Building And Stopping Next Generation Xss Worms
Slides from the OWASP NYC 2008 talk.
Published in: Technology
  • Transcript

    • 1. building and stopping next generation xss worms
         arshan dabirsiaghi, director of research, aspect security
    • 2. who am i?
        - Name: Arshan Dabirsiaghi (gesundheit)
        - Trade: Security hobbyist & developer
        - Job: Director of Research at
        - Side Job: Liverpool fan (go gerrard!)
        - Political Affiliation: Plutocrat
        - Quote: “poor people are crazy; i’m eccentric”
    • 3. talk agenda
        - the past
            - formally define xss worms
            - brief look at past worms
        - the present
            - analyze current worm capabilities
            - look at current options for “recovery”
        - the future
            - next generation attack techniques
            - next generation countermeasures/recovery
    • 4. The Past
    • 5. 1st: is an xss worm really a worm?
        - 5 components of a worm (Nazario et al.):
            - reconnaissance – “[the worm] has to hunt out other network nodes to infect”
            - attack – “[components] used to launch an attack against an identified target system”
            - communication – “nodes in the network can talk to each other”
            - command – “nodes in the worm network can be issued operation commands”
            - intelligence – “the worm network needs to know the location of the nodes as well as characteristics about them”
        - short answer: 3/5 - probably
    • 6. how xss worms are different from traditional
        - infection model
        - payload capability
        - target shift
        - penetration
    • 7. what about an xss virus?
        - fundamental difference between virus and worm is propagation requirements
        - a self-contained “attachment” XSS virus is possible in this era
        - rich data passed everywhere
        - rich data isn’t data
        - rich data is code
        - your browser executes it
    • 8. infection model
        - Requires user interaction
        - Worm strictly contained within web application
        - Passive and localized
        - No Warhol worms
        (diagram: an innocent girl on myspace visits myspace.com, which hosts a WORM NODE; n / 2,872,341 profiles are worm nodes, then n+1 / 2,872,341 profiles are worm nodes)
    • 9. how xss worms are different from traditional
        - infection model
        - payload capability
            - Perform any application function (money transfer, close account)
            - XSSProxy/AttackAPI
            - Malware (yikes)
        - target shift
        - penetration
    • 10. how xss worms are different from traditional
        - infection model
        - payload capability
        - target shift
        - penetration
    • 11. target shift
        (diagram: the targets shift from IIS 6.0 servers to web applications such as www.myspace.com, www.facebook.com, www.linkedin.com and peoplesoft.internal)
    • 12. how xss worms are different from traditional
        - infection model
        - payload capability
        - target shift
        - penetration
    • 13. penetration
        (diagram: from www.myspace.com to www.facebook.com and peoplesoft.internal, via CSRF and a 3rd party proxy)
    • 14. how xss worms are different from traditional
        - infection model
        - payload capability
        - target shift
        - penetration
            - Hard to jump across domain
            - Requires proxy
            - Can only “island hop” with CSRF
    • 15. The Present
    • 16. traits of current xss worms
        - static payloads
        - passive infection strategy
        - stay on the same domain (don’t say nduja)
        - uncontrolled growth
        - no command and control
        - much like Tom Stracener’s parents, some of these are obviously related
    • 17. current incident response options
        - FIX THE VULNERABILITY, then…
        - manual purging
            - can only be done by experts
            - doesn’t scale
        - database snapshot restore
            - effectively removes all worm data from tainted columns
            - forces loss of other application data
        - search & destroy
            - works now
            - tricky in the future but possible
    • 18. The Future
    • 19. next gen xss worm RECONNAISSANCE (1 of 5)
        - a reconnaissance component will be added to the client side to find more web apps to infect
            - nodes can use HTML5 Workers / Google Gears WorkerPool / <insert tomorrow’s new RIA technology>
            - what about SOP?
                - old and busted: utilize 3rd party proxy (a la jikto – circa 2007)
                - what attackers should be doing now: malware – no SOP! (sigh)
                - next gen hotness: cross-site XHR, XDR, postMessage
                    - allows cross-site bidirectional communication
                    - servers must opt in, like Flash, so absolutely no security issues there, ever, don’t even look, seriously alex/sirdarkcat/stefano di paolo/amit klein, don’t bother
    • 20. cross-site communication in HTML5
        - postMessage()
            - cross-domain communication based on strings
            - what do developers do with strings?
            - JSON / eval()
            - Site A + JSON + Site B = Shared Security = really…?
    • 21. (gulp)
        window.addEventListener("message", receiveMessage, false);
        function receiveMessage(event)
        {
            if (event.origin !== "http://example.org:8080")
                return;
            // ...
        }
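As an added example, not from the slides: the origin check above beside the rest of what a receiver needs so that a string from another site stays data instead of becoming code. The allowed origin, the command table and the handler are assumed values for illustration.

```javascript
// Added example: cross-site messages are data, not code.
// ALLOWED_ORIGIN and the COMMANDS table are assumed values for illustration.
const ALLOWED_ORIGIN = "http://example.org:8080";

// The anti-pattern from slide 20: the received string is handed to eval(),
// so whoever can post a message to this window can run code in it.
function receiveMessageUnsafe(event) {
  return eval(event.data);
}

// Fixed set of commands the receiver will honour; nothing else is dispatched.
const COMMANDS = {
  setTheme: (args) => (typeof args.name === "string" ? { theme: args.name } : null),
};

// Hardened receiver: check the sender, parse as JSON, validate the shape,
// and look up the command with an own-property check so that names such as
// "constructor" or "__proto__" cannot reach Object.prototype.
function receiveMessage(event) {
  if (event.origin !== ALLOWED_ORIGIN) return null;   // unexpected sender
  let msg;
  try {
    msg = JSON.parse(event.data);                      // parse as data, never eval
  } catch (e) {
    return null;                                       // not JSON: drop it
  }
  if (msg === null || typeof msg !== "object" || typeof msg.cmd !== "string") return null;
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, msg.cmd)) return null;
  const args = msg.args !== null && typeof msg.args === "object" ? msg.args : {};
  return COMMANDS[msg.cmd](args);
}

// Only wire up the listener when running inside a browser window.
if (typeof window !== "undefined") {
  window.addEventListener("message", receiveMessage, false);
}
```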
    • 22. staniford, paxson & weaver’s RECONNAISSANCE techniques
        - “hit list scanning” (how sexy is that term? answer: mega)
        - permutation scanning
        - topological scanning
            - not without malware, cross-site XHR
    • 23. next gen xss worm ATTACK (2 of 5)
        - an attack component will be added to the client side
            - new client side piece delivered with reconnaissance piece to attack other off-domain web apps
            - 85% of websites have XSS (how much is reflected vs. stored?)
            - how likely is it to find a stored XSS in another web app with a blackbox scan?
                - not likely, but with 1,000,000 nodes, our chances go way up
                - once we find one - push patches out to the worm nodes for targeting
    • 24. polymorphic javascript
        - b. hoffman & j. terrill at BH2007 demonstrated:
            - javascript, like any language, can be highly mutated
        Before Mutation            | After Mutation                  | Mutation Effects
        doEvil1()                  | zDx/*fdSa*/()                   | symbol renaming, random comment introduction
        xhr.open("GET",url,true);  | xhr.open("G"+"ET", url, true);  | string fragmentation, whitespace randomization
                                   |                                 | countless encodings, block re-structuring, JIT eval compilation
    • 25. next gen xss worm COMMUNICATION (3 of 5)
        - a communication component will NEVER occur in an XSS worm
            - can’t communicate directly from victim browser to another victim browser
            - “centralization” in worms is just another word for weakness
            - even if you could have node-to-node communication,
                - no way to mutually authenticate
                - no way to avoid c&c poisoning (good guy sends worm a message: self-destruct plz)
    • 26. next gen xss worm COMMAND (4 of 5)
        - a command component will be added to the worm payload
            - communication w/ operator necessary for command-and-control structure, data delivery (new target information, source updates, etc)
            - old and busted: centralized source updates
                - worm calls http://www.evil.com/evil.js
                - attacker keeps evil.js the latest greatest copy of worm
                - easy for large worm network to overload (DoS)
                - easy to call registrar/ISP and get it taken down
            - new hotness: introducing… Distributed XSS Worm Node C&C Structure!
    • 27. MyFaceNovel.com
        (diagram of the distributed C&C structure; hosts shown: MyFaceNovel.com, www.evil.com, Google (JSON), www.geocities.com/evil1, www.myspace.com/evil2, www.sharedhost.net/evil3, www.goodguys.com/poison, remote scripting)
        1. Attacker quietly posts signed payloads
        2. Victim creates token
        3. Victim queries Google for token using JSON
        4. Victim finds a signed result
        5. Executes the signed payload
    • 28. wait… signing in javascript?
        - http://home.versatel.nl/MAvanEverdingen/Code/
        - RSA, AES, everything
        - … in javascript
    • 29. next gen xss worm INTELLIGENCE (5 of 5)
        - an intelligence component will be used
            - after initial worm stages, it can’t be trusted (adversaries can poison)
            - xss worms probably don’t need this – they typically follow this pattern
                - First 24 hours: reach massive infections through epic growth rate
                - After that: gone and never seen again
    • 30. The Defense
    • 31. search+destroying polymorphed javascript
        - martin johns: “sure you can polymorph javascript to absurd levels, but the vector can’t vary greatly”
    • 32. on demand exploit egress filters
        - popular sites need agile response techniques
        (before the filter)
            doSomethingEvil();
            xhr.onreadystatechange=handleIt;
            xhr.open("GET",url,true);
            xhr.send(null);
        (after the filter)
            doSomethingEvil();
            xhr.onreadystatechange=handleIt;
            //xhr.open("GET",url,true);
            xhr.send(null);
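As an added example, not from the slides: a search-and-destroy check over stored profile fields that undoes the mutations listed on slide 24 (comment insertion, string fragmentation, whitespace randomization) before matching the vector shape, following Johns' point that the vector itself cannot vary much. The normalizer, the signature and the sample profiles are constructed for this illustration and are not the talk's own tooling.

```javascript
// Added example: normalize stored text, then match the vector, not the payload.
// Heuristic normalizer; it is not a JavaScript parser.
function normalizeJs(src) {
  let s = src.replace(/\/\*[\s\S]*?\*\//g, "");    // drop /* ... */ comments
  s = s.replace(/\/\/[^\n]*/g, "");                  // drop // comments (also clips // inside strings)
  // join fragmented string literals, e.g. "G"+"ET" or 'G' + "ET" -> "GET"; repeat until stable
  const fragment = /(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3/;
  let prev;
  do {
    prev = s;
    s = s.replace(fragment, (m, q1, a, q2, b) => '"' + a + b + '"');
  } while (s !== prev);
  s = s.replace(/'([^'\\]*)'/g, '"$1"');            // single-quoted -> double-quoted
  s = s.replace(/\s+/g, "");                         // undo whitespace randomization
  return s.toLowerCase();                            // case-fold so "GET" and "get" compare equal
}

// Constructed signature of the vector shape from slide 24/32, matched only
// against normalized text so the mutations above do not change the result.
const VECTOR_SIGNATURE = /xhr\.open\("get",/;

function containsVector(storedField) {
  return VECTOR_SIGNATURE.test(normalizeJs(storedField));
}

// Constructed sample of stored profile fields (not real worm data):
// 2 is the plain vector, 3 and 4 carry the slide 24 mutations.
const SAMPLE_PROFILES = [
  { id: 1, about: "I like cats" },
  { id: 2, about: 'xhr.open("GET",url,true);' },
  { id: 3, about: 'zDx/*fdSa*/();\n  xhr.open( "G"+"ET" , url,\ttrue );' },
  { id: 4, about: "xhr.open('G' + 'E' + 'T', url, true)" },
];

// Returns the ids of profiles whose stored field still carries the vector.
function findInfected(profiles) {
  return profiles.filter((p) => containsVector(p.about)).map((p) => p.id);
}
```

Matching the normalized vector rather than the raw payload is what lets the purge keep working as the payload mutates; a stored field that matches is the one to clean or quarantine, not to execute.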
    • 33. OWASP AntiSamy – safe rich input validation
        - AntiSamy
            - Uses a positive security model for rich input validation
            - High assurance mechanism for stopping XSS (and phishing) attacks
            - http://www.owasp.org/index.php/AntiSamy
        (picture: samy)
    • 34. utilizing cross-domain workflows
        - letting the browser SOP protection prevent cookie disclosure + sensitive application information
            - rsnake’s anti-iframe solution, iframes for in-house apps
    • 35. browser content restrictions
        <jail secret="OJE3foiwse">
        dangerous user content
        </jail secret="OJE3foiwse">
        - doesn’t make sense in a DOM
        - reqs parsers to honor end tag attributes
        <start-jail secret="FASj325s"/>
        dangerous user content
        <end-jail secret="FASj325s"/>
        - my idea
        - way better
        (diagram: Book Reviews page layout with Ads and Buy / Find / Policy panels, and entries labelled Thief, Thief1, Thief2 as the jailed user content)
    • 36. questions and answers
