes all worm data from tainted columns forces loss of other application data search & destroy works now tricky in the future but possible

FIX THE VULNERABILITY , then…

manual purging

can only be done by experts

doesn’t scale

database snapshot restore

effectively removes all worm data from tainted columns

forces loss of other application data

search & destroy

works now

tricky in the future but possible

The Future

next gen xss worm RECONNAISSANCE (1 of 5) a reconnaissance component will be added to the client side to find more web apps to infect nodes can use HTML5 Workers / Google Gears WorkerPool / <insert tomorrow’s new RIA technology> what about SOP? old and busted : utilize 3 rd party proxy (a la jikto – circa 2007) what attackers should be doing now : malware – no SOP! (sigh) next gen hotness : cross-site XHR, XDR, postMessage allows cross-site bidirectional communication servers must opt in , like Flash, so absolutely no security issues there, ever, don’t even look, seriously alex/sirdarkcat/stefano di paolo/amit klein, don’t bother

a reconnaissance component will be added to the client side to find more web apps to infect

nodes can use HTML5 Workers / Google Gears WorkerPool / <insert tomorrow’s new RIA technology>

what about SOP?

old and busted : utilize 3 rd party proxy (a la jikto – circa 2007)

what attackers should be doing now : malware – no SOP! (sigh)

next gen hotness : cross-site XHR, XDR, postMessage

allows cross-site bidirectional communication

servers must opt in , like Flash, so absolutely no security issues there, ever, don’t even look, seriously alex/sirdarkcat/stefano di paolo/amit klein, don’t bother

cross-site communication in HTML5 postMessage() cross-domain communication based on strings what do developers do with strings? JSON/ eval() Site A + JSON + Site B = Shared Security = really…?

postMessage()

cross-domain communication based on strings

what do developers do with strings?

JSON/ eval()

Site A + JSON + Site B = Shared Security = really…?

(gulp) window.addEventListener(&quot;message&quot;, receiveMessage, false); function receiveMessage(event) { if (event.origin !== &quot;http://example.org:8080&quot;) return; // ... }

window.addEventListener(&quot;message&quot;, receiveMessage, false);

function receiveMessage(event)

{

if (event.origin !== &quot;http://example.org:8080&quot;)

return;

// ...

}

staniford, paxson & weaver’s RECONNAISANCE techniques “ hit list scanning” (how sexy is that term? answer: mega ) permutation scanning topological scanning not without malware, cross-site XHR

“ hit list scanning” (how sexy is that term? answer: mega )

permutation scanning

topological scanning

not without malware, cross-site XHR

next gen xss worm ATTACK (2 of 5) an attack component will be added to the client side new client side piece delivered with reconnaissance piece to attack other off-domain web apps 85% of websites have XSS (how much is reflected vs. stored?) how likely is it to find a stored XSS in another web app with a blackbox scan? not likely, but with 1,000,000 nodes, our chances go way up once we find one - push patches out to the worm nodes for targeting

an attack component will be added to the client side

new client side piece delivered with reconnaissance piece to attack other off-domain web apps

85% of websites have XSS (how much is reflected vs. stored?)

how likely is it to find a stored XSS in another web app with a blackbox scan?

not likely, but with 1,000,000 nodes, our chances go way up

once we find one - push patches out to the worm nodes for targeting

polymorphic javascript b. hoffman & j. terrill at BH2007 demonstrated: javascript, like any language, can be highly mutated Before Mutation After Mutation Mutation Effects doEvil1() zDx/*fdSa*/() symbol renaming, random comment introduction xhr.open(“GET”,url,true); xhr.open(“G”+”ET”, url, true); string fragmentation, whitespace randomization countless encodings, block re-structuring, JIT eval compilation

b. hoffman & j. terrill at BH2007 demonstrated:

javascript, like any language, can be highly mutated

next gen xss worm COMMUNICATION (3 of 5) a communication component will NEVER occur in a XSS worm can’t communicate directly from victim browser to another victim browser “ centralization” in worms is just another word for weakness even if you could have node-to-node communication, no way to mutually authenticate no way to avoid c&c poisoning (good guy sends worm a message: self-destruct plz)

