Building And Stopping Next Generation Xss Worms

Slides from the OWASP NYC 2008 talk.


    1. building and stopping next generation xss worms
       arshan dabirsiaghi, director of research, aspect security
    2. who am i?
       • Name: Arshan Dabirsiaghi (gesundheit)
       • Trade: Security hobbyist & developer
       • Job: Director of Research at [logo]
       • Side Job: Liverpool fan (go gerrard!)
       • Political Affiliation: Plutocrat
       • Quote: "poor people are crazy; i'm eccentric"
    3. talk agenda
       • the past
         • formally define xss worms
         • brief look at past worms
       • the present
         • analyze current worm capabilities
         • look at current options for "recovery"
       • the future
         • next generation attack techniques
         • next generation countermeasures/recovery
    4. The Past
    5. 1st: is an xss worm really a worm?
       • 5 components of a worm (Nazario et al.):
         • reconnaissance: "[the worm] has to hunt out other network nodes to infect"
         • attack: "[components] used to launch an attack against an identified target system"
         • communication: "nodes in the network can talk to each other"
         • command: "nodes in the worm network can be issued operation commands"
         • intelligence: "the worm network needs to know the location of the nodes as well as characteristics about them"
       • short answer: 3/5, probably
    6. how xss worms are different from traditional
       • infection model
       • payload capability
       • target shift
       • penetration
    7. what about an xss virus?
       • fundamental difference between virus and worm is propagation requirements
       • a self-contained "attachment" XSS virus is possible in this era
       • rich data passed everywhere
       • rich data isn't data
       • rich data is code
       • your browser executes it
    8. infection model
       • Requires user interaction
       • Worm strictly contained within web application
       • Passive and localized
       • No Warhol worms
       [diagram: an innocent girl on myspace visits a myspace.com WORM NODE; n / 2,872,341 profiles are worm nodes becomes n+1 / 2,872,341 profiles are worm nodes]
    9. how xss worms are different from traditional: payload capability
       • Perform any application function (money transfer, close account)
       • XSSProxy/AttackAPI
       • Malware (yikes)
    10. how xss worms are different from traditional (section slide, same four items as slide 6)
    11. target shift
       [diagram: from IIS 6.0, IIS 6.0, IIS 6.0, IIS 6.0 to www.myspace.com, www.facebook.com, www.linkedin.com, peoplesoft.internal]
    12. how xss worms are different from traditional (section slide, same four items as slide 6)
    13. penetration
       [diagram: CSRF, 3rd Party Proxy, www.facebook.com, peoplesoft.internal, www.myspace.com]
    14. how xss worms are different from traditional: penetration
       • Hard to jump across domain
       • Requires proxy
       • Can only "island hop" with CSRF
    15. The Present
    16. traits of current xss worms
       • static payloads
       • passive infection strategy
       • stay on the same domain (don't say nduja)
       • uncontrolled growth
       • no command and control
       • much like Tom Stracener's parents, some of these are obviously related
    17. current incident response options
       • FIX THE VULNERABILITY, then…
       • manual purging
         • can only be done by experts
         • doesn't scale
       • database snapshot restore
         • effectively removes all worm data from tainted columns
         • forces loss of other application data
       • search & destroy
         • works now
         • tricky in the future but possible
    18. The Future
    19. next gen xss worm RECONNAISSANCE (1 of 5)
       • a reconnaissance component will be added to the client side to find more web apps to infect
         • nodes can use HTML5 Workers / Google Gears WorkerPool / <insert tomorrow's new RIA technology>
         • what about SOP?
           • old and busted: utilize 3rd party proxy (a la jikto, circa 2007)
           • what attackers should be doing now: malware, no SOP! (sigh)
           • next gen hotness: cross-site XHR, XDR, postMessage
             • allows cross-site bidirectional communication
             • servers must opt in, like Flash, so absolutely no security issues there, ever, don't even look, seriously alex/sirdarkcat/stefano di paolo/amit klein, don't bother
    20. cross-site communication in HTML5
       • postMessage()
         • cross-domain communication based on strings
         • what do developers do with strings?
         • JSON/eval()
         • Site A + JSON + Site B = Shared Security = really…?
    21. (gulp)
         window.addEventListener("message", receiveMessage, false);
         function receiveMessage(event)
         {
           if (event.origin !== "http://example.org:8080")
             return;
           // ...
         }
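A hardened receiver for the pattern on slide 21, as an added example rather than code from the talk: it keeps the origin check but never hands the string to eval(), parsing it as JSON and checking its shape before any handler runs. The partner origin https://example.org:8080, the message types and the payload bound are assumptions.

```javascript
// Hardened postMessage receiver (added example, not code from the talk).
// The slide's handler only checks event.origin; this one also treats
// event.data as untrusted text: JSON.parse() instead of eval(), a strict
// shape check, and a rebuilt object so unexpected fields never reach handlers.
// The partner origin, message types and size limit are assumed for illustration.

const ALLOWED_ORIGINS = new Set(["https://example.org:8080"]); // assumed partner; exact match, never "*"
const KNOWN_TYPES = new Set(["ping", "setTitle"]);             // assumed protocol
const MAX_PAYLOAD = 256;                                       // assumed bound on payload text

// Returns {type, payload} when the event passes every check, otherwise null.
function validateMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  if (typeof event.data !== "string") return null;             // protocol is serialized JSON only
  let msg;
  try {
    msg = JSON.parse(event.data);                              // data, not code
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  if (!KNOWN_TYPES.has(msg.type)) return null;
  if (typeof msg.payload !== "string" || msg.payload.length > MAX_PAYLOAD) return null;
  return { type: msg.type, payload: msg.payload };             // copy only the fields we expect
}

// Dispatches a validated message to the handler chosen by type; returns true if one ran.
function receiveMessage(event, handlers) {
  const msg = validateMessage(event);
  if (msg === null) return false;
  handlers[msg.type](msg.payload);
  return true;
}

// Sender side: always name the target origin so the message cannot be delivered
// to whatever document happens to be loaded in the other window.
function sendMessage(targetWindow, type, payload) {
  targetWindow.postMessage(JSON.stringify({ type, payload }), "https://example.org:8080");
}

// Browser wiring; guarded so the module also loads outside a browser for testing.
if (typeof window !== "undefined") {
  const handlers = {
    ping: () => {},
    setTitle: (text) => { document.title = text; },            // text sink, not innerHTML
  };
  window.addEventListener("message", (ev) => receiveMessage(ev, handlers), false);
}
```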
    22. staniford, paxson & weaver's RECONNAISSANCE techniques
       • "hit list scanning" (how sexy is that term? answer: mega)
       • permutation scanning
       • topological scanning
         • not without malware, cross-site XHR
    23. next gen xss worm ATTACK (2 of 5)
       • an attack component will be added to the client side
         • new client side piece delivered with reconnaissance piece to attack other off-domain web apps
         • 85% of websites have XSS (how much is reflected vs. stored?)
         • how likely is it to find a stored XSS in another web app with a blackbox scan?
           • not likely, but with 1,000,000 nodes, our chances go way up
           • once we find one, push patches out to the worm nodes for targeting
    24. polymorphic javascript
       • b. hoffman & j. terrill at BH2007 demonstrated:
         • javascript, like any language, can be highly mutated

         Before Mutation             After Mutation                  Mutation Effects
         doEvil1()                   zDx/*fdSa*/()                   symbol renaming, random comment introduction
         xhr.open("GET",url,true);   xhr.open("G"+"ET", url, true);  string fragmentation, whitespace randomization
                                                                     countless encodings, block re-structuring, JIT eval compilation
    25. next gen xss worm COMMUNICATION (3 of 5)
       • a communication component will NEVER occur in an XSS worm
         • can't communicate directly from victim browser to another victim browser
         • "centralization" in worms is just another word for weakness
         • even if you could have node-to-node communication,
           • no way to mutually authenticate
           • no way to avoid c&c poisoning (good guy sends worm a message: self-destruct plz)
    26. next gen xss worm COMMAND (4 of 5)
       • a command component will be added to the worm payload
         • communication w/ operator necessary for command-and-control structure, data delivery (new target information, source updates, etc.)
         • old and busted: centralized source updates
           • worm calls http://www.evil.com/evil.js
           • attacker keeps evil.js the latest greatest copy of worm
           • easy for large worm network to overload (DoS)
           • easy to call registrar/ISP and get it taken down
         • new hotness: introducing… Distributed XSS Worm Node C&C Structure!
    27. [diagram of the distributed C&C structure: MyFaceNovel.com; attacker quietly posts signed payloads; victim creates token; www.evil.com, Google (JSON), www.geocities.com/evil1, www.myspace.com/evil2, www.sharedhost.net/evil3, www.goodguys.com/poison; remote scripting; victim queries Google for token using JSON; victim finds a signed result; executes the signed payload]
    28. wait… signing in javascript?
       • http://home.versatel.nl/MAvanEverdingen/Code/
       • RSA, AES, everything
       • … in javascript
    29. next gen xss worm INTELLIGENCE (5 of 5)
       • an intelligence component will be used
         • after initial worm stages, it can't be trusted (adversaries can poison)
         • xss worms probably don't need this; they typically follow this pattern
           • First 24 hours: reach massive infections through epic growth rate
           • After that: gone and never seen again
    30. The Defense
    31. search+destroying polymorphed javascript
       • martin johns: "sure you can polymorph javascript to absurd levels, but the vector can't vary greatly"
    32. on demand exploit egress filters
       • popular sites need agile response techniques

         before:
         doSomethingEvil();
         xhr.onreadystatechange=handleIt;
         xhr.open("GET",url,true);
         xhr.send(null);

         after:
         doSomethingEvil();
         xhr.onreadystatechange=handleIt;
         //xhr.open("GET",url,true);
         xhr.send(null);
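The normalization that makes search and destroy (slide 31) and an egress filter (slide 32) work against polymorphed payloads, as an added example that is not the talk's or Martin Johns's code: the mutations from the slide-24 table are folded away before matching, and the signature is the invariant xhr.open() vector rather than a renamable symbol. The sample sources and the signature set are constructed.

```javascript
// Search & destroy for polymorphed JavaScript (added example, not the talk's code).
// Cosmetic mutations from the slide-24 table (comments, whitespace, string fragmentation,
// quote style) are folded away; the vector is matched on the canonical form. Symbol
// renaming is not reversed, so the signature targets the invariant xhr.open() call.

function tokenize(src) {                       // scanner: separates strings/comments from code
  const toks = [];
  for (let i = 0; i < src.length;) {
    const c = src[i], two = src.slice(i, i + 2);
    if (two === "/*") { const e = src.indexOf("*/", i + 2); i = e < 0 ? src.length : e + 2; }
    else if (two === "//") { const e = src.indexOf("\n", i); i = e < 0 ? src.length : e; }
    else if (c === '"' || c === "'") {          // string literal with either quote, \ escapes
      let j = i + 1, v = "";
      for (; j < src.length && src[j] !== c; j++) v += src[j] === "\\" ? (src[++j] || "") : src[j];
      toks.push({ t: "str", v }); i = j + 1;
    }
    else if (/\s/.test(c)) i++;                 // whitespace dropped
    else if (/[\w$]/.test(c)) {                 // identifier or number
      let j = i; while (/[\w$]/.test(src[j] || "")) j++;
      toks.push({ t: "id", v: src.slice(i, j) }); i = j;
    }
    else { toks.push({ t: "op", v: c }); i++; }
  }
  return toks;
}

function normalizeJs(src) {                    // canonical text: "G"+"ET" -> "GET", quotes unified
  const out = [];
  for (const tok of tokenize(src)) {
    const [p2, p1] = out.slice(-2);
    if (tok.t === "str" && p1 && p1.t === "op" && p1.v === "+" && p2 && p2.t === "str") {
      out.pop(); p2.v += tok.v;                 // fold adjacent literal concatenation
    } else out.push(tok);
  }
  let s = "";
  for (let k = 0; k < out.length; k++) {
    if (k && out[k].t === "id" && out[k - 1].t === "id") s += " ";   // keep "var a" readable
    s += out[k].t === "str" ? JSON.stringify(out[k].v) : out[k].v;
  }
  return s;
}
const VECTORS = ['xhr.open("GET", url, true);'].map(normalizeJs);   // constructed signature set
function findVector(src) {                     // canonical vector found in src, or null
  const canon = normalizeJs(src);
  return VECTORS.find(v => canon.includes(v)) || null;
}
// Constructed samples in the style of the slide-24 table: original worm text and a mutated copy.
const ORIGINAL = 'doEvil1();\nxhr.open("GET",url,true);\nxhr.send(null);';
const MUTATED = "zDx/*fdSa*/( ) ;\nxhr .open( 'G' + \"E\"+\"T\",\turl ,true ) ; // noise\nxhr.send( null ) ;";
```

Once a vector is found this way, the egress filter on slide 32 has a stable thing to act on; what it cannot do is recognise doEvil1() once it has been renamed to zDx().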
    33. OWASP AntiSamy: safe rich input validation
       • AntiSamy
         • Uses a positive security model for rich input validation
         • High assurance mechanism for stopping XSS (and phishing) attacks
         • http://www.owasp.org/index.php/AntiSamy
       [image: samy]
    34. utilizing cross-domain workflows
       • letting the browser SOP protection prevent cookie disclosure + sensitive application information
         • rsnake's anti-iframe solution, iframes for in-house apps
    35. browser content restrictions
         <jail secret="OJE3foiwse">
         dangerous user content
         </jail secret="OJE3foiwse">

         <start-jail secret="FASj325s"/>
         dangerous user content
         <end-jail secret="FASj325s"/>
       [mock page layout: Book Reviews, Book Thief, Thief1, Thief2, Buy, Find, Policy, Ads]
       • doesn't make sense in a DOM
       • reqs parsers to honor end tag attributes
       • my idea
       • way better
    36. questions and answers