a communication component will NEVER occur in a XSS worm

can’t communicate directly from victim browser to another victim browser

“ centralization” in worms is just another word for weakness

even if you could have node-to-node communication,

no way to mutually authenticate

no way to avoid c&c poisoning (good guy sends worm a message: self-destruct plz)

next gen xss worm COMMAND (4 of 5) a command component will be added to the worm payload communication w/ operator necessary for command-and-control structure, data delivery (new target information, source updates, etc) old and busted : centralized source updates worm calls http://www.evil.com/evil.js attacker keeps evil.js the latest greatest copy of worm easy for large worm network to overload (DoS) easy to call registrar/ISP and get it taken down new hotness : introducing… Distributed XSS Worm Node C&C Structure !

a command component will be added to the worm payload

communication w/ operator necessary for command-and-control structure, data delivery (new target information, source updates, etc)

old and busted : centralized source updates

worm calls http://www.evil.com/evil.js

attacker keeps evil.js the latest greatest copy of worm

easy for large worm network to overload (DoS)

easy to call registrar/ISP and get it taken down

new hotness : introducing… Distributed XSS Worm Node C&C Structure !

MyFaceNovel.com  Attacker quietly posts signed payloads  Victim creates token www.evil.com Google (JSON) www.geocities.com/evil1 www.myspace.com/evil2 www.sharedhost.net/evil3 www.goodguys.com/poison remote scripting  Victim queries Google for token using JSON  Victim finds a signed result  Executes the signed payload

wait… signing in javascript? http://home.versatel.nl/MAvanEverdingen/Code/ RSA, AES, everything … in javascript

http://home.versatel.nl/MAvanEverdingen/Code/

RSA, AES, everything

… in javascript

next gen xss worm INTELLIGENCE (5 of 5) an intelligence component will be used after initial worm stages, it can’t be trusted (adversaries can poison) xss worms probably don’t need this – they typically follow this pattern First 24 hours: reach massive infections through epic growth rate After that: gone and never seen again

an intelligence component will be used

after initial worm stages, it can’t be trusted (adversaries can poison)

xss worms probably don’t need this – they typically follow this pattern

First 24 hours: reach massive infections through epic growth rate

After that: gone and never seen again

The Defense

search+destroying polymorphed javascript martin johns: “sure you can polymorph javascript to absurd levels, but the vector can’t vary greatly ”

martin johns: “sure you can polymorph javascript to absurd levels, but the vector can’t vary greatly ”

on demand exploit egress filters popular sites need agile response techniques doSomethingEvil(); xhr.onreadystatechange=handleIt; xhr.open(“GET”,url,true); xhr.send(null); doSomethingEvil(); xhr.onreadystatechange=handleIt; //xhr.open(“GET”,url,true); xhr.send(null);

popular sites need agile response techniques

OWASP AntiSamy – safe rich input validation AntiSamy Uses a positive security model for rich input validation High assurance mechanism for stopping XSS (and phishing) attacks (samy) http://www.owasp.org/index.php/AntiSamy

AntiSamy

Uses a positive security model for rich input validation

High assurance mechanism for stopping XSS (and phishing) attacks

http://www.owasp.org/index.php/AntiSamy

utilizing cross-domain workflows letting the browser SOP protection prevent cookie disclosure + sensitive application information rsnake’s anti-iframe solution, iframes for in-house apps

letting the browser SOP protection prevent cookie disclosure + sensitive application information

rsnake’s anti-iframe solution, iframes for in-house apps

browser content restrictions <jail secret=“OJE3foiwse”> dangerous user content </jail secret=“OJE3foiwse”> <start-jail secret=“FASj325s”/> dangerous user content <end-jail secret=“FASj325s”/> Book Reviews ThiefBook Thief1 Thief2 Buy Find Policy -------- -------- -------- -------- -------- Ads doesn’t make sense in a DOM reqs parsers to honor end tag attributes my idea way better

<jail secret=“OJE3foiwse”>

dangerous user content

</jail secret=“OJE3foiwse”>

<start-jail secret=“FASj325s”/>

dangerous user content

<end-jail secret=“FASj325s”/>

doesn’t make sense in a DOM

reqs parsers to honor end tag attributes

my idea

way better

questions and answers